
IT Certification Guaranteed, The Easy Way!

Exam : SAA-C01
Title : AWS Certified Solutions Architect - Associate (Released February 2018)
Vendor : Amazon
Version : V14.35

NO.1 A Solutions Architect plans to migrate NAT instances to NAT gateway.
The Architect has NAT instances with scripts to manage high availability.
What is the MOST efficient method to achieve similar high availability with NAT gateway?
A. Remove source/destination check on NAT instances.
B. Launch a NAT gateway in each Availability Zone.
C. Use a mix of NAT instances and NAT gateway.
D. Add an ELB Application Load Balancer in front of NAT gateway.
Answer: B

NO.2 You are designing a web application that stores static assets in an Amazon Simple Storage
Service (S3) bucket.
You expect this bucket to immediately receive over 150 PUT requests per second.
What should you do to ensure optimal performance?
A. Use multi-part upload.
B. Add a random prefix to the key names.
C. Amazon S3 will automatically manage performance at this scale.
D. Use a predictable naming scheme, such as sequential numbers or date time sequences, in the key
names
Answer: B

NO.3 A client application requires operating system privileges on a relational database server.
What is an appropriate configuration for highly available database architecture?
A. A standalone Amazon EC2 instance
B. Amazon RDS in a multi-AZ configuration
C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones
Answer: D

NO.4 You have decided to change the instance type for instances running in your application tier
that is using Auto Scaling. In which area below would you change the instance type definition?
A. Auto Scaling policy
B. Auto Scaling group
C. Auto Scaling tags
D. Auto Scaling launch configuration
Answer: D

NO.5 A Solutions Architect is designing a web application. The web and application tiers need to
access the Internet, but they cannot be accessed from the Internet.
Which of the following steps is required?
A. Attach an Elastic IP address to each Amazon EC2 instance and add a route from the private subnet
to the public subnet.
B. Launch a NAT gateway in the public subnet and add a route to it from the private subnet.
C. Launch Amazon EC2 instances in the public subnet and change the security group to allow outbound traffic on port 80.
D. Launch a NAT gateway in the private subnet and deploy a NAT instance in the private subnet.
Answer: B

NO.6 An Administrator is hosting an application on a single Amazon EC2 instance, which users can
access by the public hostname. The administrator is adding a second instance, but does not want
users to have to decide between many public hostnames.
Which AWS service will decouple the users from specific Amazon EC2 instances?
A. Amazon SQS
B. Auto Scaling group
C. Amazon EC2 security group
D. Amazon ELB
Answer: B

NO.7 A company is launching a static website using the zone apex (mycompany.com). The company
wants to use Amazon Route 53 for DNS. Which steps should the company perform to implement a
scalable and cost-effective solution? (Select TWO)
A. Host the website on an Amazon EC2 instance with ELB and Auto Scaling, and map a Route 53 alias
record to the ELB endpoint
B. Host the website using AWS Elastic Beanstalk, and map a Route 53 alias record to the Beanstalk
stack.
C. Host the website on an Amazon EC2 instance, and map a Route 53 alias record to the public IP
address of the Amazon EC2 instance.
D. Serve the website from an Amazon S3 bucket and map a Route 53 alias record to the website
endpoint
E. Create a Route 53 hosted zone, and set the NS records of the domain to use Route 53 name
servers.
Answer: A D

NO.8 What is required in order to make a single web server in a VPC (Virtual Private Cloud) publicly
accessible?
Choose 4 answers
A. Configure an internet gateway
B. Associate an Elastic IP to the web server
C. Set up a NAT instance
D. Alter the web server's security group to allow inbound web traffic on ports being used to serve
web traffic
E. Configure the routing table of the subnet
F. Add a CNAME record to your Route 53 hosted zone
Answer: A B D E

NO.9 You are launching an application in an Auto Scaling group. To store the user session state, you
need a structured storage service with durability and low latency.
Which service meets your needs?

A. Amazon DynamoDB
B. Amazon EC2 instance storage
C. Amazon S3
D. Amazon ElastiCache
Answer: A

NO.10 A Solutions Architect is designing a three-tier web application that includes an Auto Scaling
group of Amazon EC2 Instances running behind an ELB Classic Load Balancer. The security team
requires that all web servers must be accessible only through the Load Balancer and that none of the
web servers are directly accessible from the Internet.
How should the Architect meet these requirements?
A. Use a Load Balancer installed on an Amazon EC2 instance
B. Configure the web servers' security group to deny traffic from the public Internet
C. Create an Amazon CloudFront distribution in front of the ELB Classic Load Balancer
D. Configure the web tier security group to allow only traffic from the ELB Classic Load Balancer
Answer: C
Explanation
Routing Traffic to an ELB Load Balancer
If you host a website on multiple Amazon EC2 instances, you can distribute traffic to your website
across the instances by using an Elastic Load Balancing (ELB) load balancer. The ELB service
automatically scales the load balancer as traffic to your website changes over time. The load balancer
also can monitor the health of its registered instances and route domain traffic only to healthy
instances.
To route domain traffic to an ELB load balancer, use Amazon Route 53 to create an alias record that
points to your load balancer. An alias record is a Route 53 extension to DNS. It's similar to a CNAME
record, but you can create an alias record both for the root domain, such as example.com, and for
subdomains, such as www.example.com. (You can create CNAME records only for subdomains.) Note
Route 53 doesn't charge for alias queries to ELB load balancers or other AWS resources.
Prerequisites
Before you get started, you need the following:
* An ELB load balancer. You can use an ELB Classic, Application, or Network Load Balancer. For
information about creating a load balancer, see Getting Started with Elastic Load Balancing in the
Elastic Load Balancing User Guide Give the load balancer a name that will help you remember what
it's for later. The name that you specify when you create a load balancer is the name that you'll
choose when you create an alias record in the Route 53 console.
* A registered domain name. You can use Route 53 as your domain registrar, or you can use a
different registrar.
* Route 53 as the DNS service for the domain. If you register your domain name by using Route 53,
we automatically configure Route 53 as the DNS service for the domain.
For information about using Route 53 as the DNS service provider for your domain, see Making
Amazon Route 53 the DNS Service for an Existing Domain.

NO.11 A company has a workflow that sends video files from their on-premises system to AWS for
transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an
appropriate service for this scenario?

A. SQS synchronously provides transcoding output
B. SQS guarantees the order of the messages
C. SQS checks the health of the worker instances
D. SQS helps to facilitate horizontal scaling of encoding tasks
Answer: D

NO.12 A photo sharing service stores pictures in Amazon Simple Storage Service (S3) and allows
application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token
approach to temporary access should you use for the Amazon S3 operations?
A. SAML-based identity Federation
B. Cross-Account Access
C. AWS identity and Access Management roles
D. Web identity Federation
Answer: A

NO.13 A Solution Architect is designing a solution with AWS Lambda where different environments
require different database passwords. What should the Architect do to accomplish this in a secure
and scalable way?
A. Create a Lambda function for each individual environment
B. Use Amazon DynamoDB to store environment variables
C. Use encrypted AWS Lambda environment variables
D. Implement a dedicated Lambda function for distributing environment variables
Answer: C

NO.14 A company has reproducible data that they want to store on Amazon Web Services. The
company may want to retrieve the data on a frequent basis. Which Amazon web services storage
option allows the customer to optimize storage costs and still achieve high availability for their data?
A. Amazon S3 Reduced Redundancy Storage
B. Amazon EBS Magnetic Volume
C. Amazon Glacier
D. Amazon S3 Standard Storage
Answer: A

NO.15 A Solutions Architect is designing an application in AWS. The Architect must not expose the
application or database tier over the Internet for security reasons. The application must be low-cost
and have a scalable front end. The databases and application tier must have only one-way Internet
access to download software and patch updates. Which solution helps to meet these requirements?
A. Use a NAT Gateway as the front end for the application tier and to enable the private resources to
have Internet access
B. Use an Amazon EC2-based proxy server as the front end for the application tier, and a NAT
Gateway to allow Internet access for private resources
C. Use an ELB Classic Load Balancer as the front end for the application tier, and an Amazon EC2
proxy server to allow Internet access for private resources

D. Use an ELB Classic Load Balancer as the front end for the application tier, and a NAT Gateway to
allow Internet access for private resources
Answer: D
Explanation
You configure your load balancer to accept incoming traffic by specifying one or more listeners. A
listener is a process that checks for connection requests. It is configured with a protocol and port
number for connections from clients to the load balancer and a protocol and port number for
connections from the load balancer to the targets.
Elastic Load Balancing supports three types of load balancers: Application Load Balancers, Network
Load Balancers, and Classic Load Balancers. There is a key difference between the way you configure
these load balancers. With Application Load Balancers and Network Load Balancers, you register
targets in target groups, and route traffic to the target groups. With Classic Load Balancers, you
register instances with the load balancer.

NO.16 A customer owns a MySQL database that is accessed by various clients who expect at most
100 ms latency on requests. Once a record is stored in the database, it is rarely changed. Clients only
access one record at a time.
Database access has been increasing exponentially due to increased client demand. The resultant
load will soon exceed the capacity of the most expensive hardware available for purchase. The
customer wants to migrate to AWS, and is willing to change database systems.
Which service would alleviate the database load issue and offer virtually unlimited scalability for the
future?
A. Amazon RDS
B. Amazon DynamoDB
C. Amazon Redshift
D. AWS Data Pipeline
Answer: C

NO.17 When will you incur costs with an Elastic IP address (EIP)?
A. When an EIP is allocated
B. When it is allocated and associated with a running instance
C. When it is allocated and associated with a stopped instance
D. Costs are incurred regardless of whether the EIP associated with a running instance
Answer: C

NO.18 What is the minimum interval for the data that Amazon CloudWatch receives and
aggregates?
A. One second
B. Five seconds
C. One minute
D. Three minutes
E. Five minutes
Answer: C

NO.19 Your Amazon RDS MySQL DB instance runs on the largest available instance type. The DB
instance runs at near capacity for CPU and network bandwidth. You expect traffic to increase and are
looking for ways you can continue to scale your database. Which strategies allow you to continue to
scale and take on more traffic?
A. Create a cross-region read replica of the master database; configure the app to send read-only
calls to the replica
B. Convert the DB instance to a Multi-AZ deployment; configure the app to send read-only calls to
the standby
C. Create additional database accounts in the DB instance; configure the app servers to make calls
using different account credentials
D. Create a read replica of the master database in another Availability Zone; configure the app to
send read-only calls to the replica.
E. Create an Amazon Elasticache cluster; configure the app to retrieve frequently accessed data and
queries from the cache.
Answer: D E

NO.20 After launching an instance that you intend to serve as NAT (Network Address Translation)
device in a public subnet you modify your route tables to have the NAT device be the target of
internet bound traffic of your private subnet. When you try and make an outbound connection to the
internet from an instance in the private subnet, you are not successful. Which of the following steps
could resolve the issue?
A. Disabling the Source/Destination check attribute on the NAT instance
B. Attaching an Elastic IP address to the instance in the private subnet
C. Attaching a second Elastic Network Interface(ENI) to the instance in the private subnet, and
placing it in the public subnet
D. Attaching a second Elastic Network Interface to the NAT instance, and placing it in the private
subnet
Answer: A

NO.21 How can an EBS volume that is currently attached to an EC2 instance be migrated from one
Availability Zone to another?
A. Simply create a new volume in the other AZ and specify the original volume as the source
B. Detach the volume and attach it to another EC2 instance in the other AZ
C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ
D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ
Answer: C

NO.22 You have been asked to design a NAT solution for your company's VPC-based web
application. Traffic from the private subnets varies throughout the day from 500 Mbps to spikes of 7
Gbps.
What is the most cost-effective and scalable solution?
A. Create an Amazon EC2 NAT instance with a second elastic network (ENI) in a public subnet; route
all private subnet Internet traffic through the NAT gateway.
B. Create an Auto Scaling group of Amazon EC2 NAT instances in a public subnet; route all private subnet Internet traffic through the NAT gateway
C. Move the Internet gateway for the VPC to a public subnet; route all Internet traffic through the
Internet gateway
D. Create a NAT gateway in a public subnet; route all private subnet Internet Traffic through the NAT
gateway
Answer: D
Explanation
Getting Started
Let's try to see how we can create and configure an AWS NAT Gateway:
* Log in to the AWS console, select the VPC service and click on NAT Gateways as shown below. (Figure: Managed NAT gateway - dashboard)
* Provide the necessary details, like subnet and Elastic IP, and create the NAT Gateway. You need to select the subnet which you want to be the private subnet and your Elastic IP so that it can communicate with the Internet. (Figure: NAT Gateway - create)
* Once created you will see this: (Figure: NAT Gateway - success)
* Once the NAT Gateway is created you can edit your routing table to send traffic destined for the Internet toward the gateway. The gateway's internal address will be chosen automatically, and will be in the same subnet as the gateway.
Once the NAT Gateway is configured, you are all set. Your private subnet instances should now be able to communicate with the Internet without much management, monitoring, and configuration overhead.
Sample NAT Gateway architecture: (Figure: NAT Gateway - design)

Migrating from an existing NAT instance
If you are already using a NAT instance in your VPC setup, it's time to migrate now, and I can tell you
that it's not tough. You only need to make sure that you create the NAT Gateway in the same subnet
as your existing NAT instance. Then you need to edit the route table by replacing the existing NAT
reference with the internal address of the new gateway. I told you this was very straightforward. You
will need to ensure that you don't have any critical tasks running at the time of migration, because
changing a route from a NAT instance to the gateway can result in a dropped connection.
This feature was only very recently introduced by AWS, so it's definitely worth sharing. It can resolve
lots of existing concerns. Do you have your own experience with this new feature? Why not share it
with others.

NO.23 When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any
ephemeral store volumes?
A. Data is automatically saved in an EBS volume
B. Data will be deleted and will no longer be accessible
C. Data is unavailable until the instance is restarted
D. Data is automatically saved as an EBS snapshot
Answer: B

NO.24 A customer's security team requires the logging of all network access attempts to Amazon
EC2 instances in their production VPC on AWS. Which configuration will meet the security team's
requirement?
A. Enable CloudTrail for the production VPC.
B. Enable both CloudTrail and VPC Flow Logs for the AWS account.
C. Enable both CloudTrail and VPC Flow Logs for the production VPC.
D. Enable VPC Flow Logs for the production VPC.
Answer: D
Explanation
Amazon VPC provides features that you can use to increase and monitor the security for your VPC:
* Security groups - Act as a firewall for associated Amazon EC2 instances, controlling both inbound
and outbound traffic at the instance level
* Network access control lists (ACLs) - Act as a firewall for associated subnets, controlling both
inbound and outbound traffic at the subnet level
* Flow logs - Capture information about the IP traffic going to and from network interfaces in your
VPC
When you launch an instance in a VPC, you can associate one or more security groups that you've
created. Each instance in your VPC could belong to a different set of security groups. If you don't
specify a security group when you launch an instance, the instance automatically belongs to the
default security group for the VPC. For more information about security groups, see Security Groups
for Your VPC. You can secure your VPC instances using only security groups; however, you can add
network ACLs as a second layer of defense. For more information about network ACLs, see Network ACLs.
You can monitor the accepted and rejected IP traffic going to and from your instances by creating a
flow log for a VPC, subnet, or individual network interface. Flow log data is published to CloudWatch
Logs, and can help you diagnose overly restrictive or overly permissive security group and network
ACL rules. For more information, see VPC Flow Logs.
You can use AWS Identity and Access Management to control who in your organization has
permission to create and manage security groups, network ACLs and flow logs. For example, you can
give only your network administrators that permission, but not personnel who only need to launch
instances. For more information, see Controlling Access to Amazon VPC Resources.
Amazon security groups and network ACLs don't filter traffic to or from link-local addresses
(169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the
subnet (including the Amazon DNS server address for the VPC). Similarly, flow logs do not capture IP
traffic to or from these addresses.
These addresses support the services: Domain Name Services (DNS), Dynamic Host Configuration
Protocol (DHCP), Amazon EC2 instance metadata, Key Management Server (KMS-license
management for Windows instances), and routing in the subnet. You can implement additional
firewall solutions in your instances to block network communication with link-local addresses.
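As an added example for the flow log explanation above (not part of this exam dump or of AWS's own tooling), the script below parses default-format VPC Flow Log records and counts the flows that a security group or network ACL rejected per instance network interface, which is the evidence the NO.24 security team is asking for. The log lines, account id and ENI ids are constructed placeholders.

```python
"""Summarise VPC Flow Log records to review network access attempts per instance ENI.

Added example for the NO.24 explanation; not part of the exam dump or of AWS's
own tooling. The log lines are constructed samples; the account id and ENI ids
are placeholders. Each line follows the default version-2 record layout that VPC
Flow Logs publish to CloudWatch Logs.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Field order of the default (version 2) flow log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records: two SSH probes rejected on one ENI, an accepted
# HTTPS request, a rejected RDP probe on a second ENI, and a NODATA interval.
SAMPLE_LOG = """\
2 111111111111 eni-aaaaaaaa 198.51.100.7 10.0.1.25 51000 22 6 1 44 1418530010 1418530070 REJECT OK
2 111111111111 eni-aaaaaaaa 198.51.100.7 10.0.1.25 51001 22 6 1 44 1418530070 1418530130 REJECT OK
2 111111111111 eni-aaaaaaaa 203.0.113.9 10.0.1.25 40022 443 6 12 6400 1418530010 1418530070 ACCEPT OK
2 111111111111 eni-bbbbbbbb 198.51.100.7 10.0.2.40 51002 3389 6 1 44 1418530010 1418530070 REJECT OK
2 111111111111 eni-bbbbbbbb - - - - - - - 1418530070 1418530130 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str
    log_status: str


def _num(value: str) -> int:
    """NODATA/SKIPDATA records carry '-' in the traffic fields; treat those as 0."""
    return 0 if value == "-" else int(value)


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one default-format flow log line; return None if the layout is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] != "2":
        return None
    rec = dict(zip(FIELDS, parts))
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=_num(rec["srcport"]),
        dstport=_num(rec["dstport"]),
        protocol=_num(rec["protocol"]),
        packets=_num(rec["packets"]),
        byte_count=_num(rec["bytes"]),
        action=rec["action"],
        log_status=rec["log_status"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    """Parse all well-formed lines, skipping blank and malformed ones."""
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def rejected_attempts(records: Iterable[FlowRecord]) -> Dict[str, Counter]:
    """Count REJECT flows per ENI, keyed by (source address, destination port).

    Only records with log_status OK describe traffic; NODATA and SKIPDATA
    intervals describe the logging itself and are ignored. A REJECT means a
    security group or network ACL blocked the flow.
    """
    per_eni: Dict[str, Counter] = defaultdict(Counter)
    for rec in records:
        if rec.log_status == "OK" and rec.action == "REJECT":
            per_eni[rec.interface_id][(rec.srcaddr, rec.dstport)] += 1
    return dict(per_eni)


def noisy_sources(records: Iterable[FlowRecord], threshold: int = 2) -> List[Tuple[str, int]]:
    """Sources whose total REJECT count across all ENIs reaches the threshold."""
    totals: Counter = Counter()
    for rec in records:
        if rec.log_status == "OK" and rec.action == "REJECT":
            totals[rec.srcaddr] += 1
    return sorted((src, n) for src, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for eni, counts in rejected_attempts(recs).items():
        for (src, port), n in sorted(counts.items()):
            print(f"{eni}: {n} rejected flow(s) from {src} to port {port}")
    print("repeat offenders:", noisy_sources(recs))
```

Traffic to the link-local and AWS-reserved addresses mentioned above never appears in these records, so absence of such flows is expected rather than a sign of a gap in the log.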

NO.25 A company collects click-stream data from Amazon EC2 instances that are in an Auto Scaling
group. The data feeds a centralized dashboard and is critical to the company's business. Which
method will help ensure data is collected before an Auto Scaling policy terminates an instance from
the Auto Scaling group?
A. Use Auto Scaling lifecycle hooks
B. Trigger Amazon S3 event notifications
C. Implement Amazon Kinesis as a log collector
D. Snapshot the Amazon EC2 instance Elastic Block Store volumes
Answer: A

NO.26 You are designing a scalable web application with stateless web servers. Which service or
feature is well suited to store user session information?
A. Amazon SQS
B. Amazon EC2 instance store
C. Amazon DynamoDB
D. Amazon EBS
Answer: B

NO.27 A company has a popular multi-player mobile game hosted in its on-premises datacenter. The
current infrastructure can no longer keep up with demand and the company is considering a move to
the cloud.
Which solution should a Solutions Architect recommend as the MOST scalable and cost-effective
solution to meet these needs?
A. Amazon EC2 and an Application Load Balancer
B. Amazon S3 and Amazon CloudFront
C. Amazon EC2 and Amazon Elastic Transcoder
D. AWS Lambda and Amazon API Gateway
Answer: A

NO.28 A customer has a public-facing web application hosted on a single Amazon Elastic Compute
Cloud (EC2) instance and serving videos directly from an Amazon Simple Storage Service bucket.
Which of the following will restrict third parties from directly accessing the video assets in the
bucket?
A. Use a bucket policy to only allow the public IP address of the Amazon EC2 instance hosting the
customer website
B. Use a bucket policy to only allow referrals from the main website URL
C. Launch the website Amazon EC2 instance using an IAM role that is authorized to access the videos
D. Restrict access to the bucket to the public CIDR range of the company locations
Answer: A

NO.29 Which of the following features ensures even distribution of traffic to Amazon EC2 instances
in multiple Availability Zones registered with a load balancer?
A. An Amazon Route 53 latency routing policy
B. Elastic Load Balancing request routing
C. An Amazon Route 53 weighted routing policy
D. Elastic Load Balancing cross-zone load balancing
Answer: D

NO.30 You are trying to use SSH to connect from your laptop to an Amazon EC2 instance over the
internet. You cannot establish a connection. What could be the problem?
A. The network ACL is set to deny all outbound TCP traffic to your laptop IP address
B. The IAM access key on your laptop does not have console access to the Amazon EC2 instance
C. There is no security group and no network ACL associated with the Amazon EC2 instance
D. The security group does not allow any outbound TCP traffic to your laptop IP address
Answer: D

NO.31 You have an Amazon EC2 instance that belongs to two security groups. The first security
group has a rule that allows ingress traffic to TCP port 80 from IP address 206.251.8.21 and the
second security group has a rule that allows ingress traffic to TCP ports 80 and 443 from everywhere.
Which traffic is allowed to the Amazon EC2 instance?
A. Only ingress traffic to TCP port 80 from everywhere
B. Only ingress traffic to TCP port 80 from 206.251.8.21
C. Only ingress traffic to TCP ports 80 and 443 from everywhere
D. Only ingress traffic to TCP ports 80 and 443 from 206.251.8.21
Answer: D

NO.32 You need a solution to distribute traffic across all the containers for a task running on
Amazon ECS. Your task definitions define dynamic host port mapping for your containers.
What AWS feature provides this functionality?
A. CloudFront custom origins support dynamic host port mapping
B. All Elastic Load Balancing instances support dynamic host port mapping
C. Classic Load Balancers support dynamic host port mapping
D. Application Load Balancers support dynamic host port mapping
Answer: D

NO.33 You are running a web application with four Amazon EC2 instances across two Availability
Zones. The instances are in an Auto Scaling group behind an ELB Classic Load Balancer. A scaling
event adds one instance to the group. After the event, you notice that, although all instances are
serving traffic, some instances are serving more traffic than others.
Which of the following could be the problem?
A. Sticky sessions are not enabled on the ELB Classic Load Balancer
B. A SSL/TLS certificate has not been deployed on the ELB Classic Load Balancer
C. Cross-zone load balancing is not configured on the ELB Classic Load Balancer
D. Access logs are not enabled on the ELB Classic Load Balancer
Answer: C

NO.34 You are working with a customer who is using Chef configuration management in their data
center. Which service is designed to let the customer leverage existing Chef recipes in AWS?
A. AWS CloudFormation
B. AWS OpsWorks
C. AWS Elastic Beanstalk

D. Amazon Simple Workflow Service
Answer: B

NO.35 A client application requires operating system privileges on a relational database server.
What is an appropriate configuration for a highly available database architecture?
A. A standalone Amazon EC2 instance
B. Amazon RDS in a Multi-AZ configuration
C. Amazon EC2 instances in a replication configuration utilizing a single Availability Zone
D. Amazon EC2 instances in a replication configuration utilizing two different Availability Zones
Answer: D
Explanation
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html

NO.36 A company has a workflow that uploads video files from their data center to AWS for
transcoding. They use Amazon EC2 worker instances that pull transcoding jobs from SQS.
Why is SQS an appropriate service for this scenario?
A. SQS decouples the transcoding task from the upload.
B. SQS can accommodate message payloads of any size.
C. SQS checks the health of the worker instances.
D. SQS synchronously provides transcoding output.
Answer: C

NO.37 A Solutions Architect is designing a solution for a media company that will stream large
amounts of data from an Amazon EC2 instance. The data streams are typically large and sequential,
and must be able to support up to 500 MB/s.
Which storage type will meet the performance requirements of this application?
A. EBS Provisioned IOPS SSD
B. EBS General Purpose SSD
C. EBS Cold HDD
D. EBS Throughput Optimized HDD
Answer: D

NO.38 A retail company has sensors placed in its physical retail stores. The sensors send messages
over HTTP when customers interact with in-store product displays. A Solutions Architect needs to
implement a system for processing those sensor messages; the results must be available for the Data
Analysis team.
Which architecture should be used to meet these requirements?
A. Implement an Amazon API Gateway to serve as the HTTP endpoint. Have the API Gateway trigger
an AWS Lambda function to process the messages, and save the results to an Amazon DynamoDB
table.
B. Create an Amazon EC2 instance to serve as the HTTP endpoint and to process the messages. Save
the results to Amazon S3 for the Data Analysis team to download.
C. Use Amazon Route 53 to direct incoming sensor messages to a Lambda function to process the
message and save the results to an Amazon DynamoDB table.

D. Use AWS Direct Connect to connect sensors to DynamoDB so that data can be written directly to a
DynamoDB table where it can be accessed by the Data Analysis team.
Answer: A

NO.39 In order to optimize performance for a compute cluster that requires low internode latency,
which of the following features should you use?
A. EC2 dedicated instances
B. Placement Groups
C. Multiple Availability Zones
D. VPC private subnets
E. AWS Direct Connect
Answer: B

NO.40 The Trusted Advisor service provides insight regarding which four categories of an AWS
account?
A. Security, fault tolerance, high availability, and connectivity
B. Security, access control, high availability, and performance
C. Performance, cost optimization, security, and fault tolerance
D. Performance, cost optimization, access control, and connectivity
Answer: C

NO.41 A manufacturing company captures data from machines running at customer sites. Currently,
thousands of machines send data every 5 minutes, and this is expected to grow to hundreds of
thousands of machines in the near future. The data is logged with the intent to be analyzed in the
future as needed.
What is the SIMPLEST method to store this streaming data at scale?
A. Create an Amazon Kinesis Firehose delivery stream to store the data in Amazon S3.
B. Create an Auto Scaling group of Amazon EC2 servers behind ELBs to write the data into Amazon
RDS.
C. Create an Amazon SQS queue, and have the machines write to the queue.
D. Create an Amazon EC2 server farm behind an ELB to store the data in Amazon EBS Cold HDD
volumes.
Answer: B

NO.42 A company hosts a website on premises. The website has a mix of static and dynamic
content, but users experience latency when loading static files. Which AWS service can help reduce
latency?
A. Amazon CloudFront with on-premises servers as the origin
B. ELB Application Load Balancer
C. Amazon Route 53 latency-based routing
D. Amazon EFS to store and serve static files
Answer: A

NO.43 A company has an application that uses Amazon CloudFront for content that is hosted on an
Amazon S3 bucket. After an unexpected refresh, the users are still seeing old content. Which step
should the Solutions Architect take to ensure that new content is displayed?
A. Perform a cache refresh on the CloudFront distribution that is serving the content
B. Perform an invalidation on the CloudFront distribution that is serving the content
C. Create a new cache behavior path with the updated content
D. Change the TTL value for removing the old objects.
Answer: D

NO.44 You have a web application running on six Amazon EC2 instances, consuming about 45% of
resources on each instance. You are using auto-scaling to make sure that six instances are running at
all times. The number of requests this. Which of the following architectural choices should you make?
A. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon
Elastic Load Balancer
B. Deploy 3 EC2 instances In one region and 3 other region and use Amazon Elastic Load Balancer
C. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer
D. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer
Answer: A

NO.45 You're building an API backend available at services.yourcompany.com. The API is
implemented with API Gateway and Lambda. You successfully tested the API using curl. You
implemented JavaScript to call the API from a webpage on your corporate website,
www.yourcompany.com. When you access that page in your browser, you get the following error:
"The same origin policy disallows reading the remote resource"
How can you allow your corporate webpages to invoke the API?
A. Enable CORS in the API Gateway
B. Enable CORS in the JavaScript frontend
C. Disable CORS in the JavaScript frontend
D. Disable CORS in the API Gateway
Answer: A

NO.46 A bank is writing new software that is heavily dependent upon database transactions for
write consistency. The application will also occasionally generate reports on data in the database,
and will do joins across multiple tables. The database must automatically scale as the amount of data
grows.
Which AWS service should be used to run the database?
A. Amazon S3
B. Amazon Aurora
C. Amazon DynamoDB
D. Amazon Redshift
Answer: C

NO.47 Which of the following are valid statements about Amazon S3? Choose 2 answers
A. S3 provides read-after-write consistency for any type of PUT or DELETE.
B. Consistency is not guaranteed for any type of PUT or DELETE.
C. A successful response to a PUT request only occurs when a complete object is saved.
D. Partially saved objects are immediately readable with a GET after an overwrite PUT.
E. S3 provides eventual consistency for overwrite PUTs and DELETEs.
Answer: C E

NO.48 A Solutions Architect is designing a mobile application that will capture receipt images to
track expenses. The Architect wants to store the images on Amazon S3. However, uploading images
through the web server will create too much traffic. What is the MOST efficient method to store
images from a mobile application on Amazon S3?
A. Upload directly to S3 using a pre-signed URL
B. Upload to a second bucket, and have a Lambda event copy the image to the primary bucket
C. Upload to a separate Auto Scaling group of servers behind an ELB Classic Load Balancer, and have
them write to the Amazon S3 bucket
D. Expand the web server fleet with Spot Instances to provide the resources to handle the images
Answer: A

NO.49 Your existing web application requires a persistent key-value store database that must service
50,000 reads/second. Your company is looking at 10% growth in traffic and data volume month over
month for the next several years. Which service meets these requirements?
A. Amazon RDS
B. Amazon SQS
C. Amazon Redshift
D. Amazon DynamoDB
Answer: D

NO.50 Which of the following does AWS own under the shared security responsibility model?
Choose 3 answers
A. Patching of Amazon Elastic Compute Cloud hypervisors
B. Decommissioning storage devices at end of life
C. Encryption of traffic within a virtual private cloud
D. Physical security of AWS data centers and facilities
E. Logical security of customer SSH private key material
F. Access control within a virtual private cloud
Answer: A B D

NO.51 You are deploying an application to track GPS coordinates of delivery trucks in the United
States. Coordinates are transmitted from each delivery truck once every three seconds. You need to
design an architecture that will enable real-time processing of these coordinates from multiple
consumers. Which service should you use to implement data ingestion?
A. Amazon Kinesis
B. Amazon Simple Queue Service
C. Amazon AppStream
D. AWS Data Pipeline
Answer: A

NO.52 A Solutions Architect needs a storage solution for a fleet of Linux web application servers. The
solution should provide file system interface and be able to support millions of files. Which AWS
service should the Architect choose?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS
D. Amazon ElastiCache
Answer: D

NO.53 A Solutions Architect needs to convert potential single points of failure to a highly-available
configuration.
The current architecture contains Amazon EC2 instances with databases running in one Availability
Zone.
Web-tier resources have not been given public addresses, but still require Internet access.
Which solution should the Architect use to maintain high availability?
A. Use ELB Classic Load Balancer with the web user. Deploy EC2 instances in two Availability Zones
and enable Multi-AZ RDS. Deploy a NAT gateway in one Availability Zone.
B. Use ELB Classic Load Balancer with the web tier. Deploy EC2 instances in two Availability Zones
and enable Multi-AZ RDS. Deploy NAT gateways in both Availability Zones
C. Use ELB Classic Load Balancer with the database tier. Deploy Amazon EC2 instances in two
Availability Zones and enable Multi-AZ RDS. Deploy NAT gateways in both Availability Zones
D. Use ELB Classic Load Balancer with the database tier. Deploy Amazon EC2 instances in two
Availability Zones and enable Multi-AZ RDS. Deploy a NAT gateway in one Availability Zone
Answer: B
Explanation
Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and
operates at both the request level and connection level. Classic Load Balancer is intended for
applications that were built within the EC2-Classic network. We recommend Application Load
Balancer for Layer 7 and Network Load Balancer for Layer 4 when using Virtual Private Cloud (VPC).

NO.54 Which of the following services natively encrypts data at rest within an AWS region? Choose 2
answers
A. Amazon DynamoDB
B. Amazon CloudFront
C. Amazon Simple Queue Service
D. Amazon Glacier
E. AWS storage Gateway
Answer: D E

NO.55 A popular e-commerce application runs on AWS. The application encounters performance
issues. The database is unable to handle the amount of queries and load during peak times. The
database is running on the RDS Aurora engine on the largest instance size available.
What should an administrator do to improve performance?
A. Convert the database to Amazon Redshift.
B. Create a CloudFront distribution.
C. Convert the database to use EBS Provisioned IOPS.
D. Create one or more read replicas.
Answer: C

NO.56 A Solution Architect is trying to bring a data warehouse workload to an Amazon EC2 instance.
The data will reside in Amazon EBS volumes and full table scans will be executed frequently. What
type of Amazon AWS EBS volume would be most suitable in this scenario?
A. Throughput Optimized HDD (st1)
B. Provisioned IOPS SSD (io1)
C. General Purpose SSD (gp2)
D. Cold HDD (sc1)
Answer: C

NO.57 A company wants to migrate a highly transactional database to AWS. Requirements state that
the database has more than 6 TB of data and will grow exponentially.
Which solution should a Solutions Architect recommend?
A. Amazon Aurora
B. Amazon Redshift
C. Amazon DynamoDB
D. Amazon RDS MySQL
Answer: A

NO.58 How can an EBS volume that is currently attached to an EC2 instance be migrated from one
Availability Zone to another?
A. Detach the volume and attach it to another EC2 instance in the other AZ
B. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ
C. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ
D. Simply create a new volume in the other AZ and specify the original volume as the source
Answer: B

NO.59 Your company has set up an application in eu-west-1 with a disaster recovery site in eu-
central-1. You want to be notified of any AWS API activity in regions other than these two.
How can you monitor AWS API activity in other regions?
A. Create a CloudWatch alarm for CloudTrail events
B. Create a CloudWatch alarm for SSH key usage
C. Create a CloudWatch alarm for Trusted Advisor
D. Create a CloudWatch alarm for VPC flow logs
Answer: A
NO.60 You are building a solution for a customer to extend their on-premises data centre to AWS.
The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS
product or feature satisfies this requirement?
A. Amazon VPC peering
B. Elastic IP Addresses
C. Amazon VPC virtual private gateway
D. AWS Direct Connect
Answer: D

NO.61 A Solutions Architect is creating a new relational database. The Compliance team will use the
database and mandates that data content must be stored across three different Availability Zones.
Which of the following options should the Architect use?
A. Amazon Aurora
B. Amazon RDS MySQL with Multi-AZ enabled
C. Amazon DynamoDB
D. Amazon ElastiCache
Answer: B

NO.62 Which AWS services are valid origins for an Amazon CloudFront distribution? Choose 2
answers
A. Amazon DynamoDB
B. Amazon S3
C. Amazon Glacier
D. ELB Classic Load Balancer
E. Amazon RDS
Answer: B D

NO.63 A Solutions Architect is building an application on AWS that will require 20,000 IOPS on a
particular volume to support a media event. Once the event ends, the IOPS need is no longer
required. The marketing team asks the Architect to build the platform to optimize storage without
incurring downtime.
How should the Architect design the platform to meet these requirements?
A. Change the Amazon EC2 instance types.
B. Change the EBS volume type to Provisioned IOPS.
C. Stop the Amazon EC2 instance and provision IOPS for the EBS volume.
D. Enable an API Gateway to change the endpoints for the Amazon EC2 instances.
Answer: B

NO.64 Which security functions are based on AWS STS? Choose 2 answers
A. Adding conditions to managed policies
B. Using Web federated identity to authenticate users
C. Using IAM roles with Amazon EC2 instances
D. Assigning managed policies to IAM groups
E. Using access keys to authenticate IAM users
Answer: B E

NO.65 A Solutions Architect is designing a VPC. Instances in a private subnet must be able to
establish IPv6 traffic to the Internet. The design must scale automatically and not incur any additional
cost. This can be accomplished with:
A. an egress-only internet gateway
B. a NAT gateway
C. a custom NAT instance
D. a VPC endpoint
Answer: A

NO.66 An organization hosts 10 microservices, each in an Auto Scaling group behind individual
Classic Load Balancers. Each EC2 instance is running at optimal load.
Which of the following actions would allow the organization to reduce costs without impacting
performance?
A. Reduce the number of EC2 instances behind each Classic Load Balancer
B. Change instance types in the Auto Scaling group launch configuration.
C. Change the maximum size but leave the desired capacity of the Auto Scaling groups
D. Replace the Classic Load Balancers with a single Application Load Balancer
Answer: B

NO.67 If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance
a predetermined private IP address, you should:
A. Assign a group of sequential Elastic IP address to the instances
B. Use standard EC2 instances since each instance gets a private Domain Name Service already
C. Launch the instances in the Amazon Virtual Cloud (VPC)
D. Launch the instances in a placement Group
E. Launch the instances from a private Amazon Machine Image (AMI)
Answer: C

NO.68 A Solutions Architect is about to deploy an API on multiple EC2 instances in an Auto Scaling
group behind an ELB. The support team has the following operational requirements:
1. They get an alert when the requests per second go over 50,000
2. They get an alert when latency goes over 5 seconds
3. They can validate how many times a day users call the API requesting highly-sensitive data
Which combination of steps does the Architect need to take to satisfy these operational requirements?
(Select TWO.)
A. Ensure that CloudTrail is enabled
B. Create a custom CloudWatch metric to monitor the API for data access
C. Configure CloudWatch alarms for any metrics the support team requires
D. Ensure that detailed monitoring for the EC2 instances is enabled
E. Create an application to export and save CloudWatch metrics for longer term trending analysis
Answer: B D

NO.69 A customer needs to deploy a NoSQL-based datastore to Amazon EC2 instances. The NoSQL
software has native replication for durability of the data store. Which of the following storage
options is the most cost-effective and performs best for the data store?
A. Amazon EBS Magnetic volumes
B. Amazon EBS provisioned IOPS volumes
C. Amazon EBS general purpose SSD volumes
D. SSD-based Amazon EC2 instance store volumes
Answer: B

NO.70 An organization runs an online voting system for a television program. During broadcasts,
hundreds of thousands of votes are submitted within minutes and sent to a front-end fleet of auto-
scaled Amazon EC2 instances. The EC2 instances push the votes to an RDBMS database. The database
is unable to keep up with the front-end connection requests.
What is the MOST efficient and cost-effective way of ensuring that votes are processed in a timely
manner?
A. Each front-end node should send votes to an Amazon SQS queue. Provision worker instances to
read the SQS queues and process the message information into the RDBMS database
B. As the load on the database increases, horizontally-scale the RDBMS database with additional
memory-optimized instances. When voting has ended, scale down the additional instances
C. Re-provision the RDBMS database with larger, memory-optimized instances. When voting ends,
re-provision the back-end database with similar instances
D. Send votes from each front-end node to Amazon DynamoDB. Provision worker instances to
process the votes in DynamoDB into the RDBMS database
Answer: A

NO.71 A Solutions Architect is developing a solution for sharing files in an organization. The solution
must allow multiple users to access the storage service at once from different virtual machines and
scale automatically. It must also support file-level locking.
Which storage service meets the requirements of this use case?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS
D. Cached Volumes
Answer: B

NO.72 Which of the following statements are true about Amazon Route 53 resource records?
Choose 2 answers
A. An Alias record can map one DNS name to another Amazon Route 53 DNS name.
B. A CNAME record can be created for your zone apex.
C. An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
D. TTL can be set for an Alias record in Amazon Route 53.
E. An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
Answer: A C
Explanation
https://aws.amazon.com/route53/faqs/
Amazon Route 53 offers 'Alias' records (an Amazon Route 53-specific virtual record). Alias records are
used to map resource record sets in your hosted zone to Amazon Elastic Load Balancing load
balancers, Amazon CloudFront distributions, AWS Elastic Beanstalk environments, or Amazon S3
buckets that are configured as websites.
Alias records work like a CNAME record in that you can map one DNS name (example.com) to another
'target' DNS name (elb1234.elb.amazonaws.com).
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html
A CNAME record can point to any DNS record hosted anywhere, including to the resource record set
that Amazon Route 53 automatically creates when you create a policy record.

NO.73 A company is using AWS Key Management Service (AWS KMS) to secure their Amazon RDS
databases. An auditor has recommended that the company log all use of their AWS KMS keys.
What is the SIMPLEST solution?
A. Associate AWS KMS metrics with Amazon CloudWatch
B. Use AWS CloudTrail to log AWS KMS key usage.
C. Deploy a monitoring agent on the RDS instances
D. Poll AWS KMS periodically with a scheduled job
Answer: B

NO.74 A Solutions Architect needs to design an Amazon EC2 cluster to analyze data that is currently
stored in Amazon S3. A key requirement is to utilize the fastest storage service available when
analyzing the data locally on the Amazon EC2 instance.
Which of the following storage types should the Architect choose to meet the requirement?
A. AWS Storage Gateway
B. Amazon EBS using Provisioned IOPS (PIOPS)
C. Amazon EC2 instance (ephemeral) Store
D. Amazon Glacier
Answer: B

NO.75 You manually launch a NAT AMI in a public subnet. The network is properly configured.
Security groups and network access control lists are properly configured. Instances in a private
subnet can access the NAT. The NAT can access the internet. However, private instances cannot
access the internet. What additional step is required to allow access from the private instances?
A. Enable Source/Destination check on the private instances
B. Enable Source/Destination check on the NAT instance
C. Disable Source/Destination check on the private instance
D. Disable Source/Destination check on the NAT instance
Answer: D
NO.76 Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS)
volumes? Choose 2 answers
A. Snapshots are automatically encrypted
B. Existing volumes can be encrypted
C. Supported on all Amazon EBS volume types
D. Available to all instances types
E. Shared volumes can be encrypted
Answer: A C

NO.77 A customer needs to capture all client connection information from their load balancer every
five minutes. The company wants to use this data for analyzing traffic patterns and troubleshooting
their applications. Which of the following options meets the customer requirements?
A. Enable access logs on the load balancer
B. Enable Amazon CloudWatch metrics on the load balancer
C. Enable AWS CloudTrail for the load balancer
D. Install the Amazon CloudWatch logs agent on the load balancer
Answer: A

NO.78 Which of the following approaches help improve the availability of an application on AWS?
Choose 2 answers
A. Using multiple Availability zones
B. Using placement groups
C. Using Amazon virtual private cloud
D. Using AutoScaling to replace lost capacity
E. Using the largest available instance type
Answer: A D

NO.79 A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is
not connected to their corporate network. They are connecting to the VPC.
Which of the following bastion deployment scenarios will meet this requirement?
A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in
the VPC
B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet, and allow SSH
access to the bastion from anywhere
C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP
access to the bastion from only the corporate public IP addresses
D. Deploy a Windows Bastion host with an auto-assigned Public subnet, and allow RDP access to the
bastion from only the corporate public IP addresses
Answer: D

NO.80 On a single EC2 instance, which configuration provides the highest IOPS performance?
A. Using an EBS-optimized instance using provisioned IOPS volumes
B. Striping across several EBS volumes using standard EBS volumes
C. Using a High I/O instance using local instance storage volumes
D. Striping across several EBS volumes using provisioned IOPS volumes
Answer: A

NO.81 A Solutions Architect is designing a photo application on AWS. Every time a user uploads a
photo to Amazon S3, the Architect must insert a new item to a DynamoDB table.
Which AWS-managed service is the BEST fit to insert the item?
A. Lambda@Edge
B. AWS Lambda
C. Amazon API Gateway
D. Amazon EC2 instances
Answer: B

NO.82 A Solutions Architect needs to design an architecture for a new, mission-critical batch
processing billing application. The application is required to run Monday, Wednesday, and Friday
from 5 AM to 11 AM. Which is the MOST cost-effective Amazon EC2 pricing model?
A. Amazon EC2 Spot Instances
B. On-Demand Amazon EC2 Instances
C. Scheduled Reserved instances
D. Dedicated Amazon EC2 Instances
Answer: A

NO.83 One company wants to share the contents of their Amazon S3 bucket with another company.
Security requirements mandate that only the other company's AWS accounts have access to the
contents of the Amazon S3 bucket.
Which Amazon S3 feature will allow secure access to the Amazon S3 bucket?
A. Bucket policy
B. Object tagging
C. CORS configuration
D. Lifecycle policy
Answer: C
Explanation
Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one
domain to interact with resources in a different domain. With CORS support, you can build rich client-
side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3
resources.
This section provides an overview of CORS. The subtopics describe how you can enable CORS using
the Amazon S3 console, or programmatically by using the Amazon S3 REST API and the AWS SDKs.

NO.84 You've been tasked with choosing a datastore to persist GPS coordinates for a new app. The
service needs consistent, single-digit-millisecond latency at any scale. Which AWS service meets your
requirements?
A. Amazon S3
B. Amazon Redshift
C. Amazon RDS
D. Amazon DynamoDB
Answer: D
Explanation
Amazon DynamoDB is a fast and flexible NoSQL database service for all applications that need
consistent, single-digit millisecond latency at any scale. It is a fully managed cloud database and
supports both document and key-value store models. Its flexible data model, reliable performance,
and automatic scaling of throughput capacity, makes it a great fit for mobile, web, gaming, ad tech,
IoT, and many other applications. Start today by downloading the local version of DynamoDB, then
read our Getting Started Guide.

NO.85 A company hosts a popular web application. The web application connects to a database
running in a private VPC subnet. The web servers must be accessible only to customers on an SSL
connection. The RDS MySQL database server must be accessible only from the web servers.
How should the Architect design a solution to meet the requirements without impacting running
applications?
A. Create a network ACL on the web server's subnet, and allow HTTPS inbound and MySQL
outbound. Place both database and web servers on the same subnet.
B. Open an HTTPS port on the security group for web servers and set the source to 0.0.0.0/0. Open
the MySQL port on the database security group and attach it to the MySQL instance. Set the source
to Web Server Security Group.
C. Create a network ACL on the web server's subnet, and allow HTTPS inbound, and specify the
source as 0.0.0.0/0. Create a network ACL on a database subnet, allow MySQL port inbound for web
servers, and deny all outbound traffic.
D. Open the MySQL port on the security group for web servers and set the source to 0.0.0.0/0. Open
the HTTPS port on the database security group and attach it to the MySQL instance. Set the source to
Web Server Security Group.
Answer: D

NO.86 You are deploying an application to collect votes for a very popular television show. Millions
of users will submit votes using mobile devices. The votes must be collected into a durable, scalable,
and highly available data store for real-time public tabulation. Which service should you use?
A. Amazon DynamoDB
B. Amazon Redshift
C. Amazon Kinesis
D. Amazon Simple Queue Service
Answer: C

NO.87 A workload consists of downloading an image from an Amazon S3 bucket, processing the
image, and moving to another Amazon S3 bucket. An Amazon EC2 instance runs a scheduled task
every hour to perform the operation.
How should a Solutions Architect redesign the process so that it is highly available?
A. Change the Amazon EC2 instance to compute optimized
B. Launch a second Amazon EC2 instance to monitor the health of the first
C. Trigger a Lambda function when a new object is uploaded
D. Install copy the images to an attached Amazon EBS volume
Answer: C

NO.88 A Solutions Architect is designing a solution that retains traffic information between network
interfaces. The traffic information will then be monitored for anomalies by an InfoSec team using
Amazon CloudWatch.
What approach should the Architect take?
A. Save all inbound requests to Amazon DynamoDB
B. Maintain traffic history on each Amazon EC2 instance
C. Enable Amazon VPC Flow Logs
D. Save all inbound requests to Amazon S3
Answer: C

NO.89 Your Amazon EC2 instances must access the AWS API, so you created a NAT gateway in an
existing subnet.
When you try to access the AWS API, you are unsuccessful.
What could be preventing access?
A. The instances need an IAM role granting access to the NAT gateway
B. The NAT gateway subnet does not have a route to an Internet gateway
C. The NAT gateway does not have a route to the virtual private gateway
D. The instances are not in the same subnet as the NAT gateway
Answer: B

NO.90 Which aspects of Amazon EC2 security are the responsibility of AWS? Choose 2 answers
A. Virtualization Infrastructure
B. Physical security of hardware
C. Guest operating systems
D. Application authentication
E. VPC and security group configuration
Answer: B C
Explanation
AWS Security Responsibilities
* AWS is responsible for protecting the global infrastructure that runs all of the services offered in
the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities
that run AWS services.
* AWS provides several reports from third-party auditors who have verified their compliance with a
variety of computer security standards and regulations
* AWS is responsible for the security configuration of its products that are considered managed
services, e.g., RDS, DynamoDB
* For Managed Services, AWS will handle basic security tasks like guest operating system (OS) and
database patching, firewall configuration, and disaster recovery.
NO.91 If you want to set up a web server on EC2 with multiple virtual hosts using distinct SSL
certificates, you need to:
A. Use an S3 bucket with server side encryption
B. Run your Apache EC2 instance in VPC
C. Create one Amazon Elastic Load Balancer with SSL termination
D. Upload your SSL server certificate to AWS Identity and Access Management
Answer: C

NO.92 A workload in an Amazon VPC consists of a single web server launched from a custom AMI.
Session state is stored in a database. How should the Solutions Architect modify this workload to be
both highly available and scalable?
A. Create a launch configuration with a desired capacity of two web servers across multiple
Availability Zones. Create an Auto Scaling group with the AMI ID of the web server image. Use
Amazon Route 53 latency-based routing to balance traffic across the Auto Scaling group.
B. Create a launch configuration with the AMI ID of the web server image. Create an Auto Scaling
group using the newly-created launch configuration, and a desired capacity of two web servers across
multiple regions. Use an Application Load Balancer (ALB) to balance traffic across the Auto Scaling
group
C. Create a launch configuration with the AMI ID of the web server image. Create an Auto Scaling
group using the newly-created launch configuration, and a desired capacity of two web servers across
multiple Availability Zones. Use an ALB to balance traffic across the Auto Scaling group
D. Create a launch configuration with the AMI ID of the web server image. Create an Auto Scaling
group using the newly-created launch configuration, and a desired capacity of two web servers across
multiple Availability Zones. Use Route 53 weighted routing to balance traffic across the Auto Scaling
group
Answer: A

NO.93 If you're unable to connect via SSH to your EC2 instance, which of the following should you
check and possibly correct to restore connectivity?
A. Adjust security group to permit egress traffic over TCP port 443 from your IP
B. Modify the instance security group to allow ingress of ICMP packets from your IP
C. Apply the most recently released Operating System security patches
D. Configure the IAM role to permit changes to security group settings
E. Adjust the instance's Security Group to permit ingress traffic over port 22 from your IP
Answer: C

NO.94 Which services can invoke AWS Lambda functions? Choose 2 answers
A. Amazon SNS
B. Amazon Route 53
C. Amazon Redshift
D. Amazon DynamoDB
E. Elastic Load Balancing
Answer: A D

NO.95 An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH
from any IP address and deny all outbound traffic. What changes need to be made to allow SSH
access to the instance?
A. The outbound security group needs to be modified to allow outbound traffic.
B. The outbound network ACL needs to be modified to allow outbound traffic.
C. Nothing, it can be accessed from any IP address using SSH.
D. Both the outbound security group and outbound network ACL need to be modified to allow
outbound traffic.
Answer: B
Explanation
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
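The point behind answer B is that a security group is stateful (the SSH reply is allowed out because the inbound connection was accepted) while a network ACL is stateless (the reply is checked against the outbound rules on its own). The following added example is not from the exam dump or from AWS; it is a small constructed model of the NO.95 scenario with assumed addresses (client 203.0.113.10, instance 10.0.1.25) that walks one SSH packet and its reply through both filters and shows which change actually restores access.

```python
# Added example (not from the exam dump): modelling the NO.95 scenario.
# Constructed addresses: client 203.0.113.10, EC2 instance 10.0.1.25.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def _cidr_match(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful filter: rules are allow-only, and a reply to a tracked flow is
    permitted in the opposite direction even when that direction has no rules."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (cidr, port); empty list == nothing allowed
        self.outbound = outbound
        self._flows = set()       # connection-tracking table

    @staticmethod
    def _allowed(rules, ip, port):
        return any(_cidr_match(cidr, ip) and port == p for cidr, p in rules)

    def inbound_ok(self, pkt: Packet) -> bool:
        if self._allowed(self.inbound, pkt.src, pkt.dport):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def outbound_ok(self, pkt: Packet) -> bool:
        # Reply packets of an accepted inbound flow bypass the outbound rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True
        return self._allowed(self.outbound, pkt.dst, pkt.dport)


class NetworkAcl:
    """Stateless filter: ordered rules per direction, implicit deny at the end,
    and no memory of earlier packets."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (cidr, low_port, high_port, "allow"|"deny")
        self.outbound = outbound

    @staticmethod
    def _evaluate(rules, ip, port):
        for cidr, lo, hi, action in rules:
            if _cidr_match(cidr, ip) and lo <= port <= hi:
                return action == "allow"
        return False              # implicit deny-all rule

    def inbound_ok(self, pkt: Packet) -> bool:
        return self._evaluate(self.inbound, pkt.src, pkt.dport)

    def outbound_ok(self, pkt: Packet) -> bool:
        return self._evaluate(self.outbound, pkt.dst, pkt.dport)


CLIENT, INSTANCE = "203.0.113.10", "10.0.1.25"   # constructed addresses
ANY = "0.0.0.0/0"


def ssh_session_succeeds(acl: NetworkAcl, sg: SecurityGroup) -> bool:
    """Walk the first SSH packet and the instance's reply through the subnet
    NACL and the instance's security group."""
    syn = Packet(CLIENT, INSTANCE, sport=49152, dport=22)      # client -> instance
    reply = Packet(INSTANCE, CLIENT, sport=22, dport=49152)    # instance -> client
    inbound = acl.inbound_ok(syn) and sg.inbound_ok(syn)
    outbound = sg.outbound_ok(reply) and acl.outbound_ok(reply)
    return inbound and outbound


def question_scenario() -> bool:
    """NACL allows all inbound and denies all outbound; SG allows SSH from
    anywhere with no outbound rules. The reply is dropped by the NACL."""
    acl = NetworkAcl(inbound=[(ANY, 0, 65535, "allow")], outbound=[])
    sg = SecurityGroup(inbound=[(ANY, 22)], outbound=[])
    return ssh_session_succeeds(acl, sg)


def fix_security_group_only() -> bool:
    """Option A: adding SG outbound rules changes nothing, because the SG
    already passes the reply of a tracked flow."""
    acl = NetworkAcl(inbound=[(ANY, 0, 65535, "allow")], outbound=[])
    sg = SecurityGroup(inbound=[(ANY, 22)], outbound=[(ANY, 49152)])
    return ssh_session_succeeds(acl, sg)


def fix_network_acl() -> bool:
    """Option B: allow outbound traffic to the ephemeral port range so the
    replies can leave the subnet."""
    acl = NetworkAcl(inbound=[(ANY, 0, 65535, "allow")],
                     outbound=[(ANY, 1024, 65535, "allow")])
    sg = SecurityGroup(inbound=[(ANY, 22)], outbound=[])
    return ssh_session_succeeds(acl, sg)
```

The model keeps the NACL outbound rule limited to the ephemeral port range rather than opening all outbound traffic, which is the usual least-privilege form of the fix.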

NO.96 What is a placement group?
A. A collection of Auto Scaling groups in the same region
B. A feature that enables EC2 instances to interact with each other via high bandwidth, low latency
connections
C. A collection of authorized CloudFront edge locations for a distribution
D. A collection of Elastic Load Balancers in the same Region or Availability Zone
Answer: B

NO.97 A company is launching an application that it expects to be very popular. The company needs
a database that can scale with the rest of the application. The schema will change frequently. The
application cannot afford any downtime for database changes.
Which AWS service allows the company to achieve these objectives?
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon RDS MySQL
D. Amazon Aurora
Answer: A

NO.98 You are migrating a MySQL database to Amazon RDS. You have allocated enough block
storage for the initial migration. You expect data storage requirements to grow slowly over time:
How can you expand the storage capacity of your Amazon RDS database instance in the future?
A. Allocate additional storage as needed. Plan for a brief database outage during the allocation.
B. Migrate the database to a larger instance type as needed. Plan for a period of reduced
performance during the migration
C. Migrate the database to a larger instance type as needed. Plan for a brief database outage during
the migration
D. Allocate additional storage as needed. Plan for a period of reduced performance during the
allocation
Answer: C
NO.99 An existing application stores sensitive information on a non-boot Amazon EBS data volume
attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would
protect the sensitive data on an Amazon EBS volume?
A. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS
volume Mount the Amazon EBS volume
B. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume.
Delete the old Amazon EBS volume
C. Unmount the EBS volume. Toggle the encryption attribute to True. Re-mount the Amazon EBS
volume
D. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS
CloudHSM. Re-mount the Amazon EBS volume
Answer: A

NO.100 A company needs to monitor the read and write IOPS metrics for their AWS MySQL RDS
instances and send real-time alerts to their operations team. Which AWS services can accomplish
this?
Choose 2 answers
A. Amazon Simple Email Service
B. Amazon CloudWatch
C. Amazon Simple Queue Service
D. Amazon Route 53
E. Amazon Simple Notification Service
Answer: B E

NO.101 Your application provides data transformation services. Files containing data to be
transformed are first uploaded to Amazon S3 and then transformed by a fleet of Spot EC2 instances.
Files submitted by your premium customers must be transformed with the highest priority. How
should you implement such a system?
A. Use two SQS queues. One for high priority messages, the other for default priority. Transformation
instances first poll the high priority queue; if there is no message, they poll the default priority queue.
B. Use Route 53 latency-based routing to send high priority tasks to the closest transformation instances.
C. Use a DynamoDB table with an attribute defining the priority level. Transformation instances will
scan the table for tasks, sorting results by priority level
D. Use a single SQS queue. Each message contains the priority level.
Transformation instances poll high-priority messages first
Answer: A

NO.102 A team has an application that detects new objects being uploaded into an Amazon S3
bucket.
The uploads trigger a Lambda function to write object metadata into an Amazon DynamoDB table
and RDS PostgreSQL database. Which action should the team take to ensure high availability?
A. Enable cross-region replication in the Amazon S3 bucket
B. Create a Lambda function for each Availability Zone the application is deployed in.
C. Enable multi-AZ on the RDS PostgreSQL database
D. Create a DynamoDB stream for the DynamoDB table
Answer: C
Explanation
Amazon S3, AWS Lambda and DynamoDB are already highly available across Availability Zones; the single-AZ RDS instance is the only component that is not. Multi-AZ adds a synchronous standby with automatic failover. A DynamoDB stream is a change log, not an availability feature.

NO.103 A Solutions Architect must design a solution that encrypts data in Amazon S3. Corporate
policy mandates that encryption keys be generated and managed on premises. Which solution should the
Architect use to meet the security requirements?
A. AWS CloudHSM
B. SSE-KMS: Server-side encryption with AWS KMS managed keys
C. SSE-S3: Server-side encryption with Amazon-managed master key
D. SSE-C: Server-side encryption with customer-provided encryption keys
Answer: D
Explanation
Protecting data using server-side encryption with customer-provided keys (SSE-C). SSE-S3 and SSE-KMS both use keys that are generated and stored inside AWS (in Amazon S3 and AWS KMS respectively), so neither meets a policy that requires the keys to be generated and managed on premises. AWS CloudHSM is a key store, not an S3 encryption option.
With SSE-C the client generates the 256-bit key itself and sends it over HTTPS with every PUT and GET. Amazon S3 uses the key to encrypt or decrypt the object for that request, stores only a randomly salted HMAC of the key to validate later requests, and does not retain the key. If the key is lost the object cannot be recovered, so on-premises key management must also cover backup and rotation of the keys.
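The SSE-C request described above, as an added example that is not part of this guide or of any AWS code: it builds the three headers Amazon S3 expects with a customer-provided key, the equivalent boto3 arguments, and the key/MD5 consistency check S3 performs before encrypting. The bucket and object names in the comments and the random key standing in for an on-premises key manager are assumptions.

```python
import base64
import hashlib
import os

# Added example, not code from the exam guide: build the headers Amazon S3 requires
# for SSE-C. The 256-bit key is generated and held on premises; S3 receives it over
# HTTPS with each request, uses it for that request only, stores a salted HMAC of
# it to validate later requests, and never keeps the key itself.

SSE_C_ALGORITHM = "AES256"  # the only algorithm SSE-C supports

ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def _check_key(key: bytes) -> None:
    if not isinstance(key, (bytes, bytearray)) or len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")


def sse_c_headers(key: bytes) -> dict:
    """Headers to send on PUT, GET, HEAD or COPY of an SSE-C object.

    The MD5 header lets S3 detect a corrupted key before it encrypts with it;
    the same three headers must accompany every later read of the object.
    """
    _check_key(key)
    return {
        ALG_HEADER: SSE_C_ALGORITHM,
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def verify_key_md5(headers: dict) -> bool:
    """Re-do the integrity check S3 performs: does the MD5 header match the key?"""
    try:
        key = base64.b64decode(headers[KEY_HEADER], validate=True)
        expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    except (KeyError, ValueError):
        return False
    return (len(key) == 32
            and headers.get(MD5_HEADER) == expected
            and headers.get(ALG_HEADER) == SSE_C_ALGORITHM)


def sse_c_boto3_args(key: bytes) -> dict:
    """The same request as boto3 keyword arguments (boto3 adds the MD5 header itself).

    Usage (bucket/key names assumed; needs credentials and network, so not run here):
        s3.put_object(Bucket="example-bucket", Key="report.csv", Body=data, **sse_c_boto3_args(key))
        s3.get_object(Bucket="example-bucket", Key="report.csv", **sse_c_boto3_args(key))
    """
    _check_key(key)
    return {"SSECustomerAlgorithm": SSE_C_ALGORITHM, "SSECustomerKey": bytes(key)}


if __name__ == "__main__":
    # Stand-in for a key fetched from the on-premises key manager (assumption).
    demo_key = os.urandom(32)
    for name, value in sse_c_headers(demo_key).items():
        print(f"{name}: {value}")
```

Because S3 never stores the key, a GET with a different key (or without the headers) fails with 400, not with decrypted data; the practical consequence is that the on-premises key store, not AWS, is the single point of failure for reading these objects.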

NO.104 A Solutions Architect is designing a microservices-based application using Amazon ECS. The
application includes a WebSocket component, and the traffic needs to be distributed between
microservices based on the URL.
Which service should the Architect choose to distribute the workload?
A. ELB Classic Load Balancer
B. Amazon Route 53 DNS
C. ELB Application Load Balancer
D. Amazon CloudFront
Answer: C

NO.105 You have an application running on an Amazon Elastic Compute Cloud instance, that
uploads 5 GB video objects to Amazon Simple Storage Service (S3). Video uploads are taking longer
than expected, resulting in poor application performance. Which method will help improve
performance of your application?
A. Enable enhanced networking
B. Use Amazon S3 multipart upload

C. Leveraging Amazon CloudFront, use the HTTP POST method to reduce latency.
D. Use Amazon Elastic Block Store Provisioned IOPS and use an Amazon EBS-optimized instance
Answer: B

NO.106 A customer owns a simple API for their website that receives about 1,000 requests each day
and has an average response time of 50 ms. It is currently hosted on one c4.large instance. Which
changes to the architecture will provide high availability at the LOWEST cost?
A. Create an Auto Scaling group with a minimum of one instance and a maximum of two instances
then use an Application Load Balancer to balance the traffic
B. Recreate the API using Amazon API Gateway and use AWS Lambda as the service backend
C. Create an Auto Scaling group with a minimum and a maximum of two instances, then use an
Application Load Balancer to balance the traffic.
D. Recreate the API using Amazon API Gateway and integrate the new API with the existing backend
service
Answer: B

NO.107 A Solutions Architect is designing a log-processing solution that requires storage that
supports up to 500 MB/s throughput. The data is sequentially accessed by an Amazon EC2 instance.
Which Amazon storage type satisfies these requirements?
A. EBS Provisioned IOPS SSD (io1)
B. EBS General Purpose SSD (gp2)
C. EBS Throughput Optimized HDD (st1)
D. EBS Cold HDD (sc1)
Answer: C

NO.108 An organization is currently hosting a large amount of frequently accessed data consisting of
key-value pairs and semi-structured documents in their data center. They are planning to move this
data to AWS.
Which one of the following services MOST effectively meets their needs?
A. Amazon Redshift
B. Amazon RDS
C. Amazon DynamoDB
D. Amazon Aurora
Answer: C

NO.109 You are working with a customer who is using Chef configuration management in their data
center. Which service is designed to let the customer leverage existing Chef recipes in AWS?
A. Amazon Simple Workflow Service
B. AWS Elastic Beanstalk
C. AWS CloudFormation
D. AWS OpsWorks
Answer: D
Reference: http://aws.amazon.com/opsworks/

NO.110 A Solutions Architect is designing an application that will encrypt all data in an Amazon
Redshift cluster. Which action will encrypt the data at rest?
A. Place the Redshift KMS Default Cluster in a private subnet
B. Use the AWS KMS Default Customer master key
C. Encrypt the Amazon EBS volumes
D. Encrypt the data using SSL/TLS
Answer: B
Explanation
Reference https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html

NO.111 Which technique can be used to integrate AWS IAM (Identity and Access Management) with
an on-premise LDAP (Lightweight Directory Access Protocol) directory service?
A. Use an IAM policy that references the LDAP account identifiers and the AWS credentials.
B. Use SAML (Security Assertion Markup Language) to enable single sign-on between AWS and LDAP.
C. Use AWS Security Token Service from an identity broker to issue short-lived AWS credentials.
D. Use IAM roles to automatically rotate the IAM credentials when LDAP credentials are updated.
E. Use the LDAP credentials to restrict a group of users from launching specific EC2 instance types.
Answer: C
Explanation
An on-premises LDAP directory is not itself a SAML identity provider. The documented pattern is an identity broker: it authenticates the user against LDAP, decides which role or permissions apply, and calls AWS STS (AssumeRole or GetFederationToken) to issue short-lived AWS credentials for that user. IAM policies cannot reference LDAP accounts (A), and IAM roles do not rotate anything in step with LDAP (D).

NO.112 A Solutions Architect is designing a solution with AWS Lambda where different environments
require different database passwords.
What should the Architect do to accomplish this in a secure and scalable way?
A. Create a Lambda function for each individual environment.
B. Use Amazon DynamoDB to store environmental variables.
C. Use encrypted AWS Lambda environmental variables.
D. Implement a dedicated Lambda function for distributing variables.
Answer: C

NO.113 You are using an m1.small EC2 instance with one 300GB EBS volume to host a relational
database. You determined that write throughput to the database needs to be increased. Which of
the following approaches can help achieve this? Choose 2 answers
A. Add an EBS volume and place into RAID 5
B. Use an array of EBS volumes
C. Place the instance in an Auto Scaling Group
D. Increase the size of the EC2 instance
E. Enable multi-AZ mode
F. Put the database behind an Elastic Load Balancer
Answer: B D

NO.114 Which set of Amazon S3 features helps to prevent and recover from accidental data loss?
A. Object lifecycle and service access logging
B. Object versioning and Multi-factor authentication
C. Access controls and server-side encryption

D. Website hosting and Amazon S3 policies
Answer: B

NO.115 How can you secure data at rest on an EBS volume?
A. Attach the volume to an instance using EC2's SSL interface.
B. Write the data randomly instead of sequentially.
C. Encrypt the volume using the S3 server-side encryption service.
D. Create an IAM policy that restricts read and write access to the volume.
E. Use an encrypted file system on top of the EBS volume.
Answer: E

NO.116 An on-premises workload consists of a single server with an Apache instance and a MySQL
database. The Solutions Architect plans to migrate the on-premises database to MySQL on Amazon RDS
using multiple Availability Zones. What solution ensures that the remaining workload will be highly
available?
A. Provision the workload in an Auto Scaling group, with a minimum of two servers. Use an Amazon
Route 53 DNS-weighted routing policy to direct traffic to healthy servers.
B. Provision the workload in an Auto Scaling group across Availability Zones, with a minimum of two
Amazon EC2 instances. Use an Application Load Balancer in front of the Auto Scaling group.
C. Provision at least two EC2 instances across two separate regions. Use an Application Load Balancer
to direct traffic between the instances.
D. Provision the workload in an Auto Scaling group across Availability Zones, with a minimum of two
servers. Use a Route 53 DNS simple routing policy to direct traffic to healthy servers.
Answer: B

NO.117 An organization designs a mobile application for their customers to upload photos to a site.
The application needs a secure login with MFA. The organization wants to limit the initial build time
and maintenance of the solution.
Which solution should a Solutions Architect recommend to meet the requirements?
A. Use Amazon Cognito Identity with SMS-based MFA
B. Edit AWS IAM policies to require MFA for all users.
C. Federate IAM against corporate AD that requires MFA.
D. Use Amazon API Gateway and require SSE for photos.
Answer: A

NO.118 You originally built a VPC for a two-tier application. The subnets for the web and data tiers
use all the IP address space in the VPC. Now you want to add subnets for an application tier.
How can you accommodate the new subnets in your VPC?
A. Change the CIDR block for the VPC to create enough free address space for the new subnets
B. Create the new subnets in the VPC; the VPC will automatically scale to accommodate the new
subnets
C. Build a new VPC that can accommodate all the subnets, and migrate the application to the new
VPC

D. Reduce the CIDR block ranges of the existing subnets to make room for the new subnets
Answer: A

NO.119 A customer is running two Amazon EC2 instances, Server1 and Server2, in different subnets
of the same VPC.
Server1 can ping Server2, but Server2 cannot ping Server1. What could explain this behavior? Choose
2 answers
A. The ingress rules for Server1's security group do not allow ICMP traffic
B. The ingress rules for Server2's security group do not allow ICMP traffic
C. The two servers are not located in the same Availability Zone
D. There is no route from Server2 to Server1 defined in the route table
E. The operating system firewall on Server1 is blocking traffic from Server2
Answer: A E

NO.120 You run an ad-supported photo sharing website using S3 to serve photos to visitors of your
site. At some point you find out that other sites have been linking to the photos on your site, causing
loss to your business. What is an effective method to mitigate this?
A. Use CloudFront distributions for static content
B. Store photos on an EBS volume of the web server
C. Block the IPs of the offending websites in Security Groups
D. Remove public read access and use signed URLs with expiry dates
Answer: D

NO.121 Which service should an organization use if it requires an easily managed and scalable
platform to host its web application running on Nginx?
A. AWS Lambda
B. Auto Scaling
C. AWS Elastic Beanstalk
D. Elastic Load Balancing
Answer: C

NO.122 You have a load balancer configured for VPC, and all backend Amazon EC2 instances are in
service.
However, your web browser times out when connecting to the load balancer's DNS name. Which
options are probable causes of this behaviour?
A. The load balancer was not configured to use a public subnet with an Internet gateway configured
B. The Amazon EC2 instances do not have a dynamically allocated private IP address
C. The security groups or network ACLs are not properly configured for web traffic
D. The load balancer is not configured in a private subnet with a NAT instance
E. The VPC does not have a VGW configured
Answer: A C

NO.123 A Solutions Architect has a multi-layer application running in Amazon VPC. The application
has an ELB Classic Load Balancer as the front end in a public subnet, and an Amazon EC2-based
reverse proxy that performs content-based routing to two backend Amazon EC2 instances hosted in a
private subnet. The Architect sees tremendous traffic growth and is concerned that the reverse proxy
and current backend setup will be insufficient.
Which actions should the Architect take to achieve a cost-effective solution that ensures the
application automatically scales to meet traffic demand? (Select TWO)
A. Replace the Amazon EC2 reverse proxy with an ELB internal Classic Load Balancer
B. Add Auto Scaling to the Amazon EC2 backend fleet
C. Add Auto Scaling to the Amazon EC2 reverse proxy layer
D. Use t2 burstable instance types for the backend fleet
E. Replace both the frontend and reverse proxy layers with an ELB Application Load Balancer
Answer: B E
Explanation
An Application Load Balancer performs content-based (host and path) routing itself, so it replaces both the Classic Load Balancer and the EC2 reverse-proxy layer and removes a fleet that would otherwise have to be scaled and patched (C). Auto Scaling on the backend fleet absorbs the traffic growth.

NO.124 You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances
running in your VPC.
Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH
access to the host. Which option will meet the customer requirement?
A. Security Group Inbound Rule: Protocol - TCP. Port Range - 22, Source 72.34.51.100/32
B. Security Group Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32
C. Network ACL Inbound Rule: Protocol - UDP, Port Range - 22, Source 72.34.51.100/32
D. Network ACL Inbound Rule: Protocol - TCP, Port Range-22, Source 72.34.51.100/0
Answer: A

NO.125 You are working with customer who has 10 TB of archival data that they want to migrate to
Amazon Glacier.
The customer has a 1Mbps connection to the Internet. Which service or feature provide the fastest
method of getting the data into Amazon Glacier?
A. Amazon Glacier multipart upload
B. AWS Storage Gateway
C. VM Import/Export
D. AWS Import/Export
Answer: D

NO.126 Which AWS service allows you to collect and process e-commerce data for near real-time
analysis?
A. Amazon Redshift
B. Amazon DynamoDB
C. Amazon Elastic MapReduce
D. Amazon ElastiCache
Answer: C

NO.127 You have a distributed application that periodically processes large volumes of data across
multiple Amazon EC2 Instances. The application is designed to recover gracefully from Amazon EC2
instance failures. You are required to accomplish this task in the most cost-effective way. Which of
the following will meet your requirements?

A. Spot Instances
B. Reserved instances
C. Dedicated instances
D. On-Demand instances
Answer: A

NO.128 A Solutions Architect is developing a new web application on AWS The Architect expects the
application to become very popular, so the application must scale to support the load. The Architect
wants to focus on software development and deploying new features without provisioning or
managing instances. Which solution is appropriate?
A. Amazon API Gateway and AWS Lambda
B. Elastic Load Balancing with Auto Scaling groups and Amazon EC2
C. Amazon API Gateway and Amazon EC2
D. Amazon CloudFront and AWS Lambda
Answer: A
Explanation
Amazon API Gateway with AWS Lambda requires no instances to provision or manage and scales with the request rate; every option that includes Amazon EC2 leaves instance management with the Architect.

NO.129 A website experiences unpredictable traffic. During peak traffic times, the database is
unable to keep up with the write requests.
Which AWS service will help decouple the web application from the database?
A. Amazon SQS
B. Amazon EFS
C. Amazon S3
D. AWS Lambda
Answer: A

NO.130 To meet compliance standards, a company must have encrypted archival data storage. Data
will be accessed infrequently, with lead time available in advance of when archived data must be
recovered. The company requires that the storage be secure, durable and provided at the lowest
price per 1 TB of data stored.
What type of storage should be used?
A. Amazon S3
B. Amazon EBS
C. Amazon Glacier
D. Amazon EFS
Answer: C

NO.131 A company is deploying a new two-tier web application in AWS. The company has limited
staff and requires high availability, and the application requires complex queries and table joins.
Which configuration provides the solution for the company's requirements?
A. MySQL installed on two Amazon EC2 instances in a single Availability Zone
B. Amazon RDS for MySQL with Multi-AZ
C. Amazon ElastiCache
D. Amazon DynamoDB
Answer: B

NO.132 A Solutions Architect is designing a solution that can monitor memory and disk space
utilization of all Amazon EC2 instances running Amazon Linux and Windows. Which solution meets
this requirement?
A. Default Amazon CloudWatch metrics
B. Custom Amazon CloudWatch metrics
C. Amazon Inspector resource monitoring
D. Detailed monitoring of Amazon EC2 instances
Answer: B
Explanation
The default EC2 metrics, including detailed monitoring, are collected from the hypervisor and do not include memory or disk space utilization. Those values must be published from inside the instance (for example by the CloudWatch agent) as custom CloudWatch metrics.

NO.133 A company has an application that stores sensitive data. The company is required by
government regulations to store multiple copies of its data.
What would be the MOST resilient and cost-effective option to meet this requirement?
A. Amazon EFS
B. Amazon RDS
C. AWS Storage Gateway
D. Amazon S3
Answer: D

NO.134 Your Auto Scaling group is configured to launch one new Amazon EC2 instance if the overall
CPU load exceeds 65% over a five-minute interval. Occasionally, the Auto Scaling group launches a
second Amazon EC2 instance before the first is operational. The second instance is not required and
introduces needless compute costs. How can you prevent the Auto Scaling group from launching the
second instance?
A. Add a scaling-specific cooldown period to the scaling policy
B. Configure a lifecycle hook for your Auto Scaling group
C. Adjust the CPU threshold that triggers a scaling action
D. Attach a new launch configuration to the Auto Scaling group
Answer: A

NO.135 Your customers located around the globe require low-latency access to private video files.
Which configuration meets these requirements?
A. Use Amazon CloudFront with signed URLs
B. Use Amazon EC2 with provisioned IOPS Amazon EBS volumes
C. Use Amazon S3 with signed URLs
D. Use Amazon S3 with access control lists
Answer: A

NO.136 Developers are creating a new online transaction processing (OLTP) application for a small
database that is very read-write intensive. A single table in the database is updated continuously
throughout the day, and the developers want to ensure that the database performance is consistent.
Which Amazon EBS storage option will achieve the MOST consistent performance to help maintain
application performance?
A. Provisioned IOPS SSD
B. General Purpose SSD
C. Cold HDD
D. Throughput Optimized HDD
Answer: A

NO.137 You are migrating an existing enterprise application to AWS. It requires standard file system
access from multiple instances. It also requires high storage throughput with consistently low
latencies. You are looking for a storage solution that will grow and shrink capacity automatically.
How can you accomplish this in AWS?
A. Create an Amazon S3 bucket that the application can use for its storage requirements
B. Launch an Amazon Redshift cluster with dense storage nodes to use with the application
C. Create an Amazon EFS file system and mount it on all of the application instances
D. Launch an EBS-backed EC2 instance. Create and share an NFS mount with the application
Answer: C

NO.138 When using the following AWS services, which should be implemented in multiple
Availability Zones for high availability solutions? Choose 2 answers
A. Amazon Simple Storage Service
B. Amazon Elastic Load Balancing
C. Amazon Elastic Compute Cloud
D. Amazon Simple Notification Service
E. Amazon DynamoDB
Answer: B C

NO.139 A company's website receives 50,000 requests each second, and the company wants to use
multiple applications to analyze the navigation patterns of the users on their website so that the
experience can be personalized.
What can a Solutions Architect use to collect page clicks for the website and process them
sequentially for each user?
A. Amazon Kinesis Stream
B. Amazon SQS standard queue
C. Amazon SQS FIFO queue
D. AWS CloudTrail trail
Answer: A

NO.140 An application provides a feature that allows users to securely download private and
personal files. The web server is currently overwhelmed with serving files for download. A Solutions
Architect must find a more effective solution to reduce web server load and costs, and must allow
users to download only their own files Which solution meets all requirements?
A. Store the files securely on Amazon S3 and have the application generate an Amazon S3 pre-signed
URL for the user to download.
B. Store the files in an encrypted Amazon EBS volume, and use a separate set of servers to serve the
downloads.
C. Have the application encrypt the files and store them in the local Amazon EC2 instance store
prior to serving them up for download.
D. Create an Amazon CloudFront distribution to distribute and cache the files.
Answer: A
Explanation
A pre-signed URL lets the user fetch one specific object directly from Amazon S3, with an expiry, without the web server in the data path; the application only signs the URL after checking that the object belongs to the requesting user. A plain CloudFront distribution (D) reduces load but serves the private files to anyone who obtains a URL.
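The pre-signed URL mechanism in NO.140 (the same signed URLs serve NO.120 and NO.135), as an added example that is not part of this guide or of the AWS SDK: a Signature Version 4 query-string signer for a GET on a single object, with the seven-day cap S3 enforces. The bucket, key, region and credentials are placeholders (assumptions); in production the same computation is done by boto3's generate_presigned_url, and the URL should be verified against a real bucket before relying on this code.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Added example, not code from the exam guide: generate an S3 pre-signed GET URL
# with Signature Version 4 query-string authentication. Bucket, key, region and
# credentials used below are placeholders (assumptions).

MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 presigned URLs valid for longer than 7 days


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the per-day, per-region, per-service key; the raw secret never signs a request directly."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_get(bucket, key, region, access_key, secret_key, expires=900, amz_date=None):
    """Return a URL that fetches one object until `expires` seconds after `amz_date` (UTC)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("expires must be between 1 second and 7 days")
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: parameters sorted by name, RFC 3986 encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        signing_key(secret_key, date, region), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def signature_of(url: str) -> str:
    """The hex signature at the end of a URL produced by presign_get."""
    return url.rsplit("X-Amz-Signature=", 1)[1]


if __name__ == "__main__":
    # Placeholder credentials (assumption): the signing identity should hold only
    # s3:GetObject on the prefix that belongs to the user requesting the download.
    print(presign_get("example-bucket", "users/42/statement.pdf", "us-east-1",
                      "AKIAEXAMPLE", "exampleSecretKey", expires=3600))
```

The URL is only as good as the credentials that signed it: it stops working when those credentials are revoked or, for temporary credentials, when they expire, whichever comes first. Sign with an identity that can read only the objects being handed out, generate one URL per user and object after the ownership check, and keep the expiry as short as the download allows.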

NO.141 A Solutions Architect is designing a web application that is running on an Amazon EC2
instance. The application stores data in DynamoDB. The Architect needs to secure access to the
DynamoDB table.
What combination of steps does AWS recommend to achieve secure authorization? (Select two.)
A. Store an access key on the Amazon EC2 instance with rights to the Dynamo DB table.
B. Attach an IAM user to the Amazon EC2 instance.
C. Create an IAM role with permissions to write to the DynamoDB table.
D. Attach an IAM role to the Amazon EC2 instance.
E. Attach an IAM policy to the Amazon EC2 instance.
Answer: C D
Explanation
AWS recommends creating an IAM role with least-privilege permissions on the table and attaching it to the instance through an instance profile, so the application obtains short-lived credentials from the instance metadata service. Storing an access key on the instance (A) is exactly what the role avoids, and IAM users and policies cannot be attached to an instance (B, E).
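The role described in NO.141 (and the task role in NO.157, which differs only in the service principal), as an added example that is not part of this guide: the trust policy and the table-scoped permissions policy, plus a check that an Allow statement grants no wildcard actions or resources. The account ID and table name in the ARN are constructed for illustration, and the index resource pattern is an assumption about the table having secondary indexes.

```python
import json

# Added example, not code from the exam guide: the two policy documents behind
# "create an IAM role and attach it to the instance", and a least-privilege lint.
# The table ARN is constructed for illustration (assumption).

TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"


def trust_policy(service_principal: str = "ec2.amazonaws.com") -> dict:
    """Who may assume the role: ec2.amazonaws.com for an instance profile,
    ecs-tasks.amazonaws.com for an ECS task role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def table_policy(table_arn: str,
                 actions=("dynamodb:GetItem", "dynamodb:PutItem",
                          "dynamodb:UpdateItem", "dynamodb:Query")) -> dict:
    """Permissions scoped to one table and its indexes: no dynamodb:* and no Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": [table_arn, f"{table_arn}/index/*"],
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: dict) -> list:
    """Least-privilege violations in Allow statements; an empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"statement {i}: wildcard resource")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource in an Allow grants by exclusion")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(table_policy(TABLE_ARN), indent=2))
    print(policy_findings(table_policy(TABLE_ARN)))  # []
```

Run the lint against every role policy before it is attached; the common regression is a developer widening the Action to dynamodb:* "temporarily", which the check catches.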

NO.142 A customer is hosting their company website on a cluster of web servers that are behind a
public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS.
How should the customer configure the DNS zone apex record to point to the load balancer?
A. Create a CNAME record pointing to the load balancer DNS name
B. Create a CNAME record aliased to the load balancer DNS name
C. Create an A record pointing to the IP address of the load balancer
D. Create an A record aliased to the load balancer DNS name
Answer: D
Explanation
A zone apex (example.com) cannot be a CNAME record, and a load balancer's IP addresses change over time, so the apex must be a Route 53 alias A record that resolves to the load balancer's DNS name.

NO.143 Per the AWS Acceptable Use Policy, Penetration testing of EC2 instances:
A. Are expressly prohibited under all circumstances
B. May be performed by AWS, and is periodically performed by AWS
C. May be performed by the customer on their own instances, only if performed from EC2 instances
D. May be performed by the customer on their own instances with prior authorization from AWS
E. May be performed by AWS, and will be performed by AWS upon customer request
Answer: D

NO.144 A company is building a two-tier web application to serve dynamic transaction-based
content. The data tier is leveraging an Online Transactional Processing (OLTP) database. What
services should you leverage to enable an elastic and scalable web tier?
A. Elastic Load Balancing, Amazon EC2, and Auto Scaling
B. Elastic Load Balancing, Amazon RDS with Multi-AZ, and Amazon S3
C. Amazon RDS with Multi-AZ and Auto Scaling
D. Amazon EC2, Amazon DynamoDB, and Amazon S3
Answer: A

NO.145 A company's development team plans to create an Amazon S3 bucket that contains millions
of images. The team wants to maximize the read performance of Amazon S3.
Which naming scheme should the company use?
A. Add a date as the prefix.
B. Add a sequential id as the suffix.
C. Add a hexadecimal hash as the suffix.
D. Add a hexadecimal hash as the prefix.
Answer: D

NO.146 A company has an Amazon RDS database backing its production website. The Sales team
needs to run queries against the database to track training program effectiveness. Queries against
the production database cannot impact performance, and the solution must be easy to maintain.
How can these requirements be met?
A. Use an Amazon Redshift database. Copy the production database into Redshift and allow the team to
query it.
B. Use an Amazon RDS read replica of the production database and allow the team to query against
it.
C. Use multiple Amazon EC2 instances running replicas of the production database, placed behind a
load balancer.
D. Use an Amazon DynamoDB table to store a copy of the data.
Answer: B
Explanation
A read replica absorbs the reporting queries without touching the primary and is kept current by RDS; copying the data into Amazon Redshift (A) means building and operating a load pipeline.

NO.147 A customer is complaining that requests made to their load balancer are closing
prematurely. The customer also mentions that the issue only happens when waiting for the multi-week
report to be generated. Which option will resolve the customer's issue?
A. Adjust the timeout on health check settings
B. Increase the idle timeout on registered instances
C. Disable connection draining on the load balancer
D. Enable stickiness on the load balancer
Answer: B
Explanation
The load balancer's idle connection timeout (60 seconds by default) closes a connection on which no data flows while the long report is generated. Raising the idle timeout on the load balancer, together with the keep-alive timeout on the registered instances, to exceed the longest request resolves it. Connection draining only affects instances being deregistered.

NO.148 Your organization is looking for a solution that can help the business with streaming data.
Several services will require access to read and process the same stream concurrently.
What AWS service meets the business requirements?
A. Amazon Kinesis Streams
B. Amazon SQS
C. Amazon Kinesis Firehose
D. Amazon CloudFront
Answer: A
Explanation
Amazon Kinesis Streams lets several consumers read the same stream concurrently and independently. Kinesis Firehose delivers a stream to a single configured destination, and an SQS message is consumed once.

NO.149 When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the
data on the root volume?
A. Data is unavailable until the instance is restarted
B. Data is automatically deleted
C. Data is automatically saved as an EBS snapshot
D. Data is automatically saved as an EBS volume
Answer: B

NO.150 The AWS CloudHSM service is integrated with which of the following service? Choose 2
answers
A. Amazon Elastic Block Store
B. Amazon Simple Storage Service
C. Amazon Redshift
D. Amazon DynamoDB
E. Amazon RDS (Oracle)
Answer: C E

NO.151 A company hosts a two-tier application that consists of a publicly accessible web server that
communicates with a private database. Only HTTPS port 443 traffic to the web server must be
allowed from the internet.
Which of the following options will achieve these requirements? (Select Two.)
A. Security group rule that allows inbound internet traffic for port 443
B. Security group rule that denies all inbound internet traffic except port 443
C. Network ACL rule that allows port 443 inbound and all ports outbound for internet traffic
D. Security group rule that allows internet traffic for port 443 in both inbound and outbound
E. Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic
Answer: A C
Explanation
Security groups are stateful and have only allow rules, so a single inbound rule for port 443 is sufficient (A); B and D describe rules that do not exist. Network ACLs are stateless: the response to an inbound HTTPS request leaves on an ephemeral port, so the outbound rule must cover the ephemeral range (C). Allowing only port 443 outbound (E) would drop every response.

NO.153 Your company's IT policies mandate that all critical data must be duplicated in two physical
locations at least 100 miles apart.
What storage option meets this requirement?
A. One Amazon S3 bucket
B. Two Amazon S3 buckets in the same region
C. One Amazon Glacier archive
D. Two Amazon S3 buckets in different regions
Answer: D
Explanation
A single bucket or Glacier archive is replicated across the Availability Zones of one Region, which sit within about 100 km of one another. Two locations at least 100 miles apart require buckets in two Regions, with cross-region replication copying the data between them.

NO.154 How frequently does the Amazon CloudWatch Logs agent send data by default?
A. Every five seconds
B. Every minute
C. Every five seconds and is configurable by the user
D. Every minute and is configurable by the user
Answer: C
Explanation
The agent's buffer_duration setting defaults to 5000 ms and can be changed in the agent configuration file.

NO.155 Which of the following instance types are available as Amazon EBS-backed only? Choose 2
answers
A. General purpose T2
B. General purpose M3
C. Compute-optimized C4
D. Compute-optimized C3
E. Storage-optimized I2
Answer: A C

NO.156 A user in account A has created a bucket and added a bucket policy allowing all actions for a
user in account B. The user in account B has uploaded a file to the bucket, specifying Amazon S3
server-side encryption (SSE) and Amazon S3 reduced redundancy storage (RRS). Using the AWS
Management Console, the user in account A attempts to download the file from the bucket but gets an
"Access Denied" error. What is causing the error?
A. Account A user has not granted READ permission to itself
B. Account B user has not granted READ permission to account A user
C. SSE and RRS cannot be used on an object at the same time
D. An SSE object cannot be copied between two different accounts
Answer: B
Explanation
An object is owned by the account that uploaded it, and the bucket owner's bucket policy does not override the object owner's ACL. The account B user must grant READ to account A, or upload with the bucket-owner-full-control canned ACL; SSE and RRS play no part in the error.

NO.157 Your security team requires each Amazon ECS task to have an IAM policy that limits the
task's privileges to only those required for its use of AWS services. How can you achieve this?
A. Reboot each Amazon ECS task programmatically to generate new instance metadata for each task
B. Connect to each running Amazon ECS container instance and add discrete credentials
C. Use IAM roles on the Amazon ECS container instances to associate IAM roles with each ECS task on
that instance
D. Use IAM roles for Amazon ECS tasks to associate a specific IAM role with each ECS task definition
Answer: D

NO.158 A legacy application running on premises requires a Solutions Architect to be able to open a
firewall to allow access to several Amazon S3 buckets. The Architect has a VPN connection to AWS in
place. How should the Architect meet this requirement?
A. Create an IAM role that allows access from the corporate network to Amazon S3
B. Configure a proxy on Amazon EC2 and use an Amazon S3 VPC endpoint.
C. Use Amazon API Gateway to do IP whitelisting.
D. Configure IP whitelisting on the customer's gateway
Answer: B
Explanation
Amazon S3's public endpoints resolve to large, changing IP ranges, which a firewall cannot sensibly whitelist. Sending the traffic over the VPN to a proxy on Amazon EC2 that reaches S3 through a VPC endpoint gives the on-premises firewall a fixed private address to allow, and keeps the S3 traffic off the Internet. An IAM role (A) controls authorization, not firewall rules.

NO.159 What is one key difference between an Amazon EBS-backed and an instance-store backed
instance?
A. Instance-store backed instances can be stopped and restarted
B. Amazon EBS-backed instances can be stopped and restarted
C. Virtual Private Cloud requires EBS backed instances
D. Auto Scaling requires using Amazon EBS- backed instances
Answer: B

NO.160 Within a VPC, you need to allow a wide range of ports, and block several non-contiguous
ports within the range. Which option will allow you to do this?
A. Using a network ACL, place a DENY rule for ports to be blocked ahead of the ALLOW rule for the
wide range of ports
B. Using a network ACL, place a DENY rule for ports to be blocked after the ALLOW rule for the wide
range of ports
C. Using a security group, place a DENY rule for ports to be blocked ahead of the ALLOW rule for the
wide range of ports
D. Using a security group, place a DENY rule for ports to be blocked after the ALLOW rule for the
wide range of ports
Answer: A
Explanation
Network ACL rules are evaluated in ascending rule-number order and the first matching rule wins, so a lower-numbered DENY for the specific ports takes precedence over the higher-numbered ALLOW for the range; in the reverse order the DENY rules are never reached. Security groups have only allow rules, so C and D cannot be configured at all.
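The rule-ordering behaviour in NO.160, as an added example that is not part of this guide: a small evaluator that applies network ACL semantics (ascending rule number, first match wins, implicit deny) and security group semantics (allow rules only, order irrelevant) to two constructed rule sets, one with the DENY rules numbered before the wide ALLOW and one after. The rule sets and ports are constructed for illustration.

```python
from dataclasses import dataclass

# Added example, not code from the exam guide: reproduce how a network ACL
# orders its rules and how a security group differs. Rule sets are constructed.


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; evaluated in ascending order
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"

    def matches(self, protocol: str, port: int) -> bool:
        if self.protocol == "all":
            return True
        return self.protocol == protocol and self.port_from <= port <= self.port_to


def nacl_verdict(rules, protocol: str, port: int) -> str:
    """First matching rule by number wins; the implicit '*' rule denies everything else."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port):
            return rule.action
    return "deny"


def security_group_allows(rules, protocol: str, port: int) -> bool:
    """Security groups have allow rules only: any matching allow permits the traffic."""
    return any(r.action == "allow" and r.matches(protocol, port) for r in rules)


# Correct: DENY for the specific ports numbered below the wide ALLOW.
DENY_FIRST = [
    Rule(100, "tcp", 22, 22, "deny"),
    Rule(110, "tcp", 3389, 3389, "deny"),
    Rule(200, "tcp", 1, 65535, "allow"),
]

# Wrong: the ALLOW is evaluated first, so the DENY rules are never reached.
DENY_AFTER = [
    Rule(100, "tcp", 1, 65535, "allow"),
    Rule(200, "tcp", 22, 22, "deny"),
    Rule(210, "tcp", 3389, 3389, "deny"),
]


if __name__ == "__main__":
    for port in (22, 443, 3389):
        print(f"tcp/{port}: deny-first={nacl_verdict(DENY_FIRST, 'tcp', port)} "
              f"deny-after={nacl_verdict(DENY_AFTER, 'tcp', port)}")
```

Because a network ACL is stateless, the same ordering applies separately to the inbound and outbound rule lists; a DENY placed correctly on the inbound side does nothing for the outbound direction.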

NO.161 A Solutions Architect was tasked with reviewing several templates that build VPCs and
ensuring that they meet specific security requirements. After reviewing the templates, the Architect
realizes that all of the templates are missing important security best practices.
What should the Architect do to implement security best practices in an efficient manner?
A. Use VPC peering to enforce network consistency
B. Restrict users from deploying an AWS CloudFormation template.
C. Provide the teams a nested AWS CloudFormation template that builds the VPC correctly.
D. Create AWS identity and Access Management (IAM) policies that enforce the corporate VPC
architecture standards
Answer: C
Explanation
A nested CloudFormation template that builds the VPC correctly lets every team reuse one vetted definition and fixes the templates in a single place. IAM policies control who may call which API, but cannot express VPC architecture standards such as subnet layout, route tables or flow logging.

NO.162 If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each
instance a predetermined private IP address you should:
A. Launch the instance from a private Amazon Machine Image (AMI).
B. Assign a group of sequential Elastic IP address to the instances.
C. Launch the instances in the Amazon Virtual Private Cloud (VPC).
D. Launch the instances in a Placement Group.
E. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already.
Answer: C


NO.163 For which of the following use cases are Simple Queue Service (SQS) and Amazon EC2 an
appropriate solution? Choose 2 answers
A. Using as a distributed session store for your web application
B. Managing a multi-step and multi-decision checkout process of an e-commerce website
C. Using as an SNS endpoint to trigger execution of video transcoding jobs
D. Orchestrating the execution or distributed and auditable business processes
E. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of
sensors
Answer: C E

NO.164 A Solutions Architect notices slower response times from an application. The CloudWatch
metrics on the MySQL RDS indicate Read IOPS are high and fluctuate significantly when the database
is under load.
How should the database environment be re-designed to resolve the IOPS fluctuation?
A. Change the RDS instance type to get more RAM.
B. Change the storage type to Provisioned IOPS.
C. Scale the web server tier horizontally.
D. Split the DB layer into separate RDS instances.
Answer: B

NO.165 A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows
application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token
Service approach to temporary access should you use for the Amazon S3 operations?
A. Cross-Account Access
B. AWS Identity and Access Management roles
C. SAML-based Identity Federation
D. Web Identity Federation
Answer: D

NO.166 How can you secure data at rest on an EBS volume?


A. Create an IAM policy that restricts read and write access to the volume
B. Use an encrypted file system on top of the EBS volume
C. Write the data randomly instead of sequentially
D. Encrypt the volume using the S3 server-side encryption service
E. Attach the volume to an instance using the EC2 SSL interface
Answer: B

NO.167 A Solutions Architect needs to use AWS to implement pilot light disaster recovery for a
three- tier web application hosted in an on-premises datacenter.
Which solution allows rapid provision of a working, fully-scaled production environment?
A. Continuously replicate the production database server to Amazon RDS. Use AWS CloudFormation
to deploy the application and any additional servers if necessary.
B. Continuously replicate the production database server to Amazon RDS. Create one ELB Application
Load Balancer and register the on-premises servers. Configure the Application Load Balancer to
automatically deploy Amazon EC2 instances for the application and additional servers if the
on-premises application is down.
C. Use a scheduled Lambda function to replicate the production database to AWS. Use Amazon Route
53 health checks to deploy the application automatically to Amazon S3 if production is unhealthy.
D. Use a scheduled Lambda function to replicate the production database to AWS. Register on-
premises servers to an Auto Scaling group and deploy the application and additional servers if
production is unavailable.
Answer: A

NO.168 A workload consists of downloading an image from an Amazon S3 bucket, processing the
image, and moving it to another Amazon S3 bucket. An Amazon EC2 instance runs a scheduled task
every hour to perform the operation.
How should a Solutions Architect redesign the process so that it is highly available?
A. Change the Amazon EC2 instance to compute optimized
B. Launch a second Amazon EC2 instance to monitor the health of the first
C. Trigger a Lambda function when a new object is uploaded
D. Initially copy the images to an attached Amazon EBS volume.
Answer: C

NO.169 A development team is building an application with front-end and backend application tiers.
Each tier consists of Amazon EC2 instances behind an ELB Classic Load Balancer. The instances run in
Auto Scaling groups across multiple Availability Zones. The network team has allocated the
10.0.0.0/24 address space for this application. Only the front-end load balancer should be exposed to
the Internet. There are concerns about the limited size of the address space and the ability of each
tier to scale.
What should the VPC subnet design be in each Availability Zone?
A. One public subnet for the load balancer tier, one public subnet for the front-end tier, and one
private subnet for the backend tier
B. One shared public subnet for all tiers of the application
C. One public subnet for the load balancer tier and one shared private subnet for the application tiers
D. One shared private subnet for all tiers of the application
Answer: C

NO.170 You are tasked with migrating a high throughput, distributed, fault-tolerant NoSQL data
store to AWS. The system is extremely disk-IO intensive. Which instance family is best suited for this
workload?
A. I2
B. T2
C. HS1
D. R3
Answer: A

NO.171 An organization runs an online media site, hosted on-premises. An employee posted a
product review that contained videos and pictures. The review went viral and the organization needs
to handle the resulting spike in website traffic.
What action would provide an immediate solution?
A. Redesign the website to use Amazon API Gateway, and use AWS Lambda to deliver content.
B. Add server instances using Amazon EC2 and use Amazon Route 53 with a failover routing policy.
C. Serve the images and videos via an Amazon CloudFront distribution created using the news site as
the origin.
D. Use Amazon ElastiCache for Redis for caching and reducing the load requests from the origin.
Answer: C

NO.172 Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers
A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.
B. Each subnet maps to a single Availability Zone.
C. CIDR block mask of /25 is the smallest range supported.
D. By default, all subnets can route between each other, whether they are private or public.
E. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP.
Answer: B D

NO.173 A Solutions Architect is deploying a new production MySQL database on AWS. It is critical
that the database is highly available. What should the Architect do to achieve this goal with Amazon
RDS?
A. Create a read replica of the primary database and deploy it in a different AWS Region
B. Enable multi-AZ to create a standby database in a different Availability Zone
C. Enable multi-AZ to create a standby database in a different AWS Region
D. Create a read replica of the primary database and deploy it in a different Availability Zone
Answer: B

NO.174 A stray Amazon EC2 r3.8xlarge instance is running in your AWS account. Before terminating
it, you want to find the owner to confirm that it is not needed.
Where can you find the identity that launched this instance?
A. CloudTrail logs
B. VPC flow logs
C. ELB access logs
D. Operating system logs
Answer: A
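For NO.174, the identity that called RunInstances is in the CloudTrail record's userIdentity, and the resulting instance IDs are under responseElements. The Python below is an added example, not part of the original exam dump: it parses a constructed CloudTrail log file (the same "Records" layout CloudTrail delivers to S3, trimmed to the fields read here) and attributes an instance ID to the caller. The instance IDs, ARNs, account number and IP addresses are made up.

```python
"""Attribute an EC2 instance launch to an identity using CloudTrail records.

CloudTrail log files are JSON documents with a top-level "Records" array.
A RunInstances event carries the caller in userIdentity and the created
instance IDs under responseElements.instancesSet.items[].instanceId.
"""
import json

# Constructed sample log file: two launches and an unrelated read-only call.
SAMPLE_LOG = json.dumps({"Records": [
    {
        "eventTime": "2018-03-01T09:12:44Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.7",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/alice",
            "sessionContext": {"sessionIssuer": {"userName": "DevRole"}},
        },
        "requestParameters": {"instanceType": "r3.8xlarge"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0abc123def456789a"}]}},
    },
    {
        "eventTime": "2018-03-01T10:00:02Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeInstances",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "responseElements": None,   # read-only calls log no response
    },
    {
        "eventTime": "2018-03-02T14:20:10Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "awsRegion": "us-east-1",
        "sourceIPAddress": "198.51.100.9",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/bob"},
        "requestParameters": {"instanceType": "t2.micro"},
        "responseElements": {"instancesSet": {"items": [
            {"instanceId": "i-0fedcba9876543210"}]}},
    },
]})


def launch_events(log_text: str):
    """Yield (instance_id, record) for every instance created in the log file."""
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") != "RunInstances":
            continue
        # responseElements is null when the call failed or was denied.
        response = rec.get("responseElements") or {}
        for item in response.get("instancesSet", {}).get("items", []):
            yield item["instanceId"], rec


def who_launched(log_text: str, instance_id: str):
    """Summarise the caller that launched instance_id, or None if not in this log."""
    for iid, rec in launch_events(log_text):
        if iid == instance_id:
            ident = rec["userIdentity"]
            return {
                "arn": ident.get("arn"),
                "type": ident.get("type"),
                "time": rec.get("eventTime"),
                "source_ip": rec.get("sourceIPAddress"),
                "instance_type": rec.get("requestParameters", {}).get("instanceType"),
            }
    return None


if __name__ == "__main__":
    print(who_launched(SAMPLE_LOG, "i-0abc123def456789a"))
```

Two caveats for a real investigation: the console's event history only goes back 90 days, so an older launch must be looked up in the trail's S3 bucket, and the record must come from the region where the instance runs. For an assumed role the arn identifies the session name, not necessarily a person, so sessionContext.sessionIssuer is worth keeping.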

NO.175 A Solutions Architect needs to allow developers to have SSH connectivity to web servers.
The requirements are as follows:
* Limit access to users originating from the corporate network
* Web servers cannot have SSH access directly from the Internet
* Web servers reside in a private subnet
Which combination of steps must the Architect complete to meet these requirements? (Select TWO)
A. Create a bastion host that authenticates users against the corporate directory
B. Create a bastion host with security group rules that only allow traffic from the corporate network
C. Attach an IAM role to the bastion host with relevant permissions
D. Configure the web servers' security group to allow SSH traffic from a bastion host
E. Deny all SSH traffic from the corporate network in the inbound network ACL.
Answer: B D

NO.176 Which Amazon Elastic Compute Cloud (EC2) feature can you query from within the instance to
access instance properties?
A. Instance user data
B. Amazon Machine Image
C. Resource tags
D. Instance metadata
Answer: D

NO.177 An application requires block storage for file updates. The data is 500 GB and must
continuously sustain 100 MiB/s of aggregate read/write operations.
Which storage option is appropriate for this application?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS
D. Amazon Glacier
Answer: C

NO.178 For which of the following use cases are Simple Workflow Service (SWF) and Amazon EC2 an
appropriate solution? Choose 2 answers
A. Using as an endpoint to collect thousands of data points per hour from a distributed fleet of
sensors
B. Managing a multi-step and multi-decision checkout process of an e-commerce website
C. Orchestrating the execution of distributed and auditable business processes
D. Using as an SNS (Simple Notification Service) endpoint to trigger execution of video transcoding
jobs
E. Using as a distributed session store for your web application
Answer: B C

NO.179 Your application currently stores data on an unencrypted EBS volume. A new security policy
mandates that all data must be encrypted at rest. How can you encrypt the data?
A. Create a snapshot of the volume. Create a new, encrypted volume from the snapshot. Replace the
volume.
B. Create a snapshot of the volume. Make an encrypted copy of the snapshot. Create a new volume
from the new snapshot. Replace the volume.
C. Modify the EBS settings to encrypt the volume. You do not need to detach the volume or stop the
instance.
D. Stop the instance. Detach the volume. Modify the EBS settings to encrypt the volume. Reattach
the volume. Start the instance.
Answer: B

NO.180 Which of the following approaches provides the lowest cost for Amazon Elastic Block Store
snapshots while giving you the ability to fully restore data?
A. Maintain a single snapshot: the latest snapshot is both incremental and complete
B. Maintain the most current snapshots, archive the original and incremental to Amazon Glacier
C. Maintain a volume snapshot: subsequent snapshots will overwrite one another
D. Maintain two snapshots: the original snapshot and the latest incremental snapshot
Answer: A

NO.181 A us-based company is expanding their web presence into Europe. The company wants to
extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1)
region. Which of the following options would enable an equivalent experience for users on both
continents?
A. Use a public-facing load balancer per region to load balance web traffic, and enable HTTP health
checks
B. Use a public-facing load balancer per region to load balance web traffic, and enable sticky
sessions
C. Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both
regions
D. Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions
Answer: C

NO.182 A customer has written an application that uses Amazon S3 exclusively as a data store. The
application works well until the customer increases the rate at which the application is updating
information. The customer now reports that outdated data occasionally appears when the
application accesses objects in Amazon S3.
What could be the problem, given that the application logic is otherwise correct?
A. The application is reading parts of objects from Amazon S3 using a range header.
B. The application is reading objects from Amazon S3 using parallel object requests.
C. The application is updating records by writing new objects with unique keys.
D. The application is updating records by overwriting existing objects with the same keys.
Answer: D

NO.183 A company has an Amazon RDS-managed online transaction processing system that has very
heavy read and write. The Solutions Architect notices throughput issues with the system.
How can the responsiveness of the primary database be improved?
A. Use asynchronous replication for standby to maximize throughput during peak demand.
B. Offload SELECT queries that can tolerate stale data to READ replica.
C. Offload SELECT and UPDATE queries to READ replica.
D. Offload SELECT query that needs the most current data to READ replica.
Answer: B

NO.184 How can a user track memory usage in an EC2 instance?
A. Call Amazon CloudWatch to retrieve the memory usage metric data that exists for the EC2
Instance
B. Assign an IAM role to the EC2 instance with an IAM policy granting access to the desired metric.
C. Use an instance type that supports memory usage reporting to a metric by default
D. Place an agent on the EC2 instance to push memory usage to an Amazon CloudWatch custom
metric.
Answer: D

NO.185 A Solutions Architect is designing an architecture for a mobile gaming application. The
application is expected to be very popular. The Architect needs to prevent the Amazon RDS MySQL
database from becoming a bottleneck due to frequently accessed queries.
Which service or feature should the Architect add to prevent a bottleneck?
A. Multi-AZ feature on the RDS MySQL Database
B. ELB Classic Load Balancer in front of the web application tier.
C. Amazon SQS in front of RDS MySQL Database
D. Amazon ElastiCache in front of the RDS MySQL Database.
Answer: D

NO.186 You have a video transcoding application running on Amazon EC2. Each instance polls a
queue to find out which video should be transcoded, and then runs a transcoding process.
If this process is interrupted, the video will be transcoded by another instance based on the queuing
system.
You have a large backlog of videos which need to be transcoded and would like to reduce this
backlog by adding more instances. You will need these instances only until the backlog is reduced.
Which type of Amazon EC2 instance should you use to reduce the backlog in the most cost effective
way?
A. Dedicated instances
B. Spot instances
C. On-demand instances
D. Reserved instances
Answer: B

NO.187 What are characteristics of Amazon S3? Choose 2 answers


A. S3 allows you to store objects of virtually unlimited size.
B. S3 offers Provisioned IOPS.
C. S3 allows you to store unlimited amounts of data.
D. S3 should be used to host a relational database.
E. Objects are directly accessible via a URL.
Answer: C E
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-
access-to-s3.

NO.188 Which of the following items are required to allow an application deployed on an EC2
instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored
on the EC2 instance.
A. Launch an EC2 instance with the IAM user included in the launch configuration
B. Create an IAM user that allows write access to the DynamoDB table
C. Add an IAM user to a running EC2 instance
D. Create an IAM role that allows write access to the dynamoDB table
E. Add an IAM role to a running EC2 instance
F. Launch an EC2 instance with the IAM role included in the launch configuration
Answer: D F

NO.189 A company needs to quickly ensure that all files created in an Amazon S3 bucket in us-east-1
are also available in another bucket in ap-southeast-2. Which option represents the SIMPLEST way to
implement this design?
A. Add an S3 lifecycle rule to move any new files from the bucket in us-east-1 to the bucket in ap-
southeast-2.
B. Create a Lambda function to be triggered for every new file in us-east-1 that copies the file to the
bucket in ap-southeast-2
C. Use SNS to notify the bucket in ap-southeast-2 to create a file whenever a file is created in the
bucket in us-east-1.
D. Enable versioning and configure cross-region replication from the bucket in us-east-1 to the
bucket in ap-southeast-2.
Answer: D

NO.190 A Solutions Architect is designing a database solution that must support a high rate of
random disk reads and writes. It must provide consistent performance, and requires long-term
persistence.
Which storage solution BEST meets these requirements?
A. An Amazon EBS Provisioned IOPS volume
B. An Amazon EBS General Purpose volume
C. An Amazon EBS Magnetic volume
D. An Amazon EC2 Instance Store
Answer: A

NO.191 A Solutions Architect is designing a solution that includes a managed VPN connection. To
monitor whether the VPN connection is up or down, the Architect should use:
A. an external service to ping the VPN endpoint from outside the VPC
B. AWS CloudTrail to monitor the endpoint
C. the CloudWatch TunnelState Metric
D. an AWS Lambda function that parses the VPN connection logs.
Answer: C

NO.192 A media company has deployed a multi-tier architecture on AWS. Web servers are deployed
in two Availability Zones using an Auto Scaling group with a default Auto Scaling termination policy.
The web servers' Auto Scaling group currently has 15 instances running.

Which instance will be terminated first during a scale-in operation?
A. The instance with the oldest launch configuration.
B. The instance in the Availability Zone that has most instances.
C. The instance closest to the next billing hour.
D. The oldest instance in the group.
Answer: B

NO.193 A Solutions Architect is designing an application that stores objects encrypted in an Amazon
S3 bucket. The company's security requirements state that the encryption key is stored by the
organization. Which methods meet this requirement? (Select TWO.)
A. Use S3 server-side encryption with customer-provided keys.
B. Use S3 client-side encryption.
C. Use S3 server-side encryption with Amazon S3 managed keys
D. Use S3 server-side encryption with AWS KMS managed keys.
E. Use S3 server-side encryption with the company's own keys imported into AWS KMS
Answer: A B
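With SSE-C (option A of NO.193) the organization keeps the key and sends it with every PUT and GET; S3 uses it for that one request and retains only a salted HMAC of it for validation, never the key itself. The request needs three headers: the algorithm, the base64-encoded 256-bit key, and the base64 of the key's MD5, which S3 uses to detect a key corrupted in transit; requests must be sent over HTTPS or S3 rejects them. The Python below is an added example, not part of the original exam dump: it builds those headers and then checks them the way the S3 side does. The key value is constructed for illustration.

```python
"""Build and validate S3 SSE-C request headers.

The customer supplies the raw AES-256 key on every request; S3 never
stores the key.  The MD5 header is an integrity check on the key, not a
secrecy measure, which is why the transport must be HTTPS.
"""
import base64
import hashlib

ALG_HEADER = "x-amz-server-side-encryption-customer-algorithm"
KEY_HEADER = "x-amz-server-side-encryption-customer-key"
MD5_HEADER = "x-amz-server-side-encryption-customer-key-MD5"


def sse_c_headers(key: bytes) -> dict:
    """Headers the client adds to a PUT or GET for an SSE-C object."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALG_HEADER: "AES256",
        KEY_HEADER: base64.b64encode(key).decode("ascii"),
        # MD5 is what the SSE-C specification requires here; it is not used for security.
        MD5_HEADER: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def validate_sse_c_request(headers: dict, scheme: str) -> bytes:
    """Mimic S3's checks on an incoming SSE-C request and return the raw key.

    Rejects plain HTTP, any algorithm other than AES256, a key that is not
    32 bytes, and a key whose MD5 does not match the supplied digest.
    """
    if scheme != "https":
        raise PermissionError("SSE-C requests must use HTTPS")
    if headers.get(ALG_HEADER) != "AES256":
        raise ValueError("unsupported customer algorithm")
    key = base64.b64decode(headers[KEY_HEADER])
    if len(key) != 32:
        raise ValueError("customer key must be 32 bytes")
    expected = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if headers.get(MD5_HEADER) != expected:
        raise ValueError("customer key MD5 mismatch")
    return key


if __name__ == "__main__":
    # Constructed sample key (bytes 0..31); use os.urandom(32) in practice.
    sample_key = bytes(range(32))
    hdrs = sse_c_headers(sample_key)
    print(hdrs)
    assert validate_sse_c_request(hdrs, "https") == sample_key
```

Because S3 does not keep the key, losing it means losing the objects: the same headers must be sent on every GET, HEAD and copy, and key rotation is a re-upload with the new key. Client-side encryption (option B) keeps the key out of the request entirely, at the cost of doing the AES work yourself.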

NO.194 An application on an Amazon EC2 instance routinely stops responding to requests and
requires a reboot to recover. The application logs are already exported into Amazon CloudWatch,
and you notice that the problem consistently follows the appearance of a specific message in the log.
The application team is working to address the bug, but has not provided a date for the fix.
What workaround can you implement to automate recovery of the instance until the fix is deployed?
A. Create an Amazon CloudWatch alarm on instance memory usage; based on that alarm, trigger an
Amazon CloudWatch action to reboot the instance
B. Create a AWS CloudTrail alarm on low CPU; based on that alarm, trigger an Amazon SNS message
to the Operations team
C. Create an Amazon CloudWatch alarm on an Amazon CloudWatch Logs for that message; based on
that alarm, trigger an Amazon CloudWatch action to reboot the instance
D. Create an AWS CloudTrail alarm to detect the deadlock; based on that alarm, trigger an Amazon
SNS message to the Operations team
Answer: C
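The workaround in NO.194 has two parts: a CloudWatch Logs metric filter that turns each matching log event into a data point, and an alarm on that metric whose action is the EC2 reboot action. The Python below is an added example, not part of the original exam dump: it simulates both over a few constructed log lines. The filter here is a plain substring match rather than CloudWatch's filter-pattern syntax, and the reboot action ARN follows the documented arn:aws:automate:<region>:ec2:reboot form; the region and the log content are assumptions for the illustration.

```python
"""Simulate a CloudWatch Logs metric filter and a reboot alarm over it.

A metric filter emits one data point per matching log event; the alarm
sums the metric per period and fires its action when the threshold is
breached.  Here the threshold is one match in a one-minute period, which
is what a "reboot as soon as the known message appears" workaround needs.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines: ISO timestamp followed by the message.
SAMPLE_LOG = """\
2018-03-01T09:12:44Z INFO request handled in 31ms
2018-03-01T09:12:59Z INFO request handled in 28ms
2018-03-01T09:13:07Z ERROR WorkerPool deadlock detected, threads blocked
2018-03-01T09:13:09Z WARN request timed out
2018-03-01T09:40:00Z INFO request handled in 30ms
"""

REBOOT_ACTION = "arn:aws:automate:us-east-1:ec2:reboot"  # assumed region


def metric_filter(log_text: str, pattern: str, period_seconds: int = 60) -> dict:
    """Return {period_start_epoch: count} of events whose message contains pattern."""
    counts = Counter()
    for line in log_text.splitlines():
        ts_text, _, message = line.partition(" ")
        if pattern not in message:
            continue
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        period = int(ts.timestamp()) // period_seconds * period_seconds
        counts[period] += 1
    return dict(counts)


def alarm_actions(datapoints: dict, threshold: int = 1, action: str = REBOOT_ACTION):
    """Return [(period, action)] for every period whose sum meets the threshold."""
    return [(period, action)
            for period, count in sorted(datapoints.items())
            if count >= threshold]


if __name__ == "__main__":
    points = metric_filter(SAMPLE_LOG, "deadlock detected")
    print(points, alarm_actions(points))
```

Two things to get right in the real configuration: the filter must be narrow enough that the alarm does not reboot on unrelated errors, and the alarm should treat missing data as not breaching, since periods with no log events are the normal case.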

NO.195 You have an Amazon EC2 instance with data stored in an Amazon Elastic Block Store (EBS)
volume. You want to make the data available in another region. Which of the following methods
should be used for making the data in the Amazon EBS volume available to the newly launched
Amazon EC2 instance?
A. Detach the Amazon EBS volume and attach it to the newly launched Amazon EC2 instance
B. Snapshot the Amazon EBS volume and copy it to the other region. Create a new Amazon EBS
volume from the snapshot, and attach it to the newly launched Amazon EC2 instance
C. Copy the Amazon EBS volume to the other region, create a new Amazon EBS volume from that,
and then attach it to newly launched Amazon EC2 instance
D. Use AWS Import/Export to copy the Amazon EBS volume to the other region and attach it to
newly launched instance
Answer: B

NO.196 A Solution Architect is designing an application that uses Amazon EBS volumes. The volumes
must be backed up to a different region.
How should the Architect meet this requirement?
A. Create EBS snapshots directly from one region to another.
B. Move the data to an Amazon S3 bucket and enable cross-region replication.
C. Create EBS snapshots and then copy them to the desired region.
D. Use a script to copy data from the current Amazon EBS volume to the destination Amazon EBS
volume.
Answer: C

NO.197 A Solutions Architect is designing a new application that needs to access data in a different
AWS account located within the same region. The data must not be accessed over the Internet.
Which solution will meet these requirements with the LOWEST cost?
A. Add rules to the security groups in each account.
B. Establish a VPC Peering connection between accounts.
C. Configure Direct Connect in each account.
D. Add a NAT Gateway to the data account.
Answer: B

NO.198 You are configuring your company's application to use Auto Scaling and need to move user
state information.
Which of the following AWS services provides a shared data store with durability and low latency?
A. Amazon Simple Storage Service
B. Amazon DynamoDB
C. Amazon EC2 instance storage
D. Amazon ElastiCache Memcached
Answer: B

NO.199 You have been asked to design a NAT solution for your company's VPC-based web
application. Traffic from the private subnets varies throughout the day from 500 Mbps to spikes of 7
Gbps. What is the most cost-effective and scalable solution?
A. Move the internet gateway for the VPC to a public subnet: route all internet traffic through the
internet gateway
B. Create an Amazon EC2 NAT instance with a second elastic network interface in a public subnet;
route all private subnet internet traffic through the NAT instance
C. Create an Auto Scaling group of Amazon EC2 NAT instances in a public subnet; route all private
subnet internet traffic through the NAT instances
D. Create a NAT gateway in a public subnet; route all private subnet internet traffic through the NAT
gateway
Answer: D

NO.200 You have a content management system running on an Amazon EC2 instance that is
approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?
A. EC2Config service
B. IAM roles
C. User Data
D. AWS Config
Answer: C

NO.201 You have an application running in multiple Availability Zones. To confirm this application
can continue to operate at full capacity without performance degradation or downtime in the event
of an Availability Zone failure, you must:
A. Use Spot instances to guarantee supplemental capacity
B. Use Auto Scaling to launch instances in other Availability Zones to replace lost capacity
C. Use dedicated instances in all Availability Zones
D. Have enough running EC2 instances in other Availability Zones
Answer: D

NO.202 You have just created an Amazon Relational Database Service (RDS) PostgreSQL instance in
Amazon VPC and are unable to connect. Which of the following may be causing connection issues to
your Amazon RDS endpoint? Choose 3 answers
A. Incorrect rules in VPC security groups
B. Incorrect rules in DB security groups
C. Amazon RDS endpoint port restrictions on the local firewall
D. An incorrect configuration in the Options Group
E. An incorrect Amazon RDS DB instance type
F. The Amazon RDS instance is not yet in a running state
Answer: A C F

NO.203 A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows
application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token
Service approach to temporary access should you use for the Amazon S3 operations?
A. SAML-based Identity Federation
B. Cross-Account Access
C. AWS Identity and Access Management roles
D. Web Identity Federation
Answer: D
Explanation
Web identity federation - You can let users sign in using a well-known third-party identity provider
such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) compatible
provider. AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any
OpenID Connect (OIDC)-compatible identity provider.

NO.204 You bid $0.22 for an Amazon EC2 Spot Instance when the market price was $0.20. For 90
minutes, the market price remained at $0.20. Then the market price changed to $0.25, and your
instance was terminated by AWS.
What was your cost of running the instance for the entire duration?
A. $0.47
B. $0.20
C. $0.22
D. $0.40
Answer: B

NO.205 A company wants to analyze all of its sales information aggregated over the last 12 months.
The company expects there to be over 10TB of data from multiple sources. What service should be
used?
A. Amazon DynamoDB
B. Amazon Aurora MySQL
C. Amazon RDS MySQL
D. Amazon Redshift
Answer: D

NO.206 A company plans to use AWS for all new batch processing workloads. The company's
developers use Docker containers for the new batch processing. The system design must
accommodate critical and non-critical batch processing workloads 24/7.
How should a Solutions Architect design this architecture in a cost-efficient manner?
A. Purchase Reserved Instances to run all containers. Use Auto Scaling groups to schedule jobs.
B. Host a container management service on Spot Instances. Use Reserved Instances to run Docker
containers.
C. Use Amazon ECS orchestration and Auto Scaling groups: one with Reserved Instances, one with Spot
Instances.
D. Use Amazon ECS to manage container orchestration. Purchase Reserved Instances to run all batch
workloads at the same time.
Answer: C

NO.207 Which services allow the customer to retain full administrative privileges of the underlying
EC2 instances?
Choose 2 answers
A. Amazon Relational Database Service
B. Amazon Elastic Map Reduce
C. Amazon ElastiCache
D. Amazon DynamoDB
E. AWS Elastic Beanstalk
Answer: B E

NO.208 A Solutions Architect is designing network architecture for an application that has
compliance requirements.
The application will be hosted on Amazon EC2 instances in a private subnet and will be using Amazon
S3 for storing data. The compliance requirements mandate that the data cannot traverse the public
Internet.


What is the MOST secure way to satisfy this requirement?


A. Use a NAT Instance.
B. Use a NAT Gateway.
C. Use a VPC endpoint.
D. Use a Virtual Private Gateway.
Answer: C

NO.209 A new application is being deployed on Amazon EC2. The application needs to read/write up
to 3 TB of data to an external data store and requires read-after-write consistency across all AWS
regions for writing new objects into this data store. Which is the MOST cost-effective data storage
service that meets these requirements?
A. Amazon EBS
B. Amazon Glacier
C. Amazon EFS
D. Amazon S3
Answer: D
Explanation
Amazon S3 provides read-after-write consistency for PUTs of new objects in all regions, so a newly
written object can be read back immediately, and it is the lowest-cost option here for an
application's active read/write data. Amazon Glacier is an archival service with retrieval times of
minutes to hours, so it cannot serve as a read/write data store; Amazon EBS and Amazon EFS are
region-local block and file storage.

NO.210 A Solutions Architect is designing the storage layer for a production relational database. The
database will run on Amazon EC2. The database is accessed by an application that performs intensive
reads and writes, so the database requires the LOWEST random I/O latency.
Which data storage method fulfils the above requirements?
A. Store data in a filesystem backed by Amazon Elastic File System (EFS)
B. Store data Amazon S3 and use a third-party solution to expose Amazon S3 as a filesystem to the
database server
C. Store data in Amazon DynamoDB and emulate relational database semantics
D. Stripe data across multiple Amazon EBS volume using RAID 0
Answer: D

NO.211 A Solutions Architect is designing a Lambda function that calls an API to list all running
Amazon RDS instances.
How should the request be authorized?
A. Create an IAM access key and secret key, and store them in the Lambda function.
B. Attach an IAM role to the Lambda function with permissions to list all Amazon RDS instances.
C. Attach an IAM role to Amazon RDS with permissions to list all Amazon RDS instances.
D. Create an IAM access key and secret key, and store them in an encrypted RDS database.
Answer: B


NO.212 A company is deploying a two-tier, highly available web application to AWS. Which service
provides durable storage for static content while utilizing lower overall CPU resources for web tier?
A. Amazon S3
B. Amazon EBS volume
C. Amazon RDS instance
D. Amazon EC2 instance store
Answer: A

NO.213 An application relies on messages being sent and received in order. The volume will never
exceed more than 300 transactions each second.
Which service should be used?
A. Amazon SQS
B. Amazon SNS
C. Amazon ECS
D. AWS STS
Answer: A

NO.214 An application consists of microservices. The microservices need to communicate
asynchronously and the solution must ensure that each message is consumed only once.
Which service should be used?
A. Amazon Kinesis
B. Amazon SQS
C. Amazon SQS
D. AWS STS
Answer: B

NO.215 A Solutions Architect is designing a VPC. Instances in a private subnet must be able to
establish IPv6 traffic to the Internet. The design must scale automatically and not incur any
additional cost.
This can be accomplished with:
A. An egress-only internet gateway
B. A NAT Gateway
C. A custom NAT Instance
D. A VPC endpoint
Answer: A

NO.216 A company has a legal requirement to store point-in-time copies of its Amazon RDS
PostgreSQL database instance in facilities that are at least 200 miles apart.
Use of which of the following provides the easiest way to comply with this requirement?
A. Cross-region read replica
B. Multiple Availability Zone snapshot copy
C. Multiple Availability Zone read replica
D. Cross-region snapshot copy
Answer: D

NO.217 Which of the following are true regarding AWS CloudTrail?
Choose 3 answers
A. CloudTrail is enabled globally
B. CloudTrail is enabled by default
C. CloudTrail is enabled on a per-region basis
D. CloudTrail is enabled on a per-service basis
E. Logs can be delivered to a single Amazon S3 bucket for aggregation
F. Logs can only be processed and delivered to the region in which they are generated
Answer: A C E

NO.218 A Solutions Architect is architecting a workload that requires a highly available shared block
file storage system that must be consumed by multiple Linux applications. Which service meets this
requirement?
A. Amazon EFS
B. Amazon S3
C. AWS Storage Gateway
D. Amazon EBS
Answer: A

NO.219 You need a solution to distribute traffic evenly across all of the containers for a task running
on Amazon ECS.
Your task definitions define dynamic host port mapping for your containers. What AWS feature
provides this functionality?
A. All elastic Load balancing instances support dynamic host port mapping
B. Application load balancers support dynamic host port mapping
C. CloudFront custom origins support dynamic host port mapping
D. Classic load balancers support dynamic host port mapping
Answer: B

NO.220 Your company wants to start working with AWS, but has not yet opened an account. With
which of the following services should you begin local development?
A. Amazon DynamoDB
B. Amazon Simple Queue Service
C. Amazon Simple Email Service
D. Amazon CloudSearch
Answer: A

NO.221 A company is deploying a new two-tier web application in AWS. The company has limited
staff and requires high availability, and the application requires complex queries and table joins.
Which configuration provides the solution for the company's requirements?
A. MySQL installed on two Amazon EC2 instances in a single Availability Zone
B. Amazon RDS for MySQL with Multi-AZ
C. Amazon ElastiCache
D. Amazon DynamoDB
Answer: B

NO.222 You are deploying an application to track GPS coordinates of deliveries in the United States.
Coordinates are transmitted from each delivery truck once every three seconds. You need to design
an architecture that will enable real-time processing of these coordinates from multiple consumers.
Which service should you use to implement data ingestion?
A. Amazon Kinesis
B. AWS Data Pipeline
C. Amazon AppStream
D. Amazon Simple Queue Service
Answer: A

NO.223 Which Auto Scaling features allow you to scale ahead of expected increases in load?
Choose 2 answers
A. Cooldown period
B. Lifecycle hooks
C. Desired capacity
D. Metric-based scaling
E. Health check grace period
F. Scheduled scaling
Answer: C F

NO.224 You have a web portal composed of two services. Each service must scale independently.
Both services should be served under the same domain.
Which configuration allows this?
A. Use one AWS Classic Load Balancer. Create a redirect in the web server based on users' source IPs.
B. Use two AWS Application Load Balancers; one for each service. Assign the same CNAME to both.
C. Use one AWS Application Load Balancer. Specify listener rules to route requests to each service.
D. Use two AWS Classic Load Balancers; one for each service. Assign the same CNAME to both.
Answer: B

NO.225 An Organization has a long-running image processing application that runs on Spot
Instances that will be terminated when interrupted. A highly available workload must be designed to
respond to Spot Instance interruption notices. The solution must include a two-minute warning when
there is not enough capacity.
How can these requirements be met?
A. Use Amazon CloudWatch Events to invoke an AWS Lambda function that can launch On-Demand
Instances
B. Regularly store data from the application on Amazon DynamoDB. Increase the maximum number
of instances in the AWS Auto Scaling group.
C. Manually place a bid for additional Spot Instances at a higher price in the same AWS Region and
Availability Zone
D. Ensure that the Amazon Machine Image associated with the application has the latest
configurations for the launch configuration
Answer: B

NO.226 A Solutions Architect is designing a three-tier web application. The Architect wants to restrict
access to the database tier to accept traffic from the application servers only. However, these
application servers are in an Auto Scaling group and may vary in quantity.
How should the Architect configure the database servers to meet the requirements?
A. Configure the database security group to allow database traffic from the application server IP
addresses.
B. Configure the database security group to allow database traffic from the application server
security group.
C. Configure the database subnet network ACL to deny all inbound non-database traffic from the
application-tier subnet.
D. Configure the database subnet network ACL to allow inbound database traffic from the
application-tier subnet.
Answer: C

NO.227 Your company moved into AWS and created separate AWS accounts per department. To
address latency and bandwidth challenges, the company ordered a single AWS Direct Connect circuit.
How should you allocate the cost of the data transfer over AWS Direct Connect back to each
department?
A. Configure a connection per department and tag each with the department account number. Use
detailed usage reports
B. Configure a connection per department and set the Connection Owner to the department's AWS
account number
C. Configure virtual interfaces and tag each with the department account number. Use detailed usage
reports
D. Configure virtual interfaces and set the virtual interface owner to the department's AWS account
number
Answer: C

NO.228 You have launched an Amazon Elastic Compute Cloud (EC2) instance in a VPC with an
attached internet gateway. You assigned a public IP address to the Amazon EC2 instance but cannot
connect from your on-premises client via SSH. Which of the following may be the cause of the
behavior experienced? Choose 2 answers
A. An incorrect security group rule for inbound SSH traffic
B. An incorrect policy in the AWS IAM service
C. An incorrect AWS IAM role used in the Amazon EC2 instances
D. Incorrect routes in the subnet's route table
E. An incorrect security group rule for outbound SSH traffic
Answer: A B

NO.229 A company is launching a marketing campaign on their website tomorrow and expects a
significant increase in traffic. The website is designed as a multi-tiered web architecture, and the
increase in traffic could potentially overwhelm the current design.
What should a Solutions Architect do to minimize the effects from a potential failure in one or more
of the tiers?
A. Migrate the database to Amazon RDS.
B. Set up DNS failover to a static website.
C. Use Auto Scaling to keep up with the demand.
D. Use both a SQL and a NoSQL database in the design.
Answer: C

NO.230 A company has asked a Solutions Architect to ensure that data is protected during data
transfer to and from Amazon S3. Use of which service will protect the data in transit?
A. AWS KMS
B. HTTPS
C. SFTP
D. FTPS
Answer: B

NO.231 An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH
from any IP address and deny all outbound traffic. What changes need to be made to allow SSH
access to the instance?
A. The outbound security group needs to be modified to allow outbound traffic
B. Both the outbound security group and outbound network ACL need to be modified to allow
outbound traffic
C. The outbound network ACL needs to be modified to allow outbound traffic
D. Nothing, it can be accessed from any IP address using SSH
Answer: B

NO.232 Application servers currently deployed in a private subnet require the ability to integrate
with a third-party service accessible through the Internet.
Which changes are required to provide outbound Internet connectivity in the VPC without providing
inbound Internet connectivity to the application servers?
A. Create a NAT Gateway without attaching an Internet Gateway to the VPC
B. Create a NAT Gateway and attach an Internet Gateway to the VPC.
C. Attach an Internet Gateway to the VPC without creating a NAT Gateway.
D. Attach a Virtual Private Gateway to the VPC and create a NAT Gateway.
Answer: B
Explanation
NAT Gateway Basics
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should
reside. For more information about public and private subnets, see Subnet Routing. You must also
specify an Elastic IP address to associate with the NAT gateway when you create it. After you've
created a NAT gateway, you must update the route table associated with one or more of your private
subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private
subnets to communicate with the internet.
Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that
zone.
You have a limit on the number of NAT gateways you can create in an Availability Zone. For more
information, see Amazon VPC Limits.
Note
If you have resources in multiple Availability Zones and they share one NAT gateway, in the event
that the NAT gateway's Availability Zone is down, resources in the other Availability Zones lose
internet access. To create an Availability Zone-independent architecture, create a NAT gateway in
each Availability Zone and configure your routing to ensure that resources use the NAT gateway in
the same Availability Zone.
If you no longer need a NAT gateway, you can delete it. Deleting a NAT gateway disassociates its
Elastic IP address, but does not release the address from your account.
The following diagram illustrates the architecture of a VPC with a NAT gateway. The main route table
sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway
sends the traffic to the internet gateway using the NAT gateway's Elastic IP address as the source IP
address.
A VPC with public and private subnets and a NAT gateway

NO.233 An application is running on an Amazon EC2 instance in a private subnet. The application
needs to read and write data onto Amazon Kinesis Data Streams, and corporate policy requires that
this traffic should not go to the internet.
How can these requirements be met?
A. Configure a NAT gateway in a public subnet and route all traffic to Amazon Kinesis through the
NAT gateway.
B. Configure a gateway VPC endpoint for Kinesis and route all traffic to Kinesis through the gateway
VPC endpoint.
C. Configure an interface VPC endpoint for Kinesis and route all traffic to Kinesis through the gateway
VPC endpoint.
D. Configure an AWS Direct Connect private virtual interface for Kinesis and route all traffic to Kinesis
through the virtual interface.
Answer: C

NO.234 As part of securing an API layer built on Amazon API Gateway, a Solutions Architect has to
authorize users who are currently authenticated by an existing identity provider. The users must be
denied access for a period of one hour after three unsuccessful attempts.
How can the Solutions Architect meet these requirements?
A. Use AWS IAM authorization and add least-privileged permissions to each respective IAM role
B. Use an API Gateway custom authorizer to invoke an AWS Lambda function to validate each user's
identity
C. Use Amazon Cognito user pools to provide built-in user management
D. Use Amazon Cognito user pools to integrate with external identity providers
Answer: B

NO.235 An application stack includes an Elastic Load Balancer in a public subnet, a fleet of Amazon
EC2 instances in an Auto Scaling group, and an Amazon RDS MySQL cluster. Users connect to the
application from the Internet. The application servers and database must be secure.
How should a Solutions Architect perform this task?
A. Create a private subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS
cluster.
B. Create a private subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS
cluster.
C. Create a public subnet for the Amazon EC2 instances and a private subnet for the Amazon RDS
cluster.
D. Create a public subnet for the Amazon EC2 instances and a public subnet for the Amazon RDS
cluster.
Answer: C

NO.236 A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as
part of their backup and archive infrastructure. The customer plans to use third-party software to
support this integration.
Which approach will limit the access of the third-party software to only the Amazon S3 bucket named
"company-backup"?
A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive
"company-backup"
B. A custom bucket policy limited to the Amazon S3 API in "company-backup"
C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive
"company-backup"
D. A custom IAM user policy limited to the Amazon S3 API in "company-backup"
Answer: B

NO.237 A Solutions Architect is designing the architecture for a new three-tier web-based e-
commerce site that must be available 24/7. Requests are expected to range from 100 to 10,000 each
minute. Usage can vary depending on time of day, holidays, and promotions. The design should be
able to handle these volumes, with the ability to handle higher volumes if necessary.
How should the Architect design the architecture to ensure the web tier is cost-optimized and can
handle the expected traffic? (Select two.)
A. Launch Amazon EC2 instances in an Auto Scaling group behind an ELB.
B. Store all static files in a multi-AZ Amazon Aurora database.
C. Create a CloudFront distribution pointing to static content in Amazon S3.
D. Use Amazon Route 53 to route traffic to the correct region.
E. Use Amazon S3 multi-part uploads to improve upload times.
Answer: A C

NO.238 What would happen to an RDS (Relational Database Service) Multi-Availability Zone
deployment if the primary DB instance fails?
A. The IP of the primary DB instance is switched to the standby DB instance
B. A new DB instance is created in the standby availability zone
C. The canonical name record (CNAME) is changed from primary to standby
D. The RDS DB instance reboots
Answer: C

NO.239 You have an EC2 Security Group with several running EC2 instances. You change the Security
Group rules to allow inbound traffic on a new port and protocol, and launch several new instances in
the same Security Group. The new rules apply:
A. Immediately to all instances in the security group.
B. Immediately to the new instances only.
C. Immediately to the new instances, but old instances must be stopped and restarted before the
new rules apply.
D. To all instances, but it may take several minutes for old instances to see the changes.
Answer: A

NO.240 Which of the following notification endpoints or clients are supported by Amazon Simple
Notification Service? Choose 2 answers
A. Email
B. CloudFront distribution
C. File Transfer Protocol
D. Short Message Service
E. Simple Network Management Protocol
Answer: B C

NO.241 You have an Amazon EC2 instance in a VPC that is in a stopped state. Which of the following
actions can you perform on this instance?
A. Change security groups
B. Disable detailed monitoring
C. Attach to an Auto Scaling group
D. Detach the network interface
Answer: C

NO.242 An Auto Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto
Scaling needs to terminate an EC2 instance by default, Auto Scaling will:
Choose 2 answers
A. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating
the instance.
B. Terminate the instance with the least active network connections. If multiple instances meet this
criterion, one will be randomly selected.
C. Send an SNS notification, if configured to do so.
D. Terminate an instance in the AZ which currently has 2 running EC2 instances.
E. Randomly select one of the 3 AZs, and then terminate an instance in that AZ.
Answer: B D

NO.243 A user is designing a new service that receives location updates from 3,600 rental cars every
hour. The cars upload their location to an Amazon S3 bucket. Each location must be checked for
distance from the original rental location. Which services will process the updates and automatically
scale?
A. Amazon EC2 and Amazon EBS
B. Amazon Kinesis Firehose and Amazon S3
C. Amazon ECS and Amazon RDS
D. Amazon S3 events and AWS Lambda
Answer: A

NO.244 When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any
ephemeral store volumes?
A. Data is unavailable until the instance is restarted
B. Data will be deleted and will no longer be accessible
C. Data is automatically saved in an EBS snapshot
D. Data is automatically saved in an EBS volume
Answer: B

NO.245 A Solutions Architect is designing a solution that will include a database in Amazon RDS.
Corporate security policy mandates that the database, its logs, and its backups are all encrypted.
Which is the MOST efficient option to fulfill the security policy using Amazon RDS?
A. Launch an Amazon RDS instance with encryption enabled. Enable encryption for logs and backups.
B. Launch an Amazon RDS instance. Enable encryption for the database, logs, and backups.
C. Launch an Amazon RDS instance with encryption enabled. Logs and backups are automatically
encrypted.
D. Launch an Amazon RDS instance. Enable encryption for backups. Encrypt logs with a database-engine
feature.
Answer: B

NO.246 A Lambda function must execute a query against an Amazon RDS database in a private
subnet. Which steps are required to allow the Lambda function to access the Amazon RDS database?
(Select TWO.)
A. Create a VPC Endpoint for Amazon RDS
B. Create the Lambda function within the Amazon RDS VPC.
C. Change the ingress rules of the Lambda security group, allowing the Amazon RDS security group
D. Change the ingress rules of the Amazon RDS security group, allowing the Lambda security group
E. Add an Internet Gateway (IGW) to the VPC and route the private subnet to the IGW
Answer: A D

NO.247 A news organization plans to migrate their 20 TB video archive to AWS. The files are rarely
accessed, but when they are, a request is made in advance and a 3- to 5-hour retrieval time frame is
acceptable. However, when there is a breaking news story, the editors require access to archived
footage within minutes.
Which storage solution meets the needs of this organization while providing the LOWEST cost of
storage?
A. Store the archive in Amazon S3 Reduced Redundancy Storage.
B. Store the archive in Amazon Glacier and use standard retrieval for all content
C. Store the archive in Amazon Glacier and pay the additional charge for expedited retrieval when
needed
D. Store the archive in Amazon S3 with a lifecycle policy to move this to S3 Infrequent Access after 30
days.
Answer: A

NO.248 A web application stores all data in an Amazon RDS Aurora database instance. A Solutions
Architect wants to provide access to the data for a detailed report for the Marketing team, but is
concerned that the additional load on the database will affect the performance of the web
application.
How can the report be created without affecting the performance of the application?
A. Create a read replica of the database.
B. Provision a new RDS instance as a secondary master.
C. Configure the database to be in multiple regions.
D. Increase the number of provisioned storage IOPS.
Answer: B

NO.249 You are running a mobile media application and are considering API Gateway for the client
entry point. What benefits would this provide? Choose 2 answers
A. Caching API responses
B. Intrusion prevention
C. IP blacklisting
D. Load balancing
E. Throttling traffic
Answer: A E
Explanation
API Logging, Caching, Throttling, Bursting and Monitoring
Instead of invoking the backend API for every client call, developers can configure caching which will
improve performance. Cache settings allow developers to control the way the cache key is built and
the time-to-live (TTL) of the data stored for each method. The management API can be invoked to
invalidate the cache. The pricing for this feature is based on the size of the cache.
Developers need to protect their backend APIs from deliberate misuse. They may also want to
restrict the rate at which the API is invoked. Through throttling, it is possible to set a rate limit of API
requests to avoid sudden spikes. API Gateway can also be configured to handle bursts of API calls for
specific scenarios. Clients can include automatic retry logic when they receive a 429 HTTP response as
a result of throttling. With the right configuration of cache and throttling, developers can increase the
performance while securing the backend API.
Since API Gateway is a crucial element of an application, it needs to be monitored for uptime. For
custom gateways, administrators need to configure native monitoring combined with agents.
Amazon API Gateway integrates with CloudWatch, the one-stop monitoring service for all AWS
services. By configuring an IAM role that has write access to CloudWatch logs, API Gateway can be
monitored for a variety of metrics.
Configuring Caching, Logging, Monitoring and Throttling

NO.250 Your company runs an application that generates several thousand 1-GB reports a month.
Approximately 10% of these reports will be accessed once during the first 30 days and must be
available on demand. After 30 days, reports are no longer accessed as a part of normal business
processes but must be retained for compliance reasons. Which architecture would meet these
requirements with the lowest cost?
A. Upload the reports to Amazon S3 Standard storage class. Set a lifecycle configuration on the
bucket to transition the reports to Amazon Glacier after 30 days
B. Upload the reports to Amazon S3 Standard-Infrequent Access storage class. Set a lifecycle
configuration on the bucket to transition the reports to Amazon Glacier after 30 days
C. Upload the reports to Amazon Glacier. When reports are requested, copy them to Amazon S3
Standard storage class for access. Delete the copied reports after they have been viewed
D. Upload the reports to Amazon S3 Standard-Infrequent Access storage class. When reports are
requested, copy them to Amazon S3 Standard storage class for access. Delete the copied reports after
they have been viewed.
Answer: A

NO.251 Which of the following categories are available from Amazon Elastic Compute Cloud instance
metadata?
Choose two answers
A. Instance ID
B. Elastic Load Balancing health status
C. Auto Scaling launch configuration
D. Block device mapping
E. Bucket ID
Answer: A C

NO.252 A company needs to deploy services to an AWS region which they have not previously used.
The company currently has an AWS Identity and Access Management (IAM) role for the Amazon EC2
instances, which permits the instance to have access to Amazon DynamoDB. The company wants
their EC2 instances in the new region to have the same privileges. How should the company achieve
this?
A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create an Amazon Machine Image (AMI) of the instance and copy it to the desired region using
the AMI Copy feature
Answer: B

NO.253 You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in
service.
However, your web browser times out when connecting to the load balancer's DNS name. Which
options are probable causes of this behavior? Choose 2 answers
A. The load balancer was not configured to use a public subnet with an Internet gateway configured
B. The security groups or network ACLs are not properly configured for web traffic
C. The VPC does not have a VGW configured
D. The Amazon EC2 instances do not have a dynamically allocated private IP address
E. The load balancer is not configured in a private subnet with a NAT instance
Answer: A B

NO.254 You need to configure an Amazon S3 bucket to serve static assets for your public-facing web
application.
Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2
answers
A. Set permissions on the object to public read during upload
B. Configure the bucket ACL to set all objects to public read
C. Configure the bucket policy to set all objects to public read
D. Use AWS Identity and Access Management roles to set the bucket to public read
E. Amazon S3 objects default to public read, so no action is needed
Answer: B C

NO.255 In AWS, which security aspects are the customer's responsibility? Choose 4 answers
A. Life-Cycle management of IAM credentials
B. Security Group and ACL settings
C. Controlling physical access to compute resources
D. Patch management on the EC2 instance's operating system
E. Encryption of EBS volumes
F. Decommissioning storage devices
Answer: A B D E

NO.256 You are building a system to distribute confidential training videos to employees. Using
CloudFront, what method could be used to serve content that is stored in S3, but not publicly
accessible from S3 directly?
A. Add the CloudFront account security group "amazon-ct/amazon-cf-sg" to the appropriate S3
bucket policy
B. Create an Origin Access Identity for CloudFront and grant access to the objects in your S3 bucket
to that OAI
C. Create an Identity and Access Management user for CloudFront and grant access to the objects
in your S3 bucket to that IAM user
D. Create an S3 bucket policy that lists the CloudFront distribution ID as the Principal and the target as
the Amazon Resource Name
Answer: B

NO.257 A workload in an Amazon VPC consists of an Elastic Load Balancer that distributes incoming
requests across a fleet of six Amazon EC2 instances. Each EC2 instance stores and retrieves data from
an Amazon DynamoDB table.
Which of the following provisions will ensure that this workload is highly available?
A. Provision DynamoDB tables across a minimum of two Availability Zones
B. Provision the EC2 instances evenly across a minimum of two Availability Zones in two regions
C. Provision the EC2 instances evenly across a minimum of two Availability Zones in a single region
D. Provision the Elastic Load Balancer to distribute connections across multiple Availability Zones
Answer: D

NO.258 A t2.medium EC2 instance type must be launched with what type of Amazon Machine
Image (AMI)?
A. An instance store Hardware Virtual Machine AMI
B. An instance store Paravirtual AMI
C. An Amazon EBS-backed Hardware Virtual Machine AMI
D. An Amazon EBS-backed paravirtual AMI
Answer: C

NO.259 Your Amazon VPC has a public subnet with a route that sends all internet traffic to the
internet gateway. An Amazon EC2 instance in the public subnet has an assigned private IP address.
The instance belongs to a security group set to allow all outbound traffic. The instance cannot access
the internet. Why could the internet be unreachable from this instance?
A. The instance "source/destination check" property must be enabled
B. The instance security group must allow all inbound traffic
C. The instance does not have a public IP address
D. The internet gateway security group must allow all outbound traffic
Answer: C

NO.260 An application on an Amazon EC2 instance routinely stops responding to requests and
requires a reboot to recover. The application logs are already exported into Amazon CloudWatch,
and you notice that the problem consistently follows the appearance of a specific message in the log.
The application team is working to address the bug, but has not provided a date for the fix. What
workaround can you implement to automate recovery of the instance until the fix is deployed?
A. Create an Amazon CloudWatch alarm on instance memory usage; based on that alarm, trigger an
Amazon CloudWatch action to reboot the instance
B. Create an Amazon CloudWatch alarm on an Amazon CloudWatch Logs filter for that message;
based on that alarm trigger an Amazon CloudWatch action to reboot the instance
C. Create an AWS CloudTrail alarm to detect the deadlock; based on that alarm, trigger an Amazon
SNS message to the Operations team
D. Create an AWS CloudTrail alarm on low CPU; based on that alarm, trigger an Amazon SNS message
to the Operations team
Answer: B

NO.261 A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same
region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The
company wants to push minor code releases from Dev to Prod to speed up time to market. Which of
the following options helps the company accomplish this?
A. Create a new peering connection between Prod and Dev along with appropriate routes.
B. Create a new entry to Prod in the Dev route table using the peering connection as the target.
C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway
as the target.
D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local
routes for all VPCs.
Answer: A

NO.262 A company has a legacy application using a proprietary file system and plans to migrate the
application to AWS.
Which storage service should the company use?
A. Amazon DynamoDB
B. Amazon S3
C. Amazon EBS
D. Amazon EFS
Answer: B
Explanation
Friendly interfaces to S3. These methods make it simple to use S3 with your existing native
applications.
Rather than lifting and shifting large datasets at once, these help you integrate existing process flows
like backup and recovery or continuous Internet of Things streams directly with cloud storage.

NO.263 You're building an API backend available at services.yourcompany.com. The API is
implemented with API Gateway and Lambda. You successfully tested the API using curl. You
implemented JavaScript to call the API from a webpage on your corporate website,
www.yourcompany.com. When you access that page in your browser, you get the following error:
"The same origin policy disallows reading the remote resource" How can you allow your corporate
webpages to invoke the API?
A. Disable CORS in the API gateway
B. Enable CORS in the Javascript frontend
C. Disable CORS in the Javascript frontend
D. Enable CORS in the API gateway
Answer: D

NO.264 You have a web application running on six Amazon EC2 instances, consuming about 45% of
resources on each instance. You are using Auto Scaling to make sure that six instances are running at
all times. The number of requests this application processes is consistent and does not experience
spikes. The application is critical to your business and you want high availability at all times. You want
the load to be distributed evenly between all instances. You also want to use the same Amazon
Machine Image (AMI) for all instances. Which of the following architectural choices should you make?
A. Deploy 2 EC2 instances in three regions and use Amazon Elastic Load Balancer
B. Deploy 6 EC2 instances in one availability zone and use Amazon Elastic Load Balancer
C. Deploy 3 EC2 instances in one availability zone and 3 in another availability zone and use Amazon
Elastic Load Balancer
D. Deploy 3 EC2 instances in one region and 3 in another region and use Amazon Elastic Load
Balancer
Answer: C

NO.265 A Solutions Architect needs to build a resilient data warehouse using Amazon Redshift. The
Architect needs to rebuild the Redshift cluster in another region.
Which approach can the Architect take to address this requirement?
A. Modify the Redshift cluster and configure cross-region snapshots to the other region.
B. Modify the Redshift cluster to take snapshots of the Amazon EBS volumes each day, sharing those
snapshots with the other region.
C. Modify the Redshift cluster and configure the backup and specify the Amazon S3 bucket in the
other region.
D. Modify the Redshift cluster to use AWS Snowball in export mode with data delivered to the other
region.
Answer: B

NO.266 Your company stores financial documents in Amazon S3. According to company policy, all
financial documents must be retained for a period of seven years. However, documents older than
one year are rarely accessed. How can you optimize cost?
A. Create an Amazon S3 lifecycle rule to move objects older than one year to Storage Gateway
B. Create an Amazon S3 lifecycle rule to move objects older than one year to Amazon Glacier
C. Create an Amazon S3 event to move objects older than one year to Amazon Glacier
D. Create an Amazon S3 event to move objects older than one year to Storage Gateway
Answer: C

NO.267 A company is migrating its data center to AWS. As part of this migration, there is a three-tier
web application that has strict data-at-rest encryption requirements. The customer deploys this
application on Amazon EC2 using Amazon EBS, and now must provide encryption at-rest.
How can this requirement be met without changing the application?
A. Use AWS Key Management Service and move the encrypted data to Amazon S3.
B. Use an application-specific encryption API with AWS server-side encryption
C. Use encrypted EBS storage volumes with AWS-managed keys
D. Use third-party tools to encrypt the EBS data volumes with Key Management Service Bring Your
Own Keys.
Answer: A

NO.268 You have a CloudFront distribution configured with the following path patterns:
When users request objects that start with 'static2/', they are receiving 404 response codes. What
might be the problem?
A. The "*" path pattern must appear before 'static1/*' path
B. CloudFront distributions cannot have origins in different AWS regions
C. CloudFront distributions cannot have multiple different origin types
D. The '*' path pattern must appear after the 'static2/*' path
Answer: B

NO.269 A business team requires a structured storage solution to store all of a company's historical
sales data.
Currently there are 4 TB of data, which will grow to hundreds of terabytes within a few years. The
team must be able to regularly run queries against the data using current business intelligence tools.
Fast performance is required despite the dataset growth.
Which solution should the company use?
A. Amazon Redshift
B. Amazon Aurora
C. Amazon DynamoDB
D. Amazon S3
Answer: B

NO.270 A Solutions Architect is designing a public-facing web application for employees to upload
images to their social media account. The application consists of multiple Amazon EC2 instances
behind an elastic load balancer, an Amazon S3 bucket where uploaded images are stored and an
Amazon DynamoDB table for storing image metadata.
Which AWS service can the Architect use to automate the process of updating metadata in the
DynamoDB table upon image upload?
A. Amazon CloudWatch
B. AWS Cloud Formation
C. AWS Lambda
D. Amazon SQS
Answer: B

NO.271 A company has configured and peered two VPCs : VPC-1 and VPC-2. VPC-1 contains only
private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct
Connect connection and private virtual interface to connect their on-premises network with VPC-1.
Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers
A. Establish a hardware VPN over the internet between VPC-2 and then the on-premises network
B. Establish a hardware VPN over the internet between VPC-1 and then the on-premises network
C. Establish a new AWS direct connect connection and private virtual interface in the same region as
VPC-2
D. Establish a new AWS direct connect connection and private virtual interface in a different AWS
region than VPC-1
E. Establish a new AWS direct connect connection and private virtual interface in the same AWS
region as VPC-1
Answer: A D

NO.272 You have an application running on a single Amazon EC2 instance with a 1 TB Amazon EBS
magnetic volume. Using CloudWatch, you have found that Amazon EBS throughput is poor when the
Amazon EC2 instance is under high network load. Which of the following may help improve
performance?
A. Relaunch the instance as Amazon EBS-optimized
B. Modify the instance to enable enhanced networking
C. Migrate the Amazon EBS volume to a General Purpose volume
D. Migrate the Amazon EBS volume to a provisioned IOPs volume
Answer: D

NO.273 In order to optimize performance for a compute cluster that requires low inter-node
latency, which of the following features should you use?
A. EC2 Dedicated Instances
B. AWS Direct Connect
C. VPC private
D. Multiple Availability Zones
E. Placement Groups
Answer: E

NO.274 Which set of Amazon S3 features helps to prevent and recover from accidental data loss?
A. Object lifecycle and service access logging
B. Object versioning and Multi-factor authentication
C. Access controls and server-side encryption
D. Website hosting and Amazon S3 policies
Answer: B

NO.275 A mobile application serves scientific articles from individual files in an Amazon S3 bucket.
Articles older than 30 days are rarely read. Articles older than 60 days no longer need to be available
through the application, but the application owner would like to keep them for historical purposes.
Which cost-effective solution BEST meets these requirements?
A. Create a Lambda function to move files older than 30 days to Amazon EBS and move files older
than 60 days to Amazon Glacier.
B. Create a Lambda function to move files older than 30 days to Amazon Glacier and move files older
than 60 days to Amazon EBS.
C. Create lifecycle rules to move files older than 30 days to Amazon S3 Standard Infrequent Access
and move files older than 60 days to Amazon Glacier.
D. Create lifecycle rules to move files older than 30 days to Amazon Glacier and move files older than
60 days to Amazon S3 Standard Infrequent Access.
Answer: C

NO.276 A Solutions Architect is designing a solution to store a large quantity of event data in
Amazon S3. The Architect anticipates that the workload will consistently exceed 100 requests each
second.
What should the Architect do in Amazon S3 to optimize performance?
A. Randomize a key name prefix.
B. Store the event data in separate buckets.
C. Randomize the key name suffix.
D. Use Amazon S3 Transfer Acceleration.
Answer: A
Explanation
Reference https://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html

NO.277 A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same
region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The
company wants to push minor code releases from Dev to Prod to speed up time to market. Which of
the following options helps the company accomplish this?
A. Create a new peering connection between Prod and Dev along with appropriate routes
B. Create a new entry to Prod in the Dev route table using the peering connection as the target
C. Attach a security gateway to Dev. Add a new entry in the Prod route table identifying the gateway
as the target
D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local
routes for all VPCs
Answer: A

NO.278 A company is storing data on Amazon Simple Storage Service (S3). The company's security
policy mandates that data is encrypted at rest. Which of the following methods can achieve this?
Choose 3 answers
A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys
B. Use Amazon S3 server-side encryption with customer-provided keys
C. Use Amazon S3 server-side encryption with EC2 key pair
D. Use Amazon S3 bucket policies to restrict access to the data at rest
E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
F. Use SSL to encrypt the data while in transit to Amazon S3
Answer: A B E

NO.279 A Solutions Architect is designing the architecture for a web application that will be hosted
on AWS. Internet users will access the application using HTTP and HTTPS. How should the Architect
design the traffic control requirements?
A. Use a network ACL to allow outbound ports for HTTP and HTTPS. Deny other traffic for inbound
and outbound.
B. Use a network ACL to allow inbound ports for HTTP and HTTPS. Deny other traffic for inbound and
outbound.
C. Allow inbound ports for HTTP and HTTPS in the security group used by the web servers.
D. Allow outbound ports for HTTP and HTTPS in the security group used by the web servers.
Answer: C

NO.280 An application is running in a single AWS region. The business team adds a requirement to
run the application in a second region for multi-region high availability. A Solutions Architect needs to
enable traffic to be distributed to multiple regions for high availability.
Which AWS service meets the requirements?
A. Amazon Route 53
B. Elastic Load Balancing
C. Amazon CloudFront
D. Amazon S3 Website Hosting
Answer: A

NO.281 When creation of an EBS snapshot is initiated, but not completed, the EBS volume:
A. Can be used while the snapshot is in progress
B. Cannot be used until the snapshot completes
C. Can be used in read-only mode while the snapshot is in progress
D. Cannot be detached or attached to an EC2 instance until the snapshot completes
Answer: A

NO.282 Which of the following are characteristics of a reserved instance?
A. It is specific to an Amazon Machine Image(AMI)
B. It can be applied to instances launched by Auto Scaling
C. It can be migrated across Availability Zones
D. It can be used to lower Total Cost of Ownership (TCO) of a system
E. It is specific to an instance Type
Answer: C D E

NO.283 How can the domain's zone apex, for example "myzoneapexdomain.com", be pointed
towards an Elastic Load Balancer?
A. By using an Amazon Route 53 Alias record
B. By using an A record
C. By using an AAAA record
D. By using an Amazon Route 53 CNAME record
Answer: A

NO.284 Which of the following items are required to allow an application deployed on an EC2
instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored
on the EC2 instance. Choose 2 answers
A. Add an IAM Role to a running EC2 instance
B. Launch an EC2 instance with the IAM Role included in the launch configuration
C. Create an IAM User that allows write access to the DynamoDB table
D. Create an IAM role that allows write access to the DynamoDB table
E. Launch an EC2 instance with the IAM user included in the launch configuration
F. Add an IAM user to a running EC2 instance
Answer: B D

NO.285 A Solutions Architect plans to migrate NAT instances to NAT gateway. The Architect has NAT
instances with scripts to manage high availability. What is the MOST efficient method to achieve
similar high availability with NAT gateway?
A. Remove source/destination check on NAT instances
B. Launch a NAT gateway in each Availability Zone
C. Use a mix of NAT instances and NAT gateway
D. Add an ELB Application Load Balancer in front of NAT gateway
Answer: B

NO.286 A Solutions Architect is architecting a workload that requires a performant object-based
storage system that must be shared with multiple Amazon EC2 instances. Which AWS service meets
this requirement?
A. Amazon EFS
B. Amazon S3
C. Amazon EBS
D. Amazon ElastiCache
Answer: A

NO.287 A client is migrating a legacy web application to the AWS Cloud. The current system uses an
Oracle database as a relational database management system solution. Backups occur every night,
and the data is stored on-premises. The Solutions Architect must automate the backups and identify a
storage solution while keeping costs low.
Which AWS service will meet these requirements?
A. Amazon RDS
B. Amazon RedShift
C. Amazon DynamoDB Accelerator
D. Amazon ElastiCache
Answer: A

NO.288 After launching an instance that you intend to serve as a NAT (Network Address Translation)
device in a public subnet, you modify your route tables to have the NAT device be the target of
internet-bound traffic of your private subnet. When you try to make an outbound connection to the
internet from an instance in the private subnet, you are not successful. Which of the following steps
could resolve the issue?
A. Attaching a second Elastic network interface to the instance in the private subnet, and placing it in
the public subnet
B. Attaching an Elastic IP address to the instance in the private subnet
C. Disabling the Source/Destination check attribute on the NAT instance
D. Attaching a second Elastic Network interface to the NAT instance, and placing it in the private
subnet
Answer: C

NO.289 A company runs a legacy application with a single-tier architecture on an Amazon EC2
Instance. Disk I/O is low, with occasional small spikes during business hours. The company requires
the instance to be stopped from 8 PM to 8 AM daily.
Which storage option is MOST appropriate for this workload?
A. Amazon EC2 instance storage
B. Amazon EBS General Purpose SSD (gp2) storage
C. Amazon S3
D. Amazon EBS Provisioned IOPS SSD (io1) storage
Answer: C

NO.290 A Solutions Architect is designing an elastic application that will have between 10 and 50
Amazon EC2 concurrent instances running, dependent on load. Each instance must mount storage
that will read and write to the same 50 GB folder. Which storage type meets the requirements?
A. Amazon S3
B. Amazon EFS
C. Amazon EBS volumes
D. Amazon EC2 instance store
Answer: A

NO.291 What is the MOST cost-efficient way to host a scalable website with only static content?
A. An Auto Scaling group
B. An Amazon EC2 instance
C. An Amazon S3 bucket
D. An Elastic Beanstalk stack
Answer: C

NO.292 What are characteristics of Amazon S3? Choose 2 answers
A. S3 allows you to store unlimited amounts of data
B. S3 offers Provisioned IOPS
C. S3 allows you to store objects of virtually unlimited size
D. S3 should be used to host a relational database
E. Objects are directly accessible via a URL
Answer: A E

NO.293 You are working with a customer who has 10 TB of archival data that they want to migrate
to Amazon Glacier.
The customer has a 1-Mbps connection to the internet. Which service or feature provides the fastest
method of getting the data into Amazon Glacier?
A. Amazon Glacier multipart upload
B. AWS Storage Gateway
C. VM Import/Export
D. AWS Import/Export
Answer: A

NO.294 A Solutions Architect is designing a highly-available website that is served by multiple web
servers hosted outside of AWS. If an instance becomes unresponsive, the Architect needs to remove
it from the rotation.
What is the MOST efficient way to fulfill this requirement?
A. Use Amazon CloudWatch to monitor utilization.
B. Use Amazon API Gateway to monitor availability
C. Use an Amazon Elastic Load Balancer
D. Use Amazon Route 53 health checks
Answer: A

NO.295 A company's policy requires that all data stored in Amazon S3 is encrypted. The company
wants to use the option with the least overhead and does not manage any encryption keys.
Which of the following options will meet the company's requirements?
A. AWS CloudHSM
B. AWS Trusted Advisor
C. Server Side Encryption (SSE-S3)
D. Server Side Encryption (SSE-KMS)
Answer: D

NO.296 Which route needs to be added to your routing table in order to allow connections to the
internet from your subnet?
A. Destination: 0.0.0.0/0 target: 0.0.0.0/24
B. Destination: 0.0.0.0/0 target: your internet Gateway
C. Destination: 10.0.0.0/32 target: your Virtual Gateway
D. Destination: 0.0.0.0/33 target: your internet gateway
Answer: B

NO.297 Your Amazon VPC has a public subnet with a route that sends all Internet traffic to the
Internet gateway. An Amazon EC2 instance in the public subnet has an assigned private IP address.
The instance belongs to a security group set to allow all outbound traffic. The instance cannot access
the Internet.
Why could the Internet be unreachable from the instance?
A. The instance does not have a public IP address.
B. The internet gateway security group must allow all outbound traffic.
C. The instance security group must allow all inbound traffic.
D. The instance "Source/Destination check" property must be enabled.
Answer: A

NO.298 Which procedure for backing up a relational database on EC2 that is using a set of RAIDed
EBS volumes for storage minimizes the time during which the database cannot be written to and
results in a consistent backup?
A. 1 stop the EC2 instance, 2 snapshot the EBS volume
B. 1 suspend disk I/O, 2 create an image of the EC2 instance, 3 resume disk I/O
C. 1 detach EBS volumes, 2 start EBS snapshot of volumes, 3 re-attach EBS volumes
D. 1 suspend disk I/O, 2 start EBS snapshot of volumes, 3 wait for snapshots to complete, 4 resume
disk I/O
E. 1 suspend disk I/O,2 start EBS snapshot of volumes, 3 resume disk I/O
Answer: C

NO.299 An internet-facing multi-tier web application must be highly available. An ELB Classic Load
Balancer is deployed in front of the web tier. Amazon EC2 instances at the web application tier are
deployed evenly across two Availability Zones. The database is deployed using RDS Multi-AZ. A NAT
instance is launched for Amazon EC2 instances and database resources to access the Internet. These
instances are not assigned with public IP addresses.
Which component poses a potential single point of failure in this architecture?
A. Amazon EC2
B. NAT instance
C. ELB Classic Load Balancer
D. Amazon RDS
Answer: C

NO.300 Legacy applications currently send messages through a single Amazon EC2 instance, which
then routes the messages to the appropriate destinations. The Amazon EC2 instance is a bottleneck
and single point of failure, so the company would like to address these issues.
Which services could address this architecture use case? (Select TWO)
A. Amazon SNS
B. AWS STS
C. Amazon SQS
D. Amazon Route 53
E. AWS Glue
Answer: A C

NO.301 A social networking portal experiences latency and throughput issues due to an increased
number of users.
Application servers use very large datasets from an Amazon RDS database, which creates a
performance bottleneck on the database.
Which AWS service should be used to improve performance?
A. Auto Scaling
B. Amazon SQS
C. Amazon ElastiCache
D. ELB Application Load Balancer
Answer: C

NO.302 Which combination of two policies enables AWS Identity and Access Management cross-
account access?
Choose 2 answers
A. Permission policy
B. Bucket policy
C. Key policy
D. Trust policy
E. Access policy
Answer: A B

NO.303 An AWS workload in a VPC is running a legacy database on an Amazon EC2 instance. Data is
stored on a 200 GB Amazon EBS (gp2) volume. At peak load times, logs show excessive wait time.
What solution should be implemented to improve database performance using persistent storage?
A. Migrate the data on the Amazon EBS volume to an SSD-backed volume.
B. Change the EC2 instance type to one with EC2 instance store volumes.
C. Migrate the data on the EBS volume to provisioned IOPS SSD (io1).
D. Change the EC2 instance type to one with burstable performance.
Answer: D

NO.304 An e-commerce application is hosted in AWS. The last time a new product was launched,
the application experienced a performance issue due to an enormous spike in traffic. Management
decided that capacity must be doubled the week after the product is launched.
Which is the MOST efficient way for management to ensure that capacity requirements are met?
A. Add a Step Scaling policy.
B. Add a Dynamic Scaling policy.
C. Add a Scheduled Scaling action.
D. Add Amazon EC2 Spot Instances.
Answer: A

NO.305 A user is testing a new service that receives location updates from 3,600 rental cars every
hour.
Which service will collect data and automatically scale to accommodate production workload?
A. Amazon EC2
B. Amazon Kinesis Firehose
C. Amazon EBS
D. Amazon API Gateway
Answer: D

NO.306 An application uses a single-instance deployment of an Amazon RDS MySQL database. The
database has intensive read operations, and the heavy load is causing performance issues. How can a
user improve performance?
A. Create read replicas
B. Stripe the data across multiple Amazon EBS volumes
C. Switch to a Multi-AZ RDS database
D. Take hourly database snapshots
Answer: B
Explanation
Benefits of Using EBS Volumes
EBS volumes provide several benefits that are not supported by instance store volumes.
* Data availability
When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone
to prevent data loss due to failure of any single hardware component. After you create a volume, you
can attach it to any EC2 instance in the same Availability Zone. After you attach a volume, it appears
as a native block device similar to a hard drive or other physical device. At that point, the instance
can interact with the volume just as it would with a local drive. The instance can format the EBS
volume with a file system, such as ext3, and then install applications.
An EBS volume can be attached to only one instance at a time, but multiple volumes can be attached
to a single instance. If you attach multiple volumes to a device that you have named, you can stripe
data across the volumes for increased I/O and throughput performance.
An EBS volume and the instance to which it attaches must be in the same Availability Zone.
You can get monitoring data for your EBS volumes, including root device volumes for EBS-backed
instances, at no additional charge. For more information about monitoring metrics, see Monitoring
Volumes with CloudWatch. For information about tracking the status of your volumes, see Amazon
CloudWatch Events for Amazon EBS.

NO.307 A Solutions Architect is designing a microservice to process records from Amazon Kinesis
Streams. The metadata must be stored in Amazon DynamoDB. The microservice must be capable of
concurrently processing 10,000 records daily as they arrive in the Kinesis stream.
The MOST scalable way to design the microservice is:
A. As an AWS Lambda function
B. As a process on an Amazon EC2 instance.
C. As a Docker container running on Amazon ECS
D. As a Docker container on an EC2 instance
Answer: A

NO.308 A customer is deploying a production portal application on AWS. The database tier has
structured data. The company requires a solution that is easily manageable and highly available.
How can these requirements be met?
A. Deploy the database on multiple Amazon EC2 instances backed by Amazon EBS across multiple
Availability Zones
B. Use Amazon RDS with a multiple Availability Zone option
C. Use RDS with a single Availability Zone option and schedule periodic database snapshots
D. Use Amazon DynamoDB
Answer: D

NO.309 A Solutions Architect is building a multi-tier website. The web servers will be in a public
subnet, and the database servers will be in a private subnet. Only the web servers can be accessed
from the internet.
The database servers must have Internet access for software updates. Which solution meets these
requirements?
A. Assign Elastic IP addresses to the database instances
B. Allow Internet traffic on the private subnet through the network ACL
C. Use a NAT Gateway.
D. Use an egress-only internet Gateway
Answer: C

NO.310 A Solutions Architect is defining a shared Amazon S3 bucket where corporate applications
will save objects.
How can the Architect ensure that when an application uploads an object to the Amazon S3 bucket,
the object is encrypted?
A. Set a CORS configuration.
B. Set a bucket policy to encrypt all Amazon S3 objects.
C. Enable default encryption on the bucket.
D. Set permission for users.
Answer: B

NO.311 A customer is running two Amazon EC2 instances, Server1 and Server2, in different subnets
of the same VPC.
Server1 can ping Server2, but Server2 cannot ping Server1. What could explain this behavior? Choose
2 answers
A. There is no route from Server2 to Server1 defined in the route table
B. The ingress rules for Server1's security group do not allow ICMP traffic
C. The two servers are not located in the same Availability Zone
D. The operating system firewall on Server1 is blocking traffic from Server2
E. The ingress rules for Server2's security group do not allow ICMP traffic
Answer: A D

NO.312 Which of the following are use cases for Amazon DynamoDB? Choose 3 answers
A. Storing BLOB data
B. Managing web sessions
C. Storing JSON documents
D. Storing metadata for Amazon S3 objects
E. Running relational joins and complex updates
F. Storing large amounts of infrequently accessed data
Answer: B C D

NO.313 What services will help identify Amazon EC2 instances with underutilized CPU capacity?
Choose 2 answers
A. Cost Explorer
B. Amazon EC2 usage reports
C. AWS CloudTrail
D. Amazon CloudWatch
E. AWS Trusted Advisor
Answer: B D

NO.314 A Solutions Architect is building a new feature using Lambda to create metadata when a
user uploads a picture to Amazon S3. All metadata must be indexed.
Which AWS service should the Architect use to store this metadata?
A. Amazon S3
B. Amazon DynamoDB
C. Amazon Kinesis
D. Amazon EFS
Answer: A

NO.315 A Solutions Architect is building an application that stores object data. Compliance
requirements state that the data stored is immutable.
Which service meets these requirements?
A. Amazon S3
B. Amazon Glacier
C. Amazon EFS
D. AWS Storage Gateway
Answer: B

NO.316 You have been asked to design a fault-tolerant and scalable web application across three
Availability Zones.
The presentation logic will reside on web servers behind an ELB Classic Load Balancer, and the
application logic will reside on a set of app servers behind a second load balancer.
How should you use Auto Scaling groups?
A. Deploy two Auto Scaling groups: one for the web servers in all Availability Zones and one for the
app servers in all Availability Zones
B. Deploy six Auto Scaling groups: a web server group in each Availability Zone and an app server
group in each Availability Zone
C. Deploy one Auto Scaling group that includes all the web and app servers across all Availability
Zones
D. Deploy three Auto Scaling groups: one for each Availability Zone that includes both web and app
servers
Answer: A

NO.317 A Solutions Architect is designing a workload that requires capacity reservation at all times
using many r4.2xlarge instances. The workload will run 24/7 for the next two years and uses Amazon
Linux. What is the MOST cost-effective way to obtain this required compute capacity?
A. Regional Standard Reserved instances
B. Spot Fleet
C. Regional Convertible Reserved Instances
D. Standard Reserved Instances
Answer: D

NO.318 A company is preparing to give AWS Management Console access to developers. Company
policy mandates identity federation and role based access control. Roles are currently assigned using
groups in the corporate Active Directory. What combination of the following will give developers
access to the AWS console?
Choose 2 answers
A. AWS Directory Service AD connector
B. AWS Directory Service Simple AD
C. AWS Identity and Access Management groups
D. AWS Identity and Access Management roles
E. AWS Identity and Access Management users
Answer: A D

NO.319 A Solution Architect is designing a new social media application. The application must
provide a secure method for uploading profile photos. Each user should be able to upload a profile
photo into a shared storage location for one week after their profile is created.
Which approach will meet all of these requirements?
A. Use Amazon Kinesis with AWS CloudTrail for auditing the specific times when profile photos are
uploaded.
B. Use Amazon EBS volumes with IAM policies restricting user access to specific time periods
C. Use Amazon S3 with the default private access policy and generate pre-signed URLs each time a
new site profile is created
D. Use Amazon CloudFront with AWS CloudTrail for auditing the specific times when profile photos
are uploaded.
Answer: C

NO.320 Two Auto Scaling applications, Application A and Application B, currently run within a
shared set of subnets.
A Solutions Architect wants to make sure that Application A can make requests to Application B, but
Application B should be denied from making requests to Application A.
Which is the SIMPLEST solution to achieve this policy?
A. Using security groups that reference the security groups of the other application
B. Using security groups that reference the application server's IP addresses
C. Using Network Access Control Lists to allow/deny traffic based on application IP addresses
D. Migrating the applications to separate subnets from each other
Answer: C

NO.321 A customer is leveraging Amazon Simple Storage Service in eu-west-1 to store static content
for a web-based property. The customer is storing objects using the standard storage class. Where
are the customer's objects replicated?
A. A single facility in eu-west-1 and a single facility in eu-central-1
B. A single facility in eu-west-1 and a single facility in us-east-1
C. Multiple facilities in eu-west-1
D. A single facility in eu-west-1
Answer: C

NO.322 A colleague asked for your advice about how to easily deploy, monitor, and scale a three-
tier LAMP (Linux, Apache, MySQL, PHP) application on AWS. Your colleague has time and staffing
constraints and wants to deploy and manage the application with minimal effort.
What AWS service would you suggest?
A. Data Pipeline
B. Elastic Beanstalk
C. CloudFormation
D. CodeDeploy
Answer: D
Explanation
AWS CodeDeploy automates code deployments to any instance, including Amazon EC2 instances and
on-premises servers. AWS CodeDeploy makes it easier for you to rapidly release new features, helps
you avoid downtime during application deployment, and handles the complexity of updating your
applications.

NO.323 A Solutions Architect is designing an application on AWS that will connect to the on-premises
data center through a VPN connection. The solution must be able to log network traffic over the VPN.
Which service logs this network traffic?
A. AWS CloudTrail
B. Amazon VPC Flow Logs
C. Amazon S3 bucket logs
D. Amazon CloudWatch Logs
Answer: B
Explanation
VPC Flow Logs: In order to provide better support for this important aspect of network monitoring, we
are introducing Flow Logs for the Amazon Virtual Private Cloud. Once enabled for a particular VPC,
VPC subnet, or Elastic Network Interface (ENI), relevant network traffic will be logged to CloudWatch
Logs for storage and analysis by your own applications or third-party tools.
You can create alarms that will fire if certain types of traffic are detected; you can also create metrics
to help you to identify trends and patterns.
The information captured includes information about allowed and denied traffic (based on security
group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA
protocol number, packet and byte counts, a time interval during which the flow was observed, and an
action (ACCEPT or REJECT).

NO.324 A customer needs corporate IT governance and cost oversight of all AWS resources
consumed by its divisions.
The divisions want to maintain administrative control of the discrete AWS resources they consume
and keep those resources separate from the resources of other divisions. Which of the following
options, when used together, will support the autonomy/control of divisions while enabling
corporate IT to maintain governance and oversight? Choose 2 answers
A. Enable IAM cross-account access for all corporate IT administrators in each child account.
B. Create separate VPCs for each division within the corporate IT AWS account
C. Use AWS Consolidated Billing and disable AWS root account access for the child accounts
D. Use AWS Consolidated Billing to link the divisions' accounts to a parent corporate account
E. Write all child AWS CloudTrail and Amazon CloudWatch logs to each child account's Amazon S3 log
bucket
Answer: C E

NO.325 A company is designing a failover strategy in Amazon Route 53 for its resources between
two AWS Regions.
The company must have the ability to route a user's traffic to the region with least latency, and if
both regions are healthy, Route 53 should route traffic to resources in both regions.
Which strategy should the Solutions Architect recommend?
A. Configure active-active failover using Route 53 latency DNS records.
B. Configure active-passive failover using Route 53 latency DNS records.
C. Configure active-active failover using Route 53 failover DNS records.
D. Configure active-passive failover using Route 53 failover DNS records.
Answer: A

NO.326 A prediction process requires access to a trained model that is stored in an Amazon S3
bucket. The process takes a few seconds to process an image and make a prediction. The process is
not overly resource-intensive, does not require any specialized hardware and takes less than 512 MB
of memory to run.
What would be the MOST effective compute solution for this use case?
A. Amazon ECS
B. Amazon EC2 Spot instances
C. AWS Lambda functions
D. AWS Elastic Beanstalk
Answer: C

NO.327 An application hosted on AWS uses object storage for storing internal reports that are
accessed daily by the CFO. Currently, these reports are publicly available. How should a Solutions
Architect re-design this architecture to prevent unauthorized access to these reports?
A. Encrypt the files on the client side and store the files on Amazon Glacier, then decrypt the reports
on the client side.
B. Move the files to Amazon ElastiCache and provide a username and password for downloading the
reports.
C. Specify the use of AWS KMS server-side encryption at the time of an object creation on Amazon
S3.
D. Store the files on Amazon S3 and use the application to generate S3 pre-signed URLs to users.
Answer: D
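What a pre-signed URL actually is, as an added example that is not part of the original page: a URL carrying the requester's access key ID, a timestamp, a lifetime and a Signature Version 4 signature over exactly one object, so that anyone holding the URL can fetch that object until it expires and nothing else. The code builds such a URL with only the standard library and then checks it the way the service side does. The access key and secret are the placeholder values AWS uses in its own documentation, not real credentials, and the bucket and object names are made up.

```python
"""Build and check an Amazon S3 pre-signed GET URL (AWS Signature Version 4, query
string authentication) with only the standard library. Added example, not the page's
own code. The credentials below are AWS's documentation placeholders, not real keys."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
EXAMPLE_SIGNED_AT = datetime(2013, 5, 24, tzinfo=timezone.utc)


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key: HMAC chain over date, region, service, 'aws4_request'."""
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def compute_signature(secret_key: str, host: str, key: str, params: dict,
                      amz_date: str, region: str) -> str:
    """Signature over the canonical GET request; `params` excludes X-Amz-Signature."""
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                               for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/"),   # canonical URI: URI-encoded object key
        canonical_query,
        f"host:{host}\n",             # canonical headers block, newline-terminated
        "host",                       # signed headers
        "UNSIGNED-PAYLOAD",           # pre-signed URLs never sign the body
    ])
    date = amz_date[:8]
    string_to_sign = "\n".join([ALGORITHM, amz_date, f"{date}/{region}/s3/aws4_request",
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(signing_key(secret_key, date, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(access_key: str, secret_key: str, bucket: str, key: str,
                region: str, expires_in: int, now: datetime) -> str:
    """Return a URL that grants GET on exactly one object until now + expires_in seconds."""
    host = f"{bucket}.s3.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),   # S3 caps this at 604800 seconds (7 days)
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = compute_signature(secret_key, host, key, params, amz_date, region)
    return f"https://{host}/{quote(key, safe='/')}?{urlencode(params)}"


def verify_presigned_url(url: str, secret_key: str, now: datetime) -> bool:
    """What the service side does: recompute the signature from the URL's own
    parameters, compare in constant time, and refuse the URL once it has expired."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected = compute_signature(secret_key, parsed.hostname, unquote(parsed.path[1:]),
                                 params, amz_date, region)
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    url = presign_get(EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY, "examplebucket", "test.txt",
                      "us-east-1", 86400, EXAMPLE_SIGNED_AT)
    print(url)
    print("valid one hour later:",
          verify_presigned_url(url, EXAMPLE_SECRET_KEY, EXAMPLE_SIGNED_AT + timedelta(hours=1)))
```

The inputs in the `__main__` block are the same ones AWS uses in its worked example for query-parameter authentication, so the printed signature can be compared against the documentation. Two properties matter for the design in option D: the URL is a bearer credential, so it should be minted with the shortest lifetime the CFO's workflow tolerates and handed over only on HTTPS, and the signature binds the object key, so a URL for one report cannot be edited into a URL for another.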

NO.328 A customer has a production application that frequently overwrites and deletes data, the
application requires the most up-to-date version of the data every time it is requested. Which
storage service should a Solutions Architect recommend to best accommodate this use case?
A. Amazon S3
B. Amazon RDS
C. Amazon Red Shift
D. AWS Storage Gateway
Answer: B

NO.329 A Solution Architect is designing a disaster recovery solution for a 5 TB Amazon Redshift
cluster. The recovery site must be at least 500 miles (805 kilometers) from the live site.
How should the Architect meet these requirements?
A. Use AWS CloudFormation to deploy the cluster in a second region.
B. Take a snapshot of the cluster and copy it to another Availability Zone.
C. Modify the Redshift cluster to span two regions.
D. Enable cross-region snapshots to a different region.
Answer: D

NO.330 After creating a new IAM user which of the following must be done before they can
successfully make API calls?
A. Create a set of Access Keys for the user
B. Enable Multi-Factor Authentication for the user
C. Add a password to the user
D. Assign a Password Policy to the user
Answer: A

NO.331 Which services can invoke AWS Lambda functions?
A. Amazon Route 53
B. Amazon Redshift
C. Elastic Load Balancing
D. Amazon DynamoDB
E. Amazon SNS
Answer: D E

NO.332 A company needs to deploy services to an AWS Region which they have not previously used. The
company currently has an AWS Identity and Access Management (IAM) role for their Amazon EC2
instances, which permits the instance to have access to Amazon DynamoDB. The company wants
their EC2 instances in the new region to have the same privileges. How should the company achieve
this?
A. Create a new IAM role and associated policies within the new region
B. Assign the existing IAM role to the Amazon EC2 instances in the new region
C. Copy the IAM role and associated policies to the new region and attach it to the instances
D. Create the Amazon Machine Image of the instance and copy it to the desired region using the AMI
Copy feature
Answer: B

NO.333 An online company wants to conduct real-time sentiment analysis about its products from
its social media channels using SQL. Which of the following solutions has the LOWEST cost and
operational burden?
A. Set up a streaming data ingestion application on Amazon EC2 and connect it to a Hadoop cluster
for data processing. Send the output to Amazon S3 and use Amazon Athena to analyze the data.
B. Configure the input stream using Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics
to write SQL queries against the stream.
C. Configure the input stream using Amazon Kinesis Data Streams. Use Amazon Kinesis Data Firehose
to send data to an Amazon Redshift cluster, and then query directly against Amazon Redshift.
D. Set up a streaming data ingestion application on Amazon EC2 and send the output to Amazon S3
using Kinesis Data Firehose. Use Athena to analyze the data.
Answer: B

NO.334 A client notices that their engineers often make mistakes when creating Amazon SQS
queues for their backend system.
Which action should a Solutions Architect recommend to improve this process?
A. Use the AWS CLI to create queues using AWS IAM Access Keys.
B. Write a script to create the Amazon SQS queue using AWS Lambda.
C. Use AWS Elastic Beanstalk to automatically create the Amazon SQS queues.
D. Use AWS CloudFormation Templates to manage the Amazon SQS queue creation
Answer: D

NO.335 Which of the following actions can AWS CloudFormation trigger when launching an Amazon Linux
EC2 instance?
A. Download and install software
B. Attach the instance to an Elastic Map Reduce job flow
C. Change the password for the root user
D. Create custom files on the file system
E. Change the EC2 instance metadata
Answer: A D

NO.336 A call center application consists of a three-tier application using Auto Scaling groups to
automatically scale resources as needed. Users report that every morning at 9:00 AM the system
becomes very slow for about 15 minutes. A Solution Architect determines that a large percentage of
the call center staff starts work at 9:00 AM, so Auto Scaling does not have enough time to scale out
to meet demand.
How can the Architect fix the problem?
A. Change the Auto Scaling group's scale out event to scale based on network utilization.
B. Create an Auto Scaling scheduled action to scale out the necessary resources at 8:30 AM every
morning.
C. Use Reserved Instances to ensure the system has reserved the right amount of capacity for the
scale-up events.
D. Permanently keep a steady state of instances that is needed at 9:00 AM to guarantee available
resources, but leverage Spot Instances.
Answer: B

NO.337 You have configured mycorp.com as an Amazon Route 53 private hosted zone for Amazon
Virtual Private Cloud. Amazon Elastic Compute Cloud (EC2) instances in your us-east-1 VPC
successfully resolve internal.mycorp.com. You are extending your infrastructure to a VPC in
eu-west-1. Why are Amazon EC2 instances in eu-west-1 unable to resolve internal.mycorp.com?
A. The VPC in eu-west-1 is not associated with the private hosted zone
B. The DHCP options set in eu-west-1 requires the private hosted zone name server IP addresses
C. The enableDnsHostnames attribute of the VPC in eu-west-1 should be set to false
D. A second private hosted zone for Amazon VPC is required for eu-west-1
Answer: A

NO.338 A Solutions Architect is developing software on AWS that requires access to multiple AWS
services, including an Amazon EC2 instance. This is a security sensitive application, and AWS
credentials such as Access Key ID and Secret Access Key need to be protected and cannot be exposed
anywhere in the system.
What security measure would satisfy these requirements?
A. Store the AWS Access Key ID/Secret Access Key combination in software comments.
B. Assign an IAM user to the Amazon EC2 instance.
C. Assign an IAM role to the Amazon EC2 instance.
D. Enable multi-factor authentication for the AWS root account.
Answer: C

NO.339 A company is designing a hybrid IT architecture and requires a private connection between
an on-premises data center and their virtual private cloud (VPC). Which of the following would
enable the company to achieve this? Choose 2 answers
A. VPN connection
B. AWS Direct Connect
C. AWS DataPipeline
D. Amazon Route53
E. ClassicLink
Answer: A B

NO.340 A company must collect temperature data from thousands of remote weather devices. The
company must also store this data in a data warehouse to run aggregations and visualizations.
Which services will meet these requirements? (Choose two.)
A. Amazon Kinesis Data Firehose
B. Amazon SQS
C. Amazon Redshift
D. Amazon SNS
E. Amazon DynamoDB
Answer: A C

NO.341 A company uses Amazon S3 for storing a variety of files. A Solutions Architect needs to
design a feature that will allow users to instantly restore any deleted files within 30 days of deletion.
Which is the Most cost-efficient solution?
A. Create lifecycle policies that move the objects to Amazon Glacier and delete them after 30 days
B. Enable cross-region replication. Empty the replica bucket every 30 days using an AWS Lambda
function
C. Enable versioning and create a lifecycle policy to remove expired versions after 30 days
D. Enable versioning and MFA Delete. Using a Lambda function, remove MFA delete from objects
more than 30 days old
Answer: C

NO.342 You try to connect via SSH to a newly created Amazon EC2 instance and get one of the error
messages:
"Network error: Connection timed out" or "Error connecting to [instance], reason: -> Connection
timed out connect," You have confirmed that the network and security group rules are configured
correctly and the instance is passing status checks. What steps should you take to identify the source
of the behavior? Choose 2 answers
A. Verify that your IAM user policy has permission to launch Amazon EC2 instances
B. Verify that you are connecting with the appropriate user name for your AMI
C. Verify that the Amazon EC2 instance was launched with the proper IAM role
D. Verify that your federation trust to AWS has been established
E. Verify that the private key file corresponds to the Amazon EC2 key pair assigned at launch
Answer: B E

NO.343 A Solutions Architect is designing an Amazon VPC. Applications in the VPC must have private
connectivity to Amazon DynamoDB in the same AWS Region. The design should route DynamoDB
traffic through:
A. VPC peering connection
B. NAT gateway
C. VPC endpoint
D. AWS Direct Connect
Answer: C

NO.344 You have established a virtual private cloud (VPC) peering relationship between VPC 1 and
VPC 2. VPC 1 has routes to VPC 2, yet hosts in VPC 1 cannot connect to hosts in VPC 2. Which of the
following is a possible cause?
A. Security groups applied to VPC 2 are blocking the traffic
B. The network access control list applied to VPC 2 denies by default
C. The subnet route table in VPC 2 does not have routes to VPC 1
D. The VPCs have not been attached to a virtual private gateway
Answer: C

NO.345 You have a content management system running on an Amazon EC2 instance that is
approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?
A. Create a load balancer, and register the Amazon EC2 instance with it
B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin
C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
D. Create a launch configuration from the instance using the CreateLaunchConfiguration action
Answer: B

NO.346 A company is building software on AWS that requires access to various AWS services. Which
configuration should be used to ensure that AWS credentials (i.e., Access Key ID/secret access key
combination) are not compromised?
A. Enable Multi-factor Authentication for your AWS root account
B. Assign an IAM role to the Amazon EC2 instance
C. Store the AWS Access key ID/secret Access Key combination in software comments
D. Assign an IAM user to the Amazon EC2 instance
Answer: B

NO.347 A company is storing a data on Amazon Simple Storage Service (S3). The company's security
policy mandates that data is encrypted at rest. Which of the following methods can achieve this?
Choose 3 answers
A. Use Amazon S3 server-side encryption with AWS key management service managed keys
B. Use Amazon S3 server-side encryption with customer-provided keys
C. Use Amazon S3 server-side encryption with EC2 key pair
D. Use Amazon S3 bucket policies to restrict access to the data at rest
E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key
F. Use SSL to encrypt the data while in transit to Amazon S3
Answer: A B E

NO.348 You have an environment that consists of a public subnet using Amazon VPC and 3 instances
that are running in this subnet. These three instances can successfully communicate with other hosts
on the internet. you launch a fourth instance in the same subnet, using the same AMI and security
group configuration you used for the others, but find that this instance cannot be accessed from the
internet. What should you do to enable internet access?
A. Configure a publicly routable IP Address in the host OS of the fourth instance
B. Deploy a NAT instance into the public subnet
C. Modify the routing table for the public subnet
D. Assign an elastic IP address to the fourth instance
Answer: D

NO.349 Which of the following requires a custom CloudWatch metric to monitor?
A. Memory utilization of an EC2 instance
B. CPU utilization of an EC2 instance
C. Disk usage activity of an EC2 instance
D. Data transfer of an EC2 instance
Answer: A

NO.350 Your company runs an application that generates several thousand 1-GB reports a month.
Approximately 10% of these reports will be accessed once during the first 3 days and must be
available on demand. After 30 days, reports are no longer accessed as a part of normal business
processes but must be retained for compliance reasons.
Which architecture would meet these requirements with the lowest cost?
A. Upload the reports to Amazon S3 Standard - Infrequent Access storage class. Set a lifecycle
configuration on the bucket to transition the reports to Amazon Glacier after 30 days.
B. Upload the reports to Amazon Glacier. When reports are requested, copy them to Amazon S3
Standard storage class for access. Delete the copied reports after they have been viewed.
C. Upload the reports to Amazon S3 Standard storage class. Set a lifecycle configuration on the
bucket to transition the reports to Amazon Glacier after 30 days.
D. Upload the reports to Amazon S3 Standard - Infrequent Access storage class. When reports are
requested, copy them to Amazon S3 Standard storage class for access. Delete the copied reports
after they have been viewed.
Answer: A

NO.351 A customer needs to capture all client connection information from their load balancer
every five minutes.
The company wants to use data for analyzing traffic patterns and troubleshooting their applications.
Which of the following options meets the customer requirements?
A. Enable access logs on the load balancer
B. Enable AWS CloudTrail for the load balancer
C. Enable Amazon CloudWatch metrics on the load balancer
D. Install the Amazon CloudWatch Logs agent on the load balancer
Answer: A

NO.352 Using only AWS services, you intend to automatically scale a fleet of stateless
web servers based on CPU and network utilization metrics. Which of the following services are
needed? Choose 2 answers
A. Auto Scaling
B. Amazon Simple Notification Service
C. AWS CloudFormation
D. CloudWatch
E. Amazon Simple Workflow Service
Answer: A D

NO.353 Which features can be used to restrict access to data in S3? Choose 2 answers
A. Set an S3 ACL on the bucket or the object.
B. Create a CloudFront distribution for the bucket.
C. Set an S3 bucket policy.
D. Enable IAM Identity Federation
E. Use S3 Virtual Hosting
Answer: A C
Reference:
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.

NO.354 You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet
with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public
route table is configured to send all internet-bound traffic to the internet gateway. Why is the
internet unreachable from this instance?
A. The Internet gateway security group must allow all outbound traffic
B. The instance does not have a public IP address
C. The instance "Source/Destination check" property must be enabled
D. The instance security group must allow all inbound traffic
Answer: B

NO.355 A legacy application needs to interact with local storage using iSCSI. A team needs to design
a reliable storage solution to provision all new storage on AWS.
Which storage solution meets the legacy application requirements?
A. AWS Snowball storage for the legacy application until the application can be re-architected
B. AWS Storage Gateway in cached mode for the legacy application storage to write data to Amazon
S3
C. AWS Storage Gateway in stored mode for the legacy application storage to write data to Amazon
S3
D. An Amazon S3 volume mounted on the legacy application server locally using the File Gateway
service
Answer: B

NO.356 A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that
is not connected to their corporate network. They are connecting to the VPC over the Internet to
manage all of their Amazon EC2 instances running in both the public and private subnets. They have
only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to
the application instance security groups, but the company wants to further limit administrative
access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will
meet this requirement?
A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in
the VPC.
B. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH
access to the bastion from anywhere.
C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP
access to the bastion from only the corporate public IP addresses.
D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and
allow RDP access to the bastion from only the corporate public IP addresses.
Answer: D

NO.357 Which of the following are true regarding encrypted amazon elastic block store (EBS)
volumes? Choose 2 answers
A. Available to all instance types
B. Existing volumes can be encrypted
C. Supported on all Amazon EBS volume types
D. Snapshots are automatically encrypted
E. Shared volumes can be encrypted
Answer: C D

NO.358 As part of securing an API layer built on Amazon API gateway, a Solutions Architect has to
authorize users who are currently authenticated by an existing identity provider. The users must be
denied access for a period of one hour after three unsuccessful attempts.
How can the Solutions Architect meet these requirements?
A. Use AWS IAM authorization and add least-privileged permissions to each respective IAM role.
B. Use an API Gateway custom authorizer to invoke an AWS Lambda function to validate each user's
identity.
C. Use Amazon Cognito user pools to provide built-in user management.
D. Use Amazon Cognito user pools to integrate with external identity providers.
Answer: B
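The lockout rule in this question is exactly the kind of logic a Lambda (custom) authorizer lets you express, and the built-in IAM and Cognito options do not. The following is an added example rather than code from the page. Its assumptions: the bearer token is `user:expiry:HMAC-SHA256(user:expiry)` signed with a secret shared with the identity provider, which stands in for validating against the real IdP; and failed attempts are counted in a module-level dictionary, which only holds within one Lambda execution environment, so a real deployment keeps the counters in DynamoDB or ElastiCache. The `now` parameter on `handler` exists only to make the time-based behaviour testable.

```python
"""API Gateway Lambda (custom) authorizer that denies a user for one hour after three
failed authentication attempts. Added example, not the page's code. The token format,
the shared secret and the in-memory attempt store are assumptions for illustration."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

MAX_FAILURES = 3
LOCKOUT_SECONDS = 3600
TOKEN_SECRET = b"example-shared-secret"   # assumed shared key; never hard-code one in production

# user -> (consecutive failures, locked-out-until epoch seconds); process-local for the example
ATTEMPTS: Dict[str, Tuple[int, int]] = {}


def mint_token(user: str, expires_at: int, secret: bytes = TOKEN_SECRET) -> str:
    """Stand-in for the identity provider issuing a signed, expiring token."""
    body = f"{user}:{expires_at}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}:{mac}"


def validate_token(token: str, now: int, secret: bytes = TOKEN_SECRET) -> Optional[str]:
    """Return the user name if the token is well-formed, correctly signed and unexpired."""
    parts = token.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    user, expires_at, mac = parts
    expected = hmac.new(secret, f"{user}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):   # constant-time comparison
        return None
    if int(expires_at) < now:
        return None
    return user


def is_locked_out(user: str, now: int) -> bool:
    _, until = ATTEMPTS.get(user, (0, 0))
    return until > now


def record_failure(user: str, now: int) -> None:
    count, until = ATTEMPTS.get(user, (0, 0))
    count += 1
    if count >= MAX_FAILURES:
        ATTEMPTS[user] = (0, now + LOCKOUT_SECONDS)   # third strike: lock for one hour
    else:
        ATTEMPTS[user] = (count, until)


def iam_policy(principal: str, effect: str, method_arn: str) -> dict:
    """The response shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def handler(event: dict, context=None, now: Optional[int] = None) -> dict:
    """Lambda entry point for a TOKEN authorizer; `now` is injectable for testing."""
    now = int(time.time()) if now is None else now
    token = event.get("authorizationToken", "")
    method_arn = event["methodArn"]
    claimed_user = token.split(":")[0] or "anonymous"
    if is_locked_out(claimed_user, now):
        return iam_policy(claimed_user, "Deny", method_arn)   # no validation while locked out
    user = validate_token(token, now)
    if user is None:
        record_failure(claimed_user, now)
        return iam_policy(claimed_user, "Deny", method_arn)
    ATTEMPTS.pop(user, None)                                  # success clears the counter
    return iam_policy(user, "Allow", method_arn)


def effect_of(response: dict) -> str:
    """Convenience accessor for the Allow/Deny decision in an authorizer response."""
    return response["policyDocument"]["Statement"][0]["Effect"]
```

One caveat to weigh before copying this pattern: the failure counter is keyed on the user name the caller claims, so anyone who can send three garbage tokens for `alice` locks Alice out for an hour. Keying on the claimed principal plus source address, or deferring to the identity provider's own lockout, limits that denial-of-service. Also keep API Gateway's authorizer result cache (TTL) in mind: a cached Allow issued before the lockout stays valid until the cache entry expires.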

NO.359 A Solutions Architect is building a multi-tier website. The web servers will be in a public
subnet, and the database servers will be in a private subnet. Only the web servers can be accessed
from the Internet. The database servers must have Internet access for software updates.
Which solution meets the requirements?
A. Assign Elastic IP addresses to the database instances.
B. Allow Internet traffic on the private subnet through the network ACL.
C. Use a NAT Gateway.
D. Use an egress-only Internet Gateway.
Answer: C

NO.360 When creation of an EBS snapshot is initiated, but not completed, the EBS volume:
A. Cannot be detached or attached to an EC2 instance until the snapshot completes
B. Can be used while the snapshots is in progress
C. Cannot be used until the snapshot completes
D. Can be used in read-only mode while the snapshot is in progress
Answer: B

NO.361 Your application contains thousands of Images in an Amazon RDS MySQL instance. These
images are frequently accessed and the number of images is growing rapidly. Which should you
implement to reduce cost and improve application performance?
A. Create two Amazon RDS MySQL read replicas in different regions, and migrate the images to the
cross-region read replicas
B. Migrate the images to Amazon Glacier, and allow the end users to access the images through
Amazon CloudFront
C. Migrate the images to Amazon Elastic Block Store volumes, and allow the end users to access the
images through Amazon CloudFront
D. Migrate the images to Amazon Simple Storage Service, and allow the end users to access the
images through Amazon CloudFront
Answer: D

NO.362 You have a web application running on Elastic Beanstalk using a RDS database instance.
Using Amazon ElastiCache to store your web session data instead of storing it in the relational
database will: Choose 2 answers
A. Improve read/write performances of your session data
B. Improve write performance by using ElastiCache to write to your database
C. Reduce the load on your database instance
D. Improve availability of your session data in an AZ failover scenario
Answer: A C

NO.363 You have a Cassandra cluster running in private subnets in an Amazon VPC. A new
application in a different Amazon VPC needs access to the database.
How can the new application access the database?
A. Set up a VPC peering connection between the two Amazon VPCs.
B. Set up a dual-homed instance with ENIs in both Amazon VPCs.
C. Set up a NAT Gateway in the application's Amazon VPC.
D. Set up a NAT Gateway in the database's Amazon VPC.
Answer: A

NO.364 A Solutions Architect is designing a stateful web application that will run for one year (24/7)
and then be decommissioned. Load on this platform will be constant, using a number of r4.8xlarge
instances. Cost is a key driver for this system, and high availability is not required.
What is the MOST cost-effective way to purchase compute for this platform?
A. Scheduled Reserved instances
B. Convertible Reserved Instances
C. Standard Reserved instances
D. Spot Instances
Answer: C

NO.365 An Auto Scaling group spans 3 AZs and currently has 4 running EC2 instances. When Auto
Scaling needs to terminate an EC2 instance, by default, Auto Scaling will:
A. Send an SNS notification, if configured to do so
B. Allow at least five minutes for Windows/Linux shutdown scripts to complete, before terminating
the instance
C. Randomly select one of the 3 AZs, and then terminate an instance in that AZ
D. Terminate an instance in the AZ which currently has 2 running EC2 instances
E. Terminate the instance with the least active network connections if multiple instances meet this
criterion, one will be randomly selected
Answer: A D

NO.366 A media company has more than 100 TB of data to be stored and retrieved infrequently.
However, the company occasionally receives requests for data within an hour. The company needs a
low-cost retrieval method to handle the requests.
Which service meets this requirement?
A. Amazon S3 Standard
B. Amazon Glacier standard retrievals
C. Amazon Glacier bulk retrievals
D. Amazon S3 Standard Infrequent Access
Answer: D

NO.367 A customer has a single 3-TB volume on-premises that is used to hold a large repository of
images and print layout files. This repository is growing at 500 GB a year and must be presented as a
single logical volume. The customer is becoming. Which AWS Storage Gateway configuration meets
the customer requirements?
A. Gateway-Cached volumes with snapshots scheduled to Amazon S3
B. Gateway-stored volumes with snapshots scheduled to Amazon S3
C. Gateway-Virtual Tape library with snapshots to Amazon S3
D. Gateway-Virtual tape library with snapshots to Amazon Glacier
Answer: B

NO.368 Which of the following are valid statements about Amazon S3? Choose 2 answers
A. S3 provides read-after-write consistency for any type of PUT or DELETE
B. Partially saved objects are immediately readable with a GET after an overwrite Put
C. Consistency is not guaranteed for any type of PUT and DELETE
D. A successful response to a PUT request only occurs when a complete object is saved
E. S3 provides eventual consistency for overwrite PUTS and DELETES
Answer: D E

NO.369 A Solutions Architect is designing an application on AWS that uses persistent block storage.
Data must be encrypted at rest.
Which solution meets the requirement?
A. Enable SSL on Amazon EC2 instances.
B. Encrypt Amazon EBS volumes on Amazon EC2 instances.
C. Enable server-side encryption on Amazon S3.
D. Encrypt Amazon EC2 Instance Storage.
Answer: B

NO.370 Your web application front end consists of multiple EC2 instances behind an Elastic Load
Balancer. You configured ELB to perform health checks on these EC2 instances, if an instance fails to
pass health checks, which statement will be true?
A. The instance gets terminated automatically by the ELB.
B. The instance gets quarantined by the ELB for root cause analysis.
C. The instance is replaced automatically by the ELB.
D. The ELB stops sending traffic to the instance that failed its health check.
Answer: D

NO.371 An interactive, dynamic website runs on Amazon EC2 instances in a single subnet behind an
ELB Classic Load Balancer.
Which design changes will make the site more highly available?
A. Move some Amazon EC2 instances to a subnet in a different Availability Zone.
B. Move the website to Amazon S3.
C. Change the ELB to an Application Load Balancer.
D. Move some Amazon EC2 instances to a subnet in the same Availability Zone.
Answer: A

NO.372 A data analytics startup company asks a Solutions Architect to recommend an AWS data
store option for indexed data.
The data processing engine will generate and input more than 64 TB of processed data every day,
with item sizes reaching up to 300 KB. The startup is flexible with data storage models and is more
interested in a database that requires minimal effort to scale with a growing dataset size.
Which AWS data store service should the Architect recommend?
A. Amazon RDS
B. Amazon Redshift
C. Amazon DynamoDB
D. Amazon S3
Answer: C

NO.373 An organization regularly backs up their application data. The application backups are
required to be stored on Amazon S3 for a certain amount of time, and need to be accessed instantly
in the event of a disaster recovery.
Which of the following Amazon S3 storage classes would be the MOST cost-effective option to meet
the needs of this scenario?
A. Glacier Storage Class
B. Standard Storage Class
C. Standard - Infrequent Access (IA)
D. Reduced Redundancy Class (RRS)
Answer: C

NO.374 A company requires that the source, destination, and protocol of all IP packets be recorded
when traversing a private subnet. What is the MOST secure and reliable method of accomplishing this
goal?
A. Create VPC flow logs on the subnet.
B. Enable source destination check on private Amazon EC2 instances.
C. Enable AWS CloudTrail logging and specify an Amazon S3 bucket for storing log files.
D. Create an Amazon CloudWatch log to capture packet information.
Answer: A

NO.375 A three-tier application is being created to host small news articles. The application is
expected to serve millions of users. When breaking news occurs, the site must handle very large spikes
in traffic without significantly impacting the database. Which design meets these requirements
while minimizing costs?
A. Use Auto Scaling groups to increase the number of Amazon EC2 instances delivering the web
application.
B. Use Auto Scaling groups to increase the size of the Amazon RDS instances delivering the database
C. Use Amazon DynamoDB strongly consistent reads to adjust for the increase in traffic.
D. Use Amazon DynamoDB Accelerator (DAX) to cache read operations to the database
Answer: D

Explanation
Amazon RDS is a managed relational database service that provides you six familiar database engines
to choose from, including Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and
PostgreSQL.
This means that the code, applications, and tools you already use today with your existing databases
can be used with Amazon RDS. Amazon RDS handles routine database tasks such as provisioning,
patching, backup, recovery, failure detection, and repair.
Amazon RDS makes it easy to use replication to enhance availability and reliability for production
workloads.
Using the Multi-AZ deployment option, you can run mission-critical workloads with high availability
and built-in automated fail-over from your primary database to a synchronously replicated secondary
database.
Using Read Replicas, you can scale out beyond the capacity of a single database deployment for read-
heavy database workloads.

NO.376 A company is developing several critical long-running applications hosted on Docker.
How should a Solutions Architect design a solution to meet the scalability and orchestration
requirements on AWS?
A. Use Amazon ECS and Service Auto Scaling.
B. Use Spot Instances for orchestration and for scaling containers on existing Amazon EC2 Instances.
C. Use AWS OpsWorks to launch containers in new Amazon EC2 instances.
D. Use Auto scaling groups to launch containers on existing Amazon EC2 instances.
Answer: A

NO.377 When will you incur costs with an Elastic IP address (EIP)?
A. When an EIP is allocated.
B. When it is allocated and associated with a running instance.
C. When it is allocated and associated with a stopped instance.
D. Costs are incurred regardless of whether the EIP is associated with a running instance.
Answer: C

NO.378 A Solutions Architect has a two-tier blog application with a single Amazon EC2 instance web
server and Amazon RDS MySQL Multi-AZ DB instances. The Architect is re-architecting the application
for high availability by adding instances in a second Availability Zone.
Which additional services will improve the availability of the application? (Select TWO)
A. Auto Scaling group
B. AWS CloudTrail
C. ELB Classic Load Balancer
D. Amazon DynamoDB
E. Amazon ElastiCache
Answer: A C

NO.379 A Solutions Architect is designing the storage layer for a production relational database. The
database will run on Amazon EC2. The database is accessed by an application that performs intensive
reads and writes, so the database requires the LOWEST random I/O latency.
Which data storage method fulfills the above requirements?
A. Store data in a filesystem backed by Amazon Elastic File System (EFS)
B. Store data in Amazon S3 and use a third-party solution to expose Amazon S3 as a filesystem to the
database server
C. Store data in Amazon DynamoDB and emulate relational database semantics
D. Stripe data across multiple Amazon EBS volumes using RAID 0
Answer: D

NO.380 A Solutions Architect must design an Amazon DynamoDB table to store data about
customer activities. The data is used to analyze recent customer behavior, so data that is less than a
week old is heavily accessed and older data is accessed infrequently. Data that is more than one
month old never needs to be referenced by the application but needs to be archived for year-end
analytics.
A. Use DynamoDB time-to-live settings to expire items after a certain time period
B. Provision a higher write capacity unit to minimize the number of partitions
C. Create separate tables for each week's data with higher throughput for the current week
D. Pre-process data to consolidate multiple records to minimize write operations
E. Export the old table data from DynamoDB to Amazon S3 using AWS Data Pipeline and delete the
old table
Answer: C E

NO.381 A web application experiences high compute costs due to serving a high amount of static
web content.
How should the web server architecture be designed to be the MOST cost-efficient?
A. Create an Auto Scaling group to scale out based on average CPU usage.
B. Create an Amazon CloudFront distribution to pull static content from an Amazon S3 bucket.
C. Leverage Reserved Instances to add additional capacity at a significantly lower price.
D. Create a multi-region deployment using an Amazon Route 53 geolocation routing policy.
Answer: B

NO.382 After reviewing their logs, a startup company noticed large, random spikes in traffic to their
web application.
The company wants to configure a cost-efficient Auto Scaling solution to support high availability of
the web application. Which scaling plan should a Solutions Architect recommend to meet the
company's needs?
A. Dynamic
B. Scheduled
C. Manual
D. Lifecycle
Answer: A

NO.383 A company needs to deploy virtual desktops to its customers in a virtual private cloud,
leveraging existing security controls. Which set of AWS services and features will meet the company's
requirements?
A. Virtual private network connection, AWS Directory services, and ClassicLink
B. Virtual private network connection, AWS Directory services, and Amazon WorkSpaces
C. AWS Directory service, Amazon WorkSpaces, and AWS Identity and Access Management
D. Amazon Elastic Compute Cloud, and AWS identity and access management
Answer: B

NO.384 A company is using an Amazon S3 bucket located in us-west-2 to serve videos to their
customers. Their customers are located all around the world and the videos are requested a lot
during peak hours. Customers in Europe complain about experiencing slow download speeds, and
during peak hours, customers in all locations report experiencing HTTP 500 errors.
What can a Solutions Architect do to address these issues?
A. Place an elastic load balancer in front of the Amazon S3 bucket to distribute the load during peak
hours.
B. Cache the web content with Amazon CloudFront and use all Edge locations for content delivery.
C. Replicate the bucket in eu-west-1 and use an Amazon Route 53 failover routing policy to
determine which bucket it should serve the request to.
D. Use an Amazon Route 53 weighted routing policy for the CloudFront domain name to distribute
the GET request between CloudFront and the Amazon S3 bucket directly.
Answer: D

NO.385 An application tier currently hosts two web services on the same set of instances, listening
on different ports.
Which AWS service should a Solutions Architect use to route traffic to the service based on the
incoming request path?
A. AWS Application Load Balancer
B. Amazon CloudFront
C. Amazon Route 53
D. AWS Classic Load Balancer
Answer: A

NO.386 You have a database application running on two instances in Amazon EC2. This application
runs 24x7x365 and has a consistent and predictable workload. You want to choose the most
cost-effective pricing model. What kind of Amazon EC2 instances should you use?
A. Dedicated instances
B. On-demand instances
C. Reserved instances
D. Spot instances
Answer: C

NO.387 You have a content management system running on an Amazon EC2 instance that is
approaching 100% CPU utilization. Which option will reduce load on the Amazon EC2 instance?
A. Create a new load balancer, and register the Amazon EC2 instance with it
B. Create a CloudFront distribution, and configure the Amazon EC2 instance as the origin
C. Create an Auto Scaling group from the instance using the CreateAutoScalingGroup action
D. Create a launch configuration from the instance using the CreateLaunchConfiguration action
Answer: C

NO.388 How can software determine the public and private IP addresses of the Amazon EC2
instance that it is running on?
A. Use ipconfig or ifconfig command
B. Query the local instance metadata
C. Query the appropriate Amazon CloudWatch metric
D. Query the local instance userdata
Answer: B

NO.389 A media company asked a Solutions Architect to design a highly available storage solution
to serve as a centralized document store for their Amazon EC2 instances. The storage solution needs
to be POSIX-compliant, scale dynamically, and be able to serve up to 100 concurrent EC2 instances.
Which solution meets these requirements?
A. Create an Amazon S3 bucket and store all of the documents in this bucket.
B. Create an Amazon EBS volume and allow multiple users to mount that volume to their EC2
instance(s)
C. Use Amazon Glacier to store all of the documents
D. Create an Amazon Elastic File System (Amazon EFS) to store and share the documents.
Answer: D

NO.390 A business-critical MySQL database is running on an Amazon EC2 instance. Storage
performance and durability are important to the application.
Which volume type provides a persistent volume with single-digit millisecond latencies and sustained
IOPS performance?
A. Amazon EC2 instance store
B. Amazon EBS Cold HDD
C. Amazon EBS provisioned IOPS SSD
D. Amazon EBS General purpose SSD
Answer: A

NO.391 A company is evaluating Amazon S3 as a data storage solution for their daily analyst reports.
The company has implemented stringent requirements concerning the security of the data at rest.
Specifically, the CISO asked for the use of envelope encryption with separate permissions for the use
of an envelope key, automated rotation of the encryption keys, and visibility into when an encryption
key was used and by whom.
Which steps should a Solutions Architect take to satisfy the security requirements requested by the
CISO?
A. Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Customer-
Provided Keys (SSE-C)
B. Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Amazon
S3-Managed Keys (SSE-S3)
C. Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with AWS KMS-
Managed Keys (SSE-KMS)
D. Create an Amazon S3 bucket to store the reports and use Amazon S3 versioning with Server-Side
Encryption with Amazon S3-Managed Keys (SSE-S3)
Answer: C

NO.392 A Solutions Architect is designing an application that requires having six Amazon EC2
instances running at all times. The application will be deployed in the sa-east-1 region, which has
three Availability Zones: sa-east-1a, sa-east-1b, and sa-east-1c.
Which action will provide 100 percent fault tolerance and the LOWEST cost in the event that one
Availability Zone in the region becomes unavailable?
A. Deploy six Amazon EC2 instances in sa-east-1a, six Amazon EC2 instances in sa-east-1b, and six
Amazon EC2 instances in sa-east-1c.
B. Deploy six Amazon EC2 instances in sa-east-1a, four Amazon EC2 instances in sa-east-1b, and two
Amazon EC2 instances in sa-east-1c.
C. Deploy three Amazon EC2 instances in sa-east-1a, three Amazon EC2 instances in sa-east-1b, and
three Amazon EC2 instances in sa-east-1c.
D. Deploy two Amazon EC2 instances in sa-east-1a, two Amazon EC2 instances in sa-east-1b, and two
Amazon EC2 instances in sa-east-1c.
Answer: C

NO.393 When you put objects in Amazon S3, what is the indication that an object was successfully
stored?
A. An HTTP 200 result code and MD5 checksum, taken together, indicate that the operation was
successful
B. A success code is inserted into the S3 object metadata
C. Amazon S3 is engineered for 99.999999999% durability. Therefore there is no need to confirm that
data was inserted.
D. Each S3 account has a special bucket named _s3_logs. Success codes are written to this bucket
with a timestamp and checksum
Answer: A

NO.394 A mobile client requires data from several application-layer services to populate its user
interface. What can the application team use to decouple the client interface from the underlying
services behind them?
A. Application Load Balancer
B. Amazon API Gateway
C. Amazon Cognito
D. AWS Device Farm
Answer: C

NO.395 A company is running both their website and human resources (HR) application within the
same virtual private cloud (VPC). For company compliance and security reasons, the instances
running their HR application stack must not share hardware with other AWS customers. The website
owner wants to keep their infrastructure costs as low as possible. How can the company ensure that
all of the requirements are met within a single VPC?
A. Create the VPC with Dedicated tenancy, launch the HR instances in placement groups, and launch
the website instances in Shared tenancy
B. Create the VPC with dedicated tenancy, launch the HR instances in Default tenancy, and launch
the website instances in Shared tenancy
C. Create the VPC with Default tenancy, launch the HR instances in placement groups, and launch the
website instances in Shared tenancy
D. Create the VPC with default tenancy, launch the HR instances in Dedicated tenancy, and launch
the website instances in Shared tenancy
Answer: D

NO.396 You have been asked to design a fault-tolerant and scalable web application across three
availability zones.
The presentation logic will reside on web servers behind an ELB classic load balancer, and the
application logic will reside on a set of app servers behind a second load balancer. How should you
use auto scaling groups?
A. Deploy two Auto Scaling groups: one for the web servers in all Availability zones and one for the
app servers in all Availability zones
B. Deploy three auto scaling groups: one for each Availability zone that includes both web and app
servers
C. Deploy six auto scaling groups: a web server group in each Availability zone and an app server
group in each availability zone
D. Deploy one auto scaling group that includes all the web and app servers across all availability zones
Answer: B

NO.397 A Solutions Architect must select the storage type for a big data application that requires
very high sequential I/O. The data must persist if the instance is stopped. Which of the following
storage types will provide the best fit at the LOWEST cost for the application?
A. An Amazon EC2 instance store local SSD volume
B. An Amazon EBS provisioned IOPS SSD volume
C. An Amazon EBS throughput optimized HDD volume
D. An Amazon EBS general purpose SSD volume
Answer: D

NO.398 Your company has separate AWS accounts for development and production. Each developer
is assigned an IAM user in the development account. Developers occasionally need to access the
production account to roll out changes to that environment. Your company does not allow the
creation of IAM users in the production account.
What strategy will allow the development team to access the production account?
A. Create an IAM role in the production account. Allow IAM users in the development account to
assume the role.
B. Create an IAM group in the development account. Grant IAM users in the development account
membership in the group.
C. Create an IAM group in the production account. Grant IAM users in the development account
membership in the group.
D. Create an IAM role in the development account. Allow IAM users in the development account to
assume the role.
Answer: A

NO.399 An instance is launched into a VPC subnet with the network ACL configured to allow all
inbound traffic and deny all outbound traffic. The instance's security group is configured to allow SSH
from any IP address and deny all outbound traffic. What changes need to be made to allow SSH
access to the instance?
A. The outbound security group needs to be modified to allow outbound traffic
B. The outbound network ACL needs to be modified to allow outbound traffic
C. Both the outbound security group and outbound network ACL need to be modified to allow outbound
traffic
D. Nothing, it can be accessed from any IP using SSH
Answer: C

NO.400 A company is deploying a two tier, highly available web application to AWS. Which Service
provides durable storage for static content while utilizing lower overall CPU resources for the web
tier?
A. Amazon EBS volume
B. Amazon S3
C. Amazon EC2 instance store
D. Amazon RDS instance
Answer: B

NO.401 An organization must process a stream of large-volume hashtag data in real time and needs
to run custom SQL queries on the data to get insights on certain tags. The organization needs this
solution to be elastic and does not want to manage clusters.
Which of the following AWS services meets these requirements?
A. Amazon Elasticsearch Service
B. Amazon Athena
C. Amazon Redshift
D. Amazon Kinesis Data Analytics
Answer: B

NO.402 A Solutions Architect is designing a web application that will be hosted on Amazon EC2
instances in a public subnet. The web application uses a MySQL database in a private subnet. The
database should be accessible to database administrators. Which of the following options should the
Architect recommend? (Select TWO.)
A. Create a bastion host in a public subnet, and use the bastion host to connect to the database.
B. Log in to the web servers in the public subnet to connect to the database.
C. Perform DB maintenance after using SSH to connect to the NAT Gateway in a public subnet.
D. Create an IPSec VPN tunnel between the customer site and the VPC, and use the VPN tunnel to
connect to the database.
E. Attach an Elastic IP address to the database.
Answer: A
Explanation
It is best practice to place your database servers into a private subnet. By definition, a private subnet
in Amazon Web Services (AWS) is not reachable from the internet: no internet gateway is attached to it.
With properly configured security groups you restrict database access to only those (web) servers
that need it.
But that configuration makes managing the database servers more complicated, e.g. connecting
with SQL clients. Instead of putting your database instance into a public subnet, you can configure a
bastion host (aka jump box) to act as an intermediate server. The following picture gives you a
quick overview:
(figure: aws_architecture)

You place a small EC2 instance (e.g. t2.nano) into a public subnet within your VPC. After that you can
connect with e.g. PuTTY (for Windows) to establish an SSH connection and configure it to create an SSH
tunnel for the database port.
Please note your security group settings. The bastion host has inbound access on port 22 from your
source IP address only (allowing more sources is not recommended). The security group for the RDS
instance allows inbound access on port 3306 (for MySQL), restricted to the security groups that need
access to the database server (in our case, the bastion host). With that configuration you limit
database access to the minimum needed.
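As an added example (not from the original page or any AWS tool), the following Python check takes security groups in the shape returned by EC2 DescribeSecurityGroups and reports deviations from the layout just described: the bastion admits SSH from one host address only, and the database group admits 3306 only from the bastion's security group. The group ids and addresses in the sample data are constructed placeholders.

```python
import ipaddress


def _is_single_port(rule, port):
    """True only when the rule is exactly TCP `port` (not all-traffic, not a range)."""
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == port and rule.get("ToPort") == port)


def _cidr_sources(rule):
    """All IPv4/IPv6 CIDR sources of one inbound rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def check_bastion_pattern(groups, bastion_sg_id, db_sg_id, db_port=3306):
    """Return a list of findings; an empty list means the groups match the text."""
    by_id = {g["GroupId"]: g for g in groups}
    findings = []

    # Bastion: only TCP/22, from exactly one single-host address.
    bastion_sources = []
    for rule in by_id[bastion_sg_id].get("IpPermissions", []):
        if not _is_single_port(rule, 22):
            findings.append("bastion: inbound rule is broader than TCP/22")
        for cidr in _cidr_sources(rule):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"bastion: SSH open to {cidr}, expected a single-host CIDR")
            bastion_sources.append(cidr)
        bastion_sources += [p["GroupId"] for p in rule.get("UserIdGroupPairs", [])]
    if len(bastion_sources) != 1:
        findings.append(f"bastion: {len(bastion_sources)} SSH sources, expected exactly 1")

    # Database: only TCP/db_port, and only from the bastion's security group.
    for rule in by_id[db_sg_id].get("IpPermissions", []):
        if not _is_single_port(rule, db_port):
            findings.append(f"db: inbound rule is broader than TCP/{db_port}")
        for cidr in _cidr_sources(rule):
            findings.append(f"db: port {db_port} open to CIDR {cidr} instead of the bastion group")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] != bastion_sg_id:
                findings.append(f"db: port {db_port} open to group {pair['GroupId']}")
    return findings


# Constructed sample groups (placeholder ids and addresses, not from any real account).
GOOD_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}]},
]
WEAK_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
]

if __name__ == "__main__":
    for name, groups in (("good", GOOD_GROUPS), ("weak", WEAK_GROUPS)):
        print(name, check_bastion_pattern(groups, "sg-bastion", "sg-db") or ["ok"])
```

The same function can be pointed at the real output of `describe_security_groups` for an account's bastion and database groups.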
Configuring PuTTY
First, enter the hostname as ec2-user@ followed by the public IP address of your bastion host:
(image: putty1)
After that you define your private key for authentication:
(image: putty2)
In the last step you enter the SSH tunnel settings for your database instance. In this example we
create a tunnel from port 3306 on your local computer to port 3306 on the RDS instance host (DNS
name). This is possible because the bastion host and the database instance are placed within the
same VPC and the routing table allows communication between both subnets.
(image: putty3)
After establishing the PuTTY connection we can connect to our database on localhost, port 3306:
(image: dbweaver1)
Making it more convenient ...
This is all fine, but we can make it even more convenient. One solution is to place all PuTTY settings into a
batch file:
@ECHO OFF
SET PUTTY_EXE=C:\Putty\putty.exe
start %PUTTY_EXE% ec2-user@18.197.56.5 -i d:\my_private_key.ppk -L 3306:demo.abc.eu-central-1.rds.amazonaws.com:3306
After saving it to a batch file we can start the SSH tunnel with a double-click.
Another solution depends on your SQL client. In some clients, e.g. DBeaver or MySQL Workbench, you
can configure a TCP connection over SSH directly, so everything is configured in that client:
no PuTTY configuration or batch file needs to be started.
(image: mysql_workbench)

Be sure to select "Standard TCP/IP over SSH" and the correct private key format.

NO.403 Which requirements must be met in order for a Solutions Architect to specify that an
Amazon EC2 instance should stop rather than terminate when its Spot Instance is interrupted?
(Choose two.)
A. The Spot Instance request type must be one-time.
B. The Spot Instance request type must be persistent.
C. The root volume must be an Amazon EBS volume.
D. The root volume must be an instance store volume.
E. The launch configuration is changed.
Answer: B C

NO.404 A Solutions Architect needs to design a solution that will enable a security team to detect,
review and perform root cause analysis of security incidents that occur in a cloud environment. The
Architect must provide a centralized view of all API calls for current and future AWS regions.
How should the Architect accomplish this task?
A. Enable AWS CloudTrail logging in each individual region. Repeat this for all future regions.
B. Enable Amazon CloudWatch logs for all AWS services across all regions and aggregate them in a
single Amazon S3 bucket
C. Enable AWS Trusted Advisor security checks and report all security incidents for all regions.
D. Enable AWS CloudTrail by creating a new trail and apply the trail to all regions
Answer: D

NO.405 A Solutions Architect is designing a solution to monitor weather changes by the minute. The
frontend application is hosted on Amazon EC2 instances. The backend must be scalable to a virtually
unlimited size, and data retrieval must occur with minimal latency.
Which AWS service should the Architect use to store the data and achieve these requirements?
A. Amazon S3
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon EBS
Answer: A

NO.406 You have created an API powered by API Gateway and AWS Lambda. Because of a new
feature release, you expect traffic volume on your API to increase 10-fold. Which configuration
should you use?
A. Use one Lambda function with API gateway as the trigger. Increase the amount of memory
configured for the lambda function
B. Use one Lambda function with API gateway as the trigger. AWS Lambda will allocate capacity to
match the rate of incoming events
C. Use multiple API Gateway endpoints, each triggering a Lambda function. You are charged per call,
not per endpoint
D. Use multiple copies of the Lambda function, each with API gateway as the trigger. You are charged
per request, not per function
Answer: A

NO.407 You are building an automated transcription service in which Amazon EC2 worker instances
process an uploaded audio file and generate a text file. You must store both of these files in the same
durable storage until the text file is retrieved. You do not know what the storage capacity
requirements are. Which storage option is both cost-efficient and scalable?
A. Multiple instance stores
B. A single Amazon S3 bucket
C. Multiple Amazon EBS volumes with snapshots
D. A single Amazon Glacier vault
Answer: C

NO.408 You are architecting a web application that will be backed by a relational database. The
application will be read-heavy, and database queries will be computationally intensive.
How can you improve overall application response for users?
A. Use AWS Data Pipeline to replicate your relational data across all of your web tier nodes
B. Use Amazon SQS to distribute messages among workers that are less busy
C. Use ElastiCache to store critical pieces of data in memory for low-latency access
D. Use an Auto Scaling group and ELB Classic Load Balancer for the application tier
Answer: A

NO.409 A customer wants to track access to their Amazon Simple Storage Service (S3) buckets and
also use this information for their internal security and access audits. Which of the following will
meet the customer's requirement?
A. Enable AWS CloudTrail to audit all Amazon S3 bucket access.
B. Enable server access logging for all required Amazon S3 buckets.
C. Enable the Requester Pays option to track access via AWS Billing
D. Enable Amazon S3 event notifications for Put and Post.
Answer: B

NO.410 A Solutions Architect is designing a solution that must store and retrieve session data and
JSON documents.
The solution must provide high availability, strong consistency, and data durability. Which solution
meets these requirements?
A. Amazon EBS volume with Provisioned IOPS
B. Amazon EC2 instance store
C. Amazon SQS
D. Amazon DynamoDB table
Answer: C
