29 November, 2023

The Up To The Minute Guide To AWS-Certified-Solutions-Architect-Professional Preparation Exams

Ucertify offers free demo for AWS-Certified-Solutions-Architect-Professional exam. "Amazon AWS Certified Solutions Architect Professional", also known as AWS-Certified-Solutions-Architect-Professional exam, is a Amazon Certification. This set of posts, Passing the Amazon AWS-Certified-Solutions-Architect-Professional exam, will help you answer those questions. The AWS-Certified-Solutions-Architect-Professional Questions & Answers covers all the knowledge points of the real exam. 100% real Amazon AWS-Certified-Solutions-Architect-Professional exams and revised by experts!

Check AWS-Certified-Solutions-Architect-Professional free dumps before getting the full version:

Page: 1 / 33

Total 398 questions Full Exam Access

Question 1

A user is planning to host a Highly Available system on the AWS VPC. Which of the below mentioned statements is helpful in this scenario?

Create VPC subnets in two separate availability zones and launch instances in different subnets.

Create VPC with only one public subnet and launch instances in different AZs using that subnet.

Create two VPCs in two separate zones and setup failover with ELB such that if one VPC fails it will divert traffic to another VPC.

Create VPC with only one private subnet and launch instances in different AZs using that subne

Question 2

A corporate web application is deployed within an Amazon Virtual Private Cloud (VPC) and is connected to the corporate data center via an IPSec VPN. The application must authenticate against the
on-premises LDAP server. After authentication, each logged-in user can only access an Amazon Simple Storage Space (S3) keyspace specific to that user.
Which two approaches can satisfy these objectives? (Choose 2 answers)

Develop an identity broker that authenticates against IAM security Token service to assume a IAM role in order to get temporary AWS security credentials The application calls the identity broker to get AWS temporary security credentials with access to the appropriate S3 bucket.

The application authenticates against LDAP and retrieves the name of an IAM role associated with the use

The application then calls the IAM Security Token Service to assume that IAM rol

The application can use the temporary credentials to access the appropriate S3 bucket.

Develop an identity broker that authenticates against LDAP and then calls IAM Security Token Service to get IAM federated user credential

The application calls the identity broker to get IAM federated user credentials with access to the appropriate S3 bucket.

The application authenticates against LDAP the application then calls the AWS identity and AccessManagement (IAM) Security service to log in to IAM using the LDAP credentials the application can use the IAM temporary credentials to access the appropriate S3 bucket.

The application authenticates against IAM Security Token Service using the LDAP credentials the application uses those temporary AWS security credentials to access the appropriate S3 bucket.

Question 3

In Amazon Cognito, your mobile app authenticates with the Identity Provider (|dP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito, which returns a new for the user and a set
of temporary, limited-prMlege AWS credentials.

Cognito Key Pair

Cognito API

Cognito ID

Cognito SDK

Question 4

You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: is being used by CIoudFront." Which of the following statements is probably the reason why you are getting this error?

Before you can delete an SSL certificate you need to set up https on your server.

Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM

Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CIoudFront certificate.

You can't delete SSL certificates . You need to request it from AW

Question 5

A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

It will deny access

It is not possible to set a policy based on the time or IP

IAM will throw an error for policy conflict

It will allow access

Question 6

A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CIoudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which actMty would be useful in defending against this attack?

Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway)

Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Nlain Route Table with the new EIP

Create 15 Security Group rules to block the attacking IP addresses over port 80

Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

Question 7

You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose 2 answers)

Implement IDS/IPS agents on each Instance running In VPC

Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.

Implement Elastic Load Balancing with SSL listeners In front of the web applications

Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Question 8

You are tasked with moving a legacy application from a virtual machine running Inside your datacenter to an Amazon VPC Unfortunately this app requires access to a number of on-premises services and no one who configured the app still works for your company. Even worse there's no documentation for it.
What will allow the application running inside the VPC to reach back and access its internal dependencies
without being reconfigured? (Choose 3 answers)

An AWS Direct Connect link between the VPC and the network housing the internal services.

An Internet Gateway to allow a VPN connection.

An Elastic IP address on the VPC instance

An IP address space that does not conflict with the one on-premises

Entries in Amazon Route 53 that allow the Instance to resolve its dependencies' IP addresses

A VM Import of the current virtual machine

Question 9

You have a periodic Image analysis application that gets some files In Input analyzes them and tor each file writes some data in output to a ten file the number of files in input per day is high and concentrated in a few hours of the day.
Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results it takes almost 20 hours per day to complete the process
What services could be used to reduce the elaboration time and improve the availability of the solution?

