AWS SAA-C03真题 No.401-600

1. A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to
perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.
What should a solutions architect do to grant the permissions?
A. Add required IAM permissions in the resource policy of the Lambda function.
B. Create a signed request using the existing IAM credentials in the Lambda function.
C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

一名开发者拥有一个使用AWS Lambda功能将文件上传至Amazon S3的应用程序，需要获得执行该任务所需的权限。开发者已经拥有一个IAM用户，具备适用于Amazon S3的有效IAM凭证。

解决方案架构师该如何授予这些权限？

A. 在Lambda功能的资源策略中添加所需的IAM权限。
B. 使用Lambda功能中现有的IAM凭证创建签名请求。
C. 创建一个新的IAM用户并在Lambda功能中使用现有的IAM凭证。
D. 创建一个具有所需权限的IAM执行角色并将该IAM角色附加到Lambda功能上。

2. A company has deployed a serverless application that invokes an AWS Lambda function when new documents are uploaded to an Amazon S3
bucket. The application uses the Lambda function to process the documents. After a recent marketing campaign, the company noticed that
the application did not process many of the documents.
What should a solutions architect do to improve the architecture of this application?
A. Set the Lambda function’s runtime timeout value to 15 minutes.
B. Configure an S3 bucket replication policy. Stage the documents in the S3 bucket for later processing.
C. Deploy an additional Lambda function. Load balance the processing of the documents across the two Lambda functions.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send the requests to the queue. Configure the queue as an event
source for Lambda.

一家公司部署了一个无服务器应用程序，当有新文档上传到亚马逊S3存储桶时，该程序会调用AWS Lambda函数。
应用程序使用Lambda函数来处理这些文档。在最近的一次营销活动后，公司发现该应用程序未能处理大量文档。
解决方案架构师应采取什么措施来改进该应用程序的架构？
A. 将Lambda函数的运行超时值设置为15分钟。
B. 配置S3存储桶复制策略。先将文档暂存在S3存储桶中稍后处理。
C. 部署额外的Lambda函数。在两个Lambda函数之间均衡分配文档处理负载。
D. 创建一个亚马逊简单队列服务（Amazon SQS）队列。将请求发送到队列。配置该队列作为Lambda的事件源。

3. A solutions architect is designing the architecture for a software demonstration environment. The environment will run on Amazon EC2
instances in an Auto Scaling group behind an Application Load Balancer (ALB). The system will experience signi cant increases in traffic
during working hours but is not required to operate on weekends.
Which combination of actions should the solutions architect take to ensure that the system can scale to meet demand? (Choose two.)
A. Use AWS Auto Scaling to adjust the ALB capacity based on request rate.
B. Use AWS Auto Scaling to scale the capacity of the VPC internet gateway.
C. Launch the EC2 instances in multiple AWS Regions to distribute the load across Regions.
D. Use a target tracking scaling policy to scale the Auto Scaling group based on instance CPU utilization.
E. Use scheduled scaling to change the Auto Scaling group minimum, maximum, and desired capacity to zero for weekends. Revert to the
default values at the start of the week.

一位解决方案架构师正在为一个软件演示环境设计架构。该环境将在应用负载均衡器(ALB)后面的自动扩展组中的亚马逊EC2实例上运行。
该系统在工作时间会遇到流量显著增加的情况，但在周末不需要运行。
解决方案架构师应采取哪两项措施组合来确保系统能够扩展以满足需求？(选择两项。)
A. 使用AWS自动扩展根据请求率调整ALB容量。
B. 使用AWS自动扩展调整VPC互联网网关的容量。
C. 在多个AWS区域启动EC2实例，将负载分布到不同区域。
D. 使用目标跟踪扩展策略，根据实例CPU利用率扩展自动扩展组。
E. 使用计划扩展功能，在周末将自动扩展组的最小、最大和所需容量改为零。在工作周开始时恢复为默认值。

4. A solutions architect is designing a two-tiered architecture that includes a public subnet and a database subnet. The web servers in the public
subnet must be open to the internet on port 443. The Amazon RDS for MySQL DB instance in the database subnet must be accessible only to
the web servers on port 3306.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306.
B. Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306.
C. Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443.
D. Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306.
E. Create a security group for the DB instance. Add a rule to deny all traffic except traffic from the web servers’ security group on port
3306.

一位解决方案架构师正在设计一个两层架构，包含一个公共子网和一个数据库子网。
公共子网中的Web服务器必须在443端口上对互联网开放。
数据库子网中的Amazon RDS for MySQL数据库实例必须只能通过3306端口被Web服务器访问。
解决方案架构师应该采取哪两个步骤组合来满足这些要求？（选择两项）
A. 为公共子网创建一个网络ACL。添加一条规则拒绝到0.0.0.0/0的3306端口出站流量。
B. 为数据库实例创建一个安全组。添加一条规则允许来自公共子网CIDR块的3306端口流量。
C. 为公共子网中的Web服务器创建一个安全组。添加一条规则允许来自0.0.0.0/0的443端口流量。
D. 为数据库实例创建一个安全组。添加一条规则允许来自Web服务器安全组的3306端口流量。
E. 为数据库实例创建一个安全组。添加一条规则拒绝除来自Web服务器安全组的3306端口流量之外的所有流量。

5. A company is implementing a shared storage solution for a gaming application that is hosted in the AWS Cloud. The company needs the
ability to use Lustre clients to access data. The solution must be fully managed.
Which solution meets these requirements?
A. Create an AWS DataSync task that shares the data as a mountable file system. Mount the file system to the application server.
B. Create an AWS Storage Gateway file gateway. Create a file share that uses the required client protocol. Connect the application server
to the file share.
C. Create an Amazon Elastic File System (Amazon EFS) file system, and Configure it to support Lustre. Attach the file system to the origin
server. Connect the application server to the file system.
D. Create an Amazon FSx for Lustre file system. Attach the file system to the origin server. Connect the application server to the le
system.

一家公司正在为托管在AWS云上的游戏应用程序实施共享存储解决方案。该公司需要使用Lustre客户端访问数据的能力。解决方案必须完全托管。
以下哪种方案满足这些要求？

A. 创建一个AWS DataSync任务，将数据共享为可挂载的文件系统。将文件系统挂载到应用服务器上。


B. 创建一个AWS Storage Gateway文件网关。创建一个使用所需客户端协议的文件共享。将应用服务器连接到文件共享。


C. 创建一个Amazon Elastic File System（Amazon EFS）文件系统，并将其配置为支持Lustre。将文件系统附加到源服务器。将应用服务器连接到文件系统。


D. 创建一个Amazon FSx for Lustre文件系统。将文件系统附加到源服务器。将应用服务器连接到文件系统。

6. A company runs an application that receives data from thousands of geographically dispersed remote devices that use UDP. The application
processes the data immediately and sends a message back to the device if necessary. No data is stored.
The company needs a solution that minimizes latency for the data transmission from the devices. The solution also must provide rapid
failover to another AWS Region.
Which solution will meet these requirements?
A. Configure an Amazon Route 53 failover routing policy. Create a Network Load Balancer (NLB) in each of the two Regions. Configure the
NLB to invoke an AWS Lambda function to process the data.
B. Use AWS Global Accelerator. Create a Network Load Balancer (NLB) in each of the two Regions as an endpoint. Create an Amazon
Elastic Container Service (Amazon ECS) cluster with the Fargate launch type. Create an ECS service on the cluster. Set the ECS service as
the target for the NLProcess the data in Amazon ECS.
C. Use AWS Global Accelerator. Create an Application Load Balancer (ALB) in each of the two Regions as an endpoint. Create an Amazon
Elastic Container Service (Amazon ECS) cluster with the Fargate launch type. Create an ECS service on the cluster. Set the ECS service as
the target for the ALB. Process the data in Amazon ECS.
D. Configure an Amazon Route 53 failover routing policy. Create an Application Load Balancer (ALB) in each of the two Regions. Create an
Amazon Elastic Container Service (Amazon ECS) cluster with the Fargate launch type. Create an ECS service on the cluster. Set the ECS
service as the target for the ALB. Process the data in Amazon ECS.

一家公司运行着一个应用程序，该程序从数千个使用UDP协议且地理分布广泛的远程设备接收数据。应用程序会立即处理这些数据，并在必要时向设备发送回复消息。所有数据均不会被保存。

该公司需要一个能够最小化设备数据传输延迟的解决方案。该方案还必须能够快速故障切换到另一个AWS区域。

以下哪个解决方案可以满足这些需求？

A. 配置Amazon Route 53故障转移路由策略。在两个区域各创建一个网络负载均衡器(NLB)。配置NLB以调用AWS Lambda函数来处理数据。

B. 使用AWS Global Accelerator。在两个区域各创建一个网络负载均衡器(NLB)作为端点。创建一个采用Fargate启动类型的Amazon弹性容器服务(Amazon ECS)集群。在该集群上创建ECS服务。将ECS服务设置为NLB的目标。在Amazon ECS中处理数据。

C. 使用AWS Global Accelerator。在两个区域各创建一个应用负载均衡器(ALB)作为端点。创建一个采用Fargate启动类型的Amazon弹性容器服务(Amazon ECS)集群。在该集群上创建ECS服务。将ECS服务设置为ALB的目标。在Amazon ECS中处理数据。

D. 配置Amazon Route 53故障转移路由策略。在两个区域各创建一个应用负载均衡器(ALB)。创建一个采用Fargate启动类型的Amazon弹性容器服务(Amazon ECS)集群。在该集群上创建ECS服务。将ECS服务设置为ALB的目标。在Amazon ECS中处理数据。

7. A solutions architect must migrate a Windows Internet Information Services (IIS) web application to AWS. The application currently relies on a
file share hosted in the user’s on-premises network-attached storage (NAS). The solutions architect has proposed migrating the IIS web
servers to Amazon EC2 instances in multiple Availability Zones that are connected to the storage solution, and configuring an Elastic Load
Balancer attached to the instances.
Which replacement to the on-premises file share is MOST resilient and durable?
A. Migrate the file share to Amazon RDS.
B. Migrate the file share to AWS Storage Gateway.
C. Migrate the file share to Amazon FSx for Windows File Server.
D. Migrate the file share to Amazon Elastic File System (Amazon EFS).

一位解决方案架构师必须将一个Windows Internet信息服务(IIS)web应用程序迁移到AWS。目前该应用程序依赖于用户本地网络附加存储(NAS)中托管的文件共享。
解决方案架构师建议将IIS网络服务器迁移到多个可用区中的Amazon EC2实例，这些实例连接到存储解决方案，并配置一个附加到实例上的弹性负载均衡器。

以下哪种替代本地文件共享的方案最具弹性和耐用性？
A. 将文件共享迁移到Amazon RDS。
B. 将文件共享迁移到AWS Storage Gateway。
C. 将文件共享迁移到适用于Windows文件服务器的Amazon FSx。
D. 将文件共享迁移到Amazon弹性文件系统(Amazon EFS)。

8. A company is deploying a new application on Amazon EC2 instances. The application writes data to Amazon Elastic Block Store (Amazon EBS)
volumes. The company needs to ensure that all data that is written to the EBS volumes is encrypted at rest.
Which solution will meet this requirement?
A. Create an IAM role that speci es EBS encryption. Attach the role to the EC2 instances.
B. Create the EBS volumes as encrypted volumes. Attach the EBS volumes to the EC2 instances.
C. Create an EC2 instance tag that has a key of Encrypt and a value of True. Tag all instances that require encryption at the EBS level.
D. Create an AWS Key Management Service (AWS KMS) key policy that enforces EBS encryption in the account. Ensure that the key policy
is active.

一家公司正在亚马逊弹性计算云(Amazon EC2)实例上部署新应用。
该应用会将数据写入亚马逊弹性块存储(Amazon EBS)卷。
公司需要确保写入EBS卷的所有数据在静态时都经过加密。
哪种解决方案能满足这一需求？
A. 创建一个指定EBS加密的IAM角色。将该角色附加到EC2实例上。
B. 将EBS卷创建为加密卷。将这些EBS卷附加到EC2实例上。
C. 创建一个键为Encrypt、值为True的EC2实例标签。为所有需要在EBS层级加密的实例添加该标签。
D. 创建一个在账户中强制实施EBS加密的AWS密钥管理服务(AWS KMS)密钥策略。确保该密钥策略处于活跃状态。

9. A company has a web application with sporadic usage patterns. There is heavy usage at the beginning of each month, moderate usage at the
start of each week, and unpredictable usage during the week. The application consists of a web server and a MySQL database server running
inside the data center. The company would like to move the application to the AWS Cloud, and needs to select a cost-effective database
platform that will not require database modi cations.
Which solution will meet these requirements?
A. Amazon DynamoDB
B. Amazon RDS for MySQL
C. MySQL-compatible Amazon Aurora Serverless
D. MySQL deployed on Amazon EC2 in an Auto Scaling group

一家公司拥有一个使用模式零散的Web应用程序。每月初有大量使用，每周初有中等使用量，而一周内的使用量则难以预测。该应用程序由位于数据中心内的Web服务器和MySQL数据库服务器组成。公司希望将该应用程序迁移到AWS云，并需要选择一个成本效益高且无需修改数据库的平台。
以下哪种解决方案符合这些要求？
A. Amazon DynamoDB
B. 适用于MySQL的Amazon RDS
C. MySQL兼容的Amazon Aurora无服务器版本
D. 部署在Amazon EC2自动伸缩组中的MySQL

10. An image-hosting company stores its objects in Amazon S3 buckets. The company wants to avoid accidental exposure of the objects in the S3
buckets to the public. All S3 objects in the entire AWS account need to remain private.
Which solution will meet these requirements?
A. Use Amazon GuardDuty to monitor S3 bucket policies. Create an automatic remediation action rule that uses an AWS Lambda function
to remediate any change that makes the objects public.
B. Use AWS Trusted Advisor to nd publicly accessible S3 buckets. Configure email notifications in Trusted Advisor when a change is
detected. Manually change the S3 bucket policy if it allows public access.
C. Use AWS Resource Access Manager to nd publicly accessible S3 buckets. Use Amazon Simple Notification Service (Amazon SNS) to
invoke an AWS Lambda function when a change is detected. Deploy a Lambda function that programmatically remediates the change.
D. Use the S3 Block Public Access feature on the account level. Use AWS Organizations to create a service control policy (SCP) that
prevents IAM users from changing the setting. Apply the SCP to the account.

一家图片托管公司将其对象存储在Amazon S3存储桶中。该公司希望避免S3存储桶中的对象意外公开。整个AWS账户中的所有S3对象都需要保持私有。
哪种解决方案可以满足这些要求？
A. 使用Amazon GuardDuty监控S3存储桶策略。创建一个自动修复操作规则，使用AWS Lambda函数来修复任何导致对象公开的更改。
B. 使用AWS Trusted Advisor查找可公开访问的S3存储桶。在Trusted Advisor中配置电子邮件通知以检测更改。如果存储桶策略允许公开访问，则手动更改S3存储桶策略。
C. 使用AWS Resource Access Manager查找可公开访问的S3存储桶。使用Amazon Simple Notification Service（Amazon SNS）在检测到更改时调用AWS Lambda函数。部署一个Lambda函数以程序化方式修复更改。
D. 在账户级别使用S3阻止公共访问功能。使用AWS Organizations创建服务控制策略（SCP）以防止IAM用户更改设置。将该SCP应用于账户。

11. An ecommerce company is experiencing an increase in user traffic. The company’s store is deployed on Amazon EC2 instances as a two-tier
web application consisting of a web tier and a separate database tier. As traffic increases, the company notices that the architecture is
causing signi cant delays in sending timely marketing and order con rmation email to users. The company wants to reduce the time it spends
resolving complex email delivery issues and minimize operational overhead.
What should a solutions architect do to meet these requirements?
A. Create a separate application tier using EC2 instances dedicated to email processing.
B. Configure the web instance to send email through Amazon Simple Email Service (Amazon SES).
C. Configure the web instance to send email through Amazon Simple Notification Service (Amazon SNS).
D. Create a separate application tier using EC2 instances dedicated to email processing. Place the instances in an Auto Scaling group.

一家电子商务公司正在经历用户流量的增长。该公司的商店部署在亚马逊EC2实例上，作为一个由网络层和独立数据库层组成的两层网络应用程序。随着流量的增加，公司注意到当前的架构导致向用户发送及时的营销和订单确认电子邮件出现显著延迟。公司希望减少解决复杂电子邮件发送问题所花费的时间，并最小化运营开销。

为了满足这些需求，解决方案架构师应该怎么做？

A. 使用专门用于电子邮件处理的EC2实例创建独立的应用程序层。

B. 配置网络实例通过亚马逊简单电子邮件服务（Amazon SES）发送电子邮件。

C. 配置网络实例通过亚马逊简单通知服务（Amazon SNS）发送电子邮件。

D. 使用专门用于电子邮件处理的EC2实例创建独立的应用程序层，并将这些实例放入自动扩展组中。

12. A company has a business system that generates hundreds of reports each day. The business system saves the reports to a network share in
CSV format. The company needs to store this data in the AWS Cloud in near-real time for analysis.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Use AWS DataSync to transfer the files to Amazon S3. Create a scheduled task that runs at the end of each day.
B. Create an Amazon S3 File Gateway. Update the business system to use a new network share from the S3 File Gateway.
C. Use AWS DataSync to transfer the files to Amazon S3. Create an application that uses the DataSync API in the automation work ow.
D. Deploy an AWS Transfer for SFTP endpoint. Create a script that checks for new files on the network share and uploads the new files by
using SFTP.

一家公司拥有一个每天生成数百份报告的业务系统。这些报告以CSV格式保存到网络共享文件夹中。
公司需要将这些数据近乎实时地存储到AWS云平台中以便进行分析。
以下哪种解决方案能够在满足需求的同时，将管理开销降至最低？
A. 使用AWS DataSync将文件传输到Amazon S3。创建一个在每天结束时运行的定时任务。
B. 创建一个Amazon S3文件网关。更新业务系统以使用来自S3文件网关的新网络共享。
C. 使用AWS DataSync将文件传输到Amazon S3。创建一个在自动化工作流中使用DataSync API的应用程序。
D. 部署一个AWS SFTP传输终端节点。创建一个脚本用于检查网络共享中的新文件，并通过SFTP上传这些新文件。

13. A company is storing petabytes of data in Amazon S3 Standard. The data is stored in multiple S3 buckets and is accessed with varying
frequency. The company does not know access patterns for all the data. The company needs to implement a solution for each S3 bucket to
optimize the cost of S3 usage.
Which solution will meet these requirements with the MOST operational e ciency?
A. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Intelligent-Tiering.
B. Use the S3 storage class analysis tool to determine the correct tier for each object in the S3 bucket. Move each object to the identi ed
storage tier.
C. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 Glacier Instant Retrieval.
D. Create an S3 Lifecycle configuration with a rule to transition the objects in the S3 bucket to S3 One Zone-Infrequent Access (S3 One
Zone-IA).

一家公司在Amazon S3标准存储中存储了PB级的数据。这些数据存储在多个S3存储桶中，并且访问频率各不相同。
该公司并不了解所有数据的访问模式。公司需要为每个S3存储桶实施一个解决方案，以优化S3使用成本。
哪种解决方案能在最大程度上满足这些操作性效率要求？
A. 创建一个S3生命周期配置，设置规则将S3存储桶中的对象转移到S3智能分层存储。
B. 使用S3存储类别分析工具确定S3存储桶中每个对象的正确存储层级，然后将每个对象移动到已识别的存储层级。
C. 创建一个S3生命周期配置，设置规则将S3存储桶中的对象转移到S3 Glacier即时检索存储。
D. 创建一个S3生命周期配置，设置规则将S3存储桶中的对象转移到S3单区-不频繁访问存储(S3 One Zone-IA)。

14. A rapidly growing global ecommerce company is hosting its web application on AWS. The web application includes static content and dynamic
content. The website stores online transaction processing (OLTP) data in an Amazon RDS database The website’s users are experiencing slow
page loads.
Which combination of actions should a solutions architect take to resolve this issue? (Choose two.)
A. Configure an Amazon Redshift cluster.
B. Set up an Amazon CloudFront distribution.
C. Host the dynamic web content in Amazon S3.
D. Create a read replica for the RDS DB instance.
E. Configure a Multi-AZ deployment for the RDS DB instance.

