SAA-C03 | The Renewal Guide To SAA-C03 Free Question

NEW QUESTION 1
A company wants an AWS Lambda function to call a third-party API and save the response to a private Amazon ROS DB instance in the same private subnet
What should a solutions architect do to meet these requirements?

• A. Create a NAT gatewa
• B. In the route table for the private subnet, add a route to the NAT gatewa
• C. Attach the Lambda function to the private subne
• D. Create an IAM role that includes the AWSLambdaBasicExecutionRole permissions policy Attach the role to the Lambda function
• E. Create an internet gateway In the route table for the private subnet, add a route to the internet gateway Attach the Lambda function to the private subnet Create an IAM role that includes me AWSLambdaBasicExecutionRole permissions policy Attach the role to the Lambda function
• F. Create a NAT gateway In the route table for the private subnet add a route to the NAT gateway Attach the Lambda function to the private subne
• G. Create an IAM role that includes the AWS LambdaVPCAccessExecutionRole permissions policy Attach the role to the Lambda function
• H. Create an internet gateway in the route table for the private subnet, add a route to the internet gateway Attach the Lambda function to the private subnet Create an IAM role that includes the AWSLambdaVPCAccessExecutionRole permissions policy Attach the role to the Lambda function

Answer: B

NEW QUESTION 2
A company is hosting a website from an Amazon S3 bucket that is configured for public hosting. The company’s security team mandates the usage of secure connections for access to the website. However; HTTP-based URLS and HTTPS-based URLS mist be functional.
What should a solution architect recommend to meet these requirements?

• A. Create an S3 bucket policy to explicitly deny non-HTTPS traffic.
• B. Enable S3 Transfer Acceleratio
• C. Select the HTTPS Only bucket property.
• D. Place thee website behind an Elastic Load Balancer that is configured to redirect HTTP traffic to HTTTPS.
• E. Serve the website through an Amazon CloudFront distribution that is configured to redirect HTTP traffic to HTTPS.

Answer: D

NEW QUESTION 3
A company hosts its web application on AWS using seven Amazon EC2 instances. The company requires that the IP addresses of all healthy EC2 instances be returned in response to DNS queries.
Which policy should be used to meet this requirement?

• A. Simple routing policy
• B. Latency routing policy
• C. Multivalue routing policy
• D. Geolocation routing policy

Answer: C

Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/multivalue-versus-simple-policies/
"Use a multivalue answer routing policy to help distribute DNS responses across multiple resources. For example, use multivalue answer routing when you want to associate your routing records with a Route 53 health check."
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-multivalue

NEW QUESTION 4
A company is hosting a static website on Amazon S3 and is using Amazon Route 53 for DNS. The website is experiencing increased demand from around the world. The company must decrease latency for users who access the website.
Which solution meets these requirements MOST cost-effectively?

• A. Replicate the S3 bucket that contains the website to all AWS Region
• B. Add Route 53 geolocation routing entries.
• C. Provision accelerators in AWS Global Accelerato
• D. Associate the supplied IP addresses with the S3 bucke
• E. Edit the Route 53 entries to point to the IP addresses of the accelerators.
• F. Add an Amazon CloudFront distribution in front of the S3 bucke
• G. Edit the Route 53 entries to point to the CloudFront distribution.
• H. Enable S3 Transfer Acceleration on the bucke
• I. Edit the Route 53 entries to point to the new endpoint.

Answer: C

NEW QUESTION 5
A company is building a containerized application on premises and decides to move the application to AWS. The application will have thousands of users soon after li is deployed. The company Is unsure how to manage the deployment of containers at scale. The company needs to deploy the containerized application in a highly available architecture that minimizes operational overhead.
Which solution will meet these requirements?

