SAA-C03 Free Practice Test

- (Topic 4)
A company has an organization in AWS Organizations that has all features enabled The company requires that all API calls and logins in any existing or new AWS account must be audited The company needs a managed solution to prevent additional work and to minimize costs The company also needs to know when any AWS account is not compliant with the AWS Foundational Security Best Practices (FSBP) standard.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Deploy an AWS Control Tower environment in the Organizations management account Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
2. B. Deploy an AWS Control Tower environment in a dedicated Organizations member account Enable AWS Security Hub and AWS Control Tower Account Factory in the environment.
3. C. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ) Submit an RFC to self-service provision Amazon GuardDuty in the MALZ.
4. D. Use AWS Managed Services (AMS) Accelerate to build a multi-account landing zone (MALZ) Submit an RFC to self-service provision AWS Security Hub in the MALZ.

Correct Answer: A
AWS Control Tower is a fully managed service that simplifies the setup and governance of a secure, compliant, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using controls you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Controls implement governance rules for security, compliance, and operations. AWS Security Hub is a service that provides a comprehensive view of your security posture across your AWS accounts. It aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer, as well as from AWS Partner solutions. AWS Security Hub continuously monitors your environment using automated compliance checks based on the AWS best practices and industry standards, such as the AWS Foundational Security Best Practices (FSBP) standard. AWS Control Tower Account Factory is a feature that automates the provisioning of new AWS accounts that are preconfigured to meet your business, security, and compliance requirements. By deploying an AWS Control Tower environment in the Organizations management account, you can leverage the existing organization structure and policies, and enable AWS Security Hub and AWS Control Tower Account Factory in the environment. This way, you can audit all API calls and logins in any existing or new AWS account, monitor the compliance status of each account with the FSBP standard, and provision new accounts with ease and consistency. This solution meets the requirements with the least operational overhead, as you do not need to manage any infrastructure, perform any data migration, or submit any requests for changes. References:
✑ AWS Control Tower
✑ [AWS Security Hub]
✑ [AWS Control Tower Account Factory]

- (Topic 1)
A company is developing a two-tier web application on AWS. The company's developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Store the database credentials in the instance metadat
2. B. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.
3. C. Store the database credentials in a configuration file in an encrypted Amazon S3 bucke
4. D. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same tim
5. E. Use S3 Versioning to ensure the ability to fall back to previous values.
6. F. Store the database credentials as a secret in AWS Secrets Manage
7. G. Turn on automatic rotation for the secre
8. H. Attach the required permission to the EC2 role to grant access to the secret.
9. I. Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Stor
10. J. Turn on automatic rotation for the encrypted parameter
11. K. Attach the required permission to the EC2 role to grant access to the encrypted parameters.

Correct Answer: C
https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_database_secret.ht ml

- (Topic 3)
A company runs a web application on Amazon EC2 instances in multiple Availability Zones. The EC2 instances are in private subnets. A solutions architect implements an internet- facing Application Load Balancer (ALB) and specifies the EC2 instances as the target group. However, the internet traffic is not reaching the EC2 instances.
How should the solutions architect reconfigure the architecture to resolve this issue?

1. A. Replace the ALB with a Network Load Balance
2. B. Configure a NAT gateway in a public subnet to allow internet traffic.
3. C. Move the EC2 instances to public subnet
4. D. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.
5. E. Update the route tables for the EC2 instances’ subnets to send 0.0.0.0/0 traffic through the internet gateway rout
6. F. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.
7. G. Create public subnets in each Availability Zon
8. H. Associate the public subnets with the AL
9. I. Update the route tables for the public subnets with a route to the private subnets.

