AWS Certified Solutions Architect – Professional

1) You need to improve performance of queries to your DynamoDB table. The most common queries do not use the partition key. What should you do?
Create a Global Secondary Index with the most common queried attribute as the hash key
Create a Local Secondary Index with the most common queried attribute as the partition key
Create a Global Secondary Index with the most common queried attribute as the range key
Increase the RCU and WCU for the table
Create a Local Secondary Index with the most common queried attribute as the sort key

Correct Answer: Create a Global Secondary Index with the most common queried attribute as the hash key

2) Considering consistency models, which statements taken by themselves are incorrect? (Choose 2)
Lazy writes are an attribute of perpetual consistency.
Eventual consistency could result in stale data.
Availability is usually more important than consistency.
Row locking attempts to ensure consistency by keeping updates atomic.

Correct Answer: Lazy writes are an attribute of perpetual consistency.

.Availability is usually more important than consistency..

3) What DynamoDB features can be utilised to increase the speed of read operations? (Choose 2)
DynamoDB Accelerator (DAX)
Encryption at Rest
Streams
Secondary Indexes

Correct Answer: DynamoDB Accelerator (DAX).Secondary Indexes.

4) Amazon Elasticache can fulfil a number of roles. Choose the operations from the following list which can be implemented using Elasticache for Redis. (Choose 3)
Relational Data Store
In-Memory Data Store
Pub/Sub
Sorted Sets

Correct Answer: In-Memory Data Store.

Pub/Sub.

Sorted Sets.

5) Which of these database approaches would be best for storing and analyzing the complex interpersonal relationships of people involved in organized crime. (Choose 2)
DynamoDB
Redshift
Elasticache
Database on EC2
S3
Neptune

Correct Answer: Database on EC2

.Neptune.

6) In the Lab for this chapter, what was the city with the highest average ozone levels on October 9, 2018?
Tulare
Freso
Savanah
Phoenix
Mercer

Correct Answer: Tulare

7) Which of the following data formats does Amazon Athena support? (Choose 3)
Apache Parquet
Apache ORC
XML
JSON

Correct Answer: Apache Parquet.

Apache ORC.

JSON.

8) You have decided to use EFS for sharing files across many EC2 instances and you want to be able to tolerate an AZ failure. You should:
Create EFS mount targets in each AZ and configure each EC2 instance to mount its local AZ mount target FQDN
Create EFS shares in each AZ and configure each EC2 instance to mount the share in its local AZ via the FQDN
Create EFS mount targets in each AZ and configure each EC2 instance to mount the common mount target FQDN
Configure EFS File Sync agent on the EC2 instances
Do nothing as EFS is already multi-AZ

Correct Answer: Create EFS mount targets in each AZ and configure each EC2 instance to mount the common mount target FQDN

9) Via CLI, you try to fetch some metadata from a file from an S3 bucket but get back 404 Not Found. You then realize the mistake and upload the file. Immediately after the upload, you try again to fetch the metadata. What are potential outcomes we might expect and why? (Choose 2)
Because the initial upload command creates an ETag header only, we will not receive back any metadata.
Because the upload is not propagated fully, we will receive a 404 Not Found.
Because we did not use multi-part upload, we will not receive back metadata.
We will receive back the requested metadata.
Because the upload is not yet complete, we will receive a 404 Not Found.

Correct Answer: Because the upload is not propagated fully, we will receive a 404 Not Found.

.We will receive back the requested metadata..

10) Which of the following are considered attributes of the ACID compliance model? (Choose 3)
Atomic
Immutable
Consistent
Durable
Available
Persistent

Correct Answer: Atomic.Consistent.Durable.

11) As part of your disaster recovery preparation, you have decided to maintain a replica of your on-site data on AWS S3 using Storage Gateway. Which mode should you use?
Volume Gateway Cached Mode
Gateway Transfer Mode
Gateway Stored Volume Mode
Gateway Cached Volume Mode
Tape Gateway

Correct Answer: Gateway Stored Volume Mode

12) You are trying to decide on what product you should select for your in-memory cache needs. You require support for encryption. Which should you choose?
DynamoDB
ElastiCache Cluster
ElastiCache Redis
Elastic Map Reduce
ElastiCache Memcached

Correct Answer: ElastiCache Redis

13) You are architecting a complex application landscape that values fast disk I/O for EC2 instances above everything else. Which storage option would you choose?
EBS
EFS
Instance Store
S3
IOPS

Correct Answer: Instance Store

14) __ is an immutable way to set policies on a Glacier vault such as retention or enforcing MFA before delete.
Glacier Data Policy
Glacier Vault Lock
Bucket Policy
Vault Security Policy
Identity Access Management Policy

Correct Answer: Glacier Vault Lock

15) You notice that you cannot ping an EC2 instance that you recently started in a public subnet. What could be the problem?
The security group does not allow inbound ICMP traffic.
The security group does not allow inbound TCP traffic.
The NACL does not allow outbound TCP traffic.
The NACL does not allow inbound UDP traffic.
The security group does not allow outbound UDP traffic.
The security group does not allow inbound UDP traffic.

