Amazon SAP-C01 Online Practice Questions and Exam Preparation

Amazon SAP-C01 Online Questions & Answers

• Question 611:

  A company has implemented AWS Organizations. It has recently set up a number of new accounts and wants to deny access to a specific set of AWS services in these new accounts. How can this be controlled MOST efficiently?

  A. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM group, and add all IAM users to the group.
  B. Create a service control policy that denies access to the services. Add all of the new accounts to a single organizational unit (OU), and apply the policy to that OU.
  C. Create an IAM policy in each account that denies access to the services. Associate the policy with an IAM role, and instruct users to log in using their corporate credentials and assume the IAM role.
  D. Create a service control policy that denies access to the services, and apply the policy to the root of the organization.
  B. Create a service control policy that denies access to the services. Add all of the new accounts to a single organizational unit (OU), and apply the policy to that OU.

• Question 612:

  A company's security compliance requirements state that all Amazon EC2 images must be scanned for vulnerabilities and must pass a CVE assessment. A solutions architect is developing a mechanism to create security- approved AMIs that can be used by developers. Any new AMIs should go through an automated assessment process and be marked as approved before developers can use them. The approved images must be scanned every 30 days to ensure compliance.

  Which combination of steps should the solutions architect take to meet these requirements while following best practices? (Choose two.)

  A. Use the AWS Systems Manager EC2 agent to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
  B. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days.
  C. Use Amazon Inspector to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
  D. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use a managed AWS Config rule for continuous scanning on all EC2 instances, and use AWS Systems Manager Automation documents for remediation.
  E. Use AWS CloudTrail to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.
  B. Use AWS Lambda to write automatic approval rules. Store the approved AMI list in AWS Systems Manager Parameter Store. Use Amazon EventBridge to trigger an AWS Systems Manager Automation document on all EC2 instances every 30 days.
  C. Use Amazon Inspector to run the CVE assessment on the EC2 instances launched from the AMIs that need to be scanned.

• Question 613:

  An organization is planning to host an application on the AWS VPC. The organization wants dedicated instances. However, an AWS consultant advised the organization not to use dedicated instances with VPC as the design has a few limitations.

  Which of the below mentioned statements is not a limitation of dedicated instances with VPC?

  A. All instances launched with this VPC will always be dedicated instances and the user cannot use a default tenancy model for them.
  B. It does not support the AWS RDS with a dedicated tenancy VPC.
  C. The user cannot use Reserved Instances with a dedicated tenancy model.
  D. The EBS volume will not be on the same tenant hardware as the EC2 instance though the user has configured dedicated tenancy.
  C. The user cannot use Reserved Instances with a dedicated tenancy model.

• Question 614:

  A mobile gaming company is expanding into the global market. The company's game servers run in the us-east-1 Region. The game's client application uses UDP to communicate with the game servers and needs to be able to connect to a

  set of static IP addresses.

  The company wants its game to be accessible on multiple continents. The company also wants the game to maintain its network performance and global availability.

  Which solution meets these requirements?

  A. Provision an Application Load Balancer (ALB) in front of the game servers. Create an Amazon CloudFront distribution that has no geographical restrictions. Set the ALB as the origin. Perform DNS lookups for the cloudfront.net domain name. Use the resulting IP addresses in the game's client application.
  B. Provision game servers in each AWS Region. Provision an Application Load Balancer in front of the game servers. Create an Amazon Route 53 latency-based routing policy for the game's client application to use with DNS lookups.
  C. Provision game servers in each AWS Region. Provision a Network Load Balancer (NLB) in front of the game servers. Create an accelerator in AWS Global Accelerator, and configure endpoint groups in each Region. Associate the NLBs with the corresponding Regional endpoint groups. Point the game client's application to the Global Accelerator endpoints.
  D. Provision game servers in each AWS Region. Provision a Network Load Balancer (NLB) in front of the game servers. Create an Amazon CloudFront distribution that has no geographical restrictions. Set the NLB as the origin. Perform DNS lookups for the cloudfront.net domain name. Use the resulting IP addresses in the game's client application.
  A. Provision an Application Load Balancer (ALB) in front of the game servers. Create an Amazon CloudFront distribution that has no geographical restrictions. Set the ALB as the origin. Perform DNS lookups for the cloudfront.net domain name. Use the resulting IP addresses in the game's client application.

• Question 615:

  When using string conditions within IAM, short versions of the available comparators can be used instead of the more verbose ones. streqi is the short version of the _______ string condition.

  A. StringEqualsIgnoreCase
  B. StringNotEqualsIgnoreCase
  C. StringLikeStringEquals
  D. StringNotEquals
  A. StringEqualsIgnoreCase

• Question 616:

  A company needs to store and process image data that will be uploaded from mobile devices using a custom mobile app. Usage peaks between 8 AM and 5 PM on weekdays, with thousands of uploads per minute. The app is rarely used at any other time. A user is notified when image processing is complete.

  Which combination of actions should a solutions architect take to ensure image processing can scale to handle the load? (Choose three.)

