NEW QUESTION # 103
A company operates a group of imaging satellites. The satellites stream data to one of the company's ground stations where processing creates about 5 GB of images per minute. This data is added to network-attached storage, where 2 PB of data are already stored.
The company runs a website that allows its customers to access and purchase the images over the Internet. This website is also running in the ground station. Usage analysis shows that customers are most likely to access images that have been captured in the last 24 hours.
The company would like to migrate the image storage and distribution system to AWS to reduce costs and increase the number of customers that can be served.
Which AWS architecture and migration strategy will meet these requirements?
- A. Use multiple AWS Snowball appliances to migrate the existing imagery to Amazon S3. Create a 1-Gb AWS Direct Connect connection from the ground station to AWS, and upload new data to Amazon S3 through the Direct Connect connection. Migrate the data distribution website to Amazon EC2 instances. By using Amazon S3 as an origin, have this website serve the data through Amazon CloudFront by creating signed URLs.
- B. Create a 1-Gb Direct Connect connection from the ground station to AWS. Use the AWS Command Line Interface to copy the existing data and upload new data to Amazon S3 over the Direct Connect connection. Migrate the data distribution website to EC2 instances. By using Amazon S3 as an origin, have this website serve the data through CloudFront by creating signed URLs.
- C. Use multiple Snowball appliances to migrate the existing images to an Amazon EFS file system. Create a 1-Gb Direct Connect connection from the ground station to AWS, and upload new data by mounting the EFS file system over the Direct Connect connection. Migrate the data distribution website to EC2 instances. By using webservers in EC2 that mount the EFS file system as the origin, have this website serve the data through CloudFront by creating signed URLs.
- D. Use multiple Snowball appliances to migrate the existing images to Amazon S3. Upload new data by regularly using Snowball appliances to upload data from the network-attached storage. Migrate the data distribution website to EC2 instances. By using Amazon S3 as an origin, have this website serve the data through CloudFront by creating signed URLs.
Answer: A
Explanation:
B: This will take too long.
C: The users will not be able to access the data in the last 24 hours this way.
D: Although EFS would work and it has higher performance, it's almost 10x more expensive than S3 and hence does not meet the criteria of reducing cost.
NEW QUESTION # 104
A company is finalizing the architecture for its backup solution for applications running on AWS. All of the applications run on AWS and use at least two Availability Zones in each tier.
Company policy requires IT to durably store nightly backups of all its data in at least two locations: production and disaster recovery. The locations must be in different geographic regions. The company also needs the backup to be available to restore immediately at the production data center, and within 24 hours at the disaster recovery location. All backup processes must be fully automated.
What is the MOST cost-effective backup solution that will meet all requirements?
- A. Back up all the data to a large Amazon EBS volume attached to the backup media server in the production region. Run automated scripts to snapshot these volumes nightly, and copy these snapshots to the disaster recovery region.
- B. Back up all the data to Amazon Glacier in the production region. Set up cross-region replication of this data to Amazon Glacier in the disaster recovery region. Set up a lifecycle policy to delete any data older than 60 days.
- C. Back up all the data to Amazon S3 in the disaster recovery region. Use a lifecycle policy to move this data to Amazon Glacier in the production region immediately. Once the data is replicated, remove the data from the S3 bucket in the disaster recovery region.
- D. Back up all the data to Amazon S3 in the production region. Set up cross-region replication of this S3 bucket to another region and set up a lifecycle policy in the second region to immediately move this data to Amazon Glacier.
Answer: D
NEW QUESTION # 105
A company experienced a breach of highly confidential personal information due to permission issues on an Amazon S3 bucket. The information security team has tightened the bucket policy to restrict access.
Additionally, to be better prepared for future attacks, these requirements must be met:
* Identify remote IP addresses that are accessing the bucket objects.
* Receive alerts when the security policy on the bucket is changed.
* Remediate the policy changes automatically.
Which strategies should the solutions architect use?
- A. Use Amazon Macie with an S3 bucket to identify access patterns and remote IP addresses. Use AWS Lambda with Macie to automatically remediate S3 bucket policy changes. Use Macie automatic alerting capabilities for alerts.
- B. Use Amazon CloudWatch Logs with CloudWatch filters to identify remote IP addresses. Use CloudWatch Events rules with AWS Lambda to automatically remediate S3 bucket policy changes. Use Amazon SES with CloudWatch Events rules for alerts.
