Practice Free SAA-C03 Exam Online Questions
Question #131
A company uses Amazon EC2 instances and stores data on Amazon Elastic Block Store (Amazon EBS) volumes. The company must ensure that all data is encrypted at rest by using AWS Key Management Service (AWS KMS). The company must be able to control rotation of the encryption keys.
Which solution will meet these requirements with the LEAST operational overhead?
- A . Create a customer managed key Use the key to encrypt the EBS volumes.
- B . Use an AWS managed key to encrypt the EBS volumes. Use the key to configure automatic key rotation.
- C . Create an external KMS key with imported key material. Use the key to encrypt the EBS volumes.
- D . Use an AWS owned key to encrypt the EBS volumes.
Correct Answer: A
A
Explanation:
To meet the requirement of controlling key rotation with minimal operational overhead, creating a customer managed key (CMK) in AWS KMS is the optimal solution. With CMKs, you can define custom key rotation policies, ensuring that you retain control over the key lifecycle, including enabling automatic key rotation every year.
Key AWS features:
Custom Key Management: A customer managed key allows you to control the key policies, lifecycle, and enable key rotation for compliance.
Least Operational Overhead: Using a customer managed key simplifies encryption management while offering more flexibility than AWS managed or owned keys.
AWS Documentation: The AWS Well-Architected Framework recommends customer managed keys for environments where key control and flexibility are required.
A
Explanation:
To meet the requirement of controlling key rotation with minimal operational overhead, creating a customer managed key (CMK) in AWS KMS is the optimal solution. With CMKs, you can define custom key rotation policies, ensuring that you retain control over the key lifecycle, including enabling automatic key rotation every year.
Key AWS features:
Custom Key Management: A customer managed key allows you to control the key policies, lifecycle, and enable key rotation for compliance.
Least Operational Overhead: Using a customer managed key simplifies encryption management while offering more flexibility than AWS managed or owned keys.
AWS Documentation: The AWS Well-Architected Framework recommends customer managed keys for environments where key control and flexibility are required.
Question #132
An online gaming company is transitioning user data storage to Amazon DynamoDB to support the company’s growing user base. The current architecture includes DynamoDB tables that contain user profiles, achievements, and in-game transactions.
The company needs to design a robust, continuously available, and resilient DynamoDB architecture to maintain a seamless gaming experience for users.
Which solution will meet these requirements MOST cost-effectively?
- A . Create DynamoDB tables in a single AWS Region. Use on-demand capacity mode. Use global tables to replicate data across multiple Regions.
- B . Use DynamoDB Accelerator (DAX) to cache frequently accessed data. Deploy tables in a single AWS Region and enable auto scaling. Configure Cross-Region Replication manually to additional Regions.
- C . Create DynamoDB tables in multiple AWS Regions. Use on-demand capacity mode. Use
DynamoDB Streams for Cross-Region Replication between Regions. - D . Use DynamoDB global tables for automatic multi-Region replication. Deploy tables in multiple AWS Regions. Use provisioned capacity mode. Enable auto scaling.
Correct Answer: D
D
Explanation:
DynamoDB Global Tables provide a fully managed, multi-region, and multi-master database solution that allows you to deploy DynamoDB tables in multiple AWS Regions. This ensures high availability and resiliency across different geographical locations, providing a seamless gaming experience for users. Using provisioned capacity mode with auto-scaling ensures cost-efficiency by scaling up or down based on actual demand.
Option A: While on-demand capacity mode is flexible, provisioned capacity with auto-scaling is more cost-effective for predictable workloads.
Option B (DAX): DAX improves read performance, but it doesn’t provide the multi-region replication needed for high availability and resiliency.
Option C: DynamoDB Streams with manual cross-region replication adds more complexity and operational overhead compared to Global Tables. AWS
Reference: DynamoDB Global Tables
D
Explanation:
DynamoDB Global Tables provide a fully managed, multi-region, and multi-master database solution that allows you to deploy DynamoDB tables in multiple AWS Regions. This ensures high availability and resiliency across different geographical locations, providing a seamless gaming experience for users. Using provisioned capacity mode with auto-scaling ensures cost-efficiency by scaling up or down based on actual demand.
