Free AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL Exam Braindumps (page: 50)

Page 50 of 134

A company is using an organization in AWS Organizations to manage hundreds of AWS accounts. A solutions architect is working on a solution to provide baseline protection for the Open Web Application Security Project (OWASP) top 10 web application vulnerabilities. The solutions architect is using AWS WAF for all existing and new Amazon CloudFront distributions that are deployed within the organization.

Which combination of steps should the solutions architect take to provide the baseline protection? (Choose three.)

  A. Enable AWS Config in all accounts.
  B. Enable Amazon GuardDuty in all accounts.
  C. Enable all features for the organization.
  D. Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions.
  E. Use AWS Shield Advanced to deploy AWS WAF rules in all accounts for all CloudFront distributions.
  F. Use AWS Security Hub to deploy AWS WAF rules in all accounts for all CloudFront distributions.

Answer(s): A,C,D

Explanation:

- A) Enable AWS Config in all accounts: AWS Config is essential for tracking configuration changes and compliance across all accounts. It ensures that security measures like AWS WAF and other services are properly monitored and consistently applied across the organization.
- C) Enable all features for the organization: Enabling all features in AWS Organizations allows centralized management and the use of AWS security and compliance services like AWS Firewall Manager across all AWS accounts. This step is necessary for organization-wide security control.
- D) Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions: AWS Firewall Manager simplifies the deployment and management of AWS WAF rules across multiple AWS accounts and resources, including CloudFront distributions, ensuring baseline protection against OWASP top 10 vulnerabilities.

This combination ensures centralized, consistent security policies across all accounts with minimal operational overhead.



A solutions architect has implemented a SAML 2.0 federated identity solution with their company's on-premises identity provider (IdP) to authenticate users' access to the AWS environment. When the solutions architect tests authentication through the federated identity web portal, access to the AWS environment is granted. However, when test users attempt to authenticate through the federated identity web portal, they are not able to access the AWS environment.

Which items should the solutions architect check to ensure identity federation is properly configured? (Choose three.)

  A. The IAM user's permissions policy has allowed the use of SAML federation for that user.
  B. The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principal.
  C. Test users are not in the AWSFederatedUsers group in the company's IdP.
  D. The web portal calls the AWS STS AssumeRoleWithSAML API with the ARN of the SAML provider, the ARN of the IAM role, and the SAML assertion from the IdP.
  E. The on-premises IdP's DNS hostname is reachable from the AWS environment VPCs.
  F. The company's IdP defines SAML assertions that properly map users or groups in the company to IAM roles with appropriate permissions.

Answer(s): B,C,E

Explanation:

- B) The IAM roles created for the federated users' or federated groups' trust policy have set the SAML provider as the principal: The trust policy of the IAM roles must properly set the SAML provider as the principal to allow federated users access to AWS resources. Without this, the SAML assertions won't map correctly, causing access issues.
- C) Test users are not in the AWSFederatedUsers group in the company's IdP: Federated users must belong to the correct group in the IdP for their SAML assertions to map to the corresponding IAM roles in AWS. Ensuring the users are in the right group is critical for proper access.
- F) The company's IdP defines SAML assertions that properly map users or groups to IAM roles with appropriate permissions: The SAML assertions from the IdP must be correctly configured to map users or groups to corresponding IAM roles with appropriate permissions in AWS. This ensures that users receive the permissions they are entitled to when authenticating.

These checks ensure proper configuration for the federated identity solution.



A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application’s operations insert records into the database. The application currently stores credentials in a text-based configuration file.

The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis.

Which solution will meet these requirements?

  A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
  B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store.
  C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager.
  D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store.

Answer(s): A

Explanation:

- A) Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager: RDS Proxy helps manage and pool database connections efficiently, which can reduce the load on the database by reusing connections. Storing the credentials in AWS Secrets Manager ensures that the credentials are kept secure and can be rotated automatically. This solution addresses both the connection load issue and the need for secure and regularly rotated credentials.

This approach meets the requirements for connection load management and credential security with minimal operational complexity.



A company needs to build a disaster recovery (DR) solution for its ecommerce website. The web application is hosted on a fleet of t3.large Amazon EC2 instances and uses an Amazon RDS for MySQL DB instance. The EC2 instances are in an Auto Scaling group that extends across multiple Availability Zones.

