AWS SAP-C02 Exam Prep, PDF

Summary

This document contains practice questions and solutions for the AWS SAP-C02 exam. The questions cover a variety of topics related to cloud computing, including security, cost optimization, and deployment. The sample questions provide a good understanding of the types of questions that may appear on the actual exam.

Full Transcript

AWS SAP-C02

AWS SAP-C02

Question \#: 1

Topic \#: 1

A company is planning to host a web application on AWS and wants to load
balance the traffic across a group of Amazon EC2 instances. One of the
security requirements is to enable end-to-end encryption in transit
between the client and the web server.

Which solution will meet this requirement?

A. Place the EC2 instances behind an Application Load Balancer (ALB).
Provision an SSL certificate using AWS Certificate Manager (ACM), and
associate the SSL certificate with the ALB. Export the SSL certificate
and install it on each EC2 instance. Configure the ALB to listen on port
443 and to forward traffic to port 443 on the instances.

B. Associate the EC2 instances with a target group. Provision an SSL
certificate using AWS Certificate Manager (ACM). Create an Amazon
CloudFront distribution and configure it to use the SSL certificate. Set
CloudFront to use the target group as the origin server.

C. Place the EC2 instances behind an Application Load Balancer (ALB)
Provision an SSL certificate using AWS Certificate Manager (ACM), and
associate the SSL certificate with the ALB. Provision a third-party SSL
certificate and install it on each EC2 instance. Configure the ALB to
listen on port 443 and to forward traffic to port 443 on the instances.

D. Place the EC2 instances behind a Network Load Balancer (NLB).
Provision a third-party SSL certificate and install it on the NLB and on
each EC2 instance. Configure the NLB to listen on port 443 and to
forward traffic to port 443 on the instances.

Hint Answer: C

Question \#: 2

Topic \#: 1

A company migrated to AWS and uses AWS Business Support. The company
wants to monitor the cost-effectiveness of Amazon EC2 instances across
AWS accounts. The EC2 instances have tags for department, business unit,
and environment. Development EC2 instances have high cost but low
utilization.

The company needs to detect and stop any underutilized development EC2
instances. Instances are underutilized if they had 10% or less average
daily CPU utilization and 5 MB or less network I/O for at least 4 of the
past 14 days.

Which solution will meet these requirements with the LEAST operational
overhead?

A. Configure Amazon CloudWatch dashboards to monitor EC2 instance
utilization based on tags for department, business unit, and
environment. Create an Amazon EventBridge rule that invokes an AWS
Lambda function to stop underutilized development EC2 instances.

B. Configure AWS Systems Manager to track EC2 instance utilization and
report underutilized instances to Amazon CloudWatch. Filter the
CloudWatch data by tags for department, business unit, and environment.
Create an Amazon EventBridge rule that invokes an AWS Lambda function to
stop underutilized development EC2 instances.

C. Create an Amazon EventBridge rule to detect low utilization of EC2
instances reported by AWS Trusted Advisor. Configure the rule to invoke
an AWS Lambda function that filters the data by tags for department,
business unit, and environment and stops underutilized development EC2
instances.

D. Create an AWS Lambda function to run daily to retrieve utilization
data for all EC2 instances. Save the data to an Amazon DynamoDB table.
Create an Amazon QuickSight dashboard that uses the DynamoDB table as a
data source to identify and stop underutilized development EC2
instances.

Hint Answer: C

Question \#: 3

Topic \#: 1

A company uses AWS Organizations with a single OU named Production to
manage multiple accounts. All accounts are members of the Production OU.
Administrators use deny list SCPs in the root of the organization to
manage access to restricted services.

The company recently acquired a new business unit and invited the new
unit's existing AWS account to the organization. Once onboarded, the
administrators of the new business unit discovered that they are not
able to update existing AWS Config rules to meet the company's policies.

Which option will allow administrators to make changes and continue to
enforce the current policies without introducing additional long-term
maintenance?

A. Remove the organization's root SCPs that limit access to AWS Config.
Create AWS Service Catalog products for the company's standard AWS
Config rules and deploy them throughout the organization, including the
new account.