一家快速发展的全球电子商务公司正在AWS上托管其网络应用程序。该网络应用程序包含静态内容和动态内容。
网站在Amazon RDS数据库中存储在线交易处理（OLTP）数据。网站用户目前正经历页面加载缓慢的问题。
解决方案架构师应采取哪两项组合措施来解决这个问题？（选择两项。）
A. 配置Amazon Redshift集群。
B. 设置Amazon CloudFront分发。
C. 在Amazon S3中托管动态网页内容。
D. 为RDS数据库实例创建只读副本。
E. 为RDS数据库实例配置多可用区部署。

15. A company uses Amazon EC2 instances and AWS Lambda functions to run its application. The company has VPCs with public subnets and
private subnets in its AWS account. The EC2 instances run in a private subnet in one of the VPCs. The Lambda functions need direct network
access to the EC2 instances for the application to work.
The application will run for at least 1 year. The company expects the number of Lambda functions that the application uses to increase during
that time. The company wants to maximize its savings on all application resources and to keep network latency between the services low.
Which solution will meet these requirements?
A. Purchase an EC2 Instance Savings Plan Optimize the Lambda functions’ duration and memory usage and the number of invocations.
Connect the Lambda functions to the private subnet that contains the EC2 instances.
B. Purchase an EC2 Instance Savings Plan Optimize the Lambda functions’ duration and memory usage, the number of invocations, and
the amount of data that is transferred. Connect the Lambda functions to a public subnet in the same VPC where the EC2 instances run.
C. Purchase a Compute Savings Plan. Optimize the Lambda functions’ duration and memory usage, the number of invocations, and the
amount of data that is transferred. Connect the Lambda functions to the private subnet that contains the EC2 instances.
D. Purchase a Compute Savings Plan. Optimize the Lambda functions’ duration and memory usage, the number of invocations, and the
amount of data that is transferred. Keep the Lambda functions in the Lambda service VPC.

一家公司使用亚马逊EC2实例和AWS Lambda函数来运行其应用程序。该公司在其AWS账户中拥有包含公共子网和私有子网的VPC。EC2实例在其中一个VPC的私有子网中运行。Lambda函数需要直接网络访问EC2实例才能使应用程序正常工作。

该应用程序将至少运行1年。公司预计在此期间应用程序使用的Lambda函数数量会增加。公司希望在所有应用程序资源上最大化节省成本，并保持服务之间的网络延迟较低。

哪种解决方案能够满足这些需求？

A. 购买EC2实例节省计划。优化Lambda函数的持续时间和内存使用情况以及调用次数。将Lambda函数连接到包含EC2实例的私有子网。

B. 购买EC2实例节省计划。优化Lambda函数的持续时间、内存使用情况、调用次数以及传输的数据量。将Lambda函数连接到与EC2实例运行在相同VPC中的公共子网。

C. 购买计算节省计划。优化Lambda函数的持续时间、内存使用情况、调用次数以及传输的数据量。将Lambda函数连接到包含EC2实例的私有子网。

D. 购买计算节省计划。优化Lambda函数的持续时间、内存使用情况、调用次数以及传输的数据量。将Lambda函数保留在Lambda服务VPC中。

16. A solutions architect needs to allow team members to access Amazon S3 buckets in two different AWS accounts: a development account and
a production account. The team currently has access to S3 buckets in the development account by using unique IAM users that are assigned
to an IAM group that has appropriate permissions in the account.
The solutions architect has created an IAM role in the production account. The role has a policy that grants access to an S3 bucket in the
production account.
Which solution will meet these requirements while complying with the principle of least privilege?
A. Attach the Administrator Access policy to the development account users.
B. Add the development account as a principal in the trust policy of the role in the production account.
C. Turn off the S3 Block Public Access feature on the S3 bucket in the production account.
D. Create a user in the production account with unique credentials for each team member.

一位解决方案架构师需要允许团队成员访问两个不同的AWS账户中的Amazon S3存储桶：一个开发账户和一个生产账户。该团队目前通过使用分配给IAM组的唯一IAM用户来访问开发账户中的S3存储桶，该IAM组在该账户中具有适当的权限。

解决方案架构师已在生产账户中创建了IAM角色。该角色具有一个授予访问生产账户中S3存储桶权限的策略。

哪种解决方案能在符合最小权限原则的同时满足这些需求？

A. 将管理员访问策略附加到开发账户中的用户。

B. 在生产账户角色的信任策略中将开发账户添加为主体。

C. 关闭生产账户中S3存储桶的S3阻止公共访问功能。

D. 在生产账户中为每个团队成员创建具有唯一凭证的用户。

17. A company uses AWS Organizations with all features enabled and runs multiple Amazon EC2 workloads in the ap-southeast-2 Region. The
company has a service control policy (SCP) that prevents any resources from being created in any other Region. A security policy requires the
company to encrypt all data at rest.
An audit discovers that employees have created Amazon Elastic Block Store (Amazon EBS) volumes for EC2 instances without encrypting the
volumes. The company wants any new EC2 instances that any IAM user or root user launches in ap-southeast-2 to use encrypted EBS volumes.
The company wants a solution that will have minimal effect on employees who create EBS volumes.
Which combination of steps will meet these requirements? (Choose two.)
A. In the Amazon EC2 console, select the EBS encryption account attribute and de ne a default encryption key.
B. Create an IAM permission boundary. Attach the permission boundary to the root organizational unit (OU). De ne the boundary to deny
the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
C. Create an SCP. Attach the SCP to the root organizational unit (OU). De ne the SCP to deny the ec2:CreateVolume action whenthe
ec2:Encrypted condition equals false.
D. Update the IAM policies for each account to deny the ec2:CreateVolume action when the ec2:Encrypted condition equals false.
E. In the Organizations management account, specify the Default EBS volume encryption setting.

一家公司启用了所有功能的AWS Organizations，并在ap-southeast-2区域运行多个Amazon EC2工作负载。
这家公司有一个服务控制策略（SCP），防止在任何其他区域创建任何资源。一项安全政策要求该公司对所有静态数据进行加密。
审计发现，员工在为EC2实例创建Amazon Elastic Block Store（Amazon EBS）卷时未加密这些卷。公司希望任何IAM用户或根用户在ap-southeast-2区域启动的任何新EC2实例都使用加密的EBS卷。
公司希望解决方案对创建EBS卷的员工影响最小。
哪种步骤组合能够满足这些要求？（选择两个。）
A. 在Amazon EC2控制台中，选择EBS加密账户属性并定义默认加密密钥。
B. 创建一个IAM权限边界。将该权限边界附加到根组织单位（OU）。定义边界以在ec2:Encrypted条件等于false时拒绝ec2:CreateVolume操作。
C. 创建一个SCP。将该SCP附加到根组织单位（OU）。定义SCP以在ec2:Encrypted条件等于false时拒绝ec2:CreateVolume操作。
D. 更新每个账户的IAM策略，以在ec2:Encrypted条件等于false时拒绝ec2:CreateVolume操作。
E. 在Organizations管理账户中，指定默认EBS卷加密设置。

18. A company wants to use an Amazon RDS for PostgreSQL DB cluster to simplify time-consuming database administrative tasks for production
database workloads. The company wants to ensure that its database is highly available and will provide automatic failover support in most
scenarios in less than 40 seconds. The company wants to o oad reads off of the primary instance and keep costs as low as possible.
Which solution will meet these requirements?
A. Use an Amazon RDS Multi-AZ DB instance deployment. Create one read replica and point the read workload to the read replica.
B. Use an Amazon RDS Multi-AZ DB duster deployment Create two read replicas and point the read workload to the read replicas.
C. Use an Amazon RDS Multi-AZ DB instance deployment. Point the read workload to the secondary instances in the Multi-AZ pair.
D. Use an Amazon RDS Multi-AZ DB cluster deployment Point the read workload to the reader endpoint.

一家公司希望使用亚马逊RDS（PostgreSQL数据库集群）来简化生产数据库工作负载中耗时的数据库管理任务。

公司希望确保其数据库具有高可用性，并在大多数情况下提供在40秒以内的自动故障转移支持。

公司希望将读取负载从主实例上分流出去，并尽可能降低成本。

哪种解决方案能够满足这些需求？

A. 使用亚马逊RDS多可用区（Multi-AZ）数据库实例部署。创建一个只读副本，并将读取工作负载指向该只读副本。

B. 使用亚马逊RDS多可用区（Multi-AZ）数据库集群部署。创建两个只读副本，并将读取工作负载指向这些只读副本。

C. 使用亚马逊RDS多可用区（Multi-AZ）数据库实例部署。将读取工作负载指向多可用区对中的次要实例。

D. 使用亚马逊RDS多可用区（Multi-AZ）数据库集群部署。将读取工作负载指向读取器端点（reader endpoint）。

19. A company runs a highly available SFTP service. The SFTP service uses two Amazon EC2 Linux instances that run with elastic IP addresses to
accept traffic from trusted IP sources on the internet. The SFTP service is backed by shared storage that is attached to the instances. User
accounts are created and managed as Linux users in the SFTP servers.
The company wants a serverless option that provides high IOPS performance and highly configurable security. The company also wants to
maintain control over user permissions.
Which solution will meet these requirements?
A. Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume. Create an AWS Transfer Family SFTP service with a public
endpoint that allows only trusted IP addresses. Attach the EBS volume to the SFTP service endpoint. Grant users access to the SFTP
service.
B. Create an encrypted Amazon Elastic File System (Amazon EFS) volume. Create an AWS Transfer Family SFTP service with elastic IP
addresses and a VPC endpoint that has internet-facing access. Attach a security group to the endpoint that allows only trusted IP
addresses. Attach the EFS volume to the SFTP service endpoint. Grant users access to the SFTP service.
C. Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service with a public endpoint that
allows only trusted IP addresses. Attach the S3 bucket to the SFTP service endpoint. Grant users access to the SFTP service.
D. Create an Amazon S3 bucket with default encryption enabled. Create an AWS Transfer Family SFTP service with a VPC endpoint that
has internal access in a private subnet. Attach a security group that allows only trusted IP addresses. Attach the S3 bucket to the SFTP
service endpoint. Grant users access to the SFTP service.

一家公司运行着一个高可用的SFTP服务。该SFTP服务使用两个带有弹性IP地址的亚马逊EC2 Linux实例，

接收来自互联网上可信IP来源的流量。SFTP服务由附加到实例的共享存储支持。

用户账户在SFTP服务器上作为Linux用户创建和管理。

公司希望有一个无服务器的选项，提供高IOPS性能和高度可配置的安全性。公司还希望

保持对用户权限的控制。

哪种解决方案能够满足这些要求？

A. 创建一个加密的亚马逊弹性块存储（Amazon EBS）卷。创建一个AWS Transfer Family SFTP服务，

该服务具有仅允许可信IP地址的公共终端节点。将EBS卷附加到SFTP服务终端节点。授予用户访问SFTP服务的权限。

B. 创建一个加密的亚马逊弹性文件系统（Amazon EFS）卷。创建一个带有弹性IP地址的AWS Transfer Family SFTP服务，

以及一个具有面向互联网访问的VPC终端节点。将一个仅允许可信IP地址的安全组附加到终端节点。

将EFS卷附加到SFTP服务终端节点。授予用户访问SFTP服务的权限。

C. 创建一个启用默认加密的亚马逊S3存储桶。创建一个仅允许可信IP地址的公共终端节点的AWS Transfer Family SFTP服务。

将S3存储桶附加到SFTP服务终端节点。授予用户访问SFTP服务的权限。

D. 创建一个启用默认加密的亚马逊S3存储桶。创建一个在私有子网中具有内部访问权限的VPC终端节点的AWS Transfer Family SFTP服务。

附加一个仅允许可信IP地址的安全组。将S3存储桶附加到SFTP服务终端节点。授予用户访问SFTP服务的权限。

20. A company is developing a new machine learning (ML) model solution on AWS. The models are developed as independent microservices that
fetch approximately 1 GB of model data from Amazon S3 at startup and load the data into memory. Users access the models through an
asynchronous API. Users can send a request or a batch of requests and specify where the results should be sent.
The company provides models to hundreds of users. The usage patterns for the models are irregular. Some models could be unused for days
or weeks. Other models could receive batches of thousands of requests at a time.
Which design should a solutions architect recommend to meet these requirements?
A. Direct the requests from the API to a Network Load Balancer (NLB). Deploy the models as AWS Lambda functions that are invoked by
the NLB.
B. Direct the requests from the API to an Application Load Balancer (ALB). Deploy the models as Amazon Elastic Container Service
(Amazon ECS) services that read from an Amazon Simple Queue Service (Amazon SQS) queue. Use AWS App Mesh to scale the instances
of the ECS cluster based on the SQS queue size.
C. Direct the requests from the API into an Amazon Simple Queue Service (Amazon SQS) queue. Deploy the models as AWS Lambda
functions that are invoked by SQS events. Use AWS Auto Scaling to increase the number of vCPUs for the Lambda functions based on the
SQS queue size.
D. Direct the requests from the API into an Amazon Simple Queue Service (Amazon SQS) queue. Deploy the models as Amazon Elastic
Container Service (Amazon ECS) services that read from the queue. Enable AWS Auto Scaling on Amazon ECS for both the cluster and
copies of the service based on the queue size.

一家公司在AWS上开发新的机器学习（ML）模型解决方案。这些模型以独立的微服务形式开发，在启动时会从Amazon S3获取约1 GB的模型数据并加载到内存中。用户通过异步API访问这些模型。用户可以发送单个请求或批量请求，并指定结果应发送的位置。

该公司为数百名用户提供模型。模型的使用模式并不规律。某些模型可能数天或数周无人使用，而其他模型可能一次性接收数千个请求的批次。

解决方案架构师应推荐哪种设计来满足这些需求？

A. 将来自API的请求直接导向网络负载均衡器（NLB）。将模型部署为由NLB调用的AWS Lambda函数。

B. 将来自API的请求直接导向应用负载均衡器（ALB）。将模型部署为从Amazon Simple Queue Service（Amazon SQS）队列读取数据的Amazon Elastic Container Service（Amazon ECS）服务。使用AWS App Mesh基于SQS队列大小扩展ECS集群实例。

C. 将来自API的请求导入Amazon Simple Queue Service（Amazon SQS）队列。将模型部署为由SQS事件触发的AWS Lambda函数。使用AWS Auto Scaling根据SQS队列大小增加Lambda函数的vCPU数量。

D. 将来自API的请求导入Amazon Simple Queue Service（Amazon SQS）队列。将模型部署为从队列读取数据的Amazon Elastic Container Service（Amazon ECS）服务。基于队列大小，在Amazon ECS上为集群和服务副本启用AWS Auto Scaling。

21. A company is running a custom application on Amazon EC2 On-Demand Instances. The application has frontend nodes that need to run 24
hours a day, 7 days a week and backend nodes that need to run only for a short time based on workload. The number of backend nodes varies
during the day.
The company needs to scale out and scale in more instances based on workload.
Which solution will meet these requirements MOST cost-effectively?
A. Use Reserved Instances for the frontend nodes. Use AWS Fargate for the backend nodes.
B. Use Reserved Instances for the frontend nodes. Use Spot Instances for the backend nodes.
C. Use Spot Instances for the frontend nodes. Use Reserved Instances for the backend nodes.
D. Use Spot Instances for the frontend nodes. Use AWS Fargate for the backend nodes.

一家公司在Amazon EC2按需实例上运行一个定制应用程序。该应用程序具有需要每天24小时、每周7天持续运行的前端节点，以及只需根据工作量短期运行的后端节点。后端节点的数量在一天之中会不断变化。
公司需要根据工作量扩展或缩减更多实例。
哪种解决方案能够以最具成本效益的方式满足这些需求？
A. 前端节点使用预留实例。后端节点使用AWS Fargate。
B. 前端节点使用预留实例。后端节点使用竞价实例。
C. 前端节点使用竞价实例。后端节点使用预留实例。
D. 前端节点使用竞价实例。后端节点使用AWS Fargate。

22. A company uses high block storage capacity to runs its workloads on premises. The company’s daily peak input and output transactions per
second are not more than 15,000 IOPS. The company wants to migrate the workloads to Amazon EC2 and to provision disk performance
independent of storage capacity.
Which Amazon Elastic Block Store (Amazon EBS) volume type will meet these requirements MOST cost-effectively?
A. GP2 volume type
B. io2 volume type
C. GP3 volume type
D. io1 volume type

一家公司在本地运营其工作负载，使用高块存储容量。公司每日的峰值输入输出交易每秒不超过15,000次IOPS。
该公司希望将这些工作负载迁移到Amazon EC2，并配置与存储容量无关的磁盘性能。
哪种Amazon Elastic Block Store (Amazon EBS) 卷类型最能经济高效地满足这些要求？
A. GP2卷类型
B. io2卷类型
C. GP3卷类型
D. io1卷类型

23. A company needs to store data from its healthcare application. The application’s data frequently changes. A new regulation requires audit
access at all levels of the stored data.
The company hosts the application on an on-premises infrastructure that is running out of storage capacity. A solutions architect must
securely migrate the existing data to AWS while satisfying the new regulation.
Which solution will meet these requirements?
A. Use AWS DataSync to move the existing data to Amazon S3. Use AWS CloudTrail to log data events.
B. Use AWS Snowcone to move the existing data to Amazon S3. Use AWS CloudTrail to log management events.
C. Use Amazon S3 Transfer Acceleration to move the existing data to Amazon S3. Use AWS CloudTrail to log data events.
D. Use AWS Storage Gateway to move the existing data to Amazon S3. Use AWS CloudTrail to log management events.

一家公司需要存储其医疗保健应用程序的数据。该应用程序的数据经常变化。
一项新法规要求对存储数据的所有级别进行审计访问。
该公司将应用程序托管在本地的内部基础设施上，该基础设施的存储容量即将耗尽。
一名解决方案架构师必须安全地将现有数据迁移到AWS，同时满足新法规的要求。
以下哪种解决方案能够满足这些要求？

A. 使用AWS DataSync将现有数据迁移至Amazon S3。使用AWS CloudTrail记录数据事件。
B. 使用AWS Snowcone将现有数据迁移至Amazon S3。使用AWS CloudTrail记录管理事件。
C. 使用Amazon S3 Transfer Acceleration将现有数据迁移至Amazon S3。使用AWS CloudTrail记录数据事件。
D. 使用AWS Storage Gateway将现有数据迁移至Amazon S3。使用AWS CloudTrail记录管理事件。

24. A solutions architect is implementing a complex Java application with a MySQL database. The Java application must be deployed on Apache
Tomcat and must be highly available.
What should the solutions architect do to meet these requirements?
A. Deploy the application in AWS Lambda. Configure an Amazon API Gateway API to connect with the Lambda functions.
B. Deploy the application by using AWS Elastic Beanstalk. Configure a load-balanced environment and a rolling deployment policy.
C. Migrate the database to Amazon ElastiCache. Configure the ElastiCache security group to allow access from the application.
D. Launch an Amazon EC2 instance. Install a MySQL server on the EC2 instance. Configure the application on the server. Create an AMI.
Use the AMI to create a launch template with an Auto Scaling group.

一位解决方案架构师正在实施一个带有MySQL数据库的复杂Java应用程序。
该Java应用程序需要部署在Apache Tomcat上，并且必须具有高可用性。
解决方案架构师应该采取什么措施来满足这些需求？

A. 将应用程序部署在AWS Lambda中。配置一个Amazon API Gateway API来连接Lambda函数。
B. 使用AWS Elastic Beanstalk部署应用程序。配置一个负载均衡环境和一个滚动部署策略。
C. 将数据库迁移到Amazon ElastiCache。配置ElastiCache安全组以允许从应用程序访问。
D. 启动一个Amazon EC2实例。在EC2实例上安装MySQL服务器。在服务器上配置应用程序。创建一个AMI。
使用该AMI创建一个带有Auto Scaling组的启动模板。

25. A serverless application uses Amazon API Gateway, AWS Lambda, and Amazon DynamoDB. The Lambda function needs permissions to read
and write to the DynamoDB table.
Which solution will give the Lambda function access to the DynamoDB table MOST securely?
A. Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows read and write access to
the DynamoDB table. Store the access_key_id and secret_access_key parameters as part of the Lambda environment variables. Ensure
that other AWS users do not have read and write access to the Lambda function configuration.
B. Create an IAM role that includes Lambda as a trusted service. Attach a policy to the role that allows read and write access to the
DynamoDB table. Update the configuration of the Lambda function to use the new role as the execution role.
C. Create an IAM user with programmatic access to the Lambda function. Attach a policy to the user that allows read and write access to
the DynamoDB table. Store the access_key_id and secret_access_key parameters in AWS Systems Manager Parameter Store as secure
string parameters. Update the Lambda function code to retrieve the secure string parameters before connecting to the DynamoDB table.
D. Create an IAM role that includes DynamoDB as a trusted service. Attach a policy to the role that allows read and write access from the
Lambda function. Update the code of the Lambda function to attach to the new role as an execution role.

