AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 3)
A company has more than 10.000 sensors that send data to an on-premises Apache Kafka server by using the Message Queuing Telemetry Transport (MQTT) protocol. The on-premises Kafka server transforms the data and then stores the results as objects in an Amazon S3 bucket.
Recently, the Kafka server crashed. The company lost sensor data while the server was being restored. A solutions architect must create a new design on AWS that is highly available and scalable to prevent a similar occurrence.
Which solution will meet these requirements?

1. A. Launch two Amazon EC2 instances to host the Kafka server in an active/standby configuration across two Availability Zone
2. B. Create a domain name in Amazon Route 53. Create a Route 53 failover polic
3. C. Route the sensors to send the data to the domain name.
4. D. Migrate the on-premises Kafka server to Amazon Managed Streaming for Apache Kafka (Amazon MSK). Create a Network Load Balancer (NLB) that points to the Amazon MSK broker Enable NL8 health check
5. E. Route the sensors to send the data to the NLB.
6. F. Deploy AWS loT Core, and connect it to an Amazon Kinesis Data Firehose delivery strea
7. G. Use an AWS Lambda function to handle data transformatio
8. H. Route the sensors to send the data to AWS loT Core.
9. I. Deploy AWS loT Core, and launch an Amazon EC2 instance to host the Kafka serve
10. J. Configure AWS loT Core to send the data to the EC2 instanc
11. K. Route the sensors to send the data to AWS loT Core.

Correct Answer: C
Because MSK has Maximum number of client connections 1000 per second and the company has 10,000 sensors, the MSK likely will not be able to handle all connections https://docs.aws.amazon.com/msk/latest/developerguide/limits.html

- (Exam Topic 1)
A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization.
The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to
and from the company's on-premises network.
Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list.
The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts.
Which solution meets these requirements with the LEAST amount of operational overhead?

1. A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS accoun
2. B. Deploy an AWS Lambda function in each AWS accoun
3. C. Configure the Lambda function to run every time an SNS topic receives a messag
4. D. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the accoun
5. E. Instruct the security team to distribute changes by publishing messages to its SNS topic.
6. F. Create new customer-managed prefix lists in each AWS account within the organizatio
7. G. Populate the prefix lists in each account with all internal CIDR range
8. H. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security group
9. I. Instruct the security team to share updates with each AWS account owner.
10. J. Create a new customer-managed prefix list in the security team's AWS accoun
11. K. Populate the customer-managed prefix list with all internal CIDR range
12. L. Share the customer-managed prefix listwith the organization by using AWS Resource Access Manage
13. M. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
14. N. Create an IAM role in each account in the organizatio
15. O. Grant permissions to update security groups.Deploy an AWS Lambda function in the security team's AWS accoun
16. P. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.

Correct Answer: C
Create a new customer-managed prefix list in the security team’s AWS account. Populate the
customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups. This solution meets the requirements with the least amount of operational overhead as it requires the security team to create and maintain a single customer-managed prefix list, and share it with the organization using AWS Resource Access Manager. The owners of each AWS account are then responsible for allowing the prefix list in their security groups, which eliminates the need for the security team to manually notify each account owner when changes are made. This solution also eliminates the need for a separate AWS Lambda function in each account, reducing the overall complexity of the solution.

- (Exam Topic 3)
A company is planning to migrate an Amazon RDS for Oracle database to an RDS for PostgreSQL DB instance in another AWS account. A solutions architect needs to design a migration strategy that will require no downtime and that will minimize the amount of time necessary to complete the migration. The migration strategy must replicate all existing data and any new data that is created during the migration The target database must be identical to the source database at completion of the migration process
All applications currently use an Amazon Route 53 CNAME record as their endpoint for communication with the RDS for Oracle DB instance The RDS for Oracle DB instance is in a private subnet.
Which combination of steps should the solutions architect take to meet these requirements? (Select THREE)

1. A. Create a new RDS for PostgreSQL DB instance in the target account Use the AWS Schema Conversion Tool (AWS SCT) to migrate the database schema from the source database to the target database
2. B. Use the AWS Schema Conversion Tool (AWS SCT) to create a new RDS for PostgreSQL DB instance in the target account with the schema and initial data from thesource database
3. C. Configure VPC peering between the VPCs in the two AWS accounts to provide connectivity to both DB instances from the target accoun
4. D. Configure the security groups that are attached to each DB instance to allow traffic on the database port from the VPC in the target account.
5. E. Temporarily allow the source DB instance to be publicly accessible to provide connectivity from the VPC in the target account Configure the security groups that are attached to each DB instance to allow traffic on the database port from the VPC in the target account.
6. F. Use AWS Database Migration Service (AWS DMS) in the target account to perform a full load plus change data capture (CDC) migration from the source database to the target database When the migration is complete, change the CNAME record to point to the target DB instance endpoint
7. G. Use AWS Database Migration Service (AWS DMS) in the target account to perform a change data capture (CDC) migration from the source database to the target database When the migration is complete change the CNAME record to point to the target DB instance endpoint.

Correct Answer: ACE

- (Exam Topic 2)
A company needs to establish a connection from its on-premises data center to AWS. The company needs to connect all of its VPCs that are located in different AWS Regions with transitive routing capabilities between VPC networks. The company also must reduce network outbound traffic costs, increase bandwidth throughput, and provide a consistent network experience for end users.
Which solution will meet these requirements?

1. A. Create an AWS Site-to-Site VPN connection between the on-premises data center and a new central VP
2. B. Create VPC peering connections that initiate from the central VPC to all other VPCs.
3. C. Create an AWS Direct Connect connection between the on-premises data center and AW
4. D. Provision a transit VIF, and connect it to a Direct Connect gatewa
5. E. Connect the Direct Connect gateway to all the other VPCs by using a transit gateway in each Region.
6. F. Create an AWS Site-to-Site VPN connection between the on-premises data center and a new central VP
7. G. Use a transit gateway with dynamic routin
8. H. Connect the transit gateway to all other VPCs.
9. I. Create an AWS Direct Connect connection between the on-premises data center and AWS Establish an AWS Site-to-Site VPN connection between all VPCs in each Regio
10. J. Create VPC peering connections that initiate from the central VPC to all other VPCs.

Correct Answer: B
Transit GW + Direct Connect GW + Transit VIF + enabled SiteLink if two different DX locations https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-direct-connect-sitelink/

- (Exam Topic 1)
An AWS partner company is building a service in AWS Organizations using Its organization named org. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2 The company must establish least privilege security access using an API or command line tool to the customer account
What is the MOST secure way to allow org1 to access resources h org2?

1. A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks
2. B. The customer should create an IAM user and assign the required permissions to the IAM user The customer should then provide the credentials to the partner company to log In and perform the required tasks.
3. C. The customer should create an IAM role and assign the required permissions to the IAM rol
4. D. The partner company should then use the IAM rote's Amazon Resource Name (ARN) when requesting access to perform the required tasks
5. E. The customer should create an IAM rote and assign the required permissions to the IAM rot
6. F. The partner company should then use the IAM rote's Amazon Resource Name (ARN). Including the external ID in the IAM role's trust pokey, when requesting access to perform the required tasks

Correct Answer: C
https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
This is the most secure way to allow org1 to access resources in org2 because it allows for least privilege security access. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) and include the external ID in the IAM role’s trust policy when requesting access to perform the required tasks. This ensures that the partner company can only access the resources that it needs and only from the specific customer account.