ExamGecko
Login
Home / Amazon / SAP-C01 / List of questions
Ask Question

Amazon SAP-C01 Practice Test - Questions Answers, Page 36

List of questions

Question 351

Report
Export
Collapse

A financial services company sells its software-as-a-service (SaaS) platform for application compliance to large global banks. The SaaS platform runs on AWS and uses multiple AWS accounts that are managed in an organization in AWS Organizations. The SaaS platform uses many AWS resources globally. For regulatory compliance, all API calls to AWS resources must be audited, tracked for changes, and stored in a durable and secure data store. Which solution will meet these requirements with the LEAST operational overhead?

Create a new AWS CloudTrail trail. Use an existing Amazon S3 bucket in the organization’s management account to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 bucket.
Create a new AWS CloudTrail trail. Use an existing Amazon S3 bucket in the organization’s management account to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 bucket.
Create a new AWS CloudTrail trail in each member account of the organization. Create new Amazon S3 buckets to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 buckets.
Create a new AWS CloudTrail trail in each member account of the organization. Create new Amazon S3 buckets to store the logs. Deploy the trail to all AWS Regions. Enable MFA delete and encryption on the S3 buckets.
Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket with versioning turned on to store the logs. Deploy the trail for all accounts in the organization. Enable MFA delete and encryption on the S3 bucket.
Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket with versioning turned on to store the logs. Deploy the trail for all accounts in the organization. Enable MFA delete and encryption on the S3 bucket.
Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket to store the logs. Configure Amazon Simple Notification Service (Amazon SNS) to send log-file delivery notifications to an external management system that will track the logs. Enable MFA delete and encryption on the S3 bucket.
Create a new AWS CloudTrail trail in the organization’s management account. Create a new Amazon S3 bucket to store the logs. Configure Amazon Simple Notification Service (Amazon SNS) to send log-file delivery notifications to an external management system that will track the logs. Enable MFA delete and encryption on the S3 bucket.
Suggested answer: D

Explanation:

Reference: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/creating-an-organizational-trail-in-the-console.html

asked 16/09/2024
Marcelo Tamaki
36 questions

Question 352

Report
Export
Collapse

The Solutions Architect manages a serverless application that consists of multiple API gateways, AWS Lambda functions, Amazon S3 buckets, and Amazon DynamoDB tables. Customers say that a few application components slow while loading dynamic images, and some are timing out with the “504 Gateway Timeout” error. While troubleshooting the scenario, the Solutions Architect confirms that DynamoDB monitoring metrics are at acceptable levels. Which of the following steps would be optimal for debugging these application issues? (Choose two.)

Parse HTTP logs in Amazon API Gateway for HTTP errors to determine the root cause of the errors.
Parse HTTP logs in Amazon API Gateway for HTTP errors to determine the root cause of the errors.
Parse Amazon CloudWatch Logs to determine processing times for requested images at specified intervals.
Parse Amazon CloudWatch Logs to determine processing times for requested images at specified intervals.
Parse VPC Flow Logs to determine if there is packet loss between the Lambda function and S3.
Parse VPC Flow Logs to determine if there is packet loss between the Lambda function and S3.
Parse AWS X-Ray traces and analyze HTTP methods to determine the root cause of the HTTP errors.
Parse AWS X-Ray traces and analyze HTTP methods to determine the root cause of the HTTP errors.
Parse S3 access logs to determine if objects being accessed are from specific IP addresses to narrow the scope to geographic latency issues.
Parse S3 access logs to determine if objects being accessed are from specific IP addresses to narrow the scope to geographic latency issues.
Suggested answer: B, D

Explanation:

Firstly “A 504 Gateway Timeout Error means your web server didn’t receive a timely response from another server upstream when it attempted to load one of your web pages. Put simply, your web servers aren’t communicating with each other fast enough”. This specific issue is addressed in the AWS article “Tracing, Logging and Monitoring an API Gateway API”.

Reference:

https://docs.amazonaws.cn/en_us/apigateway/latest/developerguide/monitoring_overview.html

asked 16/09/2024
Karthik Krishnamoorthy
25 questions

Question 353

Report
Export
Collapse

An education company is running a web application used by college students around the world. The application runs in an Amazon Elastic Container Service (Amazon ECS) cluster in an Auto Scaling group behind an Application Load Balancer (ALB). A system administrator detects a weekly spike in the number of failed login attempts, which overwhelm the application’s authentication service. All the failed login attempts originate from about 500 different IP addresses that change each week. A solutions architect must prevent the failed login attempts from overwhelming the authentication service. Which solution meets these requirements with the MOST operational efficiency?

Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses
Use AWS Firewall Manager to create a security group and security group policy to deny access from the IP addresses
Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB
Create an AWS WAF web ACL with a rate-based rule, and set the rule action to Block. Connect the web ACL to the ALB
Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges
Use AWS Firewall Manager to create a security group and security group policy to allow access only to specific CIDR ranges
Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB
Create an AWS WAF web ACL with an IP set match rule, and set the rule action to Block. Connect the web ACL to the ALB
Suggested answer: A

Explanation:

Reference: https://docs.aws.amazon.com/waf/latest/developerguide/security-group-policies.html

asked 16/09/2024
Kwame Kankam-Boadu
34 questions

Question 354

Report
Export
Collapse

A company is migrating a legacy application from an on-premises data center to AWS. The application consists of a single application server and a Microsoft SQL Server database server. Each server is deployed on a VMware VM that consumes 500 TB of data across multiple attached volumes.

The company has established a 10 Gbps AWS Direct Connect connection from the closest AWS Region to its on-premises data center. The Direct Connect connection is not currently in use by other services. Which combination of steps should a solutions architect take to migrate the application with the LEAST amount of downtime? (Choose two.)

Use an AWS Server Migration Service (AWS SMS) replication job to migrate the database server VM to AWS.
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the database server VM to AWS.
Use VM Import/Export to import the application server VM.
Use VM Import/Export to import the application server VM.
Export the VM images to an AWS Snowball Edge Storage Optimized device.
Export the VM images to an AWS Snowball Edge Storage Optimized device.
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the application server VM to AWS.
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the application server VM to AWS.
Use an AWS Database Migration Service (AWS DMS) replication instance to migrate the database to an Amazon RDS DB instance.
Use an AWS Database Migration Service (AWS DMS) replication instance to migrate the database to an Amazon RDS DB instance.
Suggested answer: B, E
asked 16/09/2024
Matthew Isaacs
37 questions

Question 355

Report
Export
Collapse

A company has an Amazon EC2 deployment that has the following architecture:

An application tier that contains 8 m4.xlarge instances

A Classic Load Balancer

Amazon S3 as a persistent data store

After one of the EC2 instances fails, users report very slow processing of their requests. A Solutions Architect must recommend design changes to maximize system reliability. The solution must minimize costs. What should the Solutions Architect recommend?

Migrate the existing EC2 instances to a serverless deployment using AWS Lambda functions
Migrate the existing EC2 instances to a serverless deployment using AWS Lambda functions
Change the Classic Load Balancer to an Application Load Balancer
Change the Classic Load Balancer to an Application Load Balancer
Replace the application tier with m4.large instances in an Auto Scaling group
Replace the application tier with m4.large instances in an Auto Scaling group
Replace the application tier with 4 m4.2xlarge instances
Replace the application tier with 4 m4.2xlarge instances
Suggested answer: B

Explanation:

By default, connection draining is enabled for Application Load Balancers but must be enabled for Classic Load Balancers. When Connection Draining is enabled and configured, the process of deregistering an instance from an Elastic Load Balancer gains an additional step. For the duration of the configured timeout, the load balancer will allow existing, in-flight requests made to an instance to complete, but it will not send any new requests to the instance. During this time, the API will report the status of the instance as InService, along with a message stating that “Instance deregistration currently in progress.” Once the timeout is reached, any remaining connections will be forcibly closed.

Reference: https://docs.aws.amazon.com/autoscaling/ec2/userguide/attach-load-balancer-asg.html

https://aws.amazon.com/blogs/aws/elb-connection-draining-remove-instances-from-service-with-care/

asked 16/09/2024
ben ebrahimi
39 questions

Question 356

Report
Export
Collapse

A medical company is building a data lake on Amazon S3. The data must be encrypted in transit and at rest. The data must remain protected even if S3 bucket is inadvertently made public. Which combination of steps will meet these requirements? (Choose three.)

