AWS-Solution-Architect-Associate Free Practice Test

- (Topic 4)
A solutions architect is designing a REST API in Amazon API Gateway for a cash payback service The application requires 1 GB of memory and 2 GB of storage for its computation resources. The application will require that the data is in a relational format.
Which additional combination of AWS services will meet these requirements with the LEAST administrative effort? {Select TWO.)

1. A. Amazon EC2
2. B. AWS Lambda
3. C. Amazon RDS
4. D. Amazon DynamoDB
5. E. Amazon Elastic Kubernetes Services (Amazon EKS)

Correct Answer: BC
AWS Lambda is a service that lets users run code without provisioning or managing servers. It automatically scales and manages the underlying compute resources for the code. It supports multiple languages, such as Java, Python, Node.js, and G1o. By using AWS Lambda for the REST API, the solution can meet the requirements of 1 GB of memory and minimal administrative effort.
Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. It supports multiple database engines, such as MySQL, PostgreSQL, Oracle, and SQL Server2. By using Amazon RDS for the data store, the solution can meet the requirements of 2 GB of storage and a relational format.
* A. Amazon EC2. This solution will not meet the requirement of minimal administrative effort, as Amazon EC2 is a service that provides virtual servers in the cloud that users have to configure and manage themselves. It requires users to choose an instance type, an operating system, a security group, and other options3.
* D. Amazon DynamoDB. This solution will not meet the requirement of a relational format, as Amazon DynamoDB is a service that provides a key-value and document database that delivers single-digit millisecond performance at any scale. It is a non-relational or NoSQL database that does not support joins or transactions.
* E. Amazon Elastic Kubernetes Services (Amazon EKS). This solution will not meet the requirement of minimal administrative effort, as Amazon EKS is a service that provides a fully managed Kubernetes service that users have to configure and manage themselves. It requires users to create clusters, nodes groups, pods, services, and other Kubernetes resources.
Reference URL: https://aws.amazon.com/lambda/

- (Topic 4)
A company needs to provide customers with secure access to its data. The company processes customer data and stores the results in an Amazon S3 bucket.
All the data is subject to strong regulations and security requirements. The data must be encrypted at rest. Each customer must be able to access only their data from their AWS account. Company employees must not be able to access the data.
Which solution will meet these requirements?

1. A. Provision an AWS Certificate Manager (ACM) certificate for each custome
2. B. Encrypt the data client-sid
3. C. In the private certificate policy, deny access to the certificate for all principals except an 1AM role that the customer provides.
4. D. Provision a separate AWS Key Management Service (AWS KMS) key for each custome
5. E. Encrypt the data server-sid
6. F. In the S3 bucket policy, deny decryption of data for all principals except an 1AM role that the customer provides.
7. G. Provision a separate AWS Key Management Service (AWS KMS) key for each custome
8. H. Encrypt the data server-sid
9. I. In each KMS key policy, deny decryption of data for all principals except an 1AM role that the customer provides.
10. J. Provision an AWS Certificate Manager (ACM) certificate for each custome
11. K. Encrypt the data client-sid
12. L. In the public certificate policy, deny access to the certificate for all principals except an 1AM role that the customer provides.

Correct Answer: C
The correct solution is to provision a separate AWS KMS key for each customer and encrypt the data server-side. This way, the company can use the S3 encryption feature to protect the data at rest and delegate the control of the encryption keys to the customers. The customers can then use their own IAM roles to access and decrypt their data. The company employees will not be able to access the data because they are not authorized by the KMS key policies. The other options are incorrect because:
✑ Option A and D are using ACM certificates to encrypt the data client-side. This is
not a recommended practice for S3 encryption because it adds complexity and overhead to the encryption process. Moreover, the company will have to manage the certificates and their policies for each customer, which is not scalable and secure.
✑ Option B is using a separate KMS key for each customer, but it is using the S3
bucket policy to control the decryption access. This is not a secure solution because the bucket policy applies to the entire bucket, not to individual objects. Therefore, the customers will be able to access and decrypt each other’s data if they have the permission to list the bucket contents. The bucket policy also overrides the KMS key policy, which means the company employees can access the data if they have the permission to use the KMS key.
References:
✑ S3 encryption
✑ KMS key policies
✑ ACM certificates

- (Topic 3)
A company is developing a new mobile app. The company must implement proper traffic filtering to protect its Application Load Balancer (ALB) against common application-level attacks, such as cross-site scripting or SQL injection. The company has minimal infrastructure and operational staff. The company needs to reduce its share of the responsibility in managing, updating, and securing servers for its AWS environment.
What should a solutions architect recommend to meet these requirements?

1. A. Configure AWS WAF rules and associate them with the ALB.
2. B. Deploy the application using Amazon S3 with public hosting enabled.
3. C. Deploy AWS Shield Advanced and add the ALB as a protected resource.
4. D. Create a new ALB that directs traffic to an Amazon EC2 instance running a third-party firewall, which then passes the traffic to the current ALB.

Correct Answer: A
A solutions architect should recommend option A, which is to configure AWS WAF rules and associate them with the ALB. This will allow the company to apply traffic filtering at the application layer, which is necessary for protecting the ALB against common application-level attacks such as cross-site scripting or SQL injection. AWS WAF is a managed service that makes it easy to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The company can easily manage and update the rules to ensure the security of its application.

- (Topic 2)
A company wants to build a scalable key management Infrastructure to support developers who need to encrypt data in their applications.
What should a solutions architect do to reduce the operational burden?

1. A. Use multifactor authentication (MFA) to protect the encryption keys.
2. B. Use AWS Key Management Service (AWS KMS) to protect the encryption keys
3. C. Use AWS Certificate Manager (ACM) to create, store, and assign the encryption keys
4. D. Use an IAM policy to limit the scope of users who have access permissions to protect the encryption keys

Correct Answer: B
https://aws.amazon.com/kms/faqs/#:~:text=If you are a developer who needs to digitally,a broad set of industry and regional compliance regimes.

- (Topic 4)
A company is designing a new web service that will run on Amazon EC2 instances behind
an Elastic Load Balancing (ELB) load balancer. However, many of the web service clients can only reach IP addresses authorized on their firewalls.
What should a solutions architect recommend to meet the clients' needs?

1. A. A Network Load Balancer with an associated Elastic IP address.
2. B. An Application Load Balancer with an associated Elastic IP address.
3. C. An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address.
4. D. An EC2 instance with a public IP address running as a proxy in front of the load balancer.

Correct Answer: A
A Network Load Balancer can be assigned one Elastic IP address for each Availability Zone it uses1. This allows the clients to reach the load balancer using a static IP address that can be authorized on their firewalls. An Application Load Balancer cannot be assigned an Elastic IP address2. An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address would not work because the load balancer would still use its own IP address as the source of the forwarded requests to the web service. An EC2 instance with a public IP address running as a proxy in front of the load balancer would add unnecessary complexity and cost, and would not provide the same scalability and
availability as a Network Load Balancer. References: 1: Network Load Balancers - Elastic Load Balancing3, IP address type section2: How to assign Elastic IP to Application Load Balancer in AWS?4, answer section.