What Highest Quality SAA-C03 Exam Topics Is

NEW QUESTION 1
A company uses a popular content management system (CMS) tot its corporate website. However, the required patching and maintenance are burdensome. The company is redesigning its website and wants a new solution. The website will be updated tour times a year and does not need to have any dynamic content available The solution must provide high scalability and enhanced security
Which combination of changes will meet those requirements with the LEAST operational overhead? (Select TWO)

• A. Deploy an AWS WAF web ACL in front of the website to provide HTTPS functionality
• B. Create and deploy an AWS Lambda function to manage and serve the website content
• C. Create the new website and an Amazon S3 bucket Deploy the website on the S3 bucket with static website hosting enabled
• D. Create the new websit
• E. Deploy the website by using an Auto Scaling group of Amazon EC2 instances behind an Application Load Balancer.

Answer: D

NEW QUESTION 2
A company's order system sends requests from clients to Amazon EC2 instances The EC2 instances process the orders and then store the orders in a database on Amazon RDS. Users report that they must reprocess orders when the system fails. The company wants a resilient solution that can process orders automatically if a system outage occurs.
What should a solutions architect do to meet these requirements?

• A. Move the EC2 instances Into an Auto Scaling grou
• B. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Elastic Container Service (Amazon ECS) task
• C. Move the EC2 instances into an Auto Seating group behind an Application Load Balancer (Al B) Update the order system to send message to the ALB endpoint
• D. Move the EC2 instances into an Auto Scaling grou
• E. Configure the order system to send messages to an Amazon Simple Queue Service (Amazon SGS) queu
• F. Configure the EC2 instances to consume messages from the queue.
• G. Create an Amazon Simple Notification Service (Amazon SNS) topi
• H. Create an AWS Lambda function, and subscribe the function to the SNS topic Configure (he order system to send messages to the SNS topi
• I. Send a command to the EC2 instances to process the messages by using AWS Systems Manager Run Command

Answer: C

NEW QUESTION 3
A company has on-premises servers that run a relational database The database serves high-read traffic for users in different locations The company wants to migrate the database to AWS with the least amount of effort The database solution must support high availability and must not affect the company's current traffic flow
Which solution meets these requirements?

• A. Use a database in Amazon RDS with Multi-AZ and at least one read replica.
• B. Use a database in Amazon RDS with Multi-AZ and at least one standby replica.
• C. Use databases that are hosted on multiple Amazon EC2 instances in different AWS Regions.
• D. Use databases that are hosted on Amazon EC2 instances behind an Application Load Balancer in different Availability Zones

Answer: A

Explanation:
https://aws.amazon.com/blogs/database/implementing-a-disaster-recovery-strategy-with-amazon-rds/

NEW QUESTION 4
A company hosts its product information webpages on AWS The existing solution uses multiple Amazon EC2 instances behind an Application Load Balancer in an Auto Scaling group. The website also uses a custom DNS name and communicates with HTTPS only using a dedicated SSL certificate The company is planning a new product launch and wants to be sure that users from around the world have the best possible experience on the new website
What should a solutions architect do to meet these requirements?

• A. Redesign the application to use Amazon CloudFront
• B. Redesign the application to use AWS Elastic Beanstalk
• C. Redesign the application to use a Network Load Balancer.
• D. Redesign the application to use Amazon S3 static website hosting

Answer: A

Explanation:
as CloudFront can help provide the best experience for global users. CloudFront integrates seamlessly with ALB and provides and option to use custom DNS and SSL certs.

NEW QUESTION 5
A company is building a containerized application on premises and decides to move the application to AWS. The application will have thousands of users soon after li is deployed. The company Is unsure how to manage the deployment of containers at scale. The company needs to deploy the containerized application in a highly available architecture that minimizes operational overhead.
Which solution will meet these requirements?

