Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 761:

  An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices.

  Which of the below mentioned pointers will not help the organization achieve better security arrangement?

  A. Allow only IAM users to connect with the EC2 instances with their own secret access key.

  B. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.

  C. Apply the latest patch of OS and always keep it updated.

  D. Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.

  Correct Answer: A

  Since AWS is a public cloud any application hosted on EC2 is prone to hacker attacks. It becomes extremely important for a user to setup a proper security mechanism on the EC2 instances. A few of the security measures are listed below: Always keep the OS updated with the latest patch Always create separate users with in OS if they need to connect with the EC2 instances, create their keys and disable their password Create a procedure using which the admin can revoke the access of the user when the business work on the EC2 instance is completed. Lock down unnecessary ports. Audit any proprietary applications that the user may be running on the EC2 instance Provide temporary escalated privileges, such as sudo for users who need to perform occasional privileged tasks The IAM is useful when users are required to work with AWS resources and actions, such as launching an instance. It is not useful to connect (RDP / SSH) with an instance.

  Reference: http://aws.amazon.com/articles/1233/

• Question 762:

  Which statement is NOT true about a stack which has been created in a Virtual Private Cloud (VPC) in AWS OpsWorks?

  A. Subnets whose instances cannot communicate with the Internet are referred to as public subnets.

  B. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets.

  C. All instances in the stack should have access to any package repositories that your operating system depends on, such as the Amazon Linux or Ubuntu Linux repositories.

  D. Your app and custom cookbook repositories should be accessible for all instances in the stack.

  Correct Answer: A

  In AWS OpsWorks, you can control user access to a stack's instances by creating it in a virtual private cloud (VPC). For example, you might not want users to have direct access to your stack's app servers or databases and instead require that all public traffic be channeled through an Elastic Load Balancer. A VPC consists of one or more subnets, each of which contains one or more instances. Each subnet has an associated routing table that directs outbound traffic based on its destination IP address. Instances within a VPC can generally communicate with each other, regardless of their subnet. Subnets whose instances can communicate with the Internet are referred to as public subnets. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets. AWS OpsWorks requires the VPC to be configured so that every instance in the stack, including instances in private subnets, has access to the following endpoints: The AWS OpsWorks service, https://opsworks-instance-service.us-east-1.amazonaws.com. Amazon S3 The package repositories for Amazon Linux or Ubuntu 12.04 LTS, depending on which operating system you specify. Your app and custom cookbook repositories.

  Reference: http://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks-vpc.html#workingstacks-vpc-basics

• Question 763:

  A bucket owner has allowed another account's IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B. What will happen in this scenario?

  A. It is not possible to give permission to multiple IAM users

  B. AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object

  C. The bucket policy may not be created as S3 will give error due to conflict of Access Rights

  D. It is not possible that the IAM user of one account accesses objects of the other IAM user

  Correct Answer: B

  If a IAM user is trying to perform some action on an object belonging to another AWS user's bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

  Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

• Question 764:

  In a VPC, can you modify a set of DHCP options after you create them?

  A. Yes, you can modify a set of DHCP options within 48 hours after creation and there are no VPCs associated with them.

  B. Yes, you can modify a set of DHCP options any time after you create them.

  C. No, you can't modify a set of DHCP options after you create them.

  D. Yes, you can modify a set of DHCP options within 24 hours after creation.

  Correct Answer: C

  After you create a set of DHCP options, you can't modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_DHCP_Options.html

• Question 765:

  You have been given the task to define multiple AWS Data Pipeline schedules for different activities in the same pipeline.

  Which of the following would successfully accomplish this task?

  A. Creating multiple pipeline definition files

  B. Defining multiple pipeline definitions in your schedule objects file and associating the desired schedule to the correct activity via its schedule field

  C. Defining multiple schedule objects in your pipeline definition file and associating the desired schedule to the correct activity via its schedule field

  D. Defining multiple schedule objects in the schedule field

  Correct Answer: C

  To define multiple schedules for different activities in the same pipeline, in AWS Data Pipeline, you should define multiple schedule objects in your pipeline definition file and associate the desired schedule to the correct activity via its schedule field. As an example of this, it could allow you to define a pipeline in which log files are stored in Amazon S3 each hour to drive generation of an aggregate report once a day.

  Reference: https://aws.amazon.com/datapipeline/faqs/

• Question 766:

  Which of the following cache engines does Amazon ElastiCache support?

  A. Amazon ElastiCache supports Memcached and Redis.

  B. Amazon ElastiCache supports Redis and WinCache.

  C. Amazon ElastiCache supports Memcached and Hazelcast.

  D. Amazon ElastiCache supports Memcached only.

  Correct Answer: A

  The cache engines supported by Amazon ElastiCache are Memcached and Redis.

  Reference: http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/SelectEngine.html

• Question 767:

  If a single condition within an IAM policy includes multiple values for one key, it will be evaluated using a logical______.

  A. OR

  B. NAND

  C. NOR

  D. AND

  Correct Answer: A

  If a single condition within an IAM policy includes multiple values for one key, it will be evaluated using a logical OR.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

• Question 768:

  A user is trying to create a PIOPS EBS volume with 3 GB size and 90 IOPS. Will AWS create the volume?

  A. No, since the PIOPS and EBS size ratio is less than 30

  B. Yes, since the ratio between EBS and IOPS is less than 30

  C. No, the EBS size is less than 4GB

  D. Yes, since PIOPS is higher than 100

  Correct Answer: C

  A Provisioned IOPS (SSD) volume can range in size from 4 GiB to 16 TiB and you can provision up to 20,000 IOPS per volume.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html#EBSVolumeTypes_piops

• Question 769:

  What is the maximum length for a certificate ID in AWS IAM?

  A. 1024 characters

  B. 512 characters

  C. 64 characters

  D. 128 characters

  Correct Answer: D

  The maximum length for a certificate ID is 128 characters.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

• Question 770:

  In Amazon Cognito, your mobile app authenticates with the Identity Provider (IdP) using the provider's SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito, which returns a new _____ for the user and a set of temporary, limited-privilege AWS credentials.

  A. Cognito Key Pair

  B. Cognito API

  C. Cognito ID

  D. Cognito SDK

  Correct Answer: C

  Your mobile app authenticates with the identity provider (IdP) using the provider's SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

  Reference: http://aws.amazon.com/cognito/faqs/