AWS Certified Solutions Architect Professional - Practice Exam 2
This credential helps certified individuals showcase advanced knowledge and skills in providing complex solutions to complex problems, optimizing security, cost, and performance, and automating manual processes. This certification is a means for organizations to identify and develop talent with these critical skills for implementing cloud initiatives.
Q1
A company wants to reduce the costs associated with a containerized ECS application as much as possible while reducing the probability of service interruptions.
How can a Solutions Architect configure the solution?
Q2
A retail company runs a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF.
Due to new requirements, external companies need to connect to the web application. The retail company must provide IP addresses to all external companies.
Which solution will meet these requirements with the LEAST operational overhead?
Q3
A company with a management account and several accounts in an AWS Organization wishes to restrict access to a specific set of AWS services in the existing member accounts.
What is the most efficient method to fulfill this requirement?
Q4
A new on-demand video application based on microservices has been deployed on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate. The application will have 5 million users at launch and 20 million after 12 months. The company developed the application using ECS services that use the HTTPS protocol.
A solutions architect needs to implement updates to the application by using blue/green deployments. The solution must distribute traffic to each ECS service through a load balancer. The application must automatically adjust the number of tasks in response to an Amazon CloudWatch alarm.
Which solution will meet these requirements?
Q5
A Solutions Architect is designing a publicly accessible web application from an Amazon S3 website endpoint. The S3 website is the origin of an Amazon CloudFront distribution. When the solution is deployed, the website returns the following error:
Error 403: Access Denied
Which steps should the solutions architect take to fix the issue? (Select THREE.)
Q6
During a security audit, a username and password for an Amazon RDS database were found in clear text in the Lambda function code.
The Solutions Architect is concerned about this security issue and wants to better secure the service.
Which change should the Solutions Architect make to improve the solution's security?
Q7
A Solutions Architect wants to ensure that only IAM users or roles with appropriate permissions can access a new Amazon API Gateway endpoint.
The Solutions Architect must also see an end-to-end view of each request, analyze its latency, and create service maps.
How can the Solutions Architect design the API Gateway access control to meet this requirement?
Q8
A company is planning to migrate an on-premises transaction-processing application running inside Docker containers to AWS. The Docker containers are hosted on VMs in the company's data center and have a shared storage where the application records transaction data.
The transactions are time-sensitive, and the volume of transactions inside the application is unpredictable. The company must implement a low-latency storage solution that will automatically scale throughput to meet increased demand.
How should the company migrate the application to AWS to meet these requirements?
Q9
A company is using AWS Organizations. Its flagship web app runs in the 'us-east-1' region, uses AWS Lambda functions, and stores data in an Amazon Aurora database. The application deploys the Lambda functions by using a deployment package. The company has configured automated backups for Aurora.
The company wants to move the application to another AWS account within the same AWS organization. The application processes critical data, and the company must minimize downtime.
Which solution will meet the requirements for moving this application from the source account to the target account?
Q10
A new employee has just joined a new team. The employee initially requires access to manage Amazon S3, Amazon RDS, and Amazon EC2. All the other team members belong to an IAM group, which provides additional permissions to manage all other AWS services.
The team manager initially wants to restrict the new employee's permissions until the employee assumes additional responsibilities. As the employee's role evolves, the manager needs to be able to easily expand their access, eventually providing the same permissions as the rest of the team.
How can the manager limit the permissions assigned to the new user account while minimizing complexity?
Q11
A company's Solutions Architect is re-engineering its CI/CD practices to update a critical web application deployed in a fleet of Amazon EC2 instances behind an Application Load Balancer. The application manager requires that deployments happen as quickly as possible with minimal downtime. In the case of errors, there must be an ability to roll back quickly.
The company currently uses AWS CodeCommit to host the application source code and has configured an AWS CodeBuild project to build the application. The company also plans to use AWS CodePipeline to trigger builds from CodeCommit commits using the existing CodeBuild project.
What CI/CD configuration meets all of the requirements?
Q12
A company stores highly confidential information in an Amazon S3 bucket. After suffering an attack and experiencing a breach of information, the security team came up with new requirements that must be met:
- Identify remote IP addresses that are accessing the bucket objects.
- Receive alerts when the security policy on the bucket is changed.
- Remediate the policy changes automatically.
