AWS-Solution-Architect-Associate Free Practice Test

- (Topic 4)
A company runs multiple workloads in its on-premises data center. The company's data center cannot scale fast enough to meet the company's expanding business needs. The company wants to collect usage and configuration data about the on-premises servers and workloads to plan a migration to AWS.
Which solution will meet these requirements?

1. A. Set the home AWS Region in AWS Migration Hu
2. B. Use AWS Systems Manager to collect data about the on-premises servers.
3. C. Set the home AWS Region in AWS Migration Hu
4. D. Use AWS Application Discovery Service to collect data about the on-premises servers.
5. E. Use the AWS Schema Conversion Tool (AWS SCT) to create the relevant template
6. F. Use AWS Trusted Advisor to collect data about the on-premises servers.
7. G. Use the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates.Use AWS Database Migration Service (AWS DMS) to collect data about the on-premises servers.

Correct Answer: B
The most suitable solution for the company’s requirements is to set the home AWS Region in AWS Migration Hub and use AWS Application Discovery Service to collect data about the on-premises servers. This solution will enable the company to gather usage and configuration data of its on-premises servers and workloads, and plan a migration to AWS.
AWS Migration Hub is a service that simplifies and accelerates migration tracking by aggregating migration status information into a single console. Users can view the discovered servers, group them into applications, and track the migration status of each application from the Migration Hub console in their home Region. The home Region is the AWS Region where users store their migration data, regardless of which Regions they migrate into1.
AWS Application Discovery Service is a service that helps users plan their migration to AWS by collecting usage and configuration data about their on-premises servers and databases. Application Discovery Service is integrated with AWS Migration Hub and supports two methods of performing discovery: agentless discovery and agent-based discovery. Agentless discovery can be performed by deploying the Application Discovery Service Agentless Collector through VMware vCenter, which collects static configuration data and utilization data for virtual machines (VMs) and databases. Agent-based discovery can be performed by deploying the AWS Application Discovery Agent on each of the VMs and physical servers, which collects static configuration data, detailed time-series system- performance information, inbound and outbound network connections, and processes that are running2.
The other options are not correct because they do not meet the requirements or are not relevant for the use case. Using the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates and using AWS Trusted Advisor to collect data about the on- premises servers is not correct because this solution is not suitable for collecting usage and configuration data of on-premises servers and workloads. AWS SCT is a tool that helps users convert database schemas and code objects from one database engine to another, such as from Oracle to PostgreSQL3. AWS Trusted Advisor is a service that provides best practice recommendations for cost optimization, performance, security, fault tolerance, and service limits4. Using the AWS Schema Conversion Tool (AWS SCT) to create the relevant templates and using AWS Database Migration Service (AWS DMS) to collect data about the on-premises servers is not correct because this solution is not suitable for collecting usage and configuration data of on-premises servers and workloads. As mentioned above, AWS SCT is a tool that helps users convert database schemas and code objects from one database engine to another. AWS DMS is a service that helps users migrate relational databases, non-relational databases, and other types of data stores to
AWS with minimal downtime5. References:
✑ Home Region - AWS Migration Hub
✑ What is AWS Application Discovery Service? - AWS Application Discovery Service
✑ AWS Schema Conversion Tool - Amazon Web Services
✑ What Is Trusted Advisor? - Trusted Advisor
✑ What Is AWS Database Migration Service? - AWS Database Migration Service

- (Topic 3)
A solutions architect wants all new users to have specific complexity requirements and mandatory rotation periods tor IAM user passwords What should the solutions architect do to accomplish this?

1. A. Set an overall password policy for the entire AWS account
2. B. Set a password policy for each IAM user in the AWS account
3. C. Use third-party vendor software to set password requirements
4. D. Attach an Amazon CloudWatch rule to the Create_newuser event to set the password with the appropriate requirements

Correct Answer: A
This option is the most efficient because it sets an overall password policy for the entire AWS account, which is a way to specify complexity requirements and mandatory rotation periods for IAM user passwords1. It also meets the requirement of setting a password policy for all new users, as the password policy applies to all IAM users in the account. This solution meets the requirement of setting specific complexity requirements and mandatory rotation periods for IAM user passwords. Option B is less efficient because it sets a password policy for each IAM user in the AWS account, which is not possible as password policies can only be set at the account level. Option C is less efficient because it uses third- party vendor software to set password requirements, which is not necessary as IAM provides a built-in way to set password policies. Option D is less efficient because it attaches an Amazon CloudWatch rule to the Create_newuser event to set the password with the appropriate requirements, which is not possible as CloudWatch rules cannot modify IAM user passwords.

- (Topic 4)
A 4-year-old media company is using the AWS Organizations all features feature set fo organize its AWS accounts. According to he company's finance team, the billing information on the member accounts
must not be accessible to anyone, including the root user of the member accounts. Which solution will meet these requirements?

1. A. Add all finance team users to an IAM grou
2. B. Attach an AWS managed policy named Billing to the group.
3. C. Attach an identity-based policy to deny access to the billing information to all users, including the root user.
4. D. Create a service control policy (SCP) to deny access to the billing informatio
5. E. Attach the SCP to the root organizational unit (OU).
6. F. Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.

