Get 2021 Updated Free Amazon SAP-C01 Exam Questions & Answer [Q92-Q117]

SAP-C01 Dumps PDF and Test Engine Exam Questions

NEW QUESTION 92
A company runs an e-commerce platform with front-end and e-commerce tiers. Both tiers run on LAMP stacks with the front-end instances running behind a load balancing appliance that has a virtual offering on AWS. Currently, the operations team uses SSH to log in to the instances to maintain patches and address other concerns. The platform has recently been the target of multiple attacks, including:
* A DDoS attack
* An SQL injection attack
* Several successful dictionary attacks on SSH accounts on the web servers
The company wants to improve the security of the e-commerce platform by migrating to AWS. The company's solutions architects have decided to use the following approach:
* Code review the existing application and fix any SQL injection issues.
* Migrate the web application to AWS and leverage the latest AWS Linux AMI to address initial security patching.
* Install AWS Systems Manager to manage patching and allow the system administrators to run commands on all instances, as needed.
What additional steps will address all of the identified attack types while providing high availability and minimizing risk?

  • A. Enable SSH access to the Amazon EC2 instances through a bastion host secured by limiting access to specific IP addresses. Migrate on-premises MySQL to a self-managed EC2 instance. Leverage an AWS Elastic Load Balancer to spread the load, and enable AWS Shield Standard for DDoS protection. Add an Amazon CloudFront distribution in front of the website.
  • B. Enable SSH access to the Amazon EC2 instances using a security group that limits access to specific IPs. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Install the third-party load balancer from the AWS Marketplace and migrate the existing rules to the load balancer's AWS instances. Enable AWS Shield Standard for DDoS protection.
  • C. Disable SSH access to the EC2 instances. Migrate on-premises MySQL to Amazon RDS Single-AZ. Leverage an AWS Elastic Load Balancer to spread the load. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.
  • D. Disable SSH access to the Amazon EC2 instances. Migrate on-premises MySQL to Amazon RDS Multi-AZ. Leverage an Elastic Load Balancer to spread the load and enable AWS Shield Advanced for protection. Add an Amazon CloudFront distribution in front of the website. Enable AWS WAF on the distribution to manage the rules.

Answer: D

 

NEW QUESTION 93
A company is migrating an application to AWS. It wants to use fully managed services as much as possible during the migration. The company needs to store large, important documents within the application with the following requirements:
The data must be highly durable and available.
The data must always be encrypted at rest and in transit.
The encryption key must be managed by the company and rotated periodically.
Which of the following solutions should the Solutions Architect recommend?

  • A. Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
  • B. Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
  • C. Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
  • D. Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.

Answer: D

Explanation:
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/

 

NEW QUESTION 94
A company is migrating its application to AWS. The applications will be deployed to AWS accounts owned by business units. The company has several teams of Developers who are responsible for the development and maintenance of all applications. The company is expecting rapid growth in the number of users. The company's Chief Technology Officer has the following requirements:
* Developers must launch the AWS Infrastructure using AWS CloudFormation
* Developers must not be able to create resources outside of CloudFormation
* The solution must be able to scale to hundreds of AWS accounts
Which of the following would meet these requirements? (Select TWO)

  • A. Using CloudFormation, create an IAM role that can be assumed by CloudFormation that has permission to create all the resources the company needs. Use CloudFormation StackSets to deploy this template to each AWS account.
  • B. In a central AWS account, create an IAM role that can be assumed by CloudFormation that has permissions to create the resources the company requires. Create a CloudFormation stack policy that allows the IAM role to manage resources. Use CloudFormation StackSets to deploy the CloudFormation stack policy to each AWS account.
  • C. Using CloudFormation, create an IAM role that can be assumed by Developers and attach policies that allow interaction with and passing a role to services. Use CloudFormation StackSets to deploy this template to each AWS account.
  • D. In a central account, create an IAM role that can be assumed by developers, and attach a policy that allows interaction with CloudFormation. Modify the Assume Role Policy Document action to allow the IAM role to be passed to CloudFormation.
  • E. Using CloudFormation, create an IAM role for each Developer and attach policies that allow interaction with CloudFormation. Use CloudFormation StackSets to deploy this template to each AWS account.

