Amazon SAP-C02 Online Practice Questions and Exam Preparation

Amazon SAP-C02 Online Questions & Answers

• Question 461:

  A solutions architect has developed a web application that uses an Amazon API Gateway Regional endpoint and an AWS Lambda function. The consumers of the web application are all close to the AWS Region where the application will be deployed. The Lambda function only queries an Amazon Aurora MySQL database. The solutions architect has configured the database to have three read replicas. During testing, the application does not meet performance requirements. Under high load, the application opens a large number of database connections. The solutions architect must improve the application's performance.

  Which actions should the solutions architect take to meet these requirements? (Choose two.)

  A. Use the cluster endpoint of the Aurora database.
  B. Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.
  C. Use the Lambda Provisioned Concurrency feature.
  D. Move the code for opening the database connection in the Lambda function outside of the event handler.
  E. Change the API Gateway endpoint to an edge-optimized endpoint.
  B. Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.
  D. Move the code for opening the database connection in the Lambda function outside of the event handler.

  ---

  Explanation

  Connect to RDS outside of Lambda handler method to improve performancehttps://awstut.com/en/2022/04/30/connect-to-rds-outside-of-lambda-handler- method-to-improve-performance-en/ Using RDS Proxy, you can handle unpredictable surges in database traffic. Otherwise, these surges might cause issues due to oversubscribing connections or creating new connections at a fast rate. RDS Proxy establishes a database connection pool and reuses connections in this pool. This approach avoids the memory and CPU overhead of opening a new database connection each time. To protect the database against oversubscription, you can control the number of database connections that are created. https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

• Question 462:

  A company is using Amazon API Gateway to deploy a private REST API that will provide access to sensitive data. The API must be accessible only from an application that is deployed in a VPC. The company deploys the API successfully. However, the API is not accessible from an Amazon EC2 instance that is deployed in the VPC.

  Which solution will provide connectivity between the EC2 instance and the API?

  A. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows apigateway:* actions. Disable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC. Use the VPC endpoint's DNS name to access the API.
  B. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows the execute- api:lnvoke action. Enable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint's DNS names to access the API.
  C. Create a Network Load Balancer (NLB) and a VPC link. Configure private integration between API Gateway and the NLB. Use the API endpoint's DNS names to access the API.
  D. Create an Application Load Balancer (ALB) and a VPC Link. Configure private integration between API Gateway and the ALB. Use the ALB endpoint's DNS name to access the API.
  B. Create an interface VPC endpoint for API Gateway. Attach an endpoint policy that allows the execute- api:lnvoke action. Enable private DNS naming for the VPC endpoint. Configure an API resource policy that allows access from the VPC endpoint. Use the API endpoint's DNS names to access the API.

  ---

  Explanation

  According to the AWS documentation1, to access a private API from a VPC, you need to do the following: Create an interface VPC endpoint for API Gateway in your VPC. This creates a private connection between your VPC and API Gateway. Attach an endpoint policy to the VPC endpoint that allows the execute-api:lnvoke action for your private API. This grants permission to invoke your API from the VPC. Enable private DNS naming for the VPC endpoint. This allows you to use the same DNS names for your private APIs as you would for public APIs. Configure a resource policy for your private API that allows access from the VPC endpoint. This controls who can access your API and under what conditions. Use the API endpoint's DNS names to access the API from your VPC. For example, https://api-id.executeapi.region.amazonaws.com/stage.

• Question 463:

  A company runs an intranet application on premises. The company wants to configure a cloud backup of the application. The company has selected AWS Elastic Disaster Recovery for this solution.

  The company requires that replication traffic does not travel through the public internet. The application also must not be accessible from the internet. The company does not want this solution to consume all available network bandwidth because other applications require bandwidth.

  Which combination of steps will meet these requirements? (Select THREE.)

