Amazon (SAP-C01) Exam Questions And Answers page 14
A company is launching a new web application on Amazon EC2 instances. Development and production workloads exist in separate AWS accounts.
According to the company s security requirements, only automated configuration tools are allowed to access the production account. The company s security team wants to receive immediate notification if any manual access to the production AWS account or EC2 instances occurs.
Which combination of actions should a solutions architect take in the production account to meet these requirements? (Choose three.)
According to the company s security requirements, only automated configuration tools are allowed to access the production account. The company s security team wants to receive immediate notification if any manual access to the production AWS account or EC2 instances occurs.
Which combination of actions should a solutions architect take in the production account to meet these requirements? (Choose three.)
Configure Amazon Simple Email Service (Amazon SES) to send email to the security team when an alarm is activated.
Deploy EC2 instances in an Auto Scaling group. Configure the launch template to deploy instances without key pairs. Configure Amazon CloudWatch Logs to capture system access logs. Create an Amazon CloudWatch alarm that is based on the logs to detect when a user logs in to an EC2 instance.
Configure an Amazon Simple Notification Service (Amazon SNS) topic to send a message to the security team when an alarm is activated.
Turn on AWS CloudTrail logs for all AWS Regions. Configure Amazon CloudWatch alarms to provide an alert when an AwsConsoleSignin event is detected.
Deploy EC2 instances in an Auto Scaling group. Configure the launch template to delete the key pair after launch. Configure Amazon CloudWatch Logs for the system access logs. Create an Amazon CloudWatch dashboard to show user logins over time.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
A company is launching a new web application on Amazon EC2 instances. Development and production workloads exist in separate AWS accounts.
According to the company s security requirements, only automated configuration tools are allowed to access the production account. The company s security team wants to receive immediate notification if any manual access to the production AWS account or EC2 instances occurs.
Which combination of actions should a solutions architect take in the production account to meet these requirements? (Choose three.)
According to the company s security requirements, only automated configuration tools are allowed to access the production account. The company s security team wants to receive immediate notification if any manual access to the production AWS account or EC2 instances occurs.
Which combination of actions should a solutions architect take in the production account to meet these requirements? (Choose three.)
Turn on AWS CloudTrail logs in the application s primary AWS Region. Use Amazon Athena to query the logs for AwsConsoleSignIn events.
Configure Amazon Simple Email Service (Amazon SES) to send email to the security team when an alarm is activated.
Deploy EC2 instances in an Auto Scaling group. Configure the launch template to deploy instances without key pairs. Configure Amazon CloudWatch Logs to capture system access logs. Create an Amazon CloudWatch alarm that is based on the logs to detect when a user logs in to an EC2 instance.
Configure an Amazon Simple Notification Service (Amazon SNS) topic to send a message to the security team when an alarm is activated.
Turn on AWS CloudTrail logs for all AWS Regions. Configure Amazon CloudWatch alarms to provide an alert when an AwsConsoleSignIn event is detected.
Deploy EC2 instances in an Auto Scaling group. Configure the launch template to delete the key pair after launch. Configure Amazon CloudWatch Logs for the system access logs. Create an Amazon CloudWatch dashboard to show user logins over time.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
A company is launching a web-based application in multiple regions around the world. The application consists of both static content stored in a private Amazon S3 bucket and dynamic content hosted in Amazon ECS containers content behind an Application Load Balancer (ALB). The company requires that the static and dynamic application content be accessible through Amazon CloudFront only.
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront? (Choose three.)
Which combination of steps should a solutions architect recommend to restrict direct content access to CloudFront? (Choose three.)
Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the ALB.
Create a web ACL in AWS WAF with a rule to validate the presence of a custom header and associate the web ACL with the CloudFront distribution.
Configure CloudFront to add a custom header to origin requests.
Configure the ALB to add a custom header to HTTP requests.
Update the S3 bucket ACL to allow access from the CloudFront distribution only.
Create a CloudFront Origin Access Identity (OAI) and add it to the CloudFront distribution. Update the S3 bucket policy to allow access to the OAI only.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing enterprise-wide scalable operations on AWS
A company is manually deploying its application to production and wants to move to a more mature deployment pattern. The company has asked a solutions architect to design a solution that leverages its current Chef tools and knowledge. The application must be deployed to a staging environment for testing and verification before being deployed to production. Any new deployment must be rolled back in 5 minutes if errors are discovered after a deployment.
Which AWS service and deployment pattern should the solutions architect use to meet these requirements?
