AWS-Solution-Architect-Associate Free Practice Test

- (Topic 4)
A company is running its production and nonproduction environment workloads in multiple AWS accounts. The accounts are in an organization in AWS Organizations. The company needs to design a solution that will prevent the modification of cost usage tags.
Which solution will meet these requirements?

1. A. Create a custom AWS Config rule to prevent tag modification except by authorized principals.
2. B. Create a custom trail in AWS CloudTrail to prevent tag modification
3. C. Create a service control policy (SCP) to prevent tag modification except by authonzed principals.
4. D. Create custom Amazon CloudWatch logs to prevent tag modification.

Correct Answer: C
This solution meets the requirements because it uses SCPs to restrict the actions that can be performed on cost usage tags in the organization. SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs specify the maximum permissions for an organization, organizational unit (OU), or account. You can use SCPs to enforce consistent tag policies across your organization and prevent unauthorized or accidental changes to your tags. You can also create exceptions for authorized principals, such as administrators or auditors, who need to modify tags for legitimate purposes.
References:
✑ Service control policies (SCPs) - AWS Organizations
✑ Tag policies - AWS Organizations

- (Topic 1)
A company is storing sensitive user information in an Amazon S3 bucket The company wants to provide secure access to this bucket from the application tier running on Ama2on EC2 instances inside a VPC.
Which combination of steps should a solutions architect take to accomplish this? (Select TWO.)

1. A. Configure a VPC gateway endpoint for Amazon S3 within the VPC
2. B. Create a bucket policy to make the objects to the S3 bucket public
3. C. Create a bucket policy that limits access to only the application tier running in the VPC
4. D. Create an IAM user with an S3 access policy and copy the IAM credentials to the EC2 instance
5. E. Create a NAT instance and have the EC2 instances use the NAT instance to access the S3 bucket

Correct Answer: AC
https://aws.amazon.com/premiumsupport/knowledge-center/s3-private-connection-no-authentication/

- (Topic 1)
A company has an application that provides marketing services to stores. The services are based on previous purchases by store customers. The stores upload transaction data to the company through SFTP, and the data is processed and analyzed to generate new marketing offers. Some of the files can exceed 200 GB in size.
Recently, the company discovered that some of the stores have uploaded files that contain personally identifiable information (PII) that should not have been included. The company wants administrators to be alerted if PII is shared again. The company also wants to automate remediation.
What should a solutions architect do to meet these requirements with the LEAST development effort?

1. A. Use an Amazon S3 bucket as a secure transfer poin
2. B. Use Amazon Inspector to scan me objects in the bucke
3. C. If objects contain Pl
4. D. trigger an S3 Lifecycle policy to remove the objects that contain Pll.
5. E. Use an Amazon S3 bucket as a secure transfer poin
6. F. Use Amazon Macie to scan the objects in the bucke
7. G. If objects contain Pl
8. H. Use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects mat contain Pll.
9. I. Implement custom scanning algorithms in an AWS Lambda functio
10. J. Trigger the function when objects are loaded into the bucke
11. K. It objects contain Rl
12. L. use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain Pll.
13. M. Implement custom scanning algorithms in an AWS Lambda functio
14. N. Trigger the function when objects are loaded into the bucke
15. O. If objects contain Pl
16. P. use Amazon Simple Email Service (Amazon STS) to trigger a notification to the administrators and trigger on S3 Lifecycle policy to remove the objects mot contain PII.

Correct Answer: B
To meet the requirements of detecting and alerting the administrators when PII is shared and automating remediation with the least development effort, the best approach would be to use Amazon S3 bucket as a secure transfer point and scan the objects in the bucket with Amazon Macie. Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data stored in Amazon S3. It can be used to classify sensitive data, monitor access to sensitive data, and automate remediation actions.
In this scenario, after uploading the files to the Amazon S3 bucket, the objects can be scanned for PII by Amazon Macie, and if it detects any PII, it can trigger an Amazon Simple Notification Service (SNS) notification to alert the administrators to remove the objects containing PII. This approach requires the least development effort, as Amazon Macie already has pre-built data classification rules that can detect PII in various formats. Hence, option B is the correct answer.
References:
✑ Amazon Macie User Guide: https://docs.aws.amazon.com/macie/latest/userguide/what-is-macie.html
✑ AWS Well-Architected Framework - Security Pillar: https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html

- (Topic 2)
An online retail company has more than 50 million active customers and receives more than 25,000 orders each day. The company collects purchase data for customers and stores this data in Amazon S3. Additional customer data is stored in Amazon RDS.
The company wants to make all the data available to various teams so that the teams can perform analytics. The solution must provide the ability to manage fine-grained permissions for the data and must minimize operational overhead.
Which solution will meet these requirements?