Which strategies should a Solutions Architect use to meet these requirements?
Q13
A company runs a processing engine in the AWS Cloud. The engine processes data to calculate complex results. Millions of devices send information to the processing engine through a RESTful API. Lately, the API has experienced unpredictable bursts of traffic.
The company must implement a solution to process all data that the devices send to the processing engine. Data loss is unacceptable.
Which solution will meet these requirements?
Q14
During a security audit, IAM secret access keys were found in clear text in AWS CodeCommit repositories. The security team requires measures to automatically find and remediate this vulnerability on an ongoing basis.
Which solution meets these requirements?
Q15
A company hosts an application on Amazon EC2 instances in a private subnet within an Amazon VPC. The application stores files in a specific Amazon S3 bucket. Due to some new regulations, the files should not traverse the internet, and only application instances should be granted access to save files in the S3 bucket. A gateway endpoint has been created for Amazon S3 and connected to the Amazon VPC.
What additional steps should a Solutions Architect take to meet these requirements?
Q16
A health company stores Personally Identifiable Information (PII) in an Amazon S3 bucket. The current configuration encrypts the objects with server-side encryption with S3-managed encryption keys (SSE-S3). Versioning is not enabled in the bucket.
According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages.
Which solution will meet these requirements?
Q17
A company is designing an application that requires cross-region disaster recovery with an RTO of 5 minutes and an RPO of 1 hour. The application runs on Amazon EC2 instances and a MySQL database.
Which option could a Solutions Architect recommend to meet the company’s disaster recovery requirements?
Q18
A company needs to deploy an application. The application is deployed on Amazon EC2 instances across multiple Availability Zones in the eu-west-1 Region. The solution must meet these constraints:
1) The application requires access to 300 GB of static data before the application starts.
2) The application layer must quickly scale on demand.
3) Startup time must be minimized as much as possible.
4) The development team must be able to change the code multiple times in a day.
5) Any critical OS patches must be installed within 48 hours of release.
Which deployment strategy meets these requirements?
Q19
A highly available web application is being deployed on multiple Amazon EC2 instances. It requires users to authenticate before accessing the content.
A Solutions Architect needs to design a solution that allows users to remain authenticated even if an underlying instance fails.
Which solution will meet these requirements?
Q20
A company wants to migrate its existing on-premises Oracle database to Amazon Aurora PostgreSQL using AWS DMS. The migration must be completed with minimal downtime and impact on the source database. The company has hired an AWS Certified Solutions Architect to carry out the migration and validate that the data was migrated accurately from the source to the target before the cutover.
Which approach will MOST effectively meet these requirements?
Q21
A company runs an application on Amazon EC2 instances in an Amazon VPC and must access an external service that runs on an HTTPS REST API.
After being contacted, the provider of the external API said it can only grant access to a single source public IP address per customer.
Which configuration can enable access to the API service using a single IP address without modifying the company’s application?
Q22
A company's flagship web application runs on AWS using a three-tier web architecture. The application is PHP-based and comprises an Apache Tomcat web server layer of Amazon EC2 instances in an Auto-Scaling group. The database layer runs on an Amazon Aurora MySQL database.
The application was working fine, but users reported errors and timeouts during a marketing event. The operations team reviewed the web application logs and the Amazon Aurora DB metrics. However, some web servers were terminated before logs could be collected, and the Aurora metrics were insufficient for query performance analysis.
Which combination of steps must a Solutions Architect take to improve application performance visibility during peak traffic marketing events? (Select THREE.)
Q23
A Solutions Architect plans to migrate the application to the AWS Cloud. The application consists of a series of components, and each component processes data within a few seconds before passing it on to the next component.
The Solutions Architect must refactor the application into serverless microservices that are fully coordinated using cloud-native services.
Which approach meets these requirements in the most cost-effective way?
Q24
A fleet of EC2 instances backs up a large quantity of data by uploading it to an Amazon S3 bucket in another region daily.
Some S3 uploads have been failing, and the storage costs have significantly increased.
How can a Solutions Architect configure the backup jobs to efficiently back up data to S3 while reducing storage costs?
Q25
A company's on-premises data center is connected to AWS over a minimally used 10-Gbps Direct Connect connection using a private virtual interface to its virtual private cloud (VPC).
