[Q27-Q51] Latest AWS-Solutions-Architect-Professional Exam with Accurate AWS Certified Solutions Architect - Professional PDF Questions [Jan 09, 2024]


NEW QUESTION # 27
A Solutions Architect is designing a highly available and reliable solution for a cluster of Amazon EC2 instances.
The Solutions Architect must ensure that any EC2 instance within the cluster recovers automatically after a system failure. The solution must ensure that the recovered instance maintains the same IP address.
How can these requirements be met?

  • A. Create an Auto Scaling group for each EC2 instance that has a minimum and maximum size of 1.
  • B. Create an AWS Lambda script to restart any EC2 instances that shut down unexpectedly.
  • C. Create an Amazon CloudWatch alarm for the StatusCheckFailed_System metric, and then configure an EC2 action to recover the instance.
  • D. Create a new t2.micro instance to monitor the cluster instances. Configure the t2.micro instance to issue an aws ec2 reboot-instances command upon failure.

Answer: C


NEW QUESTION # 28
A company has several Amazon EC2 instances in both public and private subnets within a VPC that is not connected to the corporate network. A security group associated with the EC2 instances allows the company to use the Windows Remote Desktop Protocol (RDP) over the internet to access the instances. The security team has noticed connection attempts from unknown sources. The company wants to implement a more secure solution to access the EC2 instances.
Which strategy should a solutions architect implement?

  • A. Establish a Site-to-Site VPN connecting the corporate network to the VPC. Update the security groups to allow access from the corporate network only.
  • B. Deploy AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager, restricting access to users with permission.
  • C. Deploy a Linux bastion host on the corporate network that has access to all instances in the VPC.
  • D. Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0.

Answer: C


NEW QUESTION # 29
During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability. Which solution will ensure that the credentials are appropriately secured automatically?

  • A. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
  • B. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
  • C. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
  • D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.

Answer: D

Explanation:
CodeCommit may use S3 on the back end (and it also uses DynamoDB on the back end) but I don't think they're stored in buckets that you can see or point Macie to. In fact, there are even solutions out there describing how to copy your repo from CodeCommit into S3 to back it up:
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-event-driven-backups-from-codecom


NEW QUESTION # 30
You are designing a photo-sharing mobile app. The application will store all pictures in a single Amazon S3 bucket.
Users will upload pictures from their mobile device directly to Amazon S3 and will be able to view and download their own pictures directly from Amazon S3.
You want to configure security to handle potentially millions of users in the most secure manner possible.
What should your server-side application do when a new user registers on the photo-sharing mobile application?

  • A. Record the user's information in Amazon DynamoDB. When the user uses their mobile app, create temporary credentials using AWS Security Token Service with appropriate permissions. Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
  • B. Record the user's information in Amazon RDS and create a role in IAM with appropriate permissions.
    When the user uses their mobile app, create temporary credentials using the AWS Security Token Service "AssumeRole" function. Store these credentials in the mobile app's memory and use them to access Amazon S3. Generate new credentials the next time the user runs the mobile app.
  • C. Create an IAM user. Update the bucket policy with appropriate permissions for the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
  • D. Create an IAM user. Assign appropriate permissions to the IAM user. Generate an access key and secret key for the IAM user, store them in the mobile app and use these credentials to access Amazon S3.
  • E. Create a set of long-term credentials using AWS Security Token Service with appropriate permissions.
    Store these credentials in the mobile app and use them to access Amazon S3.

Answer: B

Explanation:
We can use either RDS or DynamoDB, however in our given answers, IAM role is mentioned only with RDS, so I would go with Answer B.
Question was explicitly focused on security, so IAM with RDS is the best choice.


NEW QUESTION # 31
A company is planning on deploying a newly built application on AWS in a default VPC. The application will consist of a web layer and database layer. The web server was created in public subnets, and the MySQL database was created in private subnets. All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.
The following are the key requirements:
* The web servers must be accessible only to users on an SSL connection.
* The database should be accessible to the web layer, which is created in a public subnet only.
* All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked.
Which combination of steps meets these requirements? (Select two.)

