AWS SAP-C02 Real Exam Questions No.1-100


Chinese-English bilingual, human-translated, with full explanations: AWS SAP-C02 real exam questions No.1-100

1 / 100

Category: SAP-C02

1. A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs.
The company has the following DNS resolution requirements:
On-premises systems should be able to resolve and connect to cloud.example.com.
All VPCs should be able to resolve cloud.example.com.
There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway.
Which architecture should the company use to meet these requirements with the HIGHEST performance?
A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
B. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.
C. Associate the private hosted zone to the shared services VPC. Create a Route 53 outbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the outbound resolver.
D. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.


2. A company is providing weather data over a REST-based API to several customers. The API is hosted by Amazon API Gateway and is integrated with different AWS Lambda functions for each API operation. The company uses Amazon Route 53 for DNS and has created a resource record of weather.example.com. The company stores data for the API in Amazon DynamoDB tables. The company needs a solution that will give the API the ability to fail over to a different AWS Region.
Which solution will meet these requirements?
A. Deploy a new set of Lambda functions in a new Region. Update the API Gateway API to use an edge-optimized API endpoint with Lambda functions from both Regions as targets. Convert the DynamoDB tables to global tables.
B. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.
C. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a failover record. Enable target health monitoring. Convert the DynamoDB tables to global tables.
D. Deploy a new API Gateway API in a new Region. Change the Lambda functions to global functions. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.


3. A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU. Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
The company recently acquired a new business unit and invited the new unit’s existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company’s policies.
Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?
A. Remove the organization’s root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company’s standard AWS Config rules and deploy them throughout the organization, including the new account.
B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
C. Convert the organization’s root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization’s root that allows AWS Config actions for principals only in the new account.
D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization’s root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.


4. A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateful application. The application connects to a PostgreSQL database running on a separate server. The application’s user base is expected to grow significantly, so the company is migrating the application and database to AWS. The solution will use Amazon Aurora PostgreSQL, Amazon EC2 Auto Scaling, and Elastic Load Balancing.
Which solution will provide a consistent user experience that will allow the application and database tiers to scale?
A. Enable Aurora Auto Scaling for Aurora Replicas. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.
B. Enable Aurora Auto Scaling for Aurora writers. Use an Application Load Balancer with the round robin routing algorithm and sticky sessions enabled.
C. Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.
D. Enable Aurora Scaling for Aurora writers. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.


5. A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers.
The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions.
Which solution will meet these requirements?
A. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.
B. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Modify the default gateway responses to remove the problematic headers based on the value of the User-Agent header.
C. Create an Amazon API Gateway HTTP API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Create a response mapping template to remove the problematic headers based on the value of the User-Agent. Associate the response data mapping with the HTTP API.
D. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.


6. A company is running a traditional web application on Amazon EC2 instances. The company needs to refactor the application as microservices that run on containers. Separate versions of the application exist in two distinct environments: production and testing. Load for the application is variable, but the minimum load and the maximum load are known. A solutions architect needs to design the updated application with a serverless architecture that minimizes operational complexity.
Which solution will meet these requirements MOST cost-effectively?
A. Upload the container images to AWS Lambda as functions. Configure a concurrency limit for the associated Lambda functions to handle the expected peak load. Configure two separate Lambda integrations within Amazon API Gateway: one for production and one for testing.
B. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.
C. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Kubernetes Service (Amazon EKS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the EKS clusters.
D. Upload the container images to AWS Elastic Beanstalk. In Elastic Beanstalk, create separate environments and deployments for production and testing. Configure two separate Application Load Balancers to direct traffic to the Elastic Beanstalk deployments.


7. A company has a multi-tier web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB and the Auto Scaling group are replicated in a backup AWS Region. The minimum value and the maximum value for the Auto Scaling group are set to zero. An Amazon RDS Multi-AZ DB instance stores the application’s data. The DB instance has a read replica in the backup Region. The application presents an endpoint to end users by using an Amazon Route 53 record.
The company needs to reduce its RTO to less than 15 minutes by giving the application the ability to automatically fail over to the backup Region. The company does not have a large enough budget for an active-active strategy.
What should a solutions architect recommend to meet these requirements?
A. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.
B. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Configure Route 53 with a health check that monitors the web application and sends an Amazon Simple Notification Service (Amazon SNS) notification to the Lambda function when the health check status is unhealthy. Update the application’s Route 53 record with a failover policy that routes traffic to the ALB in the backup Region when a health check failure occurs.
C. Configure the Auto Scaling group in the backup Region to have the same values as the Auto Scaling group in the primary Region. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Remove the read replica. Replace the read replica with a standalone RDS DB instance. Configure Cross-Region Replication between the RDS DB instances by using snapshots and Amazon S3.
D. Configure an endpoint in AWS Global Accelerator with the two ALBs as equal weighted targets. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.


8. A company is hosting a critical application on a single Amazon EC2 instance. The application uses an Amazon ElastiCache for Redis single-node cluster for an in-memory data store. The application uses an Amazon RDS for MariaDB DB instance for a relational database. For the application to function, each piece of the infrastructure must be healthy and must be in an active state.
A solutions architect needs to improve the application’s architecture so that the infrastructure can automatically recover from failure with the least possible downtime.
Which combination of steps will meet these requirements? (Choose three.)
A. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are part of an Auto Scaling group that has a minimum capacity of two instances.
B. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are configured in unlimited mode.
C. Modify the DB instance to create a read replica in the same Availability Zone. Promote the read replica to be the primary DB instance in failure scenarios.
D. Modify the DB instance to create a Multi-AZ deployment that extends across two Availability Zones.
E. Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances.
F. Create a replication group for the ElastiCache for Redis cluster. Enable Multi-AZ on the cluster.


9. A retail company is operating its ecommerce application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses an Amazon RDS DB instance as the database backend. Amazon CloudFront is configured with one origin that points to the ALB. Static content is cached. Amazon Route 53 is used to host all public zones.
After an update of the application, the ALB occasionally returns a 502 status code (Bad Gateway) error. The root cause is malformed HTTP headers that are returned to the ALB. The webpage returns successfully when a solutions architect reloads the webpage immediately after the error occurs.
While the company is working on the problem, the solutions architect needs to provide a custom error page instead of the standard ALB error page to visitors.
Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Choose two.)
A. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload the custom error pages to Amazon S3.
B. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Target.FailedHealthChecks is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a publicly accessible web server.
C. Modify the existing Amazon Route 53 records by adding health checks. Configure a fallback target if the health check fails. Modify DNS records to point to a publicly accessible webpage.
D. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Elb.InternalError is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a publicly accessible web server.
E. Add a custom error response by configuring a CloudFront custom error page. Modify DNS records to point to a publicly accessible web page.


10. A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.
The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.
Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)
A. Create a transit gateway in the infrastructure account.
B. Enable resource sharing from the AWS Organizations management account.
C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
E. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.


11. A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC.
The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions must conform to the principles of least privilege.
Which solution meets these requirements?
A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
C. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.


12. A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching. Management requires a single report showing the patch status of all the servers and instances.
Which set of actions should a solutions architect take to meet these requirements?
A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports.
B. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use Amazon QuickSight integration with OpsWorks to generate patch compliance reports.
C. Use an Amazon EventBridge rule to apply patches by scheduling an AWS Systems Manager patch remediation job. Use Amazon Inspector to generate patch compliance reports.
D. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use AWS X-Ray to post the patch status to AWS Systems Manager OpsCenter to generate patch compliance reports.


13. A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.
Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?
A. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.
B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.
C. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.
D. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.


14. A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The
company’s applications and databases are running in Account B.
A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the
Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance.
The solutions architect con rmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)
A. Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance’s private IP in the private hosted zone.
B. Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
C. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.
D. Create a private hosted zone for the example.com domain in Account B. Configure Route 53 replication between AWS accounts.
E. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.
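
The cross-account association that options C and E describe, carried through as an added example that is not part of the original page: Account A authorizes the specific VPC, Account B performs the association, Account A deletes the spent authorization. It starts with the check a practitioner wants before blaming the record set: a private hosted zone only answers inside a VPC that has both enableDnsSupport and enableDnsHostnames set. boto3 clients are assumed for the real run but injected here so the logic executes offline against the fakes below; the zone ID, VPC ID and region are placeholders.

```python
"""Cross-account association of a Route 53 private hosted zone, as an added example.

Order of operations: the zone owner (Account A) authorizes one specific VPC in
Account B, the VPC owner (Account B) performs the association, and Account A then
removes the authorization. Clients are injected so the logic runs offline; in
production pass boto3.client("route53") created with each account's credentials
and boto3.client("ec2") from Account B. Identifiers are placeholders.
"""

DNS_ATTRIBUTES = ("enableDnsSupport", "enableDnsHostnames")


def vpc_dns_attributes(ec2_b, vpc_id):
    """Return {attribute: bool} for the two VPC attributes private hosted zones need."""
    result = {}
    for attr in DNS_ATTRIBUTES:
        resp = ec2_b.describe_vpc_attribute(VpcId=vpc_id, Attribute=attr)
        key = attr[0].upper() + attr[1:]   # EC2 answers with EnableDnsSupport / EnableDnsHostnames
        result[attr] = bool(resp[key]["Value"])
    return result


def associate_cross_account(route53_a, route53_b, ec2_b, zone_id, vpc_id, region):
    """Authorize (Account A), associate (Account B), then delete the authorization (Account A)."""
    missing = [k for k, v in vpc_dns_attributes(ec2_b, vpc_id).items() if not v]
    if missing:
        raise RuntimeError("%s must have %s enabled before association" % (vpc_id, ", ".join(missing)))
    vpc = {"VPCRegion": region, "VPCId": vpc_id}
    # Step 1, Account A: authorization scoped to exactly this zone and this VPC.
    route53_a.create_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    # Step 2, Account B: only the VPC owner can perform the association.
    route53_b.associate_vpc_with_hosted_zone(HostedZoneId=zone_id, VPC=vpc,
                                             Comment="cross-account association for %s" % vpc_id)
    # Step 3, Account A: remove the authorization so the VPC cannot be re-associated
    # later without a fresh review. Deleting it does not undo the association.
    route53_a.delete_vpc_association_authorization(HostedZoneId=zone_id, VPC=vpc)
    return vpc


class FakeRoute53:
    """Offline stand-in for boto3's Route 53 client; records the calls it receives."""
    def __init__(self):
        self.calls = []

    def create_vpc_association_authorization(self, **kw):
        self.calls.append(("create_vpc_association_authorization", kw))

    def associate_vpc_with_hosted_zone(self, **kw):
        self.calls.append(("associate_vpc_with_hosted_zone", kw))
        return {"ChangeInfo": {"Status": "PENDING"}}

    def delete_vpc_association_authorization(self, **kw):
        self.calls.append(("delete_vpc_association_authorization", kw))


class FakeEC2:
    """Offline stand-in for boto3's EC2 client with fixed VPC attributes."""
    def __init__(self, attributes):
        self.attributes = attributes

    def describe_vpc_attribute(self, VpcId, Attribute):
        key = Attribute[0].upper() + Attribute[1:]
        return {"VpcId": VpcId, key: {"Value": self.attributes[Attribute]}}


if __name__ == "__main__":
    a, b = FakeRoute53(), FakeRoute53()
    ec2 = FakeEC2({"enableDnsSupport": True, "enableDnsHostnames": True})
    associate_cross_account(a, b, ec2, "Z0123456789EXAMPLE", "vpc-0abc1234def567890", "us-east-1")
    print([name for name, _ in a.calls], [name for name, _ in b.calls])
```

Note that the instance still resolves through the VPC's own Route 53 Resolver (the .2 address); editing /etc/resolv.conf as in option B bypasses that resolver and so bypasses every private hosted zone, which is why it cannot be part of the fix.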

15. A company used Amazon EC2 instances to deploy a web fleet to host a blog site. The EC2 instances are behind an Application Load Balancer
(ALB) and are configured in an Auto Scaling group. The web application stores all blog content on an Amazon EFS volume.
The company recently added a feature for bloggers to add video to their posts, attracting 10 times the previous user traffic. At peak times of day,
users report buffering and timeout issues while attempting to reach the site or watch videos.
Which is the MOST cost-efficient and scalable deployment that will resolve the issues for users?
A. Reconfigure Amazon EFS to enable maximum I/O.
B. Update the blog site to use instance store volumes for storage. Copy the site contents to the volumes at launch and to Amazon S3 at
shutdown.
C. Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and migrate the videos from EFS to Amazon S3.
D. Set up an Amazon CloudFront distribution for all site contents, and point the distribution at the ALB.

16. A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company’s on-premises network
uses the connection to communicate with the company’s resources in the AWS Cloud. The connection has a single private virtual interface that
connects to a single VPC.
A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must
provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.
Which solution meets these requirements?
A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct
Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct
Connect gateway. Connect the Direct Connect gateway to the single VPC.
B. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new private virtual interface on the new
connection, and connect the new private virtual interface to the single VPC.
C. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new public virtual interface on the new
connection, and connect the new public virtual interface to the single VPC.
D. Provision a transit gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect
connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gateway.
Associate the transit gateway with the single VPC.

17. A company has a web application that allows users to upload short videos. The videos are stored on Amazon EBS volumes and analyzed by
custom recognition software for categorization.
The website contains static content that has variable traffic with peaks in certain months. The architecture consists of Amazon EC2 instances
running in an Auto Scaling group for the web application and EC2 instances running in an Auto Scaling group to process an Amazon SQS queue.
The company wants to re-architect the application to reduce operational overhead using AWS managed services where possible and remove
dependencies on third-party software.
Which solution meets these requirements?
A. Use Amazon ECS containers for the web application and Spot instances for the Auto Scaling group that processes the SQS queue. Replace
the custom software with Amazon Rekognition to categorize the videos.
B. Store the uploaded videos in Amazon EFS and mount the file system to the EC2 instances for the web application. Process the SQS queue
with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.
C. Host the web application in Amazon S3. Store the uploaded videos in Amazon S3. Use S3 event notification to publish events to the SQS
queue. Process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.
D. Use AWS Elastic Beanstalk to launch EC2 instances in an Auto Scaling group for the web application and launch a worker environment to
process the SQS queue. Replace the custom software with Amazon Rekognition to categorize the videos.

18. A company has a serverless application comprised of Amazon CloudFront, Amazon API Gateway, and AWS Lambda functions. The current
deployment process of the application code is to create a new version number of the Lambda function and run an AWS CLI script to update. If the
new function version has errors, another CLI script reverts by deploying the previous working version of the function. The company would like to
decrease the time to deploy new versions of the application logic provided by the Lambda functions, and also reduce the time to detect and revert
when errors are identified.
How can this be accomplished?
A. Create and deploy nested AWS CloudFormation stacks with the parent stack consisting of the AWS CloudFront distribution and API
Gateway, and the child stack containing the Lambda function. For changes to Lambda, create an AWS CloudFormation change set and deploy;
if errors are triggered, revert the AWS CloudFormation change set to the previous version.
B. Use AWS SAM and built-in AWS CodeDeploy to deploy the new Lambda version, gradually shift traffic to the new version, and use pre-traffic
and post-traffic test functions to verify code. Rollback if Amazon CloudWatch alarms are triggered.
C. Refactor the AWS CLI scripts into a single script that deploys the new Lambda version. When deployment is completed, the script tests
execute. If errors are detected, revert to the previous Lambda version.
D. Create and deploy an AWS CloudFormation stack that consists of a new API Gateway endpoint that references the new Lambda version.
Change the CloudFront origin to the new API Gateway endpoint, monitor errors and if detected, change the AWS CloudFront origin to the
previous API Gateway endpoint.

19. A company is planning to store a large number of archived documents and make the documents available to employees through the corporate
intranet. Employees will access the system by connecting through a client VPN service that is attached to a VPC. The data must not be accessible
to the public.
The documents that the company is storing are copies of data that is held on physical media elsewhere. The number of requests will be low.
Availability and speed of retrieval are not concerns of the company.
Which solution will meet these requirements at the LOWEST cost?
A. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 One Zone-Infrequent Access (S3 One Zone-IA) storage class as default.
Configure the S3 bucket for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that
endpoint.
B. Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic File System (Amazon EFS) file system to store the
archived data in the EFS One Zone-Infrequent Access (EFS One Zone-IA) storage class. Configure the instance security groups to allow access
only from private networks.
C. Launch an Amazon EC2 instance that runs a web server. Attach an Amazon Elastic Block Store (Amazon EBS) volume to store the archived
data. Use the Cold HDD (sc1) volume type. Configure the instance security groups to allow access only from private networks.
D. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 Glacier Deep Archive storage class as default. Configure the S3 bucket
for website hosting. Create an S3 interface endpoint. Configure the S3 bucket to allow access only through that endpoint.

20. A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service
to sign in to the company’s AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the
on-premises environment and all the company’s AWS accounts.
The company’s security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a
single location.
Which solution will meet these requirements?
A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to Active Directory by using SAML 2.0. Enable automatic provisioning
by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using attribute-based
access controls (ABACs).
B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM Identity Center as an identity source. Enable automatic provisioning
by using the System for Cross-domain Identity Management (SCIM) v2.0 protocol. Grant access to the AWS accounts by using IAM Identity
Center permission sets.
C. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use a SAML 2.0 identity provider.
Provision IAM users that are mapped to the federated users. Grant access that corresponds to appropriate groups in Active Directory. Grant
access to the required AWS accounts by using cross-account IAM users.
D. In one of the company’s AWS accounts, configure AWS Identity and Access Management (IAM) to use an OpenID Connect (OIDC) identity
provider. Provision IAM roles that grant access to the AWS account for the federated users that correspond to appropriate groups in Active
Directory. Grant access to the required AWS accounts by using cross-account IAM roles.

21. A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an
Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a
small number of clients that are authenticated with specific API keys.
A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can
tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API’s reputation.
What should the solutions architect recommend to improve the customer experience?
A. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and
handled with descriptive error messages.
B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without
error.
C. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is
appropriate for the workload.
D. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.
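
What the usage-plan throttle in option B enforces and how the client should react to it, as an added example that is not part of the original page. API Gateway's per-key throttle is a token bucket (a sustained rate plus a burst it will absorb) and rejected requests get HTTP 429; the TokenBucket below models only that so the client code can be driven offline on a fake clock. The retry loop backs off exponentially with full jitter, honours Retry-After when present, and gives up after a bounded number of attempts so the user sees one clear message instead of raw 429s. The `send` callable, the fake clock and the 429 body are assumptions of the example.

```python
"""Usage-plan throttling seen from both sides, as an added example.

TokenBucket models API Gateway's rate-plus-burst throttle so the client code can
be exercised offline; `send` is any callable that performs the request and
returns (status, headers, body).
"""
import random
import time

RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


class TokenBucket:
    """Model of the per-key throttle: `rate` tokens/second refilled, `burst` capacity."""
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate, self.burst, self.clock = float(rate), float(burst), clock
        self.tokens, self.last = self.burst, clock()

    def allow(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def backoff_delay(attempt, base=0.2, cap=10.0, rng=random.random):
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)].
    Jitter is what stops every throttled client retrying in lock-step."""
    return rng() * min(cap, base * (2 ** attempt))


def retry_after_seconds(headers):
    """Honour a Retry-After header given in seconds; ignore anything unparsable."""
    value = headers.get("Retry-After")
    if value is None:
        return None
    try:
        return max(0.0, float(value))
    except ValueError:
        return None


def put_with_retry(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Issue the request, retrying on 429/5xx. Returns (status, body, attempts).

    Raises RuntimeError once max_attempts is exhausted so the caller shows one
    clear message rather than a stream of raw 429s."""
    status = None
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status not in RETRYABLE_STATUSES:
            return status, body, attempt + 1
        if attempt == max_attempts - 1:
            break
        delay = retry_after_seconds(headers)
        if delay is None:
            delay = backoff_delay(attempt, rng=rng)
        sleep(delay)
    raise RuntimeError("request still failing (%s) after %d attempts" % (status, max_attempts))


def simulate(rate, burst, requests, rng=random.random):
    """Drive a client against a throttled endpoint on a fake clock; return attempts per request."""
    now = [0.0]
    bucket = TokenBucket(rate, burst, clock=lambda: now[0])

    def sleep(seconds):
        now[0] += seconds

    def send():
        if bucket.allow():
            return 200, {}, '{"ok": true}'
        return 429, {}, '{"message": "Too Many Requests"}'   # API Gateway's throttle response body

    return [put_with_retry(send, sleep=sleep, rng=rng)[2] for _ in range(requests)]


if __name__ == "__main__":
    print(simulate(rate=1, burst=2, requests=3, rng=lambda: 1.0))
```

With rng pinned to 1.0 the third request in the simulation is throttled three times (0.2 s, 0.4 s, 0.8 s of backoff) before the bucket has refilled a whole token; with jitter disabled the way a naive client does it, every throttled client would retry at exactly those instants and collide again.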

22. A company is running a data-intensive application on AWS. The application runs on a cluster of hundreds of Amazon EC2 instances. A shared file
system also runs on several EC2 instances that store 200 TB of data. The application reads and modifies the data on the shared file system and
generates a report. The job runs once monthly, reads a subset of the files from the shared file system, and takes about 72 hours to complete. The
compute instances scale in an Auto Scaling group, but the instances that host the shared file system run continuously. The compute and storage
instances are all in the same AWS Region.
A solutions architect needs to reduce costs by replacing the shared file system instances. The file system must provide high performance access
to the needed data for the duration of the 72-hour run.
Which solution will provide the LARGEST overall cost reduction while meeting these requirements?
A. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Intelligent-Tiering storage class. Before the
job runs each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using lazy loading. Use the new
file system as the shared storage for the duration of the job. Delete the file system when the job is complete.
B. Migrate the data from the existing shared file system to a large Amazon Elastic Block Store (Amazon EBS) volume with Multi-Attach
enabled. Attach the EBS volume to each of the instances by using a user data script in the Auto Scaling group launch template. Use the EBS
volume as the shared storage for the duration of the job. Detach the EBS volume when the job is complete.
C. Migrate the data from the existing shared file system to an Amazon S3 bucket that uses the S3 Standard storage class. Before the job runs
each month, use Amazon FSx for Lustre to create a new file system with the data from Amazon S3 by using batch loading. Use the new file
system as the shared storage for the duration of the job. Delete the file system when the job is complete.
D. Migrate the data from the existing shared file system to an Amazon S3 bucket. Before the job runs each month, use AWS Storage Gateway
to create a file gateway with the data from Amazon S3. Use the file gateway as the shared storage for the job. Delete the file gateway when the
job is complete.

23. A company is developing a new service that will be accessed using TCP on a static port. A solutions architect must ensure that the service is
highly available, has redundancy across Availability Zones, and is accessible using the DNS name my.service.com, which is publicly accessible.
The service must use fixed address assignments so other companies can add the addresses to their allow lists.
Assuming that resources are deployed in multiple Availability Zones in a single Region, which solution will meet these requirements?
A. Create Amazon EC2 instances with an Elastic IP address for each instance. Create a Network Load Balancer (NLB) and expose the static
TCP port. Register EC2 instances with the NLB. Create a new name server record set named my.service.com, and assign the Elastic IP
addresses of the EC2 instances to the record set. Provide the Elastic IP addresses of the EC2 instances to the other companies to add to their
allow lists.
B. Create an Amazon ECS cluster and a service definition for the application. Create and assign public IP addresses for the ECS cluster. Create
a Network Load Balancer (NLB) and expose the TCP port. Create a target group and assign the ECS cluster name to the NLB. Create a new A
record set named my.service.com, and assign the public IP addresses of the ECS cluster to the record set. Provide the public IP addresses of
the ECS cluster to the other companies to add to their allow lists.
C. Create Amazon EC2 instances for the service. Create one Elastic IP address for each Availability Zone. Create a Network Load Balancer
(NLB) and expose the assigned TCP port. Assign the Elastic IP addresses to the NLB for each Availability Zone. Create a target group and
register the EC2 instances with the NLB. Create a new A (alias) record set named my.service.com, and assign the NLB DNS name to the record
set.
D. Create an Amazon ECS cluster and a service definition for the application. Create and assign public IP address for each host in the cluster.
Create an Application Load Balancer (ALB) and expose the static TCP port. Create a target group and assign the ECS service definition name
to the ALB. Create a new CNAME record set and associate the public IP addresses to the record set. Provide the Elastic IP addresses of the
Amazon EC2 instances to the other companies to add to their allow lists.

24. A company uses an on-premises data analytics platform. The system is highly available in a fully redundant configuration across 12 servers in the
company’s data center.
The system runs scheduled jobs, both hourly and daily, in addition to one-time requests from users. Scheduled jobs can take between 20 minutes
and 2 hours to finish running and have tight SLAs. The scheduled jobs account for 65% of the system usage. User jobs typically finish running in
less than 5 minutes and have no SLA. The user jobs account for 35% of system usage. During system failures, scheduled jobs must continue to
meet SLAs. However, user jobs can be delayed.
A solutions architect needs to move the system to Amazon EC2 instances and adopt a consumption-based model to reduce costs with no
long-term commitments. The solution must maintain high availability and must not affect the SLAs.
Which solution will meet these requirements MOST cost-effectively?
A. Split the 12 instances across two Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand
Instances with Capacity Reservations. Run four instances in each Availability Zone as Spot Instances.
B. Split the 12 instances across three Availability Zones in the chosen AWS Region. In one of the Availability Zones, run all four instances as
On-Demand Instances with Capacity Reservations. Run the remaining instances as Spot Instances.
C. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run two instances in each Availability Zone as On-Demand
Instances with a Savings Plan. Run two instances in each Availability Zone as Spot Instances.
D. Split the 12 instances across three Availability Zones in the chosen AWS Region. Run three instances in each Availability Zone as
On-Demand Instances with Capacity Reservations. Run one instance in each Availability Zone as a Spot Instance.

25. A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in
Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve
security:
The database must use strong, randomly generated passwords stored in a secure AWS managed service.
The application resources must be deployed through AWS CloudFormation.
The application must rotate credentials for the database every 90 days.
A solutions architect will generate a CloudFormation template to deploy the application.
Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational
overhead?
A. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the
database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
B. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda
function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password
every 90 days.
C. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the
database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
D. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync
DataSource resource to automatically rotate the database password every 90 days.

26. A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data
accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.
Which solutions meet these requirements? (Choose two.)
A. Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration
type.
B. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS
integration type.
C. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the
DynamoDB tables.
D. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data
from the DynamoDB tables.
E. Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.

27. A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will
redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are
managed by Amazon Route 53.
A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests.
Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose
three.)
A. Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with
the event message to look up and respond with a redirect URL.
B. Create an Application Load Balancer that includes HTTP and HTTPS listeners.
C. Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a
redirect URL.
D. Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.
E. Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.
F. Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.
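
The redirect function that options C and E describe, as an added example that is not part of the original page. CloudFront (or an API Gateway custom domain) terminates HTTP and HTTPS for all the marketing domains behind one ACM certificate that lists them as Subject Alternative Names, and invokes this function; the function looks the request's Host header up in the JSON document and answers with a redirect. Two properties make it safe to expose: unknown hosts fail closed with 404 rather than a guessed redirect, and the Location value comes from the document, never from request data, so the endpoint cannot be abused as an open redirector. The code assumes the Lambda@Edge viewer-request event shape (Lambda@Edge has no environment variables, so the document is bundled with the code); the domains and targets in REDIRECTS_JSON are constructed for the example.

```python
"""Host-to-URL redirect function driven by a JSON document, as an added example.

Written for the Lambda@Edge viewer-request event. Only hosts present in the
document are honoured and the Location header is copied from the document, so
request data never reaches the redirect target. Domains below are constructed.
"""
import json

REDIRECTS_JSON = """{
  "spring-sale.example": "https://www.example.com/campaigns/spring",
  "www.spring-sale.example": "https://www.example.com/campaigns/spring",
  "newproduct.example": "https://www.example.com/products/new?utm_source=redirect"
}"""
REDIRECTS = json.loads(REDIRECTS_JSON)


def normalize_host(host):
    """Lower-case, drop a trailing dot and any :port so lookups match the document."""
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):          # bracketed IPv6 literal: never in the table
        return host
    return host.split(":", 1)[0]


def lookup(host, table=REDIRECTS):
    """Redirect target for a host, or None when the host is not in the document."""
    return table.get(normalize_host(host))


def make_event(host, uri="/"):
    """Constructed Lambda@Edge viewer-request event with only the fields the handler reads."""
    headers = {"host": [{"key": "Host", "value": host}]} if host is not None else {}
    return {"Records": [{"cf": {"request": {"method": "GET", "uri": uri, "headers": headers}}}]}


def handler(event, context=None):
    """Viewer-request handler that returns a generated response instead of forwarding."""
    request = event["Records"][0]["cf"]["request"]
    host_values = request.get("headers", {}).get("host", [])
    host = host_values[0]["value"] if host_values else ""
    target = lookup(host)
    if target is None:
        return {
            "status": "404",
            "statusDescription": "Not Found",
            "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
            "body": "unknown host",
        }
    return {
        "status": "301",
        "statusDescription": "Moved Permanently",
        "headers": {
            "location": [{"key": "Location", "value": target}],
            # Browsers cache a 301 aggressively; a short max-age bounds how long a
            # stale target lingers after the JSON document changes.
            "cache-control": [{"key": "Cache-Control", "value": "max-age=300"}],
        },
    }


if __name__ == "__main__":
    print(handler(make_event("Spring-Sale.example:443"))["headers"]["location"][0]["value"])
    print(handler(make_event("evil.example"))["status"])
```

Because the lookup is an exact match on the normalised host, a look-alike such as spring-sale.example.evil.example is rejected rather than prefix-matched; redeploying the function is the only way to add a domain, which is the trade-off for keeping the target table out of reach of request data.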

28. A company that has multiple AWS accounts is using AWS Organizations. The company’s AWS accounts host VPCs, Amazon EC2 instances, and
containers.
The company’s compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2
instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance
related resources with a key of “costCenter” and a value of “compliance”.
The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the
compliance team’s AWS account. The cost calculation must be as accurate as possible.
What should a solutions architect do to meet these requirements?
A. In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports
to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter
tagged resources.
B. In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to
save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the
total cost for the costCenter tagged resources.
C. In the member accounts of the organization activate the costCenter user-de ned tag. From the management account, schedule a monthly
AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.
D. Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the
costCenter tagged resources in the compliance team’s AWS account.

29. A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company
wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is
created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.
Which combination of steps will meet these requirements? (Choose two.)
A. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
B. From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
C. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway
attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway
ID.
D. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit
gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit
gateway service-linked role.
E. From the management account, share the transit gateway with member accounts by using AWS Service Catalog.

30. An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS
Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by
procurement managers. The procurement team’s policy indicates that developers should be able to obtain third-party software from an approved
list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private
Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users,
groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.
What is the MOST efficient way to design an architecture to meet these requirements?
A. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to
the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the
AWSPrivateMarketplaceAdminFullAccess managed policy.
B. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed
policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the
developer roles.
C. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the
AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer
Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny
permissions to create an IAM role named procurement-manager-role to everyone in the organization.
D. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the
AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer
Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the
organization.

31. A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients
connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing
policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app
has not been able to keep up with the traffic.
A solutions architect needs to implement a solution so that the app can handle the new and varying load.
Which solution will meet these requirements with the LEAST operational overhead?
A. Separate the API into individual AWS Lambda functions. Configure an Amazon API Gateway REST API with Lambda integration for the
backend. Update the Route 53 record to point to the API Gateway API.
B. Containerize the API logic. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Run the containers in the cluster by using
Amazon EC2. Create a Kubernetes ingress. Update the Route 53 record to point to the Kubernetes ingress.
C. Create an Auto Scaling group. Place all the EC2 instances in the Auto Scaling group. Configure the Auto Scaling group to perform scaling
actions that are based on CPU utilization. Create an AWS Lambda function that reacts to Auto Scaling group changes and updates the Route
53 record.
D. Create an Application Load Balancer (ALB) in front of the API. Move the EC2 instances to private subnets in the VPC. Add the EC2
instances as targets for the ALB. Update the Route 53 record to point to the ALB.

32. A company has created an OU in AWS Organizations for each of its engineering teams. Each OU owns multiple AWS accounts. The organization
has hundreds of AWS accounts.
A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts.
Which solution meets these requirements?
A. Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager. Allow each team to visualize the CUR
through an Amazon QuickSight dashboard.
B. Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account. Allow each team to visualize the CUR
through an Amazon QuickSight dashboard.
C. Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account. Allow each team to visualize the CUR through an
Amazon QuickSight dashboard.
D. Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager. Allow each team to visualize the CUR through Systems
Manager OpsCenter dashboards.

33. A company is storing data on premises on a Windows file server. The company produces 5 GB of new data daily.
The company migrated part of its Windows-based workload to AWS and needs the data to be available on a file system in the cloud. The company
already has established an AWS Direct Connect connection between the on-premises network and AWS.
Which data migration strategy should the company use?
A. Use the file gateway option in AWS Storage Gateway to replace the existing Windows file server, and point the existing file share to the new
file gateway.
B. Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon FSx.
C. Use AWS Data Pipeline to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File
System (Amazon EFS).
D. Use AWS DataSync to schedule a daily task to replicate data between the on-premises Windows file server and Amazon Elastic File System
(Amazon EFS).

34. A company’s solutions architect is reviewing a web application that runs on AWS. The application references static assets in an Amazon S3
bucket in the us-east-1 Region. The company needs resiliency across multiple AWS Regions. The company already has created an S3 bucket in a
second Region.
Which solution will meet these requirements with the LEAST operational overhead?
A. Configure the application to write each object to both S3 buckets. Set up an Amazon Route 53 public hosted zone with a record set by using
a weighted routing policy for each S3 bucket. Configure the application to reference the objects by using the Route 53 DNS name.
B. Create an AWS Lambda function to copy objects from the S3 bucket in us-east-1 to the S3 bucket in the second Region. Invoke the Lambda
function each time an object is written to the S3 bucket in us-east-1. Set up an Amazon CloudFront distribution with an origin group that
contains the two S3 buckets as origins.
C. Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. Set up an Amazon CloudFront
distribution with an origin group that contains the two S3 buckets as origins.
D. Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. If failover is required, update
the application code to load S3 objects from the S3 bucket in the second Region.

35. A company is hosting a three-tier web application in an on-premises environment. Due to a recent surge in traffic that resulted in downtime and a
significant financial impact, company management has ordered that the application be moved to AWS. The application is written in .NET and has a
dependency on a MySQL database. A solutions architect must design a scalable and highly available solution to meet the demand of 200,000
daily users.
Which steps should the solutions architect take to design an appropriate solution?
A. Use AWS Elastic Beanstalk to create a new application with a web server environment and an Amazon RDS MySQL Multi-AZ DB instance.
The environment should launch a Network Load Balancer (NLB) in front of an Amazon EC2 Auto Scaling group in multiple Availability Zones.
Use an Amazon Route 53 alias record to route traffic from the company’s domain to the NLB.
B. Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon EC2 Auto Scaling group
spanning three Availability Zones. The stack should launch a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a Retain
deletion policy. Use an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB.
C. Use AWS Elastic Beanstalk to create an automatically scaling web server environment that spans two separate Regions with an Application
Load Balancer (ALB) in each Region. Create a Multi-AZ deployment of an Amazon Aurora MySQL DB cluster with a cross-Region read replica.
Use Amazon Route 53 with a geoproximity routing policy to route traffic between the two Regions.
D. Use AWS CloudFormation to launch a stack containing an Application Load Balancer (ALB) in front of an Amazon ECS cluster of Spot
instances spanning three Availability Zones. The stack should launch an Amazon RDS MySQL DB instance with a Snapshot deletion policy.
Use an Amazon Route 53 alias record to route traffic from the company’s domain to the ALB.

36. A company is using AWS Organizations to manage multiple AWS accounts. For security purposes, the company requires the creation of an
Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations
member accounts.
A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of
CloudFormation stacks. Trusted access has been enabled in Organizations.
What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?
A. Create a stack set in the Organizations member accounts. Use service-managed permissions. Set deployment options to deploy to an
organization. Use CloudFormation StackSets drift detection.
B. Create stacks in the Organizations member accounts. Use self-service permissions. Set deployment options to deploy to an organization.
Enable the CloudFormation StackSets automatic deployment.
C. Create a stack set in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the
organization. Enable CloudFormation StackSets automatic deployment.
D. Create stacks in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the
organization. Enable CloudFormation StackSets drift detection.

37. A company wants to migrate its workloads from on premises to AWS. The workloads run on Linux and Windows. The company has a large
on-premises infrastructure that consists of physical machines and VMs that host numerous applications.
The company must capture details about the system configuration, system performance, running processes, and network connections of its
on-premises workloads. The company also must divide the on-premises applications into groups for AWS migrations. The company needs
recommendations for Amazon EC2 instance types so that the company can run its workloads on AWS in the most cost-effective manner.
Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)
A. Assess the existing applications by installing AWS Application Discovery Agent on the physical machines and VMs.
B. Assess the existing applications by installing AWS Systems Manager Agent on the physical machines and VMs.
C. Group servers into applications for migration by using AWS Systems Manager Application Manager.
D. Group servers into applications for migration by using AWS Migration Hub.
E. Generate recommended instance types and associated costs by using AWS Migration Hub.
F. Import data about server sizes into AWS Trusted Advisor. Follow the recommendations for cost optimization.

38. A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone
contains one public subnet and one private subnet.
The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service.
The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The
EC2 instances retrieve approximately 1 TB of data from an S3 bucket each day.
The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without
compromising the service’s security posture or increasing the time spent on ongoing operations.
Which solution will meet these requirements?
A. Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.
B. Move the EC2 instances to the public subnets. Remove the NAT gateways.
C. Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.
D. Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the images on the EFS volume.

39. A company recently deployed an application on AWS. The application uses Amazon DynamoDB. The company measured the application load and
configured the RCUs and WCUs on the DynamoDB table to match the expected peak load. The peak load occurs once a week for a 4-hour period
and is double the average load. The application load is close to the average load for the rest of the week. The access pattern includes many more
writes to the table than reads of the table.
A solutions architect needs to implement a solution to minimize the cost of the table.
Which solution will meet these requirements?
A. Use AWS Application Auto Scaling to increase capacity during the peak period. Purchase reserved RCUs and WCUs to match the average
load.
B. Configure on-demand capacity mode for the table.
C. Configure DynamoDB Accelerator (DAX) in front of the table. Reduce the provisioned read capacity to match the new peak load on the table.
D. Configure DynamoDB Accelerator (DAX) in front of the table. Configure on-demand capacity mode for the table.

40. A solutions architect needs to advise a company on how to migrate its on-premises data processing application to the AWS Cloud. Currently, users
upload input files through a web portal. The web server then stores the uploaded files on NAS and messages the processing server over a
message queue. Each media file can take up to 1 hour to process. The company has determined that the number of media files awaiting
processing is significantly higher during business hours, with the number of files rapidly declining after business hours.
What is the MOST cost-effective migration recommendation?
A. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. When there are messages in the queue,
invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in an Amazon S3 bucket.
B. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue,
create a new Amazon EC2 instance to pull requests from the queue and process the files. Store the processed files in Amazon EFS. Shut down
the EC2 instance after the task is complete.
C. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue,
invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in Amazon EFS.
D. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2
Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the
processed files in an Amazon S3 bucket.

41. A company is using Amazon OpenSearch Service to analyze data. The company loads data into an OpenSearch Service cluster with 10 data nodes
from an Amazon S3 bucket that uses S3 Standard storage. The data resides in the cluster for 1 month for read-only analysis. After 1 month, the
company deletes the index that contains the data from the cluster. For compliance purposes, the company must retain a copy of all input data.
The company is concerned about ongoing costs and asks a solutions architect to recommend a new solution.
Which solution will meet these requirements MOST cost-effectively?
A. Replace all the data nodes with UltraWarm nodes to handle the expected capacity. Transition the input data from S3 Standard to S3 Glacier
Deep Archive when the company loads the data into the cluster.
B. Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacity. Configure the indexes to
transition to UltraWarm when OpenSearch Service ingests the data. Transition the input data to S3 Glacier Deep Archive after 1 month by using
an S3 Lifecycle policy.
C. Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacity. Configure the indexes to
transition to UltraWarm when OpenSearch Service ingests the data. Add cold storage nodes to the cluster. Transition the indexes from
UltraWarm to cold storage. Delete the input data from the S3 bucket after 1 month by using an S3 Lifecycle policy.
D. Reduce the number of data nodes in the cluster to 2. Add instance-backed data nodes to handle the expected capacity. Transition the input
data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.

42. A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong
to either the Prod OU or the NonProd OU.
The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic
when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS
topic.
For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0
as the source.
Which solution will meet this requirement with the LEAST operational overhead?
A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic.
Deploy the updated rule to the NonProd OU.
B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
C. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0.
Apply the SCP to the NonProd OU.
D. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0.
Apply the SCP to the NonProd OU.

43. A company hosts a Git repository in an on-premises data center. The company uses webhooks to invoke functionality that runs in the AWS Cloud.
The company hosts the webhook logic on a set of Amazon EC2 instances in an Auto Scaling group that the company set as a target for an
Application Load Balancer (ALB). The Git server calls the ALB for the configured webhooks. The company wants to move the solution to a
serverless architecture.
Which solution will meet these requirements with the LEAST operational overhead?
A. For each webhook, create and configure an AWS Lambda function URL. Update the Git servers to call the individual Lambda function URLs.
B. Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate AWS Lambda function. Update the Git servers to
call the API Gateway endpoint.
C. Deploy the webhook logic to AWS App Runner. Create an ALB, and set App Runner as the target. Update the Git servers to call the ALB
endpoint.
D. Containerize the webhook logic. Create an Amazon Elastic Container Service (Amazon ECS) cluster, and run the webhook logic in AWS
Fargate. Create an Amazon API Gateway REST API, and set Fargate as the target. Update the Git servers to call the API Gateway endpoint.

44. A company is planning to migrate 1,000 on-premises servers to AWS. The servers run on several VMware clusters in the company’s data center. As
part of the migration plan, the company wants to gather server metrics such as CPU details, RAM usage, operating system information, and
running processes. The company then wants to query and analyze the data.
Which solution will meet these requirements?
A. Deploy and configure the AWS Agentless Discovery Connector virtual appliance on the on-premises hosts. Configure Data Exploration in
AWS Migration Hub. Use AWS Glue to perform an ETL job against the data. Query the data by using Amazon S3 Select.
B. Export only the VM performance information from the on-premises hosts. Directly import the required data into AWS Migration Hub. Update
any missing information in Migration Hub. Query the data by using Amazon QuickSight.
C. Create a script to automatically gather the server information from the on-premises hosts. Use the AWS CLI to run the put-resource
attributes command to store the detailed server data in AWS Migration Hub. Query the data directly in the Migration Hub console.
D. Deploy the AWS Application Discovery Agent to each on-premises server. Configure Data Exploration in AWS Migration Hub. Use Amazon
Athena to run predefined queries against the data in Amazon S3.

一家公司计划将1,000台本地服务器迁移到AWS。这些服务器运行在公司数据中心的多个VMware集群上。
作为迁移计划的一部分,公司希望收集服务器指标,例如CPU详情、内存使用情况、操作系统信息和运行中的进程。
然后公司希望查询和分析这些数据。
哪种解决方案能够满足这些需求?
A. 在本地主机上部署并配置AWS无代理发现连接器虚拟设备。在AWS Migration Hub中配置数据探索功能。
使用AWS Glue对数据执行ETL作业。通过Amazon S3 Select查询数据。
B. 仅从本地主机导出虚拟机性能信息。直接将所需数据导入AWS Migration Hub。
在Migration Hub中更新任何缺失的信息。使用Amazon QuickSight查询数据。
C. 创建一个脚本自动从本地主机收集服务器信息。使用AWS CLI运行put-resource-attributes命令将详细服务器数据存储在AWS Migration Hub中。
直接在Migration Hub控制台查询数据。
D. 在每个本地服务器上部署AWS Application Discovery代理。在AWS Migration Hub中配置数据探索功能。
使用Amazon Athena对Amazon S3中的数据运行预定义查询。

45 / 100

分类: SAP-C02

45. A company is building a serverless application that runs on an AWS Lambda function that is attached to a VPC. The company needs to integrate
the application with a new service from an external provider. The external provider supports only requests that come from public IPv4 addresses
that are in an allow list.
The company must provide a single public IP address to the external provider before the application can start using the new service.
Which solution will give the application the ability to access the new service?
A. Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway.
B. Deploy an egress-only internet gateway. Associate an Elastic IP address with the egress-only internet gateway. Configure the elastic
network interface on the Lambda function to use the egress-only internet gateway.
C. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the Lambda function to use the internet
gateway.
D. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the default route in the public VPC route
table to use the internet gateway.

一家公司正在构建一个运行在连接到VPC的AWS Lambda函数上的无服务器应用程序。该公司需要将该应用程序与外部提供商的一个新服务集成。
外部提供商仅支持来自允许列表中的公共IPv4地址的请求。
在应用程序开始使用新服务之前,公司必须向外部提供商提供一个单一的公共IP地址。
哪种解决方案可以让应用程序访问新服务?
A. 部署一个NAT网关。将一个弹性IP地址与NAT网关关联。配置VPC使用该NAT网关。
B. 部署一个仅出站互联网网关。将一个弹性IP地址与仅出站互联网网关关联。配置Lambda函数的弹性网络接口以使用该仅出站互联网网关。
C. 部署一个互联网网关。将一个弹性IP地址与互联网网关关联。配置Lambda函数使用该互联网网关。
D. 部署一个互联网网关。将一个弹性IP地址与互联网网关关联。在公共VPC路由表中配置默认路由以使用该互联网网关。

46 / 100

分类: SAP-C02

46. A solutions architect has developed a web application that uses an Amazon API Gateway Regional endpoint and an AWS Lambda function. The
consumers of the web application are all close to the AWS Region where the application will be deployed. The Lambda function only queries an
Amazon Aurora MySQL database. The solutions architect has configured the database to have three read replicas.
During testing, the application does not meet performance requirements. Under high load, the application opens a large number of database
connections. The solutions architect must improve the application’s performance.
Which actions should the solutions architect take to meet these requirements? (Choose two.)
A. Use the cluster endpoint of the Aurora database.
B. Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.
C. Use the Lambda Provisioned Concurrency feature.
D. Move the code for opening the database connection in the Lambda function outside of the event handler.
E. Change the API Gateway endpoint to an edge-optimized endpoint.

一位解决方案架构师开发了一个使用Amazon API Gateway区域终端节点和AWS Lambda函数的网络应用程序。
该网络应用程序的所有使用者都靠近应用程序将部署的AWS区域。Lambda函数仅查询Amazon Aurora MySQL数据库。
解决方案架构师已将数据库配置为具有三个读取副本。
在测试过程中,应用程序未达到性能要求。在高负载下,应用程序会打开大量数据库连接。
解决方案架构师必须提高应用程序的性能。
应采取哪些措施来满足这些要求?(选择两项。)
A. 使用Aurora数据库的集群终端节点。
B. 使用RDS代理为Aurora数据库的读取终端节点设置连接池。
C. 使用Lambda预置并发功能。
D. 将Lambda函数中打开数据库连接的代码移出事件处理程序。
E. 将API Gateway终端节点更改为边缘优化的终端节点。

47 / 100

分类: SAP-C02

47. A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of
the security requirements is to enable end-to-end encryption in transit between the client and the web server.
Which solution will meet this requirement?
A. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM),
and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on
port 443 and to forward traffic to port 443 on the instances.
B. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon
CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
C. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and
associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to
listen on port 443 and to forward traffic to port 443 on the instances.
D. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each
EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

一家公司计划在AWS上托管一个Web应用程序,并希望在多个Amazon EC2实例之间均衡分配流量。其中一个安全要求是启用客户端与Web服务器之间的端到端传输加密。
哪种解决方案能满足此要求?
A. 将EC2实例放置在应用程序负载均衡器(ALB)后面。使用AWS证书管理器(ACM)配置SSL证书,并将该SSL证书与ALB关联。导出SSL证书并安装在每个EC2实例上。配置ALB监听443端口并将流量转发到实例的443端口。
B. 将EC2实例与目标组关联。使用AWS证书管理器(ACM)配置SSL证书。创建一个Amazon CloudFront分配并配置其使用该SSL证书。设置CloudFront使用目标组作为源服务器。
C. 将EC2实例放置在应用程序负载均衡器(ALB)后面。使用AWS证书管理器(ACM)配置SSL证书,并将该SSL证书与ALB关联。配置第三方SSL证书并安装在每个EC2实例上。配置ALB监听443端口并将流量转发到实例的443端口。
D. 将EC2实例放置在网络负载均衡器(NLB)后面。配置第三方SSL证书并安装在NLB和每个EC2实例上。配置NLB监听443端口并将流量转发到实例的443端口。

48 / 100

分类: SAP-C02

48. A company wants to migrate its data analytics environment from on premises to AWS. The environment consists of two simple Node.js
applications. One of the applications collects sensor data and loads it into a MySQL database. The other application aggregates the data into
reports. When the aggregation jobs run, some of the load jobs fail to run correctly.
The company must resolve the data loading issue. The company also needs the migration to occur without interruptions or changes for the
company’s customers.
What should a solutions architect do to meet these requirements?
A. Set up an Amazon Aurora MySQL database as a replication target for the on-premises database. Create an Aurora Replica for the Aurora
MySQL database, and move the aggregation jobs to run against the Aurora Replica. Set up collection endpoints as AWS Lambda functions
behind a Network Load Balancer (NLB), and use Amazon RDS Proxy to write to the Aurora MySQL database. When the databases are synced,
disable the replication job and restart the Aurora Replica as the primary instance. Point the collector DNS record to the NLB.
B. Set up an Amazon Aurora MySQL database. Use AWS Database Migration Service (AWS DMS) to perform continuous data replication from
the on-premises database to Aurora. Move the aggregation jobs to run against the Aurora MySQL database. Set up collection endpoints
behind an Application Load Balancer (ALB) as Amazon EC2 instances in an Auto Scaling group. When the databases are synced, point the
collector DNS record to the ALB. Disable the AWS DMS sync task after the cutover from on premises to AWS.
C. Set up an Amazon Aurora MySQL database. Use AWS Database Migration Service (AWS DMS) to perform continuous data replication from
the on-premises database to Aurora. Create an Aurora Replica for the Aurora MySQL database, and move the aggregation jobs to run against
the Aurora Replica. Set up collection endpoints as AWS Lambda functions behind an Application Load Balancer (ALB), and use Amazon RDS
Proxy to write to the Aurora MySQL database. When the databases are synced, point the collector DNS record to the ALB. Disable the AWS
DMS sync task after the cutover from on premises to AWS.
D. Set up an Amazon Aurora MySQL database. Create an Aurora Replica for the Aurora MySQL database, and move the aggregation jobs to run
against the Aurora Replica. Set up collection endpoints as an Amazon Kinesis data stream. Use Amazon Kinesis Data Firehose to replicate the
data to the Aurora MySQL database. When the databases are synced, disable the replication job and restart the Aurora Replica as the primary
instance. Point the collector DNS record to the Kinesis data stream.

一家公司希望将其数据分析环境从本地迁移到AWS。该环境包含两个简单的Node.js应用程序。其中一个应用程序收集传感器数据并将其加载到MySQL数据库中。另一个应用程序将数据聚合生成报告。当聚合作业运行时,部分数据加载作业无法正确执行。

公司必须解决数据加载问题。同时,公司还要求迁移过程不能中断服务或对客户产生任何影响。

解决方案架构师应采取以下哪项措施来满足这些需求?
A. 将Amazon Aurora MySQL数据库设置为本地数据库的复制目标。为Aurora MySQL数据库创建Aurora只读副本,并将聚合作业迁移至该副本运行。通过网络负载均衡器(NLB)后面的AWS Lambda函数设置收集端点,并使用Amazon RDS Proxy写入Aurora MySQL数据库。当数据库同步完成后,停止复制作业并将Aurora只读副本重启为主实例。将收集器DNS记录指向NLB。

B. 建立Amazon Aurora MySQL数据库。使用AWS数据库迁移服务(DMS)实现从本地数据库到Aurora的持续数据复制。将聚合作业迁移至Aurora MySQL数据库运行。通过自动扩展组中的Amazon EC2实例在应用负载均衡器(ALB)后设置收集端点。当数据库同步完成后,将收集器DNS记录指向ALB。在从本地迁移至AWS的切换完成后,停用AWS DMS同步任务。

C. 建立Amazon Aurora MySQL数据库。使用AWS数据库迁移服务(DMS)实现从本地数据库到Aurora的持续数据复制。为Aurora MySQL数据库创建Aurora只读副本,并将聚合作业迁移至该副本运行。通过应用负载均衡器(ALB)后面的AWS Lambda函数设置收集端点,并使用Amazon RDS Proxy写入Aurora MySQL数据库。当数据库同步完成后,将收集器DNS记录指向ALB。在从本地迁移至AWS的切换完成后,停用AWS DMS同步任务。

D. 建立Amazon Aurora MySQL数据库。为Aurora MySQL数据库创建Aurora只读副本,并将聚合作业迁移至该副本运行。通过Amazon Kinesis数据流设置收集端点。使用Amazon Kinesis Data Firehose将数据复制到Aurora MySQL数据库。当数据库同步完成后,停止复制作业并将Aurora只读副本重启为主实例。将收集器DNS记录指向Kinesis数据流。

49 / 100

分类: SAP-C02

49. A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket. The company uses server-side encryption
with S3 managed encryption keys (SSE-S3) to encrypt the objects. According to a new requirement, all current and future objects in the S3 bucket
must be encrypted by keys that the company’s security team manages. The S3 bucket does not have versioning enabled.
Which solution will meet these requirements?
A. In the S3 bucket properties, change the default encryption to SSE-S3 with a customer managed key. Use the AWS CLI to re-upload all
objects in the S3 bucket. Set an S3 bucket policy to deny unencrypted PutObject requests.
B. In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.
C. In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Set an S3 bucket policy to automatically encrypt objects on GetObject and PutObject requests.
D. In the S3 bucket properties, change the default encryption to AES-256 with a customer managed key. Attach a policy to deny unencrypted
PutObject requests to any entities that access the S3 bucket. Use the AWS CLI to re-upload all objects in the S3 bucket.

一家健康保险公司将个人身份识别信息(PII)存储在Amazon S3存储桶中。该公司使用S3托管加密密钥的服务器端加密(SSE-S3)来加密对象。
根据新的要求,S3存储桶中的所有当前和未来对象必须由公司安全团队管理的密钥进行加密。该S3存储桶未启用版本控制。
哪种解决方案能满足这些要求?
A. 在S3存储桶属性中,将默认加密更改为使用客户托管密钥的SSE-S3。使用AWS CLI重新上传S3存储桶中的所有对象。设置S3存储桶策略以拒绝未加密的PutObject请求。
B. 在S3存储桶属性中,将默认加密更改为使用AWS KMS托管加密密钥的服务器端加密(SSE-KMS)。设置S3存储桶策略以拒绝未加密的PutObject请求。使用AWS CLI重新上传S3存储桶中的所有对象。
C. 在S3存储桶属性中,将默认加密更改为使用AWS KMS托管加密密钥的服务器端加密(SSE-KMS)。设置S3存储桶策略以在GetObject和PutObject请求上自动加密对象。
D. 在S3存储桶属性中,将默认加密更改为使用客户托管密钥的AES-256。附加策略以拒绝任何访问S3存储桶实体的未加密PutObject请求。使用AWS CLI重新上传S3存储桶中的所有对象。

50 / 100

分类: SAP-C02

50. A company is running a web application in the AWS Cloud. The application consists of dynamic content that is created on a set of Amazon EC2
instances. The EC2 instances run in an Auto Scaling group that is configured as a target group for an Application Load Balancer (ALB).
The company is using an Amazon CloudFront distribution to distribute the application globally. The CloudFront distribution uses the ALB as an
origin. The company uses Amazon Route 53 for DNS and has created an A record of www.example.com for the CloudFront distribution.
A solutions architect must configure the application so that it is highly available and fault tolerant.
Which solution meets these requirements?
A. Provision a full, secondary application deployment in a different AWS Region. Update the Route 53 A record to be a failover record. Add
both of the CloudFront distributions as values. Create Route 53 health checks.
B. Provision an ALB, an Auto Scaling group, and EC2 instances in a different AWS Region. Update the CloudFront distribution, and create a
second origin for the new ALB. Create an origin group for the two origins. Configure one origin as primary and one origin as secondary.
C. Provision an Auto Scaling group and EC2 instances in a different AWS Region. Create a second target for the new Auto Scaling group in the
ALB. Set up the failover routing algorithm on the ALB.
D. Provision a full, secondary application deployment in a different AWS Region. Create a second CloudFront distribution, and add the new
application setup as an origin. Create an AWS Global Accelerator accelerator. Add both of the CloudFront distributions as endpoints.

一家公司在AWS云中运行一个网络应用程序。该应用程序由一组亚马逊EC2实例上生成的动态内容组成。
这些EC2实例运行在一个配置为应用负载均衡器(ALB)目标组的自动扩展组中。
公司使用亚马逊CloudFront分发全球分发该应用程序。CloudFront分发使用ALB作为源站。
公司使用亚马逊Route 53进行DNS解析,并已为CloudFront分发创建了www.example.com的A记录。
解决方案架构师需要配置该应用程序,使其具有高可用性和容错能力。
哪种解决方案能够满足这些要求?
A. 在不同AWS区域部署完整的辅助应用程序。将Route 53 A记录更新为故障转移记录。添加两个CloudFront分发作为值。创建Route 53健康检查。
B. 在不同AWS区域部署ALB、自动扩展组和EC2实例。更新CloudFront分发,并为新的ALB创建第二个源站。为这两个源站创建源站组。将一个源站配置为主源站,另一个为辅助源站。
C. 在不同AWS区域部署自动扩展组和EC2实例。在ALB中为新自动扩展组创建第二个目标。在ALB上设置故障转移路由算法。
D. 在不同AWS区域部署完整的辅助应用程序。创建第二个CloudFront分发,并将新应用程序设置添加为源站。创建AWS Global Accelerator加速器。将两个CloudFront分发添加为端点。

51 / 100

分类: SAP-C02

51. A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a
transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured
between all of the company’s global offices and the transit account. The company has AWS Config enabled on all of its accounts.
The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will
reference this list to gain access to their applications securely.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification
Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function
to the SNS topic to update all relevant security group rules with the updated IP address ranges.
B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each
of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant
security group that is detected.
C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the
prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts
to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.

一家公司在AWS Organizations中拥有包含大量AWS账户的组织。其中有一个AWS账户被指定为传输账户,并设有一个与所有其他AWS账户共享的传输网关。公司在所有全球办公室与传输账户之间配置了AWS站点到站点VPN连接。公司在所有账户上都启用了AWS Config。
公司的网络团队需要集中管理属于全球办公室的内部IP地址范围列表。开发人员将参考此列表来安全访问他们的应用程序。
哪种解决方案能以最小的操作开销满足这些需求?
A. 创建一份列出所有内部IP地址范围的JSON文件,并将其托管在Amazon S3上。在每个账户中配置一个Amazon Simple Notification Service(Amazon SNS)主题,以便在JSON文件更新时调用。订阅一个AWS Lambda函数到SNS主题,以使用更新后的IP地址范围更新所有相关的安全组规则。
B. 创建一个包含所有内部IP地址范围的新AWS Config托管规则。使用该规则检查每个账户中的安全组,确保符合IP地址范围列表。配置规则以自动修正检测到的任何不合规安全组。
C. 在传输账户中,创建一个包含所有内部IP地址范围的VPC前缀列表。使用AWS Resource Access Manager将该前缀列表共享给所有其他账户。使用共享的前缀列表在其他账户中配置安全组规则。
D. 在传输账户中,创建一个包含所有内部IP地址范围的安全组。通过使用嵌套安全组引用“/sg-1a2b3c4d”,配置其他账户中的安全组以引用传输账户的安全组。

52 / 100

分类: SAP-C02

52. A company runs a new application as a static website in Amazon S3. The company has deployed the application to a production AWS account and
uses Amazon CloudFront to deliver the website. The website calls an Amazon API Gateway REST API. An AWS Lambda function backs each API
method.
The company wants to create a CSV report every 2 weeks to show each API Lambda function’s recommended configured memory, recommended
cost, and the price difference between current configurations and the recommendations. The company will store the reports in an S3 bucket.
Which solution will meet these requirements with the LEAST development time?
A. Create a Lambda function that extracts metrics data for each API Lambda function from Amazon CloudWatch Logs for the 2-week period.
Collate the data into tabular format. Store the data as a .csv file in an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda
function to run every 2 weeks.
B. Opt in to AWS Compute Optimizer. Create a Lambda function that calls the ExportLambdaFunctionRecommendations operation. Export the
.csv file to an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda function to run every 2 weeks.
C. Opt in to AWS Compute Optimizer. Set up enhanced infrastructure metrics. Within the Compute Optimizer console, schedule a job to export
the Lambda recommendations to a .csv file. Store the file in an S3 bucket every 2 weeks.
D. Purchase the AWS Business Support plan for the production account. Opt in to AWS Compute Optimizer for AWS Trusted Advisor checks. In
the Trusted Advisor console, schedule a job to export the cost optimization checks to a .csv file. Store the file in an S3 bucket every 2 weeks.

一家公司以静态网站的形式在亚马逊S3上运行一个新应用程序。该公司已将应用程序部署到生产环境的AWS账户中,并使用亚马逊CloudFront分发该网站。网站会调用亚马逊API网关的REST API,每个API方法背后都有一个AWS Lambda函数支持。

该公司希望每两周生成一次CSV报告,展示每个API Lambda函数推荐配置的内存大小、推荐成本以及当前配置与推荐配置之间的价格差异。报告将存储在S3存储桶中。

哪种方案能以最少的开发时间满足这些需求?

A. 创建一个Lambda函数,从亚马逊CloudWatch日志中提取两周内每个API Lambda函数的指标数据,将数据整理成表格格式后以.csv文件形式存入S3存储桶。创建亚马逊EventBridge规则按每两周的周期调度该Lambda函数运行。

B. 注册使用AWS Compute Optimizer服务。创建调用ExportLambdaFunctionRecommendations操作的Lambda函数,将.csv文件导出到S3存储桶。创建亚马逊EventBridge规则按每两周的周期调度该函数运行。

C. 注册使用AWS Compute Optimizer服务并设置增强基础设施指标。在Compute Optimizer控制台预定导出Lambda推荐配置到.csv文件的任务,每两周将文件存储到S3存储桶。

D. 为生产账户购买AWS商业支持计划,在AWS可信顾问检查中注册使用AWS Compute Optimizer服务。在可信顾问控制台预定导出成本优化检查结果的.csv文件任务,每两周将文件存储到S3存储桶。

53 / 100

分类: SAP-C02

53. A company’s factory and automation applications are running in a single VPC. More than 20 applications run on a combination of Amazon EC2,
Amazon Elastic Container Service (Amazon ECS), and Amazon RDS.
The company has software engineers spread across three teams. One of the three teams owns each application, and each team is responsible for
the cost and performance of all of its applications. Team resources have tags that represent their application and team. The teams use IAM
access for daily activities.
The company needs to determine which costs on the monthly AWS bill are attributable to each application or team. The company also must be
able to create reports to compare costs from the last 12 months and to help forecast costs for the next 12 months. A solutions architect must
recommend an AWS Billing and Cost Management solution that provides these cost reports.
Which combination of actions will meet these requirements? (Choose three.)
A. Activate the user-defined cost allocation tags that represent the application and the team.
B. Activate the AWS generated cost allocation tags that represent the application and the team.
C. Create a cost category for each application in Billing and Cost Management.
D. Activate IAM access to Billing and Cost Management.
E. Create a cost budget.
F. Enable Cost Explorer.

一家公司的工厂与自动化应用程序运行在单个VPC中。超过20个应用程序同时在亚马逊EC2、亚马逊弹性容器服务(Amazon ECS)以及亚马逊关系数据库服务(Amazon RDS)上运行。
该公司软件工程师分布在三个团队中。三个团队之一拥有每个应用程序的所有权,每个团队需要对其所有应用程序的成本和性能负责。团队资源带有代表其应用程序和团队的标签。
团队在日常活动中使用IAM权限进行访问。
公司需要确定每月AWS账单中有哪些成本归属于各应用程序或团队。同时公司还必须能生成报告,用于对比过去12个月的成本并预测未来12个月的开支。解决方案架构师必须推荐一个能提供这些成本报告的AWS账单与成本管理解决方案。
以下哪些措施组合能满足这些需求?(选择三项。)
A. 激活代表应用程序和团队的用户自定义成本分配标签。
B. 激活代表应用程序和团队的AWS生成成本分配标签。
C. 在账单与成本管理中为每个应用程序创建成本类别。
D. 向账单与成本管理开通IAM访问权限。
E. 创建成本预算。
F. 启用成本资源管理器。

54 / 100

分类: SAP-C02

54. An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall.
The third party accepts only one public CIDR block in each client’s allow list.
The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind
an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT
gateways provide internet access to the private subnets.
How should a solutions architect ensure that the web application can continue to call the third-party API after the migration?
A. Associate a block of customer-owned public IP addresses to the VPC. Enable public IP addressing for public subnets in the VPC.
B. Register a block of customer-owned public IP addresses in the AWS account. Create Elastic IP addresses from the address block and
assign them to the NAT gateways in the VPC.
C. Create Elastic IP addresses from the block of customer-owned IP addresses. Assign the static Elastic IP addresses to the ALB.
D. Register a block of customer-owned public IP addresses in the AWS account. Set up AWS Global Accelerator to use Elastic IP addresses
from the address block. Set the ALB as the accelerator endpoint.

一位AWS客户拥有一个在本地运行的Web应用程序。该Web应用程序从一个位于防火墙后端的第三方API获取数据。
第三方仅接受每个客户允许列表中的一个公共CIDR地址块。
该客户希望将其Web应用程序迁移到AWS云。该应用程序将托管在VPC中位于应用负载均衡器(ALB)后的一组Amazon EC2实例上。
ALB位于公共子网中。EC2实例位于私有子网中。NAT网关为私有子网提供互联网访问。
解决方案架构师应如何确保Web应用程序在迁移后仍能继续调用第三方API?
A. 将一组客户拥有的公共IP地址关联到VPC。为VPC中的公共子网启用公共IP寻址。
B. 在AWS账户中注册一组客户拥有的公共IP地址。从该地址块创建弹性IP地址并将其分配给VPC中的NAT网关。
C. 从客户拥有的IP地址块创建弹性IP地址。将静态弹性IP地址分配给ALB。
D. 在AWS账户中注册一组客户拥有的公共IP地址。设置AWS Global Accelerator以使用该地址块中的弹性IP地址。将ALB设置为加速器终端节点。

55 / 100

分类: SAP-C02

55. A company has a monolithic application that is critical to the company’s business. The company hosts the application on an Amazon EC2
instance that runs Amazon Linux 2. The company’s application team receives a directive from the legal department to back up the data from the
instance’s encrypted Amazon Elastic Block Store (Amazon EBS) volume to an Amazon S3 bucket. The application team does not have the
administrative SSH key pair for the instance. The application must continue to serve the users.
Which solution will meet these requirements?
A. Attach a role to the instance with permission to write to Amazon S3. Use the AWS Systems Manager Session Manager option to gain
access to the instance and run commands to copy data into Amazon S3.
B. Create an image of the instance with the reboot option turned on. Launch a new EC2 instance from the image. Attach a role to the new
instance with permission to write to Amazon S3. Run a command to copy data into Amazon S3.
C. Take a snapshot of the EBS volume by using Amazon Data Lifecycle Manager (Amazon DLM). Copy the data to Amazon S3.
D. Create an image of the instance. Launch a new EC2 instance from the image. Attach a role to the new instance with permission to write to
Amazon S3. Run a command to copy data into Amazon S3.

一家公司拥有一个对其业务至关重要的单体应用程序。该公司将该应用程序托管在运行Amazon Linux 2的Amazon EC2实例上。公司的应用程序团队收到法律部门的指令,要求将实例上加密的Amazon Elastic Block Store(Amazon EBS)卷中的数据备份到Amazon S3存储桶。应用程序团队没有该实例的管理SSH密钥对。应用程序必须继续为用户提供服务。

哪种解决方案可以满足这些要求?
A. 将具有写入Amazon S3权限的角色附加到实例。使用AWS Systems Manager会话管理器选项获取实例访问权限,并运行命令将数据复制到Amazon S3。
B. 创建启用重启选项的实例映像。从映像启动新的EC2实例。将具有写入Amazon S3权限的角色附加到新实例。运行命令将数据复制到Amazon S3。
C. 使用Amazon Data Lifecycle Manager(Amazon DLM)创建EBS卷的快照。将数据复制到Amazon S3。
D. 创建实例的映像。从映像启动新的EC2实例。将具有写入Amazon S3权限的角色附加到新实例。运行命令将数据复制到Amazon S3。

56 / 100

分类: SAP-C02

56. A solutions architect needs to copy data from an Amazon S3 bucket in an AWS account to a new S3 bucket in a new AWS account. The solutions
architect must implement a solution that uses the AWS CLI.
Which combination of steps will successfully copy the data? (Choose three.)
A. Create a bucket policy to allow the source bucket to list its contents and to put objects and set object ACLs in the destination bucket.
Attach the bucket policy to the destination bucket.
B. Create a bucket policy to allow a user in the destination account to list the source bucket’s contents and read the source bucket’s objects.
Attach the bucket policy to the source bucket.
C. Create an IAM policy in the source account. Configure the policy to allow a user in the source account to list contents and get objects in the
source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
D. Create an IAM policy in the destination account. Configure the policy to allow a user in the destination account to list contents and get
objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
E. Run the aws s3 sync command as a user in the source account. Specify the source and destination buckets to copy the data.
F. Run the aws s3 sync command as a user in the destination account. Specify the source and destination buckets to copy the data.

一位解决方案架构师需要将数据从一个亚马逊S3存储桶(位于AWS账户中)复制到一个新的AWS账户中的新S3存储桶。
解决方案架构师必须实施一种使用AWS命令行界面的解决方案。
以下哪三个步骤组合可以成功复制数据?(选择三个。)
A. 创建一个存储桶策略,允许源存储桶列出其内容,并在目标存储桶中放置对象和设置对象ACL。
将该存储桶策略附加到目标存储桶。
B. 创建一个存储桶策略,允许目标账户中的用户列出源存储桶的内容并读取源存储桶中的对象。
将该存储桶策略附加到源存储桶。
C. 在源账户中创建一个IAM策略。配置该策略以允许源账户中的用户列出内容并获取源存储桶中的对象,以及列出内容、放置对象和在目标存储桶中设置对象ACL。
将该策略附加到用户。
D. 在目标账户中创建一个IAM策略。配置该策略以允许目标账户中的用户列出内容并获取源存储桶中的对象,以及列出内容、放置对象和在目标存储桶中设置对象ACL。
将该策略附加到用户。
E. 作为源账户中的用户运行aws s3 sync命令。指定源和目标存储桶以复制数据。
F. 作为目标账户中的用户运行aws s3 sync命令。指定源和目标存储桶以复制数据。

57 / 100

分类: SAP-C02

57. A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web
application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to
support a canary release.
Which solution will meet these requirements?
A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI update-alias command with the routing-config
parameter to distribute the load.
B. Deploy the application into a new CloudFormation stack. Use an Amazon Route 53 weighted routing policy to distribute the load.
C. Create a version for every new deployed Lambda function. Use the AWS CLI update-function-configuration command with the routing-config
parameter to distribute the load.
D. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment configuration to distribute the load.

一家公司基于部署在AWS CloudFormation堆栈中的AWS Lambda构建了一个应用程序。
该Web应用程序的上一个生产版本出现问题,导致持续数分钟的中断。
解决方案架构师必须调整部署流程以支持金丝雀发布。

哪种解决方案可以满足这些需求?
A. 为每个新部署的Lambda函数版本创建别名。使用带有routing-config参数的AWS CLI update-alias命令来分配负载。
B. 将应用程序部署到新的CloudFormation堆栈中。使用Amazon Route 53加权路由策略来分配负载。
C. 为每个新部署的Lambda函数创建版本。使用带有routing-config参数的AWS CLI update-function-configuration命令来分配负载。
D. 配置AWS CodeDeploy,并在部署配置中使用CodeDeployDefault.OneAtATime来分配负载。

58 / 100

分类: SAP-C02

58. A finance company hosts a data lake in Amazon S3. The company receives financial data records over SFTP each night from several third parties.
The company runs its own SFTP server on an Amazon EC2 instance in a public subnet of a VPC. After the files are uploaded, they are moved to the
data lake by a cron job that runs on the same instance. The SFTP server is reachable on DNS sftp.example.com through the use of Amazon Route
53.
What should a solutions architect do to improve the reliability and scalability of the SFTP solution?
A. Move the EC2 instance into an Auto Scaling group. Place the EC2 instance behind an Application Load Balancer (ALB). Update the DNS
record sftp.example.com in Route 53 to point to the ALB.
B. Migrate the SFTP server to AWS Transfer for SFTP. Update the DNS record sftp.example.com in Route 53 to point to the server endpoint
hostname.
C. Migrate the SFTP server to a file gateway in AWS Storage Gateway. Update the DNS record sftp.example.com in Route 53 to point to the file
gateway endpoint.
D. Place the EC2 instance behind a Network Load Balancer (NLB). Update the DNS record sftp.example.com in Route 53 to point to the NLB.

一家金融公司在亚马逊S3上托管了一个数据湖。该公司每晚通过SFTP从多个第三方接收金融数据记录。
公司在其VPC的公共子网中的亚马逊EC2实例上运行自己的SFTP服务器。文件上传后,由在同一实例上运行的cron作业将它们移动到数据湖。通过使用亚马逊Route 53,SFTP服务器可在DNS sftp.example.com上被访问到。
解决方案架构师应采取什么措施来提高SFTP解决方案的可靠性和可扩展性?
A. 将EC2实例移至自动扩展组中。将EC2实例置于应用负载均衡器(ALB)后面。更新Route 53中的DNS记录sftp.example.com以指向ALB。
B. 将SFTP服务器迁移至AWS SFTP传输服务。更新Route 53中的DNS记录sftp.example.com以指向服务器端点主机名。
C. 将SFTP服务器迁移至AWS存储网关中的文件网关。更新Route 53中的DNS记录sftp.example.com以指向文件网关端点。
D. 将EC2实例置于网络负载均衡器(NLB)后面。更新Route 53中的DNS记录sftp.example.com以指向NLB。

59 / 100

分类: SAP-C02

59. A company wants to migrate an application to Amazon EC2 from VMware Infrastructure that runs in an on-premises data center. A solutions
architect must preserve the software and configuration settings during the migration.
What should the solutions architect do to meet these requirements?
A. Configure the AWS DataSync agent to start replicating the data store to Amazon FSx for Windows File Server. Use the SMB share to host
the VMware data store. Use VM Import/Export to move the VMs to Amazon EC2.
B. Use the VMware vSphere client to export the application as an image in Open Virtualization Format (OVF) format. Create an Amazon S3
bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import
command.
C. Configure AWS Storage Gateway for files service to export a Common Internet File System (CIFS) share. Create a backup copy to the shared
folder. Sign in to the AWS Management Console and create an AMI from the backup copy. Launch an EC2 instance that is based on the AMI.
D. Create a managed-instance activation for a hybrid environment in AWS Systems Manager. Download and install Systems Manager Agent on
the on-premises VM. Register the VM with Systems Manager to be a managed instance. Use AWS Backup to create a snapshot of the VM and
create an AMI. Launch an EC2 instance that is based on the AMI.

A company wants to migrate an application from the VMware infrastructure in its on-premises data center to Amazon EC2. The solutions architect must preserve the software and configuration settings during the migration.
What should the solutions architect do to meet these requirements?
A. Configure the AWS DataSync agent to start replicating the data store to Amazon FSx for Windows File Server. Use the SMB share to host the VMware data store. Use VM Import/Export to migrate the VMs to Amazon EC2.
B. Use the VMware vSphere client to export the application as an Open Virtualization Format (OVF) image. Create an Amazon S3 bucket in the destination AWS Region to store the image. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import command.
C. Configure the file service of AWS Storage Gateway to export a Common Internet File System (CIFS) share. Create a backup copy of the shared folder. Sign in to the AWS Management Console and create an AMI from the backup copy. Launch an EC2 instance based on that AMI.
D. Create a managed-instance activation for a hybrid environment in AWS Systems Manager. Download and install the Systems Manager Agent on the on-premises VM. Register the VM with Systems Manager as a managed instance. Use AWS Backup to create a snapshot of the VM and generate an AMI. Launch an EC2 instance based on that AMI.


60. A video processing company has an application that downloads images from an Amazon S3 bucket, processes the images, stores a transformed
image in a second S3 bucket, and updates metadata about the image in an Amazon DynamoDB table. The application is written in Node.js and
runs by using an AWS Lambda function. The Lambda function is invoked when a new image is uploaded to Amazon S3.
The application ran without incident for a while. However, the size of the images has grown significantly. The Lambda function is now failing
frequently with timeout errors. The function timeout is set to its maximum value. A solutions architect needs to refactor the application’s
architecture to prevent invocation failures. The company does not want to manage the underlying infrastructure.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Modify the application deployment by building a Docker image that contains the application code. Publish the image to Amazon Elastic
Container Registry (Amazon ECR).
B. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of AWS Fargate. Configure the task
definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by
using the ECS task definition when a new file arrives in Amazon S3.
C. Create an AWS Step Functions state machine with a Parallel state to invoke the Lambda function. Increase the provisioned concurrency of
the Lambda function.
D. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of Amazon EC2. Configure the task
definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by
using the ECS task definition when a new file arrives in Amazon S3.
E. Modify the application to store images on Amazon Elastic File System (Amazon EFS) and to store metadata on an Amazon RDS DB
instance. Adjust the Lambda function to mount the EFS file share.

A video processing company has an application that downloads images from an Amazon Simple Storage Service (Amazon S3) bucket, processes the images, stores the transformed images in a second S3 bucket, and updates metadata about the images in an Amazon DynamoDB table. The application is written in Node.js and runs by using an AWS Lambda function. The Lambda function is invoked when a new image is uploaded to Amazon S3.

The application ran for a while without problems. However, the size of the images has grown significantly. The Lambda function now fails frequently with timeout errors. The function timeout is already set to its maximum value. A solutions architect needs to refactor the application's architecture to prevent invocation failures. The company does not want to manage the underlying infrastructure.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

A. Modify the application deployment by building a Docker image that contains the application code. Publish the image to Amazon Elastic Container Registry (Amazon ECR).

B. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of AWS Fargate. Configure the task definition to use the new image in Amazon ECR. Adjust the Lambda function so that it invokes an ECS task through the ECS task definition when a new file arrives in Amazon S3.

C. Create an AWS Step Functions state machine with a Parallel state to invoke the Lambda function. Increase the provisioned concurrency of the Lambda function.

D. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of Amazon EC2. Configure the task definition to use the new image in Amazon ECR. Adjust the Lambda function so that it invokes an ECS task through the ECS task definition when a new file arrives in Amazon S3.

E. Modify the application to store images on Amazon Elastic File System (Amazon EFS) and to store metadata on an Amazon RDS DB instance. Adjust the Lambda function to mount the EFS file share.


61. A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization.
The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB
instances that are not encrypted at rest in the company’s production OU.
Which solution will meet this requirement?
A. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.
B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the
production OU.
C. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.
D. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.

A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization.
The company wants to implement governance and policy enforcement. The company must implement a policy that detects Amazon RDS DB instances in the company's production OU that are not encrypted at rest.
Which solution will meet this requirement?
A. Turn on mandatory guardrails in AWS Control Tower. Apply these mandatory guardrails to the production OU.
B. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply that guardrail to the production OU.
C. Use AWS Config to create a new mandatory guardrail. Apply that rule to all accounts in the production OU.
D. Create a custom SCP in AWS Control Tower. Apply that SCP to the production OU.


62. A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company’s engineers rely
heavily on SSH access to the instances for troubleshooting.
The company’s existing architecture includes the following:
• A VPC with private and public subnets, and a NAT gateway.
• Site-to-Site VPN for connectivity with the on-premises environment.
• EC2 security groups with direct SSH access from the on-premises environment.
The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.
Which strategy should a solutions architect use?
A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that
allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
B. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Install the Amazon
CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Enable AWS Config for
EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes
to rules.
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances.
Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems
Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems
Manager.

A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to these instances for troubleshooting.
The company's existing architecture includes the following:
• A VPC with private and public subnets, and a NAT gateway.
• A Site-to-Site VPN for connectivity with the on-premises environment.
• EC2 security groups that allow direct SSH access from the on-premises environment.
The company needs to strengthen the security controls around SSH access and provide auditing of the commands that the engineers run.
Which strategy should a solutions architect use?
A. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Advise the engineers to access the instances remotely by using the EC2 Instance Connect CLI.
B. Update the EC2 security groups to allow inbound TCP on port 22 only from the IP addresses of the engineers' devices. Install the Amazon CloudWatch agent on all EC2 instances and send the operating system audit logs to CloudWatch Logs.
C. Update the EC2 security groups to allow inbound TCP on port 22 only from the IP addresses of the engineers' devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates rule changes.
D. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach that IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin on their devices and access the instances remotely through the start-session API call of Systems Manager.


63. A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed,
developers use their company email address to request an account. The company wants to ensure that developers are not launching costly
services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an SCP to set a fixed monthly account usage limit. Apply the SCP to the developer accounts.
B. Use AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process.
C. Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts.
D. Create an IAM policy to deny access to costly services and components. Apply the IAM policy to the developer accounts.
E. Create an AWS Budgets alert action to terminate services when the budgeted amount is reached. Configure the action to terminate all
services.
F. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount
is reached. Invoke an AWS Lambda function to terminate all services.

A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed,
developers use their company email addresses to request an account. The company wants to ensure that developers do not launch costly services or run services unnecessarily.
The company must give developers a fixed monthly budget to limit their AWS costs.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an SCP to set a fixed monthly account usage limit. Apply the SCP to the developer accounts.
B. Use AWS Budgets to create a fixed monthly budget for each developer's account during the account creation process.
C. Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts.
D. Create an IAM policy to deny access to costly services and components. Apply the IAM policy to the developer accounts.
E. Create an AWS Budgets alert action that terminates services when the budgeted amount is reached. Configure the action to terminate all services.
F. Create an AWS Budgets alert action that sends an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services.


64. A company has applications in an AWS account that is named Source. The account is in an organization in AWS Organizations. One of the
applications uses AWS Lambda functions and stores inventory data in an Amazon Aurora database. The application deploys the Lambda
functions by using a deployment package. The company has configured automated backups for Aurora.
The company wants to migrate the Lambda functions and the Aurora database to a new AWS account that is named Target. The application
processes critical data, so the company must minimize downtime.
Which solution will meet these requirements?
A. Download the Lambda function deployment package from the Source account. Use the deployment package and create new Lambda
functions in the Target account. Share the automated Aurora DB cluster snapshot with the Target account.
B. Download the Lambda function deployment package from the Source account. Use the deployment package and create new Lambda
functions in the Target account. Share the Aurora DB cluster with the Target account by using AWS Resource Access Manager (AWS RAM).
Grant the Target account permission to clone the Aurora DB cluster.
C. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions and the Aurora DB cluster with the Target account. Grant
the Target account permission to clone the Aurora DB cluster.
D. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions with the Target account. Share the automated Aurora DB
cluster snapshot with the Target account.

A company has deployed applications in an AWS account named Source. The account belongs to an organization in AWS Organizations. One of the applications uses AWS Lambda functions and stores inventory data in an Amazon Aurora database. The application deploys the Lambda functions through a deployment package. The company has configured automated backups for Aurora.

The company wants to migrate these Lambda functions and the Aurora database to a new AWS account named Target. Because the application processes critical data, the company must keep downtime to a minimum.

Which solution will meet these requirements?

A. Download the Lambda function deployment package from the Source account. Use that deployment package to create new Lambda functions in the Target account. Share the automated Aurora DB cluster snapshot with the Target account.

B. Download the Lambda function deployment package from the Source account. Use that deployment package to create new Lambda functions in the Target account. Share the Aurora DB cluster with the Target account through AWS Resource Access Manager (AWS RAM). Grant the Target account permission to clone the Aurora DB cluster.

C. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions and the Aurora DB cluster with the Target account. Grant the Target account permission to clone the Aurora DB cluster.

D. Use AWS Resource Access Manager (AWS RAM) to share the Lambda functions with the Target account. Share the automated Aurora DB cluster snapshot with the Target account.


65. A company runs a Python script on an Amazon EC2 instance to process data. The script runs every 10 minutes. The script ingests files from an
Amazon S3 bucket and processes the files. On average, the script takes approximately 5 minutes to process each file. The script will not reprocess
a file that the script has already processed.
The company reviewed Amazon CloudWatch metrics and noticed that the EC2 instance is idle for approximately 40% of the time because of the
file processing speed. The company wants to make the workload highly available and scalable. The company also wants to reduce long-term
management overhead.
Which solution will meet these requirements MOST cost-effectively?
A. Migrate the data processing script to an AWS Lambda function. Use an S3 event notification to invoke the Lambda function to process the
objects when the company uploads the objects.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure Amazon S3 to send event notifications to the SQS queue. Create
an EC2 Auto Scaling group with a minimum size of one instance. Update the data processing script to poll the SQS queue. Process the S3
objects that the SQS message identifies.
C. Migrate the data processing script to a container image. Run the data processing container on an EC2 instance. Configure the container to
poll the S3 bucket for new objects and to process the resulting objects.
D. Migrate the data processing script to a container image that runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate.
Create an AWS Lambda function that calls the Fargate RunTask API operation when the container processes the file. Use an S3 event
notification to invoke the Lambda function.

A company runs a Python script on an Amazon EC2 instance to process data. The script runs every 10 minutes. The script pulls files from an Amazon S3 bucket and processes them. On average, the script takes about 5 minutes to process each file, and it does not reprocess files that it has already processed.

The company reviewed Amazon CloudWatch metrics and found that, because of the file processing speed, the EC2 instance is idle for about 40% of the time. The company wants to make the workload highly available and scalable, and also wants to reduce long-term management overhead.

Which solution will meet these requirements MOST cost-effectively?

A. Migrate the data processing script to an AWS Lambda function. Use an S3 event notification to invoke the Lambda function to process the objects when they are uploaded.

B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure Amazon S3 to send event notifications to the SQS queue. Create an EC2 Auto Scaling group with a minimum size of 1 instance. Update the data processing script to poll the SQS queue and process the S3 objects that the SQS messages identify.

C. Migrate the data processing script to a container image. Run the data processing container on an EC2 instance. Configure the container to poll the S3 bucket for new objects and to process them.

D. Migrate the data processing script to a container image that runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate. Create a Lambda function that calls the Fargate RunTask API operation when the container processes the file. Use an S3 event notification to invoke the Lambda function.


66. A financial services company in North America plans to release a new online web application to its customers on AWS. The company will launch
the application in the us-east-1 Region on Amazon EC2 instances. The application must be highly available and must dynamically scale to meet
user traffic. The company also wants to implement a disaster recovery environment for the application in the us-west-1 Region by using active
passive failover.
Which solution will meet these requirements?
A. Create a VPC in us-east-1 and a VPC in us-west-1. Configure VPC peering. In the us-east-1 VPC, create an Application Load Balancer (ALB)
that extends across multiple Availability Zones in both VPCs. Create an Auto Scaling group that deploys the EC2 instances across the multiple
Availability Zones in both VPCs. Place the Auto Scaling group behind the ALB.
B. Create a VPC in us-east-1 and a VPC in us-west-1. In the us-east-1 VPC, create an Application Load Balancer (ALB) that extends across
multiple Availability Zones in that VPC. Create an Auto Scaling group that deploys the EC2 instances across the multiple Availability Zones in
the us-east-1 VPC. Place the Auto Scaling group behind the ALB. Set up the same configuration in the us-west-1 VPC. Create an Amazon Route
53 hosted zone. Create separate records for each ALB. Enable health checks to ensure high availability between Regions.
C. Create a VPC in us-east-1 and a VPC in us-west-1. In the us-east-1 VPC, create an Application Load Balancer (ALB) that extends across
multiple Availability Zones in that VPC. Create an Auto Scaling group that deploys the EC2 instances across the multiple Availability Zones in the
us-east-1 VPC. Place the Auto Scaling group behind the ALB. Set up the same configuration in the us-west-1 VPC. Create an Amazon Route 53
hosted zone. Create separate records for each ALB. Enable health checks and configure a failover routing policy for each record.
D. Create a VPC in us-east-1 and a VPC in us-west-1. Configure VPC peering. In the us-east-1 VPC, create an Application Load Balancer (ALB)
that extends across multiple Availability Zones in both VPCs. Create an Auto Scaling group that deploys the EC2 instances across the multiple
Availability Zones in both VPCs. Place the Auto Scaling group behind the ALB. Create an Amazon Route 53 hosted zone. Create a record for
the ALB.

A financial services company in North America plans to release a new online web application to its customers on AWS. The company will launch the application on Amazon EC2 instances in the us-east-1 Region. The application must be highly available and must scale dynamically to meet user traffic. The company also wants to implement a disaster recovery environment for the application in the us-west-1 Region by using active-passive failover.
Which solution will meet these requirements?
A. Create one VPC in us-east-1 and one in us-west-1. Configure VPC peering. In the us-east-1 VPC, create an Application Load Balancer (ALB) that spans multiple Availability Zones in both VPCs. Create an Auto Scaling group that deploys EC2 instances across multiple Availability Zones in both VPCs. Place that Auto Scaling group behind the ALB.
B. Create one VPC in us-east-1 and one in us-west-1. In the us-east-1 VPC, create an Application Load Balancer (ALB) that spans multiple Availability Zones in that VPC. Create an Auto Scaling group that deploys EC2 instances across multiple Availability Zones in that VPC. Place that Auto Scaling group behind the ALB. Set up the same configuration in the us-west-1 VPC. Create an Amazon Route 53 hosted zone. Create a separate record for each ALB. Enable health checks to ensure high availability between Regions.
C. Create one VPC in us-east-1 and one in us-west-1. In the us-east-1 VPC, create an Application Load Balancer (ALB) that spans multiple Availability Zones in that VPC. Create an Auto Scaling group that deploys EC2 instances across multiple Availability Zones in that VPC. Place that Auto Scaling group behind the ALB. Set up the same configuration in the us-west-1 VPC. Create an Amazon Route 53 hosted zone. Create a separate record for each ALB. Enable health checks and configure a failover routing policy for each record.
D. Create one VPC in us-east-1 and one in us-west-1. Configure VPC peering. In the us-east-1 VPC, create an Application Load Balancer (ALB) that spans multiple Availability Zones in both VPCs. Create an Auto Scaling group that deploys EC2 instances across multiple Availability Zones in both VPCs. Place that Auto Scaling group behind the ALB. Create an Amazon Route 53 hosted zone. Create one record for the ALB.


67. A company has an environment that has a single AWS account. A solutions architect is reviewing the environment to recommend what the
company could improve specifically in terms of access to the AWS Management Console. The company’s IT support workers currently access the
console for administrative tasks, authenticating with named IAM users that have been mapped to their job role.
The IT support workers no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console
by using their existing Active Directory credentials. The solutions architect is using AWS IAM Identity Center (AWS Single Sign-On) to implement
this functionality.
Which solution will meet these requirements MOST cost-effectively?
A. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure a directory in
AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active
Directory. Configure IAM Identity Center and set the AWS Managed Microsoft AD directory as the identity source. Create permission sets and
map them to the existing groups within the AWS Managed Microsoft AD directory.
B. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure an AD
Connector to connect to the company’s on-premises Active Directory. Configure IAM Identity Center and select the AD Connector as the
identity source. Create permission sets and map them to the existing groups within the company’s Active Directory.
C. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure a directory in AWS Directory
Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company’s on-premises Active Directory.
Configure IAM Identity Center and select the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map
them to the existing groups within the AWS Managed Microsoft AD directory.
D. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to
the company’s on-premises Active Directory. Configure IAM Identity Center and set the AD Connector as the identity source. Create permission
sets and map them to the existing groups within the company’s Active Directory.

A company has an environment that uses a single AWS account. A solutions architect is reviewing the environment to recommend what specific improvements the company could make in terms of access to the AWS Management Console. Currently, the company's IT support staff authenticate with named IAM users that are mapped to their job roles in order to access the console for administrative tasks.
The IT support staff no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console with their existing Active Directory credentials. The solutions architect is using AWS IAM Identity Center (AWS Single Sign-On) to implement this functionality.
Which solution will meet these requirements MOST cost-effectively?
A. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company's on-premises Active Directory. Configure IAM Identity Center and set the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups in the AWS Managed Microsoft AD directory.
B. Create an organization in AWS Organizations. Turn on the IAM Identity Center feature in Organizations. Create and configure an AD Connector to connect to the company's on-premises Active Directory. Configure IAM Identity Center and select the AD Connector as the identity source. Create permission sets and map them to the existing groups in the company's Active Directory.
C. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company's on-premises Active Directory. Configure IAM Identity Center and select the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups in the AWS Managed Microsoft AD directory.
D. Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to the company's on-premises Active Directory. Configure IAM Identity Center and set the AD Connector as the identity source. Create permission sets and map them to the existing groups in the company's Active Directory.


68. A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the
us-east-1 Region. The files range in size from 1 GB to 10 GB.
Users who access the app from Australia have experienced uploads that take long periods of time. Sometimes the files fail to completely upload
for these users. A solutions architect must improve the app’s performance for these uploads.
Which solutions will meet these requirements? (Choose two.)
A. Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.
B. Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the files to the distribution S3
bucket.
C. Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.
D. Configure the app to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.
E. Modify the app to add random prefixes to the files before uploading.

Question:
A video streaming company recently launched a mobile app for video sharing. The app uploads files of various sizes to an Amazon S3 bucket in the us-east-1 Region; the files range in size from 1 GB to 10 GB.

Users in Australia have experienced uploads that take a very long time when using the app. Sometimes these users cannot even upload the files completely. A solutions architect must improve the app's performance for these uploads.

Which solutions will meet these requirements? (Choose two.)
A. Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for file uploads.
B. Configure an S3 bucket in each Region to receive the uploaded files. Use S3 Cross-Region Replication to synchronize the files to the distribution bucket.
C. Configure Amazon Route 53 with latency-based routing to route the upload requests to the nearest S3 bucket Region.
D. Configure the app to split the video files into multiple chunks. Use multipart upload to transfer the files to Amazon S3.
E. Modify the app to add a random prefix to the file names before uploading.


69. An application is using an Amazon RDS for MySQL Multi-AZ DB instance in the us-east-1 Region. After a failover test, the application lost the
connections to the database and could not re-establish the connections. After a restart of the application, the application re-established the
connections.
A solutions architect must implement a solution so that the application can re-establish connections to the database without requiring a restart.
Which solution will meet these requirements?
A. Create an Amazon Aurora MySQL Serverless v1 DB instance. Migrate the RDS DB instance to the Aurora Serverless v1 DB instance. Update
the connection settings in the application to point to the Aurora reader endpoint.
B. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS
proxy endpoint.
C. Create a two-node Amazon Aurora MySQL DB cluster. Migrate the RDS DB instance to the Aurora DB cluster. Create an RDS proxy. Configure
the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.
D. Create an Amazon S3 bucket. Export the database to Amazon S3 by using AWS Database Migration Service (AWS DMS). Configure Amazon
Athena to use the S3 bucket as a data store. Install the latest Open Database Connectivity (ODBC) driver for the application. Update the
connection settings in the application to point to the Athena endpoint.

An application is using an Amazon RDS for MySQL Multi-AZ DB instance in the US East (N. Virginia) Region (us-east-1). After a failover test, the application lost its connections to the database and could not re-establish them. After the application was restarted, it re-established the connections.
A solutions architect must implement a solution so that the application can re-establish connections to the database without requiring a restart.
Which solution will meet these requirements?
A. Create an Amazon Aurora MySQL Serverless v1 DB instance. Migrate the RDS DB instance to the Aurora Serverless v1 DB instance. Update the connection settings in the application to point to the Aurora reader endpoint.
B. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.
C. Create a two-node Amazon Aurora MySQL DB cluster. Migrate the RDS DB instance to the Aurora DB cluster. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.
D. Create an Amazon S3 bucket. Export the database to Amazon S3 by using AWS Database Migration Service (AWS DMS). Configure Amazon Athena to use the S3 bucket as a data store. Install the latest Open Database Connectivity (ODBC) driver for the application. Update the connection settings in the application to point to the Athena endpoint.


70. A company is building a solution in the AWS Cloud. Thousands of devices will connect to the solution and send data. Each device needs to be able
to send and receive data in real time over the MQTT protocol. Each device must authenticate by using a unique X.509 certificate.
Which solution will meet these requirements with the LEAST operational overhead?
A. Set up AWS IoT Core. For each device, create a corresponding Amazon MQ queue and provision a certificate. Connect each device to
Amazon MQ.
B. Create a Network Load Balancer (NLB) and configure it with an AWS Lambda authorizer. Run an MQTT broker on Amazon EC2 instances in
an Auto Scaling group. Set the Auto Scaling group as the target for the NLB. Connect each device to the NLB.
C. Set up AWS IoT Core. For each device, create a corresponding AWS IoT thing and provision a certificate. Connect each device to AWS IoT
Core.
D. Set up an Amazon API Gateway HTTP API and a Network Load Balancer (NLB). Create integration between API Gateway and the NLB.
Configure a mutual TLS certificate authorizer on the HTTP API. Run an MQTT broker on an Amazon EC2 instance that the NLB targets.
Connect each device to the NLB.

A company is building a solution in the AWS Cloud. Thousands of devices will connect to the solution and send data. Each device needs to be able to send and receive data in real time over the MQTT protocol. Each device must authenticate by using a unique X.509 certificate.
Which solution will meet these requirements with the LEAST operational overhead?
A. Set up AWS IoT Core. For each device, create a corresponding Amazon MQ queue and provision a certificate. Connect each device to Amazon MQ.
B. Create a Network Load Balancer (NLB) and configure it with an AWS Lambda authorizer. Run an MQTT broker on Amazon EC2 instances in an Auto Scaling group. Set the Auto Scaling group as the target of the NLB. Connect each device to the NLB.
C. Set up AWS IoT Core. For each device, create a corresponding AWS IoT thing and provision a certificate. Connect each device to AWS IoT Core.
D. Set up an Amazon API Gateway HTTP API and a Network Load Balancer (NLB). Create an integration between API Gateway and the NLB. Configure a mutual TLS certificate authorizer on the HTTP API. Run an MQTT broker on an Amazon EC2 instance that the NLB targets. Connect each device to the NLB.


71. A company is running several workloads in a single AWS account. A new company policy states that engineers can provision only approved
resources and that engineers must use AWS CloudFormation to provision these resources. A solutions architect needs to create a solution to
enforce the new restriction on the IAM role that the engineers use for access.
What should the solutions architect do to create the solution?
A. Upload AWS CloudFormation templates that contain approved resources to an Amazon S3 bucket. Update the IAM policy for the engineers’
IAM role to only allow access to Amazon S3 and AWS CloudFormation. Use AWS CloudFormation templates to provision resources.
B. Update the IAM policy for the engineers’ IAM role with permissions to only allow provisioning of approved resources and AWS
CloudFormation. Use AWS CloudFormation templates to create stacks with approved resources.
C. Update the IAM policy for the engineers’ IAM role with permissions to only allow AWS CloudFormation actions. Create a new IAM policy
with permission to provision approved resources, and assign the policy to a new IAM service role. Assign the IAM service role to AWS
CloudFormation during stack creation.
D. Provision resources in AWS CloudFormation stacks. Update the IAM policy for the engineers’ IAM role to only allow access to their own
AWS CloudFormation stack.

A company is running several workloads in a single AWS account. A new company policy states that engineers can provision only approved
resources and must use AWS CloudFormation to provision them. A solutions architect needs to create a solution
to enforce this new restriction on the IAM role that the engineers use for access.
What should the solutions architect do to create this solution?
A. Upload AWS CloudFormation templates that contain approved resources to an Amazon S3 bucket. Update the IAM policy of the engineers' IAM role to allow access only to Amazon S3 and AWS CloudFormation. Use the AWS CloudFormation templates to provision resources.
B. Update the IAM policy of the engineers' IAM role to allow only the provisioning of approved resources and AWS CloudFormation. Use AWS CloudFormation templates to create stacks that contain approved resources.
C. Update the IAM policy of the engineers' IAM role to allow only AWS CloudFormation actions. Create a new IAM policy that grants permission to provision approved resources, and assign that policy to a new IAM service role. Assign that IAM service role to AWS CloudFormation during stack creation.
D. Provision resources in AWS CloudFormation stacks. Update the IAM policy of the engineers' IAM role to allow access only to their own AWS CloudFormation stacks.


72. A solutions architect is designing the data storage and retrieval architecture for a new application that a company will be launching soon. The
application is designed to ingest millions of small records per minute from devices all around the world. Each record is less than 4 KB in size and
needs to be stored in a durable location where it can be retrieved with low latency. The data is ephemeral and the company is required to store the
data for 120 days only, after which the data can be deleted.
The solutions architect calculates that, during the course of a year, the storage requirements would be about 10-15 TB.
Which storage strategy is the MOST cost-effective and meets the design requirements?
A. Design the application to store each incoming record as a single .csv file in an Amazon S3 bucket to allow for indexed retrieval. Configure a
lifecycle policy to delete data older than 120 days.
B. Design the application to store each incoming record in an Amazon DynamoDB table properly configured for the scale. Configure the
DynamoDB Time to Live (TTL) feature to delete records older than 120 days.
C. Design the application to store each incoming record in a single table in an Amazon RDS MySQL database. Run a nightly cron job that runs
a query to delete any records older than 120 days.
D. Design the application to batch incoming records before writing them to an Amazon S3 bucket. Update the metadata for the object to
contain the list of records in the batch and use the Amazon S3 metadata search feature to retrieve the data. Configure a lifecycle policy to
delete the data after 120 days.

A solutions architect is designing the data storage and retrieval architecture for a new application that a company will launch soon.
The application needs to receive millions of small records per minute from devices around the world, each record less than 4 KB in size.
The data needs to be stored in a durable location and be retrievable with low latency. The data is ephemeral; the company only needs to retain it for 120 days, after which it can be deleted.
The architect calculates that the storage requirement for a full year would be about 10-15 TB.
Which storage strategy meets the design requirements and is the MOST cost-effective?
A. Design the application to store each incoming record as a separate .csv file in an Amazon S3 bucket to allow indexed retrieval. Configure a lifecycle policy to delete data older than 120 days.
B. Design the application to store each incoming record in an Amazon DynamoDB table that is properly configured for the scale. Use the DynamoDB Time to Live (TTL) feature to delete records older than 120 days.
C. Design the application to store all incoming records in a single table in an Amazon RDS MySQL database. Set up a cron job that runs daily and deletes records older than 120 days with a query.
D. Design the application to batch the incoming records before writing them to an Amazon S3 bucket. Update the object metadata to contain the list of records in the batch, and use the Amazon S3 metadata search feature to retrieve the data. Configure a lifecycle policy to delete the data after 120 days.


73. A retail company is hosting an ecommerce website on AWS across multiple AWS Regions. The company wants the website to be operational at all
times for online purchases. The website stores data in an Amazon RDS for MySQL DB instance.
Which solution will provide the HIGHEST availability for the database?
A. Configure automated backups on Amazon RDS. In the case of disruption, promote an automated backup to be a standalone DB instance.
Direct database traffic to the promoted DB instance. Create a replacement read replica that has the promoted DB instance as its source.
B. Configure global tables and read replicas on Amazon RDS. Activate the cross-Region scope. In the case of disruption, use AWS Lambda to
copy the read replicas from one Region to another Region.
C. Configure global tables and automated backups on Amazon RDS. In the case of disruption, use AWS Lambda to copy the read replicas from
one Region to another Region.
D. Configure read replicas on Amazon RDS. In the case of disruption, promote a cross-Region and read replica to be a standalone DB instance.
Direct database traffic to the promoted DB instance. Create a replacement read replica that has the promoted DB instance as its source.

A retail company hosts an ecommerce website across multiple Amazon Web Services Regions. The company wants the website to be operational at all times for online purchases. The website stores data in an Amazon Relational Database Service for MySQL DB instance.

Which solution will provide the HIGHEST availability for the database?

A. Configure automated backups on Amazon Relational Database Service. In the case of a disruption, promote an automated backup to a standalone DB instance. Direct database traffic to the promoted DB instance. Create a new read replica that uses the promoted DB instance as its source.

B. Configure global tables and read replicas on Amazon Relational Database Service. Activate the cross-Region scope. In the case of a disruption, use AWS Lambda to copy the read replicas from one Region to another.

C. Configure global tables and automated backups on Amazon Relational Database Service. In the case of a disruption, use AWS Lambda to copy the read replicas from one Region to another.

D. Configure read replicas on Amazon Relational Database Service. In the case of a disruption, promote a cross-Region read replica to a standalone DB instance. Direct database traffic to the promoted DB instance. Create a new read replica that uses the promoted DB instance as its source.


74. Example Corp. has an on-premises data center and a VPC named VPC A in the Example Corp. AWS account. The on-premises network connects to
VPC A through an AWS Site-To-Site VPN. The on-premises servers can properly access VPC A. Example Corp. just acquired AnyCompany, which
has a VPC named VPC B. There is no IP address overlap among these networks. Example Corp. has peered VPC A and VPC B.
Example Corp. wants to connect from its on-premises servers to VPC B. Example Corp. has properly set up the network ACL and security groups.
Which solution will meet this requirement with the LEAST operational effort?
A. Create a transit gateway. Attach the Site-to-Site VPN, VPC A, and VPC B to the transit gateway. Update the transit gateway route tables for
all networks to add IP range routes for all other networks.
B. Create a transit gateway. Create a Site-to-Site VPN connection between the on-premises network and VPC B, and connect the VPN
connection to the transit gateway. Add a route to direct traffic to the peered VPCs, and add an authorization rule to give clients access to the
VPCs A and B.
C. Update the route tables for the Site-to-Site VPN and both VPCs for all three networks. Configure BGP propagation for all three networks.
Wait for up to 5 minutes for BGP propagation to finish.
D. Modify the Site-to-Site VPN’s virtual private gateway definition to include VPC A and VPC B. Split the two routers of the virtual private
gateway between the two VPCs.



75. A company recently completed the migration from an on-premises data center to the AWS Cloud by using a replatforming strategy. One of the
migrated servers is running a legacy Simple Mail Transfer Protocol (SMTP) service that a critical application relies upon. The application sends
outbound email messages to the company’s customers. The legacy SMTP server does not support TLS encryption and uses TCP port 25. The
application can use SMTP only.
The company decides to use Amazon Simple Email Service (Amazon SES) and to decommission the legacy SMTP server. The company has
created and validated the SES domain. The company has lifted the SES limits.
What should the company do to modify the application to send email messages from Amazon SES?
A. Configure the application to connect to Amazon SES by using TLS Wrapper. Create an IAM role that has ses:SendEmail and
ses:SendRawEmail permissions. Attach the IAM role to an Amazon EC2 instance.
B. Configure the application to connect to Amazon SES by using STARTTLS. Obtain Amazon SES SMTP credentials. Use the credentials to
authenticate with Amazon SES.
C. Configure the application to use the SES API to send email messages. Create an IAM role that has ses:SendEmail and ses:SendRawEmail
permissions. Use the IAM role as a service role for Amazon SES.
D. Configure the application to use AWS SDKs to send email messages. Create an IAM user for Amazon SES. Generate API access keys. Use
the access keys to authenticate with Amazon SES.



76. A company recently acquired several other companies. Each company has a separate AWS account with a different billing and reporting method.
The acquiring company has consolidated all the accounts into one organization in AWS Organizations. However, the acquiring company has found
it difficult to generate a cost report that contains meaningful groups for all the teams.
The acquiring company’s finance team needs a solution to report on costs for all the companies through a self-managed application.
Which solution will meet these requirements?
A. Create an AWS Cost and Usage Report for the organization. Define tags and cost categories in the report. Create a table in Amazon Athena.
Create an Amazon QuickSight dataset based on the Athena table. Share the dataset with the finance team.
B. Create an AWS Cost and Usage Report for the organization. Define tags and cost categories in the report. Create a specialized template in
AWS Cost Explorer that the finance department will use to build reports.
C. Create an Amazon QuickSight dataset that receives spending information from the AWS Price List Query API. Share the dataset with the
finance team.
D. Use the AWS Price List Query API to collect account spending information. Create a specialized template in AWS Cost Explorer that the
finance department will use to build reports.



77. A company runs an IoT platform on AWS. IoT sensors in various locations send data to the company’s Node.js API servers on Amazon EC2
instances running behind an Application Load Balancer. The data is stored in an Amazon RDS MySQL DB instance that uses a 4 TB General
Purpose SSD volume.
The number of sensors the company has deployed in the field has increased over time, and is expected to grow significantly. The API servers are
consistently overloaded and RDS metrics show high write latency.
Which of the following steps together will resolve the issues permanently and enable growth as new sensors are provisioned, while keeping this
platform cost-efficient? (Choose two.)
A. Resize the MySQL General Purpose SSD storage to 6 TB to improve the volume’s IOPS.
B. Re-architect the database tier to use Amazon Aurora instead of an RDS MySQL DB instance and add read replicas.
C. Leverage Amazon Kinesis Data Streams and AWS Lambda to ingest and process the raw data.
D. Use AWS X-Ray to analyze and debug application issues and add more API servers to match the load.
E. Re-architect the database tier to use Amazon DynamoDB instead of an RDS MySQL DB instance.



78. A company is building an electronic document management system in which users upload their documents. The application stack is entirely
serverless and runs on AWS in the eu-central-1 Region. The system includes a web application that uses an Amazon CloudFront distribution for
delivery with Amazon S3 as the origin. The web application communicates with Amazon API Gateway Regional endpoints. The API Gateway APIs
call AWS Lambda functions that store metadata in an Amazon Aurora Serverless database and put the documents into an S3 bucket.
The company is growing steadily and has completed a proof of concept with its largest customer. The company must improve latency outside of
Europe.
Which combination of actions will meet these requirements? (Choose two.)
A. Enable S3 Transfer Acceleration on the S3 bucket. Ensure that the web application uses the Transfer Acceleration signed URLs.
B. Create an accelerator in AWS Global Accelerator. Attach the accelerator to the CloudFront distribution.
C. Change the API Gateway Regional endpoints to edge-optimized endpoints.
D. Provision the entire stack in two other locations that are spread across the world. Use global databases on the Aurora Serverless cluster.
E. Add an Amazon RDS proxy between the Lambda functions and the Aurora Serverless database.



79. An adventure company has launched a new feature on its mobile app. Users can use the feature to upload their hiking and rafting photos and
videos anytime. The photos and videos are stored in Amazon S3 Standard storage in an S3 bucket and are served through Amazon CloudFront.
The company needs to optimize the cost of the storage. A solutions architect discovers that most of the uploaded photos and videos are
accessed infrequently after 30 days. However, some of the uploaded photos and videos are accessed frequently after 30 days. The solutions
architect needs to implement a solution that maintains millisecond retrieval availability of the photos and videos at the lowest possible cost.
Which solution will meet these requirements?
A. Configure S3 Intelligent-Tiering on the S3 bucket.
B. Configure an S3 Lifecycle policy to transition image objects and video objects from S3 Standard to S3 Glacier Deep Archive after 30 days.
C. Replace Amazon S3 with an Amazon Elastic File System (Amazon EFS) file system that is mounted on Amazon EC2 instances.
D. Add a Cache-Control: max-age header to the S3 image objects and S3 video objects. Set the header to 30 days.



80. A company uses Amazon S3 to store files and images in a variety of storage classes. The company’s S3 costs have increased substantially during
the past year.
A solutions architect needs to review data trends for the past 12 months and identify the appropriate storage class for the objects.
Which solution will meet these requirements?
A. Download AWS Cost and Usage Reports for the last 12 months of S3 usage. Review AWS Trusted Advisor recommendations for cost
savings.
B. Use S3 storage class analysis. Import data trends into an Amazon QuickSight dashboard to analyze storage trends.
C. Use Amazon S3 Storage Lens. Upgrade the default dashboard to include advanced metrics for storage trends.
D. Use Access Analyzer for S3. Download the Access Analyzer for S3 report for the last 12 months. Import the .csv file to an Amazon
QuickSight dashboard.



81. A company has its cloud infrastructure on AWS. A solutions architect needs to define the infrastructure as code. The infrastructure is currently
deployed in one AWS Region. The company’s business expansion plan includes deployments in multiple Regions across multiple AWS accounts.
What should the solutions architect do to meet these requirements?
A. Use AWS CloudFormation templates. Add IAM policies to control the various accounts. Deploy the templates across the multiple Regions.
B. Use AWS Organizations. Deploy AWS CloudFormation templates from the management account. Use AWS Control Tower to manage
deployments across accounts.
C. Use AWS Organizations and AWS CloudFormation StackSets. Deploy a CloudFormation template from an account that has the necessary
IAM permissions.
D. Use nested stacks with AWS CloudFormation templates. Change the Region by using nested stacks.




83. A company plans to refactor a monolithic application into a modern application design deployed on AWS. The CI/CD pipeline needs to be
upgraded to support the modern design for the application with the following requirements:
• It should allow changes to be released several times every hour.
• It should be able to roll back the changes as quickly as possible.
Which design will meet these requirements?
A. Deploy a CI/CD pipeline that incorporates AMIs to contain the application and their configurations. Deploy the application by replacing
Amazon EC2 instances.
B. Specify AWS Elastic Beanstalk to stage in a secondary environment as the deployment target for the CI/CD pipeline of the application. To
deploy, swap the staging and production environment URLs.
C. Use AWS Systems Manager to re-provision the infrastructure for each deployment. Update the Amazon EC2 user data to pull the latest code
artifact from Amazon S3 and use Amazon Route 53 weighted routing to point to the new environment.
D. Roll out the application updates as part of an Auto Scaling event using prebuilt AMIs. Use new versions of the AMIs to add instances, and
phase out all instances that use the previous AMI version with the configured termination policy during a deployment event.



84. A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where
the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster
is associated with its own security group.
The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.
Which combination of steps will meet these requirements? (Choose two.)
A. Add an inbound rule to the EC2 instances’ security group. Specify the DB cluster’s security group as the source over the default Aurora port.
B. Add an outbound rule to the EC2 instances’ security group. Specify the DB cluster’s security group as the destination over the default
Aurora port.
C. Add an inbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the source over the default Aurora port.
D. Add an outbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the destination over the default Aurora
port.
E. Add an outbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the destination over the ephemeral
ports.



85. A company wants to change its internal cloud billing strategy for each of its business units. Currently, the cloud governance team shares reports
for overall cloud spending with the head of each business unit. The company uses AWS Organizations to manage the separate AWS accounts for
each business unit. The existing tagging standard in Organizations includes the application, environment, and owner. The cloud governance team
wants a centralized solution so each business unit receives monthly reports on its cloud spending. The solution should also send notifications for
any cloud spending that exceeds a set threshold.
Which solution is the MOST cost-effective way to meet these requirements?
A. Configure AWS Budgets in each account and configure budget alerts that are grouped by application, environment, and owner. Add each
business unit to an Amazon SNS topic for each alert. Use Cost Explorer in each account to create monthly reports for each business unit.
B. Configure AWS Budgets in the organization’s management account and configure budget alerts that are grouped by application,
environment, and owner. Add each business unit to an Amazon SNS topic for each alert. Use Cost Explorer in the organization’s management
account to create monthly reports for each business unit.
C. Configure AWS Budgets in each account and configure budget alerts that are grouped by application, environment, and owner. Add each
business unit to an Amazon SNS topic for each alert. Use the AWS Billing and Cost Management dashboard in each account to create monthly
reports for each business unit.
D. Enable AWS Cost and Usage Reports in the organization’s management account and configure reports grouped by application, environment,
and owner. Create an AWS Lambda function that processes AWS Cost and Usage Reports, sends budget alerts, and sends monthly reports to
each business unit’s email list.



86. A company is using AWS CloudFormation to deploy its infrastructure. The company is concerned that, if a production CloudFormation stack is
deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted.
How can the company prevent users from accidentally deleting data in this way?
A. Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS resources.
B. Configure a stack policy that disallows the deletion of RDS and EBS resources.
C. Modify IAM policies to deny deleting RDS and EBS resources that are tagged with an “aws:cloudformation:stack-name” tag.
D. Use AWS Config rules to prevent deleting RDS and EBS resources.



87. A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP
address 198.51.100.2 destined for a private Amazon EC2 instance.
A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the
VPC CIDR block are 203.0.
Which set of steps should the solutions architect take to meet these requirements?
A. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s
elastic network interface. Run a query to filter with the destination address set as “like 203.0” and the source address set as “like
198.51.100.2”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
B. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway’s elastic network interface and the private
instance’s elastic network interface. Run a query to filter with the destination address set as “like 203.0” and the source address set as “like
198.51.100.2”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
C. Open the AWS CloudTrail console. Select the log group that contains the NAT gateway’s elastic network interface and the private instance’s
elastic network interface. Run a query to filter with the destination address set as “like 198.51.100.2” and the source address set as “like
203.0”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
D. Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway’s elastic network interface and the private
instance’s elastic network interface. Run a query to filter with the destination address set as “like 198.51.100.2” and the source address set as
“like 203.0”. Run the stats command to filter the sum of bytes transferred by the source address and the destination address.
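How the triage behind this question can be done over the records themselves, as an added example that is not part of the exam page: it parses default-format VPC Flow Log lines from the NAT gateway's and the private instance's network interfaces, treats an inbound ACCEPT from a public address as solicited only when a mirrored outbound flow from the private host preceded it, and sums bytes per source/destination pair. The sample lines, the ENI ids, the 203.0.113.10 instance address and the 203.0.0.0/16 CIDR are constructed assumptions.

```python
"""Triage VPC Flow Log ACCEPT records for inbound traffic from a public IP.

Added example for this question; not code from the exam page or from AWS.
Assumes the default (version 2) flow-log record format and constructed
sample records for a private instance at 203.0.113.10 behind a NAT gateway.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Field order of the default version-2 VPC Flow Log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption: the question only says the VPC CIDR starts with 203.0.
VPC_CIDR = ip_network("203.0.0.0/16")


@dataclass(frozen=True)
class Flow:
    eni: str
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    nbytes: int
    start: int
    action: str


def parse_flow(line: str):
    """Parse one default-format record. NODATA/SKIPDATA records carry '-' in
    the address and port fields and describe no flow, so they yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return Flow(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                int(rec["srcport"]), int(rec["dstport"]), int(rec["protocol"]),
                int(rec["bytes"]), int(rec["start"]), rec["action"])


def inbound_from_internet(flows):
    """ACCEPTed records whose source is outside the VPC and destination inside."""
    return [f for f in flows
            if f.action == "ACCEPT"
            and ip_address(f.src) not in VPC_CIDR
            and ip_address(f.dst) in VPC_CIDR]


def is_solicited(inbound: Flow, flows) -> bool:
    """True when some ACCEPTed record on any interface shows the VPC host
    opening the mirrored 5-tuple (same protocol, addresses and ports swapped)
    no later than the inbound record's capture window. Return traffic for a
    connection the private instance initiated looks exactly like this on the
    NAT gateway's interface; a connection the internet host opened does not."""
    return any(f.action == "ACCEPT" and f.proto == inbound.proto
               and f.src == inbound.dst and f.dst == inbound.src
               and f.sport == inbound.dport and f.dport == inbound.sport
               and f.start <= inbound.start
               for f in flows)


def bytes_by_pair(flows):
    """Sum of bytes per (srcaddr, dstaddr): the aggregation the question's
    stats step describes, so a large unsolicited flow stands out."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.nbytes
    return dict(totals)


def triage(lines):
    """Map each inbound-from-internet ACCEPT to True (solicited) or False."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    return {(f.src, f.dst, f.sport, f.dport): is_solicited(f, flows)
            for f in inbound_from_internet(flows)}


# Constructed sample records: NAT gateway interface eni-nat0001, instance eni-app0001.
SAMPLE_LINES = [
    # The instance opens HTTPS to 198.51.100.2; both interfaces log the outbound flow.
    "2 123456789012 eni-app0001 203.0.113.10 198.51.100.2 49152 443 6 10 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-nat0001 203.0.113.10 198.51.100.2 49152 443 6 10 1500 1700000000 1700000060 ACCEPT OK",
    # Return traffic for that connection: an inbound ACCEPT from the public IP, but solicited.
    "2 123456789012 eni-nat0001 198.51.100.2 203.0.113.10 443 49152 6 12 9000 1700000000 1700000060 ACCEPT OK",
    # A separate flow to TCP 22 on the instance with no earlier outbound counterpart:
    # this ACCEPT is unsolicited and is what the architect needs to find.
    "2 123456789012 eni-app0001 198.51.100.2 203.0.113.10 51000 22 6 3 180 1700000120 1700000180 ACCEPT OK",
    # A capture window with no traffic; it carries no addresses and must be skipped.
    "2 123456789012 eni-app0001 - - - - - - - 1700000180 1700000240 - NODATA",
]

if __name__ == "__main__":
    for key, solicited in triage(SAMPLE_LINES).items():
        print(key, "solicited" if solicited else "UNSOLICITED")
```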



88. A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS
Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3
bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects.
Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be
stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
What is the MOST operationally efficient solution that meets these requirements?
A. Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.
B. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on
each S3 bucket by using the corresponding KMS key in that AWS account. Encrypt the existing objects by using an S3 copy command in the
AWS CLI.
C. Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
D. Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS)
on each S3 bucket by using the corresponding KMS key in that AWS account. Use S3 Batch Operations to copy the objects into the same
location.



89. A company is running an application in the AWS Cloud. The application collects and stores a large amount of unstructured data in an Amazon S3
bucket. The S3 bucket contains several terabytes of data and uses the S3 Standard storage class. The data increases in size by several gigabytes
every day.
The company needs to query and analyze the data. The company does not access data that is more than 1 year old. However, the company must
retain all the data indefinitely for compliance reasons.
Which solution will meet these requirements MOST cost-effectively?
A. Use S3 Select to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.
B. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier
Deep Archive.
C. Use an AWS Glue Data Catalog and Amazon Athena to query the data. Create an S3 Lifecycle policy to transition data that is more than 1
year old to S3 Glacier Deep Archive.
D. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3
Intelligent-Tiering.



90. A video processing company wants to build a machine learning (ML) model by using 600 TB of compressed data that is stored as thousands of
files in the company’s on-premises network attached storage system. The company does not have the necessary compute resources on premises
for ML experiments and wants to use AWS.
The company needs to complete the data transfer to AWS within 3 weeks. The data transfer will be a one-time transfer. The data must be
encrypted in transit. The measured upload speed of the company’s internet connection is 100 Mbps, and multiple departments share the
connection.
Which solution will meet these requirements MOST cost-effectively?
A. Order several AWS Snowball Edge Storage Optimized devices by using the AWS Management Console. Configure the devices with a
destination S3 bucket. Copy the data to the devices. Ship the devices back to AWS.
B. Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS Region. Transfer the data over a VPN
connection into the Region to store the data in Amazon S3.
C. Create a VPN connection between the on-premises network attached storage and the nearest AWS Region. Transfer the data over the VPN
connection.
D. Deploy an AWS Storage Gateway file gateway on premises. Configure the file gateway with a destination S3 bucket. Copy the data to the file
gateway.



91. A company has migrated its forms-processing application to AWS. When users interact with the application, they upload scanned forms as files
through a web application. A database stores user metadata and references to files that are stored in Amazon S3. The web application runs on
Amazon EC2 instances and an Amazon RDS for PostgreSQL database.
When forms are uploaded, the application sends notifications to a team through Amazon Simple Notification Service (Amazon SNS). A team
member then logs in and processes each form. The team member performs data validation on the form and extracts relevant data before entering
the information into another system that uses an API.
A solutions architect needs to automate the manual processing of the forms. The solution must provide accurate form extraction, minimize time
to market, and minimize long-term operational overhead.
Which solution will meet these requirements?
A. Develop custom libraries to perform optical character recognition (OCR) on the forms. Deploy the libraries to an Amazon Elastic Kubernetes
Service (Amazon EKS) cluster as an application tier. Use this tier to process the forms when forms are uploaded. Store the output in Amazon
S3. Parse this output by extracting the data into an Amazon DynamoDB table. Submit the data to the target system’s API. Host the new
application tier on EC2 instances.
B. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use artificial intelligence
and machine learning (AI/ML) models that are trained and hosted on an EC2 instance to perform optical character recognition (OCR) on the
forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application
tier. Submit the data to the target system’s API.
C. Host a new application tier on EC2 instances. Use this tier to call endpoints that host artificial intelligence and machine learning (AI/ML)
models that are trained and hosted in Amazon SageMaker to perform optical character recognition (OCR) on the forms. Store the output in
Amazon ElastiCache. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system’s
API.
D. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use Amazon Textract and
Amazon Comprehend to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3.
Parse this output by extracting the data that is required within the application tier. Submit the data to the target system’s API.

A company has migrated its forms-processing application to AWS. When users interact with the application, they upload scanned forms as files through a web application.
A database stores user metadata and references to the files stored in Amazon S3. The web application runs on Amazon EC2 instances and uses an Amazon RDS for PostgreSQL database.
When a form is uploaded, the application sends a notification to a team through Amazon Simple Notification Service (Amazon SNS). A team member then logs in and processes each form. Before entering the information into another system that uses an API, the team member validates the data on the form and extracts the relevant data.
A solutions architect needs to automate the manual form-processing workflow. The solution must provide accurate form extraction, shorten time to market, and minimize long-term operational overhead.
Which solution meets these requirements?
A. Develop custom libraries to perform optical character recognition (OCR) on the forms. Deploy these libraries to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster as an application tier. Use this tier to process the forms when they are uploaded. Store the output in Amazon S3. Parse this output by extracting the data into an Amazon DynamoDB table. Submit the data to the target system's API. Host the new application tier on EC2 instances.
B. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use artificial intelligence and machine learning (AI/ML) models that are trained and hosted on an EC2 instance to perform optical character recognition (OCR) on the forms when they are uploaded. Store the output in Amazon S3. Parse this output by extracting the required data within the application tier. Submit the data to the target system's API.
C. Host a new application tier on EC2 instances. Use this tier to call the endpoints of artificial intelligence and machine learning (AI/ML) models that are trained and hosted in Amazon SageMaker to perform optical character recognition (OCR) on the forms. Store the output in Amazon ElastiCache. Parse this output by extracting the required data within the application tier. Submit the data to the target system's API.
D. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use Amazon Textract and Amazon Comprehend to perform optical character recognition (OCR) on the forms when they are uploaded. Store the output in Amazon S3. Parse this output by extracting the required data within the application tier. Submit the data to the target system's API.

92 / 100

Category: SAP-C02

92. A company is refactoring its on-premises order-processing platform in the AWS Cloud. The platform includes a web front end that is hosted on a
fleet of VMs, RabbitMQ to connect the front end to the backend, and a Kubernetes cluster to run a containerized backend system to process the
orders. The company does not want to make any major changes to the application.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set
up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order
processing backend.
B. Create a custom AWS Lambda runtime to mimic the web server environment. Create an Amazon API Gateway API to replace the front-end
web servers. Set up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS)
to host the order-processing backend.
C. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set
up Amazon MQ to replace the on-premises messaging queue. Install Kubernetes on a fleet of different EC2 instances to host the order
processing backend.
D. Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up
an Amazon Simple Queue Service (Amazon SQS) queue to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes
Service (Amazon EKS) to host the order-processing backend.

A company is refactoring its on-premises order-processing platform in the AWS Cloud. The platform includes a web front end hosted on a group of virtual machines, RabbitMQ to connect the front end and the backend, and a Kubernetes cluster that runs a containerized backend system to process orders. The company does not want to make any major changes to the application.

Which solution meets these requirements with the least operational overhead?

A. Create an AMI of the web server virtual machine. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises message queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.

B. Create a custom AWS Lambda runtime to mimic the web server environment. Create an Amazon API Gateway API to replace the front-end web servers. Set up Amazon MQ to replace the on-premises message queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.

C. Create an AMI of the web server virtual machine. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises message queue. Install Kubernetes on a separate group of EC2 instances to host the order-processing backend.

D. Create an AMI of the web server virtual machine. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up an Amazon Simple Queue Service (Amazon SQS) queue to replace the on-premises message queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.

93 / 100

Category: SAP-C02

93. A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application
Load Balancer. The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must
not adversely affect legitimate traffic to the application.
How should a solutions architect configure the web ACLs to meet these requirements?
A. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid
any false positive. Over time, change the action of the web ACL rules from Count to Block.
B. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the
limit. Define nested rules to narrow the scope of the rate tracking.
C. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using
Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
D. Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false
positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.

A company has developed a web application. The company hosts the application on a group of Amazon EC2 instances behind an Application Load Balancer.
The company wants to improve the application's security posture and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application.
How should a solutions architect configure the web ACLs to meet these requirements?
A. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positives. Over time, change the action of the web ACL rules from Count to Block.
B. Use only rate-based rules in the web ACLs and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.
C. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics together with AWS WAF sampled requests or AWS WAF logs.
D. Use only custom rule groups in the web ACLs and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positives. Over time, change the action of the web ACL rules from Allow to Block.

94 / 100

Category: SAP-C02

94. A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company
manages common security group rules for the AWS accounts in the organization.
The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to and from the company’s on-premises
network. Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own
AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list.
The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team’s AWS account. Deploy an AWS Lambda function in
each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take
an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing
messages to its SNS topic.
B. Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all
internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their
security groups. Instruct the security team to share updates with each AWS account owner.
C. Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal
CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each
AWS account to allow the new customer-managed prefix list ID in their security groups.
D. Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in
the security team’s AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each
organization account, and add the list of IP addresses to the security groups in each account.

A company has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages the common security group rules for the AWS accounts in the organization.
The company keeps a common set of IP CIDR ranges in an allow list in each of its AWS accounts to permit access to and from the company's on-premises network. Developers in each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when the allow list changes.
The solutions architect must design a solution that distributes this common set of CIDR ranges across all accounts.
Which solution meets these requirements with the least operational overhead?
A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time the SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.
B. Create new customer-managed prefix lists in each AWS account in the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their security groups. Instruct the security team to share updates with each AWS account owner.
C. Create a new customer-managed prefix list in the security team's AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
D. Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team's AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume the role in each organization account, and add the list of IP addresses to the security groups in each account.

95 / 100

Category: SAP-C02

95. A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is
hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company’s on-premises
office network through an AWS Site-to-Site VPN connection. The VPC in the company’s main AWS account has peering connections established
with VPCs in other AWS accounts.
A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home.
What is the MOST cost-effective solution that meets these requirements?
A. Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.
B. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.
C. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure
required routing that allows access to internal applications.
D. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site
VPN.

A company has introduced a new policy that allows employees to work remotely from home, provided that they connect by using a VPN.
The company hosts internal applications in VPCs in multiple AWS accounts. Currently, these applications are reachable from the company's on-premises office network through an AWS Site-to-Site VPN connection.
The VPC in the company's main AWS account has peering connections with the VPCs in the other AWS accounts.
A solutions architect must design a scalable AWS Client VPN solution for employees to use while working from home.
Which solution meets these requirements in the most cost-effective way?
A. Create a Client VPN endpoint in each AWS account. Configure the routing required to allow access to the internal applications.
B. Create a Client VPN endpoint in the main AWS account. Configure the routing required to allow access to the internal applications.
C. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway connected to each AWS account. Configure the routing required to allow access to the internal applications.
D. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.

96 / 100

Category: SAP-C02

96. A company is running an application in the AWS Cloud. Recent application metrics show inconsistent response times and a significant increase in
error rates. Calls to third-party services are causing the delays. Currently, the application calls third-party services synchronously by directly
invoking an AWS Lambda function.
A solutions architect needs to decouple the third-party service calls and ensure that all the calls are eventually completed.
Which solution will meet these requirements?
A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the Lambda function.
B. Use an AWS Step Functions state machine to pass events to the Lambda function.
C. Use an Amazon EventBridge rule to pass events to the Lambda function.
D. Use an Amazon Simple Notification Service (Amazon SNS) topic to store events and invoke the Lambda function.

A company runs an application in the AWS Cloud. Recent application metrics show inconsistent response times and a significant increase in error rates.
Calls to third-party services are causing the delays. Currently, the application calls the third-party services synchronously by directly invoking an AWS Lambda function.
A solutions architect needs to decouple the third-party service calls and ensure that all calls are eventually completed.
Which solution meets these requirements?
A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store the events and invoke the Lambda function.
B. Use an AWS Step Functions state machine to pass the events to the Lambda function.
C. Use an Amazon EventBridge rule to pass the events to the Lambda function.
D. Use an Amazon Simple Notification Service (Amazon SNS) topic to store the events and invoke the Lambda function.

97 / 100

Category: SAP-C02

97. A company is running applications on AWS in a multi-account environment. The company’s sales team and marketing team use separate AWS
accounts in AWS Organizations.
The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The
marketing team needs access to data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key
Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in
the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3
bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.
B. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the
KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to
the S3 bucket.
C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that
is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant
access to the S3 bucket.
D. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales
account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.

A company runs applications in a multi-account AWS environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations.

The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualization. The marketing team needs access to the data that the sales team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key.

The marketing team has already created the IAM service role that gives QuickSight access in the marketing AWS account. The company needs a solution that provides secure cross-account access to the data in the S3 bucket.

Which solution meets these requirements with the least operational overhead?

A. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.

B. Create an SCP to grant the marketing account access to the S3 bucket. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sales account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.

C. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key used by the S3 bucket. Grant the QuickSight role decrypt access. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.

D. Create an IAM role in the sales account and grant it access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to establish a trust relationship with the new IAM role in the sales account.

98 / 100

Category: SAP-C02

98. A company is planning to migrate its business-critical applications from an on-premises data center to AWS. The company has an on-premises
installation of a Microsoft SQL Server Always On cluster. The company wants to migrate to an AWS managed database service. A solutions
architect must design a heterogeneous database migration on AWS.
Which solution will meet these requirements?
A. Migrate the SQL Server databases to Amazon RDS for MySQL by using backup and restore utilities.
B. Use an AWS Snowball Edge Storage Optimized device to transfer data to Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration
with SQL Server features, such as BULK INSERT.
C. Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS for MySQL. Then use AWS Database Migration
Service (AWS DMS) to migrate the data from on-premises databases to Amazon RDS.
D. Use AWS DataSync to migrate data over the network between on-premises storage and Amazon S3. Set up Amazon RDS for MySQL. Use S3
integration with SQL Server features, such as BULK INSERT.

A company is planning to migrate its business-critical applications from an on-premises data center to AWS. The company has an on-premises Microsoft SQL Server Always On cluster. The company wants to migrate to an AWS managed database service. A solutions architect must design a heterogeneous database migration on AWS.

Which solution meets these requirements?

A. Migrate the SQL Server databases to Amazon RDS for MySQL by using backup and restore utilities.

B. Use an AWS Snowball Edge Storage Optimized device to transfer the data to Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features such as BULK INSERT.

C. Use the AWS Schema Conversion Tool to convert the database schema for Amazon RDS for MySQL. Then use AWS Database Migration Service (AWS DMS) to migrate the data from the on-premises databases to Amazon RDS.

D. Use AWS DataSync to migrate the data over the network between on-premises storage and Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features such as BULK INSERT.

99 / 100

Category: SAP-C02

99. A publishing company’s design team updates the icons and other static assets that an ecommerce web application uses. The company serves the
icons and assets from an Amazon S3 bucket that is hosted in the company’s production account. The company also uses a development account
that members of the design team can access.
After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the
production account. A solutions architect must provide the design team with access to the production account without exposing other parts of
the web application to the risk of unwanted changes.
Which combination of steps will meet these requirements? (Choose three.)
A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.
B. In the development account, create a new IAM policy that allows read and write access to the S3 bucket.
C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.
D. In the development account, create a role. Attach the new policy to the role. Define the production account as a trusted entity.
E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to
allow the sts:AssumeRole action on the role in the production account.
F. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to
allow the sts:AssumeRole action on the role in the development account.

A publishing company's design team updates the icons and other static assets used by an ecommerce web application. The company serves these icons and assets from an Amazon S3 bucket in its production account. The company also uses a development account that the design team can access.
After the design team tests the static assets in the development account, it needs to load the assets into the S3 bucket in the production account. A solutions architect must give the design team access to the production account without exposing other parts of the web application to the risk of unwanted changes.
Which combination of steps meets these requirements? (Choose three.)
A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.
B. In the development account, create a new IAM policy that allows read and write access to the S3 bucket.
C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.
D. In the development account, create a role. Attach the new policy to the role. Define the production account as a trusted entity.
E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group that allows the sts:AssumeRole action on the role in the production account.
F. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group that allows the sts:AssumeRole action on the role in the development account.

100 / 100

Category: SAP-C02

100. A company developed a pilot application by using AWS Elastic Beanstalk and Java. To save costs during development, the company’s
development team deployed the application into a single-instance environment. Recent tests indicate that the application consumes more CPU
than expected. CPU utilization is regularly greater than 85%, which causes some performance bottlenecks.
A solutions architect must mitigate the performance issues before the company launches the application to production.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new Elastic Beanstalk application. Select a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that
will run if the maximum CPU utilization is over 85% for 5 minutes.
B. Create a second Elastic Beanstalk environment. Apply the traffic-splitting deployment policy. Specify a percentage of incoming traffic to
direct to the new environment if the average CPU utilization is over 85% for 5 minutes.
C. Modify the existing environment’s capacity configuration to use a load-balanced environment type. Select all Availability Zones. Add a
scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes.
D. Select the Rebuild environment action with the load balancing option. Select an Availability Zone. Add a scale-out rule that will run if the
sum CPU utilization is over 85% for 5 minutes.

A company developed a pilot application by using AWS Elastic Beanstalk and Java. To save costs during development, the company's development team deployed the application into a single-instance environment.
Recent tests show that the application consumes more CPU than expected. CPU utilization is regularly above 85%, which causes some performance bottlenecks.
A solutions architect must mitigate these performance issues before the company launches the application to production.
Which solution meets these requirements with the least operational overhead?
A. Create a new Elastic Beanstalk application. Select a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that triggers when the maximum CPU utilization is over 85% for 5 minutes.
B. Create a second Elastic Beanstalk environment. Apply the traffic-splitting deployment policy. Specify a percentage of incoming traffic to direct to the new environment when the average CPU utilization is over 85% for 5 minutes.
C. Modify the existing environment's capacity configuration to use a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that triggers when the average CPU utilization is over 85% for 5 minutes.
D. Select the "Rebuild environment" action with the load balancing option. Select one Availability Zone. Add a scale-out rule that triggers when the total CPU utilization is over 85% for 5 minutes.

Article URL: https://www.neiwangchuantou.com/2025/02/aws-sap-c02%e7%9c%9f%e9%a2%98-no-1-100/ (reproduction prohibited)

Comments (1)

  1. Test comment test comment
    wapai 2025-03-02 0 Reply