The following IAM policy is attached to an IAM group. This is the only policy applied to the group.
What are the effective IAM permissions of this policy for group members?
A. Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.
B. Group members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).
C. Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are authorized any other Amazon EC2 action.
D. Group members are allowed the ec2:StopInstances and ec2:TerminateInstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Groups are permitted any other Amazon EC2 action within the us-east-1 Region.
A company is planning on deploying a newly built application on AWS in a default VPC. The application will consist of a web layer and database layer. The web server was created in public subnets, and the MySQL database was created in private subnets. All subnets are created with the default network ACL settings, and the default security group in the VPC will be replaced with new custom security groups.
The following are the key requirements:
1. The web servers must be accessible only to users on an SSL connection.
2. The database should be accessible to the web layer, which is created in a public subnet only.
3. All traffic to and from the IP range 182.20.0.0/16 subnet should be blocked.
Which combination of steps meets these requirements? (Select TWO.)
A. Create a database server security group with inbound and outbound rules for MySQL port 3306 traffic to and from anywhere (0.0.0.0/0).
B. Create a database server security group with an inbound rule for MySQL port 3306 and specify the source as a web server security group.
C. Create a web server security group with an inbound allow rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0) and an inbound deny rule for IP range 182.20.0.0/16.
D. Create a web server security group with an inbound rule for HTTPS port 443 traffic from anywhere (0.0.0.0/0). Create network ACL inbound and outbound deny rules for IP range 182.20.0.0/16.
E. Create a web server security group with inbound and outbound rules for HTTPS port 443 traffic to and from anywhere (0.0.0.0/0). Create a network ACL inbound deny rule for IP range 182.20.0.0/16.
A company wants a storage option that enables its data science team to analyze its data on premises and in the AWS Cloud. The team needs to be able to run statistical analyses by using the data on premises and by using a fleet of Amazon EC2 instances across multiple Availability Zones. What should a solutions architect do to meet these requirements?
A. Use an AWS Storage Gateway tape gateway to copy the on-premises files into Amazon S3.
B. Use an AWS Storage Gateway volume gateway to copy the on-premises files into Amazon S3.
C. Use an AWS Storage Gateway file gateway to copy the on-premises files to Amazon Elastic Block Store (Amazon EBS).
D. Attach an Amazon Elastic File System (Amazon EFS) file system to the on-premises servers. Copy the files to Amazon EFS.
A company stores 200 GB of data each month in Amazon S3. The company needs to perform analytics on this data at the end of each month to determine the number of items sold in each sales region for the previous month. Which analytics strategy is MOST cost-effective for the company to use?
A. Create an Amazon Elasticsearch Service (Amazon ES) cluster. Query the data in Amazon ES. Visualize the data by using Kibana.
B. Create a table in the AWS Glue Data Catalog. Query the data in Amazon S3 by using Amazon Athena. Visualize the data in Amazon QuickSight.
C. Create an Amazon EMR cluster. Query the data by using Amazon EMR, and store the results in Amazon S3. Visualize the data in Amazon QuickSight.
D. Create an Amazon Redshift cluster. Query the data in Amazon Redshift, and upload the results to Amazon S3. Visualize the data in Amazon QuickSight.
A solutions architect must design a database solution for a high-traffic ecommerce web application. The database stores customer profiles and shopping cart information. The database must support a peak load of several million requests each second and deliver responses in milliseconds. The operational overhead for managing and scaling the database must be minimized.
Which database solution should the solutions architect recommend?
A. Amazon Aurora
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon Redshift
A business application is hosted on Amazon EC2 and uses Amazon S3 for encrypted object storage. The chief information security officer has directed that no application traffic between the two services should traverse the public internet. Which capability should the solutions architect use to meet the compliance requirements?
A. AWS Key Management Service (AWS KMS)
B. VPC endpoint
C. Private subnet
D. Virtual private gateway
A company is launching a new application deployed on an Amazon Elastic Container Service (Amazon ECS) cluster and is using the Fargate launch type for ECS tasks. The company is monitoring CPU and memory usage because it is expecting high traffic to the application upon its launch. However, the company wants to reduce costs when utilization decreases.
What should a solutions architect recommend?
A. Use Amazon EC2 Auto Scaling to scale at certain periods based on previous traffic patterns.
B. Use an AWS Lambda function to scale Amazon ECS based on metric breaches that trigger an Amazon CloudWatch alarm.
C. Use Amazon EC2 Auto Scaling with simple scaling policies to scale when ECS metric breaches trigger an Amazon CloudWatch alarm.
D. Use AWS Application Auto Scaling with target tracking policies to scale when ECS metric breaches trigger an Amazon CloudWatch alarm.
A recently acquired company is required to build its own infrastructure on AWS and migrate multiple applications to the cloud within a month. Each application has approximately 50 TB of data to be transferred. After the migration is complete, this company and its parent company will both require secure network connectivity with consistent throughput from their data centers to the applications. A solutions architect must ensure one-time data migration and ongoing network connectivity.
Which solution will meet these requirements?
A. AWS Direct Connect for both the initial transfer and ongoing connectivity.
B. AWS Site-to-Site VPN for both the initial transfer and ongoing connectivity.
C. AWS Snowball for the initial transfer and AWS Direct Connect for ongoing connectivity.
D. AWS Snowball for the initial transfer and AWS Site-to-Site VPN for ongoing connectivity.
A company is using a third-party vendor to manage its marketplace analytics. The vendor needs limited programmatic access to resources in the company's account. All the needed policies have been created to grant appropriate access. Which additional component will provide the vendor with the MOST secure access to the account?
A. Create an IAM user.
B. Implement a service control policy (SCP).
C. Use a cross-account role with an external ID.
D. Configure a single sign-on (SSO) identity provider.
A leasing company generates and emails PDF statements every month for all its customers. Each statement is about 400 KB in size. Customers can download their statements from the website for up to 30 days from when the statements were generated. At the end of their 3-year lease, the customers are emailed a ZIP file that contains all the statements.
What is the MOST cost-effective storage solution for this situation?
A. Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier storage after 1 day.
B. Store the statements using the Amazon S3 Glacier storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier Deep Archive storage after 30 days.
C. Store the statements using the Amazon S3 Standard storage class. Create a lifecycle policy to move the statements to Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) storage after 30 days.
D. Store the statements using the Amazon S3 Standard-Infrequent Access (S3 Standard-IA) storage class. Create a lifecycle policy to move the statements to Amazon S3 Glacier storage after 30 days.