The company performs a data archival workflow once a month. It has an internet connection of 100 Mbps, and the usual archive size is around 150 TB. The workflow is executed on the first Friday of each month and must be transferred and available on Amazon S3 by Monday morning.
Which option would you recommend as the LEAST expensive way to address the given use case?
Q26
A company has an application used for storing marketing data. The data is unstructured and stored in a MySQL database running on a single Amazon EC2 instance.
The application's front end is composed of six EC2 instances in three Availability Zones (AZs). Each week, the application receives bursts of traffic, and its performance suffers.
A Solutions Architect must design a solution to address scalability and reliability.
Which set of actions should the Solutions Architect take?
Q27
A company must migrate its on-premises data processing application to the AWS Cloud. The application processes input files that users upload through a web portal.
A web server stores the uploaded files on NAS and messages the processing server over a message queue. Each file can take up to 1 hour to process, and the number of files waiting to be processed is significantly higher during business hours. The number of files drops after business hours.
Which of the following is the MOST cost-effective migration recommendation?
Q28
A company is mounting IoT sensors in all of its stores worldwide. During the manufacturing of each sensor, the company’s private certificate authority (CA) issues an X.509 certificate that contains a unique serial number. The company then deploys each certificate to its respective sensor.
The company hired you as a Solutions Architect to give the sensors the ability to send data to AWS after they are installed. Sensors must not be able to send data to AWS until they are installed.
Which solution will meet these requirements?
Q29
A company has many separate AWS accounts, each hosting services for different departments. The company also has a Microsoft Azure Active Directory deployed.
A Solutions Architect needs to centralize billing and management of the company’s AWS accounts. The company wants to start using identity federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys.
Which combination of steps will meet these requirements? (Choose three.)
Q30
A Solutions Architect must design a solution to provide private connectivity from a company's WAN network to multiple AWS Regions. The company has offices worldwide, and its main data center is in California. Traffic must not traverse the public internet at any time, and the solution must also be highly available.
How can the Solutions Architect meet these requirements?
Q31
A company has a web application that uses Amazon API Gateway and AWS Lambda. A recent marketing campaign has increased demand, requiring the application to support thousands of simultaneous invocations.
A Solutions Architect noticed that requests fail multiple times before succeeding. Application logs indicate that AWS Lambda has no errors.
What is the most likely root cause of this problem?
Q32
To reduce the cost of several AWS Elastic Beanstalk environments, a Solutions Architect has to design a highly available solution that will spin up an Elastic Beanstalk environment in the morning and terminate it at the end of the day.
The solution should be designed with minimal operational overhead and to minimize costs. It should also be able to handle the increased use of Elastic Beanstalk environments among different teams and must provide a one-stop scheduler solution for all teams to keep operational costs as low as possible.
Which of the following solutions will meet these requirements?
Q33
A tech company operates a cloud-based application on AWS. The application includes an Amazon API Gateway API that exposes an HTTPS endpoint. The API uses AWS Lambda functions to process data, which is subsequently stored in an Amazon Aurora Serverless v1 database.
The company deployed the application using the AWS SAM, ensuring deployment across multiple Availability Zones, but currently lacks a disaster recovery (DR) strategy. Our mission is to design a DR strategy plan that can recover the application in a different AWS Region. It requires a Recovery Time Objective (RTO) of 5 minutes and a Recovery Point Objective (RPO) of 1 minute.
What actions should we take to fulfill these requirements?
Q34
An Amazon CloudFront distribution has been configured with an Amazon S3 bucket as the origin. After some testing, this has caused users to receive HTTP 307 Temporary Redirect responses from Amazon S3.
What might be causing this behavior, and how would you resolve it? (Select TWO.)
Q35
A tech company that recently migrated to AWS is building a hybrid DNS solution. To achieve this, they've set up an AWS Direct Connect (DX) connection linking their on-premises corporate network with an AWS Transit Gateway.
The solution will use an Amazon Route 53 private hosted zone for the domain 'tech.corporation.local' to manage resources within Amazon VPCs. The company has the following DNS resolution prerequisites:
- On-premises systems should be able to resolve and connect to 'tech.corporation.local'.
- All VPCs should be able to resolve 'tech.corporation.local'.
Which architecture should the company use to meet these requirements with the HIGHEST performance?
