Free Amazon Web Services SAA-C03 Practice Exam with Questions & Answers | Set: 5

Windows file server is on-premise and we need something to replicate the data to the cloud, the only option we have is AWS FSx for Windows File Server. Also, since the information is confidential and sensitive, we also want to make sure that the appropriate users have access to it in a secure manner.https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.html

https://aws.amazon.com/ec2/dedicated-hosts/ Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS.

Lambda server-less is scalable and elastic than EC2 api gateway solution

Understanding the Requirement: The application running on EC2 instances in private subnets needs frequent access to large confidential files stored in S3, minimizing data transfer costs.

Analysis of Options:

Gateway Endpoint for S3: Provides a secure, scalable, and cost-effective way for instances in private subnets to access S3 without using the internet or NAT gateways, thus minimizing data transfer costs.

Single NAT Gateway: Incurs additional costs for data transfer through the NAT gateway, which is not cost-effective.

PrivateLink Interface Endpoint for S3: Primarily used for accessing AWS services over a private connection but is more complex and costly compared to a gateway endpoint for S3.

Multiple NAT Gateways: Increases costs significantly and adds complexity without offering the cost benefits of a gateway endpoint.

Best Solution:

Gateway Endpoint for S3: This solution provides the required access with the least data transfer costs and minimal complexity.

A solutions architect should recommend option A, which is to configure AWS WAF rules and associate them with the ALB. This will allow the company to apply traffic filtering at the application layer, which is necessary for protecting the ALB against common application-level attacks such as cross-site scripting or SQL injection. AWS WAF is a managed service that makes it easy to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. The company can easily manage and update the rules to ensure the security of its application.

This option is the most efficient because it uses API usage plans and API keys, which are features of Amazon API Gateway that allow you to control who can access your API and how much and how fast they can access it1. It also implements API usage plans and API keys to limit the access of users who do not have a subscription, which enables you to create different tiers ofaccess for your API and charge users accordingly. This solution meets the requirement of updating the application so that only users who have a subscription can access premium content. Option A is less efficient because it uses API caching and throttling on the API Gateway API, which are features of Amazon API Gateway that allow you to improve the performance and availability of your API and protect your backend systems from traffic spikes2. However, this does not provide a way to limit the access of users who do not have a subscription. Option B is less efficient because it uses AWS WAF on the API Gateway API, which is a web application firewall service that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources3. However,this does not provide a way to limit the access of users who do not have a subscription. Option C is less efficient because it uses fine-grained IAM permissions to the premium content in the DynamoDB table, which are permissions that allow you to control access to specific items or attributes within a table4. However, this does not provide a way to limit the access of users who do not have a subscription at the API level.

https://aws.amazon.com/rds/features/backup/

Automated backups, will meet the requirement. Amazon RDS allows you to automatically create backups of your DB instance. Automated backups enable point-in-time recovery (PITR) for your DB instance down to a specific second within the retention period, which can be up to 35 days. By setting the retention period to 30 days, the company can restore the database to its state from up to 5 minutes before any change within the last 30 days.

This option is the most efficient because it uses Amazon SQS, which is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available1. It also uses an SQS message queue to asynchronously dispatch requests to the different application tiers, which decouples the image upload process from the thumbnail generation process and enables scalability and reliability. It also alerts the user through an application message that the image was received, which provides a faster response time to the user than waiting for the thumbnail generation to complete. Option A is less efficient because it uses a custom AWS Lambda function to generate the thumbnail and alert the user, which is a way to run code without provisioning or managing servers. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses the image upload process as an event source to invoke the Lambda function, which could cause concurrency issues if there are many images uploaded at once. Option B is less efficient because it uses AWS Step Functions, whichis a fully managed service that provides a graphical console to arrange and visualize the components of your application as a series of steps2. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses Step Functions to handle the orchestration between the application tiers and alert the user when thumbnail generation is complete, which could introduce additional complexity and latency. Option D is less efficient because it uses Amazon SNS, which is a fully managed messaging service that enables you to send messages or notifications directly to users with SMS text messages or email3. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses SNS notification topics and subscriptions to generate the thumbnail after the image upload is complete and message the user’s mobile app by way of a push notification after thumbnail generation is complete, which could introduce additional complexity and latency.

