Amazon SAA-C03 Exam Practice Test Instant Access

Question 1

A company has an application that runs on Amazon EC2 instances within a private subnet in a VPC. The instances access data in an Amazon S3 bucket in the same AWS Region. The VPC contains a NAT gateway in a public subnet to access the S3 bucket. The company wants to reduce costs by replacing the NAT gateway without compromising security or redundancy.

Which solution meets these requirements?

AReplace the NAT gateway with a NAT instance.

BReplace the NAT gateway with an internet gateway.

CReplace the NAT gateway with a gateway VPC endpoint.

DReplace the NAT gateway with an AWS Direct Connect connection.

Answer : C

A VPC gateway endpoint for Amazon S3 enables private connectivity to S3 without routing traffic through a NAT gateway or over the internet, eliminating NAT gateway costs. This solution is secure and redundant, as S3 endpoints are highly available by design.

AWS Documentation Extract:

'A gateway VPC endpoint enables you to privately connect your VPC to supported AWS services without requiring a NAT gateway or internet gateway.'

(Source: Amazon VPC documentation, Gateway Endpoints)

A: NAT instances still incur operational overhead and costs.

B: Internet gateway exposes resources and does not provide private access.

D: Direct Connect is for hybrid networking, not for cost-efficient S3 access.

Question 2

A company hosts a website analytics application on a single Amazon EC2 On-Demand Instance. The analytics software is written in PHP and uses a MySQL database. The analytics software, the web server that provides PHP, and the database server are all hosted on the EC2 instance. The application is showing signs of performance degradation during busy times and is presenting 5xx errors. The company needs to make the application scale seamlessly.

Which solution will meet these requirements MOST cost-effectively?

AMigrate the database to an Amazon RDS for MySQL DB instance. Create an AMI of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use an Application Load Balancer to distribute the load to each EC2 instance.

BMigrate the database to an Amazon RDS for MySQL DB instance. Create an AMI of the web application. Use the AMI to launch a second EC2 On-Demand Instance. Use Amazon Route 53 weighted routing to distribute the load across the two EC2 instances.

CMigrate the database to an Amazon Aurora MySQL DB instance. Create an AWS Lambda function to stop the EC2 instance and change the instance type. Create an Amazon CloudWatch alarm to invoke the Lambda function when CPU utilization surpasses 75%.

DMigrate the database to an Amazon Aurora MySQL DB instance. Create an AMI of the web application. Apply the AMI to a launch template. Create an Auto Scaling group with the launch template Configure the launch template to use a Spot Fleet. Attach an Application Load Balancer to the Auto Scaling group.

Answer : D

Migrate the database to Amazon Aurora MySQL - this will let the DB scale on it's own; it'll scale automatically without needing adjustment. Create AMI of the web app and using a launch template - this will make the creating of any future instances of the app seamless. They can then be added to the auto scaling group which will save them money as it will scale up and down based on demand. Using a spot fleet to launch instances- This solves the 'MOST cost-effective' portion of the question as spot instances come at a huge discount at the cost of being terminated at any time Amazon deems fit. I think this is why there's a bit of disagreement on this. While it's the most cost effective, it would be a terrible choice if amazon were to terminate that spot instance during a busy period.

Question 3

A solutions architect is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The solutions architect must make the file system accessible to each instance with the lowest possible latency.

Which solution will meet these requirements?

ACreate a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.

BCreate a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.

CCreate a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.

DCreate a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.

Answer : D

Amazon EFS requires a mount target in each Availability Zone where EC2 instances access the file system. This is because each mount target provides an elastic network interface in the subnet and AZ, reducing network latency by allowing EC2 instances to communicate locally with the EFS mount target. Creating a mount target in each AZ optimizes file system access performance and availability. Instances mount the EFS file system via the mount target in their respective AZ, which provides the lowest possible latency and avoids cross-AZ traffic.

Option A, with only a single mount target in the VPC, will cause cross-AZ traffic for instances in other AZs, increasing latency and potentially incurring data transfer costs. Option B is incomplete and introduces complexity with sharing directories across instances. Option C is invalid because mount targets are per AZ and per subnet, not per instance.

Amazon EFS Overview (https://docs.aws.amazon.com/efs/latest/ug/whatisefs.html)

Creating Mount Targets (https://docs.aws.amazon.com/efs/latest/ug/manage-fs-access.html#creating-mount-targets)

AWS Well-Architected Framework --- Performance Efficiency Pillar (https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf)

Question 4

A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center. The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center.

Which solution will meet these requirements with the LEAST administrative overhead?

AProvision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.

BProvision an Amazon Route 53 private hosted zone. Configure NS records that point to on-premises DNS servers.

CCreate DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.

DProvision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.

Answer : C

Amazon Route 53 Resolver endpoints allow you to integrate DNS between AWS and on-premises environments easily. By creating inbound and outbound resolver endpoints, you can configure conditional forwarding rules so that DNS queries for your on-premises AD domain are forwarded to the on-premises DNS servers. This approach is fully managed, scales automatically, and requires the least administrative overhead.

AWS Documentation Extract:

'Route 53 Resolver provides DNS resolution between AWS and on-premises environments, using endpoints and forwarding rules to manage DNS query routing seamlessly.'

(Source: Route 53 Resolver documentation)

A, D: Require provisioning, managing, and patching EC2 servers or domain controllers.

