Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 751:

  An organization is making software for the CIA in USA. CIA agreed to host the application on AWS but in a secure environment. The organization is thinking of hosting the application on the AWS GovCloud region. Which of the below mentioned difference is not correct when the organization is hosting on the AWS GovCloud in comparison with the AWS standard region?

  A. The billing for the AWS GovCLoud will be in a different account than the Standard AWS account.

  B. GovCloud region authentication is isolated from Amazon.com.

  C. Physical and logical administrative access only to U.S. persons.

  D. It is physically isolated and has logical network isolation from all the other regions.

  Correct Answer: A

  AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. The AWS GovCloud (US) Region adheres to the U.S. International Traffic in Arms Regulations (ITAR) requirements. It has added advantages, such as: Restricting physical and logical administrative access to U.S. persons only There will be a separate AWS GovCloud (US) credentials, such as access key and secret access key than the standard AWS account The user signs in with the IAM user name and password The AWS GovCloud (US) Region authentication is completely isolated from Amazon.com If the organization is planning to host on EC2 in AWS GovCloud then it will be billed to standard AWS account of organization since AWS GovCloud billing is linked with the standard AWS account and is not be billed separately.

  Reference: http://docs.aws.amazon.com/govcloud-us/latest/UserGuide/whatis.html

• Question 752:

  An organization has created multiple components of a single application for compartmentalization. Currently all the components are hosted on a single EC2 instance. Due to security reasons the organization wants to implement two separate SSLs for the separate modules although it is already using VPC.

  How can the organization achieve this with a single instance?

  A. You have to launch two instances each in a separate subnet and allow VPC peering for a single IP.

  B. Create a VPC instance which will have multiple network interfaces with multiple elastic IP addresses.

  C. Create a VPC instance which will have both the ACL and the security group attached to it and have separate rules for each IP address.

  D. Create a VPC instance which will have multiple subnets attached to it and each will have a separate IP address.

  Correct Answer: B

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. With VPC the user can specify multiple private IP addresses for his instances. The number of network interfaces and private IP addresses that a user can specify for an instance depends on the instance type. With each network interface the organization can assign an EIP. This scenario helps when the user wants to host multiple websites on a single EC2 instance by using multiple SSL certificates on a single server and associating each certificate with a specific EIP address. It also helps in scenarios for operating network appliances, such as firewalls or load balancers that have multiple private IP addresses for each network interface.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html

• Question 753:

  An EC2 instance that performs source/destination checks by default is launched in a private VPC subnet. All security, NACL, and routing definitions are configured as expected. A custom NAT instance is launched.

  Which of the following must be done for the custom NAT instance to work?

  A. The source/destination checks should be disabled on the NAT instance.

  B. The NAT instance should be launched in public subnet.

  C. The NAT instance should be configured with a public IP address.

  D. The NAT instance should be configured with an elastic IP address.

  Correct Answer: A

  Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/ destination checks on the NAT instance.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/ VPC_NAT_Instance.html#EIP_DisableSrcDestCheck

• Question 754:

  An organization is setting up a highly scalable application using Elastic Beanstalk.

  They are using Elastic Load Balancing (ELB) as well as a Virtual Private Cloud (VPC) with public and

  private subnets. They have the following requirements:

  -

  All the EC2 instances should have a private IP

  -

  All the EC2 instances should receive data via the ELB's.

  Which of these will not be needed in this setup?

  A. Launch the EC2 instances with only the public subnet.

  B. Create routing rules which will route all inbound traffic from ELB to the EC2 instances.

  C. Configure ELB and NAT as a part of the public subnet only.

  D. Create routing rules which will route all outbound traffic from the EC2 instances through NAT.

  Correct Answer: A

  The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. If the organization wants the Amazon EC2 instances to have a private IP address, he should create a public and private subnet for VPC in each Availability Zone (this is an AWS Elastic Beanstalk requirement). The organization should add their public resources, such as ELB and NAT to the public subnet, and AWC Elastic Beanstalk will assign them unique elastic IP addresses (a static, public IP address). The organization should launch Amazon EC2 instances in a private subnet so that AWS Elastic Beanstalk assigns them non-routable private IP addresses. Now the organization should configure route tables with the following rules: route all inbound traffic from ELB to EC2 instances route all outbound traffic from EC2 instances through NAT

  Reference: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo-vpc.html

• Question 755:

  True or False: "In the context of Amazon ElastiCache, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node."

  A. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node since, each has a unique node identifier.

  B. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node.

