
AWS DUMPS

1. A company is hosting 60 TB of production-level data in an Amazon S3 bucket. A solutions architect needs to
bring that data on premises for quarterly audit requirements. This export of data must be encrypted while in
transit. The company has low network bandwidth in place between AWS and its on-premises data center.
What should the solutions architect do to meet these requirements?

A. Deploy an AWS Storage Gateway volume gateway on AWS. Enable a 90-day replication window to
transfer the data.

B. Deploy Amazon Elastic File System (Amazon EFS), with lifecycle policies enabled, on AWS. Use it to transfer
the data.

C. Deploy an AWS Snowball device in the on-premises data center after completing an export job request in
the AWS Snowball console.

D. Deploy AWS Migration Hub with 90-day replication windows for data transfer.

Answer: A

2. A company has a custom application running on an Amazon EC2 instance that:

-Reads a large amount of data from Amazon S3

-Performs a multi-stage analysis

-Writes the results to Amazon DynamoDB

The application writes a significant number of large temporary files during the multi-stage analysis. The
process performance depends on the temporary storage performance. What would be the fastest storage
option for holding the temporary files?

A. Multiple instance store volumes with software RAID 0.
B. Multiple Amazon S3 buckets with Transfer Acceleration for storage.
C. Multiple Amazon EBS drives with Provisioned IOPS and EBS optimization.
D. Multiple Amazon EFS volumes using the Network File System version 4.1 (NFSv4.1) protocol.

Answer: B

3. A company built a food ordering application that captures user data and stores it for future analysis.
The application's static front end is deployed on an Amazon EC2 instance. The front-end application sends
requests to the backend application running on a separate EC2 instance. The backend application then
stores the data in Amazon RDS.

What should a solution architect do to decouple the architecture and make it scalable?

A. Use Amazon S3 to serve the static front-end application and send requests to Amazon API Gateway,
which writes the requests to an Amazon SQS queue. Place the backend instances in an Auto Scaling group,
and scale based on the queue depth to process and store the data in Amazon RDS.
B. Use an EC2 instance to serve the front end and write requests to an Amazon SQS queue. Place the
backend instance in an Auto Scaling group, and scale based on the queue depth to process and store the data
in Amazon RDS.
C. Use Amazon S3 to serve the front-end application, which sends requests to Amazon EC2 to execute the
backend application. The backend application will process and store the data in Amazon RDS.
D. Use Amazon S3 to serve the front-end application and write requests to an Amazon Simple Notification
Service (Amazon SNS) topic. Subscribe Amazon EC2 instances to the HTTP/HTTPS endpoint of the topic and
process and store the data in Amazon RDS.

Answer: A

4. A company's web application is running on Amazon EC2 instances behind an Application Load Balancer. The
company recently changed its policy, which now requires the application to be accessed from one specific
country only. Which configuration will meet this requirement?

A. Configure the security group for the EC2 instances.

B. Configure the security group on the Application Load Balancer.

C. Configure AWS WAF on the Application Load Balancer in a VPC.

D. Configure the network ACL for the subnet that contains the EC2 instances.

Answer: C

5. A company has a legacy application that processes data in two parts. The second part of the process takes
longer than the first, so the company has decided to rewrite the application as two microservices running on
Amazon ECS that can scale independently.

How should a solutions architect integrate the microservices?

A. Implement code in microservice 1 to send data to Amazon Kinesis Data Firehose. Implement code in
microservice 2 to read from Kinesis Data Firehose.
B. Implement code in microservice 1 to send data to an Amazon SQS queue. Implement code in
microservice 2 to process messages from the queue.
C. Implement code in microservice 1 to send data to an Amazon S3 bucket. Use S3 event notifications to
invoke microservice 2.
D. Implement code in microservice 1 to publish data to an Amazon SNS topic. Implement code in microservice
2 to subscribe to this topic.

Answer: B

6. A company hosts its product information webpages on AWS. The existing solution uses multiple Amazon
EC2 instances behind an Application Load Balancer in an Auto Scaling group. The website also uses a custom
DNS name and communicates with HTTPS only using a dedicated SSL certificate. The company is planning a
new product launch and wants to be sure that users from around the world have the best possible
experience on the new website. What should a solutions architect do to meet these requirements?

A. Redesign the application to use Amazon CloudFront.

B. Redesign the application to use a Network Load Balancer.

C. Redesign the application to use AWS Elastic Beanstalk.

D. Redesign the application to use Amazon S3 static website hosting.

Answer: A

7. A company is moving its on-premises applications to Amazon EC2 instances. However, as a result of
fluctuating compute requirements, the EC2 instances must always be ready to use between 8 AM and 5 PM
in specific Availability Zones. Which EC2 instances should the company choose to run the applications?

A. On-Demand Instances.

B. EC2 instances in an Auto Scaling group.

C. Spot Instances as part of a Spot Fleet.

D. Scheduled Reserved Instances.

Answer: D

8. A solutions architect is designing a new API using Amazon API Gateway that will receive requests from
users. The volume of requests is highly variable; several hours can pass without receiving a single request. The
data processing will take place asynchronously, but should be completed within a few seconds after a
request is made. Which compute service should the solutions architect have the API invoke to deliver the
requirements at the cost?

A. An AWS Glue job.

B. A containerized service hosted in Amazon ECS with Amazon EC2

C. An AWS Lambda function

D. A containerized service hosted in Amazon Elastic Kubernetes Service (Amazon EKS)

Answer: C

9. A company recently expanded globally and wants to make its application accessible to users in those
geographic locations. The application is deployed on Amazon EC2 instances behind an Application Load
Balancer in an Auto Scaling group. The company needs the ability to shift traffic from resources in one Region to
another. What should a solutions architect recommend?

A. Configure an Amazon Route 53 geolocation routing policy.

B. Configure an Amazon Route 53 geoproximity routing policy.

C. Configure an Amazon Route 53 multivalue answer routing policy.

D. Configure an Amazon Route 53 latency routing policy.

Answer: B

10. A company owns an asynchronous API that is used to ingest user requests and, based on the request
type, dispatch requests to the appropriate microservice for processing. The company is using Amazon API
Gateway to deploy the API front end, and an AWS Lambda function that invokes Amazon DynamoDB to store
user requests before dispatching them to the processing microservices. The company provisioned as much
DynamoDB throughput as its budget allows, but the company is still experiencing availability issues and is losing
user requests. What should a solutions architect do to address this issue without impacting existing users?

A. Add throttling on the API Gateway with server-side throttling limits

B. Create a secondary index in DynamoDB for the table with the user requests

C. Use DynamoDB Accelerator (DAX) and Lambda to buffer writes to DynamoDB

D. Use the Amazon Simple Queue Service (Amazon SQS) queue and Lambda to buffer writes to DynamoDB

Answer: C

11. A company wants to migrate its web application to AWS. The legacy web application consists of a web tier,
an application tier, and a MySQL database. The re-architected application must consist of technologies that do
not require the administration team to manage instances or clusters.

Which combination of services should a solutions architect include in the overall architecture? (Select two)

A. Amazon Aurora Serverless.
B. Amazon RDS for MySQL.
C. Amazon EC2 Spot Instances.
D. AWS Fargate.
E. Amazon Elasticsearch Service (Amazon ES)

Answer: AD

12. A solutions architect is designing a multi-Region disaster recovery solution for an application that will
provide public API access. The application will use Amazon EC2 instances with a user data script to load
application code and an Amazon RDS for MySQL database. The Recovery Time Objective (RTO) is 3 hours and
the Recovery Point Objective (RPO) is 24 hours. Which architecture would meet these requirements at the
LOWEST cost?

A. Use an Application Load Balancer for Region failover. Deploy new EC2 instances with the user data script.
Deploy separate RDS instances in each Region.

B. Use Amazon Route 53 for Region failover. Deploy new EC2 instances with the user data script. Create a read
replica of the RDS instance in a backup Region.

C. Use Amazon Route 53 for Region failover. Deploy new EC2 instances with the user data script for APIs, and
create a snapshot of the RDS instance daily for a backup. Replicate the snapshot to a backup Region.

D. Use Amazon API Gateway for the public APIs and Region failover. Deploy new EC2 instances with the user
data script. Create a MySQL read replica of the RDS instance in a backup Region.

Answer: A

13. A company hosts historical weather records in Amazon S3. The records are downloaded from the
company's website by way of a URL that resolves to a domain name. Users all over the world access this
content through subscriptions. A third-party provider hosts the company's root domain name, but the
company recently migrated some of its services to Amazon Route 53. The company wants to consolidate
contracts, reduce latency for users, and reduce costs related to serving the application to subscribers. Which
solution meets these requirements?

A. Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create a
CNAME record in a Route 53 hosted zone that points to the CloudFront distribution, resolving to the URL
domain name.

B. Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the
web application, and configure a geolocation rule. Configure health checks to check the health of the
endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.

C. Create a web distribution on Amazon CloudFront to serve the S3 content for the application. Create an
ALIAS record in the Amazon Route 53 hosted zone that points to the CloudFront distribution, resolving to
the application's URL domain name.

D. Create an A record in a Route 53 hosted zone for the application. Create a Route 53 traffic policy for the
web application, and configure a geoproximity rule. Configure health checks to check the health of the
endpoint and route DNS queries to other endpoints if an endpoint is unhealthy.

Answer: C

14. A company has established a new AWS account. The account is newly provisioned and no changes have
been made to the default settings. The company is concerned about the AWS account root user. What should be
done to secure the root user?

A. Create IAM users for daily administrative tasks. Disable the root user.

B. Generate an access key for the root user. Use the access key for daily administration tasks instead of the
AWS Management Console.

C. Provide the root user credentials to the most senior solutions architect. Have the solutions architect use the
root user for daily administration tasks.

D. Create IAM users for daily administrative tasks. Enable multi-factor authentication on the root user.

Answer: D

15. A company is running a three-tier web application to process credit card payments. The front-end user
interface consists of static webpages. The application tier can have long-running processes. The database tier
uses MySQL. The application is currently running on a single, general purpose large Amazon EC2 instance. A
solutions architect needs to decouple the services to make the web application highly available.

Which solution would provide the HIGHEST availability?

A. Move static assets and the application into a medium EC2 instance. Leave the database on the large
instance. Place both instances in an Auto Scaling group.
B. Move static assets to Amazon S3. Move the application to Amazon Elastic Container Service (Amazon ECS)
containers with Auto Scaling enabled. Move the database to Amazon RDS to deploy Multi-AZ.
C. Move static assets to Amazon CloudFront. Leave the application in EC2 in an Auto Scaling group. Move the
database to Amazon RDS to deploy Multi-AZ.
D. Move static assets to Amazon S3. Move the application to AWS Lambda with the concurrency limit set.
Move the database to Amazon DynamoDB with on-demand enabled.

Answer: A

16. A company is running a two-tier ecommerce website using services. The current architecture uses a
public-facing Elastic Load Balancer that sends traffic to Amazon EC2 instances in a private subnet. The static content
is hosted on EC2 instances, and the dynamic content is retrieved from a MySQL database. The application is
running in the United States. The company recently started selling to users in Europe and Australia. A solutions
architect needs to design a solution so their international users have an improved browsing experience. Which
solution is MOST cost-effective?

A. Host the entire website on Amazon S3.
B. Increase the number of public load balancers and EC2 instances.
C. Use Amazon CloudFront and Amazon S3 to host static images.
D. Deploy the two-tier website in AWS Regions in Europe and Australia.

Answer: C

17. A company wants to migrate a high performance computing (HPC) application and data from on-premises
to the AWS Cloud. The company uses tiered storage on premises with hot high-performance parallel storage
to support the application during periodic runs of the application, and more economical cold storage to hold
the data when the application is not actively running. Which combination of solutions should a solutions
architect recommend to support the storage needs of the application? (Choose two)

A. Amazon EFS for cold storage.
B. Amazon FSx for Windows for high-performance parallel storage.
C. Amazon S3 for high-performance parallel storage.
D. Amazon S3 for cold data storage.
E. Amazon FSx for Lustre for high-performance parallel storage.

Answer: DE

18. A solutions architect must design a database solution for a high-traffic ecommerce web application. The
database stores customer profiles and shopping cart information. The database must support a peak load at
several million requests each second and deliver responses in milliseconds. The operational overhead for
managing and scaling the database must be minimized.
Which database solution should the solutions architect recommend?

A. Amazon Redshift
B. Amazon RDS
C. Amazon Aurora
D. Amazon DynamoDB

Answer: D

19. A company is using a third-party vendor to manage its marketplace analytics. The vendor needs limited
programmatic access to resources in the company's account. All the needed policies have been created to
grant appropriate access. Which additional component will provide the vendor with the MOST secure access
to the account?

A. Implement a service control policy (SCP).
B. Create an IAM user.
C. Configure a single sign-on (SSO) identity provider.
D. Use a cross-account role with an external ID.

Answer: A

20. A company has migrated an on-premises Oracle database to an Amazon RDS for Oracle Multi-AZ DB
instance in the us-east-1 Region. A solutions architect is designing a disaster recovery strategy to have the
database provisioned in the us-west-2 Region in case the database becomes unavailable in the us-east-1
Region. The design must ensure the database is provisioned in the us-west-2 Region in a maximum of 2 hours,
with a data loss window of no more than 3 hours. How can these requirements be met?

A. Select the multi-Region option to provision a standby instance in us-west-2. The standby instance will be
automatically promoted to master in us-west-2 in case the disaster recovery environment needs to be
created.
B. Take automated snapshots of the database instance and copy them to us-west-2 every 3 hours. Restore the
latest snapshot to provision another database instance in us-west-2 in case the disaster recovery
environment needs to be activated.
C. Create multimaster read/write instances across multiple AWS Regions. Select VPCs in us-east-1 and
us-west-2 to make that deployment. Keep the master read/write instance in us-west-2 available to avoid having
to activate a disaster recovery environment.
D. Edit the DR instance and create a read replica in us-west-2. Promote the read replica to master in
us-west-2 in case the disaster recovery environment needs to be activated.

Answer: D

21. A solutions architect is designing the cloud architecture for a company that needs to host hundreds of
machine learning models for its users. During startup, the models need to load up to 10 GB of data from
Amazon S3 into memory, but they do not need disk access. Most of the models are used sporadically, but the
users expect all of them to be highly available and accessible with low latency. Which solution meets the
requirements and is MOST cost-effective?

A. Deploy models as Amazon Elastic Container Service (Amazon ECS) services behind a single Application Load
Balancer with path-based routing where one path corresponds to each model.
B. Deploy models as AWS Lambda functions behind an Amazon API Gateway for each model.
C. Deploy models as Amazon Elastic Container Service (Amazon ECS) services behind an Application Load
Balancer for each model.
D. Deploy models as AWS Lambda functions behind a single Amazon API Gateway with path-based routing
where one path corresponds to each model.

Answer: C

22. A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles
during peak operating hours. The company wants to use these data points in its existing analytics platform. A
solutions architect must determine the most viable multi-tier option to support this architecture. The data
points must be accessible from the REST API.
Which action meets these requirements for storing and retrieving location data?

A. Use Amazon Athena with Amazon S3.
B. Use Amazon QuickSight with Amazon Redshift.
C. Use Amazon API Gateway with Amazon Kinesis Data Analytics.
D. Use Amazon API Gateway with AWS Lambda.

Answer: C

23. A company is processing data on a daily basis. The results of the operations are stored in an Amazon S3
bucket, analyzed daily for one week, and then must remain immediately accessible for occasional analysis.
What is the MOST cost-effective storage solution alternative to the current configuration?

A. Configure a lifecycle policy to transition the objects to Amazon S3 Glacier after 30 days.
B. Configure a lifecycle policy to transition the objects to Amazon S3 One Zone-Infrequent Access (S3 One
Zone-IA) after 30 days.
C. Configure a lifecycle policy to transition the objects to Amazon S3 Standard-Infrequent Access (S3
Standard-IA) after 30 days.
D. Configure a lifecycle policy to delete the objects after 30 days.

Answer: D

24. A company has an on-premises volume backup solution that has reached its end of life. The company
wants to use AWS as part of a new backup solution and wants to maintain local access to all the data while it
is backed up to AWS. The company wants to ensure that the data backed up on AWS is automatically and
securely transferred. Which solution meets these requirements?

A. Use AWS Storage Gateway and configure a cached volume gateway. Run the Storage Gateway software
appliance on premises and configure a percentage of data to cache locally. Mount the gateway storage
volumes to provide local access to the data.
B. Use AWS Snowball Edge to migrate data out of the on-premises solution to Amazon S3. Use the
Snowball Edge file interface to provide on-premises systems with local access to the data.
C. Use AWS Snowball to migrate data out of the on-premises solution to Amazon S3. Configure on-premises
systems to mount the Snowball S3 endpoint to provide local access to the data.
D. Use AWS Storage Gateway and configure a stored volume gateway. Run the Storage Gateway software
appliance on premises and map the gateway storage volumes to on-premises storage. Mount the gateway
storage volumes to provide local access to the data.

Answer: B

25. A company's application is running on Amazon EC2 instances within an Auto Scaling group behind an
Elastic Load Balancer. Based on the application's history, the company anticipates a spike in traffic during a
holiday each year. A solutions architect must design a strategy to ensure that the Auto Scaling group
proactively increases capacity to minimize any performance impact on application users.
Which solution will meet these requirements?

A. Configure an Amazon Simple Notification Service (Amazon SNS) notification to send alerts when there are
auto scaling EC2_INSTANCE_LAUNCH events.
B. Create an Amazon CloudWatch alarm to scale up the EC2 instances when CPU utilization exceeds 90%.
C. Increase the minimum and maximum number of EC2 instances in the Auto Scaling group during the peak
demand period.
D. Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of
peak demand.

Answer: D

26. A company wants to run a hybrid workload for data processing. The data needs to be accessed by
on-premises applications for local data processing using an NFS protocol, and must also be accessible from the
AWS Cloud for further analytics and batch processing.
Which solution will meet these requirements?

A. Use an AWS Storage Gateway volume gateway in a cached volume configuration to back up all the local
storage in the AWS cloud, then perform analytics on this data in the cloud.
B. Use an AWS Storage Gateway file gateway to provide file storage to AWS, then perform analytics on this
data in the AWS Cloud.
C. Use an AWS Storage Gateway tape gateway to copy the backup of the local data to AWS, then perform
analytics on this data in the AWS cloud.
D. Use an AWS Storage Gateway volume gateway in a stored volume configuration to regularly take
snapshots of the local data, then copy the data to AWS.

Answer: B

27. A web application runs on Amazon EC2 instances behind an Application Load Balancer. The application
allows users to create custom reports of historical weather data. Generating a report can take up to 5
minutes. These long-running requests use many of the available incoming connections, making the system
unresponsive to other users.
How can a solutions architect make the system more responsive?

A. Publish the reports to Amazon S3 and use Amazon CloudFront for downloading to the user.
B. Update the client-side application code to increase its request timeout to 5 minutes.
C. Use Amazon SQS with AWS Lambda to generate reports.
D. Increase the idle timeout on the Application Load Balancer to 5 minutes.

Answer: C

28. A company has implemented one of its microservices on AWS Lambda that accesses an Amazon DynamoDB
table named Books. A solutions architect is designing an IAM policy to be attached to the Lambda
function's IAM role, giving it access to put, update, and delete items in the Books table. The IAM policy must
prevent the function from performing any other actions on the Books table or any other.
Which IAM policy would fulfill these needs and provide the LEAST privileged access?

A.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutUpdateDeleteOnBooks",
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    }
  ]
}

B.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutUpdateDeleteOnBooks",
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/*"
    }
  ]
}

C.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutUpdateDeleteOnBooks",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    }
  ]
}

D.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PutUpdateDeleteOnBooks",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    },
    {
      "Sid": "PutUpdateDeleteOnBooks",
      "Effect": "Deny",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:us-west-2:123456789012:table/Books"
    }
  ]
}

Answer: A

29. A company is planning to build a new web application on AWS. The company expects predictable traffic
most of the year and very high traffic on occasion. The web application needs to be highly available and fault
tolerant with minimal latency.
What should a solutions architect recommend to meet these requirements?

A. Use an Amazon Route 53 routing policy to distribute requests to two AWS Regions, each with one Amazon
EC2 instance.
B. Use Amazon EC2 instances in an Auto Scaling group with an Application Load Balancer across multiple
Availability Zones.
C. Use Amazon EC2 instances in a cluster placement group and include the cluster placement group within a
new Auto Scaling group.
D. Use Amazon EC2 instances in a cluster placement group with an Application Load Balancer across multiple
Availability Zones.

Answer: B

30. A public-facing web application queries a database hosted on an Amazon EC2 instance in a private subnet.
A large number of queries involve multiple table joins, and the application performance has been degrading
due to an increase in complex queries. The application team will be performing updates to improve
performance. What should a solutions architect recommend to the application team? (Choose two)

A. Create a read replica to offload queries
B. Cache query data in Amazon SQS
C. Migrate the database to Amazon RDS
D. Migrate the database to Amazon Athena
E. Implement Amazon DynamoDB Accelerator to cache data

Answer: AC

31. A leasing company generates and emails PDF statements every month for all its customers. Each
statement is about 400 KB in size. Customers can download their statements from the website for up to 30
days from when the statements were generated. At the end of their 3-year lease, the customers are emailed
a ZIP file that contains all the statements. What is the MOST cost-effective storage solution for this situation?

A. Store the statements using the Amazon S3 Glacier storage class. Create a lifecycle policy to move the
statements to Amazon S3 Glacier Deep Archive storage after 30 days.
B. Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the
statements to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) storage after 30 days.
C. Store the statements using the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class.
Create a lifecycle policy to move the statements to Amazon S3 Glacier storage after 30 days.
D. Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the
statements to Amazon S3 Glacier storage after 1 day.

Answer: A

32. A company's production application runs online transaction processing (OLTP) transactions on an Amazon
RDS MySQL DB instance. The company is launching a new reporting tool that will access the same data. The
reporting tool must be highly available and not impact the performance of the production application. How
can this be achieved?

A. Create a Multi-AZ RDS Read Replica of the production RDS DB instance.
B. Create a Single-AZ RDS Read Replica of the production RDS DB instance. Create a second Single-AZ RDS
Read Replica from the replica.
C. Create multiple RDS Read Replicas of the production RDS DB instance. Place the Read Replicas in an Auto
Scaling group.
D. Create hourly snapshots of the production RDS DB instance.

Answer: A

33. A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The
chief information security officer has directed that no application traffic between the two services should
traverse the public Internet. Which capability should the solutions architect use to meet the compliance
requirements?

A. Private subnet
B. AWS Key Management Service (AWS KMS)
C. VPC endpoint
D. Virtual private gateway

Answer: C

34. A company operates an eCommerce website on Amazon EC2 instances behind an Application Load
Balancer (ALB) in an Auto Scaling group. The site is experiencing performance issues related to a high request
rate from illegitimate external systems with changing IP addresses. The security team is worried about
potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a
way that has a minimal impact on legitimate users. What should a solutions architect recommend?

A. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.
B. Deploy Amazon Inspector and associate it with the ALB.
C. Deploy AWS WAF, associate it with the ALB, and configure a rate-limiting rule.
D. Deploy rules to the network ACLs associated with the ALB to block the incoming traffic.

Answer: C

35. A company is planning to use Amazon S3 to store images uploaded by its users. The images must be
encrypted at rest in Amazon S3. The company does not want to spend time managing and rotating the keys,
but it does want to control who can access those keys. What should a solutions architect use to accomplish
this?

A. Server-Side Encryption with Customer-Provided Keys (SSE-C)
B. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
C. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
D. Server-Side Encryption with keys stored in an S3 bucket

Answer: B

36. A solutions architect is designing a hybrid application using the AWS cloud. The network between the
on-premises data center and AWS will use an AWS Direct Connect (DX) connection. The application connectivity
between AWS and the on-premises data center must be highly resilient. Which DX configuration should be
implemented to meet these requirements?

A. Configure multiple virtual interfaces on top of a DX connection
B. Configure a DX connection using the most reliable DX partner
C. Configure a DX connection with a VPN on top of it
D. Configure DX connections at multiple DX locations.

Answer: D

37. A start-up company has a web application based in the us-east-1 Region with multiple Amazon EC2
instances running behind an Application Load Balancer across multiple Availability Zones. As the company's
user base grows in the us-west-1 Region, it needs a solution with low latency and high availability. What should
a solutions architect do to accomplish this?

A. Provision EC2 instances and configure an Application Load Balancer in us-west-1. Configure Amazon Route
53 with a weighted routing policy. Create an alias record in Route 53 that points to the Application Load
Balancer.
B. Provision EC2 instances in us-west-1. Switch the Application Load Balancer to a Network Load Balancer to
achieve cross-Region load balancing.
C. Provision EC2 instances and configure an Application Load Balancer in us-west-1. Create an accelerator
in AWS Global Accelerator that uses an endpoint group that includes the load balancer endpoints in both
Regions.
D. Provision EC2 instances and an Application Load Balancer in us-west-1. Make the load balancer distribute
the traffic based on the location of the request.

Answer: C

38. A company is migrating to the AWS Cloud. A file server is the first workload to migrate. Users must be
able to access the file share using the Server Message Block (SMB) protocol. Which AWS managed service
meets these requirements?

A. Amazon S3
B. Amazon EBS
C. Amazon EC2
D. Amazon FSx

Answer: D

39. A company is running a photo hosting service in the us-east-1 Region. The service enables users across
multiple countries to upload and view photos. Some photos are heavily viewed for months, and others are
viewed for less than a week. The application allows uploads of up to 20 MB for each photo. The service uses
the photo metadata to determine which photos to display to each user.
Which solution provides the appropriate user access MOST cost-effectively?

A. Store the photos in Amazon DynamoDB. Turn on DynamoDB Accelerator (DAX) to cache frequently viewed
items.
B. Store the photos in the Amazon S3 Glacier storage class. Set up an S3 Lifecycle policy to move photos older
than 30 days to the S3 Glacier Deep Archive storage class. Store the photo metadata and its S3 location in
Amazon Elasticsearch Service (Amazon ES).
C. Store the photos in the Amazon S3 Intelligent-Tiering storage class. Store the photo metadata and its S3
location in DynamoDB.
D. Store the photos in the Amazon S3 Standard storage class. Set up an S3 Lifecycle policy to move photos
older than 30 days to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Use the object tags
to keep track of metadata.

Answer: D

40. A company is moving its on-premises Oracle database to Amazon Aurora PostgreSQL. The database has
several applications that write to the same tables. The applications need to be migrated one by one with a
month in between each migration. Management has expressed concerns that the database has a high
number of reads and writes. The data must be kept in sync across both databases throughout the migration.
What should a solutions architect recommend?

A. Use AWS DataSync for the initial migration. Use AWS Database Migration Service (AWS DMS) to create a
change data capture (CDC) replication task and a table mapping to select all tables.
B. Use the AWS Schema Conversion Tool with AWS Database Migration Service (AWS DMS) using a compute
optimized replication instance. Create a full load plus change data capture (CDC) replication task and a table
mapping to select the largest tables.
C. Use the AWS Schema Conversion Tool with AWS Database Migration Service (AWS DMS) using a
memory optimized replication instance. Create a full load plus change data capture (CDC) replication task
and a table mapping to select all tables.
D. Use AWS DataSync for the initial migration. Use AWS Database Migration Service (AWS DMS) to create a
full load plus change data capture (CDC) replication task and a table mapping to select all tables.

Answer: C

41. A company is creating a web application that will store a large number of images in Amazon S3. The
images will be accessed by users over variable periods of time. The company wants to:

• Retain all the images

• Incur no cost for retrieval

• Have minimal management overhead.

• Have the images available with no impact on retrieval time.

Which solution meets these requirements?

A. Implement an S3 Lifecycle policy to move data to S3 Standard-Infrequent Access (S3 Standard-IA).
B. Implement S3 storage class analysis.
C. Implement S3 Intelligent-Tiering.
D. Implement an S3 Lifecycle policy to move data to S3 One Zone-Infrequent Access (S3 One Zone-IA).

Answer: C

42. A solutions architect is working on optimizing a legacy document management application running on
Microsoft Windows Server in an on-premises data center. The application stores a large number of files on a
network file. The chief information officer wants to reduce the on-premises data center footprint and
minimize storage costs by moving on-premises storage to AWS. What should the solutions architect do to
meet these requirements?

A. Set up an AWS Storage Gateway file gateway.

B. Set up an Amazon Elastic Block Store (Amazon EBS) volume

C. Set up Amazon Elastic File System (Amazon EFS)

D. Set up AWS Storage Gateway as a volume gateway

Answer: A

43. A gaming company has multiple Amazon EC2 instances in a single Availability Zone for its multiplayer
game that communicates with users on Layer 4. The chief technology officer (CTO) wants to make the
architecture highly available and cost-effective. What should a solutions architect do to meet these
requirements? (Choose two.)

A. Decrease the number of EC2 instances.

B. Configure an Auto Scaling group to add or remove instances in multiple Availability Zones automatically

C. Configure an Application Load Balancer in front of the EC2 instances.

D. Configure a Network Load Balancer in front of the EC2 instances.

E. Increase the number of EC2 instances.

Answer: BD

44. A company has enabled AWS CloudTrail logs to deliver log files to an Amazon S3 bucket for each of its
developer accounts. The company has created a central AWS account for streamlining management and
audit reviews. An internal auditor needs to access the CloudTrail logs, yet access needs to be restricted for all
developer account users. The solution must be secure and optimized. How should a solutions architect meet
these requirements?

A. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central
account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing read-only
permissions to the bucket.

B. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central
account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing full
permissions to the bucket.

C. Configure an AWS Lambda function in each developer account to copy the log files to the central
account. Create an IAM role in the central account for the auditor. Attach an IAM policy providing
read-only permissions to the bucket.

D. Configure an AWS Lambda function in the central account to copy the log files from the S3 bucket in each
developer account. Create an IAM user in the central account for the auditor. Attach an IAM policy providing
full permissions to the bucket.

Answer: C

45. A company has multiple AWS accounts for various departments. One of the departments wants to share
an Amazon S3 bucket with all other departments. Which solution will require the LEAST amount of effort?

A. Enable cross-account S3 replication for the bucket.

B. Create a pre-signed URL for the bucket and share it with other departments.

C. Set the S3 bucket policy to allow cross-account access to other departments

D. Create IAM users for each of the departments and configure a read-only IAM policy.

Answer: A

46. A company needs a secure connection between its on-premises environment and AWS. This connection
does not need high bandwidth and will handle a small amount of traffic. The connection should be set up
quickly. What is the MOST cost-effective method to establish this type of connection?

A. Implement a client VPN

B. Implement AWS Direct Connect

C. Implement an AWS Site-to-Site VPN connection

D. Implement a bastion host on Amazon EC2

Answer: C

47. A recently acquired company is required to build its own infrastructure on AWS and migrate multiple
applications to the cloud within a month. Each application has approximately 50 TB of data to be transferred.
After the migration is complete, this company and its parent company will both require secure network
connectivity with consistent throughput from their data centers to the applications. A solutions architect
must ensure one-time data migration and ongoing network connectivity.

Which solution will meet these requirements?

A. AWS Site-to-Site VPN for both the initial transfer and ongoing connectivity.
B. AWS Direct Connect for both the initial transfer and ongoing connectivity.
C. AWS Snowball for the initial transfer and AWS Site-to-Site VPN for ongoing connectivity.
D. AWS Snowball for the initial transfer and AWS Direct Connect for ongoing connectivity

Answer: D

48. A website runs a web application that receives a burst of traffic each day at noon. The users upload new
pictures and content daily, but have been complaining of timeouts. The architecture uses Amazon EC2 Auto
Scaling groups, and the custom application consistently takes 1 minute to initiate upon boot up before
responding to user requests. How should a solutions architect redesign the architecture to better respond to
changing traffic?

A. Configure a Network Load Balancer with a slow start configuration.

B. Configure an Auto Scaling step scaling policy with an instance warmup condition.

C. Configure Amazon CloudFront to use an Application Load Balancer as the origin.

D. Configure AWS ElastiCache for Redis to offload direct requests to the servers.

Answer: C

49. A solutions architect must migrate a Windows Internet Information Services (IIS) web application to AWS.
The application currently relies on a file share hosted in the user's on-premises network-attached storage
(NAS). The solutions architect has proposed migrating the IIS web servers.

Which replacement to the on-premises file share is MOST resilient and durable?

A. Migrate the file share to Amazon Elastic File System (Amazon EFS).
B. Migrate the file share to AWS Storage Gateway.
C. Migrate the file share to Amazon FSx for Windows File Server.
D. Migrate the file share to Amazon RDS.

Answer: C

50. A company has created an isolated backup of its environment in another Region. The application is
running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover
process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region. What
should a solutions architect do to automate the failover process?

A. Enable an Amazon Route 53 health check.
B. Create a CNAME record on Amazon Route 53 pointing to the ALB endpoint.
C. Enable an ALB health check
D. Create conditional forwarding rules on Amazon Route 53 pointing to an internal BIND DNS server.

Answer: B

51. A media streaming company collects real-time data and stores it in a disk-optimized database system. The
company is not getting the expected throughput and wants an in-memory database storage solution that
performs faster and provides high availability using data replication. Which database should a solutions
architect recommend?

A. Amazon RDS for MySQL
B. Amazon ElastiCache for Memcached.
C. Amazon ElastiCache for Redis.
D. Amazon RDS for PostgreSQL.

Answer: C

52. A solutions architect is helping a developer design a new ecommerce shopping cart application using AWS
services. The developer is unsure of the current database schema and expects to make changes as the
ecommerce site grows. The solution needs to be highly resilient and capable of automatically scaling read
and write capacity. Which database solution meets these requirements?

A. Amazon DynamoDB with on-demand enabled
B. Amazon DynamoDB with DynamoDB Streams enabled
C. Amazon SQS and Amazon Aurora PostgreSQL
D. Amazon Aurora PostgreSQL

Answer: B

53. A company is performing an AWS Well-Architected Framework review of an existing workload deployed
on AWS. The review identified a public-facing website running on the same Amazon EC2 instance as a
Microsoft Active Directory domain controller that was installed recently to support other AWS services. A
solutions architect needs to recommend a new design that would improve the security of the architecture
and minimize the administrative demand on IT staff. What should the solutions architect recommend?

A. Create another EC2 instance in the same subnet and reinstall Active Directory on it. Uninstall Active
Directory.
B. Use AWS Directory Service to create a managed Active Directory. Uninstall Active Directory on the
current EC2 instance.
C. Enable AWS Single Sign-On (AWS SSO) with Security Assertion Markup Language (SAML) 2.0 federation
with the current Active Directory controller. Modify the EC2 instance's security group to deny public access to
Active Directory.
D. Use AWS Directory Service to create an Active Directory connector. Proxy Active Directory requests to the
Active domain controller running on the current EC2 instance.

Answer: B

54. A company runs a high-performance computing (HPC) workload on AWS. The workload required
low-latency network performance and high network throughput with tightly coupled node-to-node
communication. The Amazon EC2 instances are properly sized for compute and storage capacity, and are
launched using default options. What should a solutions architect propose to improve the performance of the
workload?

A. Choose an Elastic Inference accelerator while launching Amazon EC2 instances.
B. Choose the required capacity reservation while launching Amazon EC2 instances
C. Choose dedicated instance tenancy while launching Amazon EC2 instances
D. Choose a cluster placement group while launching Amazon EC2 instances

Answer: D

55. Organizers for a global event want to put daily reports online as static HTML pages. The pages are
expected to generate millions of views from users around the world. The files are stored in an Amazon S3
bucket. A solutions architect has been asked to design an efficient and effective solution. Which action should
the solutions architect take to accomplish this?

A. Use cross-Region replication to all Regions.
B. Generate presigned URLs for the files
C. Use Amazon CloudFront with the S3 bucket as its origin
D. Use the geoproximity feature of Amazon Route 53

Answer: C

56. A company is planning to migrate a commercial off-the-shelf application from its on-premises data center
to AWS. The software has a software licensing model using sockets and cores with predictable capacity and
uptime requirements. The company wants to use its existing licenses, which were purchased earlier this year.
Which Amazon EC2 pricing option is the MOST cost-effective?

A. Dedicated On-Demand Instances
B. Dedicated Reserved Hosts
C. Dedicated Reserved Instances
D. Dedicated On-Demand Hosts

Answer: C

57. A company is migrating a three-tier application to AWS. The application requires a MySQL database. In
the past, the application users reported poor application performance when creating new entries. These
performance issues were caused by users generating different real-time reports from the application during
working hours. Which solution will improve the performance of the application when it is moved to AWS?

A. Create an Amazon Aurora MySQL Multi-AZ DB cluster with multiple read replicas. Configure the
application to use the reader endpoint for reports.
B. Import the data into an Amazon DynamoDB table with provisioned capacity. Refactor the application to use
DynamoDB for reports.
C. Create the database on a compute optimized Amazon EC2 instance. Ensure compute resources exceed the
on-premises database.
D. Create an Amazon Aurora MySQL Multi-AZ DB cluster. Configure the application to use the backup instance
of the cluster as an endpoint for the reports.