Q36
A company runs 50 Proof-of-Concept (PoC) applications on virtual servers in an on-premises data center. Most of the applications are simple Node.js and Python web applications that are no longer actively developed and serve a low number of concurrent users.
The applications use an average of 1 GB of memory, up to 3 GB during peak processing periods, which can last several hours.
What is the MOST cost-effective solution for these requirements?
Q37
An IoT company has IoT sensors in various locations. Each device sends data to the company’s Node.js API servers, which are hosted on Amazon EC2 instances behind an Application Load Balancer.
The data is stored in an Amazon RDS MySQL database, utilizing a 4 TB General Purpose SSD volume.
As the company expands its sensor network, the load on the API servers has steadily increased, resulting in consistent overloading. Additionally, RDS performance metrics indicate high write latency.
Which of the following steps would effectively resolve these issues in a sustainable manner, facilitating continued growth with the addition of new sensors while also maintaining cost-efficiency for the platform?
Q38
A company offers a membership program for its flagship application. Members need to download all files in a secured Amazon S3 bucket. An Amazon CloudFront distribution has been created to serve content from the Amazon S3 bucket to users worldwide.
Access should be restricted to members and not be available to anyone else.
What is the most efficient method a Solutions Architect should use to securely enable access to the files in the S3 bucket?
Q39
A new security mandate requires all personnel data held in the cloud to be encrypted at rest. Which two methods allow you to encrypt data stored in S3 buckets at rest cost-efficiently? (Select TWO)
Q40
A company has several Amazon RDS databases, each with over 80 TB of data. The company is building a data query platform for the Business Intelligence Analysts' team, which requires generating a weekly business report from the databases. The system should support ad-hoc SQL queries.
What is the MOST cost-effective solution?
Q41
A company saves confidential exports as CSV files in an Amazon S3 bucket. The data can only be accessed by IAM users.
Due to new requirements, an individual CSV file must be shared with an external organization.
A Solutions Architect used an IAM user account to attempt to perform a PUT Object call to enable a public ACL on the object, and it failed with "insufficient permissions."
What is the most likely cause of this issue?
Q42
A company hosts the front end of an application on AWS and the back end REST API in an on-premises environment. The back end and the front end will be connected over an AWS Direct Connect (DX) connection through a private virtual interface. The application requires consistent, redundant, and reliable connectivity between both servers.
Which design would provide the MOST reliable connection to the backend API?
Q43
A marketing company runs an application that stores ad invoices in an Amazon S3 bucket and metadata about the invoices in an Amazon DynamoDB table.
The application software runs in us-east-1 and eu-central-1. The S3 bucket and DynamoDB table are in us-east-1.
A Solutions Architect has been asked to implement protection from data corruption and the loss of connectivity to either Region.
Which solution meets these requirements?
Q44
An Amazon RDS database was created with encryption enabled using an AWS-managed CMK, but it does not require encryption anymore.
How can a Solutions Architect unencrypt the database with the LEAST operational overhead?
Q45
A company is deploying a web application on AWS. The application is packaged as a Docker image and is deployed as an AWS Fargate service in Amazon ECS behind an Application Load Balancer (ALB).
The company needs to allow only a specific list of users to access the application from the Internet. The company cannot change or integrate the application with an identity provider. All users must be authenticated through multi-factor authentication (MFA).
Which solution will meet these requirements?
Q46
A company must host a highly available and secure application in an AWS VPC. The VPC extends across two Availability Zones, each AZ consisting of a public and a private subnet.
The application is hosted on Amazon EC2 instances in the private subnet. It needs to communicate with the Internet via two NAT gateways and uses an Application Load Balancer in the public subnet. The service uses Amazon S3 for storage, adding an average of 1 TB in new objects daily.
A solutions architect must reduce the associated cost of the solution and reduce manual effort while maintaining security.
How can this be accomplished?
Q47
A company hosts a blog application on AWS utilizing Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. Currently, the application does not use API keys to authorize requests.
Users provide feedback on various articles. These are the main API endpoints:
GET /articles/{articleId}: to retrieve article details
GET /users/{userId}: to retrieve user details
GET /feedback/{feedbackId}: to retrieve feedback details
The company aims to boost user engagement by displaying feedback in real time.
Which design should be implemented to reduce feedback latency and improve user experience?
Q48
A company has deployed an application to multiple AWS accounts, including production and staging accounts.