Correct Answer: C
Service Control Policies (SCP): SCPs are an integral part of AWS Organizations and allow you to set fine-grained permissions on the organizational units (OUs) within your AWS Organization. SCPs provide central control over the maximum permissions that can be granted to member accounts, including the root user. Denying Access to Billing Information: By creating an SCP and attaching it to the root OU, you can explicitly deny access to billing information for all accounts within the organization. SCPs can be used to restrict access to various AWS services and actions, including billing- related services. Granular Control: SCPs enable you to define specific permissions and restrictions at the organizational unit level. By denying access to billing information at the root OU, you can ensure that no member accounts, including root users, have access to the billing information.

- (Topic 4)
A company wants to analyze and generate reports to track the usage of its mobile app. The app is popular and has a global user base The company uses a custom report building program to analyze application usage.
The program generates multiple reports during the last week of each month. The program takes less than 10 minutes to produce each report. The company rarely uses the program to generate reports outside of the last week of each month. The company wants to generate reports in the least amount of time when the reports are requested.
Which solution will meet these requirements MOST cost-effectively?

1. A. Run the program by using Amazon EC2 On-Demand Instance
2. B. Create an Amazon EventBridge rule to start the EC2 instances when reports are requeste
3. C. Run the EC2 instances continuously during the last week of each month.
4. D. Run the program in AWS Lambd
5. E. Create an Amazon EventBridge rule to run a Lambda function when reports are requested.
6. F. Run the program in Amazon Elastic Container Service (Amazon ECS). Schedule Amazon ECS to run the program when reports are requested.
7. G. Run the program by using Amazon EC2 Spot Instance
8. H. Create an Amazon EventBridge rule to start the EC2 instances when reports are requeste
9. I. Run the EC2 instances continuously during the last week of each month.

Correct Answer: B
This solution meets the requirements most cost-effectively because it leverages the serverless and event-driven capabilities of AWS Lambda and Amazon EventBridge. AWS Lambda allows you to run code without provisioning or managing servers, and you pay only for the compute time you consume. Amazon EventBridge is a serverless event bus service that lets you connect your applications with data from various sources and routes that data to targets such as AWS Lambda. By using Amazon EventBridge, you can create a rule that triggers a Lambda function to run the program when reports are requested, and you can also schedule the rule to run during the last week of each month. This way, you can generate reports in the least amount of time and pay only for the resources you use.
References:
✑ AWS Lambda
✑ Amazon EventBridge

- (Topic 4)
A company is designing a web application on AWS The application will use a VPN connection between the company's existing data centers and the company's VPCs. The company uses Amazon Route 53 as its DNS service. The application must use private DNS records to communicate with the on-premises services from a VPC. Which solution will meet these requirements in the MOST secure manner?

1. A. Create a Route 53 Resolver outbound endpoin
2. B. Create a resolver rul
3. C. Associate the resolver rule with the VPC
4. D. Create a Route 53 Resolver inbound endpoin
5. E. Create a resolver rul
6. F. Associate the resolver rule with the VPC.
7. G. Create a Route 53 private hosted zon
8. H. Associate the private hosted zone with the VPC.
9. I. Create a Route 53 public hosted zon
10. J. Create a record for each service to allow service communication.

Correct Answer: A
To meet the requirements of the web application in the most secure manner, the company should create a Route 53 Resolver outbound endpoint, create a resolver rule, and associate the resolver rule with the VPC. This solution will allow the application to use private DNS records to communicate with the on-premises services from a VPC. Route 53 Resolver is a service that enables DNS resolution between on-premises networks and AWS VPCs. An outbound endpoint is a set of IP addresses that Resolver uses to forward DNS queries from a VPC to resolvers on an on-premises network. A resolver rule is a rule that specifies the domain names for which Resolver forwards DNS queries to the IP addresses that you specify in the rule. By creating an outbound endpoint and a resolver rule, and associating them with the VPC, the company can securely resolve DNS queries for the on-premises services using private DNS records12.
The other options are not correct because they do not meet the requirements or are not secure. Creating a Route 53 Resolver inbound endpoint, creating a resolver rule, and associating the resolver rule with the VPC is not correct because this solution will allow DNS queries from on-premises networks to access resources in a VPC, not vice versa. An inbound endpoint is a set of IP addresses that Resolver uses to receive DNS queries from resolvers on an on-premises network1. Creating a Route 53 private hosted zone and associating it with the VPC is not correct because this solution will only allow DNS resolution for resources within the VPC or other VPCs that are associated with the same hosted zone. A private hosted zone is a container for DNS records that are only accessible from one or more VPCs3. Creating a Route 53 public hosted zone and creating a record for each service to allow service communication is not correct because this solution will expose the on-premises services to the public internet, which is not secure. A public hosted zone is a container for DNS records that are accessible from anywhere on the internet3. References:
✑ Resolving DNS queries between VPCs and your network - Amazon Route 53
✑ Working with rules - Amazon Route 53
✑ Working with private hosted zones - Amazon Route 53