B: NS records in a private hosted zone do not provide true DNS forwarding.

Question 5

A company wants to configure its Amazon CloudFront distribution to use SSL/TLS certificates. The company does not want to use the default domain name for the distribution. Instead, the company wants to use a different domain name for the distribution.

Which solution will deploy the certificate with icurring any additional costs?

ARequest an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-east-1 Region

BRequest an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.

CRequest an Amazon issued public certificate from AWS Certificate Manager (ACU) in the us-east-1 Region

DRequest an Amazon issued public certificate from AWS Certificate Manager (ACU) in the us-west-1 Regon.

Answer : C

This option is the most efficient because it requests an Amazon issued public certificate from AWS Certificate Manager (ACM), which is a service that lets you easily provision,manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources1.It also requests the certificate in the us-east-1 Region, which is required for using an ACM certificate with CloudFront2.It also meets therequirement of deploying the certificate without incurring any additional costs, as ACM does not charge for certificates that are used with supported AWS services3. This solution meets the requirement of configuring its CloudFront distribution to use SSL/TLS certificates and using a different domain name for the distribution. Option A is less efficient because it requests an Amazon issued private certificate from ACM, which is a type of certificate that can be used only within your organization or virtual private cloud (VPC). However, this does not meet the requirement of configuring its CloudFront distribution to use SSL/TLS certificates, as CloudFront requires a public certificate. It also requests the certificate in the us-east-1 Region, which is correct. Option B is less efficient because it requests an Amazon issued private certificate from ACM, which is incorrect for the same reason as option A. It also requests the certificate in the us-west-1 Region, which is incorrect as CloudFront requires a certificate in the us-east-1 Region. Option D is less efficient because it requests an Amazon issued public certificate from ACM, which is correct. However, it requests the certificate in the us-west-1 Region, which is incorrect as CloudFront requires a certificate in the us-east-1 Region.

Question 6

A company is conducting an internal audit. The company wants to ensure that the data in an Amazon S3 bucket that is associated with the company's AWS Lake Formation data lake does not contain sensitive customer or employee dat

a. The company wants to discover personally identifiable information (Pll) or financial information, including passport numbers and credit card numbers.

Which solution will meet these requirements?

AConfigure AWS Audit Manager on the account. Select the Payment Card Industry Data Security Standards (PCI DSS) for auditing.

BConfigure Amazon S3 Inventory on the S3 bucket. Configure Amazon Athena to query the inventory.

CConfigure Amazon Macie to run a data discovery job that uses managed identifiers for the required data types.

DUse Amazon S3 Select to run a report across the S3 bucket.

Answer : C

Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS. Macie can run data discovery jobs that use managed identifiers for various types of PII or financial information, such as passport numbers and credit card numbers. Macie can also generate findings that alert you to potential issues or risks with your data.Reference:https://docs.aws.amazon.com/macie/latest/userguide/macie-identifiers.html

Question 7

A solutions architect is designing a multi-tier application for a company. The application's users upload images from a mobile device. The application generates a thumbnail of each image and returns a message to the user to confirm that the image was uploaded successfully.

The thumbnail generation can take up to 60 seconds, but the company wants to provide a faster response time to its users to notify them that the original image was received. The solutions architect must design the application to asynchronously dispatch requests to the different application tiers.

What should the solutions architect do to meet these requirements?

AWrite a custom AWS Lambda function to generate the thumbnail and alert the user. Use the image upload process as an event source to invoke the Lambda function.

BCreate an AWS Step Functions workflow Configure Step Functions to handle the orchestration between the application tiers and alert the user when thumbnail generation is complete

CCreate an Amazon Simple Queue Service (Amazon SQS) message queue. As images are uploaded, place a message on the SQS queue for thumbnail generation. Alert the user through an application message that the image was received

DCreate Amazon Simple Notification Service (Amazon SNS) notification topics and subscriptions Use one subscription with the application to generate the thumbnail after the imageupload is complete. Use a second subscription to message the user's mobile app by way of a push notification after thumbnail generation is complete.

Answer : C

This option is the most efficient because it uses Amazon SQS, which is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available1. It also uses an SQS message queue to asynchronously dispatch requests to the different application tiers, which decouples the image upload process from the thumbnail generation process and enables scalability and reliability. It also alerts the user through an application message that the image was received, which provides a faster response time to the user than waiting for the thumbnail generation to complete. Option A is less efficient because it uses a custom AWS Lambda function to generate the thumbnail and alert the user, which is a way to run code without provisioning or managing servers. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses the image upload process as an event source to invoke the Lambda function, which could cause concurrency issues if there are many images uploaded at once.Option B is less efficient because it uses AWS Step Functions, whichis a fully managed service that provides a graphical console to arrange and visualize the components of your application as a series of steps2. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses Step Functions to handle the orchestration between the application tiers and alert the user when thumbnail generation is complete, which could introduce additional complexity and latency.Option D is less efficient because it uses Amazon SNS, which is a fully managed messaging service that enables you to send messages or notifications directly to users with SMS text messages or email3. However, this does not use an asynchronous dispatch mechanism to separate the image upload process from the thumbnail generation process. It also uses SNS notification topics and subscriptions to generate the thumbnail after the image upload is complete and message the user's mobile app by way of a push notification after thumbnail generation is complete, which could introduce additional complexity and latency.

Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam Practice Test