Exam AWS Certified Solutions Architect - Professional topic 1 question 627 discussion

A healthcare company runs a production workload on AWS that stores highly sensitive personal information. The security team mandates that, for auditing purposes, any AWS API action using AWS account root user credentials must automatically create a high-priority ticket in the company's ticketing system. The ticketing system has a monthly 3-hour maintenance window when no tickets can be created.
To meet security requirements, the company enabled AWS CloudTrail logs and wrote a scheduled AWS Lambda function that uses Amazon Athena to query API actions performed by the root user. The Lambda function submits any actions found to the ticketing system API. During a recent security audit, the security team discovered that several tickets were not created because the ticketing system was unavailable due to planned maintenance.
Which combination of steps should a solutions architect take to ensure that the incidents are reported to the ticketing system even during planned maintenance?
(Choose two.)

  • A. Create an Amazon SNS topic to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to invoke the Lambda function.
  • B. Create an Amazon SQS queue to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to publish to the SQS queue.
  • C. Modify the Lambda function to be triggered by messages published to an Amazon SNS topic. Update the existing application code to retry every 5 minutes if the ticketing system's API endpoint is unavailable.
  • D. Modify the Lambda function to be triggered when there are messages in the Amazon SQS queue and to return successfully when the ticketing system API has processed the request.
  • E. Create an Amazon EventBridge rule that triggers on all API events where the invoking user identity is root. Configure the EventBridge rule to write the event to an Amazon SQS queue.
Suggested Answer: DE
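Worked example of the D+E design (added here; it is not code from the exam page or from AWS, and the ticketing client, the event IDs and the two CloudTrail events are constructed stand-ins). The first part is the EventBridge event pattern that selects root-user API calls: CloudTrail delivers management events to EventBridge with detail-type "AWS API Call via CloudTrail", and the root user appears as userIdentity.type "Root" (an IAM user would be "IAMUser", a role session "AssumedRole"). The second part is the SQS-triggered Lambda handler: with the event source mapping configured for ReportBatchItemFailures, the handler returns the messageIds it could not hand to the ticketing system, SQS makes only those visible again after the visibility timeout, and the rest are deleted. The handler fails fast on an unavailable ticketing API instead of sleeping or looping, which is the caveat raised in the comments below about a Lambda function running for a long time.

```python
"""Root-user API call -> EventBridge rule -> SQS -> Lambda -> ticketing system.

Illustrative code only: the pattern matcher is a subset of EventBridge's
matching rules, and TicketingUnavailable, make_handler, run_demo and the two
sample events are assumptions made for this example.
"""
from __future__ import annotations

import json
from typing import Any, Callable

# EventBridge rule event pattern (Option E).  A list means "value is one of";
# nested dicts match nested fields.  EventBridge only receives these events
# when a CloudTrail trail logging management events is enabled.
ROOT_API_CALL_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}

# Constructed sample events in the shape EventBridge delivers CloudTrail calls.
ROOT_EVENT = {
    "version": "0",
    "id": "11111111-2222-3333-4444-555555555555",
    "detail-type": "AWS API Call via CloudTrail",
    "source": "aws.iam",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
        "sourceIPAddress": "203.0.113.10",
    },
}
IAM_USER_EVENT = json.loads(json.dumps(ROOT_EVENT))
IAM_USER_EVENT["detail"]["userIdentity"] = {
    "type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}


def matches_pattern(event: dict[str, Any], pattern: dict[str, Any]) -> bool:
    """Equality-only subset of EventBridge pattern matching (no prefix,
    anything-but or numeric matchers): every key in the pattern must exist in
    the event, lists are 'one of', dicts recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


class TicketingUnavailable(Exception):
    """Raised by the ticketing client while the system is in maintenance."""


def make_handler(create_ticket: Callable[[dict[str, Any]], str]):
    """Build the Lambda handler (Option D) around an injected ticketing call so
    the example runs offline.  In production create_ticket would be an HTTPS
    call with a short timeout that raises TicketingUnavailable on failure."""

    def handler(event: dict[str, Any], context: Any) -> dict[str, Any]:
        failures = []
        for record in event["Records"]:
            cloudtrail_event = json.loads(record["body"])
            detail = cloudtrail_event["detail"]
            ticket = {
                "priority": "high",
                "summary": f"Root user API call: {detail['eventSource']} "
                           f"{detail['eventName']}",
                "source_ip": detail.get("sourceIPAddress"),
                "event_id": cloudtrail_event.get("id"),
            }
            try:
                create_ticket(ticket)
            except TicketingUnavailable:
                # Partial batch response: only this message is redelivered.
                failures.append({"itemIdentifier": record["messageId"]})
        return {"batchItemFailures": failures}

    return handler


def run_demo() -> dict[str, Any]:
    """Replay one queued root event first during, then after, maintenance."""
    sqs_event = {"Records": [{"messageId": "msg-1", "body": json.dumps(ROOT_EVENT)}]}
    created: list[dict[str, Any]] = []

    def ticketing_down(ticket: dict[str, Any]) -> str:
        raise TicketingUnavailable("planned maintenance window")

    def ticketing_up(ticket: dict[str, Any]) -> str:
        created.append(ticket)
        return "TICKET-1"

    during = make_handler(ticketing_down)(sqs_event, None)
    after = make_handler(ticketing_up)(sqs_event, None)
    return {"during_maintenance": during, "after_maintenance": after,
            "tickets_created": len(created)}
```

Queue settings matter as much as the handler: the SQS message retention (default 4 days, maximum 14) must outlast the 3-hour window, the queue's visibility timeout should be at least six times the function timeout, and if a dead-letter queue is attached its maxReceiveCount must allow more redeliveries than fit in the window, otherwise the ticket is lost to the DLQ instead of being delayed. Two scope caveats for the rule itself: API calls to global services such as IAM and STS are delivered to EventBridge in us-east-1, so the rule (or a forwarding rule to a central event bus) is needed there regardless of where the workload runs, and root console sign-ins arrive under the separate detail-type "AWS Console Sign In via CloudTrail", so a second pattern is required if those should also raise a ticket.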

Comments

Rajarshi
Highly Voted 3 years, 7 months ago
D and E
upvoted 24 times
DashL
3 years, 6 months ago
A - Uses SNS topics. Will not work.
B - Uses CloudWatch Alarms. It is required to use a CloudWatch Event/EventBridge rule.
C - Correct.
D - Doesn't have retries to address the situation when the ticketing system is down.
E - Correct.
upvoted 4 times
tekkart
3 years, 6 months ago
You are right, but following your logic, it should be A & C, because C requires SNS and C offers a solution for the ticketing system being unavailable. None of the solutions based on SQS trigger a solution based on its availability.
upvoted 1 times
tekkart
3 years, 6 months ago
But the phrasing of answer A is not OK: "CW Alarm to invoke the Lambda function". Why need an event and a queue, when the Lambda is already scheduled... unless the event is "the ticketing system is available" rather than "the invoking user identity is root" as in option E... E does not address the main concern, which is the unavailability of the ticketing system.
upvoted 1 times
tekkart
3 years, 6 months ago
Considering D&E as answers.
1 - SQS, as event source mapping for Lambda, where errors such as an unavailable ticketing system block processing until the errors are solved or the items expire.
https://docs.aws.amazon.com/lambda/latest/dg/invocation-retries.html
https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventsourcemapping.html
https://docs.aws.amazon.com/lambda/latest/dg/invocation-async.html#invocation-async-destinations
With the dead-letter queue option as an alternative solution for the on-failure destination: https://docs.aws.amazon.com/lambda/latest/dg/with-sqs.html
2 - SNS is possible as a destination from the event source mapping, having SQS->SNS->Lambda, plus for multiple destination notifications such as email sending it would be useful, hence C&E could be feasible assuming this link between SQS and SNS.
upvoted 3 times
beso
Highly Voted 3 years, 7 months ago
B and D, CloudWatch--> SQS--> Lambda-->Ticketing system
upvoted 13 times
shammous
3 years, 6 months ago
You need EventBridge to trigger root API calls only and then take action. Option B is too broad and doesn't satisfy the requirement of detecting "API actions performed by the root user".
upvoted 1 times
Kelvin
3 years, 6 months ago
You need CloudWatch Events (aka EventBridge) but not CloudWatch Alarm in this case. So D and E.
upvoted 4 times
evargasbrz
Most Recent 2 years, 4 months ago
Selected Answer: DE
D and E
upvoted 1 times
hilft
2 years, 9 months ago
B and D, CloudWatch--> SQS--> Lambda
upvoted 1 times
bobsmith2000
2 years, 11 months ago
Selected Answer: DE
Right by the book!
upvoted 1 times
jj22222
3 years, 2 months ago
D and E
upvoted 1 times
CloudChef
3 years, 3 months ago
Selected Answer: DE
D and E
upvoted 2 times
Ni_yot
3 years, 3 months ago
D and E is good choice.
upvoted 2 times
cldy
3 years, 3 months ago
D and E.
upvoted 1 times
AzureDP900
3 years, 5 months ago
Selected Answer: DE
D,E. The existing system can be modified to use Amazon EventBridge instead of using AWS CloudTrail with Amazon Athena. EventBridge can be configured with a rule that checks all AWS API calls via CloudTrail. The rule can be configured to look for the usage of the root user account. EventBridge can then be configured with an Amazon SQS queue as a target that puts a message in the queue waiting to be processed. The Lambda function can then be configured to poll the queue for messages (event-source mapping), process the event synchronously and only return a successful result when the ticketing system has processed the request. The message will be deleted only if the result is successful, allowing for retries. This system will ensure that the important events are not missed when the ticketing system is unavailable.
upvoted 4 times
niruk
3 years, 5 months ago
D & E Eventbridge => https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-what-is.html SQS permissions => https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-use-resource-based.html#eb-sqs-permissions Search for root => https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-logging-monitoring.html also look at the policy.
upvoted 3 times
kirrim
3 years, 5 months ago
+1 for citing documentation on how to make this work.
A & B are wrong because CloudWatch Alarms are based on metrics, not an event/action (that's CloudWatch Events).
C is eliminated because it could have only worked in combo with A, and A is wrong.
D is valid per your links.
E is valid per your links.
(Note that you'd probably have to be careful with D that you don't have a Lambda function running for a LONG time trying to reach the API! Might require some extra work here to avoid that.)
upvoted 1 times
andylogan
3 years, 5 months ago
It's D E Since we need CloudWatch Events (aka EventBridge) but not CloudWatch Alarm in this case.
upvoted 2 times
tgv
3 years, 5 months ago
DDD EEE ---
upvoted 1 times
denccc
3 years, 6 months ago
it's D and E
upvoted 1 times
DerekKey
3 years, 6 months ago
A & B - wrong -> CloudWatch alarms are based on metrics.
C - wrong - no services in the correct answers write to SNS.
D - correct - Lambda -> SQS.
E - correct - EventBridge = CW Events -> SQS.
upvoted 2 times
blackgamer
3 years, 6 months ago
I believe D and E.
upvoted 1 times
WhyIronMan
3 years, 6 months ago
I'll go with D,E. SNS does not serve this purpose.
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other