Option A: While on-demand capacity mode is flexible, provisioned capacity with auto-scaling is more cost-effective for predictable workloads.
Option B (DAX): DAX improves read performance, but it doesn’t provide the multi-region replication needed for high availability and resiliency.
Option C: DynamoDB Streams with manual cross-region replication adds more complexity and operational overhead compared to Global Tables. AWS
Reference: DynamoDB Global Tables
Question #133
A company sets up an organization in AWS Organizations that contains 10AWS accounts. A solutions
architect must design a solution to provide access to the accounts for several thousand employees. The company has an existing identity provider (IdP). The company wants to use the existing IdP for authentication to AWS.
Which solution will meet these requirements?
- A . Create IAM users for the employees in the required AWS accounts. Connect IAM users to the existing IdP. Configure federated authentication for the IAM users.
- B . Set up AWS account root users with user email addresses and passwords that are synchronized from the existing IdP.
- C . Configure AWS IAM Identity Center Connect IAM Identity Center to the existing IdP Provision users and groups from the existing IdP
- D . Use AWS Resource Access Manager (AWS RAM) to share access to the AWS accounts with the users in the existing IdP.
Correct Answer: C
C
Explanation:
AWS IAM Identity Center:
IAM Identity Center provides centralized access management for multiple AWS accounts within an organization and integrates seamlessly with existing identity providers (IdPs) through SAML 2.0 federation.
It allows users to authenticate using their existing IdP credentials and gain access to AWS resources without the need to create and manage separate IAM users in each account.
IAM Identity Centeralso simplifies provisioning and de-provisioning users, as it can automatically synchronize users and groups from the external IdP to AWS, ensuring secure and managed access. Integration with Existing IdP:
The solution involves configuringIAM Identity Centerto connect to the company’s IdP using SAML. This setup allows employees to log in with their existing credentials, reducing the complexity of managing separate AWS credentials.
Once connected, IAM Identity Centerhandles authentication and authorization, granting users access to the AWS accounts based on their assigned roles and permissions.
Why the Other Options Are Incorrect:
Option A: Creating separateIAM usersfor each employee is not scalable or efficient. Managing thousands of IAM users across multiple AWS accounts introduces unnecessary complexity and operational overhead.
Option B: Using AWSroot userswith synchronized passwords is a security risk and goes against AWS best practices. Root accounts should never be used for day-to-day operations.
Option D: AWS Resource Access Manager (RAM)is used for sharing AWS resources between accounts, not for federating access for users across accounts. It doesn’t provide a solution for authentication via an external IdP.
AWS
Reference: AWS IAM Identity Center
SAML 2.0 Integration with AWS IAM Identity Center
By setting upIAM Identity Centerand connecting it to the existing IdP, the company can efficiently manage access for thousands of employees across multiple AWS accounts with a high degree of operational efficiency and security. Therefore, Option Cis the best solution.
C
Explanation:
AWS IAM Identity Center:
IAM Identity Center provides centralized access management for multiple AWS accounts within an organization and integrates seamlessly with existing identity providers (IdPs) through SAML 2.0 federation.
It allows users to authenticate using their existing IdP credentials and gain access to AWS resources without the need to create and manage separate IAM users in each account.
IAM Identity Centeralso simplifies provisioning and de-provisioning users, as it can automatically synchronize users and groups from the external IdP to AWS, ensuring secure and managed access. Integration with Existing IdP:
The solution involves configuringIAM Identity Centerto connect to the company’s IdP using SAML. This setup allows employees to log in with their existing credentials, reducing the complexity of managing separate AWS credentials.
Once connected, IAM Identity Centerhandles authentication and authorization, granting users access to the AWS accounts based on their assigned roles and permissions.
Why the Other Options Are Incorrect:
Option A: Creating separateIAM usersfor each employee is not scalable or efficient. Managing thousands of IAM users across multiple AWS accounts introduces unnecessary complexity and operational overhead.
Option B: Using AWSroot userswith synchronized passwords is a security risk and goes against AWS best practices. Root accounts should never be used for day-to-day operations.