Correct Answer: The security group does not allow inbound ICMP traffic.

16) Which of these statements on Direct Connect are False. (Choose 2)
Direct Connect requires 802.1Q VLAN support.
Direct Connect connections are highly available.
Direct Connect requires BGP routing.
Traffic through a Direct Connect connection can reach the internet via AWS Internet Gateway.

Correct Answer: Traffic through a Direct Connect connection can reach the internet via AWS Internet Gateway.

17) You have setup VPC Peering between VPC_BLUE and VPC_YELLOW and also VPC_BLUE and VPC_RED. In testing, you realize that you cannot reach VPC_RED from VPC_YELLOW. What is the simplest way you can fix this?
Ensure that you are using the same CIDR block for both VPC_RED and VPC_YELLOW.
Add a Transit VPC with appropriate VPN connection to each VPC.
Setup a peering connection between VPC_YELLOW and VPC_RED.
Add a route from VPC_YELLOW to VPC_RED in the VPC_BLUE route table.

Correct Answer: Setup a peering connection between VPC_YELLOW and VPC_RED.

18) What networking components will allow IPv6 data to communicate between a VPC and the Internet? (Choose 2)
Direct Connect
Egress-Only Internet Gateway
Internet Gateway
NAT

Correct Answer: Egress-Only Internet Gateway.Internet Gateway.

19) What are some reasons you might want to use a NAT Instance over a NAT Gateway? (Choose 3)
You want the ability to detach your Elastic IP.
You want to allow public Internet initiated connections to your private instances.
You only need to provide NAT for one or two machines.
You want to support IPv6 traffic.
You want to use security groups.

Correct Answer: You want the ability to detach your Elastic IP.

.You want to allow public Internet initiated connections to your private instances.

.You want to use security groups..

20) Which of these CIDR blocks and/or IP addresses are invalid for a private VPC or subnet on AWS? (Choose 2)
172.31.4.2/15
10.2.4.255
192.168.1.2 with subnet mask 255.255.255.0
8.8.8.8

Correct Answer: 172.31.4.2/15.192.168.1.2 with subnet mask 255.255.255.0.

21) In an effort to increase security, you have updated the NACLs for your VPC subnets to only allow inbound port 22 from the public Internet and deny all outbound traffic. Now, you are unable to SSH into your instance from the internet where you could before. Assuming nothing else has changed, What is the reason?
You need to assign the updated NACL to the subnets.
You need to allow all TCP inbound traffic in your NACL.
You need to allow outbound traffic on TCP port 22 in your NACL.
You need to allow outbound traffic for TCP ports between 1025 to 65535.
You need to add the port for SSH to your SG.

Correct Answer: You need to allow outbound traffic for TCP ports between 1025 to 65535.

22) You are building an application hosted on AWS for a customer. The customer has a very old firewall that can only whitelist external destinations via IP address only. Which solution could you use? (Choose 2)
Application Load Balancer with EIP
No AWS Load Balancer as all ELBs must be accessed by their FQDN
Classic Load Balancer
Network Load Balancer with EIP
Application Load Balancer with Global Accelerator

Correct Answer: Network Load Balancer with EIP.

Application Load Balancer with Global Accelerator.

23) You want to allow your VPC instances to resolve using on-prem DNS. Can you do this and how/why?
Yes, by configuring a DHCP Option Set to issue your on-prem DNS IP to VPC clients.
No, VPC resources are prevented from using a DNS located on a non-AWS network for security reasons.
Yes, by setting up a Route 53 Private Zone and configuring NS records for your on-prem DNS.
No, VPC resources must use the local DNS within their respective subnet for latency reasons.

Correct Answer: Yes, by configuring a DHCP Option Set to issue your on-prem DNS IP to VPC clients.

