Daily AWS Solution Architect questions #18

Q91: A global company is using Amazon API Gateway to design REST APIs for its loyalty club users in the us-east-1 Region and the ap-southeast-2 Region. A solutions architect must design a solution to protect these API Gateway managed REST APIs across multiple accounts from SQL injection and cross-site scripting attacks. Which solution will meet these requirements with the LEAST amount of administrative effort?

• A.?Set up AWS WAF in both Regions. Associate Regional web ACLs with an API stage.
• B.?Set up AWS Firewall Manager in both Regions. Centrally configure AWS WAF rules.
• C.?Set up AWS Shield in bath Regions. Associate Regional web ACLs with an API stage.
• D.?Set up AWS Shield in one of the Regions. Associate Regional web ACLs with an API stage.
• Explain: If you want to use AWS WAF across accounts, accelerate WAF configuration, automate the protection of new resources, use Firewall Manager with AWS WAF

Q92: A company has implemented a self-managed DNS solution on three Amazon EC2 instances behind a Network Load Balancer (NLB) in the us-west-2 Region. Most of the company's users are located in the United States and Europe. The company wants to improve the performance and availability of the solution. The company launches and configures three EC2 instances in the eu-west-1 Region and adds the EC2 instances as targets for a new NLB. Which solution can the company use to route traffic to all the EC2 instances?

• A.?Create an Amazon Route 53 geolocation routing policy to route requests to one of the two NLBs. Create an Amazon CloudFront distribution. Use the Route 53 record as the distribution’s origin.
• B.?Create a standard accelerator in AWS Global Accelerator. Create endpoint groups in us-west-2 and eu-west-1. Add the two NLBs as endpoints for the endpoint groups.
• C.?Attach Elastic IP addresses to the six EC2 instances. Create an Amazon Route 53 geolocation routing policy to route requests to one of the six EC2 instances. Create an Amazon CloudFront distribution. Use the Route 53 record as the distribution's origin.
• D.?Replace the two NLBs with two Application Load Balancers (ALBs). Create an Amazon Route 53 latency routing policy to route requests to one of the two ALBs. Create an Amazon CloudFront distribution. Use the Route 53 record as the distribution’s origin.\
• Explain:

• AWS Global Accelerator provides global traffic optimization by routing requests to the closest region using the AWS global network. It enhances performance by reducing latency and availability by using multiple regions for redundancy.

• With Global Accelerator, user traffic is routed through the nearest AWS edge location and then sent over the AWS global network, providing lower latency than using the public internet.
• It allows you to set up endpoint groups for each region, in this case, us-west-2 and eu-west-1, ensuring users are directed to the region with the lowest latency based on their geographical location. It also provides built-in fault tolerance.

Q93: A company is running an online transaction processing (OLTP) workload on AWS. This workload uses an unencrypted Amazon RDS DB instance in a Multi-AZ deployment. Daily database snapshots are taken from this instance. What should a solutions architect do to ensure the database and snapshots are always encrypted moving forward?

• A.?Encrypt a copy of the latest DB snapshot. Replace existing DB instance by restoring the encrypted snapshot.
• B.?Create a new encrypted Amazon Elastic Block Store (Amazon EBS) volume and copy the snapshots to it. Enable encryption on the DB instance.
• C.?Copy the snapshots and enable encryption using AWS Key Management Service (AWS KMS) Restore encrypted snapshot to an existing DB instance.
• D.?Copy the snapshots to an Amazon S3 bucket that is encrypted using server-side encryption with AWS Key Management Service (AWS KMS) managed keys (SSE-KMS).
• Explain: AWS KMS is a fully managed service that makes it easy to create and manage encryption keys. It allows developers to easily encrypt and decrypt data in their applications, and it automatically handles the underlying key management tasks, such as key generation, key rotation, and key deletion. This can help to reduce the operational burden associated with key management.

Q94: A company has a dynamic web application hosted on two Amazon EC2 instances. The company has its own SSL certificate, which is on each instance to perform SSL termination. There has been an increase in traffic recently, and the operations team determined that SSL encryption and decryption is causing the compute capacity of the web servers to reach their maximum limit. What should a solutions architect do to increase the application's performance?

• A.?Create a new SSL certificate using AWS Certificate Manager (ACM). Install the ACM certificate on each instance.
• B.?Create an Amazon S3 bucket Migrate the SSL certificate to the S3 bucket. Configure the EC2 instances to reference the bucket for SSL termination.
• C.?Create another EC2 instance as a proxy server. Migrate the SSL certificate to the new instance and configure it to direct connections to the existing EC2 instances.
• D.?Import the SSL certificate into AWS Certificate Manager (ACM). Create an Application Load Balancer with an HTTPS listener that uses the SSL certificate from ACM.
• Explain: This issue is solved by SSL offloading, i.e. by moving the SSL termination task to the ALB. https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

Q95: A company has a highly dynamic batch processing job that uses many Amazon EC2 instances to complete it. The job is stateless in nature, can be started and stopped at any given time with no negative impact, and typically takes upwards of 60 minutes total to complete. The company has asked a solutions architect to design a scalable and cost-effective solution that meets the requirements of the job. What should the solutions architect recommend?

• A.?Implement EC2 Spot Instances.
• B.?Purchase EC2 Reserved Instances.
• C.?Implement EC2 On-Demand Instances.
• D.?Implement the processing on AWS Lambda.
• Explain: Spot Instances provide significant cost savings for flexible start and stop batch jobs. Purchasing Reserved Instances (B) is better for stable workloads, not dynamic ones. On-Demand Instances (C) are costly and lack potential cost savings like Spot Instances. AWS Lambda (D) is not suitable for long-running batch jobs.