Amazon (SAP-C01) Exam Questions And Answers page 58
Does Amazon RDS API provide actions to modify DB instances inside a VPC and associate them with DB Security Groups?
No
Yes, Amazon does this but only for Oracle RDS.
Yes, Amazon does this but only for MySQL RDS.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
Does an AWS Direct Connect location provide access to Amazon Web Services in the region it is associated with as well as access to other US regions?
No, it provides access only to the region it is associated with.
No, it provides access only to the US regions other than the region it is associated with.
Yes, it provides access.
Yes, it provides access but only when there's just one Availability Zone in the region.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing enterprise-wide scalable operations on AWS
Does Autoscaling automatically assign tags to resources?
No, not unless they are configured via API.
Yes, it does.
Yes, by default.
No, it does not.
Implementing cost control strategies
Designing for security and compliance
Doug has created a VPC with CIDR 10.201.0.0/16 in his AWS account. In this VPC he has created a public subnet with CIDR block 10.201.31.0/24.
While launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance.
Which is the most likely reason for this issue?
While launching a new EC2 from the console, he is not able to assign the private IP address 10.201.31.6 to this instance.
Which is the most likely reason for this issue?
Private address IP 10.201.31.6 is currently assigned to another interface
Private IP address 10.201.31.6 is reserved by Amazon for IP networking purposes.
Private IP address 10.201.31.6 is blocked via ACLs in Amazon infrastructure as a part of platform security.
Private IP address 10.201.31.6 is not part of the associated subnet's IP address range.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Do you need to use Amazon Cognito to use the Amazon Mobile Analytics service?
Yes. You need to use it only if you have IAM root access.
No. However, it is recommend by AWS to use Amazon Cognito for security best practices.
No. You cannot use it at all, and you need to use AWS IAM accounts.
Yes. It is recommended by AWS to use Amazon Cognito to use Amazon Mobile Analytics service.
Implementing cost control strategies
During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability.
Which solution will ensure that the credentials are appropriately secured automatically?
Which solution will ensure that the credentials are appropriately secured automatically?
Run a script nightly using AWS Systems Manager Run Command to search for credentials on the development instances. If found, use AWS Secrets Manager to rotate the credentials.
Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit. If credentials are found, generate new credentials and store them in AWS KMS.
Configure Amazon Macie to scan for credentials in CodeCommit repositories. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credentials. If credentials are found, disable them in AWS IAM and notify the user.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
How Can a Solutions Architect Secure AWS Lambda Credentials?
Multiple Choice
During a security audit of a Service team s application, a Solutions Architect discovers that a username and password for an Amazon RDS database and a set of AWS IAM user credentials can be viewed in the AWS Lambda function code. The Lambda function uses the username and password to run queries on the database, and it uses the IAM credentials to call AWS services in a separate management account.
The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code. The management account and the Service team s account are in separate AWS Organizations organizational units (OUs).
Which combination of changes should the Solutions Architect make to improve the solution s security? (Choose two.)
The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code. The management account and the Service team s account are in separate AWS Organizations organizational units (OUs).
Which combination of changes should the Solutions Architect make to improve the solution s security? (Choose two.)
Configure Lambda to assume a role in the management account with appropriate access to AWS.
Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.
Use an SCP on the management account s OU to prevent IAM users from accessing resources in the Service team s account.
Enable AWS Shield Advanced on the management account to shield sensitive resources from unauthorized IAM access.
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
DynamoDB uses only as a transport protocol, not as a storage format.
WDDX
XML
SGML
JSON
Designing highly available, cost-efficient, fault-tolerant, scalable systems
For Amazon EC2 issues, while troubleshooting AWS CloudFormation, you need to view the cloud-init and cfn logs for more information. Identify a directory to which these logs are published.
/var/opt/log/ec2
/var/log/lastlog
/var/log/
/var/log/ec2
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Designing for security and compliance
For AWS CloudFormation, which stack state refuses UpdateStack calls?
UPDATE_COMPLETE
CREATE_COMPLETE
UPDATE_ROLLBACK_FAILED
UPDATE_ROLLBACK_COMPLETE
Designing highly available, cost-efficient, fault-tolerant, scalable systems
Comments