Answer: B,C

 

NEW QUESTION 95
An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC.
An ENI can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you_____.

  • A. create an elastic network interface for eth1
  • B. use an existing network interface
  • C. include a MAC address
  • D. create an elastic network interface for eth0

Answer: D

Explanation:
An elastic network interface (ENI) is defined as a virtual network interface that you can attach to an instance in a VPC and can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you create an elastic network interface for eth0 instead of using an existing network interface.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

 

NEW QUESTION 96
A company has developed a custom tool used in its workflow that runs within a Docker container. The company must perform manual steps each time the container code is updated to make the container image available to new workflow executions. The company wants to automate this process to eliminate manual effort and ensure a new container image is generated every time the tool code is updated.
Which combination of actions should a solutions architect take to meet these requirements? (Select THREE.)

  • A. Configure an AWS CodePipeline pipeline that sources the tool code from the AWS CodeCommit repository and initiates an AWS CodeBuild build.
  • B. Configure an AWS CodeDeploy application that triggers an application version update that pulls the latest tool container image from Amazon ECR, updates the container with code from the AWS CodeCommit repository, and pushes the updated container image to Amazon ECR.
  • C. Configure an Amazon ECR repository for the tool. Configure an AWS CodeCommit repository containing code for the tool being deployed to the container image in Amazon ECR.
  • D. Configure an AWS CodeBuild project that pulls the latest tool container image from Amazon ECR, updates the container with code from the source AWS CodeCommit repository, and pushes the updated container image to Amazon ECR.
  • E. Configure an Amazon EventBridge rule that triggers on commits to the AWS CodeCommit repository for the tool. Configure the event to trigger an update to the tool container image in Amazon ECR. Push the updated container image to Amazon ECR.
  • F. Configure an AWS CodePipeline pipeline that sources the tool code from the AWS CodeCommit repository and initiates an AWS CodeDeploy application update.

Answer: A,C,D

Explanation:
https://aws.amazon.com/fr/blogs/devops/build-a-continuous-delivery-pipeline-for-your-container-images-with-amazon-ecr-as-source/

 

NEW QUESTION 97
A company has a single AWS master billing account, which is the root of the AWS Organizations hierarchy.
The company has multiple AWS accounts within this hierarchy, all organized into organization units (OUs).
More OUs and AWS accounts will continue to be created as other parts of the business migrate applications to AWS. These business units may need to use different AWS services. The Security team is implementing the following requirements for all current and future AWS accounts:
* Control policies must be applied across all accounts to prohibit AWS services.
* Exceptions to the control policies are allowed based on valid use cases.
Which solution will meet these requirements with minimal operational overhead?

  • A. Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at the level. For any specific exceptions for an OU, create a new SCP for that OU and add the required AWS services to the allow list.
  • B. Use an SCP in Organizations to implement an allow list of AWS services. Apply this SCP at the root level. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions for an OU, modify the SCP attached to that OU, and add the required AWS services to the allow list.
  • C. Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at the root level and each OU. Remove the default AWS managed SCP from the root level and all OU levels. For any specific exceptions, modify the SCP attached to that OU, and add the required AWS services to the allow list.
  • D. Use an SCP in Organizations to implement a deny list of AWS services. Apply this SCP at each OU level. Leave the default AWS managed SCP at the root level. For any specific exceptions for an OU, create a new SCP for that OU.

Answer: C

 

NEW QUESTION 98
A fitness tracking company serves users around the world, with its primary markets in North America and Asia. The company needs to design an infrastructure for its read-heavy user authorization application with the following requirements:
* Be resilient to problems with the application in any Region.
* Write to a database in a single Region.
* Read from multiple Regions.
* Support resiliency across application tiers in each Region.
* Support the relational database semantics reflected in the application.
Which combination of steps should a solutions architect take? (Select TWO.)

