AWS-ASS考试中遇到的纠结题目们

annahw

开始刷题ing, 可是题目中各种小纠结们时而细节时而总体的被考验着。

比如，那么多那么能干的以神话人物命名的系统呀架构呀，我们如何选择？
下面一题就是这种范例的典型，EFS 是文件管理系统，非常好非常牛，IAM用户管理上也非常牛。可是它们在具体的应用中该如何选择？

有这么一题，我就纠结了。

A Solutions Architect is designing a shared file system for a company. Multiple users will be accessing it at any given time. Different teams will have their own directories, and the company wants to secure files so that users can access only files owned by their team.
How should the Solutions Architect design this?
A. Use Amazon EFS and control permissions by using file-level permissions.
B. Use Amazon S3 and control permissions by using ACLs.
C. Use Amazon EFS and control permissions by using security groups.
D. Use AWS Storage Gateway and control permissions by using AWS Identity and Access Management (IAM)

按说file system, 而且access的要求那么高，应该用EFS吧？ 一定是A 吧？ 可是是又是多个team 有自己的目录，而且每个成员组的人都只能取自己家的文件。 那IAM不就是identity  access 管理的吗？
A OR D ? 元芳怎么看。

scoopy

完全外行，按以前训练考试技巧，我选C

magichz

明显选C

joe7752

现实中最简单的方法还是S3 + bucket policy 吧，这题有点过期，现在基本都能用bucket policy都不用ACL了吧。

看错题目了，真是对AWS理解有限啊

magichz

这里有答案： https://www.lleicloud.com/index.php/aws-certified-solutions-architect-associate-20194/

MarkVRS

感觉也是C，这个是SAA的试题吗？
考试的时候要认真读题，找关键词。最烦的就是很多题目都很长，读几遍才能搞明白。

hbwork

这道题答案感觉到有点问题，我个人感觉A 比 C  更合适一些，原因如下：
Shared file system 这一要求排除了S3 和 Storage Gateway。
A  - EFS works, and NFS/SMB file-level permissions support user level file access control
B - S3 无法提供Shared file system
C - Security Group works at network layer (allow inbound/outbound traffic) and does not nothing with User access Control
D -  Storage Gateway 作为Filesystem Gateway时IAM Policy 仅用于控制对AWS Storage Gateway Appliance的访问，而无法控制前端Shared 的NFS/SMB用户权限，

上班ing

选c的明显不知道aws security group是什么

valpa

大家都在考AWS，看来要比数量了

leave0empty

只有A正确，B s3不是file system. C security group是用来管理stateful连接. D file gateway不是用iam来控制user permission

Fernando

我X， AWS大家都这么有兴趣，感觉回到了考OCP的日子

chn217

看到share file system，就知道是EFS了

再看security group, 这个就是防火墙，跟权限控制没关系

只能选A了

eltonfive

A, in D storage gateway does not need to use IAM to control  permissions, permission should be controlled by SMB/NFS.

annahw

再来一道题目，这道题目是群里伙伴放的。各位看官走过路过来评评理

A company is using an Amazon S3 bucket located in us-west-2 to serve videos to their customers. Their customers are located all around the world and the videos are requested a lot during peak hours. Customers in Europe complain about experiencing slow downloaded speeds, and during peak hours, customers in all locations report experiencing HTTP 500 errors. What can a Solutions Architect do to address these issues?
A. Place an elastic load balancer in front of the Amazon S3 bucket to distribute the load during peak hours.
B. Cache the web content with Amazon CloudFront and use all Edge locations for content delivery.
C. Replicate the bucket in eu-west-1 and use an Amazon Route 53 failover routing policy to determine which bucket it should serve the request to.
D. Use an Amazon Route 53 weighted routing policy for the CloudFront domain name to distribute the GET request between CloudFront and the Amazon S3 bucket directly.

hanxuema

B. Cache the web content with Amazon CloudFront and use all Edge locations for content delivery.

annahw

hanxuema 发表于 2019-12-18 13:59
B. Cache the web content with Amazon CloudFront and use all Edge locations for content delivery.

有空请评论一下为何不是D吧

joe7752

觉得这道题还是有点问题，S3就不能做shared filesystem? 那如果加个file gateway不就行了， 很多On-premise的server不都是这样做的， 难道就不能share?

eltonfive

weighted routing policy should not be used in this scenario.

OxxO

觉得那个答案都不对。真正的考试应该不会有这种题？

An AWS customer is deploying an application mat is composed of an AutoScaling group of EC2 Instances.
The customers security policy requires that every outbound connection from these instances to any other service within the customers Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific instance-id.
In addition, an x 509 certificates must Designed by the customer's Key management service in order to be trusted for authentication.
Which of the following configurations will support these requirements?