- C. Use Amazon Athena with S3 access logs to identify remote IP addresses. Use AWS Config rules with AWS Systems Manager Automation to automatically remediate S3 bucket policy changes. Use Amazon SNS with AWS Config rules for alerts.
- D. Use S3 access logs with Amazon Elasticsearch Service and Kibana to identify remote IP addresses. Use an Amazon Inspector assessment template to automatically remediate S3 bucket policy changes. Use Amazon SNS for alerts.
Answer: C
NEW QUESTION # 106
A company receives clickstream data files to Amazon S3 every five minutes. A Python script runs as a cron job once a day on an Amazon EC2 instance to process each file and load it into a database hosted on Amazon RDS. The cron job takes 15 to 30 minutes to process 24 hours of data. The data consumers ask for the data to be available as soon as possible.
Which solution would accomplish the desired outcome?
- A. Convert the cron job to an AWS Lambda function and trigger this new function using a cron job on an EC2 instance.
- B. Create an AWS Lambda function that runs when a file is delivered to Amazon S3 using S3 event notifications.
- C. Convert the cron job to an AWS Lambda function and schedule it to run once an hour using Amazon CloudWatch events.
- D. Increase the size of the instance to speed up processing and update the schedule to run once an hour.
Answer: B
Explanation:
A: Will not help.
B: Not feasible since it is based on a schedule not event.
C: This is still based on schedule.
https://docs.aws.amazon.com/lambda/latest/dg/with-s3.html
NEW QUESTION # 107
A company has deployed an application to multiple environments in AWS, including production and testing. The company has separate accounts for production and testing, and users are allowed to create additional application users for team members or services, as needed. The Security team has asked the Operations team for better isolation between production and testing with centralized controls on security credentials and improved management of permissions between environments.
Which of the following options would MOST securely accomplish this goal?
- A. Create a script that runs on each account that checks user accounts for adherence to a security policy. Disable any user or service accounts that do not comply.
- B. Modify permissions in the production and testing accounts to limit creating new IAM users to members of the Operations team. Set a strong IAM password policy on each account. Create new IAM users and groups in each account to limit developer access to just the services required to complete their job function.
- C. Create a new AWS account to hold user and service accounts, such as an identity account. Create users and groups in the identity account. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.
- D. Create all user accounts in the production account. Create roles for access in the production account and testing accounts. Grant cross-account access from the production account to the testing account.
Answer: C
Explanation:
A: By centralizing users to a single account, a user can access the prod and test using assume role. This ensures that all actions are properly logged and is the most secure. Adapted from this article: https://aws.amazon.com/blogs/security/how-to-centralize-and-automate-iam-policy-creation-in-sandbox-development-and-test-environments/
B: This means the test users will still need to be created. The problem with test users is always security. Who is the actual person behind the scenes carrying out those specific actions? This is unlikely to be the most secure option.
C: Any answer that asks you to write a script is very unlikely to be the answer.
D: This seems to be able to work too which is similar to A.
But the Security team already asked for "better isolation with centralized controls".
NEW QUESTION # 108
A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer. The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application.
How should a solutions architect configure the web ACLs to meet these requirements?
- A. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
- B. Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.
- C. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.
- D. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.
Answer: D
NEW QUESTION # 109
A company wants to use Amazon WorkSpaces in combination with thin client devices to replace aging desktops. Employees use the desktops to access applications that work with clinical trial data. Corporate security policy states that access to the applications must be restricted to only company branch office locations. The company is considering adding an additional branch office in the next 6 months.
Which solution meets these requirements with the MOST operational efficiency?
- A. Create an IP access control group rule with the list of public addresses from the branch offices. Associate the IP access control group with the WorkSpaces directory.
- B. Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public addresses from the branch office locations. Associate the web ACL with the WorkSpaces directory.
- C. Create a custom WorkSpace image with Windows Firewall configured to restrict access to the public addresses of the branch offices. Use the image to deploy the WorkSpaces.
- D. Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines deployed in the branch office locations. Enable restricted access on the WorkSpaces directory.
Answer: D
NEW QUESTION # 110
A user is planning to host a web server as well as an app server on a single EC2 instance which is a part of the public subnet of a VPC.
How can the user set up the instance to have two separate public IPs and separate security groups for both the application and the web server?
- A. Launch VPC with two separate subnets and make the instance a part of both the subnets.