Answer: A

58. A company has developed a new video game as a web application. The application is in a three-tier
architecture in a VPC with Amazon RDS for MySQL in the database layer. Several players will compete
concurrently online. The game's developers want to display a top-10 scoreboard in near-real time and offer
the ability to stop and restore the game while preserving the current scores. What should a solutions
architect do to meet these requirements?

A. Create a read replica on Amazon RDS for MySQL to run queries to compute the scoreboard and serve the
read traffic to the web application.
B. Place an Amazon CloudFront distribution in front of the web application to cache the scoreboard in a
section of the application
C. Set up an Amazon ElastiCache for Memcached cluster to cache the scores for the web application to
display.
D. Set up an Amazon ElastiCache for Redis cluster to compute and cache the scores for the web application to
display

Answer: C

59. A company hosts an application on an Amazon EC2 instance that requires a maximum of 200 GB storage
space. The application is used infrequently, with peaks during mornings and evenings. Disk I/O varies, but
peaks at 3000 IOPS. The chief financial officer of the company is concerned about costs and has asked a
solutions architect to recommend the most cost-effective storage option that does not sacrifice performance.
Which solution should the solutions architect recommend?

A. Amazon EBS General Purpose SSD (gp2)
B. Amazon EBS Cold HDD (sc1)
C. Amazon EBS Provisioned IOPS SSD (io1)
D. Amazon EBS Throughput Optimized HDD (st1)

Answer: A

60. A company is seeing access requests by some suspicious IP addresses. The security team discovers the
requests are from different IP addresses under the same CIDR range. What should a solutions architect
recommend to the team?

A. Add a deny rule in the inbound table of the network ACL with a lower number than other rules.
B. Add a rule in the outbound table of the security group to deny the traffic from that CIDR range.
C. Add a deny rule in the outbound table of the network ACL with a lower rule number than other rules
D. Add a rule in the inbound table of the security group to deny the traffic from that CIDR range.

Answer: A

61. A company has an application that calls AWS Lambda functions. A recent code review found database
credentials stored in the source code. The database credentials need to be removed from the Lambda source
code. The credentials must then be securely stored and rotated on an ongoing basis to meet security policy
requirements. What should a solutions architect recommend to meet these requirements?

A. Store the password in AWS Secrets Manager. Associate the Lambda function with a role that can
retrieve the password from Secrets Manager given its secret ID
B. Move the database password to an environment variable associated with the Lambda function. Retrieve
the password from the environment variable upon execution.
C. Store the password in AWS Key Management Service (AWS KMS). Associate the Lambda function with a
role that can retrieve the password from AWS KMS given its key ID
D. Store the password in AWS CloudHSM. Associate the Lambda function with a role that can retrieve the
password from CloudHSM given its key ID.

Answer: A

62. The financial application at a company stores monthly reports in an Amazon S3 bucket. The vice president
of finance has mandated that all access to these reports be logged and that any modifications to the log files
be detected. Which actions can a solutions architect take to meet these requirements?

A. Use S3 server access logging on the bucket that houses the reports with the read and write data events
and log file validation options enabled
B. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write data events on the S3
bucket that houses the reports. Log these events to a new bucket, and enable log file validation.
C. Use S3 server access logging on the bucket that houses the reports with the read and write management
events and log file validation options enabled
D. Use AWS CloudTrail to create a new trail. Configure the trail to log read and write management events on
the S3 bucket that houses the reports. Log these events to a new bucket, and enable log file validation.

Answer: B

63. A solutions architect needs to design a managed storage solution for a company's application that
includes high-performance machine learning. This application runs on AWS Fargate, and the connected
storage needs to have concurrent access to files and deliver high performance. Which storage option should
the solutions architect recommend?

A. Create an Amazon S3 bucket for the application and establish an IAM role for Fargate to communicate with
Amazon S3.
B. Create an Amazon Elastic File System (Amazon EFS) file share and establish an IAM role that allows Fargate
to communicate with Amazon EFS.
C. Create an Amazon Elastic Block Store (Amazon EBS) volume for the application and establish an IAM role
that allows Fargate to communicate with Amazon EBS.
D. Create an Amazon FSx for Lustre file share and establish an IAM role that allows Fargate to
communicate with FSx for Lustre

Answer: D

64. A company has an application with a REST-based interface that allows data to be received in near-real
time from a third-party vendor. Once received, the application processes and stores the data for further
analysis. The application is running on Amazon EC2 instances. The third-party vendor has received many 503
Service Unavailable errors when sending data to the application. When the data volume spikes, the compute
capacity reaches its maximum limit and the application is unable to process all requests. Which design should
a solutions architect recommend to provide a more scalable solution?

A. Repackage the application as a container. Deploy the application using Amazon Elastic Container Service
(Amazon ECS) using the EC2 launch type with an Auto Scaling group.
B. Use Amazon Simple Notification Service (Amazon SNS) to ingest the data. Put the EC2 instances in an Auto
Scaling group behind an Application Load Balancer.
C. Use Amazon Kinesis Data Streams to ingest the data. Process the data using AWS Lambda functions.
D. Use Amazon API Gateway on top of the existing application. Create a usage plan with a quota limit for the
third-party vendor

Answer: C

65. A company runs an application using Amazon ECS. The application creates resized versions of an original
image and then makes Amazon S3 API calls to store the resized images in Amazon S3. How can a solutions
architect ensure that the application has permission to access Amazon S3?

A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the
container.
B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task
definition.
C. Create a security group that allows access from Amazon ECS to Amazon S3, and update the launch
configuration used by the ECS cluster.
D. Create an IAM user with S3 permissions and then relaunch the Amazon EC2 instances for the ECS cluster
while logged in as this account

Answer: B

66. A company requires a durable backup storage solution for its on-premises database servers while
ensuring on-premises applications maintain access to these backups for quick recovery. The company will use
AWS storage services as the destination for these backups. A solutions architect is designing a solution with
minimal operational overhead. Which solution should the solutions architect implement?

A. Back up the databases to an AWS Storage Gateway volume gateway and access it using the Amazon S3 API
B. Deploy an AWS Storage Gateway file gateway on-premises and associate it with an Amazon S3 bucket.
C. Transfer the database backup files to an Amazon Elastic Block Store (Amazon EBS) volume attached to an
Amazon EC2 instance.
D. Back up the database directly to an AWS Snowball device and use lifecycle rules to move the data to
Amazon S3 Glacier Deep Archive.

Answer: B

67. A company has NFS servers in an on-premises data center that need to periodically back up small
amounts of data to Amazon S3. Which solution meets these requirements and is MOST cost-effective?

A. Set up an AWS Direct Connect connection between the on-premises data center and a VPC, and copy the
data to Amazon S3.
B. Set up an SFTP sync using AWS Transfer for SFTP to sync data from on-premises to Amazon S3
C. Set up an AWS DataSync agent on the on-premises servers, and sync the data to Amazon S3
D. Set up AWS Glue to copy the data from the on-premises servers to Amazon S3

Answer: B

68. A solutions architect needs to design a resilient solution for Windows users' home directories. The
solution must provide fault tolerance, file-level backup and recovery, and access control, based upon the
company's Active Directory. Which storage solution meets these requirements?

A. Configure a Multi-AZ file system with Amazon FSx for Windows File Server. Join Amazon FSx to Active
Directory.
B. Configure Amazon Elastic Block Store (Amazon EBS) to store the users' home directories. Configure AWS
Single Sign-On with Active Directory.
C. Configure Amazon S3 to store the users' home directories. Join Amazon S3 to Active Directory.
D. Configure Amazon Elastic File System (Amazon EFS) for the users' home directories. Configure AWS Single
Sign-On with Active Directory

Answer: B

69. A company has a two-tier application architecture that runs in public and private subnets. Amazon EC2
instances running the web application are in the public subnet and a database runs on the private subnet.
The web application instances and the database are running in a single Availability Zone (AZ). Which
combination of steps should a solutions architect take to provide high availability for this architecture?
(Choose two.)

A. Create new public and private subnets in the same AZ for high availability
B. Create an Amazon EC2 Auto Scaling group and Application Load Balancer spanning multiple AZs.
C. Add the existing web application instances to an Auto Scaling group behind an Application Load Balancer.
D. Create new public and private subnets in a new AZ. Create a database using Amazon EC2 in one AZ.
E. Create new public and private subnets in the same VPC, each in a new AZ. Migrate the database to an
Amazon RDS multi-AZ deployment.

Answer: BE

70. A financial services company has a web application that serves users in the United States and Europe. The
application consists of a database tier and a web server tier. The database tier consists of a MySQL database
hosted in us-east-1. Amazon Route 53 geoproximity routing is used to direct traffic to instances in the closest
Region. A performance review of the system reveals that European users are not receiving the same level of
query performance as those in the United States. Which changes should be made to the database tier to
improve performance?

A. Migrate the database to Amazon DynamoDB. Use DynamoDB global tables to enable replication to
additional Regions.
B. Migrate the database to Amazon RDS for MySQL. Configure Multi-AZ in one of the European Regions.
C. Migrate the database to an Amazon Aurora global database in MySQL compatibility mode. Configure
read replicas in one of the European Regions.
D. Deploy MySQL instances in each Region. Deploy an Application Load Balancer in front of MySQL to reduce
the load on the primary instance.

Answer: C

71. A solutions architect is redesigning a monolithic application to be a loosely coupled application composed
of two microservices: Microservice A and Microservice B. Microservice A places messages in a main Amazon
Simple Queue Service (Amazon SQS) queue for Microservice B to consume. When Microservice B fails to
process a message after four retries, the message needs to be removed from the queue and stored for
further investigation. What should the solutions architect do to meet these requirements?

A. Create an SQS queue for failed messages. Microservice A adds failed messages to that queue after
Microservice B receives and fails to process the message four times.
B. Create an SQS dead-letter queue. Configure the main SQS queue to deliver messages to the dead-letter
queue after the message has been received four times.
C. Create an SQS dead-letter queue. Microservice B adds failed messages to that queue after it receives and
fails to process the message four times.
D. Create an SQS queue for failed messages. Configure the SQS queue for failed messages to pull messages
from the main SQS queue after the original message has been received four times.

Answer: B

72. A company receives 10 TB of instrumentation data each day from several machines located at a single
factory. The data consists of JSON files stored on a storage area network (SAN) in an on-premises data center
located within the factory. The company wants to send this data to Amazon S3 where it can be accessed by
several additional systems that provide critical near-real-time analytics. A secure transfer is important
because the data is considered sensitive. Which solution offers the MOST reliable data transfer?

A. AWS Database Migration Service (AWS DMS) over public internet
B. AWS Database Migration Service (AWS DMS) over AWS Direct Connect
C. AWS DataSync over public internet
D. AWS DataSync over AWS Direct Connect

Answer: D

73. A company's application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The
instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. On the first day of
every month at midnight, the application becomes much slower when the month-end financial calculation
batch executes. This causes the CPU utilization of the EC2 instances to immediately peak to 100%, which
disrupts the application. What should a solutions architect recommend to ensure the application is able to
handle the workload and avoid downtime?

A. Configure an Amazon CloudFront distribution in front of the ALB.
B. Configure an EC2 Auto Scaling simple scaling policy based on CPU utilization.
C. Configure an EC2 Auto Scaling scheduled scaling policy based on the monthly schedule.
D. Configure Amazon ElastiCache to remove some of the workload from the EC2 instances.

Answer: C

74. A company runs an application in a branch office within a small data closet with no virtualized compute
resources. The application data is stored on an NFS volume. Compliance standards require a daily offsite
backup of the NFS volume. Which solution meets these requirements?

A. Install an AWS Storage Gateway volume gateway with cached volumes on-premises to replicate the data to
Amazon S3
B. Install an AWS Storage Gateway volume gateway with stored volumes on-premises to replicate the data to
Amazon S3.
C. Install an AWS Storage Gateway file gateway hardware appliance on-premises to replicate the data to
Amazon S3.
D. Install an AWS Storage Gateway file gateway on-premises to replicate the data to Amazon S3.

Answer: C

75. A company is hosting an election reporting website on AWS for users around the world. The website uses
Amazon EC2 instances for the web and application tiers in an Auto Scaling group with Application Load
Balancers. The database tier uses an Amazon RDS for MySQL database. The website is updated with election
results once an hour and has historically observed hundreds of users accessing the reports. The company is
expecting a significant increase in demand because of upcoming elections in different countries. A solutions
architect must improve the website's ability to handle additional demand while minimizing the need for
additional EC2 instances. Which solution will meet these requirements?

A. Launch an Amazon CloudFront web distribution to cache commonly requested website content.
B. Deploy a reverse proxy into the design using an EC2 instance with caching enabled for commonly
requested website content
C. Launch an Amazon ElastiCache cluster to cache common database queries
D. Enable disk-based caching on the EC2 instances to cache commonly requested website content.

Answer: A

76. A solutions architect is designing a customer-facing application. The application is expected to have a
variable amount of reads and writes depending on the time of year and clearly defined access patterns
throughout the year. Management requires that database auditing and scaling be managed in the AWS Cloud.
The Recovery Point Objective (RPO) must be less than 5 hours. Which solutions can accomplish this? (Choose
two.)

A. Use Amazon Redshift. Configure concurrency scaling. Enable audit logging. Perform database snapshots
every 4 hours.
B. Use Amazon DynamoDB with auto-scaling. Use on-demand backups and AWS CloudTrail.
C. Use Amazon DynamoDB with auto-scaling. Use on-demand backups and Amazon DynamoDB Streams.
D. Use Amazon RDS with auto-scaling. Enable the database auditing parameter. Configure the backup
retention period to at least 1 day.
E. Use Amazon RDS with Provisioned IOPS. Enable the database auditing parameter. Perform database
snapshots every 5 hours.

Answer: BC

77. A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's
chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by
eliminating the use of physical backup tapes. The company must preserve the existing investment in the
on-premises backup applications and workflows. What should a solutions architect recommend?

A. Set up an Amazon EFS file system that connects with the backup applications using the NFS interface
B. Set up AWS Storage Gateway to connect with the backup applications using the NFS interface
C. Set up an Amazon EFS file system that connects with the backup applications using the iSCSI interface
D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library
(VTL) interface.

Answer: D

78. A company is working with an external vendor that requires write access to the company's Amazon
Simple Queue Service (Amazon SQS) queue. The vendor has its own AWS account. What should a solutions
architect do to implement least privilege access?

A. Update the permission policy on the SQS queue to give write access to the vendor's AWS account.
B. Update AWS Resource Access Manager to provide write access to the SQS queue from the vendor's AWS
account
C. Create an IAM user with write access to the SQS queue and share the credentials for the IAM user.
D. Create a cross-account role with access to all SQS queues and use the vendor's AWS account in the trust
document for the role.

Answer: D

79. A company wants to use high performance computing (HPC) infrastructure on AWS for financial risk
modeling. The company's HPC workloads run on Linux. Each HPC workflow runs on hundreds of Amazon EC2
Spot Instances, is short-lived, and generates thousands of output files that are ultimately stored in persistent
storage for analytics and long-term future use. The company seeks a cloud storage solution that permits the
copying of on-premises data to long-term persistent storage to make data available for processing by all EC2
instances. The solution should also be a high performance file system that is integrated with persistent
storage to read and write datasets and output files. Which combination of AWS services meets these
requirements?

A. Amazon S3 bucket with a VPC endpoint integrated with an Amazon Elastic Block Store (Amazon EBS)
General Purpose SSD (gp2) volume
B. Amazon FSx for Windows File Server integrated with Amazon S3
C. Amazon FSx for Lustre integrated with Amazon S3
D. Amazon S3 Glacier integrated with Amazon Elastic Block Store (Amazon EBS)

Answer: C

80. A company has a web application with sporadic usage patterns. There is heavy usage at the beginning of
each month, moderate usage at the start of each week, and unpredictable usage during the week. The
application consists of a web server and a MySQL database server running inside the data center. The
company would like to move the application to the AWS Cloud, and needs to select a cost-effective database
platform that will not require database modifications. Which solution will meet these requirements?

A. Amazon DynamoDB
B. Amazon RDS for MySQL
C. MySQL-compatible Amazon Aurora Serverless
D. MySQL deployed on Amazon EC2 in an Auto Scaling group

Answer: B

81. A company needs to store data in Amazon S3. A compliance requirement states that when any changes
are made to objects, the previous state of the object with any changes must be preserved. Additionally, files
older than 5 years should not be accessed but need to be archived for auditing. What should a solutions
architect recommend that is MOST cost-effective?

A. Enable object-level versioning and S3 Object Lock in governance mode
B. Enable object-level versioning. Enable a lifecycle policy to move data older than 5 years to S3 Glacier
Deep Archive.
C. Enable object-level versioning and S3 Object Lock in compliance mode.
D. Enable object-level versioning. Enable a lifecycle policy to move data older than 5 years to
S3 Standard-Infrequent Access (S3 Standard-IA).

Answer: B

82. An application hosted on AWS is experiencing performance problems, and the application vendor wants
to perform an analysis of the log file to troubleshoot further. The log file is stored on Amazon S3 and is 10 GB
in size. The application owner will make the log file available to the vendor for a limited time. What is the MOST
secure way to do this?

A. Enable public read on the S3 object and provide the link to the vendor
B. Create an IAM user for the vendor to provide access to the S3 bucket and the application. Enforce
multi-factor authentication.
C. Generate a presigned URL and have the vendor download the log file before it expires.
D. Upload the file to Amazon WorkDocs and share the public link with the vendor

Answer: C

83. A company has an application that uses Amazon Elastic File System (Amazon EFS) to store data. The files
are 1 GB in size or larger and are accessed often only for the first few days after creation. The application
data is shared across a cluster of Linux servers. The company wants to reduce storage costs for the
application. What should a solutions architect do to meet these requirements?

A. Configure a lifecycle policy to move the files to the EFS Infrequent Access (IA) storage class after 7 days.
B. Implement Amazon FSx and mount the network drive on each server.
C. Move the files from Amazon EFS and store them locally on each Amazon EC2 instance
D. Move the files to Amazon S3 with S3 Lifecycle policies enabled. Rewrite the application to support
mounting the S3 bucket.

Answer: D

84. A company runs a web service on Amazon EC2 instances behind an Application Load Balancer. The
instances run in an Amazon EC2 Auto Scaling group across two Availability Zones. The company needs a
minimum of four instances at all times to meet the required service level agreement (SLA) while keeping
costs low. If an Availability Zone fails, how can the company remain compliant with the SLA?

A. Add a target tracking scaling policy with a short cooldown period.
B. Change the Auto Scaling group to use six servers across three Availability Zones
C. Change the Auto Scaling group launch configuration to use a larger instance type
D. Change the Auto Scaling group to use eight servers across two Availability Zones

Answer: A

85. A company has media and application files that need to be shared internally. Users currently are
authenticated using Active Directory and access files from a Microsoft Windows platform. The chief executive
officer wants to keep the same user permissions, but wants the company to improve the process as the
company is reaching its storage capacity limit. What should a solutions architect recommend?

A. Set up Amazon EC2 on Windows, attach multiple Amazon Elastic Block Store (Amazon EBS) volumes, and
move all media and application files.
B. Configure Amazon FSx for Windows File Server and move all the media and application files.
C. Set up a corporate Amazon S3 bucket and move all media and application files.
D. Configure Amazon Elastic File System (Amazon EFS) and move all media and application files.

Answer: B

86. A marketing company is storing CSV files in an Amazon S3 bucket for statistical analysis. An application on
an Amazon EC2 instance needs permission to efficiently process the CSV data stored in the S3 bucket. Which
action will MOST securely grant the EC2 instance access to the S3 bucket?

A. Create an IAM user for the application with specific permissions to the S3 bucket
B. Store AWS credentials directly on the EC2 instance for applications on the instance to use for API calls.
C. Attach a resource-based policy to the S3 bucket
D. Associate an IAM role with least privilege permissions to the EC2 instance profile.

Answer: D

87. A company has an Amazon S3 bucket that contains mission-critical data. The company wants to ensure
this data is protected from accidental deletion. The data should still be accessible, and a user should be able
to delete the data intentionally. Which combination of steps should a solutions architect take to accomplish
this? (Select TWO.)

A. Create a bucket policy on the S3 bucket.
B. Enable MFA Delete on the S3 bucket
C. Enable versioning on the S3 bucket.
D. Enable default encryption on the S3 bucket
E. Create a Recycle policy for the objects in the S3 bucket

Answer: BC

88. A three-tier web application processes orders from customers. The web tier consists of Amazon EC2
instances behind an Application Load Balancer, a middle tier of three EC2 instances decoupled from the web
tier using Amazon SQS, and an Amazon DynamoDB backend. At peak times, customers who submit orders
using the site have to wait much longer than normal to receive confirmations due to lengthy processing
times. A solutions architect needs to reduce these processing times. Which action will be MOST effective in
accomplishing this?

A. Replace the SQS queue with Amazon Kinesis Data Firehose
B. Use Amazon EC2 Auto Scaling to scale out the middle tier instances based on the SQS queue depth
C. Use Amazon ElastiCache for Redis in front of the DynamoDB backend tier
D. Add an Amazon CloudFront distribution to cache the responses for the web tier.

Answer: B

89. A media company is evaluating the possibility of moving its systems to the AWS Cloud. The company
needs at least 10 TB of storage with the maximum possible I/O performance for video processing, 300 TB of
very durable storage for storing media content, and 900 TB of storage to meet requirements for archival
media that is not in use anymore. Which set of services should a solutions architect recommend to meet
these requirements?

A. Amazon EBS for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier
for archival storage.
B. Amazon EBS for maximum performance, Amazon EFS for durable data storage, and Amazon S3 Glacier for
archival storage.
C. Amazon EC2 instance store for maximum performance, Amazon EFS for durable data storage, and Amazon
S3 for archival storage.
D. Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon
S3 Glacier for archival storage.

Answer: A

90. A company receives data from millions of users totaling about 1 TB each day. The company provides its
users with usage reports going back 12 months. All usage data must be stored for at least 5 years to comply
with regulatory and auditing requirements. Which storage solution is MOST cost-effective?

A. Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 Glacier Deep
Archive after 1 year. Set a lifecycle rule to delete the data after 5 years.
B. Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 Standard-Infrequent
Access (S3 Standard-IA) after 1 year. Set a lifecycle rule to delete the data after 5 years.
C. Store the data in Amazon S3 Standard. Set a lifecycle rule to transition the data to S3 One Zone-Infrequent
Access (S3 One Zone-IA) after 1 year. Set a lifecycle rule to delete the data after 5 years.
D. Store the data in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA). Set a lifecycle rule to transition
the data to S3 Glacier after 1 year. Set the lifecycle rule to delete the data after 5 years.

Answer: A

91. A company uses an Amazon S3 bucket to store static images for its website. The company configured
permissions to allow access to Amazon S3 objects by privileged users only. What should a solutions architect
do to protect against data loss? (Choose two.)

A. Use MFA Delete to require multi-factor authentication to delete an object.
B. Enable access logging on the S3 bucket.
C. Enable versioning on the S3 bucket.
D. Configure an S3 lifecycle rule to transition objects to Amazon S3 Glacier
E. Enable server-side encryption on the S3 bucket

Answer: AC

92. A company hosts its core network services, including directory services and DNS, in its on-premises data
center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS
accounts are planned that will require quick, cost-effective, and consistent access to these network services.
What should a solutions architect implement to meet these requirements with the LEAST amount of
operational overhead?

A. Create a DX connection in each new account. Route the network traffic to the on-premises servers
B. Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route
network traffic to the on-premises servers.
C. Create a VPN connection between each new account and the DX VPC. Route the network traffic to the
on-premises servers.
D. Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the
on-premises servers.

Answer: B

93. A company recently released a new type of internet-connected sensor. The company is expecting to sell
thousands of sensors, which are designed to stream high volumes of data each second to a central location. A
solutions architect must design a solution that ingests and stores data so that engineering teams can analyze
it in near-real time with millisecond responsiveness. Which solution should the solutions architect
recommend?

A. Use an Amazon SQS queue to ingest the data. Consume the data with an AWS Lambda function, which
then stores the data in Amazon Redshift.
B. Use an Amazon SQS queue to ingest the data. Consume the data with an AWS Lambda function, which
then stores the data in Amazon DynamoDB.
C. Use Amazon Kinesis Data Streams to ingest the data. Consume the data with an AWS Lambda function,
which then stores the data in Amazon DynamoDB.
D. Use Amazon Kinesis Data Streams to ingest the data. Consume the data with an AWS Lambda function,
which then stores the data in Amazon Redshift.

Answer: D

94. A manufacturing company wants to implement predictive maintenance on its machinery equipment. The
company will install thousands of IoT sensors that will send data to AWS in real time. A solutions architect is
tasked with implementing a solution that will receive events in an ordered manner for each machinery asset
and ensure that data is saved for further processing at a later time. Which solution would be MOST efficient?

A. Use Amazon Kinesis Data Streams for real-time events with a shard for each equipment asset. Use Amazon
Kinesis Data Firehose to save data to Amazon EBS
B. Use Amazon Kinesis Data Streams for real-time events with a partition for each equipment asset. Use
Amazon Kinesis Data Firehose to save data to Amazon S3.
C. Use an Amazon SQS FIFO queue for real-time events with one queue for each equipment asset. Trigger an
AWS Lambda function for the SQS queue to save data to Amazon EFS.
D. Use an Amazon SQS standard queue for real-time events with one queue for each equipment asset.
Trigger an AWS Lambda function from the SQS queue to save data to Amazon S3.

Answer: B

95. An ecommerce company has noticed performance degradation of its Amazon RDS based web application.
The performance degradation is attributed to an increase in the number of read-only SQL queries triggered by
business analysts. A solutions architect needs to solve the problem with minimal changes to the existing web
application. What should the solutions architect recommend?

A. Load the data into Amazon ElastiCache and have the business analysts run their queries
B. Create a read replica of the primary database and have the business analysts run their queries
C. Export the data to Amazon DynamoDB and have the business analysts run their queries
D. Copy the data into an Amazon Redshift cluster and have the business analysts run their queries

Answer: B

96. A company runs an internal browser-based application. The application runs on Amazon EC2 instances
behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple
Availability Zones. The Auto Scaling group scales up to 20 instances during work hours, but scales down to 2
instances overnight. Staff are complaining that the application is very slow when the day begins, although it
runs well by mid-morning. How should the scaling be changed to address the staff complaints and keep costs
to a minimum?

A. Implement a target tracking action triggered at a lower CPU threshold, and decrease the cooldown period.
B. Implement a scheduled action that sets the desired capacity to 20 shortly before the office opens.
C. Implement a scheduled action that sets the minimum and maximum capacity to 20 shortly before the
office opens.
D. Implement a step scaling action triggered at a lower CPU threshold, and decrease the cooldown period.

Answer: B

97. A company's legacy application is currently relying on a single-instance Amazon RDS MySQL database
without encryption. Due to new compliance requirements, all existing and new data in this database must be
encrypted. How should this be accomplished?

A. Enable RDS Multi-AZ mode with encryption at rest enabled. Perform a failover to the standby instance to
delete the original instance.
B. Create an Amazon S3 bucket with server-side encryption enabled. Move all the data to Amazon S3. Delete
the RDS instance.
C. Take a Snapshot of the RDS instance. Create an encrypted copy of the snapshot. Restore the RDS
instance from the encrypted snapshot.
D. Create an RDS read replica with encryption at rest enabled. Promote the read replica to master and switch
over to the new master. Delete the old RDS instance.

Answer: C

98. A company is hosting its static website in an Amazon S3 bucket, which is the origin for Amazon
CloudFront. The company has users in the United States, Canada, and Europe and wants to reduce co What
should a solutions architect recommend?

A. Modify the CloudFront price class to include only the locations of the countries that are served
B. Implement a CloudFront Secure Sockets Layer (SSL) certificate to push security closer to the locations of
the countries that are served
C. Implement CloudFront events with Lambda@Edge to run the website's data processing
D. Adjust the CloudFront caching time to live (TTL) from the default to a longer timeframe.

Answer: D

99. A company has a service that produces event data. The company wants to use AWS to process the event
data as it is received. The data is written in a specific order that must be maintained throughout processing.
The company wants to implement a solution that minimizes operational overhead. How should a solutions
architect accomplish this?

A. Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing
payloads to process. Configure an AWS Lambda function as a subscriber.
B. Create an Amazon Simple Queue Service (Amazon SQS) FIFO queue to hold messages. Set up an AWS
Lambda function to process messages from the queue.
C. Create an Amazon Simple Notification Service (Amazon SNS) topic to deliver notifications containing
payloads to process. Configure an Amazon Simple Queue Service (Amazon SQS) queue as a subscriber.
D. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to hold messages. Set up an AWS
Lambda function to process messages from the queue independently.

Answer: B

100. An online photo application lets users upload photos and perform image editing operations. The
application offers two classes of service, free and paid. Photos submitted by paid users are processed before
those submitted by free users. Photos are uploaded to Amazon S3 and the job information is sent to Amazon
SQS. Which configuration should a solutions architect recommend?

A. Use one SQS FIFO queue. Assign a higher priority to the paid photos so they are processed first.
B. Use two SQS standard queues, one for paid and one for free. Configure Amazon EC2 instances to prioritize
polling for the paid queue over the free queue.
C. Use two SQS FIFO queues, one for paid and one for free. Set the free queue to use short polling and the paid
queue to use long polling.
D. Use one SQS standard queue. Set the visibility timeout of the paid photos to zero. Configure Amazon EC2
instances to prioritize visibility settings so paid photos are processed first.

Answer: A

101. A company runs a website on Amazon EC2 instances behind an ELB Application Load Balancer. Amazon
Route 53 and email address that users can reach if the primary website is down.

How should the company deploy this solution?

A. Deploy the application in another AWS Region and use ELB health checks for failover routing
B. Use Amazon S3 website hosting for the backup website and Route 53 failover routing policy.
C. Use Amazon S3 website hosting for the backup website and Route 53 latency routing policy
D. Deploy the application in another AWS Region and use Server-side redirection on the primary website

Answer: B

102. A company has an ecommerce application that stores data in an on-premises SQL database. The
company has decided to migrate this database to AWS. However, as part of the migration, the company
wants to find a way to attain sub-millisecond responses to common read requests.

A solutions architect knows that the increase in speed is paramount and that a small percentage of stale data
returned in the database reads is acceptable. What should the solutions architect recommend?

A. Build a database cache using Amazon Elasticsearch Service (Amazon ES)
B. Build the database as a larger instance type.
C. Build a database cache using Amazon ElastiCache
D. Build Amazon RDS read replicas

Answer: D

103. An application is running on Amazon EC2 instances. Sensitive information required for the application is
stored in an Amazon S3 bucket. The bucket needs to be protected from internet access while only allowing
services within the VPC access to the bucket.

Which combination of actions should a solutions architect take to accomplish this? (Choose two.)

A. Apply a bucket policy to restrict access to the S3 endpoint
B. Add an S3 ACL to the bucket that has sensitive information
C. Restrict users using the IAM policy to use the specific bucket
D. Create a VPC endpoint for Amazon S3.
E. Enable server access logging on the bucket

Answer: AD

104. A company has a multi-tier application that runs six front-end web servers in an Amazon EC2 Auto
Scaling group in a single Availability Zone behind an Application Load Balancer (ALB). A solutions architect
needs to modify the infrastructure to be highly available without modifying the application. Which
architecture should the solutions architect choose that provides high availability?

A. Modify the Auto Scaling group to use three instances across each of two Availability Zones.
B. Create an Auto Scaling group that uses three instances across each of two Regions
C. Create an Auto Scaling template that can be used to quickly create more instances in another Region.
D. Change the ALB in front of the Amazon EC2 instances in a round-robin configuration to balance traffic to
the web tier.

Answer: A

105. A solutions architect is designing an architecture to run a third-party database server. The database
software is memory intensive and has a CPU-based licensing model where the cost increases with the
number of vCPU cores within the operating system. The solutions architect must select an Amazon EC2
instance with sufficient memory to run the database software, but the selected instance has a large number
of vCPUs. The solutions architect must ensure that the vCPUs will not be underutilized and must minimize
costs. Which solution meets these requirements?

A. Configure the CPU cores and threads on the selected EC2 instance during instance launch.
B. Create a new Capacity Reservation and select the appropriate instance type. Launch the instance into this
new Capacity Reservation.
C. Create a new EC2 instance and ensure multithreading is enabled when configuring the instance details
D. Select and launch a smaller EC2 instance with an appropriate number of vCPUs.

Answer: D

106. A company is migrating from an on-premises infrastructure to the AWS Cloud. One of the company's
applications stores files on a Windows file server farm that uses Distributed File System Replication (DFSR) to
keep data in sync. A solutions architect needs to replace the file server farm. Which service should the
solutions architect use?

A. Amazon EFS
B. Amazon FSx
C. AWS Storage Gateway
D. Amazon S3

Answer: B

107. A solutions architect needs to design a network that will allow multiple Amazon EC2 instances to access
a common data source used for mission-critical data that can be accessed by all the EC2 instances
simultaneously. The solution must be highly scalable, easy to implement, and support the NFS protocol.

Which solution meets these requirements?

A. Create an additional EC2 instance and configure it as a file server. Create a security group that allows
communication between the instances and apply that to the additional instance.
B. Create an Amazon EFS file system. Configure a mount target in each Availability Zone. Attach each
instance to the appropriate mount target.
C. Create an Amazon EBS volume with the appropriate permissions. Create a role in AWS IAM that grants the
correct permissions to the EBS volume. Attach the role to the EC2 instances that need access to the data.
D. Create an Amazon S3 bucket with the appropriate permissions. Create a role in AWS IAM that grants the
correct permissions to the S3 bucket. Attach the role to the EC2 instances that need access to the data.

Answer: B

108. A company's dynamic website is hosted using on-premises servers in the United States. The company is
launching its product in Europe, and it wants to optimize site-loading times for new European users. The
site's backend must remain in the United States. The product is being launched in a few days, and an
immediate solution is needed. What should the solutions architect recommend?

A. Use an Amazon Route 53 geo-proximity routing policy pointing to on-premises servers.
B. Launch an Amazon EC2 instance in us-east-1 and migrate the site to it.
C. Use Amazon CloudFront with a custom origin pointing to the on-premises servers
D. Move the website to Amazon S3. Use cross-Region replication between Regions.

Answer: C

109. A solutions architect is moving the static content from a public website hosted on Amazon EC2 instances
to an Amazon S3 bucket. An Amazon CloudFront distribution will be used to deliver the static assets. The
security group used by the EC2 instances restricts access to a limited set of IP ranges. Access to the static
content should be similarly restricted. Which combination of steps will meet these requirements? (Choose
two.)

A. Create a new security group that includes the same IP restrictions that exist in the current EC2 security
group. Associate this new security group with the CloudFront distribution.
B. Create an origin access identity (OAI) and associate it with the distribution. Change the permissions in the
bucket policy so that only the OAI can read the objects.
C. Create a new security group that includes the same IP restrictions that exist in the current EC2 security
group. Associate this new security group with the S3 bucket hosting the static content.
D. Create a new IAM role and associate the role with the distribution. Change the permissions either on the
S3 bucket or on the files within the S3 bucket so that only the newly created IAM role has read and
download permissions.
E. Create an AWS WAF web ACL that includes the same IP restrictions that exist in the EC2 security group.
Associate this new web ACL with the CloudFront distribution.

Answer: CD

110. A solutions architect is performing a security review of a recently migrated workload. The workload is a
web application that consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load
Balancer. The solutions architect must improve the security posture and minimize the impact of a DDoS attack
on resources. Which solution is MOST effective?

A. Configure an AWS WAF ACL with rate-based rules. Create an Amazon CloudFront distribution that points
to the Application Load Balancer. Enable the WAF ACL on the CloudFront distribution.
B. Enable Amazon GuardDuty and configure findings written to Amazon CloudWatch. Create an event with
CloudWatch Events for DDoS alerts that triggers Amazon Simple Notification Service (Amazon SNS). Have
Amazon SNS invoke a custom AWS Lambda function that parses the logs looking for a DDoS attack. Modify a
network ACL to block identified source IP addresses.
C. Create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to
capture a potential DDoS attack. Use the identified information to modify a network ACL to block access.
D. Enable VPC Flow Logs and store them in Amazon S3. Create a custom AWS Lambda function that parses
the logs looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.

Answer: C

111. A company must generate sales reports at the beginning of every month. The reporting process launches
20 Amazon EC2 instances on the first of the month. The process runs for 7 days and cannot be interrupted.
The company wants to minimize costs. Which pricing model should the company choose?

A. Reserved Instances
B. Scheduled Reserved Instances
C. Spot Block instances
D. On-Demand Instances

Answer: B

112. A company is launching a new application deployed on an Amazon Elastic Container Service (Amazon
ECS) cluster and is using the Fargate launch type for ECS tasks. The company is monitoring CPU and memory
usage because it is expecting high traffic to the application upon its launch. However, the company wants to
reduce costs when utilization decreases. What should a solutions architect recommend?

