Amazon SAA-C03 AWS Certified Solutions Architect - Associate Exam Practice Test

Page: 1 / 14
Total 1000 questions

Want more questions? Get Premium Access.
()

Question 1

A company has a three-tier environment on AWS that ingests sensor data from its users' devices The traffic flows through a Network Load Balancer (NIB) then to Amazon EC2 instances for the web tier and finally to EC2 instances for the application tier that makes database calls

What should a solutions architect do to improve the security of data in transit to the web tier?

AConfigure a TLS listener and add the server certificate on the NLB

BConfigure AWS Shield Advanced and enable AWS WAF on the NLB

CChange the load balancer to an Application Load Balancer and attach AWS WAF to it

DEncrypt the Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instances using AWS Key Management Service (AWS KMS)

Answer : A

A: How do you protect your data in transit?

Best Practices:

Implement secure key and certificate management: Store encryption keys and certificates securely and rotate them at appropriate time intervals while applying strict access control; for example, by using a certificate management service, such as AWS Certificate Manager (ACM).

Enforce encryption in transit: Enforce your defined encryption requirements based on appropriate standards and recommendations to help you meet your organizational, legal, and compliance requirements.

Automate detection of unintended data access: Use tools such as GuardDuty to automatically detect attempts to move data outside of defined boundaries based on data classification level, for example, to detect a trojan that is copying data to an unknown or untrusted network using the DNS protocol.

Authenticate network communications: Verify the identity of communications by using protocols that support authentication, such as Transport Layer Security (TLS) or IPsec.

https://wa.aws.amazon.com/wat.question.SEC_9.en.html

Question 2

A financial services company has a two-tier consumer banking application. The frontend serves static web content. The backend consists of APIs. The company needs to migrate the frontend component to AWS. The backend of the application will remain on-premises. The company must protect the application from common web vulnerabilities and attacks.

AMigrate the frontend to Amazon EC2 instances. Deploy an Application Load Balancer (ALB) in front of the instances. Use the instances to invoke the on-premises APIs. Associate AWS WAF rules with the instances.

BDeploy the frontend as an Amazon CloudFront distribution that has multiple origins. Configure one origin to be an Amazon S3 bucket that serves the static web content. Configure a second origin to route traffic to the on-premises APIs based on the URL pattern. Associate AWS WAF rules with the distribution.

CMigrate the frontend to Amazon EC2 instances. Deploy a Network Load Balancer (NLB) in front of the instances. Use the instances to invoke the on-premises APIs. Create an AWS Network Firewall instance. Route all traffic through the Network Firewall instance.

DDeploy the frontend as a static website based on an Amazon S3 bucket. Use an Amazon API Gateway REST API and a set of Amazon EC2 instances to invoke the on-premises APIs. Associate AWS WAF rules with the REST API and the S3 bucket.

Answer : B

Key Requirements:

Host the frontend on AWS as a static website.

Protect the application from common web vulnerabilities.

Minimal operational overhead.

Analysis of Options:

Option A:

Hosting the frontend on EC2 with an ALB introduces unnecessary complexity for serving static content.

AWS WAF rules can protect the ALB, but managing EC2 instances adds operational overhead.

Incorrect Approach: High operational complexity for a simple static website.

Option B:

Amazon CloudFront: Acts as a global CDN, reducing latency and protecting against DDoS attacks.

Multiple Origins: Allows static content to be served from S3 while routing API traffic to the on-premises backend.

AWS WAF: Integrates with CloudFront to provide web application protection.

Correct Approach: Offers low operational overhead with optimal security and performance.

Option C:

Using NLB and Network Firewall is unnecessary for a static website. This approach increases cost and complexity without addressing the frontend requirements effectively.

Incorrect Approach: Over-engineered solution.

Option D:

Hosting the frontend on S3 and using API Gateway is a viable option, but managing AWS WAF rules separately for both the S3 bucket and the REST API increases complexity.

Incorrect Approach: Less efficient than using CloudFront with multiple origins.

AWS Solution Architect Reference:

Amazon CloudFront Overview

AWS WAF with CloudFront

Question 3

A company has a serverless web application that is comprised of AWS Lambda functions. The application experiences spikes in traffic that cause increased latency because of cold starts. The company wants to improve the application's ability to handle traffic spikes and to minimize latency. The solution must optimize costs during periods when traffic is low.

AConfigure provisioned concurrency for the Lambda functions. Use AWS Application Auto Scaling to adjust the provisioned concurrency.

BLaunch Amazon EC2 instances in an Auto Scaling group. Add a scheduled scaling policy to launch additional EC2 instances during peak traffic periods.

CConfigure provisioned concurrency for the Lambda functions. Set a fixed concurrency level to handle the maximum expected traffic.

