AWS Certified Solutions Architect Associate Exam 2023 Questions And Answers
Elastic Network Interface (ENI) - Answer- An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:
When it's running (hot attach)
When it's stopped (warm attach)
When the instance is being launched (cold attach).
Amazon SQS (Simple Queue Service) - Answer- Offers reliable and scalable hosted queues for storing messages as they travel between computers. Provides a hosted queue for storing messages as they travel between computers.
Makes it easy to build automated workflow between web services
Transmit any volume of data, at any throughput level without losing messages or requiring other services to be always available
A hosted queue that lets you integrate and decouple distributed software systems and components.
SQS supports both standard and FIFO queues.
SQS uses pull based (polling) not push based.
Users can access Amazon SQS from their VPC using VPC endpoints, without using public IPs, and without needing to traverse the public internet. VPC endpoints for Amazon SQS are powered by AWS PrivateLink.
Amazon S3 - Answer- Simple Storage Service (SaaS), a scalable, high-speed, low-cost, web-based cloud storage service designed for online backup and archiving of data and application programs.
AWS Lambda - Answer- AWS Lambda is a compute service where you can upload your code and the service can run the code on your behalf using the AWS infrastructure. You package up and upload your custom code to AWS Lambda when you create a Lambda function.
Amazon S3 Notification Feature - Answer- The Amazon S3 notification feature enables you to receive notifications when certain events happen in your bucket. To enable notifications, you must first add a notification configuration identifying the events you want Amazon S3 to publish, and the destinations where you want Amazon S3 to send the event notifications.
Amazon S3 supports the following destinations where it can publish events:
Amazon Simple Notification Service (Amazon SNS) topic - A web service that coordinates and manages the delivery or sending of messages to subscribing endpoints or clients.
Amazon Simple Queue Service (Amazon SQS) queue - Offers reliable and scalable hosted queues for storing messages as they travel between computers.
AWS Lambda - AWS Lambda is a compute service where you can upload your code and the service can run the code on your behalf using the AWS infrastructure. You package up and upload your custom code to AWS Lambda when you create a Lambda function.
Amazon DynamoDB - Answer- DynamoDB is a NoSQL database that supports key-value and document data structures. A key-value store is a database service that provides support for storing, querying, and updating collections of objects that are identified using a key and values that contain the actual content being stored. Meanwhile, a document data store provides support for storing, querying, and updating items in a document format such as JSON, XML, and HTML.
Amazon S3 as a Database Repository or Search Engine Target - Answer- To speed up access to relevant data, you can pair Amazon S3 with a search engine such as Amazon CloudSearch or a database such as Amazon DynamoDB or Amazon RDS. In these scenarios, Amazon S3 stores the actual information, and the search engine or database serves as the repository for associated metadata such as the object name, size, keywords, and so on. Metadata in the database can easily be indexed and queried, making it very efficient to locate an object's reference by using a search engine or a database query. This result can be used to pinpoint and retrieve the object itself from Amazon S3.
Amazon Snowball Edge - Answer- Although an AWS Snowball device costs less than AWS Snowball Edge, it cannot store 80 TB of data in one device. Take note that the storage capacity is different from the usable capacity for Snowball and Snowball Edge. Remember that an 80 TB Snowball appliance and 100 TB Snowball Edge appliance only have 72 TB and 83 TB of usable capacity respectively. Hence, it would be costly if you use two Snowball devices compared to using just one AWS Snowball Edge device.
The AWS Snowball Edge is a type of Snowball device with on-board storage and compute power for select AWS capabilities. Snowball Edge can undertake local processing and edge-computing workloads in addition to transferring data between your local environment and the AWS Cloud.
Each Snowball Edge device can transport data at speeds faster than the internet. This transport is done by shipping the data in the appliances through a regional carrier. The appliances are rugged shipping containers, complete with E Ink shipping labels. The AWS Snowball Edge device differs from the standard Snowball because it can bring the power of the AWS Cloud to your on-premises location, with local storage and compute functionality.
Snowball Edge devices have three options for device configurations - storage optimized, compute optimized, and with GPU. When this guide refers to Snowball Edge devices, it's referring to all options of the device. Whenever specific information applies only to one or more optional configurations of devices, like how the Snowball Edge with GPU has an on-board GPU, it will be called out.
AWS Security Token Service (AWS STS) - Answer- AWS Security Token Service (AWS STS) is the service that you can use to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use.
In this diagram, IAM user Alice in the Dev account (the role-assuming account) needs to access the Prod account (the role-owning account). Here's how it works: Alice in the Dev account assumes an IAM role (WriteAccess) in the Prod account by calling AssumeRole.