  • A. Create a web server security group with inbound and outbound rules for HTTPS port 443 traffic to and from anywhere (0.0.0.0/0). Create a network ACL inbound deny rule for IP range 182.20.0.0/16.
  • B. Create a web server security group with an inbound allow rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0) and an inbound deny rule for IP range 182.20.0.0/16.
  • C. Create a database server security group with inbound and outbound rules for MySQL port 3306 traffic to and from anywhere (0.0.0.0/0).
  • D. Create a web server security group with an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0). Create network ACL inbound and outbound deny rules for IP range 182.20.0.0/16.
  • E. Create a database server security group with an inbound rule for MySQL port 3306 and specify the source as a web server security group.

Answer: D,E


NEW QUESTION # 32
A solutions architect is designing an application to accept timesheet entries from employees on their mobile devices. Timesheets will be submitted weekly, with most of the submissions occurring on Friday. The data must be stored in a format that allows payroll administrators to run monthly reports. The infrastructure must be highly available and scale to match the rate of incoming data and reporting requests.
Which combination of steps meets these requirements while minimizing operational overhead? (Select TWO.)

  • A. Deploy the application to Amazon EC2 On-Demand Instances with load balancing across multiple Availability Zones. Use scheduled Amazon EC2 Auto Scaling to add capacity before the high volume of submissions on Fridays.
  • B. Store the timesheet submission data in Amazon Redshift. Use Amazon QuickSight to generate the reports using Amazon Redshift as the data source.
  • C. Store the timesheet submission data in Amazon S3. Use Amazon Athena and Amazon QuickSight to generate the reports using Amazon S3 as the data source.
  • D. Deploy the application front end to an Amazon S3 bucket served by Amazon CloudFront. Deploy the application backend using Amazon API Gateway with an AWS Lambda proxy integration.
  • E. Deploy the application in a container using Amazon Elastic Container Service (Amazon ECS) with load balancing across multiple Availability Zones. Use scheduled Service Auto Scaling to add capacity before the high volume of submissions on Fridays.

Answer: B,E


NEW QUESTION # 33
A company runs an application that gives users the ability to search for videos and related information by using keywords that are curated from content providers. The application data is stored in an on-premises Oracle database that is 800 GB in size.
The company wants to migrate the data to an Amazon Aurora MySQL DB instance. A solutions architect plans to use the AWS Schema Conversion Tool and AWS Database Migration Service (AWS DMS) for the migration. During the migration, the existing database must serve ongoing requests. The migration must be completed with minimum downtime. Which solution will meet these requirements?

  • A. Turn off automatic backups and logging of the target database until the migration and cutover processes are complete.
  • B. Use AWS DMS to run the conversion report for Oracle to Aurora MySQL. Remediate any issues. Then use AWS DMS to migrate the data.
  • C. Use the M5 or C5 DMS replication instance type for ongoing replication.
  • D. Create primary key indexes, secondary indexes, and referential integrity constraints in the target database before starting the migration process.

Answer: B

Explanation:
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.Backups.html


NEW QUESTION # 34
Within an IAM policy, can you add an IfExists condition at the end of a Null condition?

  • A. Yes, you can add an IfExists condition at the end of a Null condition but not in all Regions.
  • B. No, you cannot add an IfExists condition at the end of a Null condition.
  • C. Yes, you can add an IfExists condition at the end of a Null condition.
  • D. Yes, you can add an IfExists condition at the end of a Null condition depending on the condition.

Answer: B

Explanation:
Within an IAM policy, IfExists can be appended to any condition operator except the Null condition. It indicates that the comparison must be evaluated only if the policy key is present in the request context; if the key is absent, the condition element is treated as satisfied and ignored.
http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html


NEW QUESTION # 35
A user is planning to host a Highly Available system on the AWS VPC. Which of the below mentioned statements is helpful in this scenario?

