Amazon SAA-C03 Practice Test - Questions Answers, Page 88

The combination of these solutions provides an efficient and automated way to migrate data while preserving metadata and ensuring cleanup:

Create a new S3 bucket with versioning enabled (Option A) to preserve object metadata like version IDs during migration.

Use S3 batch operations (Option B) to efficiently copy data from specific prefixes in the source bucket to the destination bucket, ensuring minimal overhead.

Use an S3 Lifecycle policy (Option F) to automatically delete the data from the source bucket after it has been migrated, reducing manual intervention.

Option C (CopyObject API): This approach would require more manual scripting and effort.

Option D (Same-Region Replication): SRR is designed for ongoing replication, not for one-time migrations.

Option E (DataSync): DataSync adds more complexity than necessary for this task.

AWS

Reference:

S3 Batch Operations

S3 Lifecycle Policies

Amazon EFS with Max I/O performance mode is designed for workloads that require high levels of parallelism, such as video processing across multiple EC2 instances. EFS provides shared file storage that can be mounted on both Windows and Linux EC2 instances, and the Max I/O mode ensures the best performance for handling large files and concurrent access across multiple instances.

Option A and B (FSx for Windows File Server): FSx for Windows File Server is optimized for Windows workloads and would not be ideal for Linux instances or high-throughput, parallel workloads.

Option D (EFS General Purpose mode): General Purpose mode offers lower latency but doesn't support the high throughput needed for large, concurrent workloads.

AWS

Reference:

Amazon EFS Performance Modes

AWS CloudFormation allows for the automated, repeatable setup of infrastructure, reducing human error and ensuring consistency. AWS Config provides the ability to track changes in the infrastructure, ensuring that all changes are logged and auditable, which satisfies the requirement for tracking incremental changes.

Option A and C (AWS Organizations): AWS Organizations manage multiple accounts, but they are not designed for infrastructure setup or change tracking.

Option D (Service Catalog): Service Catalog is used for deploying products, not for setting up infrastructure or tracking changes.

AWS

Reference:

AWS Config

AWS CloudFormation

Amazon CloudFront is a content delivery network (CDN) service that caches copies of your content at edge locations around the world. This helps improve performance by serving content from the edge nearest to the user. However, when the content in Amazon S3 (your origin) is updated, those updates may not immediately reflect on the website if they are cached at the CloudFront edge locations.

The issue described in the question suggests that the CI/CD pipeline is functioning correctly, and updates are being deployed to S3. However, since CloudFront caches this content, the edge locations may still be serving outdated content, causing the updates to not be reflected on the website.

To resolve this issue, you need to invalidate the CloudFront cache. By invalidating the cache, CloudFront will remove the outdated content and retrieve the latest version from the S3 origin.

AWS documentation on this process:

CloudFront cache invalidation allows you to clear items from the cache so that CloudFront retrieves the latest version from the origin. You can create invalidation requests via the AWS Management Console, AWS CLI, or SDKs.

AWS CloudFront Documentation

Why the other options are incorrect:

A . Add an Application Load Balancer: ALBs are used to distribute incoming application traffic and are not relevant to caching or serving content from CloudFront.

B . Add Amazon ElastiCache for Redis or Memcached: This would help in caching database queries but has no relation to static website content hosted on CloudFront and S3.

D . Use AWS Certificate Manager (ACM): ACM is used for managing SSL/TLS certificates and is unrelated to the issue of content not being updated on CloudFront.

The company is looking for a solution that provides single sign-on (SSO) across multiple AWS accounts while continuing to manage users and groups in their on-premises Active Directory (AD). AWS IAM Identity Center (formerly AWS SSO) is the recommended solution for this type of requirement.

AWS IAM Identity Center provides a centralized identity management solution, enabling single sign-on across multiple AWS accounts and other cloud applications. It can integrate with on-premises Active Directory to leverage existing users and groups.

By configuring a two-way forest trust relationship between AWS Directory Service for Microsoft Active Directory and the company's on-premises Active Directory, users can be authenticated by their on-premises AD and still access AWS resources through IAM Identity Center. This solution allows centralized management of AWS accounts within AWS Organizations.

The two-way trust allows mutual access between the on-premises AD and the AWS Directory Service. This means that users and groups in the on-premises AD can be used for authentication in AWS IAM Identity Center while maintaining the existing identity management system.