24) Which of the following DNS record types does Route 53 not support?
AAAA
CNAME
DNSKEY
SPF

Correct Answer: DNSKEY

25) What is the purpose of an Egress-Only Internet Gateway? (Choose 2)
Allows instances communicating over IPv4 or IPv6 to access the Internet
Prevents IPv6 based Internet resources initiating a connection into a VPC
Allows VPC based IPv6 traffic to communicate to the Internet
Prevents IPv6 traffic accessing the Internet by utilising Security Groups

Correct Answer: Prevents IPv6 based Internet resources initiating a connection into a VPC.Allows VPC based IPv6 traffic to communicate to the Internet.

26) What might I consider to decrease the likelihood that multiple EC2 instances are impacted by some sort of underlying hardware failure in AWS.
Dedicated Instances
Clustered Placement Groups
Distributed Placement Groups
Dedicated Hosts
Spread Placement Groups

Correct Answer: Spread Placement Groups

27) You have the app currently hosted in three regions around the globe and you have defined Route 53 Geolocation routing to route people to the nearest region. Some customers complain that they are not able to access the service. What could be the cause?
You need to ensure the weights of all routes do not exceed 255.
You need to use a CNAME record rather than an A record.
You need to ensure that you have a default route in addition to other geolocation routes.
You need to adjust the bias factor for the geolocation routes.
You need to use an AAAA record rather than an A record

Correct Answer: You need to ensure that you have a default route in addition to other geolocation routes.

28) Which statements about SGs and NACLs are true? (Choose 3)
NACLs are stateful.
NACLs are stateless.
SGs are stateful.
SGs are stateless.
NACLs support DENY rules.
SGs support DENY rules.

Correct Answer: NACLs are stateless.

.SGs are stateful.

.NACLs support DENY rules..

29) You are creating a mobile app that needs secure access to AWS resources. What is the best way to do this?
Create an anonymous token vending machine to issue temporary credentials.
Use secure token service and web identity federation using AssumeRoleWithIdentity.
Use secure token service and web identity federation using AssumeRoleWithWebIdentity.
Use the Cognito SDK to provide temporary credentials.
Create an identity token vending machine to issue temporary credentials.

Correct Answer: Use the Cognito SDK to provide temporary credentials.

30) Your client is trying to setup SSO for on-prem employees into AWS via a trust relationship with Simple AD but its not working. What is the most likely cause?
They need to extend the AD schema to accommodate the extra SSO attributes.
Ports 53, 88 and 445 are not open on the NACLs between the VPC subnet and on-prem.
The Trust Relationship has not been setup properly in the respective IAM role.
They have chosen a Small size but SSO is only supported in the Large size.
Kerberos-based SSO is not configured properly.
Simple AD does not support trust relationships with other domains.

Correct Answer: Simple AD does not support trust relationships with other domains.

31) Because of regulatory requirements, certain areas of your organization can only use certain regions. Which is the BEST way to implement this control?
Access Control List
Identity-based Policy
Resource-based Policy
Service Control Policy

Correct Answer: Service Control Policy

32) _ says only issue enough access to do only that which is needed and nothing more.
Security Practices Framework
Well-Designed Framework
Risk Management Rule
Principle of Lowest Access
Principle of Least Privilege

Correct Answer: Principle of Least Privilege

33) What is the main difference between IDS and IPS?
IDS features typically include: alerting administrators of possible incidents, logging information, and reporting attempts.
An IPS usually handles proactive patching of system vulnerabilities.
An IDS monitors networks and systems for malicious activity or policy violation, and report them to systems administrators.
An IPS will take automatic action on suspicious traffic within the network.

Correct Answer: An IPS will take automatic action on suspicious traffic within the network.

34) Which of the following AWS services allow native encryption of data, while at rest? (Choose 3)
S3
Elastic File System (EFS)
Elastic Block Store (EBS)
Elasticache for Memcached

Correct Answer: S3.Elastic File System (EFS).Elastic Block Store (EBS).

35) Which are characteristics of OAuth 2.0? (Choose 2)
It issues tokens to clients.
It is best suited for single-sign-on scenarios.
It handles authorization.
It handles authentication.
It can contain group and membership information.

Correct Answer: It handles authorization.

36) Your client recently failed a security audit because they had username and passwords hard-coded in a script which runs on an EC2 instance. Which of the following is a way to remediate?
Store credentials in an encrypted file on S3 and create an IAM role with access assigning it to the EC2 instance.
Store credentials in DynamoDB and create an IAM policy with access and assign to the EC2 instance.
Store credentials in KMS and create an IAM role with access and assign to the EC2 instance.
Store credentials on an encrypted EBS volume that gets dynamically attached and detached when the script is executed.