A. Amazon EC2 Auto Scaling with simple scaling policies to scale when ECS metric breaches trigger an Amazon
CloudWatch alarm.
B. Use an AWS Lambda function to scale Amazon ECS based on metric breaches that trigger an Amazon
CloudWatch alarm.
C. Use AWS Application Auto Scaling with target tracking policies to scale when ECS metric breaches trigger
an Amazon CloudWatch alarm.
D. Use Amazon EC2 Auto Scaling to scale at certain periods based on previous traffic patterns.

Answer: C

113. A company is building applications in containers. The company wants to migrate its on-premises
development and operations services from its on-premises data center to AWS. Management states that
the production system must be cloud agnostic and use the same configuration and administrator tools across
production systems. A solutions architect needs to design a managed solution that will align with open-source
software. Which solution meets these requirements?

A. Launch the containers on Amazon EC2 with EC2 instance worker nodes
B. Launch the containers on Amazon Elastic Container Service (Amazon ECS) with AWS Fargate instances
C. Launch the containers on Amazon Elastic Kubernetes Service (Amazon EKS) and EKS worker nodes.
D. Launch the containers on Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 instance
worker nodes.

Answer: C

114. A company wants to replicate its data to AWS to recover in the event of a disaster. Today, a system
administrator has scripts that copy data to an NFS share. Individual backup files need to be accessed by
administrators to deal with errors in processing. What should a solutions architect recommend to meet these
requirements?

A. Modify the script to copy data to an AWS Storage Gateway for File Gateway virtual appliance instead of
the on-premises NFS share.
B. Modify the script to copy data to an Amazon S3 Glacier Archive instead of the on-premises NFS share.
C. Modify the script to copy data to an Amazon Elastic File System (Amazon EFS) volume instead of the
on-premises NFS share.
D. Modify the script to copy data to an Amazon S3 bucket instead of the on-premises NFS share.

Answer: A

115. A solutions architect must design a solution for a persistent database that is being migrated from
on-premises to AWS. The database requires 64,000 IOPS according to the database administrator. If possible, the
database administrator wants to use a single Amazon Elastic Block Store (Amazon EBS) volume to host the
database instance. Which solution effectively meets the database administrator's criteria?

A. Create a Nitro-based Amazon EC2 instance with an Amazon EBS Provisioned IOPS SSD (io1) volume
attached. Configure the volume to have 64,000 IOPS.
B. Use an instance from the I3 I/O optimized family and leverage local ephemeral storage to achieve the IOPS
requirement.
C. Provision two volumes and assign 32,000 IOPS to each. Create a logical volume at the operating system
level that aggregates both volumes to achieve the IOPS requirements.
D. Create and map an Amazon Elastic File System (Amazon EFS) volume to the database instance and use the
volume to achieve the required IOPS for the database.

Answer: A

116. An application running on an Amazon EC2 instance in VPC-A needs to access files in another EC2
instance in VPC-B. Both are in separate AWS accounts. The network administrator needs to design a solution
to enable secure access to the EC2 instance in VPC-B from VPC-A. The connectivity should not have a single point
of failure or bandwidth concerns. Which solution will meet these requirements?

A. Create a private virtual interface (VIF) for the EC2 instance running in VPC-B and add appropriate routes
from VPC-B.
B. Set up VPC gateway endpoints for the EC2 instance running in VPC-B.
C. Attach a virtual private gateway to VPC-B and enable routing from VPC-A.
D. Set up a VPC peering connection between VPC-A and VPC-B

Answer: A

117. A company is hosting a website behind multiple Application Load Balancers. The company has different
distribution rights for its content around the world. A solutions architect needs to ensure that users are
served the correct content without violating distribution rights.

Which configuration should the solutions architect choose to meet these requirements?

A. Configure Amazon Route 53 with a geoproximity routing policy.
B. Configure Amazon CloudFront with AWS WAF.
C. Configure Application Load Balancers with AWS WAF.
D. Configure Amazon Route 53 with a geolocation policy.

Answer: D

118. A company is running a multi-tier web application on AWS. The application runs its database tier on
Amazon Aurora MySQL. The application and database tiers are in the us-east-1 Region. A database
administrator, who regularly monitors the Aurora DB cluster, finds that an intermittent increase in read
traffic is creating high CPU utilization on the read replica and causing increased read latency of the
application. What should a solutions architect do to improve read scalability?

A. Reboot the Aurora DB cluster
B. Create a cross-Region read replica
C. Configure Aurora Auto Scaling for the read replica
D. Increase the instance class of the read replica.

Answer: A

119. A company plans to store sensitive user data on Amazon S3. Internal security compliance requirements
mandate encryption of data before sending it to Amazon S3. What should a solutions architect recommend
to satisfy these requirements?

A. Client-side encryption with Amazon S3 managed encryption keys
B. Client-side encryption with a master key stored in AWS Key Management Service (AWS KMS)
C. Server-side encryption with customer-provided encryption keys
D. Server-side encryption with keys stored in AWS Key Management Service (AWS KMS)

Answer: B

120. A solutions architect observes that a nightly batch-processing job is automatically scaled up for 1 hour
before the desired Amazon EC2 capacity is reached. The peak capacity is the same every night and the batch
jobs always start at 1 AM. The solutions architect needs to find a cost-effective solution that will allow for the
desired EC2 capacity to be reached quickly and allow the Auto Scaling group to scale down after the batch
jobs are complete. What should the solutions architect do to meet these requirements?

A. Increase the maximum capacity for the Auto Scaling group
B. Change the scaling policy to add more EC2 instances during each scaling
C. Configure scheduled scaling to scale up to the desired compute level
D. Increase the minimum capacity for the Auto Scaling group

Answer: C

121. A solutions architect is designing a solution that requires frequent updates to a website that is hosted on
Amazon S3 with versioning enabled. For compliance reasons, the older versions of the objects will not be
accessed frequently and will need to be deleted after 2 years. What should the solutions architect
recommend to meet these requirements at the LOWEST cost?

A. Replicate older object versions to a new bucket. Use an S3 Lifecycle policy to expire the objects in the new
bucket after 2 years.
B. Configure an S3 Lifecycle policy to transition older versions of objects to S3 Glacier. Expire the objects
after 2 years.
C. Enable S3 Event Notifications on the bucket that sends older objects to the Amazon Simple Queue Service
(Amazon SQS) queue for further processing.
D. Use S3 batch operations to replace object tags. Expire the objects based on the modified tags.

Answer: B

122. A company's order fulfillment service uses a MySQL database. The database needs to support a large
number of concurrent queries and transactions. Developers are spending time patching and tuning the
database. This is causing delays in releasing new product features.

The company wants to use cloud-based services to help address this new challenge. The solution must allow
the developers to migrate the database with little or no code changes and must optimize performance.

Which service should a solutions architect use to meet these requirements?

A. Amazon ElastiCache
B. MySQL on Amazon EC2
C. Amazon DynamoDB
D. Amazon Aurora

Answer: D

123. A company's website hosted on Amazon EC2 instances processes classified data stored in Amazon S3.
Due to security concerns, the company requires a private and secure connection between its EC2 resources
and Amazon S3. Which solution meets these requirements?

A. Set up a NAT gateway to access resources outside the private subnet.
B. Set up an IAM policy to grant read-write access to the S3 bucket.
C. Set up S3 bucket policies to allow access from a VPC endpoint
D. Set up an access key ID and a secret access key to access the S3 bucket

Answer: B

124. A company wants to build an online marketplace application on AWS as a set of loosely coupled
microservices. For this application, when a customer submits a new order, two microservices should handle the
event simultaneously. The Email microservice will send a confirmation email, and the Order Processing
microservice will start the order delivery process. If a customer cancels an order, the Order Cancellation and Email
microservices should handle the event simultaneously. A solutions architect wants to use Amazon Simple
Queue Service (Amazon SQS) and Amazon Simple Notification Service (Amazon SNS) to design the messaging
between the microservices. How should the solutions architect design the solution?

A. Create an SNS topic and publish order events to it. Create three SQS queues for the Email, Order
Processing, and Order Cancellation microservices. Subscribe all SQS queues to the SNS topic with message
B. Create three SNS topics for each microservice. Publish order events to the three topics. Subscribe each of
the Email, Order Processing, and Order Cancellation microservices to its own topic.
C. Create two SQS queues and publish order events to both queues simultaneously. One queue is for the
Email and Order Processing microservices. The second queue is for the Email and Order Cancellation
microservices.
D. Create a single SQS queue and publish order events to it. The Email, Order Processing, and Order
Cancellation microservices can then consume messages off the queue.

Answer: C

125. An administrator of a large company wants to monitor for and prevent any cryptocurrency-related
attacks on the company's AWS accounts. Which AWS service can the administrator use to protect the
company against attacks?

A. Amazon GuardDuty
B. Amazon Macie
C. Amazon Inspector
D. Amazon Cognito

Answer: A

126. A solutions architect must analyze and update a company's existing IAM policies prior to deploying a new
workload. The solutions architect created the following policy.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotAction": "s3:PutObject",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
  }]
}

What is the net effect of this policy?

A. Users will be denied all actions except s3:PutObject if multi-factor authentication (MFA) is enabled.
B. Users will be denied all actions except s3:PutObject if multi-factor authentication (MFA) is not enabled.
C. Users will be allowed all actions except s3:PutObject if multi-factor authentication (MFA) is enabled.
D. Users will be allowed all actions except s3:PutObject if multi-factor authentication (MFA) is not enabled.

Answer: B

127. A company is setting up an application to use an Amazon RDS MySQL DB instance. The database must be
architected for high availability across Availability Zones and AWS Regions with minimal downtime. How
should a solutions architect meet this requirement?

A. Set up an RDS MySQL Multi-AZ DB instance. Configure a read replica in a different Region.
B. Set up an RDS MySQL Multi-AZ DB instance. Configure an appropriate backup window.
C. Set up an RDS MySQL Single-AZ DB instance. Configure a read replica in a different Region.
D. Set up an RDS MySQL Single-AZ DB instance. Copy automated snapshots to at least one other Region.

Answer: A

128. A company needs guaranteed Amazon EC2 capacity in three specific Availability Zones in a specific AWS
Region for an upcoming event that will last 1 week. What should the company do to guarantee the EC2
capacity?

A. Create an On-Demand Capacity Reservation that specifies the Region and three Availability Zones
needed.
B. Purchase Reserved Instances that specify the Region needed.
C. Purchase Reserved Instances that specify the Region and three Availability Zones needed.
D. Create an On-Demand Capacity Reservation that specifies the Region needed.

Answer: A

129. A company recently migrated a message processing system to AWS. The system receives messages into
an ActiveMQ queue running on an Amazon EC2 instance. Messages are processed by a consumer application
running on Amazon EC2. The consumer application processes the messages and writes results to a MySQL
database running on Amazon EC2. The company wants this application to be highly available with low
operational complexity. Which architecture offers the HIGHEST availability?

A. Add a second ActiveMQ server to another Availability Zone. Add an additional consumer EC2 instance in
another Availability Zone. Replicate the MySQL database to another Availability Zone.
B. Use Amazon MQ with active/standby brokers configured across two Availability Zones. Add an additional
consumer EC2 instance in another Availability Zone. Replicate the MySQL database to another Availability
C. Use Amazon MQ with active/standby brokers configured across two Availability Zones. Add an Auto
Scaling group for the consumer EC2 instances across two Availability Zones. Use Amazon RDS for MySQL
with Multi-AZ enabled.
D. Use Amazon MQ with active/standby brokers configured across two Availability Zones. Add an additional
consumer EC2 instance in another Availability Zone. Use Amazon RDS for MySQL with Multi-AZ enabled.

Answer: C

130. A solutions architect wants all new users to have specific complexity requirements and mandatory r
What should the solutions architect do to accomplish this?

A. Use third-party vendor software to set password requirements.
B. Attach an Amazon CloudWatch rule to the Create_newuser event to set the password with appropriate
requirements.
C. Set a password policy for each IAM user in the AWS account.
D. Set an overall password policy for the entire AWS account.

Answer: D

131. A company has an on-premises business application that generates hundreds of files each day. These
files are stored on an SMB file share and require a low-latency connection to the application servers. A new
company policy states all application-generated files must be copied to AWS. There is already a VPN
connection to AWS. The application development team does not have time to make the necessary code
modifications to move the application to AWS. Which service should a solutions architect recommend to
allow the application to copy files to AWS?

A. AWS Snowball
B. AWS Storage Gateway
C. Amazon Elastic File System (Amazon EFS)
D. Amazon FSx for Windows File Server

Answer: D

132. A company hosts its application using Amazon Elastic Container Service (Amazon ECS) and wants to
ensure high availability. The company wants to be able to deploy updates to its application even if nodes in one
Availability Zone are not accessible. The expected request volume for the application is 100 requests per
second, and each container task is able to serve at least 60 requests per second. The company set up Amazon ECS
with a rolling update deployment type with the minimum healthy percent parameter set to 50%
and the maximum percent set to 100%. Which configuration of tasks and Availability Zones meets these
requirements?

A. Deploy the application across two Availability Zones, with one task in each Availability Zone.
B. Deploy the application across three Availability Zones, with one task in each Availability Zone.
C. Deploy the application across two Availability Zones, with two tasks in each Availability Zone.
D. Deploy the application across three Availability Zones, with two tasks in each Availability Zone.

Answer: A

133. A company provides an online service for posting video content and transcoding it for use by any mobile
platform. The application architecture uses Amazon Elastic File System (Amazon EFS) Standard to collect and
store the videos so that multiple Amazon EC2 Linux instances can access the video content for processing. As
the popularity of the service has grown over time, the storage costs have become too expensive. Which
storage solution is MOST cost-effective?

A. Use AWS Storage Gateway for volumes to store and process the video content.
B. Use Amazon EFS for storing the video content. Once processing is complete, transfer the files to Amazon
Elastic Block Store (Amazon EBS).
C. Use Amazon S3 for storing the video content. Move the files temporarily over to an Amazon Elastic Block
Store (Amazon EBS) volume attached to the server for processing.
D. Use AWS Storage Gateway for files to store and process the video content.

Answer: C

134. A company is building its web application using containers on AWS. The company requires three
instances of the web application to run at all times. The application must be able to scale to meet increases in
demand. Management is extremely sensitive to cost but agrees that the application should be highly
available.

What should a solutions architect recommend?

A. Create an Amazon Elastic Container Service (Amazon ECS) cluster using the Fargate launch type. Create a
task definition for the web application. Create an ECS service with a desired count of three tasks.
B. Create an Amazon Elastic Container Service (Amazon ECS) cluster using the Amazon EC2 launch type with
three container instances in one Availability Zone. Create a task definition for the web application. Place one
task for each container instance.
C. Create an Amazon Elastic Container Service (Amazon ECS) cluster using the Fargate launch type with one
container instance in three different Availability Zones. Create a task definition for the web application. Create
an ECS service with a desired count of three tasks.
D. Create an Amazon Elastic Container Service (Amazon ECS) cluster using the Amazon EC2 launch type
with one container instance in two different Availability Zones. Create a task definition for the web
application. Place two tasks on one container instance and one task on the remaining container instance.

Answer: D

135. A company hosts an application used to upload files to an Amazon S3 bucket. Once uploaded, the files
are processed to extract metadata, which takes less than 5 seconds. The volume and frequency of the
uploads varies from a few files each hour to hundreds of concurrent uploads. The company has asked a
solutions architect to design a cost-effective architecture that will meet these requirements.

What should the solutions architect recommend?

A. Configure an object-created event notification within the S3 bucket to invoke an AWS Lambda function
to process the files.
B. Configure AWS CloudTrail trails to log S3 API calls. Use AWS AppSync to process the files.
C. Configure Amazon Kinesis Data Streams to process and send data to Amazon S3. Invoke an AWS Lambda
function to process the files.
D. Configure an Amazon Simple Notification Service (Amazon SNS) topic to process the files uploaded to
Amazon S3. Invoke an AWS Lambda function to process the files.

Answer: A

136. A company hosts a training site on a fleet of Amazon EC2 instances. The company anticipates that its
new course, which consists of dozens of training videos on the site, will be extremely popular when it is
released in 1 week. What should a solutions architect do to minimize the anticipated server load?

A. Store the videos in Amazon ElastiCache for Redis. Update the web servers to serve the videos using the
ElastiCache API.
B. Store the videos in an Amazon S3 bucket. Create an AWS Storage Gateway file gateway to access the S3
bucket. Create a user data script for the web servers to mount the file gateway.
C. Store the videos in Amazon Elastic File System (Amazon EFS). Create a user data script for the web servers
to mount the EFS volume.
D. Store the videos in an Amazon S3 bucket. Create an Amazon CloudFront distribution with an origin access
identity (OAI) of that S3 bucket. Restrict Amazon S3 access to the OAI.

Answer: B

137. A company wants to share forensic accounting data that is stored in an Amazon RDS DB instance with an
external auditor. The auditor has its own AWS account and requires its own copy of the database. How should the
company securely share the database with the auditor?

A. Create a read replica of the database and configure IAM standard database authentication to grant the
auditor access.
B. Copy a snapshot of the database to Amazon S3 and assign an IAM role to the auditor to grant access to the
object in the bucket.
C. Export the database contents to text files, store the files in Amazon S3, and create a new IAM user for the
auditor with access to that bucket.
D. Make an encrypted snapshot of the database, share the snapshot, and allow access to the AWS Key
Management Service (AWS KMS) encryption key.

Answer: A

138. A company uses Application Load Balancers (ALBs) in different AWS Regions. The ALBs receive
inconsistent traffic that can spike and drop throughout the year. The company's networking team needs to
allow the IP addresses of the ALBs in the on-premises firewall to enable connectivity.

Which solution is the MOST scalable with minimal configuration changes?

A. Write an AWS Lambda script to get the IP addresses of the ALBs in different Regions. Update the
on-premises firewall's rule to allow the IP addresses of the ALBs.
B. Migrate all ALBs in different Regions to Network Load Balancers (NLBs). Update the on-premises
firewall's rule to allow the Elastic IP addresses of all the NLBs.
C. Launch a Network Load Balancer (NLB) in one Region. Register the private IP addresses of the ALBs in
different Regions with the NLB. Update the on-premises firewall's rule to allow the Elastic IP address
attached to the
D. Launch AWS Global Accelerator. Register the ALBs in different Regions to the accelerator. Update the
on-premises firewall's rule to allow static IP addresses associated with the accelerator.

Answer: D

139. A company is developing a mobile game that streams score updates to a backend processor and then
posts results on a leaderboard. A solutions architect needs to design a solution that can handle large traffic
spikes, process the mobile game updates in order of receipt, and store the processed updates in a highly
available database. The company also wants to minimize the management overhead required to maintain the
solution.

What should the solutions architect do to meet these requirements?

A. Push score updates to an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe an AWS
Lambda function to the SNS topic to process the updates. Store the processed updates in a SQL database
running on Amazon EC2.
B. Push score updates to Amazon Kinesis Data Streams. Process the updates with a fleet of Amazon EC2
instances set up for Auto Scaling. Store the processed updates in Amazon Redshift.
C. Push score updates to an Amazon Simple Queue Service (Amazon SQS) queue. Use a fleet of Amazon EC2
instances with Auto Scaling to process the updates in the SQS queue. Store the processed updates in an
Amazon RDS Multi-AZ DB instance.
D. Push score updates to Amazon Kinesis Data Streams. Process the updates in Kinesis Data Streams with
AWS Lambda. Store the processed updates in Amazon DynamoDB.

Answer: C

140. A company uses Amazon S3 as its object storage solution. The company has thousands of S3 buckets it
uses to store data that is accessed less frequently than others. A solutions architect found that lifecycle
policies are not consistently implemented or are implemented partially.

A. Use Amazon Elastic Block Store (Amazon EBS) automated snapshots.
B. Use S3 ACLs.
C. Use S3 Intelligent-Tiering storage.
D. Use S3 One Zone-Infrequent Access (S3 One Zone-IA).

Answer: C

141. A company that hosts its web application on AWS wants to ensure all Amazon EC2 instances, Amazon
RDS DB instances, and Amazon Redshift clusters are configured with tags. The company wants to I | w
configuring and operating this check. What should a solutions architect do to accomplish this?

A. Write API calls to check all resources for proper tag allocation. Schedule an AWS Lambda function through
Amazon CloudWatch to periodically run the code.
B. Use Cost Explorer to display resources that are not properly tagged. Tag those resources manually.
C. Write API calls to check all resources for proper tag allocation. Periodically run the code on an EC2
instance.
D. Use AWS Config rules to define and detect resources that are not properly tagged.

Answer: D

142. A company has a live chat application running on its on-premises servers that use WebSockets. The
company wants to migrate the application to AWS. Application traffic is inconsistent and the company
expects there to be more traffic with sharp spikes in the future.

The company wants a highly scalable solution with no server maintenance nor advanced capacity planning.
Which solution meets these requirements?

A. Use Amazon API Gateway and AWS Lambda with an Amazon DynamoDB table as the data store. Configure
the DynamoDB table for provisioned capacity.
B. Use Amazon API Gateway and AWS Lambda with an Amazon DynamoDB table as the data store.
Configure the DynamoDB table for on-demand capacity.
C. Run Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group with an Amazon
DynamoDB table as the data store. Configure the DynamoDB table for on-demand capacity.
D. Run Amazon EC2 instances behind a Network Load Balancer in an Auto Scaling group with an Amazon
DynamoDB table as the data store. Configure the DynamoDB table for provisioned capacity.

Answer: B

143. A company is building a document storage application on AWS. The application runs on Amazon EC2
instances in multiple Availability Zones. The company requires the document store to be highly available. The
documents need to be returned immediately when requested. The lead engineer has configured the
application to use Amazon Elastic Block Store (Amazon EBS) to store the documents, but is willing to consider
other options to meet the availability requirement. What should a solutions architect recommend?

A. Use Amazon EBS for the EC2 instance root volumes. Configure the application to build the document store
on Amazon S3 Glacier.
B. Use at least three Provisioned IOPS EBS volumes for EC2 instances. Mount the volumes to the EC2 instances
in a RAID 5 configuration.
C. Snapshot the EBS volumes regularly and build new volumes using those snapshots in additional
Availability Zones.
D. Use Amazon EBS for the EC2 instance root volumes. Configure the application to build the document store
on Amazon S3.

Answer: C

144. A company is planning to migrate its virtual server-based workloads to AWS. The company has
internet-facing load balancers backed by application servers. The application servers rely on patches from an
internet-hosted

Which services should a solutions architect recommend be hosted on the public subnet? (Choose two)

A. Amazon RDS DB instances
B. NAT gateway
C. Amazon Elastic File System (Amazon EFS) volumes
D. Amazon EC2 application servers
E. Application Load Balancers

Answer: BE

145. A company has a highly dynamic batch processing job that uses many Amazon EC2 instances to
complete it. The job is stateless in nature, can be started and stopped at any given time with no negative
impact, and typically takes upwards of 60 minutes total to complete. The company has asked a solutions
architect to design a scalable and cost-effective solution that meets the requirements of the job.

A. What should the solutions architect recommend?
B. Purchase EC2 Reserved Instances
C. Implement Reprocessing on AWS Lambda
D. Implement EC2 On-Demand Instances.
E. Implement EC2 Spot Instances

Answer: D

146. A company's website is using an Amazon RDS MySQL Multi-AZ DB instance for its transactional data
storage. There are other internal systems that query this DB instance to fetch
data for internal batch processing. The RDS DB instance slows down significantly when the internal systems
fetch data. This impacts the website's read and write performance, and the users experience slow response
times.

Which solution will improve the website's performance?

A. Use an RDS PostgreSQL DB instance instead of a MySQL database.
B. Add an additional Availability Zone to the current RDS MySQL Multi-AZ DB instance.
C. Add a read replica to the RDS DB instance and configure the internal systems to query the read replica
D. Use Amazon ElastiCache to cache the query responses for the website.

Answer: C

147. A company is deploying a multi-instance application within AWS that requires minimal latency between
the instances. What should a solutions architect recommend?

A. Use an Auto Scaling group with a cluster placement group.
B. Use a Network Load Balancer with multiple Amazon EC2 Dedicated Hosts as the targets.
C. Use an Auto Scaling group with single Availability Zones in the same AWS Region.
D. Use an Auto Scaling group with multiple Availability Zones in the same AWS Region.

Answer: A

148. A company's application hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Due to
data sensitivity, traffic cannot traverse the internet. How should a solutions architect configure access?

A. Configure AWS PrivateLink between the EC2 instance and the S3 bucket.
B. Create a private hosted zone using Amazon Route 53.
C. Configure a VPC gateway endpoint for Amazon S3 in the VPC.
D. Set up a site-to-site VPN connection between the VPC and the S3 bucket.

Answer: C

149. A company wants to deploy a shared file system for its .NET application servers and Microsoft SQL
Server databases running on Amazon EC2 instances with Windows Server 2016. The solution must be able to
be integrated into the corporate Active Directory domain, be highly durable, be managed by AWS, and
provide high levels of throughput and IOPS. Which solution meets these requirements?

A. Deploy a Windows file server on two On-Demand Instances across two Availability Zones.
B. Use Amazon FSx for Windows File Server
C. Use AWS Storage Gateway in file gateway mode.
D. Use Amazon Elastic File System (Amazon EFS)

Answer: B

150. A group requires permissions to list an Amazon S3 bucket and delete objects from that bucket. An
administrator has created the following IAM policy to provide access to the bucket and applied that policy to
the group. The group is not able to delete objects in the bucket. The company follows least-privilege access
rules.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ],
      "Effect": "Allow"
    }
  ]
}

Which statement should a solutions architect add to the policy to correct bucket access?

A. "Action": [
     "s3:DeleteObject"
   ],
   "Resource": ["arn:aws:s3:::bucket-name*"],
   "Effect": "Allow"

B. "Action": [
     "s3:object"
   ],
   "Resource": ["arn:aws:s3:::bucket-name/*"],
   "Effect": "Allow"

C. "Action": [
     "s3:DeleteObject"
   ],
   "Resource": ["arn:aws:s3:::bucket-name/*"],
   "Effect": "Allow"

Answer: C

151. An application is running on an Amazon EC2 instance and must have millisecond latency when running
the workload. The application makes many small reads and writes to the file system, but the file system itself
is small. Which Amazon Elastic Block Store (Amazon EBS) volume type should a solutions architect attach to
their EC2 instance?

A. Cold HDD (sc1)
B. General Purpose SSD (gp2)
C. IOPS SSD (io1)
D. Throughput Optimized HDD (st1)

Answer: B

152. A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4
CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for
high availability. An internet gateway is used to provide internet access for the public subnets. The private
subnets require access to the internet to allow Amazon EC2 instances to download software updates. What
should the solutions architect do to enable internet access for the private subnets?

A. Create an egress-only internet gateway on one of the public subnets. Update the route table for the
private subnets that forward non-VPC traffic to the egress-only internet gateway.
B. Create a second internet gateway on one of the private subnets. Update the route table for the
private subnets that forward non-VPC traffic to the private internet gateway.
C. Create three NAT instances, one for each private subnet in each AZ. Create a private route table for
each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
D. Create three gateways, one for each public subnet in each AZ. Create a private route table for each
AZ that forwards non-VPC traffic to the NAT gateway in its AZ.

Answer: C

153. A company runs a static website through its on-premises data center. The company has multiple servers
that handle all of its traffic interrupted the website becomes unavailable. The company wants to expand its
presence globally and plans to triple its website traffic. What should a solutions architect recommend to
meet these requirements?

A. Migrate the website content to Amazon EC2 instances and vertically scale as the load increases.
B. Migrate the website content to Amazon EC2 instances with public Elastic IP addresses in multiple
AWS Regions.
C. Use Amazon Route 53 to distribute the loads across multiple Amazon CloudFront distributions for
each AWS Region that exists globally.
D. Migrate the website content to Amazon S3 and host the website on Amazon CloudFront.

Answer: C

154. A company's web application is using multiple Linux Amazon EC2 instances and storing data on Amazon
EBS volumes. The company is looking for a solution to increase the resiliency of the application in case of a
and to provide storage that complies with atomicity, consistency, isolation, and durability (ACID). What
should a solutions architect do to meet these requirements?

A. Create an Application Load Balancer with Auto Scaling groups across multiple Availability Zones. Store
data using Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).
B. Create an Application Load Balancer with Auto Scaling groups across multiple Availability Zones.
Store data on Amazon EFS and mount a target on each instance.
C. Launch the application on EC2 instances in each Availability Zone. Attach EBS volumes to each EC2
instance.
D. Create an Application Load Balancer with Auto Scaling groups across multiple Availability Zones.
Mount an instance store on each EC2 instance.

Answer: B

155. A company is deploying a web portal. The company wants to ensure that only the web portion of the
application is publicly accessible. To accomplish this, the VPC was designed with two public subnets and two
private subnets. The application will run on several Amazon EC2 instances in an Auto Scaling group. SSL
termination must be offloaded from the EC2 instances. What should a solutions architect do to ensure these
requirements are met?

A. Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the
public subnets and associate it with the Application Load Balancer.
B. Configure the Application Load Balancer in the public subnets. Configure the Auto Scaling group in
the private subnets and associate it with the Application Load Balancer.
C. Configure the Application Load Balancer in the private subnets. Configure the Auto Scaling group in
the private subnets and associate it with the Application Load Balancer.
D. Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the
private subnets and associate it with the Application Load Balancer.

Answer: B

156. A company is running a media store across multiple Amazon EC2 instances distributed across multiple
Availability Zones in a single VPC. The company wants a high-performing solution to share data between all
the EC2 instances, and prefers to keep the data within the VPC only. What should a solutions architect
recommend?

A. Configure an Amazon Elastic Block Store (Amazon EBS) volume and mount it across all instances.
B. Configure an Amazon Elastic File System (Amazon EFS) file system and mount it across all instances.
C. Create an Amazon S3 bucket and configure all instances to access it as a mounted volume.
D. Create an Amazon S3 bucket and call the service APIs from each instance's application.

Answer: C

157. A mobile gaming company runs application servers on Amazon EC2 instances. The servers receive
updates from players every 15 minutes. The mobile game creates a JSON object of the progress made in the
game since the last update, and sends the JSON object to an Application Load Balancer. As the mobile game
is played, game updates are being lost. The company wants to create a durable way to get the updates in
order. What should a solutions architect recommend to decouple the system?

A. Use Amazon Kinesis Data Streams to capture the data and store the JSON object in Amazon S3.
B. Use Amazon Simple Notification Service (Amazon SNS) to capture the data and EC2 instances to
process the messages sent to the Application Load Balancer.
C. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues to capture the data and EC2
instances to process the messages in the queue.
D. Use Amazon Kinesis Data Firehose to capture the data, and store the JSON object in Amazon S3.

Answer: C

158. An ecommerce website is deploying its web application as Amazon Elastic Container Service (Amazon
ECS) container instances behind an Application Load Balancer (ALB). During periods of high activity, the
website slows down and availability is reduced. A solutions architect uses Amazon CloudWatch alarms to
receive notifications whenever there is an availability issue so they can scale out resources. Company
management wants a solution that automatically responds to such events. Which solution meets these
requirements?

A. Set up AWS Auto Scaling to scale out the ECS service when there are timeouts on the ALB. Set up AWS
Auto Scaling to scale out the ECS cluster when the CPU or memory reservation is too high.
B. Set up AWS Auto Scaling to scale out the ECS service when the ALB target group CPU utilization is too
high.
C. Set up AWS Auto Scaling to scale out the ECS service when the ALB CPU utilization is too high.
D. Set up AWS Auto Scaling to scale out the ECS cluster when the CPU or memory reservation is too
high.

Answer: C

159. A solutions architect is designing a highly available website that is served by multiple web servers hosted
outside of AWS. If an instance becomes unresponsive, the architect needs to remove it from the rotation.
What is the MOST efficient way to fulfill this requirement?

A. Use Amazon CloudWatch to monitor utilization.
B. Use Amazon API Gateway to monitor availability.
C. Use Amazon Route 53 health checks.
D. Use Amazon Elastic Load Balancer.

Answer: A

160. A company is migrating a Linux-based web server group to AWS. The web servers must access files in a
shared file store for some content. T° architect do to meet these requirements.

A. Create an Amazon S3 Standard bucket with access to the web server.
B. Configure an Amazon CloudFront distribution with an Amazon S3 bucket as the origin.
C. Configure Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io1) volumes and mount
them on all web servers.
D. Create an Amazon Elastic File System (Amazon EFS) volume and mount it on all web servers.

Answer: D

161. A recently created startup built a three-tier web application. The front end has static content. The
application layer is based on microservices. User data is stored as JSON documents that need to be accessed
with low latency. The company expects regular traffic to be low during the first year, with peaks in traffic
when it publicizes new features every month. The startup team needs to minimize operational overhead
costs. What should a solutions architect recommend to accomplish this?

A. Use Amazon S3 static website hosting to store and serve the front end. Use Amazon API Gateway and
AWS Lambda functions for the application layer. Use Amazon DynamoDB to store user data.
B. Use Amazon S3 static website hosting to store and serve the front end. Use Amazon Elastic
Kubernetes Service (Amazon EKS) for the application layer. Use Amazon DynamoDB to store user data.
C. Use Amazon S3 static website hosting to store and serve the front end. Use AWS Elastic Beanstalk
for the application layer. Use Amazon DynamoDB to store user data.
D. Use Amazon S3 static website hosting to store and serve the front end. Use Amazon API
Gateway and AWS Lambda functions for the application layer. Use Amazon RDS with read replicas to store
user data.

Answer: C

162. A company is deploying a production portal application on AWS. The database tier has structured data.
The company requires a solution that is easily manageable and highly available. How can these requirements
be met?

A. Use Amazon RDS with a multiple Availability Zone option
B. Deploy the database on multiple Amazon EC2 instances backed by Amazon Elastic Block Store
(Amazon EBS) across multiple Availability Zones.
C. Use Amazon DynamoDB
D. Use Amazon RDS with a single Availability Zone option and schedule periodic database snapshots

Answer: A

163. A company has a three-tier environment on AWS that ingests sensor data from its users' devices. The
traffic flows through a Network Load Balancer (NLB), then to Amazon EC2 instances for the web tier, and
finally to EC2 instances for the application tier that makes database calls. What should a solutions architect
do to improve the security of data in transit to the web tier?

A. Configure AWS Shield Advanced and enable AWS WAF on the NLB.
B. Encrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances using AWS Key
Management (AWS KMS).
C. Configure a TLS listener and add the server certificate on the NLB.
D. Change the load balancer to an Application Load Balancer and attach AWS WAF to it.

Answer: C

164. An online shopping application accesses an Amazon RDS Multi-AZ DB instance. Database performance is
slowing down the application. After upgrading to the next-generation instance type there was no significant
performance improvement. Analysis shows approximately 700 IOPS are sustained, common queries run for
long durations, and memory utilization is high. Which application change should a solutions architect
recommend to resolve these issues?

A. Deploy a two-node Amazon ElastiCache cluster and modify the application to query the cluster first
and query the database only if needed.
B. Migrate the RDS instance to an Amazon Redshift cluster and enable weekly garbage collection.
C. Separate the long-running queries into a new Multi-AZ RDS database and modify the application to
query whichever database is needed.
D. Create an Amazon Simple Queue Service (Amazon SQS) FIFO queue for common queries and query it
first and query the database only if needed.

Answer: A

165. A company is preparing to migrate its on-premises application to AWS. The application consists of
application servers and a Microsoft SQL Server database. The database cannot be migrated to a different
engine because SQL Server features are used in the application's .NET code. The company wants to attain the
greatest availability possible while minimizing operational and management overhead. What should a
solutions architect do to accomplish this?

A. Install SQL Server on Amazon EC2 in a Multi-AZ deployment.
B. Migrate the data to Amazon RDS for SQL Server in a Multi-AZ deployment.
C. Deploy the database on Amazon RDS for SQL Server with Multi-AZ Replicas.
D. Migrate the data to Amazon RDS for SQL Server in a Cross Region Multi-AZ deployment.

Answer: B

166. A company designs a mobile app for its customers to upload photos to a website. The app needs a secure
login with multi-factor authentication (MFA). The company wants to limit the initial build time and the
maintenance of the solution. Which solution should a solutions architect recommend to meet these
requirements?

A. Federate IAM against the corporate Active Directory that requires MFA.
B. Use Amazon Cognito Identity with SMS-based MFA.
C. Use Amazon API Gateway and require server-side encryption (SSE) for photos.
D. Edit IAM policies to require MFA for all users.

Answer: B

167. A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture
consists of Amazon EC2 instances within a VPC behind an Elastic I DNS. The company's solutions architect
must recommend a solution to detect and protect against large-scale DDoS attacks. Which solution meets
these requirements?