  • A. Set up active-active web and application servers in each Region. Deploy an Amazon Aurora global database with clusters in each Region. Set up the application to use the in-Region Aurora database endpoints. Create snapshots of the web and application servers and store them in an Amazon S3 bucket in both Regions.
  • B. Use an Amazon Route 53 geolocation routing policy combined with a failover routing policy.
  • C. Deploy web, application, and MySQL database servers to Amazon EC2 instances in each Region. Set up the application so that reads and writes are local to the Region. Create snapshots of the web, application, and database servers and store the snapshots in an Amazon S3 bucket in both Regions. Set up cross-Region replication for the database layer.
  • D. Set up web, application, and Amazon RDS for MySQL instances in each Region. Set up the application so that reads are local and writes are partitioned based on the user. Set up a Multi-AZ failover for the web, application, and database servers. Set up cross-Region replication for the database layer.
  • E. Use an Amazon Route 53 geoproximity routing policy combined with a multivalue answer routing policy.

Answer: B,D

 

NEW QUESTION 99
The company Security team requires that all data uploaded into an Amazon S3 bucket must be encrypted. The encryption keys must be highly available and the company must be able to control access on a per-user basis, with different users having access to different encryption keys.
Which of the following architectures will meet these requirements? (Choose two.)

  • A. Use Amazon S3 server-side encryption with Amazon S3-managed keys. Allow Amazon S3 to generate an AWS/S3 master key, and use IAM to control access to the data keys that are generated.
  • B. Use Amazon S3 server-side encryption with customer-managed keys, and use two AWS CloudHSM instances configured in high-availability mode to manage the keys. Use the Cloud HSM client software to control access to the keys that are generated.
  • C. Use Amazon S3 server-side encryption with AWS KMS-managed keys, create multiple customer master keys, and use key policies to control access to them.
  • D. Use Amazon S3 server-side encryption with customer-managed keys, and use AWS CloudHSM to manage the keys. Use CloudHSM client software to control access to the keys that are generated.
  • E. Use Amazon S3 server-side encryption with customer-managed keys, and use two AWS CloudHSM instances configured in high-availability mode to manage the keys. Use IAM to control access to the keys that are generated in CloudHSM.

Answer: B,C

Explanation:
http://websecuritypatterns.com/blogs/2018/03/01/encryption-and-key-management-in-aws-kms-vs-cloudhsm-myths-and-realities/

 

NEW QUESTION 100
In the Amazon RDS Oracle DB engine, the Database Diagnostic Pack and the Database Tuning Pack are only available with __________.

  • A. Oracle Enterprise Edition
  • B. Oracle Express Edition
  • C. None of these
  • D. Oracle Standard Edition

Answer: A

Explanation:
https://www.pythian.com/blog/a-most-simple-cloud-is-amazon-rds-for-oracle-right-for-you/

 

NEW QUESTION 101
A company uses an Amazon EMR cluster to process data once a day. The raw data comes from Amazon S3, and the resulting processed data is also stored in Amazon S3. The processing must complete within 4 hours; currently, it only takes 3 hours. However, the processing time is taking 5 to 10 minutes longer each week due to an increasing volume of raw data.
The team is also concerned about rising costs as the compute capacity increases. The EMR cluster is currently running on three m3.xlarge instances (one master and two core nodes).
Which of the following solutions will reduce costs related to the increasing compute needs?

  • A. Add additional task nodes, but use instance fleets with the master node in On-Demand mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase a scheduled Reserved Instance for the master node.
  • B. Add additional task nodes, but use instance fleets with the master node in Spot mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase enough scheduled Reserved Instances to offset the cost of running any On-Demand instances.
  • C. Add additional task nodes, but use instance fleets with the master node in On-Demand mode and a mix of On-Demand and Spot Instances for the core and task nodes. Purchase a standard all-upfront Reserved Instance for the master node.
  • D. Add additional task nodes, but have the team purchase an all-upfront convertible Reserved Instance for each additional node to offset the costs.

Answer: D

 

NEW QUESTION 102
An auction website enables users to bid on collectible items. The auction rules require that each bid is processed only once and in the order it was received. The current implementation is based on a fleet of Amazon EC2 web servers that write bid records into Amazon Kinesis Data Streams. A single t2.large instance has a cron job that runs the bid processor, which reads incoming bids from Kinesis Data Streams and processes each bid. The auction site is growing in popularity, but users are complaining that some bids are not registering.
Troubleshooting indicates that the bid processor is too slow during peak demand hours, sometimes crashes while processing, and occasionally loses track of which records are being processed.
What changes should make the bid processing more reliable?