Correct Answer: D
https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

- (Topic 4)
A company runs applications on AWS that connect to the company's Amazon RDS database. The applications scale on weekends and at peak times of the year. The company wants to scale the database more effectively for its applications that connect to the database.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Use Amazon DynamoDB with connection pooling with a target group configuration for the databas
2. B. Change the applications to use the DynamoDB endpoint.
3. C. Use Amazon RDS Proxy with a target group for the databas
4. D. Change the applications to use the RDS Proxy endpoint.
5. E. Use a custom proxy that runs on Amazon EC2 as an intermediary to the databas
6. F. Change the applications to use the custom proxy endpoint.
7. G. Use an AWS Lambda function to provide connection pooling with a target group configuration for the databas
8. H. Change the applications to use the Lambda function.

Correct Answer: B
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon Relational Database Service (RDS) that makes applications more scalable, more resilient to database failures, and more secure1. RDS Proxy allows applications to pool and share connections established with the database, improving database efficiency and application scalability2. RDS Proxy also reduces failover times for Aurora and RDS databases by up to 66% and enables IAM authentication and Secrets Manager integration for database access1. RDS Proxy can be enabled for most applications with no code changes2.

- (Topic 4)
A company is designing a tightly coupled high performance computing (HPC) environment in the AWS Cloud The company needs to include features that will optimize the HPC environment for networking and storage.
Which combination of solutions will meet these requirements? (Select TWO )

1. A. Create an accelerator in AWS Global Accelerato
2. B. Configure custom routing for the accelerator.
3. C. Create an Amazon FSx for Lustre file syste
4. D. Configure the file system with scratch storage.
5. E. Create an Amazon CloudFront distributio
6. F. Configure the viewer protocol policy to be HTTP and HTTPS.
7. G. Launch Amazon EC2 instance
8. H. Attach an Elastic Fabric Adapter (EFA) to the instances.
9. I. Create an AWS Elastic Beanstalk deployment to manage the environment.

Correct Answer: BD
These two solutions will optimize the HPC environment for networking and storage. Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance, scalable storage for compute workloads. It is built on the world’s most popular high-performance file system, Lustre, which is designed for applications that require fast storage, such as HPC and machine learning. By configuring the file system with scratch storage, you can achieve sub-millisecond latencies, up to hundreds of GBs/s of throughput, and millions of IOPS. Scratch file systems are ideal for temporary storage and shorter-term processing of data. Data is not replicated and does not persist if a file server fails. For more information, see Amazon FSx for Lustre.
Elastic Fabric Adapter (EFA) is a network interface for Amazon EC2 instances that enables
customers to run applications requiring high levels of inter-node communications at scale on AWS. Its custom-built operating system (OS) bypass hardware interface enhances the performance of inter-instance communications, which is critical to scaling HPC and machine learning applications. EFA provides a low-latency, low-jitter channel for inter- instance communications, enabling your tightly-coupled HPC or distributed machine learning applications to scale to thousands of cores. EFA uses libfabric interface and libfabric APIs for communications, which are supported by most HPC programming models. For more information, see Elastic Fabric Adapter.
The other solutions are not suitable for optimizing the HPC environment for networking and storage. AWS Global Accelerator is a networking service that helps you improve the availability, performance, and security of your public applications by using the AWS global network. It provides two global static public IPs, deterministic routing, fast failover, and TCP termination at the edge for your application endpoints. However, it does not support OS- bypass capabilities or high-performance file systems that are required for HPC and machine learning applications. For more information, see AWS Global Accelerator. Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront is integrated with AWS services such as Amazon S3, Amazon EC2, AWS Elemental Media Services, AWS Shield, AWS WAF, and AWS Lambda@Edge. However, CloudFront is not designed for HPC and machine learning applications that require high levels of inter-node communications and fast storage. For more information, see [Amazon CloudFront].
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS. You can simply upload your code and Elastic Beanstalk automatically handles the deployment, from capacity provisioning, load balancing, auto-scaling to application health monitoring. However, Elastic Beanstalk is not optimized for HPC and machine learning applications that require OS-bypass capabilities and high-performance file systems. For more information, see [AWS Elastic Beanstalk].
References: Amazon FSx for Lustre, Elastic Fabric Adapter, AWS Global Accelerator, [Amazon CloudFront], [AWS Elastic Beanstalk].