S3 to store I/O file

SQS to distribute elaboration commands to a group of hosts working in paralle

Auto scaling to dynamically size the group of hosts depending on the length of the SQS queue

EBS with Provisioned IOPS (PIOPS) to store I/O file

SNS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications

S3 to store I/O files, SNS to distribute evaporation commands to a group of hosts working in paralle

Auto scaling to dynamically size the group of hosts depending on the number of SNS notifications

EBS with Provisioned IOPS (PIOPS) to store I/O files SQS to distribute elaboration commands to a group of hosts working in parallel Auto Scaling to dynamically size the group ot hosts depending on the length of the SQS queue.

Question 10

Your company has recently extended its datacenter into a VPC on AVVS to add burst computing capacity as needed Members of your Network Operations Center need to be able to go to the AWS Management Console and administer Amazon EC2 instances as necessary You don't want to create new IAM users for each NOC member and make those users sign in again to the AWS Management Console Which option below will meet the needs for your NOC members?

Use OAuth 2 0 to retrieve temporary AWS security credentials to enable your NOC members to sign in to the AWS Management Console.

Use web Identity Federation to retrieve AWS temporary security credentials to enable your NOC members to sign in to the AWS IV|anagement Console.

Use your on-premises SAML 2.0-compliant identity provider (IDP) to grant the NOC members federated access to the AWS Management Console via the AWS single sign-on (SSO) endpoint.

Use your on-premises SAML 2.0-compliam identity provider (IDP) to retrieve temporary security credentials to enable NOC members to sign in to the AWS Management Console.

Question 11

An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.
How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

The organization should not accept the request as sharing the credentials means compromising on security.

Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.

Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.

The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization’s data center.

Question 12

AWS has launched T2 instances which come with CPU usage credit. An organization has a requirement which keeps an instance running for 24 hours. However, the organization has high usage only during 11 AM to 12 PM. The organization is planning to use a T2 small instance for this purpose.
If the organization already has multiple instances running since Jan 2012, which of the below mentioned options should the organization implement while launching a T2 instance?

The organization must migrate to the EC2-VPC platform first before launching a T2 instance.

While launching a T2 instance the organization must create a new AWS account as this account does not have the EC2-VPC platform.

Create a VPC and launch a T2 instance as part of one of the subnets of that VPC.

While launching a T2 instance the organization must select EC2-VPC as the platform.

Question 13

Dave is the main administrator in Example Corp., and he decides to use paths to help delineate the users in the company and set up a separate administrator group for each path-based dMsion. Following is a subset of the full list of paths he plans to use:
. /marketing
. /saIes
.HegaI
Dave creates an administrator group for the marketing part of the company and calls it NIarketing_Admin. He assigns it the /marketing path. The group's ARN is arn:aws:iam::123456789012:group/marketing/NIarketing_Admin.
Dave assigns the following policy to the NIarketing_Admin group that gives the group permission to use all IAM actions with all groups and users in the /marketing path. The policy also gives the IV|arketing_Admin group permission to perform any AWS S3 actions on the objects in the portion of the corporate bucket.
{
"Version": "2012-10-I7",
"Statement": [
{
"Effect": "Deny",
"Action": "iam:*", "Resource": [
"arn:aws:iam::123456789012:group/marketing/*", "arn:aws:iam::123456789012:user/marketing/*"
I
},
{
"Effect": "A||ow",
"Action": "s3:*",
"Resource": "arn:aws:s3:::exampIe_bucket/marketing/*"
},
{
"Effect": "A||ow", "Action": "s3:ListBucket*",
"Resource": "arn:aws:s3:::exampIe_bucket", "Condition":{"StringLike":{"s3:prefix": "marketing/*"}} I
I I

True

False

Question 14

You deployed your company website using Elastic Beanstalk and you enabled log file rotation to S3. An Elastic Map Reduce job is periodically analyzing the logs on S3 to build a usage dashboard that you share with your CIO.
You recently improved overall performance of the website using Cloud Front for dynamic content delivery and your website as the origin.
After this architectural change, the usage dashboard shows that the traffic on your website dropped by an order of magnitude. How do you fix your usage dashboard'?

Enable Cloud Front to deliver access logs to S3 and use them as input of the Elastic Map Reduce job.

Turn on Cloud Trail and use trail log tiles on S3 as input of the Elastic Map Reduce job

Change your log collection process to use Cloud Watch ELB metrics as input of the Elastic MapReduce job

Use Elastic Beanstalk "Rebuild Environment" option to update log delivery to the Elastic lV|ap Reduce job.

Use Elastic Beanstalk 'Restart App server(s)" option to update log delivery to the Elastic Map Reduce job.

