Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
Of the 100 questions (No.801 to No.900), only the 18 that were new to me, that I got wrong, or that I had doubts about are recorded here, for my own review.
A 65-question practice set, the same size as the real exam, took 93 of the allotted 130+30 minutes, with 52/65 correct.
If this infringes any rights, please contact me for removal.
1. MPP ML
A company has an Amazon S3 data lake. The company needs a solution that transforms the data from the data lake and loads the data into a data warehouse every day. The data warehouse must have massively parallel processing (MPP) capabilities.
Data analysts then need to create and train machine learning (ML) models by using SQL commands on the data. The solution must use serverless AWS services wherever possible.
Which solution will meet these requirements?
- ❌ Run a daily Amazon EMR job to transform the data and load the data into Amazon Redshift. Use Amazon Redshift ML to create and train the ML models.
- Run a daily Amazon EMR job to transform the data and load the data into Amazon Aurora Serverless. Use Amazon Aurora ML to create and train the ML models.
- ✅ Run a daily AWS Glue job to transform the data and load the data into Amazon Redshift Serverless. Use Amazon Redshift ML to create and train the ML models.
- Run a daily AWS Glue job to transform the data and load the data into Amazon Athena tables. Use Amazon Athena ML to create and train the ML models.
✨ Keywords:
1️⃣ ❌ -> 3️⃣ ✅
💡 Analysis:
Redshift has MPP: Amazon Redshift performance relies on massively parallel processing.
Massively parallel processing (MPP) lets the most complex queries run quickly over large volumes of data. Several compute nodes share all of the query processing and the results are aggregated at the end; every core of every node runs the same compiled query against its own segment of the data. So 1️⃣ and 3️⃣ both satisfy the data warehouse requirement, and both pair it with Redshift ML, which trains models from SQL (CREATE MODEL).
Now the EMR side: when a job run is submitted to an Amazon EMR Serverless job queue it enters the SUBMITTED state, moves to RUNNING, and ends in FAILED, SUCCESS or CANCELLING. Note, though, that option 1️⃣ says "Amazon EMR job", not EMR Serverless, so it implies a managed cluster.
Glue: an AWS Glue job is the business logic needed to do the ETL work. It consists of a transformation script, data sources and data targets, and a job run is started by a trigger that can be scheduled or event-driven. Glue jobs are serverless. Both 1️⃣ and 3️⃣ still transform and load the data, so the deciding factor is whether a serverless Redshift exists:
Amazon Redshift Serverless lets you run and scale analytics without provisioning and managing a data warehouse. With Redshift Serverless, data analysts, developers and data scientists load data into a cloud data warehouse and query it to get insights within seconds. Redshift automatically provisions and scales data warehouse capacity to deliver fast performance for demanding and unpredictable workloads, and you pay only for the capacity you use, without changing existing analytics or BI applications.
3️⃣ therefore matches the requirements best: Glue and Redshift Serverless are both serverless, and Redshift ML covers the SQL-based model training.
👨👨👦👦 Community discussion: Data Warehouse => Redshift
Use AWS Services wherever possible => Redshift Serverless
2. Batch job success call
A company uses an AWS Batch job to run its end-of-day sales process. The company needs a serverless solution that will invoke a third-party reporting application when the AWS Batch job is successful. The reporting application has an HTTP API interface that uses username and password authentication.
Which solution will meet these requirements?
- ✅ Configure an Amazon EventBridge rule to match incoming AWS Batch job SUCCEEDED events. Configure the third-party API as an EventBridge API destination with a username and password. Set the API destination as the EventBridge rule target.
- Configure Amazon EventBridge Scheduler to match incoming AWS Batch job SUCCEEDED events. Configure an AWS Lambda function to invoke the third-party API by using a username and password. Set the Lambda function as the EventBridge rule target.
- ❌ Configure an AWS Batch job to publish job SUCCEEDED events to an Amazon API Gateway REST API. Configure an HTTP proxy integration on the API Gateway REST API to invoke the third-party API by using a username and password.
- Configure an AWS Batch job to publish job SUCCEEDED events to an Amazon API Gateway REST API. Configure a proxy integration on the API Gateway REST API to an AWS Lambda function. Configure the Lambda function to invoke the third-party API by using a username and password.
✨ Keywords:
3️⃣ ❌ -> 1️⃣ ✅
💡 Analysis:
That EventBridge supports HTTP endpoints as targets is not in doubt. API destinations as targets in Amazon EventBridge: an EventBridge API destination is an HTTP endpoint that you can invoke as the target of an event bus rule or a pipe, in the same way you invoke an AWS service or resource as a target. With API destinations you can route events between AWS services, integrated software-as-a-service (SaaS) applications and external applications using API calls.
At the time these notes were written, API destinations did not support private destinations such as interface VPC endpoints, including private HTTPS APIs in a virtual private cloud (VPC) that use private networking, Application Load Balancers and interface endpoints.
Authentication is supported too: the connection attached to an API destination holds Basic, OAuth client credentials or API key credentials, which is what lets the rule pass a username and password to the third-party API.
What I wanted to know was whether an AWS Batch job has a success hook of its own. Searching suggests the only way job status is emitted is through EventBridge. AWS Batch events: AWS Batch sends job state change events to EventBridge. AWS Batch tracks the state of each job, and when the state of a previously submitted job changes an event is invoked, for example when a job in the RUNNING state moves to FAILED. These are classified as job state change events.
So in this situation 1️⃣ is the best choice. 2️⃣ is wrong because EventBridge Scheduler fires on a schedule and cannot match events, and 3️⃣ and 4️⃣ are wrong because AWS Batch cannot publish directly to an API Gateway REST API.
👨👨👦👦 Community discussion: https://aws.amazon.com/blogs/compute/using-api-destinations-with-amazon-eventbridge/
Amazon EventBridge enables developers to route events between AWS services, integrated software as a service (SaaS) applications, and your own applications. It can help decouple applications and produce more extensible, maintainable architectures. With the new API destinations feature, EventBridge can now integrate with services outside of AWS using REST API calls.
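As an added example (not part of the original notes), here are the EventBridge pieces for option 1️⃣ in Python. Nothing here calls AWS: the functions return the parameter dictionaries you would pass to boto3's `events` client (`create_connection`, `create_api_destination`, `put_rule`, `put_targets`), and a small matcher applies the rule's event pattern to constructed sample events in the shape AWS Batch publishes, so the pattern can be checked offline. The job queue ARN, endpoint URL, role ARN and credentials are placeholders.

```python
"""Added example: EventBridge rule for AWS Batch SUCCEEDED events -> API destination.

Nothing here calls AWS; the *_params functions only build the boto3 parameter
dicts, and matches() checks the event pattern against constructed sample events.
"""
import json

JOB_QUEUE_ARN = "arn:aws:batch:us-east-1:123456789012:job-queue/eod-sales"  # placeholder

# Rule event pattern: only Batch job state changes whose status is SUCCEEDED.
# A list of values is an OR; restricting to a job queue is optional.
BATCH_SUCCEEDED_PATTERN = {
    "source": ["aws.batch"],
    "detail-type": ["Batch Job State Change"],
    "detail": {"status": ["SUCCEEDED"], "jobQueue": [JOB_QUEUE_ARN]},
}


def matches(pattern, event):
    """True if `event` satisfies `pattern` under EventBridge's basic rules:
    every key in the pattern must exist in the event, nested objects recurse,
    and a leaf list matches when the event value equals any element of it."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def connection_params(name, username, password):
    """events.create_connection: EventBridge stores the basic-auth secret and
    adds the Authorization header on every invocation."""
    return {
        "Name": name,
        "AuthorizationType": "BASIC",
        "AuthParameters": {"BasicAuthParameters": {"Username": username, "Password": password}},
    }


def api_destination_params(name, connection_arn, url):
    """events.create_api_destination: the HTTP endpoint plus the connection to use."""
    return {
        "Name": name,
        "ConnectionArn": connection_arn,
        "InvocationEndpoint": url,
        "HttpMethod": "POST",
        "InvocationRateLimitPerSecond": 10,
    }


def rule_params(name, pattern=BATCH_SUCCEEDED_PATTERN):
    """events.put_rule on the default event bus (Batch publishes there)."""
    return {"Name": name, "EventPattern": json.dumps(pattern), "State": "ENABLED"}


def target_params(rule_name, api_destination_arn, role_arn):
    """events.put_targets; the role must allow events:InvokeApiDestination."""
    return {
        "Rule": rule_name,
        "Targets": [{"Id": "reporting-api", "Arn": api_destination_arn, "RoleArn": role_arn}],
    }


# Constructed sample events in the shape AWS Batch publishes (trimmed to the
# fields the pattern inspects plus the job name).
SUCCEEDED_EVENT = {
    "source": "aws.batch",
    "detail-type": "Batch Job State Change",
    "detail": {"jobName": "eod-sales", "jobQueue": JOB_QUEUE_ARN, "status": "SUCCEEDED"},
}
FAILED_EVENT = {**SUCCEEDED_EVENT, "detail": {**SUCCEEDED_EVENT["detail"], "status": "FAILED"}}
OTHER_QUEUE_EVENT = {**SUCCEEDED_EVENT, "detail": {**SUCCEEDED_EVENT["detail"],
                     "jobQueue": "arn:aws:batch:us-east-1:123456789012:job-queue/other"}}

if __name__ == "__main__":
    for event in (SUCCEEDED_EVENT, FAILED_EVENT, OTHER_QUEUE_EVENT):
        print(event["detail"]["status"], event["detail"]["jobQueue"].rsplit("/", 1)[-1],
              "->", matches(BATCH_SUCCEEDED_PATTERN, event))
```

The matcher implements only exact-value matching, which is all this rule needs; EventBridge also supports prefix, numeric and exists matchers that are not modelled here. The credentials never appear in the rule or target: they live in the connection, which EventBridge keeps in Secrets Manager on your behalf.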
3. AWS Glue Studio visual canvas
A company hosts a data lake on Amazon S3. The data lake ingests data in Apache Parquet format from various data sources. The company uses multiple transformation steps to prepare the ingested data. The steps include filtering of anomalies, normalizing of data to standard date and time values, and generation of aggregates for analyses.
The company must store the transformed data in S3 buckets that data analysts access. The company needs a prebuilt solution for data transformation that does not require code. The solution must provide data lineage and data profiling. The company needs to share the data transformation steps with employees throughout the company.
Which solution will meet these requirements?
- ❌ Configure an AWS Glue Studio visual canvas to transform the data. Share the transformation steps with employees by using AWS Glue jobs.
- Configure Amazon EMR Serverless to transform the data. Share the transformation steps with employees by using EMR Serverless jobs.
- ✅ Configure AWS Glue DataBrew to transform the data. Share the transformation steps with employees by using DataBrew recipes.
- Create Amazon Athena tables for the data. Write Athena SQL queries to transform the data. Share the Athena SQL queries with employees.
✨ Keywords:
1️⃣ ❌ -> 3️⃣ ✅
💡 Analysis: AWS Glue visual job API
AWS Glue provides an API that lets customers create data integration jobs from a JSON object representing a visual step workflow. Customers can then work on those jobs in the visual editor in AWS Glue Studio. Glue Studio is a visual ETL authoring tool, but the question also asks for data profiling and data lineage and for transformation steps that can be shared as such, which is what DataBrew recipes provide.
AWS Glue DataBrew is a visual data preparation tool that lets users clean and normalize data without writing any code. Compared with custom-built data preparation, DataBrew can cut the time needed to prepare data for analytics and machine learning (ML) by up to 80%. You can choose from more than 250 ready-made transformations to automate data preparation tasks such as filtering anomalies, converting data to standard formats and correcting invalid values.
Creating and using AWS Glue DataBrew recipes
As you develop a recipe you can save your work by publishing it. DataBrew keeps a list of published versions of your recipe. You can use any published version in a recipe job to transform your dataset. You can also download a copy of the recipe steps so that the recipe can be reused in other projects or other dataset transformations.
This means that AWS Glue DataBrew is an exact fit for the no-code, visual data preparation steps and for sharing those transformation steps across the company.
👨👨👦👦 Community discussion: AWS Glue DataBrew: This is a visual data preparation tool that allows you to clean and normalize data without writing code. It has built-in transformations for common tasks like filtering anomalies, normalizing dates, and generating aggregates. It also provides data lineage and profiling capabilities, which are required by the company. DataBrew Recipes: These are reusable workflows that define the data transformation steps. They can be easily shared with other employees, making it simple to collaborate on data preparation tasks.
4. S3 encryption with automatic rotation
A company is planning to migrate data to an Amazon S3 bucket. The data must be encrypted at rest within the S3 bucket. The encryption key must be rotated automatically every year.
Which solution will meet these requirements with the LEAST operational overhead?
- ❌ Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
- ✅ Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
- Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket. Manually rotate the KMS key every year.
- Use customer key material to encrypt the data. Migrate the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
✨ Keywords:
1️⃣ ❌ -> 2️⃣ ✅
💡 Analysis: SSE-S3 gives you no control over rotation:
With SSE-S3 the keys are created, managed and rotated entirely by Amazon S3; you cannot set or demonstrate a yearly rotation schedule, so 1️⃣ does not meet the stated requirement. A KMS customer managed key with automatic rotation enabled receives new key material on a schedule (one year by default) with no manual work, and setting it as the bucket's default encryption covers every object written afterwards, which makes 2️⃣ the answer with the least operational overhead. 3️⃣ rotates the key by hand, which contradicts "rotated automatically" and adds a recurring task; 4️⃣ fails because KMS does not support automatic rotation for keys with imported key material.
Also note that objects already in the bucket are not re-encrypted when default encryption is turned on afterwards, so set the default encryption before migrating the data.
👨👨👦👦 Community discussion: The answer can’t be A. In addition to other justifications written here in the comments, if the data is copied before enabling encryption, this data will not be encrypted.
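As an added example (not part of the original notes), the check below evaluates whether a bucket's default encryption and the KMS key behind it actually satisfy "encrypted at rest with a key rotated automatically every year". The dictionaries are constructed to mirror the shapes boto3 returns from `s3.get_bucket_encryption`, `kms.describe_key` and `kms.get_key_rotation_status`; in real use you would pass those responses in instead. The key ARN is a placeholder.

```python
"""Added example: offline compliance check for S3 default encryption + KMS rotation.

Inputs mirror boto3 response shapes (constructed here, no AWS calls are made).
"""

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"  # placeholder

# Constructed responses ---------------------------------------------------------
BUCKET_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN},
    "BucketKeyEnabled": True,   # cuts KMS request cost; no effect on rotation
}]}}
BUCKET_SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"},
}]}}
KEY_CUSTOMER = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER",
                                "Origin": "AWS_KMS", "KeyState": "Enabled"}}
KEY_IMPORTED = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER",
                                "Origin": "EXTERNAL", "KeyState": "Enabled"}}
ROTATION_ON = {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}
ROTATION_OFF = {"KeyRotationEnabled": False}


def check_bucket_encryption(bucket_encryption, describe_key, rotation_status,
                            max_period_days=365):
    """Return a list of findings; an empty list means the configuration meets
    the requirement. Each finding names the condition that failed."""
    findings = []
    rules = bucket_encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    sse = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algorithm = sse.get("SSEAlgorithm")
    if algorithm != "aws:kms":
        # SSE-S3 (AES256) keys are rotated by S3 on its own schedule, which you
        # can neither set nor attest.
        return [f"default encryption is {algorithm}, not aws:kms; rotation is not controllable"]
    meta = describe_key["KeyMetadata"]
    key_id = meta["Arn"].rsplit("/", 1)[-1]
    if sse.get("KMSMasterKeyID") not in (meta["Arn"], key_id):
        findings.append("bucket default key does not match the key being checked")
    if meta["KeyManager"] != "CUSTOMER":
        findings.append("key is AWS managed; its rotation period cannot be set")
    if meta["Origin"] == "EXTERNAL":
        findings.append("imported key material: automatic rotation is not supported")
    if meta["KeyState"] != "Enabled":
        findings.append(f"key state is {meta['KeyState']}")
    if not rotation_status.get("KeyRotationEnabled"):
        findings.append("automatic rotation is disabled")
    elif rotation_status.get("RotationPeriodInDays", 365) > max_period_days:
        findings.append(f"rotation period {rotation_status['RotationPeriodInDays']} days "
                        f"exceeds {max_period_days}")
    return findings


if __name__ == "__main__":
    print("compliant:", check_bucket_encryption(BUCKET_KMS, KEY_CUSTOMER, ROTATION_ON))
    print("imported key:", check_bucket_encryption(BUCKET_KMS, KEY_IMPORTED, ROTATION_OFF))
```

Default encryption only governs objects written without an explicit encryption header; to make the requirement hold for every client, pair it with a bucket policy that denies `s3:PutObject` unless the request carries `s3:x-amz-server-side-encryption` = `aws:kms` (and, if one key is mandated, the matching `s3:x-amz-server-side-encryption-aws-kms-key-id`).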
5. Aurora storage configuration
A company is planning to deploy its application on an Amazon Aurora PostgreSQL Serverless v2 cluster. The application will receive large amounts of traffic. The company wants to optimize the storage performance of the cluster as the load on the application increases.
Which solution will meet these requirements MOST cost-effectively?
- Configure the cluster to use the Aurora Standard storage configuration.
- ❌ Configure the cluster storage type as Provisioned IOPS.
- Configure the cluster storage type as General Purpose.
- ✅ Configure the cluster to use the Aurora I/O-Optimized storage configuration.
✨ Keywords:
2️⃣ ❌ -> 4️⃣ ✅
💡 Analysis: Amazon Aurora has two DB cluster storage configurations:
- Aurora I/O-Optimized – improved price-performance and predictability for I/O-intensive applications. You pay only for DB cluster usage and storage, with no extra charge for read and write I/O operations. Aurora I/O-Optimized is the best choice when your I/O spend is 25% or more of your total Aurora database spend. You can choose it when you create or modify a DB cluster with a DB engine version that supports it, and you can switch from Aurora I/O-Optimized to Aurora Standard at any time.
- Aurora Standard – cost-effective pricing for the many applications with moderate I/O usage. In addition to DB cluster usage and storage, you pay a standard rate per 1 million I/O operation requests. Aurora Standard is the best choice when your I/O spend is under 25% of your total Aurora database spend. You can switch from Aurora Standard to Aurora I/O-Optimized once every 30 days. Switching in either direction involves no downtime.
"Provisioned IOPS" and "General Purpose" (2️⃣ and 3️⃣) are EBS-backed storage types of non-Aurora Amazon RDS; Aurora does not expose a storage type, which is why those options are wrong.
👨👨👦👦 Community discussion: Aurora only has:
-> Standard
-> I/O-Optimized (need optimised storage, that's why I chose this)
6. AWS Security Hub
A financial services company that runs on AWS has designed its security controls to meet industry standards. The industry standards include the National Institute of Standards and Technology (NIST) and the Payment Card Industry Data Security Standard (PCI DSS).
The company’s third-party auditors need proof that the designed controls have been implemented and are functioning correctly. The company has hundreds of AWS accounts in a single organization in AWS Organizations. The company needs to monitor the current state of the controls across accounts.
Which solution will meet these requirements?
- Designate one account as the Amazon Inspector delegated administrator account from the Organizations management account. Integrate Inspector with Organizations to discover and scan resources across all AWS accounts. Enable Inspector industry standards for NIST and PCI DSS.
- ❌ Designate one account as the Amazon GuardDuty delegated administrator account from the Organizations management account. In the designated GuardDuty administrator account, enable GuardDuty to protect all member accounts. Enable GuardDuty industry standards for NIST and PCI DSS.
- Configure an AWS CloudTrail organization trail in the Organizations management account. Designate one account as the compliance account. Enable CloudTrail security standards for NIST and PCI DSS in the compliance account.
- ✅ Designate one account as the AWS Security Hub delegated administrator account from the Organizations management account. In the designated Security Hub administrator account, enable Security Hub for all member accounts. Enable Security Hub standards for NIST and PCI DSS.
✨ Keywords:
2️⃣ ❌ -> 4️⃣ ✅
💡 Analysis: AWS Security Hub gives you a comprehensive view of your security state in AWS and helps you assess your AWS environment against security industry standards and best practices.
Security Hub collects security data across AWS accounts, AWS services and supported third-party products, and helps you analyze security trends and identify the highest-priority security issues.
To help you manage your organization's security posture, Security Hub supports several security standards. These include the AWS Foundational Security Best Practices (FSBP) standard developed by AWS and external compliance frameworks such as the Center for Internet Security (CIS) benchmarks, the Payment Card Industry Data Security Standard (PCI DSS) and the National Institute of Standards and Technology (NIST). Each standard consists of several security controls, each representing a security best practice. Security Hub runs checks against the controls and generates control findings to help you assess whether you comply with the best practices. With a delegated administrator account it does this across every member account of the organization, which is the multi-account coverage the auditors need.
Assessment against industry standards is therefore done with AWS Security Hub.
Other security services that appear in the options:
- Amazon Inspector is an automated vulnerability management service that continuously scans Amazon Elastic Compute Cloud (EC2) instances, AWS Lambda functions and container images in Amazon ECR and in continuous integration and continuous delivery (CI/CD) tools for software vulnerabilities and unintended network exposure, in near real time. It has no NIST or PCI DSS standards to enable.
- Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. GuardDuty detects signs of account compromise, such as AWS resources being accessed from an unusual geographic location at an atypical time of day. For programmatic AWS accounts, GuardDuty checks for unusual API calls, such as attempts to hide account activity by disabling CloudTrail logging or creating database snapshots from a malicious IP address. Again, it has no industry standards to enable.
- AWS CloudTrail helps you with operational and risk auditing, governance and compliance of your AWS account. Actions taken by a user, role or AWS service are recorded as events in CloudTrail. Events include actions taken in the AWS Management Console, AWS Command Line Interface and AWS SDKs and APIs. It records activity; it does not evaluate controls against a standard.
👨👨👦👦 Community discussion: Security Hub: assess your AWS environment against security industry standards and best practices.
7. Amazon EventBridge event bus
A company is designing an event-driven order processing system. Each order requires multiple validation steps after the order is created. An idempotent AWS Lambda function performs each validation step. Each validation step is independent from the other validation steps. Individual validation steps need only a subset of the order event information.
The company wants to ensure that each validation step Lambda function has access to only the information from the order event that the function requires. The components of the order processing system should be loosely coupled to accommodate future business changes.
Which solution will meet these requirements?
- ❌ Create an Amazon Simple Queue Service (Amazon SQS) queue for each validation step. Create a new Lambda function to transform the order data to the format that each validation step requires and to publish the messages to the appropriate SQS queues. Subscribe each validation step Lambda function to its corresponding SQS queue.
- Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the validation step Lambda functions to the SNS topic. Use message body filtering to send only the required data to each subscribed Lambda function.
- ✅ Create an Amazon EventBridge event bus. Create an event rule for each validation step. Configure the input transformer to send only the required data to each target validation step Lambda function.
- Create an Amazon Simple Queue Service (Amazon SQS) queue. Create a new Lambda function to subscribe to the SQS queue and to transform the order data to the format that each validation step requires. Use the new Lambda function to perform synchronous invocations of the validation step Lambda functions in parallel on separate threads
✨ Keywords:
1️⃣ ❌ -> 3️⃣ ✅
💡 Analysis: Event buses in Amazon EventBridge
An event bus is a router that receives events and delivers them to zero or more destinations, or targets. Event buses are well suited to routing events from many sources to many targets, with the option of transforming events before they are delivered to a target.
How event buses work in EventBridge
In outline:
- An event source sends an event to the event bus.
- EventBridge then evaluates the event against each rule defined for that event bus.
- For every event that matches a rule, EventBridge sends the event to the targets specified for that rule. Optionally, as part of the rule, you can also specify how EventBridge should transform the event before sending it to the target (the input transformer).
So an event bus can break one event into smaller, per-target events: each rule's input transformer can cut the message down to just the fields its target needs.
SNS cannot do that. Amazon SNS message filtering: if a subscription has no filter policy, the subscriber receives every message published to the topic. When you publish a message to a topic with a filter policy set, Amazon SNS compares the message attributes or message body against the attributes in each subscription's filter policy. If all message attributes or message body attributes satisfy the conditions in the filter policy, Amazon SNS delivers the message to the subscriber; otherwise it does not. In other words, filtering decides whether the whole message is delivered; it never strips fields out of it.
👨👨👦👦 Community discussion: not B because SNS cannot do message manipulation, the option “message body filtering” will discard or forward the FULL message if there is a matching field:
https://docs.aws.amazon.com/sns/latest/dg/sns-message-filtering.html
C - eventbus instead can manipulate event:
https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-bus.html
D - Works, but too much operation IMO
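As an added example (not part of the original notes), the code below shows what the input transformer in option 3️⃣ does to an order event. An input transformer has two parts: `InputPathsMap` (placeholder name to JSON path into the event) and `InputTemplate` (text in which `<name>` placeholders are replaced by the resolved values). The functions re-implement that substitution locally over a constructed order event so each target's payload can be inspected without deploying anything. Only the dotted `$.a.b` paths used here are supported, not the full JSONPath grammar EventBridge accepts, and string placeholders are quoted in the template as the EventBridge docs require. The source name, field names and rule layout are assumptions.

```python
"""Added example: EventBridge input transformer semantics, re-implemented locally.

Shows that a per-rule transformer lets each validation Lambda see only its slice
of the order event (least privilege on the data, not just on IAM).
"""
import json
import re

# Constructed order event, as a producer might put_events() it onto a custom bus.
ORDER_EVENT = {
    "source": "com.example.orders",        # assumed custom source name
    "detail-type": "OrderCreated",
    "detail": {
        "orderId": "ord-1001",
        "customer": {"id": "cust-42", "email": "alice@example.com",
                     "card": {"last4": "4242", "token": "tok_abc"}},
        "shipping": {"country": "DE", "postalCode": "10115"},
        "items": [{"sku": "A1", "qty": 2}, {"sku": "B7", "qty": 1}],
        "total": {"amount": 129.90, "currency": "EUR"},
    },
}

# One rule per validation step; each rule's transformer exposes only its slice.
FRAUD_CHECK_TRANSFORMER = {
    "InputPathsMap": {
        "id": "$.detail.orderId",
        "amount": "$.detail.total.amount",
        "currency": "$.detail.total.currency",
        "country": "$.detail.shipping.country",
    },
    "InputTemplate": '{"orderId": "<id>", "amount": <amount>, "currency": "<currency>", "country": "<country>"}',
}
ADDRESS_CHECK_TRANSFORMER = {
    "InputPathsMap": {
        "id": "$.detail.orderId",
        "country": "$.detail.shipping.country",
        "postal": "$.detail.shipping.postalCode",
    },
    "InputTemplate": '{"orderId": "<id>", "country": "<country>", "postalCode": "<postal>"}',
}


def json_path(event, path):
    """Resolve a `$.a.b.c` path against the event; a missing key yields None."""
    if not path.startswith("$."):
        raise ValueError(f"unsupported path syntax: {path}")
    node = event
    for part in path[2:].split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def transform(event, transformer):
    """Render InputTemplate with values from InputPathsMap and parse the result.
    Strings are inserted verbatim (the template supplies their quotes); numbers,
    booleans, null and nested objects are inserted as JSON text."""
    values = {name: json_path(event, path)
              for name, path in transformer["InputPathsMap"].items()}

    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"placeholder <{name}> is not defined in InputPathsMap")
        value = values[name]
        return value if isinstance(value, str) else json.dumps(value)

    rendered = re.sub(r"<([A-Za-z0-9_-]+)>", substitute, transformer["InputTemplate"])
    return json.loads(rendered)


def paths_outside(transformer, allowed_prefixes):
    """Least-privilege review: list the event paths a transformer reads that are
    not under one of the allowed prefixes (usable as a CI check on rule definitions)."""
    def allowed(path):
        return any(path == p or path.startswith(p + ".") for p in allowed_prefixes)
    return [p for p in transformer["InputPathsMap"].values() if not allowed(p)]


if __name__ == "__main__":
    print("fraud check sees:  ", transform(ORDER_EVENT, FRAUD_CHECK_TRANSFORMER))
    print("address check sees:", transform(ORDER_EVENT, ADDRESS_CHECK_TRANSFORMER))
```

Neither target ever receives the customer's e-mail address or card token, and adding a new validation step means adding a rule and a transformer, not touching the producer or the other targets, which is the loose coupling the question asks for.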
8. Encrypt at rest
A company is running a highly sensitive application on Amazon EC2 backed by an Amazon RDS database. Compliance regulations mandate that all personally identifiable information (PII) be encrypted at rest.
Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?
- Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
- ❌ Deploy AWS CloudHSM, generate encryption keys, and use the keys to encrypt database volumes.
- Configure SSL encryption using AWS Key Management Service (AWS KMS) keys to encrypt database volumes.
- ✅ Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
✨ Keywords:
2️⃣ ❌ -> 4️⃣ ✅
💡 Analysis: What is AWS CloudHSM?
AWS CloudHSM combines the benefits of the AWS Cloud with the security of hardware security modules (HSMs). An HSM is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. With AWS CloudHSM you get full control over highly available HSMs in the AWS Cloud, low-latency access, and a secure root of trust that automates HSM management (including backups, provisioning, configuration and maintenance).
Can other AWS products use AWS CloudHSM to store and manage keys?
AWS services integrate with AWS Key Management Service, which in turn integrates with AWS CloudHSM through the KMS custom key store feature. If you want to use the server-side encryption offered by many AWS services (such as EBS, S3 or Amazon RDS) with keys held in CloudHSM, you do so by configuring a custom key store in AWS KMS.
So CloudHSM is for the case where the company must hold its keys in dedicated, single-tenant hardware, and even then the volumes are still encrypted through KMS. 4️⃣ already meets the requirement and is the smallest change: EBS encryption and RDS encryption with KMS keys are configuration settings, not new infrastructure. One caveat: RDS encryption can only be enabled when a DB instance is created, so an existing unencrypted instance is encrypted by restoring from an encrypted copy of its snapshot.
👨👨👦👦 Community discussion: SSL/Certificate => encrypt in transit, so A and C are wrong.
So I feel the answer is between B and D.
9. EBS snapshots
A company uses Amazon EC2 instances and Amazon Elastic Block Store (Amazon EBS) to run its self-managed database. The company has 350 TB of data spread across all EBS volumes. The company takes daily EBS snapshots and keeps the snapshots for 1 month. The daily change rate is 5% of the EBS volumes.
Because of new regulations, the company needs to keep the monthly snapshots for 7 years. The company needs to change its backup strategy to comply with the new regulations and to ensure that data is available with minimal administrative effort.
Which solution will meet these requirements MOST cost-effectively?
- Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Copy the monthly snapshot to Amazon S3 Glacier Deep Archive with a 7-year retention period.
- ✅ Continue with the current EBS snapshot policy. Add a new policy to move the monthly snapshot to Amazon EBS Snapshots Archive with a 7-year retention period.
- ❌ Keep the daily snapshot in the EBS snapshot standard tier for 1 month. Keep the monthly snapshot in the standard tier for 7 years. Use incremental snapshots.
- Keep the daily snapshot in the EBS snapshot standard tier. Use EBS direct APIs to take snapshots of all the EBS volumes every month. Store the snapshots in an Amazon S3 bucket in the Infrequent Access tier for 7 years.
✨ Keywords:
3️⃣ ❌ -> 2️⃣ ✅
💡 Analysis: Amazon EBS snapshots
You back up the data on your Amazon EBS volumes by taking point-in-time copies called Amazon EBS snapshots. Snapshots are incremental backups: only the blocks on the volume that changed since the most recent snapshot are saved. Because unchanged data is not copied, this minimizes the time needed to create a snapshot and saves on storage costs.
Two things to keep in mind. Snapshots in the AWS-managed standard tier are incremental, and that is what keeps the daily snapshots cheap. A snapshot moved to the EBS Snapshots Archive tier is stored as a full snapshot, so its size grows even though the per-GB rate is lower; and there is no native operation that copies an EBS snapshot into an S3 bucket or Glacier (1️⃣ and 4️⃣), so those options mean extra tooling and full copies, i.e. more administrative effort and more storage.
👨👨👦👦 Community discussion: Answer B
The problem is that we need to choose the best solution which is most cost-effective and has minimal administrative effort. Glacier is the best choice at first look, but there is one problem with that solution. From what I know there is no easy way to copy from EBS to Glacier and additionally the current strategy is to make incremental snapshots. To copy a file from EBS to (S3) Glacier we would need to run Linux to which we will mount EBS and we will need to copy everything to S3 and then move to Glacier Deep Archive. And what is more you will have only incremental snapshots. Hence every solution which says copy/move to S3 is not minimal administrative effort. Not mentioning that you will not have a full snapshot
https://repost.aws/questions/QUsaCoBAfbR6WMOz6BH3vqHA/move-ebs-to-glacier
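As an added example (not part of the original notes), the model below puts numbers on the trade-off behind option 2️⃣: the archive tier stores every snapshot as a full copy at a lower per-GB rate, while the standard tier keeps monthly snapshots incremental at the higher rate, so which one is cheaper depends on how much of the volume each monthly snapshot uniquely references. The prices are assumptions for illustration ($0.05 per GB-month standard, $0.0125 per GB-month archive, the us-east-1 list prices at the time of writing; check the current price list); the 350 TB volume size, 5% daily change rate and 7-year retention come from the question.

```python
"""Added example: cost model for 7 years of monthly EBS snapshots, standard tier
(incremental) versus EBS Snapshots Archive (full copies).

Prices are assumed; sizes use 1 TB = 1024 GB.
"""

VOLUME_GB = 350 * 1024          # 350 TB of volumes (from the question)
DAILY_CHANGE = 0.05             # 5 % of the volumes change per day (from the question)
STANDARD_PRICE = 0.05           # assumed $ per GB-month, standard tier
ARCHIVE_PRICE = 0.0125          # assumed $ per GB-month, archive tier
MONTHS_RETAINED = 7 * 12        # 84 monthly snapshots kept at a time


def changed_fraction(days, daily_rate=DAILY_CHANGE, hot_set=False):
    """Fraction of blocks that differ between two snapshots `days` apart.
    hot_set=True: the same 5 % of blocks churn every day, so the delta stays 5 %.
    hot_set=False: changes land on random blocks, so the untouched fraction
    decays as (1 - rate) ** days and the delta approaches the whole volume."""
    if hot_set:
        return daily_rate
    return 1 - (1 - daily_rate) ** days


def standard_tier_monthly_cost(months=MONTHS_RETAINED, days_between=30, hot_set=False):
    """Steady-state $/month for `months` monthly snapshots kept incremental in the
    standard tier: one full copy plus (months - 1) deltas of the changed fraction."""
    delta_gb = VOLUME_GB * changed_fraction(days_between, hot_set=hot_set)
    stored_gb = VOLUME_GB + (months - 1) * delta_gb
    return stored_gb * STANDARD_PRICE


def archive_tier_monthly_cost(months=MONTHS_RETAINED):
    """Archive stores each snapshot as a full copy, billed at the archive rate."""
    return months * VOLUME_GB * ARCHIVE_PRICE


def breakeven_changed_fraction():
    """Delta fraction at which an incremental standard-tier snapshot costs the same
    as a full archive-tier copy: archive is cheaper above it, standard below it."""
    return ARCHIVE_PRICE / STANDARD_PRICE


if __name__ == "__main__":
    print(f"breakeven delta: {breakeven_changed_fraction():.0%} of the volume")
    print(f"30-day delta, random blocks: {changed_fraction(30):.1%}")
    print(f"archive tier:   ${archive_tier_monthly_cost():,.0f}/month")
    print(f"standard, random churn: ${standard_tier_monthly_cost():,.0f}/month")
    print(f"standard, hot-set churn: ${standard_tier_monthly_cost(hot_set=True):,.0f}/month")
```

With these prices the breakeven falls out at a 25% delta. Thirty days of 5% changes on random blocks touches about 79% of the volume, so archiving the monthly snapshot is clearly cheaper, which is the scenario the exam answer assumes; if the same hot set churns every day the delta stays at 5% and the incremental standard-tier snapshot is the cheaper one. Two operational points to weigh alongside cost: an archived snapshot has a 90-day minimum billing period, and it must be restored to the standard tier (which takes 24 to 72 hours) before a volume can be created from it.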
10. AWS Backup
A company runs an application on several Amazon EC2 instances that store persistent data on an Amazon Elastic File System (Amazon EFS) file system. The company needs to replicate the data to another AWS Region by using an AWS managed service solution.
Which solution will meet these requirements MOST cost-effectively?
- ❌ Use the EFS-to-EFS backup solution to replicate the data to an EFS file system in another Region.
- Run a nightly script to copy data from the EFS file system to an Amazon S3 bucket. Enable S3 Cross-Region Replication on the S3 bucket.
- Create a VPC in another Region. Establish a cross-Region VPC peer. Run a nightly rsync to copy data from the original Region to the new Region.
- ✅ Use AWS Backup to create a backup plan with a rule that takes a daily backup and replicates it to another Region. Assign the EFS file system resource to the backup plan.
✨ Keywords:
1️⃣ ❌ -> 4️⃣ ✅
💡 Analysis: Backing up EFS file systems
Amazon EFS integrates natively with AWS Backup, a fully managed, policy-based service you use to create and manage backup policies that protect the data in Amazon EFS.
With AWS Backup for Amazon EFS you can:
- Manage automated backup scheduling and retention by configuring a backup plan. You specify the backup frequency, when backups run, how long they are retained, and lifecycle policies for the backups. A plan rule can also copy each backup to a vault in another Region, which is the cross-Region requirement here.
- Restore backups of Amazon EFS data. You can restore file system data to a new or an existing file system, and choose between a full restore and an item-level restore.
AWS also recommends AWS Backup for EFS backups. The "EFS-to-EFS backup solution" in 1️⃣ is an older AWS Solutions reference deployment that you run and maintain yourself, not a managed service.
👨👨👦👦 Community discussion: Answer D: AWS Backup is a managed service that handles backup operations. If AWS Backup is not available in your region, you can consider using EFS-to-EFS backup.
11. Amazon Aurora Serverless cluster
A large company wants to provide its globally located developers separate, limited size, managed PostgreSQL databases for development purposes. The databases will be low volume. The developers need the databases only when they are actively working.
Which solution will meet these requirements MOST cost-effectively?
- Give the developers the ability to launch separate Amazon Aurora instances. Set up a process to shut down Aurora instances at the end of the workday and to start Aurora instances at the beginning of the next workday.
- ❌ Develop an AWS Service Catalog product that enforces size restrictions for launching Amazon Aurora instances. Give the developers access to launch the product when they need a development database.
- ✅ Create an Amazon Aurora Serverless cluster. Develop an AWS Service Catalog product to launch databases in the cluster with the default capacity settings. Grant the developers access to the product.
- Monitor AWS Trusted Advisor checks for idle Amazon RDS databases. Create a process to terminate identified idle RDS databases.
✨ Keywords:
2️⃣ ❌ -> 3️⃣ ✅
💡 Analysis: 3️⃣ costs less than 2️⃣. Service Catalog handles the "limited size, self-service" part in both, but 2️⃣ launches provisioned Aurora instances that are billed for every hour they run, whether or not a developer is using them. Aurora Serverless bills for the capacity actually consumed and scales down when the databases are idle, which matches developers who only need a database while they are actively working.
👨👨👦👦 Community discussion: (A,B,D) eliminated. Aurora instances & Amazon RDS use On-Demand or Reserved INSTANCES. These are more expensive than a serverless solution.
(C) is correct. Amazon Aurora Serverless automatically starts up, shuts down & scales capacity up or down based on your application’s needs; you pay only for capacity consumed.
12. ACM Region
A company wants to configure its Amazon CloudFront distribution to use SSL/TLS certificates. The company does not want to use the default domain name for the distribution. Instead, the company wants to use a different domain name for the distribution.
Which solution will deploy the certificate without incurring any additional costs?
- Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
- Request an Amazon issued private certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.
- ✅ Request an Amazon issued public certificate from AWS Certificate Manager (ACM) in the us-east-1 Region.
- ❌ Request an Amazon issued public certificate from AWS Certificate Manager (ACM) in the us-west-1 Region.
✨ Keywords:
4️⃣ ❌ -> 3️⃣ ✅
💡 Analysis: Obtaining SSL/TLS certificates
AWS recommends using ACM to provision, manage and deploy SSL/TLS certificates on AWS-managed resources. For CloudFront, the ACM certificate must be requested in the US East (N. Virginia) Region (us-east-1), whatever Region the origin is in. Public certificates issued by ACM are free; private certificates come from AWS Private CA, which is charged for, and browsers would not trust them for a public website anyway. Hence 3️⃣.
👨👨👦👦 Community discussion: Have to use the us-east-1 region for ACM, and it should be a public SSL/TLS certificate for the domain, so it should be C
13. Amazon QuickSight dashboard
A company that uses AWS Organizations runs 150 applications across 30 different AWS accounts. The company used AWS Cost and Usage Report to create a new report in the management account. The report is delivered to an Amazon S3 bucket that is replicated to a bucket in the data collection account.
The company’s senior leadership wants to view a custom dashboard that provides NAT gateway costs each day starting at the beginning of the current month.
Which solution will meet these requirements?
- Share an Amazon QuickSight dashboard that includes the requested table visual. Configure QuickSight to use AWS DataSync to query the new report.
- ✅ Share an Amazon QuickSight dashboard that includes the requested table visual. Configure QuickSight to use Amazon Athena to query the new report.
- Share an Amazon CloudWatch dashboard that includes the requested table visual. Configure CloudWatch to use AWS DataSync to query the new report.
- ❌ Share an Amazon CloudWatch dashboard that includes the requested table visual. Configure CloudWatch to use Amazon Athena to query the new report.
✨ Keywords:
4️⃣ ❌ -> 2️⃣ ✅
💡 Analysis: Amazon QuickSight is a fast, easy-to-use, cloud-powered business analytics service that makes it easy for everyone in an organization to build visualizations, perform ad hoc analysis and quickly get business insights from their data, anytime, on any device. Upload CSV and Excel files; access on-premises databases such as SQL Server, MySQL and PostgreSQL; connect to data lakes and data warehouses such as Databricks, Snowflake and Teradata; and seamlessly discover AWS data sources such as Amazon Redshift, Amazon Relational Database Service (Amazon RDS), Amazon Aurora, Amazon Athena and Amazon Simple Storage Service (Amazon S3). With QuickSight, organizations can scale their business analytics to hundreds of thousands of users and get fast, responsive query performance from its in-memory engine (SPICE).
Amazon QuickSight gallery – explore industry- and domain-specific analytics examples built by QuickSight customers.
Amazon CloudWatch dashboards are customizable home pages in the CloudWatch console that you can use to monitor your resources in a single view, even resources spread across different Regions. You can use CloudWatch dashboards to create customized views of the metrics and alarms for your AWS resources.
With dashboards you can create:
- A single view of selected metrics and alarms to help you assess the health of your resources and applications across one or more Regions. You can select the color used for each metric on each graph, so that you can easily track the same metric across multiple graphs.
- An operational playbook that provides guidance for team members on how to respond to specific incidents during an operational event.
- A common view of critical resource and application measurements that team members can share for faster communication during operational events.
CloudWatch dashboards show metrics and alarms, not the contents of a report file in S3, and neither CloudWatch nor QuickSight queries S3 through DataSync, which is a data transfer service. Athena queries the Cost and Usage Report in S3 directly and QuickSight uses Athena as a data source, hence 2️⃣.
👨👨👦👦 Community discussion: QuickSight for dashboard and Athena for query each month so it is B
14. Cache
A company is hosting a high-traffic static website on Amazon S3 with an Amazon CloudFront distribution that has a default TTL of 0 seconds. The company wants to implement caching to improve performance for the website. However, the company also wants to ensure that stale content is not served for more than a few minutes after a deployment.
Which combination of caching methods should a solutions architect implement to meet these requirements? (Choose two.)
- ✅ Set the CloudFront default TTL to 2 minutes.
- Set a default TTL of 2 minutes on the S3 bucket.
- ✅ Add a Cache-Control private directive to the objects in Amazon S3.
- ❌ Create an AWS Lambda@Edge function to add an Expires header to HTTP responses. Configure the function to run on viewer response.
- Add a Cache-Control max-age directive of 24 hours to the objects in Amazon S3. On deployment, create a CloudFront invalidation to clear any changed files from edge caches.
✨ Keywords:
1️⃣ 4️⃣ ❌ -> 1️⃣ 3️⃣ ✅
💡 Analysis: The community is split between 1️⃣ 3️⃣ and 1️⃣ 5️⃣. My guess is that 1️⃣ is there to have CloudFront cache content for 2 minutes, while 3️⃣ is there to make CloudFront fetch the latest file from S3 on every origin request; read that way, I think the combination works, but I am not sure this reading is right.
👨👨👦👦 Community discussion: AE. By default, each file automatically expires after 24 hours, but you can change the default behavior in two ways:
- To change the cache duration for all files that match the same path pattern, you can change the CloudFront settings for Minimum TTL, Maximum TTL, and Default TTL for a cache behavior.
- To change the cache duration for an individual file, you can configure your origin to add a Cache-Control header with the max-age or s-maxage directive, or an Expires header to the file.
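As an added example (not part of the original notes), the function below encodes the rules CloudFront uses to decide how long an object stays in an edge cache, so the options above can be evaluated against the TTL settings and Cache-Control headers they mention. The rules modelled are the ones in the CloudFront developer guide: with no caching header the Default TTL applies; `max-age` (with `s-maxage` taking precedence for CloudFront) is clamped between the Minimum and Maximum TTL; `no-cache`, `no-store` and `private` mean "do not cache" unless the Minimum TTL is above 0, in which case CloudFront caches for exactly the Minimum TTL. `Expires` headers, the browser cache and invalidation propagation time are not modelled; when `private` appears together with `max-age`, the "do not cache" directive is assumed to win.

```python
"""Added example: how long CloudFront caches an object, from the cache behaviour's
TTL settings and the origin's Cache-Control header.
"""

# CloudFront's defaults for a cache behaviour, as of this writing
DEFAULT_MIN_TTL = 0
DEFAULT_DEFAULT_TTL = 86_400         # 24 hours
DEFAULT_MAX_TTL = 31_536_000         # 1 year


def parse_cache_control(header):
    """Return directives as a dict, e.g. {"max-age": 120, "private": True}."""
    directives = {}
    if not header:
        return directives
    for part in header.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name] = int(value.strip('"')) if value else True
    return directives


def cloudfront_ttl(cache_control=None, min_ttl=DEFAULT_MIN_TTL,
                   default_ttl=DEFAULT_DEFAULT_TTL, max_ttl=DEFAULT_MAX_TTL):
    """Seconds CloudFront serves the object from an edge cache before going back
    to the origin; 0 means every request is forwarded to the origin."""
    directives = parse_cache_control(cache_control)
    if any(d in directives for d in ("no-cache", "no-store", "private")):
        # Assumption: a "do not cache" directive wins over any max-age present.
        return min_ttl                       # 0 => not cached at all
    age = directives.get("s-maxage", directives.get("max-age"))
    if age is None:
        return min(max(default_ttl, min_ttl), max_ttl)   # no header: Default TTL
    return min(max(age, min_ttl), max_ttl)               # clamp max-age


if __name__ == "__main__":
    # Option A (default TTL 2 min, no header), A+C (private), E (max-age 24 h)
    print("A alone: ", cloudfront_ttl(None, default_ttl=120), "s")
    print("A + C:   ", cloudfront_ttl("private", default_ttl=120), "s")
    print("E:       ", cloudfront_ttl("max-age=86400"), "s (needs an invalidation on deploy)")
```

Running it with the exam's settings makes the trade-off concrete: with the default Minimum TTL of 0, a `Cache-Control: private` object is not cached by CloudFront at all, so the 2-minute Default TTL in option A never applies to it and the performance goal is only met if the Minimum TTL is raised. A `max-age` of 24 hours (option E) is honoured by CloudFront and by browsers; an invalidation purges the edge caches, but not a browser that already holds the file. Option D does nothing for CloudFront caching: a Lambda@Edge function on the viewer response runs after the cache lookup, so headers it adds are never part of the cache decision.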
15. Babelfish
A company uses a Microsoft SQL Server database. The company’s applications are connected to the database. The company wants to migrate to an Amazon Aurora PostgreSQL database with minimal changes to the application code.
Which combination of steps will meet these requirements? (Choose two.)
- Use the AWS Schema Conversion Tool (AWS SCT) to rewrite the SQL queries in the applications.
- ✅ Enable Babelfish on Aurora PostgreSQL to run the SQL queries from the applications.
- ✅ Migrate the database schema and data by using the AWS Schema Conversion Tool (AWS SCT) and AWS Database Migration Service (AWS DMS).
- Use Amazon RDS Proxy to connect the applications to Aurora PostgreSQL.
- Use AWS Database Migration Service (AWS DMS) to rewrite the SQL queries in the applications.
✨ Keywords:
2️⃣ 3️⃣ ✅
💡 Analysis: Babelfish for Aurora PostgreSQL – run Microsoft SQL Server applications on PostgreSQL with little or no code change
With Babelfish, Aurora PostgreSQL understands T-SQL, Microsoft SQL Server's proprietary SQL dialect, and speaks the same wire protocol (TDS), so applications originally written for SQL Server can work with Aurora with fewer code changes. That reduces the effort needed to modify applications running on SQL Server 2005 or later and move them to Aurora, for a faster, lower-risk and more cost-effective migration. SCT converts the schema and DMS moves the data; neither tool rewrites the SQL inside application code, which rules out 1️⃣ and 5️⃣.
👨👨👦👦 Community discussion: DMS + SCT is correct, but “rewrite the SQL queries in the applications.” is wrong so A + E are out.
Then only B + C are left -> DMS + SCT + Babelfish (for SQL Server)
16. EBS encryption
A company plans to rehost an application to Amazon EC2 instances that use Amazon Elastic Block Store (Amazon EBS) as the attached storage.
A solutions architect must design a solution to ensure that all newly created Amazon EBS volumes are encrypted by default. The solution must also prevent the creation of unencrypted EBS volumes.
Which solution will meet these requirements?
- ✅ Configure the EC2 account attributes to always encrypt new EBS volumes.
- ❌ Use AWS Config. Configure the encrypted-volumes identifier. Apply the default AWS Key Management Service (AWS KMS) key.
- Configure AWS Systems Manager to create encrypted copies of the EBS volumes. Reconfigure the EC2 instances to use the encrypted volumes.
- Create a customer managed key in AWS Key Management Service (AWS KMS). Configure AWS Migration Hub to use the key when the company migrates workloads.
✨ Keywords:
2️⃣ ❌ -> 1️⃣ ✅
Newly created Amazon EBS volumes aren’t encrypted by default. However, you can turn on default encryption for new EBS volumes and snapshot copies that are created within a specified Region. To turn on encryption by default, use the Amazon Elastic Compute Cloud (Amazon EC2) console.
Before you turn on encryption by default, note the following:
- Encryption by default is a Region-specific setting. After you turn on encryption for a Region, you can’t turn encryption off for individual volumes or snapshots in that Region.
- After you turn on encryption by default, you can launch an instance only if the instance type supports Amazon EBS encryption.
- When you turn on encryption by default, that change doesn’t affect existing unencrypted or encrypted resources. The encryption configuration change affects only volumes and snapshot copies that you create after you turn on encryption by default.
- If encryption by default is turned on and you experience delta replication failures when you use AWS Server Migration Service, then turn off encryption by default. For lift-and-shift migration, it’s a best practice to use Application Migration Service.
So once encryption by default is turned on for a Region, every new EBS volume and snapshot copy created there is encrypted and an unencrypted volume can no longer be created; an EC2 instance can only launch with encrypted volumes. That is exactly the "encrypt by default and prevent unencrypted volumes" requirement, hence 1️⃣. The AWS Config encrypted-volumes rule in 2️⃣ only reports non-compliant volumes after they exist; it does not stop their creation. The setting is per Region, so repeat it in every Region you use.
👨👨👦👦 Community discussion: Answer A. The task is to force automatic encryption for every new EBS volume and prevent the possibility of creating any unencrypted volume
https://docs.aws.amazon.com/ebs/latest/userguide/work-with-ebs-encr.html#ebs-encryption_mgmt
To enable encryption by default for a Region: Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/
From the navigation pane, select EC2 Dashboard.
In the upper-right corner of the page, choose Account Attributes, Data protection and security.
Choose Manage.
Select Enable. You keep the AWS managed key with the alias alias/aws/ebs created on your behalf as the default encryption key, or choose a symmetric customer managed encryption key.
Choose Update EBS encryption.
17. AWS Resource Access Manager (RAM)
A company wants to isolate its workloads by creating an AWS account for each workload. The company needs a solution that centrally manages networking components for the workloads. The solution also must create accounts with automatic security controls (guardrails).
Which solution will meet these requirements with the LEAST operational overhead?
- ✅ Use AWS Control Tower to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
- Use AWS Organizations to deploy accounts. Create a networking account that has a VPC with private subnets and public subnets. Use AWS Resource Access Manager (AWS RAM) to share the subnets with the workload accounts.
- ❌ Use AWS Control Tower to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
- Use AWS Organizations to deploy accounts. Deploy a VPC in each workload account. Configure each VPC to route through an inspection VPC by using a transit gateway attachment.
✨ Keywords:
3️⃣ ❌ -> 1️⃣ ✅
💡 Analysis: What is AWS Resource Access Manager?
AWS Resource Access Manager (AWS RAM) helps you securely share resources of supported types across AWS accounts, within your organization or organizational units (OUs), and with AWS Identity and Access Management (IAM) roles and users. If you have multiple AWS accounts, you can create a resource once and use AWS RAM to make it usable by the other accounts. If your accounts are managed by AWS Organizations, you can share resources with all the other accounts in the organization or only with the accounts in one or more specified OUs. You can also share with specific AWS accounts by account ID, whether or not the account is part of an organization, and some resource types can be shared with specified IAM roles and users.
VPC sharing: create and manage subnets centrally and share them with AWS accounts in your organization, so that multiple accounts launch their application resources into centrally managed VPCs. Those resources include Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters and AWS Lambda functions.
That covers the centrally managed networking. The "accounts with automatic guardrails" part is AWS Control Tower, which provisions accounts with preventive and detective controls already applied; Organizations alone (2️⃣, 4️⃣) gives you SCPs but no ready-made guardrails or account factory. A VPC, transit gateway attachment and inspection routing per account (3️⃣) is far more to build and operate than sharing subnets, so 1️⃣ has the least operational overhead.
👨👨👦👦 Community discussion: Statement:
- The solution also must create accounts with automatic security controls (guardrails).
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html AWS Control Tower provides a pre-packaged set of guardrails (policies) and blueprints (best-practice configurations) to ensure that the environment complies with security and compliance standards. It’s designed to simplify the process of creating and managing a multi-account AWS environment while maintaining security and compliance.
18. Amazon Security Lake
A company runs workloads in the AWS Cloud. The company wants to centrally collect security data to assess security across the entire company and to improve workload protection.
Which solution will meet these requirements with the LEAST development effort?
- Configure a data lake in AWS Lake Formation. Use AWS Glue crawlers to ingest the security data into the data lake.
- Configure an AWS Lambda function to collect the security data in .csv format. Upload the data to an Amazon S3 bucket.
- ✅ Configure a data lake in Amazon Security Lake to collect the security data. Upload the data to an Amazon S3 bucket.
- Configure an AWS Database Migration Service (AWS DMS) replication instance to load the security data into an Amazon RDS cluster.
✨ Keywords:
3️⃣ ✅
💡 Analysis: What is Amazon Security Lake?
Amazon Security Lake is a fully managed security data lake service. You can use Security Lake to automatically centralize security data from AWS environments, SaaS providers, on-premises, cloud sources and third-party sources into a purpose-built data lake stored in your AWS account. Security Lake helps you analyze security data to get a more complete understanding of your security posture across the whole organization, and to improve the protection of your workloads, applications and data.
The data lake is backed by Amazon Simple Storage Service (Amazon S3) buckets, and you retain ownership of your data. Because Security Lake already collects and normalizes the data (to the OCSF schema) into S3 for you, there is nothing to develop, unlike the Glue crawler, Lambda or DMS pipelines in the other options.
👨👨👦👦 Community discussion: A, B, D are senseless. Amazon Security Lake automatically centralizes security data from AWS environments, you can get a more complete understanding of your security data across your entire organization. You can also improve the protection.