Which AWS service and deployment pattern should the solutions architect use to meet these requirements?
Use AWS OpsWorks and deploy the application using a blue/green deployment strategy.
Use AWS Elastic Beanstalk and deploy the application using a rolling update deployment strategy.
Use AWS CodePipeline and deploy the application using a rolling update deployment strategy.
Use AWS CodeBuild and deploy the application using a canary deployment strategy.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing enterprise-wide scalable operations on AWS
How to Migrate Legacy Apps to AWS with Minimal Downtime?
Multiple Choice
A company is migrating a legacy application from an on-premises data center to AWS. The application consists of a single application server and a Microsoft SQL Server database server. Each server is deployed on a VMware VM that consumes 500 TB of data across multiple attached volumes.
The company has established a 10 Gbps AWS Direct Connect connection from the closest AWS Region to its on-premises data center. The Direct Connect connection is not currently in use by other services.
Which combination of steps should a solutions architect take to migrate the application with the LEAST amount of downtime? (Choose two.)
The company has established a 10 Gbps AWS Direct Connect connection from the closest AWS Region to its on-premises data center. The Direct Connect connection is not currently in use by other services.
Which combination of steps should a solutions architect take to migrate the application with the LEAST amount of downtime? (Choose two.)
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the database server VM to AWS.
Use VM Import/Export to import the application server VM.
Export the VM images to an AWS Snowball Edge Storage Optimized device.
Use an AWS Server Migration Service (AWS SMS) replication job to migrate the application server VM to AWS.
Use an AWS Database Migration Service (AWS DMS) replication instance to migrate the database to an Amazon RDS DB instance.
Migrating complex, multi-tier applications on AWS
Designing enterprise-wide scalable operations on AWS
A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large, important documents within the application with the following requirements:
• The data must be highly durable and available.
• The data must always be encrypted at rest and in transit.
• The encryption key must be managed by the company and rotated periodically.
Which of the following solutions should the Solutions Architect recommend?
• The data must be highly durable and available.
• The data must always be encrypted at rest and in transit.
• The encryption key must be managed by the company and rotated periodically.
Which of the following solutions should the Solutions Architect recommend?
Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
Designing enterprise-wide scalable operations on AWS
Designing for security and compliance
A company is migrating an application to the AWS Cloud. The application runs in an on-premises data center and writes thousands of images into a mounted NFS file system each night. After the company migrates the application, the company will host the application on an Amazon EC2 instance with a mounted Amazon Elastic File System (Amazon EFS) file system.
The company has established an AWS Direct Connect connection to AWS. Before the migration cutover, a solutions architect must build a process that will replicate the newly created on-premises images to the EFS file system.
What is the MOST operationally efficient way to replicate the images?
The company has established an AWS Direct Connect connection to AWS. Before the migration cutover, a solutions architect must build a process that will replicate the newly created on-premises images to the EFS file system.
What is the MOST operationally efficient way to replicate the images?
Configure a periodic process to run the aws s3 sync command from the on-premises file system to Amazon S3. Configure an AWS Lambda function to process event notifications from Amazon S3 and copy the images from Amazon S3 to the EFS file system.
Deploy an AWS Storage Gateway file gateway with an NFS mount point. Mount the file gateway file system on the on-premises server. Configure a process to periodically copy the images to the mount point.
Deploy an AWS DataSync agent to an on-premises server that has access to the NFS file system. Send data over the Direct Connect connection to an S3 bucket by using public VIF. Configure an AWS Lambda function to process event notifications from Amazon S3 and copy the images from Amazon S3 to the EFS file system.
Deploy an AWS DataSync agent to an on-premises server that has access to the NFS file system. Send data over the Direct Connect connection to an AWS PrivateLink interface VPC endpoint for Amazon EFS by using a private VIF. Configure a DataSync scheduled task to send the images to the EFS file system every 24 hours.
Designing enterprise-wide scalable operations on AWS
Designing for security and compliance
A company is migrating applications from on premises to the AWS Cloud. These applications power the company s internal web forms. These web forms collect data for specific events several times each quarter. The web forms use simple SQL statements to save the data to a local relational database.
Data collection occurs for each event, and the on-premises servers are idle most of the time. The company needs to minimize the amount of idle infrastructure that supports the web forms.
Which solution will meet these requirements?
Data collection occurs for each event, and the on-premises servers are idle most of the time. The company needs to minimize the amount of idle infrastructure that supports the web forms.
