AWS-SAA C03 Question Bank: Part 01

1.

A company recently migrated to AWS and wants to implement a solution to protect the traffic that flows in and out of the production VPC. The company had an inspection server in its on-premises data center. The inspection server performed specific operations such as traffic flow inspection and traffic filtering. The company wants to have the same functionalities in the AWS Cloud.
Which solution will meet these requirements?

A. Use Amazon GuardDuty for traffic inspection and traffic filtering in the production VPC.
B. Use Traffic Mirroring to mirror traffic from the production VPC for traffic inspection and filtering.
C. Use AWS Network Firewall to create the required rules for traffic inspection and traffic filtering for the production VPC. (Most Voted)
D. Use AWS Firewall Manager to create the required rules for traffic inspection and traffic filtering for the production VPC.

AWS Network Firewall is a managed network-layer firewall service that lets you define advanced rules to inspect and filter traffic crossing the VPC boundary. By configuring the appropriate rules you get the same traffic inspection and filtering functions the on-premises inspection server provided, which makes AWS Network Firewall the right solution for protecting traffic flowing into and out of the production VPC.

2.

A company hosts a data lake on AWS. The data lake consists of data in Amazon S3 and Amazon RDS for PostgreSQL. The company needs a reporting solution that provides data visualization and includes all the data sources within the data lake. Only the company's management team should have full access to all the visualizations. The rest of the company should have only limited access.
Which solution will meet these requirements?

A. Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate IAM roles.
B. Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate users and groups.
C. Create an AWS Glue table and crawler for the data in Amazon S3. Create an AWS Glue extract, transform, and load (ETL) job to produce reports. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.
D. Create an AWS Glue table and crawler for the data in Amazon S3. Use Amazon Athena Federated Query to access data within Amazon RDS for PostgreSQL. Generate reports by using Amazon Athena. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.

3.

A company is implementing a new business application. The application runs on two Amazon EC2 instances and uses an Amazon S3 bucket for document storage. A solutions architect needs to ensure that the EC2 instances can access the S3 bucket.
What should the solutions architect do to meet this requirement?

A. Create an IAM role that grants access to the S3 bucket. Attach the role to the EC2 instances.
B. Create an IAM policy that grants access to the S3 bucket. Attach the policy to the EC2 instances.
C. Create an IAM group that grants access to the S3 bucket. Attach the group to the EC2 instances.
D. Create an IAM user that grants access to the S3 bucket. Attach the user account to the EC2 instances.

4.

An application development team is designing a microservice that will convert large images to smaller, compressed images. When a user uploads an image through the web interface, the microservice should store the image in an Amazon S3 bucket, process and compress the image with an AWS Lambda function, and store the image in its compressed form in a different S3 bucket.
A solutions architect needs to design a solution that uses durable, stateless components to process the images automatically.
Which combination of actions will meet these requirements? (Choose two.)

A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the S3 bucket to send a notification to the SQS queue when an image is uploaded to the S3 bucket.
B. Configure the Lambda function to use the Amazon Simple Queue Service (Amazon SQS) queue as the invocation source. When the SQS message is successfully processed, delete the message in the queue.
C. Configure the Lambda function to monitor the S3 bucket for new uploads. When an uploaded image is detected, write the file name to a text file in memory and use the text file to keep track of the images that were processed.
D. Launch an Amazon EC2 instance to monitor an Amazon Simple Queue Service (Amazon SQS) queue. When items are added to the queue, log the file name in a text file on the EC2 instance and invoke the Lambda function.
E. Configure an Amazon EventBridge (Amazon CloudWatch Events) event to monitor the S3 bucket. When an image is uploaded, send an alert to an Amazon Simple Notification Service (Amazon SNS) topic with the application owner's email address for further processing.

5.

A company has a three-tier web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server.
Which solution will meet these requirements with the LEAST operational overhead?

A. Create a Network Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection.
B. Create an Application Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection.
C. Deploy a transit gateway in the inspection VPC. Configure route tables to route the incoming packets through the transit gateway.
D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

6.

