NEW QUESTION 1
A company wants to establish connectivity between its on-premlses data center and AWS (or an existing workload. The workload runs on Amazon EC2 Instances in two VPCs In different AWS Regions. The VPCs need to communicate with each other. The company needs to provide connectivity from Its data center to both VPCs. The solution must support a bandwidth of 600 Mbps to the data center.
Which solution will meet these requirements?

• A. Set up an AWS Site-to-Site VPN connection between the data center and one VP
• B. Create a VPC peering connection between the VPCs.
• C. Set up an AWS Site-to-Site VPN connection between the data center and each VP
• D. Create a VPC peering connection between the VPCs.
• E. Set up an AWS Direct Connect connection between the data center and one VP
• F. Create a VPC peering connection between the VPCs.
• G. Create a transit gatewa
• H. Attach both VPCs to the transit gatewa
• I. Create an AWS Slte-to-Site VPN tunnel to the transit gateway.

Answer: B

NEW QUESTION 2
A company is preparing to store confidential data in Amazon S3 For compliance reasons the data must be encrypted at rest Encryption key usage must be logged tor auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and «the MOST operationally efferent?

• A. Server-side encryption with customer-provided keys (SSE-C)
• B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
• C. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
• D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automate rotation

Answer: D

Explanation:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also saves the KMS key's older cryptographic material in perpetuity so it can be used to decrypt data that the KMS key encrypted.
Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use.
AWS KMS supports optional automatic key rotation only for customer managed CMKs. Enable and disable key rotation. Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

NEW QUESTION 3
A company stores confidential data in an Amazon Aurora PostgreSQL database in the ap-southeast-3 Region The database is encrypted with an AWS Key Management Service (AWS KMS) customer managed key The company was recently acquired and must securely share a backup of the database with the acquiring company's AWS account in ap-southeast-3.
What should a solutions architect do to meet these requirements?

• A. Create a database snapshot Copy the snapshot to a new unencrypted snapshot Share the new snapshot with the acquiring company's AWS account
• B. Create a database snapshot Add the acquiring company's AWS account to the KMS key policy Share the snapshot with the acquiring company's AWS account
• C. Create a database snapshot that uses a different AWS managed KMS key Add the acquiring company's AWS account to the KMS key alia
• D. Share the snapshot with the acquiring company's AWS account.
• E. Create a database snapshot Download the database snapshot Upload the database snapshot to an Amazon S3 bucket Update the S3 bucket policy to allow access from the acquiring company's AWS account

Answer: A

NEW QUESTION 4
A company stores data in an Amazon Aurora PostgreSQL DB cluster. The company must store all the data for 5 years and must delete all the data after 5 years. The company also must indefinitely keep audit logs of actions that are performed within the database. Currently, the company has automated backups configured for Aurora.
Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)

• A. Take a manual snapshot of the DB cluster.
• B. Create a lifecycle policy for the automated backups.
• C. Configure automated backup retention for 5 years.
• D. Configure an Amazon CloudWatch Logs export for the DB cluster.
• E. Use AWS Backup to take the backups and to keep the backups for 5 years.

Answer: AD

NEW QUESTION 5
A company wants to use Amazon S3 for the secondary copy of itdataset. The company would rarely need to access this copy. The storage solution’s
cost should be minimal.
Which storage solution meets these requirements?

• A. S3 Standard
• B. S3 Intelligent-Tiering
• C. S3 Standard-Infrequent Access (S3 Standard-IA)
• D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

Answer: C

NEW QUESTION 6
A company needs to ingested and handle large amounts of streaming data that its application generates. The application runs on Amazon EC2 instances and sends data to Amazon Kinesis Data Streams. which is contained wild default settings. Every other day the application consumes the data and writes the data to an Amazon S3 bucket for business intelligence (BI) processing the company observes that Amazon S3 is not receiving all the data that trio application sends to Kinesis Data Streams.
What should a solutions architect do to resolve this issue?

• A. Update the Kinesis Data Streams default settings by modifying the data retention period.
• B. Update the application to use the Kinesis Producer Library (KPL) lo send the data to Kinesis Data Streams.
• C. Update the number of Kinesis shards lo handle the throughput of me data that is sent to Kinesis Data Streams.
• D. Turn on S3 Versioning within the S3 bucket to preserve every version of every object that is ingested in the S3 bucket.

