Free Amazon SAP-C02 Exam Questions

Question 1

A company wants to launch its online shopping website to give customers an easy way to purchase the products they need. The proposed setup is to host the application on an AWS Fargate cluster, utilize a Load Balancer to distribute traffic between the Fargate tasks, and use Amazon CloudFront for caching and content delivery. The company wants to ensure that the website complies with industry best practices and should be able to protect customers from common “man-in-the-middle” attacks for e-commerce websites such as DNS spoofing, HTTPS spoofing, or SSL hijacking.

Which of the following configurations will provide the MOST secure access to the website?

A : gister the domain name on Route 53 and enable DNSSEC validation for all public hosted zones to ensure that all DNS requests have not been tampered with during transit. Use AWS Certificate Manager (ACM) to generate a valid TLS/SSL certificate for the domain name. Configure the Application Load Balancer with an HTTPS listener to use the ACM TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.

B : gister the domain name on Route 53. Since Route 53 only supports DNSSEC for registration, host the company DNS root servers on Amazon EC2 instances running the BIND service. Enable DNSSEC for DNS requests to ensure the replies have not been tampered with. Generate a valid certificate for the website domain name on AWS ACM and configure the Application Load Balancers HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.

C : Route 53 for domain registration. Use a third-party DNS service that supports DNSSEC for DNS requests that use the customer-managed keys. Use AWS Certificate Manager (ACM) to generate a valid 2048-bit TLS/SSL certificate for the domain name and configure the Application Load Balancer HTTPS listener to use this TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.

D : gister the domain name on Route 53. Use a third-party DNS provider that supports the import of the customer-managed keys for DNSSEC. Import a 2048-bit TLS/SSL certificate from a third-party certificate service to AWS Certificate Manager (ACM). Configure the Application Load Balancer with an HTTPS listener to use the imported TLS/SSL certificate. Use Server Name Identification and HTTP to HTTPS redirection on CloudFront.

Answer: A

Question 2

An enterprise company wants to allow its developers to purchase third-party software through AWS

Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a

shared services account in each organizational unit (OU) that will be used by procurement managers. The

procurement team's policy indicates that developers should be able to obtain third-party software from an

approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement . The

procurement team wants administration of Private Marketplace to be restricted to a role named

procurement-manager-role, which could be assumed by procurement managers Other IAM users groups, roles,

and account administrators in the company should be denied Private Marketplace administrative access

What is the MOST efficient way to design an architecture to meet these requirements?

A : Create an IAM role named procurement-manager-role in all AWS accounts in the organization Add thePowerUserAccess managed policy to the role Apply an inline policy to all IAM users and roles in everyAWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.

B : Create an IAM role named procurement-manager-role in all AWS accounts in the organization Add theAdministratorAccess managed policy to the role Define a permissions boundary with theAWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.

C : Create an IAM role named procurement-manager-role in all the shared services accounts in theorganization Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role Create anorganization root-level SCP to deny permissions to administer Private Marketplace to everyone exceptthe role named procurement-manager-role Create another organization root-level SCP to denypermissions to create an IAM role named procurement-manager-role to everyone in the organization.

D : Create an IAM role named procurement-manager-role in all AWS accounts that will be used bydevelopers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create anSCP in Organizations to deny permissions to administer Private Marketplace to everyone except the rolenamed procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.

Answer: C

Question 3

A company is using a single AWS Region (or its ecommerce website. The website includes a web application

that runs on several Amazon EC2 instances behind an Application Load Balancer (ALB). The website also

includes an Amazon DynamoDB table. A custom domain name in Amazon Route 53 is linked to the ALB.

The company created an SSL/TLS certificate in AWS Certificate Manager (ACM) and attached the certificate

to the ALB. The company is not using a content delivery network as part of its design.

The company wants to replicate its entire application stack in a second Region to provide disaster recovery,

plan for future growth, and provide improved access time to users. A solutions architect needs to implement a

solution that achieves these goals and minimizes administrative overhead.

Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

A : Create an AWS Cloud Formation template for the current infrastructure design. Use parameters forimportant system values, including Region. Use the CloudFormation template to create the newinfrastructure in the second Region.

B : Use the AWS Management Console to document the existing infrastructure design in the first Regionand to create the new infrastructure in the second Region.

C : Update the Route 53 hosted zone record for the application to use weighted routing. Send 50% of thetraffic to the ALB in each Region.

D : Update the Route 53 hosted zone record for the application to use latency-based routing. Send traffic tothe ALB in each Region.

E : Update the configuration of the existing DynamoDB table by enabling DynamoDB Streams Add thesecond Region to create a global table.

F : Create a new DynamoDB table. Enable DynamoDB Streams for the new table. Add the second Regionto create a global table. Copy the data from the existing DynamoDB table to the new table as a one-timeoperation.

Answer: A,D

Question 4

A company hosts a public software as a service (SaaS) application on Amazon EC2 instances that run Linux. The EC2 instances are in multiple Availability Zones behind an Application Load Balancer. The application uses an Amazon RDS Multi-AZ database to store application data, including user sessions. The company needs to minimize the latency that is involved in storing and accessing the user sessions. Which solution will meet this requirement?

A : Create an Amazon S3 bucket. Store the user sessions in S3 Standard storage.

B : Create an Amazon FSx for Windows File Server volume. Mount the volume on each EC2 instance. Store the user sessions in the volume.

C : Create a Provisioned IOPS SSD (io2) Amazon Elastic Block Store (Amazon EBS) volume. Enable Multi-Attach. Attach the volume to each EC2 instance. Store the user sessions in the volume.

D : Create an Amazon ElastiCache for Redis cluster. Store the user sessions in the Redis cache.

Answer: D

Question 5

A company is modernizing a legacy.NET Frameworkapplication backed by SQL Server. Requirements: Containerize into microservices. Control OS patches and storage. Add load balancing. Ensure high availability.Which solution meets all of these with minimal refactoring?

A : Use App2Container to deploy on ECS EC2 with ALB and RDS for SQL Server.

B : Use App2Container on ECS EC2 with NLB and Aurora MySQL.

C : Use Porting Assistant and EKS with Fargate and Aurora MySQL.

D : Use Porting Assistant and EKS with Fargate and RDS SQL Server.

Answer: A