Amazon SAP-C01 Practice Test - Questions Answers, Page 38

Question 371

In the context of AWS IAM, identify a true statement about user passwords (login profiles).

A. They must contain Unicode characters.
B. They can contain any Basic Latin (ASCII) characters.
C. They must begin and end with a forward slash (/).
D. They cannot contain Basic Latin (ASCII) characters.
Suggested answer: B

Explanation:

The user passwords (login profiles) of IAM users can contain any Basic Latin (ASCII) characters.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

asked 16/09/2024
Calvin Bolico
36 questions

Question 372

A company manages hundreds of AWS accounts centrally in an organization in AWS Organizations. The company recently started to allow product teams to create and manage their own S3 access points in their accounts. The S3 access points can be accessed only within VPCs, not on the Internet.

What is the MOST operationally efficient way to enforce this requirement?

A. Set the S3 access point resource policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
B. Create an SCP at the root level in the organization to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
C. Use AWS CloudFormation StackSets to create a new IAM policy in each AWS account that allows the s3:CreateAccessPoint action only if the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
D. Set the S3 bucket policy to deny the s3:CreateAccessPoint action unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC.
Suggested answer: D

Explanation:

Reference: https://aws.amazon.com/blogs/storage/managing-amazon-s3-access-with-vpc-endpoints-and-s3-access-points/

asked 16/09/2024
Djordje Novakovic
35 questions

Question 373

A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys. A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API’s reputation.

What should the solutions architect recommend to improve the customer experience?

A. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.
B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.
C. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is appropriate for the workload.
D. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.
Suggested answer: C

Explanation:

API Gateway recommends that you run a 10-minute load test to verify that your cache capacity is appropriate for your workload.

Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-caching.html

asked 16/09/2024
David Washington
32 questions

Question 374

In which of the "start using AWS Direct Connect" steps is the virtual interface you created tagged with a customer-provided tag that complies with the Ethernet 802.1Q standard?

A. Download Router Configuration.
B. Complete the Cross Connect.
C. Configure Redundant Connections with AWS Direct Connect.
D. Create a Virtual Interface.
Suggested answer: D

Explanation:

In the list of steps for getting started with AWS Direct Connect, the Create a Virtual Interface step is where you provision your virtual interfaces. Each virtual interface must be tagged with a customer-provided tag that complies with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the AWS Direct Connect connection.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html#createvirtualinterface

asked 16/09/2024
Orenthial Johnson
31 questions

Question 375

A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company’s information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.

To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application. Which combination of steps should the solutions architect take to implement this solution? (Choose two.)

A. Create an S3 access point for each application in the AWS account that owns the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
B. Create an interface endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Create a VPC gateway attachment for the S3 endpoint.
C. Create a gateway endpoint for Amazon S3 in each application’s VPC. Configure the endpoint policy to allow access to an S3 access point. Specify the route table that is used to access the access point.
D. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucket. Configure each access point to be accessible only from the application’s VPC. Update the bucket policy to require access from an access point.
E. Create a gateway endpoint for Amazon S3 in the data lake’s VPC. Attach an endpoint policy to allow access to the S3 bucket. Specify the route table that is used to access the bucket.
Suggested answer: A, C

asked 16/09/2024
Chris Houck
33 questions

Question 376

What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

A. Very High but variable
B. 20 Gigabit
C. 5 Gigabit
D. 10 Gigabit
Suggested answer: D

Explanation:

Networking performance offered by the c4.8xlarge instance is 10 Gigabit.

Reference: http://aws.amazon.com/ec2/instance-types/

asked 16/09/2024
Jeremy Cheeseborough
41 questions

Question 377

What is the default maximum number of VPCs allowed per region?

A. 5
B. 10
C. 100
D. 15
Suggested answer: A

Explanation:

The maximum number of VPCs allowed per region is 5.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

asked 16/09/2024
Thanh Tran
34 questions

Question 378

A company is using AWS for production and development workloads. Each business unit has its own AWS account for production, and a separate AWS account to develop and deploy its applications. The Information Security department has introduced new security policies that limit access for terminating certain Amazon EC2 instances in all accounts to a small group of individuals from the Security team. How can the Solutions Architect meet these requirements?

A. Create a new IAM policy that allows access to those EC2 instances only for the Security team. Apply this policy to the AWS Organizations master account.
B. Create a new tag-based IAM policy that allows access to these EC2 instances only for the Security team. Tag the instances appropriately, and apply this policy in each account.
C. Create an organizational unit under AWS Organizations. Move all the accounts into this organizational unit and use SCP to apply a whitelist policy to allow access to these EC2 instances for the Security team only.
D. Set up SAML federation for all accounts in AWS. Configure SAML so that it checks for the service API call before authenticating the user. Block SAML from authenticating API calls if anyone other than the Security team accesses these instances.
Suggested answer: C

Explanation:

Reference:

https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-to-set-permission-guardrails-across-accounts-in-your-aws-organization/
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_examplescps.html

asked 16/09/2024
Ken Mak
43 questions

Question 379

A Solutions Architect is designing a multi-account structure that has 10 existing accounts. The design must meet the following requirements:

Consolidate all accounts into one organization.
Allow full access to the Amazon EC2 service from the master account and the secondary accounts.
Minimize the effort required to add additional secondary accounts.

Which combination of steps should be included in the solution? (Choose two.)

A. Create an organization from the master account. Send invitations to the secondary accounts from the master account. Accept the invitations and create an OU.
B. Create an organization from the master account. Send a join request to the master account from each secondary account. Accept the requests and create an OU.
C. Create a VPC peering connection between the master account and the secondary accounts. Accept the request for the VPC peering connection.
D. Create a service control policy (SCP) that enables full EC2 access, and attach the policy to the OU.
E. Create a full EC2 access policy and map the policy to a role in each account. Trust every other account to assume the role.
Suggested answer: A, D

Explanation:

There is a concept of Permission Boundary vs Actual IAM Policies. That is, we have a concept of “Allow” vs “Grant”. In terms of boundaries, we have the following three boundaries:

1. SCP

2. User/Role boundaries

3. Session boundaries (ex. AssumeRole ... )

In terms of actual permission granting, we have the following:

1. Identity Policies

2. Resource Policies

asked 16/09/2024
umar raad
36 questions

Question 380

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw123456) to connect to the user's data center.

The user's data center has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the following options is not a valid entry for the main route table in this scenario?

A. Destination: 20.0.0.0/16 and Target: local
B. Destination: 0.0.0.0/0 and Target: i-123456
C. Destination: 172.28.0.0/12 and Target: vgw-123456
D. Destination: 20.0.1.0/24 and Target: i-123456
Suggested answer: D

Explanation:

The user can create subnets as per the requirement within a VPC. If the user wants to connect to the VPC from his own data centre, he can set up a public and a VPN-only subnet which uses hardware VPN access to connect with his data centre. When the user has configured this setup with the wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. If the user has set up a NAT instance to route all the internet requests, then all requests to the internet should be routed to it.

All requests to the organization's DC will be routed to the VPN gateway. Here are the valid entries for the main route table in this scenario:

Destination: 0.0.0.0/0 & Target: i-123456 (To route all internet traffic to the NAT Instance)
Destination: 172.28.0.0/12 & Target: vgw-123456 (To route all the organization's data centre traffic to the VPN gateway)
Destination: 20.0.0.0/16 & Target: local (To allow local routing in VPC)

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html

asked 16/09/2024
Laimonas Mulys
38 questions
Total 906 questions