Amazon (SAP-C01) Exam Questions And Answers page 19

A company is using Amazon Aurora MySQL for a customer relationship management (CRM) application. The application requires frequent maintenance on the database and the Amazon EC2 instances on which the application runs. For AWS Management Console access, the system administrators authenticate against AWS Identity and Access Management (IAM) using an internal identity provider. For database access, each system administrator has a user name and password that have previously been configured within the database.

A recent security audit revealed that the database passwords are not frequently rotated. The company wants to replace the passwords with temporary credentials using the company's existing AWS access controls.

Which set of options will meet the company's requirements?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Designing for security and compliance
A company is using an Amazon CloudFront distribution to distribute both static and dynamic content from a web application running behind an Application Load Balancer. The web application requires user authorization and session tracking for dynamic content. The CloudFront distribution has a single cache behavior configured to forward the Authorization, Host, and User-Agent HTTP whitelist headers and a session cookie to the origin. All other cache behavior settings are set to their default value.

A valid ACM certificate is applied to the CloudFront distribution with a matching CNAME in the distribution settings. The ACM certificate is also applied to the HTTPS listener for the Application Load Balancer. The CloudFront origin protocol policy is set to HTTPS only. Analysis of the cache statistics report shows that the miss rate for this distribution is very high.

What can the Solutions Architect do to improve the cache hit rate for this distribution without causing the SSL/TLS handshake between CloudFront and the Application Load Balancer to fail?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Designing enterprise-wide scalable operations on AWS
A company is using an Amazon EMR cluster to run its big data jobs. The cluster's jobs are invoked by AWS Step Functions Express Workflows that consume various Amazon Simple Queue Service (Amazon SQS) queues. The workload of this solution is variable and unpredictable. Amazon CloudWatch metrics show that the cluster's peak utilization is only 25% at times and that the cluster sits idle the rest of the time.

A solutions architect must optimize the costs of the cluster without negatively impacting the time it takes to run the various jobs.

What is the MOST cost-effective solution that meets these requirements?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Implementing cost control strategies
A company is using an existing orchestration tool to manage thousands of Amazon EC2 instances. A recent penetration test found a vulnerability in the company's software stack. This vulnerability has prompted the company to perform a full evaluation of its current production environment. The analysis determined that the following vulnerabilities exist within the environment:

• Operating systems with outdated libraries and known vulnerabilities are being used in production.
• Relational databases hosted and managed by the company are running unsupported versions with known vulnerabilities.
• Data stored in databases is not encrypted.

The solutions architect intends to use AWS Config to continuously audit and assess the compliance of the company's AWS resource configurations with the company's policies and guidelines.

What additional steps will enable the company to secure its environments and track resources while adhering to best practices?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Designing for security and compliance
A company is using an on-premises Active Directory service for user authentication. The company wants to use the same authentication service to sign in to the company's AWS accounts, which are using AWS Organizations. AWS Site-to-Site VPN connectivity already exists between the on-premises environment and all the company's AWS accounts.

The company's security policy requires conditional access to the accounts based on user groups and roles. User identities must be managed in a single location.

Which solution will meet these requirements?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Designing for security and compliance
A company is using AWS CloudFormation as its deployment tool for all applications. It stages all application binaries and templates within an Amazon S3 bucket with versioning enabled. Developers have access to an Amazon EC2 instance that hosts the integrated development environment (IDE). The developers download the application binaries from Amazon S3 to the EC2 instance, make changes, and upload the binaries to an S3 bucket after running the unit tests locally. The developers want to improve the existing deployment mechanism and implement CI/CD using AWS CodePipeline.

The developers have the following requirements:

• Use AWS CodeCommit for source control.
• Automate unit testing and security scanning.
• Alert the developers when unit tests fail.
• Turn application features on and off, and customize deployment dynamically as part of CI/CD.
• Have the lead developer provide approval before deploying an application.

Which solution will meet these requirements?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Implementing cost control strategies
A company is using AWS CloudFormation to deploy its infrastructure. The company is concerned that, if a production CloudFormation stack is deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted.

How can the company prevent users from accidentally deleting data in this way?
Designing enterprise-wide scalable operations on AWS | Designing for security and compliance
A company is using AWS CodePipeline for the CI/CD of an application to an Amazon EC2 Auto Scaling group. All AWS resources are defined in AWS CloudFormation templates. The application artifacts are stored in an Amazon S3 bucket and deployed to the Auto Scaling group using instance user data scripts. As the application has become more complex, recent resource changes in the CloudFormation templates have caused unplanned downtime.

How should a solutions architect improve the CI/CD pipeline to reduce the likelihood that changes in the templates will cause downtime?
Designing highly available, cost-efficient, fault-tolerant, scalable systems | Designing enterprise-wide scalable operations on AWS
A company is using AWS for production and development workloads. Each business unit has its own AWS account for production, and a separate AWS account to develop and deploy its applications. The Information Security department has introduced new security policies that limit access for terminating certain Amazon EC2 instances in all accounts to a small group of individuals from the Security team.

How can the Solutions Architect meet these requirements?
Designing for security and compliance