一个无服务器应用使用了亚马逊API网关、AWS Lambda和亚马逊DynamoDB。Lambda函数需要权限来读写DynamoDB表。

哪种解决方案能以最安全的方式给予Lambda函数对DynamoDB表的访问权限？

A. 创建一个对Lambda函数具有编程访问权限的IAM用户。为该用户附加一个允许读写DynamoDB表的策略。将access_key_id和secret_access_key参数作为Lambda环境变量的一部分存储。确保其他AWS用户没有对Lambda函数配置的读写权限。

B. 创建一个将Lambda列为可信服务的IAM角色。为该角色附加一个允许读写DynamoDB表的策略。更新Lambda函数的配置，将该新角色作为执行角色使用。

C. 创建一个对Lambda函数具有编程访问权限的IAM用户。为该用户附加一个允许读写DynamoDB表的策略。将access_key_id和secret_access_key参数作为安全字符串参数存储在AWS系统管理器参数存储中。更新Lambda函数代码，在连接DynamoDB表之前检索这些安全字符串参数。

D. 创建一个将DynamoDB列为可信服务的IAM角色。为该角色附加一个允许来自Lambda函数的读写访问权限的。更新Lambda函数的代码以将该新角色附加为执行角色。

26. A manufacturing company has machine sensors that upload .csv files to an Amazon S3 bucket. These .csv files must be converted into images
and must be made available as soon as possible for the automatic generation of graphical reports.
The images become irrelevant after 1 month, but the .csv files must be kept to train machine learning (ML) models twice a year. The ML
trainings and audits are planned weeks in advance.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)
A. Launch an Amazon EC2 Spot Instance that downloads the .csv files every hour, generates the image les, and uploads the images to
the S3 bucket.
B. Design an AWS Lambda function that converts the .csv files into images and stores the images in the S3 bucket. Invoke the Lambda
function when a .csv file is uploaded.
C. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3 Standard to S3 Glacier 1 day
after they are uploaded. Expire the image files after 30 days.
D. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3 Standard to S3 One Zone
Infrequent Access (S3 One Zone-IA) 1 day after they are uploaded. Expire the image files after 30 days.
E. Create S3 Lifecycle rules for .csv files and image files in the S3 bucket. Transition the .csv files from S3 Standard to S3 Standard
Infrequent Access (S3 Standard-IA) 1 day after they are uploaded. Keep the image files in Reduced Redundancy Storage (RRS).

一家制造公司的机器传感器将.csv文件上传到Amazon S3存储桶中。这些.csv文件必须转换为图像，并且必须尽快提供用于图形报告的自动生成。
这些图像在1个月后就会失效，但.csv文件必须保留下来以便每年两次用于训练机器学习（ML）模型。ML训练和审计工作会提前几周进行规划。
哪种步骤组合能以最具成本效益的方式满足这些要求？（选择两项。）
A. 启动一个Amazon EC2 Spot实例，每小时下载.csv文件，生成图像文件，并将图像上传到S3存储桶。
B. 设计一个AWS Lambda函数，将.csv文件转换为图像并将图像存储在S3存储桶中。当.csv文件上传时调用该Lambda函数。
C. 为S3存储桶中的.csv文件和图像文件创建S3生命周期规则。在.csv文件上传1天后将其从S3标准存储转换为S3 Glacier存储。图像文件在30天后过期。
D. 为S3存储桶中的.csv文件和图像文件创建S3生命周期规则。在.csv文件上传1天后将其从S3标准存储转换为S3单区低频访问存储（S3 One Zone-IA）。图像文件在30天后过期。
E. 为S3存储桶中的.csv文件和图像文件创建S3生命周期规则。在.csv文件上传1天后将其从S3标准存储转换为S3标准低频访问存储（S3 Standard-IA）。将图像文件保留在降低冗余存储（RRS）中。

27. A company has developed a new video game as a web application. The application is in a three-tier architecture in a VPC with Amazon RDS
for MySQL in the database layer. Several players will compete concurrently online. The game’s developers want to display a top-10 scoreboard
in near-real time and offer the ability to stop and restore the game while preserving the current scores.
What should a solutions architect do to meet these requirements?
A. Set up an Amazon ElastiCache for Memcached cluster to cache the scores for the web application to display.
B. Set up an Amazon ElastiCache for Redis cluster to compute and cache the scores for the web application to display.
C. Place an Amazon CloudFront distribution in front of the web application to cache the scoreboard in a section of the application.
D. Create a read replica on Amazon RDS for MySQL to run queries to compute the scoreboard and serve the read traffic to the web
application.

一家公司开发了一款新的网页游戏应用。
该应用采用三层架构部署在一个VPC中，数据库层使用Amazon RDS for MySQL。
多位玩家将在网上同时竞技。
游戏开发者希望近乎实时地显示前十名积分榜，并能够在保持当前分数的情况下暂停和恢复游戏。

解决方案架构师应采取什么措施来满足这些需求？

A. 建立Amazon ElastiCache for Memcached集群来缓存分数，供网页应用展示。
B. 建立Amazon ElastiCache for Redis集群来计算和缓存分数，供网页应用展示。
C. 在网页应用前部署Amazon CloudFront分发，来缓存应用部分的积分榜。
D. 在Amazon RDS for MySQL上创建只读副本，运行查询来计算积分榜并为网页应用提供读取流量。

28. An ecommerce company wants to use machine learning (ML) algorithms to build and train models. The company will use the models to
visualize complex scenarios and to detect trends in customer data. The architecture team wants to integrate its ML models with a reporting
platform to analyze the augmented data and use the data directly in its business intelligence dashboards.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Glue to create an ML transform to build and train models. Use Amazon OpenSearch Service to visualize the data.
B. Use Amazon SageMaker to build and train models. Use Amazon QuickSight to visualize the data.
C. Use a pre-built ML Amazon Machine Image (AMI) from the AWS Marketplace to build and train models. Use Amazon OpenSearch Service
to visualize the data.
D. Use Amazon QuickSight to build and train models by using calculated elds. Use Amazon QuickSight to visualize the data.

一家电子商务公司希望使用机器学习（ML）算法来构建和训练模型。该公司将利用这些模型
来可视化复杂场景并检测客户数据趋势。架构团队希望将ML模型与报表平台集成，
以分析增强数据并直接在商业智能仪表板中使用这些数据。
哪种方案能以最小的运维开销满足这些需求？
A. 使用AWS Glue创建ML转换来构建和训练模型。使用Amazon OpenSearch Service进行数据可视化。
B. 使用Amazon SageMaker构建和训练模型。使用Amazon QuickSight进行数据可视化。
C. 使用AWS Marketplace中的预构建ML亚马逊机器镜像（AMI）来构建和训练模型。使用Amazon OpenSearch Service
进行数据可视化。
D. 使用Amazon QuickSight通过计算字段构建和训练模型。使用Amazon QuickSight进行数据可视化。

29. A company is running its production and nonproduction environment workloads in multiple AWS accounts. The accounts are in an organization
in AWS Organizations. The company needs to design a solution that will prevent the modi cation of cost usage tags.
Which solution will meet these requirements?
A. Create a custom AWS Config rule to prevent tag modi cation except by authorized principals.
B. Create a custom trail in AWS CloudTrail to prevent tag modi cation.
C. Create a service control policy (SCP) to prevent tag modi cation except by authorized principals.
D. Create custom Amazon CloudWatch logs to prevent tag modi cation.

一家公司在多个AWS账户中运行其生产环境和非生产环境的工作负载。这些账户属于AWS Organizations中的一个组织。

该公司需要设计一个解决方案，防止成本使用标签被修改。

哪个解决方案能够满足这些要求？

A. 创建一个自定义的AWS Config规则，防止未经授权的主体修改标签。

B. 在AWS CloudTrail中创建自定义跟踪，防止标签被修改。

C. 创建一个服务控制策略（SCP），防止未经授权的主体修改标签。

D. 创建自定义的Amazon CloudWatch日志，防止标签被修改。

30. A company hosts its application in the AWS Cloud. The application runs on Amazon EC2 instances behind an Elastic Load Balancer in an Auto
Scaling group and with an Amazon DynamoDB table. The company wants to ensure the application can be made available in anotherAWS
Region with minimal downtime.
What should a solutions architect do to meet these requirements with the LEAST amount of downtime?
A. Create an Auto Scaling group and a load balancer in the disaster recovery Region. Configure the DynamoDB table as a global table.
Configure DNS failover to point to the new disaster recovery Region’s load balancer.
B. Create an AWS CloudFormation template to create EC2 instances, load balancers, and DynamoDB tables to be launched when needed
Configure DNS failover to point to the new disaster recovery Region’s load balancer.
C. Create an AWS CloudFormation template to create EC2 instances and a load balancer to be launched when needed. Configure the
DynamoDB table as a global table. Configure DNS failover to point to the new disaster recovery Region’s load balancer.
D. Create an Auto Scaling group and load balancer in the disaster recovery Region. Configure the DynamoDB table as a global table.
Create an Amazon CloudWatch alarm to trigger an AWS Lambda function that updates Amazon Route 53 pointing to the disaster recovery
load balancer.

一家公司将其应用程序托管在AWS云中。该应用程序运行在位于自动扩展组中弹性负载均衡器后方的Amazon EC2实例上，并配有一个Amazon DynamoDB表。公司希望确保该应用程序能够在另一个AWS区域以最短停机时间实现可用性。
解决方案架构师应该采取什么措施，以最少停机时间满足这些要求？
A. 在灾难恢复区域创建一个自动扩展组和负载均衡器。将DynamoDB表配置为全局表。配置DNS故障切换指向新的灾难恢复区域的负载均衡器。
B. 创建一个AWS CloudFormation模板，用于在需要时启动EC2实例、负载均衡器和DynamoDB表。配置DNS故障切换指向新的灾难恢复区域的负载均衡器。
C. 创建一个AWS CloudFormation模板，用于在需要时启动EC2实例和负载均衡器。将DynamoDB表配置为全局表。配置DNS故障切换指向新的灾难恢复区域的负载均衡器。
D. 在灾难恢复区域创建一个自动扩展组和负载均衡器。将DynamoDB表配置为全局表。创建一个Amazon CloudWatch警报以触发AWS Lambda函数更新指向灾难恢复负载均衡器的Amazon Route 53。

31. A company needs to migrate a MySQL database from its on-premises data center to AWS within 2 weeks. The database is 20 TB in size. The
company wants to complete the migration with minimal downtime.
Which solution will migrate the database MOST cost-effectively?
A. Order an AWS Snowball Edge Storage Optimized device. Use AWS Database Migration Service (AWS DMS) with AWS Schema Conversion
Tool (AWS SCT) to migrate the database with replication of ongoing changes. Send the Snowball Edge device to AWS to nish the
migration and continue the ongoing replication.
B. Order an AWS Snowmobile vehicle. Use AWS Database Migration Service (AWS DMS) with AWS Schema Conversion Tool (AWS SCT) to
migrate the database with ongoing changes. Send the Snowmobile vehicle back to AWS to nish the migration and continue the ongoing
replication.
C. Order an AWS Snowball Edge Compute Optimized with GPU device. Use AWS Database Migration Service (AWS DMS) with AWS Schema
Conversion Tool (AWS SCT) to migrate the database with ongoing changes. Send the Snowball device to AWS to nish the migration and
continue the ongoing replication
D. Order a 1 GB dedicated AWS Direct Connect connection to establish a connection with the data center. Use AWS Database Migration
Service (AWS DMS) with AWS Schema Conversion Tool (AWS SCT) to migrate the database with replication of ongoing changes.

一家公司需要在两周内将其本地数据中心的MySQL数据库迁移到AWS。该数据库的大小为20 TB。
公司希望以最小的停机时间完成迁移。
哪种解决方案能够以最具成本效益的方式迁移数据库？
A. 订购一个AWS Snowball Edge存储优化设备。使用AWS数据库迁移服务（AWS DMS）和AWS模式转换工具（AWS SCT）进行数据库迁移，并复制持续的变化。将Snowball Edge设备发送到AWS以完成迁移并继续进行持续复制。
B. 订购一辆AWS Snowmobile车辆。使用AWS数据库迁移服务（AWS DMS）和AWS模式转换工具（AWS SCT）进行数据库迁移，并复制持续的变化。将Snowmobile车辆送回AWS以完成迁移并继续进行持续复制。
C. 订购一个带有GPU的AWS Snowball Edge计算优化设备。使用AWS数据库迁移服务（AWS DMS）和AWS模式转换工具（AWS SCT）进行数据库迁移，并复制持续的变化。将Snowball设备发送到AWS以完成迁移并继续进行持续复制。
D. 订购一个1 GB的专用AWS Direct Connect连接以建立与数据中心的连接。使用AWS数据库迁移服务（AWS DMS）和AWS模式转换工具（AWS SCT）进行数据库迁移，并复制持续的变化。

32. A company moved its on-premises PostgreSQL database to an Amazon RDS for PostgreSQL DB instance. The company successfully launched
a new product. The workload on the database has increased. The company wants to accommodate the larger workload without adding
infrastructure.
Which solution will meet these requirements MOST cost-effectively?
A. Buy reserved DB instances for the total workload. Make the Amazon RDS for PostgreSQL DB instance larger.
B. Make the Amazon RDS for PostgreSQL DB instance a Multi-AZ DB instance.
C. Buy reserved DB instances for the total workload. Add another Amazon RDS for PostgreSQL DB instance.
D. Make the Amazon RDS for PostgreSQL DB instance an on-demand DB instance.

一家公司将其本地PostgreSQL数据库迁移到了Amazon RDS for PostgreSQL数据库实例。
公司成功推出了新产品，数据库的工作负载也随之增加。
公司希望在不增加基础设施的情况下适应更大的工作负载。

哪种解决方案能以最具成本效益的方式满足这些需求？

A. 为总工作负载购买预留数据库实例，扩大Amazon RDS for PostgreSQL数据库实例的规模。
B. 将Amazon RDS for PostgreSQL数据库实例设为多可用区数据库实例。
C. 为总工作负载购买预留数据库实例，添加另一个Amazon RDS for PostgreSQL数据库实例。
D. 将Amazon RDS for PostgreSQL数据库实例设为按需数据库实例。

33. A company operates an ecommerce website on Amazon EC2 instances behind an Application Load Balancer (ALB) in an Auto Scaling group.
The site is experiencing performance issues related to a high request rate from illegitimate external systems with changing IP addresses. The
security team is worried about potential DDoS attacks against the website. The company must block the illegitimate incoming requests in a
way that has a minimal impact on legitimate users.
What should a solutions architect recommend?
A. Deploy Amazon Inspector and associate it with the ALB.
B. Deploy AWS WAF, associate it with the ALB, and Configure a rate-limiting rule.
C. Deploy rules to the network ACLs associated with the ALB to block the incomingtraffic.
D. Deploy Amazon GuardDuty and enable rate-limiting protection when configuring GuardDuty.

一家公司在应用负载均衡器（ALB）后的自动扩展组中的亚马逊EC2实例上运营一个电子商务网站。
该网站正面临与来自不断变换IP地址的非法外部系统的高请求率相关的性能问题。
安全团队担心网站可能遭受DDoS攻击。公司必须以对合法用户影响最小的方式阻止非法传入请求。
解决方案架构师应推荐什么？
A. 部署Amazon Inspector并将其与ALB关联。
B. 部署AWS WAF，将其与ALB关联，并配置速率限制规则。
C. 向与ALB关联的网络ACL部署规则以阻止传入流量。
D. 部署Amazon GuardDuty并在配置GuardDuty时启用速率限制保护。

34. A company wants to share accounting data with an external auditor. The data is stored in an Amazon RDS DB instance that resides in a private
subnet. The auditor has its own AWS account and requires its own copy of the database.
What is the MOST secure way for the company to share the database with the auditor?
A. Create a read replica of the database. Configure IAM standard database authentication to grant the auditor access.
B. Export the database contents to text files. Store the files in an Amazon S3 bucket. Create a new IAM user for the auditor. Grant the user
access to the S3 bucket.
C. Copy a snapshot of the database to an Amazon S3 bucket. Create an IAM user. Share the user’s keys with the auditor to grant access to
the object in the S3 bucket.
D. Create an encrypted snapshot of the database. Share the snapshot with the auditor. Allow access to the AWS Key Management Service
(AWS KMS) encryption key.

一家公司希望与外部审计员共享会计数据。数据存储在一个位于私有子网中的Amazon RDS数据库实例中。
审计员拥有自己的AWS账户，并要求拥有自己的数据库副本。
该公司与审计员共享数据库的最安全方式是什么？
A. 创建数据库的只读副本。配置IAM标准数据库验证以授予审计员访问权限。
B. 将数据库内容导出为文本文件。将文件存储在一个Amazon S3桶中。为审计员创建新的IAM用户。授予该用户对S3桶的访问权限。
C. 将数据库的快照复制到一个Amazon S3桶中。创建一个IAM用户。与审计员共享用户的密钥以授予对S3桶中对象的访问权限。
D. 创建数据库的加密快照。与审计员共享快照。允许访问AWS密钥管理服务（AWS KMS）加密密钥。

35. A solutions architect Configured a VPC that has a small range of IP addresses. The number of Amazon EC2 instances that are in the VPC is
increasing, and there is an insu cient number of IP addresses for future workloads.
Which solution resolves this issue with the LEAST operational overhead?
A. Add an additional IPv4 CIDR block to increase the number of IP addresses and create additional subnets in the VPC. Create new
resources in the new subnets by using the new CIDR.
B. Create a second VPC with additional subnets. Use a peering connection to connect the second VPC with the first VPC Update the routes
and create new resources in the subnets of the second VPC.
C. Use AWS Transit Gateway to add a transit gateway and connect a second VPC with the first VPUpdate the routes of the transit gateway
and VPCs. Create new resources in the subnets of the second VPC.
D. Create a second VPC. Create a Site-to-Site VPN connection between the first VPC and the second VPC by using a VPN-hosted solution
on Amazon EC2 and a virtual private gateway. Update the route between VPCs to the traffic through the VPN. Create new resources in the
subnets of the second VPC.

一位解决方案架构师配置了一个具有小范围IP地址的VPC。当前VPC内的亚马逊EC2实例数量正在增加，现有IP地址数量已经无法满足未来工作负载的需求。

哪种解决方案能够以最小的操作开销解决这个问题？

A. 添加额外的IPv4 CIDR块以增加IP地址数量，并在VPC中创建新的子网。使用新的CIDR在新子网中创建新资源。

B. 创建具有额外子网的第二个VPC。使用对等连接将第二个VPC与第一个VPC相连，更新路由表并在第二个VPC的子网中创建新资源。

C. 使用AWS中转网关添加中转网关，并将第二个VPC与第一个VPC连接。更新中转网关和VPC的路由表。在第二个VPC的子网中创建新资源。

D. 创建第二个VPC。通过在亚马逊EC2上部署VPN托管解决方案和虚拟专用网关，在第一个VPC与第二个VPC之间建立站点到站点VPN连接。更新VPC间的路由使流量通过VPN传输。在第二个VPC的子网中创建新资源。

36. A company used an Amazon RDS for MySQL DB instance during application testing. Before terminating the DB instance at the end of the test
cycle, a solutions architect created two backups. The solutions architect created the first backup by using the mysqldump utility to create a
database dump. The solutions architect created the second backup by enabling the nal DB snapshot option on RDS termination.
The company is now planning for a new test cycle and wants to create a new DB instance from the most recent backup. The company has
chosen a MySQL-compatible edition ofAmazon Aurora to host the DB instance.
Which solutions will create the new DB instance? (Choose two.)
A. Import the RDS snapshot directly into Aurora.
B. Upload the RDS snapshot to Amazon S3. Then import the RDS snapshot into Aurora.
C. Upload the database dump to Amazon S3. Then import the database dump into Aurora.
D. Use AWS Database Migration Service (AWS DMS) to import the RDS snapshot into Aurora.
E. Upload the database dump to Amazon S3. Then use AWS Database Migration Service (AWS DMS) to import the database dump into
Aurora.

一家公司在应用程序测试期间使用了 Amazon RDS for MySQL 数据库实例。在测试周期结束时终止数据库实例之前，解决方案架构师创建了两个备份。解决方案架构师首先使用 mysqldump 工具创建数据库转储来进行第一个备份。解决方案架构师通过在 RDS 终止时启用最终数据库快照选项来创建第二个备份。

公司现在正在规划一个新的测试周期，并希望从最近的备份中创建一个新的数据库实例。公司选择了与 MySQL 兼容的 Amazon Aurora 版本来托管数据库实例。

哪些解决方案可以创建新的数据库实例？（选择两个。）
A. 直接将 RDS 快照导入到 Aurora。
B. 将 RDS 快照上传到 Amazon S3。然后将 RDS 快照导入到 Aurora。
C. 将数据库转储上传到 Amazon S3。然后将数据库转储导入到 Aurora。
D. 使用 AWS Database Migration Service (AWS DMS) 将 RDS 快照导入到 Aurora。
E. 将数据库转储上传到 Amazon S3。然后使用 AWS Database Migration Service (AWS DMS) 将数据库转储导入到 Aurora。

37. A company hosts a multi-tier web application on Amazon Linux Amazon EC2 instances behind an Application Load Balancer. The instances
run in an Auto Scaling group across multiple Availability Zones. The company observes that the Auto Scaling group launches more On-Demand
Instances when the application’s end users access high volumes of static web content. The company wants to optimize cost.
What should a solutions architect do to redesign the application MOST cost-effectively?
A. Update the Auto Scaling group to use Reserved Instances instead of On-Demand Instances.
B. Update the Auto Scaling group to scale by launching Spot Instances instead of On-Demand Instances.
C. Create an Amazon CloudFront distribution to host the static web contents from an Amazon S3 bucket.
D. Create an AWS Lambda function behind an Amazon API Gateway API to host the static website contents.