  • A. Create VPC with only one public subnet and launch instances in different AZs using that subnet.
  • B. Create VPC with only one private subnet and launch instances in different AZs using that subnet.
  • C. Create VPC subnets in two separate availability zones and launch instances in different subnets.
  • D. Create two VPCs in two separate zones and set up failover with ELB such that if one VPC fails it will divert traffic to another VPC.

Answer: C

Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. The VPC is always specific to a region.
The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span across zones.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet


NEW QUESTION # 36
A company is running a containerized application in the AWS Cloud. The application is running by using Amazon Elastic Container Service (Amazon ECS) on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group.
The company uses Amazon Elastic Container Registry (Amazon ECR) to store its container images. When a new image version is uploaded, the new image version receives a unique tag. The company needs a solution that inspects new image versions for common vulnerabilities and exposures. The solution must automatically delete new image tags that have Critical or High severity findings. The solution also must notify the development team when such a deletion occurs. Which solution meets these requirements?

  • A. Schedule an AWS Lambda function to start a manual image scan every hour. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke another Lambda function when a scan is complete. Use the second Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Notification Service (Amazon SNS).
  • B. Configure periodic image scan on the repository. Configure scan results to be added to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Step Functions state machine when a new message is added to the SQS queue. Use the Step Functions state machine to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
  • C. Configure scan on push on the repository. Configure scan results to be pushed to an Amazon Simple Queue Service (Amazon SQS) queue. Invoke an AWS Lambda function when a new message is added to the SQS queue. Use the Lambda function to delete the image tag for images that have Critical or High severity findings. Notify the development team by using Amazon Simple Email Service (Amazon SES).
  • D. Configure scan on push on the repository. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Step Functions state machine when a scan is complete for images that have Critical or High severity findings. Use the Step Functions state machine to delete the image tag for those images and to notify the development team through Amazon Simple Notification Service (Amazon SNS).

Answer: A


NEW QUESTION # 37
Your company is getting ready to do a major public announcement of a social media site on AWS. The website is running on EC2 instances deployed across multiple Availability Zones with a Multi-AZ RDS MySQL Extra Large DB Instance. The site performs a high number of small reads and writes per second and relies on an eventual consistency model. After comprehensive tests you discover that there is read contention on RDS MySQL. Which are the best approaches to meet these requirements? (Choose 2 answers)

  • A. Deploy ElastiCache in-memory cache running in each availability zone
  • B. Add an RDS MySQL read replica in each availability zone
  • C. Increase the RDS MySQL Instance size and Implement provisioned IOPS
  • D. Implement sharding to distribute load to multiple RDS MySQL instances

Answer: A,C


NEW QUESTION # 38
A Solutions Architect must design a solution that encrypts data in Amazon S3. Corporate policy mandates that encryption keys be generated and managed on premises.
Which solution should the Architect use to meet the security requirements?

  • A. SSE-S3: Server-side encryption with Amazon-managed master key
  • B. SSE-C: Server-side encryption with customer-provided encryption keys
  • C. AWS CloudHSM
  • D. SSE-KMS: Server-side encryption with AWS KMS managed keys

Answer: D


NEW QUESTION # 39
API Gateway and Lambda non-proxy integrations have been chosen to implement an application by a software engineer. The application is a data analysis tool that returns some statistical results when the HTTP endpoint is called. The Lambda function needs to communicate with some back-end data services such as Keen.io; however, errors such as wrong data requested or bad communications may occur. The Lambda function is written in Java and may return two exceptions, BadRequestException and InternalErrorException. What should the software engineer do to map these two exceptions in API Gateway to the proper HTTP return codes? For example, BadRequestException and InternalErrorException are mapped to HTTP return codes 400 and 500 respectively. Select 2.

