Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 131:

  A development team has created a new flight tracker application that provides near-real-time data to users. The application has a front end that consists of an Application Load Balancer (ALB) in front of two large Amazon EC2 instances in a single Availability Zone. Data is stored in a single Amazon RDS MySQL DB instance. An Amazon Route 53 DNS record points to the ALB.

  Management wants the development team to improve the solution to achieve maximum reliability with the least amount of operational overhead.

  Which set of actions should the team take?

  A. Create RDS MySQL read replicas. Deploy the application to multiple AWS Regions. Use a Route 53 latency-based routing policy to route to the application.

  B. Configure the DB instance as Multi-AZ. Deploy the application to two additional EC2 instances in different Availability Zones behind an ALB.

  C. Replace the DB instance with Amazon DynamoDB global tables. Deploy the application in multiple AWS Regions. Use a Route 53 latency-based routing policy to route to the application.

  D. Replace the DB instance with Amazon Aurora with Aurora Replicas. Deploy the application to multiple smaller EC2 instances across multiple Availability Zones in an Auto Scaling group behind an ALB.

  Correct Answer: D

  Multi AZ ASG + ALB + Aurora = Less over head and automatic scaling

  Reference: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html

• Question 132:

  A multimedia company with a single AWS account is launching an application for a global user base. The application storage and bandwidth requirements are unpredictable. The application will use Amazon EC2 instances behind an Application Load Balancer as the web tier and will use Amazon DynamoDB as the database tier. The environment for the application must meet the following requirements: Low latency when accessed from any part of the world WebSocket support End-to-end encryption Protection against the latest security threats Managed layer 7 DDoS protection

  Which actions should the solutions architect take to meet these requirements? (Choose two.)

  A. Use Amazon Route 53 and Amazon CloudFront for content distribution. Use Amazon S3 to store static content

  B. Use Amazon Route 53 and AWS Transit Gateway for content distribution. Use an Amazon Elastic Block Store (Amazon EBS) volume to store static content

  C. Use AWS WAF with AWS Shield Advanced to protect the application

  D. Use AWS WAF and Amazon Detective to protect the application

  E. Use AWS Shield Standard to protect the application

  Correct Answer: BC

• Question 133:

  A company is using AWS Organizations to manage 15 AWS accounts. A solutions architect wants to run advanced analytics on the company's cloud expenditures. The cost data must be gathered and made available from an analytics account. The analytics application runs in a VPC and must receive the raw cost data each night to run the analytics.

  The solutions architect has decided to use the Cost Explorer API to fetch the raw data and store the data in Amazon S3 in JSON format. Access to the raw cost data must be restricted to the analytics application. The solutions architect has already created an AWS Lambda function to collect data by using the Cost Explorer API.

  Which additional actions should the solutions architect take to meet these requirements?

  A. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.

  B. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create a gateway endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC by using the aws:SourceVpc condition.

  C. Create an IAM role in the Organizations master account with permissions to use the Cost Explorer API, and establish trust between the role and the analytics account. Update the Lambda function role and add sts:AssumeRole permissions. Assume the role in the master account from the Lambda function code by using the AWS Security Token Service (AWS STS) AssumeRole API call. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the analytics VPC private CIDR range by using the aws:SourceIp condition.

  D. Create an IAM role in the analytics account with permissions to use the Cost Explorer API. Update the Lambda function and assign the new role. Create an interface endpoint for Amazon S3 in the analytics VPC. Create an S3 bucket policy that allows access only from the S3 endpoint.

  Correct Answer: B

• Question 134:

  A company wants to migrate a 30 TB Oracle data warehouse from on premises to Amazon Redshift. The

  company used the AWS Schema Conversion Tool (AWS SCT) to convert the schema of the existing data

  warehouse to an Amazon Redshift schema. The company also used a migration assessment report to

  identify manual tasks to complete.

  The company needs to migrate the data to the new Amazon Redshift cluster during an upcoming data

  freeze period of 2 weeks. The only network connection between the on-premises data warehouse and

  AWS is a 50 Mbps internet connection.

  Which migration strategy meets these requirements?

