Whizlabs SAA-C03 Section
Tests
1. You are building up a Lambda function that runs periodically and processes the data stored in a DynamoDB
table. As the data in the DynamoDB table grows fast, you need to estimate the cost of the Lambda function.
Which of the following two factors directly determine the monthly cost of Lambda?: 1) The memory allocated to
the Lambda function and 2) The total number of requests for the Lambda function
2. In your AWS account, you have configured three Application Load Balancers to route the traffic, and each
ALB has its own target group. As the traffic keeps growing, the cost of the Elastic Load Balancers increases as
well. Which method would you take to reduce the load balancer cost?: Use one ALB instead of three. Attach all
three target groups to the ALB.
3. Your team creates an Application Load Balancer for a new application and registers a Lambda function as its
target. Three availability zones are enabled for the ALB. You want to take some actions to reduce the cost. Which
of the below options is most appropriate?: Optimize the Lambda function so that the function executes the code faster.
4. A web application is hosted on EC2 and serves global customers. As the application is getting more and more
popular, the data transfer cost keeps increasing. You plan to use AWS CloudFront to improve the latency and
reduce the cost. Which of the following services is free for CloudFront?: Data transfer from origin to CloudFront
edge locations (Amazon CloudFront "origin fetches")
5. Your application is deployed in EC2 instances and uses CloudFront to deliver the content. In order to reduce
the cost of requests to the origin, you plan to increase the cache duration for certain dynamic contents. Which of
the following is the most appropriate to achieve the requirement?: Modify the application to add a Cache-Control
header to control how long the objects stay in the CloudFront cache.
6. You use CloudFormation to create an auto-scaling group for a web application. The application needs to be
deployed in both production and non-production AWS accounts. You want to use Spot instances in the
non-production environment to save costs. Which of the following methods would you use?: In the CloudFormation
template, use a parameter to set the OnDemandPercentageAboveBaseCapacity property. Set the parameter to be 0 in
non-production and 100 in production.
7. You are working as a Solutions Architect in an organization. You have peered VPC A and VPC B as a requestor
and an acceptor where both the VPCs can communicate with each other. Now you want the resources in the
private subnets of both of the VPCs to reach out to the internet. But no one on the internet should be able to reach
the resources within both the VPCs. Which
of the below will achieve the desired outcome?: Create NAT Gateways in both VPCs and configure routes for each
VPC to use its own NAT gateway.
8. Your organization already had a VPC (10.10.0.0/16) setup with one public (10.10.1.0/24) and two private
subnets - private subnet 1 (10.10.2.0/24) and private subnet 2 (10.10.3.0/24). The public subnet has the main route
table, and the two private subnets have two different route tables respectively. The AWS SysOps team reports a problem
stating that the EC2 instance in private subnet 1 cannot communicate with the RDS MySQL database on private subnet
2. What are the possible reasons (choose two options)?: 1) RDS security group inbound rule
is incorrectly configured with 10.10.1.0/24 instead of 10.10.2.0/24. 2) 10.10.3.0/24 subnet's NACL denies inbound on
port 3306 from subnet 10.10.2.0/24.
9. *A new VPC with CIDR range 10.10.0.0/16 has been setup with a public and private subnet, Internet Gateway
and a custom route table have been created and a route has been added with the 'Destination' as '0.0.0.0/0' and
the 'Target' with Internet Gateway (igw-id). A new Linux EC2 instance has been launched on the public subnet
with the auto-assign public IP option enabled, but when trying to SSH into the machine, the connection
fails. What could be the reason?*
* Elastic IP is not assigned.
* Both the subnets are associated with the main route table, no subnet is explicitly associated with the custom
route table which has internet gateway route.
* Public IP address is not assigned.
* None of the above.: The NACL of the public subnet disallows the ingress SSH traffic
10. You are an AWS architect in your organization. Your organization wants to upload files to the AWS
S3 bucket. In a VPC, you create a private subnet and VPC endpoint for S3. You also create one route table that
routes the traffic from the private subnet to a NAT gateway for the internet access. In AWS S3 server logs, you
notice the requests to the S3 bucket from an EC2 instance in the VPC do not go through the NAT gateway. What
could cause this situation?: The requests are routed through the VPC endpoint.
11. Your organization has an existing VPC with an AWS S3 endpoint created and serving certain S3 buckets.
You were asked to create a new S3 bucket and reuse the existing VPC endpoint to route requests to the new S3
bucket. However, after creating a new S3 bucket and sending requests from an EC2 instance via the VPC
endpoint, you found the requests are failing with the "Access Denied" error. What could be the issue?: 1) VPC
endpoint contains a
policy, currently restricted to certain S3 buckets, and does not contain a new S3 bucket. 2) AWS IAM role/user does not
have access to the S3 bucket.
12. A company has its major applications deployed in AWS. The company is building a new office and requires
a high-performance network connection between the local office network and the AWS network. The connection
needs to have high bandwidth throughput and allow users in the office to connect with multiple AWS VPCs of
multiple AWS Regions. How would you establish the connection in the most appropriate way?: Create a Direct
Connect Gateway to connect the local network with multiple Amazon VPCs across different regions.
13. You are building a fleet of EC2 Linux instances in the AWS environment to manage heavy workloads and
write data into AWS Redshift. The developers and administrators need to log in to these EC2 machines to develop,
fix, deploy and manage workloads within your organizational network ONLY. Which of the following would allow
only the personnel within the organization to access the resources most securely?: AWS VPN connection from your
organization to AWS VPC, a bastion host in VPN enabled subnet with secure SSH key to login, EC2 instances in private
subnet with secure SSH keys to login, Redshift in private subnet
14. Your company owns several EC2 Windows servers in production. In order to be compliant with recent
company security policies, you need to create an EC2 Windows bastion host for users to connect to the instances
via RDP. How would you ensure that users can perform remote administration for the Windows servers ONLY
through the new bastion host?: Configure the security groups of the Windows server instances to only accept
RDP/3389 connections from the security group of the Windows bastion host.
15. You have an existing VPC in us-east-1. You have created a VPC Endpoint for S3 and added it to the main
route table. You have launched an EC2 instance inside a subnet that is associated with the main route table. From
the new EC2 instance, when requesting the S3 bucket within us-east-1, you noticed the connection is failing. What
could be the reason?: 1) EC2 instance security group outbound rules are restricted and do not contain the prefix list, 2)
Subnet's Network ACL inbound rule does not allow traffic from S3.
16. Your organization has asked you to be cost-efficient in designing AWS solutions. You have created three VPCs
(VPC A, VPC B, VPC C), peered VPC A to VPC B and VPC B to VPC C. You have created a NAT gateway in
VPC B and would like to use the same NAT Gateway for resources within VPC A and VPC C. However, the
resources within VPC A and VPC C cannot communicate with the internet through the NAT Gateway, but
resources in VPC B can com-