Which solution is most appropriate for implementing centralized control of security identities and permissions to access the environments?
Q49
A company urgently needs to migrate data to AWS. The data center has a 1 Gbps internet connection and a separate 500 Mbps AWS Direct Connect link. The company must transfer 20 TB of data from the data center to an Amazon S3 bucket.
What is the FASTEST way of transferring the data?
Q50
An Amazon EC2 instance is located in a public subnet with the IPv6 address 2024:2db:1:101::1. After some testing, developers reported they could not access the web content.
The VPC Flow Logs for the subnet contain the following entries:
2 123456789010 eni-1235b8ca123456789 2024:2db:1:200::2 2024:2db:1:101::1 0 0 58 236 42336 1551200195 1551200434 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 2024:2db:1:101::1 2024:2db:1:200::2 0 0 58 236 42336 1551200195 1551200434 REJECT OK
Which of the following options will restore network reachability to the EC2 instance?
Q51
A company recently migrated from an on-premises data center to the AWS Cloud using a re-platforming strategy. One of the migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon.
This application sends outbound email messages to the company’s customers using SMTP, but the legacy SMTP server does not support TLS encryption and uses TCP port 25.
The company has decided to use Amazon Simple Email Service (Amazon SES) and decommission the legacy SMTP server. They have created and validated the SES domain and have lifted the SES limits.
How should the company modify the application to send email messages through Amazon SES?
Q52
A company deploys JavaScript and Python applications to AWS using AWS CodePipeline and AWS CloudFormation. However, the company is looking for a new way of deploying the applications without using CloudFormation, as the developers don't want to learn new domain-specific languages. The developers also want to use features of JavaScript and Python, such as looping.
How can the company address the developers' concerns and quickly bring the applications up to deployment standards?
Q53
A company is planning to migrate its on-premises data center to AWS. Currently, the data center operates on Linux-based VMware VMs.
Due to some requirements, information about the network dependencies between these VMs must be gathered. This information must be presented in a diagram that includes the following information:
- Host IP addresses
- Hostnames
- Network connection details
Which solution will meet these requirements?
Q54
A data analytics company generates around 20 GB of statistical data daily, expected to increase over time.
They use Amazon S3 as the data lake to store the data. A Solutions Architect plans to use Amazon Athena to analyze this data by date ranges.
Which is the most optimal way to save this data to get the best performance as the data grows? (Select TWO.)
Q55
A company uses SSH to connect to EC2 instances hosted in private subnets from an on-premises environment. The EC2 instances are based on the latest Amazon Linux 2 AMI.
The company's architecture includes a VPC with private and public subnets and a NAT gateway. They also have a Site-to-Site VPN for connectivity with the on-premises environment and EC2 security groups with direct SSH access from the on-premises environment.
Which strategy should the company use to increase security control around SSH access and comply with auditing requirements?
Q56
A company uses an AWS CodeCommit repository and needs to store a backup copy of the repository data in a different AWS Region.
Which solution will meet these requirements?
Q57
A company is migrating a 30 TB PostgreSQL database from its on-premises data center to AWS. The database grows at the rate of 12 GB per day.
The data center is connected to AWS using a 50 Mbps internet connection and an IPSec VPN connection to the Amazon VPC. The company needs to migrate the database within 2 weeks.
Which combination of actions will meet the migration schedule with the LEAST downtime? (Select THREE.)
Q58
A company has deployed a web application on Amazon EC2 instances within a private subnet. An Application Load Balancer (ALB) is set up to manage traffic to these instances. The EC2 instances are associated with a security group named InstanceSG, while the ALB is assigned to a security group named ALBSG. The security team must lock down the security group rules according to best practices.
What rules should be configured in the security groups? (Select TWO.)
Q59
An application deployed using an AWS CloudFormation stack uses multiple AWS Lambda functions. A new version has been developed, and the engineering team is trying to implement a deployment process that supports a canary release. They want to test the new version incrementally using small incremental deployments.
Which solution will meet these requirements?
Q60
A company is developing a reporting tool with thousands of devices. The devices will send 8 KB of data per second to a data platform that must process and analyze the data and provide information back. The data platform must support near real-time analytics of the inbound data, provide durability and parallelization for the data, and deliver results to a data warehouse.
Which strategy should the company use to meet these requirements?