Amazon SAP-C02 Online Practice Questions and Exam Preparation

Amazon SAP-C02 Online Questions & Answers

• Question 621:

  A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost lor cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation.

  Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Select THREE.)

  A. Create an AWS Config rule in each account to find resources with missing tags.
  B. Create an SCP in the organization with a deny action for ec2:Runlnstances if the Project tag is missing.
  C. Use Amazon Inspector in the organization to find resources with missing tags.
  D. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is missing.
  E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.
  F. Use AWS Security Hub to aggregate a list of EC2 instances with the missing Project tag.
  A. Create an AWS Config rule in each account to find resources with missing tags.
  B. Create an SCP in the organization with a deny action for ec2:Runlnstances if the Project tag is missing.
  E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.

  ---

  Explanation

  Create Config rule to find resources in all accounts. Aggregate those cross-account findings with Config aggregator so you can see it in one place. Deny ec2:RunInstances with SCP.

• Question 622:

  A company has several Amazon DynamoDB tables in an AWS Region. Each table has more than 100,000 records and was created with default table settings.

  To reduce costs, the company needs to identify unused tables. However, the company must maintain the availability and current performance capability of the tables in case the company must use the tables in the future.

  Which combination of steps will meet these requirements? (Select THREE.)

  A. In Amazon CloudWatch, graph the sum of the ReadThrottleEvents metric and the sum of the WriteThrottleEvents metric for each table over a period of 1 month.
  B. In Amazon CloudWatch, graph the sum of the ConsumedReadCapacityUnits metric and the sum of the ConsumedWriteCapacityUnits metric for each table over a period of 1 month.
  C. Change the provisioned RCUs to 1 for the unused tables. Change the provisioned WCUs to 1 for the unused tables.
  D. Change the capacity mode of the unused tables to on-demand mode.
  E. Change the table class of the unused tables to DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA).
  F. Purchase a reserved capacity of 1 RCU and 1 WCU for each unused table.
  B. In Amazon CloudWatch, graph the sum of the ConsumedReadCapacityUnits metric and the sum of the ConsumedWriteCapacityUnits metric for each table over a period of 1 month.
  D. Change the capacity mode of the unused tables to on-demand mode.
  E. Change the table class of the unused tables to DynamoDB Standard-Infrequent Access (DynamoDB Standard-IA).

  ---

  Explanation

• Question 623:

  A team of data scientists is using Amazon SageMaker instances and SageMaker APIs to train machine learning (ML) models. The SageMaker instances are deployed in a VPC that does not have access to or from the internet. Datasets for ML model training are stored in an Amazon S3 bucket. Interface VPC endpoints provide access to Amazon S3 and the SageMaker APIs.

  Occasionally, the data scientists require access to the Python Package Index (PyPl) repository to update Python packages that they use as part of their workflow. A solutions architect must provide access to the PyPI repository while ensuring that the SageMaker instances remain isolated from the internet.

  Which solution will meet these requirements?

  A. Create an AWS CodeCommit repository for each package that the data scientists need to access. Configure code synchronization between the PyPl repository and the CodeCommit repository. Create a VPC endpoint for CodeCommit.
  B. Create a NAT gateway in the VPC. Configure VPC routes to allow access to the internet with a network ACL that allows access to only the PyPl repository endpoint.
  C. Create a NAT instance in the VPC. Configure VPC routes to allow access to the internet. Configure SageMaker notebook instance firewall rules that allow access to only the PyPI repository endpoint.
  D. Create an AWS CodeArtifact domain and repository. Add an external connection for public:pypi to the CodeArtifact repository. Configure the Python client to use the CodeArtifact repository. Create a VPC endpoint for CodeArtifact.
  D. Create an AWS CodeArtifact domain and repository. Add an external connection for public:pypi to the CodeArtifact repository. Configure the Python client to use the CodeArtifact repository. Create a VPC endpoint for CodeArtifact.

  ---

  Explanation

• Question 624:

  A company is deploying a third-party firewall appliance solution from AWS Marketplace to monitor and protect traffic that leaves the company's AWS environments. The company wants to deploy this appliance into a shared services VPC and route all outbound internet- bound traffic through the appliances.

  A solutions architect needs to recommend a deployment method that prioritizes reliability and minimizes failover time between firewall appliances within a single AWS Region. The company has set up routing from the shared services VPC to other VPCs.

  Which steps should the solutions architect recommend to meet these requirements? (Select THREE.)

  A. Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.
  B. Create a new Network Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Network Load Balancer. Add each of the firewall appliance instances to the target group.
  C. Create a new Gateway Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Gateway Load Balancer. Add each of the firewall appliance instances to the target group.
  D. Create a VPC interface endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.
  E. Deploy two firewall appliances into the shared services VPC. each in the same Availability Zone.
  F. Create a VPC Gateway Load Balancer endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.
  A. Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.
  C. Create a new Gateway Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Gateway Load Balancer. Add each of the firewall appliance instances to the target group.
  F. Create a VPC Gateway Load Balancer endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.

  ---

  Explanation

• Question 625:

  A financial services company logs personally identifiable information 10 its application logs stored in Amazon S3. Due to regulatory compliance requirements, the log files must be encrypted at rest. The security team has mandated that the company's on-premises hardware security modules (HSMs) be used to generate the CMK material.

  Which steps should the solutions architect take to meet these requirements?

  A. Create an AWS CloudHSM cluster. Create a new CMK in AWS KMS using AWS_CloudHSM as the source (or the key material and an origin of AWS_CLOUDHSM. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the togging bucket thai disallows uploads of unencrypted data and requires that the encryption source be AWS KMS.
  B. Provision an AWS Direct Connect connection, ensuring there is no overlap of the RFC 1918 address space between on-premises hardware and the VPCs. Configure an AWS bucket policy on the logging bucket that requires all objects to be encrypted. Configure the logging application to query the on-premises HSMs from the AWS environment for the encryption key material, and create a unique CMK for each logging event.
  C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AWS. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
  D. Create a new CMK in AWS KMS with AWS-provided key material and an origin of AWS_KMS. Disable this CMK. and overwrite the key material with the key material from the on-premises HSM using the public key and import token provided by AWS. Re-enable the CMK. Enable automatic key rotation on the CMK with a duration of 1 year. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.
  C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key material generated from the on-premises HSMs into the CMK using the public key and import token provided by AWS. Configure a bucket policy on the logging bucket that disallows uploads of non-encrypted data and requires that the encryption source be AWS KMS.

  ---

  Explanation

  https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to- aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm/ https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html

• Question 626:

  A finance company is running its business-critical application on current-generation Linux EC2 instances The application includes a self-managed MySQL database performing heavy I/O operations. The application is working fine to handle a moderate amount of traffic during the month. However, it slows down during the final three days of each month due to month-end reporting, even though the company is using Elastic Load Balancers and Auto Scaling within its infrastructure to meet the increased demand.

  Which of the following actions would allow the database to handle the month-end load with the LEAST impact on performance?

  A. Pre-warming Elastic Load Balancers, using a bigger instance type, changing all Amazon EBS volumes to GP2 volumes.
  B. Performing a one-time migration of the database cluster to Amazon RDS. and creating several additional read replicas to handle the load during end of month
  C. Using Amazon CioudWatch with AWS Lambda to change the type. size, or IOPS of Amazon EBS volumes in the cluster based on a specific CloudWatch metric
  D. Replacing all existing Amazon EBS volumes with new PIOPS volumes that have the maximum available storage size and I/O per second by taking snapshots before the end of the month and reverting back afterwards.
  B. Performing a one-time migration of the database cluster to Amazon RDS. and creating several additional read replicas to handle the load during end of month

  ---

  Explanation

  In this scenario, the Amazon EC2 instances are in an Auto Scaling group already which means that the database read operations is the possible bottleneck especially during the month-end wherein the reports are generated. This can be solved by creating RDS read replicas.

• Question 627:

  A company has a web application that uses Amazon API Gateway. AWS Lambda, and Amazon DynamoDB. A recent marketing campaign has increased demand. Monitoring software reports that many requests have significantly longer response times than before the marketing campaign.

  A solutions architect enabled Amazon CloudWatch Logs for API Gateway and noticed that errors are occurring on 20% of the requests. In CloudWatch, the Lambda function Throttles metric represents 1% of the requests and the Errors metric represents 10% of the requests. Application logs indicate that, when errors occur, there is a call to DynamoDB.

  What change should the solutions architect make to improve the current response times as the web application becomes more popular?

  A. Increase the concurrency limit of the Lambda function.
  B. Implement DynamoDB auto scaling on the table.
  C. Increase the API Gateway throttle limit.
  D. Re-create the DynamoDB table with a better-partitioned primary index.
  B. Implement DynamoDB auto scaling on the table.

  ---

  Explanation

• Question 628:

  The company needs to determine which costs on the monthly AWS bill are attributable to each application or team. The company also must be able to create reports to compare costs from the last 12 months and to help forecast costs for the next 12 months. A solutions architect must recommend an AWS Billing and Cost Management solution that provides these cost reports.

  Which combination of actions will meet these requirements? (Select THREE.)

  A. Activate the user-defined cost allocation tags that represent the application and the team.
  B. Activate the AWS generated cost allocation tags that represent the application and the team.
  C. Create a cost category for each application in Billing and Cost Management.
  D. Activate IAM access to Billing and Cost Management.
  E. Create a cost budget.
  F. Enable Cost Explorer.
  A. Activate the user-defined cost allocation tags that represent the application and the team.
  C. Create a cost category for each application in Billing and Cost Management.
  F. Enable Cost Explorer.

  ---

  Explanation

  https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-cost-categories.html https://aws.amazon.com/premiumsupport/knowledge-center/cost-explorer-analyze-spending-and-usage/ https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-cost-categories.htmlhttps://docs.aws.amazon.com/cost-management/latest/userguide/ce-enable.html

  The best combination of actions to meet the company's requirements is Options A, C, and

  F. Option A involves activating the user-defined cost allocation tags that represent the application and the team. This will allow the company to assign costs to different applications or teams, and will allow them to be tracked in the monthly AWS bill. Option C involves creating a cost category for each application in Billing and Cost Management. This will allow the company to easily identify and compare costs across different applications and teams. Option F involves enabling Cost Explorer. This will allow the company to view the costs of their AWS resources over the last 12 months and to create forecasts for the next 12 months. These recommendations are in line with the official Amazon Textbook and Resources for the AWS Certified Solutions Architect - Professional certification. In particular, the book states that "You can use cost allocation tags to group your costs by application, team, or other categories" (Source: https://d1.awsstatic.com/training-andcertification/docs-sa- pro/AWS_Certified_Solutions_Architect_Professional_Exam_Guide_EN_v1.5.pdf). Additionally, the book states that "Cost Explorer enables you to view the costs of your AWS resources over the last 12 months and to create forecasts for the next 12 months" (Source: https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS_Certified_Solutions_Architect_Professional_Exam_Guide_EN_v1.5.pdf).

• Question 629:

  An ecommerce company runs an application on AWS. The application has an Amazon API Gateway API that invokes an AWS Lambda function. The data is stored in an Amazon RDS for PostgreSQL DB instance.

  During the company's most recent flash sale, a sudden increase in API calls negatively affected the application's performance. A solutions architect reviewed the Amazon CloudWatch metrics during that time and noticed a significant increase in Lambda invocations and database connections. The CPU utilization also was high on the DB instance.

  What should the solutions architect recommend to optimize the application's performance?

  A. Increase the memory of the Lambda function. Modify the Lambda function to close the database connections when the data is retrieved.
  B. Add an Amazon ElastiCache for Redis cluster to store the frequently accessed data from the RDS database.
  C. Create an RDS proxy by using the Lambda console. Modify the Lambda function to use the proxy endpoint.
  D. Modify the Lambda function to connect to the database outside of the function's handler. Check for an existing database connection before creating a new connection.
  C. Create an RDS proxy by using the Lambda console. Modify the Lambda function to use the proxy endpoint.

  ---

  Explanation

  This option will optimize the application's performance by reducing the overhead of opening and closing database connections for each Lambda invocation. An RDS proxy is a fully managed database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure1. It allows applications to pool and share connections established with the database, improving database efficiency and application scalability1. By creating an RDS proxy by using the Lambda console, you can easily configure your Lambda function to use the proxy endpoint instead of the direct database endpoint2. This will enable your Lambda function to reuse existing connections from the proxy's connection pool, reducing the latency and CPU utilization caused by establishing new connections for each invocation. It will also prevent connection saturation or exhaustion on the database, which can degrade performance or cause errors3.

• Question 630:

  A company is running an Apache Hadoop cluster on Amazon EC2 instances. The Hadoop cluster stores approximately 100 TB of data for weekly operational reports and allows occasional access for data scientists to retrieve data. The company needs to reduce the cost and operational complexity for storing and serving this data.

  Which solution meets these requirements in the MOST cost-effective manner?

  A. Move the Hadoop cluster from EC2 instances to Amazon EMR. Allow data access patterns to remain the same.
  B. Write a script that resizes the EC2 instances to a smaller instance type during downtime and resizes the instances to a larger instance type before the reports are created.
  C. Move the data to Amazon S3 and use Amazon Athena to query the data for reports. Allow the data scientists to access the data directly in Amazon S3.
  D. Migrate the data to Amazon DynamoDB and modify the reports to fetch data from DynamoDB. Allow the data scientists to access the data directly in DynamoDB.
  C. Move the data to Amazon S3 and use Amazon Athena to query the data for reports. Allow the data scientists to access the data directly in Amazon S3.

  ---

  Explanation

  "The company needs to reduce the cost and operational complexity for storing and serving this data. Which solution meets these requirements in the MOST cost- effective manner?" EMR storage is ephemeral. The company has 100TB that

  need to persist, they would have to use EMRFS to backup to S3 anyway.https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-plan-storage.html 100TB EBS - 8.109$ S3 - 2.355$

  You have saved 5.752$

  This amount can be used for Athen. BTW. we don't know indexes, amount of data that is scanned. What we know is that tit will be: "occasional access for data scientists to retrieve data"