Free & Accurate Amazon AWS Certified Solutions Architect - Associate SAA-C03 Practice Questions | ExamTopics
www.examtopics.com
Question #104
A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)
Incorrect:
D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
Correct:
A. Use AWS Shield Advanced to stop the DDoS attack.
C. Configure the website to use Amazon CloudFront for both static and dynamic content.
CloudFront provides protection against network- and application-layer attacks by default.
Adding attacker IP addresses to network ACLs directly from a Lambda function is not a suitable defense against a large-scale attack.
---
Question #107
A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solutions architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API.
Which action meets these requirements for storing and retrieving location data?
Correct:
B. Use Amazon API Gateway with AWS Lambda.
Because the company uses its existing analytics platform, there is no need to add Kinesis Data Analytics.
Also, since Lambda provisions capacity automatically, it is the most viable option during peak time.
---
Question #108
A company has an automobile sales website that stores its listings in a database on Amazon RDS. When an automobile is sold, the listing needs to be removed from the website and the data must be sent to multiple target systems.
Which design should a solutions architect recommend?
Incorrect:
D. Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets.
Correct:
A. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the information to an Amazon Simple Queue Service (Amazon SQS) queue for the targets to consume.
An RDS -> SNS -> SQS fan-out pattern can be built, but RDS does not support event notifications for DB-level events such as reads and writes.
---
Question #110
A social media company allows users to upload images to its website. The website runs on Amazon EC2 instances. During upload requests, the website resizes the images to a standard size and stores the resized images in Amazon S3. Users are experiencing slow upload requests to the website.
The company needs to reduce coupling within the application and improve website performance. A solutions architect must design the most operationally efficient process for image uploads.
Which combination of actions should the solutions architect take to meet these requirements? (Choose two.)
Correct:
C. Configure the application to upload images directly from each user's browser to Amazon S3 through the use of a presigned URL.
D. Configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. Use the function to resize the image.
Letting users upload files directly to S3 with a presigned URL reduces the load on EC2.
EventBridge invoking Lambda on a schedule -> not immediate processing right after upload, but periodic scheduling.
---
Question #113
A company uses 50 TB of data for reporting. The company wants to move this data from on premises to AWS. A custom application in the company’s data center runs a weekly data transformation job. The company plans to pause the application until the data transfer is complete and needs to begin the transfer process as soon as possible.
The data center does not have any available network bandwidth for additional workloads. A solutions architect must transfer the data and must configure the transformation job to continue to run in the AWS Cloud.
Which solution will meet these requirements with the LEAST operational overhead?
Incorrect:
D. Order an AWS Snowball Edge Storage Optimized device that includes Amazon EC2 compute. Copy the data to the device. Create a new EC2 instance on AWS to run the transformation application.
Correct:
C. Order an AWS Snowball Edge Storage Optimized device. Copy the data to the device. Create a custom transformation job by using AWS Glue.
Using AWS Glue carries less overhead than deploying the application directly on EC2 to do the processing.
---
Question #120
A company has implemented a self-managed DNS solution on three Amazon EC2 instances behind a Network Load Balancer (NLB) in the us-west-2 Region. Most of the company's users are located in the United States and Europe. The company wants to improve the performance and availability of the solution. The company launches and configures three EC2 instances in the eu-west-1 Region and adds the EC2 instances as targets for a new NLB.
Which solution can the company use to route traffic to all the EC2 instances?
Incorrect:
A. Create an Amazon Route 53 geolocation routing policy to route requests to one of the two NLBs. Create an Amazon CloudFront distribution. Use the Route 53 record as the distribution’s origin.
D. Replace the two NLBs with two Application Load Balancers (ALBs). Create an Amazon Route 53 latency routing policy to route requests to one of the two ALBs. Create an Amazon CloudFront distribution. Use the Route 53 record as the distribution’s origin.
Correct:
B. Create a standard accelerator in AWS Global Accelerator. Create endpoint groups in us-west-2 and eu-west-1. Add the two NLBs as endpoints for the endpoint groups.
ALBs operate at layer 7 and do not provide the functionality a DNS solution needs.
CloudFront is not suited to a DNS service.
AWS Global Accelerator creates an endpoint group in each Region and adds that Region's NLB as an endpoint of the group, so user requests can be routed to the geographically closest NLB.
---
Question #121
A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance.
What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?
Correct:
A. Encrypt a copy of the latest DB snapshot. Replace the existing DB instance by restoring the encrypted snapshot.
An RDS instance that was created unencrypted cannot have encryption enabled afterwards through its settings. (A new RDS instance can be created encrypted.)
Instead, it can be encrypted by creating an encrypted snapshot and restoring from it. (It stays encrypted from then on.)
Copying the snapshot to encrypted S3 encrypts the snapshot itself but does not encrypt the data inside the snapshot.
---
Question #128
A company wants to run applications in containers in the AWS Cloud. These applications are stateless and can tolerate disruptions within the underlying infrastructure. The company needs a solution that minimizes cost and operational overhead.
What should a solutions architect do to meet these requirements?
Incorrect:
A. Use Spot Instances in an Amazon EC2 Auto Scaling group to run the application containers.
Correct:
B. Use Spot Instances in an Amazon Elastic Kubernetes Service (Amazon EKS) managed node group.
Running Docker container images on EC2 requires installing the runtime yourself.
In terms of operational overhead, B is the better choice.
---
Question #130
An application runs on Amazon EC2 instances across multiple Availability Zones. The instances run in an Amazon EC2 Auto Scaling group behind an Application Load Balancer. The application performs best when the CPU utilization of the EC2 instances is at or near 40%.
What should a solutions architect do to maintain the desired performance across all instances in the group?
Incorrect:
A. Use a simple scaling policy to dynamically scale the Auto Scaling group.
Correct:
B. Use a target tracking policy to dynamically scale the Auto Scaling group.
Simple scaling policy: a basic Auto Scaling policy that adjusts the instance count when a specific CloudWatch alarm condition (e.g., CPU utilization) is met.
Target tracking policy: an intelligent Auto Scaling policy that automatically adjusts the instance count so that a specified metric (e.g., CPU utilization) stays at a set target value.
---
Question #131
A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL.
What should a solutions architect do to meet these requirements?
Correct: Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.
With an Origin Access Identity (OAI), access to the S3 bucket content can be restricted so that it is reachable only through CloudFront.
Using an OAI is the recommended approach.
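A bucket policy of the kind the answer describes, as an added example (not from the exam or from the blog author): the only principal allowed to read objects is the CloudFront OAI, and nothing grants public access. The OAI ID and bucket name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowReadOnlyToCloudFrontOAI",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

With S3 Block Public Access left on for the bucket and no other Allow statements, a request to the S3 URL directly returns 403 while the same object served through the distribution succeeds.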
---
Question #133
A company runs an Oracle database on premises. As part of the company’s migration to AWS, the company wants to upgrade the database to the most recent available version. The company also wants to set up disaster recovery (DR) for the database. The company needs to minimize the operational overhead for normal operations and DR setup. The company also needs to maintain access to the database's underlying operating system.
Which solution will meet these requirements?
Incorrect:
D. Migrate the Oracle database to Amazon RDS for Oracle. Create a standby database in another Availability Zone.
Correct:
C. Migrate the Oracle database to Amazon RDS Custom for Oracle. Create a read replica for the database in another AWS Region.
RDS for Oracle does not provide OS-level access. A read replica also serves as disaster recovery: geographic distribution of the database, switching over to a standby database, and access to the data in an emergency.
---
Question #134
A company wants to move its application to a serverless solution. The serverless solution needs to analyze existing and new data by using SQL. The company stores the data in an Amazon S3 bucket. The data requires encryption and must be replicated to a different AWS Region.
Which solution will meet these requirements with the LEAST operational overhead?
Incorrect:
A. Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon Athena to query the data.
Correct:
C. Load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon Athena to query the data.
SSE-S3 has less overhead than SSE-KMS.
SSE-S3 keys are generated automatically by S3 and applied to the data at upload time, with no additional work required.
---
Question #135
A company runs workloads on AWS. The company needs to connect to a service from an external provider. The service is hosted in the provider's VPC. According to the company’s security team, the connectivity must be private and must be restricted to the target service. The connection must be initiated only from the company’s VPC.
Which solution will meet these requirements?
Incorrect:
B. Ask the provider to create a virtual private gateway in its VPC. Use AWS PrivateLink to connect to the target service.
Correct:
D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.
AWS PrivateLink is a service that lets you connect privately to AWS services and to VPC endpoint services.
- Virtual private gateway: a gateway that helps set up a secure VPN connection between a company's data center and an AWS VPC.
- VPC endpoint: a service for connecting to AWS services from inside a VPC over a private network, without traversing the internet.
VPC peering establishes a private connection between VPCs without traversing the internet, but it grants access to the entire VPC.
---
Question #136
A company is migrating its on-premises PostgreSQL database to Amazon Aurora PostgreSQL. The on-premises database must remain online and accessible during the migration. The Aurora database must remain synchronized with the on-premises database.
Which combination of actions must a solutions architect take to meet these requirements? (Choose two.)
Correct:
A. Create an ongoing replication task.
C. Create an AWS Database Migration Service (AWS DMS) replication server.
An ongoing replication task is a DMS setting that supports continuous synchronization of the database.
DMS keeps the database accessible while data is being replicated.
---
Question #137
A company uses AWS Organizations to create dedicated AWS accounts for each business unit to manage each business unit's account independently upon request. The root email recipient missed a notification that was sent to the root user email address of one account. The company wants to ensure that all future notifications are not missed. Future notifications must be limited to account administrators.
Which solution will meet these requirements?
Correct:
B. Configure all AWS account root user email addresses as distribution lists that go to a few administrators who can respond to alerts. Configure AWS account alternate contacts in the AWS Organizations console or programmatically.
The problem occurred because the root user email went to a single account.
It is solved by configuring the root user email addresses so that they reach multiple recipients.
---
Question #139
A reporting team receives files each day in an Amazon S3 bucket. The reporting team manually reviews and copies the files from this initial S3 bucket to an analysis S3 bucket each day at the same time to use with Amazon QuickSight. Additional teams are starting to send more files in larger sizes to the initial S3 bucket.
The reporting team wants to move the files automatically to the analysis S3 bucket as the files enter the initial S3 bucket. The reporting team also wants to use AWS Lambda functions to run pattern-matching code on the copied data. In addition, the reporting team wants to send the data files to a pipeline in Amazon SageMaker Pipelines.
What should a solutions architect do to meet these requirements with the LEAST operational overhead?
Incorrect:
C. Configure S3 replication between the S3 buckets. Create an S3 event notification for the analysis S3 bucket. Configure Lambda and SageMaker Pipelines as destinations of the event notification. Configure s3:ObjectCreated:Put as the event type.
Correct: D. Configure S3 replication between the S3 buckets. Configure the analysis S3 bucket to send event notifications to Amazon EventBridge (Amazon CloudWatch Events). Configure an ObjectCreated rule in EventBridge (CloudWatch Events). Configure Lambda and SageMaker Pipelines as targets for the rule.
Event notification: a feature that automatically sends a notification when a specific event occurs in a service such as Amazon S3.
Using S3 replication is the more efficient approach, and the ObjectCreated event can also fire when an existing S3 object is copied to create a new object.
S3 notifications cannot use SageMaker as a destination. The allowed destinations are SQS, SNS, Lambda and EventBridge.
---
Question #140
A solutions architect needs to help a company optimize the cost of running an application on AWS. The application will use Amazon EC2 instances, AWS Fargate, and AWS Lambda for compute within the architecture.
The EC2 instances will run the data ingestion layer of the application. EC2 usage will be sporadic and unpredictable. Workloads that run on EC2 instances can be interrupted at any time. The application front end will run on Fargate, and Lambda will serve the API layer. The front-end utilization and API layer utilization will be predictable over the course of the next year.
Which combination of purchasing options will provide the MOST cost-effective solution for hosting this application? (Choose two.)
Incorrect:
D. Purchase 1-year All Upfront Reserved instances for the data ingestion layer.
Correct:
A. Use Spot Instances for the data ingestion layer.
C. Purchase a 1-year Compute Savings Plan for the front end and API layer.
EC2 usage is sporadic and unpredictable, so Spot Instances are appropriate.
Compute Savings Plan: applies regardless of instance family, size, OS, etc., and also covers Lambda and Fargate.
---
Question #145
A company hosts a website analytics application on a single Amazon EC2 On-Demand Instance. The analytics software is written in PHP and uses a MySQL database. The analytics software, the web server that provides PHP, and the database server are all hosted on the EC2 instance. The application is showing signs of performance degradation during busy times and is presenting 5xx errors. The company needs to make the application scale seamlessly.
Which solution will meet these requirements MOST cost-effectively?
Correct:
D. Migrate the database to an Amazon Aurora MySQL DB instance. Create an AMI of the web application. Apply the AMI to a launch template. Create an Auto Scaling group with the launch template. Configure the launch template to use a Spot Fleet. Attach an Application Load Balancer to the Auto Scaling group.
The requirement is to scale seamlessly, so Aurora and an ASG are the better fit.
---
Question #151
A company wants to migrate its on-premises data center to AWS. According to the company's compliance requirements, the company can use only the ap-northeast-3 Region. Company administrators are not permitted to connect VPCs to the internet.
Which solutions will meet these requirements? (Choose two.)
Incorrect:
E. Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.
Correct:
A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
Control Tower guardrails can deny resource creation outside a specific Region and prevent VPCs from connecting to the internet.
SCPs can restrict resource creation outside the ap-northeast-3 Region and prevent VPC internet connectivity.
AWS Config managed rules help detect and alert on specific resources and configurations, but they cannot directly restrict internet access or deny access to specific Regions.
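An SCP of the kind option C describes, as an added example (not from the exam or from the blog author): the first statement denies any action requested outside ap-northeast-3, and the second denies the EC2 calls that would give a VPC an internet path. The NotAction list of global services that must remain reachable is an assumption; the real list depends on which global services the accounts use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllRegionsExceptApNortheast3",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "support:*",
        "cloudfront:*",
        "route53:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "ap-northeast-3"
        }
      }
    },
    {
      "Sid": "DenyVpcInternetPaths",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateNatGateway"
      ],
      "Resource": "*"
    }
  ]
}
```

SCPs attached at the root apply to every member account but never to the management account, so that account still needs separate controls.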
---
Question #153
A company sells ringtones created from clips of popular songs. The files containing the ringtones are stored in Amazon S3 Standard and are at least 128 KB in size. The company has millions of files, but downloads are infrequent for ringtones older than 90 days. The company needs to save money on storage while keeping the most accessed files readily available for its users.
Which action should the company take to meet these requirements MOST cost-effectively?
Correct:
D. Implement an S3 Lifecycle policy that moves the objects from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.
Intelligent-Tiering does not change the storage class on a time basis such as "after n days"; it changes it based on access patterns.
A Lifecycle policy can change the storage class after 90 days.
S3 Inventory provides detailed reports on the objects in an S3 bucket.
Moving objects automatically is the role of an S3 Lifecycle policy.
---
Question #154
A company needs to save the results from a medical trial to an Amazon S3 repository. The repository must allow a few scientists to add new files and must restrict all other users to read-only access. No users can have the ability to modify or delete any files in the repository. The company must keep every file in the repository for a minimum of 1 year after its creation date.
Which solution will meet these requirements?
Correct:
B. Use S3 Object Lock in compliance mode with a retention period of 365 days.
Compliance mode: no user can overwrite or delete the object.
Governance mode: the object cannot be overwritten or deleted unless the user holds a special permission.
---
Question #156
A company produces batch data that comes from different databases. The company also produces live stream data from network sensors and application APIs. The company needs to consolidate all the data into one place for business analytics. The company needs to process the incoming data and then stage the data in different Amazon S3 buckets. Teams will later run one-time queries and import the data into a business intelligence tool to show key performance indicators (KPIs).
Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose two.)
Incorrect:
D. Use an AWS Glue extract, transform, and load (ETL) job to convert the data into JSON format. Load the data into multiple Amazon OpenSearch Service (Amazon Elasticsearch Service) clusters.
Correct:
A. Use Amazon Athena for one-time queries. Use Amazon QuickSight to create dashboards for KPIs.
E. Use blueprints in AWS Lake Formation to identify the data that can be ingested into a data lake. Use AWS Glue to crawl the source, extract the data, and load the data into Amazon S3 in Apache Parquet format.
Besides Redshift, Lake Formation can also consolidate the data in one place.
D requires significant custom coding for ETL and querying, and OpenSearch adds further setup and management overhead.
Also, since the requirements above call for the data to end up in S3, E is the appropriate choice.
---
Question #157
A company stores data in an Amazon Aurora PostgreSQL DB cluster. The company must store all the data for 5 years and must delete all the data after 5 years. The company also must indefinitely keep audit logs of actions that are performed within the database. Currently, the company has automated backups configured for Aurora.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
Correct:
D. Configure an Amazon CloudWatch Logs export for the DB cluster.
E. Use AWS Backup to take the backups and to keep the backups for 5 years.
Audit log: a log file or data set that records important events, actions or activities occurring in a system, network or application.
The main purpose of an audit log is to maintain the security and integrity of the system and to track user activity and system changes.
It covers user activity (login, logout, data lookups, data modification, file access, etc.), system changes, access attempts and permission changes, errors and exceptions, and transaction information.
CloudWatch Logs: lets you monitor and store, in real time, the logs produced by AWS resources and running applications.
Aurora's maximum backup retention period is 35 days. To retain backups longer, AWS Backup must be used.
---
Question #158
A solutions architect is optimizing a website for an upcoming musical event. Videos of the performances will be streamed in real time and then will be available on demand. The event is expected to attract a global online audience.
Which service will improve the performance of both the real-time and on-demand streaming?
Incorrect:
B. AWS Global Accelerator.
D. Amazon S3 Transfer Acceleration.
Correct:
A. Amazon CloudFront.
Amazon CloudFront is also suitable for real-time delivery. (Media fragments can be cached at the edge.)
Since the question says a website is used, the traffic is HTTP, so CloudFront is the answer. (website = HTTP = CloudFront)
AWS Global Accelerator is used for UDP transport. (UDP = Global Accelerator)
Amazon S3 Transfer Acceleration speeds up data transfer !! to and from S3 !! but does not affect the speed at which content is streamed to users.
---
Question #159
A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application’s traffic recently spiked due to fraudulent requests from botnets.
Which steps should a solutions architect take to block requests from unauthorized users? (Choose two.)
Incorrect:
B. Integrate logic within the Lambda function to ignore the requests from fraudulent IP addresses.
Correct:
A. Create a usage plan with an API key that is shared with genuine users only.
C. Implement an AWS WAF rule to target malicious requests and trigger actions to filter them out.
Putting logic to detect fraudulent IPs inside the Lambda function is very difficult.
In API Gateway, API usage can be controlled and limited through API keys and usage plans.
---
Question #167
A company runs a production application on a fleet of Amazon EC2 instances. The application reads the data from an Amazon SQS queue and processes the messages in parallel. The message volume is unpredictable and often has intermittent traffic. This application should continually process messages without any downtime.
Which solution meets these requirements MOST cost-effectively?
Incorrect:
C. Use Reserved Instances for the baseline capacity and use Spot Instances to handle additional capacity.
Correct:
D. Use Reserved Instances for the baseline capacity and use On-Demand Instances to handle additional capacity.
"continually process messages without any downtime" -> Spot Instances cannot be used.
---
Question #168
A security team wants to limit access to specific services or actions in all of the team’s AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?
Correct:
D. Create a service control policy in the root organizational unit to deny access to the services or actions.
Applying a Service Control Policy (SCP) to the root organizational unit gives central control over access to services or actions for every account in the organization.
---
Question #170
A company’s web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only.
Which configuration will meet this requirement?
Incorrect:
D. Configure the network ACL for the subnet that contains the EC2 instances.
Correct:
C. Configure AWS WAF on the Application Load Balancer in a VPC.
By attaching AWS WAF to the Application Load Balancer, rules based on geographic location (country) can be configured.
This allows only requests from a specific country and blocks requests from other countries.
Security groups control access by IP address but cannot distinguish traffic by country.
Network ACLs also control access by IP address but cannot distinguish traffic by country.
---
Question #178
A company’s infrastructure consists of Amazon EC2 instances and an Amazon RDS DB instance in a single AWS Region. The company wants to back up its data in a separate Region.
Which solution will meet these requirements with the LEAST operational overhead?
Correct:
A. Use AWS Backup to copy EC2 backups and RDS backups to the separate Region.
AWS Backup can back up a wide range of AWS services such as EC2, RDS and S3.
For EC2, you can back up only the EBS volumes, or back up the entire EC2 instance including EBS as an AMI backup.
---
Question #179
A solutions architect needs to securely store a database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store.
What should the solutions architect do to meet this requirement?
Incorrect:
B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
Correct:
A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
IAM Role -> AWS Service
IAM Policy -> AWS User, Group
---
Question #182
A company wants to migrate its MySQL database from on premises to AWS. The company recently experienced a database outage that significantly impacted the business. To ensure this does not happen again, the company wants a reliable database solution on AWS that minimizes data loss and stores every transaction on at least two nodes.
Which solution meets these requirements?
Correct:
B. Create an Amazon RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data.
RDS Multi-AZ provides high availability and durability. It replicates synchronously to a standby instance in another AZ.
RDS read replicas are mainly used to improve read performance and replicate asynchronously.
---
Question #184
A company has an AWS account used for software engineering. The AWS account has access to the company’s on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway.
A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company’s data center.
Which solution will meet these requirements?
Correct:
A. Configure the Lambda function to run in the VPC with the appropriate security group.
The connection is already in place. Only the security group needs to be adjusted.
The phrase "All non-VPC traffic routes to the virtual private gateway" refers to communication with resources that do not live inside the VPC, such as S3 and DynamoDB.
---
Question #185
A company runs an application using Amazon ECS. The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3.
How can a solutions architect ensure that the application has permission to access Amazon S3?
Incorrect:
A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.
Correct:
B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.
The S3 role is not associated with the ECS application.
ECS task definition: the configuration that specifies the settings and parameters required to run a containerized application.
---
Question #188
A company uses Amazon S3 as its data lake. The company has a new partner that must use SFTP to upload data files. A solutions architect needs to implement a highly available SFTP solution that minimizes operational overhead.
Which solution will meet these requirements?
Correct:
A. Use AWS Transfer Family to configure an SFTP-enabled server with a publicly accessible endpoint. Choose the S3 data lake as the destination.
Transfer Family: a fully managed service for transferring files to and from Amazon S3 or Amazon EFS over the FTP, FTPS and SFTP protocols.
---
Question #189
A company needs to store contract documents. A contract lasts for 5 years. During the 5-year period, the company must ensure that the documents cannot be overwritten or deleted. The company needs to encrypt the documents at rest and rotate the encryption keys automatically every year.
Which combination of steps should a solutions architect take to meet these requirements with the LEAST operational overhead? (Choose two.)
Correct:
B. Store the documents in Amazon S3. Use S3 Object Lock in compliance mode.
D. Use server-side encryption with AWS Key Management Service (AWS KMS) customer managed keys. Configure key rotation.
With SSE-S3, the user cannot configure the key rotation period.
---
Question #193
A company is running a batch application on Amazon EC2 instances. The application consists of a backend with multiple Amazon RDS databases. The application is causing a high number of reads on the databases. A solutions architect must reduce the number of database reads while ensuring high availability.
What should the solutions architect do to meet this requirement?
Incorrect:
A. Add Amazon RDS read replicas.
Correct:
B. Use Amazon ElastiCache for Redis.
The number of database reads must be reduced. Also, Redis has Multi-AZ and auto-failover built in.
---
Question #194
A company needs to run a critical application on AWS. The company needs to use Amazon EC2 for the application’s database. The database must be highly available and must fail over automatically if a disruptive event occurs.
Which solution will meet these requirements?
Incorrect:
C. Launch two EC2 instances, each in a different AWS Region. Install the database on both EC2 instances. Set up database replication. Fail over the database to a second Region.
Correct:
A. Launch two EC2 instances, each in a different Availability Zone in the same AWS Region. Install the database on both EC2 instances. Configure the EC2 instances as a cluster. Set up database replication.
Replicating data across Regions can incur long latency.
---
Question #199
A telemarketing company is designing its customer call center functionality on AWS. The company needs a solution that provides multiple speaker recognition and generates transcript files. The company wants to query the transcript files to analyze the business patterns. The transcript files must be stored for 7 years for auditing purposes.
Which solution will meet these requirements?
Correct:
B. Use Amazon Transcribe for multiple speaker recognition. Use Amazon Athena for transcript file analysis.
Transcribe: an automatic speech recognition (ASR) service that generates text transcripts from audio files.
Rekognition: a service for image and video analysis.
Translate: a language translation service; it provides neither speech recognition nor transcript generation.