Which solution will meet these requirements?
Use Amazon EC2 Image Builder to create AMIs for the legacy servers. Use the AMIs to provision EC2 instances to recreate the applications in the AWS Cloud. Place an Application Load Balancer (ALB) in front of the EC2 instances. Use Amazon Route 53 to point the DNS names of the web forms to the ALB.
Create one Amazon DynamoDB table to store data for all the data input. Use the application form name as the table key to distinguish data items. Create an Amazon Kinesis data stream to receive the data input and store the input in DynamoDB. Use Amazon Route 53 to point the DNS names of the web forms to the Kinesis data stream s endpoint.
Create Docker images for each server of the legacy web form applications. Create an Amazon Elastic Container Service (Amazon EC2) cluster on AWS Fargate. Place an Application Load Balancer in front of the ECS cluster. Use Fargate task storage to store the web form data.
Provision an Amazon Aurora Serverless cluster. Build multiple schemas for each web form s data storage. Use Amazon API Gateway and an AWS Lambda function to recreate the data input forms. Use Amazon Route 53 to point the DNS names of the web forms to their corresponding API Gateway endpoint.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing enterprise-wide scalable operations on AWS
A company is migrating a subset of its application APIs from Amazon EC2 instances to run on a serverless infrastructure. The company has set up Amazon API Gateway, AWS Lambda, and Amazon DynamoDB for the new application. The primary responsibility of the Lambda function is to obtain data from a third-party Software as a Service (SaaS) provider. For consistency, the Lambda function is attached to the same virtual private cloud (VPC) as the original EC2 instances.
Test users report an inability to use this newly moved functionality, and the company is receiving 5xx errors from API Gateway. Monitoring reports from the SaaS provider shows that the requests never made it to its systems. The company notices that Amazon CloudWatch Logs are being generated by the Lambda functions. When the same functionality is tested against the EC2 systems, it works as expected.
What is causing the issue?
Test users report an inability to use this newly moved functionality, and the company is receiving 5xx errors from API Gateway. Monitoring reports from the SaaS provider shows that the requests never made it to its systems. The company notices that Amazon CloudWatch Logs are being generated by the Lambda functions. When the same functionality is tested against the EC2 systems, it works as expected.
What is causing the issue?
Lambda is in a subnet that does not have a NAT gateway attached to it to connect to the SaaS provider.
The end-user application is misconfigured to continue using the endpoint backed by EC2 instances.
The throttle limit set on API Gateway is too low and the requests are not making their way through.
API Gateway does not have the necessary permissions to invoke Lambda.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Implementing cost control strategies
A company is migrating its applications to AWS. The applications will be deployed to AWS accounts owned by business units. The company has several teams of developers who are responsible for the development and maintenance of all applications. The company is expecting rapid growth in the number of users.
The company's chief technology officer has the following requirements:
• Developers must launch the AWS infrastructure using AWS CloudFormation.
• Developers must not be able to create resources outside of CloudFormation.
• The solution must be able to scale to hundreds of AWS accounts.
Which of the following would meet these requirements? (Choose two.)
The company's chief technology officer has the following requirements:
• Developers must launch the AWS infrastructure using AWS CloudFormation.
• Developers must not be able to create resources outside of CloudFormation.
• The solution must be able to scale to hundreds of AWS accounts.
Which of the following would meet these requirements? (Choose two.)
Using CloudFormation, create an IAM role that can be assumed by CloudFormation that has permissions to create all the resources the company needs. Use CloudFormation StackSets to deploy this template to each AWS account.
In a central account, create an IAM role that can be assumed by developers, and attach a policy that allows interaction with CloudFormation. Modify the AssumeRolePolicyDocument action to allow the IAM role to be passed to CloudFormation.
Using CloudFormation, create an IAM role that can be assumed by developers, and attach policies that allow interaction with and passing a role to CloudFormation. Attach an inline policy to deny access to all other AWS services. Use CloudFormation StackSets to deploy this template to each AWS account.
Using CloudFormation, create an IAM role for each developer, and attach policies that allow interaction with CloudFormation. Use CloudFormation StackSets to deploy this template to each AWS account.
In a central AWS account, create an IAM role that can be assumed by CloudFormation that has permissions to create the resources the company requires. Create a CloudFormation stack policy that allows the IAM role to manage resources. Use CloudFormation StackSets to deploy the CloudFormation stack policy to each AWS account.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing enterprise-wide scalable operations on AWS
Comments