Amazon SAP-C02 Practice Test - Questions Answers, Page 49
A utility company wants to collect usage data every 5 minutes from its smart meters to facilitate time-of-use metering. When a meter sends data to AWS, the data is sent to Amazon API Gateway, processed by an AWS Lambda function, and stored in an Amazon DynamoDB table. During the pilot phase, the Lambda functions took from 3 to 5 seconds to complete.
As more smart meters are deployed, the engineers notice the Lambda functions are taking from 1 to 2 minutes to complete. The functions are also increasing in duration as new types of metrics are collected from the devices. There are many ProvisionedThroughputExceededException errors while performing PUT operations on DynamoDB, and there are also many TooManyRequestsException errors from Lambda.
Which combination of changes will resolve these issues? (Select TWO)
Increase the write capacity units to the DynamoDB table.
Increase the memory available to the Lambda functions.
Increase the payload size from the smart meters to send more data.
Stream the data into an Amazon Kinesis data stream from API Gateway and process the data in batches.
Collect data in an Amazon SQS FIFO queue, which triggers a Lambda function to process each message.
A company is running a serverless ecommerce application on AWS. The application uses Amazon API Gateway to invoke AWS Lambda Java functions. The Lambda functions connect to an Amazon RDS for MySQL database to store data.
During a recent sale event, a sudden increase in web traffic resulted in poor API performance and database connection failures. The company needs to implement a solution to minimize the latency for the Lambda functions and to support bursts in traffic.
Which solution will meet these requirements with the LEAST amount of change to the application?
Update the code of the Lambda functions so that the Lambda functions open the database connection outside of the function handler. Increase the provisioned concurrency for the Lambda functions.
Create an RDS Proxy endpoint for the database. Store database secrets in AWS Secrets Manager. Set up the required IAM permissions. Update the Lambda functions to connect to the RDS Proxy endpoint. Increase the provisioned concurrency for the Lambda functions.
Create a custom parameter group. Increase the value of the max_connections parameter. Associate the custom parameter group with the RDS DB instance and schedule a reboot. Increase the reserved concurrency for the Lambda functions.
Create an RDS Proxy endpoint for the database. Store database secrets in AWS Secrets Manager. Set up the required IAM permissions. Update the Lambda functions to connect to the RDS Proxy endpoint. Increase the reserved concurrency for the Lambda functions.
A company has an application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The application is in an AWS account that has AWS CloudTrail enabled. The company restricts access to the application by adding the IP addresses of end users to a security group that is associated with the ALB.
The company is developing an AWS Lambda function to determine if the allowed IP addresses have accessed the application recently. If an allowed IP address has not accessed the application in the last 90 days, the Lambda function will remove the IP address from the security group.
The company needs to implement the functionality for the Lambda function to check the IP addresses.
Which combination of steps will provide this functionality MOST cost-effectively? (Select TWO)
For the VPC that contains the ALB, configure VPC flow logs to be sent to a log group in Amazon CloudWatch Logs.
Enable access logging on the ALB. Create an Amazon Athena table to query the ALB access logs.
Program the Lambda function to check when each allowed IP address from the security group last appeared in the VPC flow logs.
Program the Lambda function to check when each allowed IP address from the security group last appeared in the ALB access logs.
Program the Lambda function to check when each allowed IP address from the security group last appeared in the CloudTrail logs.
A company has separate AWS accounts for each of its departments. The accounts are in OUs that are in an organization in AWS Organizations. The IT department manages a private certificate authority (CA) by using AWS Private Certificate Authority in its account.
The company needs a solution to allow developer teams in the other departmental accounts to access the private CA to issue certificates for their applications. The solution must maintain appropriate security boundaries between accounts.
Which solution will meet these requirements?
Create an AWS Lambda function in the IT account. Program the Lambda function to use the AWS Private CA API to export and import a private CA certificate to each department account. Use Amazon EventBridge to invoke the Lambda function on a schedule.
Create an IAM identity-based policy that allows cross-account access to AWS Private CA. In the IT account, attach this policy to the private CA. Grant access to AWS Private CA by using the AWS Private CA API.
In the organization's management account, create an AWS CloudFormation stack to set up a resource-based delegation policy. Update the policy to allow the organizations:EnableAWSServiceAccess action. Add the ARN of the private CA from the IT account as the principal in the policy statement.
Use AWS Resource Access Manager (AWS RAM) in the IT account to enable sharing in the organization. Create a resource share. Add the private CA resource to the resource share. Grant the department OUs access to the shared CA.
A company hosts its primary API on AWS by using an Amazon API Gateway API and AWS Lambda functions that contain the logic for the API methods. The company's internal applications use the API for core functionality and business logic. The company's customers use the API to access data from their accounts. Several customers also have access to a legacy API that is running on a single standalone Amazon EC2 instance.