一家公司在位于应用负载均衡器后的Amazon Linux Amazon EC2实例上托管了一个多层Web应用程序。
这些实例在一个跨多个可用区的自动扩展组中运行。
公司发现当应用程序的最终用户访问大量静态Web内容时，自动扩展组会启动更多的按需实例。
公司希望优化成本。
解决方案架构师应如何重新设计应用程序才能最具成本效益？
A. 更新自动扩展组，改用预留实例而非按需实例。
B. 更新自动扩展组，通过启动Spot实例而非按需实例来进行扩展。
C. 创建一个Amazon CloudFront分发，从Amazon S3存储桶托管静态Web内容。
D. 在Amazon API Gateway API后面创建一个AWS Lambda函数来托管静态网站内容。

38. A company stores several petabytes of data across multiple AWS accounts. The company uses AWS Lake Formation to manage its data lake.
The company’s data science team wants to securely share selective data from its accounts with the company’s engineering team for analytical
purposes.
Which solution will meet these requirements with the LEAST operational overhead?
A. Copy the required data to a common account. Create an IAM access role in that account. Grant access by specifying a permission policy
that includes users from the engineering team accounts as trusted entities.
B. Use the Lake Formation permissions Grant command in each account where the data is stored to allow the required engineering team
users to access the data.
C. Use AWS Data Exchange to privately publish the required data to the required engineering team accounts.
D. Use Lake Formation tag-based access control to authorize and grant cross-account permissions for the required data to the engineering
team accounts.

一家公司在多个AWS账户中存储了数PB的数据，并使用AWS Lake Formation来管理其数据湖。
该公司的数据科学团队希望安全地将其账户中的部分数据共享给公司的工程团队用于分析目的。
哪种解决方案能在满足这些需求的同时实现最小的运维开销？
A. 将所需数据复制到一个共用账户。在该账户中创建一个IAM访问角色。通过指定一个包含来自工程团队账户的用户作为受信任实体的权限策略来授予访问权限。
B. 在每个存储数据的账户中使用Lake Formation权限授予命令，允许所需的工程团队用户访问数据。
C. 使用AWS Data Exchange私有发布所需数据到目标工程团队账户。
D. 使用Lake Formation基于标签的访问控制来授权并向工程团队账户授予跨账户访问所需数据的权限。

39. A company wants to host a scalable web application on AWS. The application will be accessed by users from different geographic regions of
the world. Application users will be able to download and upload unique data up to gigabytes in size. The development team wants a cost
effective solution to minimize upload and download latency and maximize performance.
What should a solutions architect do to accomplish this?
A. Use Amazon S3 with Transfer Acceleration to host the application.
B. Use Amazon S3 with CacheControl headers to host the application.
C. Use Amazon EC2 with Auto Scaling and Amazon CloudFront to host the application.
D. Use Amazon EC2 with Auto Scaling and Amazon ElastiCache to host the application.

一家公司希望在AWS上托管一个可扩展的Web应用程序。该应用程序将被来自世界不同地理区域的用户访问。应用程序用户将能够下载和上传高达GB大小的独特数据。开发团队需要一个经济有效的解决方案，以尽量减少上传和下载延迟并最大化性能。
解决方案架构师应该怎么做才能实现这一目标？
A. 使用带有传输加速功能的Amazon S3来托管应用程序。
B. 使用带有CacheControl标头的Amazon S3来托管应用程序。
C. 使用带有自动扩展功能的Amazon EC2和Amazon CloudFront来托管应用程序。
D. 使用带有自动扩展功能的Amazon EC2和Amazon ElastiCache来托管应用程序。

40. A company has hired a solutions architect to design a reliable architecture for its application. The application consists of one Amazon RDS DB
instance and two manually provisioned Amazon EC2 instances that run web servers. The EC2 instances are located in a single Availability
Zone.
An employee recently deleted the DB instance, and the application was unavailable for 24 hours as a result. The company is concerned with
the overall reliability of its environment.
What should the solutions architect do to maximize reliability of the application’s infrastructure?
A. Delete one EC2 instance and enable termination protection on the other EC2 instance. Update the DB instance to be Multi-AZ, and
enable deletion protection.
B. Update the DB instance to be Multi-AZ, and enable deletion protection. Place the EC2 instances behind an Application Load Balancer,
and run them in an EC2 Auto Scaling group across multiple Availability Zones.
C. Create an additional DB instance along with an Amazon API Gateway and an AWS Lambda function. Configure the application to invoke
the Lambda function through API Gateway. Have the Lambda function write the data to the two DB instances.
D. Place the EC2 instances in an EC2 Auto Scaling group that has multiple subnets located in multiple Availability Zones. Use Spot
Instances instead of On-Demand Instances. Set up Amazon CloudWatch alarms to monitor the health of the instances Update the DB
instance to be Multi-AZ, and enable deletion protection.

一家公司聘请了一位解决方案架构师来为其应用程序设计一个可靠的架构。该应用程序由一个亚马逊RDS数据库实例和两台手动配置的亚马逊EC2实例组成，这两台EC2实例运行着网络服务器。这些EC2实例位于单个可用区。
最近一名员工删除了数据库实例，导致应用程序停机了24小时。公司对其环境的整体可靠性感到担忧。
解决方案架构师应该采取什么措施来最大限度地提高应用程序基础设施的可靠性？
A. 删除一台EC2实例并对另一台EC2实例启用终止保护。将数据库实例更新为多可用区配置，并启用删除保护。
B. 将数据库实例更新为多可用区配置，并启用删除保护。将EC2实例置于应用负载均衡器后面，并在跨多个可用区的EC2自动扩展组中运行它们。
C. 创建一个额外的数据库实例，以及亚马逊API网关和AWS Lambda函数。配置应用程序通过API网关调用Lambda函数。让Lambda函数将数据写入两个数据库实例。
D. 将EC2实例放入一个包含位于多个可用区的多个子网的EC2自动扩展组中。使用Spot实例而不是按需实例。设置亚马逊CloudWatch警报来监控实例的健康状况。将数据库实例更新为多可用区配置，并启用删除保护。

41. A company is storing 700 terabytes of data on a large network-attached storage (NAS) system in its corporate data center. The company has a
hybrid environment with a 10 Gbps AWS Direct Connect connection.
After an audit from a regulator, the company has 90 days to move the data to the cloud. The company needs to move the data e ciently and
without disruption. The company still needs to be able to access and update the data during the transfer window.
Which solution will meet these requirements?
A. Create an AWS DataSync agent in the corporate data center. Create a data transfer task Start the transfer to an Amazon S3 bucket.
B. Back up the data to AWS Snowball Edge Storage Optimized devices. Ship the devices to an AWS data center. Mount a target Amazon S3
bucket on the on-premises file system.
C. Use rsync to copy the data directly from local storage to a designated Amazon S3 bucket over the Direct Connect connection.
D. Back up the data on tapes. Ship the tapes to an AWS data center. Mount a target Amazon S3 bucket on the on-premises file system.

一家公司在其企业数据中心的大型网络附加存储（NAS）系统中存储了700 TB的数据。该公司拥有一个混合环境，配备了10 Gbps的AWS Direct Connect连接。
在一次监管机构的审计后，该公司需要在90天内将数据迁移到云端。公司需要高效且无中断地迁移数据，同时在传输窗口期间仍能访问和更新数据。
哪个方案可以满足这些要求？
A. 在企业数据中心创建AWS DataSync代理，创建数据传输任务，开始将数据迁移到Amazon S3存储桶。
B. 将数据备份至AWS Snowball Edge存储优化设备，将设备运送至AWS数据中心，在本地文件系统上挂载目标Amazon S3存储桶。
C. 使用rsync通过Direct Connect连接直接将数据从本地存储复制到指定的Amazon S3存储桶。
D. 将数据备份至磁带，将磁带运送至AWS数据中心，在本地文件系统上挂载目标Amazon S3存储桶。

42. A company stores data in PDF format in an Amazon S3 bucket. The company must follow a legal requirement to retain all new and existing
data in Amazon S3 for 7 years.
Which solution will meet these requirements with the LEAST operational overhead?
A. Turn on the S3 Versioning feature for the S3 bucket. Configure S3 Lifecycle to delete the data after 7 years. Configure multi-factor
authentication (MFA) delete for all S3 objects.
B. Turn on S3 Object Lock with governance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Recopy all
existing objects to bring the existing data into compliance.
C. Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Recopy all
existing objects to bring the existing data into compliance.
D. Turn on S3 Object Lock with compliance retention mode for the S3 bucket. Set the retention period to expire after 7 years. Use S3 Batch
Operations to bring the existing data into compliance.

一家公司将数据以PDF格式存储在亚马逊S3存储桶中。公司必须遵守一项法律要求，即在亚马逊S3中保留所有新数据和现有数据7年。
哪种解决方案能够以最少的操作开销满足这些要求？
A. 为S3存储桶启用S3版本控制功能。配置S3生命周期策略在7年后删除数据。为所有S3对象配置多因素认证(MFA)删除功能。
B. 为S3存储桶启用采用治理保留模式的S3对象锁定功能。将保留期限设置为7年后过期。重新复制所有现有对象以使现有数据合规。
C. 为S3存储桶启用采用合规保留模式的S3对象锁定功能。将保留期限设置为7年后过期。重新复制所有现有对象以使现有数据合规。
D. 为S3存储桶启用采用合规保留模式的S3对象锁定功能。将保留期限设置为7年后过期。使用S3批量操作使现有数据合规。

43. A company has a stateless web application that runs on AWS Lambda functions that are invoked by Amazon API Gateway. The company wants
to deploy the application across multiple AWS Regions to provide Regional failover capabilities.
What should a solutions architect do to route traffic to multiple Regions?
A. Create Amazon Route 53 health checks for each Region. Use an active-active failover configuration.
B. Create an Amazon CloudFront distribution with an origin for each Region. Use CloudFront health checks to route traffic.
C. Create a transit gateway. Attach the transit gateway to the API Gateway endpoint in each Region. Configure the transit gateway to route
requests.
D. Create an Application Load Balancer in the primary Region. Set the target group to point to the API Gateway endpoint hostnames in
each Region.

一家公司在AWS Lambda函数上运行着一个无状态网络应用程序，这些函数由Amazon API Gateway调用。公司希望将该应用程序部署到多个AWS区域，以提供区域故障转移能力。

解决方案架构师应该采取什么措施将流量路由到多个区域？

A. 为每个区域创建Amazon Route 53健康检查。使用主动 主动故障转移配置。

B. 为每个区域创建一个带有源的Amazon CloudFront分配。使用CloudFront健康检查来路由流量。

C. 创建一个传输网关。将该传输网关连接到每个区域的API Gateway终端节点。配置传输网关以路由请求。

D. 在主区域创建一个应用负载均衡器。将目标组设置为指向每个区域的API Gateway终端节点主机名。

44. A company has two VPCs named Management and Production. The Management VPC uses VPNs through a customer gateway to connect to a
single device in the data center. The Production VPC uses a virtual private gateway with two attached AWS Direct Connect connections. The
Management and Production VPCs both use a single VPC peering connection to allow communication between the applications.
What should a solutions architect do to mitigate any single point of failure in this architecture?
A. Add a set of VPNs between the Management and Production VPCs.
B. Add a second virtual private gateway and attach it to the Management VPC.
C. Add a second set of VPNs to the Management VPC from a second customer gateway device.
D. Add a second VPC peering connection between the Management VPC and the Production VPC.

一家公司拥有两个分别名为”管理”和”生产”的虚拟私有云(VPC)。管理VPC通过客户网关使用VPN连接到数据中心中的单一设备。
生产VPC则使用带有两条AWS直连连接附加的虚拟私有网关。
管理VPC和生产VPC两者都使用单一的VPC对等连接来实现应用程序之间的通信。
在这个架构中，解决方案架构师应该采取什么措施来缓解任何单点故障问题？
A. 在管理VPC和生产VPC之间添加一组VPN
B. 添加第二个虚拟私有网关并将其附加到管理VPC
C. 从第二个客户网关设备向管理VPC添加第二组VPN
D. 在管理VPC和生产VPC之间添加第二个VPC对等连接

45. A company runs its application on an Oracle database. The company plans to quickly migrate to AWS because of limited resources for the
database, backup administration, and data center maintenance. The application uses third-party database features that require privileged
access.
Which solution will help the company migrate the database to AWS MOST cost-effectively?
A. Migrate the database to Amazon RDS for Oracle. Replace third-party features with cloud services.
B. Migrate the database to Amazon RDS Custom for Oracle. Customize the database settings to support third-party features.
C. Migrate the database to an Amazon EC2 Amazon Machine Image (AMI) for Oracle. Customize the database settings to support third
party features.
D. Migrate the database to Amazon RDS for PostgreSQL by rewriting the application code to remove dependency on Oracle APEX.

一家公司在Oracle数据库上运行其应用程序。
由于数据库、备份管理和数据中心维护方面的资源有限，该公司计划快速迁移到AWS。
该应用程序使用了需要特权访问的第三方数据库功能。
哪种解决方案能帮助该公司以最具成本效益的方式将数据库迁移到AWS？
A. 将数据库迁移到Amazon RDS for Oracle。用云服务替换第三方功能。
B. 将数据库迁移到Amazon RDS Custom for Oracle。自定义数据库设置以支持第三方功能。
C. 将数据库迁移到用于Oracle的Amazon EC2 Amazon Machine Image (AMI)。自定义数据库设置以支持第三方功能。
D. 通过重写应用程序代码以消除对Oracle APEX的依赖，将数据库迁移到Amazon RDS for PostgreSQL。

46. A company has a three-tier web application that is in a single server. The company wants to migrate the application to the AWS Cloud. The
company also wants the application to align with the AWS Well-Architected Framework and to be consistent with AWS recommended best
practices for security, scalability, and resiliency.
Which combination of solutions will meet these requirements? (Choose three.)
A. Create a VPC across two Availability Zones with the application’s existing architecture. Host the application with existing architecture
on an Amazon EC2 instance in a private subnet in each Availability Zone with EC2 Auto Scaling groups. Secure the EC2 instance with
security groups and network access control lists (network ACLs).
B. Set up security groups and network access control lists (network ACLs) to control access to the database layer. Set up a single Amazon
RDS database in a private subnet.
C. Create a VPC across two Availability Zones. Refactor the application to host the web tier, application tier, and database tier. Host each
tier on its own private subnet with Auto Scaling groups for the web tier and application tier.
D. Use a single Amazon RDS database. Allow database access only from the application tier security group.
E. Use Elastic Load Balancers in front of the web tier. Control access by using security groups containing references to each layer’s
security groups.
F. Use an Amazon RDS database Multi-AZ cluster deployment in private subnets. Allow database access only from application tier security
groups.

一家公司拥有一个三层架构的网页应用程序，目前运行在单台服务器上。该公司希望将应用程序迁移至亚马逊云科技（AWS）平台，同时要求该应用符合AWS完善架构框架标准，并遵循AWS在安全性、可扩展性和恢复能力方面的推荐最佳实践。
下列哪组解决方案组合能够满足这些需求？（选择三项）
A. 跨两个可用区创建虚拟私有云（VPC），保持应用程序现有架构。在各自可用区的私有子网中，通过EC2自动扩展组将应用程序以现有架构托管在亚马逊EC2实例上。使用安全组和网络访问控制列表（网络ACL）保护EC2实例。
B. 设置安全组和网络访问控制列表（网络ACL）来控制对数据库层的访问。在私有子网中配置单一亚马逊RDS数据库。
C. 跨两个可用区创建虚拟私有云（VPC）。重构应用程序以分别托管展现层、应用层和数据库层。为展现层和应用层配置自动扩展组，将每个层级部署在独立的私有子网中。
D. 使用单一亚马逊RDS数据库，仅允许来自应用层安全组的数据库访问。
E. 在展现层前端配置弹性负载均衡器，通过引用各层级安全组的安全组来控制访问权限。
F. 在私有子网中部署亚马逊RDS数据库多可用区集群，仅允许来自应用层安全组的数据库访问。

47. A company is migrating its applications and databases to the AWS Cloud. The company will use Amazon Elastic Container Service (Amazon
ECS), AWS Direct Connect, and Amazon RDS.
Which activities will be managed by the company’s operational team? (Choose three.)
A. Management of the Amazon RDS infrastructure layer, operating system, and platforms
B. Creation of an Amazon RDS DB instance and configuring the scheduled maintenance window
C. Configuration of additional software components on Amazon ECS for monitoring, patch management, log management, and host
intrusion detection
D. Installation of patches for all minor and major database versions for Amazon RDS
E. Ensure the physical security of the Amazon RDS infrastructure in the data center
F. Encryption of the data that moves in transit through Direct Connect

一家公司正在将其应用程序和数据库迁移到AWS云。
该公司将使用亚马逊弹性容器服务（Amazon ECS）、AWS直连和亚马逊关系数据库服务（Amazon RDS）。
哪些活动将由该公司的运维团队管理？（选择三项）
A. 管理Amazon RDS的基础架构层、操作系统和平台
B. 创建Amazon RDS数据库实例并配置计划的维护窗口
C. 在Amazon ECS上配置用于监控、补丁管理、日志管理和主机入侵检测的额外软件组件
D. 为Amazon RDS的所有次要和主要数据库版本安装补丁
E. 确保数据中心内Amazon RDS基础架构的物理安全
F. 对通过直连传输的数据进行加密

48. A company runs a Java-based job on an Amazon EC2 instance. The job runs every hour and takes 10 seconds to run. The job runs on a
scheduled interval and consumes 1 GB of memory. The CPU utilization of the instance is low except for short surges during which the job uses
the maximum CPU available. The company wants to optimize the costs to run the job.
Which solution will meet these requirements?
A. Use AWS App2Container (A2C) to containerize the job. Run the job as an Amazon Elastic Container Service (Amazon ECS) task on AWS
Fargate with 0.5 virtual CPU (vCPU) and 1 GB of memory.
B. Copy the code into an AWS Lambda function that has 1 GB of memory. Create an Amazon EventBridge scheduled rule to run the code
each hour.
C. Use AWS App2Container (A2C) to containerize the job. Install the container in the existing Amazon Machine Image (AMI). Ensure that
the schedule stops the container when the task nishes.
D. Configure the existing schedule to stop the EC2 instance at the completion of the job and restart the EC2 instance when the next job
starts.

一家公司在亚马逊EC2实例上运行基于Java的定时任务。
该任务每小时运行一次，每次耗时10秒，运行期间消耗1GB内存。
除任务运行期间的短暂高峰外，实例的CPU利用率一直很低，在任务运行时才会使用最大可用CPU资源。
公司希望优化该任务的运行成本。
以下哪种解决方案能满足这些需求？
A. 使用AWS App2Container (A2C)将任务容器化，并在配置0.5个虚拟CPU(vCPU)和1GB内存的AWS Fargate上以Amazon Elastic Container Service(Amazon ECS)任务形式运行
B. 将代码复制到配置1GB内存的AWS Lambda函数中，并创建Amazon EventBridge定时规则每小时执行该代码
C. 使用AWS App2Container (A2C)将任务容器化，并将容器安装到现有的Amazon Machine Image(AMI)中，同时确保任务完成后调度机制能停止容器
D. 配置现有调度策略，在任务完成后停止EC2实例，并在下次任务启动时重新启动该EC2实例

49. A company wants to implement a backup strategy for Amazon EC2 data and multiple Amazon S3 buckets. Because of regulatory requirements,
the company must retain backup files for a speci c time period. The company must not alter the files for the duration of the retention period.
Which solution will meet these requirements?
A. Use AWS Backup to create a backup vault that has a vault lock in governance mode. Create the required backup plan.
B. Use Amazon Data Lifecycle Manager to create the required automated snapshot policy.
C. Use Amazon S3 File Gateway to create the backup. Configure the appropriate S3 Lifecycle management.
D. Use AWS Backup to create a backup vault that has a vault lock in compliance mode. Create the required backup plan.

一家公司希望为亚马逊EC2数据和多个亚马逊S3存储桶实施备份策略。
由于监管要求，公司必须在特定时间段内保留备份文件，且在保留期内不得更改这些文件。

哪种解决方案可以满足这些要求？

A. 使用AWS Backup创建一个在治理模式下具有保管库锁的备份保管库，并创建所需的备份计划。

B. 使用亚马逊数据生命周期管理器创建所需的自动快照策略。

C. 使用亚马逊S3文件网关创建备份，并配置适当的S3生命周期管理。

D. 使用AWS Backup创建一个在合规模式下具有保管库锁的备份保管库，并创建所需的备份计划。

50. A company has resources across multiple AWS Regions and accounts. A newly hired solutions architect discovers a previous employee did not
provide details about the resources inventory. The solutions architect needs to build and map the relationship details of the various workloads
across all accounts.
Which solution will meet these requirements in the MOST operationally e cient way?
A. Use AWS Systems Manager Inventory to generate a map view from the detailed view report.
B. Use AWS Step Functions to collect workload details. Build architecture diagrams of the workloads manually.
C. Use Workload Discovery on AWS to generate architecture diagrams of the workloads.
D. Use AWS X-Ray to view the workload details. Build architecture diagrams with relationships.

