Amazon SAP-C01 Online Practice Questions and Exam Preparation

Amazon SAP-C01 Online Questions & Answers

• Question 391:

  A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer. The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application.

  How should a solutions architect configure the web ACLs to meet these requirements?

  A. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.
  B. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.
  C. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
  D. Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.
  B. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.

• Question 392:

  A company in the United States (US) has acquired a company in Europe. Both companies use the AWS Cloud. The US company has built a new application with a microservices architecture. The US company is hosting the application across five VPCs in the us-east-2 Region. The application must be able to access resources in one VPC in the eu-west-1 Region. However, the application must not be able to access any other VPCs.

  The VPCs in both Regions have no overlapping CIDR ranges. All Accounts are already consolidated in one organization in AWS Organizations.

  Which solution will meet these requirements MOST cost-effectively?

  A. Create one transit gateway in eu-west-1. Attach the VPCs in us-east-2 and the VPC in eu-west-1 to the transit gateway. Create the necessary route entries in each VPC so that the traffic is routed through the transit gateway.
  B. Create one transit gateway in each Region. Attach the involved subnets to the regional transit gateway. Create the necessary route entries in the associated route tables for each subnet so that the traffic is routed through the regional transit gateway. Peer the two transit gateways.
  C. Create a full mesh VPC peering connection configuration between all the VPCs. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.
  D. Create one VPC peering connection for each VPC in us-east-2 to the VPC in eu-west-1. Create the necessary route entries in each VPC so that the traffic is routed through the VPC peering connection.
  B. Create one transit gateway in each Region. Attach the involved subnets to the regional transit gateway. Create the necessary route entries in the associated route tables for each subnet so that the traffic is routed through the regional transit gateway. Peer the two transit gateways.

• Question 393:

  In the context of Amazon ElastiCache CLI, which of the following commands can you use to view all ElastiCache instance events for the past 24 hours?

  A. elasticache-events --duration 24
  B. elasticache-events --duration 1440
  C. elasticache-describe-events --duration 24
  D. elasticache describe-events --source-type cache-cluster --duration 1440
  D. elasticache describe-events --source-type cache-cluster --duration 1440

• Question 394:

  Which of the following is NOT a true statement about Auto Scaling?

  A. Auto Scaling can launch instances in different Azs.
  B. Auto Scaling can work with CloudWatch.
  C. Auto Scaling can launch an instance at a specific time.
  D. Auto Scaling can launch instances in different regions.
  D. Auto Scaling can launch instances in different regions.

• Question 395:

  What is the maximum length for a certificate ID in AWS IAM?

  A. 1024 characters
  B. 512 characters
  C. 64 characters
  D. 128 characters
  D. 128 characters

• Question 396:

  If a single condition within an IAM policy includes multiple values for one key, it will be evaluated using a logical______.

  A. OR
  B. NAND
  C. NOR
  D. AND
  A. OR

• Question 397:

  An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?

  A. The organization should create each user in a separate region so that they have their own URL to login
  B. The organization should create a separate login ID but give the IAM users the same alias so that each one can login with their alias
  C. It is not possible to have the same login ID for multiple IAM users of the same account
  D. The organization should create various groups and add each user with the same login ID to different groups. The user can login with their own group ID
  C. It is not possible to have the same login ID for multiple IAM users of the same account

• Question 398:

  A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-123456) to connect to the user's data center. The user's data center has CIDR 172.28.0.0/12. The user has also setup a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet.

  Which of the below mentioned options is not a valid entry for the main route table in this scenario?

  A. Destination: 20.0.0.0/16 and Target: local
  B. Destination: 0.0.0.0/0 and Target: i-123456
  C. Destination: 172.28.0.0/12 and Target: vgw-123456
  D. Destination: 20.0.1.0/24 and Target: i-123456
  D. Destination: 20.0.1.0/24 and Target: i-123456

• Question 399:

  During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability.

  Which solution will ensure that the credentials are appropriately secured automatically?

  A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
  B. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
  C. Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
  D. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
  A. Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.

• Question 400:

  A weather service provides high-resolution weather maps from a web application hosted on AWS in the eu-west-1 Region. The weather maps are updated frequently and stored in Amazon S3 along with static HTML content. The web application is fronted by Amazon CloudFront.

  The company recently expanded to serve users in the us-east-1 Region, and these new users report that viewing their respective weather maps is slow from time to time.

  Which combination of steps will resolve the us-east-1 performance issues? (Choose two.)

  A. Configure the AWS Global Accelerator endpoint for the S3 bucket in eu-west-1. Configure endpoint groups for TCP ports 80 and 443 in us-east-1.
  B. Create a new S3 bucket in us-east-1. Configure S3 cross-Region replication to synchronize from the S3 bucket in eu-west-1.
  C. Use Lambda@Edge to modify requests from North America to use the S3 Transfer Acceleration endpoint in us-east-1.
  D. Use Lambda@Edge to modify requests from North America to use the S3 bucket in us-east-1.
  E. Configure the AWS Global Accelerator endpoint for us-east-1 as an origin on the CloudFront distribution. Use Lambda@Edge to modify requests from North America to use the new origin.
  B. Create a new S3 bucket in us-east-1. Configure S3 cross-Region replication to synchronize from the S3 bucket in eu-west-1.
  C. Use Lambda@Edge to modify requests from North America to use the S3 Transfer Acceleration endpoint in us-east-1.