    A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3 upon first boot.
    B. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched instances generate a certificate signature request with the instance's assigned instance-id to the key management service for signature.
    C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key management service. Have the Key management service generate a signed certificate and send it directly to the newly launched instance.
    D. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service poll the Auto Scaling group for associated instances and send new instances a certificate signature

OxxO

OxxO 发表于 2019-12-18 17:24
觉得那个答案都不对。真正的考试应该不会有这种题？

An AWS customer is deploying an application mat i ...

A instance-id 是动态生成的，S3的cert 怎么生成的没有说清楚。

annahw

这个题目不知道为何没有A？route 53允许将alias 绑到ELB上的吧?

A company is launching a static website using the zone apex (mycompany.com). The company wants to
use Amazon Route 53 for DNS.
Which steps should the company perform to implement a scalable and cost-effective solution? (Choose
two.)
A. Host the website on an Amazon EC2 instance with ELB and Auto Scaling, and map a Route 53 alias
record to the ELB endpoint.
B. Host the website using AWS Elastic Beanstalk, and map a Route 53 alias record to the Beanstalk stack.
C. Host the website on an Amazon EC2 instance, and map a Route 53 alias record to the public IP address
of the Amazon EC2 instance.
D. Serve the website from an Amazon S3 bucket, and map a Route 53 alias record to the website
endpoint.
E. Create a Route 53 hosted zone, and set the NS records of the domain to use Route 53 name servers.

joe7752

annahw 发表于 2019-12-18 19:28
这个题目不知道为何没有A？route 53允许将alias 绑到ELB上的吧?

A company is launching a static website ...

这题目真奇怪，A当然是可行的，但是静态页面不是应该放S3吗，节省成本啊，前端加个Cloudfront和Route 53，才是经典构架吧

hanxuema

D. Serve the website from an Amazon S3 bucket, and map a Route 53 alias record to the website
endpoint.

annahw

今天要崩溃了，这题目的答案A我都看不懂什么意思了，明明说了A和B，答案里完全没提及。
Q49. Two Auto Scaling applications, Application A and Application B, currently run within a shared set of subnets. A Solutions Architect wants to make sure that Application A can make requests to Application B, but Application B should be denied from making requests to Application A.

Which is the SIMPLEST solution to achieve this policy?

A. Using security groups that the security groups of the other application
B. Using security groups that the application server’s IP addresses
C. Using Network Access Control Lists to allow/deny traffic based on application IP addresses
D. Migrating the applications to separate subnets from each other

hanxuema

A 的意思是一个security group 可以通过添加另一个security group的id来实现单向访问

B 的意思是一个security group 可以通过添加ip地址段来实现单向访问

hanxuema

hanxuema 发表于 2019-12-20 12:00
A 的意思是一个security group 可以通过添加另一个security group的id来实现单向访问

B 的意思是一个secur ...

子网是什么？subnet？问题没说subnet吧

annahw

又一个纠结的题目，A与B间纠结，说到底还是基本概念不清楚。
选A吧，deliver data to EC2 instances时会有CloudWatch events 吗？ 选B吧，SNS topic 可以fan out data to SQS吗？
An application uses an Amazon SQS queue as a transport mechanism to deliver data to a group of EC2
instances for processing. The application owner wants to add a mechanism to archive the incoming data
without modifying application code on the EC2 instances.
How can this application be re-architected to archive the data without modifying the processing instances?
A. Trigger a Lambda function by using Amazon CloudWatch Events to retrieve messages from the SQS
queue and archive to Amazon S3.
B. Use an Amazon SNS topic to fan out the data to the SQS queue in addition to a Lambda function that
records the data to an S3 bucket.
C. Set up an Amazon Kinesis Data Stream so that multiple instances can receive data. Add a separate
EC2 instance that is configured to archive all data it receives.
D. Write the data to an S3 bucket, and use an SQS queue for S3 event notifications to tell the instances
where to retrieve the data.

hanxuema

B. Use an Amazon SNS topic to fan out the data to the SQS queue in addition to a Lambda function that
records the data to an S3 bucket.

A.  1. if a message in SQS get processed by lambda, the message will be deleted from the SQS, your EC2 instances will not be able to retrieve. 2. you don't need CloudWatch event to trigger lambda, SQS can be integrated with lambda.

C. .........

D. Write the data to an S3 bucket means modifying the processing instances code, correct?

leave0empty

joe7752 发表于 2019-12-18 14:23
觉得这道题还是有点问题，S3就不能做shared filesystem? 那如果加个file gateway不就行了， 很多On-premise ...

题没问题，选项里没有是s3+file gateway+smb/nfs权限控制

annahw

再请教一个，感觉汉血马水平好高，期待再来做答……

A customer has written an application that uses Amazon S3 exclusively as a data store. The application
works well until the customer increases the rate at which the application is updating information. The
customer now reports that outdated data occasionally appears when the application accesses objects in
Amazon S3.
What could be the problem, given that the application logic is otherwise correct?
A. The application is reading parts of objects from Amazon S3 using a range header.
D. The application is updating records by overwriting existing objects with the same keys.