STS returns a set of temporary security credentials.
Alice uses the temporary security credentials to access services and resources in the Prod account. Alice could, for example, make calls to Amazon S3 and Amazon EC2, which are granted by the WriteAccess role.
Amazon Data Lifecycle Manager (Amazon DLM) - Answer- You can use Amazon Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and deletion of snapshots taken to back up your Amazon EBS volumes. Automating snapshot management helps you to:
-Protect valuable data by enforcing a regular backup schedule.
-Retain backups as required by auditors or internal compliance.
-Reduce storage costs by deleting outdated backups.
Combined with the monitoring features of Amazon CloudWatch Events and AWS CloudTrail, Amazon DLM provides a complete backup solution for EBS volumes at no additional cost. Hence, Option 5 is the correct answer as it is the fastest and most cost-effective solution in providing an automated way of backing up your EBS volumes.
Amazon EC2 Autoscaling Cooldown Period - Answer- In Auto Scaling, the following statements are correct regarding the cooldown period:
It ensures that the Auto Scaling group does not launch or terminate additional EC2 instances before the previous scaling activity takes effect.
Its default value is 300 seconds.
It is a configurable setting for your Auto Scaling group.
NACL Definition and Execution Process - Answer- A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
Network ACL Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.
EBS Replication - Answer- When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone only to prevent data loss due to a failure of any single hardware component. After you create a volume, you can attach it to any EC2 instance in the same Availability Zone.
Virtual Private Gateway - Answer- By default, instances that you launch into a virtual private cloud (VPC) can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, updating your security group rules, and creating an AWS managed VPN connection.
Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network. AWS supports Internet Protocol security (IPsec) VPN connections.
A customer gateway is a physical device or software application on your side of the VPN connection.
To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. Next, you have to set up an Internet-routable IP address (static) of the customer gateway's external interface.
AWS OpsWorks - Answer- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings - AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
Amazon S3 Data Encryption - Answer- Server-side encryption is about data encryption at rest—that is, Amazon S3 encrypts your data at the object level as it writes it to disks in its data centers and decrypts it for you when you access it. As long as you authenticate your request and you have access permissions, there is no difference in the way you access encrypted or unencrypted objects. For example, if you share your objects using a pre-signed URL, that URL works the same way for both encrypted and unencrypted objects.
You have three mutually exclusive options depending on how you choose to manage the encryption keys:
Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
Pilot Light - Answer- The term pilot light is often used to describe a DR scenario in which a minimal version of an environment is always running in the cloud. The idea of the pilot light is an analogy that comes from the gas heater. In a gas heater, a small flame that's always on can quickly ignite the entire furnace to heat up a house. This scenario is similar to a backup-and-restore scenario.
For example, with AWS you can maintain a pilot light by configuring and running the most critical core elements of your system in AWS. When the time comes for recovery, you can rapidly provision a full-scale production environment around the critical core.
RDS Failover - Answer- In Amazon RDS, failover is automatically handled so that you can resume database operations as quickly as possible without administrative intervention in the event that your primary database instance went down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
Allowing a Custom Port - Answer- To allow the custom port, you have to change the Inbound Rules in your Security Group to allow traffic coming from the mobile devices. Security Groups usually control the list of ports that are allowed to be used by your EC2 instances and the NACLs control which network or list of IP addresses can connect to your whole VPC.
When you create a security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group. By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
ELB Types and Details - Answer- Elastic Load Balancing supports three types of load balancers. You can select the appropriate load balancer based on your application needs.
If you need flexible application management and TLS termination then we recommend that you use Application Load Balancer. If extreme performance and static IP is needed for your application then we recommend that you use Network Load Balancer. If your application is built within the EC2 Classic network then you should use Classic Load Balancer.
An Application Load Balancer functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model. After the load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply, and then selects a target from the target group for the rule action. You can configure listener rules to route requests to different target groups based on the content of the application traffic. Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Application Load Balancers support TLS termination capabilities, path-based routing, host-based routing and support for containerized applications; hence, Option 1 is correct.
AWS provides a number of security related managed services. From the options below, select which AWS service is related to protecting your infrastructure from which security issue. - Answer- AWS provides various services to cope with many security related issues and because of this, there are a number of options which are correct. AWS Shield has two options listed above, but only one is correct. AWS Shield operates on layer 3 and 4 of the ISO network model and its primary purpose is to protect against DDoS attacks. It does not have any effect against SQL Injection attacks, which are dealt with by AWS WAF. WAF also protects against Cross Site Scripting and can block traffic from IP addresses based on rules. Finally, Amazon Macie tackles a different problem related to Data Loss Prevention and protects sensitive data.