  • A. Put the mapping logic into Lambda itself so that when exception happens, error codes are returned at the same time in a JSON body.
  • B. Add Method Responses where regular expression patterns are set such as BadRequest or InternalError. Associate them with HTTP status codes 400 and 500.
  • C. Add Integration Responses where regular expression patterns are set such as BadRequest or InternalError. Associate them with HTTP status codes
  • D. Add the corresponding error codes (400 and 500) on the Method Response in API gateway.
  • E. Add the corresponding error codes (400 and 500) on the Integration Response in API gateway

Answer: C,D


NEW QUESTION # 40
To abide by industry regulations, a solutions architect must design a solution that will store a company's critical data in multiple public AWS Regions, including in the United States, where the company's headquarters is located. The solutions architect is required to provide access to the data stored in AWS to the company's global WAN network. The security team mandates that no traffic accessing this data should traverse the public internet.
How should the solutions architect design a highly available solution that meets the requirements and is cost-effective?

  • A. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region.
    Use the company WAN to send traffic over a DX connection. Use inter-region VPC peering to access the data in other AWS Regions.
  • B. Establish AWS Direct Connect connections from the company headquarters to all AWS Regions in use.
    Use the company WAN to send traffic over to the headquarters and then to the respective DX connection to access the data.
  • C. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region.
    Use the company WAN to send traffic over a DX connection. Use Direct Connect Gateway to access data in other AWS Regions.
  • D. Establish two AWS Direct Connect connections from the company headquarters to an AWS Region.
    Use the company WAN to send traffic over a DX connection. Use an AWS transit VPC solution to access data in other AWS Regions.

Answer: C


NEW QUESTION # 41
Your company has HQ in Tokyo and branch offices all over the world and is using a logistics software with a multi-regional deployment on AWS in Japan, Europe and US.
The logistic software has a 3-tier architecture and currently uses MySQL 5.6 for data persistence.
Each region has deployed its own database.
In the HQ region you run an hourly batch process reading data from every region to compute cross-regional reports that are sent by email to all offices.
This batch process must be completed as fast as possible to quickly optimize logistics.
How do you build the database architecture in order to meet the requirements?

  • A. For each regional deployment, use MySQL on EC2 with a master in the region and send hourly EBS snapshots to the HQ region.
  • B. For each regional deployment, use RDS MySQL with a master in the region and send hourly RDS snapshots to the HQ region.
  • C. For each regional deployment, use RDS MySQL with a master in the region and a read replica in the HQ region.
  • D. Use Direct Connect to connect all regional MySQL deployments to the HQ region and reduce network latency for the batch process.
  • E. For each regional deployment, use MySQL on EC2 with a master in the region and use S3 to copy data files hourly to the HQ region.

Answer: C


NEW QUESTION # 42
A company is creating a web application that allows customers to view photos in their web browsers. The website is hosted in us-east-1 on Amazon EC2 instances behind an Application Load Balancer. Users will be located in many places around the world.
Which solution should provide all users with the fastest photo viewing experience?

  • A. Implement an AWS Auto Scaling group for the web server instances behind the Application Load Balancer.
  • B. Enable Amazon ElastiCache in the web server subnet.
  • C. Move the photos into an Amazon S3 bucket and enable static website hosting.
  • D. Enable Amazon CloudFront for the website and specify the Application Load Balancer as the origin.

Answer: A

Explanation:
Reference: http://jayendrapatil.com/tag/elb/


NEW QUESTION # 43
A company is moving a business-critical application onto AWS. It is a traditional three-tier web application using an Oracle database. Data must be encrypted in transit and at rest. The database hosts 12 TB of data.
Network connectivity to the source Oracle database over the internet is allowed, and the company wants to reduce the operational costs by using AWS Managed Services where possible. All resources within the web and application tiers have been migrated. The database has a few tables and a simple schema using primary keys only; however, it contains many Binary Large Object (BLOB) fields. It was not possible to use the database's native replication tools because of licensing restrictions.
Which database migration solution will result in the LEAST amount of impact to the application's availability?

