Amazon SAP-C02 Online Practice Questions and Exam Preparation

Amazon SAP-C02 Online Questions & Answers

• Question 611:

  A company's site reliability engineer is performing a review of Amazon FSx for Windows File Server deployments within an account that the company acquired Company policy states that all Amazon FSx file systems must be configured to be highly available across Availability Zones.

  During the review, the site reliability engineer discovers that one of the Amazon FSx file systems used a deployment type of Single-AZ 2 A solutions architect needs to minimize downtime while aligning this Amazon FSx file system with company policy.

  What should the solutions architect do to meet these requirements?

  A. Reconfigure the deployment type to Multi-AZ for this Amazon FSx tile system
  B. Create a new Amazon FSx fie system with a deployment type o( Multi-AZ. Use AWS DataSync to transfer data to the new Amazon FSx file system. Point users to the new location
  C. Create a second Amazon FSx file system with a deployment type of Single-AZ 2. Use AWS DataSync to keep the data n sync. Switch users to the second Amazon FSx fie system in the event of failure
  D. Use the AWS Management Console to take a backup of the Amazon FSx He system Create a new Amazon FSx file system with a deployment type of Multi-AZ Restore the backup to the new Amazon FSx file system. Point users to the new location.
  B. Create a new Amazon FSx fie system with a deployment type o( Multi-AZ. Use AWS DataSync to transfer data to the new Amazon FSx file system. Point users to the new location

  ---

  Explanation

• Question 612:

  A company is building a hybrid solution between its existing on-premises systems and a new backend in AWS. The company has a management application to monitor the state of its current IT infrastructure and automate responses to issues. The company wants to incorporate the status of its consumed AWS services into the application. The application uses an HTTPS endpoint to receive updates.

  Which approach meets these requirements with the LEAST amount of operational overhead?

  A. Configure AWS Systems Manager OpsCenter to ingest operational events from the on- premises systems Retire the on-premises management application and adopt OpsCenter as the hub
  B. Configure Amazon EventBridge (Amazon CloudWatch Events) to detect and react to changes for AWS Health events from the AWS Personal Health Dashboard Configure the EventBridge (CloudWatch Events) event to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic and subscribe the topic to the HTTPS endpoint of the management application
  C. Modify the on-premises management application to call the AWS Health API to poll for status events of AWS services.
  D. Configure Amazon EventBridge (Amazon CloudWatch Events) to detect and react to changes for AWS Health events from the AWS Service Health Dashboard Configure the EventBridge (CloudWatch Events) event to publish a message to an Amazon Simple Notification Service (Amazon SNS) topic and subscribe the topic to an HTTPS endpoint for the management application with a topic filter corresponding to the services being used
  A. Configure AWS Systems Manager OpsCenter to ingest operational events from the on- premises systems Retire the on-premises management application and adopt OpsCenter as the hub

  ---

  Explanation

  ALB and NLB both supports IPs as targets. Questions is based on TCP traffic over VPN to on-premise. TCP is layer 4 and the , load balancer should be NLB. Then next questions does NLB supports loadbalcning traffic over VPN. And answer is

  YEs based on below URL.https://aws.amazon.com/about-aws/whats-new/2018/09/network-load-balancer- now-supports-aws-vpn/

  Target as IPs for NLB and ALB:

  https://aws.amazon.com/elasticloadbalancing/faqs/?nc=snandloc=5

  https://aws.amazon.com/elasticloadbalancing/application-load-balancer/

• Question 613:

  A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.

  A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.

  Which combination of steps should the solutions architect take to meet the requirements? (Select THREE.)

  A. Create a destination Amazon Kinesis data stream in the central logging account.
  B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.
  C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
  D. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queue. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.
  E. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.
  F. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.
  A. Create a destination Amazon Kinesis data stream in the central logging account.
  C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
  E. Create an AWS Lambda function. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.

  ---

  Explanation

• Question 614:

  A company needs to migrate some Oracle databases to AWS while keeping other son- premises for compliance. The on-prem databases contains patial data and run cron jobs. The solution must allow querying on-prem data as foreign tables from AWS.

  A. Use DynamoDB, SCT, and Lambda. Move spatial data to S3 and query with Athena.
  B. Use RDS for SQL Server and AWS Glue crawlers for Oracle access.
  C. Use EC2-hosted Oracle with Application Migration Service. Use Step Functions for cron.
  D. Use RDS for PostgreSQL with DMS and SCT. Use PostgreSQL foreign data wrappers.
  D. Use RDS for PostgreSQL with DMS and SCT. Use PostgreSQL foreign data wrappers.