• A. Store container images In an Amazon Elastic Container Registry (Amazon ECR) repositor
• B. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the AWS Fargate launch type to run the container
• C. Use target tracking to scale automatically based on demand.
• D. Store container images in an Amazon Elastic Container Registry (Amazon ECR) repositor
• E. Use an Amazon Elastic Container Service (Amazon ECS) cluster with the Amazon EC2 launch type to run the container
• F. Use target tracking to scale automatically based on demand.
• G. Store container images in a repository that runs on an Amazon EC2 instanc
• H. Run the containers on EC2 instances that are spread across multiple Availability Zone
• I. Monitor the average CPU utilization in Amazon CloudWatc
• J. Launch new EC2 instances as needed
• K. Create an Amazon EC2 Amazon Machine Image (AMI) that contains the container image Launch EC2 Instances in an Auto Scaling group across multiple Availability Zone
• L. Use an Amazon CloudWatch alarm to scale out EC2 instances when the average CPU utilization threshold is breached.

Answer: A

NEW QUESTION 6
A company wants to migrate a Windows-based application from on premises to the AWS Cloud. The application has three tiers, a business tier, and a database tier with Microsoft SQL Server. The company wants to use specific features of SQL Server such as native backups and Data Quality Services. The company also needs to share files for process between the tiers.
How should a solution architect design the architecture to meet these requirements?

• A. Host all three on Amazon instance
• B. Use Mmazon FSx File Gateway for file sharing between tiers.
• C. Host all three on Amazon EC2 instance
• D. Use Amazon FSx for Windows file sharing between the tiers.
• E. Host the application tier and the business tier on Amazon EC2 instance
• F. Host the database tier on Amazon RD
• G. Use Amazon Elastic File system (Amazon EFS) for file sharing between the tiers.
• H. Host the application tier and the business tier on Amazon EC2 instance
• I. Host the database tier on Amazon RD
• J. Use a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume for file sharing between the tiers.

Answer: B

NEW QUESTION 7
A company uses NFS to store large video files in on-premises network attached storage. Each video file ranges in size from 1MB to 500 GB. The total storage is 70 TB and is no longer growing. The company decides to migrate the video files to Amazon S3. The company must migrate the video files as soon as possible while using the least possible network bandwidth.
Which solution will meet these requirements?

• A. Create an S3 bucket Create an 1AM role that has permissions to write to the S3 bucke
• B. Use the AWS CLI to copy all files locally to the S3 bucket.
• C. Create an AWS Snowball Edge jo
• D. Receive a Snowball Edge device on premise
• E. Use the Snowball Edge client to transfer data to the devic
• F. Return the device so that AWS can import the data intoAmazon S3.
• G. Deploy an S3 File Gateway on premise
• H. Create a public service endpoint to connect to the S3 File Gateway Create an S3 bucket Create a new NFS file share on the S3 File Gateway Point the new file share to the S3 bucke
• I. Transfer the data from the existing NFS file share to the S3 File Gateway.
• J. Set up an AWS Direct Connect connection between the on-premises network and AW
• K. Deploy an S3 File Gateway on premise
• L. Create a public virtual interlace (VIF) to connect to the S3 File Gatewa
• M. Create an S3 bucke
• N. Create a new NFS file share on the S3 File Gatewa
• O. Point the new file share to the S3 bucke
• P. Transfer the data from the existing NFS file share to the S3 File Gateway.

Answer: C

NEW QUESTION 8
A company's web application consists o( an Amazon API Gateway API in front of an AWS Lambda function and an Amazon DynamoDB database. The Lambda function
handles the business logic, and the DynamoDB table hosts the data. The application uses Amazon Cognito user pools to identify the individual users of the application. A solutions architect needs to update the application so that only users who have a subscription can access premium content.

• A. Enable API caching and throttling on the API Gateway API
• B. Set up AWS WAF on the API Gateway API Create a rule to filter users who have a subscription
• C. Apply fine-grained 1AM permissions to the premium content in the DynamoDB table
• D. Implement API usage plans and API keys to limit the access of users who do not have a subscription.