- B. Launch a VPC instance with two network interfaces. Assign a separate security group to each and AWS will assign a separate public IP to them.
- C. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subnet.
- D. Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them.
Answer: D
Explanation:
If you need to host multiple websites (with different IPs) on a single EC2 instance, the following is the suggested method from AWS.
* Launch a VPC instance with two network interfaces.
* Assign elastic IPs from the VPC EIP pool to those interfaces (because, when the user has attached more than one network interface to an instance, AWS cannot assign public IPs to them).
* Assign separate Security Groups if separate Security Groups are needed.

This scenario also helps for operating network appliances, such as firewalls or load balancers that have multiple private IP addresses for each network interface.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html
NEW QUESTION # 111
A company CFO recently analyzed the company's AWS monthly bill and identified an opportunity to reduce the cost for AWS Elastic Beanstalk environments in use. The CFO has asked a Solutions Architect to design a highly available solution that will spin up an Elastic Beanstalk environment in the morning and terminate it at the end of the day.
The solution should be designed with minimal operational overhead and to minimize costs. It should also be able to handle the increased use of Elastic Beanstalk environments among different teams, and must provide a one-stop scheduler solution for all teams to keep the operational costs low.
What design will meet these requirements?
- A. Set up a Linux EC2 Micro instance. Configure an IAM role to allow the start and stop of the Elastic Beanstalk environment and attach it to the instance. Create scripts on the instance to start and stop the Elastic Beanstalk environment. Configure cron jobs on the instance to execute the scripts.
- B. Configure a time-based Auto Scaling group. In the morning, have the Auto Scaling group scale up an Amazon EC2 instance and put the Elastic Beanstalk environment start command in the EC2 instance user data. At the end of the day, scale down the instance number to 0 to terminate the EC2 instance.
- C. Develop AWS Lambda functions to start and stop the Elastic Beanstalk environment. Configure a Lambda execution role granting Elastic Beanstalk environment start/stop permissions, and assign the role to the Lambda functions. Configure cron expression Amazon CloudWatch Events rules to trigger the Lambda functions.
- D. Develop an AWS Step Functions state machine with "wait" as its type to control the start and stop time. Use the activity task to start and stop the Elastic Beanstalk environment. Create a role for Step Functions to allow it to start and stop the Elastic Beanstalk environment. Invoke Step Functions daily.
Answer: C
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/schedule-elastic-beanstalk-stop-restart/
NEW QUESTION # 112
When does an AWS Data Pipeline terminate the AWS Data Pipeline-managed compute resources?
- A. When the final activity that uses the resources is running
- B. AWS Data Pipeline terminates AWS Data Pipeline-managed compute resources every 12 hours.
- C. When the final activity that uses the resources has completed successfully or failed
- D. AWS Data Pipeline terminates AWS Data Pipeline-managed compute resources every 2 hours.
Answer: C
Explanation:
Compute resources will be provisioned by AWS Data Pipeline when the first activity for a scheduled time that uses those resources is ready to run, and those instances will be terminated when the final activity that uses the resources has completed successfully or failed.
https://aws.amazon.com/datapipeline/faqs/
NEW QUESTION # 113
A solutions architect is performing a security review of a recently migrated workload. The workload is a web application that consists of Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The solutions architect must improve the security posture and minimize the impact of a DDoS attack on resources.
Which solution is MOST effective?
- A. Create a custom AWS Lambda function that adds identified attacks into a common vulnerability pool to capture a potential DDoS attack. Use the identified information to modify a network ACL to block access.
- B. Enable Amazon GuardDuty and configure findings written to Amazon CloudWatch. Create an event with CloudWatch Events for DDoS alerts that triggers Amazon Simple Notification Service (Amazon SNS). Have Amazon SNS invoke a custom AWS Lambda function that parses the logs, looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.
- C. Enable VPC Flow Logs and store them in Amazon S3. Create a custom AWS Lambda function that parses the logs looking for a DDoS attack. Modify a network ACL to block identified source IP addresses.
- D. Configure an AWS WAF ACL with rate-based rules. Create an Amazon CloudFront distribution that points to the Application Load Balancer. Enable the WAF ACL on the CloudFront distribution.
Answer: A
NEW QUESTION # 114
Regarding Identity and Access Management (IAM), which type of special account belonging to your application allows your code to access Google services programmatically?