  ---

  Explanation

  Option D is correct because RDS for PostgreSQL supports foreign data wrappers (FDW) that allow querying remote Oracle databases. With AWS Schema Conversion Tool (SCT)and Database Migration Service (DMS), schema and data can

  be migrated effectively. AWS Direct Connect ensures secure, private connectivity to on-prem databases. Cron jobs can be run via EventBridge or external orchestration.

  Option A doesn't support relational/spatial querying.

  Option B doesn't support FDW or spatial types.

  Option C introduces unnecessary complexity.

  https://www.postgresql.org/docs/current/postgres-fdw.html https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.PostgreSQL.html

• Question 615:

  A company is creating a solution that can move 400 employees into a remote working environment in the event of an unexpected disaster. The user desktops have a mix of Windows and Linux operating systems. Multiple types of software, such as web browsers and mail clients, are installed on each desktop.

  A solutions architect needs to implement a solution that can be integrated with the company's on-premises Active Directory to allow employees to use their existing identity credentials. The solution must provide multifactor authentication (MFA) and must replicate the user experience from the existing desktops.

  Which solution will meet these requirements?

  A. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the on-premises network. Create an AD Connector, and connect to the on-premises Active Directory. Activate MFA for Amazon WorkSpaces by using the AWS Management Console.
  B. Use Amazon AppStream 2.0 as an application streaming service. Configure Desktop View for the employees. Set up a VPN connection to the on-premises network. Set up Active Directory Federation Services (AD FS) on premises. Connect the VPC network to AD FS through the VPN connection.
  C. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the on-premises network. Create an AD Connector, and connect to the on-premises Active Directory. Configure a RADIUS server for MFA.
  D. Use Amazon AppStream 2.0 as an application streaming service. Set up Active Directory Federation Services on premises. Configure MFA to grant users access on AppStream 2.0.
  C. Use Amazon WorkSpaces for the cloud desktop service. Set up a VPN connection to the on-premises network. Create an AD Connector, and connect to the on-premises Active Directory. Configure a RADIUS server for MFA.

  ---

  Explanation

• Question 616:

  A company has a website that enables users to upload videos. Company policy states the uploaded videos must be analyzed for restricted content. An uploaded video is placed in Amazon S3, and a message is pushed to an Amazon SOS queue with the video's location. A backend application pulls this location from Amazon SOS and analyzes the video.

  The video analysis is compute-intensive and occurs sporadically during the day The website scales with demand. The video analysis application runs on a fixed number of instances. Peak demand occurs during the holidays, so the company must add instances to the application dunng this time. All instances used are currently on-demand Amazon EC2 T2 instances. The company wants to reduce the cost of the current solution.

  Which of the following solutions is MOST cost-effective?

  A. Keep the website on T2 instances. Determine the minimum number of website instances required during off-peak times and use Spot Instances to cover them while using Reserved Instances to cover peak demand. Use Amazon EC2 R4 and Amazon EC2 R5 Reserved Instances in an Auto Scaling group for the video analysis application
  B. Keep the website on T2 instances. Determine the minimum number of website instances required during off-peak times and use Reserved Instances to cover them while using On- Demand Instances to cover peak demand. Use Spot Fleet for the video analysis application comprised of Amazon EC2 C4 and Amazon EC2 C5 Spot Instances.
  C. Migrate the website to AWS Elastic Beanstalk and Amazon EC2 C4 instances. Determine the minimum number of website instances required during off-peak times and use On-Demand Instances to cover them while using Spot capacity to cover peak demand Use Spot Fleet for the video anarysis application comprised of C4 and Amazon EC2 C5 instances.
  D. Migrate the website to AWS Elastic Beanstalk and Amazon EC2 R4 instances. Determine the minimum number of website instances required during off-peak times and use Reserved Instances to cover them while using On-Demand Instances to cover peak demand Use Spot Fleet for the video analysis application comprised of R4 and Amazon EC2 R5 instances
  B. Keep the website on T2 instances. Determine the minimum number of website instances required during off-peak times and use Reserved Instances to cover them while using On- Demand Instances to cover peak demand. Use Spot Fleet for the video analysis application comprised of Amazon EC2 C4 and Amazon EC2 C5 Spot Instances.

  ---

  Explanation

• Question 617:

  A company is changing the way that it handles patching of Amazon EC2 instances in its application account. The company currently patches instances over the internet by using a NAT gateway in a VPC in the application account.