  A. Create a VPC that has at least two private subnets, two NAT gateways, and a virtual private gateway.
  B. Create a VPC that has at least two public subnets, a virtual private gateway, and an internet gateway.
  C. Create an AWS Site-to-Site VPN connection between the on-premises network and the target AWS network.
  D. Create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network.
  E. During configuration of the replication servers, select the option to use private IP addresses for data replication.
  F. During configuration of the launch settings for the target servers, select the option to ensure that the Recovery instance's private IP address matches the source server's private IP address.
  A. Create a VPC that has at least two private subnets, two NAT gateways, and a virtual private gateway.
  D. Create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network.
  E. During configuration of the replication servers, select the option to use private IP addresses for data replication.

  ---

  Explanation

  ADE

  Option D: Create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network. Option E: During configuration of the replication servers, select the option to use private IP addresses for data replication. Option A: could be considered if the private subnets are used without the NAT gateways, ensuring internal-only network access

• Question 464:

  A solutions architect needs to improve an application that is hosted in the AWS Cloud. The application uses an Amazon Aurora MySQL DB instance that is experiencing overloaded connections. Most of the application's operations insert records into the database. The application currently stores credentials in a text-based configuration file.

  The solutions architect needs to implement a solution so that the application can handle the current connection load. The solution must keep the credentials secure and must provide the ability to rotate the credentials automatically on a regular basis.

  Which solution will meet these requirements?

  A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.
  B. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials in AWS Systems Manager Parameter Store.
  C. Create an Aurora Replica. Store the connection credentials as a secret in AWS Secrets Manager.
  D. Create an Aurora Replica. Store the connection credentials in AWS Systems Manager Parameter Store.
  A. Deploy an Amazon RDS Proxy layer in front of the DB instance. Store the connection credentials as a secret in AWS Secrets Manager.

  ---

  Explanation

  https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

• Question 465:

  A software company has deployed an application that consumes a REST API by using Amazon API Gateway. AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.

  A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API's reputation.

  What should the solutions architect recommend to improve the customer experience?

  A. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.
  B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.
  C. Turn on API caching to enhance responsiveness for the production stage. Run 10- minute load tests. Verify that the cache capacity is appropriate for the workload.
  D. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.
  B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.

  ---

  Explanation

  https://aws.amazon.com/premiumsupport/knowledge-center/aws-batch-requests-error/ https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-429-limit/

• Question 466:

  A company has an application that stores user-uploaded videos in an Amazon S3 bucket that uses S3 Standard storage. Users access the videos frequently in the first 180 days after the videos are uploaded. Access after 180 days is rare. Named users and anonymous users access the videos.

  Most of the videos are more than 100 MB in size. Users often have poor internet connectivity when they upload videos, resulting in failed uploads. The company uses multipart uploads for the videos.

  A solutions architect needs to optimize the S3 costs of the application.

  Which combination of actions will meet these requirements? (Choose two.)

  A. Configure the S3 bucket to be a Requester Pays bucket.
  B. Use S3 Transfer Acceleration to upload the videos to the S3 bucket.
  C. Create an S3 Lifecycle configuration o expire incomplete multipart uploads 7 days after initiation.
  D. Create an S3 Lifecycle configuration to transition objects to S3 Glacier Instant Retrieval after 1 day.
  E. Create an S3 Lifecycle configuration to transition objects to S3 Standard-infrequent Access (S3 Standard- IA) after 180 days.
  C. Create an S3 Lifecycle configuration o expire incomplete multipart uploads 7 days after initiation.
  E. Create an S3 Lifecycle configuration to transition objects to S3 Standard-infrequent Access (S3 Standard- IA) after 180 days.

  ---

  Explanation

• Question 467:

  A company recently deployed a new application that runs on a group of Amazon EC2 Linux instances in a VPC In a peered VPC the company launched an EC2 Linux instance that serves as a bastion host The security group of the application instances allows access only on TCP port 22 from the private IP of the bastion host The security group of the bastion host allows access to TCP port 22 from 0 0 0.0/0 so that system administrators can use SSH to remotely log in to the application instances from several branch offices

  While looking through operating system logs on the bastion host, a cloud engineer notices thousands of failed SSH logins to the bastion host from locations around the world The cloud engineer wants to change how remote access is granted to the application instances and wants to meet the following requirements:

  1.Eliminate brute-force SSH login attempts

  2.Retain a log of commands run during an SSH session

  3.Retain the ability to forward ports

  Which solution meets these requirements for remote access to the application instances?