Option D: AWS Resource Access Manager (RAM)is used for sharing AWS resources between accounts, not for federating access for users across accounts. It doesn’t provide a solution for authentication via an external IdP.
AWS
Reference: AWS IAM Identity Center
SAML 2.0 Integration with AWS IAM Identity Center
By setting upIAM Identity Centerand connecting it to the existing IdP, the company can efficiently manage access for thousands of employees across multiple AWS accounts with a high degree of operational efficiency and security. Therefore, Option Cis the best solution.
Question #134
An online video game company must maintain ultra-low latency for its game servers. The game servers run on Amazon EC2 instances. The company needs a solution that can handle millions of UDP internet traffic requests each second.
Which solution will meet these requirements MOST cost-effectively?
- A . Configure an Application Load Balancer with the required protocol and ports for the internet traffic. Specify the EC2 instances as the targets.
- B . Configure a Gateway Load Balancer for the internet traffic. Specify the EC2 instances as the targets.
- C . Configure a Network Load Balancer with the required protocol and ports for the internet traffic.
Specify the EC2 instances as the targets. - D . Launch an identical set of game servers on EC2 instances in separate AWS Regions. Route internet traffic to both sets of EC2 instances.
Correct Answer: C
C
Explanation:
The most cost-effective solution for the online video game company is to configure a Network Load Balancer with the required protocol and ports for the internet traffic and specify the EC2 instances as the targets. This solution will enable the company to handle millions of UDP requests per second with ultra-low latency and high performance.
A Network Load Balancer is a type of Elastic Load Balancing that operates at the connection level (Layer 4) and routes traffic to targets (EC2 instances, microservices, or containers) within Amazon VPC based on IP protocol data. A Network Load Balancer is ideal for load balancing of both TCP and UDP traffic, as it is capable of handling millions of requests per second while maintaining high throughput at ultra-low latency. A Network Load Balancer also preserves the source IP address of the clients to the back-end applications, which can be useful for logging or security purposes1.
C
Explanation:
The most cost-effective solution for the online video game company is to configure a Network Load Balancer with the required protocol and ports for the internet traffic and specify the EC2 instances as the targets. This solution will enable the company to handle millions of UDP requests per second with ultra-low latency and high performance.
A Network Load Balancer is a type of Elastic Load Balancing that operates at the connection level (Layer 4) and routes traffic to targets (EC2 instances, microservices, or containers) within Amazon VPC based on IP protocol data. A Network Load Balancer is ideal for load balancing of both TCP and UDP traffic, as it is capable of handling millions of requests per second while maintaining high throughput at ultra-low latency. A Network Load Balancer also preserves the source IP address of the clients to the back-end applications, which can be useful for logging or security purposes1.
Question #135
A financial company needs to handle highly sensitive data. The company will store the data in an Amazon S3 bucket. The company needs to ensure that the data is encrypted in transit and at rest. The company must manage the encryption keys outside the AWS Cloud.
Which solution will meet these requirements?
- A . Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) customer managed key
- B . Encrypt the data in the S3 bucket with server-side encryption (SSE) that uses an AWS Key Management Service (AWS KMS) AWS managed key
- C . Encrypt the data in the S3 bucket with the default server-side encryption (SSE)
- D . Encrypt the data at the company’s data center before storing the data in the S3 bucket
Correct Answer: D
D
Explanation:
This option is the only solution that meets the requirements because it allows the company to encrypt the data with its own encryption keys and tools outside the AWS Cloud. By encrypting the data at the company’s data center before storing the data in the S3 bucket, the company can ensure that the data is encrypted in transit and at rest, and that the company has full control over the encryption keys and processes. This option also avoids the need to use any AWS encryption services or features, which may not be compatible with the company’s security policies or compliance standards.
D
Explanation:
This option is the only solution that meets the requirements because it allows the company to encrypt the data with its own encryption keys and tools outside the AWS Cloud. By encrypting the data at the company’s data center before storing the data in the S3 bucket, the company can ensure that the data is encrypted in transit and at rest, and that the company has full control over the encryption keys and processes. This option also avoids the need to use any AWS encryption services or features, which may not be compatible with the company’s security policies or compliance standards.
