AWS Certified Solutions Architect Associate

Domain: Design High-Performing Architectures

A company is planning on moving its applications to the AWS Cloud. They have some large SQL data sets that need to be hosted in a data store on the cloud. The data store needs to have features that support client connections with many types of applications, including business intelligence (BI), reporting, data, and analytics tools. Which of the following service should be considered for this requirement?

Correct Answer: B

The AWS Documentation mentions the following.

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data to acquire new insights for your business and customers.

Although Kinesis has capabilities for analyzing & transforming streaming data, the question refers to having a data store for storing data from different applications BI, Reporting …which is where a Data Lake or Data Warehouse solutions come into the picture. Kinesis would be more appropriate in situations where one needs to process streaming data.

Amazon Redshift supports client connections with many types of applications, including business intelligence (BI), reporting, data, and analytics tools.

• Option A is incorrect since DynamoDB is used for NoSQL datastore.

• Option C is incorrect since Kinesis is used for analyzing & transforming streaming data.

• Option D is incorrect since SQS is a message queue service used by distributed applications to exchange messages through a polling mode.

For more information on AWS Redshift, please visit the below URL-

• https://docs.aws.amazon.com/redshift/latest/mgmt/welcome.html

• https://aws.amazon.com/kinesis/data-streams/

AWS Certified Solutions Architect Associate

Domain: Design Secure Architectures

A startup company wants to launch an online learning portal on AWS using CloudFront and S3. They have different subscription models. One model where all the members will have access to basic content but another model where the company provides premium content that includes access to multiple private contents without changing their current links.

How should a Solution Architect design this solution to meet the requirements?

Answer: A

Option A is CORRECT. Use signed cookies in the following cases to provide access to multiple restricted files. For example, all the files for a video in HLS format or all of the files in the subscribers' area of the website. You don't want to change your current URLs.

Option B is incorrect.CloudFront signed URLs and signed cookies provide the same basic functionality, and they allow users to control who can access the content.

Use signed URLs in the following cases.

• You want to restrict access to individual files, for example, an installation download for your application-

• Your users are using a client (for example, a custom HTTP client) that doesn't support cookies.

Option C is incorrect because S3 pre-signed URLs won’t provide access without changing current links.

Option D is incorrect because the CloudFront geographic restrictions feature is used to prevent users in specific countries from accessing your content, but there is no such requirement in the question.

References:

• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html

• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

• https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

• https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

docker stats displays a live stream of container/s resource usage statistics

Enable EKS Runtime Monitoring with GuardDuty.

Comments: This scenario requires a runtime monitoring solution to detect malicious activity while the containers are running in which GuardDuty's EKS Runtime Monitoring solution can be leveraged.

Comments: AWS Load Balancer Controller can only provision Application LoadBalancers from ingresses, and Network Load Balancers from Services

Comments: The Ingress Controller is responsible to provide external access to the cluster. Provide an ingress object with the right routing configuration (path/host)

AWS Certified DevOps Engineer Professional

Domain: SDLC Automation

The company you work for has a huge amount of infrastructure built on AWS. However, there have been some concerns recently about the security of this infrastructure. An external auditor has been given the task of running a thorough check of all of your company's AWS assets. The auditor will be in the USA while your company's infrastructure resides in the Asia Pacific (Sydney) region on AWS. Initially, he needs to check all of your VPC assets, specifically security groups and NACLs You have been assigned the task of providing the auditor with a login to be able to do this. Which of the following would be the best and most secure solution to provide the auditor to begin his initial investigations? Choose the correct answer from the options below.

Correct Answer: C

Generally, you should refrain from giving high-level permissions and give only the required permissions. In this case, option C fits well by just providing the relevant access which is required.

For more information on IAM, please see the below link:

• https://aws.amazon.com/iam/