Ensure that each S3 bucket has a bucket policy that includes a Deny statement if the aws:SecureTransport condition is not present.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement if the aws:SecureTransport condition is not present.
Create a CMK in AWS Key Management Service (AWS KMS). Turn on server-side encryption (SSE) on the S3 buckets, select SSE-KMS for the encryption type, and use the CMK as the key.
Create a CMK in AWS Key Management Service (AWS KMS). Turn on server-side encryption (SSE) on the S3 buckets, select SSE-KMS for the encryption type, and use the CMK as the key.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an “s3:x-amz-server-side-encryption”:“aws:kms” condition.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an “s3:x-amz-server-side-encryption”:“aws:kms” condition.
Turn on server-side encryption (SSE) on the S3 buckets and select SSE-S3 for the encryption type.
Turn on server-side encryption (SSE) on the S3 buckets and select SSE-S3 for the encryption type.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an “s3:x-amz-server-side-encryption”:“AES256” condition.
Ensure that each S3 bucket has a bucket policy that includes a Deny statement for PutObject actions if the request does not include an “s3:x-amz-server-side-encryption”:“AES256” condition.
Turn on AWS Config. Use the s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, and s3-bucket-sslrequests- only AWS Config managed rules to monitor the S3 buckets.
Turn on AWS Config. Use the s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, and s3-bucket-sslrequests- only AWS Config managed rules to monitor the S3 buckets.
Suggested answer: A, B, C

Explanation:

To determine HTTP or HTTPS requests in a bucket policy, use a condition that checks for the key "aws:SecureTransport". When this key is true, then request is sent through HTTPS. To comply with the s3bucket-ssl-requests-only rule, create abucket policy that explicitly denies access when the request meets the condition "aws:SecureTransport": "false". This policyexplicitly denies access to HTTP requests.

When you create an object, you can specify the use of server-side encryption with AWS Key Management Service (AWS KMS) keys to encrypt your data. This is true when you are either uploading a new object or copying an existing object. This encryption is known as SSE-KMS.

Enforce object encryption, create an S3 bucket policy that denies any S3 Put request that does not include the x-amz-serverside- encryption header.

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-bucket-policy-for-config-rule/

https://docs.aws.amazon.com/AmazonS3/latest/userguide/specifying-kms-encryption.html

https://aws.amazon.com/blogs/security/how-to-prevent-uploads-of-unencrypted-objects-to-amazon-s3/

asked 16/09/2024
Nosh Shah
37 questions

Question 357

Report
Export
Collapse

A video streaming company recently launched a mobile app for video sharing. The app uploads various files to an Amazon S3 bucket in the us-east-1 Region. The files range in size from 1 GB to 10 GB. Users who access the app from Australia have experienced uploads that take long periods of time. Sometimes the files fail to completely upload for these users. A solutions architect must improve the app’s performance for these uploads. Which solutions will meet these requirements? (Choose two.)

Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.
Enable S3 Transfer Acceleration on the S3 bucket. Configure the app to use the Transfer Acceleration endpoint for uploads.
Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the files to the distribution S3 bucket.
Configure an S3 bucket in each Region to receive the uploads. Use S3 Cross-Region Replication to copy the files to the distribution S3 bucket.
Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.
Set up Amazon Route 53 with latency-based routing to route the uploads to the nearest S3 bucket Region.
Configure the app to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.
Configure the app to break the video files into chunks. Use a multipart upload to transfer files to Amazon S3.
Modify the app to add random prefixes to the files before uploading.
Modify the app to add random prefixes to the files before uploading.
Suggested answer: A, C
asked 16/09/2024
Niall Dempsey
35 questions

Question 358

Report
Export
Collapse

If you have a running instance using an Amazon EBS boot partition, you can call the _______ API to release the compute resources but preserve the data on the boot partition.

Stop Instances
Stop Instances
Terminate Instances
Terminate Instances
AMI Instance
AMI Instance
Ping Instance
Ping Instance
Suggested answer: A

Explanation:

If you have a running instance using an Amazon EBS boot partition, you can also call the Stop Instances API to release the compute resources but preserve the data on the boot partition.