一家公司在多个AWS区域和账户中拥有资源。一位新聘用的解决方案架构师发现前任员工没有提供关于资源清单的详细信息。该解决方案架构师需要构建并映射所有账户中各种工作负载的关系细节。

哪种解决方案能以最高效的方式满足这些要求？
A. 使用AWS Systems Manager Inventory从详细视图报告中生成地图视图。
B. 使用AWS Step Functions收集工作负载详情。手动构建工作负载的架构图。
C. 使用AWS上的Workload Discovery生成工作负载的架构图。
D. 使用AWS X-Ray查看工作负载详情。构建包含关系的架构图。

51. A company uses AWS Organizations. The company wants to operate some of its AWS accounts with different budgets. The company wants to
receive alerts and automatically prevent provisioning of additional resources on AWS accounts when the allocated budget threshold is met
during a speci c period.
Which combination of solutions will meet these requirements? (Choose three.)
A. Use AWS Budgets to create a budget. Set the budget amount under the Cost and Usage Reports section of the required AWS accounts.
B. Use AWS Budgets to create a budget. Set the budget amount under the Billing dashboards of the required AWS accounts.
C. Create an IAM user for AWS Budgets to run budget actions with the required permissions.
D. Create an IAM role for AWS Budgets to run budget actions with the required permissions.
E. Add an alert to notify the company when each account meets its budget threshold. Add a budget action that selects the IAM identity
created with the appropriate config rule to prevent provisioning of additional resources.
F. Add an alert to notify the company when each account meets its budget threshold. Add a budget action that selects the IAM identity
created with the appropriate service control policy (SCP) to prevent provisioning of additional resources.

一家公司使用AWS组织。该公司希望以不同的预算运营其部分AWS账户。该公司希望在特定时期内达到分配的预算阈值时，能够接收警报并自动防止在AWS账户上配置额外资源。

哪几种解决方案组合可以满足这些要求？（选择三个。）

A. 使用AWS预算创建预算。在所需AWS账户的”成本与使用报告”部分设置预算金额。

B. 使用AWS预算创建预算。在所需AWS账户的”结算仪表板”下设置预算金额。

C. 为AWS预算创建一个IAM用户，以运行具有所需权限的预算操作。

D. 为AWS预算创建一个IAM角色，以运行具有所需权限的预算操作。

E. 添加一个警报，当每个账户达到其预算阈值时通知公司。添加一个预算操作，选择使用适当配置规则创建的IAM身份以防止配置额外资源。

F. 添加一个警报，当每个账户达到其预算阈值时通知公司。添加一个预算操作，选择使用适当服务控制策略（SCP）创建的IAM身份以防止配置额外资源。

52. A company runs applications on Amazon EC2 instances in one AWS Region. The company wants to back up the EC2 instances to a second
Region. The company also wants to provision EC2 resources in the second Region and manage the EC2 instances centrally from one AWS
account.
Which solution will meet these requirements MOST cost-effectively?
A. Create a disaster recovery (DR) plan that has a similar number of EC2 instances in the second Region. Configure data replication.
B. Create point-in-time Amazon Elastic Block Store (Amazon EBS) snapshots of the EC2 instances. Copy the snapshots to the second
Region periodically.
C. Create a backup plan by using AWS Backup. Configure cross-Region backup to the second Region for the EC2 instances.
D. Deploy a similar number of EC2 instances in the second Region. Use AWS DataSync to transfer the data from the source Region to the
second Region.

一家公司在单个AWS区域的亚马逊EC2实例上运行应用程序。该公司希望将这些EC2实例备份到第二个区域。
同时，该公司还希望在第二个区域配置EC2资源，并通过一个AWS账户集中管理这些EC2实例。

以下哪种解决方案能以最具成本效益的方式满足这些需求？

A. 制定灾难恢复(DR)计划，在第二个区域部署相同数量的EC2实例。配置数据复制。
B. 创建EC2实例的亚马逊弹性块存储(Amazon EBS)时间点快照。定期将这些快照复制到第二个区域。
C. 使用AWS Backup创建备份计划。为EC2实例配置跨区域备份至第二个区域。
D. 在第二个区域部署相同数量的EC2实例。使用AWS DataSync将数据从源区域传输至第二个区域。

53. A company that uses AWS is building an application to transfer data to a product manufacturer. The company has its own identity provider
(IdP). The company wants the IdP to authenticate application users while the users use the application to transfer data. The company must
use Applicability Statement 2 (AS2) protocol.
Which solution will meet these requirements?
A. Use AWS DataSync to transfer the data. Create an AWS Lambda function for IdP authentication.
B. Use Amazon AppFlow ows to transfer the data. Create an Amazon Elastic Container Service (Amazon ECS) task for IdP authentication.
C. Use AWS Transfer Family to transfer the data. Create an AWS Lambda function for IdP authentication.
D. Use AWS Storage Gateway to transfer the data. Create an Amazon Cognito identity pool for IdP authentication.

一家使用亚马逊云服务（AWS）的公司正在构建一个向产品制造商传输数据的应用程序。该公司拥有自己的身份提供商（IdP）。
该公司希望用户在使用应用程序传输数据时，通过该IdP对应用程序用户进行身份验证。公司必须使用适用性声明2（AS2）协议。
以下哪种解决方案能够满足这些需求？
A. 使用AWS DataSync传输数据。创建一个AWS Lambda函数用于IdP身份验证。
B. 使用Amazon AppFlow传输数据。创建一个Amazon Elastic Container Service（Amazon ECS）任务用于IdP身份验证。
C. 使用AWS Transfer Family传输数据。创建一个AWS Lambda函数用于IdP身份验证。
D. 使用AWS Storage Gateway传输数据。创建一个Amazon Cognito身份池用于IdP身份验证。

54. A solutions architect is designing a RESTAPI in Amazon API Gateway for a cash payback service. The application requires 1 GB of memory and
2 GB of storage for its computation resources. The application will require that the data is in a relational format.
Which additional combination ofAWS services will meet these requirements with the LEAST administrative effort? (Choose two.)
A. Amazon EC2
B. AWS Lambda
C. Amazon RDS
D. Amazon DynamoDB
E. Amazon Elastic Kubernetes Services (Amazon EKS)

一位解决方案架构师正在为现金返现服务设计亚马逊API网关中的RESTAPI。该应用程序需要1GB内存和
2GB存储空间作为其计算资源。应用程序要求数据以关系格式存储。
以下哪两种AWS服务的组合能以最少的管理工作量满足这些要求？（选择两项）
A. 亚马逊弹性计算云（Amazon EC2）
B. AWS Lambda
C. 亚马逊关系数据库服务（Amazon RDS）
D. 亚马逊DynamoDB
E. 亚马逊弹性Kubernetes服务（Amazon EKS）

55. A company uses AWS Organizations to run workloads within multiple AWS accounts. A tagging policy adds department tags to AWS resources
when the company creates tags.
An accounting team needs to determine spending on Amazon EC2 consumption. The accounting team must determine which departments are
responsible for the costs regardless ofAWS account. The accounting team has access to AWS Cost Explorer for all AWS accounts within the
organization and needs to access all reports from Cost Explorer.
Which solution meets these requirements in the MOST operationally e cient way?
A. From the Organizations management account billing console, activate a user-de ned cost allocation tag named department. Create
one cost report in Cost Explorer grouping by tag name, and lter by EC2.
B. From the Organizations management account billing console, activate an AWS-de ned cost allocation tag named department. Create
one cost report in Cost Explorer grouping by tag name, and lter by EC2.
C. From the Organizations member account billing console, activate a user-de ned cost allocation tag named department. Create one cost
report in Cost Explorer grouping by the tag name, and lter by EC2.
D. From the Organizations member account billing console, activate an AWS-de ned cost allocation tag named department. Create one
cost report in Cost Explorer grouping by tag name, and lter by EC2.

一家公司使用AWS组织在多个AWS账户中运行工作负载。当公司创建标签时，标记策略会向AWS资源添加部门标签。

会计团队需要确定Amazon EC2消耗的支出。会计团队必须确定哪些部门应对成本负责，而不考虑AWS账户。会计团队有权访问组织内所有AWS账户的AWS成本资源管理器，并需要从成本资源管理器中获取所有报告。

哪种解决方案能以最具操作效率的方式满足这些要求？

A. 从组织管理账户的账单控制台，激活名为”department”的用户定义成本分配标签。在成本资源管理器中创建一个按标签名称分组并筛选EC2的成本报告。

B. 从组织管理账户的账单控制台，激活名为”department”的AWS定义成本分配标签。在成本资源管理器中创建一个按标签名称分组并筛选EC2的成本报告。

C. 从组织成员账户的账单控制台，激活名为”department”的用户定义成本分配标签。在成本资源管理器中创建一个按标签名称分组并筛选EC2的成本报告。

D. 从组织成员账户的账单控制台，激活名为”department”的AWS定义成本分配标签。在成本资源管理器中创建一个按标签名称分组并筛选EC2的成本报告。

56. A company wants to securely exchange data between its software as a service (SaaS) application Salesforce account and Amazon S3. The
company must encrypt the data at rest by using AWS Key Management Service (AWS KMS) customer managed keys (CMKs). The company
must also encrypt the data in transit. The company has enabled API access for the Salesforce account.
A. Create AWS Lambda functions to transfer the data securely from Salesforce to Amazon S3.
B. Create an AWS Step Functions work ow. De ne the task to transfer the data securely from Salesforce to Amazon S3.
C. Create Amazon AppFlow ows to transfer the data securely from Salesforce to Amazon S3.
D. Create a custom connector for Salesforce to transfer the data securely from Salesforce to Amazon S3.

一家公司希望在其软件即服务（SaaS）应用程序Salesforce账户与亚马逊S3之间安全地交换数据。
公司必须使用AWS密钥管理服务（AWS KMS）的客户托管密钥（CMKs）对静态数据进行加密。
同时，公司还必须对传输中的数据进行加密。公司已为Salesforce账户启用了API访问权限。
A. 创建AWS Lambda函数，将数据从Salesforce安全传输到Amazon S3。
B. 创建一个AWS Step Functions工作流。定义将数据从Salesforce安全传输到Amazon S3的任务。
C. 创建Amazon AppFlow流程，将数据从Salesforce安全传输到Amazon S3。
D. 为Salesforce创建一个自定义连接器，将数据从Salesforce安全传输到Amazon S3。

57. A company is developing a mobile gaming app in a single AWS Region. The app runs on multiple Amazon EC2 instances in an Auto Scaling
group. The company stores the app data in Amazon DynamoDB. The app communicates by using TCP traffic and UDP traffic between the users
and the servers. The application will be used globally. The company wants to ensure the lowest possible latency for all users.
Which solution will meet these requirements?
A. Use AWS Global Accelerator to create an accelerator. Create an Application Load Balancer (ALB) behind an accelerator endpoint that
uses Global Accelerator integration and listening on the TCP and UDP ports. Update the Auto Scaling group to register instances on the
ALB.
B. Use AWS Global Accelerator to create an accelerator. Create a Network Load Balancer (NLB) behind an accelerator endpoint that uses
Global Accelerator integration and listening on the TCP and UDP ports. Update the Auto Scaling group to register instances on the NLB.
C. Create an Amazon CloudFront content delivery network (CDN) endpoint. Create a Network Load Balancer (NLB) behind the endpoint
and listening on the TCP and UDP ports. Update the Auto Scaling group to register instances on the NLB. Update CloudFront to use the
NLB as the origin.
D. Create an Amazon CloudFront content delivery network (CDN) endpoint. Create an Application Load Balancer (ALB) behind the endpoint
and listening on the TCP and UDP ports. Update the Auto Scaling group to register instances on the ALB. Update CloudFront to use the
ALB as the origin.

一家公司正在单个AWS区域开发一款手机游戏应用程序。该应用程序在自动扩展组中的多个Amazon EC2实例上运行。公司使用Amazon DynamoDB存储应用程序数据。应用程序通过用户和服务器之间的TCP流量与UDP流量进行通信。该应用程序将在全球范围内使用。公司希望为所有用户确保尽可能低的延迟。
哪种解决方案可以满足这些需求？
A. 使用AWS Global Accelerator创建一个加速器。在具有Global Accelerator集成的加速器终端节点后面创建并监听TCP和UDP端口的应用程序负载均衡器（ALB）。更新自动扩展组以在ALB上注册实例。
B. 使用AWS Global Accelerator创建一个加速器。在具有Global Accelerator集成的加速器终端节点后面创建并监听TCP和UDP端口的网络负载均衡器（NLB）。更新自动扩展组以在NLB上注册实例。
C. 创建一个Amazon CloudFront内容分发网络（CDN）终端节点。在该终端节点后面创建并监听TCP和UDP端口的网络负载均衡器（NLB）。更新自动扩展组以在NLB上注册实例。更新CloudFront以使用NLB作为源站。
D. 创建一个Amazon CloudFront内容分发网络（CDN）终端节点。在该终端节点后面创建并监听TCP和UDP端口的应用程序负载均衡器（ALB）。更新自动扩展组以在ALB上注册实例。更新CloudFront以使用ALB作为源站。

58. A company has an application that processes customer orders. The company hosts the application on an Amazon EC2 instance that saves the
orders to an Amazon Aurora database. Occasionally when traffic is high the workload does not process orders fast enough.
What should a solutions architect do to write the orders reliably to the database as quickly as possible?
A. Increase the instance size of the EC2 instance when traffic is high. Write orders to Amazon Simple Notification Service (Amazon SNS).
Subscribe the database endpoint to the SNS topic.
B. Write orders to an Amazon Simple Queue Service (Amazon SQS) queue. Use EC2 instances in an Auto Scaling group behind an
Application Load Balancer to read from the SQS queue and process orders into the database.
C. Write orders to Amazon Simple Notification Service (Amazon SNS). Subscribe the database endpoint to the SNS topic. Use EC2
instances in an Auto Scaling group behind an Application Load Balancer to read from the SNS topic.
D. Write orders to an Amazon Simple Queue Service (Amazon SQS) queue when the EC2 instance reaches CPU threshold limits. Use
scheduled scaling of EC2 instances in an Auto Scaling group behind an Application Load Balancer to read from the SQS queue and
process orders into the database.

一家公司拥有一个处理客户订单的应用程序。该公司将应用程序托管在一个亚马逊EC2实例上，该实例将订单保存到一个亚马逊Aurora数据库中。偶尔当流量较高时，工作负载无法足够快速地处理订单。
解决方案架构师应该如何操作才能尽可能快速可靠地将订单写入数据库？
A. 在流量高时增加EC2实例的实例大小。将订单写入亚马逊简单通知服务(Amazon SNS)。将数据库端点订阅到SNS主题。
B. 将订单写入亚马逊简单队列服务(Amazon SQS)队列。使用应用程序负载均衡器后面的自动扩展组中的EC2实例从SQS队列读取并将订单处理到数据库中。
C. 将订单写入亚马逊简单通知服务(Amazon SNS)。将数据库端点订阅到SNS主题。使用应用程序负载均衡器后面的自动扩展组中的EC2实例从SNS主题读取。
D. 当EC2实例达到CPU阈值限制时将订单写入亚马逊简单队列服务(Amazon SQS)队列。使用应用程序负载均衡器后面的自动扩展组中的EC2实例的定时扩展从SQS队列读取并将订单处理到数据库中。

59. An IoT company is releasing a mattress that has sensors to collect data about a user’s sleep. The sensors will send data to an Amazon S3
bucket. The sensors collect approximately 2 MB of data every night for each mattress. The company must process and summarize the data for
each mattress. The results need to be available as soon as possible. Data processing will require 1 GB of memory and will nish within 30
seconds.
Which solution will meet these requirements MOST cost-effectively?
A. Use AWS Glue with a Scala job
B. Use Amazon EMR with an Apache Spark script
C. Use AWS Lambda with a Python script
D. Use AWS Glue with a PySpark job

一家物联网公司正在推出一款带有传感器的床垫，用于收集用户的睡眠数据。传感器将把数据发送到亚马逊S3存储桶。每张床垫每晚大约产生2 MB的数据。
公司需要对每张床垫的数据进行处理和汇总。处理结果需要尽快可用。数据处理需要1 GB内存并能在30秒内完成。
以下哪种解决方案能以最具成本效益的方式满足这些需求？
A. 使用带有Scala作业的AWS Glue
B. 使用带有Apache Spark脚本的Amazon EMR
C. 使用带有Python脚本的AWS Lambda
D. 使用带有PySpark作业的AWS Glue

60. A company hosts an online shopping application that stores all orders in an Amazon RDS for PostgreSQL Single-AZ DB instance. Management
wants to eliminate single points of failure and has asked a solutions architect to recommend an approach to minimize database downtime
without requiring any changes to the application code.
Which solution meets these requirements?
A. Convert the existing database instance to a Multi-AZ deployment by modifying the database instance and specifying the Multi-AZ
option.
B. Create a new RDS Multi-AZ deployment. Take a snapshot of the current RDS instance and restore the new Multi-AZ deployment with the
snapshot.
C. Create a read-only replica of the PostgreSQL database in another Availability Zone. Use Amazon Route 53 weighted record sets to
distribute requests across the databases.
D. Place the RDS for PostgreSQL database in an Amazon EC2 Auto Scaling group with a minimum group size of two. Use Amazon Route 53
weighted record sets to distribute requests across instances.

一家公司托管了一个在线购物应用程序，该应用程序将所有订单存储在亚马逊RDS for PostgreSQL单可用区数据库实例中。
管理层希望消除单点故障，并已要求解决方案架构师推荐一种方法来最大限度地减少数据库停机时间，且无需对应用程序代码进行任何更改。
哪种解决方案满足这些要求？
A. 通过修改数据库实例并指定多可用区选项，将现有数据库实例转换为多可用区部署。
B. 创建一个新的RDS多可用区部署。对当前RDS实例进行快照，并使用该快照恢复新的多可用区部署。
C. 在另一个可用区中创建一个PostgreSQL数据库的只读副本。使用亚马逊Route 53加权记录集在数据库之间分配请求。
D. 将RDS for PostgreSQL数据库放置在亚马逊EC2自动扩展组中，最小组大小为两个。使用亚马逊Route 53加权记录集在实例之间分配请求。

61. A company is developing an application to support customer demands. The company wants to deploy the application on multiple Amazon EC2
Nitro-based instances within the same Availability Zone. The company also wants to give the application the ability to write to multiple block
storage volumes in multiple EC2 Nitro-based instances simultaneously to achieve higher application availability.
Which solution will meet these requirements?
A. Use General Purpose SSD (gp3) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach
B. Use Throughput Optimized HDD (st1) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach
C. Use Provisioned IOPS SSD (io2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach
D. Use General Purpose SSD (gp2) EBS volumes with Amazon Elastic Block Store (Amazon EBS) Multi-Attach

一家公司正在开发一个应用程序以支持客户需求。公司希望将应用程序部署在同一可用区内的多个基于Amazon EC2 Nitro的实例上。
公司还希望该应用程序能够同时向多个基于EC2 Nitro的实例中的多个块存储卷写入数据，以实现更高的应用程序可用性。
以下哪种解决方案可以满足这些要求？
A. 将通用型SSD (gp3) EBS卷与Amazon Elastic Block Store (Amazon EBS)多挂载功能一起使用
B. 将吞吐优化型HDD (st1) EBS卷与Amazon Elastic Block Store (Amazon EBS)多挂载功能一起使用
C. 将预配置IOPS SSD (io2) EBS卷与Amazon Elastic Block Store (Amazon EBS)多挂载功能一起使用
D. 将通用型SSD (gp2) EBS卷与Amazon Elastic Block Store (Amazon EBS)多挂载功能一起使用

62. A company designed a stateless two-tier application that uses Amazon EC2 in a single Availability Zone and an Amazon RDS Multi-AZ DB
instance. New company management wants to ensure the application is highly available.
What should a solutions architect do to meet this requirement?
A. Configure the application to use Multi-AZ EC2 Auto Scaling and create an Application Load Balancer
B. Configure the application to take snapshots of the EC2 instances and send them to a different AWS Region
C. Configure the application to use Amazon Route 53 latency-based routing to feed requests to the application
D. Configure Amazon Route 53 rules to handle incoming requests and create a Multi-AZ Application Load Balancer

一家公司设计了一个无状态双层应用程序，该程序在单个可用区中使用亚马逊EC2，并采用了亚马逊RDS多可用区数据库实例。新公司管理层希望确保该应用程序具有高可用性。

解决方案架构师应如何满足这一要求？

A. 配置应用程序以使用多可用区EC2自动扩展并创建应用程序负载均衡器
B. 配置应用程序对EC2实例制作快照，并将快照发送至不同的AWS区域
C. 配置应用程序使用亚马逊Route 53基于延迟的路由功能将请求导向应用程序
D. 配置亚马逊Route 53规则以处理传入请求，并创建一个多可用区应用程序负载均衡器

63. A company uses AWS Organizations. A member account has purchased a Compute Savings Plan. Because of changes in the workloads inside
the member account, the account no longer receives the full bene t of the Compute Savings Plan commitment. The company uses less than
50% of its purchased compute power.
A. Turn on discount sharing from the Billing Preferences section of the account console in the member account that purchased the
Compute Savings Plan.
B. Turn on discount sharing from the Billing Preferences section of the account console in the company’s Organizations management
account.
C. Migrate additional compute workloads from another AWS account to the account that has the Compute Savings Plan.
D. Sell the excess Savings Plan commitment in the Reserved Instance Marketplace.