Answer: A

NEW QUESTION 7
A company is creating a new application that will store a large amount of data. The data will be analyzed hourly and will be modified by several Amazon EC2 Linux instances that are deployed across multiple Availability Zones. The needed amount of storage space will continue to grow for the next 6 Months.
Which storage solution should a solutions architect recommend to meet these requirements?

• A. Store the data in Amazon S3 Glacier Update me S3 Glacier vault policy to allow access to the application Instances
• B. Store the data in an Amazon Elastic Block Store (Amazon EBS) volume Mount the EBS volume on the application nuances.
• C. Store the data in an Amazon Elastic File System (Amazon EFS) tile system Mount the file system on the application instances.
• D. Store the data in an Amazon Elastic Block Store (Amazon EBS) Provisioned K)PS volume shared between the application instances.

Answer: C

NEW QUESTION 8
A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL.
What should a solutions architect do to meet these requirements?

• A. Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
• B. Create an IAM use
• C. Grant the user read permission to objects in the S3 bucke
• D. Assign the user to CloudFront.
• E. Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
• F. Create an origin access identity (OAI). Assign the OAI to the CloudFront distributio
• G. Configure the S3 bucket permissions so that only the OAI has read permission.

Answer: D

Explanation:
Explanation
https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3

NEW QUESTION 9
A company runs multiple Windows workloads on AWS. The company’s employees use Windows the file shares that are hosted on two Amazon EC2 instances. The file shares synchronize data between themselves and maintain duplicate copies. The company wants a highly available and durable storage solution that preserves how users currently access the files.

• A. Migrate all the data to Amazon S3 Set up IAM authentication for users to access files
• B. Set up an Amazon S3 File Gatewa
• C. Mount the S3 File Gateway on the existing EC2 Instances.
• D. Extend the file share environment to Amazon FSx for Windows File Server with a Multi-AZ configuratio
• E. Migrate all the data to FSx for Windows File Server.
• F. Extend the file share environment to Amazon Elastic File System (Amazon EFS) with a Multi-AZ configuratio
• G. Migrate all the data to Amazon EFS.

Answer: C

NEW QUESTION 10
A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company’s product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solution architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?

• A. Share the dashboard from the CloudWatch consol
• B. Enter the product manager’s email address, and complete the sharing step
• C. Provide a shareable link for the dashboard to the product manager.
• D. Create an IAM user specifically for the product manage
• E. Attach the CloudWatch Read Only Access managed policy to the use
• F. Share the new login credential with the product manage
• G. Share the browser URL of the correct dashboard with the product manager.
• H. Create an IAM user for the company’s employees, Attach the View Only Access AWS managed policy to the IAM use
• I. Share the new login credentials with the product manage
• J. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
• K. Deploy a bastion server in a public subne
• L. When the product manager requires access to the dashboard, start the server and share the RDP credential
• M. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.

Answer: A

NEW QUESTION 11
A solutions architect is creating a new VPC design. There are two public subnets for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web servers use only HTTPS. The solutions architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0.
Company policy requires that each resource has the least access required to still be able to perform its tasks. Which additional configuration strategy should the solutions architect use to meet these requirements?

• A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group (or the MySQL servers and allow port 3306 from the web servers security group.
• B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.
• C. Create a security group for the web servers and allow port 443 from the load balance
• D. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.
• E. Create a network ACL for the web servers and allow port 443 from the load balance
• F. Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Answer: C

NEW QUESTION 12
A company wants to build a data lake on AWS from data that is stored in an onpremises Oracle relational database. The data lake must receive ongoing updates from the on-premises database.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Use AWS DataSync to transfer the data to Amazon S3. Use AWS Glue to transform the data and integrate the data into a data lake.
• B. Use AWS Snowball to transfer the data to Amazon S3. Use AWS Batch to transform the data and integrate the data into a data lake.
• C. Use AWS Database Migration Service (AWS DMS) to transfer the data to Amazon S3 Use AWS Glue to transform the data and integrate the data into a data lake.
• D. Use an Amazon EC2 instance to transfer the data to Amazon S3. Configure the EC2 instance to transform the data and integrate the data into a data lake.