Your company has asked you to investigate the use of KMS for storing and managing keys in AWS. From the options listed below, what key management features are available in KMS? - Answer- There are many features which are native to the KMS service. Only import your own keys, disable and re-enable keys and define key management roles in IAM are valid. Importing keys into a custom key store and migrating keys from the default key store to a custom key store are not possible. Lastly, operating as a private, native HSM is a function of CloudHSM and is not possible directly within KMS.
You run a meme creation website that stores the original images in S3 and each meme's metadata in DynamoDB. You need to decide upon a low-cost storage option for the memes themselves. If a meme object is unavailable or lost, a Lambda function will automatically recreate it but at a $10 licencing cost per creation. Which storage solution should you use to store the memes in the most cost effective way? - Answer- The question describes a situation where low cost 1Zone-IA would be perfect. However, it also says that there is a high licence cost with each meme generation. The storage savings between IA and 1Zone-IA are about $0.0025, which is small compared to the $10 for licencing. Therefore you may well be better off paying for full S3-IA.
You've been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this? - Answer- The essence of a stateless installation is that the scalable components are disposable, and configuration is stored away from the disposable components. The best way to solve this type of problem is by elimination. Storage Gateway offers no advantage in this situation. CloudWatch is a reporting tool and will not help. An ELB will distribute load but is not really specific to stateless design. Elasticache is well suited for very short fast cycle data and is very suitable to replace in memory or on disk state data previously held on the web servers. RDS is well suited to structured and long cycle data, and DynamoDB is well suited for unstructured and medium cycle data. Both can be used for certain types of stateful data either in partner with or instead of Elasticache.
You are a systems administrator and you need to monitor the health of your production environment. You decide to do this using CloudWatch. However, you notice that you cannot see the health of every important metric in the default dashboard. When monitoring the health of your EC2 instances, for which of the following metrics do you need to design a custom CloudWatch metric? - Answer- Remember under the shared security model that AWS can see the instance, but not inside the instance to what it is doing. AWS can see that you have Memory, but how much of the memory is being used cannot be seen by AWS. In the case of CPU, AWS can see how much of the CPU you are using, but cannot see what you are using it for.
Which of the following features only relate to Spread Placement Groups? - Answer- Spread placement groups have a specific limitation that you can only have a maximum of 7 running instances per Availability Zone. Deploying instances in a single Availability Zone is unique to Cluster Placement Groups only and therefore is not correct.
Which of the following Amazon S3 Storage Classes offer 99.999999999% (11 x 9s) durability? - Answer- Reduced Redundancy Storage is the only S3 Class that does not offer 99.999999999% durability.
Currently the S3 Classes are: Standard, Standard-Infrequent Access, One Zone-Infrequent Access, Reduced Redundancy Storage and, for archive, Glacier & Glacier Deep Archive.
Which of the following RDS database engines have a limit to the amount of databases that can run per instance? - Answer- Both the Oracle and SQL Server database engines have limits to how many databases can run per instance. Primarily, this is due to the underlying technology being proprietary and requiring specific licensing to operate. The database engines based on Open Source technology such as Aurora, MySQL, MariaDB or PostgreSQL have no such limits.
Which of the following are not valid CloudFormation template sections? - Answer- In total there are 9 valid sections allowed within a CloudFormation template. Entries including "Parameters", "Resources" and "Outputs" are considered valid. "Options" is not a template section.
What is the maximum response time for a Business Level 'production down' Support Case? - Answer- 1 Hour
What are the four levels of AWS premium support? - Answer- Basic, Developer, Business, Enterprise. Remember that 'Free Tier' is a billing rebate. It is not an account type or support type.
Route53, the AWS implementation of DNS, supports a number of Routing policies. Which of the following are valid Policy types? - Answer- Route53 provides an advanced level of service and sophistication going beyond the basic service of the normal DNS implementation. It offers the following routing policy types: Latency, Simple, Geoproximity, and Failover.
Which of the following strategies does AWS use to deliver the promised levels of DynamoDB performance? - Answer- DynamoDB makes use of parallel processing to achieve predictable performance. You visualise each partition as an independent DB server of fixed size, each responsible for a defined block of data. In SQL terminology it is called sharding. The documentation is specific about the SSDs, but makes no mention of read-replicas or EBS-Optimised. Caching in front of DDB is an option (DAX), but it is not inherent to DDB. DynamoDB stores data on Solid State Disks and partitions its database across a number of nodes.