一家公司使用了AWS组织（AWS Organizations）。某个成员账户购买了一个计算节约计划（Compute Savings Plan）。由于该成员账户内工作负载的变化，该账户不再能充分利用计算节约计划的承诺用量。目前公司使用的计算资源不到其购买计算能力的50%。
A. 在购买计算节约计划的成员账户中，从账户控制台的”账单偏好设置”（Billing Preferences）部分开启折扣共享功能。
B. 在公司的组织管理账户中，从账户控制台的”账单偏好设置”（Billing Preferences）部分开启折扣共享功能。
C. 将其他AWS账户中的额外计算工作负载迁移至拥有计算节约计划的账户。
D. 在预留实例市场（Reserved Instance Marketplace）出售多余的节约计划承诺用量。

64. A company is developing a microservices application that will provide a search catalog for customers. The company must use REST APIs to
present the frontend of the application to users. The REST APIs must access the backend services that the company hosts in containers in
private VPC subnets.
Which solution will meet these requirements?
A. Design a WebSocket API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service (Amazon ECS) in a
private subnet. Create a private VPC link for API Gateway to access Amazon ECS.
B. Design a REST API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service (Amazon ECS) in a private
subnet. Create a private VPC link for API Gateway to access Amazon ECS.
C. Design a WebSocket API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service (Amazon ECS) in a
private subnet. Create a security group for API Gateway to access Amazon ECS.
D. Design a REST API by using Amazon API Gateway. Host the application in Amazon Elastic Container Service (Amazon ECS) in a private
subnet. Create a security group for API Gateway to access Amazon ECS.

一家公司正在开发一个微服务应用程序，该程序将为客户提供一个搜索目录。公司必须使用REST API向用户展示应用程序的前端。这些REST API需要访问公司托管在私有VPC子网容器中的后端服务。
哪种解决方案能够满足这些要求？
A. 使用Amazon API Gateway设计一个WebSocket API。将应用程序托管在私有子网的Amazon Elastic Container Service (Amazon ECS)中。创建一个私有VPC链接让API Gateway访问Amazon ECS。
B. 使用Amazon API Gateway设计一个REST API。将应用程序托管在私有子网的Amazon Elastic Container Service (Amazon ECS)中。创建一个私有VPC链接让API Gateway访问Amazon ECS。
C. 使用Amazon API Gateway设计一个WebSocket API。将应用程序托管在私有子网的Amazon Elastic Container Service (Amazon ECS)中。创建一个安全组让API Gateway访问Amazon ECS。
D. 使用Amazon API Gateway设计一个REST API。将应用程序托管在私有子网的Amazon Elastic Container Service (Amazon ECS)中。创建一个安全组让API Gateway访问Amazon ECS。

65. A company stores raw collected data in an Amazon S3 bucket. The data is used for several types of analytics on behalf of the company’s
customers. The type of analytics requested determines the access pattern on the S3 objects.
The company cannot predict or control the access pattern. The company wants to reduce its S3 costs.
Which solution will meet these requirements?
A. Use S3 replication to transition infrequently accessed objects to S3 Standard-Infrequent Access (S3 Standard-IA)
B. Use S3 Lifecycle rules to transition objects from S3 Standard to Standard-Infrequent Access (S3 Standard-IA)
C. Use S3 Lifecycle rules to transition objects from S3 Standard to S3 Intelligent-Tiering
D. Use S3 Inventory to identify and transition objects that have not been accessed from S3 Standard to S3 Intelligent-Tiering

一家公司将收集的原始数据存储在亚马逊S3存储桶中。这些数据用于代表公司客户进行多种类型的分析。
请求的分析类型决定了S3对象的访问模式。
公司无法预测或控制访问模式。公司希望降低其S3成本。
哪种解决方案能够满足这些需求？
A. 使用S3复制将不常访问的对象转移至S3标准-低频访问（S3 Standard-IA）
B. 使用S3生命周期规则将对象从S3标准转移至标准-低频访问（S3 Standard-IA）
C. 使用S3生命周期规则将对象从S3标准转移至S3智能分层
D. 使用S3清单识别未访问对象并将其从S3标准转移至S3智能分层

66. A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other
external applications using the internet. However the company’s security policy states that any external service cannot initiate a connection
to the EC2 instances.
What should a solutions architect recommend to resolve this issue?
A. Create a NAT gateway and make it the destination of the subnet’s route table
B. Create an internet gateway and make it the destination of the subnet’s route table
C. Create a virtual private gateway and make it the destination of the subnet’s route table
D. Create an egress-only internet gateway and make it the destination of the subnet’s route table

一家公司在使用IPv6地址的Amazon EC2实例上托管应用程序。这些应用程序必须通过互联网与其他外部应用程序发起通信。然而，公司的安全策略规定任何外部服务都不得主动向EC2实例发起连接。

解决方案架构师应建议采取什么措施来解决此问题？
A. 创建NAT网关并将其设为子网路由表的目标
B. 创建互联网网关并将其设为子网路由表的目标
C. 创建虚拟专用网关并将其设为子网路由表的目标
D. 创建仅出口互联网网关并将其设为子网路由表的目标

67. A company is creating an application that runs on containers in a VPC. The application stores and accesses data in an Amazon S3 bucket.
During the development phase, the application will store and access 1 TB of data in Amazon S3 each day. The company wants to minimize
costs and wants to prevent traffic from traversing the internet whenever possible.
Which solution will meet these requirements?
A. Enable S3 Intelligent-Tiering for the S3 bucket
B. Enable S3 Transfer Acceleration for the S3 bucket
C. Create a gateway VPC endpoint for Amazon S3. Associate this endpoint with all route tables in the VPC
D. Create an interface endpoint for Amazon S3 in the VPC. Associate this endpoint with all route tables in the VPC

一家公司正在开发一个运行在虚拟私有云（VPC）中容器上的应用程序。该应用程序会在亚马逊简单存储服务（Amazon S3）存储桶中存储和访问数据。
在开发阶段，该应用程序每天将在亚马逊简单存储服务（Amazon S3）中存储和访问1TB的数据。公司希望尽可能降低成本，并尽可能避免流量通过公共互联网传输。
以下哪种解决方案能够满足这些需求？
A. 为S3存储桶启用S3智能分层（S3 Intelligent-Tiering）功能
B. 为S3存储桶启用S3传输加速（S3 Transfer Acceleration）功能
C. 为亚马逊简单存储服务（Amazon S3）创建一个网关型VPC终端节点（gateway VPC endpoint），并将该终端节点与VPC中的所有路由表关联
D. 在VPC中为亚马逊简单存储服务（Amazon S3）创建一个接口型终端节点（interface endpoint），并将该终端节点与VPC中的所有路由表关联

68. A company has a mobile chat application with a data store based in Amazon DynamoDB. Users would like new messages to be read with as
little latency as possible. A solutions architect needs to design an optimal solution that requires minimal application changes.
Which method should the solutions architect select?
A. Configure Amazon DynamoDB Accelerator (DAX) for the new messages table. Update the code to use the DAX endpoint.
B. Add DynamoDB read replicas to handle the increased read load. Update the application to point to the read endpoint for the read
replicas.
C. Double the number of read capacity units for the new messages table in DynamoDB. Continue to use the existing DynamoDB endpoint.
D. Add an Amazon ElastiCache for Redis cache to the application stack. Update the application to point to the Redis cache endpoint
instead of DynamoDB.

一家公司拥有一个基于Amazon DynamoDB数据存储的移动聊天应用程序。用户希望新消息能以尽可能低的延迟被读取。

解决方案架构师需要设计一个需要最少应用程序更改的最佳解决方案。

解决方案架构师应该选择哪种方法？

A. 为新消息表配置Amazon DynamoDB加速器(DAX)。更新代码以使用DAX端点。

B. 添加DynamoDB读取副本来处理增加的读取负载。更新应用程序以指向读取副本的读取端点。

C. 将DynamoDB中新消息表的读取容量单元数量增加一倍。继续使用现有的DynamoDB端点。

D. 在应用程序堆栈中添加Amazon ElastiCache for Redis缓存。更新应用程序以指向Redis缓存端点而非DynamoDB。

69. A company hosts a website on Amazon EC2 instances behind an Application Load Balancer (ALB). The website serves static content. Website
traffic is increasing, and the company is concerned about a potential increase in cost.
A. Create an Amazon CloudFront distribution to cache state files at edge locations
B. Create an Amazon ElastiCache cluster. Connect the ALB to the ElastiCache cluster to serve cached les
C. Create an AWS WAF web ACL and associate it with the ALB. Add a rule to the web ACL to cache static les
D. Create a second ALB in an alternative AWS Region. Route user traffic to the closest Region to minimize data transfer costs

一家公司在应用负载均衡器（ALB）后端的亚马逊EC2实例上托管了一个网站。该网站提供静态内容。
网站流量正在增加，公司对潜在的成本上升表示担忧。
A. 创建一个亚马逊CloudFront分发，在边缘位置缓存静态文件
B. 创建一个亚马逊ElastiCache集群。将ALB连接到ElastiCache集群以提供缓存文件
C. 创建一个AWS WAF Web ACL并将其与ALB关联。向Web ACL添加规则以缓存静态文件
D. 在另一个AWS区域创建第二个ALB。将用户流量路由至最近的区域以最小化数据传输成本

70. A company has multiple VPCs across AWS Regions to support and run workloads that are isolated from workloads in other Regions. Because
of a recent application launch requirement, the company’s VPCs must communicate with all other VPCs across all Regions.
Which solution will meet these requirements with the LEAST amount of administrative effort?
A. Use VPC peering to manage VPC communication in a single Region. Use VPC peering across Regions to manage VPC communications.
B. Use AWS Direct Connect gateways across all Regions to connect VPCs across regions and manage VPC communications.
C. Use AWS Transit Gateway to manage VPC communication in a single Region and Transit Gateway peering across Regions to manage
VPC communications.
D. Use AWS PrivateLink across all Regions to connect VPCs across Regions and manage VPC communications

一家公司在多个AWS区域拥有多个VPC，用于支持并运行与其他区域工作负载隔离的工作负载。由于最近的应用发布需求，公司的VPC必须与所有其他区域的所有VPC进行通信。
哪种解决方案能以最少的管理工作量满足这些需求？
A. 使用VPC对等连接管理单个区域内的VPC通信。使用跨区域VPC对等连接管理VPC间的通信。
B. 在所有区域使用AWS Direct Connect网关跨区域连接VPC并管理VPC通信。
C. 使用AWS Transit Gateway管理单个区域内的VPC通信，并通过跨区域Transit Gateway对等连接管理VPC通信。
D. 在所有区域使用AWS PrivateLink跨区域连接VPC并管理VPC通信。

71. A company is designing a containerized application that will use Amazon Elastic Container Service (Amazon ECS). The application needs to
access a shared file system that is highly durable and can recover data to another AWS Region with a recovery point objective (RPO) of 8
hours. The file system needs to provide a mount target m each Availability Zone within a Region.
A solutions architect wants to use AWS Backup to manage the replication to another Region.
Which solution will meet these requirements?
A. Amazon FSx for Windows File Server with a Multi-AZ deployment
B. Amazon FSx for NetApp ONTAP with a Multi-AZ deployment
C. Amazon Elastic File System (Amazon EFS) with the Standard storage class
D. Amazon FSx for OpenZFS

一家公司正在设计一个使用亚马逊弹性容器服务（Amazon ECS）的容器化应用程序。该应用需要访问一个高度耐用的共享文件系统，并且能够将数据恢复到另一个AWS区域，恢复点目标（RPO）为8小时。文件系统需要在每个区域的每个可用区内提供一个挂载目标。

一位解决方案架构师希望使用AWS Backup来管理跨区域复制。

哪个解决方案能够满足这些需求？

A. 采用多可用区部署的Amazon FSx for Windows File Server
B. 采用多可用区部署的Amazon FSx for NetApp ONTAP
C. 采用标准存储类的亚马逊弹性文件系统（Amazon EFS）
D. Amazon FSx for OpenZFS

72. A company is expecting rapid growth in the near future. A solutions architect needs to Configure existing users and grant permissions to new
users on AWS. The solutions architect has decided to create IAM groups. The solutions architect will add the new users to IAM groups based
on department.
Which additional action is the MOST secure way to grant permissions to the new users?
A. Apply service control policies (SCPs) to manage access permissions
B. Create IAM roles that have least privilege permission. Attach the roles to the IAM groups
C. Create an IAM policy that grants least privilege permission. Attach the policy to the IAM groups
D. Create IAM roles. Associate the roles with a permissions boundary that de nes the maximum permissions

一家公司预计在不久的将来会快速增长。
一位解决方案架构师需要配置现有用户并向AWS上的新用户授予权限。
解决方案架构师决定创建IAM组。
解决方案架构师将根据部门将新用户添加到IAM组中。

哪种额外操作是向新用户授予权限的最安全方式？

A. 应用服务控制策略(SCPs)来管理访问权限
B. 创建具有最小权限的IAM角色，将这些角色附加到IAM组
C. 创建授予最小权限的IAM策略，将该策略附加到IAM组
D. 创建IAM角色，将角色与定义最大权限的权限边界关联

73. A law rm needs to share information with the public. The information includes hundreds of files that must be publicly readable. Modi cations
or deletions of the files by anyone before a designated future date are prohibited.
Which solution will meet these requirements in the MOST secure way?
A. Upload all files to an Amazon S3 bucket that is Configured for static website hosting. Grant read-only IAM permissions to any AWS
principals that access the S3 bucket until the designated date.
B. Create a new Amazon S3 bucket with S3 Versioning enabled. Use S3 Object Lock with a retention period in accordance with the
designated date. Configure the S3 bucket for static website hosting. Set an S3 bucket policy to allow read-only access to the objects.
C. Create a new Amazon S3 bucket with S3 Versioning enabled. Configure an event trigger to run an AWS Lambda function in case of
object modi cation or deletion. Configure the Lambda function to replace the objects with the original versions from a private S3 bucket.
D. Upload all files to an Amazon S3 bucket that is Configured for static website hosting. Select the folder that contains the files. Use S3
Object Lock with a retention period in accordance with the designated date. Grant read-only IAM permissions to any AWS principals that
access the S3 bucket.

一家律师事务所需要与公众分享信息。这些信息包括数百个必须公开可读的文件。
在指定的未来日期之前，禁止任何人修改或删除这些文件。
以下哪种解决方案能以最安全的方式满足这些需求？
A. 将所有文件上传到配置了静态网站托管的亚马逊S3存储桶。在指定日期之前，授予访问该S3存储桶的任何AWS主体只读IAM权限。
B. 创建一个启用了S3版本控制的新亚马逊S3存储桶。根据指定日期使用S3对象锁定设置保留期。将该S3存储桶配置为静态网站托管。设置S3存储桶策略以允许对对象的只读访问。
C. 创建一个启用了S3版本控制的新亚马逊S3存储桶。配置一个事件触发器，在对象被修改或删除时运行AWS Lambda函数。配置Lambda函数以从私有S3存储桶中用原始版本替换被修改的对象。
D. 将所有文件上传到配置了静态网站托管的亚马逊S3存储桶。选择包含文件的文件夹。根据指定日期使用S3对象锁定设置保留期。授予访问该S3存储桶的任何AWS主体只读IAM权限。

74. A company is making a prototype of the infrastructure for its new website by manually provisioning the necessary infrastructure. This
infrastructure includes an Auto Scaling group, an Application Load Balancer and an Amazon RDS database. After the configuration has been
thoroughly validated, the company wants the capability to immediately deploy the infrastructure for development and production use in two
Availability Zones in an automated fashion.
What should a solutions architect recommend to meet these requirements?
A. Use AWS Systems Manager to replicate and provision the prototype infrastructure in two Availability Zones
B. De ne the infrastructure as a template by using the prototype infrastructure as a guide. Deploy the infrastructure with AWS
CloudFormation.
C. Use AWS Config to record the inventory of resources that are used in the prototype infrastructure. Use AWS Config to deploy the
prototype infrastructure into two Availability Zones.
D. Use AWS Elastic Beanstalk and Configure it to use an automated reference to the prototype infrastructure to automatically deploy new
environments in two Availability Zones.

一家公司正在通过手动配置必要的基础设施来为其新网站制作基础设施原型。该基础设施包括一个自动扩展组、一个应用负载均衡器和一个亚马逊RDS数据库。在全面验证配置后，公司希望能够以自动化方式立即在两个可用区部署该基础设施，供开发和生产使用。
解决方案架构师应推荐何种方案来满足这些需求？

A. 使用AWS Systems Manager在两个可用区复制并部署原型基础设施

B. 以原型基础设施为指导，将基础设施定义为模板。使用AWS CloudFormation部署该基础设施。

C. 使用AWS Config记录原型基础设施中使用的资源清单。使用AWS Config将原型基础设施部署到两个可用区。

D. 使用AWS Elastic Beanstalk并将其配置为通过自动化引用原型基础设施，从而自动在两个可用区部署新环境。

75. A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security o cer has
directed that no application traffic between the two services should traverse the public internet.
Which capability should the solutions architect use to meet the compliance requirements?
A. AWS Key Management Service (AWS KMS)
B. VPC endpoint
C. Private subnet
D. Virtual private gateway

题目：

一个业务应用程序托管在亚马逊EC2上，并使用亚马逊S3进行加密对象存储。首席信息安全官指示，这两个服务之间的应用程序流量不得通过公共互联网传输。
解决方案架构师应该使用哪种功能来满足合规性要求？
A. AWS密钥管理服务（AWS KMS）
B. VPC终端节点
C. 私有子网
D. 虚拟专用网关

76. A company hosts a three-tier web application in the AWS Cloud. A Multi-AZAmazon RDS for MySQL server forms the database layer Amazon
ElastiCache forms the cache layer. The company wants a caching strategy that adds or updates data in the cache when a customer adds an
item to the database. The data in the cache must always match the data in the database.
Which solution will meet these requirements?
A. Implement the lazy loading caching strategy
B. Implement the write-through caching strategy
C. Implement the adding TTL caching strategy
D. Implement the AWS AppConfig caching strategy

一家公司在AWS云中托管了一个三层网络应用程序。多可用区Amazon RDS for MySQL服务器构成了数据库层，
Amazon ElastiCache构成了缓存层。公司希望采用一种缓存策略，当客户向数据库添加项目时，能同时在缓存中添加或更新数据。
缓存中的数据必须始终与数据库中的数据保持一致。

哪种解决方案能满足这些要求？
A. 实施延迟加载缓存策略
B. 实施直写式缓存策略
C. 实施添加TTL的缓存策略
D. 实施AWS AppConfig缓存策略

77. A company wants to migrate 100 GB of historical data from an on-premises location to an Amazon S3 bucket. The company has a 100
megabits per second (Mbps) internet connection on premises. The company needs to encrypt the data in transit to the S3 bucket. The
company will store new data directly in Amazon S3.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use the s3 sync command in the AWS CLI to move the data directly to an S3 bucket
B. Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket
C. Use AWS Snowball to move the data to an S3 bucket
D. Set up an IPsec VPN from the on-premises location to AWS. Use the s3 cp command in the AWS CLI to move the data directly to an S3
bucket

一家公司希望将100 GB的历史数据从本地迁移到Amazon S3存储桶。该公司在本地拥有每秒100兆比特（Mbps）的互联网连接。公司需要对这些传输到S3存储桶的数据进行加密。未来新数据将直接存储在Amazon S3中。
哪种解决方案能以最小的运维工作量满足这些需求？
A. 使用AWS CLI中的s3 sync命令直接将数据移动到S3存储桶
B. 使用AWS DataSync将数据从本地位置迁移到S3存储桶
C. 使用AWS Snowball将数据移动到S3存储桶
D. 建立从本地位置到AWS的IPsec VPN。使用AWS CLI中的s3 cp命令直接将数据移动到S3存储桶

78. A company containerized a Windows job that runs on .NET 6 Framework under a Windows container. The company wants to run this job in the
AWS Cloud. The job runs every 10 minutes. The job’s runtime varies between 1 minute and 3 minutes.
Which solution will meet these requirements MOST cost-effectively?
A. Create an AWS Lambda function based on the container image of the job. Configure Amazon EventBridge to invoke the function every
10 minutes.
B. Use AWS Batch to create a job that uses AWS Fargate resources. Configure the job scheduling to run every 10 minutes.
C. Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate to run the job. Create a scheduled task based on the container
image of the job to run every 10 minutes.
D. Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate to run the job. Create a standalone task based on the container
image of the job. Use Windows task scheduler to run the job every
10 minutes.