B. Create a temporary OU named Onboarding for the new account. Apply an
SCP to the Onboarding OU to allow AWS Config actions. Move the new
account to the Production OU when adjustments to AWS Config are
complete.

C. Convert the organization's root SCPs from deny list SCPs to allow
list SCPs to allow the required services only. Temporarily apply an SCP
to the organization's root that allows AWS Config actions for principals
only in the new account.

D. Create a temporary OU named Onboarding for the new account. Apply an
SCP to the Onboarding OU to allow AWS Config actions. Move the
organization's root SCP to the Production OU. Move the new account to
the Production OU when adjustments to AWS Config are complete.

Hint Answer: D

Question \#: 4

Topic \#: 1

A company that provides image storage services wants to deploy a
customer-facing solution to AWS. Millions of individual customers will
use the solution. The solution will receive batches of large image
files, resize the files, and store the files in an Amazon S3 bucket for
up to 6 months.

The solution must handle significant variance in demand. The solution
must also be reliable at enterprise scale and have the ability to rerun
processing jobs in the event of failure.

Which solution will meet these requirements MOST cost-effectively?

A. Use AWS Step Functions to process the S3 event that occurs when a
user stores an image. Run an AWS Lambda function that resizes the image
in place and replaces the original file in the S3 bucket. Create an S3
Lifecycle expiration policy to expire all stored images after 6 months.

B. Use Amazon EventBridge to process the S3 event that occurs when a
user uploads an image. Run an AWS Lambda function that resizes the image
in place and replaces the original file in the S3 bucket. Create an S3
Lifecycle expiration policy to expire all stored images after 6 months.

C. Use S3 Event Notifications to invoke an AWS Lambda function when a
user stores an image. Use the Lambda function to resize the image in
place and to store the original file in the S3 bucket. Create an S3
Lifecycle policy to move all stored images to S3 Standard-Infrequent
Access (S3 Standard-IA) after 6 months.

D. Use Amazon Simple Queue Service (Amazon SQS) to process the S3 event
that occurs when a user stores an image. Run an AWS Lambda function that
resizes the image and stores the resized file in an S3 bucket that uses
S3 Standard-Infrequent Access (S3 Standard-IA). Create an S3 Lifecycle
policy to move all stored images to S3 Glacier Deep Archive after 6
months.

Hint Answer: B

Question \#: 5

Topic \#: 1

A company is running a serverless ecommerce application on AWS. The
application uses Amazon API Gateway to invoke AWS Lambda Java functions.
The Lambda functions connect to an Amazon RDS for MySQL database to
store data.

During a recent sale event, a sudden increase in web traffic resulted in
poor API performance and database connection failures. The company needs
to implement a solution to minimize the latency for the Lambda functions
and to support bursts in traffic.

Which solution will meet these requirements with the LEAST amount of
change to the application?

A. Update the code of the Lambda functions so that the Lambda functions
open the database connection outside of the function handler. Increase
the provisioned concurrency for the Lambda functions.

B. Create an RDS Proxy endpoint for the database. Store database secrets
in AWS Secrets Manager. Set up the required IAM permissions. Update the
Lambda functions to connect to the RDS Proxy endpoint. Increase the
provisioned concurrency for the Lambda functions.

C. Create a custom parameter group. Increase the value of the
max\_connections parameter. Associate the custom parameter group with
the RDS DB instance and schedule a reboot. Increase the reserved
concurrency for the Lambda functions.

D. Create an RDS Proxy endpoint for the database. Store database secrets
in AWS Secrets Manager. Set up the required IAM permissions. Update the
Lambda functions to connect to the RDS Proxy endpoint. Increase the
reserved concurrency for the Lambda functions.

Hint Answer: B

Question \#: 6

Topic \#: 1

A company is hosting a monolithic REST-based API for a mobile app on
five Amazon EC2 instances in public subnets of a VPC. Mobile clients
connect to the API by using a domain name that is hosted on Amazon Route
53. The company has created a Route 53 multivalue answer routing policy
with the IP addresses of all the EC2 instances. Recently, the app has
been overwhelmed by large and sudden increases to traffic. The app has
not been able to keep up with the traffic.

A solutions architect needs to implement a solution so that the app can
handle the new and varying load.

Which solution will meet these requirements with the LEAST operational
overhead?