  • A. Refactor the web application to post each incoming bid to an Amazon SNS topic in place of Kinesis Data Streams. Configure the SNS topic to trigger an AWS Lambda function that processes each bid as soon as a user submits it.
  • B. Refactor the web application to post each incoming bid to an Amazon SQS FIFO queue in place of Kinesis Data Streams. Refactor the bid processor to continuously poll the SQS queue. Place the bid processing EC2 instance in an Auto Scaling group with a minimum and a maximum size of 1.
  • C. Refactor the web application to use the Amazon Kinesis Producer Library (KPL) when posting bids to Kinesis Data Streams. Refactor the bid processor to flag each record in Kinesis Data Streams as being unread, processing, and processed. At the start of each bid processing run, scan Kinesis Data Streams for unprocessed records.
  • D. Switch the EC2 instance type from t2.large to a larger general compute instance type. Put the bid processor EC2 instances in an Auto Scaling group that scales out the number of EC2 instances running the bid processor, based on the IncomingRecords metric in Kinesis Data Streams.

Answer: D

 

NEW QUESTION 103
A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures.
After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost.
Which approach should the company take to secure its API?

  • A. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
  • B. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
  • C. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.
  • D. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can execute the POST method.

Answer: A

 

NEW QUESTION 104
A company runs a Windows Server host in a public subnet that is configured to allow a team of administrators to connect over RDP to troubleshoot issues with hosts in a private subnet. The host must be available at all times outside of a scheduled maintenance window, and needs to receive the latest operating system updates within 3 days of release.
What should be done to manage the host with the LEAST amount of administrative effort?

  • A. Run the host in an Auto Scaling group with a minimum and maximum instance count of 1. Use a hardened machine image from AWS Marketplace. Apply system updates with AWS Systems Manager Patch Manager.
  • B. Run the host in a single-instance AWS Elastic Beanstalk environment. Configure the environment with a custom AMI to use a hardened machine image from AWS Marketplace. Apply system updates with AWS Systems Manager Patch Manager.
  • C. Run the host on AWS WorkSpaces. Use Amazon WorkSpaces Application Manager (WAM) to harden the host. Configure Windows automatic updates to occur every 3 days.
  • D. Run the host in AWS OpsWorks Stacks. Use a Chef recipe to harden the AMI during instance launch. Use an AWS Lambda scheduled event to run the Upgrade Operating System stack command to apply system updates.

Answer: C

 

NEW QUESTION 105
A company has deployed an application to multiple environments in AWS, including production and testing.
The company has separate accounts for production and testing, and users are allowed to create additional application users for team members or services, as needed. The Security team has asked the Operations team for better isolation between production and testing with centralized controls on security credentials and improved management of permissions between environments.
Which of the following options would MOST securely accomplish this goal?

  • A. Create all user accounts in the production account. Create roles for access in the production account and testing accounts. Grant cross-account access from the production account to the testing account.
  • B. Create a script that runs on each account that checks user accounts for adherence to a security policy. Disable any user or service accounts that do not comply.
  • C. Modify permissions in the production and testing accounts to limit creating new IAM users to members of the Operations team. Set a strong IAM password policy on each account. Create new IAM users and groups in each account to limit developer access to just the services required to complete their job function.
  • D. Create a new AWS account to hold user and service accounts, such as an identity account. Create users and groups in the identity account. Create roles with appropriate permissions in the production and testing accounts. Add the identity account to the trust policies for the roles.

Answer: C

 

NEW QUESTION 106
A company has a new application that needs to run on five Amazon EC2 instances in a single AWS Region.
The application requires high-throughput, low-latency network connections between all of the EC2 instances where the application will run. There is no requirement for the application to be fault tolerant.
Which solution will meet these requirements?

  • A. Launch five new EC2 instances into a cluster placement group. Ensure that the EC2 instance type supports enhanced networking.
  • B. Launch five new EC2 instances into an Auto Scaling group in the same Availability Zone. Attach an extra elastic network interface to each EC2 instance.
  • C. Launch five new EC2 instances into a partition placement group. Ensure that the EC2 instance type supports enhanced networking.
  • D. Launch five new EC2 instances into a spread placement group. Attach an extra elastic network interface to each EC2 instance.

