AWS-Certified-Solutions-Architect-Professional Free Practice Test

- (Exam Topic 2)
A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address 198.51.100.2 destined for a private Amazon EC2 instance.
A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0.
Which set of steps should the solutions architect take to meet these requirements?

1. A. Open the AWS CloudTrail consol
2. B. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interfac
3. C. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
4. D. Open the Amazon CloudWatch consol
5. E. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interfac
6. F. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
7. G. Open the AWS CloudTrail consol
8. H. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interfac
9. I. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
10. J. Open the Amazon CloudWatch consol
11. K. Select the log group that contains the NAT gateway's elasticnetwork interface and the private instance's elastic network interfac
12. L. Run a query to filter with the destination address set as "like 198.51.100.2" and the source address set as "like 203.0". Run the stats command to filter the sum of bytes transferred by the source address and the destination address.

Correct Answer: D
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-analyze-inbound-traffic-nat-gateway/ by Cloudxie says "select appropriate log"

- (Exam Topic 1)
A company stores sales transaction data in Amazon DynamoDB tables. To detect anomalous behaviors and respond quickly, all changes lo the items stored in the DynamoDB tables must be logged within 30 minutes.
Which solution meets the requirements?

1. A. Copy the DynamoDB tables into Apache Hive tables on Amazon EMR every hour and analyze them (or anomalous behavior
2. B. Send Amazon SNS notifications when anomalous behaviors are detected.
3. C. Use AWS CloudTrail to capture all the APIs that change the DynamoDB table
4. D. Send SNS notifications when anomalous behaviors are detected using CloudTrail event filtering.
5. E. Use Amazon DynamoDB Streams to capture and send updates to AWS Lambd
6. F. Create a Lambda function to output records lo Amazon Kinesis Data Stream
7. G. Analyze any anomalies with Amazon Kinesis Data Analytic
8. H. Send SNS notifications when anomalous behaviors are detected.
9. I. Use event patterns in Amazon CloudWatch Events to capture DynamoDB API call events with an AWS Lambda (unction as a target to analyze behavio
10. J. Send SNS notifications when anomalous behaviors are detected.

Correct Answer: C
https://aws.amazon.com/blogs/database/dynamodb-streams-use-cases-and-design-patterns/#:~:text=DynamoDB DynamoDb Stream to capture DynamoDB update. And Kinesis Data Analytics for anomaly detection (it uses
AWS proprietary Random Cut Forest Algorithm)

- (Exam Topic 2)
A company has a media metadata extraction pipeline running on AWS. Notifications containing a reference to a file Amazon S3 are sent to an Amazon Simple Notification Service (Amazon SNS) topic The pipeline consists of a number of AWS Lambda functions that are subscribed to the SNS topic The Lambda functions extract the S3 file and write metadata to an Amazon RDS PostgreSQL DB instance.
Users report that updates to the metadata are sometimes stow to appear or are lost. During these times, the CPU utilization on the database is high and the number of failed Lambda invocations increases.
Which combination of actions should a solutions architect take to r-e'p resolve this issue? (Select TWO.)

1. A. Enable massage delivery status on the SNS topic Configure the SNS topic delivery policy to enable retries with exponential backoff
2. B. Create an Amazon Simple Queue Service (Amazon SOS) FIFO queue and subscribe the queue to the SNS topic Configure the Lambda functions to consume messages from the SQS queue.
3. C. Create an RDS proxy for the RDS instance Update the Lambda functions to connect to the RDS instance using the proxy.
4. D. Enable the RDS Data API for the RDS instanc
5. E. Update the Lambda functions to connect to the RDS instance using the Data API
6. F. Create an Amazon Simple Queue Service (Amazon SQS) standard queue for each Lambda function and subscribe the queues to the SNS topi
7. G. Configure the Lambda functions to consume messages from their respective SQS queue.

Correct Answer: CE

- (Exam Topic 2)
A company wants to use Amazon S3 to back up its on-premises file storage solution. The company s
on-premises file storage solution supports NFS and the company wants its new solution to support NFS The company wants to archive the backup Files after 5 days If the company needs archived files for disaster recovery, the company is willing to wait a few days for the retrieval of those Files.
Which solution meets these requirements MOST cost-effectively?

1. A. Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket Move the files from the on-premises file storage solution to the file gateway Create an S3 Lifecycle rule to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) after 5 days
2. B. Deploy an AWS Storage Gateway volume gateway that is associated with an S3 bucket Move the files from the on-premises file storage solution to the volume gateway Create an S3 Lifecycle rule to move the files to S3 Glacier Deep Archive after 5 days
3. C. Deploy an AWS Storage Gateway tape gateway that is associated with an S3 bucket Move the files from the on-premises file storage solution to the tape gateway Create an S3 Lifecycle rule to move the files to S3 Standard-Infrequent Access (S3 Standard-IA) after 5 days
4. D. Deploy an AWS Storage Gateway file gateway that is associated with an S3 bucket Move the files from the on-premises file storage solution to the file gateway Create an S3 Lifecycle rule to move the files to S3 Glacier Deep Archive after 5 days

Correct Answer: D

- (Exam Topic 1)
A financial services company logs personally identifiable information 10 its application logs stored in Amazon S3. Due to regulatory compliance requirements, the log files must be encrypted at rest. The security team has mandated that the company's on-premises hardware security modules (HSMs) be used to generate the CMK material.
Which steps should the solutions architect take to meet these requirements?

1. A. Create an AWS CloudHSM cluste
2. B. Create a new CMK in AWS KMS using AWS_CloudHSM as the source (or the key material and an origin of AWS_CLOUDHS
3. C. Enable automatic key rotation on the CMK with a duration of 1 yea
4. D. Configure a bucket policy on the togging bucket thai disallows uploads of unencrypted data and requires that the encryption source be AWS KMS.
5. E. Provision an AWS Direct Connect connection, ensuring there is no overlap of the RFC 1918 address space between on-premises hardware and the VPC
6. F. Configure an AWS bucket policy on the logging bucket that requires all objects to be encrypte
7. G. Configure the logging application to query theon-premises HSMs from the AWS environment for the encryption key material, and create a unique CMK for each logging event.
8. H. Create a CMK in AWS KMS with no key material and an origin of EXTERNA
9. I. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AW
10. J. Configure a bucket policy on the logging bucket that disallows uploads ofnon-encrypted data and requires that the encryption source be AWS KMS.
11. K. Create a new CMK in AWS KMS with AWS-provided key material and an origin of AWS_KMS.Disable this CM
12. L. and overwrite the key material with the key material from the on-premises HSM using the public key and import token provided by AW
13. M. Re-enable the CM
14. N. Enable automatic key rotation on the CMK with a duration of 1 yea
15. O. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.

Correct Answer: C
https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-yea https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html