SAA 考试每日练习 - 2024/11/18

来源：Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
10 题 (No.11 ~ No.20)，仅供自己复习使用。
如果侵权请联系删除。

🌟 单词：

credential_{n. 凭证；国书 | adj. 〈罕〉信任的 | v. 提供证明书（或证件）}
maintenance_{n. 维护，保养；维持；（依法应负担的）生活费，抚养费}
rotate_{v. （使）旋转，（使）转动；（使）轮流}
ecommerce_{n. 电子商务（electronic commerce）}
degrade_{v. 贬低，侮辱；（使）降级；降解；退化}
inspection_{n. 检查，视察，查看，审视}
visualization_{n. 可视化，形象化}
durable_{adj. 耐用的，耐久的，长期的，长久的 | n. 耐久品}
track_{n. 小路，小径；足迹，踪迹；跑道；轨道；路线；一首歌曲；音轨；工作方向；思路 | v. 跟踪，追踪；留下印迹；沿轨道运行}
modification_{n. 修改；改造；改变；缓和；减轻；修改后的形式，变体；修饰，限定}
three-tier_{三层架构（表示层，应用层，数据层）}

一、AWS Secrets Manager

A company has an application that runs on Amazon EC2 instances and uses an Amazon Aurora database. The EC2 instances connect to the database by using user names and passwords that are stored locally in a file. The company wants to minimize the operational overhead of credential management.
What should a solutions architect do to accomplish this goal?

✅ Use AWS Secrets Manager. Turn on automatic rotation.
Use AWS Systems Manager Parameter Store. Turn on automatic rotation.
Create an Amazon S3 bucket to store objects that are encrypted with an AWS Key Management Service (AWS KMS) encryption key. Migrate the credential file to the S3 bucket. Point the application to the S3 bucket.
Create an encrypted Amazon Elastic Block Store (Amazon EBS) volume for each EC2 instance. Attach the new EBS volume to each EC2 instance. Migrate the credential file to the new EBS volume. Point the application to the new EBS volume.

✨ 关键词：AWS Secrets Manager

1️⃣ ✅

💡 解析：题目背景有有应用程序连接到 EC2 实例，之前使用账号密码作认真，公司希望改用更简单的。
使用 AWS Secrets Manager 显然是可以达到需求并且也是最简单的。
什么是 AWS Secrets Manager？

借助 AWS Secrets Manager，您可以在数据库凭证、应用程序凭证、OAuth 令牌、API 密钥和其他密钥的整个生命周期内对其进行管理、检索和轮换。

对于您的组织可能拥有的其他类型的密钥：

AWS 凭证 – 建议使用 AWS Identity and Access Management

加密密钥 – 建议使用 AWS Key Management Service

SSH 密钥 – 建议使用 Amazon EC2 Instance Connect

私有密钥和证书 – 建议使用 AWS Certificate Manager

回到题目，社区里有人提到了 2️⃣ 中的 AWS Systems Manager Parameter Store 不支持自动轮换，因此错误。
AWS Systems Manager Parameter Store

要实施密码轮换生命周期，请使用 AWS Secrets Manager。您可以使用 Secrets Manager 在数据库凭证、API 密钥和其他密钥的整个生命周期内对其进行轮换、管理和检索。

👨‍👨‍👦‍👦 社区讨论：B is wrong because parameter store does not support auto rotation, unless the customer writes it themselves, A is the answer.

READ!!! AWS Secrets Manager isa secrets management service that helps you protect access to your applications, services, and IT resources.This service enables you to rotate, manage,and retrieve database credentials, API keys,and other secrets throughout their lifecycle.

二、CloudFront

A global company hosts its web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The web application has static data and dynamic data. The company stores its static data in an Amazon S3 bucket. The company wants to improve performance and reduce latency for the static data and dynamic data. The company is using its own domain name registered with Amazon Route 53.
What should a solutions architect do to meet these requirements?

✅ Create an Amazon CloudFront distribution that has the S3 bucket and the ALB as origins. Configure Route 53 to route traffic to the CloudFront distribution.
Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint Configure Route 53 to route traffic to the CloudFront distribution.
Create an Amazon CloudFront distribution that has the S3 bucket as an origin. Create an AWS Global Accelerator standard accelerator that has the ALB and the CloudFront distribution as endpoints. Create a custom domain name that points to the accelerator DNS name. Use the custom domain name as an endpoint for the web application.
❌ Create an Amazon CloudFront distribution that has the ALB as an origin. Create an AWS Global Accelerator standard accelerator that has the S3 bucket as an endpoint. Create two domain names. Point one domain name to the CloudFront DNS name for dynamic content. Point the other domain name to the accelerator DNS name for static content. Use the domain names as endpoints for the web application.

