Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 771:

  An organization is planning to create a secure scalable application with AWS VPC and ELB. The organization has two instances already running and each instance has an ENI attached to it in addition to a primary network interface. The primary network interface and additional ENI both have an elastic IP attached to it. If those instances are registered with ELB and the organization wants ELB to send data to a particular EIP of the instance, how can they achieve this?

  A. The organization should ensure that the IP which is required to receive the ELB traffic is attached to a primary network interface.

  B. It is not possible to attach an instance with two ENIs with ELB as it will give an IP conflict error.

  C. The organization should ensure that the IP which is required to receive the ELB traffic is attached to an additional ENI.

  D. It is not possible to send data to a particular IP as ELB will send to any one EIP.

  Correct Answer: A

  Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For the internet facing ELB it is required that the ELB should be in a public subnet. When the user registers a multi-homed instance (an instance that has an Elastic Network Interface (ENI) attached) with a load balancer, the load balancer will route the traffic to the IP address of the primary network interface (eth0).

  Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/gs-ec2VPC.html

• Question 772:

  Cognito Sync is an AWS service that you can use to synchronize user profile data across mobile devices without requiring your own backend. When the device is online, you can synchronize data.

  If you also set up push sync, what does it allow you to do?

  A. Notify other devices that a user profile is available across multiple devices

  B. Synchronize user profile data with less latency

  C. Notify other devices immediately that an update is available

  D. Synchronize online data faster

  Correct Answer: C

  Cognito Sync is an AWS service that you can use to synchronize user profile data across mobile devices without requiring your own backend. When the device is online, you can synchronize data, and if you have also set up push sync, notify other devices immediately that an update is available.

  Reference: http://docs.aws.amazon.com/cognito/devguide/sync/

• Question 773:

  What is the maximum length for an instance profile name in AWS IAM?

  A. 512 characters

  B. 128 characters

  C. 1024 characters

  D. 64 characters

  Correct Answer: B

  The maximum length for an instance profile name is 128 characters.

  Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

• Question 774:

  An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.

  How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

  A. The organization should not accept the request as sharing the credentials means compromising on security.

  B. Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.

  C. Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.

  D. The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization's data center.

  Correct Answer: C

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can

  create subnets as per the requirement within a VPC. The VPC also works with IAM and the organization

  can create IAM users who have access to various VPC services. If an auditor wants to have access to the

  AWS VPC to verify the rules, the organization should be careful before sharing any data which can allow

  making updates to the AWS infrastructure. In this scenario it is recommended that the organization creates

  an IAM user who will have read only access to the VPC. Share the above mentioned credentials with the

  auditor as it cannot harm the organization. The sample policy is given below:

  {

  "Effect":"Allow", "Action": [ "ec2:DescribeVpcs", "ec2:DescribeSubnets",

  "ec2: DescribeInternetGateways", "ec2:DescribeCustomerGateways", "ec2:DescribeVpnGateways",

  "ec2:DescribeVpnConnections", "ec2:DescribeRouteTables", "ec2:DescribeAddresses",

  "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkAcls", "ec2:DescribeDhcpOptions",

  "ec2:DescribeTags", "ec2:DescribeInstances"

  ],

  "Resource":"*"

  }

  Reference:

  http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html

• Question 775:

  ABC has three separate departments and each department has their own AWS accounts. The HR department has created a file sharing site where all the on roll employees' data is uploaded. The Admin department uploads data about the employee presence in the office to their DB hosted in the VPC. The Finance department needs to access data from the HR department to know the on roll employees to calculate the salary based on the number of days that an employee is present in the office. How can ABC setup this scenario?

  A. It is not possible to configure VPC peering since each department has a separate AWS account.

  B. Setup VPC peering for the VPCs of Admin and Finance.

  C. Setup VPC peering for the VPCs of Finance and HR as well as between the VPCs of Finance and Admin.

  D. Setup VPC peering for the VPCs of Admin and HR

  Correct Answer: C

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. A VPC peering connection allows the user to route traffic between the peer VPCs using private IP addresses as if they are a part of the same network. This is helpful when one VPC from the same or different AWS account wants to connect with resources of the other VPC.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-fullaccess.html#three-vpcs-full-access.