You have been monitoring a sensitive autoscaling group, and you expect it to scale-in as you enter a period of holiday downtime. The auto scaling group is distributed over three AZs (AZ-A and AZ-B have two instances each, and AZ-C has three instances). All instances have different CPU and Memory utilization, and all instances have been running for a different number of days. All instances come from different versions of a root AMI, and all instances have different numbers of sessions connected. Which instance will be the 1st to shut down? - Answer- AutoScaling scales-in according to a hierarchy of decisions. Please see the link for further details.
The Customer Experience manager comes to see you about some odd behaviours with the ticketing system: messages presented to the support team are not arriving in the order in which they were generated. You know that this is due to the way that the underlying SQS standard queue service is being used to manage messages. Which of the following are correct explanations? - Answer- With a Standard queue, delivery is "at-least-once", and FIFO delivery is not guaranteed. If FIFO delivery is required, a FIFO queue should be used.
What is the maximum VisibilityTimeout of an SQS message in a FIFO queue? - Answer- The visibility timeout controls how long a message is invisible in the queue while it is being worked on by a processing instance. This interval should not be confused with how long the message can remain in the queue. The maximum Visibility Timeout of an SQS message in a FIFO queue is 12 Hours.
Your company likes the idea of storing files on AWS. However, low-latency service of the majority of files is important to customer service. Which Storage Gateway configuration would you use to achieve both of these ends? - Answer- Gateway-Stored volumes store your primary data locally, while asynchronously backing up that data to AWS. Depending on the Cache allocated, you can achieve the same with File Gateway.
Which of the following conditions may you set when configuring AWS WAF? - Answer- String Match, IP Match, Size Constraint, others?
You have been engaged as a consultant by a company that generates utility bills and publishes them online. PDF images are generated, then stored on a high-performance RDS instance. Customarily, invoices are viewed by customers once per month. Recently, the number of customers has increased threefold, and the wait time necessary to view invoices has increased unacceptably. The CTO is unwilling to alter the codebase more than necessary this quarter, but needs to return performance to an acceptable level before the end-of-the-month print run. Which of the following solutions would you feel comfortable proposing to the CTO and GM? - Answer- Caching content is not always effective. Sometimes, optimal solutions cannot be achieved, so you need to figure out the next best way to keep the show going.
When it comes to Security Groups within a custom VPC, which of the following statements are correct? - Answer- Security Groups are stateful and updates are applied immediately.
Stateful - Answer- The technology used in firewalls that keeps track of connections so that it knows what to allow back into the network.
Stateless - Answer- A technology implementation that DOES NOT keep track of connections. It DOES NOT know what to allow back into the network.
When editing permissions (policies and ACLs), to whom does the concept of the "Owner" refer? - Answer- The Owner concept comes into play especially when setting or locking down access to various objects.
Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a bespoke VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? - Answer- EBS volumes can be encrypted, but they are not encrypted by default. SSL certificates will only be useful to encrypt data in transit, not data at rest.
You are a solutions architect working for a busy media company with offices in Japan and the United States. Your production environment is hosted both in US-EAST-1 and AP-NORTHEAST-1. Your European users have been connecting to the production environment in Japan, and are seeing the site in Japanese rather than in English. You need to ensure that they view the English language version. Which of the routing policies could help you achieve this? - Answer- The aim is to direct sessions to the host that will provide the correct language. GeoLocation is the best option because it is based on national borders. Geoproximity routing is another option where the decision can be based on distance. While latency-based routing will usually direct the client to the correct host, connectivity issues with the US Regions might direct traffic to AP. In this case, the word "ensure" is operative: users MUST connect to the English-language site. Watch the wording in the exam: a requirement may be presented very casually in the wording of the question. However, understanding that requirement is mandatory if you're going to arrive at the correct answer.
You are a solutions architect working for a large anti-virus company and your job is to secure your company's production AWS environment. A new policy dictates that a particular public facing subnet needs to allow RDP on port 3389 at the network ACL layer. You create an inbound rule allowing traffic to port 3389 on the ACL level. However, users complain that they still cannot connect. Which of the following answers may represent the root cause of the connectivity issues? - Answer- Network Access Control Lists are stateless; updates are applied near instantaneously.
You have provisioned a custom VPC with a subnet that has a CIDR block of 10.0.3.0/28 address range. Inside this subnet, you have 2 webservers, 2 application servers, 2 database servers, and a NAT. You have configured an Autoscaling group on the two web servers to automatically scale when the CPU utilization goes above 90%. Several days later you notice that autoscaling is no longer deploying new instances into the subnet, despite the CPU utilization of all web servers being at 100%. Which of the following answers may offer an explanation? - Answer- A /28 subnet will only have 16 addresses available. AWS reserve both the first four and last IP addresses in each subnet's CIDR block. It is likely that your autoscaling group has provisioned too many EC2 instances and you have run out of internal private IP addresses.