Amazon (SAP-C01) Exam Questions And Answers page 41
An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices.
Which of the below-mentioned practices will not help the organization achieve a better security arrangement?
Create a procedure to revoke the access rights of an individual user when they no longer need to connect to the EC2 instance for application configuration.
Apply the latest patch of OS and always keep it updated.
Disable password-based login for all users. All users should use their own keys to connect to the instance securely.
Implementing cost control strategies
Designing for security and compliance
An organization has set up RDS in a VPC. The organization wants RDS to be accessible from the internet. Which of the below-mentioned configurations is not required in this scenario?
The organization must enable the parameter in the console which makes the RDS instance publicly accessible.
The organization must allow access from the internet in the RDS VPC security group.
The organization must set up RDS with a subnet group which has an external IP.
The organization must enable the VPC attributes DNS hostnames and DNS resolution.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
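The options above are the four conditions that together make an RDS endpoint reachable from the internet: the publicly-accessible flag, an ingress rule from 0.0.0.0/0 on the DB port, a subnet group whose subnets route 0.0.0.0/0 to an internet gateway, and the VPC DNS attributes so the endpoint name resolves to the public IP. The following audit function is an added example, not part of the exam page or any AWS tooling; its inputs are constructed dictionaries that follow the shape of describe-db-instances, describe-security-groups and describe-route-tables responses (the VPC attributes are flattened to plain booleans), so it runs offline with no AWS calls.

```python
"""Added example (not from the exam page): flag an RDS instance that is
reachable from the internet. All input data below is constructed."""
import ipaddress


def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def subnet_is_public(subnet_id, route_tables):
    """Public = default route (0.0.0.0/0) whose target is an internet gateway."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        for r in rt.get("Routes", [])
    )


def sg_open_to_internet(sg, port):
    """True if any ingress rule admits the DB port from 0.0.0.0/0 or ::/0."""
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            return True
    return False


def assess_rds_exposure(db, security_groups, route_tables, vpc_attrs):
    """Evaluate the four conditions the question lists and an overall verdict.
    All four must hold for an internet client to resolve the endpoint to a
    public address and complete a TCP connection to the DB port."""
    port = db["Endpoint"]["Port"]
    sg_ids = [g["VpcSecurityGroupId"] for g in db.get("VpcSecurityGroups", [])]
    subnets = [s["SubnetIdentifier"] for s in db["DBSubnetGroup"]["Subnets"]]
    result = {
        "publicly_accessible": bool(db.get("PubliclyAccessible")),
        "sg_open": any(sg_open_to_internet(security_groups[i], port) for i in sg_ids),
        "subnet_group_has_public_subnet": any(subnet_is_public(s, route_tables) for s in subnets),
        "dns_enabled": bool(vpc_attrs.get("EnableDnsHostnames")) and bool(vpc_attrs.get("EnableDnsSupport")),
    }
    result["internet_reachable"] = all(result.values())
    return result


# Constructed sample: a MySQL instance with everything opened up.
SAMPLE_DB = {
    "DBInstanceIdentifier": "orders-db",
    "PubliclyAccessible": True,
    "Endpoint": {"Address": "orders-db.example.rds.amazonaws.com", "Port": 3306},
    "VpcSecurityGroups": [{"VpcSecurityGroupId": "sg-0123"}],
    "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-pub1"},
                                  {"SubnetIdentifier": "subnet-pub2"}]},
}
SAMPLE_SGS = {"sg-0123": {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}}
SAMPLE_RTS = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]
SAMPLE_VPC_ATTRS = {"EnableDnsHostnames": True, "EnableDnsSupport": True}

if __name__ == "__main__":
    print(assess_rds_exposure(SAMPLE_DB, SAMPLE_SGS, SAMPLE_RTS, SAMPLE_VPC_ATTRS))
```

Run against real account data by feeding the function the corresponding describe-* responses; any instance where `internet_reachable` is true and that was not meant to be public is the finding to act on, and flipping any single one of the four conditions (most cheaply the security group rule) closes the path.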
An organization has two Amazon EC2 instances:
• The first is running an ordering application and an inventory application.
• The second is running a queuing system.
During certain times of the year, several thousand orders are placed per second. Some orders were lost when the queuing system was down. Also, the organization's inventory application has the incorrect quantity of products because some orders were processed twice.
What should be done to ensure that the applications can handle the increasing number of orders?
Put the ordering and inventory applications into their own AWS Lambda functions. Have the ordering application write the messages into an Amazon SQS FIFO queue.
Put the ordering and inventory applications into their own Amazon ECS containers, and create an Auto Scaling group for each application. Then, deploy the message queuing server in multiple Availability Zones.
Put the ordering and inventory applications into their own Amazon EC2 instances, and create an Auto Scaling group for each application. Use Amazon SQS standard queues for the incoming orders, and implement idempotency in the inventory application.
Put the ordering and inventory applications into their own Amazon EC2 instances. Write the incoming orders to an Amazon Kinesis data stream. Configure AWS Lambda to poll the stream and update the inventory application.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
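The double-processing described in the question is the normal at-least-once behaviour of an SQS standard queue, which is why the third option pairs it with idempotency in the consumer. The simulation below is an added example, not code from the exam page; the messages are constructed in the shape SQS returns (MessageId plus Body) and the in-memory dedup table stands in for a durable store such as a DynamoDB table written with a conditional put. It contrasts the naive consumer that reproduces the bug with one keyed on the business identifier.

```python
"""Added example (not from the exam page): why an SQS standard-queue
consumer must be idempotent. All messages below are constructed."""
import json


def naive_inventory(stock, messages):
    """Decrements stock once per delivery. Under at-least-once delivery a
    redelivered or re-sent order is subtracted twice: the bug in the question."""
    stock = dict(stock)
    for msg in messages:
        order = json.loads(msg["Body"])
        stock[order["sku"]] -= order["qty"]
    return stock


class IdempotentInventory:
    """Deduplicates on order_id, not MessageId: a producer retry creates a new
    MessageId for the same order, while SQS redelivery after a visibility
    timeout reuses the old one, so only the business key catches both."""

    def __init__(self, stock):
        self.stock = dict(stock)
        self.applied = {}   # order_id -> outcome; a durable table in production

    def handle(self, msg):
        order = json.loads(msg["Body"])
        key = order["order_id"]
        if key in self.applied:
            return "duplicate"          # delete the message, leave stock alone
        if self.stock.get(order["sku"], 0) < order["qty"]:
            self.applied[key] = "rejected"
            return "rejected"
        # In production claim `key` and decrement stock in one transaction
        # (e.g. DynamoDB TransactWriteItems) so a crash between the two
        # writes cannot leave one side applied without the other.
        self.stock[order["sku"]] -= order["qty"]
        self.applied[key] = "applied"
        return "applied"

    def drain(self, messages):
        return [self.handle(m) for m in messages]


def _msg(message_id, order_id, sku, qty):
    body = {"order_id": order_id, "sku": sku, "qty": qty}
    return {"MessageId": message_id, "Body": json.dumps(body)}


# Constructed delivery stream: A is redelivered by SQS (same MessageId),
# B is re-sent by a retrying producer (new MessageId), C arrives once.
STOCK = {"widget": 10}
DELIVERIES = [
    _msg("m-1", "A", "widget", 2),
    _msg("m-1", "A", "widget", 2),
    _msg("m-2", "B", "widget", 3),
    _msg("m-3", "B", "widget", 3),
    _msg("m-4", "C", "widget", 1),
]

if __name__ == "__main__":
    print("naive:", naive_inventory(STOCK, DELIVERIES))
    inv = IdempotentInventory(STOCK)
    print("idempotent:", inv.drain(DELIVERIES), inv.stock)
```

A FIFO queue (the first option) deduplicates on MessageDeduplicationId only within its five-minute window, which covers the producer-retry case but not a consumer that crashes after updating stock and before deleting the message; the consumer-side check is needed either way.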
An organization hosts an app on EC2 instances which multiple developers need access to in order to perform updates.
The organization plans to implement some security best practices related to instance access.
Which one of the following recommendations will not help improve its security in this way?
Disable password-based login for all users. All users should use their own keys to connect to the instance securely.
Create an IAM policy allowing only IAM users to connect to the EC2 instances with their own SSH key.
Create a procedure to revoke the access rights of an individual user when they no longer need to connect to the EC2 instance for application configuration.
Apply the latest patch of OS and always keep it updated.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
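Two of the practices that do improve instance access security in this question and in the first question on this page (key-only SSH, and revoking a user's access when no longer needed) come down to editing sshd_config and authorized_keys correctly. The following is an added example, not code from the exam page: it rewrites a configuration so that the hardened directives take effect (sshd honours the first value it sees for a keyword, so they are placed at the top and conflicting global copies are commented out), leaves Match blocks for manual review, and removes one user's key by its comment. The sample files are constructed.

```python
"""Added example (not from the exam page): enforce key-only SSH access and
revoke one user's key. Operates on configuration text so it runs offline."""
import re

# Directives wanted in the global section.
HARDENED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",   # older name of KbdInteractiveAuthentication
    "KbdInteractiveAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "PermitRootLogin": "no",
    "PubkeyAuthentication": "yes",
}
DIRECTIVE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s+(?P<val>.+?)\s*$")


def harden_sshd_config(text):
    """Return the rewritten sshd_config. Lines inside Match blocks are left
    untouched: they apply conditionally and need a human decision."""
    out = [f"{k} {v}" for k, v in HARDENED.items()]
    in_match = False
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group("key").lower() == "match":
            in_match = True
        if m and not in_match:
            key = m.group("key").lower()
            wanted = next((v for k, v in HARDENED.items() if k.lower() == key), None)
            if wanted is not None and m.group("val").lower() != wanted:
                out.append("# disabled by hardening: " + line.strip())
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def effective_directives(text):
    """First-wins view of the global section, the way sshd reads it."""
    seen = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            break
        seen.setdefault(key, m.group("val").lower())
    return seen


def revoke_key(authorized_keys, comment):
    """Drop every key whose trailing comment equals `comment` (the user's
    e-mail or key id); return (new_text, removed_count)."""
    kept, removed = [], 0
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[-1] == comment:
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + ("\n" if kept else ""), removed


# Constructed samples.
SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialAlice alice@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialBob bob@example.com
"""

if __name__ == "__main__":
    hardened = harden_sshd_config(SAMPLE_SSHD_CONFIG)
    print(hardened)
    print(effective_directives(hardened))
    print(revoke_key(SAMPLE_AUTHORIZED_KEYS, "bob@example.com"))
```

Validate the rewritten file with `sshd -t -f <file>` before reloading the daemon, and note that the Match block in the sample still re-enables passwords for one user; the rewrite deliberately reports rather than silently changes that.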
An organization is creating a VPC for their application hosting. The organization has created two private subnets in the same AZ and created one subnet in a separate zone.
The organization wants to build an HA system with an internal ELB.
Which of these statements is true with respect to an internal ELB in this scenario?
ELB can support only one subnet in each availability zone.
ELB does not allow subnet selection; instead it will automatically select all the available subnets of the VPC.
If the user is creating an internal ELB, he should use only private subnets.
ELB can support all the subnets irrespective of their zones.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
An organization has an application which can start and stop an EC2 instance on a schedule. The organization needs the MAC address of the instance to be registered with its software. The instance is launched in EC2-Classic.
How can the organization update the MAC registration every time an instance is booted?
The organization should write a bootstrapping script which gets the MAC address from the instance metadata and uses it to register with the application.
The organization should provide a MAC address as a part of the user data. Thus, whenever the instance is booted the script assigns the fixed MAC address to that instance.
The instance MAC address never changes. Thus, it is not required to register the MAC address every time.
AWS never provides a MAC address to an instance; instead the instance ID is used for identifying the instance for any software registration.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
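The first option describes reading the MAC from instance metadata at each boot. The script below is an added example, not code from the exam page: it fetches `/latest/meta-data/mac` using IMDSv2 (a PUT for a session token, then a GET carrying it), which is the form that still works when the instance is launched with `HttpTokens=required`, and passes the value to a registration callback. `register` is a placeholder for the organization's own software, the HTTP transport is injectable so the flow can be exercised off-instance, and the FakeIMDS class is a constructed stand-in that refuses the token-less IMDSv1 request.

```python
"""Added example (not from the exam page): boot-time MAC registration via
IMDSv2. The fake metadata service and the MAC value are constructed."""
import re
import urllib.request

IMDS_BASE = "http://169.254.169.254/latest"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def imds_http(method, path, headers):
    """Default transport: one request to the link-local metadata service."""
    req = urllib.request.Request(IMDS_BASE + path, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode("ascii")


def get_primary_mac(http=imds_http, token_ttl=60):
    """IMDSv2: obtain a short-lived token, then read the primary interface's
    MAC with it. Validates the shape so garbage can never reach the registry."""
    token = http("PUT", "/api/token",
                 {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    mac = http("GET", "/meta-data/mac",
               {"X-aws-ec2-metadata-token": token}).strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"unexpected MAC from metadata: {mac!r}")
    return mac


def register_on_boot(register, http=imds_http):
    """Run from user data or a systemd unit at every boot so the registration
    follows whatever MAC the instance has this time. `register` is the
    organization's own hook (placeholder here)."""
    mac = get_primary_mac(http)
    register(mac)
    return mac


class FakeIMDS:
    """Constructed stand-in enforcing IMDSv2 semantics for offline runs."""

    def __init__(self, mac):
        self.mac, self.token = mac, "tok-constructed"

    def __call__(self, method, path, headers):
        if method == "PUT" and path == "/api/token":
            return self.token
        if method == "GET" and path == "/meta-data/mac":
            if headers.get("X-aws-ec2-metadata-token") != self.token:
                raise PermissionError("401: token-less IMDSv1 request refused")
            return self.mac + "\n"
        raise FileNotFoundError(path)


if __name__ == "__main__":
    seen = []
    print(register_on_boot(seen.append, http=FakeIMDS("0a:1b:2c:3d:4e:5f")), seen)
```

Two caveats for anyone meeting this question today: EC2-Classic was retired in 2023, and in a VPC the primary network interface, and with it the MAC, persists across stop/start, so the re-registration is only needed when the instance (not just the OS) is replaced; the metadata path is the same in both cases.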
An organization has a VPC for the HR department and another VPC for the Admin department. The HR department requires access to all the instances running in the Admin VPC, while the Admin department requires access to all the resources in the HR department.
How can the organization setup this scenario?
Set up VPC peering between the Admin and HR VPCs.
Set up an ACL in both VPCs which will allow traffic from the CIDR of the other VPC.
Set up a security group in each VPC which allows traffic from the CIDR of the other VPC.
It is not possible to connect resources of one VPC from another VPC.
Designing enterprise-wide scalable operations on AWS
Designing for security and compliance
An organization is hosting a scalable web application using AWS. The organization has configured ELB and Auto Scaling to make the application scalable.
Which of the below-mentioned statements is not required to be followed for the ELB when the organization hosts the web application in a VPC?
The ELB and all the instances should be in the same subnet.
Configure the security group rules and network ACLs to allow traffic to be routed between the subnets in the VPC.
The internet facing ELB should have a route table associated with the internet gateway.
The internet facing ELB should be only in a public subnet.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
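Both ELB questions on this page (the internal ELB with two private subnets in one AZ, and the internet-facing ELB that must sit in public subnets with a route to the internet gateway) reduce to a subnet-selection rule set: at least two AZs for HA, never more than one subnet per AZ, public subnets for an internet-facing load balancer and private ones for an internal one. The checker below is an added example rather than code from the exam page or an AWS API; the subnet records are constructed, and the `has_igw_route` field is assumed to have been derived from each subnet's route table beforehand. The one-subnet-per-AZ rule is what AWS itself enforces; the private-only rule for internal load balancers is the page's recommendation applied as a local guardrail.

```python
"""Added example (not from the exam page): validate the subnets chosen for
a load balancer. Subnet records are constructed."""
from collections import defaultdict


class SubnetSelectionError(ValueError):
    """Raised with a human-readable reason when the selection is invalid."""


def choose_elb_subnets(scheme, candidates, subnets):
    """Return the sorted subnet ids to register, or raise SubnetSelectionError.

    scheme:     'internet-facing' or 'internal'
    candidates: subnet ids the operator proposes
    subnets:    id -> {'az': ..., 'has_igw_route': bool} (assumed precomputed)
    """
    if scheme not in ("internet-facing", "internal"):
        raise SubnetSelectionError(f"unknown scheme {scheme!r}")
    want_public = scheme == "internet-facing"
    need = "public" if want_public else "private"

    by_az = defaultdict(list)
    for sid in candidates:
        s = subnets[sid]
        kind = "public" if s["has_igw_route"] else "private"
        if kind != need:
            raise SubnetSelectionError(f"{sid} is {kind}; {scheme} ELB needs {need} subnets")
        by_az[s["az"]].append(sid)

    # AWS accepts at most one subnet per Availability Zone per load balancer.
    dup = {az: ids for az, ids in by_az.items() if len(ids) > 1}
    if dup:
        raise SubnetSelectionError(f"more than one subnet per AZ: {dup}")
    if len(by_az) < 2:
        raise SubnetSelectionError("HA needs subnets in at least two AZs")
    return sorted(sid for ids in by_az.values() for sid in ids)


# Constructed VPC: two private subnets in us-east-1a (the question's layout),
# one private subnet in us-east-1b, and a public subnet in each AZ.
SUBNETS = {
    "subnet-a": {"az": "us-east-1a", "has_igw_route": False},
    "subnet-b": {"az": "us-east-1a", "has_igw_route": False},
    "subnet-c": {"az": "us-east-1b", "has_igw_route": False},
    "subnet-d": {"az": "us-east-1a", "has_igw_route": True},
    "subnet-e": {"az": "us-east-1b", "has_igw_route": True},
}

if __name__ == "__main__":
    for scheme, pick in [("internal", ["subnet-a", "subnet-b", "subnet-c"]),
                         ("internal", ["subnet-a", "subnet-c"]),
                         ("internet-facing", ["subnet-d", "subnet-e"]),
                         ("internet-facing", ["subnet-a", "subnet-e"])]:
        try:
            print(scheme, pick, "->", choose_elb_subnets(scheme, pick, SUBNETS))
        except SubnetSelectionError as exc:
            print(scheme, pick, "-> rejected:", exc)
```

For the layout in the internal-ELB question the only valid internal selection is one of the two us-east-1a private subnets plus the us-east-1b subnet; adding the second us-east-1a subnet is what the checker, like AWS, refuses.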
An organization is making software for the CIA in the USA. The CIA agreed to host the application on AWS but in a secure environment. The organization is thinking of hosting the application in the AWS GovCloud region. Which of the below-mentioned differences is not correct when the organization hosts on AWS GovCloud in comparison with a standard AWS region?
The billing for AWS GovCloud will be in a different account than the standard AWS account.
GovCloud region authentication is isolated from Amazon.com.
Physical and logical administrative access only to U.S. persons.
It is physically isolated and has logical network isolation from all the other regions.
Migrating complex, multi-tier applications on AWS
Designing for security and compliance
An organization is planning to create a secure, scalable application with AWS VPC and ELB. The organization has two instances already running, and each instance has an additional ENI attached in addition to its primary network interface. The primary network interface and the additional ENI each have an elastic IP attached.
If those instances are registered with ELB and the organization wants ELB to send data to a particular EIP of the instance, how can they achieve this?
The organization should ensure that the IP which is required to receive the ELB traffic is attached to a primary network interface.
It is not possible to attach an instance with two ENIs with ELB as it will give an IP conflict error.
The organization should ensure that the IP which is required to receive the ELB traffic is attached to an additional ENI.
It is not possible to send data to a particular IP as ELB will send to any one EIP.
Designing enterprise-wide scalable operations on AWS
Designing for security and compliance