SAA-C03 Free Practice Test

- (Topic 1)
A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses a customer managed customer master key (CMK) to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?

1. A. Make the encrypted AMI and snapshots publicly availabl
2. B. Modify the CMK's key policy to allow the MSP Partner's AWS account to use the key
3. C. Modify the launchPermission property of the AM
4. D. Share the AMI with the MSP Partner's AWS account onl
5. E. Modify the CMK's key policy to allow the MSP Partner's AWS account to use the key.
6. F. Modify the launchPermission property of the AMI Share the AMI with the MSP Partner's AWS account onl
7. G. Modify the CMK's key policy to trust a new CMK that is owned by the MSP Partner for encryption.
8. H. Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS accoun
9. I. Encrypt the S3 bucket with a CMK that is owned by the MSP Partner Copy and launch the AMI in the MSP Partner's AWS account.

Correct Answer: B
Share the existing KMS key with the MSP external account because it has already been used to encrypt the AMI snapshot. https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external- accounts.html

- (Topic 3)
A company wants to implement a disaster recovery plan for its primary on-premises file storage volume. The file storage volume is mounted from an Internet Small Computer Systems Interface (iSCSI) device on a local storage server. The file storage volume holds hundreds of terabytes (TB) of data.
The company wants to ensure that end users retain immediate access to all file types from the on-premises systems without experiencing latency.
Which solution will meet these requirements with the LEAST amount of change to the company's existing infrastructure?

1. A. Provision an Amazon S3 File Gateway as a virtual machine (VM) that is hosted on premise
2. B. Set the local cache to 10 T
3. C. Modify existing applications to access the files through the NFS protoco
4. D. To recover from a disaster, provision an Amazon EC2 instance and mount the S3 bucket that contains the files.
5. E. Provision an AWS Storage Gateway tape gatewa
6. F. Use a data backup solution to back up all existing data to a virtual tape librar
7. G. Configure the data backup solution to run nightly after the initial backup is complet
8. H. To recover from a disaster, provision an Amazon EC2 instance and restore the data to an Amazon Elastic Block Store (Amazon EBS) volume from the volumes in the virtual tape library.
9. I. Provision an AWS Storage Gateway Volume Gateway cached volum
10. J. Set the local cache to 10 T
11. K. Mount the Volume Gateway cached volume to the existing file server by using iSCS
12. L. and copy all files to the storage volum
13. M. Configure scheduled snapshots of the storage volum
14. N. To recover from a disaster, restore a snapshot to an Amazon Elastic Block Store (Amazon EBS) volume and attach the EBS volume to an Amazon EC2 instance.
15. O. Provision an AWS Storage Gateway Volume Gateway stored volume with the same amount of disk space as the existing file storage volum
16. P. Mount the Volume Gateway stored volume to the existing file server by using iSCSI, and copy all files to the storage volum
17. Q. Configure scheduled snapshots of the storage volum
18. R. To recover from a disaster, restore a snapshot to an Amazon Elastic Block Store (Amazon EBS) volume and attach the EBS volume to an Amazon EC2 instance.

Correct Answer: D
"The company wants to ensure that end users retain immediate access to all file types from the on-premises systems " - Cached volumes: low latency access to most recent data - Stored volumes: entire dataset is on premise, scheduled backups to S3 Hence Volume Gateway stored volume is the apt choice.

- (Topic 1)
A company has a three-tier web application that is deployed on AWS. The web servers are
deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to Integrate the web application with the appliance to inspect all traffic to the application before the traffic teaches the web server. Which solution will moot these requirements with the LEAST operational overhead?

1. A. Create a Network Load Balancer the public subnet of the application's VPC to route the traffic lo the appliance for packet inspection
2. B. Create an Application Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection
3. C. Deploy a transit gateway m the inspection VPC Configure route tables to route the incoming pockets through the transit gateway
4. D. Deploy a Gateway Load Balancer in the inspection VPC Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance

Correct Answer: D
https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/

- (Topic 4)
A company has a new mobile app. Anywhere in the world, users can see local news on topics they choose. Users also can post photos and videos from inside the app.
Users access content often in the first minutes after the content is posted. New content quickly replaces older content, and then the older content disappears. The local nature of the news means that users consume 90% of the content within the AWS Region where it is uploaded.
Which solution will optimize the user experience by providing the LOWEST latency for content uploads?