Answer: C

NEW QUESTION 9
A solutions architect is designing a two-tier web application The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet Security is a high priority for the company
How should security groups be configured in this situation? (Select TWO )

• A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
• B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
• C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
• D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
• E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Answer: AC

Explanation:
"Security groups create an outbound rule for every inbound rule." Not completely right. Statefull does NOT mean that if you create an inbound (or outbound) rule, it will create an outbound (or inbound) rule. What it does mean is: suppose you create an inbound rule on port 443 for the X ip. When a request enters on port 443 from X ip, it will allow traffic out for that request in the port 443. However, if you look at the outbound rules, there will not be any outbound rule on port 443 unless explicitly create it. In ACLs, which are stateless, you would have to create an inbound rule to allow incoming requests and an outbound rule to allow your application responds to those incoming requests.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules

NEW QUESTION 10
A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company's security team needs a single sign-on (SSO) solution across all the company's accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.
Which solution will meet these requirements?

• A. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO consol
• B. Create a one-way forest trust or a one-way domain trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
• C. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO consol
• D. Create a two-way forest trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
• E. Use AWS Directory Servic
• F. Create a two-way trust relationship with the company's self-managed Microsoft Active Directory.
• G. Deploy an identity provider (IdP) on premise
• H. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.

Answer: A

NEW QUESTION 11
A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt
all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Create an S3 bucket in each Region Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) Configure replication between the S3 buckets.
• B. Create a customer managed multi-Region KMS ke
• C. Create an S3 bucket in each Regio
• D. Configure replication between the S3 bucket
• E. Configure the application to use the KMS key with client-side encryption.
• F. Create a customer managed KMS key and an S3 bucket in each Region Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) Configure replication between the S3 buckets.
• G. Create a customer managed KMS key and an S3 bucket m each Region Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS) Configure replication between the S3 buckets.

Answer: C

Explanation:
Explanation
From https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.htmlFor most users, the default AWS KMS key store, which is protected by FIPS 140-2 validatedcryptographic modules, fulfills their security requirements. There is no need to add an extra layer ofmaintenance responsibility or a dependency on an additional service. However, you might considercreating a custom key store if your organization has any of the following requirements: Key materialcannot be stored in a shared environment. Key material must be subject to a secondary, independentaudit path. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3.
https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

NEW QUESTION 12
A company has deployed a server less application that invokes an AWS Lambda function when new documents are uploaded to an Amazon S3 bucket The application uses the Lambda function to process the documents After a recent marketing campaign the company noticed that the application did not process many of The documents
What should a solutions architect do to improve the architecture of this application?

• A. Set the Lambda function's runtime timeout value to 15 minutes
• B. Configure an S3 bucket replication policy Stage the documents m the S3 bucket for later processing
• C. Deploy an additional Lambda function Load balance the processing of the documents across the two Lambda functions
• D. Create an Amazon Simple Queue Service (Amazon SOS) queue Send the requests to the queue Configure the queue as an event source for Lambda.

Answer: B

NEW QUESTION 13
A company has two VPCs named Management and Production The Management VPC uses VPNs through a customer gateway to connect to a single device in the data center. The Production VPC uses a virtual private gateway with two attached AWS Direct Connect connections The Management and Production VPCs both use a single VPC peering connection to allow communication between the applications.
What should a solutions architect do to mitigate any single point of failure in this architecture?

• A. Add a set of VPNs between the Management and Production VPCs
• B. Add a second virtual private gateway and attach it to the Management VPC.
• C. Add a second set of VPNs to the Management VPC from a second customer gateway device
• D. Add a second VPC peering connection between the Management VPC and the Production VPC.

Answer: C

Explanation:
https://docs.aws.amazon.com/vpn/latest/s2svpn/images/Multiple_Gateways_diagram.png
"To protect against a loss of connectivity in case your customer gateway device becomes unavailable, you can set up a second Site-to-Site VPN connection to your VPC and virtual private gateway by using a second customer gateway device." https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

NEW QUESTION 14
A company wants an AWS Lambda function to call a third-party API and save the response to a private Amazon ROS DB instance in the same private subnet
What should a solutions architect do to meet these requirements?

