
SAA Exam Daily Practice - 2024/12/13


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
65 questions (No.901 ~ No.965). Only the 9 questions that I met for the first time, got wrong, or had doubts about are recorded here, for my own review only.
Same question count as the real exam; total time taken 101/(130+30) minutes, score 50/65.
If this infringes any rights, please contact me and I will remove it.


I. S3 Access Points

A company manages a data lake in an Amazon S3 bucket that numerous applications access. The S3 bucket contains a unique prefix for each application. The company wants to restrict each application to its specific prefix and to have granular control of the objects under each prefix.
Which solution will meet these requirements with the LEAST operational overhead?

  1. ✅ Create dedicated S3 access points and access point policies for each application.
  2. Create an S3 Batch Operations job to set the ACL permissions for each object in the S3 bucket.
  3. Replicate the objects in the S3 bucket to new S3 buckets for each application. Create replication rules by prefix.
  4. ❌ Replicate the objects in the S3 bucket to new S3 buckets for each application. Create dedicated S3 access points for each application.

✨ Keywords:

4️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: Amazon S3 Access Points - Easily manage access to shared data sets on Amazon S3

The Amazon S3 Access Points feature simplifies data access for any AWS service or customer application that stores data in S3. With S3 Access Points, customers can create a unique access control policy for each access point to easily control access to shared data sets.
Customers with shared data sets (including data lakes, media archives and user-generated content) can easily scale access for hundreds of applications by creating individualized access points, each with a name and permissions tailored to one application.
Any access point can be restricted to a Virtual Private Cloud (VPC) to keep S3 data access behind the customer's firewall, and AWS Service Control Policies can be used to ensure that all access points are VPC restricted.
S3 Access Points are available in all Regions at no additional cost.

Configuring IAM policies for using access points

Amazon S3 access points support AWS Identity and Access Management (IAM) resource policies that let you control use of the access point by resource, user, or other conditions. For an application or user to access objects through an access point, both the access point and the underlying bucket must permit the request.

S3 Access Points with their own policies already meet the requirement; there is no need to replicate the objects into a separate bucket per application (3️⃣ and 4️⃣). Setting per-object ACLs with S3 Batch Operations (2️⃣) scales with the number of objects and is the opposite of low operational overhead. A practical detail for this pattern: write the bucket policy so that it delegates access control to access points owned by the account (the s3:DataAccessPointAccount condition in the S3 docs), and scope each access point policy to that application's prefix, using the access point object ARN form arn:aws:s3:<region>:<account>:accesspoint/<name>/object/<prefix>/*.
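Added example (not code from the original post or from AWS): the per-application access point policy and the delegating bucket policy described above, plus a small local evaluator that applies the rule quoted from the docs, namely that the access point policy AND the bucket policy must both allow the request. The account ID, Region, bucket, application and role names are assumptions, and the evaluator models only Allow statements with StringEquals conditions.

```python
"""Added example, not code from the original post or from AWS: builds the
per-application S3 access point policies and the bucket policy that delegates
to them, then checks requests locally with the rule from the docs quoted above
(access point AND bucket must both allow). Account ID, Region, bucket, app and
role names are made up for the example."""
import fnmatch
import json

ACCOUNT = "111122223333"      # assumed account ID
REGION = "us-east-1"          # assumed Region
BUCKET = "example-data-lake"  # assumed bucket name

# One prefix and one IAM role per application (assumed names).
APP_ROLES = {
    "app-a": f"arn:aws:iam::{ACCOUNT}:role/app-a",
    "app-b": f"arn:aws:iam::{ACCOUNT}:role/app-b",
}


def access_point_arn(app: str) -> str:
    return f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{app}"


def access_point_policy(app: str) -> dict:
    """Access point policy: the app's role may read/write only objects under
    its own prefix. Object ARNs seen through an access point have the form
    arn:aws:s3:<region>:<account>:accesspoint/<name>/object/<key>."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": f"{app}-own-prefix-only",
            "Effect": "Allow",
            "Principal": {"AWS": APP_ROLES[app]},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{access_point_arn(app)}/object/{app}/*",
        }],
    }


def bucket_policy() -> dict:
    """Bucket policy that delegates access control to access points owned by
    this account (the s3:DataAccessPointAccount condition from the S3 docs),
    so the per-application rules live only in the access point policies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(policy: dict, principal: str, action: str, resource: str, context: dict) -> bool:
    """Minimal evaluator for this example: an Allow statement matches when the
    principal, action and resource (IAM '*' wildcards) match and every
    StringEquals condition holds. Deny statements, NotAction, policy variables
    and the rest of IAM are deliberately out of scope."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if st["Principal"]["AWS"] not in ("*", principal):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in conditions.items()):
            return True
    return False


def request_allowed(app: str, caller_role: str, action: str, key: str) -> bool:
    """A request through app's access point for object `key` succeeds only if
    the access point policy AND the bucket policy both allow it."""
    context = {"s3:DataAccessPointAccount": ACCOUNT}
    return (
        _allows(access_point_policy(app), caller_role, action,
                f"{access_point_arn(app)}/object/{key}", context)
        and _allows(bucket_policy(), caller_role, action,
                    f"arn:aws:s3:::{BUCKET}/{key}", context)
    )


if __name__ == "__main__":
    print(json.dumps(access_point_policy("app-a"), indent=2))
    print(request_allowed("app-a", APP_ROLES["app-a"], "s3:GetObject", "app-a/2024/part-0.parquet"))
    print(request_allowed("app-a", APP_ROLES["app-a"], "s3:GetObject", "app-b/2024/part-0.parquet"))
```

Because the bucket policy only says "trust my access points", adding a tenth or hundredth application is one new access point and one new policy, with nothing to change on the bucket.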

👨‍👨‍👦‍👦 Community discussion: Create dedicated S3 access points and access point policies for each application.


II. TCP-based and UDP-based

A company wants to improve the availability and performance of its hybrid application. The application consists of a stateful TCP-based workload hosted on Amazon EC2 instances in different AWS Regions and a stateless UDP-based workload hosted on premises.
Which combination of actions should a solutions architect take to improve availability and performance? (Choose two.)

  1. ✅ Create an accelerator using AWS Global Accelerator. Add the load balancers as endpoints.
  2. ❌ Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the load balancers.
  3. Configure two Application Load Balancers in each Region. The first will route to the EC2 endpoints, and the second will route to the on-premises endpoints.
  4. ✅ Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure a Network Load Balancer in each Region that routes to the on-premises endpoints.
  5. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure an Application Load Balancer in each Region that routes to the on-premises endpoints.

✨ Keywords:

2️⃣ 4️⃣ ❌ -> 1️⃣ 4️⃣ ✅

💡 Analysis: A Network Load Balancer already load-balances both TCP and UDP traffic at Layer 4, and with IP-address targets it can front the on-premises endpoints as well as the EC2 instances; an Application Load Balancer only handles HTTP/HTTPS, so 3️⃣ and 5️⃣ cannot serve the UDP workload and 4️⃣ is the right pairing.
Amazon CloudFront only accelerates HTTP/HTTPS over TCP, whereas AWS Global Accelerator accelerates TCP and UDP and takes the NLBs as its endpoints, so 1️⃣ is correct and 2️⃣ is not.

👨‍👨‍👦‍👦 Community discussion: TCP >> NLB
non-http >> accelerator


III. DB IO performance

A company recently performed a lift and shift migration of its on-premises Oracle database workload to run on an Amazon EC2 memory optimized Linux instance. The EC2 Linux instance uses a 1 TB Provisioned IOPS SSD (io1) EBS volume with 64,000 IOPS.
The database storage performance after the migration is slower than the performance of the on-premises database.
Which solution will improve storage performance?

  1. ✅ Add more Provisioned IOPS SSD (io1) EBS volumes. Use OS commands to create a Logical Volume Management (LVM) stripe.
  2. ❌ Increase the Provisioned IOPS SSD (io1) EBS volume to more than 64,000 IOPS.
  3. Increase the size of the Provisioned IOPS SSD (io1) EBS volume to 2 TB.
  4. Change the EC2 Linux instance to a storage optimized instance type. Do not change the Provisioned IOPS SSD (io1) EBS volume.

✨ Keywords:

2️⃣ ❌ -> 1️⃣ ✅

💡 Analysis: Provisioned IOPS SSD (io1) volumes

io1 volumes range in size from 4 GiB to 16 TiB, and each volume can deliver 100 IOPS to 64,000 IOPS. The maximum ratio of provisioned IOPS to requested volume size (in GiB) is 50:1. For example, a 100 GiB io1 volume can be provisioned with up to 5,000 IOPS.

You can achieve up to 64,000 IOPS only on instances built on the Nitro System. On other instances, you can achieve performance up to 32,000 IOPS.

This means 64,000 IOPS is the ceiling for a single io1 volume (on Nitro instances); it cannot be raised by provisioning more IOPS (2️⃣) or by enlarging the volume (3️⃣), since the volume is already at the per-volume maximum. Striping several io1 volumes with LVM (1️⃣) adds their IOPS together; the aggregate is then bounded by the instance type's EBS-optimized IOPS and throughput limits, so check those for the chosen memory optimized instance before adding volumes.
4️⃣, switching to a storage optimized instance type while keeping the same volume, is clearly wrong: the bottleneck is the single EBS volume, not the instance family, and storage optimized instances are built around local instance store rather than EBS.

As an extension, io2 Block Express supports up to 256,000 IOPS (on Nitro instances): Provisioned IOPS SSD (io2) Block Express volumes

Provisioned IOPS up to 256,000, with an IOPS:GiB ratio of 1,000:1. Maximum IOPS can be provisioned with volumes 256 GiB and larger (1,000 IOPS × 256 GiB = 256,000 IOPS).

You can achieve up to 256,000 IOPS on instances built on the Nitro System. On other instances, you can achieve performance up to 32,000 IOPS.

👨‍👨‍👦‍👦 Community discussion: A is correct. The maximum provisioned IOPS for io1 is 64,000, and hence you can achieve higher aggregate performance by adding more io1 volumes.


IV. NLB Security

A company hosts a video streaming web application in a VPC. The company uses a Network Load Balancer (NLB) to handle TCP traffic for real-time data processing. There have been unauthorized attempts to access the application.
The company wants to improve application security with minimal architectural change to prevent unauthorized attempts to access the application.
Which solution will meet these requirements?

  1. ❌ Implement a series of AWS WAF rules directly on the NLB to filter out unauthorized traffic.
  2. ✅ Recreate the NLB with a security group to allow only trusted IP addresses.
  3. Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.
  4. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.

✨ Keywords:

1️⃣ ❌ -> 2️⃣ ✅

💡 Analysis: NLB need to Attach AWS WAF

NLB is a Layer 3/4 component while WAF is a Layer 7 protection component.
That is why WAF is only available for Application Load Balancer in the ELB portfolio. NLB does not terminate the TLS session therefore WAF is not capable of acting on the content. I would consider using AWS Shield at Layer 3/4.

Network Load Balancer now supports security groups

Network Load Balancer (NLB) now supports security groups, which lets you filter the traffic that the NLB accepts and forwards to your application. With security groups you can configure rules to help ensure that the NLB only accepts traffic from trusted IP addresses, and enforce access control policies centrally. This improves your application's security posture and simplifies operations.

The community also argues for 4️⃣, and Shield Advanced is certainly useful here, but 2️⃣ is the option backed by the official documentation: Shield Advanced mitigates DDoS floods, it does not decide which sources may reach the application, whereas a security group on the NLB does exactly that. The word "recreate" in 2️⃣ is deliberate: security groups can only be associated with an NLB when it is created, and an NLB created without one cannot have one added later. Once the NLB has a security group, the targets' security groups can reference it so that the instances accept traffic only through the load balancer.

👨‍👨‍👦‍👦 Community discussion: I don't think B is correct. If you only allow selected IPs to access, then this company cannot host their video streaming service to the public.
D should be the correct answer. AWS Shield Advanced, if I remember correctly, prevents unauthorised attempts.


V. SNS encryption

A healthcare company is developing an AWS Lambda function that publishes notifications to an encrypted Amazon Simple Notification Service (Amazon SNS) topic. The notifications contain protected health information (PHI).
The SNS topic uses AWS Key Management Service (AWS KMS) customer managed keys for encryption. The company must ensure that the application has the necessary permissions to publish messages securely to the SNS topic.

Which combination of steps will meet these requirements? (Choose three.)

  1. ✅ Create a resource policy for the SNS topic that allows the Lambda function to publish messages to the topic.
  2. ❌ Use server-side encryption with AWS KMS keys (SSE-KMS) for the SNS topic instead of customer managed keys.
  3. ✅ Create a resource policy for the encryption key that the SNS topic uses that has the necessary AWS KMS permissions.
  4. Specify the Lambda function's Amazon Resource Name (ARN) in the SNS topic's resource policy.
  5. Associate an Amazon API Gateway HTTP API with the SNS topic to control access to the topic by using API Gateway resource policies.
  6. ✅ Configure a Lambda execution role that has the necessary IAM permissions to use a customer managed key in AWS KMS.

✨ Keywords:

1️⃣ 2️⃣ 6️⃣ ❌ -> 1️⃣ 3️⃣ 6️⃣ ✅

💡 Analysis: 1️⃣ and 6️⃣ are undisputed; the community argued mostly between 2️⃣ and 3️⃣.
Setting up an Amazon SNS topic with server-side encryption: this question is really about the KMS key policy. 2️⃣ is a distractor, since a customer managed key already is SSE-KMS; the only difference from the AWS managed key (aws/sns) is that you own the key policy, which is exactly why 3️⃣ is needed. To encrypt a published message SNS uses the publisher's credentials to call kms:GenerateDataKey and kms:Decrypt on the key, so the Lambda execution role needs those two actions (6️⃣), and the key policy must allow them for that role, either directly or by delegating to IAM policies through the account root principal (3️⃣). 4️⃣ describes the same topic policy as 1️⃣ rather than a separate step, and 5️⃣ adds an API Gateway the application does not need.
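Added example (not code from the original post or from AWS): the three policy documents behind options 1, 3 and 6 (topic policy, key policy, Lambda execution role policy) for publishing to an SNS topic encrypted with a customer managed key, together with a local check that reports what would make sns:Publish fail. The account ID, Region, key ID, topic and role names are assumptions; the check models same-account evaluation with Allow statements only, no Deny and no conditions.

```python
"""Added example, not code from the original post or from AWS: the three
policy documents behind options 1, 3 and 6 (topic policy, key policy, Lambda
execution role policy) for publishing to an SNS topic encrypted with a
customer managed KMS key, plus a local check that reports what would make
sns:Publish fail. ARNs, key ID and names are made up."""
import fnmatch

ACCOUNT = "111122223333"   # assumed account ID
REGION = "us-east-1"       # assumed Region
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:phi-notifications"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PUBLISHER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/phi-publisher"   # Lambda execution role
ROOT = f"arn:aws:iam::{ACCOUNT}:root"

# SNS uses the publisher's credentials to wrap/unwrap the data key, so the
# publisher needs these two KMS actions on the key (from the SNS SSE docs).
PUBLISHER_KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")


def topic_policy() -> dict:
    """Option 1: resource policy on the topic allowing the Lambda role to publish."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowLambdaPublish", "Effect": "Allow",
        "Principal": {"AWS": PUBLISHER_ROLE},
        "Action": "sns:Publish", "Resource": TOPIC_ARN}]}


def key_policy(grant_publisher: bool = True) -> dict:
    """Option 3: key policy. The root statement is the usual delegation to IAM
    policies in this account; the second statement grants the publisher
    directly (a key policy alone is enough for KMS, unlike most services)."""
    statements = [{
        "Sid": "EnableIAMPolicies", "Effect": "Allow",
        "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]
    if grant_publisher:
        statements.append({
            "Sid": "AllowSnsPublisher", "Effect": "Allow",
            "Principal": {"AWS": PUBLISHER_ROLE},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def execution_role_policy(include_kms: bool = True) -> dict:
    """Option 6: identity policy attached to the Lambda execution role."""
    statements = [{"Effect": "Allow", "Action": "sns:Publish", "Resource": TOPIC_ARN}]
    if include_kms:
        statements.append({"Effect": "Allow", "Action": list(PUBLISHER_KMS_ACTIONS),
                           "Resource": KEY_ARN})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(st: dict, action: str, resource: str) -> bool:
    return (st["Effect"] == "Allow"
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])))


def resource_policy_allows(policy: dict, principal: str, action: str, resource: str) -> bool:
    return any(_matches(st, action, resource) and st["Principal"]["AWS"] in ("*", principal)
               for st in policy["Statement"])


def identity_policy_allows(policy: dict, action: str, resource: str) -> bool:
    return any(_matches(st, action, resource) for st in policy["Statement"])


def publish_problems(topic_pol: dict, key_pol: dict, role_pol: dict,
                     principal: str = PUBLISHER_ROLE) -> list:
    """Simplified same-account evaluation (no Deny, no conditions): sns:Publish
    needs an Allow in the topic policy OR in the role's identity policy; each
    KMS action needs the key policy to grant the principal directly, OR to
    delegate to IAM via the root principal while the identity policy grants
    it. Returns an empty list when the publish would succeed."""
    problems = []
    if not (resource_policy_allows(topic_pol, principal, "sns:Publish", TOPIC_ARN)
            or identity_policy_allows(role_pol, "sns:Publish", TOPIC_ARN)):
        problems.append("sns:Publish is not allowed by the topic policy or the execution role")
    for action in PUBLISHER_KMS_ACTIONS:
        direct = resource_policy_allows(key_pol, principal, action, KEY_ARN)
        via_iam = (resource_policy_allows(key_pol, ROOT, action, KEY_ARN)
                   and identity_policy_allows(role_pol, action, KEY_ARN))
        if not (direct or via_iam):
            problems.append(f"{action} is not granted on the key (KMS AccessDenied on publish)")
    return problems
```

The failure mode worth remembering from this: a key policy that names only a KMS admin role, with no root delegation and no statement for the publisher, makes the execution role's own KMS permissions irrelevant, and the Lambda publish fails with a KMS access error even though the topic policy is perfect.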

👨‍👨‍👦‍👦 Community discussion: D is correct too and C is not clear, but it seems like it is about the KMS policy and adding permissions for the SNS service, which have to be added in the case of a CMK.


VI. Cross Account SNS

A media company has a multi-account AWS environment in the us-east-1 Region. The company has an Amazon Simple Notification Service (Amazon SNS) topic in a production account that publishes performance metrics. The company has an AWS Lambda function in an administrator account to process and analyze log data.
The Lambda function that is in the administrator account must be invoked by messages from the SNS topic that is in the production account when significant metrics are reported.
Which combination of steps will meet these requirements? (Choose two.)

  1. ✅ Create an IAM resource policy for the Lambda function that allows Amazon SNS to invoke the function.
  2. ❌ Implement an Amazon Simple Queue Service (Amazon SQS) queue in the administrator account to buffer messages from the SNS topic that is in the production account. Configure the SQS queue to invoke the Lambda function.
  3. ✅ Create an IAM policy for the SNS topic that allows the Lambda function to subscribe to the topic.
  4. Use an Amazon EventBridge rule in the production account to capture the SNS topic notifications. Configure the EventBridge rule to forward notifications to the Lambda function that is in the administrator account.
  5. Store performance metrics in an Amazon S3 bucket in the production account. Use Amazon Athena to analyze the metrics from the administrator account.

✨ Keywords:

1️⃣ 2️⃣ ❌ -> 1️⃣ 3️⃣ ✅

💡 Analysis: How do I set up a cross-account AWS Lambda subscription with an SNS topic?

Before you begin, make sure that:

  • The Lambda function's resource policy allows SNS to invoke the function.
  • The SNS topic's access policy allows Lambda to subscribe to the topic.

Note: the SNS topic resides in account A and the Lambda function resides in account B.
Subscribing a cross-account Lambda function: there are two possible ways to subscribe a cross-account Lambda function to an SNS topic:

  • Add an SNS trigger from the Lambda console in account B.
  • Add a Lambda subscription from the SNS console in account B (the account that has the Lambda function).

So 1️⃣ and 3️⃣ are the simplest and correct steps: in each of the two accounts, respectively, allow SNS to invoke your Lambda function, and allow the Lambda function to subscribe to your topic. 2️⃣ and 4️⃣ insert an SQS queue or an EventBridge rule that the requirement does not call for.
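Added example (not code from the original post or from the AWS article): the two resource policies behind options 1 and 3 (the function policy in account B, the topic access policy in account A) and a check that flags the usual misconfigurations, including a function policy without an AWS:SourceArn condition, which would let any SNS topic in any account invoke the function. Account IDs, Region, topic and function names are assumptions.

```python
"""Added example, not code from the original post or the AWS article: the two
resource policies for a cross-account SNS -> Lambda subscription (topic in
production account A, function in administrator account B) and a check that
flags the usual misconfigurations. Account IDs, Region and names are made up."""
import fnmatch

ACCOUNT_A = "111111111111"   # production account, owns the topic
ACCOUNT_B = "222222222222"   # administrator account, owns the function
REGION = "us-east-1"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT_A}:performance-metrics"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_B}:function:analyze-metrics"
SNS_SERVICE = "sns.amazonaws.com"


def lambda_resource_policy(source_arn: str = TOPIC_ARN) -> dict:
    """Account B, option 1: the statement that `aws lambda add-permission
    --principal sns.amazonaws.com --source-arn <topic>` adds. The SourceArn
    condition is what stops any other SNS topic, in any account, from
    invoking the function."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowProductionTopic", "Effect": "Allow",
        "Principal": {"Service": SNS_SERVICE},
        "Action": "lambda:InvokeFunction", "Resource": FUNCTION_ARN,
        "Condition": {"ArnLike": {"AWS:SourceArn": source_arn}}}]}


def topic_access_policy(subscriber_account: str = ACCOUNT_B) -> dict:
    """Account A, option 3: let the administrator account subscribe to the topic."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAdminAccountSubscribe", "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{subscriber_account}:root"},
        "Action": "sns:Subscribe", "Resource": TOPIC_ARN}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def subscription_problems(topic_pol: dict, lambda_pol: dict,
                          topic_arn: str = TOPIC_ARN, function_arn: str = FUNCTION_ARN,
                          subscriber_account: str = ACCOUNT_B) -> list:
    """Returns [] when account B can subscribe the function and SNS can invoke
    it for this topic. Simplified: Allow statements only, no Deny."""
    problems = []

    # Step 1: the topic policy must let account B call Subscribe on the topic.
    root_b = f"arn:aws:iam::{subscriber_account}:root"
    can_subscribe = any(
        st["Effect"] == "Allow"
        and st["Principal"].get("AWS") in ("*", root_b, subscriber_account)
        and "sns:Subscribe" in _as_list(st["Action"])
        and any(fnmatch.fnmatchcase(topic_arn, r) for r in _as_list(st["Resource"]))
        for st in topic_pol["Statement"])
    if not can_subscribe:
        problems.append(f"topic policy does not allow account {subscriber_account} to sns:Subscribe")

    # Step 2: the function policy must let the SNS service invoke it for this topic.
    invocable = False
    for st in lambda_pol["Statement"]:
        if (st["Effect"] != "Allow" or st["Principal"].get("Service") != SNS_SERVICE
                or "lambda:InvokeFunction" not in _as_list(st["Action"])
                or st["Resource"] != function_arn):
            continue
        source = st.get("Condition", {}).get("ArnLike", {}).get("AWS:SourceArn")
        if source is None:
            problems.append("function policy has no AWS:SourceArn condition: any SNS topic could invoke it")
            invocable = True
        elif fnmatch.fnmatchcase(topic_arn, source):
            invocable = True
    if not invocable:
        problems.append(f"function policy does not allow {SNS_SERVICE} to invoke for {topic_arn}")
    return problems
```

Both policies are resource-based, so neither account needs a cross-account IAM role; the subscription itself is then created from account B, as the article above describes.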

👨‍👨‍👦‍👦 Community discussion: No need to complicate stuff; the AWS services already exist, only permissions are missing. A&C will set up the necessary permissions and subscriptions for cross-account invocation of the Lambda function by the SNS topic.


VII. Amazon VPC CNI plugin

A company is migrating an application from an on-premises location to Amazon Elastic Kubernetes Service (Amazon EKS). The company must use a custom subnet for pods that are in the company’s VPC to comply with requirements. The company also needs to ensure that the pods can communicate securely within the pods’ VPC.
Which solution will meet these requirements?

  1. Configure AWS Transit Gateway to directly manage custom subnet configurations for the pods in Amazon EKS.
  2. Create an AWS Direct Connect connection from the company’s on-premises IP address ranges to the EKS pods.
  3. ✅ Use the Amazon VPC CNI plugin for Kubernetes. Define custom subnets in the VPC cluster for the pods to use.
  4. ❌ Implement a Kubernetes network policy that has pod anti-affinity rules to restrict pod placement to specific nodes that are within custom subnets.

✨ Keywords:

4️⃣ ❌ -> 3️⃣ ✅

💡 Analysis: Amazon VPC CNI

The Amazon VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private IPv4 or IPv6 address from your VPC to each Pod.

How do I choose specific IP subnets to be used for pods in my Amazon EKS cluster?

Resolution
Use the custom networking feature of the Amazon VPC CNI to resolve this. This feature lets you define specific subnets in your Amazon VPC for your pods to use, separating them from the subnets that the worker nodes use. As an added benefit, you can define security groups for your pods. For more information about custom networking use cases, see Tutorial: Custom networking.
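Added example (not code from the original post or from AWS): the ENIConfig objects that custom networking uses, one per Availability Zone and named after the zone so that the aws-node agent selects them from the node's topology.kubernetes.io/zone label, generated from a constructed subnet inventory, plus a check for the mistakes that leave pods without an address. The VPC ID, subnet IDs, CIDRs, zones and the pod security group are assumptions.

```python
"""Added example, not code from the original post or from AWS: generates the
ENIConfig objects that VPC CNI custom networking uses (one per Availability
Zone, selected via the node's topology.kubernetes.io/zone label) and checks
the subnet inventory for the mistakes that leave pods without an IP. Subnet
IDs, the VPC ID, the security group and the zones are made up."""

CNI_ENV = {   # settings on the aws-node DaemonSet that turn custom networking on
    "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG": "true",
    "ENI_CONFIG_LABEL_DEF": "topology.kubernetes.io/zone",
}

# Constructed VPC inventory: node subnets in the VPC's primary CIDR, a second
# CIDR (100.64.0.0/16) dedicated to pods, one pod subnet per zone.
VPC_ID = "vpc-0a1b2c3d4e5f67890"
SUBNETS = [
    {"id": "subnet-0node1a", "vpc": VPC_ID, "zone": "us-east-1a", "cidr": "10.0.1.0/24", "role": "node"},
    {"id": "subnet-0node1b", "vpc": VPC_ID, "zone": "us-east-1b", "cidr": "10.0.2.0/24", "role": "node"},
    {"id": "subnet-0pod1a", "vpc": VPC_ID, "zone": "us-east-1a", "cidr": "100.64.0.0/19", "role": "pod"},
    {"id": "subnet-0pod1b", "vpc": VPC_ID, "zone": "us-east-1b", "cidr": "100.64.32.0/19", "role": "pod"},
]
POD_SECURITY_GROUP = "sg-0podsonly000000000"   # assumed: security group applied to pod ENIs


def eniconfigs(subnets, security_groups):
    """One ENIConfig per zone, named after the zone so the aws-node agent can
    pick it from the node's zone label. Pods on that node then get their IPs
    from spec.subnet and their traffic is filtered by spec.securityGroups."""
    return [{
        "apiVersion": "crd.k8s.amazonaws.com/v1alpha1",
        "kind": "ENIConfig",
        "metadata": {"name": s["zone"]},
        "spec": {"subnet": s["id"], "securityGroups": list(security_groups)},
    } for s in subnets if s["role"] == "pod"]


def validate(subnets, vpc_id=VPC_ID):
    """Problems that would stop pods from getting addresses or defeat the
    'separate pod subnet' intent: a zone with nodes but no pod subnet, a pod
    subnet outside the cluster VPC, two pod subnets for one zone-named
    ENIConfig, or a pod subnet that is also a node subnet."""
    problems = []
    node_zones = {s["zone"] for s in subnets if s["role"] == "node"}
    node_ids = {s["id"] for s in subnets if s["role"] == "node"}
    pod_by_zone = {}
    for s in subnets:
        if s["role"] != "pod":
            continue
        if s["vpc"] != vpc_id:
            problems.append(f"{s['id']} is not in {vpc_id}; ENIConfig subnets must be in the cluster VPC")
        if s["zone"] in pod_by_zone:
            problems.append(f"{s['zone']} has more than one pod subnet; a zone-named ENIConfig references one subnet")
        pod_by_zone[s["zone"]] = s
    for zone in sorted(node_zones):
        if zone not in pod_by_zone:
            problems.append(f"{zone} has nodes but no pod subnet: pods there will fail to get an IP")
    for s in pod_by_zone.values():
        if s["id"] in node_ids:
            problems.append(f"{s['id']} is used for both nodes and pods")
    return problems
```

After applying the ENIConfigs and the two environment settings, existing nodes must be replaced (or re-registered) for their pods to move to the new subnets; the check above is meant to run before that so a zone without a pod subnet is caught while it is still cheap to fix.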

👨‍👨‍👦‍👦 Community discussion: The Amazon VPC Container Network Interface (CNI) plugin is the default network plugin for Amazon EKS. It allows Kubernetes pods to receive IP addresses from a VPC's subnet and enables pods to communicate securely within the VPC as if they were native VPC resources.


VIII. Kubernetes service accounts accessing AWS resources

A company is using an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company must ensure that Kubernetes service accounts in the EKS cluster have secure and granular access to specific AWS resources by using IAM roles for service accounts (IRSA).
Which combination of solutions will meet these requirements? (Choose two.)

  1. Create an IAM policy that defines the required permissions. Attach the policy directly to the IAM role of the EKS nodes.
  2. Implement network policies within the EKS cluster to prevent Kubernetes service accounts from accessing specific AWS services.
  3. ❌ Modify the EKS cluster’s IAM role to include permissions for each Kubernetes service account. Ensure a one-to-one mapping between IAM roles and Kubernetes roles.
  4. ✅ Define an IAM role that includes the necessary permissions. Annotate the Kubernetes service accounts with the Amazon Resource Name (ARN) of the IAM role.
  5. ✅ Set up a trust relationship between the IAM roles for the service accounts and an OpenID Connect (OIDC) identity provider.

✨ Keywords:

3️⃣ 4️⃣ ❌ -> 4️⃣ 5️⃣ ✅

💡 Analysis: 4️⃣ is beyond doubt: an IAM role must exist for the service account to assume, and the eks.amazonaws.com/role-arn annotation on the Kubernetes service account is how the two are linked. 1️⃣ (attaching the policy to the node role) hands the same permissions to every pod on the node, the opposite of granular, and 3️⃣ confuses the cluster's own IAM role with per-workload roles.
5️⃣ comes from: IAM roles for service accounts. The role's trust policy names the cluster's OIDC provider as a Federated principal for sts:AssumeRoleWithWebIdentity and conditions on <issuer>:sub (system:serviceaccount:<namespace>:<service account>) and <issuer>:aud (sts.amazonaws.com); leave out the sub condition and any service account in the cluster can assume the role.

In 2014, AWS Identity and Access Management added support for federated identities using OpenID Connect (OIDC). This feature allows you to authenticate AWS API calls with supported identity providers and receive a valid OIDC JSON web token (JWT). You can pass this token to the AWS STS AssumeRoleWithWebIdentity API operation and receive IAM temporary role credentials. You can use these credentials to interact with any AWS service, including Amazon S3 and DynamoDB.
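Added example (not code from the original post or from AWS): the IRSA pieces behind options 4 and 5, namely the role trust policy that names the cluster's OIDC provider with conditions on sub and aud, the ServiceAccount annotation, and a check that mirrors the trust-policy part of what STS evaluates for AssumeRoleWithWebIdentity against a projected service-account token. The OIDC issuer ID, account ID, role and names are assumptions; the token is constructed and unsigned, so signature verification is not modelled. The example also shows the over-broad StringLike variant of the sub condition so that its effect is visible.

```python
"""Added example, not code from the original post or from AWS: the IRSA pieces
behind options 4 and 5 (the role's trust policy naming the cluster's OIDC
provider, the ServiceAccount annotation) and a check that mirrors what STS
evaluates from a projected service-account token. The OIDC issuer ID, account
ID, role and names are made up; the token is constructed and unsigned."""
import base64
import fnmatch
import json

ACCOUNT = "111122223333"                                                          # assumed
OIDC_HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"  # assumed
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC_HOST}"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/reports-s3-reader"                       # assumed


def trust_policy(namespace: str, service_account_name: str, any_service_account: bool = False) -> dict:
    """Option 5: trust the cluster's OIDC provider, but only for one
    namespace:serviceaccount (sub) and only for tokens minted for STS (aud).
    any_service_account=True produces the over-broad variant to avoid."""
    if any_service_account:
        sub_cond = {"StringLike": {f"{OIDC_HOST}:sub": "system:serviceaccount:*"}}
    else:
        sub_cond = {"StringEquals": {
            f"{OIDC_HOST}:sub": f"system:serviceaccount:{namespace}:{service_account_name}"}}
    cond = {"StringEquals": {f"{OIDC_HOST}:aud": "sts.amazonaws.com"}}
    for op, kv in sub_cond.items():
        cond.setdefault(op, {}).update(kv)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": cond}]}


def service_account(namespace: str, name: str, role_arn: str = ROLE_ARN) -> dict:
    """Option 4: the annotation EKS reads to inject AWS_ROLE_ARN and
    AWS_WEB_IDENTITY_TOKEN_FILE into pods that use this service account."""
    return {"apiVersion": "v1", "kind": "ServiceAccount",
            "metadata": {"name": name, "namespace": namespace,
                         "annotations": {"eks.amazonaws.com/role-arn": role_arn}}}


def _b64url(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def projected_token(namespace: str, service_account_name: str,
                    issuer_host: str = OIDC_HOST, audience: str = "sts.amazonaws.com") -> str:
    """Constructed, UNSIGNED token with the claims STS inspects. A real
    projected token is signed by the cluster; only the claim layout is shown."""
    header = {"alg": "RS256", "kid": "example-kid"}
    payload = {"iss": f"https://{issuer_host}",
               "sub": f"system:serviceaccount:{namespace}:{service_account_name}",
               "aud": [audience], "exp": 1734100000}
    return f"{_b64url(header)}.{_b64url(payload)}."


def _claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def would_assume(policy: dict, token: str) -> bool:
    """Mirror of the trust-policy part of AssumeRoleWithWebIdentity: the issuer
    must be the Federated provider named in the statement, then every
    StringEquals / StringLike condition on <issuer>:sub and <issuer>:aud must
    match the token's claims. Signature verification is out of scope here."""
    claims = _claims(token)
    host = claims["iss"].removeprefix("https://")
    ctx = {f"{host}:sub": [claims["sub"]], f"{host}:aud": list(claims["aud"])}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if st["Principal"]["Federated"] != f"arn:aws:iam::{ACCOUNT}:oidc-provider/{host}":
            continue   # token issued by another cluster / provider
        ok = True
        for op, kv in st.get("Condition", {}).items():
            for key, pattern in kv.items():
                values = ctx.get(key, [])
                if op == "StringEquals":
                    ok = ok and pattern in values
                elif op == "StringLike":
                    ok = ok and any(fnmatch.fnmatchcase(v, pattern) for v in values)
                else:
                    ok = False
        if ok:
            return True
    return False
```

The aud condition matters as much as sub: a token projected for another audience (for example the in-cluster API server) must not be exchangeable for AWS credentials, and the check above rejects it for that reason.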

👨‍👨‍👦‍👦 Community discussion: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html
https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html
=> DE


IX. AWS WAF

A company uses AWS to host its public ecommerce website. The website uses an AWS Global Accelerator accelerator for traffic from the internet. The Global Accelerator accelerator forwards the traffic to an Application Load Balancer (ALB) that is the entry point for an Auto Scaling group.
The company recently identified a DDoS attack on the website. The company needs a solution to mitigate future attacks.
Which solution will meet these requirements with the LEAST implementation effort?

  1. Configure an AWS WAF web ACL for the Global Accelerator accelerator to block traffic by using rate-based rules
  2. Configure an AWS Lambda function to read the ALB metrics to block attacks by updating a VPC network ACL
  3. ✅ Configure an AWS WAF web ACL on the ALB to block traffic by using rate-based rules
  4. ❌ Configure an Amazon CloudFront distribution in front of the Global Accelerator accelerator

✨ Keywords:

4️⃣ ❌ -> 3️⃣ ✅

💡 Analysis: How do I use AWS WAF with AWS Global Accelerator to block Layer 7 HTTP method and headers from accessing my application?

You can use AWS WAF with an Application Load Balancer behind Global Accelerator to block access by Layer 7 HTTP methods and headers. In this architecture, AWS WAF applies web access control list (web ACL) rules on the Application Load Balancer, and the load balancer becomes an endpoint of the Global Accelerator. Note: AWS Global Accelerator itself does not support AWS WAF.

User —> Global Accelerator —> Application Load Balancer with AWS WAF —> EC2 instance
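Added example (not code from the original post or from AWS): the WAFv2 rule definition for a rate-based block, which is what option 3 attaches to the ALB in the diagram above, and a local replay of the rule's logic over constructed access-log lines to show which client the rule would start blocking and when. The IPs, paths and timestamps are made up; the replay is a simplification, since WAF evaluates the 5-minute counts roughly every 30 seconds, so blocking in production lags the threshold slightly.

```python
"""Added example, not code from the original post or from AWS: the WAFv2 rule
definition for a rate-based block on the ALB (option 3) and a local replay of
its logic over constructed access-log lines, to show which clients the rule
would start blocking. IPs, paths and timestamps are made up; WAF's real
evaluation runs roughly every 30 seconds, so blocking lags the threshold."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

RATE_LIMIT = 100        # requests per client IP per 5-minute window (assumed limit)
WINDOW = timedelta(minutes=5)


def rate_based_rule(limit: int = RATE_LIMIT, name: str = "RateLimitPerIP") -> dict:
    """WAFv2 web ACL rule: count requests per source IP over a 5-minute window
    and Block the IP while it exceeds `limit`. The web ACL is associated with
    the ALB; WAF cannot be attached to the Global Accelerator in front of it."""
    return {
        "Name": name,
        "Priority": 0,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }


def blocked_requests(log_lines, limit: int = RATE_LIMIT, window: timedelta = WINDOW) -> dict:
    """Replay: per client IP, keep a sliding window of request times; once the
    window holds more than `limit` requests the IP is treated as blocked, and
    every further request while it stays over the limit is counted.
    Log line format (constructed): '<ISO-8601 time> <client ip> <method> <path>'.
    Returns {ip: number of requests the rule would block}."""
    recent = defaultdict(deque)
    blocked = defaultdict(int)
    for line in log_lines:
        ts_text, ip, _method, _path = line.split()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            blocked[ip] += 1
    return dict(blocked)


def sample_log(attacker_hits: int = 150, attacker_ip: str = "203.0.113.7") -> list:
    """Constructed log: one client hammering /checkout once per second and one
    ordinary client browsing every 40 seconds, all within a few minutes."""
    start = datetime(2024, 12, 13, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(seconds: int) -> str:
        return (start + timedelta(seconds=seconds)).isoformat().replace("+00:00", "Z")

    lines = [f"{stamp(i)} {attacker_ip} POST /checkout" for i in range(attacker_hits)]
    lines += [f"{stamp(40 * i)} 198.51.100.20 GET /products" for i in range(4)]
    return sorted(lines)   # replay in time order
```

The useful property of the rate-based statement is that it needs no knowledge of the attacker in advance, which is why it is the least-effort mitigation here; a static IP set or a Lambda that rewrites network ACLs (option 2) has to be told who to block.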

👨‍👨‍👦‍👦 Community discussion: WAF can be applied on ALB, API Gateway or CloudFront.