• A. Store container images In an Amazon Elastic Container Registry (Amazon ECR) repositor
• B. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type to run the container
• C. Use target tracking to scale automatically based on demand.
• D. Store container images in an Amazon Elastic Container Registry (Amazon ECR) repositor
• E. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the Amazon EC2 launch type to run the container
• F. Use target tracking to scale automatically based on demand.
• G. Store container images in a repository that runs on an Amazon EC2 instanc
• H. Run the containers on EC2 instances that are spread across multiple Availability Zone
• I. Monitor the average CPU utilization in Amazon CloudWatc
• J. Launch new EC2 instances as needed
• K. Create an Amazon EC2 Amazon Machine Image (AMI) that contains the container image Launch EC2 Instances in an Auto Scaling group across multiple Availability Zone
• L. Use an Amazon CloudWatch alarm to scale out EC2 instances when the average CPU utilization threshold is breached.

Answer: A

NEW QUESTION 6
A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.
Which action should the solutions architect take?

• A. Configure a CloudFront signed URL.
• B. Configure a CloudFront signed cookie.
• C. Configure a CloudFront field-level encryption profile.
• D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.

Answer: C

Explanation:
Explanation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
"With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it."

NEW QUESTION 7
A company is running a publicly accessible serverless application that uses Amazon API Gateway and AWS Lambda. The application’s traffic recently spiked due to fraudulent requests from botnets.
Which steps should a solutions architect take to block requests from unauthorized users? (Select TWO.)

• A. Create a usage plan with an API key that it shared with genuine users only.
• B. Integrate logic within the Lambda function to ignore the requests lion- fraudulent IP addresses
• C. Implement an AWS WAF rule to target malicious requests and trigger actions to filler them out
• D. Convert the existing public API to a private API Update the DNS records to redirect users to the new API endpoint
• E. Create an IAM role tor each user attempting to access the API A user will assume the role when making the API call

Answer: CD

NEW QUESTION 8
A company is implementing a new business application The application runs on two Amazon EC2 instances and uses an Amazon S3 bucket for document storage A solutions architect needs to ensure that the EC? instances can access the S3 bucket
What should the solutions architect do to moot this requirement?

• A. Create an IAM role that grants access to the S3 bucke
• B. Attach the role to the EC2 Instances.
• C. Create an IAM policy that grants access to the S3 bucket Attach the policy to the EC2 Instances
• D. Create an IAM group that grants access to the S3 bucket Attach the group to the EC2 instances
• E. Create an IAM user that grants access to the S3 bucket Attach the user account to the EC2 Instances

Answer: C

NEW QUESTION 9
A company's web application consists o( an Amazon API Gateway API in front of an AWS Lambda function and an Amazon DynamoDB database. The Lambda function
handles the business logic, and the DynamoDB table hosts the data. The application uses Amazon Cognito user pools to identify the individual users of the application. A solutions architect needs to update the application so that only users who have a subscription can access premium content.

• A. Enable API caching and throttling on the API Gateway API
• B. Set up AWS WAF on the API Gateway API Create a rule to filter users who have a subscription
• C. Apply fine-grained 1AM permissions to the premium content in the DynamoDB table
• D. Implement API usage plans and API keys to limit the access of users who do not have a subscription.

Answer: C

NEW QUESTION 10
A company runs a global web application on Amazon EC2 instances behind an Application Load Balancer The application stores data in Amazon Aurora. The company needs to create a disaster recovery solution and can tolerate up to 30 minutes of downtime and potential data loss. The solution does not need to handle the load when the primary infrastructure is healthy
What should a solutions architect do to meet these requirements?

• A. Deploy the application with the required infrastructure elements in place Use Amazon Route 53 to configure active-passive failover Create an Aurora Replica in a second AWS Region
• B. Host a scaled-down deployment of the application in a second AWS Region Use Amazon Route 53 to configure active-active failover Create an Aurora Replica in the second Region
• C. Replicate the primary infrastructure in a second AWS Region Use Amazon Route 53 to configure active-active failover Create an Aurora database that is restored from the latest snapshot
• D. Back up data with AWS Backup Use the backup to create the required infrastructure in a second AWS Region Use Amazon Route 53 to configure active-passive failover Create an Aurora second primary instance in the second Region

Answer: C

NEW QUESTION 11
A company's order system sends requests from clients to Amazon EC2 instances The EC2 instances process the orders and then store the orders in a database on Amazon RDS. Users report that they must reprocess orders when the system fails. The company wants a resilient solution that can process orders automatically if a system outage occurs.
What should a solutions architect do to meet these requirements?