Answer: D

 

NEW QUESTION 107
An internal security audit of AWS resources within a company found that a number of Amazon EC2 instances running Microsoft Windows workloads were missing several important operating system-level patches. A Solutions Architect has been asked to fix existing patch deficiencies, and to develop a workflow to ensure that future patching requirements are identified and taken care of quickly. The Solutions Architect has decided to use AWS Systems Manager. It is important that EC2 instance reboots do not occur at the same time on all Windows workloads to meet organizational uptime requirements.
Which workflow will meet these requirements in an automated manner?

  • A. Add a Patch Group tag with a value of either Windows servers1 or Windows Server2 to all existing EC2 instances. Ensure that all Windows EC2 instances are assigned this tag. Associate the AWS-WindowsPatchBaseline with both Windows Servers patch groups. Define two non-overlapping AWS Systems Manager maintenance windows, conduct patching within them, and associate each with a different patch group. Assign the AWS-RunWindowsPatchBaseline document as a task within each maintenance window. Create an AWS Systems Manager State Manager document to define commands to be executed during patch execution.
  • B. Add a Patch Group tag with a value of either Windows Servers1 or Windows Server2 to all existing EC2 instances. Ensure that all Windows EC2 instances are assigned this tag. Associate the AWS-DefaultPatchBaseline with both Windows Servers patch groups. Define two non-overlapping AWS Systems Manager maintenance windows, conduct patching within them, and associate each with a different patch group. Register targets with specific maintenance windows using the Patch Group tags. Assign the AWS-RunPatchBaseline document as a task within each maintenance window.
  • C. Add a Patch Group tag with a value of Windows Servers to all existing EC2 instances. Ensure that all Windows EC2 instances are assigned this tag. Associate the AWS-WindowsPatchBaseline document as a task associated with the Windows Servers patch group. Create an Amazon CloudWatch Events rule configured to use a cron expression to schedule the execution of patching using the AWS Systems Manager run command. Create an AWS Systems Manager State Manager document to define commands to be executed during patch execution.
  • D. Add a Patch Group tag with a value of Windows Servers to all existing EC2 instances. Ensure that all Windows EC2 instances are assigned this tag. Associate the AWS-DefaultPatchBaseline to the Windows servers patch group. Define an AWS Systems Manager maintenance window, conduct patching within it, and associate it with the Windows Servers patch group. Register instances with the maintenance window using associated subnet IDs. Assign the AWS-RunPatchBaseline document as a task within each maintenance window.

Answer: D

 

NEW QUESTION 108
Your customer is willing to consolidate their log streams (access logs, application logs, security logs, etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours.
What is the best approach to meet your customer's requirements?

  • A. Set up an Auto Scaling group of EC2 syslogd servers, store the logs on S3, use EMR to apply heuristics on the logs.
  • B. Configure Amazon CloudTrail to receive custom logs, use EMR to apply heuristics on the logs.
  • C. Send all the log events to Amazon SQS, set up an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics.
  • D. Send all the log events to Amazon Kinesis, develop a client process to apply heuristics on the logs

Answer: D

Explanation:
The throughput of an Amazon Kinesis stream is designed to scale without limits via increasing the number of shards within a stream. However, there are certain limits you should keep in mind while using Amazon Kinesis Streams:
By default, Records of a stream are accessible for up to 24 hours from the time they are added to the stream.
You can raise this limit to up to 7 days by enabling extended data retention.
The maximum size of a data blob (the data payload before Base64-encoding) within one record is 1 megabyte (MB).
Each shard can support up to 1000 PUT records per second.
For more information about other API level limits, see Amazon Kinesis Streams Limits.

 

NEW QUESTION 109
An IAM user is trying to perform an action on an object belonging to some other root account's bucket.
Which of the below mentioned options will AWS S3 not verify?