A. Separate the API into individual AWS Lambda functions. Configure an
Amazon API Gateway REST API with Lambda integration for the backend.
Update the Route 53 record to point to the API Gateway API.

B. Containerize the API logic. Create an Amazon Elastic Kubernetes
Service (Amazon EKS) cluster. Run the containers in the cluster by using
Amazon EC2. Create a Kubernetes ingress. Update the Route 53 record to
point to the Kubernetes ingress.

C. Create an Auto Scaling group. Place all the EC2 instances in the Auto
Scaling group. Configure the Auto Scaling group to perform scaling
actions that are based on CPU utilization. Create an AWS Lambda function
that reacts to Auto Scaling group changes and updates the Route 53
record.

D. Create an Application Load Balancer (ALB) in front of the API. Move
the EC2 instances to private subnets in the VPC. Add the EC2 instances
as targets for the ALB. Update the Route 53 record to point to the ALB.

Hint Answer: A

Question \#: 7

Topic \#: 1

An entertainment company hosts a ticketing service on a fleet of Linux
Amazon EC2 instances that are in an Auto Scaling group. The ticketing
service uses a pricing file. The pricing file is stored in an Amazon S3
bucket that has S3 Standard storage. A central pricing solution that is
hosted by a third party updates the pricing file.

The pricing file is updated every 1-15 minutes and has several thousand
line items. The pricing file is downloaded to each EC2 instance when the
instance launches.

The EC2 instances occasionally use outdated pricing information that can
result in incorrect charges for customers.

Which solution will resolve this problem MOST cost-effectively?

A. Create an AWS Lambda function to update an Amazon DynamoDB table with
new prices each time the pricing file is updated. Update the ticketing
service to use DynramoDB to look up pricing

B. Create an AWS Lambda function to update an Amazon Elastic File System
(Amazon EFS) file share with the pricing file each time the file is
updated. Update the ticketing service to use Amazon EFS to access the
pricing file.

C. Load Mountpoint for Amazon S3 onto the AMI of the EC2 instances.
Configure Mountpoint for Amazon S3 to mount the S3 bucket that contains
the pricing file. Update the ticketing service to point to the mount
point and path to access the \$3 object,

D. Create an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS
Multi-Attach to attach the volume to every EC2 instance. When a new EC2
instance launches, configure the new instance to update the pricing file
on the EBS volume. Update the ticketing service to point to the new
local source.

Hint Answer: C

Question \#: 8

Topic \#: 1

A company runs a web application on a single Amazon EC2 instance. End
users experience slow application performance during times of peak
usage, when CPU utilization is consistently more than 95%.

A user data script installs required custom packages on the EC2
instance. The process of launching the instance takes several minutes.

The company is creating an Auto Scaling group that has mixed instance
groups, varied CPUs, and a maximum capacity limit. The Auto Scaling
group will use a launch template for various configuration options. The
company needs to decrease application latency when new instances are
launched during auto scaling.

Which solution will meet these requirements?

A. Use a predictive scaling policy. Use an instance maintenance policy
to run the user data script. Set the default instance warmup time to 0
seconds.

B. Use a dynamic scaling policy. Use lifecycle hooks to run the user
data script. Set the default instance warmup time to 0 seconds.

C. Use a predictive scaling policy. Enable warm pools for the Auto
Scaling group. Use an instance maintenance policy to run the user data
script.

D. Use a dynamic scaling policy. Enable warm pools for the Auto Scaling
group. Use lifecycle hooks to run the user data script.

Hint Answer: B

Question \#: 9

Topic \#: 1

A software as a service (SaaS) company uses AWS to host a service that
is powered by AWS PrivateLink. The service consists of proprietary
software that runs on three Amazon EC2 instances behind a Network Load
Balancer (NLB). The instances are in private subnets in multiple
Availability Zones in the eu-west-2 Region. All the company\'s customers
are in eu-west-2.

However, the company now acquires a new customer in the us-east-1
Region. The company creates a new VPC and new subnets in us-east-1. The
company establishes inter-Region VPC peering between the VPCs in the two
Regions.

The company wants to give the new customer access to the SaaS service,
but the company does not want to immediately deploy new EC2 resources in
us-east-1.