Answer: C

NEW QUESTION 13
A solutions architect is designing a two-tier web application The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet Security is a high priority for the company
How should security groups be configured in this situation? (Select TWO )

• A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
• B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
• C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
• D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
• E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Answer: AC

Explanation:
"Security groups create an outbound rule for every inbound rule." Not completely right. Statefull does NOT mean that if you create an inbound (or outbound) rule, it will create an outbound (or inbound) rule. What it does mean is: suppose you create an inbound rule on port 443 for the X ip. When a request enters on port 443 from X ip, it will allow traffic out for that request in the port 443. However, if you look at the outbound rules, there will not be any outbound rule on port 443 unless explicitly create it. In ACLs, which are stateless, you would have to create an inbound rule to allow incoming requests and an outbound rule to allow your application responds to those incoming requests.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules

NEW QUESTION 14
A company wants to migrate its on-premises application to AWS. The application produces output files that vary in size from tens of gigabytes to hundreds of terabytes The application data must be stored in a standard file system structure
The company wants a solution that scales automatically, is highly available, and requires minimum operational overhead.
Which solution will meet these requirements?

• A. Migrate the application to run as containers on Amazon Elastic Container Service (Amazon ECS) Use Amazon S3 for storage
• B. Migrate the application to run as containers on Amazon Elastic Kubernetes Service (Amazon EKS) Use Amazon Elastic Block Store (Amazon EBS) for storage
• C. Migrate the application to Amazon EC2 instances in a Multi-AZ Auto Scaling grou
• D. Use Amazon Elastic File System (Amazon EFS) for storage.
• E. Migrate the application to Amazon EC2 instances in a Multi-AZ Auto Scaling grou
• F. Use Amazon Elastic Block Store (Amazon EBS) for storage.

Answer: C

NEW QUESTION 15
A company is running several business applications in three separate VPCs within me us-east-1 Region. The applications must be able to communicate between VPCs. The applications also must be able to consistently send hundreds to gigabytes of data each day to a latency-sensitive application that runs in a single on-premises data center.
A solutions architect needs to design a network connectivity solution that maximizes cost-effectiveness Which solution moots those requirements?

• A. Configure three AWS Site-to-Site VPN connections from the data center to AWS Establish connectivity by configuring one VPN connection for each VPC
• B. Launch a third-party virtual network appliance in each VPC Establish an iPsec VPN tunnel between the Data center and each virtual appliance
• C. Set up three AWS Direct Connect connections from the data center to a Direct Connect gateway inus-east-1 Establish connectivity by configuring each VPC to use one of the Direct Connect connections
• D. Set up one AWS Direct Connect connection from the data center to AW
• E. Create a transit gateway, and attach each VPC to the transit gatewa
• F. Establish connectivity between the Direct Connect connection and the transit gateway.

Answer: C

NEW QUESTION 16
A company is planning on deploying a newly built application on AWS in a default VPC. The application will consist of a web layer and database layer. The web server was created in public subnets, and the MySQL database was created in private subnet. All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.

• A. Create a database server security group with inbound and outbound rules for MySQL port 3306 traffic to and from anywhere (0.0.0.0/0).
• B. Create a database server security group with an inbound rule for MySQL port 3300 and specify the source as a web server security group.
• C. Create a web server security group within an inbound allow rule for HTTPS port 443 traffic from anywbere (0.0.0.0/0) and an inbound deny rule for IP range 182. 20.0.0/16
• D. Create a web server security group with an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0). Create network ACL inbound and outbound deny rules for IP range 182. 20.0.0/16
• E. Create a web server security group with an inbound and outbound rules for HTTPS port 443 traffic to and from anywbere (0.0.0.0/0). Create a network ACL inbound deny rule for IP range 182. 20.0.0/16.

Answer: BD

NEW QUESTION 17
A company is using a SQL database to store movie data that is publicly accessible. The database runs on an Amazon RDS Single-AZ DB instance A script runs queries at random intervals each day to record the number of new movies that have been added to the database. The script must report a final total during business hours The company's development team notices that the database performance is inadequate for development tasks when the script is running. A solutions architect must recommend a solution to resolve this issue. Which solution will meet this requirement with the LEAST operational overhead?

• A. Modify the DB instance to be a Multi-AZ deployment
• B. Create a read replica of the database Configure the script to query only the read replica
• C. Instruct the development team to manually export the entries in the database at the end of each day
• D. Use Amazon ElastiCache to cache the common queries that the script runs against the database

Answer: B

NEW QUESTION 18
......