This option is the most efficient because it uses a predictive scaling policy for the Auto Scaling group, which isa type of scaling policy that uses machine learning to predict capacity requirements based on historical data from CloudWatch1. It also configures the policy to scale based on forecast, which enables the Auto Scaling group to adjust its capacity in advance of trafficchanges. It also sets the scaling metric to CPU utilization and the target value for the metric to 60%, which aligns with the baseline CPU utilization that is noted on each run. It also sets the instances to pre-launch 30 minutes before the jobs run, which ensures that enough capacity is provisioned before the weekly scripted batch jobs start. This solution meets the requirement of provisioning the capacity 30 minutes before the jobs run with the leastoperational overhead. Option A is less efficient because it uses a dynamic scaling policy for the Auto Scaling group, which is a type of scaling policy that adjusts your Auto Scaling group’s capacity in response to changing demand2. However, this does not provide a way to provision the capacity 30 minutes before the jobs run, as it only reacts to changing traffic. Option B is less efficientbecause it uses a scheduled scaling policy for the Auto Scaling group, which is a type of scaling policy that lets you scale your Auto Scaling group based on a schedule that you create3. However, this does not provide a way to scale based on forecast or CPU utilization, as it only scales based on predefined metrics and policies. Option D is less efficient because it uses an Amazon EventBridge event to invoke an AWS Lambda function when the CPU utilization metric value for the Auto Scaling group reaches 60%, which is a way to trigger serverless functions based on events. However, this does not provide a way to provision the capacity 30 minutes before the jobs run, as it only reacts to changing traffic.

Understanding the Requirement: The company has petabytes of data in S3 Standard across multiple buckets with varying access frequencies. They do not know the access patterns and need a cost-optimized storage solution with minimal operational effort.

Analysis of Options:

S3 Intelligent-Tiering: This storage class automatically moves data between two access tiers (frequent and infrequent) based on changing access patterns. It incurs a small monitoring and automation charge but eliminates the need to manually move data between storage classes.

S3 Storage Class Analysis Tool: While useful for determining access patterns, this tool requires manual intervention to move objects to the appropriate storage class, which increases operational overhead.

S3 Glacier Instant Retrieval: This storage class is designed for data that is rarely accessed but requires instant retrieval when needed. It may not be suitable for data with unknown and varying access patterns.

S3 One Zone-IA: This is a lower-cost option for infrequently accessed data stored in a single availability zone. It does not provide the same level of durability and availability as other options and requires knowledge of access patterns.

Best Option for Operational Efficiency:

S3 Intelligent-Tiering provides the best balance of cost savings and operational efficiency. It dynamically adjusts to access patterns without manual intervention, ensuring the company is only paying for what they need without the risk of incurring high costs for infrequent access data.

RDS supported Storage > https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html GP2 max IOPS >https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/general-purpose.html#gp2-performance

Amazon RDS provides three storage types: General Purpose SSD (also known as gp2 and gp3), Provisioned IOPS SSD (also known as io1), and magnetic (also known as standard).They differ in performance characteristics and price, which means that you can tailor your storage performance and cost to the needs of your database workload. You can create MySQL,MariaDB, Oracle, and PostgreSQL RDS DB instances with up to 64 tebibytes (TiB) of storage. You can create SQL Server RDS DB instances with up to 16 TiB of storage. For this amount of storage, use the Provisioned IOPS SSD and General Purpose SSD storage types.https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Storage.html

Understanding the Requirement: The company wants to cost-optimize their workload that uses EC2, Lambda, Fargate, and SageMaker, covering the most services with the fewest savings plans.

Analysis of Options:

EC2 Instance Savings Plan: Limited to EC2 and SageMaker, missing coverage for Lambda and Fargate.

Compute Savings Plan: Provides the most flexibility, covering a broad range of compute services, including EC2, Lambda, Fargate, and SageMaker.

SageMaker Savings Plan: Specifically for SageMaker, missing coverage for EC2, Lambda, and Fargate.

Combination of plans: The Compute Savings Plan is versatile and can be combined to cover different services efficiently.

Best Solution:

Compute Savings Plan for EC2, Lambda, and SageMaker: Covers the primary compute services efficiently.

Compute Savings Plan for Lambda, Fargate, and EC2: Covers the remaining services, ensuring broad coverage with minimal plans.

This answer is correct because it meets the requirements of transitioning to an event-driven architecture, using serverless concepts, and minimizing operational overhead. AWS Step Functions is a serverless service that lets you coordinate multiple AWS services into workflows using state machines. State machines are composed of tasks and transitions that define the logic and order of execution of the workflow steps. AWS Lambda is a serverless function-as-a-service platform that lets you run code without provisioning or managing servers. Lambda functions can be invoked by Step Functions as tasks in a state machine, and can perform different aspects of the data management workflow, such as data ingestion, transformation, validation, and analysis. By using Step Functions and Lambda, the company can benefit from the following advantages:

Event-driven: Step Functions can trigger Lambda functions based on events, such as timers, API calls, or other AWS service events. Lambda functions can also emit events to other services or state machines, creating an event-driven architecture.

Serverless: Step Functions and Lambda are fully managed by AWS, so the company does not need to provision or manage any servers or infrastructure. The company only pays for the resources consumed by the workflows and functions, and can scale up or down automatically based on demand.

Operational overhead: Step Functions and Lambda simplify the development and deployment of workflows and functions, as they provide built-in features such as monitoring, logging, tracing, error handling, retry logic, and security. The company can focus on the business logic and data processing rather than the operational details.