• Question 776:

  An organization is purchasing licensed software. The software license can be registered only to a specific MAC Address. The organization is going to host the software in the AWS environment. How can the organization fulfil the license requirement as the MAC address changes every time an instance is started/ stopped/terminated?

  A. It is not possible to have a fixed MAC address with AWS.

  B. The organization should use VPC with the private subnet and configure the MAC address with that subnet.

  C. The organization should use VPC with an elastic network interface which will have a fixed MAC Address.

  D. The organization should use VPC since VPC allows to configure the MAC address for each EC2 instance.

  Correct Answer: C

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. An ENI can include attributes such as: a primary private IP address, one or more secondary private IP addresses, one elastic IP address per private IP address, one public IP address, one or more security groups, a MAC address, a source/destination check flag, and a description. The user can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow the network interface as it is attached or detached from an instance and reattached to another instance. Thus, the user can maintain a fixed MAC using the network interface.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

• Question 777:

  A user is trying to create a vault in AWS Glacier. The user wants to enable notifications.

  In which of the below mentioned options can the user enable the notifications from the AWS console?

  A. Glacier does not support the AWS console

  B. Archival Upload Complete

  C. Vault Upload Job Complete

  D. Vault Inventory Retrieval Job Complete

  Correct Answer: D

  From AWS console the user can configure to have notifications sent to Amazon Simple Notifications Service (SNS). The user can select specific jobs that, on completion, will trigger the notifications such as Vault Inventory Retrieval Job Complete and Archive Retrieval Job Complete.

  Reference: http://docs.aws.amazon.com/amazonglacier/latest/dev/configuring-notifications-console.html

• Question 778:

  An organization is planning to setup a management network on the AWS VPC. The organization is trying to secure the webserver on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make so that the back end management network interface can receive the SSH traffic only from a selected IP range, while the internet facing webserver will have an IP address which can receive traffic from all the internet IPs.

  How can the organization achieve this by running web server on a single instance?

  A. It is not possible to have two IP addresses for a single instance.

  B. The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.

  C. The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.

  D. The organization should launch an instance with two separate subnets using the same network interface which allows to have a separate CIDR as well as security groups.

  Correct Answer: C

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can create a management network using two separate network interfaces. For the present scenario it is required that the secondary network interface on the instance handles the public facing traffic and the primary network interface handles the back-end management traffic and it is connected to a separate subnet in the VPC that has more restrictive access controls. The public facing interface, which may or may not be behind a load balancer, has an associated security group to allow access to the server from the internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the internet, a private subnet within the VPC or a virtual private gateway.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

• Question 779:

  A user is planning to use EBS for his DB requirement. The user already has an EC2 instance running in

  the VPC private subnet.

  How can the user attach the EBS volume to a running instance?

  A. The user can create EBS in the same zone as the subnet of instance and attach that EBS to instance.

  B. It is not possible to attach an EBS to an instance running in VPC until the instance is stopped.

  C. The user can specify the same subnet while creating EBS and then attach it to a running instance.

  D. The user must create EBS within the same VPC and then attach it to a running instance.

  Correct Answer: A

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets as per the requirement within a VPC. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. The instance launched will always be in the same availability zone of the respective subnet. When creating an EBS the user cannot specify the subnet or VPC. However, the user must create the EBS in the same zone as the instance so that it can attach the EBS volume to the running instance.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html#VPCSubnet

• Question 780:

  The user has provisioned the PIOPS volume with an EBS optimized instance.

  Generally speaking, in which I/O chunk should the bandwidth experienced by the user be measured by

  AWS?

  A. 128 KB

  B. 256 KB

  C. 64 KB

  D. 32 KB

  Correct Answer: B

  IOPS are input/output operations per second. Amazon EBS measures each I/O operation per second (that is 256 KB or smaller) as one IOPS.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html