AWS

Reference:

AWS IAM Identity Center Documentation

AWS Directory Service for Microsoft Active Directory Trust Relationships

AWS Directory Service Integration with IAM Identity Center

Why the other options are incorrect:

A . Create an Enterprise Edition Active Directory in AWS Directory Service: This would require setting up a new directory and managing it in AWS, which adds unnecessary overhead. The requirement is to continue using the existing on-premises AD, making this option unsuitable.

C . Use AWS Directory Service and create a two-way trust relationship: While this approach establishes a trust between on-premises AD and AWS Directory Service, it does not address the single sign-on (SSO) requirements across multiple AWS accounts through IAM Identity Center.

D . Deploy an identity provider (IdP) on Amazon EC2: This is more complex than necessary and introduces more management overhead. AWS IAM Identity Center natively supports integration with on-premises Active Directory without requiring a custom IdP.

When designing a microservice architecture where each microservice interacts with different AWS services, it's essential to follow the principle of least privilege. This means granting each microservice only the permissions it needs to perform its tasks, reducing the risk of unauthorized access or accidental actions.

The recommended approach is to create individual IAM roles with policies that grant each microservice the specific permissions it requires. Then, these roles should be associated with the EC2 instances that run the corresponding microservice. By doing so, each EC2 instance will assume its specific IAM role, and permissions will be automatically managed by AWS.

IAM roles provide temporary credentials via the instance metadata service, eliminating the need to hard-code credentials in your application code, which enhances security.

AWS

Reference:

IAM Roles for Amazon EC2 explains how EC2 instances can use IAM roles to securely access AWS services without managing long-term credentials.

Best Practices for IAM includes recommendations for implementing the least privilege principle and using IAM roles effectively.

Why the other options are incorrect:

A . Assign an IAM user to each microservice: This requires managing long-term credentials (access keys), which should be avoided. Storing keys in application code is insecure and creates a maintenance burden.

B . Create a single IAM role: This violates the principle of least privilege, as a single role with broad permissions across all services is less secure.

C . Use AWS Organizations: This approach adds unnecessary complexity. Managing permissions at the account level for each microservice is excessive for this use case and doesn't adhere to the principle of least privilege.

This solution addresses the scalability needs of the workload while preventing failed processing attempts due to resource constraints.

Amazon S3 event notifications can be used to trigger a message to an SQS queue whenever a new video is uploaded.

The existing Auto Scaling group of EC2 instances can poll the SQS queue, ensuring that the EC2 instances only process videos when there is a job in the queue.

SQS decouples the video upload and processing steps, allowing the system to handle sudden spikes in video uploads without overloading EC2 instances.

The use of Auto Scaling ensures that the EC2 instances can scale in or out based on the demand, maintaining cost efficiency while avoiding processing failures due to insufficient resources.

AWS

Reference:

S3 Event Notifications details how to configure notifications for S3 events.

Amazon SQS is a fully managed message queuing service that decouples components of the system.

Auto Scaling EC2 explains how to manage automatic scaling of EC2 instances based on demand.

Why the other options are incorrect:

A . AWS Lambda functions: While Lambda can handle some workloads, video processing is often resource-intensive and long-running, making EC2 a more suitable solution.

B . Using SNS with Lambda: Similar to A, Lambda is not ideal for large-scale video processing due to its time and memory limitations.

D . AWS Step Functions: While a valid orchestration solution, this introduces more complexity and overhead compared to the simpler SQS-based solution.

The most secure solution for allowing EC2 instances to access an S3 bucket is by using IAM roles. An IAM role can be created with an access policy that grants the required permissions (e.g., to read and write to the S3 bucket). The IAM role is then associated with the EC2 instances through an IAM instance profile.

By associating the role with the instances, the EC2 instances can securely assume the role and receive temporary credentials via the instance metadata service. This avoids the need to store credentials (such as access keys) on the instances or within the application, enhancing security and reducing the risk of credentials being exposed.

AWS CloudFormation can be used to automate the creation of the entire infrastructure, including EC2 instances, IAM roles, and associated policies.

AWS

Reference:

IAM Roles for EC2 Instances outlines the use of IAM roles for secure access to AWS services.

AWS CloudFormation User Guide details how to create and manage resources using CloudFormation templates.

Why the other options are incorrect:

A . Save IAM access key in UserData: This is insecure because it involves storing long-term credentials in the instance user data, which can be exposed.

B . Store access keys in S3: This is also insecure, as it involves managing and distributing long-term credentials, which should be avoided.

D . Retrieve access keys via a script: This approach is unnecessarily complex and less secure than using IAM roles, which provide temporary credentials automatically.

A presigned URL allows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS

Reference:

Amazon S3 Presigned URLs explain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Security emphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A . Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B . Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.