[December-2023]100% Exam Pass-SCS-C02 PDF and VCE Free from Braindump2go[Q91-Q123]

December/2023 Latest Braindump2go SCS-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SCS-C02 Real Exam Questions!

QUESTION 91
A company is using Amazon Route 53 Resolver for its hybrid DNS infrastructure. The company has set up Route 53 Resolver forwarding rules for authoritative domains that are hosted on on-premises DNS servers.
A new security mandate requires the company to implement a solution to log and query DNS traffic that goes to the on-premises DNS servers. The logs must show details of the source IP address of the instance from which the query originated. The logs also must show the DNS name that was requested in Route 53 Resolver.
Which solution will meet these requirements?

A. Use VPC Traffic Mirroring. Configure all relevant elastic network interfaces as the traffic source, include amazon-dns in the mirror filter, and set Amazon CloudWatch Logs as the mirror target. Use CloudWatch Insights on the mirror session logs to run queries on the source IP address and DNS name.
B. Configure VPC flow logs on all relevant VPCs. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.
C. Configure Route 53 Resolver query logging on all relevant VPCs. Send the logs to Amazon CloudWatch Logs. Use CloudWatch Insights to run queries on the source IP address and DNS name.
D. Modify the Route 53 Resolver rules on the authoritative domains that forward to the on-premises DNS servers. Send the logs to an Amazon S3 bucket. Use Amazon Athena to run SQL queries on the source IP address and DNS name.

Answer: C
Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs.html


[March-2023]Instant Download Braindump2go ANS-C01 Dumps ANS-C01 102Q[Q35-Q75]

March/2023 Latest Braindump2go ANS-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go ANS-C01 Real Exam Questions!

QUESTION 35
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway.
Which solution will meet these requirements?

A. Create a new VPC for the SD-WAN hub virtual appliance. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
B. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the GRE and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.
C. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Create two IPsec VPN connections between the SD-WAN hub virtual appliance and the transit gateway. Configure BGP over the IPsec VPN connections.
D. Assign a new CIDR block to the transit gateway. Create a new VPC for the SD-WAN hub virtual appliance. Attach the new VPC to the transit gateway with a VPC attachment. Add a transit gateway Connect attachment. Create a Connect peer and specify the VXLAN and BGP parameters. Create a route in the appropriate VPC for the SD-WAN hub virtual appliance to route to the transit gateway.

Answer: D

QUESTION 36
A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission. How should a network engineer configure the AWS resources to meet these requirements?

A. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
B. Create a static source multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.
C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow UDP traffic from the source to all receivers and to allow UDP traffic that is sent to the multicast group address.
D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway. Associate the VPCs and applicable subnets with the multicast domain. Register the multicast senders’ network interface with the multicast domain. Adjust the network ACLs to allow TCP traffic from the source to all receivers and to allow TCP traffic that is sent to the multicast group address.

Answer: C

QUESTION 37
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?

A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.

Answer: A
Explanation:
Option A enables VPC Flow Logs on the ENI of each EC2 instance to capture REJECT traffic on port 443, which can help identify if there is any traffic getting rejected due to the incorrect security group configuration. Then a CloudWatch Logs metric filter is created for the log group to look for rejected traffic, and an alarm is created to notify the network engineer in case the rejected traffic count exceeds a certain threshold.

QUESTION 38
A security team is performing an audit of a company’s AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured.
The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?

A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.

Answer: D
Explanation:
Option B is the most appropriate solution to meet the requirements with the least operational overhead.
Creating VPC flow logs in a custom format and setting the EKS nodes as the resource will limit the number of flow logs and allow the security team to examine the traffic from only the two applications. Including the pkt-srcaddr and pkt-dstaddr fields in the flow logs will provide information on the source and destination IP addresses of the traffic, which will allow the security team to determine which POD IP addresses are communicating with which services throughout the VPC.

QUESTION 39
A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company’s peak event at the end of the year.
The company is using two Amazon EC2 instances as primary DNS servers for the VPC. The EC2 instances are configured to forward queries to the default VPC resolver for Amazon Route 53 hosted domains and to the on-premises DNS servers for other on-premises hosted domain names. The company notices job failures and finds that DNS queries from the HPC cluster nodes failed when the nodes tried to resolve RDS and S3 bucket endpoints.
Which architectural change should a network engineer implement to provide the DNS service in the MOST scalable way?

A. Scale out the DNS service by adding two additional EC2 instances in the VPC. Reconfigure half of the HPC cluster nodes to use these new DNS servers. Plan to scale out by adding additional EC2 instance-based DNS servers in the future as the HPC cluster size grows.
B. Scale up the existing EC2 instances that the company is using as DNS servers. Change the instance size to the largest possible instance size to accommodate the current DNS load and the anticipated load in the future.
C. Create Route 53 Resolver outbound endpoints. Create Route 53 Resolver rules to forward queries to on-premises DNS servers for on premises hosted domain names. Reconfigure the HPC cluster nodes to use the default VPC resolver instead of the EC2 instance-based DNS servers. Terminate the EC2 instances.
D. Create Route 53 Resolver inbound endpoints. Create rules on the on-premises DNS servers to forward queries to the default VPC resolver. Reconfigure the HPC cluster nodes to forward all DNS queries to the on-premises DNS servers. Terminate the EC2 instances.

Answer: C

QUESTION 40
A company’s network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway.
The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failover data center only in the case of an outage.
Which solution will meet these requirements?

A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100. Set the BGP community tag for all prefixes from the failover data center to 7224:7300.
B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300. Set the BGP community tag for all prefixes from the failover data center to 7224:7100.
C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300. Set the BGP community tag for all prefixes from the failover data center to 7224:9100.
D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100. Set the BGP community tag for all prefixes from the failover data center to 7224:9300.

Answer: B
Explanation:
Option B is the correct solution. Set the BGP community tag for all prefixes from the primary data center to 7224:7300, and set the BGP community tag for all prefixes from the failover data center to 7224:7100. This way, the primary data center will have a lower BGP local preference, making it the preferred path. If there is an outage in the primary data center, the failover data center will have a higher BGP local preference and will become the preferred path. The other options do not provide the correct community tag values for the primary and failover data centers.

QUESTION 41
A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification, update metadata in DynamoDB, and replace the objects with new watermarked objects.
The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?

A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet’s route table, add a default route that points to the internet gateway.
B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet’s route table, add a default route that points to the internet gateway.
C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints for Amazon S3 and DynamoDB.

Answer: C

QUESTION 42
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1. The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency. How should the network engineer design the network architecture to meet these requirements?

A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
C. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.

Answer: B
Explanation:
This solution creates a new transit gateway in the eu-west-2 Region and connects it to the VPC in that Region. The Europe data center is connected to the new transit gateway using a Direct Connect gateway and a new transit VIF. The transit gateway in us-east-1 is associated with the same Direct Connect gateway, and both transit VIFs are enabled with SiteLink. The two transit gateways are then peered, allowing full connectivity between the data centers and Regions with the lowest possible latency. This solution is cost-effective and efficient as it does not require creating a new Direct Connect gateway.

QUESTION 43
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)

A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
B. The security group is blocking traffic to the IP address range used by Amazon SQS.
C. There is no interface VPC endpoint configured for Amazon SQS.
D. The network ACL is blocking return traffic from Amazon SQS.
E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS.

Answer: BE
Explanation:
B. The security group is blocking traffic to the IP address range used by Amazon SQS: By default, Amazon SQS uses the Amazon S3 endpoint for the region. If the default security group applied to the instance is blocking outbound traffic to the Amazon S3 endpoint, then the EC2 instance cannot send messages to the Amazon SQS queue.
E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS: The EC2 instance in the private subnet requires a route to the Amazon SQS endpoint. If there is no route configured in the subnet route table, then the traffic will not be able to reach the Amazon SQS service.

QUESTION 44
A network engineer needs to standardize a company’s approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company’s network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet.
What should the network engineer do to meet these requirements?

A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.
C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.
D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.

Answer: A
Explanation:
Option A is the correct answer because it creates a private hosted zone in the shared services account with an alias record that points to the interface endpoint, and associates the private hosted zone with the spoke VPCs in each AWS account. Disabling the private DNS name of the interface endpoint ensures that DNS resolution of the endpoint is restricted to the Amazon Route 53 private hosted zone. This option creates a centralized model for managing interface endpoints and Route 53 zones in a shared services AWS account, which simplifies administration and reduces complexity.

QUESTION 45
A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements?

A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from each VPC.
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs.

Answer: A

QUESTION 46
A company is using an AWS Site-to-Site VPN connection from the company’s on-premises data center to a virtual private gateway in the AWS Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort.
Which solution will meet these requirements?

A. Edit the existing Site-to-Site VPN connection by enabling acceleration. Stop and start the VPN service on the customer gateway for the new setting to take effect.
B. Configure a transit gateway in the same AWS Region as the existing virtual private gateway. Create a new accelerated Site-to-Site VPN connection. Connect the new connection to the transit gateway by using a VPN attachment. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
C. Create a new accelerated Site-to-Site VPN connection. Connect the new Site-to-Site VPN connection to the existing virtual private gateway. Update the customer gateway device to use the new Site-to-Site VPN connection. Delete the existing Site-to-Site VPN connection.
D. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud. Update the customer gateway device to use the new Direct Connect connection. Delete the existing Site-to-Site VPN connection.

Answer: B

QUESTION 47
An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion. The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as proxies, firewalls, and logging.
The company plans to duplicate the infrastructure from ap-southeast-2 to the us-west-1 Region. A network engineer must establish connectivity between the various applications in the two Regions. The solution must maximize bandwidth, minimize latency and minimize operational overhead.
Which solution will meet these requirements?

A. Create VPN attachments between the two transit gateways. Configure the VPN attachments to use BGP routing between the two transit gateways.
B. Peer the transit gateways in each Region. Configure routing between the two transit gateways for each Region’s IP addresses.
C. Create a VPN server in a VPC in each Region. Update the routing to point to the VPN servers for the IP addresses in alternate Regions.
D. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2.

Answer: B
Explanation:
Peering the transit gateways in each region would establish a private network connection between the two regions, allowing the company to route traffic between the VPCs in different regions without going over the public internet. This would help minimize latency and maximize bandwidth while reducing the operational overhead of managing multiple VPN connections.

QUESTION 48
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company’s on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company’s global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Answer: B

QUESTION 49
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application.
What is the MOST operationally efficient solution that meets these requirements?

A. Configure the ALB to store logs in an Amazon S3 bucket. Download the files from Amazon S3, and use a spreadsheet application to analyze the logs.
B. Configure the ALB to push logs to Amazon Kinesis Data Streams. Use Amazon Kinesis Data Analytics to analyze the logs.
C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon OpenSearch Service (Amazon Elasticsearch Service). Use search operations in Amazon OpenSearch Service (Amazon Elasticsearch Service) to analyze the data.
D. Configure the ALB to store logs in an Amazon S3 bucket. Use Amazon Athena to analyze the logs in Amazon S3.

Answer: D
Explanation:
The most operationally efficient solution to collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application would be to configure the ALB to store logs in an Amazon S3 bucket and use Amazon Athena to analyze the logs in Amazon S3 (Option D). This solution allows for quick and easy analysis of log data without requiring manual download or manipulation of log files.

QUESTION 50
A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall. Which change should a network engineer implement to meet these requirements?

A. Update the DNS Firewall VPC configuration to disable fail open for the VPC.
B. Update the DNS Firewall VPC configuration to enable fail open for the VPC.
C. Create a new DHCP options set with parameter dns_firewall_fail_open=false. Associate the new DHCP options set with the VPC.
D. Create a new DHCP options set with parameter dns_firewall_fail_open=true. Associate the new DHCP options set with the VPC.

Answer: B

QUESTION 51
A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit.
Which solution will meet these requirements?

A. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to access Amazon S3. Use HTTPS for communication.
B. Create an IPsec VPN connection over the transit VIF. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.
C. Create a VPC and attach the VPC to the transit gateway. In the VPC, provision an interface VPC endpoint for Amazon S3. Use HTTPS for communication.
D. Create a Direct Connect public VIF. Set up an IPsec VPN connection over the public VIF to the transit gateway. Create an attachment for Amazon S3. Use HTTPS for communication.

Answer: C
Explanation:
Traffic over the transit VIF, the Direct Connect gateway and the transit gateway stays on the private Direct Connect path and never crosses the public internet. Direct Connect itself does not encrypt, so HTTPS to the S3 interface endpoint supplies the encryption in transit; the interface endpoint gives S3 a private IP address in the VPC that on-premises hosts reach through the transit gateway. Options A and D describe tunnels to endpoints that do not exist (Amazon S3 does not terminate IPsec, and a transit gateway has no S3 attachment), and the IPsec VPN in B adds tunnel endpoints and a second encryption layer that the requirement does not call for.

QUESTION 52
A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring. Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB.
What should the network engineer do next to determine which errors the ALB is receiving?

A. Send the logs to Amazon CloudWatch Logs. Review the ALB logs in CloudWatch Insights to determine which error messages the ALB is receiving.
B. Configure the Amazon S3 bucket destination. Use Amazon Athena to determine which error messages the ALB is receiving.
C. Configure the Amazon S3 bucket destination. After Amazon CloudWatch Logs pulls the ALB logs from the S3 bucket automatically, review the logs in CloudWatch Logs to determine which error messages the ALB is receiving.
D. Send the logs to Amazon CloudWatch Logs. Use the Amazon Athena CloudWatch Connector to determine which error messages the ALB is receiving.

Answer: B
Explanation:
ALB access logs can be delivered only to an Amazon S3 bucket. The ALB cannot write them to CloudWatch Logs (A, D), and CloudWatch Logs does not pull objects from S3 on its own (C). With the bucket configured, Amazon Athena queries the fields that explain the failures (elb_status_code, target_status_code and, for Lambda targets, error_reason) directly in S3.
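As an added example (not part of the original question set), the parser below reads ALB access log entries in their documented space-separated layout and pulls out the fields QUESTION 49 asks for (client IP, target IP and port, user agent) together with the status and error_reason fields QUESTION 52 needs. The two log entries are constructed for the example, not real traffic; the field names follow the ALB access log documentation and the load balancer, target group and certificate identifiers are placeholders.

```python
"""Parse Application Load Balancer access log entries (the files the ALB writes to S3)."""
import shlex
from collections import Counter

# Leading fields of an ALB access log entry, in the documented order. Later fields
# (target:port_list, classification, ...) exist in the file but are not needed here.
ALB_FIELDS = [
    "type", "time", "elb", "client_port", "target_port",
    "request_processing_time", "target_processing_time", "response_processing_time",
    "elb_status_code", "target_status_code", "received_bytes", "sent_bytes",
    "request", "user_agent", "ssl_cipher", "ssl_protocol", "target_group_arn",
    "trace_id", "domain_name", "chosen_cert_arn", "matched_rule_priority",
    "request_creation_time", "actions_executed", "redirect_url", "error_reason",
]

# Two constructed entries: a normal 200 from an EC2 target and a 502 where the ALB
# got no usable response from its Lambda target (so the target field is "-").
SAMPLE_LOG = """\
https 2023-03-01T10:00:00.000000Z app/web-alb/0123456789abcdef 203.0.113.10:51234 10.0.1.25:8080 0.001 0.045 0.000 200 200 512 2048 "GET https://www.example.com:443/login HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/0123456789abcdef "Root=1-64000000-0123456789abcdef01234567" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" 1 2023-03-01T09:59:59.950000Z "forward" "-" "-" "10.0.1.25:8080" "200" "-" "-"
https 2023-03-01T10:00:01.000000Z app/web-alb/0123456789abcdef 198.51.100.7:40001 - -1 -1 -1 502 - 300 0 "POST https://www.example.com:443/api HTTP/1.1" "python-requests/2.31" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/web/0123456789abcdef "Root=1-64000001-0123456789abcdef01234568" "www.example.com" "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000" 1 2023-03-01T10:00:00.950000Z "forward" "-" "LambdaInvalidResponse" "-" "-" "-" "-"
"""


def split_host_port(value):
    """'10.0.1.25:8080' -> ('10.0.1.25', 8080); the ALB writes '-' when no target was selected."""
    if value == "-":
        return None, None
    host, _, port = value.rpartition(":")
    return host, int(port)


def parse_alb_line(line):
    """Turn one access log entry into a dict keyed by ALB_FIELDS."""
    parts = shlex.split(line)  # the quoted request and user-agent fields contain spaces
    if len(parts) < len(ALB_FIELDS):
        raise ValueError("malformed ALB log entry with %d fields" % len(parts))
    rec = dict(zip(ALB_FIELDS, parts))
    rec["client_ip"], rec["client_port"] = split_host_port(rec["client_port"])
    rec["target_ip"], rec["target_port"] = split_host_port(rec["target_port"])
    rec["elb_status_code"] = int(rec["elb_status_code"])
    return rec


def summarize(lines):
    """Parse all entries; return (records, count per ELB status code, 5xx entries)."""
    records = [parse_alb_line(line) for line in lines if line.strip()]
    by_status = Counter(r["elb_status_code"] for r in records)
    errors = [r for r in records if r["elb_status_code"] >= 500]
    return records, by_status, errors


if __name__ == "__main__":
    recs, status_counts, failures = summarize(SAMPLE_LOG.splitlines())
    for r in recs:
        print(r["client_ip"], r["target_ip"], r["target_port"], r["user_agent"])
    print("status codes:", dict(status_counts))
    for e in failures:
        print("ALB error", e["elb_status_code"], "reason:", e["error_reason"])
```

Athena applies the same positional layout through a regex SerDe in its CREATE TABLE statement for ALB logs, so the column names in a query match the keys used here; the point of the parser is to show which fields carry the evidence before deciding how to store and query it.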

QUESTION 53
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company’s on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers.
The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introducing additional latency because of the company’s global presence. As a result, the company decides to migrate its entire infrastructure from on premises to the AWS Cloud. The company needs to migrate without reconfiguring the hardware sensor modules that are already deployed across the world. The solution also must minimize latency. The company migrates the MQTT brokers to run on Amazon EC2 instances. What should the company do next to meet these requirements?

A. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Use Bring Your Own IP (BYOIP) from the on-premises network with the NLB.
B. Place the EC2 instances behind a Network Load Balancer (NLB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the NLB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
C. Place the EC2 instances behind an Application Load Balancer (ALB). Configure TCP listeners. Create an AWS Global Accelerator accelerator in front of the ALB. Use Bring Your Own IP (BYOIP) from the on-premises network with Global Accelerator.
D. Place the EC2 instances behind an Amazon CloudFront distribution. Use Bring Your Own IP (BYOIP) from the on-premises network with CloudFront.

Answer: B

QUESTION 54
A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers. The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers. What is the MOST operationally efficient solution that meets these requirements?

A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.

Answer: C

QUESTION 55
A company’s network engineer is designing a hybrid DNS solution for an AWS Cloud workload. Individual teams want to manage their own DNS hostnames for their applications in their development environment. The solution must integrate the application-specific hostnames with the centrally managed DNS hostnames from the on-premises network and must provide bidirectional name resolution. The solution also must minimize management overhead. Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

A. Use an Amazon Route 53 Resolver inbound endpoint.
B. Modify the DHCP options set by setting a custom DNS server value.
C. Use an Amazon Route 53 Resolver outbound endpoint.
D. Create DNS proxy servers.
E. Create Amazon Route 53 private hosted zones.
F. Set up a zone transfer between Amazon Route 53 and the on-premises DNS.

Answer: ACE
Explanation:
An inbound endpoint lets the on-premises DNS servers forward queries for AWS-hosted names into Route 53 Resolver; an outbound endpoint with forwarding rules lets Resolver send queries for the on-premises domains to the corporate DNS servers; private hosted zones give each team a zone in which it manages its own application hostnames. Together these provide bidirectional resolution with no DNS proxy servers to operate (D), no custom DHCP options set (B), and no zone transfer, which Route 53 does not support (F).

QUESTION 56
A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2.
A network engineer must implement connectivity between VPC-B and the on-premises data center in Dublin. Which solutions will meet these requirements? (Choose two.)

A. Configure inter-Region VPC peering between VPC-A and VPC-B. Add the required VPC peering routes. Add the VPC-B CIDR block in the allowed prefixes on the Direct Connect gateway association.
B. Associate TGW-B with the Direct Connect gateway. Advertise the VPC-B CIDR block under the allowed prefixes.
C. Configure another transit VIF on the Direct Connect connection and associate TGW-B. Advertise the VPC-B CIDR block under the allowed prefixes.
D. Configure inter-Region transit gateway peering between TGW-A and TGW-B. Add the peering routes in the transit gateway route tables. Add both the VPC-A and the VPC-B CIDR block under the allowed prefix list in the Direct Connect gateway association.
E. Configure an AWS Site-to-Site VPN connection over the transit VIF to TGW-B as a VPN attachment.

Answer: BD
Explanation:
B. A Direct Connect gateway can be associated with transit gateways in other Regions and other accounts: the owner of TGW-B (Account 2) creates an association proposal that the Direct Connect gateway owner (Account 1) accepts, with the VPC-B CIDR block in the allowed prefixes so it is advertised to the on-premises router over the existing transit VIF.
D. Inter-Region transit gateway peering between TGW-A and TGW-B, with static routes in both transit gateway route tables, carries VPC-B traffic to TGW-A and out over the existing transit VIF; the allowed prefixes on the TGW-A association must then include the VPC-B CIDR block as well as VPC-A's.
Inter-Region VPC peering (A) is not transitive, so VPC-B cannot reach the data center through VPC-A's attachment. Option C adds a second transit VIF, and the Direct Connect gateway it would attach to, that neither B nor D needs.

QUESTION 57
A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead.
Which solution will meet these requirements?

A. Launch an Amazon EC2 instance in the VPC. Use Traffic Mirroring by specifying the NAT gateway as the source and the EC2 instance as the destination. Analyze the captured traffic by using open-source tools to identify the AWS resources that are generating the suspicious traffic.
B. Use VPC flow logs. Launch a security information and event management (SIEM) solution in the VPC. Configure the SIEM solution to ingest the VPC flow logs. Run queries on the SIEM solution to identify the AWS resources that are generating the suspicious traffic.
C. Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.
D. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data stream. Send the data from the Kinesis data stream to an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Use Amazon Athena to query the data to identify the AWS resources that are generating the suspicious traffic.

Answer: C
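An added example (mine, not part of the question set) of the analysis step in option C, done on the flow log records themselves: it attributes accepted egress flows to deny-listed destinations back to the elastic network interface and private IP that produced them, and builds the equivalent CloudWatch Logs Insights query. The records, the deny list and the NAT gateway's private IP (10.0.0.100) are all constructed for the example, using documentation address ranges.

```python
"""Attribute egress flows to deny-listed destinations back to the ENI that produced them."""
from collections import defaultdict

# Default (version 2) VPC flow log record layout, space separated.
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
    "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]

# Constructed sample: two instance ENIs, the NAT gateway's own ENI (eni-...nat0),
# a rejected flow and a NODATA record.
SAMPLE_FLOW_LOGS = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 198.51.100.23 44321 443 6 120 98765 1677664800 1677664860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 93.184.216.34 44322 443 6 10 900 1677664800 1677664860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 203.0.113.200 50100 6667 6 2000 1500000 1677664800 1677664860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60002 10.0.2.40 198.51.100.23 50101 443 6 5 400 1677664800 1677664860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6nat0 10.0.0.100 198.51.100.23 1024 443 6 120 98765 1677664800 1677664860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60003 - - - - - - - 1677664800 1677664860 - NODATA
"""

DENY_LIST = {"198.51.100.23", "203.0.113.200"}  # constructed deny list
NAT_GATEWAY_PRIVATE_IPS = {"10.0.0.100"}        # assumed private IP of the NAT gateway


def parse_flow_log_line(line):
    """Split one default-format record; numeric fields are converted only for OK records."""
    parts = line.split()
    if len(parts) != len(FLOW_LOG_FIELDS):
        raise ValueError("unexpected field count %d" % len(parts))
    rec = dict(zip(FLOW_LOG_FIELDS, parts))
    if rec["log_status"] == "OK":  # NODATA / SKIPDATA records carry '-' in the traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
    return rec


def find_suspicious_sources(lines, deny_list, nat_private_ips=frozenset()):
    """Sum accepted egress traffic to deny-listed addresses per (interface, source IP).

    The NAT gateway's ENI also logs a copy of each flow with the gateway's own private
    address as source; those copies are skipped so the flow is attributed to the
    instance ENI, which is the resource the engineer needs to identify.
    """
    hits = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": set()})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_flow_log_line(line)
        if rec["log_status"] != "OK" or rec["action"] != "ACCEPT":
            continue
        if rec["dstaddr"] not in deny_list or rec["srcaddr"] in nat_private_ips:
            continue
        entry = hits[(rec["interface_id"], rec["srcaddr"])]
        entry["flows"] += 1
        entry["bytes"] += rec["bytes"]
        entry["destinations"].add(rec["dstaddr"])
    return dict(hits)


def insights_query(deny_list):
    """The same search as a CloudWatch Logs Insights query over a flow log group that
    receives the default format (Insights discovers these field names itself)."""
    addrs = ", ".join('"%s"' % a for a in sorted(deny_list))
    template = (
        "fields @timestamp, interfaceId, srcAddr, dstAddr, dstPort, bytes\n"
        '| filter action = "ACCEPT" and dstAddr in [%s]\n'
        "| stats sum(bytes) as totalBytes, count(*) as flows by interfaceId, srcAddr\n"
        "| sort totalBytes desc"
    )
    return template % addrs


if __name__ == "__main__":
    for (eni, src), info in find_suspicious_sources(
        SAMPLE_FLOW_LOGS.splitlines(), DENY_LIST, NAT_GATEWAY_PRIVATE_IPS
    ).items():
        print(eni, src, info["flows"], "flows", info["bytes"], "bytes ->", sorted(info["destinations"]))
    print(insights_query(DENY_LIST))
```

The interface ID is the pivot: once a flow is tied to an ENI, the EC2 or ENI describe calls give the instance, ECS task or other resource that owns it, which is the answer the question asks for.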

QUESTION 58
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company’s data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server.
How should the network engineer set up the Direct Connect connection to meet these requirements?

A. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
B. Create one hosted connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
C. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use one Direct Connect gateway for both VIFs to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.
D. Create one dedicated connection. Use a transit VIF to connect to the transit gateway in us-east-1. Use a private VIF to connect to the VPC in eu-west-1. Use two Direct Connect gateways, one for each VIF, to route from the Direct Connect locations to the corresponding AWS Region along the path that has the lowest latency.

Answer: D
Explanation:
A hosted connection carries exactly one virtual interface, so a design that needs both a transit VIF (for the transit gateway in us-east-1) and a private VIF (for the single VPC in eu-west-1) on one connection requires a dedicated connection. A Direct Connect gateway can be associated with either virtual private gateways or transit gateways, not both at once, so the two VIFs need two Direct Connect gateways. Each gateway then routes to its Region over the AWS backbone: traffic for the us-east-1 VPCs goes through the transit gateway, and traffic for the eu-west-1 VPC goes directly over the private VIF, which matches the policy that only that one VPC communicates with the one on-premises server.

QUESTION 59
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection.
What is the MOST scalable way to add VPCs with on-premises connectivity?

A. Provision a new Direct Connect connection to handle the additional VPCs. Use the new connection to connect additional VPCs.
B. Create virtual private gateways for each VPC that is over the service quota. Use AWS Site-to-Site VPN to connect the virtual private gateways to the corporate network.
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs. Configure a private VIF to connect to the corporate network.
D. Create a transit gateway, and attach the VPCs. Create a Direct Connect gateway, and associate it with the transit gateway. Create a transit VIF to the Direct Connect gateway.

Answer: D
Explanation:
When a company requires connectivity to multiple VPCs over AWS Direct Connect, a scalable solution is to use a transit gateway. A transit gateway is a hub that can interconnect multiple VPCs and VPN connections. The VPCs can communicate with each other over the transit gateway, and on-premises networks can communicate with the VPCs through the Direct Connect gateway. This solution provides a central point of management and simplifies the configuration of network routing. By associating the Direct Connect gateway with the transit gateway, traffic between the VPCs and the on-premises network can be routed through the Direct Connect connection.

QUESTION 60
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. Which configuration change should a network engineer implement to resolve this issue?

A. Configure the NAT gateway timeout to allow connections for up to 600 seconds.
B. Enable enhanced networking on the client EC2 instances.
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds.
D. Close idle TCP connections through the NAT gateway.

Answer: C
Explanation:
A NAT gateway drops a TCP connection that has been idle for 350 seconds, so a query that produces no traffic for 7 minutes (420 seconds) loses its NAT mapping and the response has nowhere to go. Enabling TCP keepalive on the client with an idle time below that timeout (the option's value of less than 300 seconds leaves margin) makes the kernel send probes through the NAT gateway while the query runs, which keeps the mapping alive. The NAT gateway timeout is not configurable (A), enhanced networking (B) does not affect idle connections, and closing idle connections (D) is the failure, not the fix.
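An added example (mine, not from the question set) of the client-side fix: the arithmetic that decides whether a keepalive setting preserves the NAT mapping, and the socket options an application on the EC2 instance would set. The 350-second figure is the documented NAT gateway idle timeout; the tuned values (120 s idle, 30 s interval, 5 probes) are a choice made for the example.

```python
"""TCP keepalive for long-lived connections through a NAT gateway."""
import socket

NAT_GATEWAY_IDLE_TIMEOUT_S = 350  # a NAT gateway drops a TCP connection idle for 350 s


def keepalive_plan(idle_s, interval_s, probes, timeout_s=NAT_GATEWAY_IDLE_TIMEOUT_S):
    """Report whether the first probe fires before the NAT gateway ages the flow out,
    and how long a silent peer takes to be declared dead (idle + interval * probes)."""
    return {
        "keeps_nat_mapping": idle_s < timeout_s,
        "dead_peer_detected_after_s": idle_s + interval_s * probes,
    }


def enable_keepalive(sock, idle_s=120, interval_s=30, probes=5):
    """Enable keepalive on a socket so the kernel sends probes while the query runs.

    TCP_KEEPIDLE / TCP_KEEPINTVL / TCP_KEEPCNT are the Linux names; macOS exposes the
    idle timer as TCP_KEEPALIVE, so the constants are looked up rather than assumed.
    Returns the values the kernel reports back after setting them.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {"SO_KEEPALIVE": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    idle_opt = getattr(socket, "TCP_KEEPIDLE", None) or getattr(socket, "TCP_KEEPALIVE", None)
    for name, opt, value in (
        ("idle_s", idle_opt, idle_s),
        ("interval_s", getattr(socket, "TCP_KEEPINTVL", None), interval_s),
        ("probes", getattr(socket, "TCP_KEEPCNT", None), probes),
    ):
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Linux kernel defaults (7200 s idle) never probe before the NAT gateway times out.
    print("kernel defaults:", keepalive_plan(7200, 75, 9))
    print("tuned:", keepalive_plan(120, 30, 5))
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("applied:", enable_keepalive(s))
```

The same effect system-wide on Linux comes from the sysctls net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_intvl and net.ipv4.tcp_keepalive_probes; applications that open their own sockets can set the options per connection as above, and most database drivers expose them as connection parameters.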

QUESTION 61
A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB.
The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process. What should a network engineer do to resolve this issue?

A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level stickiness. Set the duration to the maximum application session length.
B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.
C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.
D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue certificates for each EC2 instance.

Answer: C

QUESTION 62
A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware. Which solution will meet this requirement with the LEAST operational effort?

A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.

Answer: A
Explanation:
This solution involves using Amazon GuardDuty to monitor network traffic and analyze DNS requests and VPC flow logs for suspicious activity. This will allow the company to identify when an application is spreading malware by monitoring the network traffic patterns associated with the instance. GuardDuty is a fully managed threat detection service that continuously monitors for malicious activity and unauthorized behavior in your AWS accounts and workloads. It requires minimal setup and configuration and can be integrated with other AWS services for automated remediation. This solution requires the least operational effort compared to the other options.

QUESTION 63
A company has two AWS accounts one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?

A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts
2. In the Connectivity account: Accept the resource.
3. In the Connectivity account: Create an attachment to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts.
2. In the Connectivity account: Accept the resource.
3. In the Production account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets.
4. In the Production account: Accept the attachment. Associate a route table with the attachment.
D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts.
2. In the Production account: Accept the resource.
3. In the Production account: Create an attachment to the VPC subnets.
4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.

Answer: D
Explanation:
Step 1: The transit gateway belongs to the Connectivity account, so that account shares it through AWS Resource Access Manager with the Production account; sharing with an account outside the organization requires enabling sharing with external accounts.
Step 2: The Production account accepts the resource share invitation, after which the shared transit gateway is visible in its console and API.
Step 3: The Production account owns the VPC, so it creates the transit gateway attachment for that VPC, selecting one subnet per Availability Zone.
Step 4: Because auto accept is disabled, the transit gateway owner (the Connectivity account) must accept the pending attachment and associate it with a transit gateway route table. The VPC route table entries that point at the transit gateway are then added in the Production account.
Options A and B place the transit gateway in the wrong account, and C shares subnets, which is not how a VPC is attached to a transit gateway in another account.

QUESTION 64
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route. The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?

A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway.
C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.

Answer: C
Explanation:
Option C keeps the EC2 instances in the private subnets, so they are not directly reachable from the internet, and reaches Amazon S3 through a gateway endpoint, which keeps the traffic on the AWS network and has no hourly or per-GB charge. Specifying the private subnets' route table during endpoint creation adds the S3 prefix-list route that the instances need. A NAT gateway (B) bills per GB processed, and an interface endpoint (A, D) bills per hour per Availability Zone and per GB, so neither minimizes data transfer cost.

QUESTION 65
A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture. The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?

A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.
B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.

Answer: D
Explanation:
Launch templates can define multiple network interfaces but cannot associate an Elastic IP address, and an address from a BYOIP pool has to be associated explicitly. Selecting the subnets for the primary network interface when the Auto Scaling group is created, then using user data to attach a second network interface in a public subnet and associate the BYOIP Elastic IP address with it, gives every new instance the required address without manual steps. Options A and B rely on auto-assigned public IP addresses rather than the BYOIP pool, and C does not attach a second interface at all.

QUESTION 66
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group. The company’s operations team notices that traffic is being routed only to the instances in the first Availability Zone.
What is the MOST operationally efficient solution to resolve this issue?

A. Enable the new Availability Zone on the NLB
B. Create a new NLB for the instances in the second Availability Zone
C. Enable proxy protocol on the NLB
D. Create a new target group with the instances in both Availability Zones

Answer: A
Explanation:
When adding instances in a new Availability Zone to an existing Network Load Balancer (NLB), it is important to ensure that the new Availability Zone is enabled on the NLB. This will allow traffic to be routed to instances in both Availability Zones. This can be done by editing the settings of the NLB and selecting the new Availability Zone from the list of available zones.

QUESTION 67
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name.
The company’s security policy requires the traffic to be encrypted in transit at all times between the users and the backend.
Which combination of changes must the company make to meet this security requirement? (Choose three.)

A. Create a self-signed certificate for service.example.com. Import the certificate into AWS Certificate Manager (ACM). Configure CloudFront to use this imported SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
B. Create a certificate for service.example.com by using AWS Certificate Manager (ACM). Configure CloudFront to use this custom SSL/TLS certificate. Change the default behavior to redirect HTTP to HTTPS.
C. Create a certificate with any domain name by using AWS Certificate Manager (ACM) for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
D. Create a public certificate from a third-party certificate provider with any domain name for the EC2 instances. Configure the backend to use this certificate for its HTTPS listener. Specify the instance target type during the creation of a new target group that uses the HTTPS protocol for its targets. Attach the existing Auto Scaling group to this new target group.
E. Create a certificate for service-alb.example.com by using AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.
F. Create a self-signed certificate for service-alb.example.com. Import the certificate into AWS Certificate Manager (ACM). On the ALB add a new HTTPS listener that uses the new target group and the imported service-alb.example.com ACM certificate. Modify the CloudFront origin to use the HTTPS protocol only. Delete the HTTP listener on the ALB.

Answer: BDE

QUESTION 68
Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.
What are the minimum requirements for your router?

A. 1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
B. 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
C. IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5
D. BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel

Answer: B

QUESTION 69
Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?

A. Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254
B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443

Answer: C
Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
To view all categories of instance metadata from within a running instance, use the following URI.
http://169.254.169.254/latest/meta-data/

QUESTION 70
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?

A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs, enable source/destination NAT in the Management VPC.
D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

Answer: D
Explanation:
Creating VPC peering is free of charge. Traffic costs ~0.01/GB for VPC peering (IN + OUT) and ~0.02/GB for Direct Connect (OUT only). Because the communication involved in monitoring will never have IN == OUT, 0.01 * (IN + OUT) will always be lower than 0.02 * OUT, so VPC peering will be cheaper.

QUESTION 71
Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.
You must prepare the system for global expansion. The end users must access the application with lowest latency.
How should you use AWS services to meet these requirements?

A. Register the IP addresses of the service hosts as “A” records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
B. Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
C. Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
D. Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.

Answer: A
Explanation:
ELB does not support UDP; only NLB does.

QUESTION 72
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
The Network ACL for the subnet is configured to allow as follows:
Protocol: TCP
Port: 80 inbound, nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?

A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535

Answer: D
Explanation:
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port. The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/

QUESTION 73
An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message:
“There are not enough free addresses in subnet 'subnet-12345677' to satisfy the requested number of instances.”
What action will resolve the availability problem?

A. Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
B. Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
C. Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
D. Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.

Answer: B
Explanation:
EC2 instances must have IPv4 in addition to IPv6, so it is the IPv4 range that has to be extended. As a subnet CIDR cannot be modified, we need to create a new subnet, associate the new IPv4 CIDR and the existing IPv6 CIDR with it, and add it to the Auto Scaling group.

QUESTION 74
An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

A. Use an internet connection.
B. Set up an AWS VPN connection.
C. Provision an AWS Direct Connect private virtual interface.
D. Provision a Direct Connect public virtual interface.

Answer: A
Explanation:
If minimal cost is the most important point, AWS ingress internet traffic is free. Direct Connect traffic is cheaper for outgoing traffic, but you’ll pay a fixed fee for the connection. And no VPN is needed, as the backup software takes care of the encryption.

QUESTION 75
All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

A. The NAT gateway does not support UDP traffic.
B. The authentication server is not accepting traffic.
C. The NAT gateway cannot allocate more ports.
D. The NAT gateway is launched in a private subnet.

Answer: C
Explanation:
A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html


Resources From:

1.2023 Latest Braindump2go ANS-C01 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/ans-c01.html

2.2023 Latest Braindump2go ANS-C01 PDF and ANS-C01 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1l_8zUaGGHOED0OZGVvaaxcDC_V1R6CWN?usp=sharing

3.2023 Free Braindump2go ANS-C01 Exam Questions Download:
https://www.braindump2go.com/free-online-pdf/ANS-C01 PDF Dumps(35-75).pdf

Free Resources from Braindump2go. We are devoted to helping you 100% pass all exams!

[November-2022]Real SOA-C02 PDF Dumps and SOA-C02 VCE SOA-C02 380Q-Braindump2go[Q322-Q355]

November/2022 Latest Braindump2go SOA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SOA-C02 Real Exam Questions!

QUESTION 322
A company is creating a new multi-account architecture. A Sysops administrator must implement a login solution to centrally manage user access and permissions across all AWS accounts. The solution must be integrated with AWS Organizations and must be connected to a third-party Security Assertion Markup Language (SAML) 2.0 identity provider (IdP).
What should the SysOps administrator do to meet these requirements?

A. Configure an Amazon Cognito user pool. Integrate the user pool with the third-party IdP.
B. Enable and configure AWS Single Sign-On with the third-party IdP.
C. Federate the third-party IdP with AWS Identity and Access Management (IAM) for each AWS account in the organization.
D. Integrate the third-party IdP directly with AWS Organizations.

Answer: A

[September-2022]Real SAA-C03 PDF Dumps SAA-C03 210Q Free Download in Braindump2go[Q95-Q125]

September/2022 Latest Braindump2go SAA-C03 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SAA-C03 Real Exam Questions!

QUESTION 95
A company hosts its product information webpages on AWS. The existing solution uses multiple Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group. The website also uses a custom DNS name and communicates with HTTPS only using a dedicated SSL certificate. The company is planning a new product launch and wants to be sure that users from around the world have the best possible experience on the new website.
What should a solutions architect do to meet these requirements?

A. Redesign the application to use Amazon CloudFront
B. Redesign the application to use AWS Elastic Beanstalk
C. Redesign the application to use a Network Load Balancer.
D. Redesign the application to use Amazon S3 static website hosting

Answer: A
Explanation:
CloudFront can help provide the best experience for global users. CloudFront integrates seamlessly with ALB and provides an option to use custom DNS names and SSL certificates.

[September-2022]Braindump2go SOA-C02 266Q SOA-C02 Dumps Offered for Free Downloading[Q219-Q249]

September/2022 Latest Braindump2go SOA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SOA-C02 Real Exam Questions!

QUESTION 219
A company’s customers are reporting increased latency while accessing static web content from Amazon S3.
A SysOps administrator observed a very high rate of read operations on a particular S3 bucket.
What will minimize latency by reducing load on the S3 bucket?

A. Migrate the S3 bucket to a region that is closer to end users’ geographic locations
B. Use cross-region replication to replicate all of the data to another region
C. Create an Amazon CloudFront distribution with the S3 bucket as the origin.
D. Use Amazon ElastiCache to cache data being served from Amazon S3

Answer: C

[September-2022]Full Version DVA-C01 Exam Dumps (PDF and VCE) DVA-C01 860Q for Free Download[Q824-Q846]

September/2022 Latest Braindump2go DVA-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go DVA-C01 Real Exam Questions!

QUESTION 824
A developer is building a web and mobile application for two types of users: regular users and guest users.
Regular users are required to log in, but guest users do not log in. Users should see only their data regardless of whether they authenticate.
Users need AWS credentials before they can access AWS resources.
What is the MOST secure solution that the developer can implement to allow access for guest users?

A. Use an Amazon Cognito credentials provider to issue temporary credentials that are linked to an unauthenticated role that has access to the required resources.
B. Set up an IAM user that has permissions to the required resources. Hardcode the IAM credentials in the web and mobile application.
C. Generate temporary keys that are stored in AWS Key Management Service (AWS KMS). Use the temporary keys to access the required resources.
D. Generate temporary credentials. Store the temporary credentials in AWS Secrets Manager. Use the temporary credentials to access the required resources.

Answer: D

[June-2022]Valid SAA-C02 VCE Dumps Free Download in Braindump2go[Q999-Q1034]

June/2022 Latest Braindump2go SAA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAA-C02 Real Exam Questions!

QUESTION 999
A company is planning to move its data to an Amazon S3 bucket.
The data must be encrypted when it is stored in the S3 bucket.
Additionally, the encryption key must be automatically rotated every year.
Which solution will meet these requirements with the LEAST operational overhead?

A. Move the data to the S3 bucket. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
B. Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket.
C. Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket. Manually rotate the KMS key every year.
D. Encrypt the data with customer key material before moving the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.

Answer: A

[March-2022]100% Exam Pass-SAP-C01 Exam Questions PDF Free from Braindump2go[Q983-Q1002]

March/2022 New Braindump2go SAP-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAP-C01 Real Exam Questions!

QUESTION 983
A company in the United States (US) has acquired a company in Europe. Both companies use the AWS Cloud. The US company has built a new application with a microservices architecture. The US company is hosting the application across five VPCs in the us-east-2 Region. The application must be able to access resources in one VPC in the eu-west-1 Region. However, the application must not be able to access any other VPCs.
The VPCs in both Regions have no overlapping CIDR ranges. All Accounts are already consolidated in one organization in AWS Organizations.
Which solution will meet these requirements MOST cost-effectively?

A. Create one transit gateway in eu-west-1. Attach the VPCs in us-east-2 and the VPC in eu-west-1 to the transit gateway. Create the necessary route entries in each VPC so that the traffic is routed through the transit gateway.
B. Create one transit gateway in each Region. Attach the involved subnets to the regional transit gateway. Create the necessary route entries in the associated route tables for each subnet so that the traffic is routed through the regional transit gateway. Peer the two transit gateways.
C. Create a full mesh VPC peering connection configuration between all the VPCs. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.
D. Create one VPC peering connection for each VPC in us-east-2 to the VPC in eu-west-1. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.

Answer: B
Explanation:
https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

[January-2022]SAA-C02 Dumps PDF Free and SAA-C02 Dumps VCE Free Download from Braindump2go[Q874-Q897]

January/2022 Latest Braindump2go SAA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAA-C02 Real Exam Questions!

QUESTION 874
A company needs to send large amounts of data from its data center to an Amazon S3 bucket on a regular basis.
The data must be encrypted and must be transferred over a network that provides consistent bandwidth and low latency.
What should a solutions architect do to meet these requirements?

A. Use an AWS Direct Connect connection
B. Use an AWS VPN CloudHub connection
C. Use HTTPS TLS for encryption of data in transit
D. Use a gateway VPC endpoint to access Amazon S3

Answer: B

[November-2021]Free Braindump2go DAS-C01 PDF Dumps Download DAS-C01 140Q[Q122-Q132]

November/2021 Latest Braindump2go DAS-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new DAS-C01 Real Exam Questions!

QUESTION 122
A company has a marketing department and a finance department. The departments are storing data in Amazon S3 in their own AWS accounts in AWS Organizations. Both departments use AWS Lake Formation to catalog and secure their data. The departments have some databases and tables that share common names.
The marketing department needs to securely access some tables from the finance department.
Which two steps are required for this process? (Choose two.)

A. The finance department grants Lake Formation permissions for the tables to the external account for the marketing department.
B. The finance department creates cross-account IAM permissions to the table for the marketing department role.
C. The marketing department creates an IAM role that has permissions to the Lake Formation tables.

Answer: AB
Explanation:
Granting Lake Formation Permissions
Creating an IAM role (AWS CLI)
Reference:
https://docs.aws.amazon.com/lake-formation/latest/dg/lake-formation-permissions.html
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

[October-2021]Exam Pass 100%!Braindump2go SAA-C02 Exam VCE SAA-C02 711Q Instant Download[Q724-Q745]

October/2021 Latest Braindump2go SAA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAA-C02 Real Exam Questions!

QUESTION 724
A company is building a new furniture inventory application. The company has deployed the application on a fleet of Amazon EC2 instances across multiple Availability Zones. The EC2 instances run behind an Application Load Balancer (ALB) in their VPC.
A solutions architect has observed that incoming traffic seems to favor one EC2 instance resulting in latency for some requests.
What should the solutions architect do to resolve this issue?

A. Disable session affinity (sticky sessions) on the ALB
B. Replace the ALB with a Network Load Balancer
C. Increase the number of EC2 instances in each Availability Zone
D. Adjust the frequency of the health checks on the ALB’s target group

Answer: B

[October-2021]Real Exam Questions-Braindump2go SCS-C01 VCE and PDF SCS-C01 547Q Download[Q503-Q535]

October/2021 Latest Braindump2go SCS-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SCS-C01 Real Exam Questions!

QUESTION 503
A company needs to migrate several applications to AWS. This will require storing more than 5,000 credentials. To meet compliance requirements, the company will use its existing password management system for key rotation, auditing, and integration with third-party secrets containers. The company has a limited budget and is seeking the most cost-effective solution that is still secure.
How should the company accomplish this at the LOWEST cost?

A. Configure the company’s key management solution to integrate with AWS Systems Manager Parameter Store.
B. Configure the company’s key management solution to integrate with AWS Secrets Manager.
C. Use an Amazon S3 encrypted bucket to store the secrets and configure the applications with the appropriate roles to access the secrets.
D. Configure the company’s key management solution to integrate with AWS CloudHSM.

Answer: D

[October-2021]MLS-C01 VCE and PDF MLS-C01 181Q Instant Download in Braindump2go[Q158-Q171]

October/2021 Latest Braindump2go MLS-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new MLS-C01 Real Exam Questions!

QUESTION 158
A company needs to quickly make sense of a large amount of data and gain insight from it. The data is in different formats, the schemas change frequently, and new data sources are added regularly. The company wants to use AWS services to explore multiple data sources, suggest schemas, and enrich and transform the data. The solution should require the least possible coding effort for the data flows and the least possible infrastructure management.
Which combination of AWS services will meet these requirements?

A. Amazon EMR for data discovery, enrichment, and transformation
Amazon Athena for querying and analyzing the results in Amazon S3 using standard SQL
Amazon QuickSight for reporting and getting insights
B. Amazon Kinesis Data Analytics for data ingestion
Amazon EMR for data discovery, enrichment, and transformation
Amazon Redshift for querying and analyzing the results in Amazon S3
C. AWS Glue for data discovery, enrichment, and transformation
Amazon Athena for querying and analyzing the results in Amazon S3 using standard SQL
Amazon QuickSight for reporting and getting insights
D. AWS Data Pipeline for data transfer
AWS Step Functions for orchestrating AWS Lambda jobs for data discovery, enrichment, and transformation
Amazon Athena for querying and analyzing the results in Amazon S3 using standard SQL
Amazon QuickSight for reporting and getting insights

Answer: A

[September-2021]SOA-C02 Free Dumps SOA-C02 157Q from Braindump2go Guarantee 100% Passing SOA-C02 Exam[Q120-Q143]

September/2021 Latest Braindump2go SOA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SOA-C02 Real Exam Questions!

QUESTION 120
A SysOps administrator is troubleshooting connection timeouts to an Amazon EC2 instance that has a public IP address. The instance has a private IP address of 172.31.16.139. When the SysOps administrator tries to ping the instance’s public IP address from the remote IP address 203.0.113.12, the response is “request timed out.” The flow logs contain the following information:

What is one cause of the problem?

A. Inbound security group deny rule
B. Outbound security group deny rule
C. Network ACL inbound rules
D. Network ACL outbound rules

Answer: D

[June-2021]AWS-SysOps VCE and AWS-SysOps PDF Dumps Free Download in Braindump2go[Q967-Q983]

June/2021 Latest Braindump2go AWS-SysOps Exam Dumps with PDF and VCE Free Updated Today! Following are some new AWS-SysOps Real Exam Questions!

QUESTION 967
A company runs a multi-tier web application with two Amazon EC2 instances in one Availability Zone in the us-east-1 Region. A SysOps administrator must migrate one of the EC2 instances to a new Availability Zone.
Which solution will accomplish this?

A. Copy the EC2 instance to a different Availability Zone. Terminate the original instance.
B. Create an Amazon Machine Image (AMI) from the EC2 instance and launch it in a different Availability Zone. Terminate the original instance.
C. Move the EC2 instance to a different Availability Zone using the AWS CLI.
D. Stop the EC2 instance, modify the Availability Zone, and start the instance.

Answer: B

[June-2021]Braindump2go SAA-C02 Exam PDF and VCE SAA-C02 669Q for 100% Passing SAA-C02 Exam[Q654-Q669]

June/2021 Latest Braindump2go SAA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAA-C02 Real Exam Questions!

QUESTION 654
A company is building a web-based application running on Amazon EC2 instances in multiple Availability Zones. The web application will provide access to a repository of text documents totaling about 900 TB in size. The company anticipates that the web application will experience periods of high demand. A solutions architect must ensure that the storage component for the text documents can scale to meet the demand of the application at all times. The company is concerned about the overall cost of the solution.
Which storage solution meets these requirements MOST cost-effectively?

A. Amazon Elastic Block Store (Amazon EBS)
B. Amazon Elastic File System (Amazon EFS)
C. Amazon Elasticsearch Service (Amazon ES)
D. Amazon S3

Answer: C

[April-2021]Free AWS-SysOps Exam VCE and PDF Dumps Offered by Braindump2go[Q953-Q966]

April/2021 Latest Braindump2go AWS-SysOps Exam Dumps with PDF and VCE Free Updated Today! Following are some new AWS-SysOps Real Exam Questions!

QUESTION 953
A company is migrating its Exchange server from its on-premises location to a VPC in the AWS Cloud. Users working from home connect using a secure, encrypted channel over the internet to the Exchange server. However, after the migration to AWS, users are having trouble receiving email.
The VPC flow log records display the following.

A. SMTP traffic from the network interface was blocked by an outbound network ACL
B. SMTP traffic from the network interface was blocked by an outbound security group
C. SMTP traffic to the network interface was blocked by an inbound network ACL
D. SMTP traffic to the network interface was blocked by an inbound security group

Answer: A

QUESTION 954
A SysOps administrator is configuring an application on AWS to be used over the internet by departments in other countries. For remote locations, the company requires a static public IP address to be explicitly allowed as a target for outgoing internet traffic. How should the SysOps administrator deploy the application to meet this requirement?

A. Deploy the application on an Amazon Elastic Container Service (Amazon ECS) cluster Configure an AWS App Mesh service mesh.
B. Deploy the application as AWS Lambda functions behind an Application Load Balancer
C. Deploy the application on Amazon EC2 instances behind an internet-facing Network Load Balancer
D. Deploy the application on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster behind an Amazon API Gateway

Answer: C

QUESTION 955
A SysOps administrator needs to register targets for a Network Load Balancer (NLB) using IP addresses. Which prerequisite should the SysOps administrator validate to perform this task?

A. Ensure the NLB listener security policy is set to ELBSecurityPolicy-TLS-1-2-Ext-2018-06, ELBSecurityPolicy-FS-1-2-Res-2019-08 or ELBSecurityPolicy-TLS-1-0-2015-04
B. Ensure the health check setting on the NLB for the Matcher configuration is between 200 and 399
C. Ensure the targets are within any of these CIDR blocks: 10.0.0.0/8 (RFC 1918), 100.64.0.0/10 (RFC 6598), 172.16.0.0/12 (RFC 1918), or 192.168.0.0/16 (RFC 1918).
D. Ensure the NLB is exposed as an endpoint service before registering the targets using IP addresses

Answer: A

QUESTION 956
A SysOps administrator must deploy a company’s infrastructure as code (IaC). The administrator needs to write a single template that can be reused for multiple environments in a safe, repeatable manner.
How should the administrator meet this requirement by using AWS CloudFormation?

A. Use duplicate resource definitions for each environment selected based on conditions
B. Use nested stacks to provision the resources
C. Use parameter references and mappings for resource attributes
D. Use AWS CloudFormation StackSets to provision the resources

Answer: B

QUESTION 957
Which type of routing protocol operates by exchanging the entire routing table?

A. exterior gateway protocols
B. link-state protocols
C. distance-vector protocols
D. Path-vector protocols

Answer: B

QUESTION 958
Which component of an Ethernet frame is used to notify a host that traffic is coming?

A. Type field
B. Preamble
C. Data field
D. start of frame delimiter

Answer: B

QUESTION 959
Which command must be present in a Cisco device configuration to enable the device to resolve an FQDN?

A. ip domain-name
B. ip domain-lookup
C. ip host
D. ip name-server

Answer: B

QUESTION 960
A company has an application that is hosted on two Amazon EC2 instances in different Availability Zones. Both instances contain data that is critical for the company’s business. Backups need to be retained for 7 days and need to be updated every 12 hours.
Which solution will meet these requirements with the LEAST amount of effort?

A. Use an Amazon EventBridge (Amazon CloudWatch Events) scheduled rule to create snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
B. Use Amazon Data Lifecycle Manager (Amazon DLM) to create a snapshot lifecycle policy for both instances.
C. Create a batch job to generate automated snapshots of the Amazon Elastic Block Store (Amazon EBS) volumes.
D. Create an AWS Lambda function to copy the data to Amazon S3 Glacier.

Answer: A
Explanation:
https://docs.aws.amazon.com/eventbridge/latest/userguide/take-scheduled-snapshot.html

QUESTION 961
A SysOps administrator is re-architecting an application. The SysOps administrator has moved the database from a public subnet, where the database used a public endpoint, into a private subnet to restrict access from the public network. After this change, an AWS Lambda function that requires read access to the database cannot connect to the database. The SysOps administrator must resolve this issue without compromising security.
Which solution meets these requirements?

A. Create an AWS PrivateLink interface endpoint for the Lambda function. Connect to the database using its private endpoint.
B. Connect the Lambda function to the database VPC. Connect to the database using its private endpoint.
C. Attach an IAM role to the Lambda function with read permissions to the database.
D. Move the database to a public subnet. Use security groups for secure access.

Answer: D
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/internet-access-lambda-function/

QUESTION 962
A company that hosts a multi-tier ecommerce web application on AWS has been alerted to suspicious application traffic. The architecture consists of Amazon EC2 instances deployed across multiple Availability Zones behind an Application Load Balancer (ALB). After examining the instance logs, a SysOps administrator determines that the suspicious traffic is an attempted SQL injection attack.
What should the SysOps administrator do to prevent similar attacks?

A. Create an Amazon CloudFront distribution with the ALB as the origin. Enable AWS Shield Advanced to protect from SQL injection attacks at edge locations.
B. Create an AWS WAF web ACL, and configure a SQL injection rule to add to the web ACL. Associate the WAF web ACL with the ALB.
C. Enable Amazon GuardDuty. Use Amazon EventBridge (Amazon CloudWatch Events) to trigger an AWS Lambda function every time GuardDuty detects SQL injection.
D. Install Amazon Inspector on the EC2 instances, and configure a rules package. Use the findings reports to identify and block SQL injection attacks.

Answer: A

QUESTION 963
An Amazon EC2 instance has a secondary Amazon Elastic Block Store (EBS) volume attached that contains sensitive data. A new company policy requires the secondary volume to be encrypted at rest.
Which solution will meet this requirement?

A. Create a snapshot of the volume. Create a new volume from the snapshot with the Encrypted parameter set to true. Detach the original volume and attach the new volume to the instance.
B. Create an encrypted Amazon Machine Image (AMI) of the EC2 instance. Launch a new instance with the encrypted AMI. Terminate the original instance.
C. Stop the EC2 instance. Encrypt the volume with AWS CloudHSM. Start the instance and verify encryption.
D. Stop the EC2 instance. Modify the instance properties and set the Encrypted parameter to true. Start the instance and verify encryption.

Answer: A

QUESTION 964
A SysOps administrator recently launched an application consisting of web servers running on Amazon EC2 instances, an Amazon ElastiCache cluster communicating on port 6379, and an Amazon RDS for PostgreSQL DB instance communicating on port 5432. The web servers are in the security group web-sg, the ElastiCache cluster is in the security group cache-sg, and the DB instance is in the security group database-sg.
The application fails on start, with the error message “Unable to connect to the database”.
The rules in web-sg are as follows.

Which change should the SysOps administrator make to web-sg to correct the issue without compromising security?

A. Add a new inbound rule:
database-sg TCP 5432
B. Add a new outbound rule:
database-sg TCP 5432
C. Add a new outbound rule:
0.0.0.0/0 All Traffic 0-65535
D. Change the outbound rule to:
cache-sg TCP 5432

Answer: A

QUESTION 965
A kernel patch for AWS Linux has been released, and systems need to be updated to the new version. A SysOps administrator must apply an in-place update to an existing Amazon EC2 instance without replacing the instance.
How should the SysOps administrator apply the new software version to the instance?

A. Add the instance to a patch group and patch baseline containing the desired patch by using AWS Systems Manager Patch Manager.
B. Develop a new version of the instance’s Amazon Machine Image (AMI). Apply that new AMI to the instance.
C. Develop a new user data script containing the patch. Configure the instance with the new script.
D. Run commands on the instance remotely using the AWS CLI.

Answer: A

QUESTION 966
A company needs to implement a system for object-based storage in a write-once, read-many (WORM) model. Objects cannot be deleted or changed after they are stored, even by an AWS account root user or administrators.
Which solution will meet these requirements?

A. Set up Amazon S3 Cross-Region Replication and run daily updates.
B. Set up Amazon S3 Object Lock in governance mode with S3 Versioning enabled.
C. Set up Amazon S3 Object Lock in compliance mode with S3 Versioning enabled.
D. Set up an Amazon S3 Lifecycle policy to move the objects to Amazon S3 Glacier.

Answer: B
Explanation:
https://aws.amazon.com/blogs/storage/protecting-data-with-amazon-s3-object-lock/


Resources From:

1. 2021 Latest Braindump2go AWS-SysOps Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/aws-sysops.html

2. 2021 Latest Braindump2go AWS-SysOps PDF and AWS-SysOps VCE Dumps Free Share:
https://drive.google.com/drive/folders/1-kckNIRM9eMaU2urIinqFqegqkOXzZ8e?usp=sharing

3. 2021 Free Braindump2go AWS-SysOps Exam Questions Download:
https://www.braindump2go.com/free-online-pdf/AWS-SysOps-PDF-Dumps(953-966).pdf

Free Resources from Braindump2go. We Are Devoted to Helping You 100% Pass All Exams!

[March-2021] DVA-C01 Exam DVA-C01 PDF Dumps Free Download in Braindump2go [Q658-Q679]

2021/March Latest Braindump2go AWS-Developer-Associate Exam Dumps with PDF and VCE Free Updated Today! Following are some new AWS-Developer-Associate Real Exam Questions!

QUESTION 658
A developer is building an application that runs behind an Application Load Balancer (ALB).
The application is configured as the origin for an Amazon CloudFront distribution.
Users will log in to the application using their social media accounts.
How can the developer authenticate and authorize users?

A. Validate the user by inspecting the tokens using AWS Lambda authorizers on the ALB.
B. Configure the ALB to use Amazon Cognito as one of the authentication providers.
C. Configure CloudFront to use Amazon Cognito as one of the authentication providers.
D. Authorize the users by calling the Amazon Cognito API in the AWS Lambda authorizer on the ALB.

Answer: C

[2020-November-New] SAA-C02 Exam Dumps SAA-C02 445Q Free Shared by Braindump2go [Q402-Q425]

2020/November Latest Braindump2go SAA-C02 Exam Dumps with PDF and VCE Free Updated Today! Following are some new SAA-C02 Real Exam Questions!

QUESTION 402
A solutions architect is creating a new VPC design. There are two public subnets for the load balancer, two private subnets for web servers, and two private subnets for MySQL. The web servers use only HTTPS. The solutions architect has already created a security group for the load balancer allowing port 443 from 0.0.0.0/0. Company policy requires that each resource has the least access required to still be able to perform its tasks.
Which additional configuration strategy should the solutions architect use to meet these requirements?

A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0.
Create a security group for the MySQL servers and allow port 3306 from the web servers security group.
B. Create a network ACL for the web servers and allow port 443 from 0.0.0.0/0.
Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.
C. Create a security group for the web servers and allow port 443 from the load balancer.
Create a security group for the MySQL servers and allow port 3306 from the web servers security group.
D. Create a network ACL for the web servers and allow port 443 from the load balancer.
Create a network ACL for the MySQL servers and allow port 3306 from the web servers security group.

Answer: C

QUESTION 403
A company runs an application on an Amazon EC2 instance backed by Amazon Elastic Block Store (Amazon EBS).
The instance needs to be available for 12 hours daily.
The company wants to save costs by making the instance unavailable outside the window required for the application.
However, the contents of the instance's memory must be preserved whenever the instance is unavailable.
What should a solutions architect do to meet this requirement?

A. Stop the instance outside the application's availability window.
Start up the instance again when required.
B. Hibernate the instance outside the application's availability window.
Start up the instance again when required.
C. Use Auto Scaling to scale down the instance outside the application’s availability window.
Scale up the instance when required.
D. Terminate the instance outside the application’s availability window.
Launch the instance by using a preconfigured Amazon Machine Image (AMI) when required.

Answer: B

QUESTION 404
A company is migrating to the AWS Cloud. A file server is the first workload to migrate.
Users must be able to access the file share using the Server Message Block (SMB) protocol.
Which AWS managed service meets these requirements?

A. Amazon EBS
B. Amazon EC2
C. Amazon FSx
D. Amazon S3

Answer: B

QUESTION 405
A solutions architect needs to design a resilient solution for Windows users’ home directories.
The solution must provide fault tolerance, file-level backup and recovery, and access control, based upon the company’s Active Directory.
Which storage solution meets these requirements?

A. Configure Amazon S3 to store the users’ home directories.
Join Amazon S3 to Active Directory.
B. Configure a Multi-AZ file system with Amazon FSx for Windows File Server.
Join Amazon FSx to Active Directory.
C. Configure Amazon Elastic File System (Amazon EFS) for the users’ home directories.
Configure AWS Single Sign-On with Active Directory.
D. Configure Amazon Elastic Block Store (Amazon EBS) to store the users’ home directories.
Configure AWS Single Sign-On with Active Directory.

Answer: A

QUESTION 406
A company has a legacy application that processes data in two parts.
The second part of the process takes longer than the first, so the company has decided to rewrite the application as two microservices running on Amazon ECS that can scale independently.
How should a solutions architect integrate the microservices?

A. Implement code in microservice 1 to send data to an Amazon S3 bucket.
Use S3 event notifications to invoke microservice 2.
B. Implement code in microservice 1 to publish data to an Amazon SNS topic.
Implement code in microservice 2 to subscribe to this topic.
C. Implement code in microservice 1 to send data to Amazon Kinesis Data Firehose.
Implement code in microservice 2 to read from Kinesis Data Firehose.
D. Implement code in microservice 1 to send data to an Amazon SQS queue.
Implement code in microservice 2 to process messages from the queue.

Answer: A

QUESTION 407
A company hosts its application using Amazon Elastic Container Service (Amazon ECS) and wants to ensure high availability.
The company wants to be able to deploy updates to its application even if nodes in one Availability Zone are not accessible.
The expected request volume for the application is 100 requests per second, and each container task is able to serve at least 60 requests per second.
The company set up Amazon ECS with a rolling update deployment type with the minimum healthy percent parameter set to 50% and the maximum percent set to 100%.
Which configuration of tasks and Availability Zones meets these requirements?

A. Deploy the application across two Availability Zones, with one task in each Availability Zone.
B. Deploy the application across two Availability Zones, with two tasks in each Availability Zone.
C. Deploy the application across three Availability Zones, with one task in each Availability Zone.
D. Deploy the application across three Availability Zones, with two tasks in each Availability Zone.

Answer: A

QUESTION 408
A web application runs on Amazon EC2 instances behind an Application Load Balancer.
The application allows users to create custom reports of historical weather data.
Generating a report can take up to 5 minutes.
These long-running requests use many of the available incoming connections, making the system unresponsive to other users.
How can a solutions architect make the system more responsive?

A. Use Amazon SQS with AWS Lambda to generate reports.
B. Increase the idle timeout on the Application Load Balancer to 5 minutes.
C. Update the client-side application code to increase its request timeout to 5 minutes.
D. Publish the reports to Amazon S3 and use Amazon CloudFront for downloading to the user.

Answer: A

QUESTION 409
A company is planning to use Amazon S3 to store images uploaded by its users.
The images must be encrypted at rest in Amazon S3.
The company does not want to spend time managing and rotating the keys, but it does want to control who can access those keys.
What should a solutions architect use to accomplish this?

A. Server-Side Encryption with keys stored in an S3 bucket
B. Server-Side Encryption with Customer-Provided Keys (SSE-C)
C. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
D. Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)

Answer: D

QUESTION 410
A company’s application is running on Amazon EC2 instances within an Auto Scaling group behind an Elastic Load Balancer.
Based on the application’s history, the company anticipates a spike in traffic during a holiday each year.
A solutions architect must design a strategy to ensure that the Auto Scaling group proactively increases capacity to minimize any performance impact on application users.
Which solution will meet these requirements?

A. Create an Amazon CloudWatch alarm to scale up the EC2 instances when CPU utilization exceeds 90%.
B. Create a recurring scheduled action to scale up the Auto Scaling group before the expected period of peak demand.
C. Increase the minimum and maximum number of EC2 instances in the Auto Scaling group during the peak demand period.
D. Configure an Amazon Simple Notification Service (Amazon SNS) notification to send alerts when there are autoscaling:EC2_INSTANCE_LAUNCH events.

Answer: B

QUESTION 411
A website runs a web application that receives a burst of traffic each day at noon.
The users upload new pictures and content daily, but have been complaining of timeouts.
The architecture uses Amazon EC2 Auto Scaling groups, and the custom application consistently takes 1 minute to initialize upon boot before responding to user requests.
How should a solutions architect redesign the architecture to better respond to changing traffic?

A. Configure a Network Load Balancer with a slow start configuration.
B. Configure AWS ElastiCache for Redis to offload direct requests to the servers.
C. Configure an Auto Scaling step scaling policy with an instance warmup condition.
D. Configure Amazon CloudFront to use an Application Load Balancer as the origin.

Answer: B

QUESTION 412
A solutions architect needs to design a managed storage solution for a company’s application that includes high-performance machine learning.
This application runs on AWS Fargate, and the connected storage needs to have concurrent access to files and deliver high performance.
Which storage option should the solutions architect recommend?

A. Create an Amazon S3 bucket for the application and establish an IAM role for Fargate to communicate with Amazon S3.
B. Create an Amazon FSx for Lustre file share and establish an IAM role that allows Fargate to communicate with FSx for Lustre.
C. Create an Amazon Elastic File System (Amazon EFS) file share and establish an IAM role that allows Fargate to communicate with Amazon EFS.
D. Create an Amazon Elastic Block Store (Amazon EBS) volume for the application and establish an IAM role that allows Fargate to communicate with Amazon EBS.

Answer: B

QUESTION 413
A company is launching an ecommerce website on AWS.
This website is built with a three-tier architecture that includes a MySQL database in a Multi-AZ deployment of Amazon Aurora MySQL.
The website application must be highly available and will initially be launched in an AWS Region with three Availability Zones.
The application produces a metric that describes the load the application experiences.
Which solution meets these requirements?

A. Configure an Application Load Balancer (ALB) with Amazon EC2 Auto Scaling behind the ALB with scheduled scaling.
B. Configure an Application Load Balancer (ALB) and Amazon EC2 Auto Scaling behind the ALB with a simple scaling policy.
C. Configure a Network Load Balancer (NLB) and launch a Spot Fleet with Amazon EC2 Auto Scaling behind the NLB.
D. Configure an Application Load Balancer (ALB) and Amazon EC2 Auto Scaling behind the ALB with a target tracking scaling policy.

Answer: B

QUESTION 414
A company is designing an internet-facing web application. The application runs on Linux-based Amazon EC2 instances that store sensitive user data in Amazon RDS MySQL Multi-AZ DB instances.
The EC2 instances are in public subnets, and the RDS DB instances are in private subnets.
The security team has mandated that the DB instances be secured against web-based attacks.
What should a solutions architect recommend?

A. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Configure the EC2 instance iptables rules to drop suspicious web traffic.
Create a security group for the DB instances.
Configure the RDS security group to only allow port 3306 inbound from the individual EC2 instances.
B. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Move DB instances to the same subnets that EC2 instances are located in.
Create a security group for the DB instances.
Configure the RDS security group to only allow port 3306 inbound from the individual EC2 instances.
C. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Use AWS WAF to monitor inbound web traffic for threats.
Create a security group for the web application servers and a security group for the DB instances.
Configure the RDS security group to only allow port 3306 inbound from the web application server security group.
D. Ensure the EC2 instances are part of an Auto Scaling group and are behind an Application Load Balancer.
Use AWS WAF to monitor inbound web traffic for threats.
Configure the Auto Scaling group to automatically create new DB instances under heavy traffic.
Create a security group for the RDS DB instances. Configure the RDS security group to only allow port 3306 inbound.

Answer: D

QUESTION 415
A start-up company has a web application based in the us-east-1 Region with multiple Amazon EC2 instances running behind an Application Load Balancer across multiple Availability Zones.
As the company's user base grows in the us-west-1 Region, it needs a solution with low latency and high availability.
What should a solutions architect do to accomplish this?

A. Provision EC2 instances in us-west-1.
Switch the Application Load Balancer to a Network Load Balancer to achieve cross-Region load balancing.
B. Provision EC2 instances and an Application Load Balancer in us-west-1.
Make the load balancer distribute the traffic based on the location of the request.
C. Provision EC2 instances and configure an Application Load Balancer in us-west-1.
Create an accelerator in AWS Global Accelerator that uses an endpoint group that includes the load balancer endpoints in both Regions.
D. Provision EC2 instances and configure an Application Load Balancer in us-west-1.
Configure Amazon Route 53 with a weighted routing policy.
Create alias records in Route 53 that point to the Application Load Balancer.

Answer: C
Explanation:
https://aws.amazon.com/global-accelerator/faqs/

QUESTION 416
A company has a custom application running on an Amazon EC2 instance that:
– Reads a large amount of data from Amazon S3.
– Performs a multi-stage analysis.
– Writes the results to Amazon DynamoDB.
The application writes a significant number of large, temporary files during the multi-stage analysis.
The process performance depends on the temporary storage performance.
What would be the fastest storage option for holding the temporary files?

A. Multiple Amazon S3 buckets with Transfer Acceleration for storage.
B. Multiple Amazon EBS drives with Provisioned IOPS and EBS optimization.
C. Multiple Amazon EFS volumes using the Network File System version 4.1 (NFSv4.1) protocol.
D. Multiple instance store volumes with software RAID 0.

Answer: D

QUESTION 417
A company built a food ordering application that captures user data and stores it for future analysis.
The application's static front end is deployed on an Amazon EC2 instance.
The front-end application sends the requests to the backend application running on a separate EC2 instance.
The backend application then stores the data in Amazon RDS.
What should a solutions architect do to decouple the architecture and make it scalable?

A. Use Amazon S3 to serve the front-end application, which sends requests to Amazon EC2 to execute the backend application.
The backend application will process and store the data in Amazon RDS.
B. Use Amazon S3 to serve the front-end application and write requests to an Amazon Simple Notification Service (Amazon SNS) topic.
Subscribe Amazon EC2 instances to the HTTP/HTTPS endpoint of the topic, and process and store the data in Amazon RDS.
C. Use an EC2 instance to serve the front end and write requests to an Amazon SQS queue.
Place the backend instance in an Auto Scaling group, and scale based on the queue depth to process and store the data in Amazon RDS.
D. Use Amazon S3 to serve the static front-end application and send requests to Amazon API Gateway, which writes the requests to an Amazon SQS queue.
Place the backend instances in an Auto Scaling group, and scale based on the queue depth to process and store the data in Amazon RDS.

Answer: D

QUESTION 418
A company has an on-premises application that collects data and stores it on an on-premises NFS server.
The company recently set up a 10 Gbps AWS Direct Connect connection.
The company is running out of storage capacity on premises.
The company needs to migrate the application data from on premises to the AWS Cloud while maintaining low-latency access to the data from the on-premises application.
What should a solutions architect do to meet these requirements?

A. Deploy AWS Storage Gateway for the application data, and use the file gateway to store the data in Amazon S3.
Connect the on-premises application servers to the file gateway using NFS.
B. Attach an Amazon Elastic File System (Amazon EFS) file system to the NFS server, and copy the application data to the EFS file system.
Then connect the on-premises application to Amazon EFS.
C. Configure AWS Storage Gateway as a volume gateway.
Make the application data available to the on-premises application from the NFS server and with Amazon Elastic Block Store (Amazon EBS) snapshots.
D. Create an AWS DataSync agent with the NFS server as the source location and an Amazon Elastic File System (Amazon EFS) file system as the destination for application data transfer.
Connect the on-premises application to the EFS file system.

Answer: A

QUESTION 419
A company wants to migrate a high performance computing (HPC) application and data from on premises to the AWS Cloud.
The company uses tiered storage on premises, with hot high-performance parallel storage to support the application during its periodic runs and more economical cold storage to hold the data when the application is not actively running.
Which combination of solutions should a solutions architect recommend to support the storage needs of the application? (Select TWO.)

A. Amazon S3 for cold data storage
B. Amazon EFS for cold data storage
C. Amazon S3 for high-performance parallel storage
D. Amazon FSx for Lustre for high-performance parallel storage
E. Amazon FSx for Windows for high-performance parallel storage

Answer: AD
Explanation:
https://aws.amazon.com/fsx/lustre/
Amazon FSx for Lustre makes it easy and cost effective to launch and run the world’s most popular high-performance file system. Use it for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

QUESTION 420
A software vendor is deploying a new software-as-a-service (SaaS) solution that will be utilized by many AWS users.
The service is hosted in a VPC behind a Network Load Balancer.
The software vendor wants to provide access to this service to users with the least amount of administrative overhead and without exposing the service to the public internet.
What should a solutions architect do to accomplish this goal?

A. Create a peering VPC connection from each user's VPC to the software vendor's VPC.
B. Deploy a transit VPC in the software vendor's AWS account.
Create a VPN connection with each user account.
C. Connect the service in the VPC with an AWS PrivateLink endpoint.
Have users subscribe to the endpoint.
D. Deploy a transit VPC in the software vendor’s AWS account.
Create an AWS Direct Connect connection with each user account.

Answer: C

QUESTION 421
A company uses Amazon S3 to store its confidential audit documents.
The S3 bucket uses bucket policies to restrict access to audit team IAM user credentials according to the principle of least privilege.
Company managers are worried about accidental deletion of documents in the S3 bucket and want a more secure solution.
What should a solutions architect do to secure the audit documents?

A. Enable the versioning and MFA Delete features on the S3 bucket.
B. Enable multi-factor authentication (MFA) on the IAM user credentials for each audit team IAM user account.
C. Add an S3 Lifecycle policy to the audit team's IAM user accounts to deny the s3:DeleteObject action during audit dates.
D. Use AWS Key Management Service (AWS KMS) to encrypt the S3 bucket and restrict audit team IAM user accounts from accessing the KMS key.

Answer: A

QUESTION 422
A solutions architect is helping a developer design a new ecommerce shopping cart application using AWS services.
The developer is unsure of the current database schema and expects to make changes as the ecommerce site grows.
The solution needs to be highly resilient and capable of automatically scaling read and write capacity.
Which database solution meets these requirements?

A. Amazon Aurora PostgreSQL
B. Amazon DynamoDB with on-demand enabled
C. Amazon DynamoDB with DynamoDB Streams enabled
D. Amazon SQS and Amazon Aurora PostgreSQL

Answer: B

QUESTION 423
A company is seeing access requests from some suspicious IP addresses.
The security team discovers the requests are from different IP addresses under the same CIDR range.
What should a solutions architect recommend to the team?

A. Add a rule in the inbound table of the security group to deny the traffic from that CIDR range.
B. Add a rule in the outbound table of the security group to deny the traffic from that CIDR range.
C. Add a deny rule in the inbound table of the network ACL with a lower rule number than other rules.
D. Add a deny rule in the outbound table of the network ACL with a lower rule number than other rules.

Answer: C

QUESTION 424
A company wants to run a hybrid workload for data processing.
The data needs to be accessed by on-premises applications for local data processing using an NFS protocol, and must also be accessible from the AWS Cloud for further analytics and batch processing.
Which solution will meet these requirements?

A. Use an AWS Storage Gateway file gateway to provide file storage to AWS.
Then perform analytics on the data in the AWS Cloud.
B. Use an AWS Storage Gateway tape gateway to copy the backup of the local data to AWS.
Then perform analytics on this data in the AWS Cloud.
C. Use an AWS Storage Gateway volume gateway in a stored volume configuration to regularly take snapshots of the local data, then copy the data to AWS.
D. Use an AWS Storage Gateway volume gateway in a cached volume configuration to back up all the local storage in the AWS Cloud, then perform analytics on this data in the cloud.

Answer: C
Explanation:
https://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html

QUESTION 425
A solutions architect is designing a solution that requires frequent updates to a website that is hosted on Amazon S3 with versioning enabled.
For compliance reasons, older versions of the objects will not be accessed frequently and will need to be deleted after 2 years.
What should the solutions architect recommend to meet these requirements at the LOWEST cost?

A. Use S3 batch operations to replace object tags.
Expire the objects based on the modified tags.
B. Configure an S3 Lifecycle policy to transition older versions of objects to S3 Glacier.
Expire the objects after 2 years.
C. Enable S3 Event Notifications on the bucket that sends older objects to an Amazon Simple Queue Service (Amazon SQS) queue for further processing.
D. Replicate older object versions to a new bucket.
Use an S3 Lifecycle policy to expire the objects in the new bucket after 2 years.

Answer: B


Resources From:

1. 2020 Latest Braindump2go SAA-C02 Exam Dumps (PDF & VCE) Free Share:
https://www.braindump2go.com/saa-c02.html

2. 2020 Latest Braindump2go SAA-C02 PDF and SAA-C02 VCE Dumps Free Share:
https://drive.google.com/drive/folders/1_5IK3H_eM74C6AKwU7sKaLn1rrn8xTfm?usp=sharing

3. 2020 Free Braindump2go SAA-C02 PDF Download:
https://www.braindump2go.com/free-online-pdf/SAA-C02-Dumps(416-430).pdf
https://www.braindump2go.com/free-online-pdf/SAA-C02-PDF-Dumps(402-415).pdf
https://www.braindump2go.com/free-online-pdf/SAA-C02-VCE-Dumps(431-445).pdf

[November-2020] MLS-C01 Exam PDF and VCE Dumps MLS-C01 123Q from Braindump2go [Q82-Q102]

November/2020 Latest Braindump2go MLS-C01 Exam Dumps with PDF and VCE Free Updated Today! Following are some new MLS-C01 Real Exam Questions!

QUESTION 82
A Data Scientist is building a model to predict customer churn using a dataset of 100 continuous numerical features. The Marketing team has not provided any insight about which features are relevant for churn prediction. The Marketing team wants to interpret the model and see the direct impact of relevant features on the model outcome. While training a logistic regression model, the Data Scientist observes that there is a wide gap between the training and validation set accuracy.
Which methods can the Data Scientist use to improve the model performance and satisfy the Marketing team’s needs? (Choose two.)

A. Add L1 regularization to the classifier
B. Add features to the dataset
C. Perform recursive feature elimination
D. Perform t-distributed stochastic neighbor embedding (t-SNE)
E. Perform linear discriminant analysis

Answer: BE