Reference: https://aws.amazon.com/ec2/faqs/#How_quickly_will_systems_be_running

asked 16/09/2024
Christos Katopis
33 questions

Question 359

Report
Export
Collapse

An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An ENI can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you_____.

create an elastic network interface for eth1
create an elastic network interface for eth1
include a MAC address
include a MAC address
use an existing network interface
use an existing network interface
create an elastic network interface for eth0
create an elastic network interface for eth0
Suggested answer: D

Explanation:

An elastic network interface (ENI) is defined as a virtual network interface that you can attach to an instance in a VPC and can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you create an elastic network interface for eth0 instead of using an existing network interface.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

asked 16/09/2024
Massimo Cerqui
38 questions

Question 360

Report
Export
Collapse

A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

SNS cannot provide data every minute
SNS cannot provide data every minute
SNS will send data every minute after configuration
SNS will send data every minute after configuration
There is no need to enable since SNS provides data every minute
There is no need to enable since SNS provides data every minute
AWS CloudWatch does not support monitoring for SNS
AWS CloudWatch does not support monitoring for SNS
Suggested answer: A

Explanation:

CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html

asked 16/09/2024
Vivek Nandey
34 questions
Total 906 questions
Go to page: of 91
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances. Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?
A company is developing a gene reporting device that will collect genomic information to assist researchers will collecting large samples of data from a diverse population. The device will push 8 KB of genomic data every second to a data platform that will need to process and analyze the data and provide information back to researchers. The data platform must meet the following requirements: Provide near-real-time analytics of the inbound genomic data Ensure the data is flexible, parallel, and durable Deliver results of processing to a data warehouse Which strategy should a solutions architect use to meet these requirements?
A medical company is running an application in the AWS Cloud. The application simulates the effect of medical drugs in development. The application consists of two parts: configuration and simulation. The configuration part runs in AWS Fargate containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The simulation part runs on large, compute optimized Amazon EC2 instances. Simulations can restart if they are interrupted. The configuration part runs 24 hours a day with a steady load. The simulation part runs only for a few hours each night with a variable load. The company stores simulation results in Amazon S3, and researchers use the results for 30 days. The company must store simulations for 10 years and must be able to retrieve the simulations within 5 hours. Which solution meets these requirements MOST cost-effectively?
A Solutions Architect must build a highly available infrastructure for a popular global video game that runs on a mobile phone platform. The application runs on Amazon EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The database tier is an Amazon RDS MySQL Multi-AZ instance. The entire application stack is deployed in both us-east-1 and eu-central-1. Amazon Route 53 is used to route traffic to the two installations using a latency-based routing policy. A weighted routing policy is configured in Route 53 as a fail over to another region in case the installation in a region becomes unresponsive. During the testing of disaster recovery scenarios, after blocking access to the Amazon RDS MySQL instance in eu-central-1 from all the application instances running in that region. Route 53 does not automatically failover all traffic to us- east-1. Based on this situation, which changes would allow the infrastructure to failover to us-east-1? (Choose two.)
Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to oaten process this data and used Rabbit MQ - An open source messaging system to get job information to the servers. Once processed the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct?
A company’s processing team has an AWS account with a production application. The application runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are hosted in private subnets in a VPC in the eu- west- 1 Region. The VPC was assigned the CIDR block of 10.0.0.0/16. The billing team recently created a new AWS account and deployed an application on EC2 instances that are hosted in private subnets in a VPC in the eu-central-1 Region. The new VPC is assigned the CIDR block of 10.0.0.0/16. The processing application needs to securely communicate with the billing application over a proprietary TCP port. What should a solutions architect do to meet this requirement with the LEAST amount of operational effort?
A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company’s applications and databases are running in Account B. A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53. During deployment the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53. Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)
A company runs an application on AWS. An AWS Lambda function uses credentials to authenticate to an Amazon RDS for MySQL DB instance. A security risk assessment identified that these credentials are not frequently rotated. Also, encryption at rest is not enabled for the DB instance. The security team requires that both of these issues be resolved. Which strategy should a solutions architect recommend to remediate these security risks?
A company runs a dynamic mission-critical web application that has an SLA of 99.99%. Global application users access the application 24/7. The application is currently hosted on premises and routinely fails to meet its SLA, especially when millions of users access the application concurrently. Remote users complain of latency. How should this application be redesigned to be scalable and allow for automatic failover at the lowest cost?
A 3-Ber e-commerce web application is currently deployed on-premises, and will be migrated to AWS for greater scalability and elasticity. The web tier currently shares read-only data using a network distributed file system. The app server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The database tier uses sharedstorage clustering to provide database failover capability, and uses several read slaves for scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes. Which AWS storage and database architecture meets the requirements of the application?