Question 15

An organization is making software for the CIA in US

CIA agreed to host the application on AWS but ina secure environmen

The organization is thinking of hosting the application on the AWS GovC|oud regio

Which of the below mentioned difference is not correct when the organization is hosting on the AWS GovCIoud in comparison with the AWS standard region?

The billing for the AWS GovCLoud will be in a different account than the Standard AWS account.

GovCIoud region authentication is isolated from Amazon.com.

Physical and logical administrative access only to U.

persons.

It is physically isolated and has logical network isolation from all the other region

Question 16

A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer's end, however the customer is unable to connect from EC2 instances inside its VPC to servers residing in its datacenter.
Which of the following options provide a viable solution to remedy this situation? (Choose 2 answers)

Add a route to the route table with an IPsec VPN connection as the target.

Enable route propagation to the virtual pinnate gateway (VGW).

Enable route propagation to the customer gateway (CGW).

Modify the route table of all Instances using the 'route' command.

Modify the Instances VPC subnet route table by adding a route back to the customer's on-premises environment.

Question 17

You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. www.examp|e.com) and has a 2-tier architecture, with multiple application sewers and a database sewer. Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A MuIti-AZ RDS MySQL instance will be used for the database. During the migration you can change the application code, but you have to file a change request.
How would you implement the architecture on AWS in order to maximize scalability and high availability?

File a change request to implement Alias Resource support in the applicatio

Use Route 53 Alias Resource Record to distribute load on two application servers in different Azs.

File a change request to implement Latency Based Routing support in the applicatio

Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different Azs.

File a change request to implement Cross-Zone support in the applicatio

Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.

File a change request to implement Proxy Protocol support in the applicatio

Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different Azs.

Question 18

What happens when Dedicated instances are launched into a VPC?

If you launch an instance into a VPC that has an instance tenancy of dedicated, you must manually create a Dedicated instance.

If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is created as a Dedicated instance, only based on the tenancy of the instance.

If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance isautomatically a Dedicated instance, regardless of the tenancy of the instance.

None of these are tru

Question 19

True or False: The Amazon EIastiCache clusters are not available for use in VPC at this time.

TRUE

True, but they are available only in the GovCIoud.

True, but they are available only on request.

FALSE

Question 20

An organization, which has the AWS account ID as Q99988887777, has created 50 IAM users. All the users are added to the same group examkiller. If the organization has enabled that each IAM user can login with the AWS console, which AWS login URL will the IAM users use??

https://Q99988887777.aws.amazon.com/examkiIIer/

https://signin.aws.amazon.com/examki|Ier/

https://examkiller.signin.aws.amazon.com/999988887777/consoIe/

https://999988887777.signin.aws.amazon.com/consoIe/

Question 21

A user is configuring MySQL RDS with PIOPS. What should be the minimum PIOPS that the user should provision?

1000

200

2000

500

Question 22

Identify an application that polls AWS Data Pipeline for tasks and then performs those tasks.

A task executor

A task deployer

A task runner

A task optimizer

Question 23

An organization has created multiple components of a single application for compartmentalization. Currently all the components are hosted on a single EC2 instance. Due to security reasons the organization wants to implement two separate SSLs for the separate modules although it is already using VPC. How can the organization achieve this with a single instance?

You have to launch two instances each in a separate subnet and allow VPC peering for a single IP.

Create a VPC instance which will have multiple network interfaces with multiple elastic IP addresses.

Create a VPC instance which will have both the ACL and the security group attached to it and have separate rules for each IP address.

Create a VPC instance which will have multiple subnets attached to it and each will have a separate IP address.

Question 24

You are designing a multi-platform web application for AWS The application will run on EC2 instances and will be accessed from PCs. tablets and smart phones Supported accessing platforms are Windows, MacOS, IOS and Android Separate sticky session and SSL certificate setups are required for different platform types which of the following describes the most cost effective and performance efficient architecture setup?

Setup a hybrid architecture to handle session state and SSL certificates on-prem and separate EC2 Instance groups running web applications for different platform types running in a VPC.

Set up one ELB for all platforms to distribute load among multiple instance under it Each EC2 instance implements ail functionality for a particular platform.

Set up two ELBs The first ELB handles SSL certificates for all platforms and the second ELB handles session stickiness for all platforms for each ELB run separate EC2 instance groups to handle the web application for each platform.

Assign multiple ELBS to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type Session stickiness and SSL termination are done at the ELBs.

Question 25

What is the maximum length for a certificate ID in AWS IAM?

1024 characters

512 characters

64 characters

128 characters

Page: 1 / 33

Total 398 questions Full Exam Access