A. Enable Amazon GuardDuty on the account.
B. Enable AWS Shield Advanced and assign the ELB to it.
C. Enable AWS Shield and assign Amazon Route 53 to it.
D. Enable Amazon Inspector on the EC2 instances.

Answer: B

168. A company is deploying an application that processes large quantities of data in parallel. The company
plans to use Amazon EC2 instances for the workload. The network architecture must be configurable to
provide the lowest. Which combination of network solutions will meet these requirements? (Select TWO.)

A. Attach an Elastic Fabric Adapter (EFA) to each EC2 instance.
B. Run the EC2 instances in a cluster placement group.
C. Place the EC2 instances in a single Availability Zone.
D. Distribute the EC2 instances across multiple Availability Zones.
E. Use Amazon Elastic Block Store (Amazon EBS) optimized instance types.

Answer: AB

169. A company's website receives 50,000 requests each second. The company wants to use multiple
applications to analyze the navigation patterns of the website users so that the experience can be
personalized. Which AWS service or feature should a solutions architect use to collect page clicks for the website and
process them sequentially for each user?

A. Amazon Kinesis Data Streams
B. Amazon Simple Queue Service (Amazon SQS) standard queue
C. AWS CloudTrail
D. Amazon Simple Queue Service (Amazon SQS) FIFO queue

Answer: A

170. A company runs a legacy application with a single-tier architecture on an Amazon EC2 instance. Disk I/O is
low, with occasional small spikes during business hours. The company requires the instance to be stopped
from 8 PM to 8 AM daily. Which storage option is MOST appropriate for this workload?

A. Amazon EC2 instance storage
B. Amazon EBS General Purpose SSD (gp2) storage
C. Amazon EBS Provisioned IOPS SSD (io2) storage

Answer: B

171. A company wants to optimize the cost of its data storage for data that is accessed quarterly. The
company requires high throughput, low latency, and rapid access, when needed. Which Amazon S3 storage
class should a solutions architect recommend?

A. Amazon S3 Glacier (S3 Glacier)
B. Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
C. Amazon S3 Intelligent-Tiering (S3 Intelligent-Tiering)
D. Amazon S3 Standard (S3 Standard)

Answer: C

172. A solutions architect is designing an elastic application that will have between 10 and 50 Amazon EC2
concurrent instances running, depending on the load. Each instance must mount storage that will read and
write to the same 50 GB folder. Which storage type meets the requirements?

A. Amazon Elastic File System (Amazon EFS)
B. Amazon Elastic Block Store (Amazon EBS) volumes
C. Amazon S3
D. Amazon EC2 instance store

Answer: A

173. A company has an application that serves clients that are deployed in more than 20,000 retail storefront
locations around the world. The application consists of backend web services that are exposed over HTTPS on
port 443. The application is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The
retail locations communicate with the web application over the public internet. The company allows each
retail location to register the IP address that the retail location has been allocated by its local ISP. The
company's security team recommends increasing the security of the application endpoint by restricting
access to only the IP addresses registered by the retail locations. What should a solutions architect do to meet
these requirements?

A. Configure the network ACL on the subnet that contains the public interface of the ALB. Update the
ingress rules on the network ACL with entries for each of the registered IP addresses.
B. Deploy AWS Firewall Manager to manage the ALB. Configure firewall rules to restrict traffic to the ALB.
Modify the firewall rules to include the registered IP addresses.
C. Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP
addresses in the rule to include the registered IP addresses.
D. Store the IP addresses in an Amazon DynamoDB table. Configure an AWS Lambda authorization
function on the ALB to validate those incoming requests are from the registered IP addresses.

Answer: D

174. A company is building a payment application that must be highly available, even during regional service
disruptions. A solutions architect must design a data storage solution that can be easily replicated and used in
other AWS Regions. The application also requires low-latency atomicity, consistency, isolation, and durability
(ACID) transactions that need to be immediately available to generate reports. The development team also
needs to use SQL. Which data storage solution meets these requirements?

A. Amazon S3 with cross-Region replication and Amazon Athena
B. Amazon Aurora Global Database
C. Amazon DynamoDB global tables
D. MySQL on Amazon EC2 instances with Amazon Elastic Block Store (Amazon EBS) snapshot replication

Answer: A

175. A company hosts its web application on AWS using seven Amazon EC2 instances. The company requires
that the IP addresses of all healthy EC2 instances be returned in response to DNS queries. Which policy
should be used to meet this requirement?

A. Simple routing policy
B. Geolocation routing policy
C. Multivalued routing policy
D. Latency routing policy

Answer: C

176. A company is planning to transfer multiple terabytes of data to AWS. The data is collected offline from
ships. The company wants to run complex transformations before transferring the data. Which AWS service
should a solutions architect recommend for this migration?

A. AWS Snowball Edge Compute Optimized
B. AWS Snowball
C. AWS Snowball Edge Storage Optimized
D. AWS Snowmobile

Answer: A

177. A company has a serverless website delivered by Amazon CloudFront. The website includes images from
Amazon S3 buckets. Before the images are delivered to the website, they need to be resized based on
dimensions passed from the browser using a query parameter. The company needs an efficient solution that
minimizes costs. What should a solutions architect do to meet these requirements?

A. Design AWS Lambda functions in Amazon API Gateway to receive the HTTP request, respond with the
resized image from Amazon S3, and cache it in CloudFront.
B. Launch an Amazon EC2 instance and run an application to resize the images. Create an EC2 origin in
CloudFront to fetch and cache the images.
C. Use Lambda@Edge functions to fetch the images from Amazon S3, resize and cache the images,
and persist the resized images back to Amazon S3.
D. Launch an Amazon EC2 instance and run an application to query the images from Amazon S3, resize
the images, and store them in Amazon ElastiCache for the website.

Answer: C

178. A company has an application that generates a large number of files, each approximately 5 MB in size.
The files are stored in Amazon S3. Company policy requires the files to be stored for 4 years before they can
be deleted. Immediate accessibility is always required as the files contain critical business data that is not easy
to reproduce. The files are frequently accessed in the first 30 days of the object creation but are rarely
accessed after the first 30 days. Which storage solution is MOST cost-effective?

A. Create an S3 bucket lifecycle policy to move files from S3 Standard to S3 Glacier 30 days from
object creation. Delete the files 4 years after object creation.
B. Create an S3 bucket lifecycle policy to move files from S3 Standard to S3 One Zone-Infrequent
Access (S3 One Zone-IA) 30 days from object creation. Delete the files 4 years after object creation.
C. Create an S3 bucket lifecycle policy to move files from S3 Standard to S3 Standard-Infrequent
Access (S3 Standard-IA) 30 days from object creation. Move the files to S3 Glacier 4 years after object creation.
D. Create an S3 bucket lifecycle policy to move files from S3 Standard to S3 Standard-Infrequent
Access (S3 Standard-IA) 30 days from object creation. Delete the files 4 years after object

Answer: A

179. A company is relocating its data center and wants to securely transfer 50 TB of data to AWS within 2 weeks.
The existing data center has a site-to-site VPN connection to AWS that is 90% utilized. Which AWS service
should a solutions architect use to meet these requirements?

A. AWS DataSync with a VPN endpoint
B. AWS Direct Connect
C. AWS Storage Gateway
D. AWS Snowball Edge Storage Optimized

Answer: D

180. A company wants to build a scalable key management infrastructure to support developers who need to
encrypt data in their applications.

A. Use AWS Certificate Manager (ACM) to create, store, and assign the encryption keys.
B. Use multifactor authentication (MFA) to protect the encryption keys.
C. Use AWS Key Management Service (AWS KMS) to protect the encryption keys.
D. Use an AWS policy to limit the scope of users who have access permissions to protect the encryption
keys.

Answer: C

181. A company is planning to migrate a mission-critical, three-tier web application from on premises to
the AWS Cloud. The backend database is shared with other on-premises systems and will remain in the
on-premises data center. The application tier requires quick and predictable response times between
the presentation tier and the database. Encryption is required for data in transit between client web
browsers and the VPC, and between the on-premises data center and the VPC. Which solution meets
these requirements?

A. Use SSL/TLS for the web traffic encryption. Use VPN tunnels over an AWS Direct Connect
connection for the data transfers between the VPC and the on-premises data center.
B. Use SSL/TLS for the web traffic encryption. Use an AWS Direct Connect connection for the data
transfers between the VPC and the on-premises data center.
C. Use SSL/TLS for the web traffic encryption. Use VPN tunnels for the data transfer between the VPC
and the on-premises data center.
D. Use VPN tunnels over an AWS Direct Connect connection for the data transfers between the VPC and
the on-premises data center.

Answer: A

182. A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must
initiate communications with other external applications using the internet. However, the company's security
policy states that any external service cannot initiate a connection to the EC2 instances. What should a
solutions architect recommend to resolve this issue?

A. Create an egress-only internet gateway and make it the destination of the subnet's route table.
B. Create a virtual private gateway and make it the destination of the subnet's route table.
C. Create a NAT gateway and make it the destination of the subnet's route table.
D. Create an internet gateway and make it the destination of the subnet's route table.

Answer: A

183. A company has an on-premises application that generates a large amount of time-sensitive data
that is backed up to Amazon S3. The application has grown and there are user complaints about internet
bandwidth limitations. A solutions architect needs to design a long-term solution that allows for both
timely backups to Amazon S3 and with minimal impact on internet connectivity for internal
users.

A. Order daily AWS Snowball devices. Load the data onto the Snowball devices and return the devices to
AWS each day.
B. Submit a support ticket through the AWS Management Console. Request the removal of S3 service
limits from the account.
C. Establish a new AWS Direct Connect connection and direct backup traffic through this new
connection.
D. Establish AWS VPN connections and proxy all traffic through a VPC gateway endpoint.

Answer: C

184. A company has an application that runs on Amazon EC2 instances within a private subnet in a VPC. The
instances access data in an Amazon S3 bucket in the same AWS Region. The VPC contains a NAT gateway in a
public subnet to access the S3 bucket. The company wants to reduce costs by replacing the NAT gateway
without compromising security or redundancy. Which solution meets these requirements?

A. Replace the NAT gateway with a NAT instance.
B. Replace the NAT gateway with a gateway VPC endpoint.
C. Replace the NAT gateway with an internet gateway.
D. Replace the NAT gateway with an AWS Direct Connect connection.

Answer: B

185. A company has a dynamic web application hosted on two Amazon EC2 instances. The company has its
own SSL certificate, which is on each instance to perform SSL termination. There has been an increase in
traffic recently, and the operations team determined that SSL encryption and decryption is causing the
compute capacity of the web servers to reach their maximum limit. What should a solutions architect do to
increase the application's performance?

A. Create a new SSL certificate using AWS Certificate Manager (ACM). Install the ACM certificate on
each instance.
B. Create another EC2 instance as a proxy server. Migrate the SSL certificate to the new instance and
configure it to direct connections to the existing EC2 instances.
C. Create an Amazon S3 bucket. Migrate the SSL certificate to the S3 bucket. Configure the EC2 instances
to reference the bucket for SSL termination.
D. Import the SSL certificate into AWS Certificate Manager (ACM). Create an Application Load Balancer
with an HTTPS listener that uses the SSL certificate from ACM.

Answer: A

186. A solutions architect is designing a solution for a dynamic website, "example.com," that is deployed in
two AWS Regions: Tokyo, Japan and Sydney, Australia. The architect wants to ensure that users located in
Australia are directed to the website deployed in the Sydney AWS Region and users located in Japan are
directed to the website in the Tokyo AWS Region when they browse to "example.com." Which service should
the architect use to achieve this goal with the LEAST administrative effort?

A. Amazon CloudFront with geolocation routing
B. Application Load Balancer
C. Amazon Route 53
D. Network Load Balancer deployed across multiple regions

Answer: A

187. A company has an application running on Amazon EC2 On-Demand Instances. The application does not
scale, and the instances run in one AWS Region. The company wants the flexibility to change the operating
system from Windows to AWS Linux in the future. The company needs to reduce the cost of the instances
without creating additional operational overhead or changes to the application. What should the company
purchase to meet these?

A. An EC2 Instance Savings Plan for the instance type being used
B. Dedicated Hosts for the instance type being used
C. A Compute Savings Plan for the instance type being used
D. Convertible Reserved Instances for the instance type being used

Answer: D

188. A company has an application running on Amazon EC2 instances in a private subnet. The application
needs to store and retrieve data in Amazon S3. To reduce costs, the company wants to configure its AWS
resources in a cost-effective manner. How should the company accomplish this?

A. Deploy a NAT gateway to access the S3 buckets.
B. Deploy AWS Storage Gateway to access the S3 buckets.
C. Deploy an S3 interface endpoint to access the S3 buckets.
D. Deploy an S3 gateway endpoint to access the S3 buckets.

Answer: D

189. A company has an application workflow that uses an AWS Lambda function to download and
decrypt files from Amazon S3. These files are encrypted using AWS Key Management Service customer
master keys (AWS KMS CMKs). A solutions architect needs to design a solution that will ensure the
required permissions are set correctly. Which combination of actions accomplish this?

A. Grant the decrypt permission for the Lambda IAM role in the KMS key's policy.
B. Grant the decrypt permission for the Lambda resource policy in the KMS key's policy.
C. Attach the KMS decrypt permission to the Lambda function's resource policy.
D. Create a new IAM policy with the kms decrypt permission and attach the policy to the Lambda
function.
E. Create a new IAM role with the kms decrypt permission and attach the execution role to the
Lambda function.

Answer: AE

190. A company is designing a message-driven order processing application on AWS. The application consists
of many services and needs to communicate the results of its processing to multiple consuming services. Each
of the consuming services may take up to 5 days to receive the messages. Which process will meet these
requirements?

A. The application sends the results of its processing to an Amazon Simple Notification Service
(Amazon SNS) topic. Each consuming service subscribes to this SNS topic and consumes the results.
B. The application sends the results of its processing to an Amazon Simple Queue Service
(Amazon SQS) queue. Each consuming service runs as an AWS Lambda function that consumes this single SQS
queue.
C. The application sends the results of its processing to an Amazon Simple Notification Service
(Amazon SNS) topic. Each consuming service consumes the messages directly from its corresponding SNS
topic.
D. The application sends the results of its processing to an Amazon Simple Notification Service
(Amazon SNS) topic. An Amazon Simple Queue Service (Amazon SQS) queue is created for each service
and each queue is configured to be a subscriber of the SNS topic.

Answer: D

191. A gaming company is designing a highly available architecture. The application runs on a modified
Linux kernel and supports only UDP-based traffic. The company needs the front-end tier to provide the
best possible user experience. That tier must have low latency, route traffic to the nearest edge
location, and provide static IP addresses for entry into the application endpoints. What should a
solutions architect do to meet these requirements?

A. Configure Amazon API Gateway to forward requests to an Application Load Balancer. Use Amazon EC2
instances for the application in an EC2 Auto Scaling group.
B. Configure Amazon CloudFront to forward requests to a Network Load Balancer. Use AWS Lambda for
the application in an AWS Application Auto Scaling group.
C. Configure AWS Global Accelerator to forward requests to a Network Load Balancer. Use Amazon
EC2 instances for the application in an EC2 Auto Scaling group.
D. Configure Amazon Route 53 to forward requests to an Application Load Balancer. Use AWS Lambda
for the application in AWS Application Auto Scaling.

Answer: C

192. A company has a Microsoft .NET application that runs on on-premises Windows Server. The application
stores data by using an Oracle Database Standard Edition server. The company is planning a migration to
AWS and wants to minimize development changes while moving the application. The AWS application
environment should be highly available. Which combination of actions should the company take to meet
these requirements? (Select TWO.)

A. Replatform the application to run on Amazon EC2 with the Amazon Linux Amazon Machine Image
(AMI).
B. Rehost the application in AWS Elastic Beanstalk with the .NET platform in a Multi-AZ deployment.
C. Use AWS Database Migration Service (AWS DMS) to migrate from the Oracle database to Oracle on
Amazon RDS in a Multi-AZ deployment.
D. Use AWS Database Migration Service (AWS DMS) to migrate from the Oracle database to Amazon
DynamoDB in a Multi-AZ deployment.
E. Refactor the application as serverless with AWS Lambda functions running .NET Core.

Answer: BC

193. A solutions architect is designing a solution to access a catalog of images and provide users with the
ability to submit requests to customize images. Image customization parameters will be in any request to an
AWS API Gateway API. The customized image will be generated on demand, and users will receive a link they
can click to view or download their customized image. The solution must be highly available for viewing and
customizing images. What is the MOST cost-effective solution to meet these requirements?

A. Use Amazon EC2 instances to manipulate the original image into the requested customization. Store
the original images in Amazon S3 and the manipulated images in Amazon DynamoDB. Configure an Amazon
CloudFront S3 bucket as the origin.
B. Use AWS Lambda to manipulate the original image to the requested customization. Store the
original images in Amazon S3 and the manipulated images in Amazon DynamoDB. Configure an Elastic Load
Balancer in front of the Amazon EC2 instances.
C. Use AWS Lambda to manipulate the original image to the requested customization. Store the
original and manipulated images in Amazon S3. Configure an Amazon CloudFront distribution with the S3
bucket as the origin.
D. Use Amazon EC2 instances to manipulate the origin image into the requested customization. Store
the origin and manipulated images in Amazon S3. Configure an Elastic Load Balancer in front of the EC2
instances.

Answer: C

194. A start-up company has a web application based in the us-east-1 Region with multiple Amazon EC2
instances running behind an Application Load Balancer across multiple Availability Zones. As the company's
user base grows in the us-west-1 Region, it needs a solution with low latency and high availability. What
should a solutions architect do to accomplish this?

A. Provision EC2 instances and configure an Application Load Balancer in us-west-1. Configure Amazon
Route 53 with a weighted routing policy. Create alias records in Route 53 that point to the Application Load
Balancer.
B. Provision EC2 instances and an Application Load Balancer in us-west-1. Make the load balancer
distribute the traffic based on the location of the request.
C. Provision EC2 instances and configure an Application Load Balancer in us-west-1. Create an
accelerator in AWS Global Accelerator that uses an endpoint group that includes the load balancer
endpoints in both Regions.
D. Provision EC2 instances in us-west-1. Switch the Application Load Balancer to a Network Load
Balancer to achieve cross-Region load balancing.

Answer: C

195. Management has decided to deploy all AWS VPCs with IPv6 enabled. After some time, a solutions
architect tries to launch a new instance and receives an error stating that there is not enough IP address
space available in the subnet. What should the solutions architect do to fix this?

A. Disable the IPv4 subnet and migrate all instances to IPv6 only. Once that is complete, launch the
instance.
B. Create a new IPv6-only subnet with a large range, and then launch the instance.
C. Create a new IPv4 subnet with a larger range, and then launch the instance.
D. Check to make sure that only IPv6 was used during the VPC creation.

Answer: B

196. An online retailer has a series of flash sales occurring every Friday. Sales traffic will increase during the
sales only and the platform will handle the increased load. The platform is a three-tier application. The web
tier runs on Amazon EC2 instances behind an Application Load Balancer. Amazon CloudFront is used to
reduce web server load, but many requests for dynamic content must go to the web servers. What should
be done to the web tier to reduce costs without influencing performance or reliability?

A. Use Spot Instances.
B. Purchase scheduled Reserved Instances.
C. Implement Amazon ElastiCache.
D. Use T-series instances.

Answer: B

197. A company designed a stateless two-tier application that uses Amazon EC2 in a single Availability Zone
and an Amazon RDS Multi-AZ DB instance. New company management wants to ensure the application is
highly available. What should a solutions architect do to meet this requirement?

A. Configure the application to use Amazon Route 53 latency-based routing to feed requests to the
application.
B. Configure the application to use Multi-AZ EC2 Auto Scaling and create an Application Load
Balancer.
C. Configure Amazon Route 53 rules to handle incoming requests and create a Multi-AZ Application
Load Balancer.
D. Configure the application to take snapshots of the EC2 instances and send them to a different AWS
Region.

Answer: B

198. A solutions architect is designing a new workload in which an AWS Lambda function will access an
Amazon DynamoDB table. What is the MOST secure means of granting the Lambda function access to the
DynamoDB table?

A. Create an IAM role with the necessary permissions to access the DynamoDB table. Assign the role to
the Lambda function.
B. Create a DynamoDB user name and password and give them to the developer to use in the Lambda
function.
C. Create an IAM role allowing access from AWS Lambda. Assign the role to the DynamoDB table.
D. Create an IAM user, and create access and secret keys for the user. Give the user the necessary
permissions to access the DynamoDB table. Have the developer use these keys to access the resources.

Answer: A

199. An application provides a feature that allows users to securely download private and personal files. The
web server is currently overwhelmed with serving files for download. A solutions architect must find a more
effective way to reduce the web server load and cost, and must allow users to download only their own files. Which
solution meets all requirements?

A. Have the application encrypt the files and store them in the local Amazon EC2 Instance Store prior to
serving them up for download.
B. Create an Amazon CloudFront distribution to distribute and cache the files
C. Store the files in an encrypted Amazon Elastic Block Store (Amazon EBS) volume, and use a separate
set of servers to serve the downloads.
D. Store the files securely on Amazon S3 and have the application generate an Amazon S3 pre-signed

Answer: D

200. A company runs a photo processing application that needs to frequently upload and download pictures
from Amazon S3 buckets that are in the same AWS Region. A solutions architect has noticed an increased
cost in data transfer fees and needs to implement a solution to reduce these costs.

How can the solutions architect meet this requirement?

A. Deploy Amazon API Gateway into a public subnet and adjust the route table to route S3 calls through
it.
B. Deploy a NAT gateway into a public subnet and attach an endpoint policy that allows access to the S3
buckets
C. Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access
to the S3 buckets
D. Deploy the application into a public subnet and allow it to route through an internet gateway to
access the S3 buckets.

Answer: C

201. A company runs analytics software on Amazon EC2 instances. The software accepts job requests
from users to process data that has been uploaded to Amazon S3. Users report that some submitted
data is not being processed. Amazon CloudWatch reveals that the EC2 instances have a consistent CPU
utilization at or near 100%. The company wants to improve system performance and scale the system
based on user load.

A. Create an S3 VPC endpoint for Amazon S3. Update the software to reference the endpoint.
B. Create a copy of the instance. Place all instances behind an Application Load Balancer.
C. Route incoming requests to Amazon Simple Queue Service (Amazon SQS). Configure an EC2 Auto
Scaling group based on queue size. Update the software to read from the queue.
D. Stop the EC2 instances. Modify the instance type to one with a more powerful CPU and more
memory. Restart the instances.

Answer: C

202. A company fails an AWS security review conducted by a third party. The review finds that some of the
company's methods to access the Amazon EMR API are not secure. Developers are using AWS Cloud9, and
access keys are connecting to the Amazon EMR API through the public internet. Which combination of steps
should the company take to MOST improve its security? (Select TWO.)

A. Set up VPC endpoints to connect to the Amazon EMR API.

B. Set up a VPC peering connection to the Amazon EMR API.

C. Set up IAM roles to be used to connect to the Amazon EMR API.

D. Set up each developer with AWS Secrets Manager to store access keys.

E. Set up a NAT gateway to connect to the Amazon EMR API.

Answer: AC

203. A prediction process requires access to a trained model that is stored in an Amazon S3 bucket. The
process takes a few seconds to process an image and make a prediction. The process is not overly
resource-intensive, does not require any specialized hardware, and takes less than 512 MB of memory to run. What is
the MOST effective compute solution for this use case?

A. AWS Elastic Beanstalk

B. Amazon Elastic Container Service (Amazon ECS)

C. AWS Lambda functions

D. Amazon EC2 Spot instances

Answer: C

204. A solutions architect is designing an architecture that includes web, application, and database tiers. The
web tier must be capable of auto scaling. The solutions architect has decided to separate each tier into its
own subnets. The design includes two public subnets and four private subnets. The security team requires
that tiers be able to communicate with each other only when there is a business need and that all other
network traffic be blocked. What should the solutions architect do to meet these requirements?

A. Create network ACLs in all six subnets to limit traffic to the sources and destinations required for the
application to function.

B. Create an Amazon GuardDuty source/destination rule set to control communication.

C. Create one security group for all tiers to limit traffic to only the required source and destinations.

D. Create specific security groups for each tier to limit traffic to only the required source and destinations.

Answer: D

205. A company seeks a storage solution for its application. The solution must be highly available and
scalable. The solution also must function as a file system, be mountable by multiple Linux instances in AWS
and on premises through native protocols, and have no minimum size requirement. The company has set up
a Site-to-Site VPN for access from its on-premises network to its VPC. Which storage solution meets these
requirements?

A. Amazon FSx Multi-AZ deployments

B. Amazon Elastic File System (Amazon EFS) with a single mount target and multiple access points

C. Amazon Elastic Block Store (Amazon EBS) Multi-Attach volumes

D. Amazon Elastic File System (Amazon EFS) with multiple mount targets

Answer: B

206. A company observes an increase in Amazon EC2 costs in its most recent bill. The billing team
notices unwanted vertical scaling of instance types for a couple of EC2 instances. A solutions architect
needs to create a graph comparing the last 2 months of EC2 costs and perform an in-depth analysis to
identify the root cause of the vertical scaling. How should the solutions architect generate the
information with the LEAST operational overhead?

A. Use Cost Explorer's granular filtering feature to perform an in-depth analysis of EC2 costs based on
instance types.

B. Use AWS Cost and Usage Reports to create a report and send it to an Amazon S3 bucket. Use Amazon
QuickSight with Amazon S3 as a source to generate an interactive graph based on instance types.

C. Use AWS Budgets to create a budget report and compare EC2 costs based on instance types.

D. Use graphs from the AWS Billing and Cost Management dashboard to compare EC2 costs based on
instance types for the last 2 months.

Answer: A

207. A development team runs monthly resource-intensive tests on its general purpose Amazon RDS for
MySQL DB instance with Performance Insights enabled. The testing lasts for 48 hours once a month and is the
only process that uses the database. The team wants to reduce the cost of running the tests
without reducing the compute and memory attributes of the DB instance. Which solution meets these
requirements MOST cost-effectively?

A. Create a snapshot when tests are completed. Terminate the DB instance and restore the snapshot when
required.

B. Stop the DB instance when tests are completed. Restart the DB instance when required.

C. Modify the instance to a low-capacity instance when tests are completed. Modify the DB instance again
when required.

D. Use an Auto Scaling policy with the DB instance to automatically scale when tests are completed.

Answer: A

208. A company is using Amazon S3 as its local repository for weekly analysis reports. One of the
company-wide requirements is to secure data at rest using encryption. The company chooses Amazon S3 server-side
encryption (SSE). How can the object be decrypted when a GET request is issued?

A. Amazon S3 manages encryption and decryption automatically.

B. The user needs to decrypt the object using a private key.
C. The user needs a PUT request to decrypt the object.
D. Amazon S3 provides a server-side key for decrypting the object.

Answer: A

209. An environment has an Auto Scaling group across two Availability Zones referred to as AZ-a and
AZ-b. AZ-a has four Amazon EC2 instances, and AZ-b has three EC2 instances. the auto policy. None of the
instances are protected from a scale-in event.

How will Auto Scaling proceed if there is a scale-in event?

A. Auto Scaling selects an instance to terminate randomly.

B. Auto Scaling terminates the instance with the closest next billing hour of all instances.

C. Auto Scaling selects the Availability Zone with four EC2 instances and then continues to evaluate.

D. Auto Scaling terminates the instance with the oldest launch configuration of all instances.

Answer: C

210. A company has two applications it wants to migrate to AWS. Both applications process a large set of files
by accessing them at the same time. Both applications need to read the files with low latency. Which
architecture should a solutions architect recommend for this situation?

A. Configure one memory optimized Amazon EC2 instance to run both applications simultaneously. Create
an Amazon Elastic Block Store (Amazon EBS) volume with Provisioned IOPS to store the data.

B. Configure two AWS Lambda functions to run the applications. Create an Amazon EC2 instance with an
Amazon Elastic Block Store (Amazon EBS) volume to store data.

C. Configure two Amazon EC2 instances to run both applications. Configure Amazon Elastic File System
(Amazon EFS) with General Purpose performance mode and Bursting Throughput mode to store data.

D. Configure two AWS Lambda functions to run the applications. Create an Amazon EC2 instance with an
instance store volume to store the data.

Answer: C

211. A company has a build server that is in an Auto Scaling group and often has multiple Linux instances
running. The build server requires consistent and mountable shared NFS storage for jobs and configurations.

Which storage option should a solutions architect recommend?

A. Amazon S3

B. Amazon Elastic Block Store (Amazon EBS)

C. Amazon Elastic File System (Amazon EFS)

D. Amazon FSx

Answer: C

212. A company is running Amazon RDS for MySQL. The company's disaster recovery requirements
state that a near-real-time replica of the database must be maintained on premises. The company wants
the data to be encrypted in transit.

Which solution meets these requirements?

A. Use MySQL replication to replicate from AWS to on premises over an IPsec VPN on top of an AWS Direct
Connect connection.

B. Use AWS Database Migration Service (AWS DMS) and AWS Direct Connect to migrate the data from AWS
to on premises.

C. Use the Amazon RDS Multi-AZ feature. Choose on premises as the failover Availability Zone over an IPsec
VPN on top of an AWS Direct Connect connection.

D. Use AWS Data Pipeline to replicate from AWS to on premises over an IPsec VPN on top of an AWS Direct
Connect connection.

Answer: C

213. A product manager of an ecommerce website is launching a new product line next month. The
application hosting the website runs on Amazon EC2 instances in an Auto Scaling group behind a load
balancer. Testing has been performed, and the maximum load at launch has been estimated. Traffic to the
application is expected to decrease gradually within the first few weeks after the launch. This workload is the
only one on this account that is expected to scale during launch. Which combination of steps is MOST
cost-effective to ensure that there will be adequate capacity when the application scales at launch? (Select TWO.)

A. Purchase Scheduled Instances to reserve capacity for the launch, and run them on a daily schedule during
peak capacity hours.

B. Create On-Demand Capacity Reservations for the instance types on which the application will run. Then
cancel the reservations after the launch.

C. Purchase Reserved Instances (RIs) with zonal scope to reserve capacity and get the discount for compute.
Then cancel the RIs after the launch.

D. Check the EC2 service quotas on the account, and request an increase if the values are lower than the
expected load at launch.

E. Contact AWS to reserve hardware in the AWS Region that will be near the most users.

Answer: BD

214. A company is rolling out a new web service, but is unsure how many customers the service will
attract. However, the company is unwilling to accept any downtime. What could a solutions architect
recommend to the company to keep track of customers' current session data?

A. Amazon DynamoDB

B. Amazon RDS

C. AWS CloudTrail

D. Amazon EC2

Answer: A

215. A company hosts a popular web application. The web application connects to a database running in a
private VPC subnet. The web servers must be accessible only to customers on an SSL connection. The Amazon
RDS for MySQL database server must be accessible only from the web servers. How should a solutions
architect design a solution to meet the requirements without impacting running applications?

A. Create a network ACL on the web server's subnet, and allow HTTPS inbound and MySQL outbound. Place
both database and web servers on the same subnet.

B. Open the MySQL port on the security group for web servers and set the source to 0.0.0.0/0. Open the
HTTPS port on the database security group and attach it to the MySQL instance. Set the source to web
security group.

C. Create a network ACL on the web server's subnet; allow HTTPS inbound, and specify the source as
0.0.0.0/0. Create a network ACL on a database subnet, allow MySQL port inbound for web servers, and deny
all outbound traffic.

D. Open an HTTPS port on the security group for web servers and set the source to 0.0.0.0/0. Open the
MySQL port on the database security group and attach it to the MySQL instance. Set the source to web
server security group.

Answer: D

216. A company is running an application on AWS to process weather sensor data that is stored in an
Amazon S3 bucket. Three batch jobs run hourly to process the data in the S3 bucket for different
purposes. The company wants to reduce the overall processing time by running the three applications in
parallel using an event-based approach. What should a solutions architect do to meet these
requirements?

A. Enable S3 Event Notifications for new objects to separate Amazon Simple Queue Service (Amazon SQS)
FIFO queues. Create an additional SQS queue for each application, and subscribe each queue to the initial
topic for processing.

B. Enable S3 Event Notifications for new objects to an Amazon Simple Queue Service (Amazon SQS) FIFO
queue. Subscribe all applications to the queue for processing.

C. Enable S3 Event Notifications for new objects to an Amazon Simple Queue Service (Amazon SQS) standard
queue. Create an additional SQS queue for all applications, and subscribe all applications to the initial queue
for processing.

D. Enable S3 Event Notifications for new objects to an Amazon Simple Notification Service (Amazon SNS)
topic. Create an Amazon Simple Queue Service (Amazon SQS) queue for each application, and subscribe
each queue to the topic for processing.

Answer: D

217. A company sells datasets to customers who do research in artificial intelligence and machine learning
(AI/ML). The datasets are large, formatted files that are stored in an Amazon S3 bucket in the us-east-1
Region. The company hosts a web application that the customers use to purchase access to a given dataset.
The web application is deployed on multiple Amazon EC2 instances behind an Application Load Balancer.
After a purchase is made, the customers receive an S3 signed URL that allows access to the files.
The customers are distributed across North America and Europe. The company wants to reduce the cost that
is associated with data transfer and wants to maintain or improve performance. What should a solutions
architect do to meet these requirements?

A. Modify the web application to enable streaming of the datasets to end users. Configure the web
application to read the data from the existing S3 bucket. Implement access control directly in the application.

B. Deploy an Amazon CloudFront distribution with the existing S3 bucket as the origin. Direct customer
requests to the CloudFront URL. Switch to CloudFront signed URLs for access control.

C. Set up a second S3 bucket in the eu-central-1 Region with S3 Cross-Region Replication between the
buckets. Direct customer requests to the closest Region. Continue to use S3 signed URLs for access control.

D. Configure S3 Transfer Acceleration on the existing S3 bucket. Direct customer requests to the S3 Transfer
Acceleration endpoint. Continue to use S3 signed URLs for access control.

Answer: B

218. A company has an AWS account used for software engineering. The AWS account has access to the
company's on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic
routes to the virtual private gateway.

A development team recently created an AWS Lambda function through the console. The development team
needs to allow the function to access a database that runs in a private subnet in the company's data center.
Which solution will meet these requirements?

A. Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through
the VPN.

B. Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address
without an elastic network interface.

C. Configure the Lambda function to run in the VPC with the appropriate security group.

D. Update the route tables in the VPC to allow the Lambda function to access the on-premises data center
through Direct Connect.

Answer: D

219. A company hosts its multi-tier applications on AWS. For compliance, governance, auditing, and security,
the company must track configuration changes on its AWS resources and record a history of API calls made to
these resources.

What should a solutions architect do to meet these requirements?

A. Use AWS Config to track configuration changes and Amazon CloudWatch to record API calls.

B. Use AWS CloudTrail to track configuration changes and AWS Config to record API calls.

C. Use AWS Config to track configuration changes and AWS CloudTrail to record API calls.

D. Use AWS CloudTrail to track configuration changes and Amazon CloudWatch to record API calls.

Answer: C

220. A company has an application that provides marketing services to stores. The services are based on
previous purchases by store customers. The stores upload transaction data to the company through
SFTP, and the data is processed and analyzed to generate new marketing offers. Some of the files can
exceed 200 GB in size.

Recently, the company discovered that some of the stores have uploaded files that contain personally
identifiable information (PII) that should not have been included. The company wants administrators to be
alerted if PII is shared again. The company also wants to automate remediation. What should a solutions
architect do to meet these requirements with the LEAST development effort?

A. Use an Amazon S3 bucket as a secure transfer point. Use Amazon Macie to scan the objects in the
bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a
notification to the administrators to remove the objects that contain PII.

B. Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are
loaded into the bucket. If objects contain PII, use Amazon Simple Email Service (Amazon SES) to trigger a
notification to the administrators and trigger an S3 Lifecycle policy to remove the objects that contain PII.

C. Use an Amazon S3 bucket as a secure transfer point. Use Amazon Inspector to scan the objects in the
bucket. If objects contain PII, trigger an S3 Lifecycle policy to remove the objects that contain PII.

D. Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are
loaded into the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to
trigger a notification to the administrators to remove the objects that contain PII.

Answer: A

221. A restaurant reservation application needs to access a waiting list. When a customer tries to reserve a
table, and none are available, the customer application will put the user on the waiting list, and the
application will notify the customer when a table becomes free. The waiting list must preserve the order in
which customers were added to the waiting list.

Which service should the solutions architect recommend to store this waiting list?

A. A FIFO queue in Amazon Simple Queue Service (Amazon SQS)

B. A standard queue in Amazon Simple Queue Service (Amazon SQS)


C. AWS Step Functions invoking AWS Lambda functions

D. Amazon Simple Notification Service (Amazon SNS)

Answer: A

222. A company provides a three-tier web application to its customers. Each customer has an AWS
account in which the application is deployed, and these accounts are members of the company's
organization in AWS Organizations. To protect its customers' AWS accounts and applications, the
company wants to monitor them for unusual and unexpected behavior. The company needs to analyze
and monitor customer VPC Flow Logs, AWS CloudTrail logs, and DNS logs.