✨ 关键词：static data and dynamic data、reduce latency

4️⃣ ❌ -> 1️⃣ ✅

💡 解析：全球公司希望对网站提速，网站有静态资源也有动态数据。
仅仅使用 CloudFront CDN 似乎就能解决问题（缓存静态资源、优化到源站的线路）。

题目的重点在辨别 CloudFront 和 Global Accelerator。 CloudFront 是 CDN，比较好理解了：缓存内容、优化线路、安全保护、集成 WAF 等 AWS 安全服务。

而关于 Global Accelerator：AWS Global Accelerator 使用 AWS 全球网络提升应用程序的可用性、性能和安全性

利用 AWS 全球基础设施的性能、安全性和可用性，在其中一个 Global Accelerator 边缘站点载入您的用户流量。用户可以通过静态 IP 地址访问您的应用程序端点，享受独立于 DNS 的确定性路由。

全局负载均衡：将来自全球不同地区的用户流量智能地路由至最近的AWS边缘位置，从而降低延迟并提供更快的响应速度。

客户 IP 保持：确保来自同一 IP 地址的请求始终路由到同一终端节点，适用于需要保持用户会话的应用程序。

TCP/UDP 支持：支持 TCP 和 UDP 协议，适用于各种应用程序，包括 HTTP、HTTPS、游戏、流媒体等。

非常适合 VoIP 语音应用等。

👨‍👨‍👦‍👦 社区讨论：Answer is A
Explanation - AWS Global Accelerator vs CloudFront

They both use the AWS global networkand itsedge locationsaround the world

Both services integrate with AWS Shield for DDoS protection.

CloudFront

Improves performance for both cacheable content (such as imagesand videos)

Dynamic content (such as API acceleration and dynamic site delivery)

Content is served at the edge

Global Accelerator

Improves performance for a wide range of applications over TCP or UDP

Proxying packetsat the edge to applications running in one or more AWS Regions.

Good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP

Good for HTTP use cases that require static IP addresses

Good for HTTP use cases that required deterministic, fast regional failover

三、AWS Secrets Manager

A company performs monthly maintenance_维护 on its AWS infrastructure. During these maintenance activities, the company needs to rotate_使流转 the credentials for its Amazon RDS for MySQL databases across multiple AWS Regions.
Which solution will meet these requirements with the LEAST operational overhead?

✅ Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
Store the credentials as secrets in AWS Systems Manager by creating a secure string parameter. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.

✨ 关键词：AWS Secrets Manager

1️⃣ ✅

💡 解析：公司计划每月轮转数据库认证密钥。
选 1️⃣ AWS Secrets Manager 完美符合需求。
AWS Systems Manager 不支持流转排除 2️⃣；密钥存储在 S3 中并非最佳实践排除 3️⃣；KMS 是用来存储管理加密密钥的而非认证密钥，4️⃣ 也不对。

👨‍👨‍👦‍👦 社区讨论：Keywords:

rotate the credentials for its Amazon RDS for MySQL databasesacross multiple AWS Regions

LEAST operational overhead

A: Correct - AWS Secrets Manager supports

Encrypt credential for RDS, DocumentDb, Redshift, other DBsand key/value secret.

multi-region replication.

Remote base on schedule

B: Incorrect - Secure string parameter onlyapply for ParameterStore. All the data in AWS Secrets Manager is encrypted
C: Incorrect - don’t mention about replicate S3 across region.
D: Incorrect - So many steps compare to answer A =))

四、More Database Replicas

A company runs an ecommerce_电子商务 application on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones. The Auto Scaling group scales based on CPU utilization metrics. The ecommerce application stores the transaction data in a MySQL 8.0 database that is hosted on a large EC2 instance.
The database’s performance degrades_{降低，劣化} quickly as application load increases. The application handles more read requests than write transactions. The company wants a solution that will automatically scale the database to meet the demand of unpredictable read workloads while maintaining high availability.
Which solution will meet these requirements?

Use Amazon Redshift with a single node for leader and compute functionality.
Use Amazon RDS with a Single-AZ deployment Configure Amazon RDS to add reader instances in a different Availability Zone.
✅ Use Amazon Aurora with a Multi-AZ deployment. Configure Aurora Auto Scaling with Aurora Replicas.
Use Amazon ElastiCache for Memcached with EC2 Spot Instances.

