AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 2)
A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.
The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB cluster.
Which combination of steps will meet these requirements? (Select TWO.)

1. A. Add an inbound rule to the EC2 instances' security grou
2. B. Specify the DB cluster's security group as the source over the default Aurora port.
3. C. Add an outbound rule to the EC2 instances' security grou
4. D. Specify the DB cluster's security group as the destination over the default Aurora port.
5. E. Add an inbound rule to the DB cluster's security grou
6. F. Specify the EC2 instances' security group as the source over the default Aurora port.
7. G. Add an outbound rule to the DB cluster's security grou
8. H. Specify the EC2 instances' security group as the destination over the default Aurora port.
9. I. Add an outbound rule to the DB cluster's security grou
10. J. Specify the EC2 instances' security group as the destination over the ephemeral ports.

Correct Answer: AB

- (Exam Topic 2)
A company uses AWS Organizations with a single OU named Production to manage multiple accounts All accounts are members of the Production OU Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit's existing AWS account to the organization Once onboarded the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company's policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

1. A. Remove the organization's root SCPs that limit access to AWS Config Create AWS Service Catalog products for the company's standard AWS Config rules and deploy them throughout the organization, including the new account.
2. B. Create a temporary OU named Onboarding for the new account Apply an SCP to the Onboarding OU toallow AWS Config actions Move the new account to the Production OU when adjustments to AWS Config are complete
3. C. Convert the organization's root SCPs from deny list SCPs to allow list SCPs to allow the required services only Temporarily apply an SCP to the organization's root that allows AWS Config actions for principals only in the new account.
4. D. Create a temporary OU named Onboarding for the new account Apply an SCP to the Onboarding OU to allow AWS Config action
5. E. Move the organization's root SCP to the Production O
6. F. Move the new account to the Production OU when adjustments to AWS Config are complete.

Correct Answer: D
An SCP at a lower level can't add a permission after it is blocked by an SCP at a higher level. SCPs can only filter; they never add permissions. SO you need to create a new OU for the new account assign an SCP, and move the root SCP to Production OU. Then move the new account to production OU when AWS config is done.

- (Exam Topic 1)
A company has an internal application running on AWS that is used to track and process shipments in the company's warehouse. Currently, after the system receives an order, it emails the staff the information needed to ship a package. Once the package is shipped, the staff replies to the email and the order is marked as shipped.
The company wants to stop using email in the application and move to a serverless application model. Which architecture solution meets these requirements?

1. A. Use AWS Batch to configure the different tasks required lo ship a packag
2. B. Have AWS Batch trigger an AWS Lambda function that creates and prints a shipping labe
3. C. Once that label is scanne
4. D. as it leaves the warehouse, have another Lambda function move the process to the next step in the AWS Batch job.B.
5. E. When a new order is created, store the order information in Amazon SQ
6. F. Have AWS Lambda check the queue every 5 minutes and process any needed wor
7. G. When an order needs to be shipped, have Lambda print the label in the warehous
8. H. Once the label has been scanned, as it leaves the warehouse, have an Amazon EC2 instance update Amazon SOS.
9. I. Update the application to store new order information in Amazon DynamoD
10. J. When a new order is created, trigger an AWS Step Functions workflow, mark the orders as "in progress," and print a package label to the warehous
11. K. Once the label has been scanned and fulfilled, the application will trigger an AWS Lambda function that will mark the order as shipped and complete the workflow.
12. L. Store new order information in Amazon EF
13. M. Have instances pull the new information from the NFS and send that information to printers in the warehous
14. N. Once the label has been scanned, as it leaves the warehouse, have Amazon API Gateway call the instances to remove the order information from Amazon EFS.

Correct Answer: C

- (Exam Topic 2)
What should the solutions architect do to meet this requirement7

1. A. / Use Amazon CloudWatch to monitor the Sample Count statistic for each service in the ECS cluster Se: an alarm for when the math expression sample Notification SERVICE_QUOTA(service)"100 is greater than 80 Notify the development team by using Amazon Simple Notification Service (Amazon SNS)
2. B. Use Amazon CloudWatch to monitor service quotas that are published under the AWS-'Usage metric namespace Set an alarm for when the math expression metricSERVlCE QUOTA(metric)"100 is greater than 80 Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
3. C. Create an AWS Lambda function to poll detailed metrics from the ECS cluste
4. D. When the number running Fargate tasks is greater than 80. invoke Amazon Simple Email Service (Amazon SES) to notify the development team
5. E. Create an AWS Config rule to evaluate whether the Fargate SERVICE_QUOTA is greater than 80. Use Amazon Simple Email Service (Amazon SES) to notify the development team when the AWS Config rule is not compliant.

Correct Answer: B

- (Exam Topic 1)
A start up company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to the instances for troubleshooting.
The company's existing architecture includes the following:
• A VPC with private and public subnets, and a NAT gateway
• Site-to-Site VPN for connectivity with the on-premises environment
• EC2 security groups with direct SSH access from the on-premises environment
The company needs to increase security controls around SSH access and provide auditing of commands executed by the engineers.
Which strategy should a solutions architect use?

1. A. Install and configure EC2 Instance Connect on the fleet of EC2 instance
2. B. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
3. C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's device
4. D. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
5. E. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's device
6. F. Enable AWS Config for EC2 security group resource change
7. G. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
8. H. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attache
9. I. Attach the IAM role to all the EC2 instance
10. J. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

Correct Answer: D
Allows client machines to be able to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.ht https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.ht