What should a solutions architect do to meet these requirements?

A. Designate an account in the organization as the AWS WAF master account. Enable AWS WAF and AWS
WAF logs in every account, and invite the accounts to join the AWS WAF master account. Analyze AWS WAF
logs in the AWS WAF master account.

B. Designate an account in the organization as the Amazon GuardDuty master account. Enable GuardDuty
in every account, and invite the accounts to join the GuardDuty master account. Analyze GuardDuty
findings in the GuardDuty master account.

C. Designate an account in the organization as the AWS Resource Access Manager (AWS RAM) master
account. Enable AWS RAM in every account, and invite the accounts to join the AWS RAM master account.
Analyze AWS RAM logs in the AWS RAM master account.

D. Designate an account in the organization as the AWS Shield master account. Enable Shield and Shield logs
in every account, and invite the accounts to join the Shield master account. Analyze Shield findings in the
Shield master account.

Answer: B

223. A product team is creating a new application that will store a large amount of data. The data will be
analyzed hourly and modified by multiple Amazon EC2 Linux instances. The application team believes the
amount of space needed will continue to grow for the next 6 months.

Which set of actions should a solutions architect take to support these needs?

A. Store the data in an Amazon EBS volume. Mount the EBS volume on the application instances.

B. Store the data in Amazon S3 Standard-Infrequent Access (S3 Standard-IA). Update the bucket policy to
allow access to the application instances.

C. Store the data in Amazon S3 Glacier. Update the vault policy to allow access to the application instances.

D. Store the data in an Amazon EFS file system. Mount the file system on the application instances.

Answer: D

224. A company is planning to migrate 40 servers hosted on premises in VMware to the AWS Cloud. The
migration process must be implemented with minimal downtime. The company also wants to test the
servers before the cutover date. Which solution meets these requirements?

A. Deploy the AWS DataSync agent into the on-premises environment. Use DataSync to migrate the servers.

B. Deploy the AWS Server Migration Service (AWS SMS) connector into the on-premises environment. Use
AWS SMS to migrate the servers.

C. Deploy an AWS Database Migration Service (AWS DMS) replication instance into AWS. Use AWS DMS to
migrate the servers.

D. Deploy an AWS Snowball device connected by way of RJ45 to the on-premises network. Use Snowball to
migrate the servers.

Answer: B

225. A company is running a batch application on Amazon EC2 instances. The application consists of a
backend with multiple Amazon RDS databases. The application is causing a high number of reads on the
databases. A solutions architect must reduce the number of database reads while ensuring high availability.
What should the solutions architect do to meet this requirement?

A. Use Amazon Route 53 DNS caching.

B. Use Amazon ElastiCache for Memcached.

C. Use Amazon ElastiCache for Redis.

D. Add Amazon RDS read replicas.

Answer: D

226. A company wants to run a static website served through Amazon CloudFront. What is an advantage of
storing the website content in an Amazon S3 bucket instead of an Amazon Elastic Block Store (Amazon EBS)
volume?

A. S3 buckets support object-level read throttling, preventing abuse. EBS volumes do not provide object-level
throttling.
B. S3 buckets are replicated globally, allowing for large scalability. EBS volumes are replicated only within
an AWS Region.
C. S3 buckets can be encrypted, allowing for secure storage of the web files. EBS volumes cannot be
encrypted.
D. S3 is an origin for CloudFront. EBS volumes would need EC2 instances behind an Elastic Load Balancing
load balancer to be an origin.

Answer: B

227. A company is building a RESTful serverless web application on AWS by using Amazon API Gateway and
AWS Lambda. The users of this web application will be geographically distributed, and the company wants to
reduce the latency of API requests to these users. Which type of endpoint should a solutions architect use to
meet these requirements?

A. Regional endpoint

B. Interface VPC endpoint

C. Private endpoint

D. Edge-optimized endpoint

Answer: D

228. A company wants to launch a new application using Amazon Route 53, an Application Load Balancer
(ALB), and an Amazon EC2 Auto Scaling group. The company is preparing to perform user experience testing and
has a limited budget for this phase of the project. Although the company plans to do a load test in the future,
it wants to prevent users from load testing at this time because it wants to limit unnecessary EC2 automatic
scaling. What should a solutions architect do to minimize costs of the user experience testing?

A. Deploy AWS WAF on the ALB with a rate-based rule configured to limit the number of requests each client
can make.

B. Configure AWS Shield's client request threshold to 100 connections per client.

C. Deploy Amazon Simple Queue Service (Amazon SQS) between the ALB and Auto Scaling group to queue
client requests and change the Auto Scaling group maximum size to one.

D. Configure the ALB with an advanced request routing policy to throttle the client connections being sent to
the Auto Scaling group

Answer: C

229. A company has a website hosted on AWS. The website is behind an Application Load Balancer (ALB) that
is configured to handle HTTP and HTTPS separately. The company wants to forward all requests to the
website so that the requests will use HTTPS. What should a solutions architect do to meet this requirement?

A. Replace the ALB with a Network Load Balancer configured to use Server Name Indication (SNI)

B. Update the ALB's network ACL to accept only HTTPS traffic.

C. Create a rule that replaces the HTTP in the URL with HTTPS

D. Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.

Answer: D

230. A company wants to deploy an additional Amazon Aurora MySQL DB cluster for development purposes.
This cluster will be used several times a week for a few minutes upon request to debug production query
issues. The company wants to keep overhead low for this resource. Which solution meets the company's
requirements MOST cost-effectively?

A. Create a stop/start schedule for the DB instances.

B. Purchase a Reserved Instance for the DB instances.

C. Run the DB instances on Aurora Serverless.

D. Create an AWS Lambda function to stop DB instances if there are no active connections.

Answer: C

231. A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and
needs the required permissions to perform the task. The developer already has an IAM user with valid IAM
credentials required for Amazon S3. What should a solutions architect do to grant the permissions?

A. Create a signed request using the existing IAM credentials in the Lambda function.
B. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda
function.
C. Add required IAM permissions in the resource policy of the Lambda function.
D. Create a new IAM user and use the existing IAM credentials in the Lambda function.

Answer: B

232. A company wants to enforce strict security guidelines on accessing AWS Cloud resources as the company
migrates production workloads from its data centers. Company management wants all users to receive
permissions according to their job roles and functions. Which solution meets these requirements with the
LEAST operational overhead?

A. Create an IAM role for each job function. Require each employee to call the sts:AssumeRole action in the
AWS Management Console to perform their job role.

B. Create individual IAM user accounts for each employee. Create IAM policies for each job function. Create
IAM groups, and attach associated policies to each group. Assign the IAM users to a group based on their job
role.

C. Create individual IAM user accounts for each employee. Create an IAM policy for each job function, and
attach the policy to all IAM users based on their job role.

D. Create an AWS Single Sign-On deployment. Connect to the on-premises Active Directory to centrally
manage users and permissions across the company.

Answer: D

233. A company is deploying an application that processes large quantities of data in batches as needed.
The company plans to use Amazon EC2 instances for the workload. The network architecture must
support a highly scalable solution and prevent groups of nodes from sharing the same underlying
hardware. Which combination of network solutions will meet these requirements? (Select TWO.)

A. Run the EC2 instances in a cluster placement group

B. Run the EC2 instances in a spread placement group.

C. Run the EC2 instances in a partition placement group.

D. Create Capacity Reservations for the EC2 instances to run in a placement group.

E. Place the EC2 instances in an EC2 Auto Scaling group.

Answer: CE

234. A solutions architect needs to design a low-latency solution for a static single-page application accessed
by users utilizing a custom domain name. The solution must be serverless, encrypted in transit, and
cost-effective. Which combination of AWS services and features should the solutions architect use? (Choose two)

A. AWS Fargate

B. Amazon EC2

C. Amazon CloudFront

D. Amazon S3

E. Elastic Load Balancer

Answer: CD

236. A company has a Microsoft Windows-based application that must be migrated to AWS. This application
requires the use of a shared Windows file system attached to multiple Amazon EC2 Windows instances. What
should a solutions architect do to accomplish this?

A. Configure AWS Storage Gateway in Volume Gateway mode. Mount the volume to each Windows instance.

B. Configure an Amazon EBS volume with the required size. Attach each EC2 instance to the volume. Mount
the file system within the volume to each Windows instance.

C. Configure Amazon FSx for Windows File Server. Mount the Amazon FSx volume to each Windows
instance.

D. Configure a volume using Amazon EFS. Mount the EFS volume to each Windows instance.

Answer: C

237. A security team wants to limit access to specific services or actions in all of the team's AWS accounts. All
accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must
be a single point where permissions can be maintained. What should a solutions architect do to accomplish
this?

A. Create cross-account roles in each account to deny access to the services or actions.

B. Create a security group to allow accounts and attach it to user groups.

C. Create an ACL to provide access to the services or actions.

D. Create a service control policy in the root organizational unit to deny access to the services or actions.

Answer: D

238. A solutions architect is designing a system to analyze the performance of financial markets while the
markets are closed. The system will run a series of compute-intensive jobs for 4 hours every night. The time to
complete the compute jobs is expected to remain constant, and jobs cannot be interrupted once started.
Once completed, the system is expected to run for a minimum of 1 year. Which type of Amazon EC2 instances
should be used to reduce the cost of the system?

A. Standard Reserved Instances

B. On-Demand instances

C. Spot instances

D. Scheduled Reserved Instances

Answer: D

239. A company wants to migrate its MySQL database from on premises to AWS. The company recently
experienced a database outage that significantly impacted the business. To ensure this does not happen again,
the company wants a reliable database solution on AWS that minimizes data loss and stores every
transaction on at least two nodes. Which solution meets these requirements?

A. Create an Amazon RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously
replicate the data.

B. Create an Amazon RDS DB instance with synchronous replication to three nodes in three Availability
Zones.

C. Create an Amazon EC2 instance with a MySQL engine installed that triggers an AWS Lambda function to
synchronously replicate the data to an Amazon RDS MySQL DB instance.

D. Create an Amazon RDS MySQL DB instance and then create a read replica in a separate AWS Region that
synchronously replicates the data.

Answer: B

240. A company hosts an online shopping application that stores all orders in an Amazon RDS for PostgreSQL
Single-AZ DB instance. Management wants to eliminate single points of failure and has asked a solutions
architect to recommend an approach to minimize database downtime without requiring any changes to the
application code. Which solution meets these requirements?

A. Create a new RDS Multi-AZ deployment. Take a snapshot of the current RDS instance and restore the
new Multi-AZ deployment with the snapshot.

B. Convert the existing database instance to a Multi-AZ deployment by modifying the database instance and
specifying the Multi-AZ option

C. Place the RDS for PostgreSQL database in an Amazon EC2 Auto Scaling group with a minimum group size of
two. Use Amazon Route 53 weighted record sets to distribute requests across instances

D. Create a read-only replica of the PostgreSQL database in another Availability Zone. Use Amazon Route 53
weighted record sets to distribute requests across the databases.

Answer: A

241. A company has a hybrid application hosted on multiple on-premises servers with static IP addresses.
There is already a VPN that provides connectivity between the VPC and the on-premises network. The
company wants to distribute TCP traffic across the on-premises servers for internet users. What should a
solutions architect recommend to provide a highly available and scalable solution?

A. Launch an internet-facing Network Load Balancer (NLB) and register on-premises IP addresses with the
NLB.

B. Launch an Amazon EC2 instance, attach an Elastic IP address, and distribute traffic to the on-premises
servers.

C. Launch an internet-facing Application Load Balancer (ALB) and register on-premises IP addresses with the
ALB.

D. Launch an Amazon EC2 instance with public IP addresses in an Auto Scaling group and distribute traffic to
the on-premises servers.

Answer: A

242. An application running on an Amazon EC2 instance needs to access an Amazon DynamoDB table.
Both the EC2 instance and the DynamoDB table are in the same AWS account. A solutions architect must
configure the necessary permissions. Which solution will allow least privilege access to the DynamoDB
table from the EC2 instance?

A. Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Add the EC2 instance
to the trust relationship policy document to allow it to assume the role.

B. Create an IAM role with the appropriate policy to allow access to the DynamoDB table. Create an
instance profile to assign this IAM role to the EC2 instance.

C. Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Store the
credentials in an Amazon S3 bucket and read them from within the application code directly.

D. Create an IAM user with the appropriate policy to allow access to the DynamoDB table. Ensure that the
application stores the IAM credentials securely on local storage and uses them to make the DynamoDB calls.

Answer: B

243. An application runs on Amazon EC2 instances in private subnets. The application needs to access an
Amazon DynamoDB table. What is the MOST secure way to access the table while ensuring that the traffic
does not leave the AWS network?

A. Use a NAT gateway in a public subnet.

B. Use the Internet gateway attached to the VPC

C. Use a NAT instance in a private subnet

D. Use a VPC endpoint for DynamoDB.

Answer: D

244. As part of budget planning, management wants a report of AWS billed items listed by user. The data will
be used to create department budgets. A solutions architect needs to determine the most efficient way to
obtain this report information. Which solution meets these requirements?

A. Access the bill details from the billing dashboard and download the bill.

B. Run a query with Amazon Athena to generate the report.

C. Create a report in Cost Explorer and download the report.

D. Modify a cost budget in AWS Budgets to alert with Amazon Simple Email Service (Amazon SES)

Answer: C

245. A company has an automobile sales website that stores its listings in a database on Amazon RDS. When
an automobile is sold, the listing needs to be removed from the website and the data must be sent to
multiple target systems. Which design should a solutions architect recommend?

A. Subscribe to an RDS event notification and send an Amazon Simple Queue Service (Amazon SQS) queue
fanned out to multiple Amazon Simple Notification Service (Amazon SNS) topics. Use AWS Lambda functions
to update the targets.

B. Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic
fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to
update the targets.

C. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the
information to an Amazon Simple Queue Service (Amazon SQS) queue for the targets to consume.

D. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the
information to an Amazon Simple Queue Service (Amazon SQS) FIFO queue for the targets to consume.

Answer: C

246. A company has an on-premises MySQL database used by the global sales team with infrequent access
patterns. The sales team requires the database to have minimal downtime. A database administrator wants
to migrate this database to AWS without selecting a particular instance type in anticipation of more users in
the future. Which service should a solutions architect recommend?

A. Amazon RDS for MySQL

B. Amazon Redshift Spectrum

C. Amazon Aurora Serverless for MySQL

D. Amazon Aurora MySQL

Answer: D

247. A company has created a VPC with multiple private subnets in multiple Availability Zones (AZs) and
one public subnet in one of the AZs. The public subnet is used to launch a NAT gateway. There are instances
in the private subnets that use a NAT gateway to connect to the Internet. In case of an AZ failure, the
company wants to ensure that the instances are not all experiencing internet connectivity issues and
that there is a backup plan ready. Which solution should a solutions architect recommend that is MOST
highly available?

A. Create public subnets in each AZ and launch a NAT gateway in each subnet. Configure the traffic from
the private subnets in each AZ to the respective NAT gateway.

B. Create a new public subnet with a NAT gateway in the same AZ. Distribute the traffic between the two NAT
gateways.

C. Create an Amazon EC2 NAT instance in the same public subnet. Replace the NAT gateway with the NAT
instance and associate the instance with an Auto Scaling group with an appropriate scaling policy

D. Create an Amazon EC2 NAT instance in a new public subnet. Distribute the traffic between the NAT
gateway and the NAT instance.

Answer: A

248. A solutions architect is using Amazon S3 to design the storage architecture of a new digital media
application. The media files must be resilient to the loss of an Availability Zone. Some files are accessed
frequently while other files are rarely accessed in an unpredictable pattern. The solutions architect must
minimize the costs of storing and retrieving the media files. Which storage option meets these requirements?

A. S3 Standard

B. S3 Standard-Infrequent Access (S3 Standard-IA)

C. S3 Intelligent-Tiering

D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

Answer: C

249. A company stores user data in AWS. The data is used continuously with peak usage during business hours.
Access patterns vary, with some data not being used for months at a time. A solutions architect must choose a
cost-effective solution that maintains the highest level of durability while maintaining high availability. Which
storage solution meets these requirements?

A. Amazon S3 Standard

B. Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA)

C. Amazon S3 Glacier Deep Archive

D. Amazon S3 Intelligent-Tiering

Answer: D

250. A company's web application uses an Amazon RDS PostgreSQL DB instance to store its application data.
During the financial closing period at the start of every month, accountants run large queries that impact the
database's performance due to high usage. The company wants to minimize the impact that the reporting
activity has on the web application. What should a solutions architect do to reduce the impact on the
database with the LEAST amount of effort?

A. Create a read replica and direct reporting traffic to the replica.

B. Create a cross-Region read replica and direct reporting traffic to the replica.

C. Create a Multi-AZ database and direct reporting traffic to the standby

D. Create an Amazon Redshift database and direct reporting traffic to the Amazon Redshift database

Answer: A

251. A company has an API-based inventory reporting application running on Amazon EC2 instances. The
application stores information in an Amazon DynamoDB table. The company's distribution centers have an
on-premises shipping application that calls an API to update the inventory before printing shipping labels. The
company has been experiencing application interruptions several times each day, resulting in lost
transactions. What should a solutions architect recommend to improve application resiliency?

A. Modify the application to send inventory updates using Amazon Simple Queue Service (Amazon SQS)

B. Modify the shipping application to write to a local database

C. Modify the application APIs to run serverless using AWS Lambda.

D. Configure Amazon API Gateway to call the EC2 inventory application APIs.

Answer: C

252. A company is building a cloud storage and sharing application for photos. Users can upload photos
from their computers and mobile phones to be stored durably in the cloud. After photos are uploaded,
most are shared and downloaded frequently for the first 40-90 days. The photos are generally accessed
less often after 90 days, but some photos maintain a high access rate. The application initially stores
photos in Amazon S3 Standard. A solutions architect needs to reduce the application's operational costs
without sacrificing user experience or data durability. Which strategy should the solutions architect use
to meet these requirements MOST cost-effectively?

A. Define an S3 Lifecycle rule to transition objects from S3 Standard to S3 Glacier after 90 days.

B. Define an S3 Lifecycle rule to transition objects from S3 Standard to S3 One Zone-Infrequent Access (S3
One Zone-IA) after 90 days.

C. Define an S3 Lifecycle rule to transition objects to S3 Intelligent-Tiering immediately.

D. Define an S3 Lifecycle rule to transition objects from S3 Standard to S3 Standard-Infrequent Access (S3
Standard-IA) after 65 days.

Answer: A

253. A company has an application hosted on Amazon EC2 instances in two VPCs across different AWS
Regions. To communicate with each other, the instances use the internet for connectivity. The security team
wants to ensure that no communication between the instances happens over the internet. What should a
solutions architect do to accomplish this?

A. Create a NAT gateway and update the route table of the EC2 instances' subnet.

B. Create a VPN connection and update the route table of the EC2 instances' subnet

C. Create a VPC peering connection and update the route table of the EC2 instances' subnet.

D. Create a VPC endpoint and update the route table of the EC2 instances' subnet

Answer: C

254. An online retail company stores its order details in an Amazon S3 bucket in its AWS account. The
company has a contract with a vendor to analyze this data. The company wants to prevent charges
associated with the vendor's access to the data stored in the S3 bucket. The vendor agrees and is willing to
pay for any cost for the access to the company's S3 bucket. Which of the following should the vendor use?

A. S3 object tagging with the vendor's AWS account number

B. A BitTorrent protocol with Amazon S3

C. Intelligent-Tiering S3 buckets

D. Requester Pays S3 buckets

Answer: D

255. A company has no existing file share services. A new project requires access to file storage that is
mountable as a drive for on-premises desktops. The file server must authenticate users to an Active
Directory domain before they are able to access the storage. Which service will allow Active Directory
users to mount storage as a drive on their desktops?

A. AWS Storage Gateway

B. AWS Snowball Edge

C. Amazon S3 Glacier

D. AWS DataSync

Answer: D

256. A company has two AWS accounts: Production and Development. There are code changes ready in the
Development account to push to the Production account. In the alpha phase, only two senior developers on
the development team need access to the Production account. In the beta phase, more developers might
need access to perform testing as well. What should a solutions architect recommend?

A. Create two policy documents using the AWS Management Console in each account. Assign the policy to
developers who need access.

B. Create an IAM role in the Production account with the trust policy that specifies the Development account.
Allow developers to assume the role.

C. Create an IAM group in the Production account and add it as a principal in the trust policy that specifies
the Production account. Add developers to the group.

D. Create an IAM role in the Development account. Give one IAM role access to the Production account.
Allow developers to assume the role.

Answer: C

257. A company is running an application on Amazon EC2 instances hosted in a private subnet of a VPC. The
EC2 instances are configured in an Auto Scaling group behind an Elastic Load Balancer (ELB). The EC2
instances use a NAT gateway for outbound internet access. However, the EC2 instances are not able to
connect to the public internet to download software updates. What are the possible root causes of this issue?
(Select TWO.)

A. The route tables in the VPC are configured incorrectly

B. The security group attached to the NAT gateway is configured incorrectly.

C. The outbound rules on the security group attached to the EC2 instances are configured incorrectly.

D. The ELB is not configured with a proper health check.

E. The EC2 instances are not associated with an Elastic IP address.

Answer: CE

258. A development team is creating an event-based application that uses AWS Lambda functions.
Events will be generated when files are added to an Amazon S3 bucket. The development team
currently has Amazon Simple Notification Service (Amazon SNS) configured as the event target from
Amazon S3. What should a solutions architect do to process the events from Amazon S3 in a scalable
way?

A. Create an SNS subscription that processes the event in Amazon Elastic Kubernetes Service (Amazon EKS)
before the event runs in Lambda.

B. Create an SNS subscription that sends the event to AWS Server Migration Service (AWS SMS) Configure the
Lambda function to poll from the SMS event.

C. Create an SNS subscription that sends the event to Amazon Simple Queue Service (Amazon SQS).
Configure the SQS queue to trigger a Lambda function.

D. Create an SNS subscription that processes the event in Amazon Elastic Container Service (Amazon ECS)
before the event runs in Lambda.

Answer: C

259. A company uses an Amazon S3 bucket as its data lake storage platform. The S3 bucket contains a
massive amount of data that is accessed randomly by multiple teams and hundreds of applications. The
company wants to reduce the S3 storage costs and provide immediate availability for frequently accessed
objects. What is the MOST operationally efficient solution that meets these requirements?

A. Create an S3 Lifecycle rule to transition objects to the S3 Intelligent-Tiering storage class.

B. Transition objects to the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create an AWS
Lambda function to transition objects to the S3 Standard storage class when they are accessed by an
application.

C. Store objects in Amazon S3 Glacier. Use S3 Select to provide applications with access to the data.

D. Use data from S3 storage class analysis to create S3 Lifecycle rules to automatically transition objects to
the S3 Standard-Infrequent Access (S3 Standard-IA) storage

Answer: B

260. A solutions architect needs to design a centralized logging solution for a group of web applications
running on Amazon EC2 instances. The solution requires minimal development effort due to budget
constraints. What should the architect recommend?

A. Install and configure Amazon CloudWatch Logs agent in the Amazon EC2 instances.

B. Create a crontab job script in each instance to regularly push the logs to Amazon S3.

C. Enable AWS CloudTrail to map all API calls invoked by the applications.

D. Enable Amazon EventBridge (Amazon CloudWatch Events) in the AWS Management Console.

Answer: A

261. A company is planning to migrate a legacy application to AWS. The application currently uses NFS to
communicate to an on-premises storage solution to store application data. The application cannot be
modified to use any other communication protocols other than NFS for this purpose. Which storage solution
should a solutions architect recommend for use after the migration?

A. Amazon Elastic File System (Amazon EFS)

B. Amazon EMR File System (Amazon EMRFS)

C. Amazon Elastic Block Store (Amazon EBS)

D. AWS DataSync

Answer: A

262. A company has several Amazon EC2 instances set up in a private subnet for security reasons. These
instances host applications that read and write large amounts of data to and from Amazon S3 regularly.
Currently, subnet routing directs all the traffic destined for the internet through a NAT gateway. The
company wants to optimize the overall cost without impacting the ability of the application to communicate
with Amazon S3 or the outside Internet. What should a solutions architect do to optimize costs?

A. Create an AWS Lambda function outside of the VPC to handle S3 requests. Attach an IAM policy to the EC2
instances allowing them to invoke the Lambda function.

B. Create a VPC endpoint for Amazon S3. Attach an endpoint policy to the endpoint. Update the route
table to direct traffic to the VPC endpoint.

C. Create an Internet gateway. Update the route table to route traffic to the internet gateway. Update the
network ACL to allow S3 traffic.

D. Create an additional NAT gateway. Update the route table to route to the NAT gateway. Update the
network ACL to allow S3 traffic.

Answer: B

263. A company is using Site-to-Site VPN connections for secure connectivity to its AWS Cloud resources
from on premises. Due to an increase in traffic across the VPN connections to the Amazon EC2
instances, users are experiencing slower VPN connectivity. Which solution will improve the VPN
throughput?

A. Increase the number of tunnels in the VPN configuration to scale the throughput beyond the default limit.

B. Use a transit gateway with equal cost multipath routing and add additional VPN tunnels.

C. Configure a virtual private gateway with equal cost multipath routing and multiple channels.

D. Implement multiple customer gateways for the same network to scale the throughput.

Answer: B

264. A company maintains a searchable repository of items on its website. The data is stored in an Amazon
RDS for MySQL database table that contains over 10 million rows. The database has 2 TB of General Purpose
SSD (gp2) storage. There are millions of updates against this data every day through the company's website.
The company has noticed some operations are taking 10 seconds or longer, and has determined that the
database storage performance is the bottleneck. Which solution addresses the performance issue?

A. Change the instance to a burstable performance DB instance class.

B. Change the instance to a memory-optimized instance class.

C. Change the storage type to Provisioned IOPS SSD (io1).

D. Enable Multi-AZ RDS read replicas with MySQL native asynchronous replication.

Answer: C

265. A company is running an application in a private subnet in a VPC with an attached internet gateway. The
company needs to provide the application access to the Internet while restricting public access to the
application. The company does not want to manage additional infrastructure and wants a solution that is
highly available and scalable. Which solution meets these requirements?

A. Create a NAT gateway in the private subnet. Create a route table entry from the private subnet to the
Internet gateway.

B. Launch a NAT instance in the private subnet. Create a route table entry from the private subnet to the
Internet gateway.

C. Create a NAT gateway in a public subnet. Create a route table entry from the private subnet to the NAT
gateway.

D. Launch a NAT instance in a public subnet. Create a route table entry from the private subnet to the NAT
instance.

Answer: C

266. A company asks a solutions architect to review the architecture for its messaging application. The
application uses TCP and UDP traffic. The company is planning to deploy a new VoIP feature, but its 10 test
users in other countries are reporting poor call quality. The VoIP application runs on an Amazon EC2 instance
with more than enough resources. The HTTP portion of the company's application behind an Application Load
Balancer has no issues. What should the solutions architect recommend for the company to do to address the
VoIP performance issues?

A. Migrate from Application Load Balancers to Network Load Balancers.

B. Implement Amazon CloudFront into the architecture.

C. Use an Amazon Route 53 geoproximity routing policy.

D. Use AWS Global Accelerator.

Answer: C

267. A company is developing a video conversion application hosted on AWS. The application will be available
in two tiers: a free tier and a paid tier. Users in the paid tier will have their videos converted first, and then
the free tier users will have their videos converted. Which solution meets these requirements and is MOST
cost-effective?

A. Two standard Amazon Simple Queue Service (Amazon SQS) queues with one for the paid tier and one
for the free tier.

B. One FIFO queue for the paid tier and one standard queue for the free tier.

C. A single standard Amazon Simple Queue Service (Amazon SQS) queue for all file types.

D. A single FIFO Amazon Simple Queue Service (Amazon SQS) queue for all file types.

Answer: A

268. A company is running an online transaction processing (OLTP) workload on AWS. This workload
uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are
taken from this instance. What should a solutions architect do to ensure the database and snapshots are
always encrypted moving forward?

A. Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it.
Enable encryption on the DB instance.

B. Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted
snapshot.

C. Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key
Management Service (AWS KMS) managed keys (SSE-KMS).

D. Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS). Restore
encrypted snapshot to an existing DB instance.

Answer: A

269. A company that operates a web application on premises is preparing to launch a newer version of the
application on AWS. The company needs to route requests to either the AWS-hosted or the on-premises-hosted
application based on the URL query string. The on-premises application is not available from the
Internet, and a VPN connection is established between Amazon VPC and the company's data center. The
company wants to use an Application Load Balancer (ALB) for this launch. Which solution meets these
requirements?

A. Use two ALBs: one for on premises and one for the AWS resource. Add hosts to each target group of each
ALB. Route with Amazon Route 53 based on the URL query string.

B. Use one ALB with two AWS Auto Scaling groups: one for the AWS resource and one for on premises. Add
hosts to each Auto Scaling group. Route with Amazon Route 53 based on the URL query string.

C. Use one ALB with two target groups: one for the AWS resource and one for on premises. Add hosts to
each target group of the ALB. Configure listener rules based on the URL query string.

D. Use two ALBs: one for on premises and one for the AWS resource. Add hosts to the target group of each
ALB. Create a software router on an EC2 instance based on the URL query string.

Answer: D

270. A company is developing a new machine learning model solution in AWS. The models are
developed as independent microservices that fetch about 1 GB of model data from Amazon S3 at
startup and load the data into memory. Users access the models through an asynchronous API. Users
can send a request or a batch of requests and specify where the results should be sent. The company
provides models to hundreds of users. The usage patterns for the models are irregular. Some models
could be unused for days or weeks. Other models could receive batches of thousands of requests at a
time. Which solution meets these requirements?

A. The requests from the API are sent to the model's Amazon Simple Queue Service (Amazon SQS) queue.
Models are deployed as Amazon Elastic Container Service (Amazon ECS) services reading from the queue.
AWS App Mesh scales the instances of the ECS cluster based on the SQS queue size.

B. The requests from the API are sent to an Application Load Balancer (ALB). Models are deployed as AWS
Lambda functions invoked by the ALB.

C. The requests from the API are sent to the model's Amazon Simple Queue Service (Amazon SQS) queue.
Models are deployed as Amazon Elastic Container Service (Amazon ECS) services reading from the queue.
AWS Auto Scaling is enabled on Amazon ECS for both the cluster and copies of the service based on the
queue size.

D. The requests from the API are sent to the model's Amazon Simple Queue Service (Amazon SQS) queue.
Models are deployed as AWS Lambda functions triggered by SQS events. AWS Auto Scaling is enabled on
Lambda to increase the number of vCPUs based on the SQS queue size.

Answer: C

271. A company is hosting its website by using Amazon EC2 instances behind an Elastic Load Balancer across
multiple Availability Zones. The instances run in an EC2 Auto Scaling group. The website uses Amazon Elastic
Block Store (Amazon EBS) volumes to store product manuals for users to download. The company updates
the product content often, so new instances launched by the Auto Scaling group often have old data. It can
take up to 30 minutes for the new instances to receive all the updates. The updates also require the EBS
volumes to be resized during business hours. The company wants to ensure that the product manuals are
always up to date on all instances and that the architecture adjusts quickly to increased user demand. A
solutions architect needs to meet these requirements without causing the company to update its application
code or adjust its website. What should the solutions architect do to accomplish this goal?

A. Store the product manuals in an Amazon Elastic File System (Amazon EFS) volume. Mount that volume
to the EC2 instances.

B. Store the product manuals in an Amazon S3 bucket. Redirect the downloads to this bucket.

C. Store the product manuals in an EBS volume. Mount that volume to the EC2 instances.

D. Store the product manuals in an Amazon S3 Standard-Infrequent Access (S3 Standard-IA) bucket. Redirect
the downloads to this bucket.

Answer: A

272. A company wants to reduce its Amazon S3 storage costs in its production environment without
impacting durability or performance of the stored objects. What is the FIRST step the company should take to
meet these objectives?

A. Migrate the objects in all S3 buckets to S3 Intelligent Tiering.

B. Enable Amazon Macie on the business-critical S3 buckets to classify the sensitivity of the objects.

C. Enable S3 analytics to identify S3 buckets that are candidates for transitioning to S3 Standard-Infrequent
Access (S3 Standard-IA).

D. Enable versioning on all business-critical S3 buckets.

Answer: A

273. A company has 700 TB of backup data stored in network attached storage (NAS) in its data center. This
backup data needs to be accessible for infrequent regulatory requests and must be retained 7 years. The
company has decided to migrate this backup data from its data center to AWS. The migration must be
complete within 1 month. The company has 500 Mbps of dedicated bandwidth on its public Internet
connection available for data transfer. What should a solutions architect do to migrate and store the data at
the LOWEST cost?

A. Deploy a VPN connection between the data center and Amazon VPC. Use the AWS CLI to copy the data
from on premises to Amazon S3 Glacier.

B. Order AWS Snowball devices to transfer the data. Use a lifecycle policy to transition the files to Amazon S3
Glacier Deep Archive.

C. Use AWS DataSync to transfer the data and deploy a DataSync agent on premises. Use the DataSync task
to copy files from the on-premises NAS storage to Amazon S3 Glacier.

D. Provision a 500 Mbps AWS Direct Connect connection and transfer the data to Amazon S3. Use a
lifecycle policy to transition the files to Amazon S3 Glacier Deep Archive.

Answer: D

274. A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must
be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every
year. Which solution meets these requirements and is the MOST operationally efficient?

A. Server-side encryption with Amazon S3 managed keys (SSE-S3)

B. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation

C. Server-side encryption with customer-provided keys (SSE-C)

D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation.

Answer: B

275. A company previously migrated its data warehouse solution to AWS. The company also has an AWS
Direct Connect connection. Corporate office users query the data warehouse using a visualization tool.
The average size of a query returned by the data warehouse is 50 MB and each webpage sent by the
visualization tool is approximately 500 KB. Result sets returned by the data warehouse are not cached.
Which solution provides the LOWEST data transfer egress cost for the company?

A. Host the visualization tool on premises and query the data warehouse directly over the Internet.

B. Host the visualization tool on premises and query the data warehouse directly over a Direct Connect
connection at a location in the same AWS Region.

C. Host the visualization tool in the same AWS Region as the data warehouse. Access it over the Internet.

D. Host the visualization tool in the same AWS Region as the data warehouse and access it over a Direct
Connect connection at a location in the same Region.

Answer: D

276. An application allows users at a company's headquarters to access product data. The product data is
stored in an Amazon RDS MySQL DB instance. The operations team has isolated an application performance
slowdown and wants to separate read traffic from write traffic. A solutions architect needs to optimize the
application's performance quickly. What should the solutions architect recommend?

A. Change the existing database to a Multi-AZ deployment. Serve the read requests from the primary
Availability Zone.

B. Create read replicas for the database. Configure the read replicas with half of the compute and storage
resources as the source database.

C. Change the existing database to a Multi-AZ deployment. Serve the read requests from the secondary
Availability Zone.

D. Create read replicas for the database. Configure the read replicas with the same compute and storage
resources as the source database.

Answer: D

277. A solutions architect is developing a multiple-subnet VPC architecture. The solution will consist of six
subnets in two Availability Zones. The subnets are defined as public, private, and dedicated for databases.
Only the Amazon EC2 instances running in the private subnets should be able to access a database. Which
solution meets these requirements?

A. Create a security group that allows ingress from the security group used by instances in the private
subnets. Attach the security group to an Amazon RDS

B. Create a new route table that excludes the route to the public subnets' CIDR blocks. Associate the route
table to the database subnets.

C. Create a new peering connection between the public subnets and the private subnets. Create a different
peering connection between the private subnets and the database subnets.

D. Create a security group that denies ingress from the security group used by instances in the public subnets.
Attach the security group to an Amazon RDS DB instance.

Answer: A

278. A customer has a service based out of Oregon, US and Paris, France. The application stores data in an
Amazon S3 bucket located in Oregon. That data is updated frequently. The Paris office is experiencing slow
response times when retrieving objects. What should a solutions architect do to resolve the slow response
times for the Paris office?

A. Create an Amazon CloudFront distribution with the bucket located in Oregon as the origin and set the
maximum TTL for the cache behavior to zero.

B. Set up an S3 bucket based in Paris, and enable a lifecycle management rule to transition data from the
Oregon bucket to the Paris bucket.

C. Create an Application Load Balancer that load balances data retrieval between the Oregon S3 buckets and
a new Paris S3 bucket.

D. Set up an S3 bucket based in Paris, and enable Cross Region Replication from the Oregon bucket to the
Paris bucket.

Answer: A

279. During a review of business applications, a solutions architect identifies a critical application with a
relational database that was built by a business user and is running on the user's desktop. To reduce the
risk of a business interruption, the solutions architect wants to migrate the application to a highly
available, multi-tiered solution in AWS. What should the solutions architect do to accomplish this with
the LEAST amount of disruption to the business?

A. Create an import package of the application code for upload to AWS Lambda, and include a function to
create another Lambda function to migrate data into an Amazon RDS database.

