AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 3)
A company is building an application that will run on an AWS Lambda function. Hundreds of customers will use the application. The company wants to give each customer a quota of requests for a specific time period.
The quotas must match customer usage patterns. Some customers must receive a higher quota for a shorter time period.
Which solution will meet these requirements?

1. A. Create an Amazon API Gateway REST API with a proxy integration to invoke the Lambda function.For each customer, configure an API Gateway usage plan that includes an appropriate request quot
2. B. Create an API key from the usage plan for each user that the customer needs.
3. C. Create an Amazon API Gateway HTTP API with a proxy integration to invoke the Lambda function.For each customer, configure an API Gateway usage plan that includes an appropriate request quot
4. D. Configure route-level throttling for each usage pla
5. E. Create an API key from the usage plan for each user that the customer needs.
6. F. Create a Lambda function alias for each custome
7. G. Include a concurrency limit with an appropriate request quot
8. H. Create a Lambda function URL for each function alia
9. I. Share the Lambda function URL for each alias with the relevant customer.
10. J. Create an Application Load Balancer (ALB) in a VP
11. K. Configure the Lambda function as a target for the AL
12. L. Configure an AWS WAF web ACL for the AL
13. M. For each customer, configure a rate-based rule that includes an appropriate request quota.

Correct Answer: A
The correct answer is A.
* A. This solution meets the requirements because it allows the company to create different usage plans for each customer, with different request quotas and time periods. The usage plans can be associated with API keys, which can be distributed to the users of each customer. The API Gateway REST API can invoke the Lambda function using a proxy integration, which passes the request data to the function as input and returns the function output as the response. This solution is scalable, secure, and cost-effective12
* B. This solution is incorrect because API Gateway HTTP APIs do not support usage plans or API keys. These features are only available for REST APIs3
* C. This solution is incorrect because it does not provide a way to enforce request quotas for each customer. Lambda function aliases can be used to create different versions of the function, but they do not have any quota mechanism. Moreover, this solution exposes the Lambda function URLs directly to the customers, which is not secure or recommended4
* D. This solution is incorrect because it does not provide a way to differentiate between customers or users. AWS WAF rate-based rules can be used to limit requests based on IP addresses, but they do not support any other criteria such as user agents or headers. Moreover, this solution adds unnecessary complexity and cost by using an ALB and a VPC56
References:
1: Creating and using usage plans with API keys - Amazon API Gateway 2: Set up a proxy integration with a Lambda proxy integration - Amazon API Gateway 3: Choose between HTTP APIs and REST APIs - Amazon API Gateway 4: Using AWS Lambda aliases - AWS Lambda 5: Rate-based rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced 6: Lambda functions as targets for Application Load Balancers - Elastic Load Balancing

- (Exam Topic 2)
A company recently started hosting new application workloads in the AWS Cloud. The company is using Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) file systems, and Amazon RDS DB instances.
To meet regulatory and business requirements, the company must make the following changes for data backups:
* Backups must be retained based on custom daily, weekly, and monthly requirements.
* Backups must be replicated to at least one other AWS Region immediately after capture.
* The backup solution must provide a single source of backup status across the AWS environment.
* The backup solution must send immediate notifications upon failure of any resource backup.
Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Select THREE.)

1. A. Create an AWS Backup plan with a backup rule for each of the retention requirements.
2. B. Configure an AWS backup plan to copy backups to another Region.
3. C. Create an AWS Lambda function to replicate backups to another Region and send notification if a failure occurs.
4. D. Add an Amazon Simple Notification Service (Amazon SNS) topic to the backup plan to send a notification for finished jobs that have any status except BACKUP- JOB- COMPLETED.
5. E. Create an Amazon Data Lifecycle Manager (Amazon DLM) snapshot lifecycle policy for each of the retention requirements.
6. F. Set up RDS snapshots on each database.

Correct Answer: ABD
Cross region with AWS Backup:
https://docs.aws.amazon.com/aws-backup/latest/devguide/cross-region-backup.html

- (Exam Topic 2)
A company's interactive web application uses an Amazon CloudFront distribution to serve images from an Amazon S3 bucket. Occasionally, third-party tools ingest corrupted images into the S3 bucket. This image corruption causes a poor user experience in the application later. The company has successfully implemented and tested Python logic to detect corrupt images.
A solutions architect must recommend a solution to integrate the detection logic with minimal latency between the ingestion and serving.
Which solution will meet these requirements?

1. A. Use a Lambda@Edge function that is invoked by a viewer-response event.
2. B. Use a Lambda@Edge function that is invoked by an origin-response event.
3. C. Use an S3 event notification that invokes an AWS Lambda function.
4. D. Use an S3 event notification that invokes an AWS Step Functions state machine.

Correct Answer: B
This solution will allow the detection logic to be run as soon as the image is uploaded to the S3 bucket, before it is served to users via the CloudFront distribution. This way, the detection logic can quickly identify any corrupted images and prevent them from being served to users, minimizing latency between ingestion and serving.
Reference: AWS Lambda@Edge documentation:
https://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html You can use Lambda@Edge to run your code in response to CloudFront events, such as a viewer request, an origin request, a response, or an error.

- (Exam Topic 2)
A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects.
A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Account.
The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need.
Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

1. A. Create a bucket policy that includes read permissions for the S3 bucke
2. B. Set the principal of the bucket policy to the account ID of the Strategy account
3. C. Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
4. D. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
5. E. Create a bucket policy that includes read permissions for the S3 bucke
6. F. Set the principal of the bucket policy to an anonymous user.
7. G. Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.
8. H. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key

Correct Answer: ACF
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

- (Exam Topic 2)
A company wants to deploy an API to AWS. The company plans to run the API on AWS Fargate behind a load balancer. The API requires the use of header-based routing and must be accessible from on-premises networks through an AWS Direct Connect connection and a private VIF.
The company needs to add the client IP addresses that connect to the API to an allow list in AWS. The company also needs to add the IP addresses of the API to the allow list. The company's security team will allow /27 CIDR ranges to be added to the allow list. The solution must minimize complexity and operational overhead.
Which solution will meet these requirements?

1. A. Create a new Network Load Balancer (NLB) in the same subnets as the Fargate task deployments.Create a security group that includes only the client IP addresses that need access to the AP
2. B. Attach the new security group to the Fargate task
3. C. Provide the security team with the NLB's IP addresses for the allow list.
4. D. Create two new /27 subnet
5. E. Create a new Application Load Balancer (ALB) that extends across the new subnet
6. F. Create a security group that includes only the client IP addresses that need access to the AP
7. G. Attach the security group to the AL
8. H. Provide the security team with the new subnet IP ranges for the allow list.
9. I. Create two new '27 subnet
10. J. Create a new Network Load Balancer (NLB) that extends across the new subnet
11. K. Create a new Application Load Balancer (ALB) within the new subnet
12. L. Create a security group that includes only the client IP addresses that need access to the AP
13. M. Attach the security group to the AL
14. N. Add the ALB's IP addresses as targets behind the NL
15. O. Provide the security team with the NLB's IP addresses for the allow list.
16. P. Create a new Application Load Balancer (ALB) in the same subnets as the Fargate task deployments.Create a security group that includes only the client IP addresses that need access to the AP
17. Q. Attach the security group to the AL
18. R. Provide the security team with the ALB's IP addresses for the allow list.

Correct Answer: A