Amazon SAP-C01 Practice Test - Questions Answers, Page 12
Question 111
A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region. The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone. Which solution meets these requirements?
Question 112
Which is a valid Amazon Resource Name (ARN) for IAM?
Explanation:
IAM ARNs
Most resources have a friendly name (for example, a user named Bob or a group named Developers). However, the access policy language requires you to specify the resource or resources using the following Amazon Resource Name (ARN) format:
arn:aws:service:region:account:resource
Where:
service identifies the AWS product. For IAM resources, this is always iam.
region is the region the resource resides in. For IAM resources, this is always left blank.
account is the AWS account ID with no hyphens (for example, 123456789012).
resource is the portion that identifies the specific resource by name.
You can use ARNs in IAM for users (IAM and federated), groups, roles, policies, instance profiles, virtual MFA devices, and server certificates. The following table shows the ARN format for each and an example. The region portion of the ARN is blank because IAM resources are global.
Question 113
You have set up an Auto Scaling group. The cool down period for the Auto Scaling group is 7 minutes. The first scaling activity request for the Auto Scaling group is to launch two instances. It receives the activity request at time "t", and the first instance is launched at t+3 minutes, while the second instance is launched at t+4 minutes.
How many minutes after time "t" will Auto Scaling accept another scaling activity request?
Explanation:
If an Auto Scaling group is launching more than one instance, the cool down period for each instance starts after that instance is launched. The group remains locked until the last instance that was launched has completed its cool down period. In this case the cool down period for the first instance starts after 3 minutes and finishes at the 10th minute (3+7 cool down), while for the second instance it starts at the 4th minute and finishes at the 11th minute (4+7 cool down). Thus, the Auto Scaling group will receive another request only after 11 minutes.
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AS_Concepts.html
Question 114
A media company is serving video files stored in Amazon S3 using Amazon CloudFront. The development team needs access to the logs to diagnose faults and perform service monitoring. The log files from CloudFront may contain sensitive information about users.
The company uses a log processing service to remove sensitive information before making the logs available to the development team. The company has the following requirements for the unprocessed logs:
The logs must be encrypted at rest and must be accessible by the log processing service only.
Only the data protection team can control access to the unprocessed log files.
AWS CloudFormation templates must be stored in AWS CodeCommit.
AWS CodePipeline must be triggered on commit to perform updates made to CloudFormation templates.
CloudFront is already writing the unprocessed logs to an Amazon S3 bucket, and the log processing service is operating against this S3 bucket. Which combination of steps should a solutions architect take to meet the company’s requirements? (Choose two.)
Question 115
A web application is hosted in a dedicated VPC that is connected to a company’s on-premises data center over a Site-to-Site VPN connection. The application is accessible from the company network only. This is a temporary non-production application that is used during business hours. The workload is generally low with occasional surges. The application has an Amazon Aurora MySQL provisioned database cluster on the backend. The VPC has an internet gateway and a NAT gateway attached. The web servers are in private subnets in an Auto Scaling group behind an Elastic Load Balancer. The web servers also upload data to an Amazon S3 bucket through the internet.
A solutions architect needs to reduce operational costs and simplify the architecture.
Which strategy should the solutions architect use?
Question 116
A company is migrating applications from on premises to the AWS Cloud. These applications power the company’s internal web forms. These web forms collect data for specific events several times each quarter. The web forms use simple SQL statements to save the data to a local relational database.
Data collection occurs for each event, and the on-premises servers are idle most of the time. The company needs to minimize the amount of idle infrastructure that supports the web forms. Which solution will meet these requirements?
Explanation:
Reference: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/kds.html
Question 117
A company has several AWS accounts. A development team is building an automation framework for cloud governance and remediation processes. The automation framework uses AWS Lambda functions in a centralized account. A solutions architect must implement a least privilege permissions policy that allows the Lambda functions to run in each of the company’s AWS accounts. Which combination of steps will meet these requirements? (Choose two.)
Explanation:
Reference: https://aws.amazon.com/blogs/devops/how-to-centrally-manage-aws-config-rules-across-multiple-aws-accounts/
Question 118
An organization is setting up a highly scalable application using Elastic Beanstalk. The organization is using ELB and RDS with VPC. The organization has public and private subnets within the cloud. Which of the below mentioned configurations will not work in this scenario?
Explanation:
The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. If the organization is planning to implement a scalable secure application using RDS, VPC and ELB, the organization should follow the configurations mentioned below:
Set up RDS in a private subnet.
Set up ELB in a public subnet.
Since RDS needs a subnet group, the organization should have two private subnets in the same zone.
The ELB needs private and public subnets to be part of the same AZs.
It is not required that instances should have a public IP assigned to them. The instances can be a part of a private subnet and the organization can set up a corresponding routing mechanism.
Reference: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-rds.html
Question 119
A company recently transformed its legacy infrastructure provisioning scripts to AWS CloudFormation templates. The newly developed templates are hosted in the company’s private GitHub repository. Since adopting CloudFormation, the company has encountered several issues with updates to the CloudFormation templates, causing execution or creating environment. Management is concerned by the increase in errors and has asked a Solutions Architect to design the automated testing of CloudFormation template updates. What should the Solutions Architect do to meet these requirements?
Question 120
A company has developed a mobile game. The backend for the game runs on several virtual machines located in an on-premises data center. The business logic is exposed using a REST API with multiple functions. Player session data is stored in central file storage. Backend services use different API keys for throttling and to distinguish between live and test traffic. The load on the game backend varies throughout the day. During peak hours, the server capacity is not sufficient. There are also latency issues when fetching player session data. Management has asked a solutions architect to present a cloud architecture that can handle the game’s varying load and provide low-latency data access. The API model should not be changed. Which solution meets these requirements?