  • A. Permission provided by the parent of the IAM user on the bucket
  • B. Permission provided by the bucket owner to the IAM user
  • C. Permission provided by the parent of the IAM user
  • D. The object owner has provided access to the IAM user

Answer: A

Explanation:
If the IAM user is trying to perform some action on the object belonging to another AWS user's bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html

 

NEW QUESTION 110
A company is migrating its data centre from on premises to the AWS Cloud. The migration will take several months to complete. The company will use Amazon Route 53 for private DNS zones.
During the migration, the company must keep its AWS services pointed at the VPC's Route 53 Resolver for DNS. The company also must maintain the ability to resolve addresses from its on-premises DNS server. A solutions architect must set up DNS so that Amazon EC2 instances can use native Route 53 endpoints to resolve on-premises DNS queries.
Which configuration will meet these requirements?

  • A. Create a new outbound endpoint in Route 53, and attach the endpoint to the VPC. Ensure that the security groups that are attached to the endpoint can access the on-premises DNS server IP address on port 53. Create a new Route 53 Resolver rule that routes on-premises designated traffic to the on-premises DNS server.
  • B. Launch an EC2 instance that has DNS BIND installed and configured. Ensure that the security groups that are attached to the EC2 instance can access the on-premises DNS server IP address on port 53. Configure BIND to forward DNS queries to on-premises DNS server IP addresses. Configure each migrated EC2 instance's DNS settings to point to the BIND server IP address.
  • C. Configure the VPC DHCP options set to point to on-premises DNS server IP addresses. Ensure that security groups for EC2 instances allow outbound access to port 53 on those DNS server IP addresses.
  • D. Create a new private DNS zone in Route 53 with the same domain name as the on-premises domain. Create a single wildcard record with the on-premises DNS server IP address as the record's address.

Answer: A

 

NEW QUESTION 111
The CFO of a company wants to allow one of his employees to view only the AWS usage report page.
Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

  • A. "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
  • B. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
  • C. "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"
  • D. "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-portal:ViewUsage"
      ],
      "Resource": "*"
    }
  ]
}
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-permissions-ref.html

 

NEW QUESTION 112
A company is finalizing the architecture for its backup solution for applications running on AWS. All of the applications run on AWS and use at least two Availability Zones in each tier.
Company policy requires IT to durably store nightly backups of all its data in at least two locations: production and disaster recovery. The locations must be in different geographic regions. The company also needs the backup to be available to restore immediately at the production data center, and within 24 hours at the disaster recovery location. All backup processes must be fully automated.
What is the MOST cost-effective backup solution that will meet all requirements?

  • A. Back up all the data to a large Amazon EBS volume attached to the backup media server in the production region. Run automated scripts to snapshot these volumes nightly, and copy these snapshots to the disaster recovery region.
  • B. Back up all the data to Amazon S3 in the disaster recovery region. Use a lifecycle policy to move this data to Amazon Glacier in the production region immediately. Only the data is replicated: remove the data from the S3 bucket in the disaster recovery region.
  • C. Back up all the data to Amazon Glacier in the production region. Set up cross-region replication of this data to Amazon Glacier in the disaster recovery region. Set up a lifecycle policy to delete any data older than 60 days.
  • D. Back up all the data to Amazon S3 in the production region. Set up cross-region replication of this S3 bucket to another region and set up a lifecycle policy in the second region to immediately move this data to Amazon Glacier.

Answer: D

 

NEW QUESTION 113
A large company in Europe plans to migrate its applications to the AWS Cloud. The company uses multiple AWS accounts for various business groups. A data privacy law requires the company to restrict developers' access to AWS European Regions only.
What should the solutions architect do to meet this requirement with the LEAST amount of management overhead?

  • A. Set up AWS Single Sign-On and attach AWS accounts. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in each account.
  • B. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create permission sets with policies to restrict access to non-European Regions. Create IAM users and IAM groups in the primary account.
  • C. Create IAM users and IAM groups in each account. Create IAM policies to limit access to non-European Regions. Attach the IAM policies to the IAM groups.
  • D. Enable AWS Organizations, attach the AWS accounts, and create OUs for European Regions and non-European Regions. Create SCPs to limit access to non-European Regions and attach the policies to the OUs.