A company wants to improve its ability to clone large amounts of production data into a test environment in the same AWS Region. The data is stored in Amazon EC2 instances on Amazon Elastic Block Store (Amazon EBS) volumes. Modifications to the cloned data must not affect the production environment. The software that accesses this data requires consistently high I/O performance.
A solutions architect needs to minimize the time that is required to clone the production data into the test environment.
Which solution will meet these requirements?

A. Take EBS snapshots of the production EBS volumes. Restore the snapshots onto EC2 instance store volumes in the test environment.
B. Configure the production EBS volumes to use the EBS Multi-Attach feature. Take EBS snapshots of the production EBS volumes. Attach the production EBS volumes to the EC2 instances in the test environment.
C. Take EBS snapshots of the production EBS volumes. Create and initialize new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment before restoring the volumes from the production EBS snapshots.
D. Take EBS snapshots of the production EBS volumes. Turn on the EBS fast snapshot restore feature on the EBS snapshots. Restore the snapshots into new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment.

7.

An ecommerce company wants to launch a one-deal-a-day website on AWS. Each day will feature exactly one product on sale for a period of 24 hours. The company wants to be able to handle millions of requests each hour with millisecond latency during peak hours.
Which solution will meet these requirements with the LEAST operational overhead?

A. Use Amazon S3 to host the full website in different S3 buckets. Add Amazon CloudFront distributions. Set the S3 buckets as origins for the distributions. Store the order data in Amazon S3.
B. Deploy the full website on Amazon EC2 instances that run in Auto Scaling groups across multiple Availability Zones. Add an Application Load Balancer (ALB) to distribute the website traffic. Add another ALB for the backend APIs. Store the data in Amazon RDS for MySQL.
C. Migrate the full application to run in containers. Host the containers on Amazon Elastic Kubernetes Service (Amazon EKS). Use the Kubernetes Cluster Autoscaler to increase and decrease the number of pods to process bursts in traffic. Store the data in Amazon RDS for MySQL.
D. Use an Amazon S3 bucket to host the website's static content. Deploy an Amazon CloudFront distribution. Set the S3 bucket as the origin. Use Amazon API Gateway and AWS Lambda functions for the backend APIs. Store the data in Amazon DynamoDB.

The answer is D.

Reason:
Option D is the simplest solution that meets the requirements. Hosting the website's static content in an Amazon S3 bucket gives high-performance, scalable delivery of static content, and putting an Amazon CloudFront distribution in front of it caches that content at edge locations worldwide for low-latency access.

Using Amazon API Gateway and AWS Lambda functions for the backend APIs provides a flexible and highly scalable API layer. Because Lambda is event-driven, it scales automatically with request volume, with no servers to provision or maintain.

Storing the data in Amazon DynamoDB provides a highly scalable, low-latency database service. DynamoDB handles millions of requests well and delivers millisecond response times during peak hours.

Option D is therefore the best choice: a high-performance, scalable solution with low operational overhead that meets the website's needs.

8.

A solutions architect is using Amazon S3 to design the storage architecture of a new digital media application. The media files must be resilient to the loss of an Availability Zone. Some files are accessed frequently while other files are rarely accessed in an unpredictable pattern. The solutions architect must minimize the costs of storing and retrieving the media files.
Which storage option meets these requirements?

A. S3 Standard
B. S3 Intelligent-Tiering
C. S3 Standard-Infrequent Access (S3 Standard-IA)
D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

The answer is B.

Reason:
Option B, S3 Intelligent-Tiering, is the best choice for these requirements. S3 Intelligent-Tiering automatically moves objects between storage tiers based on their access patterns, minimizing storage cost.

Frequently accessed media files stay in the S3 Standard tier, which provides low-latency, high-throughput access.

Rarely accessed media files are moved automatically to the S3 Standard-Infrequent Access (S3 Standard-IA) tier, which has a lower storage cost while still allowing fast retrieval.