  The company has EC2 instances set up as a patch source repository in a dedicated private VPC in a core account. The company wants to use AWS Systems Manager Patch Manager and the patch source repository in the core account to patch the EC2 instances in the application account. The company must prevent all EC2 instances in the application account from accessing the internet.

  The EC2 instances in the application account need to access Amazon S3, where the application data is stored. These EC2 instances need connectivity to Systems Manager and to the patch source repository in the private VPC in the core account.

  Which solution will meet these requirements?

  A. Create a network ACL that blocks outbound traffic on port 80. Associate the network ACL with all subnets in the application account. In the application account and the core account, deploy one EC2 instance that runs a custom VPN server. Create a VPN tunnel to access the private VPC. Update the route table in the application account.
  B. Create private VIFs for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route table in the core account.
  C. Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
  D. Create a network ACL that blocks inbound traffic on port 80. Associate the network ACL with all subnets in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
  C. Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.

  ---

  Explanation

• Question 618:

  A company hosts a blog post application on AWS using Amazon API Gateway. Amazon DynamoDB, and AWS Lambda The application currently does not use API keys to authorize requests The API model is as follows:

  1.GET /posts/Jpostld) to get post details

  2.GET /users/{userld}. to get user details

  3.GET /comments/{commentld}: to get comments details

  The company has noticed users are actively discussing topics in the comments section, and the company wants to increase user engagement by making the comments appear in real time

  Which design should be used to reduce comment latency and improve user experience?

  A. Use edge-optimized API with Amazon CloudFront to cache API responses.
  B. Modify the blog application code to request GET/commentsV{commentld} every 10 seconds
  C. Use AWS AppSync and leverage WebSockets to deliver comments
  D. Change the concurrency limit of the Lambda functions to lower the API response time.
  C. Use AWS AppSync and leverage WebSockets to deliver comments

  ---

  Explanation

  https://docs.aws.amazon.com/appsync/latest/devguide/graphql-overview.html

  AWS AppSync is a fully managed GraphQL service that allows applications to securely access, manipulate, and receive data as well as real-time updates from multiple data sources1. AWS AppSync supports GraphQL subscriptions to perform real-time operations and can push data to clients that choose to listen to specific events from the backend1 . AWS AppSync uses WebSockets to establish and maintain a secure connection between the clients and the API endpoint2. Therefore, using AWS AppSync and leveraging WebSockets is a suitable design to reduce comment latency and improve user experience.

• Question 619:

  A company provisions short-lived AWS accounts for students. Each account needs access to ml.p2.xlarge SageMaker instances for training and inference. The default quotas are insufficient.

  How should quota increases be automated during account provisioning?

  A. Create a quota request template inus-east-1, enable template association, and add quotas for ml.p2.xlarge training and endpoint usage in ap-southeast-2.
  B. Use ml.p2.xlarge training warm pool quota in ap-southeast-2.
  C. Create the template in ap-southeast-2 for SageMaker quotas in us-east-1.
  D. Use warm pool quotas in us-east-1.
  A. Create a quota request template inus-east-1, enable template association, and add quotas for ml.p2.xlarge training and endpoint usage in ap-southeast-2.

  ---

  Explanation

  Comprehensive and Detailed Explanation:

  Option A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast2) for SageMaker training and endpoint usage. This enablesautomatic quota increases for newly created accounts in the org.

  Option B, Option C, and Option D misconfigure either region or quota type.

  Quota request templates

• Question 620:

  A company creates an AWS Control Tower landing zone to manage and govern a multi-account AWS environment. The company's security team will deploy preventive controls and detective controls to monitor AWS services across all the accounts. The security team needs a centralized view of the security state of all the accounts.

  Which solution will meet these requirements?

  A. From the AWS Control Tower management account, use AWS CloudFormation StackSets to deploy an AWS Config conformance pack to all accounts in the organization.
  B. Enable Amazon Detective for the organization in AWS Organizations. Designate one AWS account as the delegated administrator for Detective.
  C. From the AWS Control Tower management account, deploy an AWS CloudFormation stack set that uses the automatic deployment option to enable Amazon Detective for the organization.
  D. Enable AWS Security Hub for the organization in AWS Organizations. Designate one AWS account as the delegated administrator for Security Hub.
  D. Enable AWS Security Hub for the organization in AWS Organizations. Designate one AWS account as the delegated administrator for Security Hub.

  ---

  Explanation