SAP-C01 Exam Details

  • Exam Code: SAP-C01
  • Exam Name: AWS Certified Solutions Architect - Professional (SAP-C01)
  • Certification: Amazon Certifications
  • Vendor: Amazon
  • Total Questions: 973 Q&As
  • Last Updated: Jul 09, 2023

Amazon SAP-C01 Online Questions & Answers

  • Question 561:

    A Solutions Architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint. The Solutions Architect wants an end-to-end view of each request to analyze the latency of the request and create service maps.

    How can the Solutions Architect design the API Gateway access control and perform request inspections?

    A. For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Enable the API caller to sign requests with AWS Signature when accessing the endpoint. Use AWS X-Ray to trace and analyze user requests to API Gateway.
    B. For the API Gateway resource, set CORS to enabled and only return the company's domain in Access-Control-Allow-Origin headers. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
    C. Create an AWS Lambda function as the custom authorizer, ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the IAM system. Use AWS X-Ray to trace and analyze user requests to API Gateway.
    D. Create a client certificate for API Gateway. Distribute the certificate to the AWS users and roles that need to access the endpoint. Enable the API caller to pass the client certificate when accessing the endpoint. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.

  • Question 562:

    A company has multiple lines of business (LOBs) that roll up to the parent company. The company has asked its solutions architect to develop a solution with the following requirements:

    1. Produce a single AWS invoice for all of the AWS accounts used by its LOBs.
    2. The costs for each LOB account should be broken out on the invoice.
    3. Provide the ability to restrict services and features in the LOB accounts, as defined by the company's governance policy.
    4. Each LOB account should be delegated full administrator permissions, regardless of the governance policy.

    Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

    A. Use AWS Organizations to create an organization in the parent account for each LOB. Then, invite each LOB account to the appropriate organization.
    B. Use AWS Organizations to create a single organization in the parent account. Then, invite each LOB's AWS account to join the organization.
    C. Implement service quotas to define the services and features that are permitted and apply the quotas to each LOB as appropriate.
    D. Create an SCP that allows only approved services and features, then apply the policy to the LOB accounts. Enable consolidated billing in the parent account's billing console and link the LOB accounts.

  • Question 563:

    As a part of building large applications in the AWS Cloud, the Solutions Architect is required to implement the perimeter security protection. Applications running on AWS have the following endpoints:

    1. Application Load Balancer
    2. Amazon API Gateway regional endpoint
    3. Elastic IP address-based EC2 instances
    4. Amazon S3 hosted websites
    5. Classic Load Balancer

    The Solutions Architect must design a solution to protect all of the listed web front ends and provide the following security capabilities:

    1. DDoS protection
    2. SQL injection protection
    3. IP address whitelist/blacklist
    4. HTTP flood protection
    5. Bad bot scraper protection

    How should the Solutions Architect design the solution?

    A. Deploy AWS WAF and AWS Shield Advanced on all web endpoints. Add AWS WAF rules to enforce the company's requirements.
    B. Deploy Amazon CloudFront in front of all the endpoints. The CloudFront distribution provides perimeter protection. Add AWS Lambda-based automation to provide additional security.
    C. Deploy Amazon CloudFront in front of all the endpoints. Deploy AWS WAF and AWS Shield Advanced. Add AWS WAF rules to enforce the company's requirements. Use AWS Lambda to automate and enhance the security posture.
    D. Secure the endpoints by using network ACLs and security groups and adding rules to enforce the company's requirements. Use AWS Lambda to automatically update the rules.

  • Question 564:

    Which of the following IAM policy elements lets you specify an exception to a list of actions?

    A. NotException
    B. ExceptionAction
    C. Exception
    D. NotAction

  • Question 565:

    Your Fortune 500 company has undertaken a TCO analysis evaluating the use of Amazon S3 versus acquiring more hardware. The outcome was that all employees would be granted access to use Amazon S3 for storage of their personal documents.

