AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 3)
A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of
creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.
A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.
Which combination of steps should the solutions architect take to meet the requirements? (Select THREE.)

1. A. Create a destination Amazon Kinesis data stream in the central logging account.
2. B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.
3. C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data strea
4. D. Create a trust polic
5. E. Specify the trust policy in the IAM rol
6. F. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
7. G. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queu
8. H. Create a trust polic
9. I. Specify the trust policy in the IAM rol
10. J. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.
11. K. Create an AWS Lambda functio
12. L. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.
13. M. Create an AWS Lambda functio
14. N. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Correct Answer: ACE

- (Exam Topic 2)
A company's public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months.
Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount.
A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency. Which solution meets these requirements?

1. A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.
2. B. Create a new AWS WAF Bot Control implementatio
3. C. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.
4. D. Create a new AWS WAF web AC
5. E. Add a new rule that blocks requests that match the SQL database rule grou
6. F. Set the web ACL to allow all other traffic that does not match those rule
7. G. Attach the web ACL to the ALB in front of the ECS tasks.
8. H. Create a new AWS WAF web AC
9. I. Create a new empty IP set in AWS WA
10. J. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP se
11. K. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP se
12. L. Attach the web ACL to the ALB in front of the ECS tasks.

Correct Answer: C
The company should create a new AWS WAF web ACL. The company should add a new rule that blocks requests that match the SQL database rule group. The company should set the web ACL to allow all other traffic that does not match those rules. The company should attach the web ACL to the ALB in front of the ECS tasks. This solution will meet the requirements because AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked1. By creating a new AWS WAF web ACL, the company can create a collection of rules that define the conditions for allowing or blocking web requests. By adding a new rule that blocks requests that match the SQL database rule group, the company can prevent SQL injection attacks from reaching the ECS API service. The SQL database rule group is a managed rule group provided by AWS that contains rules to protect against common SQL injection attack patterns2. By setting the web ACL to allow all other traffic that does not match those rules, the company can ensure that legitimate traffic can access the API service. By attaching the web ACL to the ALB in front of the ECS tasks, the company can apply the web security rules to all requests that are forwarded by the load balancer.
The other options are not correct because:
Creating a new AWS WAF Bot Control implementation would not prevent SQL injection attacks from reaching the ECS API service. AWS WAF Bot Control is a feature that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities. However, it does not protect against SQL injection attacks, which are malicious attempts to execute unauthorized SQL statements against your database3.
Creating a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks would not prevent SQL injection attacks from reaching
the ECS API service. Monitoring mode is a feature that enables you to evaluate how your rules would perform without actually blocking any requests. However, this mode does not provide any protection against attacks, as it only logs and counts requests that match your rules4.
Creating a new AWS WAF web ACL and creating a new empty IP set in AWS WAF would not prevent SQL injection attacks from reaching the ECS API service. An IP set is a feature that enables you to specify a list of IP addresses or CIDR blocks that you want to allow or block based on their source IP address. However, this approach would not be effective or efficient against SQL injection attacks, as it would require constantly updating the IP set with new IP addresses of attackers, and it would not block attackers who use proxies or VPNs.
References:
https://aws.amazon.com/waf/
https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-monitoring-mode.html
https://docs.aws.amazon.com/waf/latest/developerguide/waf-ip-sets.html

- (Exam Topic 3)
A financial services company has an asset management product that thousands of customers use around the world. The customers provide feedback about the product through surveys. The company is building a new analytical solution that runs on Amazon EMR to analyze the data from these surveys. The following user personas need to access the analytical solution to perform different actions:
• Administrator: Provisions the EMR cluster for the analytics team based on the team's requirements
• Data engineer: Runs E TL scripts to process, transform, and enrich the datasets
• Data analyst: Runs SQL and Hive queries on the data
A solutions architect must ensure that all the user personas have least privilege access to only the resources that they need. The user personas must be able to launch only applications that are approved and authorized. The solution also must ensure tagging for all resources that the user personas create.
Which solution will meet these requirements?