• A. Move the EC2 instances Into an Auto Scaling grou
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Elastic Container Service (Amazon ECS) task
• C. Move the EC2 instances into an Auto Seating group behind an Application Load Balancer (Al B) Update the order system to send message to the ALB endpoint
• D. Move the EC2 instances into an Auto Scaling grou
• E. Configure the order system to send messages to an Amazon Simple Queue Service (Amazon SGS) queu
• F. Configure the EC2 instances to consume messages from the queue.
• G. Create an Amazon Simple Notification Service (Amazon SNS) topi
• H. Create an AWS Lambda function, and subscribe the function to the SNS topic Configure (he order system to send messages to the SNS topi
• I. Send a command to the EC2 instances to process the messages by using AWS Systems Manager Run Command

Answer: C

NEW QUESTION 12
A company has two applications: a sender application that sends messages with payloads to be processed and a processing application intended to receive the messages with payloads. The company wants to implement an AWS service to handle messages between the two applications. The sender application can send about 1.000 messages each hour. The messages may take up to 2 days to be processed. If the messages fail to process, they must be retained so that they do not impact the processing of any remaining messages.
Which solution meets these requirements and is the MOST operationally efficient?

• A. Set up an Amazon EC2 instance running a Redis databas
• B. Configure both applications to use the instanc
• C. Store, process, and delete the messages, respectively.
• D. Use an Amazon Kinesis data stream to receive the messages from the sender applicatio
• E. Integrate the processing application with the Kinesis Client Library (KCL).
• F. Integrate the sender and processor applications with an Amazon Simple Queue Service (Amazon SQS) queu
• G. Configure a dead-letter queue to collect the messages that failed to process.
• H. Subscribe the processing application to an Amazon Simple Notification Service (Amazon SNS) topic to receive notifications to proces
• I. Integrate the sender application to write to the SNS topic.

Answer: C

Explanation:
Explanation
https://aws.amazon.com/blogs/compute/building-loosely-coupled-scalable-c-applications-with-amazon-sqs-and- https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-dead-letter-queues.htm

NEW QUESTION 13
A company is preparing to store confidential data in Amazon S3 For compliance reasons the data must be encrypted at rest Encryption key usage must be logged tor auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and «the MOST operationally efferent?

• A. Server-side encryption with customer-provided keys (SSE-C)
• B. Server-side encryption with Amazon S3 managed keys (SSE-S3)
• C. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
• D. Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automate rotation

Answer: D

Explanation:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html
When you enable automatic key rotation for a customer managed key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also saves the KMS key's older cryptographic material in perpetuity so it can be used to decrypt data that the KMS key encrypted.
Key rotation in AWS KMS is a cryptographic best practice that is designed to be transparent and easy to use.
AWS KMS supports optional automatic key rotation only for customer managed CMKs. Enable and disable key rotation. Automatic key rotation is disabled by default on customer managed CMKs. When you enable (or re-enable) key rotation, AWS KMS automatically rotates the CMK 365 days after the enable date and every 365 days thereafter.

NEW QUESTION 14
A company is migrating a distributed application to AWS The application serves variable workloads The legacy platform consists of a primary server trial coordinates jobs across multiple compute nodes The company wants to modernize the application with a solution that maximizes resiliency and scalability
How should a solutions architect design the architecture to meet these requirements?

