
SAA Exam Daily Practice - 2024/12/14


Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
Out of 53 questions (No.966 ~ No.1019), only the 4 that I met for the first time, got wrong, or had doubts about are recorded here; these notes are for my own review only.
If this infringes any rights, please contact me for removal.


I. Amazon RDS automated backups

A company is migrating its on-premises Oracle database to an Amazon RDS for Oracle database. The company needs to retain data for 90 days to meet regulatory requirements. The company must also be able to restore the database to a specific point in time for up to 14 days.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Create Amazon RDS automated backups. Set the retention period to 90 days.
  2. Create an Amazon RDS manual snapshot every day. Delete manual snapshots that are older than 90 days.
  3. ❌ Use the Amazon Aurora Clone feature for Oracle to create a point-in-time restore. Delete clones that are older than 90 days.
  4. ✅ Create a backup plan that has a retention period of 90 days by using AWS Backup for Amazon RDS.

✨ Key points:

3️⃣ ❌ -> 4️⃣ ✅

💡 Analysis: Backing up and restoring Amazon RDS with AWS Backup

g. Enable continuous backups for point-in-time recovery - With continuous backups, you can perform a point-in-time restore (PITR) by choosing a recovery time, accurate to the second. The maximum gap between the current state of the workload and the most recent point-in-time restore is 5 minutes. Continuous backups can be stored for up to 35 days. If you do not enable continuous backups, AWS Backup takes snapshot backups for you.

Continuous backups can be retained for at most 35 days, so 3️⃣ is wrong.

Backup retention period

After you create a DB instance or cluster, you can modify the backup retention period. You can set the backup retention period of a DB instance to between 0 and 35 days. To disable automated backups, set the backup retention period to 0. For Multi-AZ DB clusters, you can set the backup retention period to between 1 and 35 days. The manual snapshot limit (100 per Region) does not apply to automated backups.

The retention period of automated backups is also capped at 35 days, so only 4️⃣ is correct.

👨‍👨‍👦‍👦 Community discussion: A: Amazon RDS automated backups support a maximum retention period of 35 days. This option does not meet the requirement to retain backups for 90 days.
B: This approach requires manual snapshot management, including scheduling snapshots and deleting old ones. This increases operational overhead and is prone to human error.
C: This option is not applicable as Aurora Clone is a feature specific to Amazon Aurora and not available for Amazon RDS for Oracle. Additionally, it would require manual management of clones, increasing complexity.
D: AWS Backup supports point-in-time recovery for Amazon RDS, enabling you to restore the database to any specific point within the defined retention period, up to 35 days. For the requirement of 14 days, AWS Backup easily supports this capability.
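The following is an added example, not code from the original post or from AWS: it builds an AWS Backup plan for the RDS for Oracle instance with a daily snapshot rule retained for 90 days plus a continuous-backup rule for 14-day point-in-time recovery, and checks the plan against the two 35-day limits quoted above before anything is sent to the API. The plan layout follows the `BackupPlan` request shape of boto3's `backup.create_backup_plan`; the vault name, plan name and schedule are assumptions of mine.

```python
"""Added example (not from the original post): build and sanity-check an AWS
Backup plan for an RDS instance that must keep backups for 90 days and offer
point-in-time recovery for 14 days.

Assumptions: the dict layout mirrors boto3's backup.create_backup_plan
request; vault name, plan name and cron schedule are placeholders.
"""
from __future__ import annotations

# Limits quoted in the notes above.
MAX_CONTINUOUS_BACKUP_DAYS = 35    # AWS Backup continuous backups (PITR)
MAX_RDS_AUTOMATED_BACKUP_DAYS = 35  # RDS automated backup retention


def build_rds_backup_plan(snapshot_retention_days: int, pitr_days: int,
                          vault_name: str = "rds-oracle-vault") -> dict:
    """Return an AWS Backup plan with two rules:
    - daily snapshots kept for `snapshot_retention_days` (can exceed 35)
    - continuous backups enabling PITR for `pitr_days` (must be <= 35)."""
    return {
        "BackupPlanName": "rds-oracle-90d-retention",  # assumed name
        "Rules": [
            {
                "RuleName": "daily-snapshot",
                "TargetBackupVaultName": vault_name,
                "ScheduleExpression": "cron(0 3 * * ? *)",  # 03:00 UTC daily
                "Lifecycle": {"DeleteAfterDays": snapshot_retention_days},
            },
            {
                "RuleName": "continuous-pitr",
                "TargetBackupVaultName": vault_name,
                "ScheduleExpression": "cron(0 3 * * ? *)",
                "EnableContinuousBackup": True,
                "Lifecycle": {"DeleteAfterDays": pitr_days},
            },
        ],
    }


def check_plan(plan: dict, required_retention_days: int,
               required_pitr_days: int) -> list[str]:
    """Return the list of problems found; an empty list means the plan meets
    both requirements within the limits quoted in the notes."""
    problems: list[str] = []
    longest_retention = 0
    longest_pitr = 0
    for rule in plan["Rules"]:
        days = rule.get("Lifecycle", {}).get("DeleteAfterDays", 0)
        if rule.get("EnableContinuousBackup"):
            if days > MAX_CONTINUOUS_BACKUP_DAYS:
                problems.append(
                    f"{rule['RuleName']}: continuous backups are limited to "
                    f"{MAX_CONTINUOUS_BACKUP_DAYS} days, got {days}")
            longest_pitr = max(longest_pitr, days)
        else:
            longest_retention = max(longest_retention, days)
    if longest_retention < required_retention_days:
        problems.append(f"no snapshot rule retains backups for "
                        f"{required_retention_days} days (max {longest_retention})")
    if longest_pitr < required_pitr_days:
        problems.append(f"no continuous-backup rule covers "
                        f"{required_pitr_days} days of PITR (max {longest_pitr})")
    return problems


def rds_automated_backups_sufficient(required_retention_days: int) -> bool:
    """Option A of the question: RDS automated backups alone cannot exceed
    35 days of retention."""
    return required_retention_days <= MAX_RDS_AUTOMATED_BACKUP_DAYS


def create_plan(backup_client, plan: dict) -> str:
    """Send the plan to AWS Backup (needs credentials); returns the plan id."""
    return backup_client.create_backup_plan(BackupPlan=plan)["BackupPlanId"]


if __name__ == "__main__":
    plan = build_rds_backup_plan(snapshot_retention_days=90, pitr_days=14)
    print("problems:", check_plan(plan, 90, 14))
    print("RDS automated backups enough for 90 days?",
          rds_automated_backups_sufficient(90))
```

Running the checker against a plan whose continuous-backup rule asks for 90 days reproduces the 35-day limit the notes point out, while the snapshot rule is what actually carries the 90-day regulatory retention.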


II. IAM Identity Center

A company is building a cloud-based application on AWS that will handle sensitive customer data. The application uses Amazon RDS for the database, Amazon S3 for object storage, and S3 Event Notifications that invoke AWS Lambda for serverless processing.
The company uses AWS IAM Identity Center to manage user credentials. The development, testing, and operations teams need secure access to Amazon RDS and Amazon S3 while ensuring the confidentiality of sensitive customer data. The solution must comply with the principle of least privilege.
Which solution meets these requirements with the LEAST operational overhead?

  1. Use IAM roles with least privilege to grant all the teams access. Assign IAM roles to each team with customized IAM policies defining specific permission for Amazon RDS and S3 object access based on team responsibilities.
  2. ✅ Enable IAM Identity Center with an Identity Center directory. Create and configure permission sets with granular access to Amazon RDS and Amazon S3. Assign all the teams to groups that have specific access with the permission sets.
  3. Create individual IAM users for each member in all the teams with role-based permissions. Assign the IAM roles with predefined policies for RDS and S3 access to each user based on user needs. Implement IAM Access Analyzer for periodic credential evaluation.
  4. Use AWS Organizations to create separate accounts for each team. Implement cross-account IAM roles with least privilege. Grant specific permission for RDS and S3 access based on team roles and responsibilities.

✨ Key points:

2️⃣ ✅

💡 Analysis: What is IAM Identity Center?

AWS IAM Identity Center is an AWS solution for connecting your workforce users to AWS managed applications (such as Amazon Q Developer and Amazon QuickSight) and to other AWS resources. You can connect an existing identity provider and synchronize users and groups from your directory, or create and manage your users directly in IAM Identity Center.
You can then use IAM Identity Center for one or both of the following:

  • User access to applications
  • User access to AWS accounts

Using IAM Identity Center to access AWS managed applications requires no changes to your current AWS account workflows. If you are using federation with IAM, or IAM users, to access AWS accounts, your users can continue to access those accounts the same way, and you can keep managing that access with your existing workflows.

👨‍👨‍👦‍👦 Community discussion: IAM Identity Center: This service simplifies user management by centralizing credentials and access control.
Permission Sets: You can create granular permission sets that align with the principle of least privilege, ensuring that each team has only the access they need.
Group Assignments: By assigning teams to groups with specific permission sets, you streamline access management and reduce the complexity of individual user permissions.

This approach minimizes operational overhead while maintaining secure and compliant access to sensitive customer data.


III. AWSEC2-PatchLoadBalancerInstance

A company uses AWS Systems Manager for routine management and patching of Amazon EC2 instances. The EC2 instances are in an IP address type target group behind an Application Load Balancer (ALB).
New security protocols require the company to remove EC2 instances from service during a patch. When the company attempts to follow the security protocol during the next patch, the company receives errors during the patching window.
Which combination of solutions will resolve the errors? (Choose two.)

  1. ❌ Change the target type of the target group from IP address type to instance type.
  2. Continue to use the existing Systems Manager document without changes because it is already optimized to handle instances that are in an IP address type target group behind an ALB.
  3. ✅ Implement the AWSEC2-PatchLoadBalancerInstance Systems Manager Automation document to manage the patching process.
  4. ✅ Use Systems Manager Maintenance Windows to automatically remove the instances from service to patch the instances.
  5. ❌ Configure Systems Manager State Manager to remove the instances from service and manage the patching schedule. Use ALB health checks to re-route traffic.

✨ Key points:

1️⃣ 5️⃣ ❌ -> 3️⃣ 4️⃣ ✅

💡 Analysis: AWSEC2-PatchLoadBalancerInstance

Upgrades and patches the minor version of an Amazon EC2 instance (Windows or Linux) that is attached to any load balancer (Classic, ALB, or NLB). Before the instance is patched, the default connection drain time is applied. You can override that wait time by giving the ConnectionDrainTime parameter a custom drain time in minutes (1-59).
The automation workflow is as follows:

  1. Identifies the load balancer or target group the instance is attached to, and verifies that the instance is healthy.
  2. Removes the instance from the load balancer or target group.
  3. Waits for the period specified as the connection drain time.
  4. Invokes the AWS-RunPatchBaseline automation to patch the instance.
  5. Reattaches the instance to the load balancer or target group.

👨‍👨‍👦‍👦 Community discussion: https://docs.aws.amazon.com/systems-manager-automation-runbooks/latest/userguide/automation-awsec2-patch-load-balancer-instance.html
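As an added example (not code from the original post or from the runbook itself), this starts the AWSEC2-PatchLoadBalancerInstance runbook for one instance through boto3, validating the 1-59 minute range of ConnectionDrainTime quoted above before the call. ConnectionDrainTime is the parameter named on this page; the `InstanceId` and `AutomationAssumeRole` parameter names are assumed from my knowledge of the runbook, and the instance id and role ARN are placeholders.

```python
"""Added example, not from the original post: invoke the
AWSEC2-PatchLoadBalancerInstance runbook with a validated drain time.

Assumptions: InstanceId / AutomationAssumeRole parameter names (not stated on
the page); instance id and role ARN below are placeholders.
"""
from __future__ import annotations

RUNBOOK = "AWSEC2-PatchLoadBalancerInstance"
MIN_DRAIN_MINUTES, MAX_DRAIN_MINUTES = 1, 59  # range quoted in the notes


def drain_time_is_valid(minutes: int) -> bool:
    """ConnectionDrainTime must be a whole number of minutes in 1..59."""
    return isinstance(minutes, int) and MIN_DRAIN_MINUTES <= minutes <= MAX_DRAIN_MINUTES


def build_patch_parameters(instance_id: str, drain_minutes: int | None = None,
                           assume_role_arn: str | None = None) -> dict:
    """Build the Parameters map for ssm.start_automation_execution.
    Systems Manager expects every parameter value as a list of strings."""
    if not instance_id.startswith("i-"):
        raise ValueError(f"not an EC2 instance id: {instance_id}")
    params = {"InstanceId": [instance_id]}  # assumed parameter name
    if drain_minutes is not None:
        if not drain_time_is_valid(drain_minutes):
            raise ValueError(
                f"ConnectionDrainTime must be {MIN_DRAIN_MINUTES}-"
                f"{MAX_DRAIN_MINUTES} minutes, got {drain_minutes}")
        params["ConnectionDrainTime"] = [str(drain_minutes)]
    if assume_role_arn:
        params["AutomationAssumeRole"] = [assume_role_arn]  # assumed name
    return params


def start_patch(ssm_client, instance_id: str, drain_minutes: int | None = None,
                assume_role_arn: str | None = None) -> str:
    """Start the runbook (needs AWS credentials) and return the execution id
    so the patch can be tracked with describe_automation_executions."""
    response = ssm_client.start_automation_execution(
        DocumentName=RUNBOOK,
        Parameters=build_patch_parameters(instance_id, drain_minutes, assume_role_arn),
    )
    return response["AutomationExecutionId"]


if __name__ == "__main__":
    import boto3
    ssm = boto3.client("ssm")
    # Placeholder instance id; the runbook deregisters it from its target
    # group, waits 10 minutes for connections to drain, patches, re-registers.
    print(start_patch(ssm, "i-0123456789abcdef0", drain_minutes=10))
```

Registering this runbook as the task of a Maintenance Window (option 4 of the question) gives the same sequence on a schedule; either way the draining and re-registration are done by the automation rather than by the patch baseline step alone.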


IV. Allow IPs for API Gateway

A company is developing an application in the AWS Cloud. The application’s HTTP API contains critical information that is published in Amazon API Gateway. The critical information must be accessible from only a limited set of trusted IP addresses that belong to the company’s internal network.
Which solution will meet these requirements?

  1. Set up an API Gateway private integration to restrict access to a predefined set of IP addresses.
  2. ✅ Create a resource policy for the API that denies access to any IP address that is not specifically allowed.
  3. Directly deploy the API in a private subnet. Create a network ACL. Set up rules to allow the traffic from specific IP addresses.
  4. ❌ Modify the security group that is attached to API Gateway to allow inbound traffic from only the trusted IP addresses.

✨ Key points:

4️⃣ ❌ -> 2️⃣ ✅

💡 Analysis: How do I allow only specific IP addresses to access my API Gateway REST API?

Create and attach a resource policy that allows only specific IP addresses to access your API Gateway REST API.

👨‍👨‍👦‍👦 Community discussion: answer B
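The following is an added example, not code from the original post or from AWS documentation: it builds the resource policy pattern behind answer B (an Allow for execute-api:Invoke paired with a Deny whose NotIpAddress condition lists the trusted ranges) and includes a small evaluator that shows how the policy decides a request from a given source IP. The CIDR ranges are constructed documentation ranges, and the evaluator is a deliberately reduced model of IAM evaluation (explicit Deny beats Allow, only the aws:SourceIp condition operators).

```python
"""Added example (not from the original post): API Gateway resource policy
that denies execute-api:Invoke from any source IP outside an allow list, plus
a reduced simulation of how IAM evaluates it.

Assumptions: TRUSTED holds constructed documentation ranges; the evaluator
only models IpAddress / NotIpAddress on aws:SourceIp and explicit-deny-wins.
"""
import ipaddress
import json


def build_allowlist_policy(trusted_cidrs) -> dict:
    """Allow everyone, then explicitly deny everyone NOT in the trusted ranges.
    The Deny is what enforces the allow list, because an explicit Deny always
    overrides an Allow in IAM evaluation."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "execute-api:Invoke",
                "Resource": "execute-api:/*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": list(trusted_cidrs)}},
            },
        ],
    }


def _in_any(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition: dict, source_ip: str) -> bool:
    """All condition operators must be satisfied for the statement to apply."""
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp", [])
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        inside = _in_any(source_ip, cidrs)
        if operator == "IpAddress" and not inside:
            return False
        if operator == "NotIpAddress" and inside:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported operator in this model: {operator}")
    return True


def invoke_allowed(policy: dict, source_ip: str) -> bool:
    """True if execute-api:Invoke is allowed for source_ip: any applicable
    Deny wins; otherwise an applicable Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt["Action"] != "execute-api:Invoke":
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


TRUSTED = ["203.0.113.0/24", "198.51.100.8/32"]  # constructed corporate ranges
POLICY = build_allowlist_policy(TRUSTED)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for ip in ("203.0.113.40", "198.51.100.8", "198.51.100.9", "192.0.2.1"):
        print(ip, "allowed" if invoke_allowed(POLICY, ip) else "denied")
```

Two practical points the question leaves implicit: aws:SourceIp is the public address the request reaches API Gateway with, so internal clients behind a NAT gateway must be listed by that NAT's public address, and a resource policy change only takes effect for a REST API after the API is deployed again to its stage.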