  • A. Provision an Amazon RDS for Oracle instance. Host the RDS database within a virtual private cloud (VPC) subnet with internet access, and set up the RDS database as an encrypted Read Replica of the source database. Use SSL to encrypt the connection between the two databases. Monitor the replication performance by watching the RDS ReplicaLag metric. During the application maintenance window, shut down the on-premises database and switch over the application connection to the RDS instance when there is no more replication lag. Promote the Read Replica into a standalone database instance.
  • B. Use AWS DMS to load and replicate the dataset between the on-premises Oracle database and the replication instance hosted on AWS. Provision an Amazon RDS for Oracle instance with Transparent Data Encryption (TDE) enabled and configure it as target for the replication instance. Create a customer-managed AWS KMS master key to set it as the encryption key for the replication instance.
    Use AWS DMS tasks to load the data into the target RDS instance. During the application maintenance window and after the load tasks reach the ongoing replication phase, switch the database connections to the new database.
  • C. Create a compressed full database backup on the on-premises Oracle database during an application maintenance window. While the backup is being performed, provision a 10 Gbps AWS Direct Connect connection to increase the transfer speed of the database backup files to Amazon S3, and shorten the maintenance window period. Use SSL/TLS to copy the files over the Direct Connect connection. When the backup files are successfully copied, start the maintenance window, and use any of the Amazon RDS supported tools to import the data into a newly provisioned Amazon RDS for Oracle instance with encryption enabled. Wait until the data is fully loaded and switch over the database connections to the new database. Delete the Direct Connect connection to cut unnecessary charges.
  • D. Provision an Amazon EC2 instance and install the same Oracle database software. Create a backup of the source database using the supported tools. During the application maintenance window, restore the backup into the Oracle database running in the EC2 instance. Set up an Amazon RDS for Oracle instance, and create an import job between the database hosted in AWS. Shut down the source database and switch over the database connections to the RDS instance when the job is complete.

Answer: B

Explanation:
https://aws.amazon.com/blogs/apn/oracle-database-encryption-options-on-amazon-rds/
https://docs.aws.amazon.c (DMS in transit encryption)
https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Security.html


NEW QUESTION # 44
A media company has a 30-TB repository of digital news videos. These videos are stored on tape in an on-premises tape library and referenced by a Media Asset Management (MAM) system.
The company wants to enrich the metadata for these videos in an automated fashion and put them into a searchable catalog by using a MAM feature. The company must be able to search based on information in the video, such as objects, scenery items, or people's faces. A catalog is available that contains faces of people who have appeared in the videos that include an image of each person. The company would like to migrate these videos to AWS.
The company has a high-speed AWS Direct Connect connection with AWS and would like to move the MAM solution video content directly from its current file system.
How can these requirements be met by using the LEAST amount of ongoing management overhead and causing MINIMAL disruption to the existing system?

  • A. Configure a video ingestion stream by using Amazon Kinesis Video Streams. Use the catalog of faces to build a collection in Amazon Rekognition. Stream the videos from the MAM solution into Kinesis Video Streams. Configure Amazon Rekognition to process the streamed videos. Then, use a stream consumer to retrieve the required metadata, and push the metadata into the MAM solution. Configure the stream to store the videos in Amazon S3.
  • B. Set up an Amazon EC2 instance that runs the OpenCV libraries. Copy the videos, images, and face catalog from the on-premises library into an Amazon EBS volume mounted on this EC2 instance.
    Process the videos to retrieve the required metadata, and push the metadata into the MAM solution while also copying the video files to an Amazon S3 bucket.
  • C. Set up an AWS Storage Gateway, file gateway appliance on premises. Use the MAM solution to extract the videos from the current archive and push them into the file gateway. Use the catalog of faces to build a collection in Amazon Rekognition. Build an AWS Lambda function that invokes the Rekognition Javascript SDK to have Rekognition pull the video from the Amazon S3 files backing the file gateway, retrieve the required metadata, and push the metadata into the MAM solution.
  • D. Set up an AWS Storage Gateway, tape gateway appliance on-premises. Use the MAM solution to extract the videos from the current archive and push them into the tape gateway. Use the catalog of faces to build a collection in Amazon Rekognition. Build an AWS Lambda function that invokes the Rekognition Javascript SDK to have Amazon Rekognition process the video in the tape gateway, retrieve the required metadata, and push the metadata into the MAM solution.