✨ 关键词：multiple Availability Zones、more read requests than write transactions、

3️⃣ ✅

💡 解析：应用程序运作在跨可用区的弹性扩容架构上，之前的数据库是 MySQL 8.0 并且运行在 EC2 实例上，公司希望数据库也能视工作负载自动扩容。
Amazon Aurora 是最佳选择，可以在多个可用去横向扩容，选 3️⃣。

👨‍👨‍👦‍👦 社区讨论：C, AURORA is 5x performance improvement over MySQL on RDS and handles more read requests than write,; maintaining high availability = Multi-AZ deployment

五、Traffic Mirroring

A company recently migrated to AWS and wants to implement a solution to protect the traffic that flows in and out of the production VPC. The company had an inspection_{检查，审查} server in its on-premises data center. The inspection server performed specific operations such as traffic flow inspection and traffic filtering. The company wants to have the same functionalities in the AWS Cloud.
Which solution will meet these requirements?

Use Amazon GuardDuty for traffic inspection and traffic filtering in the production VPC.
❌ Use Traffic Mirroring to mirror traffic from the production VPC for traffic inspection and filtering.
✅ Use AWS Network Firewall to create the required rules for traffic inspection and traffic filtering for the production VPC.
Use AWS Firewall Manager to create the required rules for traffic inspection and traffic filtering for the production VPC.

✨ 关键词：inspection

2️⃣ ❌ -> 3️⃣ ✅

💡 解析：公司需要对进出 VPC 的流量进行保护，之前公司有自己的托管审查机器，并希望在 AWS 云架构上使用一样的方案。
这里题目理解错了，以为是要事后审核，实际上是要进行实时的审查（和阻断），因此 3️⃣ 是最佳答案。
通过 AWS Network Firewall 建立规则审核进出 VPC 的流量。

GuardDuty 是一项服务，为您的 AWS 基础设施和资源提供智能威胁检测。它通过持续监控 AWS 环境中的网络活动和账户行为来识别威胁。

👨‍👨‍👦‍👦 社区讨论：AWS NetworkFirewall isa managed firewall service that provides filtering for both inbound and outbound networktraffic. It allows you to create rules for traffic inspection and filtering, which can help protect your production VPC.
Option 1️⃣: Amazon GuardDuty isa threat detection service, not a traffic inspection or filtering service.
Option 2️⃣:Traffic Mirroring isa feature that allows you to replicate and send a copy of networktraffic from a VPC to another VPC or on-premises location. It is not a service that performs traffic inspection or filtering.
Option 4️⃣: AWS Firewall Manager isa security management service that helps you to centrally configure and manage firewalls across your accounts. It is not a service that performs traffic inspection or filtering.

六、Data visualizations and policy

A company hosts a data lake on AWS. The data lake consists of data in Amazon S3 and Amazon RDS for PostgreSQL. The company needs a reporting solution that provides data visualization_可视化 and includes all the data sources within the data lake. Only the company’s management team should have full access to all the visualizations. The rest of the company should have only limited access.
Which solution will meet these requirements?

❌ Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate IAM roles.
✅ Create an analysis in Amazon QuickSight. Connect all the data sources and create new datasets. Publish dashboards to visualize the data. Share the dashboards with the appropriate users and groups.
Create an AWS Glue table and crawler for the data in Amazon S3. Create an AWS Glue extract, transform, and load (ETL) job to produce reports. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.
Create an AWS Glue table and crawler for the data in Amazon S3. Use Amazon Athena Federated Query to access data within Amazon RDS for PostgreSQL. Generate reports by using Amazon Athena. Publish the reports to Amazon S3. Use S3 bucket policies to limit access to the reports.

✨ 关键词：visualizations、policy

1️⃣ ❌ -> 2️⃣ ✅

💡 解析：需求是对数据湖（包括 S3 和 RDS for PostgreSQL 数据库的数据）生产报表，并只提供给公司管理层查看。
数据湖生产报表通过 Amazon QuickSight 实现，但是 Amazon QuickSight 控制面板只支持用户和组权限（这和 CloudWatch 的有点类似）。

您可以与账户中的特定用户或组或者 Amazon QuickSight 账户中的所有人共享控制面板和视觉对象。您也可以与互联网上的任何人共享。

Amazon QuickSight 超大规模的商业智能整合

而题目中的另一个服务 AWS Glue，则是一项完全托管的 ETL（提取、转换和加载）服务，使您能够轻松而经济高效地对数据进行分类、清理和扩充，并在各种数据存储和数据流之间可靠地移动数据。
什么是 AWS Glue？

AWS Glue 是一项无服务器数据集成服务，可让使用分析功能的用户轻松发现、准备、移动和集成来自多个来源的数据。您可以将其用于分析、机器学习和应用程序开发。它还包括用于编写、运行任务和实施业务工作流程的额外生产力和数据操作工具。
通过使用 AWS Glue，您可以发现并连接到 70 多个不同的数据来源，并在集中式数据目录中管理您的数据。您可以直观地创建、运行和监控“提取、转换、加载（ETL）”管道，以将数据加载到数据湖中。此外，您可以使用 Amazon Athena、Amazon EMR 和 Amazon Redshift Spectrum 立即搜索和查询已编目数据。

它更适合用来做汇总、转移和加载，而非生产报表。

👨‍👨‍👦‍👦 社区讨论：Keywords:

Data lake on AWS.

