Amazon AWS-Certified-Solutions-Architect-Professional Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
In the context of policies and permissions in AWS IAM, the Condition element is ______.

  • A. crucial while writing the IAM policies
  • B. an optional element
  • C. always set to null
  • D. a mandatory element

Answer: B

Explanation: The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html

NEW QUESTION 2
An organization has 4 people in the IT operations team who are responsible for managing the AWS infrastructure. The organization wants to set things up so that each user has access to launch and manage an instance in a zone which the other users cannot modify. Which of the below mentioned options is the best solution to set this up?

  • A. Create four AWS accounts and give each user access to a separate account.
  • B. Create an IAM user and allow them permission to launch an instance of a different size only.
  • C. Create four IAM users and four VPCs and allow each IAM user to have access to separate VPCs.
  • D. Create a VPC with four subnets and allow access to each subnet for the individual IAM user.

Answer: D

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as required within a VPC. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. The organization can set up access for the IAM user who can modify the security groups of the VPC. The sample policy is given below:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:subnet/subnet-1a2b3c4d",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/sg-123abc123"
    ]
  }]
}
With this policy the user can create four subnets in separate zones and provide IAM user access to each subnet.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

NEW QUESTION 3
A user has configured an EBS volume with PIOPS. The user is not experiencing the optimal throughput. Which of the following could not be a factor affecting I/O performance of that EBS volume?

  • A. EBS bandwidth of dedicated instance exceeding the PIOPS
  • B. EC2 bandwidth
  • C. EBS volume size
  • D. Instance type is not EBS optimized

Answer: C

Explanation: If the user is not experiencing the expected IOPS or throughput that is provisioned, ensure that the EC2 bandwidth is not the limiting factor, that the instance is EBS-optimized (or includes 10 Gigabit network connectivity), and that the instance type's EBS dedicated bandwidth exceeds the IOPS that have been provisioned.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html

NEW QUESTION 4
You need a persistent and durable storage to trace call activity of an IVR (Interactive Voice Response) system. Call duration is mostly in the 2-3 minutes timeframe. Each traced call can be either active or terminated. An external application needs to know each minute the list of currently active calls. Usually there are a few calls/second, but once per month there is a periodic peak up to 1000 calls/second for a few hours. The system is open 24/7 and any downtime should be avoided. Historical data is periodically archived to files. Cost saving is a priority for this project.
What database implementation would better fit this scenario, keeping costs as low as possible?

  • A. Use DynamoDB with a "Calls" table and a Global Secondary Index on a "State" attribute that can equal to "active" or "terminated". In this way the Global Secondary Index can be used for all items in the table.
  • B. Use RDS Multi-AZ with a "CALLS" table and an indexed "STATE" field that can be equal to "ACTIVE" or "TERMINATED". In this way the SQL query is optimized by the use of the Index.
  • C. Use RDS Multi-AZ with two tables, one for "ACTIVE_CALLS" and one for "TERMINATED_CALLS". In this way the "ACTIVE_CALLS" table is always small and effective to access.
  • D. Use DynamoDB with a "Calls" table and a Global Secondary Index on a "Is Active" attribute that is present for active calls only. In this way the Global Secondary Index is sparse and more effective.

Answer: C

NEW QUESTION 5
An EC2 instance that performs source/destination checks by default is launched in a private VPC subnet. All security, NACL, and routing definitions are configured as expected. A custom NAT instance is launched.
Which of the following must be done for the custom NAT instance to work?

  • A. The source/destination checks should be disabled on the NAT instance.
  • B. The NAT instance should be launched in public subnet.
  • C. The NAT instance should be configured with a public IP address.
  • D. The NAT instance should be configured with an elastic IP address.

Answer: A

Explanation: Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

NEW QUESTION 6
A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload for the new fiscal year benefit enrollment period plus some extra overhead. Enrollment proceeds nicely for two days and then the web tier becomes unresponsive. Upon investigation using CloudWatch and other monitoring tools, it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which activity would be useful in defending against this attack?

  • A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway)
  • B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP
  • C. Create 15 Security Group rules to block the attacking IP addresses over port 80
  • D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

Answer: D

NEW QUESTION 7
An organization is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched with VPC. The organization wants to have separate domains for each application and assign them using Route 53. The organization may have about ten instances, each with two applications as mentioned above. While launching the instance, the organization configured two separate network interfaces (primary + ENI) and wanted to have two elastic IPs for that instance.
It was suggested to use a public IP from AWS instead of an elastic IP as the number of elastic IPs is restricted. What action will you recommend to the organization?

  • A. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
  • B. I do not agree as it is required to have only an elastic IP since an instance has more than one ENI and AWS does not assign a public IP to an instance with multiple ENIs.
  • C. I do not agree as AWS VPC does not attach a public IP to an ENI; so the user has to use an elastic IP only.
  • D. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.

Answer: B

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.
The user can attach up to two ENIs with a single instance. However, AWS cannot assign a public IP when there are two ENIs attached to a single instance. It is recommended to assign an elastic IP in this scenario. If the organization wants more than 5 EIPs they can request AWS to increase the number.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

NEW QUESTION 8
An IAM user is trying to perform an action on an object belonging to some other root account’s bucket. Which of the below mentioned options will AWS S3 not verify?

