Amazon SAP-C02 Online Practice Questions and Exam Preparation

Amazon SAP-C02 Online Questions & Answers

• Question 291:

  A company is running an application distributed over several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer The security team requires that all application access attempts be made available for analysis Information about the client IP address, connection type, and user agent must be included.

  Which solution will meet these requirements?

  A. Enable EC2 detailed monitoring, and include network logs Send all logs through Amazon Kinesis Data Firehose to an Amazon ElasDcsearch Service (Amazon ES) cluster that the security team uses for analysis.
  B. Enable VPC Flow Logs for all EC2 instance network interfaces Publish VPC Flow Logs to an Amazon S3 bucket Have the security team use Amazon Athena to query and analyze the logs
  C. Enable access logs for the Application Load Balancer, and publish the logs to an Amazon S3 bucket Have the security team use Amazon Athena to query and analyze the logs
  D. Enable Traffic Mirroring and specify all EC2 instance network interfaces as the source. Send all traffic information through Amazon Kinesis Data Firehose to an Amazon Elastic search Service (Amazon ES) cluster that the security team uses for analysis.
  C. Enable access logs for the Application Load Balancer, and publish the logs to an Amazon S3 bucket Have the security team use Amazon Athena to query and analyze the logs

  ---

  Explanation

  https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html

• Question 292:

  A solutions architect needs to assess a newly acquired company's portfolio of applications and databases. The solutions architect must create a business case to migrate the portfolio to AWS. The newly acquired company runs applications in an on-premises data center. The data center is not well documented. The solutions architect cannot immediately determine how many applications and databases exist. Traffic for the applications is variable. Some applications are batch processes that run at the end of each month.

  The solutions architect must gain a better understanding of the portfolio before a migration to AWS can begin.

  Which solution will meet these requirements?

  A. Use AWS Server Migration Service (AWS SMS) and AWS Database Migration Service (AWS DMS) to evaluate migration. Use AWS Service Catalog to understand application and database dependencies.
  B. Use AWS Application Migration Service. Run agents on the on-premises infrastructure. Manage the agents by using AWS Migration Hub. Use AWS Storage Gateway to assess local storage needs and database dependencies.
  C. Use Migration Evaluator to generate a list of servers. Build a report for a business case. Use AWS Migration Hub to view the portfolio. Use AWS Application Discovery Service to gain an understanding of application dependencies.
  D. Use AWS Control Tower in the destination account to generate an application portfolio. Use AWS Server Migration Service (AWS SMS) to generate deeper reports and a business case. Use a landing zone for core accounts and resources.
  C. Use Migration Evaluator to generate a list of servers. Build a report for a business case. Use AWS Migration Hub to view the portfolio. Use AWS Application Discovery Service to gain an understanding of application dependencies.

  ---

  Explanation

  The company should use Migration Evaluator to generate a list of servers and build a report for a business case. The company should use AWS Migration Hub to view the portfolio and use AWS Application Discovery Service to gain an

  understanding of application dependencies. This solution will meet the requirements because Migration Evaluator is a migration assessment service that helps create a data-driven business case for AWS cloud planning and migration.

  Migration Evaluator provides a clear baseline of what the company is running today and projects AWS costs based on measured on- premises provisioning and utilization1. Migration Evaluator can use an agentless collector to conduct broad-

  based discovery or securely upload exports from existing inventory tools2 . Migration Evaluator integrates with AWS Migration Hub, which is a service that provides a single location to track the progress of application migrations across

  multiple AWS and partner solutions3. Migration Hub also supports AWS Application Discovery Service, which is a service that helps systems integrators quickly and reliably plan application migration projects by automatically identifying

  applications running in on-premises data centers, their associated dependencies, and their performance profile4.

  https://aws.amazon.com/migration-evaluator/

  https://docs.aws.amazon.com/migration-evaluator/latest/userguide/what-is.html

  https://aws.amazon.com/migration-hub/

  https://aws.amazon.com/application-discovery/

  https://aws.amazon.com/server-migration-service/

  https://aws.amazon.com/dms/

  https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

  https://aws.amazon.com/application-migration-service/

  https://aws.amazon.com/storagegateway/

• Question 293:

  A company standardized its method of deploying applications to AWS using AWS CodePipeline and AWS Cloud Formation. The applications are in Typescript and Python. The company has recently acquired another business that deploys applications to AWS using Python scripts.

  Developers from the newly acquired company are hesitant to move their applications under CloudFormation because it would require than they learn a new domain-specific language and eliminate their access to language features, such as looping.

  How can the acquired applications quickly be brought up to deployment standards while addressing the developers' concerns?