Consists of data in Amazon S3 and Amazon RDS for PostgreSQL.

The company needsa reporting solution that provides data VISUALIZATION and includes ALL the data sources within the data lake.

1️⃣ - Incorrect: Amazon QuickSight only support users(standard version) and groups (enterprise version). usersand groups only exists without QuickSight. QuickSight don’t support IAM. We use usersand groups to view the QuickSight dashboard
2️⃣ - Correct:asexplained in answer A and QuickSight is used to created dashboard from S3, RDS, Redshift, Aurora, Athena, OpenSearch, Timestream
3️⃣ - Incorrect:This way don’t support visulization and don’t mention how to process RDS data
4️⃣ - Incorrect:This way don’t support visulization and don’t mention how to combine data RDS and S3

七、EC2 instances connect S3 bucket with IAM roles

A company is implementing a new business application. The application runs on two Amazon EC2 instances and uses an Amazon S3 bucket for document storage. A solutions architect needs to ensure that the EC2 instances can access the S3 bucket.
What should the solutions architect do to meet this requirement?

✅ Create an IAM role that grants access to the S3 bucket. Attach the role to the EC2 instances.
Create an IAM policy that grants access to the S3 bucket. Attach the policy to the EC2 instances.
Create an IAM group that grants access to the S3 bucket. Attach the group to the EC2 instances.
❌ Create an IAM user that grants access to the S3 bucket. Attach the user account to the EC2 instances.

✨ 关键词：EC2 instances、S3

4️⃣ ❌ -> 1️⃣ ✅

💡 解析：很经典的赋予 EC2 IAM 角色 使其能够访问 S3 存储桶，临时密钥会由 STS 生成，选 1️⃣。

👨‍👨‍👦‍👦 社区讨论：Always remember that you should associate IAM roles to EC2 instances

八、SQS and Lambda

An application development team is designing a microservice that will convert large images to smaller, compressed images. When a user uploads an image through the web interface, the microservice should store the image in an Amazon S3 bucket, process and compress the image with an AWS Lambda function, and store the image in its compressed form in a different S3 bucket.
A solutions architect needs to design a solution that uses durable_耐用的, stateless components to process the images automatically.
Which combination of actions will meet these requirements? (Choose two.)

✅ Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure the S3 bucket to send a notification to the SQS queue when an image is uploaded to the S3 bucket.
✅ Configure the Lambda function to use the Amazon Simple Queue Service (Amazon SQS) queue as the invocation source. When the SQS message is successfully processed, delete the message in the queue.
Configure the Lambda function to monitor the S3 bucket for new uploads. When an uploaded image is detected, write the file name to a text file in memory and use the text file to keep track_踪迹 of the images that were processed.
Launch an Amazon EC2 instance to monitor an Amazon Simple Queue Service (Amazon SQS) queue. When items are added to the queue, log the file name in a text file on the EC2 instance and invoke the Lambda function.
Configure an Amazon EventBridge (Amazon CloudWatch Events) event to monitor the S3 bucket. When an image is uploaded, send an alert to an Amazon ample Notification Service (Amazon SNS) topic with the application owner’s email address for further processing.

✨ 关键词：SQS、Lambda

1️⃣ 2️⃣ ✅

💡 解析：需要将用户上传的图片存入 S3 存储桶，然后进行压缩，之后存入另一个 S3 存储桶。
非常适合引入 SQS 队列，大图片存储用 S3 存储桶发送消息，触发 Lambda 函数进行压缩之后存入压缩后的 S3 存储桶。

👨‍👨‍👦‍👦 社区讨论：To design a solution that uses durable, stateless components to process imagesautomatically,a solutionsarchitect could consider the following actions:
Option A involves creating an SQS queue and configuring the S3 bucket to send a notification to the queue when an image is uploaded.Thisallows the application to decouple the image upload process from the image processing processand ensures that the image processing process is triggered automatically when a new image is uploaded.
Option B involves configuring the Lambda function to use the SQS queue as the invocation source. When the SQS message is successfully processed, the message is deleted from the queue.Thisensures that the Lambda function is invoked only once per image and that the image is not processed multiple times.