• A. Configure an Amazon Simple Queue Service (Amazon SQS) queue as a destination for the jobs Implement the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling grou
• B. Configure EC2 Auto Scaling to use scheduled scaling
• C. Configure an Amazon Simple Queue Service (Amazon SQS) queue as a destination for the jobs Implement the compute nodes with Amazon EC2 Instances that are managed in an Auto Scaling group Configure EC2 Auto Scaling based on the size of the queue
• D. Implement the primary server and the compute nodes with Amazon EC2 instances that are managed In an Auto Scaling grou
• E. Configure AWS CloudTrail as a destination for the fobs Configure EC2 Auto Scaling based on the load on the primary server
• F. implement the primary server and the compute nodes with Amazon EC2 instances that are managed in an Auto Scaling group Configure Amazon EventBridge (Amazon CloudWatch Events) as a destination for the jobs Configure EC2 Auto Scaling based on the load on the compute nodes

Answer: B

NEW QUESTION 15
A company has enabled AWS CloudTrail logs to deliver log files to an Amazon S3 bucket for each of its developer accounts. The company has created a central AWS account for streamlining management and audit reviews An internal auditor needs to access the CloudTrail logs yet access needs to be restricted for all developer account users The solution must be secure and optimized
How should a solutions architect meet these requirements?

• A. Configure an AWS Lambda function m each developer account to copy the log files to the central account Create an IAM role in the central account for the auditor Attach an IAM policy providing read-only permissions to the bucket
• B. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket m the central account Create an IAM user in the central account for the auditor Attach an IAM policy providing full permissions to the bucket
• C. Configure CloudTrail from each developer account to deliver the log files to an S3 bucket in the central account Create an IAM role in the central account for the auditor Attach an IAM policy providingread-only permissions to the bucket
• D. Configure an AWS Lambda function in the central account to copy the log files from the S3 bucket m each developer account Create an IAM user m the central account for the auditor Attach an IAM policy providing full permissions to the bucket

Answer: C

Explanation:
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-sharing-logs.html

NEW QUESTION 16
A company is designing a new web application that the company will deploy into a single AWS Region. The application requires a two-tier architecture that will include Amazon EC2 instances and an Amazon RDS DB instance. A solutions architect needs to design the application so that all components are highly available.

• A. Deploy EC2 instances In an additional Region Create a DB instance with the Multi-AZ option activated
• B. Deploy all EC2 instances in the same Region and the same Availability Zon
• C. Create a DB instance with the Multi-AZ option activated.
• D. Deploy the fcC2 instances across at least two Availability Zones within the some Regio
• E. Create a DB instance in a single Availability Zone
• F. Deploy the EC2 instances across at least Two Availability Zones within the same Regio
• G. Create a DB instance with the Multi-AZ option activated

Answer: D

NEW QUESTION 17
A company hosts an application on multiple Amazon EC2 instances The application processes messages from an Amazon SQS queue writes to an Amazon RDS table and deletes the message from the queue Occasional duplicate records are found in the RDS table. The SQS queue does not contain any duplicate messages.
What should a solutions architect do to ensure messages are being processed once only?

• A. Use the CreateQueue API call to create a new queue
• B. Use the Add Permission API call to add appropriate permissions
• C. Use the ReceiveMessage API call to set an appropriate wail time
• D. Use the ChangeMessageVisibility APi call to increase the visibility timeout

Answer: D

Explanation:
Explanation
The visibility timeout begins when Amazon SQS returns a message. During this time, the consumer processes and deletes the message. However, if the consumer fails before deleting the message and your system doesn't call the DeleteMessage action for that message before the visibility timeout expires, the message becomes visible to other consumers and the message is received again. If a message must be received only once, your consumer should delete it within the duration of the visibility timeout. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.html
Keyword: SQS queue writes to an Amazon RDS From this, Option D best suite & other Options ruled out [Option A - You can't intruduce one more Queue in the existing one; Option B - only Permission & Option C - Only Retrieves Messages] FIF O queues are designed to never introduce duplicate messages. However, your message producer might introduce duplicates in certain scenarios: for example, if the producer sends a message, does not receive a response, and then resends the same message. Amazon SQS APIs provide deduplication functionality that prevents your message producer from sending duplicates. Any duplicates introduced by the message producer are removed within a 5-minute deduplication interval. For standard queues, you might occasionally receive a duplicate copy of a message (at-least- once delivery). If you use a standard queue, you must design your applications to be idempotent (that is, they must not be affected adversely when processing the same message more than once).

NEW QUESTION 18
......