B. Pre-stage new Amazon EC2 instances running the application code on AWS behind an Application Load
Balancer and an Amazon RDS Multi-AZ DB instance.

C. Use AWS Database Migration Service (AWS DMS) to migrate the backend database to an Amazon RDS
Multi-AZ DB instance. Migrate the application code to AWS Elastic Beanstalk.

D. Create an image of the user's desktop and migrate it to Amazon EC2 using VM Import. Place the EC2
instance in an Auto Scaling group.

Answer: A

280. A company is running a multi-tier ecommerce web application in the AWS Cloud. The web application is
running on Amazon EC2 instances. The database tier is on a provisioned Amazon Aurora MySQL DB cluster
with a writer and a reader in a Multi-AZ environment. The new requirement for the database tier is to serve
the application to achieve continuous write availability through an instance failover. What should a solutions
architect do to meet this new requirement?

A. Add a new reader in the same Availability Zone as the writer.

B. Migrate the database tier to an Aurora multi-master cluster.

C. Add a new AWS Region to the DB cluster for multiple writes.

D. Migrate the database tier to an Aurora DB cluster with parallel query enabled.

Answer: B

281. A company has deployed a database in Amazon RDS for MySQL. Due to increased transactions, the
database support team is reporting slow reads against the DB instance and recommends adding a read
replica. Which combination of actions should a solutions architect take before implementing this
change? (Select TWO.)

A. Create a global table and specify the AWS Regions where the table will be available.

B. Enable binlog replication on the RDS master.

C. Allow long-running transactions to complete on the source DB instance.

D. Enable automatic backups on the source instance by setting the backup retention period to a value
other than 0.

E. Choose a failover priority for the source DB instance.

Answer: BD

282. A company receives data from different sources and implements multiple applications to consume this
data. There are many short-running jobs that run only on the weekend. The data arrives in batches rather
than throughout the entire weekend. The company needs an environment on AWS to ingest and process this
data while maintaining the order of the transactions. Which combination of AWS services meets these
requirements in the MOST cost-effective manner?

A. Amazon Simple Queue Service (Amazon SQS) with AWS Lambda

B. Amazon Kinesis Data Streams with Amazon EC2 Auto Scaling

C. Amazon Kinesis Data Streams with AWS Lambda

D. Amazon Simple Queue Service (Amazon SQS) with Amazon EC2 Auto Scaling.

Answer: A

283. A company is migrating a legacy application to the AWS Cloud. The application includes third party
software. As part of this migration, the company plans to use a previously signed licensing agreement with
the third party. This agreement allows the use of software licenses, priced on a per-CPU basis, on Amazon
EC2 instances. When setting up the environment on AWS, the company has to deploy a larger EC2 instance
type to have enough memory. The instances now have a surplus of unused vCPU capacity. Which action
should the company take to reduce costs for this architecture?

A. Disable multithreading on the EC2 instances by specifying a single thread for each CPU core.
B. Purchase the software Amazon Machine Image (AMI) from the AWS Marketplace.
C. Customize the number of CPU cores of the EC2 instances to match the number of cores required to run
the software.
D. Use two EC2 instances, each with half the size of the originally selected instance, and deploy the software
on these two instances.

Answer: C

284. A company has many applications on Amazon EC2 instances running in Auto Scaling groups. Company
policy requires that the data on the attached Amazon Elastic Block Store (Amazon EBS) volumes be retained.
Which action will meet these requirements without impacting performance?

A. Disable the Delete on Termination attribute for the Amazon EBS volumes.

B. Change the Auto Scaling health check to point to a source on the root volume.

C. Use Amazon EC2 user data to set up a synchronization job for root volume data.

D. Enable termination protection on the Amazon EC2 instances.

Answer: A

285. A company has an asynchronous web application where Amazon API Gateway triggers AWS Lambda
functions to perform write and update operations on an Amazon RDS DB instance. During periods of extreme
use, API Gateway and Lambda scale in response to the incoming workload, but service outages occur due to
congestion with Amazon RDS. The company is seeking a cost-effective design to alleviate this congestion.
What should a solutions architect recommend?

A. Implement RDS storage auto scaling with a larger instance type.

B. Create read replicas to alleviate the read requests on the database.

C. Use Amazon Kinesis to poll the incoming requests from API Gateway to the Lambda functions.

D. Use Amazon Simple Queue Service (Amazon SQS) to buffer the incoming requests before delivering
them to the Lambda functions.

Answer: D

286. A company wants to improve the performance of its web application after receiving customer reports.
An analysis concluded that the same complex database queries were causing increased latency. What should
a solutions architect recommend to improve the application's performance?

A. Migrate the database to MySQL

B. Integrate Amazon ElastiCache into the application.

C. Use an AWS Lambda initiated request to the backend database.

D. Use Amazon Redshift to analyze the queries.

Answer: D

287. A company's human resources (HR) department saves its sensitive documents in an Amazon S3
bucket named confidential bucket. An IAM policy grants permission for all S3 actions to a group of which
each HR employee is a member. A solutions architect needs to make the objects secure and inaccessible
outside the company's AWS account and on-premises CIDR range. The solutions architect adds the
following S3 bucket policy.

What is the effect of the added bucket policy?

A. The added bucket policy will have no effect because all the users from the HR department have full
permissions in Amazon S3.

B. The bucket can be accessible only if the source IP is from CIDR blocks 10.100.0.0/24 or 172.31.0.0/24 or if it
comes from services within the VPC that has endpoint vpce-0123456789 attached.

C. The bucket can be accessible only if the request is coming from the CIDR blocks 10.100.0.0/24 and
172.31.0.0/24, or if it comes from services within the VPC that has endpoint vpce-0123456789 attached.

D. The bucket can be accessible only if the request is coming from the CIDR blocks 10.100.0.0/24 or
172.31.0.0/24 and if it comes from services within the VPC that has endpoint vpce-0123456789 attached.

Answer: D

288. A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each
alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the
alerts for future analysis. The company wants a highly available solution. However, the company needs to
minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to
keep 14 days of data available for immediate analysis and archive any data older than 14 days. What is the
MOST operationally efficient solution that meets these requirements?

A. Launch Amazon EC2 instances across two Availability Zones and place them behind an Elastic Load
Balancer to ingest the alerts. Create a script on the EC2 instances that will store the alerts in an Amazon S3
bucket. Set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.

B. Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data
Firehose stream to deliver the alerts to an Amazon S3 bucket. Set up an S3 Lifecycle configuration to
transition data to Amazon S3 Glacier after 14 days.

C. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts, and set the
message retention period to 14 days. Configure consumers to poll the SQS queue, check the age of the
message, and analyze the message data as needed. If the message is 14 days old, the consumer should copy
the message to an Amazon S3 bucket and delete the message from the SQS queue.

D. Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data
Firehose stream to deliver the alerts to an Amazon Elasticsearch Service (Amazon ES) cluster. Set up the
Amazon ES cluster to take manual snapshots every day and delete data from the cluster that is older than 14
days.

Answer: B

289. A company wants to share data that is collected from self-driving cars with the automobile community.
The data will be made available from within an Amazon S3 bucket. The company wants to minimize its cost of
making this data available to other AWS accounts. What should a solutions architect do to accomplish this
goal?

A. Configure the S3 bucket to be a Requester Pays bucket.

B. Create an S3 VPC endpoint for the bucket.

C. Require that the files be accessible only with the use of the BitTorrent protocol.

D. Create an Amazon CloudFront distribution in front of the S3 bucket.

Answer: A

290. A solutions architect needs to host a high-performance computing (HPC) workload in the AWS Cloud.
The workload will run on hundreds of Amazon EC2 instances and will require parallel access to a shared file
system to enable distributed processing of large datasets. Datasets will be accessed across multiple instances
simultaneously. The workload requires access latency within 1 ms. After processing has completed, engineers
will need access to the dataset for manual postprocessing. Which solution will meet these requirements?

A. Mount an Amazon S3 bucket to serve as the shared file system. Perform postprocessing directly from the
S3 bucket.

B. Use Amazon Elastic File System (Amazon EFS) as a shared file system. Access the dataset from Amazon EFS.

C. Configure AWS Resource Access Manager to share an Amazon S3 bucket so that it can be mounted to all
instances for processing and postprocessing.

D. Use Amazon FSx for Lustre as a shared file system. Link the file system to an Amazon S3 bucket for
postprocessing.

Answer: D

291. A solutions architect is reviewing the cost of a company's scheduled nightly maintenance. The solutions
architect notices that three Amazon EC2 instances are being run to perform nine scripted tasks that take less
than 5 minutes each to complete. The scripts are all written in Python. Which action should the company
take to optimize costs of the nightly maintenance?

A. Consolidate the scripts from the three EC2 instances to run on one EC2 instance.

B. Convert the scripts to AWS Lambda functions and schedule them with Amazon EventBridge (Amazon
CloudWatch Events).

C. Create a Spot Fleet to replace the running EC2 instances for executing the scripts.

D. Purchase a Compute Savings Plan for the running EC2 instances.

Answer: B

292. A user is designing a new service that receives location updates from 3,600 rental cars every hour. The
cars upload their location to an Amazon S3 bucket. Each location must be checked for distance from the
original rental location. Which services will process the updates and automatically scale?

A. Amazon EC2 and Amazon Elastic Block Store (Amazon EBS)

B. Amazon Kinesis Data Firehose and Amazon S3

C. Amazon S3 events and AWS Lambda


D. Amazon Elastic Container Service (Amazon ECS) and Amazon RDS

Answer: B

293. An application runs on Amazon EC2 instances in multiple Availability Zones (AZs) behind an Application
Load Balancer. The load balancer is in public subnets; the EC2 instances are in private subnets and must not
be accessible from the Internet. The EC2 instances must call external services on the internet. If one
Availability Zone becomes unavailable, the remaining EC2 instances must still be able to call the external
services. How should these requirements be met?

A. Create a NAT instance in the private subnet of each Availability Zone. Update the route tables for each
private subnet to direct internet-bound traffic to the NAT instance.

B. Create a NAT gateway attached to the VPC. Add a route to the gateway that connects to each private
subnet route table.

C. Configure an Internet gateway. Add a route to the gateway that connects to each private subnet route
table.

D. Create a NAT gateway in each Availability Zone. Update the route tables for each private subnet to direct
internet-bound traffic to the NAT gateway.

Answer: A

294. A company has an application that scans millions of connected devices for security threats and
pushes the scan logs to an Amazon S3 bucket. A total of 70 GB of data is generated each week, and the
company needs to store 3 years of data for historical reporting. The company must process, aggregate,
and enrich the data from Amazon S3 by performing complex analytical queries and joins in the least
amount of time. The aggregated dataset is visualized on an Amazon QuickSight dashboard. What should
a solutions architect recommend to meet these requirements?

A. Use AWS Lambda functions based on S3 PutObject event triggers to copy the incremental changes to
Amazon DynamoDB. Perform the aggregation queries on DynamoDB.

B. Create and run an ETL job in AWS Glue to process the data from Amazon S3 and load it into Amazon
Redshift. Perform the aggregation queries on Amazon Redshift.

C. Use AWS Lambda functions based on S3 PutObject event triggers to copy the incremental changes to
Amazon Aurora MySQL. Perform the aggregation queries on Aurora MySQL.

D. Use AWS Glue to catalog the data in Amazon S3. Perform the aggregation queries on the cataloged tables
by using Amazon Athena. Query the data directly from Amazon S3.

Answer: A

295. A company has users all around the world accessing its HTTP-based application deployed on Amazon EC2
instances in multiple AWS Regions. The company wants to improve the availability and performance of the
application. The company also wants to protect the application against common web exploits that may affect
availability, compromise security, or consume excessive resources. Static IP addresses are required. What
should a solutions architect recommend to accomplish this?

A. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS WAF on the
ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as endpoints.

B. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the
NLBs. Create an accelerator using AWS Global Accelerator and register the NLBs as endpoints.

C. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create an Amazon
CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the
ALBs. Deploy AWS WAF on the CloudFront distribution.

D. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the
NLBs. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based
routing to route requests to the NLBs.

Answer: D

296. A solutions architect is designing a microservices-based application using Amazon ECS. The application
includes a WebSocket component, and the traffic needs to be distributed between microservices based on
the URL. Which service should the architect choose to distribute the workload?

A. Application Load Balancer

B. Amazon CloudFront

C. Network Load Balancer

D. Amazon Route 53 DNS

Answer: A

297. A global company plans to track and store information about local allergens in an Amazon DynamoDB
table and query this data from its website. The company anticipates that website traffic will fluctuate. The
company estimates that the combined read and write capacity units will range from 10-10,000 per second,
depending on the severity of the conditions for the given day. A solutions architect must design a solution
that avoids throttling issues and manages capacity efficiently. What should the solutions architect do to meet
these requirements MOST cost effectively?

A. Use on-demand capacity mode for a couple of months. Then switch to provisioned capacity mode.

B. Use on-demand capacity mode only. Configure DynamoDB Accelerator (DAX) to be in front of the table.

C. Use provisioned capacity mode. Set the table's read capacity units to 10,000.

D. Use provisioned capacity mode and a scaling policy in DynamoDB auto scaling.

Answer: B

298. A solutions architect is investigating AWS file storage solutions that can be used with a company's
on-premises Linux servers and applications. The company has an existing VPN connection set up between the
company's VPC and its on-premises network. Which AWS services should the solutions architect use? (Select
TWO.)

A. AWS Snowball Edge

B. AWS DataSync

C. AWS Storage Gateway

D. AWS Backup

E. Amazon Elastic File System (Amazon EFS)

Answer: DE

299. An IAM user made several configuration changes to AWS resources in their company's account during a
production deployment last week. A solutions architect learned that a couple of security group rules are not
configured as desired. The solutions architect wants to confirm which IAM user was responsible for making
changes. Which service should the solutions architect use to find the desired information?

A. Amazon GuardDuty

B. AWS CloudTrail

C. Amazon Inspector

D. AWS Config

Answer: C

300. A company is building a web-based application running on Amazon EC2 instances in multiple Availability
Zones. The web application will provide access to a repository of text documents totaling about 900 TB in
size. The company anticipates that the web application will experience periods of high demand. A solutions
architect must ensure that the storage component for the text documents can scale to meet the demand of
the application at all times. The company is concerned about the overall cost of the solution. Which storage
solution meets these requirements MOST cost effectively?

A. Amazon Elastic Block Store (Amazon EBS)

B. Amazon S3

C. Amazon Elasticsearch Service (Amazon ES)

D. Amazon Elastic File System (Amazon EFS)

Answer: D

301. A company is designing a website that will be hosted on Amazon S3. How should users be prevented
from linking directly to the assets in the S3 bucket?

A. Create an Amazon CloudFront distribution with an Origin Access Identity (OAI) and update the bucket
policy to grant permission to the OAI only.

B. Create an Amazon CloudFront distribution with an AWS WAF web ACL that permits access to the origin
server through the distribution only.

C. Create a static website, then configure an Amazon Route 53 record set with an alias pointing to the static
website. Provide this URL to users.

D. Create a static website, then update the bucket policy to require users to access the resources with the
static website URL.

Answer: A

302. A company has a web application that makes requests to a backend API service. The API service runs on
Amazon EC2 instances accessed behind an Elastic Load Balancer. Most backend API service endpoint calls
finish very quickly, but one endpoint that makes calls to create objects in an external service takes a long time
to complete. These long-running calls are causing client timeouts and increasing overall system latency. What
should be done to minimize the system throughput impact of the slow-running endpoint?

A. Change the EC2 instance size to increase memory and compute capacity.

B. Increase the load balancer idle timeout to allow the long-running requests to complete.

C. Use Amazon ElastiCache for Redis to cache responses from the external service.

D. Use Amazon Simple Queue Service (Amazon SQS) to offload the long-running requests for asynchronous
processing by separate workers.

Answer: D

303. An application running on AWS generates audit logs of operational activities. Compliance requirements
mandate that the application retain the logs for 5 years. How can these requirements be met?

A. Save the logs in an Amazon Elastic Block Store (Amazon EBS) volume and take monthly snapshots.
B. Save the logs in an Amazon Elastic File System (Amazon EFS) volume and use Network File System version 4
(NFSv4) locking with the volume.
C. Save the logs in an Amazon S3 Glacier vault and define a vault lock policy.
D. Save the logs in an Amazon S3 bucket and enable MFA Delete on the bucket.

Answer: C

304. A company is preparing to deploy a data lake on AWS. A solutions architect must define the encryption
strategy for data at rest in Amazon S3. The company's security policy states:

• Keys must be rotated every 90 days.
• Strict separation of duties between key users and key administrators must be implemented.
• Auditing key usage must be possible.

What should the solutions architect recommend?

A. Server-side encryption with Amazon S3 managed keys (SSE-S3) with AWS managed customer master keys
(CMKs)

B. Server-side encryption with Amazon S3 managed keys (SSE-S3) with customer managed customer
master keys (CMKs)

C. Server-side encryption with AWS KMS managed keys (SSE-KMS) with customer managed customer master
keys (CMKs)

D. Server-side encryption with AWS KMS managed keys (SSE-KMS) with AWS managed customer master
keys (CMKs)

Answer: B

305. A company wants to create an application that will transmit protected health information (PHI) to
thousands of service consumers in different AWS accounts. The application servers will sit in private VPC
subnets. The routing for the application must be fault tolerant. What should be done to meet these
requirements?

A. Create a proxy server in the service provider VPC to route requests from service consumers to the
application servers.

B. Create a VPC endpoint service and grant permissions to specific service consumers to create a connection.

C. Create an internal Application Load Balancer in the service provider VPC and put application servers
behind it.

D. Create a virtual private gateway connection between each pair of service provider VPCs and service
consumer VPCs.

Answer: C

306. An application launched on Amazon EC2 instances needs to publish personally identifiable information
(PII) about customers using Amazon Simple Notification Service (Amazon SNS). The application is launched in
private subnets within an Amazon VPC. What is the MOST secure way to allow the application to access
service endpoints in the same AWS Region?

A. Use an Internet gateway.

B. Use a NAT gateway.

C. Use a proxy instance.

D. Use AWS PrivateLink.

Answer: D

307. A solutions architect is designing a high-performance computing (HPC) workload on Amazon EC2. The
EC2 instances need to communicate to each other frequently and require network performance with low
latency and high throughput. Which EC2 configuration meets these requirements?

A. Launch the EC2 instances in a spread placement group in one Availability Zone.

B. Launch the EC2 instances in an Auto Scaling group spanning multiple Availability Zones.

C. Launch the EC2 instances in an Auto Scaling group in two Regions and peer the VPCs.

D. Launch the EC2 instances in a cluster placement group in one Availability Zone.

Answer: D

308. A solutions architect is deploying a distributed database on multiple Amazon EC2 instances. The
database stores all data on multiple instances so it can withstand the loss of an instance. The database
requires block storage with latency and throughput to support several million transactions per server.
Which storage solution should the solutions architect use?

A. Amazon EC2 instance store

B. Amazon EBS

C. Amazon EFS

D. Amazon S3

Answer: A

309. A solutions architect is designing a new service behind Amazon API Gateway. The request patterns for
the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total
size of the data that needs to be persisted in a backend database is currently less than 1 GB with
unpredictable future growth. Data can be queried using simple key-value requests.

Which combination of AWS services would meet these requirements? (Choose two.)

A. Amazon DynamoDB
B. Amazon EC2 Auto Scaling
C. AWS Fargate
D. MySQL-compatible Amazon Aurora
E. AWS Lambda

Answer: AE

310. A company's website is used to sell products to the public. The site runs on Amazon EC2 instances in an
Auto Scaling group behind an Application Load Balancer (ALB). There is also an Amazon CloudFront
distribution, and AWS WAF is being used to protect against SQL injection attacks. The ALB is the origin for the
CloudFront distribution. A recent review of security logs revealed an external malicious IP that needs to be
blocked from accessing the website. What should a solutions architect do to protect the application?

A. Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.

B. Modify the network ACL for the EC2 instances in the target groups behind the ALB to deny the malicious IP
address.

C. Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address.

D. Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the
malicious IP address.

Answer: A

311. A solutions architect is tasked with transferring 750 TB of data from a network-attached file system
located at a branch office to Amazon S3 Glacier. The solution must avoid saturating the branch office's
low-bandwidth internet connection.

What is the MOST cost-effective solution?

A. Mount the network-attached file system to Amazon S3 and copy the files directly. Create a lifecycle policy
to transition the S3 objects to Amazon S3 Glacier.

B. Order 10 AWS Snowball appliances and select an Amazon S3 bucket as the destination. Create a lifecycle
policy to transition the S3 objects to Amazon S3 Glacier.

C. Create a site-to-site VPN tunnel to an Amazon S3 bucket and transfer the files directly.

D. Create a bucket policy Snowball appliances and select an S3 Glacier vault as the destination. Create a
bucket policy to enforce a VPC endpoint.

Answer: B

312. A company allows its developers to attach existing IAM policies to existing IAM roles to enable faster
experimentation and agility. However, the security operations team is concerned that the developers could
attach the existing administrator policy, which would allow the developers to circumvent any other security
policies.

How should a solutions architect address this issue?

A. Set an IAM permissions boundary on the developer IAM role that explicitly denies attaching the
administrator policy.

B. Use service control policies to disable IAM activity across all accounts in the organizational unit.

C. Prevent the developers from attaching any policies and assign all IAM duties to the security operations
team.

D. Create an Amazon SNS topic to send an alert every time a developer creates a new policy.

Answer: A

313. A company runs an application on a group of Amazon Linux EC2 instances. For compliance reasons,
the company must retain all application log files for 7 years. The log will be analyzed by a reporting tool
that must access all files concurrently.

Which storage service should a solutions architect use to provide the MOST cost-effective solution?

A. Amazon EFS

B. Amazon EC2 instance store


C. Amazon EBS

D. Amazon S3

Answer: D

314. A healthcare company stores highly sensitive patient records. Compliance requires that multiple copies
be stored in different locations. Each record must be stored for 7 years. The company has a service level
agreement (SLA) to provide records to government agencies immediately for the first 30 days and then within
4 hours of a request thereafter.

What should a solutions architect recommend?

A. Use Amazon S3 with cross-origin resource sharing (CORS) enabled. After 30 days, transition the data
to Amazon S3 Glacier using a lifecycle policy.

B. Use Amazon S3 with cross-origin resource sharing (CORS) enabled. After 30 days, transition the data
to Amazon S3 Glacier Deep Archive using a lifecycle policy.

C. Use Amazon S3 with cross-Region replication enabled. After 30 days, transition the data to Amazon S3
Glacier Deep Archive using a lifecycle policy.

D. Use Amazon S3 with cross-Region replication enabled. After 30 days, transition the data to Amazon S3
Glacier using a lifecycle policy.

Answer: D

315. A company has a website running on Amazon EC2 instances across two Availability Zones. The company
is expecting spikes in traffic on specific holidays, and wants to provide a consistent user experience. How can
a solutions architect meet this requirement?

A. Use lifecycle hooks.

B. Use step scaling.

C. Use scheduled scaling.

D. Use simple scaling.

Answer: C

316. An ecommerce company is running a multi-tier application on AWS. The front-end and backend tiers
both run on Amazon EC2, and the database runs on Amazon RDS for MySQL. The backend tier communicates
with the RDS instance.

There are frequent calls to return identical datasets from the database that are causing performance
slowdowns. Which action should be taken to improve the performance of the backend?

A. Implement Amazon ElastiCache to cache the large datasets.

B. Implement Amazon SNS to store the database calls.

C. Implement Amazon Kinesis Data Firehose to stream the calls to the database.

D. Implement Amazon RDS for MySQL read replica to cache database calls.

Answer: A

317. A company has an on-premises data center that is running out of storage capacity. The company wants
to migrate its storage infrastructure to AWS while minimizing bandwidth costs. The solution must allow for
immediate retrieval of data at no additional cost.

How can these requirements be met?

A. Deploy Amazon S3 Glacier Vault and enable expedited retrieval. Enable provisioned retrieval capacity for
the workload.

B. Deploy AWS Storage Gateway using stored volumes to store data locally. Use Storage Gateway to
asynchronously back up point-in-time snapshots of the data to Amazon S3.

C. Deploy AWS Direct Connect to connect with the on-premises data center. Configure AWS Storage Gateway
to store data locally. Use Storage Gateway to asynchronously back up point-in-time snapshots of the data to
Amazon S3.

D. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3
while retaining copies of frequently accessed data subsets locally.

Answer: D

318. A company delivers files in Amazon S3 to certain users who do not have AWS credentials. These users
must be given access for a limited time. What should a solutions architect do to securely meet these
requirements?

A. Encrypt files using AWS KMS and provide keys to the users.

B. Enable public access on an Amazon S3 bucket.

C. Create and assign IAM roles that will grant GetObject permissions to the users.

D. Generate a presigned URL to share with the users.


Answer: D

319. A company has a mobile chat application with a data store based in Amazon DynamoDB. Users would
like new messages to be read with as little latency as possible. A solutions architect needs to design an
optimal solution that requires minimal application changes.

Which method should the solutions architect select?

A. Add an Amazon ElastiCache for Redis cache to the application stack. Update the application to point to
the Redis cache endpoint instead of DynamoDB.

B. Configure Amazon DynamoDB Accelerator (DAX) for the new messages table. Update the code to use
the DAX endpoint.

C. Add DynamoDB read replicas to handle the increased read load. Update the application to point to the
read endpoint for the read replicas.

D. Double the number of read capacity units for the new messages table in DynamoDB. Continue to use the
existing DynamoDB endpoint.

Answer: B

320. Application developers have noticed that a production application is very slow when business reporting
users run large production reports against the Amazon RDS instance backing the application. The CPU and
memory utilization metrics for the RDS instance do not exceed 60% while the reporting queries are running.
The business reporting users must be able to generate reports without affecting the application's
performance. Which action will accomplish this?

A. Increase the size of the RDS instance

B. Create a read replica and connect the business reports to it.

C. Enable multiple Availability Zones on the RDS instance

D. Create a read replica and connect the application to it.

Answer: B

321. A company has recently updated its internal security standards. The company must now ensure all
Amazon S3 buckets and Amazon Elastic Block Store (Amazon EBS) volumes are encrypted with keys
created and periodically rotated by internal security specialists. The company is looking for a native,
software-based AWS service to accomplish this goal.

What should a solutions architect recommend as a solution?

A. Use AWS Secrets Manager with customer master keys (CMKs) to store master key material and apply a
routine to re-create a new CMK periodically and replace it in AWS Secrets Manager.

B. Use AWS Key Management Service (AWS KMS) with customer master keys (CMKs) to store master key
material and apply a routine to re-create a new key periodically and replace it in AWS KMS.

C. Use AWS Systems Manager Parameter Store with customer master keys (CMKs) to store master key
material and apply a routine to re-create a new key periodically and replace it in the Parameter Store.

D. Use an AWS CloudHSM cluster with customer master keys (CMKs) to store master key material and apply
a routine to re-create a new key periodically and replace the CloudHSM cluster nodes.

Answer: A

322. A company hosts its website on AWS. To address the highly variable demand, the company has
implemented Amazon EC2 Auto Scaling. Management is concerned that the company is over-provisioning its
infrastructure, especially at the front end of the three-tier application. A solutions architect needs to ensure
costs are optimized without impacting performance.

What should the solutions architect do to accomplish this?

A. Use Auto Scaling with the suspend-resume feature

B. Use Auto Scaling with Reserved Instances.

C. Use Auto Scaling with a target tracking scaling policy.

D. Use Auto Scaling with a scheduled scaling policy.

Answer: C

323. A company is developing a real-time multiplayer game that uses UDP for communications between
client and servers in an Auto Scaling group. Spikes in demand are anticipated during the day, so the
game server platform must adapt accordingly. Developers want to store gamer scores and other non-relational
data in a database solution that will scale without intervention.

Which solution should a solutions architect recommend?

A. Use a Network Load Balancer for traffic distribution and Amazon DynamoDB on demand for data
storage.

B. Use an Application Load Balancer for traffic distribution and Amazon DynamoDB global tables for data
storage.

C. Use Amazon Route 53 for traffic distribution and Amazon Aurora Serverless for data storage.

D. Use a Network Load Balancer for traffic distribution and Amazon Aurora Global Database for data storage.

Answer: A

324. A company wants to host a web application on AWS that will communicate to a database within a VPC.
The application should be highly available.

What should a solutions architect recommend?

A. Deploy two web servers with an Auto Scaling group, configure a domain that points to the two web
servers and then deploy a database architecture in Availability Zones.

B. Deploy a load balancer in multiple Availability Zones with an Auto Scaling group for the web servers, and
then deploy Amazon RDS in multiple Availability Zones.

C. Deploy a load balancer in the public subnet with an Auto Scaling group for the web servers, and then
deploy the database on an Amazon EC2 instance in the private subnet

D. Amazon EC2 instances to host the web servers behind a load balancer, and then deploy the database on a
large instance

Answer: C

325. A company is migrating a NoSQL database cluster to Amazon EC2. The database automatically replicates
data to maintain at least three copies of the data. I/O throughput of the servers is the highest priority. Which
instance type should a solutions architect recommend for the migration?

A. Burstable general-purpose instances with an Amazon Elastic Block Store (Amazon EBS) volume

B. Memory optimized instances with Amazon Elastic Block Store (Amazon EBS) optimization enabled

C. Compute optimized instances with Amazon Elastic Block Store (Amazon EBS) optimization enabled

D. Storage optimized instances with instance store

Answer: D

326. A company has a large Microsoft SharePoint deployment running on-premises that requires Microsoft
Windows shared file storage. The company wants to migrate this workload to the AWS Cloud and is
considering various storage options. The storage solution must be highly available and integrated with Active
Directory for access control.

Which solution will satisfy these requirements?

A. Create an Amazon S3 bucket and configure Microsoft Windows Server to mount it as a volume.

B. Create an SMB file share on an AWS Storage Gateway file gateway in two Availability Zones.

C. Create an Amazon FSx for Windows File Server file system on AWS and set the Active Directory domain
for authentication.

D. Configure Amazon EFS storage and set the Active Directory domain for authentication.

Answer: C

327. A solutions architect is designing the storage architecture for a new web application used for storing and
viewing engineering drawings. All application components will be deployed on the AWS infrastructure.

The application design must support caching to minimize the amount of time that users wait for the
engineering drawings to load. The application must be able to store petabytes of data. Which combination of
storage and caching should the solutions architect use?

A. Amazon S3 with Amazon CloudFront

B. Amazon S3 Glacier with Amazon ElastiCache

C. Amazon Elastic Block Store (Amazon EBS) volumes with Amazon CloudFront

D. AWS Storage Gateway with Amazon ElastiCache

Answer: B

328. A solutions architect is creating an application that will handle batch processing of large amounts of H f
TK output data will be stored in a different S3 bucket. For processing, the application will transfer the data
over the network between multiple Amazon EC2 instances.

What should the solutions architect do to reduce the overall data transfer costs?

A. Place all the EC2 instances in private subnets in multiple Availability Zones.

B. Place all the EC2 instances in the same AWS Region.

C. Place all the EC2 instances in the same Availability Zone.

D. Place all the EC2 instances in Auto Scaling group.

Answer: B

329. A company receives inconsistent service from its data center provider because the company is
headquartered in an area affected by natural disasters. The company is not ready to fully migrate to the AWS
Cloud, but it wants a failover environment on AWS in case the on-premises data center fails.

The company runs web servers that connect to external vendors. The data available on AWS and on premises
must be uniform. Which solution should a solutions architect recommend that has the LEAST amount of
downtime?

A. Configure an Amazon Route 53 failover record. Run an AWS Lambda function to execute an AWS
CloudFormation template to launch two Amazon EC2 instances. Set up AWS Storage Gateway with stored volumes
to back up data to Amazon S3. Set up an AWS Direct Connect connection between a VPC and the data center.

B. Configure an Amazon Route 53 failover record. Run application servers on Amazon EC2 instances behind
an Application Load Balancer in an Auto Scaling group. Set up AWS Storage Gateway with stored volumes
to back up data to Amazon S3.

C. Configure an Amazon Route 53 failover record. Execute an AWS CloudFormation template from a script to
create Amazon EC2 instances behind an Application Load Balancer. Set up AWS Storage Gateway with stored
volumes to back up data to Amazon S3.

D. Configure an Amazon Route 53 failover record. Set up an AWS Direct Connect connection between a VPC
and the data center. Run application servers in an Auto Scaling group. Run an AWS Lambda function to
execute an AWS CloudFormation template to create an Application Load Balancer.

Answer: B

330. A company hosts its static website content from an Amazon S3 bucket in the us-east-1 Region. Content
is made available through an Amazon CloudFront origin pointing to that bucket. Cross-Region replication is
set to create a second copy of the bucket in the ap-southeast-1 Region. Management wants a solution that
provides greater availability for the website. Which combination of actions should a solutions architect take
to increase availability? (Choose two.)

A. Add both buckets to the CloudFront origin.

B. Create an additional CloudFront origin pointing to the ap-southeast-1 bucket.

C. Configure failover routing in Amazon Route 53.

D. Create a record in Amazon Route 53 pointing to the replica bucket.

E. Set up a CloudFront origin group with the us-east-1 bucket as the primary and the ap-southeast-1
bucket as the secondary.

Answer: CE

331. A company has an image processing workload running on Amazon Elastic Container Service
(Amazon ECS) in two private subnets. Each private subnet uses a NAT instance for internet access. All
images are stored in Amazon S3 buckets. The company is concerned about the data transfer costs
between Amazon ECS and Amazon S3.

What should a solutions architect do to reduce costs?

A. Configure a gateway endpoint for traffic destined to Amazon S3.

B. Configure Amazon CloudFront for the S3 bucket storing the images.

C. Configure an interface endpoint for traffic destined to Amazon S3.

D. Configure a NAT gateway to replace the NAT instances.

Answer: C

332. A user wants to list the IAM role that is attached to their Amazon EC2 instance. The user has login access
to the EC2 instance but does not have IAM permissions. What should a solutions architect do to retrieve this
information?

A. Run the following AWS CLI command:

aws iam get-instance-profile --instance-profile-name ExampleInstanceProfile

B. Run the following EC2 command:

http://169.254.169.254/latest/dynamic/instance-identity/

C. Run the following EC2 command:

curl http://169.254.169.254/latest/meta-data/iam/info

D. Run the following EC2 command:

curl http://169.254.169.254/latest/user-data/iam/info

Answer: C

333. A company's security team requests that network traffic be captured in VPC Flow Logs. The logs will
be frequently accessed for 90 days and then accessed intermittently.

What should a solutions architect do to meet these requirements when configuring the logs?

A. Use Amazon CloudWatch as the target. Set the CloudWatch log group with an expiration of 90 days.

B. Use Amazon S3 as the target. Enable an S3 Lifecycle policy to transition the logs to S3 Standard-Infrequent
Access (S3 Standard-IA) after 90 days.

C. Use Amazon Kinesis as the target. Configure the Kinesis stream to always retain the logs for 90 days.

D. Use AWS CloudTrail as the target. Configure CloudTrail to save to an Amazon S3 bucket, and enable S3
Intelligent-Tiering.

Answer: D

334. A company is developing an internal application that uses a PostgreSQL database. The company has
decided to host the database on Amazon, application does not need to be highly available, but data must be
stored in multiple Availability Zones to maximize durability.

Which database configuration meets these requirements MOST cost-effectively?

A. An Aurora PostgreSQL global database cluster


B. An Aurora PostgreSQL DB cluster with multi-AZ deployment enabled

C. An Aurora PostgreSQL DB cluster with a single DB instance

D. An Aurora PostgreSQL DB cluster with a primary DB instance and a read replica

Answer: B

335. A company hosts a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The
website serves static content. Website traffic is increasing, and the company is concerned about a potential
increase in cost.

What should a solutions architect do to reduce the cost of the website?

A. Create a second ALB in an alternative AWS Region. Route user traffic to the closest Region to minimize
data transfer costs.

B. Create an Amazon ElastiCache cluster. Connect the ALB to the ElastiCache cluster to serve cached files.

C. Create an AWS WAF web ACL, and associate it with the ALB. Add a rule to the web ACL to cache static
files.

D. Create an Amazon CloudFront distribution to cache static files at edge locations.

Answer: D

336. A company is reviewing a recent migration of a three-tier application to a VPC. The security team
discovers that the principle of least privilege is not being applied to Amazon EC2 security group ingress and
egress rules between the application tiers.

What should a solutions architect do to correct this issue?

A. Create security group rules using the VPC CIDR blocks as the source or destination.

B. Create security group rules using the subnet CIDR blocks as the source or destination.

C. Create security group rules using the security group ID as the source or destination.

D. Create security group rules using the instance ID as the source or destination.

Answer: C

337. A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help
with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI)
from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic
Block Store (Amazon EBS) and uses a customer managed customer master key (CMK) to encrypt EBS volume
snapshots.

What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS
account?

A. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account
only. Modify the CMK's key policy to trust a new CMK that is owned by the MSP Partner for encryption.

B. Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account.
Encrypt the S3 bucket with a CMK that is owned by the MSP Partner. Copy and launch the AMI in the MSP
Partner's AWS account.

C. Make the encrypted AMI and snapshots publicly available. Modify the CMK's key policy to allow the MSP
Partner's AWS account to use the key.

D. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account
only. Modify the CMK's key policy to allow the MSP Partner's AWS account to use the key.

Answer: A

338. A solutions architect at a company is designing the architecture for a two-tiered web application.
The web application is composed of an internet-facing Application Load Balancer (ALB) that forwards
traffic to an Auto Scaling group of Amazon EC2 instances. The EC2 instances must be able to access a
database that runs on Amazon RDS.

The company has requested a defense-in-depth approach to the network layout. The company does not want
to rely solely on security groups or network ACLs. Only the minimum resources that are necessary should be
routable from the internet.

Which network design should the solutions architect recommend to meet these requirements?

A. Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets.

B. Place the ALB, EC2 instances, and RDS database in private subnets.

C. Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.

D. Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.

Answer: A

339. A company uses on-premises servers to host its applications. The company is running out of storage
capacity. The applications use both block storage and NFS storage. The company needs a high-performing
solution that supports local caching without re-architecting its existing applications.

Which combination of actions should a solutions architect take to meet these requirements? (Select TWO.)

A. Deploy an AWS Storage Gateway file gateway to replace NFS storage.

B. Deploy an AWS Storage Gateway volume gateway to replace the block storage.

C. Deploy Amazon Elastic File System (Amazon EFS) volumes and mount them to on-premises servers.

D. Deploy AWS Snowball Edge to provision NFS mounts to on-premises servers.


E. Mount Amazon S3 as a file system to the on-premises servers.

Answer: BC

340. A company is using a centralized AWS account to store log data in various Amazon S3 buckets. A
solutions architect needs to ensure that the data is encrypted at rest before the data is uploaded to the
S3 buckets. The data also must be encrypted in transit. Which solution meets these requirements?

A. Create bucket policies that require the use of server-side encryption with S3 managed encryption keys
(SSE-S3) for S3 uploads.

B. Use server-side encryption to encrypt the data that is being uploaded to the S3 buckets.

C. Use client-side encryption to encrypt the data that is being uploaded to the S3 buckets.

D. Enable the security option to encrypt the S3 buckets through the use of a default AWS Key Management
Service key.

Answer: A

341. A solutions architect needs to design a system to store client case files. The files are core company
assets and are important. The number of files will grow over time. The files must be simultaneously accessible
from multiple application servers that run on Amazon EC2 instances. The solution must have built-in
redundancy.

Which solution meets these requirements?

A. AWS Backup

B. Amazon S3 Glacier Deep Archive

C. Amazon Elastic File System (Amazon EFS)

D. Amazon Elastic Block Store (Amazon EBS)

Answer: C

342. A company maintains about 300 TB in Amazon S3 Standard storage month after month. The S3 objects
are each typically around 50 frequently replaced with multipart uploads by their global application. The
number and size of S3 objects remain constant, but the company's S3 storage costs are increasing each month.

How should a solutions architect reduce costs in this situation?

A. Switch from multipart uploads to Amazon S3 Transfer Acceleration.

B. Enable an S3 Lifecycle policy that deletes incomplete multipart uploads.

C. Configure S3 inventory to prevent objects from being archived too quickly.


D. Configure Amazon CloudFront to reduce the number of objects stored in Amazon S3.

Answer: D

343. A company wants to build an immutable infrastructure for its software applications. The company
wants to test the software applications before sending traffic to them. The company seeks an efficient
solution that limits the effects of application bugs.

Which combination of steps should a solutions architect recommend? (Select TWO.)

A. Use AWS CloudFormation to deploy the staging environment with a snapshot deletion policy and reuse
the resources in the production environment if the tests pass.

B. Use AWS CloudFormation to update the production infrastructure and roll back the stack if the update
fails.

C. Apply Amazon Route 53 failover routing to test the staging environment and fail over to the production
environment if the tests pass.

D. Use AWS CloudFormation with a parameter set to the staging value in a separate environment other than
the production environment.

E. Apply Amazon Route 53 weighted routing to test the staging environment and gradually increase the
traffic as the tests pass.

Answer: AE

344. A company with a single AWS account runs its internet-facing containerized web application on an
Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster is placed in a private subnet of a
VPC. System administrators access the EKS cluster through a bastion host on a public subnet. A new corporate
security policy requires the company to avoid the use of bastion hosts. The company also must not allow
internet connectivity to the EKS cluster.

Which solution meets these requirements MOST cost effectively?

A. Establish a VPN connection.


B. Set up an AWS Direct Connect connection.

C. Create a transit gateway.

D. Use AWS Storage Gateway.

Answer: A

345. A solutions architect plans to convert a company's monolithic web application into a multi-tier
application. The company wants to avoid managing its own infrastructure. The minimum requirements for the
web application are high availability, scalability, and regional low latency during peak hours. The solution
should also store and retrieve data with millisecond latency using the application's API.

Which solution meets these requirements?

A. Use AWS Fargate to host the web application with backend Amazon RDS Multi-AZ DB instances.

B. Use Amazon API Gateway with an edge-optimized API endpoint, AWS Lambda for compute, and Amazon
DynamoDB as the data store.

C. Use an Amazon Route 53 routing policy with geolocation that points to an Amazon S3 bucket with static
website hosting and Amazon DynamoDB as the data Store.

D. Use an Amazon CloudFront distribution that points to an Elastic Load Balancer with an Amazon EC2 Auto
Scaling group, along with Amazon RDS Multi-AZ DB instances.

Answer: A

346. A company has applications that are deployed in multiple AWS Regions. The applications use an
architecture that is based on Amazon EC2, Amazon Elastic Block Store (Amazon EBS), Amazon Elastic File
System (Amazon EFS), and Amazon DynamoDB.

The company lacks a mechanism for centralized data backup. A solutions architect must centralize data
backup with the least possible operational effort. What should the solutions architect do to meet these
requirements?

A. Tag all resources by project. Create backup plans in AWS Backup to back up the data by tag name according
to each project's needs.

B. Use AWS CloudFormation to create a template for every new project so that all resources can be
recreated at any time. Set the template to take daily snapshots of each EC2 instance, EBS volume, and EFS file
system. Set the template to use DynamoDB on-demand backup for daily backups.

C. Tag all resources by project. Use AWS Systems Manager to set up snapshots by project and set DynamoDB
incremental backup.

D. Tag all resources by project. Create an AWS Lambda function to run on schedule and take snapshots of
each EC2 instance, EBS volume, and EFS file system by project. Configure the function to invoke DynamoDB
on-demand backup.

Answer: D

347. A company has an application that collects data from IoT sensors on automobiles. The data is streamed
and stored in Amazon S3 through Amazon Kinesis Data Firehose. The data produces trillions of S3 objects
each year. Each morning, the company uses the data from the previous 30 days to retrain a suite of machine
learning (ML) models.

Four times each year, the company uses the data from the previous 12 months to perform analysis and train
other ML models. The data must be available with minimal delay for up to 1 year. After 1 year, the data must
be retained for archival purposes.

Which storage solution meets these requirements MOST cost-effectively?

A. Use the S3 Intelligent-Tiering storage class. Configure S3 Intelligent-Tiering to automatically move objects
to S3 Glacier Deep Archive after 1 year.

B. Use the S3 Standard storage class. Create an S3 Lifecycle policy to transition objects to S3
Standard-Infrequent Access (S3 Standard-IA) after 30 days, and then to S3 Glacier Deep Archive after 1 year.

C. Use the S3 Intelligent-Tiering storage class. Create an S3 Lifecycle policy to transition objects to S3 Glacier
Deep Archive after 1 year.

D. Use the S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create an S3 Lifecycle policy to
transition objects to S3 Glacier Deep Archive after 1 year.

Answer: B

348. A company's HTTP application is behind a Network Load Balancer (NLB). The NLB's target group is
configured to use an Amazon EC2 Auto Scaling group with multiple EC2 instances that run the web service.

The company notices that the NLB is not detecting HTTP errors for the application. These errors require a
manual restart of the EC2 instances that run the web service. The company needs to improve the
application's availability without writing custom scripts or code.

What should a solutions architect do to meet these requirements?

A. Enable HTTP health checks on the NLB supplying the URL of the company's application.

B. Add a cron job to the EC2 instances to check the local application's logs once each minute. If HTTP errors
are detected, the application will restart.

C. Replace the NLB with an Application Load Balancer. Enable HTTP health checks by supplying the URL of the
company's application. Configure an Auto Scaling action to replace unhealthy instances.

D. Create an Amazon CloudWatch alarm that monitors the UnHealthyHostCount metric for the NLB.
Configure an Auto Scaling action to replace unhealthy instances when the alarm is in the ALARM state.

Answer: D
349. A company hosts a multi-tier web application that uses an Amazon Aurora MySQL DB cluster for storage.
The application tier is hosted on Amazon EC2 instances. The company's IT security guidelines mandate that
the database credentials be encrypted and rotated every 14 days.

What should a solutions architect do to meet this requirement with the LEAST operational effort?

A. Create a new AWS Key Management Service (AWS KMS) encryption key. Use AWS Secrets Manager to
create a new secret that uses the KMS key with the appropriate credentials. Associate the secret with the
Aurora DB cluster. Configure a custom rotation period of days.

B. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted
Amazon S3 bucket that the application uses to load the credentials. Download the file to the application
regularly to ensure that the correct credentials are used. Implement an AWS Lambda function that rotates the
Aurora credentials every 14 days and uploads these credentials to the file in the S3 bucket.

C. Create two parameters in AWS Systems Manager Parameter Store: one for the user name as a string
parameter and one that uses the SecureString type for the password. Select AWS Key Management
Service (AWS KMS) encryption for the password parameter, and load these parameters in the application
tier. Implement an AWS Lambda function that rotates the password every 14 days.

D. Store a file that contains the credentials in an AWS Key Management Service (AWS KMS) encrypted
Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system in all EC2 instances of the
application tier. Restrict the access to the file on the file system so that the application can read the file and
that only super users can modify the file. Implement an AWS Lambda function that rotates the key Aurora
every 14 days and writes new into the file.

Answer: C

350. A company is running an application on Amazon EC2 instances. Traffic to the workload increases
substantially during business hours and decreases afterward. The CPU utilization of an EC2 instance is a
strong indicator of end-user demand on the application. The company has configured an Auto Scaling
group to have a minimum group size of 2 EC2 instances and a maximum group size of 10 EC2 instances.

The company is concerned that the current scaling policy that is associated with the Auto Scaling group might
not be correct. The company must avoid overprovisioning EC2 instances and incurring unnecessary costs.

What should a solutions architect recommend to meet these requirements?

A. Configure AWS Auto Scaling to have a desired capacity of 5 EC2 instances, and disable any existing scaling
policies. Monitor the CPU utilization metric for 1 week. Then create dynamic scaling policies that are based on
the observed values.

B. Configure a step scaling policy to add 4 EC2 instances at 50% CPU utilization and add another 4 EC2
instances at 90% CPU utilization. Configure scale-in policies to perform the reverse and remove EC2 instances
based on the two values.

C. Configure Amazon EC2 Auto Scaling to use a scheduled scaling plan and launch an additional 8 EC2
instances during business hours.

D. Configure AWS Auto Scaling to use a scaling plan that enables predictive scaling. Configure predictive
scaling with a scaling mode of forecast and scale, and to enforce the maximum capacity setting during
scaling.

Answer: D

351. A company has 150 TB of archived image data stored on-premises that needs to be moved to the AWS
Cloud within the next month. The company's current network connection allows up to 100 Mbps uploads for
this purpose during the night only.

What is the MOST cost-effective mechanism to move this data and meet the migration deadline?

A. Enable Amazon S3 Transfer Acceleration and securely upload the data.

B. Use AWS Snowmobile to ship the data to AWS.

C. Order multiple AWS Snowball devices to ship the data to AWS.

D. Create an Amazon S3 VPC endpoint and establish a VPN to upload the data.

Answer: C

352. A company currently has 250 TB of backup files stored in Amazon S3 in a vendor's proprietary format.
Using a Linux-based software application provided by the vendor, the company wants to retrieve files from
Amazon S3, transform the files to an industry-standard format, and re-upload them to Amazon S3. The
company wants to minimize the data transfer charges associated with this conversion.

What should a solutions architect do to accomplish this?

A. Install the conversion software as an Amazon S3 batch operation so the data is transformed without
leaving Amazon

B. Install the conversion software onto an on-premises virtual machine. Perform the transformation and
re-upload the files to Amazon S3 from the virtual machine.

C. Use AWS Snowball Edge devices to export the data and install the conversion software onto the devices.
Perform the data transformation and re-upload the files to Amazon S3 from the Snowball Edge devices.

D. Launch an Amazon EC2 instance in the same Region as Amazon S3 and install the conversion software onto
the instance. Perform the transformation and re-upload the files to Amazon S3 from the EC2 instance.

Answer: C
353. A company's packaged application dynamically creates and returns single-use text files in response to
user requests. The company is using Amazon CloudFront for distribution, but wants to further reduce data
transfer costs. The company cannot modify the application's source code.

What should a solutions architect do to reduce costs?

A. Use Amazon S3 multipart uploads to move the files to Amazon S3 before returning them to users.

B. Use Lambda@Edge to compress the files as they are sent to users.

C. Enable caching on the CloudFront distribution to store generated files at the edge.

D. Enable Amazon S3 Transfer Acceleration to reduce the response times.

Answer: A

354. A company has two applications: a sender application that sends messages with payloads to be
processed and a processing application intended to receive messages with payloads. The company
wants to implement an AWS service to handle messages between the two applications. The sender
application can send about 1,000 messages each hour. The messages may take up to 2 days to be
processed. If the messages fail to process, they must be retained so that they do not impact the
processing of any remaining messages. Which solution meets these requirements and is the MOST
operationally efficient?

A. Subscribe the processing application to an Amazon Simple Notification Service (Amazon SNS) topic to
receive notifications to process. Integrate the sender application to write to the SNS topic.

B. Set up an Amazon EC2 instance running a Redis database. Configure both applications to use the instance.
Store, process, and delete the messages, respectively.

C. Integrate the sender and processor applications with an Amazon Simple Queue Service (Amazon SQS)
queue. Configure a dead-letter queue to collect the messages that failed to process.

D. Use an Amazon Kinesis data stream to receive the messages from the sender application. Integrate the
processing application with the Kinesis Client Library (KCL).

Answer: C

355. A company runs an application on Amazon EC2 instances. The application is deployed in private subnets
in three Availability Zones of the us-east-1 Region. The instances must be able to connect to the internet to
download files. The company wants a design that is highly available across the Region.

Which solution should be implemented to ensure that there are no disruptions to internet connectivity?

A. Deploy a transit gateway in a private subnet of each Availability Zone.

B. Deploy an internet gateway in a public subnet of each Availability Zone.

C. Deploy a NAT gateway in a public subnet of each Availability Zone.


D. Deploy a NAT instance in a private subnet of each Availability Zone.

Answer: C

356. A company operates a website on Amazon EC2 Linux instances. Some of the instances are failing.
Troubleshooting points to insufficient swap space on the failed instances. The operations team lead
needs a solution to monitor this.

What should a solutions architect recommend?

A. Enable detailed monitoring in the EC2 console. Create an Amazon CloudWatch Swap Utilization custom
metric.
B. Install an Amazon CloudWatch agent on the instances. Run an appropriate script on a set schedule.
Monitor Swap Utilization metrics in CloudWatch.
C. Configure an Amazon CloudWatch Swap Usage metric dimension. Monitor the Swap Usage dimension in
the EC2 metrics in CloudWatch.
D. Use EC2 metadata to collect information, then publish it to Amazon CloudWatch custom metrics. Monitor
Swap Usage metrics in CloudWatch.

Answer: B

357. A company has developed a microservices application. It uses a client-facing API with Amazon API
Gateway and multiple internal services hosted on Amazon EC2 instances to process user requests. The API is
designed to support unpredictable surges in traffic, but internal services may become overwhelmed and
unresponsive for a period of time during surges. A solutions architect needs to design a more reliable solution
that reduces errors when internal services become unresponsive or unavailable. Which solution meets these
requirements?

A. Use Amazon Simple Queue Service (Amazon SQS) to store user requests as they arrive. Change the
internal services to retrieve the requests from the queue for processing.

B. Use an Elastic Load Balancer to distribute the traffic between internal services. Configure

C. Use different Availability Zones to internal services send a notification to a system administrator when an
internal service becomes unresponsive.

D. Use AWS Auto Scaling to scale up internal services when there is a surge in traffic.

Answer: A
358. A company's near-real-time streaming application is running on AWS. As the data is ingested, a job runs
on the data and takes 30 minutes to complete. The workload frequently experiences high latency due to large
amounts of incoming data. A solutions architect needs to design a scalable and serverless solution to enhance
performance. Which combination of steps should the solutions architect take? (Choose two.)

A) Use AWS Fargate with Amazon Elastic Container Service (Amazon ECS) to process the data.

B) Use Amazon EC2 instances in an Auto Scaling group to process the data.

C) Use Amazon Kinesis Data Firehose to ingest the data.

D) Use AWS Lambda with AWS Step Functions to process the data.

E) Use AWS Database Migration Service (AWS DMS) to ingest the data.

Answer: CD

359. A company has created a multi-tier application for its ecommerce website. The website uses an
Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL
cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve
product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions
architect must devise a strategy that maximizes security without increasing operational overhead. What
should the solutions architect do to meet these requirements?

A) Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all
internet-bound traffic to the NAT gateway.

B) Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to
direct internet-bound traffic to the virtual private gateway.

C) Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.

D) Configure an Internet gateway and attach it to the VPC. Modify the private subnet route table to direct
internet-bound traffic to the internet gateway.

Answer: D

360. A company must migrate 20 TB of data from a data center to the AWS Cloud within 30 days. The
company's network bandwidth is limited to 15 Mbps and cannot exceed 70% utilization. What should a
solutions architect do to meet these requirements?

A) Use AWS DataSync.


B) Use Amazon S3 Transfer Acceleration.
C) Use AWS Snowball.
D) Use a secure VPN connection.
Answer: C
361. A company runs a multi-tier web application that hosts news content. The application runs on Amazon
EC2 instances behind an Application Load Balancer. The instances run in an EC2 Auto Scaling group across
multiple Availability Zones and use an Amazon Aurora database. A solutions architect needs to make the
application more resilient to periodic increases in request rates. Which architecture should the solutions
architect implement? (Choose two.)

A) Add an Amazon CloudFront distribution in front of the Application Load Balancer.

B) Add AWS Global Accelerator.

C) Add Aurora Replica.

D) Add AWS Shield.

E) Add AWS Direct Connect.

Answer: AB

362. An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an
Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when
the CPU utilization of the EC2 instances is at or near 40%. What should a solutions architect do to maintain
the desired performance across all instances in the group?

A) Use a target tracking policy to dynamically scale the Auto Scaling group.
B) Use an AWS Lambda function to update the desired Auto Scaling group capacity.
C) Use scheduled scaling actions to scale up and scale down the Auto Scaling group.
D) Use a simple scaling policy to dynamically scale the Auto Scaling group.
Answer: A

363. A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to
store a static website. The company's security policy requires that all website traffic be inspected by AWS
WAF. How should the solutions architect comply with these requirements?

A) Configure a security group that allows Amazon CloudFront IP addresses to access Amazon S3 only.
Associate AWS WAF to CloudFront.

B) Configure an S3 bucket policy to accept requests coming from the AWS WAF Amazon Resource Name
(ARN) only.

C) Configure Amazon CloudFront to forward all incoming requests to AWS WAF before requesting content
from the S3 origin.

D) Configure Amazon CloudFront and Amazon S3 to use an origin access identity (OAI) to restrict access to the
S3 bucket. Enable AWS WAF on the distribution.

Answer: C
364. A company recently implemented hybrid cloud connectivity using AWS Direct Connect and is migrating
data to Amazon S3. The company is looking for a fully managed solution that will automate and accelerate
the replication of data between the on-premises storage systems and AWS storage services. Which solution
should a solutions architect recommend to keep the data private?

A) Deploy an AWS Storage Gateway file gateway for the on-premises environment. Configure it to store data
locally, and asynchronously back up point-in-time snapshots to AWS.

B) Deploy an AWS Storage Gateway volume gateway for the on-premises environment. Configure it to
store data locally, and asynchronously back up point-in-time snapshots to AWS.

C) Deploy an AWS DataSync agent for the on-premises environment. Configure a sync job to replicate the
data and connect it with an AWS service endpoint.

D) Deploy an AWS DataSync agent for the on-premises environment. Schedule a batch job to replicate
point-in-time snapshots to AWS.

Answer: B

365. A company is creating an architecture for a mobile app that requires minimal latency for its users. The
company's architecture consists of Amazon EC2 instances behind an Application Load Balancer running in an
Auto Scaling group. The EC2 instances connect to Amazon RDS. Application beta testing showed there was a
slowdown when reading the data. However, the metrics indicate that the EC2 instances do not cross any CPU
utilization thresholds. How can this issue be addressed?

A) Add Multi-AZ support to the RDS instances and direct read traffic to the new EC2 instance.

B) Replace the Application Load Balancer with a Network Load Balancer.

C) Add read replicas for the RDS instances and direct read traffic to the replica.

D) Reduce the threshold for CPU utilization in the Auto Scaling group.

Answer: C

366. A solutions architect must create a highly available bastion host architecture. The solution needs to
be resilient within a single AWS Region and should require only minimal effort to maintain. What should
the solutions architect do to meet these requirements?

A) Create a Network Load Balancer backed by an Auto Scaling group with a UDP listener.

B) Create a Network Load Balancer backed by an Auto Scaling group with instances in multiple Availability
Zones as the target.

C) Create a Network Load Balancer backed by the existing servers in different Availability Zones as the target.

D) Create a Network Load Balancer backed by a Spot Fleet with instances in a partition placement group.
Answer: B

367. An application running on AWS uses an Amazon Aurora Multi-AZ deployment for its database. When
evaluating performance metrics, a solutions architect discovered that the database reads are causing high I/O
and adding latency to the write requests against the database. What should the solutions architect do to
separate the read requests from the write requests?

A) Enable read-through caching on the Amazon Aurora database.

B) Create a read replica and modify the application to use the appropriate endpoint.

C) Create a second Amazon Aurora database and link it to the primary database as a read replica.

D) Update the application to read from the Multi-AZ standby instance.

Answer: B

368. A development team needs to host a website that will be accessed by other teams. The website
contents consist of HTML, CSS, client-side JavaScript, and images. Which method is the MOST cost-effective
for hosting the website?

A) Containerize the website and host it in AWS Fargate.

B) Create an Amazon S3 bucket and host the website there.

C) Configure Application Load Balancer with an AWS Lambda target that uses the Express.js framework.

D) Deploy a web server on an Amazon EC2 instance to host the website.

Answer: B

369. A company is designing a new web service that will run on Amazon EC2 instances behind an Elastic
Load Balancer. However, many of the web service clients can only reach IP addresses whitelisted on
their firewalls. What should a solutions architect recommend to meet the client's needs?

A) An A record in an Amazon Route 53 hosted zone pointing to an Elastic IP address

B) An EC2 instance with a public IP address running as a proxy in front of the load balancer

C) A Network Load Balancer with an associated Elastic IP address.

D) An Application Load Balancer with an associated Elastic IP address

Answer: D
370. A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database.
Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.
Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of
changes to the infrastructure?

A) Deploy AWS CloudHSM, generate encryption keys, and use the customer master key (CMK) to encrypt
database volumes.

B) Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS
Key Management Service (AWS KMS) keys to encrypt instance and database volumes.

C) Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database
volume.

D) Configure SSL encryption using AWS Key Management Service customer master keys (AWS KMS CMKs) to
encrypt database volumes.

Answer: B

371. An Amazon EC2 administrator created the following policy associated with an IAM group containing
several users:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "10.100.100.0/24"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ec2:Region": "us-east-1"
                }
            }
        }
    ]
}

What is the effect of this policy?

A) Users can terminate an EC2 instance in any AWS Region except us-east-1.

B) Users can terminate an EC2 instance with the IP address 10.100.100.1 in the us-east-1 Region.

C) Users cannot terminate an EC2 instance in the us-east-1 Region when the user's source IP is
10.100.100.254.

D) Users can terminate an EC2 instance in the us-east-1 Region when the user's source IP is 10.100.100.254.

Answer: D

372. What should a solutions architect do to ensure that all objects uploaded to an Amazon S3 bucket are
encrypted?

A) Update the bucket policy to deny if the PutObject does not have an aws:SecureTransport header set to
true.

B) Update the bucket policy to deny if the PutObject does not have an x-amz-server-side-encryption header
set.

C) Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set.

D) Update the bucket policy to deny if the PutObject does not have an s3:x-amz-acl header set to private.

Answer: B

373. A solutions architect is designing a security solution for a company that wants to provide developers
with individual AWS accounts through AWS Organizations, while also maintaining standard security controls.
Because the individual developers will have AWS account root user-level access to their own accounts, the
solutions architect wants to ensure that the mandatory AWS CloudTrail configuration that is applied to new
developer accounts is not modified. Which action meets these requirements?

A) Create a service control policy (SCP) that prohibits changes to CloudTrail, and attach it to the developer
accounts.

B) Create a service-linked role for CloudTrail with a policy condition that allows changes only from an Amazon
Resource Name (ARN) in the master account

C) Create an IAM policy that prohibits changes to CloudTrail, and attach it to the root user.

D) Create a new trail in CloudTrail from within the developer accounts with the organization trails option
enabled.

Answer: A

374. A company's website runs on Amazon EC2 instances behind an Application Load Balancer (ALB).
The website has a mix of dynamic and static content. Users around the globe are reporting that the
website is slow. Which set of actions will improve website performance for users worldwide?

A) Host the website in an Amazon S3 bucket in the Regions closest to the users and delete the ALB and EC2
instances. Then update an Amazon Route 53 record to point to the S3 buckets.

B) Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger
instance sizes and register the instances with the ALB

C) Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon
Route 53 record to point to the CloudFront distribution

D) Launch new EC2 instances hosting the same web application in different Regions closer to the users. Then
register instances with the same ALB using cross-Region VPC peering.

Answer: C

375. A company is designing an internet-facing web application. The application runs on Amazon EC2 for
Linux-based instances that store sensitive user data in Amazon RDS MySQL Multi-AZ DB instances. The EC2
instances are in public subnets, and the RDS DB instances are in private subnets. The security team has
mandated that the DB instances be secured against web-based attacks. What should a solutions architect
recommend?

A) Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Move DB instances to the same subnets that EC2 instances are located in. Create a security group for the DB
instances. Configure the RDS security group to only allow port 3306 inbound from the individual EC2
instances.

B) Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Use AWS WAF to monitor inbound web traffic for threats. Configure the Auto Scaling group to automatically
create new DB instances under heavy traffic. Create a security group for the RDS DB instances. Configure the
RDS security group to only allow port 3306 inbound.

C) Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Use AWS WAF to monitor inbound web traffic for threats. Create a security group for the web application
servers and a security group for the DB instances. Configure the RDS security group to only allow port 3306
inbound from the web application server security group.

D) Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Configure the EC2 instance iptables rules to drop suspicious web traffic. Create a security group for the DB
instances. Configure the RDS security group to only allow port 3306 inbound from the individual EC2
instances.

Answer: C

376. A company is automating an order management application. The company's development team has
decided to use SFTP to transfer and store the business-critical information files. The files must be encrypted
and must be highly available. The files also must be automatically after they are created. Which solution
meets these requirements with the LEAST operational overhead?

A) Configure an Amazon S3 bucket with encryption enabled. Use AWS Transfer for SFTP to securely transfer
the files to the S3 bucket. Apply an AWS Transfer for SFTP file retention policy to delete the files after a
month.

B) Install an SFTP service on an Amazon EC2 instance. Mount an Amazon Elastic File System (Amazon EFS) file
share on the EC2 instance. Enable cron to delete the files after a month.

C) Configure an Amazon Elastic File System (Amazon EFS) file system with encryption enabled. Use AWS
Transfer for SFTP to securely transfer the files to the EFS file system. Apply an EFS lifecycle policy to
automatically delete the files after a month.

D) Configure an Amazon S3 bucket with encryption enabled. Use AWS Transfer for SFTP to securely transfer
the files to the S3 bucket. Apply S3 Lifecycle rules to automatically delete the files after a month.

Answer: D

377. A company is building an ecommerce application and needs to store sensitive customer information.
The company needs to give customers the ability to complete purchase transactions on the website. The
company also needs to ensure that sensitive customer data is protected, even from data administrators.
Which solution meets these requirements?

A) Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data.
Use an IAM instance role to restrict access.

B) Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side
encryption to encrypt the data.

C) Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use
Windows file permissions to restrict access.

D) Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to
encrypt the data. Use S3 bucket policies to restrict access.

Answer: B

378. A company runs an on-premises application that is powered by a MySQL database. The company is
migrating the application to AWS to increase the application's elasticity and availability. The current
architecture shows heavy read activity on the database during times of normal operation. Every 4 hours,
the company's development team pulls a full export of the production database to populate a database
in the staging environment. During this period, users experience unacceptable application latency. The
development team is unable to use the staging environment until the procedure completes. A solutions
architect must recommend replacement architecture that alleviates the application latency issue. The
replacement architecture also must give the development team the ability to continue using the staging
environment without delay. Which solution meets these requirements?

A) Use Amazon RDS for MySQL with a Multi-AZ deployment and read replicas for production. Populate the
staging database by implementing a backup and restore process that uses the mysqldump utility

B) Use Amazon RDS for MySQL with a Multi-AZ deployment and read replicas for production. Use the standby
instance for the staging database

C) Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Populate the staging database
by implementing a backup and restore process that uses the mysqldump utility

D) Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Use database cloning to create
the staging database on-demand

Answer: A

379. A company has two VPCs named Management and Production. The Management VPC uses VPNs
through a customer gateway to connect to a single device in the data center. The Production VPC uses a
virtual private gateway with two attached AWS Direct Connect connections. The Management and
Production VPCs both use a single VPC peering connection to allow communication between the applications.
What should a solutions architect do to mitigate any single point of failure in this architecture?

A) Add a second set of VPNs to the Management VPC from a second customer gateway device

B) Add a second virtual private gateway and attach it to the Management VPC

C) Add a set of VPNs between the Management and Production VPCs

D) Add a second VPC peering connection between the Management VPC and the Production VPC

Answer: B
380. A company recently started using Amazon Aurora as the data store for its global ecommerce application.
When large reports are run, developers report that the ecommerce application is performing poorly. After
reviewing metrics in Amazon CloudWatch, a solutions architect finds that the ReadIOPS and CPUUtilization
metrics are spiking when monthly reports run. What is the MOST cost-effective solution?

A) Migrate the monthly reporting to an Aurora Replica

B) Migrate the Aurora database to a larger instance class

C) Increase the Provisioned IOPS on the Aurora instance

D) Migrate the monthly reporting to Amazon Redshift

Answer: C

381. A company has a customer relationship management (CRM) application that stores data in an Amazon
RDS DB instance that runs Microsoft SQL Server. The company's IT staff has administrative access to the
database. The database contains sensitive data. The company wants to ensure that the data is not accessible
to the IT staff and that only authorized personnel can view the data. What should a solutions architect do to
secure the data?

A) Use client-side encryption with an Amazon RDS managed key

B) Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) customer managed key

C) Use Amazon RDS encryption with an AWS Key Management Service (AWS KMS) default encryption key

D) Use client-side encryption with an AWS Key Management Service (AWS KMS) customer managed key

Answer: D

382. A solutions architect must provide a fully managed replacement for an on-premises solution that allows
employees and partners to exchange files. The solution must be easily accessible to employees connecting
from on-premises systems, remote employees, and external partners. Which solution meets these
requirements?

A) Use AWS Transfer for SFTP to transfer files into and out of Amazon S3

B) Use AWS Snowball Edge for local storage and large-scale data transfers

C) Use Amazon FSx to store and transfer files to make them available remotely

D) Use AWS Storage Gateway to create a volume gateway to store and transfer files to Amazon S3

Answer: D

383. A disaster response team is using drones to collect images of recent storm damage. The response team's
laptops lack the storage and compute capacity to transfer the images and process the data. While the team
has Amazon EC2 instances for processing and Amazon S3 buckets for storage, network connectivity is
intermittent and unreliable. The images need to be processed to evaluate the damage. What should a
solutions architect recommend?

A) Configure Amazon Kinesis Data Firehose to create multiple delivery streams aimed separately at the S3
buckets for storage and the EC2 instances for processing

B) Upload the images to Amazon Simple Queue Service (Amazon SQS) during intermittent connectivity to EC2
instances

C) Use AWS Snowball Edge devices to process and store the images

D) Use AWS Storage Gateway pre-installed on a hardware appliance to cache the images locally for Amazon
S3 to process the images when connectivity becomes available.

Answer: C

384. A company has saved 5 years of data in an Amazon S3 bucket. The data is stored in structured objects
for multiple tables. The company needs a solution that will run complex queries on multiple joined tables as
quickly as possible. The solution also must minimize operational overhead. Which solution meets these
requirements?

A) Use a transient Apache Spark cluster on Amazon EMR to perform the queries

B) Use Amazon Athena on Amazon S3 to perform the queries

C) Use Amazon QuickSight to create an interactive dashboard that queries the data

D) Use AWS Glue to transform the data into Amazon Redshift tables then perform the queries

Answer: D

385. An ecommerce company is creating an application that requires a connection to a third-party
payment service to process payments. The payment service needs to explicitly allow the
public IP address of the server that is making the payment request. However, the company's security
policies do not allow any server to be exposed directly to the public internet. Which solution will meet these
requirements?

A) Provision an Elastic IP address. Host the application servers on Amazon EC2 instances in a private subnet.
Assign the public IP address to the application servers

B) Set up an AWS Client VPN connection to the payment service. Host the application servers on Amazon
EC2 instances in a private subnet. Route the payment requests through the VPN

C) Create a NAT gateway in a public subnet. Host the application servers on Amazon EC2 instances in a
private subnet. Route payment requests through the NAT gateway

D) Deploy an Application Load Balancer (ALB). Host the application servers on Amazon EC2 instances in a
private subnet. Route the payment requests through the ALB

Answer: C

386. A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to
use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be
notified 30 days before the expiration of each certificate. What should a solutions architect recommend to
meet this requirement?

A) Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will
expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function
to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS)

B) Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon
EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification
Service (Amazon SNS) when AWS Config reports a noncompliant resource.

C) Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS)
topic every day beginning 30 days before any certificate will expire.

D) Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon
CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to
send a custom alert by way of Amazon Simple Notification Service (Amazon SNS)

Answer: B

387. A company is running a multi-tier web application on premises. The web application is
containerized and runs on a number of Linux hosts connected to a PostgreSQL database that contains
user records. The operational overhead of maintaining the infrastructure and capacity planning is limiting
the company's growth. A solutions architect must improve the application's infrastructure. Which
combination of actions should the solutions architect take to accomplish this? (Select TWO)

A) Set up Amazon ElastiCache between the web application and the PostgreSQL database

B) Migrate the PostgreSQL database to Amazon Aurora

C) Migrate the web application to be hosted on Amazon EC2 instances

D) Set up an Amazon CloudFront distribution for the web application content

E) Migrate the web application to be hosted on AWS Fargate with Amazon Elastic Container Service (Amazon
ECS)

Answer: AD

389. A company runs a three-tier web application in a VPC across multiple Availability Zones. Amazon EC2
instances run in an Auto Scaling group for the application tier. The company needs to make an automated
scaling plan that will analyze each resource's daily and weekly historical workload trends. The configuration must
scale resources appropriately according to both the forecast and live changes in utilization. Which scaling
strategy should a solutions architect recommend to meet these requirements?

A) Set up a simple scaling policy. Increase the cooldown period based on the EC2 instance startup time

B) Create an automated scheduled scaling action based on the traffic patterns of the web application.

C) Implement dynamic scaling with step scaling based on average CPU utilization from the EC2 instances

D) Enable predictive scaling to forecast and scale. Configure dynamic scaling with target tracking

Answer: D

390. A company needs to implement a relational database with a multi-Region disaster recovery Recovery
Point Objective (RPO) of 1 second and a Recovery Time Objective (RTO) of 1 minute. Which AWS solution
can achieve this?

A) Amazon Aurora Global Database

B) Amazon RDS for MySQL with Multi-AZ enabled

C) Amazon DynamoDB global tables

D) Amazon RDS for MySQL with a cross-Region snapshot copy

Answer: D

391. A social media company is building a feature for its website. The feature will give users the ability to
upload photos. The company expects significant increases in demand during large events and must ensure
that the website can handle the upload traffic from users. Which solution meets these requirements with the
MOST scalability?