Which solution will meet these requirements?

A. Configure a PrivateLink endpoint service in us-east-1 to use the
existing NLB that is in eu-west-2. Grant specific AWS accounts access to
connect to the SaaS service.

B. Create an NLB in us-east-1. Create an IP target group that uses the
IP addresses of the company\'s instances in eu-west-2 that host the SaaS
service. Configure a PrivateLink endpoint service that uses the NLB that
is in us-east-1. Grant specific AWS accounts access to connect to the
SaaS service.

C. Create an Application Load Balancer (ALB) in front of the EC2
instances in eu-west-2. Create an NLB in us-east-1. Associate the NLB
that is in us-east-1 with an ALB target group that uses the ALB that is
in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB
that is in us-east-1. Grant specific AWS accounts access to connect to
the SaaS service.

D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances
that are in eu-west-2. In us-east-1, create an NLB and an instance
target group that includes the shared EC2 instances from eu-west-2.
Configure a PrivateLink endpoint service that uses the NLB that is in
us-east-1. Grant specific AWS accounts access to connect to the SaaS
service.

Hint Answer: B

Question \#: 10

Topic \#: 1

A company runs an IoT platform on AWS. IoT sensors in various locations
send data to the company's Node.js API servers on Amazon EC2 instances
running behind an Application Load Balancer. The data is stored in an
Amazon RDS MySQL DB instance that uses a 4 TB General Purpose SSD
volume.

The number of sensors the company has deployed in the field has
increased over time, and is expected to grow significantly. The API
servers are consistently overloaded and RDS metrics show high write
latency.

Which of the following steps together will resolve the issues
permanently and enable growth as new sensors are provisioned, while
keeping this platform cost-efficient? (Choose two.)

A. Resize the MySQL General Purpose SSD storage to 6 TB to improve the
volume's IOPS.

B. Re-architect the database tier to use Amazon Aurora instead of an RDS
MySQL DB instance and add read replicas.

C. Leverage Amazon Kinesis Data Streams and AWS Lambda to ingest and
process the raw data.

D. Use AWS X-Ray to analyze and debug application issues and add more
API servers to match the load.

E. Re-architect the database tier to use Amazon DynamoDB instead of an
RDS MySQL DB instance.

Hint Answer: CE

Question \#: 11

Topic \#: 1

A company that is developing a mobile game is making game assets
available in two AWS Regions. Game assets are served from a set of
Amazon EC2 instances behind an Application Load Balancer (ALB) in each
Region. The company requires game assets to be fetched from the closest
Region. If game assets become unavailable in the closest Region, they
should be fetched from the other Region.

What should a solutions architect do to meet these requirements?

A. Create an Amazon CloudFront distribution. Create an origin group with
one origin for each ALB. Set one of the origins as primary.

B. Create an Amazon Route 53 health check for each ALCreate a Route 53
failover routing record pointing to the two ALBs. Set the Evaluate
Target Health value to Yes.

C. Create two Amazon CloudFront distributions, each with one ALB as the
origin. Create an Amazon Route 53 failover routing record pointing to
the two CloudFront distributions. Set the Evaluate Target Health value
to Yes.

D. Create an Amazon Route 53 health check for each ALB. Create a Route
53 latency alias record pointing to the two ALBs. Set the Evaluate
Target Health value to Yes.

Hint Answer: D

Question \#: 12

Topic \#: 1

A company is planning to host a web application on AWS and wants to load
balance the traffic across a group of Amazon EC2 instances. One of the
security requirements is to enable end-to-end encryption in transit
between the client and the web server.

Which solution will meet this requirement?

A. Place the EC2 instances behind an Application Load Balancer (ALB).
Provision an SSL certificate using AWS Certificate Manager (ACM), and
associate the SSL certificate with the ALB. Export the SSL certificate
and install it on each EC2 instance. Configure the ALB to listen on port
443 and to forward traffic to port 443 on the instances.

B. Associate the EC2 instances with a target group. Provision an SSL
certificate using AWS Certificate Manager (ACM). Create an Amazon
CloudFront distribution and configure it to use the SSL certificate. Set
CloudFront to use the target group as the origin server.

