Amazon AWS-Certified-Solutions-Architect-Professional Exam Questions and Answers 2021

NEW QUESTION 1
A user is thinking to use EBS PIOPS volume. Which of the below mentioned options is a right use case for the PIOPS EBS volume?

• A. Analytics
• B. System boot volume
• C. Nlongo DB
• D. Log processing

Answer: C

Explanation: Provisioned IOPS volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. Provisioned IOPS volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency in random access I/O throughput business applications, database workloads, such as NoSQL DB, RDBMS, etc. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVo|umeTypes.htm|

NEW QUESTION 2
You are implementing a URL whitelisting system for a company that wants to restrict outbound HTTP'S connections to specific domains from their EC2-hosted applications you deploy a single EC2 instance running proxy software and configure It to accept traffic from all subnets and EC2 instances in the VPC. You configure the proxy to only pass through traffic to domains that you define in its whitelist configuration You have a nightly maintenance window or 10 minutes where ail instances fetch new software updates. Each update Is about 200MB In size and there are 500 instances In the VPC that routinely fetch updates After a few days you notice that some machines are failing to successfully download some, but not all of their updates within the maintenance window. The download URLs used for these updates are correctly listed in the proxy's whitelist configuration and you are able to access them manually using a web browser on the instances. What might be happening? (Choose 2 answers)

• A. You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for all instances to download their updates in time.
• B. You are running the proxy on a sufficiently-sized EC2 instance in a private subnet andits network throughput is being throttled by a NAT running on an undersized EC2 instance.
• C. The route table for the subnets containing the affected EC2 instances is not configured to direct network traffic for the software update locations to the proxy.
• D. You have not allocated enough storage to the EC2 instance running the proxy so the network buffer is filling up, causing some requests to fail.
• E. You are running the proxy in a public subnet but have not allocated enough EIPs to support the needed network throughput through the Internet Gateway (IGW).

Answer: AB

NEW QUESTION 3
You are running a news website in the eu-west-1 region that updates every 15 minutes. The website has a world-wide audience it uses an Auto Scaling group behind an Elastic Load Balancer and an Amazon
RDS database Static content resides on Amazon S3, and is distributed through Amazon CIoudFront. Your Auto Scaling group is set to trigger a scale up event at 60% CPU utilization, you use an Amazon RDSextra large DB instance with 10.000 Provisioned IOPS its CPU utilization is around 80%. While freeable memory is in the 2 GB range.
Web analytics reports show that the average load time of your web pages is around 1.5 to 2 seconds, but your SEO consultant wants to bring down the average load time to under 0.5 seconds.
How would you improve page load times for your users? (Choose 3 answers)

• A. Lower the scale up trigger of your Auto Scaling group to 30% so it scales more aggressively.
• B. Add an Amazon EIastiCache caching layer to your application for storing sessions and frequent DB quenes
• C. Configure Amazon CIoudFront dynamic content support to enable caching of re-usable content from your site
• D. Switch the Amazon RDS database to the high memory extra large Instance type
• E. Set up a second installation in another region, and use the Amazon Route 53 latency-based routing feature to select the right region.

Answer: ABD

NEW QUESTION 4
Your company is storing millions of sensitive transactions across thousands of 100-GB files that must be encrypted in transit and at rest. Analysts concurrently depend on subsets of files, which can consume up to 5 TB of space, to generate simulations that can be used to steer business decisions. You are required to design an AWS solution that can cost effectively accommodate the long-term storage and in-flight subsets of data.

• A. Use Amazon Simple Storage Service (S3) with server-side encryption, and run simulations on subsets in ephemeral drives on Amazon EC2.
• B. Use Amazon S3 with server-side encryption, and run simulations on subsets in-memory on Amazon EC2.
• C. Use HDFS on Amazon EMR, and run simulations on subsets in ephemeral drives on Amazon EC2.
• D. Use HDFS on Amazon Elastic MapReduce (EMR), and run simulations on subsets in-memory on Amazon Elastic Compute Cloud (EC2).
• E. Store the full data set in encrypted Amazon Elastic Block Store (EBS) volumes, and regularly capturesnapshots that can be cloned to EC2 workstation

Answer: D

NEW QUESTION 5
Your company has an on-premises multi-tier PHP web application, which recently experienced downtime due to a large burst In web traffic due to a company announcement Over the coming days, you are expecting similar announcements to drive similar unpredictable bursts, and are looking to find ways to quickly improve your infrastructures ability to handle unexpected increases in traffic.
The application currently consists of 2 tiers a web tier which consists of a load balancer and several Linux Apache web servers as well as a database tier which hosts a Linux server hosting a MySQL database. Which scenario below will provide full site functionality, while helping to improve the ability of your application in the short timeframe required?