  A. Create CloudFormation templates and re-use parts of the Python scripts as instance user data. Use the AWS Cloud Development Kit (AWS CDK) to deploy the application using these templates. Incorporate the AWS CDK into CodePipeline and deploy the application to AWS using these templates.
  B. Use a third-party resource provisioning engine inside AWS CodeBuild to standardize the deployment processes of the existing and acquired company. Orchestrate the CodeBuild job using CodePipeline.
  C. Standardize on AWS OpsWorks. Integrate OpsWorks with CodePipeline. Have the developers create Chef recipes to deploy their applications on AWS.
  D. Define the AWS resources using Typescript or Python. Use the AWS Cloud Development Kit (AWS CDK) to create CloudFormation templates from the developers' code, and use the AWS CDK to create CloudFormation stacks. Incorporate the AWS CDK as a CodeBuild job in CodePipeline.
  D. Define the AWS resources using Typescript or Python. Use the AWS Cloud Development Kit (AWS CDK) to create CloudFormation templates from the developers' code, and use the AWS CDK to create CloudFormation stacks. Incorporate the AWS CDK as a CodeBuild job in CodePipeline.

  ---

  Explanation

• Question 294:

  A company has a new application that needs to run on five Amazon EC2 instances in a single AWS Region. The application requires high-throughput, low-latency network connections between all of the EC2 instances where the application will run. There is no requirement for the application to be fault tolerant.

  Which solution will meet these requirements?

  A. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2 instance type supports enhanced networking.
  B. Launch five new EC2 instances into an Auto Scaling group in the same Availability Zone. Attach an extra elastic network interface to each EC2 instance.
  C. Launch five new EC2 instances into a partition placement group. Ensure that the EC2 instance type supports enhanced networking.
  D. Launch five new EC2 instances into a spread placement group. Attach an extra elastic network interface to each EC2 instance.
  A. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2 instance type supports enhanced networking.

  ---

  Explanation

  When you launch EC2 instances in a cluster they benefit from performance and low latency. No redundancy though as per the questionhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html.

• Question 295:

  A solutions architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint The solutions architect wants an end-to-end view of each request to analyze the latency of the request and create service maps

  How can the Solutions Architect design the API Gateway access control and perform request inspections?

  A. For the API Gateway method, set the authorization to AWSJAM Then, give the IAM user or role execute-api Invoke permission on the REST API resource Enable the API caller to sign requests with AWS Signature when accessing the endpoint Use AWS X-Ray to trace and analyze user requests to API Gateway
  B. For the API Gateway resource set CORS to enabled and only return the company's domain in Access-Control-Allow-Origin headers Then give the IAM user or role execute-api Invoke permission on the REST API resource Use Amazon CloudWatch to trace and analyze user requests to API Gateway
  C. Create an AWS Lambda function as the custom authorizer ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the IAM system Use AWS X-Ray to trace and analyze user requests to API Gateway
  D. Create a client certificate for API Gateway Distribute the certificate to the AWS users and roles that need to access the endpoint Enable the API caller to pass the client certificate when accessing the endpoint. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.
  A. For the API Gateway method, set the authorization to AWSJAM Then, give the IAM user or role execute-api Invoke permission on the REST API resource Enable the API caller to sign requests with AWS Signature when accessing the endpoint Use AWS X-Ray to trace and analyze user requests to API Gateway

  ---

  Explanation

• Question 296:

  A company processes environment data. The has a set up sensors to provide a continuous stream of data from different areas in a city. The data is available in JSON format.

  The company wants to use an AWS solution to send the data to a database that does not require fixed schemas for storage. The data must be send in real time.

  Which solution will meet these requirements?

  A. Use Amazon Kinesis Data Firehouse to send the data to Amazon Redshift.
  B. Use Amazon Kinesis Data streams to send the data to Amazon DynamoDB.
  C. Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to send the data to Amazon Aurora.
  D. Use Amazon Kinesis Data firehouse to send the data to Amazon Keyspaces (for Apache Cassandra).
  B. Use Amazon Kinesis Data streams to send the data to Amazon DynamoDB.

  ---

  Explanation

  : Amazon Kinesis Data Streams is a service that enables real-time data ingestion and processing. Amazon DynamoDB is a NoSQL database that does not require fixed schemas for storage. By using Kinesis Data Streams and DynamoDB,

  the company can send the JSON data to a database that can handle schemaless data in real time.

  References:

  https://docs.aws.amazon.com/streams/latest/dev/introduction.html https://docs.aws.amazon.com/ amazondynamodb/latest/developerguide/Introductio n.html

• Question 297:

  A financial services company runs a complex, multi-tier application on Amazon EC2 instances and AWS Lambda functions. The application stores temporary data in Amazon S3. The S3 objects are valid for only 45 minutes and are deleted after 24 hours.

