AWS : Solutions Architect Professional Exam — Part 2

A Quick Review to Design for New Solutions

Pisit J.
Sum up As A Service
6 min read · Sep 12, 2021


Part 2 : Design for New Solutions (31% of exam)

  • Credentials Management
  • Network & Security
  • Reliability & Performance
  • Deployment & Patch Management Strategy

1 — You are building a mobile app that allows users to upload, view, and download their confidential, tax-related documents, which must be stored separately in each user's own S3 bucket.

How should you implement your mobile app ?

  1. Create a role in IAM with appropriate permissions.
  2. Record the user’s information in Amazon DynamoDB.
  3. When the user signs in to the mobile app, obtain temporary credentials from AWS STS (AssumeRole, or AssumeRoleWithWebIdentity when the user authenticates through an identity provider such as Amazon Cognito).
  4. Hold these credentials only in the mobile app's memory and use them to access that user's S3 bucket. Request new credentials every time the user runs the mobile app, and again when they expire.

Note — Never embed long-term credentials (IAM user access keys) in a mobile app; anything shipped in the app package must be assumed to be extractable. Use short-lived credentials issued by AWS STS instead, scoped so that each user can reach only his or her own bucket.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
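Added example (not code from the original post): minting per-user, short-lived S3 credentials for the mobile client. It assumes the app signs users in through an OpenID Connect provider (Amazon Cognito or similar) and exchanges the resulting identity token with STS AssumeRoleWithWebIdentity, so the app never holds AWS credentials of its own; it also assumes each user's bucket is named tax-docs-<user_id>. The STS client is injected, and the FakeSTS stand-in, role ARN and token are constructed so the code runs offline.

```python
"""Mint short-lived, per-user S3 credentials for a mobile client.

Assumptions (not from the original post): users sign in through an OIDC
provider, each user's documents live in the bucket tax-docs-<user_id>, and
`sts` is anything exposing assume_role_with_web_identity(**kwargs), i.e. a
boto3 STS client in production and the FakeSTS stand-in below offline.
"""
import json


def session_policy_for_bucket(bucket):
    """Session policy that scopes the role down to ONE bucket.

    The role's own policy may allow s3:* on arn:aws:s3:::tax-docs-*; the session
    policy is intersected with it, so the returned credentials cannot reach
    another user's bucket even though the role itself could.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOwnBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": [bucket_arn]},
            {"Sid": "ReadWriteOwnObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": [f"{bucket_arn}/*"]},
        ],
    }


def mint_user_credentials(sts, role_arn, identity_token, user_id, duration_seconds=900):
    """Exchange the user's identity token for temporary, scoped-down credentials.

    Nothing long-lived is handled here: the app holds only the identity token
    and the short-lived keys returned by STS.
    """
    bucket = f"tax-docs-{user_id}"
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn,
        RoleSessionName=f"mobile-{user_id}",
        WebIdentityToken=identity_token,
        Policy=json.dumps(session_policy_for_bucket(bucket)),
        DurationSeconds=duration_seconds,  # 900 s is the minimum STS accepts
    )
    creds = resp["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        "bucket": bucket,
    }


class FakeSTS:
    """Constructed stand-in for a boto3 STS client; records the last call."""

    def __init__(self):
        self.last_call = None

    def assume_role_with_web_identity(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token", "Expiration": "2021-09-12T00:15:00Z"}}


if __name__ == "__main__":
    fake = FakeSTS()
    out = mint_user_credentials(fake, "arn:aws:iam::111122223333:role/MobileTaxDocs",
                                "constructed-id-token", "u42")
    print(out["bucket"], fake.last_call["Policy"])
```

The session policy is the practitioner's safety net: if the role policy is ever widened by mistake, credentials handed to the app are still confined to the one bucket named in the session policy.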

2— There is a requirement to copy information to or from a shared resource in another AWS account. You have to give the other account access to several AWS resources such as S3, KMS and Amazon ES, identifying it only by its AWS account ID. In addition, the user in the other account should keep working in the trusted account, without giving up his or her own user permissions in exchange for the permissions of a role.

What is the most suitable solution for this scenario ?

Set up cross-account access with a resource-based policy.

Note — Cross-account access with a resource-based policy has some advantages over a role. With a resource that is accessed through a resource-based policy, the user still works in the trusted account and does not have to give up his or her user permissions in place of the role permissions.

In other words, the user continues to have access to resources in the trusted account at the same time as he or she has access to the resource in the trusting account. This is useful for tasks such as copying information to or from the shared resource in the other account. One condition still applies: for a cross-account request, both the resource-based policy in the trusting account and an identity-based policy attached to the user in the trusted account must allow the action.

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html
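Added example (not from the original post): building the resource-based policies that share an S3 bucket and its KMS key with other accounts by account ID only, together with the identity-based policy the other account's administrator still has to attach. Bucket name, key ARN and the account IDs are made up; the functions return policy documents as Python dicts ready for json.dumps.

```python
"""Resource-based policies for cross-account copy access, keyed on account IDs.

Granting arn:aws:iam::<id>:root delegates to that account's administrator, who
must still attach an identity-based policy allowing the same actions to the
users who will copy data (both policies must allow a cross-account request).
All identifiers below are constructed.
"""
import json
import re

ACCOUNT_ID = re.compile(r"^\d{12}$")


def account_principals(account_ids):
    """Validate 12-digit account IDs and turn them into account-root principals."""
    bad = [a for a in account_ids if not ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    return [f"arn:aws:iam::{a}:root" for a in account_ids]


def bucket_policy(bucket, account_ids):
    """S3 bucket policy letting the listed accounts list, read and write `bucket`."""
    principals = account_principals(account_ids)
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "CrossAccountList", "Effect": "Allow", "Principal": {"AWS": principals},
         "Action": "s3:ListBucket", "Resource": arn},
        {"Sid": "CrossAccountGet", "Effect": "Allow", "Principal": {"AWS": principals},
         "Action": "s3:GetObject", "Resource": f"{arn}/*"},
        {"Sid": "CrossAccountPut", "Effect": "Allow", "Principal": {"AWS": principals},
         "Action": "s3:PutObject", "Resource": f"{arn}/*",
         # Needed only while ACLs are enabled on the bucket: without it, objects
         # written by the other account are owned by that account, not by you.
         "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}},
    ]}


def key_policy(owner_account_id, account_ids):
    """KMS key policy: keep IAM control in the owning account, then share key usage."""
    [owner] = account_principals([owner_account_id])
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMPoliciesInOwnerAccount", "Effect": "Allow",
         "Principal": {"AWS": owner}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "CrossAccountUseOfKey", "Effect": "Allow",
         "Principal": {"AWS": account_principals(account_ids)},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ]}


def consumer_identity_policy(bucket, key_arn):
    """What the OTHER account's admin attaches to the copying user or role."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": arn},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{arn}/*"},
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"],
         "Resource": key_arn},
    ]}


if __name__ == "__main__":
    print(json.dumps(bucket_policy("shared-exports", ["444455556666"]), indent=2))
    print(json.dumps(key_policy("111122223333", ["444455556666"]), indent=2))
```

Because the principals are account roots, the sharing account never has to know or maintain the other account's user and role names; that account decides internally who gets the identity-based half of the grant.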

3— A company has an on-premises Active Directory and decides to deploy virtual desktops for its new employees in a VPC in AWS, to save the cost of purchasing physical workstations. The new cloud infrastructure should leverage the existing security controls in AWS while still being able to communicate with the on-premises network.

Which set of AWS services should you use to meet these requirements ?

AWS Directory Service, a VPN connection, and Amazon WorkSpaces.

First, you need a VPN connection between the VPC and your on-premises network. Second, you need AWS Directory Service (AD Connector) to integrate with your on-premises Active Directory, so that users keep authenticating with their existing AD credentials. Lastly, you use Amazon WorkSpaces to create the virtual desktops in your VPC, joined to that directory.

https://aws.amazon.com/directoryservice/

https://aws.amazon.com/workspaces/

4— Your manager instructed you to design the network architecture of an application in AWS. The system should allow access only to authorized people over the Internet, wherever they are: in hotel rooms, cafes or elsewhere.

How should you design the network to meet the above requirements ?

  • Create a private subnet in your VPC and place your application there, so that it has no public IP address and is not reachable directly from the Internet.
  • Establish an SSL VPN solution in a public subnet of your VPC, and allow the application's security group to accept traffic only from the VPN instance's security group.
  • Install and configure SSL VPN client software on all the workstations/laptops of the users who need access to your application.

5— To ensure data security, you were instructed to implement an SSL solution. You have requested an SSL/TLS certificate from a 3rd-party certificate authority (CA). In this scenario, where can you safely import the SSL/TLS certificate into AWS ?

  1. AWS Certificate Manager (ACM). For use with CloudFront, the certificate must be imported into ACM in the US East (N. Virginia) region, us-east-1. ACM does not renew imported certificates automatically, so track the expiry yourself.
  2. IAM certificate store, only in regions where ACM is not available.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html#cnames-and-https-uploading-certificates
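Added example (not from the original post): importing a CA-issued certificate into ACM. ACM's ImportCertificate call wants the leaf certificate, the unencrypted private key and the intermediate chain as three separate PEM fields, and a common mistake is to pass the whole bundle the CA sent as the certificate. The ACM client is injected (a boto3 client in production); the helper assumes, as boto3 clients do, that the client exposes its region as meta.region_name, and it refuses a non-us-east-1 client when the certificate is meant for CloudFront. The PEM blocks and FakeACM stand-in are constructed placeholders.

```python
"""Import a CA-issued certificate into ACM, splitting the PEM bundle correctly.

Assumptions (not from the original post): `acm` has import_certificate(**kwargs)
and meta.region_name like a boto3 ACM client. The PEM samples are constructed
placeholders, not real certificates.
"""
import re
from types import SimpleNamespace

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle):
    """Return (leaf, chain): the first CERTIFICATE block is the server certificate,
    the remaining blocks (intermediates, optionally the root) form the chain."""
    certs = PEM_CERT.findall(bundle)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    return certs[0], "\n".join(certs[1:])


def import_to_acm(acm, bundle_pem, private_key_pem, for_cloudfront=False):
    """Call ACM ImportCertificate with the three fields it expects; return the ARN."""
    if for_cloudfront and acm.meta.region_name != "us-east-1":
        raise ValueError("CloudFront only uses ACM certificates stored in us-east-1")
    if "ENCRYPTED" in private_key_pem:  # PKCS#8 header or Proc-Type: 4,ENCRYPTED
        raise ValueError("ACM requires an unencrypted private key")
    leaf, chain = split_pem_bundle(bundle_pem)
    kwargs = {"Certificate": leaf.encode(), "PrivateKey": private_key_pem.encode()}
    if chain:
        kwargs["CertificateChain"] = chain.encode()
    return acm.import_certificate(**kwargs)["CertificateArn"]


class FakeACM:
    """Constructed stand-in for a boto3 ACM client; records the last call."""

    def __init__(self, region):
        self.meta = SimpleNamespace(region_name=region)
        self.last_call = None

    def import_certificate(self, **kwargs):
        self.last_call = kwargs
        return {"CertificateArn":
                f"arn:aws:acm:{self.meta.region_name}:111122223333:certificate/constructed"}


# Constructed placeholders: base64 of "LEAF", "INTER" and "KEY", not real DER.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    client = FakeACM("us-east-1")
    print(import_to_acm(client, SAMPLE_BUNDLE, SAMPLE_KEY, for_cloudfront=True))
    print(sorted(client.last_call))
```

Keep the private key out of the repository and the shell history: in practice read both PEM files from a secrets store or a locally mounted file and pass them straight into the call, then delete the local copy.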

6— A fintech startup has developed a cloud-based payment processing system deployed in AWS which uses EC2, DynamoDB, S3, and CloudFront. Since it accepts credit card information from users, it is required to comply with the Payment Card Industry Data Security Standard (PCI DSS). In a recent 3rd-party audit, it was found that credit card numbers were not properly encrypted, and the system therefore failed the PCI DSS compliance test.
In this scenario, what is the best option to protect and encrypt the sensitive information ?

Configure the CloudFront to enforce secure end-to-end connections to origin servers by using HTTPS and field-level encryption.

Note — To use field-level encryption with asymmetric encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want encrypted, and the public key to use to encrypt them.
When a request with field-level encryption is forwarded to the origin system and routed through your subsystems, the sensitive data stays encrypted, reducing the risk of a data breach. Only the subsystem that holds the private key can decrypt and access that data.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html
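Added example (not from the original post): an origin-side guard that makes the field-level encryption setup fail closed. When FLE is configured correctly the origin only ever sees ciphertext in the card-number field; if a plaintext, Luhn-valid card number arrives instead, something is wrong (FLE disabled, wrong field pattern, a request path that bypasses CloudFront) and the request should be refused rather than stored. The field name card_number, the form bodies and the ciphertext placeholder are constructed.

```python
"""Origin-side guard: refuse card-number fields that reach the origin in plaintext.

application/x-www-form-urlencoded is the body type CloudFront field-level
encryption operates on. Field name and sample bodies are constructed.
"""
from urllib.parse import parse_qs


def luhn_valid(digits):
    """Luhn mod-10 check: True for syntactically valid card numbers (12-19 digits)."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_plaintext_pan(value):
    """Digits with optional spaces or hyphens that pass Luhn.
    Ciphertext (base64 or similar) contains letters and never matches."""
    stripped = value.replace(" ", "").replace("-", "")
    return stripped.isdigit() and luhn_valid(stripped)


def guard_form_body(body, sensitive_fields=("card_number",)):
    """Parse the form body; raise if a sensitive field is a plaintext PAN,
    otherwise return the fields for normal processing."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    for name in sensitive_fields:
        if looks_like_plaintext_pan(fields.get(name, "")):
            raise ValueError(f"field {name!r} reached the origin unencrypted; refusing request")
    return fields


if __name__ == "__main__":
    # Constructed ciphertext placeholder; real FLE output is opaque to the origin.
    print(guard_form_body("card_number=CTXconstructedciphertextblob0x&amount=1999"))
```

Wire this into the web tier as a rejection with an alert, not a silent drop: a single plaintext PAN at the origin is itself the audit finding the team is trying to avoid.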

7 — An online learning platform that provides educational video courses uses CloudFront to distribute its images, videos, files, and other static content to its users. Recently, it introduced member-only access that grants access to multiple private files of its online courses without having to change their current URLs.

What should you do to satisfy the given requirement ?

Configure your CloudFront distribution to serve the private content using signed cookies.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-choosing-signed-urls-cookies.html
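Added example (not from the original post): producing the three CloudFront signed cookies for a custom policy that covers a whole course directory, which is why the existing file URLs need not change. CloudFront-Policy and CloudFront-Signature use CloudFront's own base64 variant (+ = / replaced by - _ ~). The signing primitive is injected so the encoding logic can run here with a stand-in; in production pass an RSA-SHA1 (PKCS#1 v1.5) signer that uses the private key of a public key registered in a trusted key group. Domain, paths and the key ID are made up.

```python
"""CloudFront signed cookies for a custom policy covering a course path.

`signer` is a callable taking the policy bytes and returning the raw signature.
stand_in_signer below is NOT a real signature and exists only so the example
runs without a private key; CloudFront would reject its output.
"""
import base64
import hashlib
import json
import time


def cloudfront_b64(data):
    """CloudFront's cookie- and URL-safe base64 variant."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def cloudfront_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))


def custom_policy(resource_url, expires_epoch, source_ip_cidr=None):
    """Custom policy: wildcard resource plus expiry and an optional source IP range."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip_cidr}
    policy = {"Statement": [{"Resource": resource_url, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":")).encode()  # no whitespace


def decode_policy(policy_cookie):
    """Inverse of the CloudFront-Policy cookie encoding, for inspection."""
    return json.loads(cloudfront_b64_decode(policy_cookie))


def signed_cookies(resource_url, key_pair_id, signer, ttl_seconds=3600, now=None, source_ip_cidr=None):
    """Return the three cookie values for one member session."""
    now = int(time.time()) if now is None else now
    policy = custom_policy(resource_url, now + ttl_seconds, source_ip_cidr)
    return {
        "CloudFront-Policy": cloudfront_b64(policy),
        "CloudFront-Signature": cloudfront_b64(signer(policy)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def stand_in_signer(policy):
    """SHA-1 digest standing in for RSA-SHA1 signing (offline only)."""
    return hashlib.sha1(policy).digest()


if __name__ == "__main__":
    cookies = signed_cookies("https://d111111abcdef8.cloudfront.net/courses/intro/*",
                             "K1CONSTRUCTED", stand_in_signer, ttl_seconds=600)
    for name, value in cookies.items():
        print(f"Set-Cookie: {name}={value}; Path=/courses/intro/; Secure; HttpOnly")
```

Set the cookies from an application host that shares a parent domain with the distribution (for example app.example.com setting Domain=example.com for videos.example.com), with Secure and HttpOnly, and keep the Path as narrow as the course prefix so a cookie for one course cannot be presented for another.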

8 — A company has a web application hosted in AWS. It leverages Amazon CloudFront to scale reliably and serve requests quickly around the world.

Recently, users have complained about slow responses from the web application. The monitoring team reports that the CloudFront cache hit ratio metric has been dropping steadily over the past months. Because of inconsistent query strings in user requests, and queries that contain upper-case or mixed-case letters, CloudFront sends unnecessary requests to the origin.

What actions will increase the cache hit ratio of the CloudFront ?

Write a Lambda@Edge function that normalizes the query strings by sorting the parameters in alphabetical order and converting them to lower case.

With “viewer request” as the trigger, the Lambda@Edge function normalizes the query string before CloudFront looks it up in the cache. CloudFront then finds the matching cache item for the normalized request, increasing the cache hit ratio.

Note — If you configure CloudFront to cache based on query strings, you can improve caching if you do the following:

  • Use the same case — a request with query string parameter1=A is cached separately from parameter1=a.
  • List parameters in the same order — a request with query string parameter1=a&parameter2=b is cached separately from parameter2=b&parameter1=a.

https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/cache-hit-ratio.html#cache-hit-ratio-query-string-parameters
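Added example (not from the original post): the viewer-request Lambda@Edge handler in Python, which Lambda@Edge supports alongside Node.js. It sorts parameters by name and lowercases them so that ?Page=2&Sort=Date and ?sort=date&page=2 produce one cache key. One caveat the post does not spell out: lowercasing values is only safe when the origin treats them case-insensitively (a search term or an opaque token may not be), so the helper takes a lowercase_values switch. The event layout follows the CloudFront viewer-request event structure; the sample event is constructed.

```python
"""Lambda@Edge viewer-request handler that normalizes query strings.

Sorts parameters by name and lowercases keys (and, by default, values) so that
equivalent requests share one cache key. The sample event is constructed.
"""
from urllib.parse import parse_qsl, urlencode


def normalize_query_string(qs, lowercase_values=True):
    """'Sort=Date&Page=2' -> 'page=2&sort=date'. Duplicate keys are kept and
    sorted by value; percent-encoding is decoded and re-applied consistently."""
    pairs = parse_qsl(qs, keep_blank_values=True)
    normalized = [(k.lower(), v.lower() if lowercase_values else v) for k, v in pairs]
    normalized.sort()
    return urlencode(normalized)


def handler(event, context):
    """Viewer-request trigger: rewrite the query string, return the request."""
    request = event["Records"][0]["cf"]["request"]
    request["querystring"] = normalize_query_string(request.get("querystring", ""))
    return request


if __name__ == "__main__":
    # Constructed viewer-request event with only the fields this handler touches.
    sample_event = {"Records": [{"cf": {"request": {
        "uri": "/courses", "method": "GET", "querystring": "Sort=Date&Page=2"}}}]}
    print(handler(sample_event, None)["querystring"])
```

Normalization only helps if the cache policy actually keys on the query string; if it forwards all parameters without caching on them, or forwards none, the function changes nothing about hit ratio.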

9 — A company plans to create a self-service solution for its data scientists to access Amazon SageMaker in the company's AWS accounts. The data scientists have limited knowledge of the AWS cloud, so the complex setup requirements should not be exposed to them.

Which AWS service will meet the company's requirements ?

AWS Service Catalog.

Note — AWS Service Catalog allows organizations to create and centrally manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. Then, end users can quickly discover and deploy IT services using a self-service portal.

https://docs.aws.amazon.com/servicecatalog/latest/adminguide/introduction.html

10 — A company has production, development, and test environments in its software development department, and each environment contains tens to hundreds of EC2 instances, along with other AWS services.

Recently, Ubuntu released a series of security patches for a critical flaw detected in the OS. Although this is an urgent matter, there is no guarantee yet that these patches are bug-free and production-ready.

The EC2 instances in the production environment will only be patched after it has been verified that the patches work as intended. Each environment also has different baseline patch requirements that need to be satisfied.

How should you perform this task ?

  • Tag each instance based on its environment and OS.
  • Create a patch baseline in AWS Systems Manager Patch Manager for each environment.
  • Group the EC2 instances into patch groups using the tag key Patch Group, register each patch group with the corresponding baseline, and apply the patches approved by that baseline to each group (test first, production only after verification).

https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-patch-patchgroups.html
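Added example (not from the original post): the tagging and gating logic behind the answer above. Patch Manager links an instance to a baseline through the tag key Patch Group, spelled exactly like that, so the helper derives that tag value from Environment and OS tags, reports instances whose tag is missing or wrong, builds a per-environment Ubuntu baseline request, and allows production patching only once every instance in the test group reports compliant. Instance IDs, tags and compliance rows are constructed; the baseline dict follows the CreatePatchBaseline request shape, and the choice of which priorities each environment accepts is an assumed policy, not something the post states.

```python
"""Map tagged EC2 instances to Patch Manager patch groups and gate production.

All instance IDs, tags and compliance rows below are constructed sample data.
"""
ENVIRONMENTS = ("prod", "test", "dev")
PATCH_GROUP_TAG = "Patch Group"  # the exact tag key Patch Manager looks for


def patch_group_for(tags):
    """{"Environment": "Prod", "OS": "Ubuntu"} -> "ubuntu-prod"."""
    env = tags.get("Environment", "").lower()
    os_name = tags.get("OS", "").lower()
    if env not in ENVIRONMENTS or not os_name:
        raise ValueError(f"need Environment in {ENVIRONMENTS} and an OS tag, got {tags}")
    return f"{os_name}-{env}"


def patch_group_tag_fixes(instances):
    """{instance_id: desired Patch Group value} for instances tagged wrongly or not at all."""
    fixes = {}
    for inst in instances:
        desired = patch_group_for(inst["Tags"])
        if inst["Tags"].get(PATCH_GROUP_TAG) != desired:
            fixes[inst["InstanceId"]] = desired
    return fixes


def ubuntu_baseline_spec(env):
    """CreatePatchBaseline request for one environment (assumed policy: production
    takes only Required/Important packages, dev and test take every priority)."""
    all_priorities = ["Required", "Important", "Standard", "Optional", "Extra"]
    priorities = all_priorities[:2] if env == "prod" else all_priorities
    return {
        "Name": f"ubuntu-{env}-baseline",
        "OperatingSystem": "UBUNTU",
        "ApprovalRules": {"PatchRules": [{
            "PatchFilterGroup": {"PatchFilters": [
                {"Key": "PRIORITY", "Values": priorities},
                {"Key": "SECTION", "Values": ["*"]},
            ]},
            "ComplianceLevel": "CRITICAL" if env == "prod" else "MEDIUM",
        }]},
    }


def production_patch_allowed(compliance, os_name):
    """Gate: patch <os>-prod only when every instance in <os>-test reports COMPLIANT."""
    rows = [c for c in compliance if c["PatchGroup"] == f"{os_name}-test"]
    return bool(rows) and all(c["Status"] == "COMPLIANT" for c in rows)


SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa", "Tags": {"Environment": "Prod", "OS": "Ubuntu", "Patch Group": "ubuntu-prod"}},
    {"InstanceId": "i-0bbb", "Tags": {"Environment": "Test", "OS": "Ubuntu"}},
    {"InstanceId": "i-0ccc", "Tags": {"Environment": "Dev", "OS": "Ubuntu", "Patch Group": "ubuntu-prod"}},
]
COMPLIANCE_BEFORE = [
    {"InstanceId": "i-0bbb", "PatchGroup": "ubuntu-test", "Status": "NON_COMPLIANT"},
    {"InstanceId": "i-0aaa", "PatchGroup": "ubuntu-prod", "Status": "NON_COMPLIANT"},
]
COMPLIANCE_AFTER = [
    {"InstanceId": "i-0bbb", "PatchGroup": "ubuntu-test", "Status": "COMPLIANT"},
    {"InstanceId": "i-0aaa", "PatchGroup": "ubuntu-prod", "Status": "NON_COMPLIANT"},
]

if __name__ == "__main__":
    print(patch_group_tag_fixes(SAMPLE_INSTANCES))
    print(production_patch_allowed(COMPLIANCE_BEFORE, "ubuntu"),
          production_patch_allowed(COMPLIANCE_AFTER, "ubuntu"))
```

The i-0ccc case is the one to watch for: a dev instance carrying the production patch group tag would silently receive the production baseline, so a tag audit like patch_group_tag_fixes belongs in the pipeline before any maintenance window runs.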