Question #136
A solutions architect needs to connect a company’s corporate network to its VPC to allow on-premises access to its AWS resources. The solution must provide encryption of all trafficbetween the corporate network and the VPC at the network layer and the session layer. The solution also must provide security controls to prevent unrestricted access between AWS and the on-premises systems.
Which solution meets these requirements?
- A . Configure AWS Direct Connect to connect to the VPC. Configure the VPC route tables to allow and deny traffic between AWS and on premises as required.
- B . Create an IAM policy to allow access to the AWS Management Console only from a defined set of corporate IP addresses Restrict user access based on job responsibility by using an IAM policy and roles
- C . Configure AWS Site-to-Site VPN to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.
- D . Configure AWS Transit Gateway to connect to the VPC. Configure route table entries to direct traffic from on premises to the VPC. Configure instance security groups and network ACLs to allow only required traffic from on premises.
Correct Answer: C
C
Explanation:
This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.
AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS. Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.
Why Not Other Options?
Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.
Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.
Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption. AWS
Reference: AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.
Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.
C
Explanation:
This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.
AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS. Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.
Why Not Other Options?
Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.
Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.
Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption. AWS
Reference: AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.
Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.
Question #137
A company has resources across multiple AWS Regions and accounts. A newly hired solutions architect discovers a previous employee did not provide details about the resources invent^. The solutions architect needs to build and map the relationship details of the various workloads across all accounts.
Which solution will meet these requirements in the MOST operationally efficient way?
- A . Use AWS Systems Manager Inventory to generate a map view from the detailed view report.
- B . Use AWS Step Functions to collect workload details Build architecture diagrams of the workloads manually.
- C . Use Workload Discovery on AWS to generate architecture diagrams of the workloads.
- D . Use AWS X-Ray to view the workload details Build architecture diagrams with relationships
Correct Answer: C
C
Explanation:
Workload Discovery on AWS (formerly called AWS Perspective) is a tool that visualizes AWS Cloud workloads. It maintains an inventory of the AWS resources across your accounts and Regions, mapping relationships between them, and displaying them in a web UI. It also allows you to query AWS Cost and Usage Reports, search for resources, save and export architecture diagrams, and more1. By using Workload Discovery on AWS, the solution can build and map the relationship details of the various workloads across all accounts with the least operational effort.
C
Explanation:
Workload Discovery on AWS (formerly called AWS Perspective) is a tool that visualizes AWS Cloud workloads. It maintains an inventory of the AWS resources across your accounts and Regions, mapping relationships between them, and displaying them in a web UI. It also allows you to query AWS Cost and Usage Reports, search for resources, save and export architecture diagrams, and more1. By using Workload Discovery on AWS, the solution can build and map the relationship details of the various workloads across all accounts with the least operational effort.
Question #138
An online photo-sharing company stores Hs photos in an Amazon S3 bucket that exists in the us-west-1 Region. The company needs to store a copy of all new photos in the us-east-1 Region.
Which solution will meet this requirement with the LEAST operational effort?
- A . Create a second S3 bucket in us-east-1. Use S3 Cross-Region Replication to copy photos from the existing S3 bucket to the second S3 bucket.
- B . Create a cross-origin resource sharing (CORS) configuration of the existing S3 bucket. Specify us-east-1 in the CORS rule’s Allowed Ongm element.
- C . Create a second S3 bucket in us-east-1 across multiple Availability Zones. Create an S3 Lifecycle rule to save photos into the second S3 bucket,
- D . Create a second S3 bucket In us-east-1. Configure S3 event notifications on object creation and update events to Invoke an AWS Lambda function to copy photos from the existing S3 bucket to the second S3 bucket.
Correct Answer: A
A
Explanation:
Understanding the Requirement: The company needs to store a copy of all new photos in the us-east-1 Region from an S3 bucket in the us-west-1 Region.
Analysis of Options:
Cross-Region Replication: Automatically replicates objects across regions with minimal operational effort once configured.