Both of these tiers store data across multiple Availability Zones, so the files survive the loss of one Availability Zone, whereas S3 One Zone-IA (option D) stores data in a single Availability Zone and does not meet the resilience requirement. Option B, S3 Intelligent-Tiering, is therefore the best choice for minimizing cost while keeping the media files resilient.

9.

A company is storing backup files by using Amazon S3 Standard storage. The files are accessed frequently for 1 month. However, the files are not accessed after 1 month. The company must keep the files indefinitely.
Which storage solution will meet these requirements MOST cost-effectively?

A. Configure S3 Intelligent-Tiering to automatically migrate objects.
B. Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month.
C. Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) after 1 month.
D. Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 1 month.

The answer is B.

Reason:
Option B, an S3 Lifecycle configuration that transitions objects from S3 Standard to S3 Glacier Deep Archive after one month, is the best choice. A Lifecycle configuration moves objects from hot storage to colder storage tiers based on their age, minimizing storage cost.

In this case the backup files are accessed frequently during the first month, so they start in S3 Standard for fast access.

After one month the files are no longer accessed, so transitioning them to S3 Glacier Deep Archive greatly reduces the storage cost, because S3 Glacier Deep Archive offers the lowest cost for long-term retention.

10.

A company observes an increase in Amazon EC2 costs in its most recent bill. The billing team notices unwanted vertical scaling of instance types for a couple of EC2 instances. A solutions architect needs to create a graph comparing the last 2 months of EC2 costs and perform an in-depth analysis to identify the root cause of the vertical scaling.
How should the solutions architect generate the information with the LEAST operational overhead?

A. Use AWS Budgets to create a budget report and compare EC2 costs based on instance types.
B. Use Cost Explorer's granular filtering feature to perform an in-depth analysis of EC2 costs based on instance types.
C. Use graphs from the AWS Billing and Cost Management dashboard to compare EC2 costs based on instance types for the last 2 months.
D. Use AWS Cost and Usage Reports to create a report and send it to an Amazon S3 bucket. Use Amazon QuickSight with Amazon S3 as a source to generate an interactive graph based on instance types.

The answer is B.

Reason:
Option B, using Cost Explorer's granular filtering feature to analyze EC2 costs in depth by instance type, is the best way to produce the required information with the least operational overhead.

Cost Explorer provides flexible tools and filter options for analyzing cost data across different dimensions. With its filters you can easily narrow down and compare EC2 costs by instance type and create a graph that shows how the cost has changed.

By contrast, AWS Budgets in option A is a tool for managing and tracking cost, not for detailed analysis and graphing. The graphs on the AWS Billing and Cost Management dashboard in option C may not offer enough detail and flexibility for an in-depth analysis. Option D, AWS Cost and Usage Reports combined with Amazon QuickSight, can produce interactive graphs, but it involves setting up the reports and integrating a third-party tool, which adds operational overhead.

11.

A company is designing an application. The application uses an AWS Lambda function to receive information through Amazon API Gateway and to store the information in an Amazon Aurora PostgreSQL database.
During the proof-of-concept stage, the company has to increase the Lambda quotas significantly to handle the high volumes of data that the company needs to load into the database. A solutions architect must recommend a new design to improve scalability and minimize the configuration effort.
Which solution will meet these requirements?

A. Refactor the Lambda function code to Apache Tomcat code that runs on Amazon EC2 instances. Connect the database by using native Java Database Connectivity (JDBC) drivers.
B. Change the platform from Aurora to Amazon DynamoDB. Provision a DynamoDB Accelerator (DAX) cluster. Use the DAX client SDK to point the existing DynamoDB API calls at the DAX cluster.
C. Set up two Lambda functions. Configure one function to receive the information. Configure the other function to load the information into the database. Integrate the Lambda functions by using Amazon Simple Notification Service (Amazon SNS).
D. Set up two Lambda functions. Configure one function to receive the information. Configure the other function to load the information into the database. Integrate the Lambda functions by using an Amazon Simple Queue Service (Amazon SQS) queue.

