I’m currently two days into the Advanced Architecting on AWS class and am looking forward to taking the AWS Certified Solutions Architect – Professional Level exam later this month. Since I noticed there is quite a bit of interest in this certification, I want to use this blog post to discuss the sample exam questions you can download from AWS. If you haven’t worked through them yourself yet, you might want to try them first before continuing to read, as this post is a huge spoiler.
Question 1 – CMS DR:
A: This is the correct answer. RMAN is recovered from the backup in S3, and the gateway-stored volume can be attached to EC2 as an EBS volume created from the Storage Gateway volume.
B: Restoring from Glacier does not meet the requirement of the best RTO. Also, RDS is not a feature-complete replacement for Oracle RMAN, but the Glacier issue already gave away that B is wrong.
C: Restoring the content via Storage Gateway in EC2 is not only unnecessarily complex but attaching the volume via iSCSI is simply not supported.
D: There is no VTL in the scenario. Eliminating this one is easy.
Question 2 – ERP Backup:
A: This answer is easily dismissed. Glacier is just not up to the task of an RPO of 15 minutes. Glacier is designed for a retrieval time of 3 to 5 hours.
B: A synchronous master-slave setup buys you nothing if your data gets corrupted, as the slave will contain the same corruption.
C: This is the correct answer. S3 is AWS’s designated reliable storage.
D: EC2 instance store volumes are ephemeral disks and therefore not suitable for storing any kind of backup.
Question 3 – JS App:
A: The credentials should be mapped to an IAM role. The answer says user which makes me suspect this is wrong.
B: I think this is the correct answer. Using a Web Identity Provider is also potentially cheaper than running your own token vending machine (TVM).
C and D: These answers make use of EC2 instances, which adds cost, while the task asks to optimize for cost effectiveness.
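To make the role-versus-user point of answer B concrete, here is an added example (not from the original post or the exam material) of the IAM role a web identity provider would map into, written as a CloudFormation snippet. It assumes Login with Amazon as the provider; the app id and bucket name are placeholders.

```yaml
# Added example, not part of the original post. Assumptions: Login with Amazon
# is the web identity provider; <LOGIN_WITH_AMAZON_APP_ID> and app-bucket are
# placeholders. The browser app obtains temporary credentials by calling
# sts:AssumeRoleWithWebIdentity for this role; no long-lived IAM user keys
# are ever shipped to the client.
Resources:
  JsAppWebIdentityRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: js-app-web-identity-role
      # Trust policy: only tokens issued for this specific app may assume the role.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: www.amazon.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                www.amazon.com:app_id: "<LOGIN_WITH_AMAZON_APP_ID>"
      # Permissions policy: each federated user is confined to a prefix named
      # after their own provider user id, so one user cannot read another's data.
      Policies:
        - PolicyName: per-user-s3-prefix
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                Resource: "arn:aws:s3:::app-bucket/${www.amazon.com:user_id}/*"
              - Effect: Allow
                Action: s3:ListBucket
                Resource: "arn:aws:s3:::app-bucket"
                Condition:
                  StringLike:
                    s3:prefix: "${www.amazon.com:user_id}/*"
```

The `${www.amazon.com:user_id}` policy variable is resolved by IAM at request time from the federated identity, which is what keeps the per-user scoping enforceable server-side rather than in client JavaScript.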
Question 4 – Website:
A: Logs are accessible from the web server as the disk is mounted. Encryption of volumes only protects data at rest.
B: The key is retrieved to the instance and accessible there which disqualifies this answer.
C: This is the correct answer. The key is secure in CloudHSM and logs are sent to S3 encrypted.
D: Same issue as in answer A.
Question 5 – Fat Client:
A: Direct Connect is not for road warriors, and placing the application servers in a public subnet contradicts the scenario, which demands that they not be placed on the public Internet.
B: This doesn’t make any sense. Also, an SSL-terminating ELB is on the public Internet.
C: IPSec will most probably not work on all public networks. Also, trusting the users to set up the IPSec client isn’t necessarily a good idea. Not to mention that placing the application servers in a public subnet is placing them on the public Internet.
D: This is the correct answer. SSL VPN will most probably work on all public networks as it doesn’t use a special protocol. Setting up the client can be done by corporate IT, and placing the application servers in a private subnet will meet the requirement to not have them on the public Internet.
Question 6 – Migration:
A: Reworking the application with the developers on the weekend? No way!
B: Could work but might still take too long.
C: The Import/Export service is a nice idea but is not going to keep within the time frame for the migration.
D: This is the correct answer. It also emphasizes the feature of Storage Gateway to sync local volumes to AWS and create EBS volumes from them.