Free Online SAP-C02 Practice Test

Question 1

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS

application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a

VPC.

The company will consume the third-party SaaS application from inside a VPC. The company has internal

security policies that mandate the use of private connectivity that does not traverse the internet. No resources

that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions

must conform to the principles of least privilege.

Which solution meets these requirements?

A :

Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that

the third-party SaaS application provides. Create a security group to limit the access to the endpoint.

Associate the security group with the endpoint.

B :

Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company

VPC. Configure network ACLs to limit access across the VPN tunnels.

C :

Create a VPC peering connection between the third-party SaaS application and the company VPUpdate

route tables by adding the needed routes for the peering connection.

D :

Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface

VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific

account of the third-party SaaS provider.

Answer: A

Question 2

A company is running a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF.

An external customer needs to connect to the web application. The company must provide IP addresses to all external customers.

Which solution will meet these requirements with the LEAST operational overhead?

A : Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic IP address to the NLB.

B : Allocate an Elastic IP address. Assign the Elastic IP address to the ALProvide the Elastic IP address to the customer.

C : Create an AWS Global Accelerator standard accelerator. Specify the ALB as the accelerator's endpoint. Provide the accelerator's IP addresses to the customer.

D : Configure an Amazon CloudFront distribution. Set the ALB as the origin. Ping the distribution's DNS name to determine the distribution's public IP address. Provide the IP address to the customer.

Answer: C

Question 3

A company has deployed an application on AWS Elastic Beanstalk. The application uses Amazon Aurora for

the database layer. An Amazon CloudFront distribution serves web requests and includes the Elastic Beanstalk

domain name as the origin server. The distribution is configured with an alternate domain name that visitors

use when they access the application.

Each week, the company takes the application out of service for routine maintenance. During the time that the

application is unavailable, the company wants visitors to receive an informational message instead of a

CloudFront error message.

A solutions architect creates an Amazon S3 bucket as the first step in the process.

Which combination of steps should the solutions architect take next to meet the requirements? (Choose three.)

A :

Upload static informational content to the S3 bucket.

B :

Create a new CloudFront distribution. Set the S3 bucket as the origin.

C :

Set the S3 bucket as a second origin in the original CloudFront distribution. Configure the distribution

and the S3 bucket to use an origin access identity (OAI).

D :

During the weekly maintenance, edit the default cache behavior to use the S3 origin. Revert the change

when the maintenance is complete.

E :

During the weekly maintenance, create a cache behavior for the S3 origin on the new distribution. Set

the path pattern to \ Set the precedence to 0. Delete the cache behavior when the maintenance is

complete.

F :

During the weekly maintenance, configure Elastic Beanstalk to serve traffic from the S3 bucket.

Answer: A,C,D

Question 4

A multinational corporation has recently acquired a smaller company. The solutions architect was instructed to consolidate the multiple AWS accounts of both entities using AWS Organizations. The solutions architect has set up the required service control policies (SCPs) to simplify the process of controlling access permissions for each individual account and Organizational Units (OUs). However, one account is having trouble creating a new S3 bucket, and it is required to investigate the cause of this issue. The account has the following SCP attached:

1. {

2. "Version": "2012-10-17",

3. "Statement": [

4. {

5. "Effect": "Allow",

6. "Action": "cloudtrail:*",

7. "Resource": "*"

8. },

9. {

10. "Effect": "Allow",

11. "Action": "iam:*",

12. "Resource": "*"

13. }

14. ]

15. }

Each IAM user of the account has the following IAM policy attached:

1. {

2. "Version": "2012-10-17",

3. "Statement": [

4. {

5. "Effect": "Allow",

6. "Action": "s3:*",

7. "Resource": [

8. "arn:aws:s3:::*"

9. ]

10. },

11. {

12. "Effect": "Deny",

13. "NotAction": "s3:*",

14. "NotResource": [

15. "arn:aws:s3:::*"

16. ]

17. }

18. ]

19. }

Based on the provided SCP and IAM policy, which of the following options could be the possible root cause of this problem?

A : The SCP is the root cause because it does not support whitelisting actions of the AWS resources.

B : The IAM policy is the root cause because you have denied user permissions to execute any S3-related actions.

C : The SCP is the root cause since it does not explicitly allow the required action that would enable the account to create an S3 bucket.

D : Both the IAM policy and the SCP are the problem. The SCP should explicitly allow S3 bucket creation in its policy and the IAM policy should exactly match the permissions of the SCP.

Answer: C

Question 5

A company has 50 AWS accounts that are members of an organization in AWS Organizations Each account

contains multiple VPCs The company wants to use AWS Transit Gateway to establish connectivity between

the VPCs in each member account Each time a new member account is created, the company wants to

automate the process of creating a new VPC and a transit gateway attachment.

Which combination of steps will meet these requirements? (Select TWO)

A : From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager

B : Prom the management account, share the transit gateway with member accounts by using an AWS Organizations SCP

C : Launch an AWS CloudFormation stack set from the management account that automatical^/ creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.

D : Launch an AWS CloudFormation stack set from the management account that automatical^ creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.

E : From the management account, share the transit gateway with member accounts by using AWS Service Catalog

Answer: A,C

Free Online Amazon SAP-C02 Practice Test