Understanding the Requirement: The company wants to restrict each application to its specific prefix in an S3 bucket and have granular control over the objects under each prefix.

Analysis of Options:

Dedicated S3 Access Points: Provides a scalable and flexible way to manage access to S3 buckets, allowing specific policies to be attached to each access point, thereby controlling access at the prefix level.

S3 Batch Operations: Suitable for large-scale changes but involves more operational overhead and does not dynamically control future access.

Replication to new S3 buckets: Involves unnecessary duplication of data and increased storage costs, and operational overhead for managing multiple buckets.

Combination of replication and access points: Adds unnecessary complexity and overhead compared to using access points directly.

Best Solution:

Dedicated S3 Access Points: This provides the least operational overhead while meeting the requirements for prefix-level access control and granular management.

https://aws.amazon.com/blogs/security/rotate-amazon-rds-database-credentials-automatically-with-aws-secrets-manager/

Understanding the Requirement: The company needs programmatic access to its AWS usage costs for the current year and cost forecasts for the next 12 months, with minimal operational overhead.

Analysis of Options:

AWS Cost Explorer API: Provides programmatic access to detailed usage and cost data, including forecast costs. It supports pagination for handling large datasets, making it an efficient solution.

Downloadable AWS Cost Explorer report csv files: While useful, this method requires manual handling of files and does not provide real-time access.

AWS Budgets actions via FTP: This is less suitable as it involves setting up FTP transfers and does not provide the same level of detail and real-time access as the API.

AWS Budgets reports via SMTP: Similar to FTP, this method involves additional setup and lacks the real-time access and detail provided by the API.

Best Option for Minimal Operational Overhead:

AWS Cost Explorer API provides direct, programmatic access to cost data, including detailed usage and forecasting, with minimal setup and operational effort. It is the most efficient solution for integrating cost data into an operational cost dashboard.

Understanding the Requirement: The company needs to migrate applications to AWS, maintaining isolated networks while allowing communication with a shared services VPC and among the applications.

Analysis of Options:

Software VPN Tunnels: This approach involves high administrative overhead and complexity in managing multiple VPN connections.

VPC Peering: While suitable for smaller numbers of VPCs, it becomes complex and hard to manage at scale with over 100 applications.

Direct Connect: Primarily used for high-bandwidth, low-latency connections to on-premises networks, not inter-VPC communication.

Transit Gateway: Simplifies network management by acting as a central hub, allowing easy routing and scalability as more applications are migrated.

Best Solution:

Transit Gateway: This provides a scalable, efficient solution with minimal administrative overhead for managing network connections between multiple VPCs and the shared services VPC.

Understanding the Requirement: The company needs to mitigate DDoS attacks on its website, which uses AWS Global Accelerator to route traffic to an Application Load Balancer (ALB).

Analysis of Options:

AWS WAF on Global Accelerator: Allows for centralized protection and can block traffic based on rate-based rules, effectively mitigating DDoS attacks with minimal implementation effort.

Lambda Function and VPC Network ACL: Requires custom implementation and ongoing management, increasing complexity and effort.

AWS WAF on ALB: Provides protection but involves additional configuration and management at the ALB level.

CloudFront Distribution in front of Global Accelerator: Adds unnecessary complexity and changes the current traffic flow setup.

Best Solution:

AWS WAF on Global Accelerator: This provides the required protection with the least implementation effort, ensuring effective DDoS mitigation and maintaining the existing architecture.

Understanding the Requirement: The application running on EC2 instances in a private subnet needs to process sensitive information from an S3 bucket without using the internet.

Analysis of Options:

Internet Gateway: This would expose the application to the internet, which is not suitable for accessing sensitive information securely.

VPN Connection: VPN is primarily used for secure connections between on-premises networks and AWS VPCs, not for direct S3 access within the same VPC.

NAT Gateway: This allows instances in a private subnet to connect to the internet, but the goal is to avoid internet access.

VPC Endpoint: Provides a private connection between the VPC and S3 without using the internet, ensuring secure access to the S3 bucket.

Best Solution:

VPC Endpoint: Configuring a VPC endpoint allows secure, private communication between the EC2 instances and the S3 bucket without using the internet, ensuring data security and compliance.

Requirement Analysis: The goal is to migrate from Microsoft SQL Server to Amazon Aurora PostgreSQL with minimal application code changes.

Babelfish for Aurora PostgreSQL: Babelfish allows Aurora PostgreSQL to understand SQL Server queries natively, reducing the need for application code changes.

AWS Schema Conversion Tool (SCT): This tool helps in converting the database schema from SQL Server to PostgreSQL.

AWS Database Migration Service (DMS): DMS can be used to migrate data from SQL Server to Aurora PostgreSQL seamlessly.

Combined Approach: Enabling Babelfish addresses the SQL query compatibility, while SCT and DMS handle the schema and data migration.

References

Babelfish for Aurora PostgreSQL:Babelfish Documentation

AWS SCT and DMS:AWS Database Migration Service