Free AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL Exam Braindumps (page: 28)

Page 28 of 134

A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables provide the database credentials to the Lambda function.

The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the Internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.

What should the solutions architect recommend to meet these requirements?

  1. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
  2. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.
  3. Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
  4. Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.

Answer(s): A

Explanation:

To enhance the security of the AWS Lambda function and mitigate the risks associated with compromised database credentials, the recommended approach is to enable IAM database authentication for the Amazon Aurora database and use an IAM role for the Lambda function. This eliminates the need to store sensitive credentials directly within the Lambda function's environment variables.
Option A effectively addresses these requirements by:
1. Enabling IAM Database Authentication: This allows the Lambda function to authenticate to the Aurora database using temporary security credentials, which reduces the risk associated with static credentials.
2. Changing the IAM Role: The Lambda function’s IAM role is modified to grant the permissions necessary for accessing the database using IAM authentication.
3. Deploying a Gateway VPC Endpoint for S3: This ensures that all data transfers between the Lambda function and the S3 bucket occur over the AWS network without traversing the public internet, thereby enhancing security.
This solution minimizes the impact of any potential compromise of database credentials while ensuring that the data remains secure during transfers.
Other options, while they may provide some level of security, do not fully address the requirement to eliminate stored credentials or may not guarantee that data remains within the AWS network. For instance, Options C and D suggest using AWS Systems Manager Parameter Store or Secrets Manager, which are valid for managing credentials but do not directly address the request to minimize the impact of compromised credentials as effectively as IAM database authentication.
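As an added illustration (not part of the original page) of what the Lambda function's IAM role looks like under option A: the role is granted `rds-db:connect` for a single database user instead of holding a password, plus the S3 and KMS permissions needed to write objects to an SSE-KMS bucket. The region, account ID (`111122223333`), cluster resource ID, database user, bucket name and key ID are placeholder values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectWithIamDbAuth",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:cluster-EXAMPLEID/lambda_user"
    },
    {
      "Sid": "WriteAggregatedData",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-aggregates-bucket/*"
    },
    {
      "Sid": "UseBucketKmsKey",
      "Effect": "Allow",
      "Action": ["kms:GenerateDataKey", "kms:Encrypt"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    }
  ]
}
```

The function then requests a short-lived authentication token at run time (for example with the `rds.generate_db_auth_token` call in the AWS SDK) and presents it in place of a password; a leaked token expires within minutes, and the S3 writes reach the bucket through the gateway VPC endpoint rather than the Internet.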



A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.

While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company’s developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.

The solutions architect must implement a control mechanism that limits the instance types the developers can launch.

Which solution will meet these requirements?

  1. Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.
  2. In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers’ IAM accounts.
  3. Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers.
  4. Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.

Answer(s): C

Explanation:

To effectively control the instance types that developers can launch in Amazon EC2 while ensuring alignment with the organization's cost management strategy, the best approach is to use an IAM policy that explicitly restricts the allowed instance types.
Option C is the most suitable solution for the following reasons:
1. IAM Policy Creation: By creating a new IAM policy that specifies the allowed instance types, you can enforce which EC2 instance types developers are permitted to launch. This prevents them from launching more expensive or inappropriate instance types that lead to unnecessary costs.
2. Attaching to IAM Group: The policy can be attached to an IAM group that includes all the developers. This makes it easier to manage permissions collectively rather than having to adjust individual IAM accounts.
3. Least Privilege Principle: This approach adheres to the principle of least privilege by restricting access only to the necessary instance types required for their work, thereby reducing the likelihood of cost overruns due to unintentional usage of more expensive resources.
Other options, such as using AWS Config (Option A) or launch templates (Option B), do not provide the same level of direct control over the instance types allowed for specific users. Option D, using EC2 Image Builder, does not address the requirement of limiting instance types and is unrelated to the cost issue identified. Thus, Option C provides a targeted and effective solution for the problem at hand.
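An added example (not from the original page) of the IAM policy option C describes, attached to the developers' group: an explicit deny on `ec2:RunInstances` whenever the requested `ec2:InstanceType` is not on the allow list. The three `t3` sizes are an assumed allow list; the condition key is evaluated against the instance resource, which is why the `Resource` is the instance ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesNotOnAllowList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small", "t3.medium"]
        }
      }
    }
  ]
}
```

Because it is an explicit deny, it overrides any broader `ec2:*` allow the developers already have, so launches of a large instance type fail at the API call rather than being detected after the cost has been incurred.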



A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost for cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation.

Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Choose three.)

  1. Create an AWS Config rule in each account to find resources with missing tags.
  2. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing.
  3. Use Amazon Inspector in the organization to find resources with missing tags.
  4. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is missing.
  5. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.
  6. Use AWS Security Hub to aggregate a list of EC2 instances with the missing Project tag.

Answer(s): A,B,E

Explanation:

To ensure all EC2 instances have the necessary Project tag for cost allocation:
- A. Create an AWS Config rule in each account to find resources with missing tags. This helps continuously monitor and report on instances that lack the required tag.
- B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing. This enforces tagging at the organization level, preventing instances from being launched in any member account without the Project tag.
- E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag. This allows centralized visibility across multiple accounts, facilitating easier management and compliance verification.
These actions collectively help enforce and monitor tagging compliance across AWS accounts.
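As an added example (not part of the original page) of the preventive control in option B, this SCP denies `ec2:RunInstances` when the request carries no `Project` tag for the instance; the `Null` condition is true exactly when `aws:RequestTag/Project` is absent. The statement ID is assumed.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    }
  ]
}
```

Attached to the organization root or the relevant OU, the SCP applies even to account administrators, which a per-account IAM policy (option D) cannot guarantee; the detective side is the AWS Config managed rule `required-tags` with `tag1Key` set to `Project`, reported centrally through the aggregator from option E.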



A company has an on-premises monitoring solution using a PostgreSQL database for persistence of events. The database is unable to scale due to heavy ingestion and it frequently runs out of storage.

The company wants to create a hybrid solution and has already set up a VPN connection between its network and AWS. The solution should include the following attributes:
-Managed AWS services to minimize operational complexity.
-A buffer that automatically scales to match the throughput of data and requires no ongoing administration.
-A visualization tool to create dashboards to observe events in near-real time.
-Support for semi-structured JSON data and dynamic schemas.

Which combination of components will enable the company to create a monitoring solution that will satisfy these requirements? (Choose two.)

  1. Use Amazon Kinesis Data Firehose to buffer events. Create an AWS Lambda function to process and transform events.
  2. Create an Amazon Kinesis data stream to buffer events. Create an AWS Lambda function to process and transform events.
  3. Configure an Amazon Aurora PostgreSQL DB cluster to receive events. Use Amazon QuickSight to read from the database and create near-real-time visualizations and dashboards.
  4. Configure Amazon Elasticsearch Service (Amazon ES) to receive events. Use the Kibana endpoint deployed with Amazon ES to create near-real-time visualizations and dashboards.
  5. Configure an Amazon Neptune DB instance to receive events. Use Amazon QuickSight to read from the database and create near-real-time visualizations and dashboards.

Answer(s): A,D

Explanation:

To create a hybrid monitoring solution that meets the specified requirements:

A) Use Amazon Kinesis Data Firehose to buffer events. Create an AWS Lambda function to process and transform events. Kinesis Data Firehose automatically scales to match data throughput and can handle semi-structured JSON data, providing a reliable buffer for event ingestion.

D) Configure Amazon Elasticsearch Service (Amazon ES) to receive events. Use the Kibana endpoint deployed with Amazon ES to create near-real-time visualizations and dashboards. Amazon ES is designed for indexing and searching large volumes of data, including semi-structured JSON, and Kibana allows for creating interactive dashboards to visualize the data in real time.

This combination minimizes operational complexity while providing the necessary capabilities for the company's monitoring needs.



Post your Comments and Discuss Amazon AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL exam with other Community members:

Zak commented on June 28, 2024
@AppleKid, I managed to pass this exam after failing once. Do not sit for your exam without memorizing these questions. These are what you will see in the real exam.
Anonymous

Apple Kid commented on June 26, 2024
Did anyone give the exam recently and tell if these are good?
Anonymous

Captain commented on June 26, 2024
This is so helpful
Anonymous

udaya commented on April 25, 2024
still learning and the questions seem to be helpful
Anonymous

Jerry commented on February 18, 2024
very good for the exam!!!!
HONG KONG

AWS-Guy commented on February 16, 2024
Precise and to the point. I aced this exam and am now going for the next exam. Very grateful to this site and its wonderful content.
CANADA

Jerry commented on February 12, 2024
very good exam stuff
HONG KONG

travis head commented on November 16, 2023
I gave the Amazon SAP-C02 test and prepared from this site, as it has the latest mock tests available, which helped me evaluate my performance and score 919/1000.
Anonymous

Weed Flipper commented on October 07, 2020
This is good stuff man.
CANADA

IT-Guy commented on September 29, 2020
Xengine software is good and free. Too bad it is only in English and has no support for French.
FRANCE

pema commented on August 30, 2019
Can I have the latest version of this exam?
GERMANY

MrSimha commented on February 23, 2019
Thank you
Anonymous

Phil C. commented on November 12, 2018
Too soon to tell, but I will be back to post a review after my exam.
Anonymous

MD EJAZ ALI TANWIR commented on August 20, 2017
This is a valid dump in the US. Thank you guys for providing this.
UNITED STATES

flypig commented on June 02, 2017
The Braindumps will shorten my preparation time for this exam!
CHINA