1. A. Upload and store content in Amazon S3. Use Amazon CloudFront for the uploads.
2. B. Upload and store content in Amazon S3. Use S3 Transfer Acceleration for the uploads.
3. C. Upload content to Amazon EC2 instances in the Region that is closest to the use
4. D. Copy the data to Amazon S3.
5. E. Upload and store content in Amazon S3 in the Region that is closest to the use
6. F. Use multiple distributions of Amazon CloudFront.

Correct Answer: B
The most suitable solution for optimizing the user experience by providing the lowest latency for content uploads is to upload and store content in Amazon S3 and use S3 Transfer Acceleration for the uploads. This solution will enable the company to leverage the AWS global network and edge locations to speed up the data transfer between the users and the S3 buckets.
Amazon S3 is a storage service that provides scalable, durable, and highly available object storage for any type of data. Amazon S3 allows users to store and retrieve data from anywhere on the web, and offers various features such as encryption, versioning, lifecycle management, and replication1.
S3 Transfer Acceleration is a feature of Amazon S3 that helps users transfer data to and from S3 buckets more quickly. S3 Transfer Acceleration works by using optimized network paths and Amazon’s backbone network to accelerate data transfer speeds. Users can enable S3 Transfer Acceleration for their buckets and use a distinct URL to access them, such as .s3-accelerate.amazonaws.com2.
The other options are not correct because they either do not provide the lowest latency or are not suitable for the use case. Uploading and storing content in Amazon S3 and using
Amazon CloudFront for the uploads is not correct because this solution is not designed for optimizing uploads, but rather for optimizing downloads. Amazon CloudFront is a content delivery network (CDN) that helps users distribute their content globally with low latency and high transfer speeds. CloudFront works by caching the content at edge locations around the world, so that users can access it quickly and easily from anywhere3. Uploading content to Amazon EC2 instances in the Region that is closest to the user and copying the data to Amazon S3 is not correct because this solution adds unnecessary complexity and cost to the process. Amazon EC2 is a computing service that provides scalable and secure virtual servers in the cloud. Users can launch, stop, or terminate EC2 instances as needed, and choose from various instance types, operating systems, and configurations4. Uploading and storing content in Amazon S3 in the Region that is closest to the user and using multiple distributions of Amazon CloudFront is not correct because this solution is not cost-effective or efficient for the use case. As mentioned above, Amazon CloudFront is a CDN that helps users distribute their content globally with low latency and high transfer speeds. However, creating multiple CloudFront distributions for each Region would incur additional charges and management overhead, and would not be necessary since 90% of the content is consumed within the same Region where it is uploaded3.
References:
✑ What Is Amazon Simple Storage Service? - Amazon Simple Storage Service
✑ Amazon S3 Transfer Acceleration - Amazon Simple Storage Service
✑ What Is Amazon CloudFront? - Amazon CloudFront
✑ What Is Amazon EC2? - Amazon Elastic Compute Cloud

- (Topic 4)
A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other external applications using the internet.
However, the company’s security policy states that any external service cannot initiate a connection to the EC2 instances.
What should a solutions architect recommend to resolve this issue?

1. A. Create a NAT gateway and make it the destination of the subnet's route table.
2. B. Create an internet gateway and make it the destination of the subnet's route table
3. C. Create a virtual private gateway and make it the destination of the subnet's route table.
4. D. Create an egress-only internet gateway and make it the destination of the subnet's route table.

Correct Answer: D
An egress-only internet gateway is a VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances. This meets the company’s security policy and requirements. To use an egress-only internet gateway, you need to add a route in the subnet’s route table that routes IPv6 internet traffic (::/0) to the egress-only internet gateway.
Reference URLs:
1 https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html
2 https://dev.to/aws-builders/what-is-an-egress-only-internet-gateways-in-aws-7gp
3 https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html