Amazon SAP-C01 Online Practice Questions and Exam Preparation

Amazon SAP-C01 Online Questions & Answers

• Question 401:

  A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value.

  A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high.

  What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?

  A. Create two cache behaviors for static and dynamic content. Remove the User-Agent and Host HTTP headers from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
  B. Remove the User-Agent and Authorization HTTP headers from the whitelist headers section of the cache behavior. Then update the cache behavior to use presigned cookies for authorization.
  C. Remove the Host HTTP header from the whitelist headers section and remove the session cookie from the whitelist cookies section for the default cache behavior. Enable automatic object compression and use Lambda@Edge viewer request events for user authorization.
  D. Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.
  D. Create two cache behaviors for static and dynamic content. Remove the User-Agent HTTP header from the whitelist headers section on both of the cache behaviors. Remove the session cookie from the whitelist cookies section and the Authorization HTTP header from the whitelist headers section for cache behavior configured for static content.

• Question 402:

  A company uses a load balancer to distribute traffic to Amazon EC2 instances in a single Availability Zone. The company is concerned about security and wants a solutions architect to re-architect the solution to meet the following requirements:

  Inbound requests must be filtered for common vulnerability attacks. Rejected requests must be sent to a third-party auditing application. All resources should be highly available.

  Which solution meets these requirements?

  A. Configure a Multi-AZ Auto Scaling group using the application's AMI. Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Use Amazon Inspector to monitor traffic to the ALB and EC2 instances. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB. Use an AWS Lambda function to frequently push the Amazon Inspector report to the third-party auditing application
  B. Configure an Application Load Balancer (ALB) and add the EC2 instances as targets. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB name and enable logging with Amazon CloudWatch Logs. Use an AWS Lambda function to frequently push the logs to the third-party auditing application.
  C. Configure an Application Load Balancer (ALB) along with a target group adding the EC2 instances as targets. Create an Amazon Kinesis Data Firehose with the destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
  D. Configure a Multi-AZ Auto Scaling group using the application's AMI Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.
  D. Configure a Multi-AZ Auto Scaling group using the application's AMI Create an Application Load Balancer (ALB) and select the previously created Auto Scaling group as the target. Create an Amazon Kinesis Data Firehose with a destination of the third-party auditing application. Create a web ACL in WAF. Create an AWS WAF using the web ACL and ALB then enable logging by selecting the Kinesis Data Firehose as the destination. Subscribe to AWS Managed Rules in AWS Marketplace, choosing the WAF as the subscriber.

• Question 403:

  A solutions architect needs to migrate 50 TB of NFS data to Amazon S3. The files are on several NFS file servers on corporate network. These are dense file systems containing tens of millions of small files. The system operators have

  configured the file interface on an AWS Snowball Edge device and are using a shell script to copy data.

  Developers report that copying the data to the Snowball Edge device is very slow. The solutions architect suspects this may be related to the overhead of encrypting all the small files and transporting them over the network.

  Which changes can be made to speed up the data transfer?

  A. Cluster two Snowball Edge devices together to increase the throughput of the devices.
  B. Change the solution to use the S3 Adapter instead of the file interface on the Snowball Edge device.
  C. Increase the number of parallel copy jobs to increase the throughput of the Snowball Edge device.
  D. Connect directly to the USB interface on the Snowball Edge device and copy the files locally.
  B. Change the solution to use the S3 Adapter instead of the file interface on the Snowball Edge device.

• Question 404:

  A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost lor cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation.

  Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Select THREE.)

  A. Create an AWS Config rule in each account to find resources with missing tags.
  B. Create an SCP in the organization with a deny action for ec2:Runlnstances if the Project tag is missing.
  C. Use Amazon Inspector in the organization to find resources with missing tags.
  D. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is missing.
  E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.
  F. Use AWS Security Hub to aggregate a list of EC2 instances with the missing Project tag.
  B. Create an SCP in the organization with a deny action for ec2:Runlnstances if the Project tag is missing.
  D. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is missing.
  E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.

