Visit Official SkillCertPro Website :-
For a full set of 730 questions. Go to
https://skillcertpro.com/product/aws-solutions-architect-professional-exam-questions/
SkillCertPro offers detailed explanations to each question which helps to understand the concepts better.
It is recommended to score above 85% in SkillCertPro exams before attempting a real exam.
SkillCertPro updates exam questions every 2 weeks.
You will get life time access and life time free updates
SkillCertPro assures 100% pass guarantee in first attempt.
Question 1:
You currently have developers who have access to your production AWS account. There is a concern that the developers could potentially delete production EC2 resources. Which of the below options could help alleviate this concern?
Choose two options from the below:
A. Modify the IAM policy on the developers to require MFA before deleting EC2 instances and disable MFA access for the employee
B. Tag the production instances with a production-identifying tag and add resource-level permissions to the developers with an explicit deny on the terminate API call to instances with the production tag.
C. Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.
D. Modify the IAM policy on the developers to require MFA before deleting EC2 instances
Answer: B and C
Explanation:
To stop users from manipulating AWS resources, you can either create the applicable (allow/deny) resource-level permissions and apply them to those users, or create an individual or group policy which explicitly denies the action on that resource and apply it to the individual user or the group.
Option B is CORRECT because it (a) identifies the instances with a proper tag, and (b) creates a resource-level permission that explicitly denies the user the terminate action.
Option C is CORRECT because it (a) identifies the instances with a proper tag, and (b) creates a policy that explicitly denies terminating the instances and applies that policy to the group containing the employees (who are not supposed to have access to terminate the instances).
Options A and D are incorrect because MFA is an additional layer of security for users logging into AWS and accessing resources. Enabling or disabling MFA by itself cannot prevent users from performing resource-level actions.
More information on tags: Tags enable you to categorize your AWS resources in different ways, for example by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you have assigned to it. Each tag consists of a key and an optional value, both of which you define.
For more information on tagging AWS resources, please refer to the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html
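As an added example (not from the original question bank), the tag-scoped explicit Deny that options B and C describe, written as an IAM policy document, together with a simplified evaluator that shows why the Deny wins over the broad Allow only for instances carrying the tag. The tag key/value `Environment`/`production` and the statement IDs are assumed names chosen for this example.

```python
import json

# Assumed developer policy: a broad Allow for routine EC2 operations plus an
# explicit Deny on TerminateInstances scoped by the ec2:ResourceTag condition key.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowDayToDayEc2",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances",
                       "ec2:RebootInstances", "ec2:TerminateInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
        },
        {
            "Sid": "DenyTerminateProduction",
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/Environment": "production"}
            },
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, tags):
    """Evaluate only the StringEquals / ec2:ResourceTag/<key> form used above.
    A missing tag never matches, so untagged instances are not covered by the Deny."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False
        if tags.get(key[len("ec2:ResourceTag/"):]) != expected:
            return False
    return True

def is_allowed(policy, action, tags):
    """Simplified IAM evaluation: an applicable explicit Deny wins, then any
    Allow, otherwise implicit deny. Resource ARN matching is omitted because
    every statement in this policy targets instance/*."""
    decision = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

if __name__ == "__main__":
    print(json.dumps(DEVELOPER_POLICY, indent=2))
    print(is_allowed(DEVELOPER_POLICY, "ec2:TerminateInstances", {"Environment": "production"}))  # False
    print(is_allowed(DEVELOPER_POLICY, "ec2:TerminateInstances", {"Environment": "dev"}))         # True
    print(is_allowed(DEVELOPER_POLICY, "ec2:StopInstances", {"Environment": "production"}))       # True
```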
Question 2:
There is a requirement to host a database server. This server should not be able to connect to the internet except in the case of downloading the required database patches. Which of the following solutions would be the best to satisfy all the above requirements? Choose the correct answer from the below options.
A. Set up the database in a local data center and use a private gateway to connect the application to the database.
B. Set up the database in a private subnet with a security group which only allows outbound traffic.
C. Set up the database in a private subnet which connects to the Internet via a NAT instance.
D. Set up the database in a public subnet with a security group which only allows inbound traffic.
Answer: C
Explanation:
A. Set up the database in a local data center and use a private gateway to connect the application to the database.
This option is not the best solution as it adds unnecessary complexity and cost by hosting the database outside of AWS and requiring a private gateway connection. The requirement is to host the database server within AWS.
B. Set up the database in a private subnet with a security group which only allows outbound traffic.
This option does not fully meet the requirement that the database server be able to download required patches from the internet. A security group only filters traffic that already has a route; an instance in a private subnet has no route to the internet, so opening outbound rules alone does not provide patch downloads, and allowing all outbound traffic is broader than the requirement.
C. Set up the database in a private subnet which connects to the Internet via a NAT instance.
This is the correct solution. By placing the database server in a private subnet and routing its outbound internet traffic through a NAT instance in the public subnet, you can allow the database to download patches while keeping it isolated from direct internet access. The NAT instance provides the necessary controlled internet connectivity.
D. Set up the database in a public subnet with a security group which only allows inbound traffic.
This option is not correct as it places the database server in a public subnet, which exposes it to potential internet-based attacks, even with a restrictive security group. The requirement is to keep the database isolated from the internet, except for necessary patch downloads.
Question 3:
A legacy application is being migrated to AWS. It works on the TCP protocol. There is a requirement to ensure scalability of the application and also to ensure that the IP addresses of clients using the application are recorded.
Which of the below-mentioned steps would you implement to fulfil the above requirement?
A. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.
B. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.
C. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two or more application servers in different AZs.
D. Use Route 53 with Latency Based Routing enabled to distribute load on two or more application servers in different AZs.
Answer: C
Explanation:
Scalability: An Elastic Load Balancer (ELB) with a TCP listener distributes incoming traffic across multiple application servers in different Availability Zones (AZs), enhancing scalability.
Client IP Recording: Proxy Protocol, when enabled on the ELB, allows the application server to access the original client IP address even behind the load balancer. This is crucial for recording client IPs.
Let’s analyze why other options fall short:
A. ELB with TCP Listener and Cross-Zone Load Balancing: While this provides scalability, it doesn’t guarantee client IP capture without Proxy Protocol.
B. Route 53 Alias Record: Route 53 is a DNS service and doesn’t handle load balancing or client IP capture.
D. Route 53 with Latency Based Routing: This focuses on routing based on latency but doesn’t address load balancing or native client IP access within the application.
Proxy Protocol Consideration:
Legacy applications might need modifications to interpret the Proxy Protocol information and extract the client IP.
Additional Considerations for a Solutions Architect Professional:
Security Groups: Configure appropriate security groups to restrict inbound traffic to the application servers only from the ELB.
Health Checks: Implement health checks on the ELB to ensure it routes traffic only to healthy application servers.
Auto Scaling: Consider integrating Auto Scaling with the ELB to automatically scale application servers based on traffic demands.
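An added example (not part of the original explanation) of the "legacy application modification" the note above refers to: a parser for the Proxy Protocol v1 header that a Classic ELB with Proxy Protocol enabled prepends to each TCP connection, so the backend can record the real client IP before reading its own protocol. The sample bytes are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_V1_HEADER = 107  # longest legal v1 header line, including the trailing CRLF

@dataclass
class ProxyInfo:
    family: str
    client_ip: str
    client_port: int
    proxy_ip: str
    proxy_port: int

def parse_proxy_v1(data: bytes) -> Tuple[Optional[ProxyInfo], bytes]:
    """Strip a Proxy Protocol v1 header from the start of a TCP stream.

    Returns (info, remaining_bytes). info is None for a 'PROXY UNKNOWN' line,
    which the protocol says to accept while ignoring the addresses. Raises
    ValueError for a missing or malformed header so the connection can be closed."""
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end < 0 or not data.startswith(b"PROXY "):
        raise ValueError("missing or malformed PROXY v1 header")
    line, rest = data[:end].decode("ascii"), data[end + 2:]
    fields = line.split(" ")
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"unexpected PROXY header: {line!r}")
    _, family, src_ip, dst_ip, src_port, dst_port = fields
    want_version = 4 if family == "TCP4" else 6
    for addr in (src_ip, dst_ip):  # ip_address() itself rejects garbage
        if ipaddress.ip_address(addr).version != want_version:
            raise ValueError(f"address {addr} does not match {family}")
    ports = [int(p) for p in (src_port, dst_port)]
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return ProxyInfo(family, src_ip, ports[0], dst_ip, ports[1]), rest

if __name__ == "__main__":
    # Constructed sample: header from the ELB followed by the client's own bytes.
    sample = b"PROXY TCP4 198.51.100.22 10.0.1.15 51034 443\r\nHELLO\n"
    info, payload = parse_proxy_v1(sample)
    print(f"client {info.client_ip}:{info.client_port} via {info.proxy_ip}, payload={payload!r}")
```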
Question 4:
A company has a requirement to host an application behind an AWS ELB. The application will be supporting multiple device platforms. Each device platform will need separate SSL certificates assigned to it.
Which of the below options is the best setup in AWS to fulfill the above requirement?
A. Set up one ELB for all device platforms to distribute load among multiple instances under it. Each EC2 instance will have a different SSL certificate assigned to it.
B. You just need to set up a single ELB. Since it supports multiple SSL certificates, it should be sufficient for the different device platforms.
C. Setup a hybrid architecture to handle multiple SSL certificates by using separate EC2 Instance groups running web applications for different platform types running in a VPC.
D. Create multiple ELBs, one for each type of certificate for each device platform.
Answer: D
Explanation:
“One ELB, EC2 instances with different SSL certificates” ❌
SSL termination happens at the ELB, not at the instance. EC2 cannot independently handle multiple SSL certs behind a single ELB listener.
“Single ELB supports multiple SSL certificates” ❌
Only valid if using ALB with SNI, but the question implies that device platforms need completely separate certificates; exam answer prefers separate ELBs.
“Hybrid architecture with separate EC2 groups for each platform” ❌
Overcomplicated and unnecessary; does not directly solve SSL handling.
“Create multiple ELBs, one for each certificate/platform” ✅
Correct: each ELB terminates SSL for one certificate, then routes to the backend.
Simple, compatible with classic ELB and ensures platform-specific SSL handling.
Question 5:
Which of the below components is used by AWS Data Pipeline to poll for tasks and then perform those tasks?
A. AWS OpsWorks
B. S3
C. Definition Syntax File
D. Task Runner
Answer: D
Explanation:
Task Runner is a task agent application that polls AWS Data Pipeline for scheduled tasks and executes them on Amazon EC2 instances, Amazon EMR clusters, or other computational resources, reporting status as it does so. For more information on Task Runner in AWS Data Pipeline, please refer to the below link: http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-using-task-runner.html
Question 6:
An auditor has been called upon to carry out an audit of the configuration of your AWS accounts. The auditor has specified that they want read-only access to the AWS resources in all accounts. Which of the below options would help the auditor get the required access?
A. Create a custom identity broker application that allows the auditor to use existing Amazon credentials to log into the AWS environments.
B. Create an IAM role with read-only permissions to all AWS services in each AWS account. Create one auditor IAM account and add a permissions policy that allows the auditor to assume the ARN role for each AWS account that has an assigned role.
C. Create an IAM user for each AWS account with read-only permission policies for the auditor, and disable each account when the audit is complete.
D. Configure an on-premise AD server and enable SAML and identity federation for single sign-on to each AWS account.
Answer: B
Explanation:
IAM Roles with Read-Only Permissions: Define roles in each AWS account with read-only access to specific services or all services depending on the audit requirements.
Auditor IAM Account: Create a single IAM account for the auditor.
AssumeRole Policy: Attach a policy to the auditor’s IAM account allowing it to assume the read-only roles in each AWS account using the AssumeRole action. This provides temporary access for the audit, enhancing security.
Let’s explore why other options are less suitable:
A. Custom Identity Broker: This is an overly complex solution for a simple audit scenario. It introduces additional security risks and management overhead.
C. IAM User per Account: Creates unnecessary user management overhead. Disabling accounts after the audit disrupts future access and isn’t scalable.
D. On-Premise AD with SAML: While offering single sign-on, it’s a complex setup for temporary audit access. It might require significant infrastructure changes and wouldn’t be cost-effective for this specific scenario.
Question 7:
There is a requirement to carry out the backup of an Oracle RAC cluster which is currently hosted on the AWS public cloud. How can this be achieved?
A. Create a script that runs snapshots against the EBS volumes to create backups and durability.
B. Enable automated backups on the RDS RAC cluster; enable auto snapshot copy to a backup region to reduce RPO and RTO.
C. Enable Multi-AZ failover on the RDS RAC cluster to reduce the RPO and RTO in the event of disaster or failure.
D. Create manual snapshots of the RDS backup and write a script that runs the manual snapshot
Answer: A
Explanation:
Currently, Oracle Real Application Clusters (RAC) is not supported on Amazon RDS, as per the AWS documentation. However, you can deploy scalable RAC on Amazon EC2 using the recently published tutorial and Amazon Machine Images (AMIs). So, to take backups, you take EBS volume snapshots of the EC2 instances deployed for RAC.
Options B, C, and D are all incorrect because RDS does not support Oracle RAC.
Option A is CORRECT because Oracle RAC is supported via deployment on Amazon EC2. Hence, for the data backup, you can create a script that takes snapshots of the EBS volumes. For more information on Oracle RAC on AWS, please visit the below URLs:
https://aws.amazon.com/about-aws/whats-new/2015/11/self-managed-oracle-rac-on-ec2/
https://aws.amazon.com/articles/oracle-rac-on-amazon-ec2/
https://aws.amazon.com/blogs/database/amazon-aurora-as-an-alternative-to-oracle-rac/
Question 8:
An internal auditor has been assigned to view your company's internal AWS services. As an AWS administrator, what is the best solution to provide the auditor so that he can carry out the required auditing services? Choose the correct answer from the below options.
A. Create an IAM user with full VPC access but set a condition that will not allow him to modify anything if the request is from any IP other than his own.
B. Create an IAM user tied to an administrator role. Also, provide an additional level of security with MFA
C. Create an IAM Role with the read only permissions to access the AWS VPC infrastructure and assign that role to the auditor.
D. Give the auditor root access to your AWS Infrastructure.
Answer: C
Explanation:
Generally, you should refrain from giving high-level permissions and give only the permissions required.
In this case, option C fits well by providing just the relevant access that is required.
Option A is incorrect because you should not give the auditor full access to the VPC; an IP-based condition does not reduce the permissions granted.
Option B is incorrect because an administrator role grants far more than the audit needs; you should create an IAM Role with only the needed permissions.
Option C is CORRECT because the IAM Role gives the auditor just the minimum required permissions (read-only) to audit the VPC infrastructure.
Option D is incorrect because you should not give root access, as it gives the user full access to all AWS resources. For more information on IAM, please see the below link: https://aws.amazon.com/iam/
Question 9:
There is a requirement to have a read replica of a running MySQL RDS instance inside AWS at an on-premise location. What is the most secure way of performing this replication? Choose the correct answer from the below options.
A. Configure the RDS instance as the master and enable replication over the open internet using a secure SSL endpoint to the on-premise server.
B. Create a Data Pipeline that exports the MySQL data each night and securely downloads the data from an S3 HTTPS endpoint.
C. Create an IPSec VPN connection using either OpenVPN or VPN/VGW through the Virtual Private Cloud service.
D. RDS cannot replicate to an on-premise database server. Instead, first configure the RDS instance to replicate to an EC2 instance with core MySQL, and then configure replication over a secure VPN/VPG connection.
Answer: D
Explanation:
Option A is incorrect because an SSL endpoint cannot be used here; it is used for securely accessing the database.
Option B is incorrect because replicating via EC2 instances is very time-consuming and very expensive.
Option C is incorrect because Data Pipeline is for batch jobs and is not suitable for this scenario.
Option D is CORRECT because it is feasible to set up a secure IPSec VPN connection between the on-premise server and the AWS VPC using the VPN gateways. See the image below:
For more information on VPN connections, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html
Question 10:
You created three S3 buckets “mydomain.com”, “downloads.mydomain.com”, and “www.mydomain.com”. You uploaded your files, enabled static website hosting, specified both of the default documents under the ‘enable static website hosting’ header, and set the ‘Make Public’ permission for the objects in each of the three buckets. All that is left for you to do is to create the Route 53 Aliases for the three buckets. You are going to have your end users test your websites by browsing to
http://mydomain.com/error.html, http://downloads.mydomain.com/index.html, and http://www.mydomain.com. What problems will your testers encounter?
A. http://downloads.mydomain.com/index.html will not work because the “downloads” prefix is not a supported prefix for S3 websites using Route 53 aliases
B. http://www.mydomain.com will not work because the URL does not include a file name at the end of it
C. http://mydomain.com/error.html will not work because you did not set a value for the error.html file
D. There will be no problems, all three sites should work
Answer: D
Explanation:
Previously, the only domain prefix allowed when creating Route 53 aliases for S3 static websites was www. However, this is no longer the case; you can now use other sub-domains. For more information on S3 website hosting, please visit the below link: http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html