AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 2)
A digital marketing company has multiple AWS accounts that belong to various teams. The creative team uses an Amazon S3 bucket in its AWS account to securely store images and media files that are used as content for the company's marketing campaigns. The creative team wants to share the S3 bucket with the strategy team so that the strategy team can view the objects.
A solutions architect has created an IAM role that is named strategy_reviewer in the Strategy account. The solutions architect also has set up a custom AWS Key Management Service (AWS KMS) key in the Creative account and has associated the key with the S3 bucket. However, when users from the Strategy account assume the IAM role and try to access objects in the S3 bucket, they receive an Account.
The solutions architect must ensure that users in the Strategy account can access the S3 bucket. The solution must provide these users with only the minimum permissions that they need.
Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

1. A. Create a bucket policy that includes read permissions for the S3 bucke
2. B. Set the principal of the bucket policy to the account ID of the Strategy account
3. C. Update the strategy_reviewer IAM role to grant full permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key.
4. D. Update the custom KMS key policy in the Creative account to grant decrypt permissions to the strategy_reviewer IAM role.
5. E. Create a bucket policy that includes read permissions for the S3 bucke
6. F. Set the principal of the bucket policy to an anonymous user.
7. G. Update the custom KMS key policy in the Creative account to grant encrypt permissions to the strategy_reviewer IAM role.
8. H. Update the strategy_reviewer IAM role to grant read permissions for the S3 bucket and to grant decrypt permissions for the custom KMS key

Correct Answer: ACF
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/

- (Exam Topic 2)
A company wants to deploy an API to AWS. The company plans to run the API on AWS Fargate behind a load balancer. The API requires the use of header-based routing and must be accessible from on-premises networks through an AWS Direct Connect connection and a private VIF.
The company needs to add the client IP addresses that connect to the API to an allow list in AWS. The company also needs to add the IP addresses of the API to the allow list. The company's security team will allow /27 CIDR ranges to be added to the allow list. The solution must minimize complexity and operational overhead.
Which solution will meet these requirements?

1. A. Create a new Network Load Balancer (NLB) in the same subnets as the Fargate task deployments.Create a security group that includes only the client IP addresses that need access to the AP
2. B. Attach the new security group to the Fargate task
3. C. Provide the security team with the NLB's IP addresses for the allow list.
4. D. Create two new /27 subnet
5. E. Create a new Application Load Balancer (ALB) that extends across the new subnet
6. F. Create a security group that includes only the client IP addresses that need access to the AP
7. G. Attach the security group to the AL
8. H. Provide the security team with the new subnet IP ranges for the allow list.
9. I. Create two new '27 subnet
10. J. Create a new Network Load Balancer (NLB) that extends across the new subnet
11. K. Create a new Application Load Balancer (ALB) within the new subnet
12. L. Create a security group that includes only the client IP addresses that need access to the AP
13. M. Attach the security group to the AL
14. N. Add the ALB's IP addresses as targets behind the NL
15. O. Provide the security team with the NLB's IP addresses for the allow list.
16. P. Create a new Application Load Balancer (ALB) in the same subnets as the Fargate task deployments.Create a security group that includes only the client IP addresses that need access to the AP
17. Q. Attach the security group to the AL
18. R. Provide the security team with the ALB's IP addresses for the allow list.

Correct Answer: A

- (Exam Topic 1)
A company is running an Apache Hadoop cluster on Amazon EC2 instances. The Hadoop cluster stores approximately 100 TB of data for weekly operational reports and allows occasional access for data scientists to retrieve data. The company needs to reduce the cost and operational complexity for storing and serving this data.
Which solution meets these requirements in the MOST cost-effective manner?

1. A. Move the Hadoop cluster from EC2 instances to Amazon EM
2. B. Allow data access patterns to remain the same.
3. C. Write a script that resizes the EC2 instances to a smaller instance type during downtime and resizes the instances to a larger instance type before the reports are created.
4. D. Move the data to Amazon S3 and use Amazon Athena to query the data for report
5. E. Allow the data scientists to access the data directly in Amazon S3.
6. F. Migrate the data to Amazon DynamoDB and modify the reports to fetch data from DynamoD
7. G. Allow the data scientists to access the data directly in DynamoDB.

Correct Answer: C
"The company needs to reduce the cost and operational complexity for storing and serving this data. Which solution meets these requirements in the MOST cost-effective manner?" EMR storage is ephemeral. The company has 100TB that need to persist, they would have to use EMRFS to backup to S3 anyway. https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-storage.html
100TB
EBS - 8.109$ S3 - 2.355$
You have saved 5.752$
This amount can be used for Athen. BTW. we don't know indexes, amount of data that is scanned. What we know is that tit will be: "occasional access for data scientists to retrieve data"

- (Exam Topic 2)
A company is using multiple AWS accounts The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A The company's applications and databases are running in Account B.
A solutions architect win deploy a two-net application In a new VPC To simplify the configuration, the db.example com CNAME record set tor the Amazon RDS endpoint was created in a private hosted zone for
Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example com is not resolvable on the Amazon EC2 instance The solutions architect confirmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Select TWO J

1. A. Deploy the database on a separate EC2 instance in the new VPC Create a record set for the instance's private IP in the private hosted zone
2. B. Use SSH to connect to the application tier EC2 instance Add an RDS endpoint IP address to the/eto/resolv.conf file
3. C. Create an authorization lo associate the private hosted zone in Account A with the new VPC In Account B
4. D. Create a private hosted zone for the example.com domain m Account B Configure Route 53 replication between AWS accounts
5. E. Associate a new VPC in Account B with a hosted zone in Account
6. F. Delete the association authorization In Account A.

Correct Answer: CE
https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/

- (Exam Topic 1)
A company wants to migrate a 30 TB Oracle data warehouse from on premises to Amazon Redshift The company used the AWS Schema Conversion Tool (AWS SCT) to convert the schema of the existing data warehouse to an Amazon Redshift schema The company also used a migration assessment report to identify manual tasks to complete.
The company needs to migrate the data to the new Amazon Redshift cluster during an upcoming data freeze period of 2 weeks The only network connection between the on-premises data warehouse and AWS is a 50 Mops internet connection
Which migration strategy meets these requirements?

1. A. Create an AWS Database Migration Service (AWS DMS) replication instanc
2. B. Authorize the public IP address of the replication instance to reach the data warehouse through the corporate firewall Create a migration task to run at the beginning of the data freeze period.
3. C. Install the AWS SCT extraction agents on the on-premises server
4. D. Define the extract, upload, and copy tasks to send the data to an Amazon S3 bucke
5. E. Copy the data into the Amazon Redshift cluste
6. F. Run the tasks at the beginning of the data freeze period.
7. G. install the AWS SCT extraction agents on the on-premises server
8. H. Create a Site-to-Site VPN connection Create an AWS Database Migration Service (AWS DMS) replication instance that is the appropriate size Authorize the IP address of the replication instance to be able to access the on-premises data warehouse through the VPN connection
9. I. Create a job in AWS Snowball Edge to import data into Amazon S3 Install AWS SCT extraction agents on the on-premises servers Define the local and AWS Database Migration Service (AWS DMS) tasks to send the data to the Snowball Edge device When the Snowball Edge device is returned to AWS and the data is available in Amazon S3, run the AWS DMS subtask to copy the data to Amazon Redshift.

Correct Answer: D
AWS Database Migration Service (AWS DMS) can use Snowball Edge and Amazon S3 to migrate large databases more quickly than by other methods https://docs.aws.amazon.com/dms/latest/userguide/CHAP_LargeDBs.html
https://www.calctool.org/CALC/prof/computing/transfer_time