
Try the AWS-Solutions-Architect-Professional exam questions with a high-quality AWS-Solutions-Architect-Professional PDF question bank
The latest Amazon AWS-Solutions-Architect-Professional exam question bank PDF, updated in 2023
The AWS-Solutions-Architect-Professional Certification Exam covers a wide range of topics, including designing and deploying highly available, fault-tolerant, and scalable systems; selecting the appropriate AWS services for a given scenario; migrating complex multi-tier applications to AWS; implementing cost-control strategies; and managing the security and compliance of AWS solutions. The certification exam also tests a candidate's ability to design and deploy large-scale distributed systems with a focus on scalability, availability, and fault tolerance.
Earning the AWS-Solutions-Architect-Professional certification demonstrates advanced expertise in designing and deploying complex cloud architectures on AWS. The certification not only helps professionals advance their careers and increase their earning power, but also helps organizations identify and hire skilled cloud architects.
Question # 18
A company has developed a new billing application that will be released in two weeks.
Developers are testing the application running on 10 EC2 instances managed by an Auto Scaling group in subnet 172.31.0.0/24 within VPC A with CIDR block 172.31.0.0/16. The Developers noticed connection timeout errors in the application logs while connecting to an Oracle database running on an Amazon EC2 instance in the same region within VPC B with CIDR block 172.50.0.0/16. The IP of the database instance is hard-coded in the application instances.
Which recommendations should a Solutions Architect present to the Developers to solve the problem in a secure way with minimal maintenance and overhead?
- A. Create and attach internet gateways for both VPCs. Configure default routes to the Internet gateways for both VPCs. Assign an Elastic IP for each Amazon EC2 instance in VPC A
- B. Disable the SrcDestCheck attribute for all instances running the application and Oracle Database. Change the default route of VPC A to point to the ENI of the Oracle Database that has an IP address assigned within the range of 172.50.0.0/26
- C. Create an additional Amazon EC2 instance for each VPC as a customer gateway; create one virtual private gateway (VGW) for each VPC, configure an end-to-end VPN, and advertise the routes for 172.50.0.0/16
- D. Create a VPC peering connection between the two VPCs and add a route to the routing table of VPC A that points to the IP address range of 172.50.0.0/16
Correct answer: D
Explanation:
A: It does not go through NAT, so this is not the solution.
B: It does not need to go through the internet. This is not secure.
D: This is a VPN, which is not suitable. Peering should be used.
Question # 19
In the context of Amazon ElastiCache CLI, which of the following commands can you use to view all ElastiCache instance events for the past 24 hours?
- A. elasticache-describe-events --duration 24
- B. elasticache-events --duration 1440
- C. elasticache describe-events --source-type cache-cluster --duration 1440
- D. elasticache-events --duration 24
Correct answer: C
Explanation:
In Amazon ElastiCache, the command "aws elasticache describe-events --source-type cache-cluster --duration 1440" is used to list the cache-cluster events for the past 24 hours (1440 minutes).
http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/ECEvents.Viewing.html
Question # 20
A company is running several workloads in a single AWS account. A new company policy states that engineers can provision only approved resources and that engineers must use AWS CloudFormation to provision these resources. A solutions architect needs to create a solution to enforce the new restriction on the IAM role that the engineers use for access.
What should the solutions architect do to create the solution?
- A. Provision resources in AWS CloudFormation stacks. Update the IAM policy for the engineers' IAM role to only allow access to their own AWS CloudFormation stack.
- B. Update the IAM policy for the engineers' IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy with permission to provision approved resources, and assign the policy to a new IAM service role. Assign the IAM service role to AWS CloudFormation during stack creation.
- C. Upload AWS CloudFormation templates that contain approved resources to an Amazon S3 bucket. Update the IAM policy for the engineers' IAM role to only allow access to Amazon S3 and AWS CloudFormation. Use AWS CloudFormation templates to provision resources.
- D. Update the IAM policy for the engineers' IAM role with permissions to only allow provisioning of approved resources and AWS CloudFormation. Use AWS CloudFormation templates to create stacks with approved resources.
Correct answer: A
Question # 21
A bank is designing an online customer service portal where customers can chat with customer service agents. The portal is required to maintain a 15-minute RPO or RTO in case of a regional disaster. Banking regulations require that all customer service chat transcripts must be preserved on durable storage for at least 7 years, chat conversations must be encrypted in-flight, and transcripts must be encrypted at rest. The Data Loss Prevention team requires that data at rest must be encrypted using a key that the team controls, rotates, and revokes.
Which design meets these requirements?
- A. The chat application logs each chat message into Amazon CloudWatch Logs. A subscription filter on the CloudWatch Logs group feeds into an Amazon Kinesis Data Firehose which streams the chat messages into an Amazon S3 bucket in the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Kinesis Data Firehose.
- B. The chat application logs each chat message into Amazon CloudWatch Logs. A scheduled AWS Lambda function invokes a CloudWatch Logs. CreateExportTask every 5 minutes to export chat transcripts to Amazon S3. The S3 bucket is configured for cross-region replication to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the S3 bucket.
- C. The chat application logs each chat message into Amazon CloudWatch Logs. The CloudWatch Logs group is configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy. Glacier cross-region replication mirrors chat archives to the backup region. Separate AWS KMS keys are specified for the CloudWatch Logs group and the Amazon Glacier vault.
- D. The chat application logs each chat message into two different Amazon CloudWatch Logs groups in two different regions, with the same AWS KMS key applied. Both CloudWatch Logs groups are configured to export logs into an Amazon Glacier vault with a 7-year vault lock policy with a KMS key specified.
Correct answer: D
Question # 22
A company runs a Windows Server host in a public subnet that is configured to allow a team of administrators to connect over RDP to troubleshoot issues with hosts in a private subnet. The host must be available at all times outside of a scheduled maintenance window, and needs to receive the latest operating system updates within 3 days of release.
What should be done to manage the host with the LEAST amount of administrative effort?
- A. Run the host in AWS OpsWorks Stacks. Use a Chef recipe to harden the AMI during instance launch. Use an AWS Lambda scheduled event to run the Upgrade Operating System stack command to apply system updates.
- B. Run the host in a single-instance AWS Elastic Beanstalk environment. Configure the environment with a custom AMI to use a hardened machine image from AWS Marketplace. Apply system updates with AWS Systems Manager Patch Manager.
- C. Run the host in an Auto Scaling group with a minimum and maximum instance count of 1. Use a hardened machine image from AWS Marketplace. Apply system updates with AWS Systems Manager Patch Manager.
- D. Run the host on AWS WorkSpaces. Use Amazon WorkSpaces Application Manager (WAM) to harden the host. Configure Windows automatic updates to occur every 3 days.
Correct answer: D
Explanation:
B: least amount of effort.
https://docs.aws.amazon.com/workspaces/latest/adminguide/workspace-maintenance.html
A, C: Does not make sense.
D: A lot more work than B.
Question # 23
Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance backend. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL.
Which are the best approaches to meet these requirements? (Choose two.)
- A. Increase the RDS MySQL instance size and implement provisioned IOPS.
- B. Deploy ElastiCache in-memory cache running in each availability zone.
- C. Implement sharding to distribute load to multiple RDS MySQL Instances.
- D. Add an RDS MySQL read replica in each availability zone.
Correct answer: B, D
Question # 24
A Solutions Architect must create a cost-effective backup solution for a company's 500 MB source code repository of proprietary and sensitive applications. The repository runs on Linux and backs up daily to tape. Tape backups are stored for 1 year.
The current solution is not meeting the company's needs because it is a manual process that is prone to error, expensive to maintain, and does not meet the need for a Recovery Point Objective (RPO) of 1 hour or Recovery Time Objective (RTO) of 2 hours. The new disaster recovery requirement is for backups to be stored offsite and to be able to restore a single file if needed.
Which solution meets the customer's needs for RTO, RPO, and disaster recovery with the LEAST effort and expense?
- A. Replace local tapes with an AWS Storage Gateway virtual tape library to integrate with current backup software. Run backups nightly and store the virtual tapes on Amazon S3 standard storage in US-EAST-1. Use cross-region replication to create a second copy in US-WEST-2. Use Amazon S3 lifecycle policies to perform automatic migration to Amazon Glacier and deletion of expired backups after 1 year.
- B. Replace the local source code repository storage with a Storage Gateway stored volume. Change the default snapshot frequency to 1 hour. Use Amazon S3 lifecycle policies to archive snapshots to Amazon Glacier and remove old snapshots after 1 year. Use cross-region replication to create a copy of the snapshots in US-WEST-2.
- C. Configure the local source code repository to synchronize files to an AWS Storage Gateway file gateway to store backup copies in an Amazon S3 Standard bucket. Enable versioning on the Amazon S3 bucket. Create Amazon S3 lifecycle policies to automatically migrate old versions of objects to Amazon S3 Standard-Infrequent Access, then Amazon Glacier, then delete backups after 1 year.
- D. Replace the local source code repository storage with a Storage Gateway cached volume. Create a snapshot schedule to take hourly snapshots. Use an Amazon CloudWatch Events schedule expression rule to run an hourly AWS Lambda task to copy snapshots from US-EAST-1 to US-WEST-2.
Correct answer: C
Explanation:
https://aws.amazon.com/storagegateway/faqs/?nc=sn&loc=6
https://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
A: Runs backups nightly: does not meet the RPO of 1 hour.
B: Although it does not have hourly snapshots, it has versioning configured. This is better for file-based recovery. The question only needs the backup to be stored offsite, so this actually does satisfy the requirement.
C: Because this uses cross-region replication, it has 2 copies and double the cost.
D: Because this is a cached copy, during restore you will need to download the whole volume from S3, which may exceed the 2-hour RTO.
Question # 25
A company runs a memory-intensive analytics application using on-demand Amazon EC2 compute optimized instances. The application is used continuously and application demand doubles during working hours. The application currently scales based on CPU usage. When scaling in occurs, a lifecycle hook is used because the instance requires 4 minutes to clean the application state before terminating.
Because users reported poor performance during working hours, scheduled scaling actions were implemented so additional instances would be added during working hours. The Solutions Architect has been asked to reduce the cost of the application.
Which solution is MOST cost-effective?
- A. Use the existing launch configuration that uses C5 instances, and update the application AMI to include SSM Agent. Leave the Auto Scaling policies to scale based on CPU utilization. Use scheduled Reserved Instances for the number of instances required after working hours, and use Spot Instances to cover the increased demand during work hours.
- B. Use the existing launch configuration that uses C5 instances, and update the application AMI to include the Amazon CloudWatch agent. Change the Auto Scaling policies to scale based on memory utilization. Use Reserved Instances for the number of instances required after working hours, and use Spot Instances to cover the increased demand during working hours.
- C. Create a new launch configuration using R5 instances, and update the application AMI to include the Amazon CloudWatch agent. Change the Auto Scaling policies to scale based on memory utilization. Use Reserved Instances for the number of instances required after working hours, and use Standard Reserved Instances with On-Demand Instances to cover the increased demand during working hours.
- D. Update the existing launch configuration to use R5 instances, and update the application AMI to include SSM Agent. Change the Auto Scaling policies to scale based on memory utilization. Use Reserved Instances for the number of instances required after working hours, and use Spot Instances with On-Demand Instances to cover the increased demand during working hours.
Correct answer: C
Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring_ec2.html
Question # 26
How many cg1.4xlarge on-demand instances can a user run in one region without taking any limit increase approval from AWS?
- A. 0
- B. 1
- C. 2
- D. 3
Correct answer: B
Explanation:
Generally AWS EC2 allows running 20 on-demand instances and 100 spot instances at a time. This limit can be increased by requesting at https://aws.amazon.com/contact-us/ec2-request. Excluding certain types of instances, the limit is lower than mentioned above. For cg1.4xlarge, the user can run only 2 on-demand instances at a time.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_ec2
Question # 27
A company has developed a web application that runs on Amazon EC2 instances in one AWS Region. The company has taken on new business in other countries and must deploy its application into other Regions to meet low-latency requirements for its users. The regions can be segregated, and an application running in one region does not need to communicate with instances in other regions.
How should the company's Solutions Architect automate the deployment of the application so that it can be MOST efficiently deployed into multiple regions?
- A. Write a bash script that uses the AWS CLI to query the current state in one region and output an AWS CloudFormation template. Create a CloudFormation stack from the template by using the AWS CLI, specifying the --region parameter to deploy the application to other regions.
- B. Write a CloudFormation template describing the application's infrastructure in the Resources section. Create a CloudFormation stack from the template by using the AWS CLI, specifying multiple regions using the --regions parameter to deploy the application.
- C. Write a CloudFormation template describing the application's infrastructure in the Resources section. Use a CloudFormation stack set from an administrator account to launch stack instances that deploy the application to other regions.
- D. Write a bash script that uses the AWS CLI to query the current state in one region and output a JSON representation. Pass the JSON representation to the AWS CLI, specifying the --region parameter to deploy the application to other regions.
Correct answer: C
Explanation:
A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template. All the resources included in each stack are defined by the stack set's AWS CloudFormation template. As you create the stack set, you specify the template to use, as well as any parameters and capabilities that template requires.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-concepts.html
https://sanderknape.com/2017/07/cloudformation-stacksets-automated-cross-account-region-deployments/
Question # 28
A company is configuring connectivity to a multi-account AWS environment to support application workloads that serve users in a single geographic region. The workloads depend on a highly available on-premises legacy system deployed across two locations. It is critical for the AWS workloads to maintain connectivity to the legacy system, and a minimum of 5 Gbps of bandwidth is required. All application workloads within AWS must have connectivity with one another. Which solution will meet these requirements?
- A. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a DX gateway in a central network account and associate it with the virtual private gateways. Create a public virtual interface on each DX connection and associate the interface with the DX gateway.
- B. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create private virtual interfaces on each connection for each AWS account VPC. Associate the private virtual interface with a virtual private gateway attached to each VPC.
- C. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a transit gateway in a central network account and associate it with the virtual private gateways. Create a transit virtual interface on each DX connection and attach the interface to the transit gateway.
- D. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create a transit gateway and a DX gateway in a central network account. Create a transit virtual interface for each DX interface and associate them with the DX gateway. Create a gateway association between the DX gateway and the transit gateway.
Correct answer: A
Question # 29
A company has a new application that needs to run on five Amazon EC2 instances in a single AWS Region.
The application requires high-throughput, low-latency network connections between all of the EC2 instances where the application will run. There is no requirement for the application to be fault tolerant.
Which solution will meet these requirements?
- A. Launch five new EC2 instances into an Auto Scaling group in the same Availability Zone. Attach an extra elastic network interface to each EC2 instance.
- B. Launch five new EC2 instances into a partition placement group. Ensure that the EC2 instance type supports enhanced networking.
- C. Launch five new EC2 instances into a spread placement group. Attach an extra elastic network interface to each EC2 instance.
- D. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2 instance type supports enhanced networking.
Correct answer: C
Question # 30
A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology.
The company plans to migrate the application to AWS and deploy it on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region.
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)
- A. Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC.
- B. Provision a transit gateway to facilitate communication between VPCs.
- C. Deploy the web application behind a Network Load Balancer.
- D. Deploy an Application Load Balancer in front of the security tool instances.
- E. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool.
Correct answer: A, E
Explanation:
Option A, Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC, allows the company to use its existing security tool while still running it within the AWS environment. This ensures that all packets coming in and out of the VPC are inspected by the security tool in real time. Option D, Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool, allows for high availability within an AWS Region. By provisioning a Gateway Load Balancer for each Availability Zone, the traffic is redirected to the security tool in the event of any failures or outages. This ensures that the security tool is always available to inspect the traffic, even in the event of a failure.
Question # 31
You are implementing AWS Direct Connect. You intend to use AWS public service endpoints such as Amazon S3 across the AWS Direct Connect link. You want other Internet traffic to use your existing link to an Internet Service Provider.
What is the correct way to configure AWS Direct Connect for access to services such as Amazon S3?
- A. Create a public interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure; advertise specific routes for your network to AWS.
- B. Configure a public interface on your AWS Direct Connect link. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Advertise a default route to AWS using BGP.
- C. Create a private interface on your AWS Direct Connect link. Redistribute BGP routes into your existing routing infrastructure and advertise a default route to AWS.
- D. Create a private interface on your AWS Direct Connect link. Configure a static route via your AWS Direct Connect link that points to Amazon S3. Configure specific routes to your network in your VPC.
Correct answer: A
Question # 32
A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public-facing ELB.
Auto Scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group, but at peak it can scale 3x in size.
The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisted IP addresses are allowed at a time and can be added through an API.
How should they architect their solution?
- A. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
- B. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instance's public IP address to the payment validation whitelist API.
- C. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
- D. Route payment requests through two NAT instances set up for High Availability and whitelist the Elastic IP addresses attached to the NAT instances.
Correct answer: D
Question # 33
A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address 198.51.100.2 destined for a private Amazon EC2 instance.
A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0.
Which set of steps should the solutions architect take to meet these requirements?
- A. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
- B. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
- C. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
- D. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
Correct answer: D
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ by Cloudxie says "select appropriate log"
Question # 34
A company is serving files to its customers through an SFTP server that is accessible over the internet. The SFTP server is running on a single Amazon EC2 instance with an Elastic IP address attached. Customers connect to the SFTP server through its Elastic IP address and use SSH for authentication. The EC2 instance also has an attached security group that allows access from all customer IP addresses.
A solutions architect must implement a solution to improve availability, minimize the complexity of infrastructure management, and minimize the disruption to customers who access files. The solution must not change the way customers connect.
Which solution will meet these requirements?
- A. Disassociate the Elastic IP address from the EC2 instance. Create an Amazon S3 bucket to be used for SFTP file hosting. Create an AWS Transfer Family server. Configure the Transfer Family server with a publicly accessible endpoint. Associate the SFTP Elastic IP address with the new endpoint. Point the Transfer Family server to the S3 bucket. Sync all files from the SFTP server to the S3 bucket.
- B. Disassociate the Elastic IP address from the EC2 instance. Create an Amazon S3 bucket to be used for SFTP file hosting. Create an AWS Transfer Family server. Configure the Transfer Family server with a VPC-hosted, internet-facing endpoint. Associate the SFTP Elastic IP address with the new endpoint. Attach the security group with customer IP addresses to the new endpoint. Point the Transfer Family server to the S3 bucket. Sync all files from the SFTP server to the S3 bucket.
- C. Disassociate the Elastic IP address from the EC2 instance. Create a new Amazon Elastic File System (Amazon EFS) file system to be used for SFTP file hosting. Create an AWS Fargate task definition to run an SFTP server. Specify the EFS file system as a mount in the task definition. Create a Fargate service by using the task definition, and place a Network Load Balancer (NLB) in front of the service. When configuring the service, attach the security group with customer IP addresses to the tasks that run the SFTP server. Associate the Elastic IP address with the NLB. Sync all files from the SFTP server to the S3 bucket.
- D. Disassociate the Elastic IP address from the EC2 instance. Create a multi-attach Amazon Elastic Block Store (Amazon EBS) volume to be used for SFTP file hosting. Create a Network Load Balancer (NLB) with the Elastic IP address attached. Create an Auto Scaling group with EC2 instances that run an SFTP server. Define in the Auto Scaling group that instances that are launched should attach the new multi-attach EBS volume. Configure the Auto Scaling group to automatically add instances behind the NLB. Configure the Auto Scaling group to use the security group that allows customer IP addresses for the EC2 instances that the Auto Scaling group launches. Sync all files from the SFTP server to the new multi-attach EBS volume.
Correct answer: B
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/aws-sftp-endpoint-type/
https://docs.aws.amazon.com/transfer/latest/userguide/create-server-in-vpc.html
Question # 35
An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module which logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file. If the application wants to set up a scalable infrastructure, which of the below mentioned options will help achieve this setup?
- A. Host logging and the app server on the same instance so that the network latency will be shorter.
- B. Create a separate module for logging and, using SQS, compartmentalize the module such that all calls to logging are asynchronous.
- C. Host logging and the app server on separate servers such that they are both in the same zone.
- D. Host the log files on EBS with PIOPS which will have higher I/O.
Correct answer: B
Explanation:
The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. The AWS architecture practice recommends compartmentalizing the functionality such that they can both run in parallel without affecting the performance of the main application. In this scenario logging takes a longer time due to the large size of the log file. Thus, it is recommended that the organization should separate them out, make separate modules, and make asynchronous calls among them. This way the application can scale as per the requirement and the performance will not bear the impact of logging.
Reference: http://www.awsarchitectureblog.com/2014/03/aws-and-compartmentalization.html
Question # 36
A large company is migrating its entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.
The Finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs.
The Security team requires a centralized mechanism to control IAM usage in all the company's accounts.
What combination of the following options meet the company's needs with LEAST effort? (Choose two.)
- A. Consolidate all of the company's AWS accounts into a single AWS account. Use tags for billing purposes and IAM's Access Advisor feature to enforce the least privilege model.
- B. Use a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
- C. Enable all features of AWS Organizations and establish appropriate service control policies that filter IAM permissions for sub-accounts.
- D. Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
- E. Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
Correct answer: C, E
Explanation:
E gives Finance one payer account with consolidated billing while each member account's charges stay visible for cost allocation, and C gives the Security team a single place to restrict IAM across every account through service control policies. Option D leaves every business unit paying its own bill, so it does not satisfy the centralized payment requirement; A and B need far more effort than enabling Organizations.
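To make option C concrete, here is an added example (not from the page and not an AWS-published policy) of a service control policy that filters IAM permissions in member accounts, together with a simplified evaluator that shows how SCPs combine along the root, OU and account path. The role name OrgAdmin and the account id are assumptions; the evaluator matches Action/Resource wildcards and the aws:PrincipalArn condition used here and ignores other condition keys.

```python
"""Hypothetical service control policy (SCP) plus a simplified evaluator.

Added example, not from the page or from AWS. The SCP is a constructed
guardrail for the "filter IAM permissions for sub-accounts" idea in option
C: member accounts keep full access except that only an OrgAdmin role
(hypothetical name) may mint long-lived IAM users and access keys, and
nobody may leave the organization. The evaluator reproduces only the core
SCP semantics (every policy on the root -> OU -> account path must allow
the action, and any explicit Deny wins); it matches Action/Resource
wildcards and the aws:PrincipalArn condition used below, and ignores
other condition keys.
"""
from fnmatch import fnmatchcase

# Constructed example SCP.
IAM_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowByDefault", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "DenyLongLivedIamCredentials", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile"],
         "Resource": "*",
         "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgAdmin"}}},
        {"Sid": "DenyLeavingOrganization", "Effect": "Deny",
         "Action": "organizations:LeaveOrganization", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?'), case-sensitive."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, principal_arn):
    """Evaluate ArnLike / ArnNotLike on aws:PrincipalArn; other keys are ignored."""
    for operator, keys in (condition or {}).items():
        patterns = keys.get("aws:PrincipalArn")
        if patterns is None:
            continue
        hit = _matches(patterns, principal_arn)
        if (operator == "ArnLike" and not hit) or (operator == "ArnNotLike" and hit):
            return False
    return True


def scp_allows(scps, action, resource, principal_arn):
    """True if every SCP in `scps` allows the action and none explicitly denies it."""
    for policy in scps:
        allowed = False
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), principal_arn):
                continue
            if stmt["Effect"] == "Deny":
                return False          # an explicit Deny anywhere in the chain wins
            allowed = True
        if not allowed:
            return False              # this level never granted the action
    return True
```

Pass the list of SCPs that apply to an account, root first, and the function answers whether an action survives all of them. Note that SCPs only bound what a principal could be granted; the principal still needs an identity policy in its own account, and the management account is never affected by SCPs.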
Question # 37
To abide by industry regulations, a Solutions Architect must design a solution that will store a company's critical data in multiple public AWS Regions, including in the United States, where the company is located. The Solutions Architect is required to provide access to the data stored in AWS to the company's global WAN network. The Security team mandates that no traffic accessing this data should traverse the public internet.
How should the Solutions Architect design a highly available solution that meets the requirements and is cost effective?
- A. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region. Use the company WAN to send traffic over a DX connection. Use inter-Region VPC peering to access the data in other AWS Regions.
- B. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region. Use the company WAN to send traffic over a DX connection. Use an AWS transit VPC solution to access data in other AWS Regions.
- C. Establish AWS Direct Connect connections from the company headquarters to all AWS Regions in use. Use the company WAN to send traffic to the headquarters and then over the respective DX connection to access the data.
- D. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region. Use the company WAN to send traffic over a DX connection. Use a Direct Connect gateway to access data in other AWS Regions.
Correct answer: D
Explanation:
A Direct Connect gateway lets the on-premises network reach VPCs in other Regions over the same redundant pair of DX connections with no transit instances to run and no traffic on the public internet. VPC peering does not carry traffic that arrives over Direct Connect (no edge-to-edge routing), a transit VPC adds EC2 appliances to pay for and patch, and a DX connection per Region is the most expensive design.
Question # 38
A company runs an e-commerce platform with front-end and e-commerce tiers. Both tiers run on LAMP stacks with the front-end instances running behind a load balancing appliance that has a virtual offering on AWS. Currently, the Operations team uses SSH to log in to the instances to maintain patches and address other concerns. The platform has recently been the target of multiple attacks, including
* A DDoS attack.
* An SQL injection attack.
* Several successful dictionary attacks on SSH accounts on the web servers.
The company wants to improve the security of the e-commerce platform by migrating to AWS.
The company's Solutions Architects have decided to use the following approach:
* Code review the existing application and fix any SQL injection issues.
* Migrate the web application to AWS and leverage the latest AWS Linux AMI to address initial security patching.
* Install AWS Systems Manager to manage patching and allow the system administrators to run commands on all instances, as needed.
What additional steps will address all of the other identified attack types while providing high availability and minimizing risk?
- A. Disable SSH access to the EC2 instances. Migrate on-premises MySQL to Amazon RDS Single-AZ. Leverage an AWS Elastic Load Balancer to spread the load. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
- B. Disable SSH access to the Amazon EC2 instances. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Leverage an Elastic Load Balancer to spread the load and enable AWS Shield Advanced for protection. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
- C. Enable SSH access to the Amazon EC2 instances through a bastion host secured by limiting access to specific IP addresses. Migrate on-premises MySQL to a self-managed EC2 instance. Leverage an AWS Elastic Load Balancer to spread the load and enable AWS Shield Standard for DDoS protection. Add an Amazon CloudFront distribution in front of the website.
- D. Enable SSH access to the Amazon EC2 instances using a security group that limits access to specific IPs. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Install the third-party load balancer from the AWS Marketplace and migrate the existing rules to the load balancer's AWS instances. Enable AWS Shield Standard for DDoS protection.
Correct answer: B
Explanation:
B is the only option that removes the SSH attack surface altogether (Systems Manager replaces interactive logins), keeps the database highly available with Multi-AZ, and puts AWS WAF in front of the application for SQL injection with Shield Advanced for DDoS. A gives up Multi-AZ, and C and D leave SSH reachable.
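Before "disable SSH" can be ticked off, someone has to find every rule that still admits it. The check below is an added example (not from the page) that audits security groups in the shape returned by EC2 DescribeSecurityGroups and grades each SSH source; the groups, group ids and addresses are constructed.

```python
"""Find security groups that still expose SSH.

Added example, not from the page. It reads the IpPermissions structure
that EC2 DescribeSecurityGroups returns, so it can be run over real output
(for example `aws ec2 describe-security-groups` saved to a file); the
groups below are constructed. Every inbound rule that reaches TCP/22 is
reported: /0 sources (the dictionary-attack case in the question) as
CRITICAL, other internet addresses as WARN, RFC 1918 / ULA sources and
security-group references as INFO. Option B removes the port entirely and
uses Systems Manager instead, so even WARN findings are worth closing.
"""
import ipaddress

SSH_PORT = 22
_PRIVATE = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def _reaches_port(perm, port):
    """Does this permission entry include `port` over TCP?"""
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return lo <= port <= hi


def _severity(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:                  # 0.0.0.0/0 or ::/0
        return "CRITICAL"
    if any(net.version == p.version and net.subnet_of(p) for p in _PRIVATE):
        return "INFO"
    return "WARN"


def ssh_findings(security_groups):
    """Return (group id, source, severity) for every rule that admits SSH."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if not _reaches_port(perm, SSH_PORT):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                findings.append((sg["GroupId"], src, _severity(src)))
            for pair in perm.get("UserIdGroupPairs", []):
                findings.append((sg["GroupId"], pair["GroupId"], "INFO"))
    return findings


def world_open_ssh(security_groups):
    """Group ids whose SSH port is reachable from anywhere on the internet."""
    return sorted({gid for gid, _, sev in ssh_findings(security_groups) if sev == "CRITICAL"})


# Constructed sample in DescribeSecurityGroups shape (not real output).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.7/32"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web", "UserId": "111111111111"}]},
    ]},
]

if __name__ == "__main__":
    for finding in ssh_findings(SAMPLE_SECURITY_GROUPS):
        print("%-10s %-20s %s" % finding)
```

The "all traffic" rule on sg-db is the one people miss: it never names port 22, yet it admits SSH from the whole 10/8 range. Once Session Manager is in place the expected result of this audit is an empty list.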
Question # 39
A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.
Which solutions meet these requirements? (Choose two.)
- A. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
- B. Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway's AWS integration type.
- C. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway's AWS integration type.
- D. Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions
- E. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
Correct answer: A, B
Explanation:
An HTTP API in front of Lambda functions (A) and a REST API that calls DynamoDB directly through the AWS integration type (B) are both serverless, HTTPS-only and scale with demand. HTTP APIs have no first-class DynamoDB integration (C), a Network Load Balancer has no listener rules and cannot target Lambda functions (D), and Global Accelerator has no Lambda@Edge integration (E).
https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-dynamo-db.html
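The Lambda side of option A, as an added example that is not from the page or the linked tutorial: a handler for the HTTP API payload format 2.0 that serves GET /items/{id} from a DynamoDB table. The route, the key format, the TABLE_NAME environment variable and the attribute allow-list are assumptions; the table object is injected so the handler runs offline against a constructed stand-in.

```python
"""Lambda handler behind an API Gateway HTTP API that returns one DynamoDB item.

Added example, not from the page or the linked tutorial. It receives the
HTTP API payload format 2.0 event for a hypothetical route GET /items/{id},
validates the path parameter before it reaches the data layer, and
returns only a fixed allow-list of attributes so internal columns never
leak through a public API. The table object is injected so the logic can
be checked offline; `lambda_handler` wires in a real boto3 Table using a
hypothetical TABLE_NAME environment variable.
"""
import json
import os
import re

# Hypothetical key format for the table's partition key `id`.
ITEM_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")
PUBLIC_FIELDS = ("id", "name", "price")   # attributes a caller may see


def _response(status, body):
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json", "Cache-Control": "no-store"},
            "body": json.dumps(body, default=str)}   # default=str covers DynamoDB Decimals


def handle(event, table):
    """Pure request handler; `table` exposes boto3's Table.get_item(Key=...)."""
    method = event.get("requestContext", {}).get("http", {}).get("method")
    if method != "GET":
        return _response(405, {"message": "method not allowed"})
    item_id = (event.get("pathParameters") or {}).get("id", "")
    if not ITEM_ID.fullmatch(item_id):      # fullmatch: no trailing newline tricks
        return _response(400, {"message": "invalid id"})
    item = table.get_item(Key={"id": item_id}).get("Item")
    if item is None:
        return _response(404, {"message": "not found"})
    return _response(200, {k: item[k] for k in PUBLIC_FIELDS if k in item})


def lambda_handler(event, context):
    """Entry point configured on the Lambda function (runs only inside AWS)."""
    import boto3  # present in the Lambda runtime; not needed offline
    table = boto3.resource("dynamodb").Table(os.environ["TABLE_NAME"])
    return handle(event, table)


class FakeTable:
    """Constructed stand-in for boto3's Table, used for the offline check."""
    def __init__(self, items):
        self._items = {i["id"]: i for i in items}

    def get_item(self, Key):
        item = self._items.get(Key["id"])
        return {"Item": item} if item is not None else {}


def http_api_event(method, item_id):
    """Minimal payload-format-2.0 event (constructed)."""
    return {"version": "2.0", "routeKey": "GET /items/{id}",
            "requestContext": {"http": {"method": method, "path": f"/items/{item_id}"}},
            "pathParameters": {"id": item_id}}


def body_of(response):
    return json.loads(response["body"])
```

The function's execution role should carry only dynamodb:GetItem on that one table; with the REST API direct integration of option B the same least-privilege rule applies to the API Gateway execution role, and the request mapping template takes over the validation done here in code.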
Question # 40
Identify a true statement about using an IAM role to grant permissions to applications running on Amazon EC2 instances.
- A. When AWS credentials are rotated, developers have to update only the root Amazon EC2 instance that uses their credentials.
- B. When AWS credentials are rotated, you don't have to manage credentials and you don't have to worry about long-term security risks.
- C. When AWS credentials are rotated, developers have to update only the Amazon EC2 instance on which the password policy was applied and which uses their credentials.
- D. When AWS credentials are rotated, you must manage credentials and you should consider precautions for long-term security risks.
Correct answer: B
Explanation:
Using IAM roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. Because role credentials are temporary and rotated automatically, you don't have to manage credentials, and you don't have to worry about long-term security risks.
http://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.html
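What "rotated automatically" looks like from inside the instance, as an added example that is not from the page or the AWS documentation: a small client that reads the role's temporary credentials from the instance metadata service and refreshes them shortly before they expire, which is what the AWS SDKs do for you. The role name WebAppRole, the expiry times and the constructed FakeImds responses are assumptions used for the offline check; the default fetcher speaks IMDSv2.

```python
"""Fetch and cache the temporary credentials an EC2 instance role provides.

Added example, not from the page or the AWS docs. It shows why the
explanation says you do not manage credentials: the instance metadata
service hands out a short-lived key set, and a fresh one is available
before the old one expires; the SDKs do exactly this internally. The HTTP
layer is injectable so the logic can be checked offline; the default talks
to IMDSv2 (PUT for a session token, then GET with the token header), which
is what real hosts should be locked to.
"""
from datetime import datetime, timedelta, timezone
import json
import urllib.request

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_TTL = 21600  # seconds; the maximum lifetime of an IMDSv2 token


def imdsv2_get(path, token=None):
    """Minimal IMDSv2 client: obtain a token, then GET `path` with it."""
    if token is None:
        req = urllib.request.Request(
            f"{IMDS}/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": str(TOKEN_TTL)})
        with urllib.request.urlopen(req, timeout=2) as resp:
            token = resp.read().decode()
    req = urllib.request.Request(f"{IMDS}{path}",
                                 headers={"X-aws-ec2-metadata-token": token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


class RoleCredentials:
    """Caches the instance role's credentials; refreshes before expiry."""
    REFRESH_MARGIN = timedelta(minutes=5)

    def __init__(self, fetch=imdsv2_get, now=lambda: datetime.now(timezone.utc)):
        self._fetch, self._now, self._creds = fetch, now, None

    def _expiring(self):
        return (self._creds is None
                or self._creds["Expiration"] - self._now() <= self.REFRESH_MARGIN)

    def get(self):
        if self._expiring():
            role = self._fetch(CREDS_PATH).splitlines()[0]   # first (only) role name
            raw = json.loads(self._fetch(CREDS_PATH + role))
            if raw.get("Code") != "Success":
                raise RuntimeError(f"IMDS returned {raw.get('Code')}")
            self._creds = {
                "AccessKeyId": raw["AccessKeyId"],
                "SecretAccessKey": raw["SecretAccessKey"],
                "Token": raw["Token"],
                "Expiration": datetime.strptime(raw["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
                                      .replace(tzinfo=timezone.utc),
            }
        return self._creds


class FakeImds:
    """Constructed IMDS responses for the offline check; counts credential fetches."""
    def __init__(self):
        self.calls = 0
        self.expiration = "2024-01-01T06:00:00Z"

    def __call__(self, path, token=None):
        if path == CREDS_PATH:
            return "WebAppRole\n"                       # hypothetical role name
        self.calls += 1
        return json.dumps({"Code": "Success", "AccessKeyId": f"ASIAEXAMPLE{self.calls}",
                           "SecretAccessKey": "constructed", "Token": "constructed",
                           "Expiration": self.expiration})


def demo_rotation():
    """Offline walk-through: one fetch serves until five minutes before expiry."""
    imds = FakeImds()
    clock = {"now": datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)}
    creds = RoleCredentials(fetch=imds, now=lambda: clock["now"])
    first = creds.get()["AccessKeyId"]
    clock["now"] += timedelta(hours=5)
    cached = creds.get()["AccessKeyId"]              # still fresh, no IMDS call
    clock["now"] += timedelta(minutes=56)            # inside the refresh margin
    imds.expiration = "2024-01-01T12:00:00Z"         # IMDS has rotated meanwhile
    rotated = creds.get()["AccessKeyId"]
    return first, cached, rotated, imds.calls
```

Nothing on disk or in an environment variable holds a long-lived secret, which is the point of option B. The caveat for real hosts is that the metadata endpoint is reachable by anything running on the instance, so require IMDSv2 (HttpTokens=required) and keep the hop limit at 1 so containers and SSRF bugs cannot harvest the role's keys.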
Question # 41
......
100% free AWS Certified Solutions Architect AWS-Solutions-Architect-Professional PDF sample questions, certification guide coverage: https://www.goshiken.com/Amazon/AWS-Solutions-Architect-Professional-mondaishu.html
The PDF exam material is the latest 2023 set of AWS-Solutions-Architect-Professional questions that actually appear on the exam: https://drive.google.com/open?id=1mLsDD4gUaNx2D7y3sU86vTPmrT5sN2qL