In the event of a disaster, the web application must fail over to the secondary environment with an RPO of 30 seconds and an RTO of 10 minutes.

Which solution will meet these requirements MOST cost-effectively?

  A. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create a cross-Region read replica for the DB instance. Set up a backup plan in AWS Backup to create cross-Region backups for the EC2 instances and the DB instance. Create a cron expression to back up the EC2 instances and the DB instance every 30 seconds to the DR Region. Recover the EC2 instances from the latest EC2 backup. Use an Amazon Route 53 geolocation routing policy to automatically fail over to the DR Region in the event of a disaster.
  B. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create a cross-Region read replica for the DB instance. Set up AWS Elastic Disaster Recovery to continuously replicate the EC2 instances to the DR Region. Run the EC2 instances at the minimum capacity in the DR Region. Use an Amazon Route 53 failover routing policy to automatically fail over to the DR Region in the event of a disaster. Increase the desired capacity of the Auto Scaling group.
  C. Set up a backup plan in AWS Backup to create cross-Region backups for the EC2 instances and the DB instance. Create a cron expression to back up the EC2 instances and the DB instance every 30 seconds to the DR Region. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Manually restore the backed-up data on new instances. Use an Amazon Route 53 simple routing policy to automatically fail over to the DR Region in the event of a disaster.
  D. Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create an Amazon Aurora global database. Set up AWS Elastic Disaster Recovery to continuously replicate the EC2 instances to the DR Region. Run the Auto Scaling group of EC2 instances at full capacity in the DR Region. Use an Amazon Route 53 failover routing policy to automatically fail over to the DR Region in the event of a disaster.

Answer(s): B

Explanation:

- B) Use infrastructure as code (IaC) to provision the new infrastructure in the DR Region. Create a cross-Region read replica for the DB instance. Set up AWS Elastic Disaster Recovery to continuously replicate the EC2 instances to the DR Region. Run the EC2 instances at the minimum capacity in the DR Region. Use an Amazon Route 53 failover routing policy to automatically fail over to the DR Region in the event of a disaster. Increase the desired capacity of the Auto Scaling group: This solution is cost-effective and meets the RPO of 30 seconds and the RTO of 10 minutes. The cross-Region read replica ensures near-real-time data availability in the DR Region, and AWS Elastic Disaster Recovery ensures continuous replication of EC2 instances. Running EC2 instances at the minimum capacity in the DR Region saves costs while ensuring quick recovery. Route 53 failover routing allows for automatic failover to the DR Region in case of a disaster.

This solution balances cost and performance while meeting the RPO and RTO requirements.






Post your Comments and Discuss Amazon AWS-SOLUTIONS-ARCHITECT-PROFESSIONAL exam with other Community members:

Zak commented on June 28, 2024
@AppleKid, I managed to pass this exam after failing once. Do not sit for your exam without memorizing these questions. These are what you will see in the real exam.
Anonymous

Apple Kid commented on June 26, 2024
Did anyone give the exam recently and can tell if these are good?
Anonymous

Captain commented on June 26, 2024
This is so helpful
Anonymous

udaya commented on April 25, 2024
Still learning, and the questions seem to be helpful.
Anonymous

Jerry commented on February 18, 2024
Very good for the exam!!!!
HONG KONG

AWS-Guy commented on February 16, 2024
Precise and to the point. I aced this exam and am now going for the next exam. Very grateful to this site and its wonderful content.
CANADA

Jerry commented on February 12, 2024
very good exam stuff
HONG KONG

travis head commented on November 16, 2023
I gave the Amazon SAP-C02 tests and prepared from this site, as it has the latest mock tests available, which helped me evaluate my performance and score 919/1000.
Anonymous

Weed Flipper commented on October 07, 2020
This is good stuff man.
CANADA

IT-Guy commented on September 29, 2020
Xengine software is good and free. Too bad it is only in English and no support for French.
FRANCE

pema commented on August 30, 2019
Can I have the latest version of this exam?
GERMANY

MrSimha commented on February 23, 2019
Thank you
Anonymous

Phil C. commented on November 12, 2018
Too soon to tell, but I will be back to post a review after my exam.
Anonymous

MD EJAZ ALI TANWIR commented on August 20, 2017
This is a valid dump in the US. Thank you guys for providing this.
UNITED STATES

flypig commented on June 02, 2017
The braindumps will shorten my ready time for this exam!
CHINA