Answer: C

Explanation:
A\B: By replacing the physical tape library with file gateway, it has the least amount of management and disruption. It would require us to restore the 30TB to another format (NFS\SMB style) in order to put it on the file gateway which cannot serve as a VTL. I don't think it's possible for Amazon Rekognition to process the video in the tape gateway which is on premise or access the data from S3 directly.
A: File gateway supports Linux clients connecting to the gateway using Network File System (NFS) versions 3 and 4.1 for Linux clients, and supports Windows clients connecting to the gateway using Server Message Block (SMB) versions 2 and 3.
B: No. You cannot access virtual tape data using Amazon S3 or Amazon S3 Glacier APIs.
However, you can use the tape gateway APIs to manage your virtual tape library and your virtual tape shelf.
https://aws.amazon.com/storagegateway/faqs/?nc=sn&loc=6
C: This is not possible because the data are in tape format.
D: This looks more like the job for Rekognition.


NEW QUESTION # 45
A solutions architect is designing a solution to connect a company's on-premises network with all the company's current and future VPCs on AWS. The company is running VPCs in five different AWS Regions and has at least 15 VPCs in each Region.
The company's AWS usage is constantly increasing and will continue to grow. Additionally, all the VPCs throughout all five Regions must be able to communicate with each other. The solution must maximize scalability and ease of management. Which solution meets these requirements?

  • A. Create an AWS CloudFormation template for a redundant AWS Site-to-Site VPN tunnel to the on-premises network. Deploy the CloudFormation template for each VPC. Set up VPC peering between all the VPCs for VPC-to-VPC communication.
  • B. Set up a transit gateway in each Region. Establish a redundant AWS Site-to-Site VPN connection between the on-premises firewalls and the transit gateway in the Region that is closest to the on-premises network. Peer all the transit gateways with each other. Connect all the VPCs to the transit gateway in their Region.
  • C. Set up a transit gateway in each Region. Establish a redundant AWS Site-to-Site VPN connection between the on-premises firewalls and each transit gateway. Route traffic between the different Regions through the company's on-premises firewalls. Connect all the VPCs to the transit gateway in their Region.
  • D. Create an AWS CloudFormation template for a redundant AWS Site-to-Site VPN tunnel to the on-premises network. Deploy the CloudFormation template for each VPC. Route traffic between the different Regions through the company's on-premises firewalls.

Answer: B


NEW QUESTION # 46
A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege.
A Solutions Architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster.
What steps are required after the deployment to meet the requirements? (Choose two.)

  • A. Create tasks using the bridge network mode.
  • B. Create tasks using the awsvpc network mode.
  • C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access other resources.
  • D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to access other resources.
  • E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.

Answer: B,E

Explanation:
https://aws.amazon.com/about-aws/whats-new/2017/11/amazon-ecs-introduces-awsvpc-networking-mode-for-containers-to-support-full-networking-capabilities/


NEW QUESTION # 47
A company operates a proxy server on a fleet of Amazon EC2 instances. Partners in different countries use the proxy server to test the company's functionality. The EC2 instances are running in a VPC, and the instances have access to the internet.
The company's security policy requires that partners can access resources only from domains that the company owns.
Which solution will meet these requirements?