九、Gateway Load Balancer

A company has a three-tier_{三层架构（表示层，应用层，数据层）} web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server.
Which solution will meet these requirements with the LEAST operational overhead?

Create a Network Load Balancer in the public subnet of the application’s VPC to route the traffic to the appliance for packet inspection.
Create an Application Load Balancer in the public subnet of the application’s VPC to route the traffic to the appliance for packet inspection.
❌ Deploy a transit gateway in the inspection VPConfigure route tables to route the incoming packets through the transit gateway.
✅ Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

✨ 关键词：inspection

3️⃣ ❌ -> 4️⃣ ✅

💡 解析：Web 服务部署在公有子网，后端应用和数据库部署在私有子网，现在有一个第三方的虚拟防火墙应用部署在了审核 VPC 中，这个应用有一个 IP 接口并可以接受 IP 包。架构师需要让流量在到达 Web 服务之前经过防火墙。使用最简单的架构。
审核场景优先使用的就是 Gateway Load Balancer（网关负载均衡器）。
Gateway Load Balancer（网关负载均衡器）

网关负载均衡器可帮助您轻松部署、扩展和管理第三方虚拟设备。它为您提供了一个网关，用于在多个虚拟设备之间分配流量，同时根据需求增加或缩减流量。这样可以减少网络中潜在的故障点并提高可用性。

⭐ ALB (Application Load Balancer) 工作在 OSI 的第 7 层（应用层），通过请求内容（路径、HOST 和查询字符串等）做出路由决策；HTTP、HTTPS 协议。

⭐ NLB (Network Load Balancer) 工作在 OSI 的第 4 层（传输层），主要通过 IP 协议数据做出路由决策；适用于超高性能、极低延迟和大规模 TLS 卸载的使用场景；TCP、UDP、TLS 和 TCP_UDP 协议。

⭐ GLB (GWLB, Gateway Load Balancer) 工作在 OSI 的第 3 层（网络层），将进入流量转发到监听规则中指定的目标组；适用于虚拟设备前端，如防火墙、入侵检测、防御系统和深度数据包检测系统等；监听所有端口的所有数据包；与虚拟设备使用 Geneve 协议，6081 端口交换流量。

而 Transit Gateway 是用来组网的，类似 ZeroTier。

十、EBS snapshots

A company wants to improve its ability to clone large amounts of production data into a test environment in the same AWS Region. The data is stored in Amazon EC2 instances on Amazon Elastic Block Store (Amazon EBS) volumes. Modifications_{修改，改造} to the cloned data must not affect the production environment. The software that accesses this data requires consistently high I/O performance.
A solutions architect needs to minimize the time that is required to clone the production data into the test environment.
Which solution will meet these requirements?

Take EBS snapshots of the production EBS volumes. Restore the snapshots onto EC2 instance store volumes in the test environment.
Configure the production EBS volumes to use the EBS Multi-Attach feature. Take EBS snapshots of the production EBS volumes. Attach the production EBS volumes to the EC2 instances in the test environment.
Take EBS snapshots of the production EBS volumes. Create and initialize new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment before restoring the volumes from the production EBS snapshots.
✅ Take EBS snapshots of the production EBS volumes. Turn on the EBS fast snapshot restore feature on the EBS snapshots. Restore the snapshots into new EBS volumes. Attach the new EBS volumes to EC2 instances in the test environment.

✨ 关键词：clone large amounts of production data on EBS、minimize the time

4️⃣ ✅

💡 解析：公司需要迁移大量受保护的数据到同区域的测试环境中，数据目前存放在 EBS 卷上，克隆数据不能对生产环境造成影响，而生产环境的应用要求高 IO 标签。还要求尽可能快地完成数据拷贝。 无法之间拷贝，那就只能创建快照，再通过快照重建为 EBS 硬盘。
由于还需要尽可能快，因此这里还有个考点：Amazon EBS fast snapshot restore（Amazon EBS 快速快照还原）
Amazon EBS 快速快照还原

Amazon EBS 快速快照还原（FSR）使您能够从创建时已完全初始化的快照创建卷。这会消除首次访问块时对其执行 I/O 操作的延迟。使用快速快照还原创建的卷可以立即交付其所有预置性能。

👨‍👨‍👦‍👦 社区讨论：https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-fast-snapshot-restore.html
Amazon EBS fast snapshot restore (FSR) enables you to create a volume from a snapshot that is fully initialized at creation.This eliminates the latency of I/O operations on a block when it isaccessed for the first time. Volumes that are created using fast snapshot restore instantly deliver all of their provisioned performance.