Free Amazon SAP-C02 Exam Questions

Question 1

A solutions architect uses AWS Organizations to manage several AWS accounts for a company. The full

Organizations feature set is activated for the organization. All production AWS accounts exist under an OU

that is named "production ‘’ Systems operators have full administrative privileges within these accounts by

using IAM roles.

The company wants to ensure that security groups in all production accounts do not allow inbound traffic for

TCP port 22. All noncompliant security groups must be remediated immediately, and no new rules that allow

port 22 can be created.

Winch solution will meet these requirements?

A : Write an SCP that denies the CreateSecurityGroup action with a condition o( ec2:tngress rule with value22. Apply the SCP to the 'production' OU.

B : Configure an AWS CloudTrail trail for all accounts Send CloudTrail logs to an Amazon S3 bucket Inthe Organizations management account. Configure an AWS Lambda function on the managementaccount with permissions to assume a role in all production accounts to describe and modify securitygroups. Configure Amazon S3 to invoke the Lambda function on every PutObject event on the S3bucket Configure the Lambda function to analyze each CloudTrail event for noncompliant securitygroup actions and to automatically remediate any issues.

C : Create an Amazon EvertBridge (Amazon CloudWatch Events) event bus in the Organizationsmanagement account. Create an AWS Cloud Formation template to deploy configurations that sendCreateSecurityGroup events to the even! bus from an production accounts Configure an AWS Lambdafunction in the management account with permissions to assume a role «i all production accounts todescribe and modify security groups. Configure the event bus to invoke the Lambda function Configurethe Lambda function to analyse each event for noncompliant security group actions and to automaticallyremediate any issues.

D : Create an AWS CloudFormation template to turn on AWS Config Activate theINCOMING_SSH_DISABLED AWS Config managed rule Deploy an AWS Lambda function that willrun based on AWS Config findings and will remediate noncompliant resources Deploy theCloudFormation template by using a StackSet that is assigned to the "production" OU. Apply an SCP tothe OU to deny modification of the resources that the CloudFormation template provisions.

Answer: D

Question 2

A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL.

The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks.

Which solution will meet these requirements with the LEAST operational overhead?

A : eate an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL's deny list.

B : ploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.

C : eate an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server's subnet route table for any IP addresses that activate the alarm.

D : pect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.

Answer: C

Question 3

A company deployed a blockchain application in AWS a year ago using AWS Opsworks. There has been a lot of security patches lately for the underlying Linux servers of the blockchain application, which means that the Opsworks stack instances should be updated.

In this scenario, which of the following are the best practices when updating an AWS stack? (Select TWO.)

A : n the Update Dependencies stack command for Linux based instances.

B : Windows-based instances, run the Update Dependencies stack command.

C : lete the entire stack and create a new one.

D : CloudFormation to deploy the security patches.

E : WAF to deploy the security patches.

F : eate and start new instances to replace your current online instances. Then delete the current instances. The new instances will have the latest set of security patches installed during setup.

Answer: A

Question 4

A company is running a serverless application that consists of several AWS Lambda functions and Amazon

DynamoDB tables. The company has created new functionality that requires the Lambda functions to access

an Amazon Neptune DB cluster The Neptune DB cluster is located in three subnets in a VPC.

Which of the possible solutions will allow the Lambda functions to access the Neptune DB cluster and

DynamoDB tables? (Select TWO )

A : Create three public subnets in the Neptune VPC and route traffic through an interne: gateway Host theLambda functions m the three new public subnets

B : Create three private subnets in the Neptune VPC and route internet traffic through a NAT gateway Hostthe Lambda functions In the three new private subnets.

C : Host the Lambda functions outside the VPC. Update the Neptune security group to allow access fromthe IP ranges of the Lambda functions.

D : Host the Lambda functions outside the VPC. Create a VPC endpoint for the Neptune database, and havethe Lambda functions access Neptune over the VPC endpoint

E : Create three private subnets in the Neptune VPC. Host the Lambda functions m the three new isolatedsubnets. Create a VPC endpoint for DynamoDB. and route DynamoDB traffic to the VPC endpoint

Answer: A,C

Question 5

A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateful application. The application connects to a PostgreSQL database running on a separate server. The application’s user base is expected to grow significantly, so the company is migrating the application and database to AWS. The solution will use Amazon Aurora PostgreSQL, Amazon EC2 Auto Scaling, and Elastic Load Balancing. Which solution will provide a consistent user experience that will allow the application and database tiers to scale?

A : able Aurora Auto Scaling for Aurora Replicas. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.

B : able Aurora Auto Scaling for Aurora writers. Use an Application Load Balancer with the round robin routing algorithm and sticky sessions enabled.

C : able Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.

D : able Aurora Scaling for Aurora writers. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.

Answer: C