Correct Answer: Store credentials in an encrypted file on S3 and create an IAM role with access assigning it to the EC2 instance.

37) What is the most efficient way of logging all external interaction with AWS services for your accounts globally?
Setup CloudTrail in each region where you have assets to store logs in S3 buckets in that region.
Setup Log Consolidation in AWS Organizations for all accounts globally.
Setup CloudWatch in each region where you have assets to store logs in S3 buckets in that region.
Setup CloudTrail in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region.
Setup CloudWatch in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region.

Correct Answer: Setup CloudTrail in your main region and configure it to log all regions and store logs in a single S3 bucket in your main region.

38) You want to gradually migrate data directly from an on-prem RAID10 file server to S3 without moving it to other storage first. Which of these would you use?
AWS CLI
Storage Gateway – Volume Gateway Stored Mode
Storage Migration Service

Correct Answer: AWS CLI

39) You have decided to migrate your on-prem legacy Informix database to Amazon Aurora. How might this be facilitated most efficiently?
Manually create the target schema on Aurora then use Data Pipeline with JDBC to move the data.
Use Data Migration Service for discovery, schema creation and data migration.
Use the Schema Conversion Tool and Data Extraction Agents to create the schema and migrate the data.

Correct Answer: Manually create the target schema on Aurora then use Data Pipeline with JDBC to move the data.

40) Which is not part of a component of the Cloud Adoption Framework?
Creation of a strong business case for cloud adoption.
Align KPIs with newly enabled business capabilities.
Reinvent business processes to take advantage of new capabilities.

Correct Answer: Reinvent business processes to take advantage of new capabilities.

41) You are evaluating a technical migration plan for a customer. Which of the following project assumptions is incorrect?
Because we use VMWare we do not need to install agents on our VMs to use AWS Application Discovery Service.
We can replicate our Linux, Windows and Solaris VMs, syncing volumes and creating periodic AMIs.
We can use DMS to migrate our MongoDB database to DynamoDB.

Correct Answer: We can replicate our Linux, Windows and Solaris VMs, syncing volumes and creating periodic AMIs.

42) Given a VPC CIDR of 10.0.0.0/16 and subnet CIDR block of 10.0.0.0/24, what would you expect the DNS address to be for DHCP clients in that subnet given default settings?
10.0.0.0
10.0.0.2
There is no way to know because the IP address of the DNS is randomly assigned.
10.0.0.3

Correct Answer: 10.0.0.2

43) You are migrating from an Oracle on-prem database to an Oracle RDS database. Which of these describes this migration properly?
Synchronous migration
Heterogeneous migration
Homogenous migration

Correct Answer: Homogenous migration

44) Which of the following options allows users to have secure access to private files located in S3? (Choose 3)
Public S3 buckets
CloudFront Signed Cookies
CloudFront Origin Access Identity
CloudFront Signed URLs

Correct Answer: CloudFront Signed Cookies.

CloudFront Origin Access Identity.

CloudFront Signed URLs.

45) Your client is contemplating migration to a hybrid architecture over the next year. What preparation tasks would you suggest that would be directly tied to supporting this migration? (Choose 3)
Tie individual performance objectives with cost savings goals.
Ensure that there are sufficient change management processes in place.
Create an accurate inventory of all systems and services.
Spend some time uncovering or verifying current on-prem total ownership costs.
Re-architect tightly coupled interfaces to loosely coupled patterns.

Correct Answer: Create an accurate inventory of all systems and services.

.Spend some time uncovering or verifying current on-prem total ownership costs.

.Re-architect tightly coupled interfaces to loosely coupled patterns..

46) Which of the following native AWS services does not support a VPC endpoint connection?
API Gateway
Amazon MQ
DynamoDB

Correct Answer: Amazon MQ

47) Which migration strategy generally has the least cost for an enterprise?
Retire
Re-architect
Retain

Correct Answer: Retire

48) After an EMR cluster is terminated, what happens to the data stored as HDFS?
It is automatically copied out to S3 in Parquet format.
It is deleted.
It is automatically copied out to S3 in HDFS format.

Correct Answer: It is deleted.

49) What is the main benefit of loosely coupled architectures for scalability?
Permits more flexibility.
Greater resource utilization.
More atomic functional units.

Correct Answer: More atomic functional units.

50) When developing a Amazon Kinesis Data Stream application, what is the recommended method to read data from a shard?
KCL
API
KPL

Correct Answer: KCL