DCreate a recurring schedule in Amazon EventBridge Scheduler. Use the schedule to invoke the Lambda functions periodically to warm the functions.

Answer : A

Key Requirements:

Handle traffic spikes efficiently and reduce latency caused by cold starts.

Optimize costs during low traffic periods.

Analysis of Options:

Option A:

Provisioned Concurrency: Reduces cold start latency by pre-warming Lambda environments for the required number of concurrent executions.

AWS Application Auto Scaling: Automatically adjusts provisioned concurrency based on demand, ensuring cost optimization by scaling down during low traffic.

Correct Approach: Provides a balance between performance during traffic spikes and cost optimization during idle periods.

Option B:

Using EC2 instances with Auto Scaling introduces unnecessary complexity for a serverless architecture. It requires additional management and does not address the issue of cold starts for Lambda.

Incorrect Approach: Contradicts the serverless design philosophy and increases operational overhead.

Option C:

Setting a fixed concurrency level ensures performance during spikes but does not optimize costs during low traffic. This approach would maintain provisioned instances unnecessarily.

Incorrect Approach: Lacks cost optimization.

Option D:

Using EventBridge Scheduler for periodic invocations may reduce cold starts but does not dynamically scale based on traffic demand. It also leads to unnecessary invocations during idle times.

Incorrect Approach: Suboptimal for high traffic fluctuations and cost control.

AWS Solution Architect Reference:

AWS Lambda Provisioned Concurrency

AWS Application Auto Scaling with Lambda

Question 4

A company has an e-commerce site. The site is designed as a distributed web application hosted in multiple AWS accounts under one AWS Organizations organization. The web application is comprised of multiple microservices. All microservices expose their AWS services either through Amazon CloudFront distributions or public Application Load Balancers (ALBs). The company wants to protect public endpoints from malicious attacks and monitor security configurations. Which solution will meet these requirements with the LEAST operational overhead?

AUse AWS WAF to protect the public endpoints. Use AWS Firewall Manager from a dedicated security account to manage rules in AWS WAF. Use AWS Config rules to monitor the Regional and global WAF configurations.

BUse AWS WAF to protect the public endpoints. Apply AWS WAF rules in each account. Use AWS Config rules and AWS Security Hub to monitor the WAF configurations of the ALBs and the CloudFront distributions.

CUse AWS WAF to protect the public endpoints. Use AWS Firewall Manager from a dedicated security account to manage the rules in AWS WAF. Use Amazon Inspector and AWS Security Hub to monitor the WAF configurations of the ALBs and the CloudFront distributions.

DUse AWS Shield Advanced to protect the public endpoints. Use AWS Config rules to monitor the Shield Advanced configuration for each account.

Answer : A

Key Requirements:

Protect public endpoints (CloudFront distributions and ALBs) from malicious attacks.

Centralized management across multiple accounts in an organization.

Ability to monitor security configurations effectively.

Minimize operational overhead.

Analysis of Options

Option A:

AWS WAF: Protects web applications by filtering and blocking malicious requests. Rules can be applied to both ALBs and CloudFront distributions.

AWS Firewall Manager: Enables centralized management of WAF rules across multiple accounts in an AWS Organizations organization. It simplifies rule deployment, avoiding the need to configure rules individually in each account.

AWS Config: Monitors compliance by using rules that check Regional and global WAF configurations. Ensures that security configurations align with organizational policies.

Operational Overhead: Centralized management and automated monitoring reduce the operational burden.

Correct Approach: Meets all requirements with the least overhead.

Option B:

This approach involves applying WAF rules in each account manually.

While AWS Config and AWS Security Hub provide monitoring capabilities, managing individual WAF configurations in multiple accounts introduces significant operational overhead.

Incorrect Approach: Higher overhead compared to centralized management with AWS Firewall Manager.

Option C:

Similar to Option A but includes Amazon Inspector, which is not designed for monitoring WAF configurations.

AWS Security Hub is appropriate for monitoring but is redundant when Firewall Manager and Config are already in use.

Incorrect Approach: Adds unnecessary complexity and does not focus on monitoring WAF specifically.

Option D:

AWS Shield Advanced: Focuses on mitigating large-scale DDoS attacks but does not provide the fine-grained web application protection offered by WAF.

AWS Config: Can monitor Shield Advanced configurations but does not fulfill the WAF monitoring requirements.

Incorrect Approach: Does not address the need for WAF or centralized rule management.

Why Option A is Correct

Protection:

AWS WAF provides fine-grained filtering and protection against SQL injection, cross-site scripting, and other web vulnerabilities.

Rules can be applied at both ALBs and CloudFront distributions, covering all public endpoints.

Centralized Management:

AWS Firewall Manager enables security teams to centrally define and manage WAF rules across all accounts in the organization.

