SAA-C03 #2 Comprehensive Questions with Verified Answers
Graded A+
1. A food company is building a high availability application to collect customer feedback about its products. This application will be deployed on 3 EC2 instances and will run for one year (24/7), then be retired.
What is the MOST cost-effective way to purchase compute for this platform?
Spot Instances
Scheduled Reserved Instances
On-Demand Instances
Standard Reserved Instances
Answer: Standard Reserved Instances
2. You are a Solutions Architect at a travel agency and you need to give the development team secure access to the web servers, which reside in a private subnet and are not accessible from the internet. The web servers must be accessed via SSH connectivity originating from the corporate network only.
What are the required steps to provide this secure access? (Choose 2)
Configure inbound network ACL to accept all SSH traffic from the corporate network
Create IAM roles with least permission to access to web servers and assign to bastion host
Create IAM user with permission to access to web servers and assign to bastion host
Create a bastion host with security group rules that only allow traffic from the corporate network
Open an SSH port on the security group for web servers and set the source to bastion host.
Answer: Create a bastion host with security group rules that only allow traffic from the corporate network
Open an SSH port on the security group for web servers and set the source to bastion host.
3. A company has a VPC with a private subnet. Some services running inside the private subnet need to access the internet using IPv6 traffic.
Which service can be used to deliver this solution in the MOST cost-effective and scalable manner?
Egress-only internet gateway
Proxy instance
NAT instance
NAT gateway
Answer: Egress-only internet gateway
4. You are the AWS Chief Architect at a startup company. The company has a legacy application which is running in AWS and connects to the on-premises data center through a VPN connection. You need to log all traffic over the VPN.
Which AWS service can be used in this case?
Amazon VPC Flow Logs
ELB Access Logs
AWS CloudTrail Logs
Amazon CloudWatch Logs
Answer: Amazon VPC Flow Logs
5. A government university has a two-tier website; each tier consists
of Amazon EC2 instances behind an Application Load Balancer. All
of the EC2 instances run in Auto Scaling groups across two
Availability Zones. Only the web server's load balancer will be
exposed to the Internet.
What is the best secure VPC subnet design in each Availability Zone?