• Question 405:

  An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices. Which of the below mentioned pointers will not help the organization achieve better security arrangement?

  A. Allow only IAM users to connect with the EC2 instances with their own secret access key.
  B. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.
  C. Apply the latest patch of OS and always keep it updated.
  D. Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
  A. Allow only IAM users to connect with the EC2 instances with their own secret access key.

• Question 406:

  Your company plans to host a large donation website on Amazon Web Services (AWS). You anticipate a large and undetermined amount of traffic that will create many database writes. To be certain that you do not drop any writes to a database hosted on AWS.

  Which service should you use?

  A. Amazon RDS with provisioned IOPS up to the anticipated peak write throughput.
  B. Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database.
  C. Amazon ElastiCache to store the writes until the writes are committed to the database.
  D. Amazon DynamoDB with provisioned write throughput up to the anticipated peak write throughput.
  B. Amazon Simple Queue Service (SQS) for capturing the writes and draining the queue to write to the database.

• Question 407:

  A company is planning to migrate an existing high performance computing (HPE) solution to the AWS Cloud. The existing solution consists of a 12-node cluster running Linux with high speed interconnectivity developed on a single rack. A solutions architect needs to optimize the performance of the HPE cluster.

  Which combination of steps will meet these requirements? (Choose two.)

  A. Deploy instances across at least three Availability Zones.
  B. Deploy Amazon EC2 instances in a placement group.
  C. Use Amazon EC2 instances that support Elastic Fabric Adapter (EFA).
  D. Use Amazon EC2 instances that support burstable performance.
  E. Enable CPU hyperthreading.
  B. Deploy Amazon EC2 instances in a placement group.
  E. Enable CPU hyperthreading.

• Question 408:

  How many cg1.4xlarge on-demand instances can a user run in one region without taking any limit increase approval from AWS?

  A. 20
  B. 2
  C. 5
  D. 10
  B. 2

• Question 409:

  Which of the following is NOT true of the DynamoDB Console?

  A. It allows you to add local secondary indexes to existing tables.
  B. It allows you to query a table.
  C. It allows you to set up alarms to monitor your table's capacity usage.
  D. It allows you to view items stored in a tables, add, update, and delete items.
  A. It allows you to add local secondary indexes to existing tables.

• Question 410:

  A healthcare company runs a production workload on AWS that stores highly sensitive personal information. The security team mandates that, for auditing purposes, any AWS API action using AWS account root user credentials must automatically create a high-priority ticket in the company's ticketing system. The ticketing system has a monthly 3-hour maintenance window when no tickets can be created.

  To meet security requirements, the company enabled AWS CloudTrail logs and wrote a scheduled AWS Lambda function that uses Amazon Athena to query API actions performed by the root user. The Lambda function submits any actions found to the ticketing system API. During a recent security audit, the security team discovered that several tickets were not created because the ticketing system was unavailable due to planned maintenance.

  Which combination of steps should a solutions architect take to ensure that the incidents are reported to the ticketing system even during planned maintenance? (Choose two.)

  A. Create an Amazon SNS topic to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to invoke the Lambda function.
  B. Create an Amazon SQS queue to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to publish to the SQS queue.
  C. Modify the Lambda function to be triggered by messages published to an Amazon SNS topic. Update the existing application code to retry every 5 minutes if the ticketing system's API endpoint is unavailable.
  D. Modify the Lambda function to be triggered when there are messages in the Amazon SQS queue and to return successfully when the ticketing system API has processed the request.
  E. Create an Amazon EventBridge rule that triggers on all API events where the invoking user identity is root. Configure the EventBridge rule to write the event to an Amazon SQS queue.
  B. Create an Amazon SQS queue to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm to publish to the SQS queue.
  D. Modify the Lambda function to be triggered when there are messages in the Amazon SQS queue and to return successfully when the ticketing system API has processed the request.