
SAA Exam Daily Practice - 2024/11/21


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
5 questions (No. 36 ~ No. 40), for my own review only.
If this infringes, please contact me and it will be removed.


🌟 Vocabulary:

  1. strategy (n.): strategy, stratagem, planning, strategic deployment
  2. repeatable (adj.): repeatable; (of a remark) polite, inoffensive
  3. burstable: unstable, bursting
  4. archive (n.): archive, archives, record room | (v.): to archive, to file away, to store (infrequently used information)
  5. delivery (n.): delivery; handover; childbirth
  6. ingest (v.): to ingest, take in, swallow
  7. operationally (adv.): operationally
  8. efficient (adj.): efficient, highly effective

I. KMS over Regions

A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  2. ✅ Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
  3. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  4. ❌ Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.

✨ Keywords: S3, two AWS Regions, KMS (keys do not span Regions)

4️⃣ ❌ -> 2️⃣ ✅

💡 Explanation: this question is contested between 2️⃣ and 4️⃣, but the official documentation recommends client-side encryption when the same key must be used across Regions.
Multi-Region keys in AWS KMS

You can use multi-Region keys with client-side encryption libraries, such as the AWS Encryption SDK, the AWS Database Encryption SDK, and Amazon S3 client-side encryption.

Client-side and server-side encryption

  • Server-side encryption: AWS encrypts your data for you before writing it to disk
  • Client-side encryption: end-to-end encryption; you encrypt the data yourself before sending it to AWS for storage or other processing
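As an added example (not from the original post), the following Python shows why option 2 can use one key in both Regions: a multi-Region key's replica carries the same `mrk-` key ID and key material, so only the Region part of the ARN differs. It also builds the S3 replication rule that the SSE-KMS variant in option 4 would need, where S3 re-encrypts each replica with the key's replica. Account IDs, key IDs and bucket names are constructed placeholders.

```python
"""Added example, not part of the original post: why one multi-Region KMS key
can serve S3 buckets in two Regions, and the replication rule that keeps
replica objects encrypted with it.  All ARNs below are constructed placeholders."""
import re

# KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<key-id>.
# Multi-Region key IDs start with "mrk-"; a single-Region key has a plain UUID.
_KMS_KEY_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):kms:(?P<region>[a-z]{2}(?:-[a-z]+)+-\d):"
    r"(?P<account>\d{12}):key/(?P<key_id>[A-Za-z0-9-]+)$"
)

def is_multi_region_key(arn: str) -> bool:
    m = _KMS_KEY_ARN.match(arn)
    return m is not None and m["key_id"].startswith("mrk-")

def replica_key_arn(primary_arn: str, replica_region: str) -> str:
    """A replica key shares the primary's key ID and key material, so its ARN
    differs only in the Region.  Ciphertext produced under the primary decrypts
    under the replica, which is what lets both Regions use "the same key"."""
    m = _KMS_KEY_ARN.match(primary_arn)
    if m is None or not m["key_id"].startswith("mrk-"):
        raise ValueError("not a multi-Region key: a single-Region key cannot be replicated")
    if replica_region == m["region"]:
        raise ValueError("the replica must live in a different Region from the primary")
    return f"arn:{m['partition']}:kms:{replica_region}:{m['account']}:key/{m['key_id']}"

def replication_rule(dest_bucket: str, replica_kms_arn: str) -> dict:
    """S3 replication rule (put_bucket_replication shape) for the SSE-KMS variant in
    option 4: KMS-encrypted objects are replicated and S3 re-encrypts each replica
    with the key named in ReplicaKmsKeyID, which must live in the destination Region."""
    if not is_multi_region_key(replica_kms_arn):
        # The question requires the same key in both Regions, so only the
        # multi-Region replica qualifies, not an unrelated key in that Region.
        raise ValueError("ReplicaKmsKeyID must be the multi-Region replica key")
    return {
        "ID": "replicate-kms-encrypted-objects",
        "Status": "Enabled",
        "Priority": 1,
        "Filter": {"Prefix": ""},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "SourceSelectionCriteria": {"SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dest_bucket}",
            "EncryptionConfiguration": {"ReplicaKmsKeyID": replica_kms_arn},
        },
    }
```

The replication role still needs kms:Decrypt on the source key and kms:Encrypt on the replica key, which is part of the operational overhead that makes option 4 heavier than option 2.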

II. Session Manager

A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to create a strategy to access and administer the instances remotely and securely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Use the EC2 serial console to directly access the terminal interface of each instance for administration.
  2. ✅ Attach the appropriate IAM role to each existing instance and new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.
  3. ❌ Create an administrative SSH key pair. Load the public key into each EC2 instance. Deploy a bastion host in a public subnet to provide a tunnel for administration of each instance.
  4. Establish an AWS Site-to-Site VPN connection. Instruct administrators to use their local on-premises machines to connect directly to the instances by using SSH keys across the VPN tunnel.

✨ Keywords: repeatable process

3️⃣ ❌ -> 2️⃣ ✅

💡 Explanation: Session Manager is a fully managed capability of AWS Systems Manager. With Session Manager you can manage Amazon Elastic Compute Cloud (Amazon EC2) instances, edge devices, on-premises servers and virtual machines (VMs).
More information: AWS Systems Manager Session Manager
What this question really tests is the Session Manager service itself.

👨‍👨‍👦‍👦 Community discussion: Option A provides direct access to the terminal interface of each instance, but it may not be practical for administration purposes and can be cumbersome to manage, especially for multiple instances.

Option C adds operational overhead and introduces additional infrastructure that needs to be managed, monitored, and secured. It also requires SSH key management and maintenance.

Option D is complex and may not be necessary for remote administration. It also requires administrators to connect from their local on-premises machines, which adds complexity and potential security risks.

Therefore, option B is the recommended solution as it provides secure, auditable, and repeatable remote access using IAM roles and AWS Systems Manager Session Manager, with minimal operational overhead.


III. Static Website

A company is hosting a static website on Amazon S3 and is using Amazon Route 53 for DNS. The website is experiencing increased demand from around the world. The company must decrease latency for users who access the website.
Which solution meets these requirements MOST cost-effectively?

  1. Replicate the S3 bucket that contains the website to all AWS Regions. Add Route 53 geolocation routing entries.
  2. Provision accelerators in AWS Global Accelerator. Associate the supplied IP addresses with the S3 bucket. Edit the Route 53 entries to point to the IP addresses of the accelerators.
  3. ✅ Add an Amazon CloudFront distribution in front of the S3 bucket. Edit the Route 53 entries to point to the CloudFront distribution.
  4. Enable S3 Transfer Acceleration on the bucket. Edit the Route 53 entries to point to the new endpoint.

✨ Keywords: decrease latency for users, around the world

3️⃣ ✅

💡 Explanation: the site is stored in S3, so it is a static website; putting the CloudFront CDN in front of it solves the latency problem.

👨‍👨‍👦‍👦 Community discussion: Option A (replicating the S3 bucket to all AWS Regions) can be costly and complex, requiring replication of data across multiple Regions and managing synchronization. It may not provide a significant latency improvement compared to the CloudFront solution.

Option B (provisioning accelerators in AWS Global Accelerator) can be more expensive as it adds an extra layer of infrastructure (accelerators) and requires associating IP addresses with the S3 bucket. CloudFront already includes global edge locations and provides similar acceleration capabilities.

Option D (enabling S3 Transfer Acceleration) can help improve upload speed to the S3 bucket but may not have a significant impact on reducing latency for website visitors.

Therefore, option C is the most cost-effective solution as it leverages CloudFront's caching and global distribution capabilities to decrease latency and improve website performance.


IV. Slow insert on RDS for MySQL

A company maintains a searchable repository of items on its website. The data is stored in an Amazon RDS for MySQL database table that contains more than 10 million rows. The database has 2 TB of General Purpose SSD storage. There are millions of updates against this data every day through the company’s website.
The company has noticed that some insert operations are taking 10 seconds or longer. The company has determined that the database storage performance is the problem.
Which solution addresses this performance issue?

  1. ✅ Change the storage type to Provisioned IOPS SSD.
  2. Change the DB instance to a memory optimized instance class.
  3. Change the DB instance to a burstable performance instance class.
  4. Enable Multi-AZ RDS read replicas with MySQL native asynchronous replication.

✨ Keywords: database storage performance is the problem

1️⃣ ✅

💡 Explanation: the bottleneck is I/O, so raise the disk performance.
Amazon EBS Provisioned IOPS SSD volumes

👨‍👨‍👦‍👦 Community discussion: A: Made for high levels of I/O ops for consistent, predictable performance.
B: Can improve performance of insert ops, but it's a storage performance rather than processing power problem
C: for moderate CPU usage
D: for scale read-only replicas and doesn't improve performance of insert ops on the primary DB instance


V. Kinesis Data & Analysis & Glacier

A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the alerts for future analysis.
The company wants a highly available solution. However, the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days.
What is the MOST operationally efficient solution that meets these requirements?

  1. ✅ Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data Firehose stream to deliver the alerts to an Amazon S3 bucket. Set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.
  2. Launch Amazon EC2 instances across two Availability Zones and place them behind an Elastic Load Balancer to ingest the alerts. Create a script on the EC2 instances that will store the alerts in an Amazon S3 bucket. Set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.
  3. Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data Firehose stream to deliver the alerts to an Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Set up the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster to take manual snapshots every day and delete data from the cluster that is older than 14 days.
  4. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts, and set the message retention period to 14 days. Configure consumers to poll the SQS queue, check the age of the message, and analyze the message data as needed. If the message is 14 days old, the consumer should copy the message to an Amazon S3 bucket and delete the message from the SQS queue.

✨ Keywords: keep 14 days of data available for immediate analysis, archive any data older than 14 days

1️⃣ ✅

💡 Explanation: 1️⃣ sends the data to S3 through Amazon Kinesis Data Firehose and uses a lifecycle policy to move it to an archive storage class after 14 days.
2️⃣ launches EC2 and an ELB to receive and store the data, which is far too cumbersome.
3️⃣ launches Elasticsearch but chooses to delete data older than 14 days instead of archiving it.
4️⃣ launching SQS does not meet the analysis requirement.

👨‍👨‍👦‍👦 Community discussion: Definitely A, it's the most operationally efficient compared to D, which requires a lot of code and infrastructure to maintain. A is mostly managed (Firehose is fully managed and S3 lifecycles are also managed)
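As an added example (not from the original post), here is the lifecycle rule behind option 1 in the shape S3's put_bucket_lifecycle_configuration accepts, plus a small evaluator that applies the rule to an object of a given age so the 14-day boundary can be checked. Prefix and object keys are constructed placeholders; the evaluator is an approximation, since S3 rounds the real transition to the next midnight UTC.

```python
"""Added example, not part of the original post: the S3 Lifecycle rule used by
option 1 and a small evaluator that applies it to an object of a given age.
Prefix and object keys are constructed placeholders."""
from datetime import date

ARCHIVE_AFTER_DAYS = 14  # "keep 14 days available, archive anything older"

def lifecycle_configuration(prefix: str = "alerts/") -> dict:
    """Rule in the shape accepted by S3 put_bucket_lifecycle_configuration:
    objects under the prefix stay in STANDARD for 14 days, then move to
    S3 Glacier Flexible Retrieval (storage class name GLACIER)."""
    return {
        "Rules": [{
            "ID": "archive-alerts-after-14-days",
            "Status": "Enabled",
            "Filter": {"Prefix": prefix},
            "Transitions": [{"Days": ARCHIVE_AFTER_DAYS, "StorageClass": "GLACIER"}],
        }]
    }

def expected_storage_class(config: dict, key: str, created: str, today: str) -> str:
    """Storage class an object should be in on `today` (ISO dates), applying the
    first enabled rule whose prefix matches the key.  Approximation: S3 rounds
    the real transition to the next midnight UTC after creation + Days."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(created)).days
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled" or not key.startswith(rule["Filter"].get("Prefix", "")):
            continue
        # Of the transitions the object has already reached, the largest Days wins.
        reached = [t for t in rule["Transitions"] if age_days >= t["Days"]]
        if reached:
            return max(reached, key=lambda t: t["Days"])["StorageClass"]
        return "STANDARD"
    return "STANDARD"

def needs_restore(storage_class: str) -> bool:
    """GLACIER and DEEP_ARCHIVE objects must be restored before a GET succeeds,
    which is why data still wanted for immediate analysis has to stay in STANDARD."""
    return storage_class in {"GLACIER", "DEEP_ARCHIVE"}
```

Firehose buffers the roughly 2 KB alerts into larger S3 objects before delivery, so the rule transitions a manageable number of objects rather than one per alert; that batching also matters for cost, because Glacier charges per-object metadata overhead on every archived object.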

