Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
5 questions (No.46 ~ No.50), for my own revision only.
If this infringes any rights, please contact me for removal.
🌟 Vocabulary:
- remediation n. remedy, correction; (esp. of environmental damage) rectification
- guarantee v. to ensure; to guarantee; to vouch for | n. guarantee; warranty (document); warranty card
- capacity n. capacity, volume; ability; productive capacity; position, post, role | adj. filled to capacity
- catalog n. catalog, product sample book, school prospectus, list | v. to catalog, to classify by catalog
- durable adj. durable, long-lasting, long-term | n. durable goods
- infrequently adv. not often, rarely
I. Personally Identifiable Information
A company has an application that provides marketing services to stores. The services are based on previous purchases by store customers. The stores upload transaction data to the company through SFTP, and the data is processed and analyzed to generate new marketing offers. Some of the files can exceed 200 GB in size.
Recently, the company discovered that some of the stores have uploaded files that contain personally identifiable information (PII) that should not have been included. The company wants administrators to be alerted if PII is shared again. The company also wants to automate remediation.
What should a solutions architect do to meet these requirements with the LEAST development effort?
- Use an Amazon S3 bucket as a secure transfer point. Use Amazon Inspector to scan the objects in the bucket. If objects contain PII, trigger an S3 Lifecycle policy to remove the objects that contain PII.
- ✅ Use an Amazon S3 bucket as a secure transfer point. Use Amazon Macie to scan the objects in the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain PII.
- ❌ Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are loaded into the bucket. If objects contain PII, use Amazon Simple Notification Service (Amazon SNS) to trigger a notification to the administrators to remove the objects that contain PII.
- Implement custom scanning algorithms in an AWS Lambda function. Trigger the function when objects are loaded into the bucket. If objects contain PII, use Amazon Simple Email Service (Amazon SES) to trigger a notification to the administrators and trigger an S3 Lifecycle policy to remove the objects that contain PII.
✨ Keywords: transaction data through SFTP, files can exceed 200 GB in size, the LEAST development effort
3️⃣ ❌ -> 2️⃣ ✅
💡 Explanation: Stores upload files (up to 200 GB) via SFTP, and the company uses them to generate marketing offers. The company recently found that some files contain personal information and wants remediation automated; the question asks for the architecture with the least development effort.
1️⃣ is wrong: Amazon Inspector detects security vulnerabilities in instances, Lambda functions and the like.
2️⃣ uses Amazon Macie, a data security service that uses machine learning and pattern matching to discover sensitive data, gives visibility into data security risks, and lets you automate protection against them. This appears to be the only fit.
3️⃣ and 4️⃣ could be made to work, but the question asks for the least development effort, so they are out. The community argued between 2️⃣ and 4️⃣, but the Amazon Macie product page ("Discover and protect your sensitive data at scale") states:
Gain cost-efficient visibility into sensitive data stored in Amazon S3.
That is without doubt the point being tested.
👨👨👦👦 Community discussion: Amazon Macie is a data security and data privacy service that uses machine learning (ML) and pattern matching to discover and protect your sensitive data
Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers. It also gives you constant visibility of the data security and data privacy of your data stored in Amazon S3
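The pipeline behind option 2️⃣ (Macie finding → EventBridge → SNS), written as an added example with the AWS CLI; it is not part of the original notes. BUCKET, TOPIC and ACCOUNT_ID are placeholders, and Region and credentials are assumed to come from the CLI configuration.

```shell
# Added example (not from the original notes): alert administrators when Macie
# finds sensitive data in the SFTP landing bucket. Placeholders: BUCKET, TOPIC,
# ACCOUNT_ID; Region and credentials come from the AWS CLI configuration.
set -u
BUCKET="${BUCKET:-store-uploads-example}"   # placeholder S3 transfer bucket
TOPIC="${TOPIC:-pii-alerts}"                # placeholder SNS topic name
ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"    # placeholder AWS account id

# EventBridge pattern for Macie sensitive-data findings on objects in BUCKET.
# Macie reports PII as type "SensitiveData:S3Object/Personal"; the prefix also
# matches financial data and credentials found in the same upload.
macie_pii_event_pattern() {
  cat <<EOF
{
  "source": ["aws.macie"],
  "detail-type": ["Macie Finding"],
  "detail": {
    "type": [{"prefix": "SensitiveData:S3Object"}],
    "resourcesAffected": {"s3Bucket": {"name": ["$BUCKET"]}}
  }
}
EOF
}

# Classification job that scans the bucket. Macie must be enabled in the account
# and Region first (aws macie2 enable-macie); a SCHEDULED job with
# --schedule-frequency would cover future uploads as well.
start_macie_job() {
  aws macie2 create-classification-job --job-type ONE_TIME \
    --name "scan-$BUCKET" \
    --s3-job-definition "bucketDefinitions=[{accountId=$ACCOUNT_ID,buckets=[$BUCKET]}]" \
    --query jobId --output text
}

# SNS topic, EventBridge rule and target. The topic's access policy must also
# allow events.amazonaws.com to sns:Publish, otherwise deliveries fail silently.
create_pii_alert() {
  topic_arn=$(aws sns create-topic --name "$TOPIC" --query TopicArn --output text)
  aws events put-rule --name "macie-pii-$BUCKET" --state ENABLED \
    --event-pattern "$(macie_pii_event_pattern)" >/dev/null
  aws events put-targets --rule "macie-pii-$BUCKET" \
    --targets "Id=sns,Arn=$topic_arn" >/dev/null
  echo "$topic_arn"   # subscribe the administrators' e-mail addresses to this ARN
}

# Usage: create_pii_alert && start_macie_job
```

The rule fires once per finding, so administrators get one notification per affected object rather than one per scan.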
II. Reserved Instances and guaranteed capacity
A company needs guaranteed Amazon EC2 capacity in three specific Availability Zones in a specific AWS Region for an upcoming event that will last 1 week.
What should the company do to guarantee the EC2 capacity?
- Purchase Reserved Instances that specify the Region needed.
- Create an On-Demand Capacity Reservation that specifies the Region needed.
- Purchase Reserved Instances that specify the Region and three Availability Zones needed.
- ✅ Create an On-Demand Capacity Reservation that specifies the Region and three Availability Zones needed.
✨ Keywords: last 1 week
4️⃣ ✅
💡 Explanation: The company needs to guarantee enough EC2 capacity across three Availability Zones in the same Region for a one-week event.
The question tests two purchase options:
On-Demand Instances: pay only for the time used. Reserved Instances: commit to EC2 usage for 1 or 3 years, saving up to 75%. For a one-week event, On-Demand is the choice.
To then guarantee capacity, use On-Demand Capacity Reservations, which require specifying an Availability Zone, so the answer is 4️⃣. With a Capacity Reservation you reserve compute capacity for Amazon EC2 instances in a specific Availability Zone. There are two types of Capacity Reservations for different use cases.
Common use cases for On-Demand Capacity Reservations:
- Scaling events: create On-Demand Capacity Reservations ahead of business-critical events so that you can scale when needed.
- Regulatory requirements and disaster recovery: use On-Demand Capacity Reservations to meet high-availability regulatory requirements, and reserve capacity in a different Availability Zone or Region for disaster recovery.
👨👨👦👦 Community discussion: Reserved instances are for long term so on-demand will be the right choice - Answer D
III. Durable storage and HA
A company's website uses an Amazon EC2 instance store for its catalog of items. The company wants to make sure that the catalog is highly available and that the catalog is stored in a durable location.
What should a solutions architect do to meet these requirements?
- Move the catalog to Amazon ElastiCache for Redis.
- Deploy a larger EC2 instance with a larger instance store.
- Move the catalog from the instance store to Amazon S3 Glacier Deep Archive.
- ✅ Move the catalog to an Amazon Elastic File System (Amazon EFS) file system.
✨ Keywords: highly available, store catalog in a durable location
4️⃣ ✅
💡 Explanation: The item catalog must be highly available and kept in durable storage.
3️⃣ is out because data in Deep Archive cannot be made highly available; EFS meets the requirement, so the answer is 4️⃣. From the EFS product page, "Amazon Elastic File System: serverless, fully elastic file storage":
Amazon Elastic File System (Amazon EFS) is a simple, serverless, set-and-forget, elastic file system. There is no minimum fee or setup cost. You pay only for the storage you use, for read and write access to data stored in infrequent access storage classes, and for any provisioned throughput.
Securely and reliably access your files with a fully managed file system designed for 99.999999999% (11 nines) durability and up to 99.99% (4 nines) availability.
Judging by the community discussion, the keyword "durable" points at this high durability.
👨👨👦👦 Community discussion: keyword is "durable" location
A and B are ephemeral storage
C takes forever so is not HA,
that leaves D
🙋♂️ Reply: Yes, if you open EFS home page (https://aws.amazon.com/efs/), Amazon state, "Securely and reliably access your files with a fully managed file system designed for 99.999999999 percent (11 9s) durability and up to 99.99 percent (4 9s) of availability."
IV. File storage and infrequent access
A company stores call transcript files on a monthly basis. Users access the files randomly within 1 year of the call, but users access the files infrequently after 1 year. The company wants to optimize its solution by giving users the ability to query and retrieve files that are less than 1-year-old as quickly as possible. A delay in retrieving older files is acceptable.
Which solution will meet these requirements MOST cost-effectively?
- Store individual files with tags in Amazon S3 Glacier Instant Retrieval. Query the tags to retrieve the files from S3 Glacier Instant Retrieval.
- ✅ Store individual files in Amazon S3 Intelligent-Tiering. Use S3 Lifecycle policies to move the files to S3 Glacier Flexible Retrieval after 1 year. Query and retrieve the files that are in Amazon S3 by using Amazon Athena. Query and retrieve the files that are in S3 Glacier by using S3 Glacier Select.
- Store individual files with tags in Amazon S3 Standard storage. Store search metadata for each archive in Amazon S3 Standard storage. Use S3 Lifecycle policies to move the files to S3 Glacier Instant Retrieval after 1 year. Query and retrieve the files by searching for metadata from Amazon S3.
- ❌ Store individual files in Amazon S3 Standard storage. Use S3 Lifecycle policies to move the files to S3 Glacier Deep Archive after 1 year. Store search metadata in Amazon RDS. Query the files from Amazon RDS. Retrieve the files from S3 Glacier Deep Archive.
✨ Keywords: cost-effectively, query and retrieve files less than 1 year old quickly, delay in retrieving older files
4️⃣ ❌ -> 2️⃣ ✅
💡 Explanation: Files stored for less than 1 year need fast query and retrieval; a retrieval delay is acceptable for files older than 1 year.
Using S3 Lifecycle policies to move files from S3 Standard into Glacier (Deep Archive) classes solves the storage part; comparing 2️⃣ and 4️⃣, 4️⃣ uses Amazon RDS to hold metadata for retrieving deep-archived files, which costs more than Amazon Athena + S3 Glacier Select, so the answer is 2️⃣. From the Athena product page, "Amazon Athena: analyze petabyte-scale data where it lives, flexibly and easily":
Amazon Athena is a serverless, interactive analytics service built on open-source frameworks that supports open-table and file formats. Athena provides a simplified, flexible way to analyze petabytes of data where it lives. Analyze data or build applications from an Amazon Simple Storage Service (S3) data lake and more than 30 data sources, including on-premises data sources or other cloud systems, using SQL or Python. Athena is built on the open-source Trino and Presto engines and Apache Spark frameworks, with no provisioning or configuration required.
Amazon Glacier Select is a new way to query archived data in Amazon Glacier. Glacier Select lets you run queries directly against data stored in Amazon Glacier, retrieving only the data you need from your archive for analysis. This lowers total cost of ownership while letting you extend your data lake at scale into cost-effective archive storage.
The community argued about 3️⃣ and 4️⃣, but where AWS has a complete, purpose-built solution, the corresponding service should always be preferred.
Here the move between active and inactive storage uses Amazon S3 Intelligent-Tiering plus an S3 Lifecycle policy, and retrieval from each tier uses Amazon Athena and S3 Glacier Select respectively.
👨👨👦👦 Community discussion: I think the answer is B: Users access the files randomly
S3 Intelligent-Tiering is the ideal storage class for data with unknown, changing, or unpredictable access patterns, independent of object size or retention period. You can use S3 Intelligent-Tiering as the default storage class for virtually any workload, especially data lakes, data analytics, new applications, and user-generated content. https://aws.amazon.com/fr/s3/storage-classes/intelligent-tiering/
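Option 2️⃣ as concrete configuration, written as an added example with the AWS CLI and not taken from the original notes: the lifecycle rule (Intelligent-Tiering first, storage class GLACIER, i.e. Glacier Flexible Retrieval, after 365 days), an Athena query for the hot tier and an S3 Glacier Select restore for the cold tier. BUCKET, RESULTS_BUCKET, the Athena table calls.transcripts and its call_id/call_date columns are assumptions.

```shell
# Added example (not from the original notes): option 2's storage and retrieval
# plan. Placeholders: BUCKET, RESULTS_BUCKET, an existing Athena table
# calls.transcripts over the CSV transcripts with call_id/call_date columns.
set -u
BUCKET="${BUCKET:-call-transcripts-example}"                     # placeholder
RESULTS_BUCKET="${RESULTS_BUCKET:-transcript-results-example}"   # placeholder

# Day 0 puts new uploads into Intelligent-Tiering (unpredictable first-year
# access); day 365 moves them to GLACIER, the storage-class name for S3 Glacier
# Flexible Retrieval, whose minutes-to-hours restore is the accepted delay.
lifecycle_rule_json() {
  cat <<'EOF'
{"Rules": [{
  "ID": "transcripts-tiering", "Status": "Enabled",
  "Filter": {"Prefix": "transcripts/"},
  "Transitions": [
    {"Days": 0,   "StorageClass": "INTELLIGENT_TIERING"},
    {"Days": 365, "StorageClass": "GLACIER"}
  ]
}]}
EOF
}
apply_lifecycle() {
  aws s3api put-bucket-lifecycle-configuration --bucket "$BUCKET" \
    --lifecycle-configuration "$(lifecycle_rule_json)"
}

# Hot path: Athena SQL over everything still in S3 (less than a year old).
query_recent_transcripts() {
  aws athena start-query-execution \
    --query-string "SELECT call_id, transcript FROM transcripts WHERE call_date >= date_add('year', -1, current_date)" \
    --query-execution-context Database=calls \
    --result-configuration "OutputLocation=s3://$RESULTS_BUCKET/athena/" \
    --query QueryExecutionId --output text
}

# Cold path: S3 Glacier Select writes only the rows matching call_id from one
# archived object into RESULTS_BUCKET instead of thawing the whole file.
glacier_select() {
  key="$1"; call_id="$2"
  aws s3api restore-object --bucket "$BUCKET" --key "$key" --restore-request "{
    \"Type\": \"SELECT\", \"Tier\": \"Standard\",
    \"SelectParameters\": {
      \"InputSerialization\": {\"CSV\": {\"FileHeaderInfo\": \"USE\"}},
      \"ExpressionType\": \"SQL\",
      \"Expression\": \"SELECT * FROM S3Object s WHERE s.call_id = '$call_id'\",
      \"OutputSerialization\": {\"CSV\": {}}},
    \"OutputLocation\": {\"S3\": {\"BucketName\": \"$RESULTS_BUCKET\", \"Prefix\": \"glacier-select/\"}}}"
}
```

Run apply_lifecycle once per bucket; the Glacier Select output appears under the glacier-select/ prefix when the Standard-tier restore completes.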
V. AWS Systems Manager
A company has a production workload that runs on 1,000 Amazon EC2 Linux instances. The workload is powered by third-party software. The company needs to patch the third-party software on all EC2 instances as quickly as possible to remediate a critical security vulnerability.
What should a solutions architect do to meet these requirements?
- Create an AWS Lambda function to apply the patch to all EC2 instances.
- Configure AWS Systems Manager Patch Manager to apply the patch to all EC2 instances.
- Schedule an AWS Systems Manager maintenance window to apply the patch to all EC2 instances.
- ✅ Use AWS Systems Manager Run Command to run a custom command that applies the patch to all EC2 instances.
✨ Keywords: 1,000 Amazon EC2 Linux instances, third-party software, quickly
4️⃣ ✅
💡 Explanation: A third-party software patch must be applied to 1,000 EC2 instances as quickly as possible. From the Systems Manager product page, "AWS Systems Manager: manage your resources in AWS and in multicloud and hybrid environments":
AWS Systems Manager is a new way to manage cloud and hybrid IT environments. It provides a unified user interface that simplifies resource and application management, shortens the time to detect and resolve operational problems, and lets you operate and manage infrastructure securely at scale. The service bundles a rich set of capabilities. It defines a new experience for grouping, visualizing, and responding to problems across features of products such as Amazon EC2 Systems Manager (SSM), supporting a large number of cross-resource operations.
- Run Command: an excellent replacement for enabling SSH on instances. It gives you secure, reliable remote management of your instances at scale without logging in to the server, removing the need for SSH bastion hosts or remote PowerShell. It has fine-grained IAM permissions that let you restrict which roles or users can run particular commands.
- Automation: lets you define common IT tasks as a JSON document that specifies a series of steps. You can also use community-published documents. These documents can be executed from the console, CLI, SDKs and scheduled maintenance windows, or triggered by CloudWatch Events on changes in your infrastructure. You can track and log the execution of every step in a document and prompt for additional approvals. It also lets you roll out changes incrementally and stop automatically on error. You can start an Automation execution directly on a resource group, and it applies itself to the resources it understands within the group.
- Patch Manager: automates the process of patching managed nodes with security-related and other types of updates. You can use Patch Manager to apply patches for both operating systems and applications. (On Windows Server, application support is limited to updates for applications released by Microsoft.)
- Maintenance Windows: let you schedule instance maintenance and other disruptive tasks within a specific window.
- State Manager: lets you control server configuration details such as antivirus definitions and firewall settings. You can define policies in the console, or run existing scripts, PowerShell modules, or even Ansible playbooks directly from S3 or GitHub. You can query State Manager at any time to see the state of your instance configuration.
Although the community argued between 2️⃣ and 4️⃣, Patch Manager is designed primarily to install security-related operating system updates on managed nodes, and by default it installs only a small subset of patches aimed at security. Run Command is clearly more flexible and a better match for the scenario.
👨👨👦👦 Community discussion: The primary focus of Patch Manager, a capability of AWS Systems Manager, is on installing operating systems security-related updates on managed nodes. By default, Patch Manager doesn't install all available patches, but rather a smaller set of patches focused on security. (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/patch-manager-how-it-works-selection.html)
Run Command allows you to automate common administrative tasks and perform one-time configuration changes at scale. (Ref https://docs.aws.amazon.com/systems-manager/latest/userguide/execute-remote-commands.html)
Seems like patch manager is meant for OS level patches and not 3rd party applications. And this falls under run command wheelhouse to carry out one-time configuration changes (update of 3rd party application) at scale.
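Option 4️⃣ in practice, as an added AWS CLI example that is not part of the original notes: one Run Command invocation targeted by tag, with rate control so a broken patch cannot take the whole fleet down at once, output shipped to S3 for the audit trail, and a poll loop for completion. The tag Workload=prod, the package name PKG and the bucket LOG_BUCKET are placeholders; the instances are assumed to run the SSM Agent with an instance profile that carries the SSM managed-instance policy.

```shell
# Added example (not from the original notes): emergency patch of a third-party
# package on every tagged EC2 Linux instance with SSM Run Command. Placeholders:
# tag Workload=prod, package name PKG, log bucket LOG_BUCKET. Instances need the
# SSM Agent and an instance profile with the SSM managed-instance policy; no SSH.
set -u
PKG="${PKG:-vendor-agent}"                                # placeholder package
LOG_BUCKET="${LOG_BUCKET:-ssm-command-logs-example}"      # placeholder bucket

# "parameters" document for AWS-RunShellScript; SSM joins the array into one
# script, which picks the package manager and stops at the first failure.
run_command_params() {
  cat <<EOF
{"commands": [
  "set -e",
  "if command -v yum >/dev/null; then yum update -y $PKG;",
  "elif command -v apt-get >/dev/null; then apt-get update -q && apt-get install -y --only-upgrade $PKG;",
  "else echo 'unsupported package manager' >&2; exit 1; fi",
  "rpm -q $PKG 2>/dev/null || dpkg -s $PKG | grep Version"
]}
EOF
}

# One command for the whole fleet. Rate control (10% of targets at a time, stop
# when more than 5% fail) keeps a bad patch from taking down all 1,000 at once;
# stdout/stderr of every instance lands in LOG_BUCKET for the audit trail.
send_patch_command() {
  aws ssm send-command --document-name "AWS-RunShellScript" \
    --targets "Key=tag:Workload,Values=prod" \
    --parameters "$(run_command_params)" \
    --max-concurrency "10%" --max-errors "5%" --timeout-seconds 600 \
    --output-s3-bucket-name "$LOG_BUCKET" \
    --comment "Emergency patch of $PKG" \
    --query Command.CommandId --output text
}

# Poll until no invocation is Pending/InProgress, then print per-instance status.
wait_for_command() {
  id="$1"
  while [ "$(aws ssm list-command-invocations --command-id "$id" \
      --query "length(CommandInvocations[?Status=='Pending' || Status=='InProgress'])" \
      --output text)" != "0" ]; do
    sleep 15
  done
  aws ssm list-command-invocations --command-id "$id" \
    --query 'CommandInvocations[].[InstanceId,Status]' --output table
}
# Usage: id=$(send_patch_command) && wait_for_command "$id"
```

Instances that report Failed or TimedOut in the final table are the ones to investigate from the per-instance logs in LOG_BUCKET before re-running the command against them alone.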