  A. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon MQ queue.
  B. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue.
  C. Invoke an AWS Lambda function to perform image processing when a message is available in the queue.
  D. Invoke an S3 Batch Operations job to perform image processing when a message is available in the queue.
  E. Send a push notification to the mobile app by using Amazon Simple Notification Service (Amazon SNS) when processing is complete.
  F. Send a push notification to the mobile app by using Amazon Simple Email Service (Amazon SES) when processing is complete.
  B. Upload files from the mobile software directly to Amazon S3. Use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue.
  C. Invoke an AWS Lambda function to perform image processing when a message is available in the queue.
  E. Send a push notification to the mobile app by using Amazon Simple Notification Service (Amazon SNS) when processing is complete.

• Question 617:

  You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IOS IPS protection for traffic coming from the Internet. Which of the following options would you consider? (Choose two.)

  A. Implement IDS/IPS agents on each Instance running in VPC
  B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
  C. Implement Elastic Load Balancing with SSL listeners in front of the web applications
  D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.
  A. Implement IDS/IPS agents on each Instance running in VPC
  D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

• Question 618:

  A company has a single AWS master billing account, which is the root of the AWS Organizations hierarchy.

  The company has multiple AWS accounts within this hierarchy, all organized into organization units (OUs). More OUs and AWS accounts will continue to be created as other parts of the business migrate applications to AWS. These business units may need to use different AWS services. The Security team is implementing the following requirements for all current and future AWS accounts:

  1.

  Control policies must be applied across all accounts to prohibit AWS servers.

  2.

  Exceptions to the control policies are allowed based on valid use cases.

  Which solution will meet these requirements with minimal optional overhead?

  A. Use an SCP in Organizations to implement a deny list of AWS servers. Apply this SCP at the level. For any specific exceptions for an OU, create a new SCP for that OU and add the required AWS services to the allow list.
  B. Use an SCP in Organizations to implement a deny list of AWS service. Apply this SCP at the root level and each OU. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions, modify the SCP attached to that OU, and add the required AWS services to the allow list.
  C. Use an SCP in Organizations to implement a deny list of AWS service. Apply this SCP at each OU level. Leave the default AWS managed SCP at the root level. For any specific executions for an OU, create a new SCP for that OU.
  D. Use an SCP in Organizations to implement an allow list of AWS services. Apply this SCP at the root level. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions for an OU, modify the SCP attached to that OU, and add the required AWS services to the allow list.
  B. Use an SCP in Organizations to implement a deny list of AWS service. Apply this SCP at the root level and each OU. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions, modify the SCP attached to that OU, and add the required AWS services to the allow list.

• Question 619:

  A solutions architect is importing a VM from an on-premises environment by using the Amazon EC2 VM Import feature of AWS Import/Export. The solutions architect has created an AMI and has provisioned an Amazon EC2 instance that is

  based on that AMI. The EC2 instance runs inside a public subnet in a VPC and has a public IP address assigned.

  The EC2 instance does not appear as a managed instance in the AWS Systems Manager console.

  Which combination of steps should the solutions architect take to troubleshoot this issue? (Choose two.)

  A. Verify that Systems Manager Agent is installed on the instance and is running
  B. Verify that the instance is assigned an appropriate IAM role for Systems Manager.
  C. Verify the existence of a VPC endpoint on the VPC.
  D. Verify that the AWS Application Discovery Agent is configured.
  E. Verify the correct configuration of service-linked roles for Systems Manager.
  A. Verify that Systems Manager Agent is installed on the instance and is running
  B. Verify that the instance is assigned an appropriate IAM role for Systems Manager.
  D. Verify that the AWS Application Discovery Agent is configured.

• Question 620:

  A company recently transformed its legacy infrastructure provisioning scripts to AWS CloudFormation templates. The newly developed templates are hosted in the company's private GitHub repository. Since adopting CloudFormation, the company has encountered several issues with updates to the CloudFormation templates, causing execution or creating environment. Management is concerned by the increase in errors and has asked a Solutions Architect to design the automated testing of CloudFormation template updates.

  What should the Solution Architect do to meet these requirements?

  A. Use AWS CodePipeline to create a change set from the CloudFormation templates stored in the private GitHub repository. Execute the change set using AWS CodeDeploy. Include a CodePipeline action to test the deployment with testing scripts run by AWS CodeBuild.
  B. Mirror the GitHub repository to AWS CodeCommit using AWS Lambda. Use AWS CodeDeploy to create a change set from the CloudFormation templates and execute it. Have CodeDeploy test the deployment with testing scripts run by AWS CodeBuild.
  C. Use AWS CodePipeline to create and execute a change set from the CloudFormation templates stored in the GitHub repository. Configure a CodePipeline action to be deployment with testing scripts run by AWS CodeBuild.
  D. Mirror the GitHub repository to AWS CodeCommit using AWS Lambda. Use AWS CodeBuild to create a change set from the CloudFormation templates and execute it. Have CodeBuild test the deployment with testing scripts.
  B. Mirror the GitHub repository to AWS CodeCommit using AWS Lambda. Use AWS CodeDeploy to create a change set from the CloudFormation templates and execute it. Have CodeDeploy test the deployment with testing scripts run by AWS CodeBuild.