  A. Create an AWS Database Migration Service (AWS DMS) replication instance. Authorize the public IP address of the replication instance to reach the data warehouse through the corporate firewall. Create a migration task to run at the beginning of the fata freeze period.

  B. Install the AWS SCT extraction agents on the on-premises servers. Define the extract, upload, and copy tasks to send the data to an Amazon S3 bucket. Copy the data into the Amazon Redshift cluster. Run the tasks at the beginning of the data freeze period.

  C. Install the AWS SCT extraction agents on the on-premises servers. Create a Site-to-Site VPN connection. Create an AWS Database Migration Service (AWS DMS) replication instance that is the appropriate size. Authorize the IP address of the replication instance to be able to access the on-premises data warehouse through the VPN connection.

  D. Create a job in AWS Snowball Edge to import data into Amazon S3. Install AWS SCT extraction agents on the on-premises servers. Define the local and AWS Database Migration Service (AWS DMS) tasks to send the data to the Snowball Edge device. When the Snowball Edge device is returned to AWS and the data is available in Amazon S3, run the AWS DMS subtask to copy the data to Amazon Redshift.

  Correct Answer: D

  AWS Database Migration Service (AWS DMS) can use Snowball Edge and Amazon S3 to migrate large databases more quickly than by other methods https://docs.aws.amazon.com/dms/latest/userguide/ CHAP_LargeDBs.html https:// www.calctool.org/CALC/prof/computing/transfer_time

• Question 135:

  A company that tracks medical devices in hospitals wants to migrate its existing storage solution to the AWS Cloud. The company equips all of its devices with sensors that collect location and usage information. This sensor data is sent in unpredictable patterns with large spikes. The data is stored in a MySQL database running on premises at each hospital. The company wants the cloud storage solution to scale with usage.

  The company's analytics team uses the sensor data to calculate usage by device type and hospital. The team needs to keep analysis tools running locally while fetching data from the cloud. The team also needs to use existing Java application and SQL queries with as few changes as possible.

  How should a solutions architect meet these requirements while ensuring the sensor data is secure?

  A. Store the data in an Amazon Aurora Serverless database. Serve the data through a Network Load Balancer (NLB). Authenticate users using the NLB with credentials stored in AWS Secrets Manager.

  B. Store the data in an Amazon S3 bucket. Serve the data through Amazon QuickSight using an IAM user authorized with AWS Identity and Access Management (IAM) with the S3 bucket as the data source.

  C. Store the data in an Amazon Aurora Serverless database. Serve the data through the Aurora Data API using an IAM user authorized with AWS Identity and Access Management (IAM) and the AWS Secrets Manager ARN.

  D. Store the data in an Amazon S3 bucket. Serve the data through Amazon Athena using AWS PrivateLink to secure the data in transit.

  Correct Answer: C

  https://aws.amazon.com/blogs/aws/new-data-api-for-amazon-aurora- serverless/ https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/ https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.html#data-api.access

  The data is currently stored in a MySQL database running on-prem. Storing MySQL data in S3 doesn't sound good so B and D are out. Aurora Data API "enables the SQL HTTP endpoint, a connectionless Web Service API for running SQL queries against this database. When the SQL HTTP endpoint is enabled, you can also query your database from inside the RDS console (these features are free to use)."

• Question 136:

  The following AWS Identity and Access Management (IAM) customer managed policy has been attached to an IAM user:

  

  Which statement describes the access that this policy provides to the user?

  A. The policy grants access to all Amazon S3 actions, including all actions in the prod-data S3 bucket

  B. This policy denies access to all Amazon S3 actions, excluding all actions in the prod-data S3 bucket

  C. This policy denies access to the Amazon S3 bucket and objects not having prod-data in the bucket name

  D. This policy grants access to all Amazon S3 actions in the prod-data S3 bucket, but explicitly denies access to all other AWS services

  Correct Answer: D

• Question 137:

  A company has implemented an ordering system using an event driven architecture. During initial testing, the system stopped processing orders. Further log analysis revealed that one order message in an Amazon Simple Queue Service (Amazon SQS) standard queue was causing an error on the backend and blocking all subsequent order messages. The visibility timeout of the queue is set to 30 seconds, and the backend processing timeout is set to 10 seconds. A solutions architect needs to analyze faulty order messages and ensure that the system continues to process subsequent messages.