C. Place the EC2 instances behind an Application Load Balancer (ALB)
Provision an SSL certificate using AWS Certificate Manager (ACM), and
associate the SSL certificate with the ALB. Provision a third-party SSL
certificate and install it on each EC2 instance. Configure the ALB to
listen on port 443 and to forward traffic to port 443 on the instances.

D. Place the EC2 instances behind a Network Load Balancer (NLB).
Provision a third-party SSL certificate and install it on the NLB and on
each EC2 instance. Configure the NLB to listen on port 443 and to
forward traffic to port 443 on the instances.

Hint Answer: C

Question \#: 13

Topic \#: 1

A company is running a data-intensive application on AWS. The
application runs on a cluster of hundreds of Amazon EC2 instances. A
shared file system also runs on several EC2 instances that store 200 TB
of data. The application reads and modifies the data on the shared file
system and generates a report. The job runs once monthly, reads a subset
of the files from the shared file system, and takes about 72 hours to
complete. The compute instances scale in an Auto Scaling group, but the
instances that host the shared file system run continuously. The compute
and storage instances are all in the same AWS Region.

A solutions architect needs to reduce costs by replacing the shared file
system instances. The file system must provide high performance access
to the needed data for the duration of the 72-hour run.

Which solution will provide the LARGEST overall cost reduction while
meeting these requirements?

A. Migrate the data from the existing shared file system to an Amazon S3
bucket that uses the S3 Intelligent-Tiering storage class. Before the
job runs each month, use Amazon FSx for Lustre to create a new file
system with the data from Amazon S3 by using lazy loading. Use the new
file system as the shared storage for the duration of the job. Delete
the file system when the job is complete.

B. Migrate the data from the existing shared file system to a large
Amazon Elastic Block Store (Amazon EBS) volume with Multi-Attach
enabled. Attach the EBS volume to each of the instances by using a user
data script in the Auto Scaling group launch template. Use the EBS
volume as the shared storage for the duration of the job. Detach the EBS
volume when the job is complete

C. Migrate the data from the existing shared file system to an Amazon S3
bucket that uses the S3 Standard storage class. Before the job runs each
month, use Amazon FSx for Lustre to create a new file system with the
data from Amazon S3 by using batch loading. Use the new file system as
the shared storage for the duration of the job. Delete the file system
when the job is complete.

D. Migrate the data from the existing shared file system to an Amazon S3
bucket. Before the job runs each month, use AWS Storage Gateway to
create a file gateway with the data from Amazon S3. Use the file gateway
as the shared storage for the job. Delete the file gateway when the job
is complete.

Hint Answer: A

Question \#: 14

Topic \#: 1

A company is collecting data from a large set of IoT devices. The data
is stored in an Amazon S3 data lake. Data scientists perform analytics
on Amazon EC2 instances that run in two public subnets in a VPC in a
separate AWS account.

The data scientists need access to the data lake from the EC2 instances.
The EC2 instances already have an assigned role with permissions to
access Amazon S3.

According to company policies, only authorized networks are allowed to
have access to the IoT data.

Which combination of steps should a solutions architect take to meet
these requirements? (Choose two.)

A. Create a gateway VPC endpoint for Amazon S3 in the data scientists'
VPC.

B. Create an S3 access point in the data scientists\' AWS account for
the data lake.

C. Update the EC2 instance role. Add a policy with a condition that
allows the s3:GetObject action when the value for the
s3:DataAccessPointArn condition key is a valid access point ARN.

D. Update the VPC route table to route S3 traffic to an S3 access point.

E. Add an S3 bucket policy with a condition that allows the s3:GetObject
action when the value for the s3:DataAccessPointArn condition key is a
valid access point ARN.

Hint Answer: AE

Question \#: 15

Topic \#: 1

A company is using an on-premises Active Directory service for user
authentication. The company wants to use the same authentication service
to sign in to the company's AWS accounts, which are using AWS
Organizations. AWS Site-to-Site VPN connectivity already exists between
the on-premises environment and all the company's AWS accounts.

The company's security policy requires conditional access to the
accounts based on user groups and roles. User identities must be managed
in a single location.

Which solution will meet these requirements?

