
AWS Certified Solutions Architect Associate

prden 2023. 3. 25. 10:01

AWS - SAA: Passed


1. AWS - SAA

Part 1. EC2, Containers: CH 5, 6, 7, 8, 18

* Weak areas: EC2 placement groups, ENI, EC2 Hibernate
 
124. A company is using Amazon EC2 to run its big data analytics workloads. These variable workloads run each night, and it is critical they finish by the start of business the following day. A solutions architect has been tasked with designing the MOST cost-effective solution.
Which solution will accomplish this?
 
Answer: A. Spot Fleet
My pick: C. Reserved Instances
 
195. A website runs a web application that receives a burst of traffic each day at noon. The users upload new pictures and content daily, but have been complaining of timeouts. The architecture uses Amazon EC2 Auto Scaling groups, and the custom application consistently takes 1 minute to initialize after boot-up before responding to user requests.
How should a solutions architect redesign the architecture to better respond to changing traffic?
My pick: D. Configure Amazon CloudFront to use an Application Load Balancer as the origin.
Answer: C. Configure an Auto Scaling step scaling policy with an instance warmup condition.
Be sure to understand why D is wrong: CloudFront is a CDN. The use case here is users wanting to upload, not download.
 
DataSync:
We recommend using AWS DataSync to transfer data between Amazon FSx for Windows File Server file systems. DataSync is a data transfer service that simplifies, automates, and accelerates moving and replicating data between on-premises storage systems and other AWS storage services over the internet or AWS Direct Connect.

Part 2. S3, CloudFront, Storage Gateway: CH 12, 13, 14, 15, 16

1.

{
    "Version": "2012-10-17",
    "Id": "Mystery policy",
    "Statement": [{
        "Sid": "What could it be?",
        "Effect": "Allow",
        "Principal": {
            "CanonicalUser": "CloudFront Origin Identity Canonical User ID"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*"
    }]
}

-> Allows the S3 bucket contents to be read only by requests coming through the CloudFront distribution's origin access identity (OAI)
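The policy above is the "correct" shape for an OAI-fronted bucket: the only principal allowed to call s3:GetObject is the canonical user of the origin access identity, so clients cannot bypass CloudFront and fetch objects directly. The following script is an added example (not from the original post) that audits a bucket policy document and classifies every Allow statement granting s3:GetObject as OAI-scoped, public, or "other". The second policy document is a constructed sample of the common misconfiguration (a public-read statement with Principal "*"); the canonical user ID is the same placeholder string used in the notes.

```python
import json

# Constructed sample: the "Mystery policy" from the notes (placeholder canonical user ID)
OAI_POLICY = """
{
    "Version": "2012-10-17",
    "Id": "Mystery policy",
    "Statement": [{
        "Sid": "What could it be?",
        "Effect": "Allow",
        "Principal": {
            "CanonicalUser": "CloudFront Origin Identity Canonical User ID"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*"
    }]
}
"""

# Constructed sample: the misconfiguration to detect, public read for everyone
PUBLIC_POLICY = """
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::examplebucket/*"
    }]
}
"""


def _as_list(value):
    # IAM allows most fields to be either a single string or a list of strings
    return value if isinstance(value, list) else [value]


def _grants_get_object(statement):
    actions = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(
        a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in actions
    )


def _is_public_principal(principal):
    # Principal "*" or {"AWS": "*"} means anonymous/any AWS identity
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def audit_bucket_policy(policy_json):
    """Return (Sid, verdict, detail) for every Allow statement that grants GetObject."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if not _grants_get_object(stmt):
            continue
        principal = stmt.get("Principal", {})
        sid = stmt.get("Sid", "<no Sid>")
        if _is_public_principal(principal):
            findings.append((sid, "PUBLIC", "GetObject allowed to everyone; restrict to the OAI"))
        elif isinstance(principal, dict) and "CanonicalUser" in principal:
            findings.append((sid, "OAI_ONLY", "GetObject restricted to a canonical user (CloudFront OAI)"))
        else:
            findings.append((sid, "OTHER", f"GetObject allowed to principal {principal!r}; review"))
    return findings


if __name__ == "__main__":
    for name, doc in (("oai", OAI_POLICY), ("public", PUBLIC_POLICY)):
        for sid, verdict, detail in audit_bucket_policy(doc):
            print(f"{name}: {sid}: {verdict} - {detail}")
```

The newer CloudFront origin access control (OAC) grants access to the `cloudfront.amazonaws.com` service principal with a condition on the distribution ARN instead of a canonical user, so a policy written for OAC would land in the "OTHER" bucket of this checker and needs its own rule.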
 
2. A company is deploying a media-sharing website to AWS. They are going to use CloudFront to deliver the content with low latency to their customers, who are located in the US and Europe only. After a while there are huge costs for CloudFront. Which CloudFront feature allows you to decrease costs by targeting only the US and Europe?
-> CloudFront Price Classes
 
115. A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. The company must preserve the existing investment in the on-premises backup applications and workflows.
What should a solutions architect recommend?
 
D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.
 
116. A company hosts an application on an Amazon EC2 instance that requires a maximum of 200 GB storage space. The application is used infrequently, with peaks during mornings and evenings. Disk I/O varies, but peaks at 3,000 IOPS. The chief financial officer of the company is concerned about costs and has asked a solutions architect to recommend the most cost-effective storage option that does not sacrifice performance.
Which solution should the solutions architect recommend?
 
B. Amazon Elastic Block Store (Amazon EBS) General Purpose SSD (gp2)
 
123. A company has several business systems that require access to data stored in a file share. The business systems will access the file share using the Server Message Block (SMB) protocol. The file share solution should be accessible from both of the company's legacy on-premises environments and with AWS.
Which services meet the business requirements? (Choose two.)
C. Amazon FSx for Windows
E. AWS Storage Gateway file gateway
 
132 is debatable.
132. A media company is evaluating the possibility of moving its systems to the AWS Cloud. The company needs at least 10 TB of storage with the maximum possible I/O performance for video processing, 300 TB of very durable storage for storing media content, and 900 TB of storage to meet requirements for archival media that is not in use anymore.
Which set of services should a solutions architect recommend to meet these requirements?
Answer: A. Amazon Elastic Block Store (Amazon EBS) for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage
My pick: D. Amazon EC2 instance store for maximum performance, Amazon S3 for durable data storage, and Amazon S3 Glacier for archival storage
 
133. A company uses Amazon S3 as its object storage solution. The company has thousands of S3 buckets it uses to store data. Some of the S3 buckets have data that is accessed less frequently than others. A solutions architect found that lifecycle policies are not consistently implemented or are implemented partially, resulting in data being stored in high-cost storage.
Which solution will lower costs without compromising the availability of objects?
C. Use S3 Intelligent-Tiering storage.
 
134. An application is running on Amazon EC2 instances. Sensitive information required for the application is stored in an Amazon S3 bucket. The bucket needs to be protected from internet access while only allowing services within the VPC access to the bucket.
Which combination of actions should a solutions architect take to accomplish this? (Choose two.)
C. Apply a bucket policy to restrict access to the S3 endpoint.
A. Create a VPC endpoint for Amazon S3.
My pick: E. Restrict users using the IAM policy to use the specific bucket.
 
 

Part 3. VPC, Route 53, Disaster Recovery: CH 10, 27, 28, 29

1. VPC Endpoint: VPC Endpoints (powered by AWS PrivateLink) allow you to connect to AWS services using a private network instead of the public internet.
Private Subnet -> VPC Endpoint -> CloudWatch or SNS or S3 or ...
Types: Interface Endpoints (provision an ENI with a private IP address as the entry point) and Gateway Endpoints (S3 or DynamoDB)
 
2. AWS Site-to-Site VPN
 When setting up an AWS Site-to-Site VPN connection between a company's on-premises data center and a VPC in the AWS Cloud, the most important components for configuring the connection are the virtual private gateway and the customer gateway.
 
3. AWS VPN CloudHub
 Enables secure communication between multiple sites over AWS VPN. It operates on a simple hub-and-spoke model that can be used with or without a VPC.
ex) A company has several on-premises sites within one country. These sites are currently connected over private links, but the private connectivity provider has recently become unreliable, so the company wants to create a backup connection over the public internet to link the on-premises sites. AWS VPN CloudHub is the right fit here.
 
4. AWS Direct Connect: the AWS service to use when a dedicated connection must be established between a company's on-premises data center and the AWS Cloud, the connection must be private and persistent, and traffic must not travel over the internet.
 
5. You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What should you do?
 - Use Transit Gateway
 
6. A web application is hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed in a VPC with the CIDR 192.168.0.0/18. How do you configure the EC2 instances' security group to ensure only the ALB can access them on port 80?
Answer: Add an Inbound Rule with port 80 and the ALB's Security Group as the source
Caution: Add an Inbound Rule with port 80 and 192.168.0.0/18 as the source
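The difference between the two rules in question 6 is easiest to see by evaluating them against concrete senders. The model below is an added example (not from the original post) that simulates security group inbound rules: a rule whose source is a security group ID matches a sender only if that sender's ENI carries the group, whereas a CIDR source matches by IP address. The topology (ALB node address, the second EC2 instance, the security group IDs) is constructed, and protocol and port ranges are left out for brevity.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class InboundRule:
    port: int
    source: str  # either a CIDR ("192.168.0.0/18") or a security group ID ("sg-...")


@dataclass
class Endpoint:
    name: str
    private_ip: str
    security_groups: frozenset = field(default_factory=frozenset)


def rule_matches(rule, src, port):
    if rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Security-group source: matches only if the sending ENI is a member of that
        # group, regardless of the sender's IP address.
        return rule.source in src.security_groups
    # CIDR source: matches any sender whose IP falls inside the range.
    return ipaddress.ip_address(src.private_ip) in ipaddress.ip_network(rule.source)


def is_allowed(rules, src, port):
    # Security groups are allow-lists: any matching inbound rule permits the traffic.
    return any(rule_matches(r, src, port) for r in rules)


# Constructed topology (hypothetical names, addresses and group IDs)
VPC_CIDR = "192.168.0.0/18"
ALB_SG = "sg-alb-0001"
alb_node = Endpoint("alb", "192.168.1.10", frozenset({ALB_SG}))
other_instance = Endpoint("other-ec2", "192.168.7.23", frozenset({"sg-misc-0002"}))
internet_client = Endpoint("internet", "203.0.113.5", frozenset())

# The recommended rule (ALB security group as source) vs the distractor (VPC CIDR as source)
ALB_SG_RULES = [InboundRule(80, ALB_SG)]
VPC_CIDR_RULES = [InboundRule(80, VPC_CIDR)]


def compare():
    """Evaluate both rule sets against each sender on port 80."""
    results = {}
    for label, rules in (("alb-sg-source", ALB_SG_RULES), ("vpc-cidr-source", VPC_CIDR_RULES)):
        results[label] = {
            e.name: is_allowed(rules, e, 80) for e in (alb_node, other_instance, internet_client)
        }
    return results


if __name__ == "__main__":
    for label, per_sender in compare().items():
        print(label, per_sender)
```

With the CIDR rule, any other instance inside the VPC can reach port 80 directly, bypassing the load balancer; with the security-group rule only ENIs in the ALB's group can. A second practical reason to prefer the security-group source is that ALB node addresses change over time, so an address-based rule is both too broad and brittle.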
 
7. Every time you create a new subnet in a VPC, AWS reserves five IP addresses. If you create a subnet with CIDR 10.0.0.0/24, the following IP addresses are reserved:
10.0.0.0
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.255
 
8. For a 500 Mbps Direct Connect connection between a company's data center and AWS, you must choose a .................. connection.

Answer: Hosted

 

117. A company's application hosted on Amazon EC2 instances needs to access an Amazon S3 bucket. Due to data sensitivity, traffic cannot traverse the internet.
How should a solutions architect configure access?
B. Configure a VPC gateway endpoint for Amazon S3 in the VPC.
 
126. A company has created an isolated backup of its environment in another Region. The application is running in warm standby mode and is fronted by an Application Load Balancer (ALB). The current failover process is manual and requires updating a DNS alias record to point to the secondary ALB in another Region.
What should a solutions architect do to automate the failover process?
C. Create a CNAME record on Amazon Route 53 pointing to the ALB endpoint.
My pick: B. Enable an Amazon Route 53 health check.
 
131. A company runs a website on Amazon EC2 instances behind an ELB Application Load Balancer. Amazon Route 53 is used for the DNS. The company wants to set up a backup website with a message including a phone number and email address that users can reach if the primary website is down.
How should the company deploy this solution?
Answer: A. Use Amazon S3 website hosting for the backup website and Route 53 failover routing policy.
My pick: B. Use Amazon S3 website hosting for the backup website and Route 53 latency routing policy.
 
 

Part 4. CloudWatch (CloudTrail, AWS Config), IAM, Security: CH 3, 4, 24, 25, 26

* Weak areas: AWS Config, EventBridge, SCP (service control policies)
158. A company runs an application using Amazon ECS. The application creates resized versions of an original image and then makes Amazon S3 API calls to store the resized images in Amazon S3. How can a solutions architect ensure that the application has permission to access Amazon S3?
Answer: B. Create an IAM role with S3 permissions, and then specify that role as the taskRoleArn in the task definition.
My pick: A. Update the S3 role in AWS IAM to allow read/write access from Amazon ECS, and then relaunch the container.
 
173.1만 re
 
189. A company needs to share an Amazon S3 bucket with an external vendor. The bucket owner must be able to access all objects.
Which action should be taken to share the S3 bucket?
Trap:
D. Create an IAM policy to require users to grant bucket-owner-full-control when uploading objects.
Answer: C. Create a bucket policy to require users to grant bucket-owner-full-control when uploading objects.
Explanation: By default, an S3 object is owned by the AWS account that uploaded it. This is true even when the bucket is owned by another account. To get access to the object, the object owner must explicitly grant you (the bucket owner) access. The object owner can grant the bucket owner full control of the object by updating the access control list (ACL) of the object. The object owner can update the ACL either during a put or copy operation, or after the object is added to the bucket.
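Questions 134, 117 and 189 all come down to the same mechanism: a bucket policy with a Condition block that makes access depend on a request attribute, either the VPC endpoint the request came through (aws:SourceVpce) or the ACL requested on upload (s3:x-amz-acl). The evaluator below is an added example (not from the original post, and a simplification of the real IAM engine) that applies IAM's explicit-deny-wins logic to a constructed bucket policy combining both patterns and then runs four sample requests through it. The bucket name and the vpce-PLACEHOLDER endpoint ID are placeholders; only the StringEquals and StringNotEquals operators and simple wildcard matching are implemented.

```python
import fnmatch
import json

# Constructed sample bucket policy (placeholder bucket and VPC endpoint ID):
#  - allow reads/writes only when the request arrives through the VPC endpoint (Q134/Q117)
#  - explicitly deny anything that does not come through the endpoint (defense in depth)
#  - deny uploads that do not grant the bucket owner full control of the object (Q189)
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowVpcTraffic",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
    },
    {
      "Sid": "DenyOutsideVpce",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
      "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
    },
    {
      "Sid": "RequireOwnerFullControl",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
    }
  ]
}
""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    """All condition blocks must hold (AND). Only the two operators the sample uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # As in IAM, a missing key makes a negated operator evaluate to true
                if actual in expected:
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def _statement_applies(stmt, action, resource, context):
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action, a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _condition_holds(stmt.get("Condition", {}), context))


def evaluate(policy, action, resource, context):
    """Explicit Deny wins, then Allow, otherwise implicit deny. Returns (decision, Sid)."""
    decision, sid = "ImplicitDeny", None
    for stmt in _as_list(policy["Statement"]):
        if not _statement_applies(stmt, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")
        decision, sid = "Allow", stmt.get("Sid")
    return decision, sid


def run_cases():
    """Constructed requests: the context dict stands in for the request's condition keys."""
    obj = "arn:aws:s3:::examplebucket/report.csv"
    via_vpce = {"aws:SourceVpce": "vpce-PLACEHOLDER"}
    return {
        "get_via_vpce": evaluate(BUCKET_POLICY, "s3:GetObject", obj, via_vpce),
        "get_from_internet": evaluate(BUCKET_POLICY, "s3:GetObject", obj, {}),
        "put_via_vpce_no_acl": evaluate(BUCKET_POLICY, "s3:PutObject", obj, via_vpce),
        "put_via_vpce_owner_acl": evaluate(
            BUCKET_POLICY, "s3:PutObject", obj,
            {**via_vpce, "s3:x-amz-acl": "bucket-owner-full-control"}),
    }


if __name__ == "__main__":
    for name, (decision, sid) in run_cases().items():
        print(f"{name}: {decision} ({sid})")
```

Two caveats for real deployments: the IAM policy in distractor D of question 189 cannot work because the uploader is in the vendor's account, where the bucket owner's IAM policies have no effect, which is why the condition must live in the bucket policy; and buckets created with the "bucket owner enforced" object ownership setting disable ACLs entirely, in which case the bucket owner already owns every object and the ACL condition is unnecessary.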

 

Part 5. Messaging: CH 17 (SNS, SQS, Kinesis), CH 22

- Kinesis Data Streams: Amazon Kinesis Data Streams (KDS) is a robust real-time data streaming service that can scale massively. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events. By default, the 2 MB/s per shard of output is shared among all applications consuming the stream. If you have multiple consumers retrieving data from the stream in parallel, use enhanced fan-out. With enhanced fan-out, developers register stream consumers so that each one receives its own 2 MB/s per shard of read throughput, and this throughput scales automatically with the number of shards in the stream.
 
- Kinesis Data Firehose: Amazon Kinesis Data Firehose is the easiest way to reliably load streaming data into data lakes, data stores, and analytics tools. It is a fully managed service that scales automatically to match the throughput of your data and requires no ongoing administration. It can also batch, compress, transform, and encrypt the data before loading it, which minimizes the amount of storage used and improves security. Kinesis Data Firehose can only write to S3, Redshift, Elasticsearch, or Splunk. You cannot have an application consume data directly from Kinesis Data Firehose; that is the role of Kinesis Data Streams.
 
- SQS: a fully managed message queuing service that lets you decouple and scale microservices, distributed systems, and serverless applications. SQS offers two types of message queues. Standard queues offer maximum throughput, best-effort ordering, and at-least-once delivery. SQS FIFO queues are designed to guarantee that messages are processed exactly once, in the exact order in which they are sent.
 
- Kinesis Data Streams vs. SQS
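The practical consequence of "at-least-once delivery" in the SQS paragraph above is that a consumer must tolerate seeing the same message twice. The simulation below is an added example (not from the original post) with two toy queue models: a standard queue that re-delivers a chosen message (as happens when a visibility timeout expires before the first receive is deleted), processed by a naive and by an idempotent consumer, and a FIFO queue that deduplicates on MessageDeduplicationId within the 5-minute window and preserves order within a MessageGroupId. Message IDs, account names and amounts are constructed.

```python
from collections import deque


class StandardQueue:
    """Simulated standard queue: at-least-once delivery. Messages listed in
    `redeliver` are handed out a second time with the same MessageId."""

    def __init__(self, redeliver=()):
        self._pending = deque()
        self._redeliver = set(redeliver)

    def send(self, message_id, body):
        self._pending.append({"MessageId": message_id, "Body": body})

    def drain(self):
        while self._pending:
            msg = self._pending.popleft()
            yield msg
            if msg["MessageId"] in self._redeliver:
                self._redeliver.discard(msg["MessageId"])
                self._pending.append(msg)  # one re-delivery, same MessageId


def naive_consumer(queue):
    """Applies every delivery; duplicates are applied twice."""
    balances = {}
    for msg in queue.drain():
        acct, amount = msg["Body"]
        balances[acct] = balances.get(acct, 0) + amount
    return balances


def idempotent_consumer(queue):
    """Tracks processed MessageIds so a re-delivery has no second side effect."""
    balances, processed = {}, set()
    for msg in queue.drain():
        if msg["MessageId"] in processed:
            continue
        processed.add(msg["MessageId"])
        acct, amount = msg["Body"]
        balances[acct] = balances.get(acct, 0) + amount
    return balances


class FifoQueue:
    """Simulated FIFO queue: producer-side dedup by MessageDeduplicationId for
    5 minutes, strict ordering within a MessageGroupId."""

    DEDUP_WINDOW_SECONDS = 300

    def __init__(self):
        self._groups = {}
        self._seen = {}  # dedup_id -> time of the accepted send

    def send(self, group_id, dedup_id, body, now):
        last = self._seen.get(dedup_id)
        if last is not None and now - last < self.DEDUP_WINDOW_SECONDS:
            return False  # duplicate inside the window: acknowledged but not enqueued
        self._seen[dedup_id] = now
        self._groups.setdefault(group_id, deque()).append(body)
        return True

    def drain(self, group_id):
        q = self._groups.get(group_id, deque())
        while q:
            yield q.popleft()


def build_standard_queue():
    # Constructed ledger events; "m-2" is re-delivered once
    q = StandardQueue(redeliver=("m-2",))
    q.send("m-1", ("acct-A", 100))
    q.send("m-2", ("acct-A", -30))
    q.send("m-3", ("acct-B", 50))
    return q


def demo_fifo():
    q = FifoQueue()
    accepted = [
        q.send("acct-A", "tx-1", ("acct-A", 100), now=0),
        q.send("acct-A", "tx-1", ("acct-A", 100), now=10),   # producer retry: dropped
        q.send("acct-A", "tx-2", ("acct-A", -30), now=20),
        q.send("acct-A", "tx-1", ("acct-A", 100), now=400),  # outside window: accepted again
    ]
    return accepted, list(q.drain("acct-A"))


if __name__ == "__main__":
    print("naive:", naive_consumer(build_standard_queue()))
    print("idempotent:", idempotent_consumer(build_standard_queue()))
    print("fifo:", demo_fifo())
```

The naive consumer ends with the wrong balance for acct-A because the re-delivered debit is applied twice. Note that FIFO deduplication happens on the producer side; if a consumer fails to delete a FIFO message before its visibility timeout expires, that message is delivered again as well, so an idempotent consumer remains the safe design for both queue types.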

Part 6. Serverless, Lambda: CH 19, 20

 
135. A web application runs on Amazon EC2 instances behind an Application Load Balancer. The application allows users to create custom reports of historical weather data. Generating a report can take up to 5 minutes. These long-running requests use many of the available incoming connections, making the system unresponsive to other users.
How can a solutions architect make the system more responsive?
A. Use Amazon SQS with AWS Lambda to generate reports.
My pick: D. Publish the reports to Amazon S3 and use Amazon CloudFront for downloading to the user.

 

Part 7. DB: CH 9, 21

Redshift Spectrum:
Amazon Redshift is a fully managed, petabyte-scale, cloud-based data warehouse product designed for storing and analyzing large data sets.
With Amazon Redshift Spectrum, you can efficiently query and retrieve structured and semi-structured data from files in Amazon S3 without having to load the data into Amazon Redshift tables.
Amazon Redshift Spectrum resides on dedicated Amazon Redshift servers that are independent of your cluster. Redshift Spectrum pushes many compute-intensive tasks, such as predicate filtering and aggregation, down to the Redshift Spectrum layer. As a result, Redshift Spectrum queries use much less of your cluster's processing capacity than other queries.
 
127. A company has a mobile chat application with a data store based in Amazon DynamoDB. Users would like new messages to be read with as little latency as possible. A solutions architect needs to design an optimal solution that requires minimal application changes.
Which method should the solutions architect select?
 
A. Configure Amazon DynamoDB Accelerator (DAX) for the new messages table. Update the code to use the DAX endpoint. 

 

120. A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.
Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?
 
Answer: D. Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
My pick: C. Configure SSL encryption using AWS Key Management Service (AWS KMS) to encrypt database volumes.