  Which step should the solutions architect take to meet these requirements?

  A. Increase the backend processing timeout to 30 seconds to match the visibility timeout.

  B. Reduce the visibility timeout of the queue to automatically remove the faulty message.

  C. Configure a new SQS FIFO queue as a dead-letter queue to isolate the faulty messages.

  D. Configure a new SQS standard queue as a dead-letter queue to isolate the faulty messages.

  Correct Answer: D

  Reference: https://aws.amazon.com/blogs/compute/using-amazon-sqs-dead-letter-queues-to-controlmessage-failure/

• Question 138:

  A large company has a business-critical application that runs in a single AWS Region. The application consists of multiple Amazon EC2 instances and an Amazon RDS Multi-AZ DB instance. The EC2 instances run in an Amazon EC2 Auto Scaling group across multiple Availability Zones.

  A solutions architect is implementing a disaster recovery (DR) plan for the application. The solutions architect has created a pilot light application deployment in a new Region, which is referred to as the DR Region. The DR environment has an Auto Scaling group with a single EC2 instance and a read replica of the RDS DB instance.

  The solutions architect must automate a failover from the primary application environment to the pilot light environment in the DR Region.

  Which solution meets these requirements with the MOST operational efficiency?

  A. Publish an application availability metric to Amazon CloudWatch in the DR Region from the application environment in the primary Region. Create a CloudWatch alarm in the DR Region that is invoked when the application availability metric stops being delivered. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic in the DR Region. Add an email subscription to the SNS topic that sends messages to the application owner. Upon notification, instruct a systems operator to sign in to the AWS Management Console and initiate failover operations for the application.

  B. Create a cron task that runs every 5 minutes by using one of the application's EC2 instances in the primary Region. Configure the cron task to check whether the application is available. Upon failure, the cron task notifies a systems operator and attempts to restart the application services.

  C. Create a cron task that runs every 5 minutes by using one of the application's EC2 instances in the primary Region. Configure the cron task to check whether the application is available. Upon failure, the cron task modifies the DR environment by promoting the read replica and by adding EC2 instances to the Auto Scaling group.

  D. Publish an application availability metric to Amazon CloudWatch in the DR Region from the application environment in the primary Region. Create a CloudWatch alarm in the DR Region that is invoked when the application availability metric stops being delivered. Configure the CloudWatch alarm to send a notification to an Amazon Simple Notification Service (Amazon SNS) topic in the DR Region. Use an AWS Lambda function that is invoked by Amazon SNS in the DR Region to promote the read replica and to add EC2 instances to the Auto Scaling group.

  Correct Answer: D

• Question 139:

  An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service (Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application's authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service.

  Which solution meets these requirements with the MOST operational efficiency?

  A. Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses

  B. Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB

  C. Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges

  D. Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB

  Correct Answer: B

  The IP set match statement inspects the IP address of a web request against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. By default, AWS WAF uses the IP address from the web request origin, but you can configure the rule to use an HTTP header like X- Forwarded-For instead.

  Reference: https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html

• Question 140:

  A company needs to store and process image data that will be uploaded from mobile devices using a custom mobile app. Usage peaks between 8 AM and 5 PM on weekdays, with thousands of uploads per minute. The app is rarely used at any other time. A user is notified when image processing is complete.

  Which combination of actions should a solutions architect take to ensure image processing can scale to handle the load? (Choose three.)

  A. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon MQ queue.

  B. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue.

  C. Invoke an AWS Lambda function to perform image processing when a message is available in the queue.

  D. Invoke an S3 Batch Operations job to perform image processing when a message is available in the queue.

  E. Send a push notification to the mobile app by using Amazon Simple Notification Service (Amazon SNS) when processing is complete.

  F. Send a push notification to the mobile app by using Amazon Simple Email Service (Amazon SES) when processing is complete.

  Correct Answer: BCE

  https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops- basics.html