  C. False, you can connect to a cache node, but not to a cluster configuration endpoint.

  D. False, you can connect to a cluster configuration endpoint, but not to a cache node.

  Correct Answer: B

  This is true. From the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node. In the process of connecting to cache nodes, the application resolves the configuration endpoint's DNS name. Because the configuration endpoint maintains CNAME entries for all of the cache nodes, the DNS name resolves to one of the nodes; the client can then connect to that node.

  Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/ AutoDiscovery.HowAutoDiscoveryWorks.html

• Question 756:

  In Amazon SNS, to send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following, except:

  A. Device token

  B. Client ID

  C. Registration ID

  D. Client secret

  Correct Answer: A

  To send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following: Registration ID and Client secret.

  Reference: http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePushPrereq.html

• Question 757:

  With Amazon Elastic MapReduce (Amazon EMR) you can analyze and process vast amounts of data. The

  cluster is managed using an open-source framework called Hadoop. You have set up an application to run

  Hadoop jobs. The application reads data from DynamoDB and generates a temporary file of 100 TBs.

  The whole process runs for 30 minutes and the output of the job is stored to S3.

  Which of the below mentioned options is the most cost effective solution in this case?

  A. Use Spot Instances to run Hadoop jobs and configure them with EBS volumes for persistent data storage.

  B. Use Spot Instances to run Hadoop jobs and configure them with ethereal storage for output file storage.

  C. Use an on demand instance to run Hadoop jobs and configure them with EBS volumes for persistent storage.

  D. Use an on demand instance to run Hadoop jobs and configure them with ephemeral storage for output file storage.

  Correct Answer: B

  AWS EC2 Spot Instances allow the user to quote his own price for the EC2 computing capacity. The user can simply bid on the spare Amazon EC2 instances and run them whenever his bid exceeds the current Spot Price. The Spot Instance pricing model complements the On-Demand and Reserved Instance pricing models, providing potentially the most cost-effective option for obtaining compute capacity, depending on the application. The only challenge with a Spot Instance is data persistence as the instance can be terminated whenever the spot price exceeds the bid price. In the current scenario a Hadoop job is a temporary job and does not run for a longer period. It fetches data from a persistent DynamoDB. Thus, even if the instance gets terminated there will be no data loss and the job can be re-run. As the output files are large temporary files, it will be useful to store data on ethereal storage for cost savings.

  Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/

• Question 758:

  One of the AWS account owners faced a major challenge in June as his account was hacked and the hacker deleted all the data from his AWS account. This resulted in a major blow to the business.

  Which of the below mentioned steps would not have helped in preventing this action?

  A. Setup an MFA for each user as well as for the root account user.

  B. Take a backup of the critical data to offsite / on premise.

  C. Create an AMI and a snapshot of the data at regular intervals as well as keep a copy to separate regions.

  D. Do not share the AWS access and secret access keys with others as well do not store it inside programs, instead use IAM roles.

  Correct Answer: C

  AWS security follows the shared security model where the user is as much responsible as Amazon. If the user wants to have secure access to AWS while hosting applications on EC2, the first security rule to follow is to enable MFA for all users. This will add an added security layer. In the second step, the user should never give his access or secret access keys to anyone as well as store inside programs. The better solution is to use IAM roles. For critical data of the organization, the user should keep an offsite/ in premise backup which will help to recover critical data in case of security breach. It is recommended to have AWS AMIs and snapshots as well as keep them at other regions so that they will help in the DR scenario. However, in case of a data security breach of the account they may not be very helpful as hacker can delete that. Therefore, creating an AMI and a snapshot of the data at regular intervals as well as keep a copy to separate regions, would not have helped in preventing this action.

• Question 759:

  What RAID method is used on the Cloud Block Storage back-end to implement a very high level of reliability and performance?

  A. RAID 1 (Mirror)

  B. RAID 5 (Blocks striped, distributed parity)

  C. RAID 10 (Blocks mirrored and striped)

  D. RAID 2 (Bit level striping)

  Correct Answer: C

  Cloud Block Storage back-end storage volumes employs the RAID 10 method to provide a very high level of reliability and performance.

  Reference: http://www.rackspace.com/knowledge_center/product-faq/cloud-block-storage

• Question 760:

  By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours, but you can request a duration as long as _________ hours.

  A. 24

  B. 36

  C. 10

  D. 48

  Correct Answer: B

  By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours, but you can request a duration as short as 15 minutes or as long as 36 hours.

  Reference: http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html