- A. Simple Key
- B. Code account
- C. Service account
- D. OAuth
Answer: C
Explanation:
A service account is a special Google account that can be used by applications to access Google services programmatically. This account belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren't directly involved.
A service account can have zero or more pairs of service account keys, which are used to authenticate to Google. A service account key is a public/private key pair generated by Google. Google retains the public key, while the user is given the private key.
https://cloud.google.com/iam/docs/service-accounts
NEW QUESTION # 115
You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet.
The application must have a highly available architecture.
Which alternatives should you consider? (Choose 2)
- A. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address.
- B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront distribution.
- C. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.
- D. Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.
- E. Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route53 A record that points to the EIP.
Answer: C,D
NEW QUESTION # 116
A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB to 10 GB.
Users who access the app from Australia have experienced uploads that take long periods of time. Sometimes the files fail to completely upload for these users. A solutions architect must improve the app's performance for these uploads.
Which solutions will meet these requirements? (Select TWO.)
- A. Configure the app to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.
- B. Modify the app to add random prefixes to the files before uploading.
- C. Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.
- D. Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.
- E. Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the files to the distribution S3 bucket.
Answer: A,C
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-upload-large-files/
Enabling S3 Transfer Acceleration on the S3 bucket and configuring the app to use the Transfer Acceleration endpoint for uploads will improve the app's performance for these uploads by leveraging Amazon CloudFront's globally distributed edge locations to accelerate the uploads. Breaking the video files into chunks and using a multipart upload to transfer files to Amazon S3 will also improve the app's performance by allowing parts of the file to be uploaded in parallel, reducing the overall upload time.
NEW QUESTION # 117
Does Autoscaling automatically assign tags to resources?
- A. No, it does not.
- B. Yes, by default.
- C. No, not unless they are configured via API.
- D. Yes, it does.
Answer: D
Explanation:
Tags don't have any semantic meaning to Amazon EC2 and are interpreted strictly as a string of characters.
Tags are assigned automatically to the instances created by an Auto Scaling group. Auto Scaling adds a tag to the instance with a key of aws:autoscaling:groupName and a value of the name of the Auto Scaling group.
http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Using_Tags.html
NEW QUESTION # 118
You are designing a multi-platform web application for AWS. The application will run on EC2 instances and will be accessed from PCs, tablets and smart phones. Supported accessing platforms are Windows, MacOS, IOS and Android. Separate sticky session and SSL certificate setups are required for different platform types. Which of the following describes the most cost effective and performance efficient architecture setup?
- A. Assign multiple ELBs to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type. Session stickiness and SSL termination are done at the ELBs.
- B. Set up one ELB for all platforms to distribute load among multiple instances under it. Each EC2 instance implements all functionality for a particular platform.
- C. Set up a hybrid architecture to handle session state and SSL certificates on-prem and separate EC2 instance groups running web applications for different platform types running in a VPC.
- D. Set up two ELBs. The first ELB handles SSL certificates for all platforms and the second ELB handles session stickiness for all platforms. For each ELB, run separate EC2 instance groups to handle the web application for each platform.
Answer: A
NEW QUESTION # 119
A user has created a VPC with CIDR 20.0.0.0/16 using the VPC wizard. The user has created public and VPN only subnets along with hardware VPN access to connect to the user's data centre. The user has not yet launched any instance as well as modified or deleted any setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?
- A. No, since the NAT instance is running, the user cannot delete the VPC.
- B. Yes, the user can detach the virtual private gateway and then use the VPC console to delete the VPC.
- C. No, the VPC console needs to be accessed using an administrator account to delete the VPC.
- D. Yes, the user can use the CLI to delete the VPC that will detach the virtual private gateway automatically.
Answer: B
Explanation:
You can delete your VPC at any time (for example, if you decide it's too small). However, you must terminate all instances in the VPC first. When you delete a VPC using the VPC console, Amazon deletes all its components, such as subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP options. If you have a VPN connection, you don't have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway).
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPC_Deleting
NEW QUESTION # 120
A company deployed a three-tier web application in two regions: us-east-1 and eu-west-1. The application must be active in both regions at the same time. The database tier of the application uses a single Amazon RDS Aurora database globally, with a master in us-east-1 and a read replica in eu-west-1. Both regions are connected by a VPN.