  A. Configure the application instances to communicate with AWS Systems Manager Grant access to the system administrators to use Session Manager to establish a session with the application instances Terminate the bastion host
  B. Update the security group of the bastion host to allow traffic from only the public IP addresses of the branch offices
  C. Configure an AWS Client VPN endpoint and provision each system administrator with a certificate to establish a VPN connection to the application VPC Update the security group of the application instances to allow traffic from only the Client VPN IPv4 CIDR. Terminate the bastion host.
  D. Configure the application instances to communicate with AWS Systems Manager. Grant access to the system administrators to issue commands to the application instances by using Systems Manager Run Command. Terminate the bastion host.
  A. Configure the application instances to communicate with AWS Systems Manager Grant access to the system administrators to use Session Manager to establish a session with the application instances Terminate the bastion host

  ---

  Explanation

  "Session Manager removes the need to open inbound ports, manage SSH keys, or use bastion hosts" Ref:https://docs.aws.amazon.com/systems- manager/latest/userguide/session-manager.html

• Question 468:

  A company runs applications in hundreds of production AWS accounts. The company uses AWS Organizations with all features enabled and has a centralized backup operation that uses AWS Backup.

  The company is concerned about ransomware attacks. To address this concern, the company has created a new policy that all backups must be resilient to breaches of privileged-user credentials in any production account.

  Which combination of steps will meet this new requirement? (Select THREE.)

  A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
  B. Add an SCP that restricts the modification of AWS Backup vaults.
  C. Implement AWS Backup Vault Lock in compliance mode.
  D. Configure the backup frequency, lifecycle, and retention period to ensure that at least one backup always exists in the cold tier.
  E. Configure AWS Backup to write all backups to an Amazon S3 bucket in a designated non-production account. Ensure that the S3 bucket has S3 Object Lock enabled.
  F. Implement least privilege access for the IAM service role that is assigned to AWS Backup.
  A. Implement cross-account backup with AWS Backup vaults in designated non-production accounts.
  B. Add an SCP that restricts the modification of AWS Backup vaults.
  C. Implement AWS Backup Vault Lock in compliance mode.

  ---

  Explanation

• Question 469:

  A VPC spans three Availability Zones, each with public and private subnets. One NAT gateway and one internet gateway exist. Private EC2 instances must connect to the internet.

  A. Add two more NAT gateways (one per AZ). Configure each private subnet to use its AZ's NAT gateway.
  B. Add two more NAT gateways and configure public subnets.
  C. Add internet gateways per AZ and route private subnets.
  D. Add internet gateways per AZ and configure public subnets.
  A. Add two more NAT gateways (one per AZ). Configure each private subnet to use its AZ's NAT gateway.

  ---

  Explanation

  To improve resiliency and fault tolerance, place a NAT Gateway in each AZ, and route each private subnet to its local NAT gateway. This ensures local AZ failure won't break internet access.

• Question 470:

  A company is migrating its development and production workloads to a new organization in AWS Organizations. The company has created a separate member account for development and a separate member account for production. Consolidated billing is linked to the management account. In the management account, a solutions architect needs to create an IAM user that can stop or terminate resources in both member accounts.

  Which solution will meet this requirement?

  A. Create an IAM user and a cross-account role in the management account. Configure the cross-account role with least privilege access to the member accounts.
  B. Create an IAM user in each member account. In the management account, create a cross-account role that has least privilege access. Grant the IAM users access to the cross-account role by using a trust policy.
  C. Create an IAM user in the management account. In the member accounts, create an IAM group that has least privilege access. Add the IAM user from the management account to each IAM group in the member accounts.
  D. Create an IAM user in the management account. In the member accounts, create cross- account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.
  D. Create an IAM user in the management account. In the member accounts, create cross- account roles that have least privilege access. Grant the IAM user access to the roles by using a trust policy.

  ---

  Explanation

  Cross account role should be created in destination(member) account. The role has trust entity to master account.