一家公司将一个运行在.NET 6框架下的Windows作业进行了容器化，并在Windows容器中运行。该公司希望在AWS云中运行此作业。该作业每10分钟运行一次，运行时间在1分钟到3分钟之间。

哪种解决方案能以最具成本效益的方式满足这些需求？

A. 基于该作业的容器镜像创建一个AWS Lambda函数。配置Amazon EventBridge每10分钟调用该函数一次。

B. 使用AWS Batch创建一个使用AWS Fargate资源的作业。配置作业调度使其每10分钟运行一次。

C. 在AWS Fargate上使用Amazon Elastic Container Service (Amazon ECS)运行该作业。基于该作业的容器镜像创建一个定时任务，使其每10分钟运行一次。

D. 在AWS Fargate上使用Amazon Elastic Container Service (Amazon ECS)运行该作业。基于该作业的容器镜像创建一个独立任务。使用Windows任务计划程序每10分钟运行该作业一次。

79. A company wants to move from many standalone AWS accounts to a consolidated, multi-account architecture. The company plans to create
many new AWS accounts for different business units. The company needs to authenticate access to these AWS accounts by using a
centralized corporate directory service.
Which combination of actions should a solutions architect recommend to meet these requirements? (Choose two.)
A. Create a new organization in AWS Organizations with all features turned on. Create the new AWS accounts in the organization.
B. Set up an Amazon Cognito identity pool. Configure AWS IAM Identity Center (AWS Single Sign-On) to accept Amazon Cognito
authentication.
C. Configure a service control policy (SCP) to manage the AWS accounts. Add AWS IAM Identity Center (AWS Single Sign-On) to AWS
Directory Service.
D. Create a new organization in AWS Organizations. Configure the organization’s authentication mechanism to use AWS Directory Service
directly.
E. Set up AWS IAM Identity Center (AWS Single Sign-On) in the organization. Configure IAM Identity Center, and integrate it with the
company’s corporate directory service.

一家公司希望从多个独立的AWS账户转变为整合的多账户架构。公司计划为不同业务部门创建许多新的AWS账户，需要通过集中式企业目录服务对这些AWS账户进行访问认证。

解决方案架构师应推荐采取哪两项措施来满足这些要求？（选择两项）

A. 在AWS Organizations中创建一个启用所有功能的新组织，并在该组织内创建新的AWS账户。

B. 设置一个Amazon Cognito身份池，配置AWS IAM Identity Center（AWS单点登录）以接受Amazon Cognito认证。

C. 配置服务控制策略（SCP）来管理AWS账户，将AWS IAM Identity Center（AWS单点登录）添加到AWS Directory Service中。

D. 在AWS Organizations中创建一个新组织，并配置该组织直接使用AWS Directory Service作为认证机制。

E. 在组织中设置AWS IAM Identity Center（AWS单点登录），配置IAM Identity Center并与公司的企业目录服务集成。

80. A company is looking for a solution that can store video archives in AWS from old news footage. The company needs to minimize costs and
will rarely need to restore these files. When the files are needed, they must be available in a maximum of ve minutes.
What is the MOST cost-effective solution?
A. Store the video archives in Amazon S3 Glacier and use Expedited retrievals.
B. Store the video archives in Amazon S3 Glacier and use Standard retrievals.
C. Store the video archives in Amazon S3 Standard-Infrequent Access (S3 Standard-IA).
D. Store the video archives in Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA).

一家公司正在寻找一种解决方案，能够将旧新闻素材的视频档案存储到AWS中。
该公司需要尽可能降低成本，并且很少需要恢复这些文件。
但当需要这些文件时，必须在最多五分钟内可用。
哪种方案最具成本效益？

A. 将视频档案存储在Amazon S3 Glacier中，并使用快速检索功能。
B. 将视频档案存储在Amazon S3 Glacier中，并使用标准检索功能。
C. 将视频档案存储在Amazon S3标准不频繁访问（S3 Standard-IA）中。
D. 将视频档案存储在Amazon S3单一区域不频繁访问（S3 One Zone-IA）中。

81. A company is building a three-tier application on AWS. The presentation tier will serve a static website The logic tier is a containerized
application. This application will store data in a relational database. The company wants to simplify deployment and to reduce operational
costs.
Which solution will meet these requirements?
A. Use Amazon S3 to host static content. Use Amazon Elastic Container Service (Amazon ECS) with AWS Fargate for compute power. Use a
managed Amazon RDS cluster for the database.
B. Use Amazon CloudFront to host static content. Use Amazon Elastic Container Service (Amazon ECS) with Amazon EC2 for compute
power. Use a managed Amazon RDS cluster for the database.
C. Use Amazon S3 to host static content. Use Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate for compute power. Use
a managed Amazon RDS cluster for the database.
D. Use Amazon EC2 Reserved Instances to host static content. Use Amazon Elastic Kubernetes Service (Amazon EKS) with Amazon EC2 for
compute power. Use a managed Amazon RDS cluster for the database.

一家公司正在AWS上构建三层应用程序。展示层将服务静态网站，逻辑层是容器化应用程序。该应用程序会将数据存储在关系型数据库中。公司希望简化部署并降低运营成本。
哪个解决方案能满足这些需求？
A. 使用Amazon S3托管静态内容。使用Amazon Elastic Container Service（Amazon ECS）搭配AWS Fargate提供计算能力。使用托管的Amazon RDS集群作为数据库。
B. 使用Amazon CloudFront托管静态内容。使用Amazon Elastic Container Service（Amazon ECS）搭配Amazon EC2提供计算能力。使用托管的Amazon RDS集群作为数据库。
C. 使用Amazon S3托管静态内容。使用Amazon Elastic Kubernetes Service（Amazon EKS）搭配AWS Fargate提供计算能力。使用托管的Amazon RDS集群作为数据库。
D. 使用Amazon EC2预留实例托管静态内容。使用Amazon Elastic Kubernetes Service（Amazon EKS）搭配Amazon EC2提供计算能力。使用托管的Amazon RDS集群作为数据库。

82. A company seeks a storage solution for its application. The solution must be highly available and scalable. The solution also must function as
a file system be mountable by multiple Linux instances in AWS and on premises through native protocols, and have no minimum size
requirements. The company has set up a Site-to-Site VPN for access from its on-premises network to its VPC.
Which storage solution meets these requirements?
A. Amazon FSx Multi-AZ deployments
B. Amazon Elastic Block Store (Amazon EBS) Multi-Attach volumes
C. Amazon Elastic File System (Amazon EFS) with multiple mount targets
D. Amazon Elastic File System (Amazon EFS) with a single mount target and multiple access points

一家公司为其应用程序寻求存储解决方案。
该解决方案必须具备高可用性和可扩展性。
该解决方案还需能够作为文件系统使用，可通过原生协议在AWS和本地环境中被多个Linux实例挂载，并且没有最低容量要求。
该公司已设置了站点到站点VPN，以便从其本地网络访问其VPC。
哪种存储解决方案满足这些要求？
A. 亚马逊FSx多可用区部署
B. 亚马逊弹性块存储（Amazon EBS）多挂载卷
C. 配备多个挂载目标的亚马逊弹性文件系统（Amazon EFS）
D. 配备单个挂载目标和多个访问点的亚马逊弹性文件系统（Amazon EFS）

83. A 4-year-old media company is using the AWS Organizations all features feature set to organize its AWS accounts. According to the company’s
nance team, the billing information on the member accounts must not be accessible to anyone, including the root user of the member
accounts.
Which solution will meet these requirements?
A. Add all nance team users to an IAM group. Attach an AWS managed policy named Billing to the group.
B. Attach an identity-based policy to deny access to the billing information to all users, including the root user.
C. Create a service control policy (SCP) to deny access to the billing information. Attach the SCP to the root organizational unit (OU).
D. Convert from the Organizations all features feature set to the Organizations consolidated billing feature set.

一家拥有四年历史的媒体公司正在使用AWS Organizations的全功能集来组织其AWS账户。根据该公司的财务团队要求，包括成员账户的根用户在内，任何人都不得访问成员账户上的账单信息。
哪种解决方案能够满足这些要求？
A. 将所有财务团队用户添加到一个IAM组。将名为Billing的AWS托管策略附加到该组。
B. 附加基于身份的策略，拒绝所有用户（包括根用户）访问账单信息。
C. 创建一个服务控制策略（SCP）来拒绝对账单信息的访问。将该SCP附加到根组织单元（OU）。
D. 从Organizations的全功能集转换为Organizations的合并账单功能集。

84. An ecommerce company runs an application in the AWS Cloud that is integrated with an on-premises warehouse solution. The company uses
Amazon Simple Notification Service (Amazon SNS) to send order messages to an on-premises HTTPS endpoint so the warehouse application
can process the orders. The local data center team has detected that some of the order messages were not received.
A solutions architect needs to retain messages that are not delivered and analyze the messages for up to 14 days.
Which solution will meet these requirements with the LEAST development effort?
A. Configure an Amazon SNS dead letter queue that has an Amazon Kinesis Data Stream target with a retention period of 14 days.
B. Add an Amazon Simple Queue Service (Amazon SQS) queue with a retention period of 14 days between the application and Amazon
SNS.
C. Configure an Amazon SNS dead letter queue that has an Amazon Simple Queue Service (Amazon SQS) target with a retention period of
14 days.
D. Configure an Amazon SNS dead letter queue that has an Amazon DynamoDB target with a TTL attribute set for a retention period of 14
days.

一家电子商务公司在AWS云中运行一个应用程序，该程序与本地仓库解决方案集成。公司使用
Amazon Simple Notification Service（Amazon SNS）将订单消息发送到本地HTTPS端点，以便仓库应用程序
可以处理订单。本地数据中心团队发现部分订单消息未被接收。
解决方案架构师需要保留未送达的消息，并将消息保留分析长达14天。
以下哪种解决方案能以最少开发工作量满足这些需求？
A. 配置一个目标为Amazon Kinesis Data Stream且保留期为14天的Amazon SNS死信队列。
B. 在应用程序和Amazon SNS之间添加一个保留期为14天的Amazon Simple Queue Service（Amazon SQS）队列。
C. 配置一个目标为Amazon Simple Queue Service（Amazon SQS）且保留期为14天的Amazon SNS死信队列。
D. 配置一个目标为Amazon DynamoDB且TTL属性设置为14天保留期的Amazon SNS死信队列。

85. A gaming company uses Amazon DynamoDB to store user information such as geographic location, player data, and leaderboards. The
company needs to Configure continuous backups to an Amazon S3 bucket with a minimal amount of coding. The backups must not affect
availability of the application and must not affect the read capacity units (RCUs) that are de ned for the table.
Which solution meets these requirements?
A. Use an Amazon EMR cluster. Create an Apache Hive job to back up the data to Amazon S3.
B. Export the data directly from DynamoDB to Amazon S3 with continuous backups. Turn on point-in-time recovery for the table.
C. Configure Amazon DynamoDB Streams. Create an AWS Lambda function to consume the stream and export the data to an Amazon S3
bucket.
D. Create an AWS Lambda function to export the data from the database tables to Amazon S3 on a regular basis. Turn on point-in-time
recovery for the table.

一家游戏公司使用亚马逊DynamoDB来存储用户信息，例如地理位置、玩家数据和排行榜。
公司需要以最少的编码工作量配置将连续备份存储到亚马逊S3桶。备份不得影响应用程序的可用性，也不得影响表中定义的读取容量单位（RCUs）。
哪个解决方案符合这些要求？
A. 使用亚马逊EMR集群。创建一个Apache Hive作业将数据备份到亚马逊S3。
B. 直接从DynamoDB将数据导出到亚马逊S3，并启用连续备份。为表启用时间点恢复功能。
C. 配置亚马逊DynamoDB流。创建一个AWS Lambda函数来消费流并将数据导出到亚马逊S3桶。
D. 创建一个AWS Lambda函数定期将数据从数据库表导出到亚马逊S3。为表启用时间点恢复功能。

86. A solutions architect is designing an asynchronous application to process credit card data validation requests for a bank. The application
must be secure and be able to process each request at least once.
Which solution will meet these requirements MOST cost-effectively?
A. Use AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source. Use
AWS Key Management Service (SSE-KMS) for encryption. Add the kms:Decrypt permission for the Lambda execution role.
B. Use AWS Lambda event source mapping. Use Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use SQS
managed encryption keys (SSE-SQS) for encryption. Add the encryption key invocation permission for the Lambda function.
C. Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) FIFO queues as the event source. Use
AWS KMS keys (SSE-KMS). Add the kms:Decrypt permission for the Lambda execution role.
D. Use the AWS Lambda event source mapping. Set Amazon Simple Queue Service (Amazon SQS) standard queues as the event source.
Use AWS KMS keys (SSE-KMS) for encryption. Add the encryption key invocation permission for the Lambda function.

一位解决方案架构师正在为一家银行设计一个异步应用程序，用于处理信用卡数据验证请求。
该应用程序必须安全且能够至少处理每个请求一次。
哪种解决方案能以最具成本效益的方式满足这些要求？

A. 使用AWS Lambda事件源映射。将Amazon Simple Queue Service (Amazon SQS)标准队列设置为事件源。
使用AWS密钥管理服务(SSE-KMS)进行加密。为Lambda执行角色添加kms:Decrypt权限。

B. 使用AWS Lambda事件源映射。将Amazon Simple Queue Service (Amazon SQS) FIFO队列作为事件源。
使用SQS托管加密密钥(SSE-SQS)进行加密。为Lambda函数添加加密密钥调用权限。

C. 使用AWS Lambda事件源映射。将Amazon Simple Queue Service (Amazon SQS) FIFO队列设置为事件源。
使用AWS KMS密钥(SSE-KMS)。为Lambda执行角色添加kms:Decrypt权限。

D. 使用AWS Lambda事件源映射。将Amazon Simple Queue Service (Amazon SQS)标准队列设置为事件源。
使用AWS KMS密钥(SSE-KMS)进行加密。为Lambda函数添加加密密钥调用权限。

87. A company has multiple AWS accounts for development work. Some staff consistently use oversized Amazon EC2 instances, which causes the
company to exceed the yearly budget for the development accounts. The company wants to centrally restrict the creation of AWS resources in
these accounts.
Which solution will meet these requirements with the LEAST development effort?
A. Develop AWS Systems Manager templates that use an approved EC2 creation process. Use the approved Systems Manager templates
to provision EC2 instances.
B. Use AWS Organizations to organize the accounts into organizational units (OUs). De ne and attach a service control policy (SCP) to
control the usage of EC2 instance types.
C. Configure an Amazon EventBridge rule that invokes an AWS Lambda function when an EC2 instance is created. Stop disallowed EC2
instance types.
D. Set up AWS Service Catalog products for the staff to create the allowed EC2 instance types. Ensure that staff can deploy EC2 instances
only by using the Service Catalog products.

一家公司拥有多个用于开发工作的AWS账户。部分员工持续使用过大的Amazon EC2实例，导致公司超出开发账户的年度预算。
公司希望集中限制这些账户中AWS资源的创建。
哪种解决方案能以最低开发工作量满足这些需求？
A. 开发使用已批准EC2创建流程的AWS Systems Manager模板。使用经批准的Systems Manager模板来配置EC2实例。
B. 使用AWS Organizations将账户组织到组织单元(OU)中。定义并附加服务控制策略(SCP)以控制EC2实例类型的使用。
C. 配置Amazon EventBridge规则，在创建EC2实例时调用AWS Lambda函数。停止不允许的EC2实例类型。
D. 为员工设置AWS Service Catalog产品以创建允许的EC2实例类型。确保员工只能通过Service Catalog产品部署EC2实例。

88. A company wants to use arti cial intelligence (AI) to determine the quality of its customer service calls. The company currently manages calls
in four different languages, including English. The company will offer new languages in the future. The company does not have the resources
to regularly maintain machine learning (ML) models.
The company needs to create written sentiment analysis reports from the customer service call recordings. The customer service call
recording text must be translated into English.
Which combination of steps will meet these requirements? (Choose three.)
A. Use Amazon Comprehend to translate the audio recordings into English.
B. Use Amazon Lex to create the written sentiment analysis reports.
C. Use Amazon Polly to convert the audio recordings into text.
D. Use Amazon Transcribe to convert the audio recordings in any language into text.
E. Use Amazon Translate to translate text in any language to English.
F. Use Amazon Comprehend to create the sentiment analysis reports.

一家公司希望使用人工智能（AI）来评估其客户服务通话的质量。该公司目前以四种不同的语言管理通话，包括英语。未来该公司还将提供更多语言的支持。该公司没有资源来定期维护机器学习（ML）模型。

公司需要根据客户服务通话录音创建书面情感分析报告。客户服务通话的录音文本必须翻译成英语。

以下哪种步骤组合能够满足这些需求？（选择三项。）
A. 使用Amazon Comprehend将音频录音翻译成英语。
B. 使用Amazon Lex创建书面情感分析报告。
C. 使用Amazon Polly将音频录音转换为文本。
D. 使用Amazon Transcribe将任何语言的音频录音转换为文本。
E. 使用Amazon Translate将任何语言的文本翻译成英语。
F. 使用Amazon Comprehend创建情感分析报告。

89. A company is conducting an internal audit. The company wants to ensure that the data in an Amazon S3 bucket that is associated with the
company’s AWS Lake Formation data lake does not contain sensitive customer or employee data. The company wants to discover personally
identi able information (PII) or nancial information, including passport numbers and credit card numbers.
Which solution will meet these requirements?
A. Configure AWS Audit Manager on the account. Select the Payment Card Industry Data Security Standards (PCI DSS) for auditing.
B. Configure Amazon S3 Inventory on the S3 bucket Configure Amazon Athena to query the inventory.
C. Configure Amazon Macie to run a data discovery job that uses managed identi ers for the required data types.
D. Use Amazon S3 Select to run a report across the S3 bucket.

一家公司正在进行内部审计。该公司希望确保与公司AWS Lake Formation数据湖相关联的Amazon S3存储桶中的数据不包含敏感的客户或员工数据。该公司希望发现个人可识别信息（PII）或财务信息，包括护照号码和信用卡号码。
哪种解决方案能够满足这些要求？
A. 在账户上配置AWS Audit Manager。选择支付卡行业数据安全标准（PCI DSS）进行审计。
B. 在S3存储桶上配置Amazon S3库存。配置Amazon Athena查询库存。
C. 配置Amazon Macie运行数据发现作业，使用托管标识符查找所需数据类型。
D. 使用Amazon S3 Select在整个S3存储桶上运行报告。

90. A company uses on-premises servers to host its applications. The company is running out of storage capacity. The applications use both block
storage and NFS storage. The company needs a high-performing solution that supports local caching without re-architecting its existing
applications.
Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)
A. Mount Amazon S3 as a file system to the on-premises servers.
B. Deploy an AWS Storage Gateway file gateway to replace NFS storage.
C. Deploy AWS Snowball Edge to provision NFS mounts to on-premises servers.
D. Deploy an AWS Storage Gateway volume gateway to replace the block storage.
E. Deploy Amazon Elastic File System (Amazon EFS) volumes and mount them to on-premises servers.

一家公司使用本地服务器来托管其应用程序。公司的存储容量即将耗尽。这些应用程序同时使用块存储和NFS存储。公司需要一个高性能的解决方案，支持本地缓存，且无需重新设计现有的应用程序。

解决方案架构师应该采取哪些组合行动来满足这些要求？（选择两个。）

A. 将Amazon S3作为文件系统挂载到本地服务器上。
B. 部署AWS Storage Gateway文件网关以替代NFS存储。
C. 部署AWS Snowball Edge以配置NFS挂载到本地服务器。
D. 部署AWS Storage Gateway卷网关以替代块存储。
E. 部署Amazon Elastic File System（Amazon EFS）卷并将其挂载到本地服务器。

91. A company has a service that reads and writes large amounts of data from an Amazon S3 bucket in the same AWS Region. The service is
deployed on Amazon EC2 instances within the private subnet of a VPC. The service communicates with Amazon S3 over a NAT gateway in the
public subnet. However, the company wants a solution that will reduce the data output costs.
Which solution will meet these requirements MOST cost-effectively?
A. Provision a dedicated EC2 NAT instance in the public subnet. Configure the route table for the private subnet to use the elastic network
interface of this instance as the destination for all S3 traffic.
B. Provision a dedicated EC2 NAT instance in the private subnet. Configure the route table for the public subnet to use the elastic network
interface of this instance as the destination for all S3 traffic.
C. Provision a VPC gateway endpoint. Configure the route table for the private subnet to use the gateway endpoint as the route for all S3
traffic.
D. Provision a second NAT gateway. Configure the route table for the private subnet to use this NAT gateway as the destination for all S3
traffic.

