top of page

Are AWS Certifications worth it? : AWS SA-Professional 3

Are AWS Certifications worth it? : AWS Solutions Architect - Profassional (SAP) Certification 3

AWS 자격증이 실무에서 쓰이나요? : AWS SA-Professional (SAP) Certification 3

Written by Minhyeok Cha



It's been a while since I've written AWS certification post, so let's get it started.


 

Question 1.

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.


The company's infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own network. However, individual accounts must be able to create AWS resources within the subnet.


What combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

 

Create a transit gateway in the infrastructure account.


Enable resource sharing from the AWS Organizations management account.


Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.


Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.


Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.



Solutions

This question is about how to you want to manage multiple AWS accounts.

임의의 계정 2개와 1개의 인프라 전용 계정이 존재할 때의 니즈:

For example, in the picture above, we have two random accounts and one dedicated to infrastructure.

The needs in question are:


  1. These accounts must be used to manage the network. Individual accounts cannot manage their own network.

  2. The individual accounts need to be able to create AWS resources within the subnet.


Since the infrastructure account itself is not designed to manage the network, you can see that the intent is to share permissions with accounts 1 and 2 so that they can manage the VPC subnet resources.


A is wrong - create a Transit Gateway, and as you can see from the architecture of the problem, there is only one VPC mentioned in one account. TG, as you know, is a service that bundles multiple VPCs, so A is not a good fit for this problem.

C is wrong - because building the same environment on each account is not a shared task.

E is wrong - can't share resources via RAM using prefix lists.

D is correct - directly shares the subnets


Therefore, the remaining answers, B & D, are correct and can be solved in AWS Resource Access Manager (RAM).


Correct Answers: B, D


AWS Organizations 마스터 계정에서 리소스 공유를 활성화
💡 B. Enable resource sharing in the AWS Organizations master account.
인프라 계정의 AWS Resource Access Manager에서 리소스 공유를 생성

공유 네트워크를 사용할 특정 AWS Organizations OU를 선택합니다. 리소스 공유와 연결할 각 서브넷을 선택합니다.
💡 D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU for which you want to use the shared network. Select each subnet that you want to associate with the resource share.


Question 2.

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third- party SaaS application also runs on AWS inside a VPC.


The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege.


Which solution meets these requirements?

 

Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.


Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.


Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.


Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.



Solutions

The question has "does not traverse the Internet" in the question, so we're going to eliminate B and C because it involves PrivateLink.


The correct answer for #2 is A, because the perspective is consulting from the consumer's point of view, not the provider's. Account authorization for the endpoint service in D is the provider's responsibility.


Correct Answer : A


We need to create users and providers as per the above solution, so I've set up the following architecture.

문제 2번 - 풀이에 해당하는 아키텍처

On the Provider VPC side, where you have the third-party SaaS application, you must first create an endpoint service.

💡Before creating the endpoint service, it supports network, gateway LB. 
The health check of the load balancer should be normal, and the output is shown in the picture below, but since we created the NLB in advance, we'll skip the creation process.

1. Provider accounts - Create an endpoint service

제공자 계정 - 엔드포인트 서비스 생성

2. Provider Account - Add a Consumer IAM ARN

제공자 계정 - 소비자 IAM ARN 추가

3. Consumer account - Name the endpoint service created in the provider account and send a connection request

소비자 계정 - 제공자 계정에서 만든 엔드포인트 서비스 이름 기입 후 연결 요청 보내기

4. Provider account - Accept connection request

제공자 계정 - 연결 요청 수락

5. Consumer account - Check status

소비자 계정 - 상태를 확인


Question 3.

A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:


✑ The database must use strong, randomly generated passwords stored in a secure AWS managed service.


✑ The application resources must be deployed through AWS CloudFormation.


✑ The application must rotate credentials for the database every 90 days.


A solutions architect will generate a CloudFormation template to deploy the application.


Which resources specified in the CloudFormation template will meet the security engineer's requirements with the LEAST amount of operational overhead?

 

Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.


Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.


Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.


Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.



Solution

This question is looking for a managed service for cryptographic key-levels in AWS. As you can see, there is AWS Secrets Manager and AWS Systems Manager Parameter Store, both of which are services that store key-values.


We need to know about each service before we can solve the problem, but as with any other problem, we can start by looking at the customer need in question

  • The database must use strong, randomly generated passwords stored in a secure AWS managed service.

  • Application resources must be deployed through AWS CloudFormation.

  • The application needs to replace the credentials to the database every 90 days.

  • The solutions architect generates a CloudFormation template to deploy the application.

B and D are excluded here because the ability to periodically replace credentials is a feature of AWS Secrets Manager, and additionally, they are using resources that are not supported by Cloudformation.


Parameter Store RotationSchedule 리소스는 존재하지 않으며 문서 확인 결과 AWS Secrets Manager에서 "RotationSchedule"를 확인할 수 있습니다.
💡 The Parameter Store RotationSchedule resource does not exist, and documentation checks show "RotationSchedule" in AWS Secrets Manager.

AWS CloudFormation은 현재 매개변수 유형 생성을 지원하지 않음
💡 AWS CloudFormation does not currently support creating a SecureString parameter type. 

Then we have to look at the remaining A and C, which is really just a problem of how we trigger the replacement cycle, and the answer is A because we don't have to use Amazon EventBridge, we have our own replacement capabilities.


Correct Answer : A


AWS Secrets Manager refresh cycle

AWS Secrets Manager의 교체 주기
💡 These days, IaCmetas need to be general purpose, so don't use CloudFormation very often. but I included it just in case there's a surprise CloudFormation question on t he AWS exam.


Conclusion

I hope the AWS SA certification questions we covered today have been helpful to you. If you have any questions about the solutions, notice any errors, or have additional queries, please feel free to contact us anytime at partner@smileshark.kr.

38 views0 comments

Comments


bottom of page