NO.15 A Solutions Architect is creating a multi-tiered architecture for an application that includes a
public-facing web tier. Security requirements state that the Amazon EC2 instances running in the
application tier must not be directly accessible from the internet.
What should be done to accomplish this?
A. Create a multi-VPC peering mesh with network access rules limiting communications to specific
ports. Implement an internet gateway on each VPC for external communication.
B. Place all instances in a single Amazon VPC with AWS WAF as the web front-end communication
conduit. Configure a NAT gateway for external communications.
C. Use VPC peering to peer with on-premises hardware. Direct enterprise traffic through the VPC
peer connection to the instances hosted in the private VPC.
D. Deploy the web and application instances in a private subnet. Provision an Application Load
Balancer in the public subnet, install a gateway, and use security groups to control communications
between the layers.
Ans: A or D
NO.35 A company wants to durably store data in 8 KB chunks. The company will access the data
once every few months. However, when the company does access the data, it must be done with as
little latency as possible.
Which AWS service should a Solutions Architect recommend if cost is NOT a factor?
A. Amazon DynamoDB
B. Amazon EBS Throughput Optimized HDD Volumes
C. Amazon EBS Cold HDD Volumes
D. Amazon ElastiCache
NO.58 A company is writing a new service running on Amazon EC2 that must create thumbnail
images of thousands of images in a large archive. The system will write scratch data to storage during
Which storage service is best suited for this scenario?
A. EC2 instance store
B. Amazon EFS
C. Amazon CloudSearch
D. Amazon EBS Throughput Optimized HDD (st1)
Ans: A or D
NO.81 A company is migrating on-premises databases to AWS. The company’s backend application
produces a large number of database queries for reporting purposes, and the company wants to
offload some of those reads to a Read Replica, allowing the primary database to continue performing
Which AWS database platforms will accomplish this? (Select TWO.)
A. Amazon RDS for Oracle
B. Amazon RDS for PostgreSQL
C. Amazon RDS for MariaDB
D. Amazon DynamoDB
E. Amazon RDS for Microsoft SQL Server
Answer: A B
NO.83 A Security team reviewed their company’s VPC Flow Logs and found that traffic is being
directed to the internet. The application in the VPC uses Amazon EC2 instances for compute and
Amazon S3 for storage. The company’s goal is to eliminate internet access and allow the application
to continue to function.
What change should be made in the VPC before updating the route table?
A. Create a NAT gateway for Amazon S3 access
B. Create a VPC endpoint for Amazon S3 access
C. Create a VPC endpoint for Amazon EC2 access
D. Create a NAT gateway for Amazon EC2 access
Ans: B or D
NO.86 A Solutions Architect must create a solution whereby user access to multiple Amazon Aurora
MySQL databases is securely managed with short-lived connection credentials.
How can the Solutions Architect meet these requirements?
A. Create a database user to run the GRANT statement with a short-lived token.
B. Create the user account to use the AWS-provided AWSAuthenticationPlugin with IAM.
C. Use AWS Systems Manager to securely save the connection secrets, and use the secrets while
D. Use AWS KMS to securely save the connection secrets, and use the secrets while connecting.
Ans: A or D
NO.101 An application publishes Amazon SNS messages in response to several events. An AWS
Lambda function subscribes to these messages. Occasionally the function will fail while processing a
message, so the original event message must be preserved for root cause analysis.
What architecture will meet these requirements without changing the workflow?
A. Subscribe an Amazon SQS queue to the Amazon SNS topic and trigger the Lambda function from
B. Configure Lambda to write failures to an SQS Dead Letter Queue.
C. Configure a Dead Letter Queue for the Amazon SNS topic.
D. Configure the Amazon SNS topic to invoke the Lambda function synchronously.
Ans: A or B
NO.105 A customer has a production application that frequently overwrites and deletes data, the
application requires the most up-to-date version of the data every time it is requested.
Which storage should a Solutions Architect recommend to best accommodate this use case?
A. Amazon S3
B. Amazon RDS
C. Amazon RedShift
D. AWS Storage Gateway
NO.111 A Solutions Architect is designing an Amazon VPC. Applications in the VPC must have private
connectivity to Amazon DynamoDB in the same AWS Region.
The design should route DynamoDB traffic through:
A. VPC peering connection.
B. NAT gateway
C. VPC endpoint
D. AWS Direct Connect
NO.146 A customer owns a simple API for their website that receives about 1,000 requests each day
and has an average response time of 50 ms. It is currently hosted on one c4.large instance.
Which changes to the architecture will provide high availability at the LOWEST cost?
A. Create an Auto Scaling group with a minimum of one instance and a maximum of two instances,
then use an Application Load Balancer to balance the traffic.
B. Recreate the API using Amazon API Gateway and use AWS Lambda as the service backend.
C. Create an Auto Scaling group with a maximum of two instances, then use an Application Load
Balancer to balance the traffic.
D. Recreate the API using Amazon API Gateway and integrate the new API with the existing backend
Ans: A or B
NO.149 An organization is deploying Amazon ElastiCache for Redis and requires password
protection to improve their data security posture.
Which solution should a Solutions Architect recommend?
A. Redis Auth
B. AWS Single Sign-On
C. IAM database authentication
D. VPC security group for Redis
Ans: A or B
NO.150 To meet compliance standards, a company must have encrypted archival data storage. Data
will be accessed infrequently, with lead times well in advance of when archived data must be
recovered. The company requires that the storage be secure, durable, and provided at the lowest
price per 1TB of data stored.
What type of storage should be used?
A. Amazon S3
B. Amazon EBS
C. Amazon Glacier
D. Amazon EFS
Ans: A or C
NO.159 A workload consists of downloading an image from an Amazon S3 bucket, processing the
image, and moving it to another Amazon S3 bucket. An Amazon EC2 instance runs a scheduled task
every hour to perform the operation.
How should a Solutions Architect redesign the process so that it is highly available?
A. Change the Amazon EC2 instance to compute optimized.
B. Launch a second Amazon EC2 instance to monitor the health of the first.
C. Trigger a Lambda function when a new object is uploaded.
D. Initially copy the images to an attached Amazon EBS volume.
NO.162 A Solutions Architect is designing a new architecture that will use an Amazon EC2 Auto
Which of the following factors determine the health check grace period? (Select TWO.)
A. How frequently the Auto Scaling group scales up or down.
B. How many Amazon CloudWatch alarms are configured for status checks.
C. How much of the application code is embedded in the AMI.
D. How long it takes for the Auto Scaling group to detect a failure.
E. How long the bootstrap script takes to run.
Answer: C E
NO.208 A Solutions Architect is defining a shared Amazon S3 bucket where corporate applications
will save objects.
How can the Architect ensure that when an application uploads an object to the Amazon S3 bucket,
the object is encrypted?
A. Set a CORS configuration.
B. Set a bucket policy to encrypt all Amazon S3 objects.
C. Enable default encryption on the bucket.
D. Set permissions for users
NO.215 A company hosts a two-tier application that consists of a publicly accessible web server that
communicates with a private database. Only HTTPS port 443 traffic to the web server must be
allowed from the Internet.
Which of the following options will achieve these requirements? (Choose two.)
A. Security group rule that allows inbound Internet traffic for port 443.
B. Security group rule that denies all inbound Internet traffic except port 443.
C. Network ACL rule that allows port 443 inbound and all ports outbound for Internet traffic.
D. Security group rule that allows Internet traffic for port 443 in both inbound and outbound.
E. Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic.
Answer: A E
Ans: AC or AE?
NO.256 A company is developing a new stateless web service with low memory requirements.
The service needs to scale based on demand.
What is the MOST cost-effective solution?
A. Deploy the application onto AWS Elastic Beanstalk
B. Deploy the application onto AWS Lambda with access through Amazon API Gateway
C. Deploy the application onto an Amazon EC2 Spot Fleet
D. Deploy the application onto a container with an Amazon ECS EC2 launch type
NO.274 A company runs a legacy application with a single-tier architecture on an Amazon EC2
instance. Disk I/O is low, with occasional small spikes during business hours. The company requires
the instance to be stopped from 8 PM to 8 AM daily.
Which storage option is MOST appropriate for this workload?
A. Amazon EC2 instance storage
B. Amazon EBS General Purpose SSD (gp2) storage
C. Amazon S3
D. Amazon EBS Provisioned IOPS SSD (io1) storage
Ans: B or C
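On NO.215 (AC or AE?), the point the two NACL options turn on is that security groups are stateful and network ACLs are stateless: a NACL inspects the web server's reply to the client as its own outbound packet, and that packet is addressed to the client's ephemeral source port, not to port 443. The Python simulation below is an added example and not part of the original post; the addresses, ports and rule sets are constructed to mirror options A, C and E, and nothing is sent on a real network.

```python
"""Stateful security group vs stateless network ACL on one HTTPS exchange.

Added example for question NO.215; not part of the original post. Every
address, port and rule below is constructed; nothing touches a real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "inbound" or "outbound", relative to the web server


@dataclass(frozen=True)
class Rule:
    direction: str
    port_from: int
    port_to: int
    action: str = "allow"  # security groups only have allow rules; NACLs also have deny

    def matches(self, pkt: Packet) -> bool:
        # Rules are written against the destination port of the packet being checked.
        return pkt.direction == self.direction and self.port_from <= pkt.dst_port <= self.port_to


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic is allowed without an outbound rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()  # (client_ip, client_port, server_port) of accepted flows

    def evaluate(self, pkt: Packet) -> bool:
        if pkt.direction == "inbound":
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        else:
            flow = (pkt.dst_ip, pkt.dst_port, pkt.src_port)
        if flow in self.tracked:
            return True  # reply belongs to a connection that was already admitted
        if any(rule.matches(pkt) for rule in self.rules):
            self.tracked.add(flow)
            return True
        return False


class NetworkAcl:
    """Stateless: each packet is matched alone, lowest rule number first, implicit deny at the end."""

    def __init__(self, numbered_rules):
        self.numbered_rules = list(numbered_rules)  # (rule_number, Rule); in/out tables share numbers

    def evaluate(self, pkt: Packet) -> bool:
        for _number, rule in sorted(self.numbered_rules, key=lambda nr: nr[0]):
            if rule.matches(pkt):
                return rule.action == "allow"
        return False


def https_exchange(client_ip="203.0.113.10", client_port=51034, server_ip="10.0.1.5"):
    """The two packets of one request/response: the reply targets the client's ephemeral port."""
    request = Packet(client_ip, client_port, server_ip, 443, "inbound")
    response = Packet(server_ip, 443, client_ip, client_port, "outbound")
    return request, response


def exchange_allowed(firewall) -> bool:
    request, response = https_exchange()
    return firewall.evaluate(request) and firewall.evaluate(response)


# Option A: security group with a single inbound rule for 443.
OPTION_A = SecurityGroup([Rule("inbound", 443, 443)])
# Option C: NACL allowing 443 inbound and all ports outbound.
OPTION_C = NetworkAcl([(100, Rule("inbound", 443, 443)), (100, Rule("outbound", 0, 65535))])
# Tighter form of C: outbound limited to the ephemeral range AWS documents for NACLs.
OPTION_C_EPHEMERAL = NetworkAcl([(100, Rule("inbound", 443, 443)), (100, Rule("outbound", 1024, 65535))])
# Option E: NACL allowing 443 in both directions only.
OPTION_E = NetworkAcl([(100, Rule("inbound", 443, 443)), (100, Rule("outbound", 443, 443))])

if __name__ == "__main__":
    for name, fw in [("A", OPTION_A), ("C", OPTION_C), ("C (1024-65535)", OPTION_C_EPHEMERAL), ("E", OPTION_E)]:
        print(f"option {name}: exchange {'completes' if exchange_allowed(fw) else 'blocked'}")
```

Option E admits the request and then drops the reply, because the reply's destination is the client's ephemeral port and the only outbound rule is for 443; the security group in option A needs no outbound rule at all for the same flow. A tighter version of option C allows outbound 1024-65535, the ephemeral range AWS documents for NACLs, instead of every port.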
Q58. A. The key phrase in this question is "scratch data": how best to store temporary data, and that is of course the instance store. Instance storage is not persistent, but it is the fastest and the best fit for holding temporary data.
Q83. B. Since the question only mentions needing EC2 and S3, a VPC Endpoint lets EC2 reach S3 while ensuring EC2 cannot reach the Internet. With a NAT GW attached it could still reach the Internet.
Q111. This one must be C. VPC Peering cannot achieve this, because DynamoDB is not inside a VPC; it is at the Region level.
Q146. Strictly speaking, A would also work here, but to achieve high availability, setting the Auto Scaling group to a maximum of 1 instance is enough. To save the most cost, though, it is without doubt the API GW + Lambda combination.
Q150. Definitely C. Several keywords: archival, infrequently, lowest price; it also says the time of retrieval is known in advance.
Q256. D. Several keywords: Stateless, low memory; well suited to a container service, because container services make maximum use of the instance's resources.