  The company deploys each version of the application by launching an AWS CloudFormation stack. The stack creates all resources that are required to run the application. When the company deploys and validates a new application version, the company deletes the CloudFormation stack of the old version.

  The company recently tried to delete the CloudFormation stack of an old application version, but the operation failed. An analysis shows that CloudFormation failed to delete an existing S3 bucket. A solutions architect needs to resolve this issue without making major changes to the application's architecture.

  Which solution meets these requirements?

  A. Implement a Lambda function that deletes all files from a given S3 bucket. Integrate this Lambda function as a custom resource into the CloudFormation stack. Ensure that the custom resource has a DependsOn attribute that points to the S3 bucket's resource.
  B. Modify the CloudFormation template to provision an Amazon Elastic File System (Amazon EFS) file system to store the temporary files there instead of in Amazon S3. Configure the Lambda functions to run in the same VPC as the file system. Mount the file system to the EC2 instances and Lambda functions.
  C. Modify the CloudFormation stack to create an S3 Lifecycle rule that expires all objects 45 minutes after creation. Add a DependsOn attribute that points to the S3 bucket's resource.
  D. Modify the CloudFormation stack to attach a DeletionPolicy attribute with a value of Delete to the S3 bucket.
  A. Implement a Lambda function that deletes all files from a given S3 bucket. Integrate this Lambda function as a custom resource into the CloudFormation stack. Ensure that the custom resource has a DependsOn attribute that points to the S3 bucket's resource.

  ---

  Explanation

  It should be A, becase with DeletionPolicy you can only keep or delete bucket, but bucket can't be deleted if it is not empty. So better way in that case - to create a lambda function as a custom resource, that will clean bucket before deletion.

  https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-attribute-deletionpolicy.html https://awstut.com/en/2022/05/08/create-and-delete-s3-object-by-cfn-custom-resource-en/

• Question 298:

  A large company is migrating ils entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.

  The finance department requires a centralized method for payment but must maintain visibility into each group's spending to allocate costs. The security team requires a centralized mechanism to control IAM usage in all the company's accounts.

  What combination of the following options meet the company's needs with the LEAST effort? (Select TWO.)

  A. Use a collection of parameterized AWS CloudFormation templates defining common 1AM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.
  B. Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
  C. Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.
  D. Enable all features of AWS Organizations and establish appropriate service control policies that filter 1AM permissions for sub-accounts.
  E. Consolidate all of the company's AWS accounts into a single AWS account. Use tags for billing purposes and the lAM's Access Advisor feature to enforce the least privilege model.
  B. Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.
  D. Enable all features of AWS Organizations and establish appropriate service control policies that filter 1AM permissions for sub-accounts.

  ---

  Explanation

  Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group's spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process. Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company's accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization. Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model. Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations. Option E is incorrect because consolidating all of the company's AWS accounts into a single AWS account does not provide visibility into each group's spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM's Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

  References: AWS Organizations Service Control Policies AWS CloudFormation Cost Explorer IAM Access Advisor

• Question 299:

  An application uses CloudFront, App Runner, and two S3 buckets -- one for static assets and one for user-uploaded content. User content is infrequently accessed after 30 days. Users are located only in Europe.

  How can the companyoptimize cost?

  A. Expire S3 objects after 30 days.
  B. Transition S3 content to Glacier Deep Archiveafter 30 days.
  C. Use Spot Instances with App Runner.
  D. Add auto scaling to Aurora read replica.
  E. UseCloudFront Price Class 200(Europe and U.S. only).
  B. Transition S3 content to Glacier Deep Archiveafter 30 days.
  E. UseCloudFront Price Class 200(Europe and U.S. only).

  ---

  Explanation

  Option B: Archiving inactive user uploads to Glacier Deep Archive offers the lowest storage cost.

  Option E: Since the users are in Europe only, using Price Class 200 reduces CloudFront delivery cost without affecting performance.

  Option A (expiration) deletes data -- not suitable.

  Option C is invalid (App Runner does not support Spot).

  Option D might save little unless read traffic is high.

  CloudFront Price Classes

• Question 300:

  A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to support a canary release.

  Which solution will meet these requirements?

  A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI update-alias command with the routing-config parameter to distribute the load.
  B. Deploy the application into a new CloudFormation stack. Use an Amazon Route 53 weighted routing policy to distribute the load.
  C. Create a version for every new deployed Lambda function. Use the AWS CLI update- function-configuration command with the routing-config parameter to distribute the load.
  D. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment configuration to distribute the load.
  A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI update-alias command with the routing-config parameter to distribute the load.

  ---

  Explanation

  https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/ https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html