
SAA Exam Daily Practice - 2024/11/19


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
10 questions (No.21 ~ No.30), for my own review only.
If this infringes any rights, please contact me for removal.


🌟 Vocabulary:

  1. on-premises: deployed on site, hosted locally
  2. directory (n.): directory, listing; guide; telephone book
  3. one-deal-a-day: one discounted deal per day
  4. operational (adj.): relating to operations; in operation
  5. infinitely (adv.): extremely; without limit, endlessly
  6. scalable (adj.): able to be scaled up or out
  7. resilient (adj.): able to recover quickly; adaptable; elastic, springing back
  8. unpredictable (adj.): impossible to predict or foresee; (of a person) changeable
  9. frequently (adv.): often, repeatedly, constantly
  10. indefinitely (adv.): for an unlimited period
  11. vertical (adj.): vertical, lengthwise
  12. in-depth: thoroughly; thorough and detailed
  13. identify (v.): confirm; recognize; determine; detect, discover; show; establish the identity of
  14. cause (n.): reason, cause (of an illness), grounds | (v.) lead to, bring about, produce
  15. proof-of-concept: proof of concept
  16. quotas (n.): quotas, allotments, limits
  17. significantly (adv.): greatly, markedly, substantially; meaningfully; notably (used to flag something as important)
  18. metrics: metrics, indicators
  19. periodically (adv.): at regular intervals; periodically
  20. single sign-on (SSO): single sign-on

    Single sign-on (SSO) is an authentication solution that lets users log in to multiple applications and websites with a single user authentication. Because today's users often access applications directly from their browsers, organizations are prioritizing access management strategies that improve both security and user experience. SSO delivers both: once a user's identity is verified, they can access every password-protected resource without logging in again.

  21. automated (adj.): automated
  22. failover: switching to a standby when the primary fails
  23. resource-intensive: consuming a large amount of resources
  24. low-capacity: having a small capacity

I. One-deal-a-day Website

An ecommerce company wants to launch a one-deal-a-day website on AWS. Each day will feature exactly one product on sale for a period of 24 hours. The company wants to be able to handle millions of requests each hour with millisecond latency during peak hours.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Use Amazon S3 to host the full website in different S3 buckets. Add Amazon CloudFront distributions. Set the S3 buckets as origins for the distributions. Store the order data in Amazon S3.
  2. Deploy the full website on Amazon EC2 instances that run in Auto Scaling groups across multiple Availability Zones. Add an Application Load Balancer (ALB) to distribute the website traffic. Add another ALB for the backend APIs. Store the data in Amazon RDS for MySQL.
  3. Migrate the full application to run in containers. Host the containers on Amazon Elastic Kubernetes Service (Amazon EKS). Use the Kubernetes Cluster Autoscaler to increase and decrease the number of pods to process bursts in traffic. Store the data in Amazon RDS for MySQL.
  4. ✅ Use an Amazon S3 bucket to host the website’s static content. Deploy an Amazon CloudFront distribution. Set the S3 bucket as the origin. Use Amazon API Gateway and AWS Lambda functions for the backend APIs. Store the data in Amazon DynamoDB.

✨ Keywords: LEAST operational overhead

4️⃣ ✅

💡 Analysis: The scenario is a website that sells one product per day (updated daily), must withstand millions of requests at low latency, and should use the simplest possible architecture.
S3 + CloudFront is the first choice for a simple page with this much traffic.
1️⃣ is wrong because the site does not need to be stored in multiple buckets; 2️⃣ and 3️⃣ are overly complex.

👨‍👨‍👦‍👦 Community discussion: D because all of the components are infinitely scalable: DynamoDB, API Gateway, Lambda, and of course S3+CloudFront


II. S3 Intelligent-Tiering

A solutions architect is using Amazon S3 to design the storage architecture of a new digital media application. The media files must be resilient to the loss of an Availability Zone. Some files are accessed frequently while other files are rarely accessed in an unpredictable pattern. The solutions architect must minimize the costs of storing and retrieving the media files.
Which storage option meets these requirements?

  1. S3 Standard
  2. ✅ S3 Intelligent-Tiering
  3. S3 Standard-Infrequent Access (S3 Standard-IA)
  4. S3 One Zone-Infrequent Access (S3 One Zone-IA)

✨ Keywords: be resilient to the loss of an Availability Zone; some files are accessed frequently while other files are rarely accessed in an unpredictable pattern

2️⃣ ✅

💡 Analysis: The files must be resilient, and some of them are accessed frequently while others follow an unpredictable pattern.
S3 Intelligent-Tiering, which monitors each object's access pattern and automatically moves it between access tiers, is therefore the better fit.

👨‍👨‍👦‍👦 Community discussion: Amazon S3 Intelligent-Tiering is a storage class that automatically moves data to the most cost-effective storage tier based on access patterns. It can store objects in two access tiers: the frequent access tier and the infrequent access tier. The frequent access tier is optimized for frequently accessed objects and is charged at the same rate as S3 Standard. The infrequent access tier is optimized for objects that are not accessed frequently and are charged at a lower rate than S3 Standard.


III. S3 Lifecycle configuration

A company is storing backup files by using Amazon S3 Standard storage. The files are accessed frequently for 1 month. However, the files are not accessed after 1 month. The company must keep the files indefinitely.
Which storage solution will meet these requirements MOST cost-effectively?

  1. Configure S3 Intelligent-Tiering to automatically migrate objects.
  2. ✅ Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month.
  3. Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) after 1 month.
  4. Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 1 month.

✨ Keywords: accessed frequently for 1 month; not accessed after 1 month

2️⃣ ✅

💡 Analysis: The files are accessed frequently during the first month and then must be kept indefinitely, so choose the cheapest option.
Using an S3 Lifecycle rule to transition the files from S3 Standard to S3 Glacier Deep Archive is the best solution.

👨‍👨‍👦‍👦 Community discussion: The storage solution that will meet these requirements most cost-effectively is B: Create an S3 Lifecycle configuration to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month.

Amazon S3 Glacier Deep Archive is a secure, durable, and extremely low-cost Amazon S3 storage class for long-term retention of data that is rarely accessed and for which retrieval times of several hours are acceptable. It is the lowest-cost storage option in Amazon S3, making it a cost-effective choice for storing backup files that are not accessed after 1 month.

You can use an S3 Lifecycle configuration to automatically transition objects from S3 Standard to S3 Glacier Deep Archive after 1 month. This will minimize the storage costs for the backup files that are not accessed frequently.
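As an added example (not code from the original post or from AWS), the following Python builds the lifecycle rule chosen in question III in the shape the S3 PutBucketLifecycleConfiguration API accepts, checks it against S3's minimum-age constraint for the Infrequent Access classes, and simulates which storage class an object will be in at a given age. The `backups/` prefix and the sample object keys are assumptions.

```python
import json

# Lifecycle configuration in the shape accepted by the S3 PutBucketLifecycleConfiguration API
# (the same JSON you would pass to `aws s3api put-bucket-lifecycle-configuration`).
# The "backups/" prefix is an assumption for this example; "after 1 month" is written as 30 days.
BACKUP_LIFECYCLE = {
    "Rules": [
        {
            "ID": "backups-standard-to-deep-archive",
            "Status": "Enabled",
            "Filter": {"Prefix": "backups/"},
            "Transitions": [{"Days": 30, "StorageClass": "DEEP_ARCHIVE"}],
        }
    ]
}

# Storage classes a lifecycle transition may target, with the minimum number of days an
# object must have been stored before S3 allows the transition (S3 rejects rules that
# move objects into the Infrequent Access classes before day 30).
TRANSITION_TARGETS = {
    "STANDARD_IA": 30,
    "ONEZONE_IA": 30,
    "INTELLIGENT_TIERING": 0,
    "GLACIER_IR": 0,
    "GLACIER": 0,
    "DEEP_ARCHIVE": 0,
}


def validate_lifecycle(config: dict) -> list:
    """Return the problems found in the configuration (an empty list means it looks valid)."""
    problems = []
    for rule in config.get("Rules", []):
        rule_id = rule.get("ID", "<no id>")
        if rule.get("Status") not in ("Enabled", "Disabled"):
            problems.append(f"{rule_id}: Status must be Enabled or Disabled")
        for t in rule.get("Transitions", []):
            cls, days = t.get("StorageClass"), t.get("Days", 0)
            if cls not in TRANSITION_TARGETS:
                problems.append(f"{rule_id}: unknown storage class {cls!r}")
            elif days < TRANSITION_TARGETS[cls]:
                problems.append(f"{rule_id}: {cls} needs Days >= {TRANSITION_TARGETS[cls]}, got {days}")
    return problems


def storage_class_at_age(config: dict, key: str, age_days: int) -> str:
    """Simulate which class an object with this key is in `age_days` after it was created."""
    current, applied_at = "STANDARD", -1
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        if not key.startswith(rule.get("Filter", {}).get("Prefix", "")):
            continue
        for t in rule.get("Transitions", []):
            # The latest transition whose Days threshold has already passed wins.
            if t["Days"] <= age_days and t["Days"] > applied_at:
                current, applied_at = t["StorageClass"], t["Days"]
    return current


def lifecycle_json(config: dict) -> str:
    """Serialize the configuration for the CLI's --lifecycle-configuration file://... argument."""
    return json.dumps(config, indent=2)
```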


IV. AWS Cost Explorer

A company observes an increase in Amazon EC2 costs in its most recent bill. The billing team notices unwanted vertical scaling of instance types for a couple of EC2 instances. A solutions architect needs to create a graph comparing the last 2 months of EC2 costs and perform an in-depth analysis to identify the root cause of the vertical scaling.
How should the solutions architect generate the information with the LEAST operational overhead?

  1. Use AWS Budgets to create a budget report and compare EC2 costs based on instance types.
  2. ✅ Use Cost Explorer’s granular filtering feature to perform an in-depth analysis of EC2 costs based on instance types.
  3. Use graphs from the AWS Billing and Cost Management dashboard to compare EC2 costs based on instance types for the last 2 months.
  4. Use AWS Cost and Usage Reports to create a report and send it to an Amazon S3 bucket. Use Amazon QuickSight with Amazon S3 as a source to generate an interactive graph based on instance types.

✨ Keywords: perform an in-depth analysis to identify the root cause of the vertical scaling

2️⃣ ✅

💡 Analysis: AWS Cost Explorer lets you visualize, understand, and manage your AWS costs and usage over time.
Get started quickly by creating custom reports that analyze cost and usage data. Analyze the data at a high level (for example, total costs and usage across all accounts), or dig deeper into the cost and usage data to identify trends, pinpoint cost drivers, and detect anomalies.

Cost Explorer provides hourly and resource-level granularity through three features:

  • Resource-level data at daily granularity
  • Cost and usage data for all AWS services at hourly granularity (excluding resource-level data)
  • EC2-Instances (Elastic Compute Cloud) resource-level data at hourly granularity

👨‍👨‍👦‍👦 Community discussion: https://www.examtopics.com/discussions/amazon/view/68306-exam-aws-certified-solutions-architect-associate-saa-c02/

Some also chose 3️⃣, on the grounds that the graph is only available for 14 days? The requested result is a graph, so…
A - can't be as the result is a report
B - can't be as it is limited to 14 days visibility and the graph has to cover 2 months
C - seems to provide graphs and the best option available, as…
D - could provide graphs, BUT involves operational overhead, which has been requested to be minimised.

However, the official documentation states clearly that cost data for the past 12 months is prepared for analysis:

You can use this procedure in the Billing and Cost Management console to enable AWS Cost Explorer for your account. You can't enable AWS Cost Explorer through the API. After you enable AWS Cost Explorer, AWS prepares the cost data for the current month and the last 12 months, and then calculates a forecast for the next 12 months. The current month's data is available for viewing in about 24 hours. The rest of the data can take a few days. AWS Cost Explorer refreshes your cost data at least once every 24 hours.


V. Amazon SQS

A company is designing an application. The application uses an AWS Lambda function to receive information through Amazon API Gateway and to store the information in an Amazon Aurora PostgreSQL database.
During the proof-of-concept stage, the company has to increase the Lambda quotas significantly to handle the high volumes of data that the company needs to load into the database. A solutions architect must recommend a new design to improve scalability and minimize the configuration effort.
Which solution will meet these requirements?

  1. Refactor the Lambda function code to Apache Tomcat code that runs on Amazon EC2 instances. Connect the database by using native Java Database Connectivity (JDBC) drivers.
  2. Change the platform from Aurora to Amazon DynamoDB. Provision a DynamoDB Accelerator (DAX) cluster. Use the DAX client SDK to point the existing DynamoDB API calls at the DAX cluster.
  3. Set up two Lambda functions. Configure one function to receive the information. Configure the other function to load the information into the database. Integrate the Lambda functions by using Amazon Simple Notification Service (Amazon SNS).
  4. ✅ Set up two Lambda functions. Configure one function to receive the information. Configure the other function to load the information into the database. Integrate the Lambda functions by using an Amazon Simple Queue Service (Amazon SQS) queue.

✨ Keywords: minimize the configuration effort

4️⃣ ✅

💡 Analysis: Using SNS would produce the same bottleneck; it would simply move from the single Lambda function to the Lambda function that receives the SNS messages.

👨‍👨‍👦‍👦 Community discussion: A - refactoring can be a solution, BUT requires a LOT of effort - not the answer
B - DynamoDB is NoSQL and Aurora is SQL, so it requires a DB migration… again a LOT of effort, so not the answer
C and D are similar in structure, but…
C uses SNS, which would notify the 2nd Lambda function… provoking the same bottleneck… not the solution
D uses SQS, so the 2nd lambda function can go to the queue when responsive to keep with the DB load process.
Usually the app decoupling helps with the performance improvement by distributing load. In this case, the bottleneck is solved by using queues… so D is the answer.
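As an added example (not code from the original post), here is what the SQS side of option 4 looks like in Python: the receiving Lambda turns an API Gateway request body into an SQS SendMessage call, and the loading Lambda consumes a batch from the queue and reports only the records that failed, so SQS redelivers just those instead of the whole batch. The order schema, the queue URL and the in-memory `db` list standing in for Aurora are assumptions; the SQS event and batch-failure shapes are the real Lambda ones.

```python
import json

# Placeholder queue URL (assumption for this example).
QUEUE_URL = "https://sqs.us-east-1.amazonaws.com/123456789012/orders-queue"

REQUIRED_FIELDS = ("order_id", "sku", "qty")  # assumed order schema


def validate_order(payload: dict) -> dict:
    """Keep only the expected fields and reject malformed orders before they reach the database."""
    missing = [f for f in REQUIRED_FIELDS if f not in payload]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    qty = int(payload["qty"])
    if qty <= 0:
        raise ValueError("qty must be positive")
    return {"order_id": str(payload["order_id"]), "sku": str(payload["sku"]), "qty": qty}


def build_send_message(payload: dict, queue_url: str = QUEUE_URL) -> dict:
    """Receiving Lambda: turn a request body into the parameters for SQS SendMessage."""
    return {"QueueUrl": queue_url, "MessageBody": json.dumps(validate_order(payload))}


def load_handler(event: dict, context=None, db: list = None) -> dict:
    """Loading Lambda: consume one SQS batch and return the partial-batch failure response.

    Lambda delivers the batch as event["Records"]. With ReportBatchItemFailures enabled on
    the event source mapping, returning {"batchItemFailures": [{"itemIdentifier": <messageId>}]}
    makes SQS redeliver only the listed messages; successful rows are not reprocessed.
    """
    db = db if db is not None else []   # stand-in for the Aurora table (assumption)
    failures = []
    for record in event["Records"]:
        try:
            row = validate_order(json.loads(record["body"]))
            db.append(row)                # stand-in for the Aurora INSERT
        except (ValueError, KeyError, TypeError):
            # Malformed or rejected message: hand it back to SQS for retry. With a redrive
            # policy, after maxReceiveCount receives it lands in a dead-letter queue instead
            # of blocking the pipeline indefinitely.
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# Constructed SQS event in the shape Lambda receives from an SQS event source mapping
# (only the fields used above are included).
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "msg-1", "body": json.dumps({"order_id": 1, "sku": "DEAL-001", "qty": 2})},
        {"messageId": "msg-2", "body": "this is not JSON"},
        {"messageId": "msg-3", "body": json.dumps({"order_id": 3, "sku": "DEAL-001"})},
        {"messageId": "msg-4", "body": json.dumps({"order_id": 4, "sku": "DEAL-001", "qty": 1})},
    ]
}
```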


VI. AWS Config

A company needs to review its AWS Cloud deployment to ensure that its Amazon S3 buckets do not have unauthorized configuration changes.
What should a solutions architect do to accomplish this goal?

  1. ✅ Turn on AWS Config with the appropriate rules.
  2. Turn on AWS Trusted Advisor with the appropriate checks.
  3. Turn on Amazon Inspector with the appropriate assessment template.
  4. ❌ Turn on Amazon S3 server access logging. Configure Amazon EventBridge (Amazon CloudWatch Events).

✨ Keywords: ensure Amazon S3 buckets do not have unauthorized configuration changes

4️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: AWS Config provides a detailed view of the configuration of the AWS resources in your AWS account. This includes how the resources are related to one another and how they were configured in the past, so that you can see how configurations and relationships change over time.
The approach to this question can be put bluntly: configuration changes = AWS Config

👨‍👨‍👦‍👦 Community discussion: AWS Trusted Advisor (Option B) is a service that provides best practice recommendations for your AWS resources, but it does not monitor or record changes to the configuration of your S3 buckets.

AWS Trusted Advisor is a web service that inspects your AWS environment and provides real-time recommendations based on AWS best practices. Trusted Advisor runs checks in five categories: cost optimization, performance, security, fault tolerance, and service limits, and compares the results with AWS best practices.

Amazon Inspector (Option C) is a service that helps you assess the security and compliance of your applications. While it can be used to assess the security of your S3 buckets, it does not monitor or record changes to the configuration of your S3 buckets.

Amazon Inspector is a vulnerability management service that automatically discovers workloads and continuously scans them for software vulnerabilities and unintended network exposure.

Amazon S3 server access logging (Option D) enables you to log requests made to your S3 bucket. While it can help you identify changes to your S3 bucket, it does not monitor or record changes to the configuration of your S3 bucket.


VII. Sharing a CloudWatch dashboard

A company is launching a new application and will display application metrics on an Amazon CloudWatch dashboard. The company’s product manager needs to access this dashboard periodically. The product manager does not have an AWS account. A solutions architect must provide access to the product manager by following the principle of least privilege.
Which solution will meet these requirements?

  1. ✅ Share the dashboard from the CloudWatch console. Enter the product manager’s email address, and complete the sharing steps. Provide a shareable link for the dashboard to the product manager.
  2. Create an IAM user specifically for the product manager. Attach the CloudWatchReadOnlyAccess AWS managed policy to the user. Share the new login credentials with the product manager. Share the browser URL of the correct dashboard with the product manager.
  3. Create an IAM user for the company’s employees. Attach the ViewOnlyAccess AWS managed policy to the IAM user. Share the new login credentials with the product manager. Ask the product manager to navigate to the CloudWatch console and locate the dashboard by name in the Dashboards section.
  4. Deploy a bastion server in a public subnet. When the product manager requires access to the dashboard, start the server and share the RDP credentials. On the bastion server, ensure that the browser is configured to open the dashboard URL with cached AWS credentials that have appropriate permissions to view the dashboard.

✨ Keywords: access application metrics; CloudWatch; PoLP

2️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.

CloudWatch dashboards can be shared without an AWS account; there are three ways to share them:

  • (email and password) Share a single dashboard and designate as many as five email addresses of people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.
  • (public) Share a single dashboard publicly, so that anyone who has the link can view the dashboard.
  • (third-party authentication such as SSO) Share all the CloudWatch dashboards in your account and specify a third-party single sign-on (SSO) provider for dashboard access. All users who are members of this SSO provider’s list can access all the dashboards in the account. To enable this, you integrate the SSO provider with Amazon Cognito. The SSO provider must support Security Assertion Markup Language (SAML). For more information about Amazon Cognito, see What is Amazon Cognito?

👨‍👨‍👦‍👦 Community discussion: Answer A
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/cloudwatch-dashboard-sharing.html
Share a single dashboard and designate specific email addresses of the people who can view the dashboard. Each of these users creates their own password that they must enter to view the dashboard.


VIII. On-premises self-managed Microsoft Active Directory

A company is migrating applications to AWS. The applications are deployed in different accounts. The company manages the accounts centrally by using AWS Organizations. The company’s security team needs a single sign-on (SSO) solution across all the company’s accounts. The company must continue managing the users and groups in its on-premises self-managed Microsoft Active Directory.
Which solution will meet these requirements?

  1. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a one-way forest trust or a one-way domain trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
  2. ✅ Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console. Create a two-way forest trust to connect the company’s self-managed Microsoft Active Directory with AWS SSO by using AWS Directory Service for Microsoft Active Directory.
  3. Use AWS Directory Service. Create a two-way trust relationship with the company’s self-managed Microsoft Active Directory.
  4. Deploy an identity provider (IdP) on premises. Enable AWS Single Sign-On (AWS SSO) from the AWS SSO console.

✨ Keywords: SSO; on-premises self-managed Microsoft Active Directory

2️⃣ ✅

💡 Analysis: The scenario is a company that already governs its accounts through AWS Organizations and wants to add SSO authentication while continuing to manage users and groups in its self-managed Microsoft AD.
SSO clearly has to be enabled, so the choice is between 1️⃣ and 2️⃣.
AWS Directory Service is definitely needed here, with at least a one-way trust (the cloud directory trusting the on-premises one), or alternatively AD Connector can be used directly, with the cloud side acting as a proxy.
Setting that aside, the question comes down to one-way versus two-way trust. Although I think one-way would also work, the AWS documentation explicitly requires a two-way trust: Creating a trust relationship between your AWS Managed Microsoft AD and self-managed AD

AWS enterprise applications such as Amazon Chime, Amazon Connect, Amazon QuickSight, AWS IAM Identity Center, Amazon WorkSpaces, Amazon WorkDocs, Amazon WorkMail, and the AWS Management Console require a two-way trust. AWS Managed Microsoft AD must be able to query the users and groups in your self-managed Active Directory.

So only 2️⃣ remains.

👨‍👨‍👦‍👦 Community discussion: Tricky question!!! forget one-way or two-way. In this scenario, AWS applications (Amazon Chime, Amazon Connect, Amazon QuickSight, AWS Single Sign-On, Amazon WorkDocs, Amazon WorkMail, Amazon WorkSpaces, AWS Client VPN, AWS Management Console, and AWS Transfer Family) need to be able to look up objects from the on-premises domain in order for them to function. This tells you that authentication needs to flow both ways. This scenario requires a two-way trust between the on-premises and AWS Managed Microsoft AD domains.
It is a requirement of the application
Scenario 2: https://aws.amazon.com/es/blogs/security/everything-you-wanted-to-know-about-trusts-with-aws-managed-microsoft-ad/


IX. VoIP - Global Accelerator

A company provides a Voice over Internet Protocol (VoIP) service (VoIP is a voice-calling technology that carries voice calls and multimedia conferences over the Internet Protocol (IP), that is, over the internet) that uses UDP connections. The service consists of Amazon EC2 instances that run in an Auto Scaling group. The company has deployments across multiple AWS Regions.
The company needs to route users to the Region with the lowest latency. The company also needs automated failover between Regions.
Which solution will meet these requirements?

  1. ✅ Deploy a Network Load Balancer (NLB) and an associated target group. Associate the target group with the Auto Scaling group. Use the NLB as an AWS Global Accelerator endpoint in each Region.
  2. Deploy an Application Load Balancer (ALB) and an associated target group. Associate the target group with the Auto Scaling group. Use the ALB as an AWS Global Accelerator endpoint in each Region.
  3. ❌ Deploy a Network Load Balancer (NLB) and an associated target group. Associate the target group with the Auto Scaling group. Create an Amazon Route 53 latency record that points to aliases for each NLB. Create an Amazon CloudFront distribution that uses the latency record as an origin.
  4. Deploy an Application Load Balancer (ALB) and an associated target group. Associate the target group with the Auto Scaling group. Create an Amazon Route 53 weighted record that points to aliases for each ALB. Deploy an Amazon CloudFront distribution that uses the weighted record as an origin.

✨ Keywords: UDP connections; route users to the Region with the lowest latency

3️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: The topic being tested is AWS Global Accelerator.
AWS Global Accelerator FAQs

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users. AWS Global Accelerator is easy to set up, configure, and manage. It provides static IP addresses that give your applications a fixed entry point and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones. AWS Global Accelerator always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, the user's location, and the policies that you configure. You can test the performance benefits from your own location with a speed comparison tool. Like other AWS services, AWS Global Accelerator is a self-service, pay-per-use offering with no long-term commitments or minimum fees.

👨‍👨‍👦‍👦 Community discussion: agree with A,
Global Accelerator has automatic failover and is perfect for this scenario with VoIP
https://aws.amazon.com/global-accelerator/faqs/


X. Snapshot

A development team runs monthly resource-intensive tests on its general purpose Amazon RDS for MySQL DB instance with Performance Insights enabled. The testing lasts for 48 hours once a month and is the only process that uses the database. The team wants to reduce the cost of running the tests without reducing the compute and memory attributes of the DB instance.
Which solution meets these requirements MOST cost-effectively?

  1. Stop the DB instance when tests are completed. Restart the DB instance when required.
  2. ❌ Use an Auto Scaling policy with the DB instance to automatically scale when tests are completed.
  3. ✅ Create a snapshot when tests are completed. Terminate the DB instance and restore the snapshot when required.
  4. Modify the DB instance to a low-capacity instance when tests are completed. Modify the DB instance again when required.

✨ Keywords: reduce the cost of running the tests without reducing the compute and memory attributes of the DB instance

2️⃣ ❌ -> 3️⃣ ✅

💡 Analysis: The requirement is only to run a database test on AWS once a month, discard it when done, and choose the cheapest approach.
Because charges continue even after the instance is stopped, the cheapest approach is to keep a snapshot and rebuild the instance when needed.

👨‍👨‍👦‍👦 Community discussion: Answer C, you still pay for storage when an RDS database is stopped

Not A - By stopping the DB although you are not paying for DB hours you are still paying for Provisioned IOPS, the storage for a stopped DB is more than a snapshot of the underlying EBS vol. and automated backups.
Not D - Is possible but not MOST cost effective, no need to run the RDS when not needed