    Which of the following will you need to consider so you can set up a solution that incorporates single sign-on from your corporate AD or LDAP directory and restricts access for each user to a designated user folder in a bucket? (Choose three.)

    A. Setting up a federation proxy or identity provider
    B. Using AWS Security Token Service to generate temporary tokens
    C. Tagging each folder in the bucket
    D. Configuring IAM role
    E. Setting up a matching IAM user for every user in your corporate directory that needs access to a folder in the bucket

  • Question 566:

    You are developing a new mobile application and are considering storing user preferences in AWS. This would provide a more uniform cross-device experience to users using multiple mobile devices to access the application. The preference data for each user is estimated to be 50KB in size. Additionally, 5 million customers are expected to use the application on a regular basis.

    The solution needs to be cost-effective, highly available, scalable and secure. How would you design a solution to meet the above requirements?

    A. Set up an RDS MySQL instance in 2 availability zones to store the user preference data. Deploy a public facing application on a server in front of the database to manage security and access credentials.
    B. Set up a DynamoDB table with an item for each user having the necessary attributes to hold the user preferences. The mobile application will query the user preferences directly from the DynamoDB table. Utilize STS, Web Identity Federation, and DynamoDB Fine Grained Access Control to authenticate and authorize access.
    C. Set up an RDS MySQL instance with multiple read replicas in 2 availability zones to store the user preference data. The mobile application will query the user preferences from the read replicas. Leverage the MySQL user management and access privilege system to manage security and access credentials.
    D. Store the user preference data in S3. Set up a DynamoDB table with an item for each user and an item attribute pointing to the user's S3 object. The mobile application will retrieve the S3 URL from DynamoDB and then access the S3 object directly. Utilize STS, Web Identity Federation, and S3 ACLs to authenticate and authorize access.

  • Question 567:

    In an AWS CloudFormation template, each resource declaration includes:

    A. a logical ID, a resource type, and resource properties
    B. a variable resource name and resource attributes
    C. an IP address and resource entities
    D. a physical ID, a resource file, and resource data

  • Question 568:

    A company runs an application on AWS. An AWS Lambda function uses credentials to authenticate to an Amazon RDS for MySQL DB instance. A security risk assessment identified that these credentials are not frequently rotated. Also, encryption at rest is not enabled for the DB instance. The security team requires that both of these issues be resolved.

    Which strategy should a solutions architect recommend to remediate these security risks?

    A. Configure the Lambda function to store and retrieve the database credentials in AWS Secrets Manager and enable rotation of the credentials. Take a snapshot of the DB instance and encrypt a copy of that snapshot. Replace the DB instance with a new DB instance that is based on the encrypted snapshot.
    B. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Modify the DB instance and enable encryption.
    C. Enable IAM DB authentication on the DB instance. Grant the Lambda execution role access to the DB instance. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.
    D. Configure the Lambda function to store and retrieve the database credentials as encrypted AWS Systems Manager Parameter Store parameters. Create another Lambda function to automatically rotate the credentials. Create an encrypted read replica of the DB instance. Promote the encrypted read replica to be the new primary node.

  • Question 569:

    A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.

    In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.

    Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)

    A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances.
    B. Check that the NACL is attached to the logging service subnets to allow communications to and from the interface endpoint subnets. Check that the NACL is attached to the interface endpoint subnet to allow communications to and from the logging service subnets running on EC2 instances.
    C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.
    D. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the clients.
    E. Check the security group for the NLB to ensure it allows ingress from the interface endpoint subnets.

  • Question 570:

    A user has created an AWS AMI. The user wants the AMI to be available only to his friend and not anyone else. How can the user manage this?

    A. Share the AMI with the community and setup the approval workflow before anyone launches it.
    B. It is not possible to share the AMI with the selected user.
    C. Share the AMI with a friend's AWS account ID.
    D. Share the AMI with a friend's AWS login ID.