  • A. The object owner has provided access to the IAM user
  • B. Permission provided by the parent of the IAM user on the bucket
  • C. Permission provided by the bucket owner to the IAM user
  • D. Permission provided by the parent of the IAM user

Answer: B

Explanation: If the IAM user is trying to perform some action on the object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

NEW QUESTION 9
Which of the following cannot be used to manage Amazon ElastiCache and perform administrative tasks?

  • A. AWS software development kits (SDKs)
  • B. Amazon S3
  • C. ElastiCache command line interface (CLI)
  • D. AWS CloudWatch

Answer: D

Explanation: CloudWatch is a monitoring tool and doesn't give users access to manage Amazon ElastiCache.
Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/WhatIs.Managing.html

NEW QUESTION 10
How can multiple compute resources be used on the same pipeline in AWS Data Pipeline?

  • A. You can use multiple compute resources on the same pipeline by defining multiple cluster objects in your definition file and associating the cluster to use for each activity via its runsOn field.
  • B. You can use multiple compute resources on the same pipeline by defining multiple cluster definition files.
  • C. You can use multiple compute resources on the same pipeline by defining multiple clusters for your activity.
  • D. You cannot use multiple compute resources on the same pipeline.

Answer: A

Explanation: Multiple compute resources can be used on the same pipeline in AWS Data Pipeline by defining multiple cluster objects in your definition file and associating the cluster to use for each activity via its runsOn field, which allows pipelines to combine AWS and on-premise resources, or to use a mix of instance types for their activities.
Reference: https://aws.amazon.com/datapipeline/faqs/

NEW QUESTION 11
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget, you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

  • A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
  • B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
  • C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
  • D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts

Answer: C

NEW QUESTION 12
Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? Choose 3 answers

  • A. Implement third party volume encryption tools
  • B. Implement SSL/TLS for all services running on the server
  • C. Encrypt data inside your applications before storing it on EBS
  • D. Encrypt data using native data encryption drivers at the file system level
  • E. Do nothing as EBS volumes are encrypted by default

Answer: ACD

NEW QUESTION 13
Auto Scaling requests are signed with a ______ signature calculated from the request and the user’s private key.

  • A. SSL
  • B. AES-256
  • C. HMAC-SHA1
  • D. X.509

Answer: C

NEW QUESTION 14
Your customer is willing to consolidate their log streams (access logs, application logs, security logs, etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours.
What is the best approach to meet your customer’s requirements?

  • A. Send all the log events to Amazon SQS, set up an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics.
  • B. Send all the log events to Amazon Kinesis, develop a client process to apply heuristics on the logs
  • C. Configure Amazon CloudTrail to receive custom logs, use EMR to apply heuristics on the logs
  • D. Setup an Auto Scaling group of EC2 syslogd servers, store the logs on S3, use EMR to apply heuristics on the logs

Answer: B

NEW QUESTION 15
A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public-facing ELB. Auto Scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group, but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API.
How should they architect their solution?

  • A. Route payment requests through two NAT instances set up for High Availability and whitelist the Elastic IP addresses attached to the NAT instances.
  • B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
  • C. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
  • D. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instance's public IP address to the payment validation whitelist API.

Answer: D

NEW QUESTION 16
After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet, you modify your route tables to have the NAT device be the target of internet-bound traffic of your private subnet. When you try to make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

  • A. Disabling the Source/Destination Check attribute on the NAT instance
  • B. Attaching an Elastic IP address to the instance in the private subnet
  • C. Attaching a second Elastic Network Interface (ENI) to the NAT instance, and placing it in the private subnet
  • D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

Answer: A

NEW QUESTION 17
With respect to AWS Lambda permissions model, at the time you create a Lambda function, you specify an IAM role that AWS Lambda can assume to execute your Lambda function on your behalf. This role is also referred to as the ______ role.

  • A. configuration
  • B. execution
  • C. delegation
  • D. dependency

Answer: B

Explanation: Regardless of how your Lambda function is invoked, AWS Lambda always executes the function. At the time you create a Lambda function, you specify an IAM role that AWS Lambda can assume to execute your Lambda function on your behalf. This role is also referred to as the execution role.
Reference: http://docs.aws.amazon.com/lambda/latest/dg/lambda-dg.pdf

NEW QUESTION 18
You are migrating a legacy client-server application to AWS. The application responds to a specific DNS domain (e.g. www.example.com) and has a 2-tier architecture, with multiple application servers and a database server. Remote clients use TCP to connect to the application servers. The application servers need to know the IP address of the clients in order to function properly and are currently taking that information from the TCP socket. A Multi-AZ RDS MySQL instance will be used for the database. During the migration you can change the application code, but you have to file a change request.
How would you implement the architecture on AWS in order to maximize scalability and high availability?

  • A. File a change request to implement Alias Resource support in the application. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.
  • B. File a change request to implement Latency Based Routing support in the application. Use Route 53 with Latency Based Routing enabled to distribute load on two application servers in different AZs.
  • C. File a change request to implement Cross-Zone support in the application. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.
  • D. File a change request to implement Proxy Protocol support in the application. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two application servers in different AZs.

Answer: D