1. A. Migrate the purchase data to write directly to Amazon RD
2. B. Use RDS access controls to limit access.
3. C. Schedule an AWS Lambda function to periodically copy data from Amazon RDS to Amazon S3. Create an AWS Glue crawle
4. D. Use Amazon Athena to query the dat
5. E. Use S3 policies to limit access.
6. F. Create a data lake by using AWS Lake Formatio
7. G. Create an AWS Glue JDBC connection to Amazon RD
8. H. Register (he S3 bucket in Lake Formatio
9. I. Use Lake Formation access controls to limit access.
10. J. Create an Amazon Redshift cluste
11. K. Schedule an AWS Lambda function to periodically copy data from Amazon S3 and Amazon RDS to Amazon Redshif
12. L. Use Amazon Redshift access controls to limit access.

Correct Answer: C
To make all the data available to various teams and minimize operational overhead, the company can create a data lake by using AWS Lake Formation. This will allow the company to centralize all the data in one place and use fine-grained access controls to manage access to the data. To meet the requirements of the company, the solutions architect can create a data lake by using AWS Lake Formation, create an AWS Glue JDBC connection to Amazon RDS, and register the S3 bucket in Lake Formation. The solutions architect can then use Lake Formation access controls to limit access to the data. This solution will provide the ability to manage fine-grained permissions for the data and minimize operational overhead.

- (Topic 3)
A gaming company is moving its public scoreboard from a data center to the AWS Cloud. The company uses Amazon EC2 Windows Server instances behind an Application Load Balancer to host its dynamic application. The company needs a highly available storage solution for the application. The application consists of static files and dynamic server-side code.
Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)

1. A. Store the static files on Amazon S3. Use Amazon CloudFront to cache objects at the edge.
2. B. Store the static files on Amazon S3. Use Amazon ElastiCache to cache objects at the edge.
3. C. Store the server-side code on Amazon Elastic File System (Amazon EFS). Mount the EFS volume on each EC2 instance to share the files.
4. D. Store the server-side code on Amazon FSx for Windows File Serve
5. E. Mount the FSx for Windows File Server volume on each EC2 instance to share the files.
6. F. Store the server-side code on a General Purpose SSD (gp2) Amazon Elastic Block Store (Amazon EBS) volum
7. G. Mount the EBS volume on each EC2 instance to share the files.

Correct Answer: AD
A because Elasticache, despite being ideal for leaderboards per Amazon, doesn't cache at edge locations. D because FSx has higher performance for low latency needs. https://www.techtarget.com/searchaws/tip/Amazon-FSx-vs-EFS-Compare-the-AWS-file- services "FSx is built for high performance and submillisecond latency using solid-state drive storage volumes. This design enables users to select storage capacity and latency independently. Thus, even a subterabyte file system can have 256 Mbps or higher throughput and support volumes up to 64 TB."
Amazon S3 is an object storage service that can store static files such as images, videos, documents, etc. Amazon EFS is a file storage service that can store files in a hierarchical structure and supports NFS protocol. Amazon FSx for Windows File Server is a file storage service that can store files in a hierarchical structure and supports SMB protocol. Amazon EBS is a block storage service that can store data in fixed-size blocks and attach to EC2 instances.
Based on these definitions, the combination of steps that should be taken to meet the requirements are:
* A. Store the static files on Amazon S3. Use Amazon CloudFront to cache objects at the edge. D. Store the server-side code on Amazon FSx for Windows File Server. Mount the FSx for Windows File Server volume on each EC2 instance to share the files.