The company wants to increase the security for these APIs to better prevent denial of service (DoS) attacks, check for vulnerabilities, and guard against common exploits.
What should a solutions architect do to meet these requirements?
Use AWS WAF to protect both APIs. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze both APIs. Configure Amazon GuardDuty to block malicious attempts to access the APIs.
Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to analyze the legacy API. Configure Amazon GuardDuty to monitor for malicious attempts to access the APIs.
Use AWS WAF to protect the API Gateway API. Configure Amazon Inspector to protect the legacy API. Configure Amazon GuardDuty to block malicious attempts to access the APIs.
A global ecommerce company has many data centers around the world. With the growth of its stored data, the company needs to set up a solution to provide scalable storage for legacy on-premises file applications. The company must be able to take point-in-time copies of volumes by using AWS Backup and must retain low-latency access to frequently accessed data. The company also needs to have storage volumes that can be mounted as Internet Small Computer System Interface (iSCSI) devices from the company's on-premises application servers.
Which solution will meet these requirements?
Provision an AWS Storage Gateway tape gateway. Configure the tape gateway to store data in an Amazon S3 bucket. Deploy AWS Backup to take point-in-time copies of the volumes.
Provision an Amazon FSx File Gateway and an Amazon S3 File Gateway. Deploy AWS Backup to take point-in-time copies of the data.
Provision an AWS Storage Gateway volume gateway in cache mode. Back up the on-premises Storage Gateway volumes with AWS Backup.
Provision an AWS Storage Gateway file gateway in cache mode. Deploy AWS Backup to take point-in-time copies of the volumes.
A company recently completed a successful proof of concept of Amazon WorkSpaces. A solutions architect needs to make the solution highly available across two AWS Regions. Amazon WorkSpaces is deployed in a failover Region, and a hosted zone is deployed in Amazon Route 53.
What should the solutions architect do to configure high availability for the solution?
Create a connection alias in the primary Region and in the failover Region. Associate the connection aliases with a directory in each Region. Create a Route 53 failover routing policy. Set Evaluate Target Health to Yes.
Create a connection alias in the primary Region and in the failover Region. Associate the connection aliases with a directory in the primary Region. Create a Route 53 multivalue answer routing policy.
Create a connection alias in the primary Region. Associate the connection alias with a directory in the primary Region. Create a Route 53 weighted routing policy.
Create a connection alias in the primary Region. Associate the connection alias with a directory in the failover Region. Create a Route 53 failover routing policy. Set Evaluate Target Health to Yes.
A company hosts an application that uses several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). During the initial startup of the EC2 instances, the EC2 instances run user data scripts to download critical content for the application from an Amazon S3 bucket.
The EC2 instances are launching correctly. However, after a period of time, the EC2 instances are terminated with the following error message: 'An instance was taken out of service in response to an ELB system health check failure.' EC2 instances continue to launch and be terminated because of Auto Scaling events in an endless loop.
The only recent change to the deployment is that the company added a large amount of critical content to the S3 bucket. The company does not want to alter the user data scripts in production.
What should a solutions architect do so that the production environment can deploy successfully?
Increase the size of the EC2 instances.
Increase the health check timeout for the ALB.
Change the health check path for the ALB.
Increase the health check grace period for the Auto Scaling group.
A solutions architect is importing a VM from an on-premises environment by using the Amazon EC2 VM Import feature of AWS Import/Export. The solutions architect has created an AMI and has provisioned an Amazon EC2 instance that is based on that AMI. The EC2 instance runs inside a public subnet in a VPC and has a public IP address assigned.
The EC2 instance does not appear as a managed instance in the AWS Systems Manager console.
Which combination of steps should the solutions architect take to troubleshoot this issue? (Select TWO)
Verify that Systems Manager Agent is installed on the instance and is running.
Verify that the instance is assigned an appropriate IAM role for Systems Manager.
Verify the existence of a VPC endpoint on the VPC.
Verify that the AWS Application Discovery Agent is configured.
Verify the correct configuration of service-linked roles for Systems Manager.
A company requires that all internal application connectivity use private IP addresses. To facilitate this policy, a solutions architect has created interface endpoints to connect to AWS public services. Upon testing, the solutions architect notices that the service names are resolving to public IP addresses, and that internal services cannot connect to the interface endpoints.
Which step should the solutions architect take to resolve this issue?
Update the subnet route table with a route to the interface endpoint.
Enable the private DNS option on the VPC attributes.
Configure the security group on the interface endpoint to allow connectivity to the AWS services.
Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.