AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 2)
A company is processing videos in the AWS Cloud by using Amazon EC2 instances in an Auto Scaling group. It takes 30 minutes to process a video. Several EC2 instances scale in and out depending on the number of videos in an Amazon Simple Queue Service (Amazon SQS) queue.
The company has configured the SQS queue with a redrive policy that specifies a target dead-letter queue and a maxReceiveCount of 1. The company has set the visibility timeout for the SQS queue to 1 hour. The company has set up an Amazon CloudWatch alarm to notify the development team when there are messages in the dead-letter queue.
Several times during the day, the development team receives notification that messages are in the dead-letter queue and that videos have not been processed properly. An investigation finds no errors in the application logs.
How can the company solve this problem?

1. A. Turn on termination protection for the EC2 instances.
2. B. Update the visibility timeout for the SOS queue to 3 hours.
3. C. Configure scale-in protection for the instances during processing.
4. D. Update the redrive policy and set maxReceiveCount to 0.

Correct Answer: D

- (Exam Topic 2)
A solutions architect is working with a company that is extremely sensitive to its IT costs and wishes to implement controls that will result in a predictable AWS spend each month Which combination ot steps can help the company control and monitor its monthly AWS usage to achieve a cost that is as close as possible to the target amount? (Select THREE.)

1. A. Implement an IAM policy that requires users to specify a 'workload' tag for cost allocation when launching Amazon EC2 instances
2. B. Contact AWS Support and ask that they apply limits to the account so that users are not able to launch more than a certain number of instance types
3. C. Purchase all upfront Reserved Instances that cover 100% of the account's expected Amazon EC2 usage
4. D. Place conditions in the users' IAM policies that limit the number of instances they are able to launch
5. E. Define 'workload' as a cost allocation tag in the AWS Billing and Cost Management console
6. F. Set up AWS Budgets to alert and notify when a given workload is expected to exceed a defined cost

Correct Answer: AEF

- (Exam Topic 2)
A company's AWS architecture currently uses access keys and secret access keys stored on each instance to access AWS services Database credentials are hard-coded on each instance SSH keys for command-line remote access are stored in a secured Amazon S3 bucket The company has asked its solutions architect to improve the security posture of the architecture without adding operational complexly.
Which combination of steps should the solutions architect take to accomplish this? (Select THREE.)

1. A. Use Amazon EC2 instance profiles with an IAM role
2. B. Use AWS Secrets Manager to store access keys and secret access keys
3. C. Use AWS Systems Manager Parameter Store to store database credentials
4. D. Use a secure fleet of Amazon EC2 bastion hosts for remote access
5. E. Use AWS KMS to store database credentials
6. F. Use AWS Systems Manager Session Manager for remote access

Correct Answer: ACF

- (Exam Topic 2)
A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.
The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB cluster.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Add an inbound rule to the EC2 instances' security grou
2. B. Specify the DB cluster's security group as the source over the default Aurora port.
3. C. Add an outbound rule to the EC2 instances' security grou
4. D. Specify the DB cluster's security group as the destination over the default Aurora port.
5. E. Add an inbound rule to the DB cluster's security grou
6. F. Specify the EC2 instances' security group as the source over the default Aurora port.
7. G. Add an outbound rule to the DB cluster's security grou
8. H. Specify the EC2 instances' security group as the destination over the default Aurora port.
9. I. Add an outbound rule to the DB cluster's security grou
10. J. Specify the EC2 instances' security group as the destination over the ephemeral ports.

Correct Answer: AB

- (Exam Topic 2)
A company uses AWS Organizations with a single OU named Production to manage multiple accounts All accounts are members of the Production OU Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit's existing AWS account to the organization Once onboarded the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company's policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

1. A. Remove the organization's root SCPs that limit access to AWS Config Create AWS Service Catalog products for the company's standard AWS Config rules and deploy them throughout the organization, including the new account.
2. B. Create a temporary OU named Onboarding for the new account Apply an SCP to the Onboarding OU toallow AWS Config actions Move the new account to the Production OU when adjustments to AWS Config are complete
3. C. Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the required services only Temporarily apply an SCP to the organization's root that allows AWS Config actions for principals only in the new account.
4. D. Create a temporary OU named Onboarding for the new account Apply an SCP to the Onboarding OU to allow AWS Config action
5. E. Move the organization's root SCP to the Production O
6. F. Move the new account to the Production OU when adjustments to AWS Config are complete.

Correct Answer: D
An SCP at a lower level can't add a permission after it is blocked by an SCP at a higher level. SCPs can only filter; they never add permissions. SO you need to create a new OU for the new account assign an SCP, and move the root SCP to Production OU. Then move the new account to production OU when AWS config is done.