Free Amazon SAP-C02 Exam Questions

Question 1

A solutions architect uses AWS Organizations to manage several AWS accounts for a company. The full

Organizations feature set is activated for the organization. All production AWS accounts exist under an OU

that is named "production ‘’ Systems operators have full administrative privileges within these accounts by

using IAM roles.

The company wants to ensure that security groups in all production accounts do not allow inbound traffic for

TCP port 22. All noncompliant security groups must be remediated immediately, and no new rules that allow

port 22 can be created.

Winch solution will meet these requirements?

A : Write an SCP that denies the CreateSecurityGroup action with a condition o( ec2:tngress rule with value22. Apply the SCP to the 'production' OU.

B : Configure an AWS CloudTrail trail for all accounts Send CloudTrail logs to an Amazon S3 bucket Inthe Organizations management account. Configure an AWS Lambda function on the managementaccount with permissions to assume a role in all production accounts to describe and modify securitygroups. Configure Amazon S3 to invoke the Lambda function on every PutObject event on the S3bucket Configure the Lambda function to analyze each CloudTrail event for noncompliant securitygroup actions and to automatically remediate any issues.

C : Create an Amazon EvertBridge (Amazon CloudWatch Events) event bus in the Organizationsmanagement account. Create an AWS Cloud Formation template to deploy configurations that sendCreateSecurityGroup events to the even! bus from an production accounts Configure an AWS Lambdafunction in the management account with permissions to assume a role «i all production accounts todescribe and modify security groups. Configure the event bus to invoke the Lambda function Configurethe Lambda function to analyse each event for noncompliant security group actions and to automaticallyremediate any issues.

D : Create an AWS CloudFormation template to turn on AWS Config Activate theINCOMING_SSH_DISABLED AWS Config managed rule Deploy an AWS Lambda function that willrun based on AWS Config findings and will remediate noncompliant resources Deploy theCloudFormation template by using a StackSet that is assigned to the "production" OU. Apply an SCP tothe OU to deny modification of the resources that the CloudFormation template provisions.

Answer: D

Question 2

A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53. A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests. Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)

A : eate a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with the event message to look up and respond with a redirect URL.

B : eate an Application Load Balancer that includes HTTP and HTTPS listeners.

C : eate an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.

D : an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.

E : Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.

F : Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as SubjectAlternative Names.

Answer: A,C

Question 3

A stocks brokerage firm hosts its legacy application on Amazon EC2 in a private subnet of its Amazon VPC. The application is accessed by the employees from their corporate laptops through a proprietary desktop program. The company network is peered with the AWS Direct Connect (DX) connection to provide a fast and reliable connection to the private EC2 instances inside the VPC. To comply with the strict security requirements of financial institutions, the firm is required to encrypt its network traffic that flows from the employees' laptops to the resources inside the VPC.

Which of the following solution will comply with this requirement while maintaining the consistent network performance of Direct Connect?

A : ing the current Direct Connect connection, create a new private virtual interface and input the network prefixes that you want to advertise. Create a new site-to-site VPN connection to the VPC over the Internet. Configure the employees’ laptops to connect to this VPN.

B : ing the current Direct Connect connection, create a new public virtual interface and input the network prefixes that you want to advertise. Create a new site-to-site VPN connection to the VPC with the BGP protocol using the DX connection. Configure the company network to route employee traffic to this VPN.

C : ing the current Direct Connect connection, create a new public virtual interface and input the network prefixes that you want to advertise. Create a new site-to-site VPN connection to the VPC over the Internet. Configure the employees’ laptops to connect to this VPN.

D : ing the current Direct Connect connection, create a new private virtual interface and input the network prefixes that you want to advertise. Create a new site-to-site VPN connection to the VPC with the BGP protocol using the DX connection. Configure the company network to route employee traffic to this VPN.

Answer: B

Question 4

A company needs to improve the security of its web-based application on AWS. The application uses Amazon CloudFront with two custom origins. The first custom origin routes requests to an Amazon API Gateway HTTP API. The second custom origin routes traffic to an Application Load Balancer (ALB) The application integrates with an OpenlD Connect (OIDC) identity provider (IdP) for user management. A security audit shows that a JSON Web Token (JWT) authorizer provides access to the API The security

audit also shows that the ALB accepts requests from unauthenticated users

A solutions architect must design a solution to ensure that all backend services respond to only authenticated

users

Which solution will meet this requirement?

A : Configure the ALB to enforce authentication and authorization by integrating the ALB with the IdP Allow only authenticated users to access the backend services

B : Modify the CloudFront configuration to use signed URLs Implement a permissive signing policy that allows any request to access the backend services

C : Create an AWS WAF web ACL that filters out unauthenticated requests at the ALB level. Allow only authenticated traffic to reach the backend services.

D : Enable AWS CloudTrail to log all requests that come to the ALB Create an AWS Lambda function to analyze the togs and block any requests that come from unauthenticated users.

Answer: A

Question 5

A company hosts a public software as a service (SaaS) application on Amazon EC2 instances that run Linux. The EC2 instances are in multiple Availability Zones behind an Application Load Balancer. The application uses an Amazon RDS Multi-AZ database to store application data, including user sessions. The company needs to minimize the latency that is involved in storing and accessing the user sessions. Which solution will meet this requirement?

A : Create an Amazon S3 bucket. Store the user sessions in S3 Standard storage.

B : Create an Amazon FSx for Windows File Server volume. Mount the volume on each EC2 instance. Store the user sessions in the volume.

C : Create a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume. Enable Multi-Attach. Attach the volume to each EC2 instance. Store the user sessions in the volume.

D : Create an Amazon ElastiCache for Redis cluster. Store the user sessions in the Redis cache.

Answer: D