CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL

Free AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL Exam Braindumps (page: 29)

Page 29 of 134
PDF with 528 Questions

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and in internet gateway. Each public subnet also contains a NAT gateway. Most of the company’s applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets.

A solutions architect must review the infrastructure. The solution architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.

What should the solutions architect do to meet these requirements?

  1. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
  2. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
  3. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.
  4. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.

Answer(s): D

Explanation:

To reduce costs associated with NAT Gateway charges while maintaining application functionality:

D) Adding an interface VPC endpoint for Kinesis Data Streams allows the applications running in private subnets to send and receive data directly to and from Kinesis without routing the traffic through the NAT gateway. This setup significantly lowers the data transfer costs (NatGateway-Bytes charges) by eliminating the need for the NAT gateway for Kinesis communications, while ensuring that the applications continue to function as required.



A retail company has an on-premises data center in Europe. The company also has a multi-Region AWS presence that includes the eu-west-1 and us-east-1 Regions. The company wants to be able to route network traffic from its on-premises infrastructure into VPCs in either of those Regions. The company also needs to support traffic that is routed directly between VPCs in those Regions. No single points of failure can exist on the network.

The company already has created two 1 Gbps AWS Direct Connect connections from its on-premises data center. Each connection goes into a separate Direct Connect location in Europe for high availability. These two locations are named DX-A and DX-B, respectively. Each Region has a single AWS Transit Gateway that is configured to route all inter-VPC traffic within that Region.

Which solution will meet these requirements?

  1. Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a private VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with the Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.
  2. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Associate the eu-west-1 transit gateway with this Direct Connect gateway. Create a transit VIF from the DX-8 connection into a separate Direct Connect gateway. Associate the us-east-1 transit gateway with this separate Direct Connect gateway. Peer the Direct Connect gateways with each other to support high availability and cross-Region routing.
  3. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Configure the Direct Connect gateway to route traffic between the transit gateways.
  4. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.

Answer(s): D

Explanation:

To meet the requirements of routing network traffic from the on-premises infrastructure into VPCs in both the eu-west-1 and us-east-1 Regions, while ensuring high availability and supporting direct traffic routing between VPCs:
D) Creating a transit VIF from both the DX-A and DX-B connections into the same Direct Connect gateway provides high availability and redundancy. Associating both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway allows for cross-Region routing. Peering the transit gateways facilitates inter-VPC communication across the Regions. This solution effectively eliminates single points of failure while ensuring that the network traffic is efficiently routed.



A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account.

Which combination of steps will meet these requirements? (Choose three.)

  1. Create an Amazon EventBridge (Amazon CloudWatch Events) rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.
  2. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.
  3. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.
  4. Invoke an AWS Step Functions state machine to remove access.
  5. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
  6. Use Amazon Pinpoint to notify the security team.

Answer(s): A,D,E

Explanation:

To implement a solution that ensures all new IAM users require security team approval and that their access is removed automatically:

A) Creating an Amazon EventBridge rule allows monitoring of specific API calls via CloudTrail, specifically the CreateUser event. This setup captures the creation of new IAM users.

D) Invoking an AWS Step Functions state machine to remove access provides a controlled and automated way to handle the removal of permissions for the new IAM users. This approach allows for more complex workflows, including handling the approval process.

E) Using Amazon Simple Notification Service (SNS) to notify the security team ensures that they receive timely alerts for each new user creation, enabling them to take necessary actions for approval.

This combination effectively automates the IAM user creation process while maintaining the required security checks and balances.



A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.

The company must create separate accounts for development. staging, production, and shared network. The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other.

Which combination of steps should a solutions architect take 10 meet these requirements? (Choose three.)

  1. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.
  2. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.
  3. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.
  4. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.
  5. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.
  6. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognoto user pools and Identity pools to manage access to accounts and between accounts.

Answer(s): A,C,D

Explanation:

To meet the company's requirements for a multi-account structure with centralized management and secure access, the following steps are recommended:

A) Deploying a landing zone environment using AWS Control Tower simplifies the setup of a multi-account structure and enables centralized management of accounts within AWS Organizations. It helps enforce best practices, including account enrollment and organization setup.

C) Creating transit gateways and VPC attachments allows for secure connectivity between the production account, shared network account, and other accounts. This setup ensures private network traffic and the necessary connectivity for resources across accounts.

D) Setting up AWS IAM Identity Center (formerly AWS Single Sign-On) provides centralized access management across accounts. Creating permission sets with required MFA ensures secure access for users when logging in, aligning with the company's security requirements.

This combination allows the company to manage access efficiently while ensuring compliance with security policies like MFA and traffic isolation.



Page 29 of 134



Post your Comments and Discuss Amazon AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL exam with other Community members:

Zak commented on June 28, 2024
@AppleKid, I manged to pass this exam after failing once. Do not set for your exam without memorizing these questions. These are what you will see in the real exam.
Anonymous
upvote

Apple Kid commented on June 26, 2024
Did anyone gave exam recently and tell if these are good?
Anonymous
upvote

Captain commented on June 26, 2024
This is so helpful
Anonymous
upvote

udaya commented on April 25, 2024
stulll learning and seem to be questions are helpful
Anonymous
upvote

Jerry commented on February 18, 2024
very good for exam !!!!
HONG KONG
upvote

AWS-Guy commented on February 16, 2024
Precise and to the point. I aced this exam and now going for the next exam. Very great full to this site and it's wonderful content.
CANADA
upvote

Jerry commented on February 12, 2024
very good exam stuff
HONG KONG
upvote

travis head commented on November 16, 2023
I gave the Amazon SAP-C02 tests and prepared from this site as it has latest mock tests available which helped me evaluate my performance and score 919/1000
Anonymous
upvote

Weed Flipper commented on October 07, 2020
This is good stuff man.
CANADA
upvote

IT-Guy commented on September 29, 2020
Xengine software is good and free. Too bad it is only in English and no support for French.
FRANCE
upvote

pema commented on August 30, 2019
Can I have the latest version of this exam?
GERMANY
upvote

MrSimha commented on February 23, 2019
Thank you
Anonymous
upvote

Phil C. commented on November 12, 2018
To soon to tell, but I will be back to post a review after my exam.
Anonymous
upvote

MD EJAZ ALI TANWIR commented on August 20, 2017
This is valid dump in US. Thank you guys for providing this.
UNITED STATES
upvote

flypig commented on June 02, 2017
The Braindumps will short my ready time for this exam!
CHINA
upvote