一家公司有一项服务，需要从同一AWS区域内的Amazon S3存储桶读取和写入大量数据。
该服务部署在VPC私有子网中的Amazon EC2实例上，并通过公有子网中的NAT网关与Amazon S3通信。
然而，该公司希望找到一种降低数据输出成本的解决方案。

以下哪种解决方案能够以最具成本效益的方式满足这些要求？

A. 在公有子网中配置专用的EC2 NAT实例。将私有子网的路由表配置为使用此实例的弹性网络接口作为所有S3流量的目的地。
B. 在私有子网中配置专用的EC2 NAT实例。将公有子网的路由表配置为使用此实例的弹性网络接口作为所有S3流量的目的地。
C. 配置VPC网关终端节点。将私有子网的路由表配置为使用该网关终端节点作为所有S3流量的路由。
D. 配置第二个NAT网关。将私有子网的路由表配置为使用此NAT网关作为所有S3流量的目的地。

92. A company uses Amazon S3 to store high-resolution pictures in an S3 bucket. To minimize application changes, the company stores the
pictures as the latest version of an S3 object. The company needs to retain only the two most recent versions of the pictures.
The company wants to reduce costs. The company has identi ed the S3 bucket as a large expense.
Which solution will reduce the S3 costs with the LEAST operational overhead?
A. Use S3 Lifecycle to delete expired object versions and retain the two most recent versions.
B. Use an AWS Lambda function to check for older versions and delete all but the two most recent versions.
C. Use S3 Batch Operations to delete noncurrent object versions and retain only the two most recent versions.
D. Deactivate versioning on the S3 bucket and retain the two most recent versions.

一家公司使用亚马逊S3存储高分辨率图片，并将这些图片保存在一个S3存储桶中。为了最小化应用程序的更改，该公司将图片存储为S3对象的最新版本。该公司只需要保留图片的两个最新版本。

该公司希望降低成本，并将S3存储桶确定为一项重大支出。

哪种解决方案能在最小操作负担的前提下降低S3成本？

A. 使用S3生命周期策略删除过期的对象版本，并保留两个最新版本。
B. 使用AWS Lambda函数检查旧版本，并删除除两个最新版本之外的所有版本。
C. 使用S3批量操作删除非当前对象版本，并仅保留两个最新版本。
D. 在S3存储桶上停用版本控制，并保留两个最新版本。

93. A company needs to minimize the cost of its 1 Gbps AWS Direct Connect connection. The company’s average connection utilization is less
than 10%. A solutions architect must recommend a solution that will reduce the cost without compromising security.
Which solution will meet these requirements?
A. Set up a new 1 Gbps Direct Connect connection. Share the connection with another AWS account.
B. Set up a new 200 Mbps Direct Connect connection in the AWS Management Console.
C. Contact an AWS Direct Connect Partner to order a 1 Gbps connection. Share the connection with another AWS account.
D. Contact an AWS Direct Connect Partner to order a 200 Mbps hosted connection for an existing AWS account.

一家公司需要最小化其1 Gbps AWS直连连接的成本。该公司的平均连接利用率低于10%。解决方案架构师必须推荐一个既能降低成本又不会影响安全性的解决方案。
哪种方案能够满足这些要求？
A. 建立一个新的1 Gbps直连连接，并与另一个AWS账户共享该连接。
B. 在AWS管理控制台中建立一个新的200 Mbps直连连接。
C. 联系AWS直连合作伙伴订购1 Gbps连接，并与另一个AWS账户共享该连接。
D. 联系AWS直连合作伙伴为现有AWS账户订购200 Mbps托管连接。

94. A company has multiple Windows file servers on premises. The company wants to migrate and consolidate its files into an Amazon FSx for
Windows File Server file system. File permissions must be preserved to ensure that access rights do not change.
Which solutions will meet these requirements? (Choose two.)
A. Deploy AWS DataSync agents on premises. Schedule DataSync tasks to transfer the data to the FSx for Windows File Server file system.
B. Copy the shares on each file server into Amazon S3 buckets by using the AWS CLI. Schedule AWS DataSync tasks to transfer the data to
the FSx for Windows File Server file system.
C. Remove the drives from each file server. Ship the drives to AWS for import into Amazon S3. Schedule AWS DataSync tasks to transfer
the data to the FSx for Windows File Server file system.
D. Order an AWS Snowcone device. Connect the device to the on-premises network. Launch AWS DataSync agents on the device. Schedule
DataSync tasks to transfer the data to the FSx for Windows File Server file system.
E. Order an AWS Snowball Edge Storage Optimized device. Connect the device to the on-premises network. Copy data to the device by
using the AWS CLI. Ship the device back to AWS for import into Amazon S3. Schedule AWS DataSync tasks to transfer the data to the FSx
for Windows File Server file system.

一家公司在本地拥有多台Windows文件服务器。该公司希望将其文件迁移并整合到Amazon FSx for Windows File Server文件系统中。必须保留文件权限，以确保访问权限不发生改变。
哪些解决方案能够满足这些要求？（选择两个。）
A. 在本地部署AWS DataSync代理。安排DataSync任务将数据传输到FSx for Windows File Server文件系统。
B. 使用AWS CLI将每个文件服务器上的共享复制到Amazon S3存储桶中。安排AWS DataSync任务将数据传输到FSx for Windows File Server文件系统。
C. 从每台文件服务器上卸下驱动器。将驱动器运送到AWS以导入Amazon S3。安排AWS DataSync任务将数据传输到FSx for Windows File Server文件系统。
D. 订购一台AWS Snowcone设备。将该设备连接到本地网络。在设备上启动AWS DataSync代理。安排DataSync任务将数据传输到FSx for Windows File Server文件系统。
E. 订购一台AWS Snowball Edge存储优化设备。将该设备连接到本地网络。使用AWS CLI将数据复制到设备上。将设备运回AWS以导入Amazon S3。安排AWS DataSync任务将数据传输到FSx for Windows File Server文件系统。

95. A company wants to ingest customer payment data into the company’s data lake in Amazon S3. The company receives payment data every
minute on average. The company wants to analyze the payment data in real time. Then the company wants to ingest the data into the data
lake.
Which solution will meet these requirements with the MOST operational e ciency?
A. Use Amazon Kinesis Data Streams to ingest data. Use AWS Lambda to analyze the data in real time.
B. Use AWS Glue to ingest data. Use Amazon Kinesis Data Analytics to analyze the data in real time.
C. Use Amazon Kinesis Data Firehose to ingest data. Use Amazon Kinesis Data Analytics to analyze the data in real time.
D. Use Amazon API Gateway to ingest data. Use AWS Lambda to analyze the data in real time.

一家公司希望将客户支付数据摄取到公司位于Amazon S3的数据湖中。公司平均每分钟都会收到支付数据。
公司希望实时分析这些支付数据，然后将数据摄取到数据湖中。
哪种解决方案能够以最高的运营效率满足这些需求？
A. 使用Amazon Kinesis Data Streams摄取数据，使用AWS Lambda实时分析数据。
B. 使用AWS Glue摄取数据，使用Amazon Kinesis Data Analytics实时分析数据。
C. 使用Amazon Kinesis Data Firehose摄取数据，使用Amazon Kinesis Data Analytics实时分析数据。
D. 使用Amazon API Gateway摄取数据，使用AWS Lambda实时分析数据。

96. A company runs a website that uses a content management system (CMS) on Amazon EC2. The CMS runs on a single EC2 instance and uses
an Amazon Aurora MySQL Multi-AZ DB instance for the data tier. Website images are stored on an Amazon Elastic Block Store (Amazon EBS)
volume that is mounted inside the EC2 instance.
Which combination of actions should a solutions architect take to improve the performance and resilience of the website? (Choose two.)
A. Move the website images into an Amazon S3 bucket that is mounted on every EC2 instance
B. Share the website images by using an NFS share from the primary EC2 instance. Mount this share on the other EC2 instances.
C. Move the website images onto an Amazon Elastic File System (Amazon EFS) file system that is mounted on every EC2 instance.
D. Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to provision new instances behind an Application
Load Balancer as part of an Auto Scaling group. Configure the Auto Scaling group to maintain a minimum of two instances. Configure an
accelerator in AWS Global Accelerator for the website
E. Create an Amazon Machine Image (AMI) from the existing EC2 instance. Use the AMI to provision new instances behind an Application
Load Balancer as part of an Auto Scaling group. Configure the Auto Scaling group to maintain a minimum of two instances. Configure an
Amazon CloudFront distribution for the website.

一家公司在Amazon EC2上运行一个使用内容管理系统(CMS)的网站。该CMS运行在单个EC2实例上，并使用Amazon Aurora MySQL多可用区数据库实例作为数据层。网站图片存储在安装于EC2实例内部的亚马逊弹性块存储(Amazon EBS)卷中。

解决方案架构师应采取以下哪两种措施组合来提高网站的性能和弹性？(选择两项。)

A. 将网站图片移动到挂载在每个EC2实例上的Amazon S3存储桶中

B. 使用主EC2实例的NFS共享分享网站图片。在其他EC2实例上挂载该共享。

C. 将网站图片转移到挂载在每个EC2实例上的亚马逊弹性文件系统(Amazon EFS)上

D. 从现有EC2实例创建亚马逊机器镜像(AMI)。使用该AMI在应用程序负载均衡器后配置新实例，作为自动扩展组的一部分。将自动扩展组配置为至少保持两个实例运行。为网站配置AWS全球加速器中的加速器

E. 从现有EC2实例创建亚马逊机器镜像(AMI)。使用该AMI在应用程序负载均衡器后配置新实例，作为自动扩展组的一部分。将自动扩展组配置为至少保持两个实例运行。为网站配置亚马逊CloudFront分发。

97. A company runs an infrastructure monitoring service. The company is building a new feature that will enable the service to monitor data in
customer AWS accounts. The new feature will call AWS APIs in customer accounts to describe Amazon EC2 instances and read Amazon
CloudWatch metrics.
What should the company do to obtain access to customer accounts in the MOST secure way?
A. Ensure that the customers create an IAM role in their account with read-only EC2 and CloudWatch permissions and a trust policy to the
company’s account.
B. Create a serverless API that implements a token vending machine to provide temporary AWS credentials for a role with read-only EC2
and CloudWatch permissions.
C. Ensure that the customers create an IAM user in their account with read-only EC2 and CloudWatch permissions. Encrypt and store
customer access and secret keys in a secrets management system.
D. Ensure that the customers create an Amazon Cognito user in their account to use an IAM role with read-only EC2 and CloudWatch
permissions. Encrypt and store the Amazon Cognito user and password in a secrets management system.

一家公司运营着基础设施监控服务。该公司正在构建一个能够监控客户亚马逊云科技（AWS）账户数据的新功能。此新功能将调用客户账户中的AWS应用程序接口（API），以描述亚马逊弹性计算云（Amazon EC2）实例和读取亚马逊云监控（Amazon CloudWatch）指标。

该公司应当采取哪项措施，以最安全的方式获取客户账户访问权限？

A. 确保客户在其账户中创建一个具有只读EC2和CloudWatch权限的身份与访问管理（IAM）角色，并设置对公司账户的信任策略。

B. 创建无服务器应用程序接口（API），实现凭证分发机制，为具有只读EC2和CloudWatch权限的角色提供临时AWS凭证。

C. 确保客户在其账户中创建一个具有只读EC2和CloudWatch权限的身份与访问管理（IAM）用户，并将客户的访问密钥和秘密密钥加密存储在密钥管理系统。

D. 确保客户在其账户中创建一个亚马逊Cognito用户，以使用具有只读EC2和CloudWatch权限的身份与访问管理（IAM）角色，并将亚马逊Cognito用户名和密码加密存储在密钥管理系统。

98. A company needs to connect several VPCs in the us-east-1 Region that span hundreds of AWS accounts. The company’s networking team has
its own AWS account to manage the cloud network.
What is the MOST operationally e cient solution to connect the VPCs?
A. Set up VPC peering connections between each VPC. Update each associated subnet’s route table
B. Configure a NAT gateway and an internet gateway in each VPC to connect each VPC through the internet
C. Create an AWS Transit Gateway in the networking team’s AWS account. Configure static routes from each VPC.
D. Deploy VPN gateways in each VPC. Create a transit VPC in the networking team’s AWS account to connect to each VPC.

一家公司需要连接位于美国东部1（us-east-1）区域的数百个AWS账户中的多个VPC。该公司的网络团队拥有自己的AWS账户来管理云网络。
在这些VPC之间建立连接，最具有操作效率的解决方案是什么？
A. 在每个VPC之间建立VPC对等连接，并更新每个关联子网的路由表
B. 在每个VPC中配置NAT网关和互联网网关，通过互联网连接每个VPC
C. 在网络团队的AWS账户中创建一个AWS中转网关（Transit Gateway），并从每个VPC配置静态路由
D. 在每个VPC中部署VPN网关，在网络团队的AWS账户中创建一个中转VPC（transit VPC）以连接到每个VPC

99. A company has Amazon EC2 instances that run nightly batch jobs to process data. The EC2 instances run in an Auto Scaling group that uses
On-Demand billing. If a job fails on one instance, another instance will reprocess the job. The batch jobs run between 12:00 AM and 06:00 AM
local time every day.
Which solution will provide EC2 instances to meet these requirements MOST cost-effectively?
A. Purchase a 1-year Savings Plan for Amazon EC2 that covers the instance family of the Auto Scaling group that the batch job uses.
B. Purchase a 1-year Reserved Instance for the speci c instance type and operating system of the instances in the Auto Scaling group that
the batch job uses.
C. Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances. Set a policy to scale out based on CPU
usage.
D. Create a new launch template for the Auto Scaling group. Increase the instance size. Set a policy to scale out based on CPU usage.

一家公司使用亚马逊EC2实例来运行夜间批处理作业以处理数据。这些EC2实例在一个使用按需计费的自动扩展组中运行。
如果在某个实例上作业失败，另一个实例将会重新处理该作业。这些批处理作业每天在本地时间的凌晨12:00到早上6:00之间运行。
哪种解决方案能够以最具成本效益的方式提供满足这些要求的EC2实例？
A. 为Amazon EC2购买一个1年期的节省计划，覆盖批处理作业所使用的自动扩展组的实例系列。
B. 为批处理作业所使用的自动扩展组中的实例的具体实例类型和操作系统购买一个1年期的预留实例。
C. 为自动扩展组创建一个新的启动模板。将实例设置为Spot实例。设置一个基于CPU使用率扩展的策略。
D. 为自动扩展组创建一个新的启动模板。增加实例大小。设置一个基于CPU使用率扩展的策略。

100. A social media company is building a feature for its website. The feature will give users the ability to upload photos. The company expects
signi cant increases in demand during large events and must ensure that the website can handle the upload traffic from users.
Which solution meets these requirements with the MOST scalability?
A. Upload files from the user’s browser to the application servers. Transfer the files to an Amazon S3 bucket.
B. Provision an AWS Storage Gateway file gateway. Upload files directly from the user’s browser to the file gateway.
C. Generate Amazon S3 presigned URLs in the application. Upload files directly from the user’s browser into an S3 bucket.
D. Provision an Amazon Elastic File System (Amazon EFS) file system. Upload files directly from the user’s browser to the file system.

一家社交媒体公司正在为其网站开发一项功能。该功能将赋予用户上传照片的能力。公司预计在大型活动期间需求会显著增加，必须确保网站能够处理用户的上传流量。

哪种解决方案能在最大可扩展性方面满足这些需求？

A. 将文件从用户浏览器上传至应用服务器，再传输到亚马逊S3存储桶。
B. 配置AWS存储网关文件网关，直接从用户浏览器上传文件至文件网关。
C. 在应用程序中生成亚马逊S3预签名URL，直接从用户浏览器上传文件至S3存储桶。
D. 配置亚马逊弹性文件系统(Amazon EFS)，直接从用户浏览器上传文件至文件系统。

101. A company has a web application for travel ticketing. The application is based on a database that runs in a single data center in North
America. The company wants to expand the application to serve a global user base. The company needs to deploy the application to multiple
AWS Regions. Average latency must be less than 1 second on updates to the reservation database.
The company wants to have separate deployments of its web platform across multiple Regions. However, the company must maintain a single
primary reservation database that is globally consistent.
Which solution should a solutions architect recommend to meet these requirements?
A. Convert the application to use Amazon DynamoDB. Use a global table for the center reservation table. Use the correct Regional
endpoint in each Regional deployment.
B. Migrate the database to an Amazon Aurora MySQL database. Deploy Aurora Read Replicas in each Region. Use the correct Regional
endpoint in each Regional deployment for access to the database.
C. Migrate the database to an Amazon RDS for MySQL database. Deploy MySQL read replicas in each Region. Use the correct Regional
endpoint in each Regional deployment for access to the database.
D. Migrate the application to an Amazon Aurora Serverless database. Deploy instances of the database to each Region. Use the correct
Regional endpoint in each Regional deployment to access the database. Use AWS Lambda functions to process event streams in each
Region to synchronize the databases.

一家公司拥有一个用于旅游票务的网页应用程序。该应用程序基于一个在北美单一数据中心运行的数据库。
公司希望扩大该应用以服务全球用户群体。他们需要将应用程序部署到多个AWS区域。
对于预订数据库的更新操作，平均延迟必须小于1秒。

公司希望在多个区域分别部署其网页平台。但必须维护一个具有全局一致性的主要预订数据库。

解决方案架构师应推荐哪种方案来满足这些需求？

A. 将应用程序转换为使用Amazon DynamoDB。为核心预订表使用全局表。在每个区域部署中使用正确的区域端点。

B. 将数据库迁移到Amazon Aurora MySQL数据库。在每个区域部署Aurora读取副本。在每个区域部署中使用正确的区域端点来访问数据库。

C. 将数据库迁移到Amazon RDS for MySQL数据库。在每个区域部署MySQL读取副本。在每个区域部署中使用正确的区域端点来访问数据库。

D. 将应用程序迁移到Amazon Aurora Serverless数据库。向每个区域部署数据库实例。在每个区域部署中使用正确的区域端点访问数据库。使用AWS Lambda函数处理各区域中的事件流以同步数据库。

102. A company has migrated multiple Microsoft Windows Server workloads to Amazon EC2 instances that run in the us-west-1 Region. The
company manually backs up the workloads to create an image as needed.
In the event of a natural disaster in the us-west-1 Region, the company wants to recover workloads quickly in the us-west-2 Region. The
company wants no more than 24 hours of data loss on the EC2 instances. The company also wants to automate any backups of the EC2
instances.
Which solutions will meet these requirements with the LEAST administrative effort? (Choose two.)
A. Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup based on tags. Schedule the backup to
run twice daily. Copy the image on demand.
B. Create an Amazon EC2-backed Amazon Machine Image (AMI) lifecycle policy to create a backup based on tags. Schedule the backup to
run twice daily. Configure the copy to the us-west-2 Region.
C. Create backup vaults in us-west-1 and in us-west-2 by using AWS Backup. Create a backup plan for the EC2 instances based on tag
values. Create an AWS Lambda function to run as a scheduled job to copy the backup data to us-west-2.
D. Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the EC2 instances based on tag values. De ne
the destination for the copy as us-west-2. Specify the backup schedule to run twice daily.
E. Create a backup vault by using AWS Backup. Use AWS Backup to create a backup plan for the EC2 instances based on tag values.
Specify the backup schedule to run twice daily. Copy on demand to us-west-2.

一家公司已将多个Microsoft Windows Server工作负载迁移至运行在us-west-1区域的Amazon EC2实例上。
该公司根据需要手动备份工作负载以创建镜像。
若us-west-1区域发生自然灾害时，该公司希望能在us-west-2区域快速恢复工作负载。
该公司要求EC2实例数据丢失不超过24小时，同时还希望自动化EC2实例的所有备份流程。
哪种解决方案能以最少的管理工作量满足这些要求？（选择两项）
A. 创建基于标签的Amazon EC2支持的Amazon Machine Image（AMI）生命周期策略以生成备份。将备份计划设置为每日运行两次。按需复制镜像。
B. 创建基于标签的Amazon EC2支持的Amazon Machine Image（AMI）生命周期策略以生成备份。将备份计划设置为每日运行两次。配置复制至us-west-2区域。
C. 使用AWS Backup在us-west-1和us-west-2创建备份存储库。基于标签值为EC2实例创建备份计划。创建AWS Lambda函数作为定时任务运行以将备份数据复制至us-west-2。
D. 使用AWS Backup创建备份存储库。基于标签值使用AWS Backup为EC2实例创建备份计划。将副本目标区域定义为us-west-2。指定每日运行两次的备份计划。
E. 使用AWS Backup创建备份存储库。基于标签值使用AWS Backup为EC2实例创建备份计划。指定每日运行两次的备份计划。按需复制至us-west-2区域。