Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 681:

  Which of the following AWS services can be used to define alarms to trigger on a certain activity, such as activity success, failure, or delay in AWS Data Pipeline?

  A. Amazon SES

  B. Amazon CodeDeploy

  C. Amazon SNS

  D. Amazon SQS

  Correct Answer: C

  In AWS Data Pipeline, you can define Amazon SNS alarms to trigger on activities such as success, failure, or delay by creating an alarm object and referencing it in the onFail, onSuccess, or onLate slots of the activity object.

  Reference: https://aws.amazon.com/datapipeline/faqs/

• Question 682:

  Do you need to use Amazon Cognito to use the Amazon Mobile Analytics service?

  A. No. However, it is recommend by AWS to use Amazon Cognito for security best practices.

  B. Yes. You need to use it only if you have IAM root access.

  C. No. You cannot use it at all, and you need to use AWS IAM accounts.

  D. Yes. It is recommended by AWS to use Amazon Cognito to use Amazon Mobile Analytics service.

  Correct Answer: A

  You can initialize Amazon Mobile Analytics using AWS IAM accounts. AWS recommend using Amazon Cognito for security best practices.

  Reference: http://aws.amazon.com/mobileanalytics/faqs/

• Question 683:

  A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM.

  What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

  A. It will deny access

  B. It is not possible to set a policy based on the time or IP

  C. IAM will throw an error for policy conflict

  D. It will allow access

  Correct Answer: A

  When a request is made, the AWS IAM policy decides whether a given request should be allowed or denied. The evaluation logic follows these rules: By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.) An explicit allow policy overrides this default. An explicit deny policy overrides any allows. In this case since there are explicit deny and explicit allow statements. Thus, the request will be denied since deny overrides allow.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html

• Question 684:

  You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: is being used by CloudFront."

  Which of the following statements is probably the reason why you are getting this error?

  A. Before you can delete an SSL certificate you need to set up https on your server.

  B. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM

  C. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.

  D. You can't delete SSL certificates. You need to request it from AWS.

  Correct Answer: C

  CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css,.php, and image files, to end users. Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CloudFront certificate.

  Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html

• Question 685:

  An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module which logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file.

  If the application wants to setup a scalable infrastructure which of the below mentioned options will help achieve this setup?

  A. Host the log files on EBS with PIOPS which will have higher I/O.

  B. Host logging and the app server on separate servers such that they are both in the same zone.

  C. Host logging and the app server on the same instance so that the network latency will be shorter.

  D. Create a separate module for logging and using SQS compartmentalize the module such that all calls to logging are asynchronous.

  Correct Answer: D

  The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. The AWS architecture practice recommends compartmentalizing the functionality such that they can both run in parallel without affecting the performance of the main application. In this scenario logging takes a longer time due to the large size of the log file. Thus, it is recommended that the organization should separate them out and make separate modules and make asynchronous calls among them. This way the application can scale as per the requirement and the performance will not bear the impact of logging.

  Reference: http://www.awsarchitectureblog.com/2014/03/aws-and-compartmentalization.html

• Question 686:

  What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

  A. Very High but variable

  B. 20 Gigabit

  C. 5 Gigabit

  D. 10 Gigabit

  Correct Answer: D

  Networking performance offered by the c4.8xlarge instance is 10 Gigabit.

  Reference: http://aws.amazon.com/ec2/instance-types/

• Question 687:

  A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that the AWS CloudHSM is the best service for this. However, there seem to be a few pre-requisites before this can happen, one of those being a security group that has certain ports open.

  Which of the following is correct in regards to those security groups?

  A. A security group that has no ports open to your network.

  B. A security group that has only port 3389 (for RDP) open to your network.

  C. A security group that has only port 22 (for SSH) open to your network.

  D. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

  Correct Answer: D

  AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud. AWS CloudHSM requires the following environment before an HSM appliance can be provisioned. A virtual private cloud (VPC) in the region where you want the AWS

  CloudHSM service. One private subnet (a subnet with no Internet gateway) in the VPC. The HSM

  appliance is provisioned into this subnet.

  One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this

  subnet.

  An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to

  AWS CloudHSM.

  An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed.

  This instance is referred to as the control instance and is used to connect to and manage the HSM

  appliance. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This

  security group is attached to your control instances so you can access them remotely.

• Question 688:

  What is a possible reason you would need to edit claims issued in a SAML token?

  A. The NameIdentifier claim cannot be the same as the username stored in AD.

  B. Authentication fails consistently.

  C. The NameIdentifier claim cannot be the same as the claim URI.

  D. The NameIdentifier claim must be the same as the username stored in AD.

  Correct Answer: A

  The two reasons you would need to edit claims issued in a SAML token are:

  The NameIdentifier claim cannot be the same as the username stored in AD, and The app requires a

  different set of claim URIs.

  Reference:

  https://azure.microsoft.com/en-us/documentation/articles/active-directory-saml-claims-customization/

• Question 689:

  A user is creating a PIOPS volume. What is the maximum ratio the user should configure between PIOPS and the volume size?

  A. 5

  B. 10

  C. 20

  D. 30

  Correct Answer: D

  Provisioned IOPS volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. A provisioned IOPS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested can be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html

• Question 690:

  A user is planning to host a Highly Available system on the AWS VPC. Which of the below mentioned statements is helpful in this scenario?

  A. Create VPC subnets in two separate availability zones and launch instances in different subnets.

  B. Create VPC with only one public subnet and launch instances in different AZs using that subnet.

  C. Create two VPCs in two separate zones and setup failover with ELB such that if one VPC fails it will divert traffic to another VPC.

  D. Create VPC with only one private subnet and launch instances in different AZs using that subnet.

  Correct Answer: A

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span across zones.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet