Amazon SAP-C02 Online Practice Questions and Exam Preparation

Amazon SAP-C02 Online Questions & Answers

• Question 661:

  A company is using multiple AWS accounts. The company has a shared services account and several other accounts (or different projects.

  A team has a VPC in a project account. The team wants to connect this VPC to a corporate network through an AWS Direct Connect gateway that exists in the shared services account. The team wants to automatically perform a virtual private gateway association with the Direct Connect gateway by using an already-tested AWS Lambda function while deploying its VPC networking stack. The Lambda function code can assume a role by using AWS Security Token Service (AWS STS). The team is using AWS Cloud Formation to deploy its infrastructure.

  Which combination of steps will meet these requirements? (Select THREE.)

  A. Deploy the Lambda function to the project account. Update the Lambda function's IAM role with the directconnect:* permission
  B. Create a cross-account IAM role in the shared services account that grants the Lambda function the directconnect:" permission. Add the sts:AssumeRo!e permission to the IAM role that is associated with the Lambda function in the shared services account.
  C. Add a custom resource to the Cloud Formation networking stack that references the Lambda function in the project account.
  D. Deploy the Lambda function that is performing the association to the shared services account. Update the Lambda function's IAM role with the directconnect:' permission.
  E. Create a cross-account IAM role in the shared services account that grants the sts: Assume Role permission to the Lambda function with the directconnect:" permission acting as a resource. Add the sts AssumeRole permission with this cross- account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.
  F. Add a custom resource to the Cloud Formation networking stack that references the Lambda function in the shared services account.
  B. Create a cross-account IAM role in the shared services account that grants the Lambda function the directconnect:" permission. Add the sts:AssumeRo!e permission to the IAM role that is associated with the Lambda function in the shared services account.
  C. Add a custom resource to the Cloud Formation networking stack that references the Lambda function in the project account.
  E. Create a cross-account IAM role in the shared services account that grants the sts: Assume Role permission to the Lambda function with the directconnect:" permission acting as a resource. Add the sts AssumeRole permission with this cross- account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.

  ---

  Explanation

• Question 662:

  A company is running a serverless application that consists of several AWS Lambda functions and Amazon DynamoDB tables. The company has created new functionality that requires the Lambda functions to access an Amazon Neptune DB cluster The Neptune DB cluster is located in three subnets in a VPC.

  Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and DynamoDB tables? (Select TWO )

  A. Create three public subnets in the Neptune VPC and route traffic through an interne: gateway Host the Lambda functions m the three new public subnets
  B. Create three private subnets in the Neptune VPC and route internet traffic through a NAT gateway Host the Lambda functions In the three new private subnets.
  C. Host the Lambda functions outside the VPC. Update the Neptune security group to allow access from the IP ranges of the Lambda functions.
  D. Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and have the Lambda functions access Neptune over the VPC endpoint
  E. Create three private subnets in the Neptune VPC. Host the Lambda functions m the three new isolated subnets. Create a VPC endpoint for DynamoDB. and route DynamoDB traffic to the VPC endpoint
  B. Create three private subnets in the Neptune VPC and route internet traffic through a NAT gateway Host the Lambda functions In the three new private subnets.
  E. Create three private subnets in the Neptune VPC. Host the Lambda functions m the three new isolated subnets. Create a VPC endpoint for DynamoDB. and route DynamoDB traffic to the VPC endpoint

  ---

  Explanation

  This option allows the company to use private subnets and VPC endpoints to connect the Lambda functions to the Neptune DB cluster and DynamoDB tables securely and efficiently1. By creating three private subnets in the Neptune VPC, the company can isolate the Lambda functions from the public internet and reduce the attack surface2. By routing internet traffic through a NAT gateway, the company can enable the Lambda functions to access AWS services that are outside the VPC, such as Amazon S3 or Amazon CloudWatch3. By hosting the Lambda functions in the three new private subnets, the company can ensure that the Lambda functions can access the Neptune DB cluster within the same VPC4. By creating a VPC endpoint for DynamoDB, the company can enable the Lambda functions to access DynamoDB tables without going through the internet or a NAT gateway5. By routing DynamoDB traffic to the VPC endpoint, the company can improve the performance and availability of the DynamoDB access5.

  References: Configuring a Lambda function to access resources in a VPC Working with VPCs and subnets NAT gateways Accessing Amazon Neptune from AWS Lambda VPC endpoints for DynamoDB

• Question 663:

  A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NL B). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2. However, the company now acquires a new customer in the us-east-I Region. The company creates a new VPC and new subnets in us-east-I. The company establishes inter-Region VPC peering between the VPCs in the two Regions.

  The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-I

  Which solution will meet these requirements?

  A. Configure a PrivateLink endpoint service in us-east-I to use the existing NL B that is in eu-west-2. Grant specific AWS accounts access to connect to the SaaS service.
  B. Create an NL B in us-east-I . Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-I . Grant specific AWS accounts access to connect to the SaaS service.
  C. Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2. Create an NLB in us-east-I . Associate the NLB that is in us-east-I with an ALB target group that uses the ALB that is in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-I . Grant specific AWS accounts access to connect to the SaaS service.
  D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-west-2. In us-east-I , create an NLB and an instance target group that includes the shared EC2 instances from eu-west-2. Configure a PrivateLink endpoint service that uses the NL B that is in us-east-I. Grant specific AWS accounts access to connect to the SaaS service.
  B. Create an NL B in us-east-I . Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-I . Grant specific AWS accounts access to connect to the SaaS service.

  ---

  Explanation

• Question 664:

  A company is deploying a new API to AWS. The API uses Amazon API Gateway with a Regional API endpoint and an AWS Lambda function for hosting. The API retrieves data from an external vendor API, stores data in an Amazon

  DynamoDB global table, and retrieves data from the DynamoDB global table. The API key for the vendor's API is stored in AWS Secrets Manager and is encrypted with a customer managed key in AWS Key Management Service (AWS

  KMS).

  The company has deployed its own API into a single AWS Region.

  A solutions architect needs to change the API components of the company's API to ensure that the components can run across multiple Regions in an active-active configuration. Which combination of changes will meet this requirement with the LEAST operational overhead? (Choose three.)

  A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.
  B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.
  C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region's replicated secret, select the appropriate KMS key.
  D. Create a new AWS managed KMS key in each in-scope Region. Convert an existing key to a multi- Region key. Use the multi-Region key in other Regions.
  E. Create a new Secrets Manager secret in each in-scope Region. Copy the secret value from the existing Region to the new secret in each in-scope Region.
  F. Modify the deployment process for the Lambda function to repeat the deployment across in-scope Regions. Turn on the multi-Region option for the existing API. Select the Lambda function that is deployed in each Region as the backend for the multi-Region API.
  A. Deploy the API to multiple Regions. Configure Amazon Route 53 with custom domain names that route traffic to each Regional API endpoint. Implement a Route 53 multivalue answer routing policy.
  B. Create a new KMS multi-Region customer managed key. Create a new KMS customer managed replica key in each in-scope Region.
  C. Replicate the existing Secrets Manager secret to other Regions. For each in-scope Region's replicated secret, select the appropriate KMS key.

  ---

  Explanation

  References:

  1: Creating a regional API endpoint - Amazon API Gateway

  2: Multivalue answer routing policy - Amazon Route 53

  3: Multi-Region keys in AWS KMS - AWS Key Management Service

  4: Creating multi-Region keys - AWS Key Management Service

  5: Replicate an AWS Secrets Manager secret to other AWS Regions

  6: How to replicate secrets in AWS Secrets Manager to multiple Regions | AWS Security Blog

• Question 665:

  A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database.

  The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application.

  Which solution will meet these requirements?

  A. Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.
  B. Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (ldP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALSpecify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.
  C. Add the directory as a new IAM identity provider (ldP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the ldP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.
  D. Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (ldP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.
  D. Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (ldP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.

  ---

  Explanation

• Question 666:

  A company gives users the ability to upload images from a custom application. The upload process invokes an AWS Lambda function that processes and stores the image in an Amazon S3 bucket. The application invokes the Lambda function by using a specific function version ARN.

  The Lambda function accepts image processing parameters by using environment variables. The company often adjusts the environment variables of the Lambda function to achieve optimal image processing output. The company tests different parameters and publishes a new function version with the updated environment variables after validating results. This update process also requires frequent changes to the custom application to invoke the new function version ARN. These changes cause interruptions for users.

  A solutions architect needs to simplify this process to minimize disruption to users.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Directly modify the environment variables of the published Lambda function version. Use the SLATEST version to test image processing parameters.
  B. Create an Amazon DynamoDB table to store the image processing parameters. Modify the Lambda function to retrieve the image processing parameters from the DynamoDB table.
  C. Directly code the image processing parameters within the Lambda function and remove the environment variables. Publish a new function version when the company updates the parameters.
  D. Create a Lambda function alias. Modify the client application to use the function alias ARN. Reconfigure the Lambda alias to point to new versions of the function when the company finishes testing.
  D. Create a Lambda function alias. Modify the client application to use the function alias ARN. Reconfigure the Lambda alias to point to new versions of the function when the company finishes testing.

  ---

  Explanation

  A Lambda function alias allows you to point to a specific version of a function and also can be updated to point to a new version of the function without modifying the client application. This way, the company can test different versions of the

  function with different environment variables and, once the optimal parameters are found, update the alias to point to the new version, without the need to update the client application. By using this approach, the company can simplify the

  process of updating the environment variables, minimize disruption to users, and reduce the operational overhead.

  AWS Lambda documentation:https://aws.amazon.com/lambda/

  AWS Lambda Aliases

  documentation:https://docs.aws.amazon.com/lambda/latest/dg/aliases-intro.html

  AWS Lambda versioning and aliases

  documentation:https://aws.amazon.com/blogs/compute/versioning-aliases-in-aws-lambda/

• Question 667:

  A company needs to improve the reliability of its ticketing application. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster. The company uses Amazon CloudFront to serve the application. A single ECS service of the ECS cluster is the CloudFront distribution's origin.

  The application allows only a specific number of active users to enter a ticket purchasing flow. These users are identified by an encrypted attribute in their JSON Web Token (JWT). All other users are redirected to a waiting room module until there is available capacity for purchasing.

  The application is experiencing high loads. The waiting room module is working as designed, but load on the waiting room is disrupting the applications availability. This disruption is negatively affecting the application's ticket sale transactions.

  Which solution will provide the MOST reliability for ticket sale transactions during periods of high load?

  A. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling configuration. Ensure that the ticketing service uses the JWT information and appropriately forwards requests to the waiting room service.
  B. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split the waiting room module into a pod that is separate from the ticketing pod. Make the ticketing pod part of a StatefulSet. Ensure that the ticketing pod uses the JWT information and appropriately forwards requests to the waiting room pod.
  C. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling configuration. Create a CloudFront function that inspects the JWT information and appropriately forwards requests to the ticketing service or the waiting room service.
  D. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split the waiting room module into a pod that is separate from the ticketing pod. Use AWS App Mesh by provisioning the App Mesh controller for Kubernetes. Enable mTLS authentication and service-to-service authentication for communication between the ticketing pod and the waiting room pod. Ensure that the ticketing pod uses the JWT information and appropriately forwards requests to the waiting room pod.
  C. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling configuration. Create a CloudFront function that inspects the JWT information and appropriately forwards requests to the ticketing service or the waiting room service.

  ---

  Explanation

• Question 668:

  A company has a complex web application that leverages Amazon CloudFront for global scalability and performance. Over time, users report that the web application is slowing down.

  The company's operations team reports that the CloudFront cache hit ratio has been dropping steadily. The cache metrics report indicates that query strings on some URLs are inconsistently ordered and are specified sometimes in mixed-case letters and sometimes in lowercase letters.

  Which set of actions should the solutions architect take to increase the cache hit ratio as quickly as possible?

  A. Deploy a Lambda@Edge function to sort parameters by name and force them to be lowercase. Select the CloudFront viewer request trigger to invoke the function.
  B. Update the CloudFront distribution to disable caching based on query string parameters.
  C. Deploy a reverse proxy after the load balancer to post-process the emitted URLs in the application to force the URL strings to be lowercase.
  D. Update the CloudFront distribution to specify casing-insensitive query string processing.
  A. Deploy a Lambda@Edge function to sort parameters by name and force them to be lowercase. Select the CloudFront viewer request trigger to invoke the function.

  ---

  Explanation

  https://docs.amazonaws.cn/en_us/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-query-string-examples Before CloudFront serves content from the cache it will trigger any Lambda function associated with the Viewer Request, in which we can normalize parameters. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-normalize-query-string-parameters

• Question 669:

  A company is running a web application on Amazon EC2 instances in a production AWS account. The company requires all logs generated from the web application to be copied to a central AWS account (or analysis and archiving. The company's AWS accounts are currently managed independently. Logging agents are configured on the EC2 instances to upload the tog files to an Amazon S3 bucket in the central AWS account.

  A solutions architect needs to provide access for a solution that will allow the production account to store log files in the central account. The central account also needs to have read access to the tog files.

  What should the solutions architect do to meet these requirements?

  A. Create a cross-account role in the central account. Assume the role from the production account when the logs are being copied.
  B. Create a policy on the S3 bucket with the production account ID as the principal. Allow S3 access from a delegated user.
  C. Create a policy on the S3 bucket with access from only the CIDR range of the EC2 instances in the production account. Use the production account ID as the principal.
  D. Create a cross-account role in the production account. Assume the role from the production account when the logs are being copied.
  B. Create a policy on the S3 bucket with the production account ID as the principal. Allow S3 access from a delegated user.

  ---

  Explanation

• Question 670:

  A company uses AWS Organizations and tags every resource with a BusinessUnit tag. They want to allocate cloud costsby business unit and visualize them.

  A. Activate BusinessUnit cost allocation tag in the management account. Create a CUR to S3. Use Athena + QuickSight for reporting.
  B. Create cost allocation tags in each member account. Use CloudWatch Dashboards.
  C. Create cost allocation tags in the management account. Deploy CURs per account.
  D. Use tags and CUR per account. Visualize with QuickSight from management account.
  A. Activate BusinessUnit cost allocation tag in the management account. Create a CUR to S3. Use Athena + QuickSight for reporting.

  ---

  Explanation

  https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc- tags.htmlhttps://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html