The answer is D.

Reason:
Option D, two Lambda functions, one that receives the information and one that loads it into the database, integrated through an Amazon Simple Queue Service (Amazon SQS) queue, is the best choice for these requirements.

Splitting the work across two Lambda functions separates the processing logic and decouples the stages in an event-driven way. One function receives the information and the other loads it into the database, which improves maintainability and scalability.

Integrating the functions through an Amazon SQS queue ensures that messages are stored durably and delivered while they are being processed, which provides reliability and data integrity. This asynchronous queue design reduces direct dependencies and configuration effort between the Lambda functions and gives better scalability and elasticity.

By contrast, option A introduces EC2 instances and Apache Tomcat, adding configuration and management effort, which contradicts the requirement to minimize configuration. Option B improves performance by switching to DynamoDB and using DAX, but says nothing about how the data is loaded into the database. Option C integrates the functions through Amazon SNS, which lacks the message persistence and delivery guarantees of a queue and can therefore lead to unreliable data processing.

Option D, two Lambda functions integrated through an Amazon SQS queue, is therefore the best choice.

12.

A company needs to review its AWS Cloud deployment to ensure that its Amazon S3 buckets do not have unauthorized configuration changes.
What should a solutions architect do to accomplish this goal?

A. Turn on AWS Config with the appropriate rules.
B. Turn on AWS Trusted Advisor with the appropriate checks.
C. Turn on Amazon Inspector with the appropriate assessment template.
D. Turn on Amazon S3 server access logging. Configure Amazon EventBridge (Amazon CloudWatch Events).

The answer is A.

Reason:
Option A, turning on AWS Config with the appropriate rules, is the best choice for this goal.

AWS Config is an AWS service that continuously records and evaluates resource configurations and configuration changes. By enabling AWS Config with the appropriate rules, the solutions architect can monitor and review configuration changes to the Amazon S3 buckets. AWS Config records the details of every configuration change and raises warnings and notifications for non-compliant configurations.

By contrast, AWS Trusted Advisor in option B provides recommendations and best practices for service usage but does not focus directly on configuration changes to Amazon S3 buckets.

Amazon Inspector in option C is a security assessment service that uses automated assessments to find potential security issues, but it does not focus on Amazon S3 bucket configuration changes.

Option D, Amazon S3 server access logging with Amazon EventBridge (Amazon CloudWatch Events), records bucket access logs and forwards the log data to Amazon EventBridge for processing, but it cannot monitor and evaluate configuration changes.

Option A, turning on AWS Config with the appropriate rules, is therefore the best choice.

13.

A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company's product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?

A. Share the dashboard from the CloudWatch console. Enter the product manager's email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
B. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
C. Create an IAM user for the company's employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
D. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.

The answer is A.

Reason:
Option A, sharing the dashboard from the CloudWatch console and giving the product manager a shareable link, is the best choice under the principle of least privilege.

With option A, the solutions architect can share the specific dashboard with the product manager without creating an AWS account for them. In the CloudWatch console, the dashboard is shared by entering the product manager's email address during the sharing steps. The product manager then receives an email containing a shareable link to the dashboard and uses that link to access it. This follows the principle of least privilege: it grants only the access the product manager needs, without creating a separate IAM user.

By contrast, option B requires creating a dedicated IAM user for the product manager and attaching a policy with read-only access to CloudWatch, which may grant the product manager unnecessary permissions.

Option C creates an IAM user for the company's employees and attaches a view-only policy, which gives the product manager broader permissions than they actually need.

Option D, deploying a bastion server, does provide a way to reach the dashboard, but it is unnecessary in terms of both security and complexity, and the bastion server still needs AWS credentials with the appropriate permissions for the dashboard.

In summary, option A is the best choice and grants appropriate access under the principle of least privilege.

14.

A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company's security team needs a single sign-on (SSO) solution across all the company's accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.
Which solution will meet these requirements?

A. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
B. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company's self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
C. Use AWS Directory Service. Create a two-way trust relationship with the company's self-managed Microsoft Active Directory.
D. Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.

The answer is B.

Reason:
Option B, enabling AWS Single Sign-On (AWS SSO) from the AWS SSO console and creating a two-way forest trust through AWS Directory Service for Microsoft Active Directory to connect the company's self-managed Microsoft Active Directory, meets the requirements.

With option B, the company uses AWS SSO to provide a single sign-on solution across all of its accounts. AWS Directory Service for Microsoft Active Directory is used to create a two-way forest trust that connects the company's self-managed Active Directory to AWS SSO, so users authenticate with their existing on-premises Active Directory credentials and access resources across all accounts.

The one-way forest trust or one-way domain trust in option A allows only one side to access the other side's resources and does not satisfy the requirement for two-way authentication.

Option C creates a two-way trust between AWS Directory Service and the on-premises Active Directory but does not mention AWS SSO, so it does not provide single sign-on.

Option D deploys an identity provider (IdP) on premises but does not explain how it integrates with AWS SSO, and it does not take advantage of AWS Directory Service for Microsoft Active Directory.

In summary, option B is the best choice: AWS SSO together with AWS Directory Service for Microsoft Active Directory provides a single sign-on solution across all accounts.

15.

A company provides a Voice over Internet Protocol (VoIP) service that uses UDP connections. The service consists of Amazon EC2 instances that run in an Auto Scaling group. The company has deployments across multiple AWS Regions.
The company needs to route users to the Region with the lowest latency. The company also needs automated failover between Regions.
Which solution will meet these requirements?

A. Deploy a Network Load Balancer (NLB) and an associated target group. Associate the target group with the Auto Scaling group. Use the NLB as an AWS Global Accelerator endpoint in each Region.
B. Deploy an Application Load Balancer (ALB) and an associated target group. Associate the target group with the Auto Scaling group. Use the ALB as an AWS Global Accelerator endpoint in each Region.
C. Deploy a Network Load Balancer (NLB) and an associated target group. Associate the target group with the Auto Scaling group. Create an Amazon Route 53 latency record that points to aliases for each NLB. Create an Amazon CloudFront distribution that uses the latency record as an origin.
D. Deploy an Application Load Balancer (ALB) and an associated target group. Associate the target group with the Auto Scaling group. Create an Amazon Route 53 weighted record that points to aliases for each ALB. Deploy an Amazon CloudFront distribution that uses the weighted record as an origin.

CloudFront uses edge locations to cache content, while Global Accelerator uses edge locations to find the optimal path to the nearest Regional endpoint. CloudFront is designed for the HTTP protocol, whereas Global Accelerator is the better fit for both HTTP and non-HTTP protocols such as TCP and UDP.

16.

A development team runs monthly resource-intensive tests on its general purpose Amazon RDS for MySQL DB instance with Performance Insights enabled. The testing lasts for 48 hours once a month and is the only process that uses the database. The team wants to reduce the cost of running the tests without reducing the compute and memory attributes of the DB instance.
Which solution meets these requirements MOST cost-effectively?

A. Stop the DB instance when tests are completed. Restart the DB instance when required.
B. Use an Auto Scaling policy with the DB instance to automatically scale when tests are completed.
C. Create a snapshot when tests are completed. Terminate the DB instance and restore the snapshot when required.
D. Modify the DB instance to a low-capacity instance when tests are completed. Modify the DB instance again when required.

Option A (stop and restart) is less complex to operate and provides a faster way to bring the database back. It is the right choice if the main concerns are operational simplicity and quick availability.
Option C (snapshot, terminate and restore) can provide greater cost savings, especially when the instance is large and expensive to run, because you avoid being charged while the instance is shut down. However, it brings greater operational complexity and a longer lead time to bring the database back online.

posted on 2024-01-15 17:13 by Polary  Views (49)  Comments (0)