AWS-Solution-Architect-Associate Free Practice Test

- (Exam Topic 3)
A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public subnet must be open to the internet on port 443. The Amazon RDS for MySQL D6 instance in the database subnet must be accessible only to the web servers on port 3306.
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

1. A. Create a network ACL for the public subnet Add a rule to deny outbound traffic to 0 0 0 0/0 on port3306
2. B. Create a security group for the DB instance Add a rule to allow traffic from the public subnet CIDR block on port 3306
3. C. Create a security group for the web servers in the public subnet Add a rule to allow traffic from 0 0 0 O'O on port 443
4. D. Create a security group for the DB instance Add a rule to allow traffic from the web servers' security group on port 3306
5. E. Create a security group for the DB instance Add a rule to deny all traffic except traffic from the web servers' security group on port 3306

Correct Answer: CD

- (Exam Topic 1)
A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create an S3 bucket in each Region Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) Configure replication between the S3 buckets.
2. B. Create a customer managed multi-Region KMS ke
3. C. Create an S3 bucket in each Regio
4. D. Configure replication between the S3 bucket
5. E. Configure the application to use the KMS key with client-side encryption.
6. F. Create a customer managed KMS key and an S3 bucket in each Region Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) Configure replication between the S3 buckets.
7. G. Create a customer managed KMS key and an S3 bucket m each Region Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS) Configure replication between the S3 buckets.

Correct Answer: B
From https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
For most users, the default AWS KMS key store, which is protected by FIPS 140-2 validated cryptographic modules, fulfills their security requirements. There is no need to add an extra layer of maintenance responsibility or a dependency on an additional service. However, you might consider creating a custom key store if your organization has any of the following requirements: Key material cannot be stored in a shared environment. Key material must be subject to a secondary, independent audit path. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3. https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html
https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

- (Exam Topic 3)
A company previously migrated its data warehouse solution to AWS. The company also has an AWS Direct Connect connection. Corporate office users query the data warehouse using a visualization tool. The average size of a query returned by the data warehouse is 50 MB and each webpage sent by the visualization tool is approximately 500 KB. Result sets returned by the data warehouse are not cached.
Which solution provides the LOWEST data transfer egress cost for the company?

1. A. Host the visualization tool on premises and query the data warehouse directly over the internet.
2. B. Host the visualization tool in the same AWS Region as the data warehous
3. C. Access it over the internet.
4. D. Host the visualization tool on premises and query the data warehouse directly over a Direct Connect connection at a location in the same AWS Region.
5. E. Host the visualization tool in the same AWS Region as the data warehouse and access it over a Direct Connect connection at a location in the same Region.

Correct Answer: D
https://aws.amazon.com/directconnect/pricing/ https://aws.amazon.com/blogs/aws/aws-data-transfer-prices-reduced/

- (Exam Topic 3)
A company recently migrated its web application to AWS by rehosting the application on Amazon EC2 instances in a single AWS Region. The company wants to redesign its application architecture to be highly available and fault tolerant. Traffic must reach all running EC2 instances randomly.
Which combination of steps should the company take to meet these requirements? (Choose two.)

1. A. Create an Amazon Route 53 failover routing policy.
2. B. Create an Amazon Route 53 weighted routing policy.
3. C. Create an Amazon Route 53 multivalue answer routing policy.
4. D. Launch three EC2 instances: two instances in one Availability Zone and one instance in another Availability Zone.
5. E. Launch four EC2 instances: two instances in one Availability Zone and two instances in another Availability Zone.

Correct Answer: CE
https://aws.amazon.com/premiumsupport/knowledge-center/multivalue-versus-simple-policies/

- (Exam Topic 1)
A company has a website hosted on AWS. The website is behind an Application Load Balancer (ALB) that is configured to handle HTTP and HTTPS separately. The company wants to forward all requests to the website so that the requests will use HTTPS.
What should a solutions architect do to meet this requirement?

1. A. Update the ALB's network ACL to accept only HTTPS traffic
2. B. Create a rule that replaces the HTTP in the URL with HTTPS.
3. C. Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.
4. D. Replace the ALB with a Network Load Balancer configured to use Server Name Indication (SNI).

Correct Answer: C
https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/
How can I redirect HTTP requests to HTTPS using an Application Load Balancer? Last updated: 2020-10-30 I want to redirect HTTP requests to HTTPS using Application Load Balancer listener rules. How can I do this? Resolution Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/