The company wants to ensure that the application remains available even in the event of a region-level failure of all of the application's components. It is acceptable for the application to be in read-only mode for up to 1 hour. The company plans to configure two Amazon Route 53 record sets, one for each of the regions.
How should the company complete the configuration to meet its requirements while providing the lowest latency for the application end-users? (Choose two.)
- A. Use weighted routing and configure each record set with a weight of 50. Configure an HTTP health check for each region, and attach it to the record set for that region.
- B. Configure an Amazon CloudWatch alarm for the health checks in us-east-1, and have it invoke an AWS Lambda function that promotes the read replica in eu-west-1.
- C. Use failover routing and configure the us-east-1 record set as primary and the eu-west-1 record set as secondary. Configure an HTTP health check for the web application in us-east-1, and associate it to the us-east-1 record set.
- D. Use latency-based routing for both record sets. Configure a health check for each region and attach it to the record set for that region.
- E. Configure Amazon RDS event notifications to react to the failure of the database in us-east-1 by invoking an AWS Lambda function that promotes the read replica in eu-west-1.
Answer: C,E
NEW QUESTION # 121
A company runs a new application as a static website in Amazon S3. The company has deployed the application to a production AWS account and uses Amazon CloudFront to deliver the website. The website calls an Amazon API Gateway REST API. An AWS Lambda function backs each API method.
The company wants to create a CSV report every 2 weeks to show each API Lambda function's recommended configured memory, recommended cost, and the price difference between current configurations and the recommendations. The company will store the reports in an S3 bucket.
Which solution will meet these requirements with the LEAST development time?
- A. Opt in to AWS Compute Optimizer. Create a Lambda function that calls the ExportLambdaFunctionRecommendations operation. Export the .csv file to an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda function to run every 2 weeks.
- B. Opt in to AWS Compute Optimizer. Set up enhanced infrastructure metrics. Within the Compute Optimizer console, schedule a job to export the Lambda recommendations to a .csv file. Store the file in an S3 bucket every 2 weeks.
- C. Create a Lambda function that extracts metrics data for each API Lambda function from Amazon CloudWatch Logs for the 2-week period. Collate the data into tabular format. Store the data as a .csv file in an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda function to run every 2 weeks.
- D. Purchase the AWS Business Support plan for the production account. Opt in to AWS Compute Optimizer for AWS Trusted Advisor checks. In the Trusted Advisor console, schedule a job to export the cost optimization checks to a .csv file. Store the file in an S3 bucket every 2 weeks.
Answer: A
NEW QUESTION # 122
A health insurance company stores personally identifiable information (PII) in an Amazon S3 bucket. The company uses server-side encryption with S3 managed encryption keys (SSE-S3) to encrypt the objects.
According to a new requirement, all current and future objects in the S3 bucket must be encrypted by keys that the company's security team manages. The S3 bucket does not have versioning enabled.
Which solution will meet these requirements?
- A. In the S3 bucket properties, change the default encryption to AES-256 with a customer managed key. Attach a policy to deny unencrypted PutObject requests to any entities that access the S3 bucket. Use the AWS CLI to re-upload all objects in the S3 bucket.
- B. In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to automatically encrypt objects on GetObject and PutObject requests.
- C. In the S3 bucket properties, change the default encryption to server-side encryption with AWS KMS managed encryption keys (SSE-KMS). Set an S3 bucket policy to deny unencrypted PutObject requests. Use the AWS CLI to re-upload all objects in the S3 bucket.
- D. In the S3 bucket properties, change the default encryption to SSE-S3 with a customer managed key. Use the AWS CLI to re-upload all objects in the S3 bucket. Set an S3 bucket policy to deny unencrypted PutObject requests.
Answer: A
Explanation:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ServerSideEncryptionCustomerKeys.html
The documentation clearly says we need the following header for SSE-C: x-amz-server-side-encryption-customer-algorithm. Use this header to specify the encryption algorithm. The header value must be AES256.
NEW QUESTION # 123
A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3 and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:
When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy. What should the solutions architect do to eliminate the developers' ability to use services outside the scope of this policy?
- A. Add an explicit deny statement using a wildcard to the end of the SCP
- B. Create an explicit deny statement for each AWS service that should be constrained
- C. Remove the Full AWS Access SCP from the developer account's OU
- D. Modify the Full AWS Access SCP to explicitly deny all services
Answer: C
Explanation:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_inheritance_auth.html
NEW QUESTION # 124