• A. Failover environment: Create an S3 bucket and configure it for website hostin
• B. Migrate your DNS to Route53 using zone file import, and leverage Route53 DNS failover to failover to the S3 hosted website.
• C. Hybrid environment: Create an AMI, which can be used to launch web sewers in EC2. Create an Auto Scaling group, which uses the AMI to scale the web tier based on incoming traffi
• D. Leverage Elastic Load Balancing to balance traffic between on-premises web servers and those hosted In AWS.
• E. Offload traffic from on-premises environment: Setup a CIoudFront distribution, and configure CIoudFront to cache objects from a custom origi
• F. Choose to customize your object cache behavior, and select a TTL that objects should exist in cache.
• G. Migrate to AWS: Use VM Import/Export to quickly convert an on-premises web server to an AM
• H. Create an Auto Scaling group, which uses the imported AMI to scale the web tier based on incoming traffi
• I. Create an RDS read replica and setup replication between the RDS instance and on-premises MySQL server to migrate the database.

Answer: C

NEW QUESTION 6
An EC2 instance that performs source/destination checks by default is launched in a private VPC subnet. All security, NACL, and routing definitions are configured as expected. A custom NAT instance is launched.
Which of the following must be done for the custom NAT instance to work?

• A. The source/destination checks should be disabled on the NAT instance.
• B. The NAT instance should be launched in public subnet.
• C. The NAT instance should be configured with a public IP address.
• D. The NAT instance should be configured with an elastic IP addres

Answer: A

Explanation: Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
Reference:
http://docs.aws.amazon.com/AmazonVPC/Iatest/UserGuide/VPC_NAT_|nstance.htm|#EIP_Disab|e_Src DestCheck

NEW QUESTION 7
You create a VPN connection, and your VPN device supports Border Gateway Protocol (BGP). Which of the following should be specified to configure the VPN connection?

• A. Classless routing
• B. Classfull routing
• C. Dynamic routing
• D. Static routing

Answer: C

Explanation: If you create a VPN connection, you must specify the type of routing that you plan to use, which will depend upon on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), you need to specify dynamic routing when you configure your VPN connection. If your device does not support BGP, you should specify static routing.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.htmI

NEW QUESTION 8
A web company is looking to implement an external payment service into their highly available application deployed in a VPC Their application EC2 instances are behind a public lacing ELB Auto scaling is used to add additional instances as traffic increases under normal load the application runs 2 instances in the Auto Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API.
How should they architect their solution?

• A. Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the MAT instances.
• B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
• C. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
• D. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instances public IP address to the payment validation whitelist API.

Answer: D

NEW QUESTION 9
One of your AWS Data Pipeline actMties has failed consequently and has entered a hard failure state after retrying thrice. You want to try it again. Is it possible to increase the number of automatic retries to more than thrice?

• A. Yes, you can increase the number of automatic retries to 6.
• B. Yes, you can increase the number of automatic retries to indefinite number.
• C. No, you cannot increase the number of automatic retries.
• D. Yes, you can increase the number of automatic retries to 10.

Answer: D

Explanation: In AWS Data Pipeline, an actMty fails if all of its actMty attempts return with a failed state. By default, an actMty retries three times before entering a hard failure state. You can increase the number of automatic retries to 10. However, the system does not allow indefinite retries.
Reference: https://aws.amazon.com/datapipe|ine/faqs/

NEW QUESTION 10
What happens when Dedicated instances are launched into a VPC?

• A. If you launch an instance into a VPC that has an instance tenancy of dedicated, you must manually create a Dedicated instance.
• B. If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is created as a Dedicated instance, only based on the tenancy of the instance.
• C. If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance isautomatically a Dedicated instance, regardless of the tenancy of the instance.
• D. None of these are tru

Answer: C

Explanation: If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is automatically a Dedicated instance, regardless of the tenancy of the instance.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/dedicated-instance.html

NEW QUESTION 11
A user is planning to host a web server as well as an app server on a single EC2 instance which is a part of the public subnet of a VPC. How can the user setup to have two separate public IPs and separate security groups for both the application as well as the web server?

• A. Launch VPC with two separate subnets and make the instance a part of both the subnets.
• B. Launch a VPC instance with two network interface
• C. Assign a separate security group and elastic IP to them.
• D. Launch a VPC instance with two network interface
• E. Assign a separate security group to each and AWS will assign a separate public IP to them.
• F. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subne

Answer: B

Explanation: If you need to host multiple websites(with different IPs) on a single EC2 instance, the following is the suggested method from AWS.
Launch a VPC instance with two network interfaces
Assign elastic IPs from VPC EIP pool to those interfaces (Because, when the user has attached more than one network interface with an instance, AWS cannot assign public IPs to them.)
Assign separate Security Groups if separate Security Groups are needed
This scenario also helps for operating network appliances, such as firewalls or load balancers that have multiple private IP addresses for each network interface.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Mu|tip|e|P.htmI