1. A. Create IAM roles for each user person
2. B. Attach identity-based policies to define which actions the user who assumes the role can perfor
3. C. Create an AWS Config rule to check for noncompliant resource
4. D. Configure the rule to notify the administrator to remediate the noncompliant resources.
5. E. Set up Kerberos-based authentication for EMR clusters upon launc
6. F. Specify a Kerberos security configuration along with cluster-specific Kerberos options.
7. G. Use AWS Service Catalog to control the Amazon EMR versions available for deployment, the cluster configuration, and the permissions for each user persona.
8. H. Launch the EMR cluster by using AWS CloudFormatio
9. I. Attach resource-based policies to the EMR cluster during cluster creatio
10. J. Create an AWS Config rule to check for noncompliant clusters and noncompliant Amazon S3 bucket
11. K. Configure the rule to notify the administrator to remediate the noncompliant resources.

Correct Answer: C

- (Exam Topic 3)
A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup.
The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account.
Which combination of steps will meet this new requirement? (Select THREE.)

1. A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
2. B. Add an SCP that restricts the modification of AWS Backup vaults.
3. C. Implement AWS Backup Vault Lock in compliance mode.
4. D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier.
5. E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production accoun
6. F. Ensure that the S3 bucket has S3 Object Lock enabled.
7. G. Implement least privilege access for the IAM service role that is assigned to AWS Backup.

Correct Answer: ABC

- (Exam Topic 1)
A company wants to deploy an AWS WAF solution to manage AWS WAF rules across multiple AWS accounts. The accounts are managed under different OUs in AWS Organizations.
Administrators must be able to add or remove accounts or OUs from managed AWS WAF rule sets as needed Administrators also must have the ability to automatically update and remediate noncompliant AWS WAF rules in all accounts
Which solution meets these requirements with the LEAST amount of operational overhead?

1. A. Use AWS Firewall Manager to manage AWS WAF rules across accounts in the organizatio
2. B. Use an AWS Systems Manager Parameter Store parameter to store account numbers and OUs to manage Update the parameter as needed to add or remove accounts or OUs Use an Amazon EventBridge (Amazon CloudWatch Events) rule to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account
3. C. Deploy an organization-wide AWS Config rule that requires all resources in the selected OUs to associate the AWS WAF rule
4. D. Deploy automated remediation actions by using AWS Lambda to fix noncompliant resources Deploy AWS WAF rules by using an AWS CloudFormation stack set to target the same OUs where the AWS Config rule is applied.
5. E. Create AWS WAF rules in the management account of the organization Use AWS Lambda environment variables to store account numbers and OUs to manage Update environment variables as needed to add or remove accounts or OUs Create cross-account IAM roles in member accounts Assume the rotes by using AWS Security Token Service (AWS STS) in the Lambda function to create and update AWS WAF rules in the member accounts.
6. F. Use AWS Control Tower to manage AWS WAF rules across accounts in the organization Use AWS Key Management Service (AWS KMS) to store account numbers and OUs to manage Update AWS KMS as needed to add or remove accounts or OUs Create IAM users in member accounts Allow AWS Control Tower in the management account to use the access key and secret access key to create and update AWS WAF rules in the member accounts

Correct Answer: A
https://aws.amazon.com/solutions/implementations/automations-for-aws-firewall-manager/
In this solution, AWS Firewall Manager is used to manage AWS WAF rules across accounts in the organization. An AWS Systems Manager Parameter Store parameter is used to store account numbers and OUs to manage. This parameter can be updated as needed to add or remove accounts or OUs. An Amazon EventBridge rule is used to identify any changes to the parameter and to invoke an AWS Lambda function to update the security policy in the Firewall Manager administrative account. This solution allows for easy management of AWS WAF rules across multiple accounts with minimal operational overhead