SAA dump problem solving (71~110)

김연수 · July 24, 2024

71

A company runs a shopping application that uses Amazon DynamoDB to store customer information. In case of data corruption, a solutions architect needs to design a solution that meets a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 1 hour. What should the solutions architect recommend to meet these requirements?

B. Configure DynamoDB point-in-time recovery. For RPO recovery, restore to the desired point in time.

72

A company runs a photo processing application that needs to frequently upload and download pictures from Amazon S3 buckets that are located in the same AWS Region. A solutions architect has noticed an increased cost in data transfer fees and needs to implement a solution to reduce these costs. How can the solutions architect meet this requirement?

D. Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access to the S3 buckets.

73

A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

C. Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.

D. Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.

74

A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company. How should security groups be configured in this situation? (Choose two.)

A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.

C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.

75

A company wants to move a multi-tiered application from on premises to the AWS Cloud to improve the application's performance. The application consists of application tiers that communicate with each other by way of RESTful services. Transactions are dropped when one tier becomes overloaded. A solutions architect must design a solution that resolves these issues and modernizes the application. Which solution meets these requirements and is the MOST operationally efficient?

A. Use Amazon API Gateway and direct transactions to the AWS Lambda functions as the application layer. Use Amazon Simple Queue Service (Amazon SQS) as the communication layer between application services.

D. Use Amazon Simple Queue Service (Amazon SQS) to handle the messaging between application servers running on Amazon EC2 in an Auto Scaling group. Use Amazon CloudWatch to monitor the SQS queue length and scale up when communication failures are detected.

76

A company receives 10 TB of instrumentation data each day from several machines located at a single factory. The data consists of JSON files stored on a storage area network (SAN) in an on-premises data center located within the factory. The company wants to send this data to Amazon S3 where it can be accessed by several additional systems that provide critical near-real-time analytics. A secure transfer is important because the data is considered sensitive. Which solution offers the MOST reliable data transfer?

B. AWS DataSync over AWS Direct Connect

77

A company needs to configure a real-time data ingestion architecture for its application. The company needs an API, a process that transforms data as the data is streamed, and a storage solution for the data. Which solution will meet these requirements with the LEAST operational overhead?

C. Configure an Amazon API Gateway API to send data to an Amazon Kinesis data stream. Create an Amazon Kinesis Data Firehose delivery stream that uses the Kinesis data stream as a data source. Use AWS Lambda functions to transform the data. Use the Kinesis Data Firehose delivery stream to send the data to Amazon S3.

78

A company needs to keep user transaction data in an Amazon DynamoDB table. The company must retain the data for 7 years. What is the MOST operationally efficient solution that meets these requirements?

B. Use AWS Backup to create backup schedules and retention policies for the table.

AWS Backup

  • AWS Backup is a fully managed service that lets you protect large amounts of data simply and cost-effectively, based on policies.
  • Cloud-native backup
    Backs up key data stores such as buckets, volumes, databases, and file systems across multiple AWS services.

79

A company is planning to use an Amazon DynamoDB table for data storage. The company is concerned about cost optimization. The table will not be used on most mornings. In the evenings, the read and write traffic will often be unpredictable. When traffic spikes occur, they will happen very quickly. What should a solutions architect recommend?

A. Create a DynamoDB table in on-demand capacity mode.

80

A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots. What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?

B. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.

launchPermission property of the AMI

  • Making an AMI public
  • You can share an AMI with all AWS accounts so that it is publicly available.
  • Some AMIs cannot be made public: if an AMI contains any of the following components, it cannot be made public (it can still be shared with specific AWS accounts, however).
    Encrypted volumes
    Snapshots of encrypted volumes
    Product codes

81

A solutions architect is designing the cloud architecture for a new application being deployed on AWS. The process should run in parallel while adding and removing application nodes as needed based on the number of jobs to be processed. The processor application is stateless. The solutions architect must ensure that the application is loosely coupled and the job items are durably stored. Which design should the solutions architect use?

C. Create an Amazon SQS queue to hold the jobs that need to be processed. Create an Amazon Machine Image (AMI) that consists of the processor application. Create a launch template that uses the AMI. Create an Auto Scaling group using the launch template. Set the scaling policy for the Auto Scaling group to add and remove nodes based on the number of items in the SQS queue.

82

A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate. What should a solutions architect recommend to meet this requirement?

B. Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.

D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).

83

A company's dynamic website is hosted using on-premises servers in the United States. The company is launching its product in Europe, and it wants to optimize site loading times for new European users. The site's backend must remain in the United States. The product is being launched in a few days, and an immediate solution is needed. What should the solutions architect recommend?

C. Use Amazon CloudFront with a custom origin pointing to the on-premises servers.

84

A company wants to reduce the cost of its existing three-tier web architecture. The web, application, and database servers are running on Amazon EC2 instances for the development, test, and production environments. The EC2 instances average 30% CPU utilization during peak hours and 10% CPU utilization during non-peak hours. The production EC2 instances run 24 hours a day. The development and test EC2 instances run for at least 8 hours each day. The company plans to implement automation to stop the development and test EC2 instances when they are not in use. Which EC2 instance purchasing solution will meet the company's requirements MOST cost-effectively?

B. Use Reserved Instances for the production EC2 instances. Use On-Demand Instances for the development and test EC2 instances.

EC2 instance purchasing options

  1. On-Demand Instance
  • Like renting on the spot (with no discount at all), you can use an instance immediately whenever you want. You are billed for the time you actually use.
  2. Reserved Instance
  • You commit to using the instance for a specific term, pay a reservation fee up front, and then use the instance. Because of that commitment (much as with similar arrangements in everyday life), you can save a considerable amount.

85

A company has a production web application in which users upload documents through a web interface or a mobile app. According to a new regulatory requirement, new documents cannot be modified or deleted after they are stored. What should a solutions architect do to meet this requirement?

A. Store the uploaded documents in an Amazon S3 bucket with S3 Versioning and S3 Object Lock enabled.

S3

  1. Amazon S3 Versioning
    S3 Versioning: when S3 Versioning is enabled, a new version is created every time an object is modified, which preserves earlier versions of the object. Versioning on its own, however, does not prevent objects from being modified or deleted.

  2. S3 Object Lock
    S3 Object Lock: this feature locks objects and prevents their deletion and modification. Object Lock can be used to satisfy regulatory requirements. Object Lock has two modes:
    Governance Mode: only authorized users can modify or delete objects.
    Compliance Mode: no one can modify or delete objects. This is the strict mode that fully satisfies regulatory requirements.

86

A company has several web servers that need to frequently access a common Amazon RDS MySQL Multi-AZ DB instance. The company wants a secure method for the web servers to connect to the database while meeting a security requirement to rotate user credentials frequently. Which solution meets these requirements?

A. Store the database user credentials in AWS Secrets Manager. Grant the necessary IAM permissions to allow the web servers to access AWS Secrets Manager.

87

A company hosts an application on AWS Lambda functions that are invoked by an Amazon API Gateway API. The Lambda functions save customer data to an Amazon Aurora MySQL database. Whenever the company upgrades the database, the Lambda functions fail to establish database connections until the upgrade is complete. The result is that customer data is not recorded for some of the events. A solutions architect needs to design a solution that stores customer data that is created during database upgrades. Which solution will meet these requirements?

D. Store the customer data in an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Create a new Lambda function that polls the queue and stores the customer data in the database.

A. Provision an Amazon RDS proxy to sit between the Lambda functions and the database. Configure the Lambda functions to connect to the RDS proxy.

Amazon RDS Proxy

RDS Proxy manages database connections and optimizes the Lambda functions' connections through connection pooling.
However, while the database is being upgraded, RDS Proxy can also be affected, which can still cause connection problems.
RDS Proxy helps with managing database connections, but it does not provide a way to store data temporarily while the database is unavailable.

88

A survey company has gathered data for several years from areas in the United States. The company hosts the data in an Amazon S3 bucket that is 3 TB in size and growing. The company has started to share the data with a European marketing firm that has S3 buckets. The company wants to ensure that its data transfer costs remain as low as possible. Which solution will meet these requirements?

B. Configure S3 Cross-Region Replication from the company's S3 bucket to one of the marketing firm's S3 buckets.

A. Configure the Requester Pays feature on the company's S3 bucket.

89

A company uses Amazon S3 to store its confidential audit documents. The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege. Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution. What should a solutions architect do to secure the audit documents?

A. Enable the versioning and MFA Delete features on the S3 bucket.

90

A company is using a SQL database to store movie data that is publicly accessible. The database runs on an Amazon RDS Single-AZ DB instance. A script runs queries at random intervals each day to record the number of new movies that have been added to the database. The script must report a final total during business hours. The company's development team notices that the database performance is inadequate for development tasks when the script is running. A solutions architect must recommend a solution to resolve this issue. Which solution will meet this requirement with the LEAST operational overhead?

B. Create a read replica of the database. Configure the script to query only the read replica.

91

A company has applications that run on Amazon EC2 instances in a VPC. One of the applications needs to call the Amazon S3 API to store and read objects. According to the company's security regulations, no traffic from the applications is allowed to travel across the internet. Which solution will meet these requirements?

A. Configure an S3 gateway endpoint.

92

A company is storing sensitive user information in an Amazon S3 bucket. The company wants to provide secure access to this bucket from the application tier running on Amazon EC2 instances inside a VPC. Which combination of steps should a solutions architect take to accomplish this? (Choose two.)

A. Configure a VPC gateway endpoint for Amazon S3 within the VPC.

C. Create a bucket policy that limits access to only the application tier running in the VPC.

93

A company runs an on-premises application that is powered by a MySQL database. The company is migrating the application to AWS to increase the application's elasticity and availability. The current architecture shows heavy read activity on the database during times of normal operation. Every 4 hours, the company's development team pulls a full export of the production database to populate a database in the staging environment. During this period, users experience unacceptable application latency. The development team is unable to use the staging environment until the procedure completes. A solutions architect must recommend replacement architecture that alleviates the application latency issue. The replacement architecture also must give the development team the ability to continue using the staging environment without delay. Which solution meets these requirements?

B. Use Amazon Aurora MySQL with Multi-AZ Aurora Replicas for production. Use database cloning to create the staging database on-demand.

94

A company is designing an application where users upload small files into Amazon S3. After a user uploads a file, the file requires one-time simple processing to transform the data and save the data in JSON format for later analysis. Each file must be processed as quickly as possible after it is uploaded. Demand will vary. On some days, users will upload a high number of files. On other days, users will upload a few files or no files. Which solution meets these requirements with the LEAST operational overhead?

C. Configure Amazon S3 to send an event notification to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function to read from the queue and process the data. Store the resulting JSON file in Amazon DynamoDB.

D. Configure Amazon EventBridge (Amazon CloudWatch Events) to send an event to Amazon Kinesis Data Streams when a new file is uploaded. Use an AWS Lambda function to consume the event from the stream and process the data. Store the resulting JSON file in an Amazon Aurora DB cluster.

95

An application allows users at a company's headquarters to access product data. The product data is stored in an Amazon RDS MySQL DB instance. The operations team has isolated an application performance slowdown and wants to separate read traffic from write traffic. A solutions architect needs to optimize the application's performance quickly. What should the solutions architect recommend?

D. Create read replicas for the database. Configure the read replicas with the same compute and storage resources as the source database.

97

A company has a large Microsoft SharePoint deployment running on-premises that requires Microsoft Windows shared file storage. The company wants to migrate this workload to the AWS Cloud and is considering various storage options. The storage solution must be highly available and integrated with Active Directory for access control. Which solution will satisfy these requirements?

D. Create an Amazon FSx for Windows File Server file system on AWS and set the Active Directory domain for authentication.

98

An image-processing company has a web application that users use to upload images. The application uploads the images into an Amazon S3 bucket. The company has set up S3 event notifications to publish the object creation events to an Amazon Simple Queue Service (Amazon SQS) standard queue. The SQS queue serves as the event source for an AWS Lambda function that processes the images and sends the results to users through email. Users report that they are receiving multiple email messages for every uploaded image. A solutions architect determines that SQS messages are invoking the Lambda function more than once, resulting in multiple email messages. What should the solutions architect do to resolve this issue with the LEAST operational overhead?

C. Increase the visibility timeout in the SQS queue to a value that is greater than the total of the function timeout and the batch window timeout.

99

A company is implementing a shared storage solution for a gaming application that is hosted in an on-premises data center. The company needs the ability to use Lustre clients to access data. The solution must be fully managed. Which solution meets these requirements?

D. Create an Amazon FSx for Lustre file system. Attach the file system to the origin server. Connect the application server to the file system.

100

A company's containerized application runs on an Amazon EC2 instance. The application needs to download security certificates before it can communicate with other business applications. The company wants a highly secure solution to encrypt and decrypt the certificates in near real time. The solution also needs to store data in highly available storage after the data is encrypted. Which solution will meet these requirements with the LEAST operational overhead?

C. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon S3.

D. Create an AWS Key Management Service (AWS KMS) customer managed key. Allow the EC2 role to use the KMS key for encryption operations. Store the encrypted data on Amazon Elastic Block Store (Amazon EBS) volumes.

101

A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates. What should the solutions architect do to enable internet access for the private subnets?

A. Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.

NAT gateway

  • A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside the VPC, while external services cannot initiate a connection to those instances.
  1. Create three NAT gateways:
    Create a NAT gateway in the public subnet of each Availability Zone (AZ). Outbound traffic from the private subnets to the internet is then handled by the NAT gateway in its own AZ.
  2. Configure a private route table for each AZ:
    For each AZ, create a route table for the private subnet and configure it to forward non-VPC traffic (internet traffic) to the NAT gateway in that AZ.
    -> This sets up a NAT gateway in each Availability Zone (AZ) so that EC2 instances in the private subnets can reach the internet.

102

A company wants to migrate an on-premises data center to AWS. The data center hosts an SFTP server that stores its data on an NFS-based file system. The server holds 200 GB of data that needs to be transferred. The server must be hosted on an Amazon EC2 instance that uses an Amazon Elastic File System (Amazon EFS) file system. Which combination of steps should a solutions architect take to automate this task? (Choose two.)

B. Install an AWS DataSync agent in the on-premises data center.
E. Use AWS DataSync to create a suitable location configuration for the on-premises SFTP server.

103

A company has an AWS Glue extract, transform, and load (ETL) job that runs every day at the same time. The job processes XML data that is in an Amazon S3 bucket. New data is added to the S3 bucket every day. A solutions architect notices that AWS Glue is processing all the data during each run. What should the solutions architect do to prevent AWS Glue from reprocessing old data?

A. Edit the job to use job bookmarks.

104

A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website. Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)

A. Use AWS Shield Advanced to stop the DDoS attack.
C. Configure the website to use Amazon CloudFront for both static and dynamic content.

105

A company is preparing to deploy a new serverless workload. A solutions architect must use the principle of least privilege to configure permissions that will be used to run an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function. Which solution meets these requirements?

D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal.

106

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year. Which solution meets these requirements and is the MOST operationally efficient?

D. Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

107

A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solutions architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API. Which action meets these requirements for storing and retrieving location data?

A. Use Amazon Athena with Amazon S3.

Amazon Athena

Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon S3 (Amazon Simple Storage Service) using standard SQL.
In Athena, you point at data stored in Amazon S3 and run ad hoc queries using standard SQL to get results within seconds.

B. Use Amazon API Gateway with AWS Lambda.

cf. #75

  • When "multi-tier" comes up: API Gateway with Lambda?

cf. #77

  • Streaming data: API Gateway, Kinesis data stream

108

A company has an automobile sales website that stores its listings in a database on Amazon RDS. When an automobile is sold, the listing needs to be removed from the website and the data must be sent to multiple target systems. Which design should a solutions architect recommend?

A. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the information to an Amazon Simple Queue Service (Amazon SQS) queue for the targets to consume.

B. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the information to an Amazon Simple Queue Service (Amazon SQS) FIFO queue for the targets to consume.

Amazon SQS FIFO queue

  • FIFO (First-In-First-Out) queues have all the capabilities of standard queues, but are designed to improve messaging between applications when the order of operations and events is critical, or when duplicates cannot be tolerated.

D. Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets.

109

A company needs to store data in Amazon S3 and must prevent the data from being changed. The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects. Only specific users in the company's AWS account can have the ability to delete the objects. What should a solutions architect do to meet these requirements?

D. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.

110

A social media company allows users to upload images to its website. The website runs on Amazon EC2 instances. During upload requests, the website resizes the images to a standard size and stores the resized images in Amazon S3. Users are experiencing slow upload requests to the website. The company needs to reduce coupling within the application and improve website performance. A solutions architect must design the most operationally efficient process for image uploads. Which combination of actions should the solutions architect take to meet these requirements? (Choose two.)

B. Configure the web server to upload the original images to Amazon S3.

C. Configure the application to upload images directly from each user's browser to Amazon S3 through the use of a presigned URL.

presigned URL

  • You can use a presigned URL to allow someone else to upload an object to your Amazon S3 bucket. With a presigned URL, the other party can upload without having AWS security credentials or permissions.

D. Configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. Use the function to resize the image.
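To make the presigned-URL mechanism from option C concrete, here is an added example (not part of the original post, and not AWS's own code) that builds a SigV4 presigned PUT URL with only the Python standard library and then checks it the way the receiving side would: the browser gets a URL scoped to one bucket, one key and a short expiry, and never sees the secret key. The bucket name, key, access key ID and secret are constructed placeholders, and verify_put_url is a hypothetical stand-in for the check S3 itself performs.

```python
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation; runs only on the server, so the secret never reaches the browser."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def presign_put(bucket: str, key: str, region: str, access_key_id: str,
                secret_key: str, expires: int, now: datetime.datetime) -> str:
    """URL allowing exactly one PUT of `key` into `bucket` for `expires` seconds from `now` (naive UTC)."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now.strftime('%Y%m%d')}/{region}/s3/aws4_request"
    params = {  # everything the signature covers, except the signature itself
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, '/' inside the credential percent-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_uri = "/" + quote(key, safe="/-_.~")
    canonical_request = "\n".join([
        "PUT", canonical_uri, canonical_query,
        f"host:{host}\n",    # canonical headers (only host is signed)
        "host",              # signed headers list
        "UNSIGNED-PAYLOAD",  # presigned S3 URLs do not commit to the request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, now.strftime("%Y%m%d"), region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def verify_put_url(url: str, secret_key: str, now: datetime.datetime) -> bool:
    """Hypothetical stand-in for the check S3 performs: reject outside the validity window,
    then recompute the signature from the URL's own parameters and compare in constant time."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    bucket, _, rest = parts.netloc.partition(".s3.")
    region = rest.split(".")[0]
    signed_at = datetime.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    expires = int(q["X-Amz-Expires"])
    if not signed_at <= now < signed_at + datetime.timedelta(seconds=expires):
        return False
    access_key_id = q["X-Amz-Credential"].split("/")[0]
    expected = presign_put(bucket, unquote(parts.path[1:]), region, access_key_id,
                           secret_key, expires, signed_at)
    expected_sig = dict(parse_qsl(urlsplit(expected).query))["X-Amz-Signature"]
    return hmac.compare_digest(expected_sig, q["X-Amz-Signature"])


# Constructed sample values for the demo; none of these is a real credential.
SECRET = "constructed-secret-key"
T0 = datetime.datetime(2024, 7, 24, 12, 0, 0)


def demo() -> dict:
    url = presign_put("example-bucket", "uploads/photo.jpg", "ap-northeast-2",
                      "AKIAEXAMPLEKEYID0001", SECRET, 300, T0)
    at = lambda seconds: T0 + datetime.timedelta(seconds=seconds)
    return {
        "url": url,
        "valid_in_window": verify_put_url(url, SECRET, at(100)),
        "expired": verify_put_url(url, SECRET, at(400)),
        "wrong_secret": verify_put_url(url, "wrong-secret", at(100)),
        "tampered_key": verify_put_url(url.replace("photo.jpg", "other.jpg"), SECRET, at(100)),
    }
```

The web server only ever hands out the URL, so the bucket policy and IAM role still decide what the signing identity may do; the expiry is what limits how long a leaked URL stays useful.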