NEW QUESTION 12
You must architect the migration of a web application to AWS. The application consists of Linux web servers running a custom web server. You are required to save the logs generated from the application to a durable location.
What options could you select to migrate the application to AWS? (Choose 2)

• A. Create an AWS Elastic Beanstalk application using the custom web server platfor
• B. Specify the web server executable and the application project and source file
• C. Enable log file rotation to Amazon Simple Storage Service (S3).
• D. Create Dockerfile for the applicatio
• E. Create an AWS OpsWorks stack consisting of a custom laye
• F. Create custom recipes to install Docker and to deploy your Docker container using the Dockerfil
• G. Create customer recipes to install and configure the application to publish the logs to Amazon CIoudWatch Logs.
• H. Create Dockerfile for the applicatio
• I. Create an AWS OpsWorks stack consisting of a Docker layer that uses the Dockerfil
• J. Create custom recipes to install and configure Amazon Kineses to publish the logs into Amazon CIoudWatch.
• K. Create a Dockerfile for the applicatio
• L. Create an AWS Elastic Beanstalk application using the Docker platform and the Dockerfil
• M. Enable logging the Docker configuration to automatically publish the application log
• N. Enable log file rotation to Amazon S3.
• O. Use VM import/Export to import a virtual machine image of the server into AWS as an AM
• P. Create an Amazon Elastic Compute Cloud (EC2) instance from AMI, and install and configure the Amazon C|oudWatch Logs agen
• Q. Create a new AMI from the instanc
• R. Create an AWS Elastic Beanstalk application using the AMI platform and the new AMI.

Answer: AD

NEW QUESTION 13
An AWS customer runs a public blogging website. The site users upload two million blog entries a month. The average blog entry size is 200 KB. The access rate to blog entries drops to negligible 6 months after publication and users rarely access a blog entry 1 year after publication. Additionally, blog entries have a high update rate during the first 3 months following publication, this drops to no updates after 6 months. The customer wants to use CIoudFront to improve his user's load times. Which of the following recommendations would you make to the customer?

• A. Duplicate entries into two different buckets and create two separate CIoudFront distributions where S3 access is restricted only to Cloud Front identity
• B. Create a CIoudFront distribution with "US Europe" price class for US/Europe users and a different CIoudFront distribution with "AII Edge Locations" for the remaining users.
• C. Create a CIoudFront distribution with S3 access restricted only to the CIoudFront identity and partition the blog entry's location in S3 according to the month it was uploaded to be used with CIoudFront behaviors.
• D. Create a CIoudFront distribution with Restrict Viewer Access Forward Query string set to true and minimum TTL of 0.

Answer: C

NEW QUESTION 14
In AWS, which security aspects are the customer's responsibility? Choose 4 answers

• A. Security Group and ACL (Access Control List) settings
• B. Decommissioning storage devices
• C. Patch management on the EC2 instance's operating system
• D. Life-cycle management of IAM credentials
• E. Controlling physical access to compute resources
• F. Encryption of EBS (Elastic Block Storage) volumes

Answer: ACDF

NEW QUESTION 15
A read only news reporting site with a combined web and application tier and a database tier that receives large and unpredictable traffic demands must be able to respond to these traffic fluctuations automatically. What AWS services should be used meet these requirements?

• A. Stateless instances for the web and application tier synchronized using EIastiCache Memcached in an autoscaimg group monitored with CIoudWatch and RDS with read replicas.
• B. Stateful instances for the web and application tier in an autoscaling group monitored with CIoudWatch and RDS with read replicas.
• C. Stateful instances for the web and application tier in an autoscaling group monitored with CIoudWatc
• D. And multi-AZ RDS.
• E. Stateless instances for the web and application tier synchronized using EIastiCache Memcached in an autoscaling group monitored with CIoudWatch and multi-AZ RDS.

Answer: A

NEW QUESTION 16
Doug has created a VPC with CIDR 10.201.0.0/16 in his AWS account. In this VPC he has created a public subnet with CIDR block 10.201.31.0/24. While launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance. Which is the most likely reason for this issue?

• A. Private address IP 10.201.31.6 is currently assigned to another interface.
• B. Private IP address 10.201.31.6 is reserved by Amazon for IP networking purposes.
• C. Private IP address 10.201.31.6 is blocked via ACLs in Amazon infrastructure as a part of platform security.
• D. Private IP address 10.201.31.6 is not part of the associated subnet's IP address rang

Answer: A

Explanation: In Amazon VPC, you can assign any Private IP address to your instance as long as it is: Part of the associated subnet's IP address range
Not reserved by Amazon for IP networking purposes Not currently assigned to another interface Reference: http://aws.amazon.com/vpc/faqs/