
SAA Exam Daily Practice - 2024/11/25


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
8 questions (No.58 ~ No.65), for my own review only.
If this infringes any rights, please contact me and it will be removed.


🌟 Vocabulary:

  1. clickstream: n. the recorded sequence of clicks a user makes on a website
  2. separately: adv. individually, respectively
  3. external: adj. outside, outer, coming from outside
  4. accommodate: v. to hold; to adapt to; to provide lodging for; to take into account
  5. rapidly: adv. quickly, swiftly, immediately
  6. interact: v. to communicate or engage with; to act on or influence one another
  7. significant: adj. important, momentous; meaningful; of considerable amount; notable; indicative of

I. Containers

A company wants to run its critical applications in containers to meet requirements for scalability and availability. The company prefers to focus on maintenance of the critical applications. The company does not want to be responsible for provisioning and managing the underlying infrastructure that runs the containerized workload.
What should a solutions architect do to meet these requirements?

  1. Use Amazon EC2 instances, and install Docker on the instances.
  2. Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 worker nodes.
  3. ✅ Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate.
  4. Use Amazon EC2 instances from an Amazon Elastic Container Service (Amazon ECS)-optimized Amazon Machine Image (AMI).

✨ Keywords: containers, scalability and availability, does not want to be responsible for provisioning and managing the underlying infrastructure

3️⃣ ✅

💡 Analysis: The application runs in containers, and the company does not want to manage the infrastructure that runs those containers.
This is the textbook use case for Fargate. Note that Fargate is not a standalone service: it is a launch type (capacity provider) for ECS or EKS, which is why the answer pairs it with ECS. Options 1, 2 and 4 all leave the company patching, scaling and securing EC2 hosts.

AWS Fargate: serverless compute for containers

AWS Fargate is compatible with Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). Choose any OCI-compliant container image, define the memory and compute resources, and run the container on serverless compute. Because the service supports multiple CPU architectures and operating systems, you get these benefits across a wide range of applications.

👨‍👨‍👦‍👦 Community discussion: Good answer is C: AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without having to manage servers. AWS Fargate is compatible with Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS).
https://aws.amazon.com/fr/fargate/


II. 30 TB of clickstream

A company hosts more than 300 global websites and applications. The company requires a platform to analyze more than 30 TB of clickstream data each day.
What should a solutions architect do to transmit and process the clickstream data?

  1. Design an AWS Data Pipeline to archive the data to an Amazon S3 bucket and run an Amazon EMR cluster with the data to generate analytics.
  2. Create an Auto Scaling group of Amazon EC2 instances to process the data and send it to an Amazon S3 data lake for Amazon Redshift to use for analysis.
  3. Cache the data to Amazon CloudFront. Store the data in an Amazon S3 bucket. When an object is added to the S3 bucket, run an AWS Lambda function to process the data for analysis.
  4. ✅ Collect the data from Amazon Kinesis Data Streams. Use Amazon Kinesis Data Firehose to transmit the data to an Amazon S3 data lake. Load the data in Amazon Redshift for analysis.

✨ Keywords: 30 TB of clickstream, transmit, analyze

4️⃣ ✅

💡 Analysis: The company runs more than 300 global websites and applications and needs to analyze more than 30 TB of clickstream data every day.
For streaming data the Kinesis family is the first thing to reach for, and the rest of option 4 holds up: Kinesis Data Streams ingests the events, Kinesis Data Firehose (now called Amazon Data Firehose) batches and delivers them to the S3 data lake, and the data is then loaded into Amazon Redshift (the data warehouse, not the data lake) for SQL analysis.

Some people in the community chose option 1, so let's look at AWS Data Pipeline and Amazon EMR (Elastic MapReduce) clusters.
What is AWS Data Pipeline?

AWS Data Pipeline is in maintenance mode; no new features or Region expansions are planned.

AWS Data Pipeline is a web service that you can use to automate the movement and transformation of data. With AWS Data Pipeline, you define data-driven workflows so that tasks can depend on the successful completion of previous tasks. You define the parameters of your data transformations, and AWS Data Pipeline enforces the logic you set up.

For example, you can use AWS Data Pipeline to archive your web server logs to Amazon Simple Storage Service (Amazon S3) each day, and then run a weekly Amazon EMR cluster over those logs to generate traffic reports.
(Figure: log analysis architecture using AWS Data Pipeline)

Amazon EMR: easily run and scale Apache Spark, Hive, Presto and other big data workloads

Amazon EMR (formerly Amazon Elastic MapReduce) is a managed cluster platform that simplifies running big data frameworks such as Apache Hadoop and Apache Spark on AWS to process and analyze vast amounts of data.

It looks like option 1 could also solve the problem; the scenario even matches the officially documented use case almost word for word. Some pointed out that it cannot process the stream in real time (it is a scheduled batch design), and others pointed out that AWS no longer recommends the service. Either way, at the time of writing option 4 is the better answer.
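To make the producer side of option 4 concrete, here is an added example (mine, not from the exam or this blog post) of how a web tier would write clickstream events into Kinesis Data Streams. The PutRecords request and response shapes are those of the real API, but the stream name, the event fields and the FakeKinesis client are constructed so the example runs offline; swap in boto3.client("kinesis") to run it against a real stream. What it adds to the one-line answer is that PutRecords can succeed for part of a batch and reject the rest, and a producer that ignores FailedRecordCount silently drops clicks.

```python
import json
import time
from typing import Callable, Dict, List

# Added example, not from the exam or the blog. Producer side of option 4:
# batch clickstream events into Kinesis Data Streams with PutRecords and
# re-send only the records the service rejected (partial failure).

MAX_BATCH = 500               # documented PutRecords limit: 500 records per call
MAX_RECORD_BYTES = 1_000_000  # documented limit: 1 MiB per record (data + partition key)


def encode_event(event: Dict) -> Dict:
    """Serialize one click event. Partitioning on the session id keeps one
    visitor's clicks ordered within a shard while sessions spread across shards."""
    data = json.dumps(event, separators=(",", ":")).encode("utf-8")
    if len(data) + len(str(event["session_id"])) > MAX_RECORD_BYTES:
        raise ValueError("event exceeds the Kinesis record size limit")
    return {"Data": data, "PartitionKey": str(event["session_id"])}


def put_records_with_retry(client, stream_name: str, records: List[Dict],
                           max_retries: int = 5,
                           sleep: Callable[[float], None] = time.sleep) -> int:
    """Send records with PutRecords. The response lists one result per input record,
    in order; entries carrying an ErrorCode were not written and must be retried.
    Returns how many retry rounds were needed; raises if records still fail."""
    pending = list(records)
    retries = 0
    while pending:
        batch, pending = pending[:MAX_BATCH], pending[MAX_BATCH:]
        resp = client.put_records(StreamName=stream_name, Records=batch)
        failed = [rec for rec, res in zip(batch, resp["Records"]) if "ErrorCode" in res]
        if failed:
            retries += 1
            if retries > max_retries:
                raise RuntimeError(f"{len(failed)} records still failing after {max_retries} retries")
            sleep(min(0.1 * 2 ** retries, 2.0))  # exponential backoff, capped at 2 s
            pending = failed + pending           # retry the failed ones before new ones
    return retries


class FakeKinesis:
    """Constructed stand-in for boto3's kinesis client (assumption, not the real SDK):
    throttles every second record on the first call, accepts everything afterwards."""

    def __init__(self) -> None:
        self.calls = 0
        self.accepted: List[bytes] = []

    def put_records(self, StreamName: str, Records: List[Dict]) -> Dict:
        self.calls += 1
        results = []
        for i, rec in enumerate(Records):
            if self.calls == 1 and i % 2 == 1:
                results.append({"ErrorCode": "ProvisionedThroughputExceededException",
                                "ErrorMessage": "Rate exceeded for shard shardId-000000000000"})
            else:
                self.accepted.append(rec["Data"])
                results.append({"SequenceNumber": str(len(self.accepted)),
                                "ShardId": "shardId-000000000000"})
        failed = sum(1 for r in results if "ErrorCode" in r)
        return {"FailedRecordCount": failed, "Records": results}


def demo() -> Dict:
    """Constructed sample: ten page views from ten sessions through the fake client."""
    client = FakeKinesis()
    events = [{"session_id": f"s{i}", "page": f"/product/{i}", "ts": 1732500000 + i}
              for i in range(10)]
    retries = put_records_with_retry(client, "clickstream", [encode_event(e) for e in events],
                                     sleep=lambda _: None)
    return {"retries": retries, "calls": client.calls, "accepted": len(client.accepted)}


if __name__ == "__main__":
    print(demo())  # {'retries': 1, 'calls': 2, 'accepted': 10}
```

The same retry-the-failed-subset logic applies to Firehose's PutRecordBatch, which reports partial failure the same way. On the consuming side, Firehose delivering to S3 and a scheduled COPY into Redshift is what turns this into the data lake plus warehouse the answer describes.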

👨‍👨‍👦‍👦 Community discussion: Option D is the most appropriate solution for transmitting and processing the clickstream data in this scenario.
Amazon Kinesis Data Streams is a highly scalable and durable service that enables real-time processing of streaming data at a high volume and high rate. You can use Kinesis Data Streams to collect and process the clickstream data in real-time.
Amazon Kinesis Data Firehose is a fully managed service that loads streaming data into data stores and analytics tools. You can use Kinesis Data Firehose to transmit the data from Kinesis Data Streams to an Amazon S3 data lake.
Once the data is in the data lake, you can use Amazon Redshift to load the data and perform analysis on it. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that allows you to quickly and efficiently analyze data using SQL and your existing business intelligence tools.

Option A, which involves using AWS Data Pipeline to archive the data to an Amazon S3 bucket and running an Amazon EMR cluster with the data to generate analytics, is not the most appropriate solution because it does not involve real-time processing of the data.

A: Not sure how recent this question is but Data Pipeline is not really a product AWS is recommending anymore.


III. Redirect HTTP to HTTPS

A company has a website hosted on AWS. The website is behind an Application Load Balancer (ALB) that is configured to handle HTTP and HTTPS separately. The company wants to forward all requests to the website so that the requests will use HTTPS.
What should a solutions architect do to meet this requirement?

  1. Update the ALB’s network ACL to accept only HTTPS traffic.
  2. Create a rule that replaces the HTTP in the URL with HTTPS.
  3. ✅ Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.
  4. Replace the ALB with a Network Load Balancer configured to use Server Name Indication (SNI).

✨ Keywords: use HTTPS

3️⃣ ✅

💡 Analysis: A website hosted on AWS sits behind an ALB that handles HTTP and HTTPS on separate listeners. The company now wants every request to end up on HTTPS.
Redirecting HTTP requests to HTTPS solves it, so the answer is 3. Option 1 does not work: network ACLs are subnet-level packet filters and cannot redirect, so blocking port 80 would just make plain-HTTP requests fail instead of sending them to HTTPS. Option 2 is a vague description of a URL rewrite, not an ALB listener action, and option 4 (NLB with SNI) replaces the load balancer without adding a redirect. One caveat for the security-minded: a 301 still lets the browser's first request (and any cookies it carries) travel over plaintext HTTP, so pair the redirect with a Strict-Transport-Security (HSTS) response header from the application, so that returning browsers go straight to HTTPS.

How do I redirect HTTP requests to HTTPS using an Application Load Balancer?

…
  6. Select a load balancer, then choose the HTTP listener.
  7. Under Rules, choose View/edit rules.
  8. Choose Edit rules to modify the existing default rule so that it redirects all HTTP requests to HTTPS. Or, insert a rule between the existing rules if that suits your use case.
  9. Under Then, delete the existing condition. Then add a new condition using the Redirect to action.
  10. For HTTPS, enter port 443.
…
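The listener configuration those console steps produce, as an added example (mine, not AWS's or this blog's), in the data shapes the elbv2 API uses: the redirect default action you would pass to modify-listener, and an audit that reads a describe-listeners result and flags HTTP listeners that still forward plaintext. The listener and target group ARNs are constructed sample data.

```python
from typing import Dict, List

# Added example, not from the exam or the blog. Shapes follow the elbv2 API
# (describe-listeners / modify-listener); the ARNs below are constructed.

# Default action for the port-80 listener, identical to what the console's
# "Redirect to" action creates. The #{host}, #{path}, #{query} placeholders keep
# the original request so only scheme and port change; HTTP_301 is permanent,
# so browsers cache it and stop asking over HTTP.
HTTPS_REDIRECT_ACTION: Dict = {
    "Type": "redirect",
    "RedirectConfig": {
        "Protocol": "HTTPS",
        "Port": "443",
        "Host": "#{host}",
        "Path": "/#{path}",
        "Query": "#{query}",
        "StatusCode": "HTTP_301",
    },
}


def redirects_to_https(action: Dict) -> bool:
    cfg = action.get("RedirectConfig", {})
    return (action.get("Type") == "redirect"
            and cfg.get("Protocol") == "HTTPS"
            and cfg.get("Port") == "443")


def audit_listeners(listeners: List[Dict]) -> List[str]:
    """Findings for an ALB's listeners (the "Listeners" list of describe-listeners).
    Every HTTP listener must default to the HTTPS redirect, and an HTTPS listener
    must exist for the redirect to land on."""
    findings = []
    for lst in listeners:
        if lst.get("Protocol") == "HTTP" and not any(
                redirects_to_https(a) for a in lst.get("DefaultActions", [])):
            findings.append(f"listener {lst['ListenerArn']} (port {lst['Port']}) "
                            "serves plaintext HTTP without redirecting")
    if not any(lst.get("Protocol") == "HTTPS" for lst in listeners):
        findings.append("no HTTPS listener: the redirect has nowhere to go")
    return findings


def modify_listener_params(listener_arn: str) -> Dict:
    """Keyword arguments for elbv2 modify_listener (boto3) or the equivalent CLI call
    that turns an existing HTTP listener into the redirect."""
    return {"ListenerArn": listener_arn, "DefaultActions": [HTTPS_REDIRECT_ACTION]}


# Constructed describe-listeners output: the "before" state the question describes,
# HTTP and HTTPS handled separately, both forwarding to the web target group.
ARN_BASE = "arn:aws:elasticloadbalancing:us-east-1:123456789012"
TARGET_GROUP = f"{ARN_BASE}:targetgroup/web/0123456789abcdef"
SAMPLE_LISTENERS: List[Dict] = [
    {"ListenerArn": f"{ARN_BASE}:listener/app/web/0123456789abcdef/http80",
     "Port": 80, "Protocol": "HTTP",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP}]},
    {"ListenerArn": f"{ARN_BASE}:listener/app/web/0123456789abcdef/https443",
     "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward", "TargetGroupArn": TARGET_GROUP}]},
]


def apply_fix(listeners: List[Dict]) -> List[Dict]:
    """The listener list as it would look after modify_listener on each HTTP listener."""
    fixed = []
    for lst in listeners:
        if lst.get("Protocol") == "HTTP":
            lst = {**lst, **modify_listener_params(lst["ListenerArn"])}
        fixed.append(lst)
    return fixed


if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_LISTENERS):
        print("BEFORE:", finding)
    print("AFTER:", audit_listeners(apply_fix(SAMPLE_LISTENERS)) or "clean")
```

The audit only looks at default actions. Non-default rules on the HTTP listener (describe-rules) are evaluated before the default, so a leftover forward rule there would bypass the redirect; run the same redirects_to_https check over those rules' actions as well.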

👨‍👨‍👦‍👦 Community discussion: C. Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.
To meet the requirement of forwarding all requests to the website so that the requests will use HTTPS, a solutions architect can create a listener rule on the ALB that redirects HTTP traffic to HTTPS. This can be done by creating a rule with a condition that matches all HTTP traffic and a rule action that redirects the traffic to the HTTPS listener. The HTTPS listener should already be configured to accept HTTPS traffic and forward it to the target group.


IV. Automatic rotation of database credentials

A company is developing a two-tier web application on AWS. The company’s developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.
  2. Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.
  3. ✅ Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.
  4. Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.

✨ Keywords: not hardcode database credentials in the application, automatically rotate, LEAST operational overhead

3️⃣ ✅

💡 Analysis: A two-tier application; the database credentials must not be hard-coded in the application, and they must be rotated on a regular basis.
When credential rotation is involved, think AWS Secrets Manager first, and the rest of option 3 holds up: Secrets Manager rotates the RDS credentials automatically with its rotation function, and the EC2 instance role is granted permission to read the secret, so no credential ever lives on the instance or in the code. Two details worth remembering: the role needs secretsmanager:GetSecretValue on that one secret (plus kms:Decrypt if the secret is encrypted with a customer managed KMS key), and the application should read the secret when it opens a connection and re-read it after an authentication failure rather than caching the password forever, because after a rotation the cached value is stale.

This is a recurring exam theme: AWS Systems Manager Parameter Store does not provide automatic rotation, which rules out option 4. Options 1 and 2 put the credentials in instance metadata or an S3 file and hand-roll rotation with a scheduled Lambda function, which is exactly the operational overhead the question asks to avoid.
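The application side of option 3, as an added example (mine, not from the exam or this blog): a least-privilege policy for the instance role, and a credential provider that reads the secret through that role and re-reads it when the database rejects the cached password. The secret name, the ARNs and the FakeSecretsManager/FakeDatabase classes are constructed so the code runs offline; the secret's JSON fields are the ones Secrets Manager's RDS rotation writes.

```python
import json
import time
from typing import Callable, Dict, Optional

# Added example, not from the exam or the blog. Names and the Fake* classes are
# constructed; replace FakeSecretsManager with boto3.client("secretsmanager") and
# FakeDatabase.connect with your driver's connect call.

SECRET_ID = "prod/webapp/rds"   # assumed secret name
CACHE_TTL_SECONDS = 300         # short cache: rotation replaces the password under us


def instance_role_policy(secret_arn: str, region: str, kms_key_arn: Optional[str] = None) -> Dict:
    """IAM policy for the EC2 instance role: read this one secret and nothing else.
    kms:Decrypt is only needed when the secret is encrypted with a customer managed key."""
    statements = [{"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
                   "Resource": secret_arn}]
    if kms_key_arn:
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": kms_key_arn,
                           "Condition": {"StringEquals": {
                               "kms:ViaService": f"secretsmanager.{region}.amazonaws.com"}}})
    return {"Version": "2012-10-17", "Statement": statements}


class AuthError(Exception):
    """Stand-in for the driver's access-denied error (e.g. MySQL error 1045)."""


class DbCredentials:
    """Reads the RDS secret (engine/host/port/dbname/username/password) via the
    instance role and caches it briefly. force_refresh=True bypasses the cache."""

    def __init__(self, sm_client, secret_id: str = SECRET_ID,
                 ttl: int = CACHE_TTL_SECONDS, now: Callable[[], float] = time.time) -> None:
        self.sm, self.secret_id, self.ttl, self.now = sm_client, secret_id, ttl, now
        self._cached: Optional[Dict] = None
        self._fetched_at = 0.0

    def get(self, force_refresh: bool = False) -> Dict:
        stale = self.now() - self._fetched_at > self.ttl
        if force_refresh or self._cached is None or stale:
            resp = self.sm.get_secret_value(SecretId=self.secret_id)
            self._cached = json.loads(resp["SecretString"])
            self._fetched_at = self.now()
        return self._cached


def connect_with_rotation_retry(creds: DbCredentials, connect: Callable[[Dict], object]) -> object:
    """Open a DB connection; if the cached password was rotated away, fetch the
    current secret once and retry. A second failure is a real problem and propagates."""
    try:
        return connect(creds.get())
    except AuthError:
        return connect(creds.get(force_refresh=True))


class FakeSecretsManager:
    """Constructed stand-in for boto3's secretsmanager client."""

    def __init__(self, secret: Dict) -> None:
        self.secret, self.calls = dict(secret), 0

    def rotate(self, new_password: str) -> None:
        self.secret["password"] = new_password

    def get_secret_value(self, SecretId: str) -> Dict:
        self.calls += 1
        return {"Name": SecretId, "SecretString": json.dumps(self.secret),
                "VersionStages": ["AWSCURRENT"]}


class FakeDatabase:
    """Constructed stand-in for the RDS instance: accepts only the current password."""

    def __init__(self, password: str) -> None:
        self.password = password

    def connect(self, c: Dict) -> str:
        if c["password"] != self.password:
            raise AuthError("Access denied for user")
        return f"session {c['username']}@{c['host']}:{c['port']}/{c['dbname']}"


def demo() -> Dict:
    """Connect, rotate the password behind the app's back, connect again."""
    secret = {"engine": "mysql", "host": "db.internal.example", "port": 3306,
              "dbname": "app", "username": "app", "password": "old-pw"}
    sm, db = FakeSecretsManager(secret), FakeDatabase("old-pw")
    creds = DbCredentials(sm)
    first = connect_with_rotation_retry(creds, db.connect)
    sm.rotate("new-pw")      # Secrets Manager's rotation function sets the new password
    db.password = "new-pw"   # in both the secret and the database
    second = connect_with_rotation_retry(creds, db.connect)
    return {"first": first, "second": second, "secret_reads": sm.calls}


if __name__ == "__main__":
    print(demo())  # secret_reads is 2: the cached value was refreshed exactly once
```

The policy's Resource is the secret's full ARN (Secrets Manager appends a random suffix to the name), and no secretsmanager:* wildcard is granted, so a compromised instance can read this one credential and nothing else in the account.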

👨‍👨‍👦‍👦 Community discussion: Secrets Manager supports auto-rotation, unlike Parameter Store.


V. AWS Certificate Manager certificate rotation

A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires.
What should a solutions architect do to meet these requirements?

  1. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
  2. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALUse the managed renewal feature to automatically rotate the certificate.
  3. ❌ Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
  4. ✅ Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.

✨ Keywords: external CA, rotated each year

3️⃣ ❌ -> 4️⃣ ✅

💡 Analysis: The web application sits behind an ALB and must terminate TLS at that edge with a certificate issued by an external CA; the certificate has to be rotated every year before it expires.
First, be clear that ACM certificates are regional: the certificate has to live in the same Region as the ALB.
Options 1 and 2 have ACM issue the certificate, which conflicts with the external CA in the question, so they are out (option 2 also talks about importing key material into an ACM-issued certificate, which ACM does not support).
The difference between 3 and 4 is whether ACM can automatically (re)issue a certificate that came from an external CA. It cannot: ACM Private CA in option 3 is AWS's own private CA, not the external one, and imported certificates are never renewed by ACM. So the answer is 4. In practice the manual rotation is a re-import: importing the new certificate with the existing certificate ARN replaces it in place, so the ALB listener keeps its association and needs no change.

Amazon Certificate Manager FAQ

Q: What types of certificates can I create and manage with ACM?
With ACM you can manage the lifecycle of public certificates. ACM's capabilities depend on whether the certificate is public, how you obtained it, and where it is deployed. See "ACM public certificates" for more on public certificates.
Public certificates: ACM manages the renewal and deployment of public certificates used with ACM-integrated services, including Elastic Load Balancing and Amazon API Gateway.
Imported certificates: if you want to use a third-party certificate with Elastic Load Balancing or Amazon API Gateway, you can import it into ACM using the AWS Management Console, the AWS CLI or the ACM API. ACM does not manage the renewal of imported certificates. You are responsible for monitoring the expiration date of your imported certificates and renewing them before they expire. You can monitor the expiration date of imported certificates in the AWS Management Console and import a new third-party certificate to replace one that is about to expire.

👨‍👨‍👦‍👦 Community discussion: It's a third-party certificate, hence AWS cannot manage renewal automatically. The closest thing you can do is to send a notification to renew the 3rd party certificate.


VI. Cost-effective storage

A company runs its infrastructure on AWS and has a registered base of 700,000 users for its document management application. The company intends to create a product that converts large .pdf files to .jpg image files. The .pdf files average 5 MB in size. The company needs to store the original files and the converted files. A solutions architect must design a scalable solution to accommodate demand that will grow rapidly over time.
Which solution meets these requirements MOST cost-effectively?

  1. ✅ Save the .pdf files to Amazon S3. Configure an S3 PUT event to invoke an AWS Lambda function to convert the files to .jpg format and store them back in Amazon S3.
  2. Save the .pdf files to Amazon DynamoDB. Use the DynamoDB Streams feature to invoke an AWS Lambda function to convert the files to .jpg format and store them back in DynamoDB.
  3. Upload the .pdf files to an AWS Elastic Beanstalk application that includes Amazon EC2 instances, Amazon Elastic Block Store (Amazon EBS) storage, and an Auto Scaling group. Use a program in the EC2 instances to convert the files to .jpg format. Save the .pdf files and the .jpg files in the EBS store.
  4. Upload the .pdf files to an AWS Elastic Beanstalk application that includes Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) storage, and an Auto Scaling group. Use a program in the EC2 instances to convert the file to .jpg format. Save the .pdf files and the .jpg files in the EBS store.

✨ Keywords: converts large .pdf files to .jpg image files, grow rapidly, MOST cost-effectively

1️⃣ ✅

💡 Analysis: Convert .pdf files to .jpg, keep both the original and the converted file, and expect the number of files to grow quickly. The cheapest solution wins.
The cheapest storage for this is S3, and the rest of option 1 holds up: an S3 PUT event triggers a Lambda function that converts the file and writes the result back to S3. One operational caveat: write the .jpg files under a different prefix (or to a different bucket) from the one the PUT notification is configured on, otherwise every converted object fires the notification again and the function invokes itself in a loop.

As a side note, the community discussion mentions that DynamoDB has a 400 KB maximum item size, so a 5 MB PDF cannot be stored as an item at all.
Service, account, and table quotas in Amazon DynamoDB

The maximum item size in DynamoDB is 400 KB, which includes both the attribute name binary length (UTF-8 length) and the attribute value lengths (again binary length). Attribute names count toward the size limit.
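The Lambda side of option 1, as an added example (mine, not from the exam or this blog). The bucket layout (uploads/ in, converted/ out), the event helper and the FakeS3 client are constructed so it runs offline; the record shape is the one S3 event notifications deliver, and the conversion itself is injected as a callable (in production a pdf2image/Pillow wrapper, here a stand-in). It shows two things the one-line answer leaves out: S3 URL-encodes the object key in the event, and writing the output under the prefix that triggers the function makes it invoke itself.

```python
import io
import posixpath
from typing import Callable, Dict, List
from urllib.parse import quote_plus, unquote_plus

# Added example, not from the exam or the blog. Prefix names, the event helper
# and FakeS3 are constructed; the event record shape matches S3 notifications.

INPUT_PREFIX = "uploads/"     # the PUT notification is configured on this prefix
OUTPUT_PREFIX = "converted/"  # results go here, outside the trigger's filter


def output_key_for(key: str) -> str:
    """uploads/2024/11/report.pdf -> converted/2024/11/report.jpg.
    Rejects keys outside the input prefix, non-PDF keys, and anything using
    '.' or '..' components to escape the prefix."""
    norm = posixpath.normpath(key)
    if norm != key or not key.startswith(INPUT_PREFIX) or not key.lower().endswith(".pdf"):
        raise ValueError(f"not an input PDF key: {key!r}")
    return OUTPUT_PREFIX + key[len(INPUT_PREFIX):-len(".pdf")] + ".jpg"


def handle_s3_event(event: Dict, s3, convert: Callable[[bytes], bytes]) -> List[str]:
    """Process one S3 notification event; returns the keys written.
    s3 is a boto3 S3 client; convert turns PDF bytes into JPEG bytes."""
    written = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 URL-encodes keys in events
        try:
            out_key = output_key_for(key)
        except ValueError:
            continue  # includes our own converted/ objects: this is the loop guard
        pdf = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        s3.put_object(Bucket=bucket, Key=out_key, Body=convert(pdf), ContentType="image/jpeg")
        written.append(out_key)
    return written


class FakeS3:
    """Constructed stand-in for boto3's S3 client, holding objects in a dict."""

    def __init__(self, objects: Dict[str, bytes]) -> None:
        self.objects = dict(objects)

    def get_object(self, Bucket: str, Key: str) -> Dict:
        return {"Body": io.BytesIO(self.objects[Key])}

    def put_object(self, Bucket: str, Key: str, Body: bytes, ContentType: str) -> Dict:
        self.objects[Key] = Body
        return {}


def s3_put_event(bucket: str, key: str) -> Dict:
    """Constructed notification record with the key encoded the way S3 sends it
    (spaces become '+', slashes stay)."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket},
                                "object": {"key": quote_plus(key, safe="/")}}}]}


def fake_convert(pdf: bytes) -> bytes:
    """Stands in for the real PDF-to-JPEG converter; emits a JPEG SOI marker."""
    return b"\xff\xd8\xff" + pdf


def demo() -> Dict:
    s3 = FakeS3({"uploads/2024/11/my report.pdf": b"%PDF-1.4 constructed"})
    first = handle_s3_event(s3_put_event("docs", "uploads/2024/11/my report.pdf"), s3, fake_convert)
    # the write above fires a PUT event of its own; it must be ignored
    second = handle_s3_event(s3_put_event("docs", first[0]), s3, fake_convert)
    escape = handle_s3_event(s3_put_event("docs", "uploads/../converted/x.pdf"), s3, fake_convert)
    return {"first": first, "second": second, "escape": escape, "objects": sorted(s3.objects)}


if __name__ == "__main__":
    print(demo())
```

The deployed entry point is a plain handler(event, context) that calls handle_s3_event(event, boto3.client("s3"), your_converter). Configuring the bucket notification with a prefix filter of uploads/ and a suffix filter of .pdf is the first line of defence against the loop; the key check in the code is the second, because notification filters can be edited later.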

👨‍👨‍👦‍👦 Community discussion: Option A. Elastic Beanstalk is expensive, and DynamoDB has a 400KB max to upload files. So Lambda and S3 should be the one.


VII. Amazon FSx File Gateway

A company has more than 5 TB of file data on Windows file servers that run on premises. Users and applications interact with the data each day.
The company is moving its Windows workloads to AWS. As the company continues this process, the company requires access to AWS and on-premises file storage with minimum latency. The company needs a solution that minimizes operational overhead and requires no significant changes to the existing file access patterns. The company uses an AWS Site-to-Site VPN connection for connectivity to AWS.
What should a solutions architect do to meet these requirements?

  1. Deploy and configure Amazon FSx for Windows File Server on AWS. Move the on-premises file data to FSx for Windows File Server. Reconfigure the workloads to use FSx for Windows File Server on AWS.
  2. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to the S3 File Gateway. Reconfigure the on-premises workloads and the cloud workloads to use the S3 File Gateway.
  3. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to Amazon S3. Reconfigure the workloads to use either Amazon S3 directly or the S3 File Gateway, depending on each workload’s location.
  4. ✅ Deploy and configure Amazon FSx for Windows File Server on AWS. Deploy and configure an Amazon FSx File Gateway on premises. Move the on-premises file data to the FSx File Gateway. Configure the cloud workloads to use FSx for Windows File Server on AWS. Configure the on-premises workloads to use the FSx File Gateway.

✨ Keywords: 5 TB, Windows file servers, on-premises file storage, minimum latency, no significant changes to the existing file access patterns

4️⃣ ✅

💡 Analysis: Users and applications work every day with 5 TB of file data that lives on on-premises Windows file servers. The Windows workloads are moving to AWS, and during the migration both the AWS side and the on-premises side need low-latency access to the file storage, with minimal operational overhead and no significant change to how files are accessed. The company already has an AWS Site-to-Site VPN to AWS.
This is a Storage Gateway scenario, but an S3 File Gateway is the wrong kind of gateway here: it presents SMB/NFS shares backed by S3 objects, so the cloud-side workloads would have to be reworked to use S3 directly and the native Windows file semantics (SMB with NTFS ACLs and Active Directory integration) would be given up, which is a significant change to the access pattern. That rules out 2 and 3.
The low-latency requirement on premises then points to Amazon FSx File Gateway, which keeps a local cache of frequently used data in front of the FSx for Windows File Server share in AWS. With option 1 alone, every on-premises access would cross the VPN. So the answer is 4.

AWS Storage Gateway documentation

  • Amazon S3 File Gateway
  • Amazon FSx File Gateway: provides access to Amazon FSx for Windows File Server shares in the cloud from on-premises facilities.
  • Tape Gateway
  • Volume Gateway

The community does point out that "Move the on-premises file data to the FSx File Gateway" in option 4 is odd wording, because the gateway is a cache, not a destination you copy data into; the data itself lands in FSx for Windows File Server (for example via AWS DataSync or Robocopy).
Still, the point being tested is clearly Amazon FSx File Gateway.

👨‍👨‍👦‍👦 Community discussion: Agree answer is D)

Requirements are:

  • “Users and applications interact with the data each day”
  • “the company requires access to AWS and on-premises file storage with minimum latency”

Explanation: Answer A) will work with the same on-prem <> aws latency as in answer D) as both use the VPN Connection.
Having said this, by using an Amazon FSx File Gateway on premises as the D) scenario mentioned, all users will have a great benefit on using the cache that the FSx File Gateway has on their daily workloads. And that is part of the requirements: “users”, “each day”, “latency”

🙅: D IS WRONG - It's used for caching. You cannot ‘Move the on-premises file data to the FSx File Gateway.’ which is stated in answer D. I'm pretty sure AWS employees are spamming this site with the wrong answers intentionally.


VIII. Protected health information

A hospital recently deployed a RESTful API with Amazon API Gateway and AWS Lambda. The hospital uses API Gateway and Lambda to upload reports that are in PDF format and JPEG format. The hospital needs to modify the Lambda code to identify protected health information (PHI) in the reports.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Use existing Python libraries to extract the text from the reports and to identify the PHI from the extracted text.
  2. Use Amazon Textract to extract the text from the reports. Use Amazon SageMaker to identify the PHI from the extracted text.
  3. ✅ Use Amazon Textract to extract the text from the reports. Use Amazon Comprehend Medical to identify the PHI from the extracted text.
  4. Use Amazon Rekognition to extract the text from the reports. Use Amazon Comprehend Medical to identify the PHI from the extracted text.

✨ Keywords: API Gateway, Lambda, reports in PDF format and JPEG format, identify protected health information, LEAST operational overhead

3️⃣ ✅

💡 Analysis: The hospital has an API Gateway REST API backed by Lambda and uses it to upload reports in PDF and JPEG format. It now needs the Lambda code to identify protected health information (PHI) in those reports, with the least operational overhead.
Amazon Textract is the managed service for extracting text from scanned documents and images such as PDFs and JPEGs. Amazon Rekognition is a general image and video analysis service; it can spot text in photos, but it is not built for document text extraction. Amazon SageMaker is the platform for building and training your own ML models, which is the opposite of least overhead. Amazon Comprehend Medical is the managed NLP service that extracts medical information, including PHI, from unstructured text.
So option 3: extract the text first, then detect the PHI in it. Two practical notes: Textract's synchronous API accepts JPEG/PNG images and single-page PDF/TIFF documents inline, while multi-page PDFs go through the asynchronous StartDocumentTextDetection/GetDocumentTextDetection operations against an object in S3; and because the input is PHI, the Lambda function's logs and any intermediate storage have to be treated as PHI as well (encrypt them, and never log the extracted text).

What is Amazon Textract?

Amazon Textract is a machine learning (ML) service that automatically extracts text, handwriting, layout elements and data from scanned documents such as PDFs. It goes beyond simple optical character recognition (OCR) to identify, understand and extract specific data from documents.

Amazon Rekognition: image recognition

Amazon Rekognition is a cloud-based image and video analysis service that makes it easy to add advanced computer vision capabilities to your applications.

Amazon SageMaker: machine learning for every developer and data scientist

Amazon SageMaker is a fully managed service that helps developers and data scientists build, train and deploy machine learning (ML) models quickly. SageMaker removes the heavy lifting from each step of the machine learning process, making it easier to develop high-quality models.

What is Amazon Comprehend Medical?

Amazon Comprehend Medical detects and returns useful information from unstructured clinical text such as physician's notes, discharge summaries, test results and case notes. Amazon Comprehend Medical uses natural language processing (NLP) models to detect entities, which are textual references to medical information such as medical conditions, medications, or protected health information (PHI).
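The two-step pipeline option 3 describes, as an added example (mine, not the hospital's code and not from the exam): Textract's DetectDocumentText output is reduced to its LINE blocks, the text is sent to Comprehend Medical DetectPHI in chunks, and the returned offsets are used to redact the PHI. Both clients are injected; the FakeTextract/FakeComprehendMedical classes and the sample report text are constructed so it runs offline, and their responses follow the shapes the real APIs return. The 20,000-character limit is the documented per-request text size for Comprehend Medical at the time of writing.

```python
from typing import Dict, List, Tuple

# Added example, not from the exam or the blog. Fake* clients and the sample
# report are constructed; response shapes follow Textract DetectDocumentText
# and Comprehend Medical DetectPHI.

MAX_CHARS = 20_000  # Comprehend Medical per-request text limit (verify against current quotas)


def lines_from_textract(resp: Dict) -> List[str]:
    """Keep LINE blocks only; WORD blocks repeat the same text and PAGE has none."""
    return [b["Text"] for b in resp.get("Blocks", []) if b.get("BlockType") == "LINE"]


def chunk_text(text: str, limit: int = MAX_CHARS) -> List[str]:
    """Split on line boundaries so an entity is never cut at a chunk edge."""
    chunks: List[str] = []
    cur = ""
    for line in text.split("\n"):
        if cur and len(cur) + 1 + len(line) > limit:
            chunks.append(cur)
            cur = line
        else:
            cur = line if not cur else cur + "\n" + line
    if cur:
        chunks.append(cur)
    return chunks


def find_phi(text: str, cm_client, min_score: float = 0.8, limit: int = MAX_CHARS) -> List[Dict]:
    """Run DetectPHI per chunk and rebase each entity's offsets onto the full text."""
    found: List[Dict] = []
    base = 0
    for chunk in chunk_text(text, limit):
        for e in cm_client.detect_phi(Text=chunk)["Entities"]:
            if e["Score"] >= min_score:
                found.append({"Type": e["Type"], "Text": e["Text"],
                              "BeginOffset": base + e["BeginOffset"],
                              "EndOffset": base + e["EndOffset"]})
        base += len(chunk) + 1  # the newline that chunk_text consumed between chunks
    return found


def redact(text: str, entities: List[Dict]) -> str:
    """Replace spans from the end backwards so earlier offsets stay valid."""
    out = text
    for e in sorted(entities, key=lambda e: e["BeginOffset"], reverse=True):
        out = out[:e["BeginOffset"]] + f"[{e['Type']}]" + out[e["EndOffset"]:]
    return out


def process_report(document_bytes: bytes, textract, cm_client) -> Tuple[str, List[Dict]]:
    """Textract -> Comprehend Medical -> redacted text plus the PHI entities found.
    Hand the entity list, never the raw text, to anything that logs."""
    resp = textract.detect_document_text(Document={"Bytes": document_bytes})
    text = "\n".join(lines_from_textract(resp))
    entities = find_phi(text, cm_client)
    return redact(text, entities), entities


class FakeTextract:
    """Constructed stand-in: the block layout Textract returns for a two-line scan."""

    def detect_document_text(self, Document: Dict) -> Dict:
        return {"Blocks": [
            {"BlockType": "PAGE", "Id": "page-1"},
            {"BlockType": "LINE", "Text": "Patient: Jane Doe  DOB: 04/12/1975"},
            {"BlockType": "WORD", "Text": "Patient:"},
            {"BlockType": "LINE", "Text": "MRN 00812345 seen for hypertension"},
        ]}


class FakeComprehendMedical:
    """Constructed stand-in: finds a fixed set of PHI strings by search and returns
    them in DetectPHI's entity shape."""

    KNOWN = [("Jane Doe", "NAME"), ("04/12/1975", "DATE"), ("00812345", "ID")]

    def detect_phi(self, Text: str) -> Dict:
        ents = []
        for i, (s, t) in enumerate(self.KNOWN):
            pos = Text.find(s)
            if pos >= 0:
                ents.append({"Id": i, "BeginOffset": pos, "EndOffset": pos + len(s),
                             "Score": 0.99, "Text": s, "Type": t,
                             "Category": "PROTECTED_HEALTH_INFORMATION", "Traits": []})
        return {"Entities": ents, "ModelVersion": "constructed"}


if __name__ == "__main__":
    redacted, found = process_report(b"%PDF-1.4 constructed", FakeTextract(), FakeComprehendMedical())
    print(redacted)
    print([(e["Type"], e["BeginOffset"], e["EndOffset"]) for e in found])
```

For the real services, detect_document_text with Document={"Bytes": ...} covers the JPEG uploads and single-page PDFs; multi-page PDFs must be put in S3 and run through the asynchronous Textract job API, after which the same lines_from_textract/find_phi/redact steps apply to the collected blocks.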

👨‍👨‍👦‍👦 Community discussion: The correct solution is C: Use Amazon Textract to extract the text from the reports. Use Amazon Comprehend Medical to identify the PHI from the extracted text.

Option C: Using Amazon Textract to extract the text from the reports, and Amazon Comprehend Medical to identify the PHI from the extracted text, would be the most efficient solution as it would involve the least operational overhead. Textract is specifically designed for extracting text from documents, and Comprehend Medical is a fully managed service that can accurately identify PHI in medical text. This solution would require minimal maintenance and would not incur any additional costs beyond the usage fees for Textract and Comprehend Medical.