A) Generate Amazon S3 presigned URLs in the application. Upload files directly from the user's browser into an
S3 bucket

B) Upload files from the user's browser to the application servers. Transfer the files to an Amazon S3 bucket

C) Provision an AWS Storage Gateway file gateway. Upload files directly from the user's browser to the file
gateway

D) Provision an Amazon Elastic File System (Amazon EFS) file system. Upload files directly from the user's
browser to the file system

Answer: D

392. A company hosts an application on AWS. The application interacts with an Amazon DynamoDB table
that has 10 read capacity units (RCUs). Data from Amazon CloudWatch alarms shows that throttling is
occurring on read requests to the DynamoDB table. The company needs to prevent this issue from
happening in the future as the application continues to grow. What should a solutions architect recommend
to meet these requirements?

A) Provision 20 write capacity units (WCUs) for the DynamoDB table to offset the throttling on read requests

B) Enable auto scaling for the DynamoDB table

C) Change the RCUs for the DynamoDB table to 20

D) Add an Elastic Load Balancer in front of the DynamoDB table

Answer: C

393. A company is migrating its applications to AWS. Currently, applications that run on premises generate
hundreds of terabytes of data that is stored on a shared file system. The company is running an analytics
application in the cloud that runs hourly to generate insights from this data. The company needs a solution to
handle the ongoing data transfer between the on-premises shared file system and Amazon S3. The solution
also must be able to handle occasional interruptions in internet connectivity. Which solution should the
company use for the data transfer to meet these requirements?

A) AWS Transfer for SFTP

B) AWS Migration Hub

C) AWS DataSync

D) AWS Snowball Edge Storage Optimized

Answer: D

394. A company hosts its multi-tier, public web application in the AWS Cloud. The web application runs on
Amazon EC2 instances, and its database runs on Amazon RDS. The company is anticipating a large increase in
sales during an upcoming holiday weekend. A solutions architect needs to build a solution to analyze the
performance of the web application with a granularity of no more than 2 minutes. What should the solutions
architect do to meet this requirement?

A) Send Amazon CloudWatch logs to Amazon Redshift. Use Amazon QuickSight to perform further analysis

B) Create an AWS Lambda function to fetch EC2 logs from Amazon CloudWatch Logs. Use Amazon
CloudWatch metrics to perform further analysis

C) Enable detailed monitoring on all EC2 instances. Use Amazon CloudWatch metrics to perform further
analysis

D) Send EC2 logs to Amazon S3. Use Amazon Redshift to fetch logs from the S3 bucket to process raw data for
future analysis with Amazon QuickSight

Answer: C

395. A company's infrastructure consists of hundreds of Amazon EC2 instances that use Amazon Elastic Block
Store (Amazon EBS) storage. A solutions architect must ensure that every EC2 instance can be recovered after
a disaster. What should the solutions architect do to meet this requirement with the LEAST amount of effort?

A) Create an AWS Lambda function to take a snapshot of the EBS storage that is attached to each EC2
instance and copy the Amazon Machine Images (AMIs). Create another Lambda function to perform the
restores with the copied AMIs and attach the EBS storage

B) Take a snapshot of the EBS storage that is attached to each EC2 instance. Use AWS Elastic Beanstalk to set
the environment based on the EC2 template and attach the EBS storage

C) Take a snapshot of the EBS storage that is attached to each EC2 instance. Create an AWS
CloudFormation template to launch new EC2 instances from the EBS storage

D) Use AWS Backup to set up a backup plan for each EC2 instance. Use the AWS Backup API or the AWS CLI to
speed up the restore process for multiple EC2 instances

Answer: C

396. A solutions architect is creating an application. The application will run on Amazon EC2 instances in
private subnets across multiple Availability Zones in a VPC. The EC2 instances will frequently access large
files that contain confidential information. These files are stored in Amazon S3 buckets for processing.
The solutions architect must optimize the network architecture to minimize data transfer costs. What
should the solutions architect do to meet these requirements?

A) Create a gateway endpoint for Amazon S3 in the VPC. In the route tables for the private subnets, add an
entry for the gateway endpoint.

B) Create a single NAT gateway in a public subnet. In the route tables for the private subnets, add a default
route that points to the NAT gateway.

C) Create one NAT gateway for each Availability Zone in public subnets. In each of the route tables for the
private subnets, add a default route that points to

D) Create an AWS PrivateLink interface endpoint for Amazon S3 in the VPC. In the route tables for the private
subnets, add an entry for the interface endpoint

Answer: B

397. A company is running a critical business application on an Amazon EC2 instance. The EC2 instance is
hosting an Apache web server and a MySQL database server. The application serves static content and
dynamic content to end users. The application is experiencing severe availability issues because of heavy user
demand. The company needs a solution that resolves the availability issues with the least operational effort
and the least change to the application. What should a solutions architect do to meet these requirements?

A) Create an Amazon Machine Image (AMI) from the current EC2 instance. Create an Auto Scaling group to
provide more capacity as needed. Use a Network Load Balancer to route traffic.

B) Host static content on Amazon S3. Deploy the application and the web server on AWS Fargate. Use an
Application Load Balancer to route traffic. Migrate the database to Amazon Aurora Serverless.

C) Deploy the application and the web server on AWS Fargate. Use a Network Load Balancer to route traffic.
Migrate the database to Amazon DynamoDB.

D) Host static content on Amazon S3. Deploy the application on EC2 instances that are configured in an Auto
Scaling group. Use an Application Load Balancer to route traffic. Migrate the database to Amazon DynamoDB.

Answer: B

398. A company is migrating a large, mission-critical database to AWS. A solutions architect has decided
to use an Amazon RDS for MySQL Multi-AZ DB instance that is deployed with 80,000 Provisioned IOPS
for storage. The solutions architect is using AWS Database Migration Service (AWS DMS) to perform the
data migration. The migration is taking longer than expected, and the company wants to speed up the
process. The company's network team has ruled out bandwidth as a limiting factor. Which actions
should the solutions architect take to speed up the migration? (Select TWO.)

A) Create a new DMS instance that has a larger instance size.

B) Restart the DMS task on a new DMS instance with transfer acceleration enabled.

C) Change the storage type on the target DB instance to Amazon Elastic Block Store (Amazon EBS) General
Purpose SSD (gp2).

D) Turn off logging on the target DB instance until the initial load is complete.

E) Disable Multi-AZ on the target DB instance.

Answer: CE

399. A solutions architect is designing the architecture for a software demonstration environment. The
environment will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer
(ALB). The system will experience significant increases in traffic during working hours but is not required to
operate on weekends. Which combination of actions should the solutions architect take to ensure that the
system can scale to meet demand? (Select TWO.)

A) Use a target tracking scaling policy to scale the Auto Scaling group based on instance CPU utilization.

B) Use AWS Auto Scaling to adjust the ALB capacity based on request rate.

C) Launch the EC2 instances in multiple AWS Regions to distribute the load across Regions.

D) Use AWS Auto Scaling to scale the capacity of the VPC internet gateway.

E) Use scheduled scaling to change the Auto Scaling group minimum, maximum, and desired capacity to
zero for weekends. Revert to the default values at the start of the week.

Answer: BE

400. A company is designing a web application using AWS that processes insurance quotes. Users will
request quotes from the application. Quotes must be separated by quote type, must be responded to
within 24 hours, and must not be lost. The solution should be simple to set up and maintain. Which
solution meets these requirements?

A. Create multiple Amazon Kinesis Data Firehose delivery streams based on the quote type to deliver
data streams to an Amazon Elasticsearch Service (Amazon ES) cluster. Configure the web application to send
messages from Amazon ES and process them accordingly.
B. Create a single Amazon Simple Notification Service (Amazon SNS) topic and subscribe the Amazon
SQS queues to the SNS topic. Configure SNS message filtering to publish messages to the proper SQS queue
based on the quote type. Configure each backend application server to work its own SQS queue.
C. Create multiple Amazon Kinesis data streams based on the quote type. Configure the web application
to send messages to the proper data stream. Configure each backend group of application servers to poll
messages from its own data stream using the Kinesis Client Library (KCL)
D. Create a single Amazon Simple Notification Service (Amazon SNS) topic and subscribe the Amazon SQS
queues to the SNS topic based on the quote type. Configure the web application to publish messages to the
SNS topic queue. Configure each backend application server to work its own SQS queue

Answer: B

401. An online gaming company is designing a game that is expected to be popular all over the world. A
solutions architect needs to define an AWS Cloud architecture that supports near-real-time recording and
displaying of current game statistics for each player along with the names of the top 25 players in the
world, at any given time.

Which AWS database solution and configuration should the solutions architect use to meet these
requirements?
A. Use Amazon RDS for MySQL as the datastore for player activity. Configure the RDS DB instance for
Multi-AZ support
B. Use Amazon RDS for MySQL as the datastore for player activity. Configure cross-Region read
replicas in each required AWS Region based on player proximity
C. Use Amazon DynamoDB as the datastore for player activity. Configure global tables in each required
AWS Region for the player data
D. Use Amazon DynamoDB as the datastore for player activity. Configure DynamoDB Accelerator (DAX)
for the player data

Answer: B

402. A company is using AWS Organizations with two AWS accounts: Logistics and Sales. The Logistics account
operates an Amazon Redshift cluster. The Sales account includes Amazon EC2 instances. The Sales account
needs to access the Logistics account's Amazon Redshift cluster. What should a solutions architect recommend
to meet this requirement MOST cost-effectively?

A. Run COPY commands to load data from Amazon Redshift into Amazon S3 buckets in the Logistics
account. Grant permissions to the Sales account to access the S3 buckets of the Logistics account
B. Set up VPC sharing with the Logistics account as the owner and the Sales account as the participant
to transfer the data
C. Create a snapshot of the Amazon Redshift cluster and share the snapshot with the Sales account. In
the Sales account, restore the cluster by using the snapshot ID that is shared by the Logistics account
D. Create an AWS Lambda function in the Logistics account to transfer data to the Amazon EC2
instances in the Sales account

Answer: A

403. A company is running a web application on Amazon EC2 instances in an Auto Scaling group. The
application uses a database that runs on an Amazon RDS for PostgreSQL DB instance. The application
performs slowly as traffic increases, and the database experiences a heavy read load during periods of
high traffic. Which actions should a solutions architect take to resolve these performance issues? (Select
TWO.)

A. Configure the Auto Scaling group subnets to ensure that the EC2 instances are provisioned in the
same Availability Zone as the DB instance
B. Create an Amazon ElastiCache cluster. Configure the application to cache query results in the
ElastiCache cluster
C. Create a read replica for the DB instance. Configure the application to send read traffic to the read
replica
D. Enable auto scaling for the DB instance
E. Enable Multi-AZ for the DB instance. Configure the application to send read traffic to the standby DB
instance

Answer: AC

404. A company needs to provide its employees with secure access to confidential and sensitive files. The
company wants to ensure that the files can be accessed only by authorized users. The files must be
downloaded securely to the employees’ devices. The files are stored in an on-premises Windows file server;
however, due to an increase in remote usage, the file server is running out of capacity.

Which solution will meet these requirements?

A. Migrate the files to Amazon S3, and create a public VPC endpoint. Allow employees to sign on with
AWS Single Sign-On
B. Migrate the files to an Amazon FSx for Windows File Server file system. Integrate the Amazon FSx
file system with the on-premises Active Directory. Configure AWS Client VPN
C. Migrate the file server to an Amazon EC2 instance in a public subnet. Configure the security group to
limit inbound traffic to the employees' IP addresses
D. Migrate the files to Amazon S3, and create a private VPC endpoint. Create a signed URL to allow
download

Answer: A

405. A company is using Amazon Redshift for analytics and to generate customer reports. The company
recently acquired 50TB of additional customer demographic data. The data is stored in csv files in
Amazon S3. The company needs a solution that joins the data and visualizes the results with the least
possible cost and effort.

What should a solutions architect recommend to meet these requirements?

A. Increase the size of the Amazon Redshift cluster, and load the data from Amazon S3. Use Amazon
EMR Notebooks to query the data and build the visualizations in Amazon Redshift
B. Use Amazon Redshift Spectrum to query the data in Amazon S3 directly and join that data with the
existing data in Amazon Redshift. Use Amazon QuickSight to build the visualizations in Amazon Redshift
C. Use Amazon Athena to query the data in Amazon S3. Use Amazon QuickSight to join the data from
Athena with the existing data in Amazon Redshift and to build the visualizations
D. Export the data from the Amazon Redshift cluster into Apache Parquet files in Amazon S3. Use
Amazon Elasticsearch Service (Amazon ES) to query the data. Use Kibana to visualize the results

Answer: C

406. An application that runs on AWS uses a Multi-AZ deployment of Amazon Aurora MySQL for its database.
A solutions architect discovers that database reads are causing high IO and are adding latency to the write
requests against the database.

How can the solutions architect separate the read requests from the write requests?

A. Create a new replica. Modify the application to use the new replica for writes

B. Create a second Aurora database. Link it to the primary database as a read replica

C. Update the application to use the reader endpoint of the Aurora cluster

D. Activate read-through caching on the Aurora cluster

Answer: A

407. A company is hosting a high-traffic static website on Amazon S3 with an Amazon CloudFront distribution
that has a default TTL of 0 seconds. The company wants to implement caching to improve performance for
the website. However, the company also wants to ensure that stale content is not served for more than a
few minutes after a deployment.

Which combination of caching methods should a solutions architect implement to meet these requirements?
(Select TWO)

A. Add a Cache-Control max-age directive of 24 hours to the objects in Amazon S3. On deployment, create
a CloudFront invalidation to purge any changed files from edge caches

B. Add a Cache-Control private directive to the objects in Amazon S3

C. Create an AWS Lambda@Edge function to add an Expires header to HTTP responses. Configure the function
to run on viewer response

D. Set a default TTL of 2 minutes on the S3 bucket

E. Set the CloudFront default TTL to 2 minutes

Answer: AE

408. A company is testing an application that runs on an Amazon EC2 Linux instance. The instance contains a
data volume of 500GB that consists of a single Amazon Elastic Block Store (Amazon EBS) General Purpose SSD
(gp2) volume. The application is now ready for production use and will be installed on multiple EC2 instances
that run in an Auto Scaling group. All instances need access to the data that was stored on the 500GB volume.
The company needs a highly available and fault-tolerant solution that does not introduce any significant
changes to the application's code.

Which solution meets these requirements?

A. Provision an EC2 instance with NFS server software that is configured with a single 500GB gp2 volume

B. Use an Amazon FSx for Windows File Server filesystem that is configured as an SMB file store within a
single Availability Zone

C. Migrate the data into an Amazon S3 bucket. Use an EC2 instance profile to access the contents of the bucket

D. Use an Amazon Elastic File System (Amazon EFS) filesystem that is configured with the General Purpose
performance mode

Answer: D

409. A company needs to transfer 600TB of data from its on-premises network-attached storage (NAS)
system to the AWS Cloud. The data transfer must be complete within 2 weeks. The data is sensitive and must
be encrypted in transit. The company's internet connection can support an upload speed of 100Mbps.

Which solution meets these requirements MOST cost-effectively?

A. Use the AWS Snow Family console to order several AWS Snowball Edge Storage Optimized devices.
Use the devices to transfer the data to Amazon S3
B. Use Amazon S3 multi-part upload functionality to transfer the files over HTTPS
C. Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS
Region. Transfer the data over a VPN connection into the Region to store the data in Amazon S3
D. Create a VPN connection between the on-premises NAS system and the nearest AWS Region.
Transfer the data over the VPN connection

Answer: D

410. A social media company allows users to upload images to its website. The website runs on Amazon EC2
instances. During upload requests, the website resizes the images to a standard size and stores the resized
images in Amazon S3. Users are experiencing slow upload requests to the website. The company needs to
reduce coupling within the application and improve website performance. A solutions architect must design
the most operationally efficient process for image uploads.

Which combination of actions should the solutions architect take to meet these requirements? (Select TWO)

A. Configure the web server to upload the original images to Amazon S3
B. Configure the application to upload images to S3 Glacier
C. Configure the application to upload images directly from each user's browser to Amazon S3 through
the use of a presigned URL
D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda
function on a schedule to resize uploaded images
E. Configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. Use
the function to resize the image

Answer: CD

411. A company is building an online multiplayer game. The game communicates by using UDP, and low
latency between the client and the backend is important. The backend is hosted on Amazon EC2
instances that can be deployed to multiple AWS Regions to meet demand. The company needs the game
to be highly available so that users around the world can access the game at all times.

What should a solutions architect do to meet these requirements?

A. Deploy an Application Load Balancer in one Region to distribute traffic to EC2 instances in each
Region that hosts the game's backend instances
B. Deploy a Network Load Balancer in each Region to distribute the traffic. Use AWS Global Accelerator to
route traffic to the correct Regional endpoint
C. Deploy Amazon CloudFront to support an origin access identity (OAI). Associate the OAI with EC2
instances in each Region to support global traffic
D. Deploy Amazon CloudFront to support the global traffic. Configure CloudFront with an origin group
to allow access to EC2 instances in multiple Regions

Answer: D

412. A company is developing a new online gaming application. The application will run on Amazon EC2
instances in multiple AWS Regions and will have a high number of globally distributed users. A solutions
architect must design the application to optimize network latency for the users.

Which actions should the solutions architect take to meet these requirements? (Select TWO.)

A. Configure an Amazon API Gateway endpoint in each Region where an EC2 fleet is hosted. Instruct
users to select which Region is closest to them after they launch the application. Use the API Gateway
endpoint that is closest to them.
B. Configure AWS Global Accelerator. Create Regional endpoint groups in each Region where an EC2
fleet is hosted.
C. Integrate AWS Client VPN into the application. Instruct users to select which Region is closest to them
after they launch the application. Establish a VPN connection to that Region
D. Create an Amazon Route 53 weighted routing policy. Configure the routing policy to give the
highest weight to the EC2 instances in the Region that has the largest number of users.
E. Create a content delivery network (CDN) by using Amazon CloudFront. Enable caching for static and
dynamic content, and specify a high expiration period

Answer: BD

413. A company is running a legacy system on an Amazon EC2 instance. The application code cannot be
modified, and the system cannot run on more than one instance. A solutions architect must design a resilient
solution that can improve the recovery time for the system. What should the solutions architect recommend
to meet these requirements?

A. Create an Amazon CloudWatch alarm to recover the EC2 instance in case of failure

B. Configure the EC2 instance for Multi-AZ deployment

C. Launch the EC2 instance with two Amazon Elastic Block Store (Amazon EBS) volumes that use RAID
configurations for storage redundancy

D. Enable termination protection for the EC2 instance

Answer: A

414. A manufacturing company has machine sensors that upload .csv files to an Amazon S3 bucket. These .csv
files must be converted into images and must be made available as soon as possible for the automatic
generation of graphical reports. The images become irrelevant after 1 month, but the .csv files must be kept
to train machine learning (ML) models twice a year. The ML trainings and audits are planned weeks in
advance.

Which combination of steps will meet these requirements MOST cost-effectively? (Select TWO.)

A. Design an AWS Lambda function that converts the .csv files into images and stores the images in the S3
bucket. Invoke the Lambda function when a .csv file is uploaded

B. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3
Standard to S3 Standard-Infrequent Access (S3 Standard-IA) 1 day after they are uploaded. Keep the image
files in Reduced Redundancy Storage (RRS)

C. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from
S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded. Expire the image
files after 30 days

D. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from
S3 Standard to S3 Glacier 1 day after they are uploaded. Expire the image files after 30 days

E. Launch an Amazon EC2 Spot Instance that downloads the .csv files every hour, generates the image files,
and uploads the images to the S3 bucket

Answer: AD

415. A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto
Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an
Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database
to retrieve product information. The web application is not working as intended. The web application reports
that it cannot connect to the database. The database is confirmed to be up and running. All configurations for
the network ACLs, security groups, and route tables are still in their default states. What should a solutions
architect recommend to fix the application?

A. Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the
web tier’s security group

B. Deploy the web tier's EC2 instances and the database tier's RDS instance into two separate VPCs, and
configure VPC peering

C. Add an explicit rule to the private subnet's network ACL to allow traffic from the web tier's EC2 instances.

D. Add a route in the VPC route table to allow traffic between the web tier's EC2 instances and the database
tier

Answer: A

416. An ecommerce company hosts its analytics application in the AWS Cloud. The application generates
about 300MB of data each month. The data is stored in JSON format. The company is evaluating a disaster
recovery solution to back up the data. The data must be accessible in milliseconds if it is needed, and the data
must be kept for 30 days.

Which solution meets these requirements MOST cost-effectively?

A. Amazon S3 Standard

B. Amazon S3 Glacier

C. Amazon RDS for PostgreSQL

D. Amazon Elasticsearch Service (Amazon ES)

Answer: C

417. A medical records company is hosting an application on Amazon EC2 instances. The application
processes customer data files that are stored on Amazon S3. The EC2 instances are hosted in public subnets.
The EC2 instances access Amazon S3 over the internet, but they do not require any other network access. A
new requirement mandates that the network traffic for file transfers take a private route and not be sent
over the internet.

Which change to the network architecture should a solutions architect recommend to meet this
requirement?

A. Configure the security group for the EC2 instances to restrict outbound traffic so that only traffic to
the S3 prefix list is permitted.

B. Remove the internet gateway from the VPC. Set up an AWS Direct Connect connection, and route
traffic to Amazon S3 over the Direct Connect connection.

C. Create a NAT gateway. Configure the route table for the public subnets to send traffic to Amazon S3
through the NAT gateway

D. Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to
the route table for the private subnets

Answer: C

418. A company is implementing a shared storage solution for a media application that is hosted in the AWS
Cloud. The company needs the ability to use SMB clients to access data. The solution must be fully managed.

Which AWS solution meets these requirements?

A. Create an AWS Storage Gateway volume gateway. Create a file share that uses the required client
protocol. Connect the application server to the file share

B. Create an Amazon FSx for Windows File Server file system. Attach the file system to the origin server.
Connect the application server to the file system

C. Create an Amazon EC2 Windows instance. Install and configure a Windows file share role on the instance.
Connect the application server to the file share

D. Create an AWS Storage Gateway tape gateway. Configure tapes to use Amazon S3. Connect the
application server to the tape gateway

Answer: A

419. An application running on AWS uses an Amazon Aurora Multi-AZ deployment for its database. When
evaluating performance metrics, a solutions architect discovered that the database reads are causing high I/O
and adding latency to the write requests against the database.

What should the solutions architect do to separate the read requests from the write requests?

A. Create a read replica and modify the application to use the appropriate endpoint.

B. Enable read-through caching on the Amazon Aurora database.

C. Create a second Amazon Aurora database and link it to the primary database as a read replica.

D. Update the application to read from the Multi-AZ standby instance.

Answer: A

420. A company has three VPCs named Development, Testing, and Production in the us-east-1 Region. The
three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain
security and prevent any resource sharing. A solutions architect needs to find a scalable and secure solution.

What should the solutions architect recommend?

A. Create a new VPC called Network. Within the Network VPC, create an AWS Transit Gateway with an AWS
Direct Connect connection back to the data center. Attach all the other VPCs to the Network VPC.

B. Create VPC peers from all the VPCs to the Production VPC. Use an AWS Direct Connect connection from
the Production VPC back to the data center.

C. Connect VPN connections from all the VPCs to a VPN in the Production VPC. Use a VPN connection from
the Production VPC back to the data center.

D. Create an AWS Direct Connect connection and a VPN connection for each VPC to connect back to the data
center

Answer: B

421. A company serves content to its subscribers across the world using an application running on AWS. The
application has several Amazon EC2 instances in a private subnet behind an Application Load Balancer (ALB).
Due to a recent change in copyright restrictions, the chief information officer (CIO) wants to block access for
certain countries.

Which action will meet these requirements?

A. Modify the ALB security group to deny incoming traffic from blocked countries.

B. Use Amazon CloudFront to serve the application and deny access to blocked countries.

C. Use ALB listener rules to return access denied responses to incoming traffic from blocked countries.

D. Modify the security group for EC2 instances to deny incoming traffic from blocked countries

Answer: B

422. A company has three VPCs named Development, Testing, and Production in the us-east-1 Region. The
three VPCs need to be connected to an on-premises data center and are designed to be separate to maintain
security and prevent any resource sharing. A solutions architect needs to find a scalable and secure solution.

What should the solutions architect recommend?

A. Create VPC peers from all the VPCs to the Production VPC. Use an AWS Direct Connect connection from
the Production VPC back to the data center.

B. Create a new VPC called Network. Within the Network VPC, create an AWS Transit Gateway with an AWS
Direct Connect connection back to the data center. Attach all the other VPCs to the Network VPC.

C. Create an AWS Direct Connect connection and a VPN connection for each VPC to connect back to the data
center.

D. Connect VPN connections from all the VPCs to a VPN in the Production VPC. Use a VPN connection from
the Production VPC back to the data center.

Answer: A

423. A company is building a mobile app on AWS. The company wants to expand its reach to millions of users.
The company needs to build a platform so that authorized users can watch the company's content on their
mobile devices.

What should a solutions architect recommend to meet these requirements?

A. Set up AWS Client VPN between the mobile app and the AWS environment to stream content.

B. Use Amazon CloudFront. Provide signed URLs to stream content.

C. Set up IPsec VPN between the mobile app and the AWS environment to stream content.

D. Publish content to a public Amazon S3 bucket. Use AWS Key Management Service (AWS KMS) keys to
stream content

Answer: B

424. A company is launching a new application that will be hosted on Amazon EC2 instances. A solutions
architect needs to design a solution access that originates from the internet. However, the solution must
allow the EC2 instances to make outbound IPv4 internet requests. The initial design proposal shows that the
EC2 instances would be located in two private subnets across two Availability Zones. The entire architecture
must be highly available.

How should the solutions architect change the architecture to meet these requirements?

A. Deploy an egress-only internet gateway in public subnets in both Availability Zones. Create and configure
one route table for each private subnet

B. Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure one route table
for each private subnet

C. Deploy an internet gateway in public subnets in both Availability Zones. Create and configure a shared
route table for the private subnet

D. Deploy a NAT gateway in public subnets in both Availability Zones. Create and configure a shared route
table for the private subnets.

Answer: D

425. A company uses Amazon RDS for PostgreSQL databases for its data tier. The company must implement
password rotation for the databases. Which solution meets this requirement with the LEAST operational
overhead?

A. Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the
customer master key (CMK)

B. Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the
parameter

C. Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that
rotates the password

D. Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.

Answer: A

426. A company needs the ability to analyze the log files of its proprietary application. The logs are stored in
JSON format in an Amazon S3 bucket. Queries will be simple and will run on-demand. A solutions architect
needs to perform the analysis with minimal changes to the existing architecture.

What should the solutions architect do to meet these requirements with the LEAST amount of operational
overhead?

A. Use Amazon Athena directly with Amazon S3 to run the queries as needed.

B. Use Amazon Redshift to load all the content into one place and run the SQL queries as needed.

C. Use Amazon CloudWatch Logs to store the logs. Run SQL queries as needed from the Amazon CloudWatch
console

D. Use AWS Glue to catalog the logs. Use a transient Apache Spark cluster on Amazon EMR to run the SQL
queries as needed

Answer: B

427. A company needs a storage solution for an application that runs on a high performance computing (HPC)
cluster. The cluster is hosted on AWS Fargate for Amazon Elastic Container Service (Amazon ECS). The
company needs a mountable file system that provides concurrent access to files while delivering hundreds of
GBps of throughput at sub-millisecond latencies.

Which solution meets these requirements?

A. Create an Amazon Elastic File System (Amazon EFS) file share for the application data. Create an IAM
role that allows Fargate to access the EFS file share.

B. Create an Amazon FSx for Lustre file share for the application data. Create an IAM role that allows
Fargate to access the FSx for Lustre file share

C. Create an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS SSD (io2) volume for the application
data. Create an IAM role that allows Fargate to access the volume

D. Create an S3 bucket policy that allows Fargate to access the S3 bucket

Answer: C

428. A solutions architect is designing the cloud architecture for a new application that is being deployed on
AWS. The application's users will interactively download and upload files. Files that are more than 90 days
old will be accessed less frequently than newer files, but all files need to be instantly available. The solutions
architect must ensure that the application can scale to store petabytes of data with maximum durability.

Which solution meets these requirements?

A. Store the files in Amazon S3 Standard. Create an S3 Lifecycle policy that moves objects that are more than
90 days old to S3 Glacier.

B. Store the files in Amazon Elastic Block Store (Amazon EBS) volumes. Schedule snapshots of the volumes.
Use the snapshots to archive data that is more than 90 days old

C. Store the files in RAID-striped Amazon Elastic Block Store (Amazon EBS) volumes. Schedule snapshots of the
volumes. Use the snapshots to archive data that is more than 90 days old.

D. Store the files in Amazon S3 Standard. Create an S3 Lifecycle policy that moves objects that are more than
90 days old to S3 Standard-Infrequent Access (S3 Standard-IA).

Answer: D

429. A development team uses multiple AWS accounts for its development, staging, and production
environments. Team members have been launching large Amazon EC2 instances that are underutilized. A
solutions architect must prevent large instances from being launched in all accounts.

How can the solutions architect meet this requirement with the LEAST operational overhead?

A. Update the IAM policies to deny the launch of large EC2 instances. Apply the policies to all users.

B. Define a resource in AWS Resource Access Manager that prevents the launch of large EC2 instances.

C. Create an IAM role in each account that denies the launch of large EC2 instances. Grant the developers
IAM group access to the role

D. Create an organization in AWS Organizations in the master account with the default policy. Create a
service control policy (SCP) that denies the launch of large EC2 instances, and apply it to the AWS accounts

Answer: D

430. A company has a stateless web application that runs on AWS Lambda functions that are invoked by
Amazon API Gateway. The company wants to deploy the application across multiple AWS Regions to provide
Regional failover capabilities.

What should a solutions architect do to route traffic to multiple Regions?

A. Use AWS Global Accelerator to create an accelerator with endpoints in each Region. Allow Global
Accelerator to automatically monitor the health of endpoints and route requests.

B. Create an Amazon CloudFront distribution with an origin for each Region. Use CloudFront health checks
to route traffic.

C. Create an AWS Transit Gateway. Attach the transit gateway to the API Gateway endpoint in each Region.
Configure the transit gateway to route requests.

D. Configure Amazon Route 53 health checks for each Region. Use an active-active failover configuration.

Answer: B

431. A company is planning to migrate a TCP-based application into the company's VPC. The application
is publicly accessible on a nonstandard TCP port through a hardware appliance in the company's data
center. This public endpoint can process up to 3 million requests per second with low latency. The
company requires the same level of performance for the new public endpoint in AWS.

What should a solutions architect recommend to meet this requirement?

A. Deploy a Network Load Balancer (NLB). Configure the NLB to be publicly accessible over the TCP port that
the application requires.

B. Deploy an Amazon API Gateway API that is configured with the TCP port that the application requires.
Configure AWS Lambda functions with provisioned concurrency to process the requests.

C. Deploy an Application Load Balancer (ALB). Configure the ALB to be publicly accessible over the TCP port
that the application requires

D. Deploy an Amazon CloudFront distribution that listens on the TCP port that the application requires. Use an
Application Load Balancer as the origin

Answer: B

432. A company wants to provide users with access to AWS resources. The company has 1,500 users and
manages their access to on-premises resources through Active Directory user groups on the corporate
network. However, the company does not want users to have to maintain another identity to access the
resources. A solutions architect must manage user access to the AWS resources while preserving access to
the on-premises resources. What should the solutions architect do to meet these requirements?

A. Use Amazon Cognito with an Active Directory user pool. Create roles with the appropriate policies
attached

B. Define cross-account roles with the appropriate policies attached. Map the roles to the Active Directory
groups.

C. Configure Security Assertion Markup Language (SAML) 2.0-based federation. Create roles with the
appropriate policies attached. Map the roles to the Active Directory groups.

D. Create an IAM user for each user in the company. Attach the appropriate policies to each user.

Answer: C

433. A company is concerned about the security of its public web application due to recent web attacks.
The application uses an Application Load Balancer (ALB). A solutions architect must reduce the risk of
DDoS attacks against the application.

What should the solutions architect do to meet this requirement?

A. Add an Amazon Inspector agent to the ALB.

B. Configure Amazon Macie to prevent attacks.

C. Configure Amazon GuardDuty to monitor the ALB.

D. Enable AWS Shield Advanced to prevent attacks.

Answer: D

434. A solutions architect is designing a multi-tier application for a company. The application's users upload
images from a mobile device. The application generates a thumbnail of each image and returns a message to
the user to confirm that the image was uploaded successfully. The thumbnail generation can take up to 60
seconds, but the company wants to provide a faster response time to its users to notify them that the original
image was received. The solutions architect must design the application to asynchronously dispatch requests
to the different application tiers.

What should the solutions architect do to meet these requirements?

A. Create an Amazon Simple Queue Service (Amazon SQS) message queue. As images are uploaded, place a
message on the SQS queue for thumbnail generation. Alert the user through an application message that the
image was received.

B. Write a custom AWS Lambda function to generate the thumbnail and alert the user. Use the image upload
process as an event source to invoke the Lambda function

C. Create an AWS Step Functions workflow. Configure Step Functions to handle the orchestration between
the application tiers and alert the user when thumbnail generation is complete.

D. Create Amazon Simple Notification Service (Amazon SNS) notification topics and subscriptions. Use one
subscription with the application to generate the thumbnail after the image upload is complete. Use a second
subscription to message the user's mobile app by way of a push notification after thumbnail generation is
completed

Answer: A

435. A company uses GPS trackers to document the migration patterns of thousands of sea turtles. The
trackers check every 5 minutes to see if a turtle has moved more than 100 yards (91.4 meters). If a turtle
has moved, its tracker sends the new coordinates to a web application running on three Amazon EC2
instances that are in multiple Availability Zones in one AWS Region. Recently, the web application was
overwhelmed while processing an unexpected volume of tracker data. Data was lost with no way to
replay the events. A solutions architect must prevent this problem from happening again and needs a
solution with the least operational overhead.

What should the solutions architect do to meet these requirements?

A. Create an Amazon Simple Queue Service (Amazon SQS) queue to store the incoming data. Configure the
application to poll for new messages for processing.

B. Create an Amazon API Gateway endpoint to handle transmitted location coordinates. Use an AWS Lambda
function to process each item concurrently.

C. Create an Amazon S3 bucket to store the data. Configure the application to scan for new data in the bucket
for processing.

D. Create an Amazon DynamoDB table to store transmitted location coordinates. Configure the application
to query the table for new data for processing. Use TTL to remove data that has been processed.

Answer: A

436. A company is expanding a secure, on-premises network that has no direct internet access to AWS. The
company will set up an AWS Direct Connect connection between the on-premises network and AWS. An
application that runs in the on-premises network needs to use the AWS software development kit (SDK) to
make calls to the Amazon EC2 API endpoint. A solutions architect must design a solution that supports this
connectivity but that does not incur additional cost beyond the Direct Connect connection.

Which solution meets these requirements?

A. Create a VPC and a NAT gateway. Route the AWS traffic from on premises to the NAT gateway

B. Create a public virtual interface. Route the AWS traffic over the public virtual interface

C. Create a VPC and an interface VPC endpoint for Amazon EC2. Route the AWS traffic from on premises
to the interface VPC endpoint

D. Create a VPC peering connection between the on-premises network and Direct Connect. Route the
AWS traffic over the peering connection

Answer: D

437. A company is deploying an application that processes large quantities of data in parallel. The
company plans to use Amazon EC2 instances for the workload. The network architecture must be
configurable to prevent groups of nodes from sharing the same underlying hardware.

Which networking solution meets these requirements?

A. Run the EC2 instances in a spread placement group

B. Configure the EC2 instances with dedicated tenancy

C. Group the EC2 instances in separate accounts

D. Configure the EC2 instances with shared tenancy

Answer: B

438. A security team needs to enforce the rotation of all IAM users' access keys every 90 days. If an access
key is found to be older, the key must be made inactive and removed. A solutions architect must create a
solution that will check for and remediate any keys older than 90 days.

Which solution meets these requirements with the LEAST operational effort?

A. Create an AWS Config rule to check for the key age. Define an Amazon EventBridge (Amazon CloudWatch
Events) rule to schedule an AWS Lambda function to remove the key.

B. Create an AWS Config rule to check for the key age. Configure the AWS Config rule to run an AWS Batch
job to remove the key.

C. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Define an
EventBridge (CloudWatch Events) rule to run an AWS Batch job to remove the key.

D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to check for the key age. Configure the
rule to run an AWS Batch job to remove the key

Answer: C

439. A company's website provides users with downloadable historical performance reports. The website
needs a solution that will scale to meet the company's website demands globally. The solution should be cost
effective, limit the provisioning of infrastructure resources and provide the fastest possible response time.
Which combination should a solutions architect recommend to meet these requirements?

A. Amazon Route 53 with internal Application Load Balancers

B. Amazon CloudFront and Amazon S3

C. Application Load Balancer with Amazon EC2 Auto Scaling

D. AWS Lambda and Amazon DynamoDB

Answer: B
