
SAA Exam Daily Practice - 2024/12/04


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
Out of 50 questions (No.286 ~ No.335), only the 11 that I met for the first time, got wrong, or had doubts about are recorded here, for my own review only.
If this infringes any rights, please contact me for removal.


🌟 Vocabulary:

  1. legacy n. inheritance, bequest, leftover problem, aftereffect | adj. (of a computer system or product) discontinued, superseded
  2. fully managed: fully hosted and operated by the provider
  3. thumbnail adj. very small, brief (of an essay, etc.) | n. thumbnail (fingernail), index image, preview miniature

I. S3 share URL

A media company uses Amazon CloudFront for its publicly available streaming video content. The company wants to secure the video content that is hosted in Amazon S3 by controlling who has access. Some of the company’s users are using a custom HTTP client that does not support cookies. Some of the company’s users are unable to change the hardcoded URLs that they are using for access.
Which services or methods will meet these requirements with the LEAST impact to the users? (Choose two.)

  1. ✅ Signed cookies
  2. ✅ Signed URLs
  3. AWS AppSync
  4. JSON Web Token (JWT)
  5. AWS Secrets Manager

✨ Keywords: a custom HTTP client that does not support cookies, unable to change the hardcoded URLs

1️⃣ 2️⃣ ✅

💡 Analysis: Files in an S3 bucket must be shared with external users. Some users use an HTTP client that does not support cookies, and others cannot change their hardcoded access URL (for example, one written directly into the code).
For users whose client does not support cookies, both a presigned URL and a public URL clearly work.
For users with hardcoded URLs, a public URL is clearly the fit as well.
Here simply choosing 2️⃣ is enough.

Amazon AppSync powers your applications with the right data from one or more data sources anywhere in the world.

With AppSync you can build scalable applications, including ones that require real-time updates, on a range of data sources such as NoSQL data stores, relational databases, HTTP APIs, and custom data sources you write with AWS Lambda. For mobile and web applications, AppSync additionally provides local data access when devices go offline, and data synchronization with customizable conflict resolution when they come back online.

👨‍👨‍👦‍👦 Community discussion: I thought that option A was totally wrong, because the question mentions “HTTP client does not support cookies”. However it is right, along with option B. Check the link below, first paragraph.
https://aws.amazon.com/blogs/media/secure-content-using-cloudfront-functions/


II. Data stream ETL and save

A company is preparing a new data platform that will ingest real-time streaming data from multiple sources. The company needs to transform the data before writing the data to Amazon S3. The company needs the ability to use SQL to query the transformed data.
Which solutions will meet these requirements? (Choose two.)

  1. ✅ Use Amazon Kinesis Data Streams to stream the data. Use Amazon Kinesis Data Analytics to transform the data. Use Amazon Kinesis Data Firehose to write the data to Amazon S3. Use Amazon Athena to query the transformed data from Amazon S3.
  2. ✅ Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to stream the data. Use AWS Glue to transform the data and to write the data to Amazon S3. Use Amazon Athena to query the transformed data from Amazon S3.
  3. Use AWS Database Migration Service (AWS DMS) to ingest the data. Use Amazon EMR to transform the data and to write the data to Amazon S3. Use Amazon Athena to query the transformed data from Amazon S3.
  4. Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to stream the data. Use Amazon Kinesis Data Analytics to transform the data and to write the data to Amazon S3. Use the Amazon RDS query editor to query the transformed data from Amazon S3.
  5. Use Amazon Kinesis Data Streams to stream the data. Use AWS Glue to transform the data. Use Amazon Kinesis Data Firehose to write the data to Amazon S3. Use the Amazon RDS query editor to query the transformed data from Amazon S3.

✨ Keywords: real-time streaming data, multiple sources, ETL, S3

1️⃣ 2️⃣ ✅

💡 Analysis: Near-real-time streaming data from multiple sources must be transformed and then written to S3, and it must be queryable with SQL afterwards.
First, querying S3 with SQL here can only be done with Amazon Athena; after ruling the others out, only 1️⃣ 2️⃣ 3️⃣ remain.
2️⃣ is the standard pattern: stream the data through Amazon Managed Streaming for Apache Kafka, run the ETL in Glue, then store the result in S3.
1️⃣ is somewhat more involved; on whether Amazon Kinesis Data Analytics can transform data, see “Examples: Transforming String Values”:

Amazon Kinesis Data Analytics supports formats such as JSON and CSV for records on a streaming source.

So it can, and 1️⃣ is fine as well.
3️⃣ uses DMS, which is for migrating databases, so it is clearly wrong.

Amazon Managed Streaming for Apache Kafka (MSK): securely stream data with a fully managed, highly available Apache Kafka service

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a streaming data service that manages Apache Kafka infrastructure and operations.

Apache Kafka is an open-source, high-performance, fault-tolerant, and scalable platform for building real-time streaming data pipelines and applications. Apache Kafka is a streaming data store that decouples the applications producing streaming data (producers) into its data store from the applications consuming streaming data (consumers) from its data store. Organizations use Apache Kafka as a data source for applications that continuously analyze and react to streaming data.

👨‍👨‍👦‍👦 Community discussion: OK, for B I did some research, https://docs.aws.amazon.com/glue/latest/dg/add-job-streaming.html
“You can create streaming extract, transform, and load (ETL) jobs that run continuously, consume data from streaming sources like Amazon Kinesis Data Streams, Apache Kafka, and Amazon Managed Streaming for Apache Kafka (Amazon MSK). The jobs cleanse and transform the data, and then load the results into Amazon S3 data lakes or JDBC data stores.”


III. High-performance file system

A research laboratory needs to process approximately 8 TB of data. The laboratory requires sub-millisecond latencies and a minimum throughput of 6 GBps for the storage subsystem. Hundreds of Amazon EC2 instances that run Amazon Linux will distribute and process the data.
Which solution will meet the performance requirements?

  1. Create an Amazon FSx for NetApp ONTAP file system. Set each volume’s tiering policy to ALL. Import the raw data into the file system. Mount the file system on the EC2 instances.
  2. ✅ Create an Amazon S3 bucket to store the raw data. Create an Amazon FSx for Lustre file system that uses persistent SSD storage. Select the option to import data from and export data to Amazon S3. Mount the file system on the EC2 instances.
  3. Create an Amazon S3 bucket to store the raw data. Create an Amazon FSx for Lustre file system that uses persistent HDD storage. Select the option to import data from and export data to Amazon S3. Mount the file system on the EC2 instances.
  4. ❌ Create an Amazon FSx for NetApp ONTAP file system. Set each volume’s tiering policy to NONE. Import the raw data into the file system. Mount the file system on the EC2 instances.

✨ Keywords: 8 TB, sub-millisecond latencies, 6 GBps

4️⃣ ❌ -> 2️⃣ ✅

💡 Analysis: 8 TB of data must be stored on a file system with sub-millisecond reads and 6 GBps of throughput.

What is Amazon FSx for Lustre?

FSx for Lustre makes it easy and cost-effective to launch and run the popular high-performance Lustre file system. You can use Lustre for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

The open-source Lustre file system is designed for applications that require fast storage, that is, storage that keeps up with compute. Lustre was built to solve the problem of quickly and cheaply processing the world’s ever-growing datasets. It is a widely used file system designed for the world’s fastest computers. It provides sub-millisecond latencies, up to hundreds of GBps of throughput, and up to millions of IOPS.

What is Amazon FSx for NetApp ONTAP?

Deliver your data to a broad range of workloads and users over the industry-standard NFS, SMB, iSCSI, and NVMe-over-TCP protocols.

Volume tiering policies

  • Auto: this policy moves all cold data (user data and snapshots) to the capacity pool tier. The rate at which data cools is set by the policy’s cooling period, which defaults to 31 days and can be configured between 2 and 183 days.
  • Snapshot Only: this policy moves only snapshot data to the capacity pool storage tier. The rate at which snapshots are tiered to the capacity pool is set by the policy’s cooling period, which defaults to 2 days and can be configured between 2 and 183 days.
  • All: this policy marks all user data and snapshot data as cold and stores it in the capacity pool tier.
  • None: this policy keeps all of a volume’s data on the primary storage tier and prevents it from being moved to capacity pool storage.

👨‍👨‍👦‍👦 Community discussion: Keyword here is a minimum throughput of 6 GBps. Only the FSx for Lustre with SSD option gives the sub-milli response and throughput of 6 GBps or more.
B. Create an Amazon S3 bucket to store the raw data. Create an Amazon FSx for Lustre file system that uses persistent SSD storage. Select the option to import data from and export data to Amazon S3. Mount the file system on the EC2 instances.
References:
https://aws.amazon.com/fsx/when-to-choose-fsx/


IV. Data transfer

A university research laboratory needs to migrate 30 TB of data from an on-premises Windows file server to Amazon FSx for Windows File Server. The laboratory has a 1 Gbps network link that many other departments in the university share.
The laboratory wants to implement a data migration service that will maximize the performance of the data transfer. However, the laboratory needs to be able to control the amount of bandwidth that the service uses to minimize the impact on other departments. The data migration must take place within the next 5 days.
Which AWS solution will meet these requirements?

  1. ❌ AWS Snowcone
  2. Amazon FSx File Gateway
  3. ✅ AWS DataSync
  4. AWS Transfer Family

✨ Keywords: 30 TB, 5 days

1️⃣ ❌ -> 3️⃣ ✅

💡 Analysis: 30 TB of data must be migrated to AWS within 5 days. There is a 1 Gbps network link; the goal is to make maximum use of it while keeping control over the bandwidth consumed.
At 1 Gbps, roughly (1000 / 8) * 3600 * 24 / 1024 / 1024 = 10.3 TB can be transferred per day, which means about 51.5 TB over 5 days in theory, comfortably covering the total size of the files.
Choosing 3️⃣ is fine. A Snowcone also could not be shipped, loaded, and sent back to AWS within 5 days.

What is AWS Transfer Family?

AWS Transfer Family is a secure transfer service that lets you transfer files into and out of AWS storage services. Transfer Family is part of the AWS Cloud platform. AWS Transfer Family provides fully managed support for transferring files directly into and out of Amazon S3 or Amazon EFS over SFTP, AS2, FTPS, and FTP. By maintaining existing client authentication, access, and firewall configurations, you can seamlessly migrate, automate, and monitor file transfer workflows, so nothing changes for your customers, partners, and internal teams or their applications.

The main purpose of AWS Transfer Family is moving files into and out of S3 or EFS over other protocols.

👨‍👨‍👦‍👦 Community discussion: AWS DataSync is a data transfer service that can copy large amounts of data between on-premises storage and Amazon FSx for Windows File Server at high speeds. It allows you to control the amount of bandwidth used during data transfer.

  • DataSync uses agents at the source and destination to automatically copy files and file metadata over the network. This optimizes the data transfer and minimizes the impact on your network bandwidth.
  • DataSync allows you to schedule data transfers and configure transfer rates to suit your needs. You can transfer 30 TB within 5 days while controlling bandwidth usage.
  • DataSync can resume interrupted transfers and validate data to ensure integrity. It provides detailed monitoring and reporting on the progress and performance of data transfers.

V. Auto Scaling

A company is launching a new application deployed on an Amazon Elastic Container Service (Amazon ECS) cluster and is using the Fargate launch type for ECS tasks. The company is monitoring CPU and memory usage because it is expecting high traffic to the application upon its launch. However, the company wants to reduce costs when utilization decreases.
What should a solutions architect recommend?

  1. Use Amazon EC2 Auto Scaling to scale at certain periods based on previous traffic patterns.
  2. Use an AWS Lambda function to scale Amazon ECS based on metric breaches that trigger an Amazon CloudWatch alarm.
  3. Use Amazon EC2 Auto Scaling with simple scaling policies to scale when ECS metric breaches trigger an Amazon CloudWatch alarm.
  4. ✅ Use AWS Application Auto Scaling with target tracking policies to scale when ECS metric breaches trigger an Amazon CloudWatch alarm.

✨ Keywords: ECS, Auto Scaling

4️⃣ ✅

💡 Analysis: An application deployed on ECS Fargate needs elastic scaling.
Let’s look at what AWS Application Auto Scaling is: What is Application Auto Scaling?

Application Auto Scaling is a web service for developers and system administrators who need a solution for automatically scaling their scalable resources for individual AWS services beyond Amazon EC2. With Application Auto Scaling, you can configure automatic scaling for the following resources:

  • DynamoDB tables and global secondary indexes
  • Amazon ECS services
  • Lambda function provisioned concurrency

…and many other services

👨‍👨‍👦‍👦 Community discussion: Answer is D - Auto-scaling with target tracking


VI. Billing and cost

A company has multiple AWS accounts that use consolidated billing. The company runs several active high performance Amazon RDS for Oracle On-Demand DB instances for 90 days. The company’s finance team has access to AWS Trusted Advisor in the consolidated billing account and all other AWS accounts.
The finance team needs to use the appropriate AWS account to access the Trusted Advisor check recommendations for RDS.
The finance team must review the appropriate Trusted Advisor check to reduce RDS costs.
Which combination of steps should the finance team take to meet these requirements? (Choose two.)

  1. Use the Trusted Advisor recommendations from the account where the RDS instances are running.
  2. ✅ Use the Trusted Advisor recommendations from the consolidated billing account to see all RDS instance checks at the same time.
  3. Review the Trusted Advisor check for Amazon RDS Reserved Instance Optimization.
  4. ✅ Review the Trusted Advisor check for Amazon RDS Idle DB Instances.
  5. Review the Trusted Advisor check for Amazon Redshift Reserved Node Optimization.

✨ Keywords: reduce RDS costs

2️⃣ 4️⃣ ✅

💡 Analysis: The company has been running RDS instances for 90 days. The finance team needs to use AWS Trusted Advisor to review recommendations and reduce costs.
AWS Trusted Advisor: optimize costs, increase performance, and address security gaps

AWS Trusted Advisor helps you optimize costs, increase performance, improve security and resilience, and operate at scale in the cloud. Trusted Advisor continuously evaluates your AWS environment using best-practice checks across the categories of cost optimization, performance, resilience, security, operational excellence, and service limits, and recommends actions to remediate any deviation from best practices.

How do you optimize costs with AWS Trusted Advisor?

  • Cost optimization checks for underutilized resources
  • Cost optimization checks for reservations
  • Other cost optimization checks

👨‍👨‍👦‍👦 Community discussion: B & D
https://aws.amazon.com/premiumsupport/knowledge-center/trusted-advisor-cost-optimization/


VII. Static file transfer

A company sells datasets to customers who do research in artificial intelligence and machine learning (AI/ML). The datasets are large, formatted files that are stored in an Amazon S3 bucket in the us-east-1 Region. The company hosts a web application that the customers use to purchase access to a given dataset. The web application is deployed on multiple Amazon EC2 instances behind an Application Load Balancer. After a purchase is made, customers receive an S3 signed URL that allows access to the files.
The customers are distributed across North America and Europe. The company wants to reduce the cost that is associated with data transfers and wants to maintain or improve performance.
What should a solutions architect do to meet these requirements?

  1. Configure S3 Transfer Acceleration on the existing S3 bucket. Direct customer requests to the S3 Transfer Acceleration endpoint. Continue to use S3 signed URLs for access control.
  2. ✅ Deploy an Amazon CloudFront distribution with the existing S3 bucket as the origin. Direct customer requests to the CloudFront URL. Switch to CloudFront signed URLs for access control.
  3. ❌ Set up a second S3 bucket in the eu-central-1 Region with S3 Cross-Region Replication between the buckets. Direct customer requests to the closest Region. Continue to use S3 signed URLs for access control.
  4. Modify the web application to enable streaming of the datasets to end users. Configure the web application to read the data from the existing S3 bucket. Implement access control directly in the application.

✨ Keywords:

3️⃣ ❌ -> 2️⃣ ✅

💡 Analysis: Large datasets must be distributed to users in North America and Europe, and the S3 bucket is in us-east-1.
Look at the CloudFront signed URLs mentioned in 2️⃣: Using signed URLs

A signed URL includes additional information, for example an expiration date and time, that gives you more control over access to your content. This additional information appears in a policy statement, which is based on either a canned policy or a custom policy. The differences between canned and custom policies are explained in the next two sections.

So 2️⃣ is clearly the better choice.

👨‍👨‍👦‍👦 Community discussion: To reduce the cost associated with data transfers and maintain or improve performance, a solutions architect should use Amazon CloudFront, a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.
Deploying a CloudFront distribution with the existing S3 bucket as the origin will allow the company to serve the data to customers from edge locations that are closer to them, reducing data transfer costs and improving performance.
Directing customer requests to the CloudFront URL and switching to CloudFront signed URLs for access control will enable customers to access the data securely and efficiently.
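Both question I (the remark that a presigned URL works for clients without cookie support) and question VII (the S3 signed URL handed out after a purchase) rest on the same mechanism: the expiry and the credential scope are part of the signed string, so whoever holds the URL cannot extend or retarget it. The Python below is an added example, not code from this page or from the AWS SDK: it builds an S3 presigned GET URL with Signature Version 4 using only the standard library and then verifies it the way the service does on receipt. The bucket, object key, access key id, secret key and timestamps are constructed placeholders; in production you would call boto3’s `generate_presigned_url` rather than reimplement the signing. CloudFront signed URLs (the option chosen in VII) use a different scheme, an RSA-signed policy document, and are not shown here.

```python
"""Added example: build and verify an Amazon S3 presigned GET URL (Signature Version 4,
query-parameter form) with only the Python standard library.
Access keys, bucket, key and timestamps below are constructed placeholders."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects presigned URLs valid for more than seven days


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, datestamp: str, region: str) -> bytes:
    # SigV4 key derivation: "AWS4" + secret -> date -> region -> service -> terminator
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), datestamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, "s3")
    return _hmac_sha256(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name, RFC 3986 encoding; the "/" in the credential must be encoded
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )


def _signature(secret_key, region, host, canonical_uri, params, amz_date, datestamp) -> str:
    scope = f"{datestamp}/{region}/s3/aws4_request"
    canonical_request = "\n".join([
        "GET", canonical_uri, _canonical_query(params),
        f"host:{host}\n",      # canonical headers (only Host is signed)
        "host",                # signed header list
        "UNSIGNED-PAYLOAD",    # presigned GETs do not hash a body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = _signing_key(secret_key, datestamp, region)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, issued: dt.datetime, expires: int) -> str:
    """Return a URL that grants GET on one object until issued + expires seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/-_.~")
    amz_date, datestamp = issued.strftime("%Y%m%dT%H%M%SZ"), issued.strftime("%Y%m%d")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{datestamp}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret_key, region, host, canonical_uri, params, amz_date, datestamp)
    return f"https://{host}{canonical_uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_presigned(url: str, secret_key: str, now: dt.datetime) -> bool:
    """What the service does on receipt: recompute the signature and enforce the window.
    X-Amz-Date and X-Amz-Expires are inside the signed string, so a client cannot
    stretch the lifetime of a URL it was given without invalidating the signature."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    claimed = q.pop("X-Amz-Signature", "")
    try:
        _access_key, datestamp, region, service, term = q["X-Amz-Credential"].split("/")
        issued = dt.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
        expires = int(q["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if service != "s3" or term != "aws4_request" or not 1 <= expires <= MAX_EXPIRES:
        return False
    if now < issued or now > issued + dt.timedelta(seconds=expires):
        return False  # outside the signed validity window
    expected = _signature(secret_key, region, parts.netloc, parts.path, q, q["X-Amz-Date"], datestamp)
    return hmac.compare_digest(expected, claimed)


# Constructed demo values (not real credentials)
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEEXAMPLE00", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ISSUED = dt.datetime(2024, 12, 4, 12, 0, 0, tzinfo=dt.timezone.utc)


def demo() -> dict:
    url = presign_get("media-datasets", "datasets/sample.csv", ACCESS_KEY, SECRET_KEY,
                      "us-east-1", ISSUED, 300)
    tampered = url.replace("X-Amz-Expires=300", "X-Amz-Expires=3600")  # holder tries to extend it
    return {
        "fresh": verify_presigned(url, SECRET_KEY, ISSUED + dt.timedelta(seconds=60)),
        "expired": verify_presigned(url, SECRET_KEY, ISSUED + dt.timedelta(seconds=301)),
        "tampered_expiry": verify_presigned(tampered, SECRET_KEY, ISSUED + dt.timedelta(seconds=60)),
        "wrong_secret": verify_presigned(url, "not-the-secret", ISSUED + dt.timedelta(seconds=60)),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four verification outcomes: only the untouched URL checked inside its 300-second window passes; the same URL after expiry, the URL with an edited `X-Amz-Expires`, and a verifier holding a different secret are all rejected.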


VIII. Vulnerabilities

A company experienced a breach that affected several applications in its on-premises data center. The attacker took advantage of vulnerabilities in the custom applications that were running on the servers. The company is now migrating its applications to run on Amazon EC2 instances. The company wants to implement a solution that actively scans for vulnerabilities on the EC2 instances and sends a report that details the findings.
Which solution will meet these requirements?

  1. Deploy AWS Shield to scan the EC2 instances for vulnerabilities. Create an AWS Lambda function to log any findings to AWS CloudTrail.
  2. Deploy Amazon Macie and AWS Lambda functions to scan the EC2 instances for vulnerabilities. Log any findings to AWS CloudTrail.
  3. ❌ Turn on Amazon GuardDuty. Deploy the GuardDuty agents to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.
  4. ✅ Turn on Amazon Inspector. Deploy the Amazon Inspector agent to the EC2 instances. Configure an AWS Lambda function to automate the generation and distribution of reports that detail the findings.

✨ Keywords: vulnerabilities

3️⃣ ❌ -> 4️⃣ ✅

💡 Analysis: The applications have vulnerabilities and need protection.
AWS Shield is for DDoS protection.
Amazon Macie is for identifying sensitive data.
Amazon GuardDuty is a security detection service whose subject is the AWS account.

GuardDuty gives you accurate detection of account-compromise threats, which can be difficult to catch quickly unless you continuously monitor the relevant factors in near real time. GuardDuty detects signs of account compromise, such as access to AWS resources from an unusual geographic location at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual API calls, such as attempts to cover up account activity by disabling CloudTrail logging, or database snapshots being created from a malicious IP address.

Amazon Inspector is a vulnerability detection service: What is Amazon Inspector?

Amazon Inspector is a vulnerability management service that automatically discovers workloads and continuously scans them for software vulnerabilities and unintended network exposure.

👨‍👨‍👦‍👦 Community discussion: AWS Shield for DDoS
Amazon Macie for discovering and protecting sensitive data
Amazon GuardDuty for intelligent threat discovery to protect AWS accounts
Amazon Inspector for automated security assessment, like known vulnerabilities
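As an added illustration of the reporting step in the chosen option 4️⃣ (not code from this page or from AWS), the Python below aggregates Amazon Inspector findings per EC2 instance and renders the lines a report Lambda could post or mail. The findings are constructed sample data; their field names (`findingArn`, `status`, `severity`, `type`, `resources`, `packageVulnerabilityDetails`) are modelled on the Inspector2 `ListFindings` response and the CVE ids are placeholders, so treat the shape as an assumption to check against the API reference. A real function would page through `list_findings` with a filter on finding status instead of reading a list.

```python
"""Added example: summarize Amazon Inspector findings per EC2 instance.
FINDINGS is constructed sample data; its shape is an assumption modelled on the
Inspector2 ListFindings response, and the CVE ids are placeholders."""
from collections import defaultdict

# Ordering used to sort and filter; UNTRIAGED is treated like INFORMATIONAL
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0, "UNTRIAGED": 0}

FINDINGS = [  # constructed sample data, not a captured API response
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-0001",
     "status": "ACTIVE", "severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-00001 - openssl (placeholder id)",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0abc0000000000001"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00001"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-0002",
     "status": "ACTIVE", "severity": "HIGH", "type": "NETWORK_REACHABILITY",
     "title": "Port 22 is reachable from an internet gateway",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0abc0000000000002"}]},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-0003",
     "status": "ACTIVE", "severity": "LOW", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-00003 - curl (placeholder id)",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0abc0000000000001"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00003"}},
    {"findingArn": "arn:aws:inspector2:us-east-1:111122223333:finding/f-0004",
     "status": "SUPPRESSED", "severity": "CRITICAL", "type": "PACKAGE_VULNERABILITY",
     "title": "CVE-0000-00004 - kernel (placeholder id, suppressed by a rule)",
     "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0abc0000000000002"}],
     "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-0000-00004"}},
]


def summarize(findings) -> dict:
    """Group ACTIVE findings by EC2 instance: {instance_id: {severity: count}}."""
    per_instance = defaultdict(lambda: defaultdict(int))
    for f in findings:
        if f.get("status") != "ACTIVE":
            continue  # SUPPRESSED / CLOSED findings do not belong in an action report
        for res in f.get("resources", []):
            if res.get("type") == "AWS_EC2_INSTANCE":
                per_instance[res["id"]][f.get("severity", "UNTRIAGED")] += 1
    return {inst: dict(counts) for inst, counts in per_instance.items()}


def render_report(findings, min_severity="MEDIUM") -> list:
    """Tab-separated lines, worst severity first, limited to ACTIVE findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for f in findings:
        if f.get("status") != "ACTIVE" or SEVERITY_RANK.get(f.get("severity"), 0) < threshold:
            continue
        # Package findings carry a vulnerability id; other types fall back to the finding type
        vuln = f.get("packageVulnerabilityDetails", {}).get("vulnerabilityId", f.get("type"))
        for res in f.get("resources", []):
            if res.get("type") == "AWS_EC2_INSTANCE":
                rows.append((SEVERITY_RANK[f["severity"]], res["id"], f["severity"], vuln, f["title"]))
    rows.sort(key=lambda r: (-r[0], r[1], r[3]))
    return [f"{inst}\t{sev}\t{vuln}\t{title}" for _, inst, sev, vuln, title in rows]


if __name__ == "__main__":
    print(summarize(FINDINGS))
    print("\n".join(render_report(FINDINGS)))
```

With the sample data, `summarize` attributes a CRITICAL and a LOW finding to the first instance and one HIGH to the second; the suppressed CRITICAL finding is left out, and the default MEDIUM threshold keeps two report lines.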


IX. Safe movement on AWS resources

A company recently migrated its entire IT environment to the AWS Cloud. The company discovers that users are provisioning oversized Amazon EC2 instances and modifying security group rules without using the appropriate change control process. A solutions architect must devise a strategy to track and audit these inventory and configuration changes.
Which actions should the solutions architect take to meet these requirements? (Choose two.)

  1. ✅ Enable AWS CloudTrail and use it for auditing.
  2. Use data lifecycle policies for the Amazon EC2 instances.
  3. Enable AWS Trusted Advisor and reference the security dashboard.
  4. ✅ Enable AWS Config and create rules for auditing and compliance purposes.
  5. Restore previous resource configurations with an AWS CloudFormation template.

✨ Keywords: without using the appropriate change control process

1️⃣ 4️⃣ ✅

💡 Analysis: Users are changing AWS resources without following the process, which is a security problem.
CloudTrail records the history of operations on AWS resources and can be used for auditing; no doubt about that.
AWS Config and constraints on user operations: Evaluating resources with AWS Config rules

AWS Config is used to evaluate the configuration settings of your AWS resources. To do this, you create AWS Config rules that represent your ideal configuration settings. AWS Config provides customizable, predefined rules called managed rules to help you get started.

How AWS Config rules work
While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether those changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant.

👨‍👨‍👦‍👦 Community discussion: A. Enable AWS CloudTrail and use it for auditing. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS Command Line Interface (CLI), and AWS SDKs and APIs. By enabling CloudTrail, the company can track user activity and changes to AWS resources, and monitor compliance with internal policies and external regulations.

D. Enable AWS Config and create rules for auditing and compliance purposes. AWS Config provides a detailed inventory of the AWS resources in your account, and continuously records changes to the configurations of those resources. By creating rules in AWS Config, the company can automate the evaluation of resource configurations against desired state, and receive alerts when configurations drift from compliance.

Options B, C, and E are not directly relevant to the requirement of tracking and auditing inventory and configuration changes.
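The two behaviours in the question, oversized instances and security-group rules changed outside change control, are exactly what an AWS Config rule evaluates on every configuration change. The Python below is an added example (not this page’s or AWS’s code) of the evaluation logic inside a custom rule: it classifies each configuration item as COMPLIANT, NON_COMPLIANT or NOT_APPLICABLE. The configuration items are constructed; their field names (`resourceType`, `resourceId`, `configuration.instanceType`, `configuration.ipPermissions`) are modelled on the `configurationItem` that Config passes inside `invokingEvent`, and the result shape on the `PutEvaluations` API; both are assumptions to check against the documentation. The approved instance types and the set of management ports are organisational policy, chosen here for illustration. In the real Lambda function the list returned by `evaluate_event` is submitted together with the event’s `resultToken`.

```python
"""Added example: evaluation logic of a custom AWS Config rule.
Configuration items and the event are constructed; field names are an assumption
modelled on Config's invokingEvent.configurationItem and the PutEvaluations shape."""
import ipaddress
import json

ALLOWED_INSTANCE_TYPES = {"t3.micro", "t3.small", "t3.medium", "m5.large"}  # org policy (illustrative)
SENSITIVE_PORTS = {22, 3389}  # management ports that must never be open to the whole internet


def _port_range(perm: dict):
    if perm.get("ipProtocol") == "-1":  # "all traffic" rule covers every port
        return 0, 65535
    return perm.get("fromPort", 0), perm.get("toPort", 65535)


def _world_open_sensitive(perm: dict) -> bool:
    """True when an ingress permission exposes a management port to 0.0.0.0/0 or ::/0."""
    lo, hi = _port_range(perm)
    if not any(lo <= p <= hi for p in SENSITIVE_PORTS):
        return False
    cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", [])] + \
            [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return any(c and ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def _evaluation(item: dict, compliance: str, annotation: str) -> dict:
    ev = {"ComplianceResourceType": item["resourceType"],
          "ComplianceResourceId": item["resourceId"],
          "ComplianceType": compliance,
          "OrderingTimestamp": item.get("configurationItemCaptureTime")}
    if annotation:
        ev["Annotation"] = annotation  # only include when non-empty
    return ev


def evaluate(item: dict) -> dict:
    """Classify one configuration item; unknown resource types are NOT_APPLICABLE."""
    rtype = item["resourceType"]
    cfg = item.get("configuration", {})
    if rtype == "AWS::EC2::Instance":
        itype = cfg.get("instanceType")
        ok = itype in ALLOWED_INSTANCE_TYPES
        note = "" if ok else f"instance type {itype} is not in the approved list"
    elif rtype == "AWS::EC2::SecurityGroup":
        bad = [p for p in cfg.get("ipPermissions", []) if _world_open_sensitive(p)]
        ok = not bad
        note = "" if ok else f"{len(bad)} ingress rule(s) expose a management port to 0.0.0.0/0 or ::/0"
    else:
        return _evaluation(item, "NOT_APPLICABLE", "")
    return _evaluation(item, "COMPLIANT" if ok else "NON_COMPLIANT", note)


def evaluate_event(event: dict) -> list:
    """Rule entry point shape: invokingEvent is a JSON string carrying the configurationItem."""
    invoking = json.loads(event["invokingEvent"])
    return [evaluate(invoking["configurationItem"])]


def _item(rtype, rid, configuration):
    return {"resourceType": rtype, "resourceId": rid,
            "configurationItemCaptureTime": "2024-12-04T00:00:00.000Z", "configuration": configuration}


SAMPLE_ITEMS = [  # constructed sample data
    _item("AWS::EC2::Instance", "i-0aaa000000000001", {"instanceType": "m5.24xlarge"}),
    _item("AWS::EC2::Instance", "i-0aaa000000000002", {"instanceType": "t3.small"}),
    _item("AWS::EC2::SecurityGroup", "sg-0aaa000000000001", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]}]}),
    _item("AWS::EC2::SecurityGroup", "sg-0aaa000000000002", {"ipPermissions": [
        {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}]},
        {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "10.0.0.0/8"}]}]}),
    _item("AWS::EC2::SecurityGroup", "sg-0aaa000000000003", {"ipPermissions": [
        {"ipProtocol": "-1", "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}),
    _item("AWS::S3::Bucket", "example-bucket", {}),
]
SAMPLE_EVENT = {"invokingEvent": json.dumps({"configurationItem": SAMPLE_ITEMS[2]}),
                "resultToken": "constructed-token"}

if __name__ == "__main__":
    for it in SAMPLE_ITEMS:
        print(evaluate(it))
```

The HTTPS rule open to the world on the second security group is deliberately accepted: the rule only flags management ports, which keeps the noise low enough that the NON_COMPLIANT results are worth an alert.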


X. Amazon Cognito identity pool

A company is hosting a web application from an Amazon S3 bucket. The application uses Amazon Cognito as an identity provider to authenticate users and return a JSON Web Token (JWT) that provides access to protected resources that are stored in another S3 bucket.
Upon deployment of the application, users report errors and are unable to access the protected content. A solutions architect must resolve this issue by providing proper permissions so that users can access the protected content.
Which solution meets these requirements?

  1. ✅ Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.
  2. Update the S3 ACL to allow the application to access the protected content.
  3. Redeploy the application to Amazon S3 to prevent eventually consistent reads in the S3 bucket from affecting the ability of users to access the protected content.
  4. ❌ Update the Amazon Cognito pool to use custom attribute mappings within the identity pool and grant users the proper permissions to access the protected content.

✨ Keywords:

4️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: The application uses Amazon Cognito as its identity provider and issues JWTs for users to access data in an S3 bucket. After deployment, users report that they cannot access the protected files.
1️⃣ updates the Amazon Cognito identity pool so that it assumes a suitable IAM role that can access the protected files in S3.
4️⃣ updates custom attribute mappings to grant users the appropriate permissions on the protected files.

Identity pool console overview

Amazon Cognito identity pools provide temporary AWS credentials for guest (unauthenticated) users and for authenticated users who have received a token. An identity pool is a store of user identifiers associated with your external identity providers.

A more specific description of the IAM role mentioned in 1️⃣: IAM roles

When you create an identity pool, you are prompted to update the IAM roles that your users assume. IAM roles work as follows: when a user signs in to your application, Amazon Cognito generates temporary AWS credentials for that user. These temporary credentials are associated with a specific IAM role. With that IAM role, you define a set of permissions for accessing AWS resources.

You can specify default IAM roles for authenticated and unauthenticated users.

Now let’s see what the attributes described in 4️⃣ are: Using attributes for access control

Attributes for access control is the Amazon Cognito identity pools implementation of attribute-based access control (ABAC). You can use IAM policies to control access to AWS resources through Amazon Cognito identity pools based on user attributes. These attributes can come from social and enterprise identity providers. You can map attributes from your provider’s access and ID tokens, or from SAML assertions, to tags that can be referenced in IAM permissions policies.

For example, suppose you have a media streaming service with free and paid memberships. You store the media files in Amazon S3 and tag them as free or premium. You can use attributes for access control to allow access to free and paid content based on the user’s membership level, which is part of the user profile. You map the membership attribute to a tag key so that the principal passes it to the IAM permissions policy. This way you can create a single permissions policy and conditionally allow access to premium content based on the membership level value and the tag on the content file.

It looks like these attributes are just identity tags used to tell apart the permission groups of different users.

👨‍👨‍👦‍👦 Community discussion: To resolve the issue and provide proper permissions for users to access the protected content, the recommended solution is:
A. Update the Amazon Cognito identity pool to assume the proper IAM role for access to the protected content.

Explanation: Amazon Cognito provides authentication and user management services for web and mobile applications.
In this scenario, the application is using Amazon Cognito as an identity provider to authenticate users and obtain JSON Web Tokens (JWTs).
The JWTs are used to access protected resources stored in another S3 bucket.
To grant users access to the protected content, the proper IAM role needs to be assumed by the identity pool in Amazon Cognito.
By updating the Amazon Cognito identity pool with the appropriate IAM role, users will be authorized to access the protected content in the S3 bucket.

Option D is incorrect because updating custom attribute mappings in Amazon Cognito will not directly grant users the proper permissions to access the protected content.
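To make option 1️⃣ and the ABAC text above concrete, here is an added CloudFormation fragment (not this page’s or AWS’s own template) that defines the IAM role the identity pool’s authenticated users assume, attaches it to the pool, and maps a membership claim onto a principal tag so that one S3 policy can gate premium content by object tag. The identity pool id, bucket name, user-pool provider name, the object tag key `tier` and the claim `custom:membership` are placeholders and assumptions; the trust policy is what keeps the role usable only by authenticated identities of this one pool.

```yaml
# Added example (not the page's or AWS's own template): IAM role for the authenticated
# identities of a Cognito identity pool, with the tag-based condition the explanation describes.
# Placeholders: the identity pool id, the bucket, the provider name, tag key "tier", claim "custom:membership".
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  IdentityPoolId:
    Type: String   # e.g. us-east-1:00000000-0000-0000-0000-000000000000 (placeholder)
  ProtectedBucket:
    Type: String   # bucket holding the protected content
  UserPoolProviderName:
    Type: String   # cognito-idp.<region>.amazonaws.com/<user pool id> (placeholder)

Resources:
  AuthenticatedRole:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: only identities issued by THIS pool, and only authenticated ones, may assume the role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: cognito-identity.amazonaws.com
            Action:
              - sts:AssumeRoleWithWebIdentity
              - sts:TagSession   # needed so mapped attributes become principal tags
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPoolId
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: protected-content-read
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: FreeTierForEveryAuthenticatedUser
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${ProtectedBucket}/*"
                Condition:
                  StringEquals:
                    "s3:ExistingObjectTag/tier": free
              - Sid: TierMustMatchMembershipTag
                # A user whose session tag membership=premium may read objects tagged tier=premium
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${ProtectedBucket}/*"
                Condition:
                  StringEquals:
                    "s3:ExistingObjectTag/tier": "${aws:PrincipalTag/membership}"

  MembershipPrincipalTag:
    # Maps the provider's "custom:membership" claim onto the session tag "membership"
    Type: AWS::Cognito::IdentityPoolPrincipalTag
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      IdentityProviderName: !Ref UserPoolProviderName
      UseDefaults: false
      PrincipalTags:
        membership: custom:membership

  RoleAttachment:
    # Option 1: point the identity pool's authenticated identities at the role above
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPoolId
      Roles:
        authenticated: !GetAtt AuthenticatedRole.Arn
```

Note that the second statement alone would already serve free users (membership=free matches tier=free); the first statement exists so that premium members keep access to the free tier as well. No unauthenticated role is attached, so guest identities receive no S3 permissions at all.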


XI. ASG restore

A company is experiencing sudden increases in demand. The company needs to provision large Amazon EC2 instances from an Amazon Machine Image (AMI). The instances will run in an Auto Scaling group. The company needs a solution that provides minimum initialization latency to meet the demand.
Which solution meets these requirements?

  1. ❌ Use the aws ec2 register-image command to create an AMI from a snapshot. Use AWS Step Functions to replace the AMI in the Auto Scaling group.
  2. ✅ Enable Amazon Elastic Block Store (Amazon EBS) fast snapshot restore on a snapshot. Provision an AMI by using the snapshot. Replace the AMI in the Auto Scaling group with the new AMI.
  3. Enable AMI creation and define lifecycle rules in Amazon Data Lifecycle Manager (Amazon DLM). Create an AWS Lambda function that modifies the AMI in the Auto Scaling group.
  4. Use Amazon EventBridge to invoke AWS Backup lifecycle policies that provision AMIs. Configure Auto Scaling group capacity limits as an event source in EventBridge.

✨ Keywords:

1️⃣ ❌ -> 2️⃣ ✅

💡 Analysis: An AMI must be prepared for the ASG, with the lowest possible launch latency.
I did not really understand the question.
But to be clear, an AMI can be created from a snapshot of an EC2 instance’s root volume (and then used for an ASG, etc.): Create an Amazon EBS-backed AMI

You can create your own Amazon EBS-backed AMI from an Amazon EC2 instance or from a snapshot of an Amazon EC2 instance’s root device.

To create an Amazon EBS-backed AMI from an instance, first launch an instance from an existing Amazon EBS-backed AMI. This AMI can be one obtained from AWS Marketplace, one created with VM Import/Export, or any other AMI you can access. After you customize the instance to meet your specific requirements, create a new AMI and register it. You can then launch new instances with your customizations from the new AMI.

The following procedure applies to Amazon EC2 instances backed by encrypted Amazon Elastic Block Store (Amazon EBS) volumes (including the root volume), and also to unencrypted volumes.

👨‍👨‍👦‍👦 Community discussion: read the question 5 times, didn’t understand a thing :(

Enabling Amazon Elastic Block Store (Amazon EBS) fast snapshot restore on a snapshot allows you to quickly create a new Amazon Machine Image (AMI) from a snapshot, which can help reduce the initialization latency when provisioning new instances. Once the AMI is provisioned, you can replace the AMI in the Auto Scaling group with the new AMI. This will ensure that new instances are launched from the updated AMI and are able to meet the increased demand quickly.

The question wording is pretty weird but the only thing of value is latency during initialisation which makes B the correct option.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-fast-snapshot-restore.html

A only helps with creating the AMI
C and D will probably work (ambiguous language) but won’t handle initialising latency issues.