Answer: D

 

NEW QUESTION 114
A company has an Amazon VPC that is divided into a public subnet and a private subnet. A web application runs in Amazon VPC, and each subnet has its own NACL. The public subnet has a CIDR of 10.0.0.0/24. An Application Load Balancer is deployed to the public subnet. The private subnet has a CIDR of 10.0.1.0/24. Amazon EC2 instances that run a web server on port 80 are launched into the private subnet. Only network traffic that is required for the Application Load Balancer to access the web application can be allowed to travel between the public and private subnets.
What collection of rules should be written to ensure that the private subnet's NACL meets the requirement? (Select TWO.)

  • A. An inbound rule for port 80 from source 0.0.0.0/0
  • B. An outbound rule for ports 1024 through 65535 to destination 10.0.0.0/24
  • C. An outbound rule for port 80 to destination 0.0.0.0/0
  • D. An outbound rule for port 80 to destination 10.0.0.0/24
  • E. An inbound rule for port 80 from source 10.0.0.0/24

Answer: B,E

 

NEW QUESTION 115
You want to define permissions for a role in an IAM policy. Which of the following configuration formats should you use?

  • A. A JSON document written in the IAM Policy Language
  • B. An XML document written in a language of your choice
  • C. An XML document written in the IAM Policy Language
  • D. JSON document written in a language of your choice

Answer: A

Explanation:
You define the permissions for a role in an IAM policy. An IAM policy is a JSON document written in the IAM Policy Language.
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html

 

NEW QUESTION 116
A company that provides wireless services needs a solution to store and analyze log files about user activities.
Currently, log files are delivered daily to Amazon Linux on an Amazon EC2 instance. A batch script is run once a day to aggregate data used for analysis by a third-party tool. The data pushed to the third-party tool is used to generate a visualization for end users. The batch script is cumbersome to maintain, and it takes several hours to deliver the ever-increasing data volumes to the third-party tool. The company wants to lower costs, and is open to considering a new tool that minimizes development effort and lowers administrative overhead. The company wants to build a more agile solution that can store and perform the analysis in near-real time, with minimal overhead. The solution needs to be cost effective and scalable to meet the company's end-user base growth.
Which solution meets the company's requirements?

  • A. Use an Amazon Kinesis agent running on an EC2 instance in an Auto Scaling group to collect and send the data to an Amazon Kinesis Data Firehose delivery stream. The Kinesis Data Firehose delivery stream will deliver the data directly to Amazon ES. Use Kibana to visualize the data.
  • B. Develop a Python script to capture the data from Amazon EC2 in real time and store the data in Amazon S3. Use a copy command to copy data from Amazon S3 to Amazon Redshift. Connect a business intelligence tool running on Amazon EC2 to Amazon Redshift and create the visualizations.
  • C. Use an Amazon Kinesis agent running on an EC2 instance to collect and send the data to an Amazon Kinesis Data Firehose delivery stream. The Kinesis Data Firehose delivery stream will deliver the data to Amazon S3. Use an AWS Lambda function to deliver the data from Amazon S3 to Amazon ES. Use Kibana to visualize the data.
  • D. Use an in-memory caching application running on an Amazon EBS-optimized EC2 instance to capture the log data in near real-time. Install an Amazon ES cluster on the same EC2 instance to store the log files as they are delivered to Amazon EC2 in near real-time. Install a Kibana plugin to create the visualizations.

Answer: D

 

NEW QUESTION 117
......


Understanding useful and specialized parts of AWS Certified SAP - Solutions Architect Exam Migration Planning

The following will be discussed in the Amazon SAP-C01 dumps:

  • Design secure access to AWS resources

Determining when to decide between users, groups, and roles, deciphering the net effect of a provided access policy, selecting relevant methods to secure a root account, determining ways to secure credentials using characteristics of AWS IAM, determining the safe method for an application to access AWS APIs, and selecting suitable services to generate traceability for access to AWS resources

  • Design secure application tiers

Determining when and how to utilise security groups and network ACLs, determining a network segregation strategy using public and private subnets, selecting the proper routing mechanism to safely enter AWS service endpoints or internet-based resources from Amazon VPC, and selecting relevant AWS services to defend applications from external threats

  • Select appropriate data security options

Determining the policies that need to be applied to objects based on access patterns, selecting fitting encryption options for data at rest and in transit for AWS services, and choosing proper key management options based on specifications.

 
