Exam AWS Certified Solutions Architect - Professional topic 1 question 570 discussion

A software as a service (SaaS) company offers a cloud solution for document management to private law firms and the public sector. A local government client recently mandated that highly confidential documents cannot be stored outside the country. The company CIO asks a Solutions Architect to ensure the application can adapt to this new requirement. The CIO also wants to have a proper backup plan for these documents, as backups are not currently performed.
What solution meets these requirements?

  • A. Tag documents that are not highly confidential as regular in Amazon S3. Create individual S3 buckets for each user. Upload objects to each user's bucket. Set S3 bucket replication from these buckets to a central S3 bucket in a different AWS account and AWS Region. Configure an AWS Lambda function triggered by scheduled events in Amazon CloudWatch to delete objects that are tagged as secret in the S3 backup bucket.
  • B. Tag documents as either regular or secret in Amazon S3. Create an individual S3 backup bucket in the same AWS account and AWS Region. Create a cross-region S3 bucket in a separate AWS account. Set proper IAM roles to allow cross-region permissions to the S3 buckets. Configure an AWS Lambda function triggered by Amazon CloudWatch scheduled events to copy objects that are tagged as secret to the S3 backup bucket and objects tagged as normal to the cross-region S3 bucket.
  • C. Tag documents as either regular or secret in Amazon S3. Create an individual S3 backup bucket in the same AWS account and AWS Region. Use S3 selective cross-region replication based on object tags to move regular documents to an S3 bucket in a different AWS Region. Configure an AWS Lambda function that triggers when new S3 objects are created in the main bucket to replicate only documents tagged as secret into the S3 bucket in the same AWS Region.
  • D. Tag highly confidential documents as secret in Amazon S3. Create an individual S3 backup bucket in the same AWS account and AWS Region. Use S3 selective cross-region replication based on object tags to move regular documents to a different AWS Region. Create an Amazon CloudWatch Events rule for new S3 objects tagged as secret to trigger an AWS Lambda function to replicate them into a separate bucket in the same AWS Region.
Suggested Answer: C

Comments

Ebi
Highly Voted 3 years, 7 months ago
Answer is C
upvoted 15 times
3a632a3
Most Recent 1 year, 4 months ago
Selected Answer: C
To use selective cross region replication, the regular objects need a tag. D does not tag regular items so cross region replication wouldn't work. https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-s3-announces-selective-crr-based-on-object-tags/ I don't like that Lambda + S3 events are used for SRR as that could be a compliance issue if the Lambda function fails. And SRR in S3 has been around for a long time with one of the use cases being data sovereignty compliance. https://docs.aws.amazon.com/AmazonS3/latest/userguide/replication.html#srr-scenario
upvoted 1 times
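The two-rule, tag-filtered replication setup that the C-versus-D discussion turns on, as an added example that is not from the exam or any commenter: the dict is the ReplicationConfiguration shape boto3's put_bucket_replication() accepts, with the tag key "classification", the account id, role and bucket ARNs all assumed placeholders, and matching_rule() mirrors how S3 picks a rule so you can see that a secret-tagged object only ever matches the same-region destination while an untagged object matches nothing.

```python
"""Two-rule S3 replication configuration for the scenario in question 570.
Assumed tag key 'classification' with values 'regular' / 'secret'; the
account id, IAM role and bucket names are placeholders, not real resources."""

# Shape of the ReplicationConfiguration argument to boto3's
# s3.put_bucket_replication(); an added illustration, not the exam's own code.
REPLICATION_CONFIG = {
    "Role": "arn:aws:iam::111122223333:role/docs-replication-role",  # placeholder
    "Rules": [
        {
            # Regular documents may leave the country: cross-region destination (CRR).
            "ID": "regular-docs-cross-region",
            "Priority": 1,
            "Status": "Enabled",
            "Filter": {"Tag": {"Key": "classification", "Value": "regular"}},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": "arn:aws:s3:::docs-backup-other-region"},
        },
        {
            # Secret documents stay in-country: same-region destination (SRR).
            "ID": "secret-docs-same-region",
            "Priority": 2,
            "Status": "Enabled",
            "Filter": {"Tag": {"Key": "classification", "Value": "secret"}},
            "DeleteMarkerReplication": {"Status": "Disabled"},
            "Destination": {"Bucket": "arn:aws:s3:::docs-backup-same-region"},
        },
    ],
}


def matching_rule(object_tags: dict, config: dict = REPLICATION_CONFIG):
    """Return the ID of the rule S3 would apply to an object carrying these tags.

    Mirrors S3's documented selection: only enabled rules whose tag filter is
    present on the object are candidates, and among overlapping matches the
    highest Priority wins. Returns None when no rule matches, which is what
    happens to an untagged object (the gap in option D, where regular
    documents carry no tag and so never replicate).
    """
    candidates = []
    for rule in config["Rules"]:
        if rule["Status"] != "Enabled":
            continue
        tag = rule["Filter"]["Tag"]
        if object_tags.get(tag["Key"]) == tag["Value"]:
            candidates.append(rule)
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["Priority"])["ID"]
```

Versioning must be enabled on the source and both destination buckets before S3 accepts this configuration, and replication only applies to objects written after the rules exist, which is the "old confidential objects" point raised further down the thread.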
Jesuisleon
2 years ago
Selected Answer: C
The answer is C. We need tags to selectively copy objects, normal objects to an S3 bucket in another region and secret objects to an S3 bucket in the same region, so A and B are out. A new-object S3 event can directly trigger Lambda, no need to use CloudWatch, see https://aws.amazon.com/blogs/aws/s3-event-notification/, so D is out.
upvoted 1 times
Jesuisleon
1 year, 12 months ago
I change to D since in the link above, if you search "Notification Details", there is no tag item inside (ETag is just a checksum, not our tag here), so an ordinary S3 event doesn't have a tag item. So C is out; we still need CloudWatch Events to trigger.
upvoted 1 times
vn_thanhtung
1 year, 9 months ago
https://docs.aws.amazon.com/AmazonS3/latest/userguide/EventNotifications.html#:~:text=Overview%20of%20Amazon%20S3%20Event%20Notifications
upvoted 1 times
Blackfry
2 years, 7 months ago
Selected Answer: C
The difference between C and D is whether both regular and confidential documents are tagged or only confidential documents are tagged. But we can use object tags only if there are any tags. So when we want to use Selective Cross-Region Replication based on Object Tags for regular documents, we should tag 'regular documents' (or both).
upvoted 2 times
WayneYi
2 years, 8 months ago
I will go with C. Because option D says that we are moving regular documents into a different region, it makes no sense at all
upvoted 1 times
tomosabc1
2 years, 8 months ago
In fact, to move regular documents is an implicit requirement from the question. Even option C says "...... to move regular documents to an S3 bucket in a different AWS Region".
upvoted 1 times
wassb
2 years, 8 months ago
@Bulti answer : Answer is C. D looks like an option except for the fact that the regular objects are not tagged.
upvoted 1 times
Harithareddynn
2 years, 9 months ago
Selected Answer: D
The only difference between C and D is S3 events vs. CloudWatch Events. In the case of C, S3 events cannot be triggered selectively based on tag, so it would call Lambda for all documents; hence D is better.
upvoted 3 times
ciki
3 years, 5 months ago
I think the answer is D: CloudWatch verifies that the application can adapt to this new demand.
upvoted 1 times
vbal
3 years, 5 months ago
https://aws.amazon.com/blogs/mt/monitor-tag-changes-on-aws-resources-with-serverless-workflows-and-amazon-cloudwatch-events/ Even after reading the above page I am still not sure if it would work or not. But if I can trigger an event based upon each object's tag being put into S3, I would prefer D just because this is more efficient, as Lambda would be triggered only for secret documents and not for ALL the PUT Object events, which is inefficient IMO.
upvoted 2 times
cldy
3 years, 6 months ago
C. Tag documents as either regular or secret in Amazon S3. Create an individual S3 backup bucket in the same AWS account and AWS Region. Use S3 selective cross-region replication based on object tags to move regular documents to an S3 bucket in a different AWS Region. Configure an AWS Lambda function that triggers when new S3 objects are created in the main bucket to replicate only documents tagged as secret into the S3 bucket in the same AWS Region.
upvoted 1 times
AzureDP900
3 years, 6 months ago
Use S3 selective cross-region replication; answer is C.
upvoted 1 times
pcops
3 years, 6 months ago
I will go for C
upvoted 1 times
acloudguru
3 years, 6 months ago
Selected Answer: C
Answer = C. https://docs.aws.amazon.com/AmazonS3/latest/dev/replication.html
upvoted 2 times
WhyIronMan
3 years, 7 months ago
I'll go with C
upvoted 3 times
aws_arn_name
3 years, 7 months ago
I think the answer is D. With C only new confidential objects will be backed up; what about old confidential objects? In addition, S3 events have lag, although rarely, but it still can cause lost data. CloudWatch is more reliable.
upvoted 2 times
wahlbergusa
3 years, 6 months ago
Wrong. Although I got confused on the same point as well. The trick is that for a CloudWatch Events rule you first need to enable CloudTrail data events => https://docs.aws.amazon.com/codepipeline/latest/userguide/create-cloudtrail-S3-source-console.html Hence C is correct.
upvoted 2 times
Waiweng
3 years, 7 months ago
it's C
upvoted 4 times
blackgamer
3 years, 7 months ago
The answer is C. https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-s3-announces-selective-crr-based-on-object-tags/
upvoted 3 times
01037
3 years, 7 months ago
C. Region is treated as a country, though there are several Regions in US.
upvoted 1 times