  • A. Create an Amazon Route 53 outbound endpoint. Associate the outbound endpoint with the VPC.
    Configure a Route 53 traffic flow policy to forward requests for allowed domains to the outbound endpoint. Associate the traffic flow policy with the VPC.
  • B. Create an Amazon Route 53 Resolver DNS Firewall domain list that contains the allowed domains.
    Configure a Route 53 outbound endpoint. Associate the outbound endpoint with the VPC. Associate the domain list with the outbound endpoint.
  • C. Create an Amazon Route 53 traffic flow policy to match the allowed domains. Configure the traffic flow policy to forward requests that match to the Route 53 Resolver. Associate the traffic flow policy with the VPC.
  • D. Create an Amazon Route 53 Resolver DNS Firewall domain list that contains the allowed domains.
    Configure a DNS Firewall rule group with a rule that has a high numeric value that blocks all requests.
    Configure a rule that has a low numeric value that allows requests for domains in the allowed list.
    Associate the rule group with the VPC.

Answer: A

Explanation:
AWS documentation on how to use a traffic flow policy for Amazon Route 53 to control traffic to your Amazon EC2 instances: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/traffic-flow-policy-for-ec2-instances.htm


NEW QUESTION # 48
A company has multiple lines of business (LOBs) that roll up to the parent company. The company has asked its solutions architect to develop a solution with the following requirements:
* Produce a single AWS invoice for all of the AWS accounts used by its LOBs
* The costs for each LOB account should be broken out on the invoice
* Provide the ability to restrict services and features in the LOB accounts, as defined by the company's governance policy
* Each LOB account should be delegated full administrator permissions, regardless of the governance policy
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

  • A. Use AWS Organizations to create an organization in the parent account for each LOB. Then invite each LOB account to the appropriate organization.
  • B. Implement service quotas to define the services and features that are permitted, and apply the quotas to each LOB, as appropriate.
  • C. Create an SCP that allows only approved services and features, then apply the policy to the LOB accounts. Enable consolidated billing in the parent account's billing console and link the LOB accounts.
  • D. Use AWS Organizations to create a single organization in the parent account. Then, invite each LOB's AWS account to join the organization.

Answer: B,C


NEW QUESTION # 49
A company is running multiple workloads in the AWS Cloud. The company has separate units for software development. The company uses AWS Organizations and federation with SAML to give permissions to developers to manage resources in their AWS accounts. The development units each deploy their production workloads into a common production account. Recently, an incident occurred in the production account in which members of a development unit terminated an EC2 instance that belonged to a different development unit. A solutions architect must create a solution that prevents a similar incident from happening in the future. The solution also must allow developers the possibility to manage the instances used for their workloads.
Which strategy will meet these requirements?

  • A. Create separate IAM policies for each development unit. For every IAM policy, add an allow action and a StringEquals condition for the DevelopmentUnit resource tag and the development unit name. During SAML federation, use AWS Security Token Service (AWS STS) to assign the IAM policy and match the development unit name to the assumed IAM role.
  • B. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Update the IAM policy for the developers' assumed IAM role with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit.
  • C. Create separate OUs in AWS Organizations for each development unit. Assign the created OUs to the company AWS accounts. Create separate SCPs with a deny action and a StringNotEquals condition for the DevelopmentUnit resource tag that matches the development unit name. Assign the SCP to the corresponding OU.
  • D. Pass an attribute for DevelopmentUnit as an AWS Security Token Service (AWS STS) session tag during SAML federation. Create an SCP with an allow action and a StringEquals condition for the DevelopmentUnit resource tag and aws:PrincipalTag/DevelopmentUnit. Assign the SCP to the root OU.

Answer: C


NEW QUESTION # 50
A Solutions Architect is designing a photo application on AWS. Every time a user uploads a photo to Amazon S3, the Architect must insert a new item to a DynamoDB table.
Which AWS-managed service is the BEST fit to insert the item?

  • A. Lambda@Edge
  • B. Amazon EC2 instances
  • C. Amazon API Gateway
  • D. AWS Lambda

Answer: D

Explanation:
Reference: https://aws.amazon.com/blogs/machine-learning/build-your-own-face-recognition-service-using-amazon-rekognition/

