AWS Questions EP3


Professional Development

6 Qs

Assessment

Quiz

Science

Professional Development

Hard

Created by

vpmmff55s6 apple_user


1.

MULTIPLE SELECT QUESTION

1 min • 5 pts

SAA-C03

Domain: Design Secure Architectures

You have planned to host a web application on AWS. You create an EC2 Instance in a public subnet that needs to connect to an EC2 Instance that will host an Oracle database. Which steps would ensure a secure setup? (SELECT TWO)

A. Place the EC2 instance with the Oracle database in the same public subnet as the web server for faster communication.

B. Place the EC2 instance that will host the Oracle database in a private subnet.

C. Create a database security group which allows incoming traffic only from the web server's security group.

D. Ensure that the database security group allows incoming traffic from 0.0.0.0/0.

Answer explanation

Media Image

Correct Answer – B and C

The best and most secure option is to place the database in a private subnet. The diagram below from the AWS documentation shows this setup. Also, ensure that access is allowed only from the web servers, not from all sources.

  • Option A is incorrect because, as per the best practice guidelines, DB instances are placed in private subnets and allowed to communicate with web servers in the public subnet.

  • Option D is incorrect because allowing all incoming traffic from the Internet to the DB instance is a security risk.

2.

MULTIPLE CHOICE QUESTION

1 min • 5 pts

SAA-C03

Domain: Design Secure Architectures

You have designed an application that uses AWS resources, such as S3, to operate and store users’ documents. You currently use Cognito identity pools and user pools. To increase usage and ease of signing up, you decide that adding social identity federation is the best path forward.

How would you differentiate the Cognito identity pool and the federated identity providers (e.g., Google)?

A. They are the same and just called different things.

B. First, you sign in via Cognito, then through a federated site, like Google.

C. Federated identity providers and identity pools are used to authenticate services.

D. You can choose a federated identity provider to authenticate users and associate a Cognito identity pool to authorize the users.

Answer explanation

  • Option D is correct. Federated identity providers are used to authenticate users. Then the Cognito identity pool provides the temporary token that authorizes users to access AWS resources.

  • Option A is incorrect. Cognito identity pool and the federated identity providers are separate, independent authentication methods.

  • Option B is incorrect. Only one log-in event is needed, not two.

  • Option C is incorrect. Identity providers authenticate users, not authenticate services.

3.

MULTIPLE CHOICE QUESTION

2 mins • 10 pts

SAP-C02

Domain: Accelerate Workload Migration and Modernization

Your company is running a business analytics service that uses RDS with MySQL as the main database. The database is configured with Multi-AZ. Recently, the load on the database has increased rapidly with the launch of new features. According to the logs, most of the load is generated by read-only queries. Because of the heavy read load, the operations team has decided to put a set of read replicas in place. The new application features are launched via a cluster of containers on virtual machines, where all the containers have access to the same set of configurations. How can you pair the read replicas together to make sure the application running in the containers can access them properly?

A. Create Amazon Route 53 weighted record sets to distribute requests across the read replicas

B. Create an ELB and point to all the read replicas. Use the URL of the ELB to access the read replicas from the application

C. Create an Elastic IP and create a route table entry to point the IP to the read replicas. Use the IP to access the read replicas from the application

D. Read replica cluster is not supported in AWS. Use an external utility to create a DNS record and use the record to access the read replicas from the application

Answer explanation

Correct Answer: A

  • Option A is CORRECT because, in Route 53, you can create individual record sets for each DNS endpoint associated with your read replicas and give them the same weight. Then the read requests are distributed across multiple read replicas.

  • Option B is INCORRECT because the ELB cannot point to multiple replicas.

  • Option C is INCORRECT because this is not a workable solution. An Elastic IP is an external resource, and routing the Elastic IP to a read replica set is impossible.

  • Option D is INCORRECT because it is possible to route internal Route 53 multivalue answer records to a set of IPs.

4.

MULTIPLE SELECT QUESTION

2 mins • 10 pts

SAP-C02

Domain: Design for New Solutions

An IT firm has its employees running its built-in applications that access the company’s AWS resources. These employees have user credentials in the company’s authentication system, based on their roles, supported by SAML 2.0. Identify the ways in which the SSO setup can be designed to gain temporary access to AWS. (Select TWO)

A. Design IAM users with a role-based setup and pass a permission policy to achieve temporary access credentials from AWS STS to share based on employee roles in the company

B. Create a custom identity broker application that authenticates the employees using the existing system, uses the GetFederationToken API call, and passes a permission policy to achieve temporary access credentials from AWS STS (Security Token Service)

C. Create a custom identity broker application that authenticates employees using the existing system and uses the AssumeRole API call to gain temporary, role-based access to AWS

D. Configure an AD server that synchronizes from the company’s current identity provider and configures SAML-based single-sign-on, which will then use the DecodeAuthorizationMessage API call to generate credentials for the employees

Answer explanation

Correct Answers: B and C

  • Option A is incorrect because a role-based setup is already in place, so it seems redundant here.

  • Option B is the correct answer because (a) it creates a custom identity broker application for authenticating the users using their existing credentials, (b) it gets temporary access credentials using STS, and (c) it uses federated access for accessing the AWS resources.

  • Option C is the correct answer because (a) it creates a custom identity broker application for authenticating the users using their existing credentials, and (b) it uses the AssumeRole API for accessing the resources using a temporary role.

  • Option D is incorrect because the DecodeAuthorizationMessage API call only decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.

5.

MULTIPLE CHOICE QUESTION

1 min • 7 pts

Amazon EKS Knowledge Badge Assessment

You manage an EKS cluster with one autoscaling group using an instance type that has an EC2 Instance Savings Plan and another autoscaling group using instance types that are On-Demand.

In order to optimize costs, which feature of Cluster Autoscaler can favour the autoscaling group covered by the Instance Savings Plan to be used first in a scale-out event?

A. Priority Expanders

B. Node Termination Handler

C. Weighted Provisioners

D. Spot Instances

6.

MULTIPLE CHOICE QUESTION

30 sec • 3 pts

Logo of: "Savings Plans"

Media Image
Media Image
Media Image