Monitoring:

AWS Config ensures compliance with WAF configurations by checking rules and generating alerts for misconfigurations.

Operational Overhead:

Centralized management via Firewall Manager and automated compliance monitoring via AWS Config greatly reduce manual effort.

AWS Solution Architect Reference

AWS WAF Documentation

AWS Firewall Manager Documentation

AWS Config Best Practices

AWS Organizations Documentation

Question 5

A company hosts its applications in multiple private and public subnets in a VPC. The applications in the private subnets need to access an API. The API is available on the internet and is hosted in the company's on-premises data center. A solutions architect needs to establish connectivity for applications in the private subnets. Which solution will meet these requirements MOST cost-effectively?

ACreate a transit gateway to connect the VPC to the on-premises network. Use the transit gateway to route API calls from the private subnets to the on-premises data center.

BCreate a NAT gateway in the public subnet of the VPC. Use the NAT gateway to allow the private subnets to access the API over the internet.

CEstablish an AWS PrivateLink connection to connect the VPC to the on-premises network. Use PrivateLink to make API calls from the private subnets to the on-premises data center.

DImplement an AWS Site-to-Site VPN connection between the VPC and the on-premises data center. Use the VPN connection to make API calls from the private subnets to the on-premises data center.

Answer : B

Key Requirements:

Private subnets need to access an API on the internet.

Solution must be cost-effective.

Analysis of Options:

Option A: A transit gateway is a robust and scalable solution but involves higher costs compared to other options for this use case.

Option B: A NAT gateway allows instances in private subnets to access the internet while keeping them private. It is a simple and cost-effective solution.

Option C: AWS PrivateLink is designed for private service-to-service communications within AWS or between AWS and on-premises, but it is not cost-effective for this specific scenario.

Option D: A Site-to-Site VPN is not required because the API is hosted on the internet. VPN connections add unnecessary complexity and cost.

AWS Reference:

NAT Gateways

VPC Internet Connectivity Options

Question 6

A company stores sensitive customer data in an Amazon DynamoDB table. The company frequently updates the dat

a. The company wants to use the data to personalize offers for customers.

The company's analytics team has its own AWS account. The analytics team runs an application on Amazon EC2 instances that needs to process data from the DynamoDB tables. The company needs to follow security best practices to create a process to regularly share data from DynamoDB to the analytics team.

Which solution will meet these requirements?

AExport the required data from the DynamoDB table to an Amazon S3 bucket as multiple JSON files. Provide the analytics team with the necessary IAM permissions to access the S3 bucket.

BAllow public access to the DynamoDB table. Create an IAM user that has permission to access DynamoDB. Share the IAM user with the analytics team.

CAllow public access to the DynamoDB table. Create an IAM user that has read-only permission for DynamoDB. Share the IAM user with the analytics team.

DCreate a cross-account IAM role. Create an IAM policy that allows the AWS account ID of the analytics team to access the DynamoDB table. Attach the IAM policy to the IAM role. Establish a trust relationship between accounts.

Answer : D

Using cross-account IAM roles is the most secure and scalable way to share data between AWS accounts.

A trust relationship allows the analytics team's account to assume the role in the main account and access the DynamoDB table directly.

A is feasible but involves data duplication and additional costs for storing the JSON files in S3.

B and C violate security best practices by allowing public access to sensitive data and sharing credentials, which is highly discouraged.

AWS Documentation Reference:

Cross-Account Access with Roles

Best Practices for Amazon DynamoDB Security

Question 7

A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic. The notifications contain protected health information (PHI).

The SNS topic uses AWS Key Management Service (AWS KMS) customer-managed keys for encryption. The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic.

Which combination of steps will meet these requirements? (Select THREE.)

ACreate a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.

BUse server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer-managed keys.

CCreate a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.

DSpecify the Lambda function's Amazon Resource Name (ARN) in the SNS topic's resource policy.

EAssociate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies.

FConfigure a Lambda execution role that has the necessary IAM permissions to use a customer-managed key in AWS KMS.

Answer : A, C, F

To securely publish messages to an encrypted Amazon SNS topic, the following steps are required:

A . Resource policy for SNS topic: Ensures that the Lambda function is explicitly allowed to publish messages to the topic.

C . Resource policy for KMS key: Provides the necessary permissions to use the customer-managed key for encryption.

F . Lambda execution role: Grants the Lambda function the necessary IAM permissions to use the encryption key.

Other options:

B is invalid because using SSE-KMS does not eliminate the need for resource policies.

D overlaps with A, but specifying the ARN in the topic policy is covered by creating the resource policy.

E is unrelated as API Gateway is not required for this setup.

AWS Documentation Reference:

Amazon SNS and KMS Permissions