CORS Configuration: Used for allowing resources on a web page to be requested from another domain, not for replication.
S3 Lifecycle Rule: Manages the transition of objects between storage classes within the same bucket, not for cross-region replication.
S3 Event Notifications with Lambda: Requires additional configuration and management compared to Cross-Region Replication.
Best Solution:
S3 Cross-Region Replication: This solution provides an automated and efficient way to replicate objects to another region, meeting the requirement with the least operational effort.
Reference: Amazon S3 Cross-Region Replication
A
Explanation:
Understanding the Requirement: The company needs to store a copy of all new photos in the us-east-1 Region from an S3 bucket in the us-west-1 Region.
Analysis of Options:
Cross-Region Replication: Automatically replicates objects across regions with minimal operational effort once configured.
CORS Configuration: Used for allowing resources on a web page to be requested from another domain, not for replication.
S3 Lifecycle Rule: Manages the transition of objects between storage classes within the same bucket, not for cross-region replication.
S3 Event Notifications with Lambda: Requires additional configuration and management compared to Cross-Region Replication.
Best Solution:
S3 Cross-Region Replication: This solution provides an automated and efficient way to replicate objects to another region, meeting the requirement with the least operational effort.
Reference: Amazon S3 Cross-Region Replication
Question #139
A company is planning to deploy its application on an Amazon Aurora PostgreSQL Serverless v2 cluster. The application will receive large amounts of traffic. The company wants to optimize the storage performance of the cluster as the load on the application increases.
Which solution will meet these requirements MOST cost-effectively?
- A . Configure the cluster to use the Aurora Standard storage configuration.
- B . Configure the cluster storage type as Provisioned IOPS.
- C . Configure the cluster storage type as General Purpose.
- D . Configure the cluster to use the Aurora l/O-Optimized storage configuration.
Correct Answer: D
D
Explanation:
Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.
Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.
Implementation:
During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.
The storage system will automatically handle scaling and performance optimization based on the application load.
Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.
Reference: Amazon Aurora I/O-Optimized
D
Explanation:
Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.
Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.
Implementation:
During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.
The storage system will automatically handle scaling and performance optimization based on the application load.
Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.
Reference: Amazon Aurora I/O-Optimized
Question #140
A company wants to improve its ability to clone large amounts of production data into a test environment in the same AWS Region. The data is stored in Amazon EC2 instances on Amazon Elastic Block Store (Amazon EBS) volumes. Modifications to the cloned data must not affect the production environment. The software that accesses this data requires consistently high I/O performance.
A solutions architect needs to minimize the time that is required to clone the production data into the test environment.
Which solution will meet these requirements?
- A . Take EBS snapshots of the production EBS volumes. Restore the snapshots onto EC2 instance store volumes in the test environment.
- B . Configure the production EBS volumes to use the EBS Multi-Attach feature. Take EBS snapshots of the production EBS volumes. Attach the production EBS volumes to the EC2 instances in the test environment.
- C . Take EBS snapshots of the production EBS volumes. Create and initialize new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment before restoring the volumes from the production EBS snapshots.
- D . Take EBS snapshots of the production EBS volumes. Turn on the EBS fast snapshot restore feature
on the EBS snapshots. Restore the snapshots into new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment.
Correct Answer: C
C
Explanation:
To clone the production data into the test environment with high I/O performance and without
affecting the production environment, the best option is to take EBS snapshots of the production EBS
volumes and restore them onto new EBS volumes in the test environment. Then, attach the new EBS
volumes to EC2 instances in the test environment. This option minimizes the time required to clone
the data and ensures that modifications to the cloned data do not affect the production environment.
Therefore, option C is the correct answer.
Reference: https: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html
C
Explanation:
To clone the production data into the test environment with high I/O performance and without
affecting the production environment, the best option is to take EBS snapshots of the production EBS
volumes and restore them onto new EBS volumes in the test environment. Then, attach the new EBS
volumes to EC2 instances in the test environment. This option minimizes the time required to clone
the data and ensures that modifications to the cloned data do not affect the production environment.
Therefore, option C is the correct answer.
Reference: https: //docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html