• A. Create a NAT gatewa
• B. In the route table for the private subnet, add a route to the NAT gatewa
• C. Attach the Lambda function to the private subne
• D. Create an IAM role that includes the AWSLambdaBasicExecutionRole permissions policy Attach the role to the Lambda function
• E. Create an internet gateway In the route table for the private subnet, add a route to the internet gateway Attach the Lambda function to the private subnet Create an IAM role that includes me AWSLambdaBasicExecutionRole permissions policy Attach the role to the Lambda function
• F. Create a NAT gateway In the route table for the private subnet add a route to the NAT gateway Attach the Lambda function to the private subne
• G. Create an IAM role that includes the AWS LambdaVPCAccessExecutionRole permissions policy Attach the role to the Lambda function
• H. Create an internet gateway in the route table for the private subnet, add a route to the internet gateway Attach the Lambda function to the private subnet Create an IAM role that includes the AWSLambdaVPCAccessExecutionRole permissions policy Attach the role to the Lambda function

Answer: B

NEW QUESTION 15
A company has a web-based map application that provides status information about ongoing repairs. The application sometimes has millions of users. Repair teams have a mobile app that sends current location and status in a JSON message to a REST-based endpoint.
Few repairs occur on most days. The company wants the application to be highly available and to scale when large numbers of repairs occur after nature disasters. Customer use the application most often during these times. The company does not want to pay for idle capacity.

• A. Create a webpage that is based on Amazon S3 to display informatio
• B. Use Amazon API Gateway and AWS Lambda to receive the JSON status data Store the JSON data m Amazon S3.
• C. Use Amazon EC2 instances as wad servers across multiple Availability Zone
• D. Run the EC2 instances inan Auto Scaling grou
• E. Use Amazon API Gateway and AWS Lambda to receive the JSON status data Store the JSON data In Amazon S3.
• F. Use Amazon EC2 instances as web servers across multiple Availability Zone
• G. Run the EC2 instances in an Auto Scaling grou
• H. Use a REST endpoint on the EC2 instances to receive the JSON status dat
• I. Store the JSON data in an Amazon RDS Mufti-AZ DB instance.
• J. Use Amazon EC? instances as web servers across multiple Availability zones Run the FC? instances in an Auto Scaling group Use a REST endpoint on the EC? instances to receive the JSON status data Store the JSON data in an Amazon DynamoDB table.

Answer: D

NEW QUESTION 16
An online retail company needs to run near-real-time analytics on website traffic to analyze top-selling products across different locations. The product purchase data and the user location details are sent to a third-party application that runs on premises The application processes the data and moves the data into the company's analytics engine
The company needs to implement a cloud-based solution to make the data available for near-real-time analytics.
Which solution will meet these requirements with the LEAST operational overhead?

• A. Use Amazon Kinesis Data Streams to ingest the data Use AWS Lambda to transform the data Configure Lambda to write the data to Amazon Amazon OpenSearch Service (Amazon Elasticsearch Service)
• B. Configure Amazon Kinesis Data Streams to write the data to an Amazon S3 bucket Schedule an AWS Glue crawler job to enrich the data and update the AWS Glue Data Catalog Use Amazon Athena for analytics
• C. Configure Amazon Kinesis Data Streams to write the data to an Amazon S3 bucket Add an Apache Spark job on Amazon EMR to enrich the data in the S3 bucket and write the data to Amazon OpenSearch Service (Amazon Elasticsearch Service)
• D. Use Amazon Kinesis Data Firehose to ingest the data Enable Kinesis Data Firehose data transformation with AWS Lambda Configure Kinesis Data Firehose to write the data to Amazon OpenSearch Service (Amazon Elasticsearch Service).

Answer: C

NEW QUESTION 17
A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.
Which action should the solutions architect take?

• A. Configure a CloudFront signed URL.
• B. Configure a CloudFront signed cookie.
• C. Configure a CloudFront field-level encryption profile.
• D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.

Answer: C

Explanation:
Explanation
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
"With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it."

NEW QUESTION 18
......