A. Configure AWS IAM Identity Center (AWS Single Sign-On) to connect to
Active Directory by using SAML 2.0. Enable automatic provisioning by
using the System for Cross-domain Identity Management (SCIM) v2.0
protocol. Grant access to the AWS accounts by using attribute-based
access controls (ABACs).

B. Configure AWS IAM Identity Center (AWS Single Sign-On) by using IAM
Identity Center as an identity source. Enable automatic provisioning by
using the System for Cross-domain Identity Management (SCIM) v2.0
protocol. Grant access to the AWS accounts by using IAM Identity Center
permission sets.

C. In one of the company's AWS accounts, configure AWS Identity and
Access Management (IAM) to use a SAML 2.0 identity provider. Provision
IAM users that are mapped to the federated users. Grant access that
corresponds to appropriate groups in Active Directory. Grant access to
the required AWS accounts by using cross-account IAM users.

D. In one of the company's AWS accounts, configure AWS Identity and
Access Management (IAM) to use an OpenID Connect (OIDC) identity
provider. Provision IAM roles that grant access to the AWS account for
the federated users that correspond to appropriate groups in Active
Directory. Grant access to the required AWS accounts by using
cross-account IAM roles.

Hint Answer: A

Question \#: 16

Topic \#: 1

A company is planning to store a large number of archived documents and
make the documents available to employees through the corporate
intranet. Employees will access the system by connecting through a
client VPN service that is attached to a VPC. The data must not be
accessible to the public.

The documents that the company is storing are copies of data that is
held on physical media elsewhere. The number of requests will be low.
Availability and speed of retrieval are not concerns of the company.

Which solution will meet these requirements at the LOWEST cost?

A. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3 One
Zone-Infrequent Access (S3 One Zone-IA) storage class as default.
Configure the S3 bucket for website hosting. Create an S3 interface
endpoint. Configure the S3 bucket to allow access only through that
endpoint.

B. Launch an Amazon EC2 instance that runs a web server. Attach an
Amazon Elastic File System (Amazon EFS) file system to store the
archived data in the EFS One Zone-Infrequent Access (EFS One Zone-IA)
storage class Configure the instance security groups to allow access
only from private networks.

C. Launch an Amazon EC2 instance that runs a web server Attach an Amazon
Elastic Block Store (Amazon EBS) volume to store the archived data. Use
the Cold HDD (sc1) volume type. Configure the instance security groups
to allow access only from private networks.

D. Create an Amazon S3 bucket. Configure the S3 bucket to use the S3
Glacier Deep Archive storage class as default. Configure the S3 bucket
for website hosting. Create an S3 interface endpoint. Configure the S3
bucket to allow access only through that endpoint.

Hint Answer: A

Question \#: 17

Topic \#: 1

A company recently deployed an application on AWS. The application uses
Amazon DynamoDB. The company measured the application load and
configured the RCUs and WCUs on the DynamoDB table to match the expected
peak load. The peak load occurs once a week for a 4-hour period and is
double the average load. The application load is close to the average
load for the rest of the week. The access pattern includes many more
writes to the table than reads of the table.

A solutions architect needs to implement a solution to minimize the cost
of the table.

Which solution will meet these requirements?

A. Use AWS Application Auto Scaling to increase capacity during the peak
period. Purchase reserved RCUs and WCUs to match the average load.

B. Configure on-demand capacity mode for the table.

C. Configure DynamoDB Accelerator (DAX) in front of the table. Reduce
the provisioned read capacity to match the new peak load on the table.

D. Configure DynamoDB Accelerator (DAX) in front of the table. Configure
on-demand capacity mode for the table.

Hint Answer: A

Question \#: 18

Topic \#: 1

A company has registered 10 new domain names. The company uses the
domains for online marketing. The company needs a solution that will
redirect online visitors to a specific URL for each domain. All domains
and target URLs are defined in a JSON document. All DNS records are
managed by Amazon Route 53.

A solutions architect must implement a redirect service that accepts
HTTP and HTTPS requests.

Which combination of steps should the solutions architect take to meet
these requirements with the LEAST amount of operational effort? (Choose
three.)

A. Create a dynamic webpage that runs on an Amazon EC2 instance.
Configure the webpage to use the JSON document in combination with the
event message to look up and respond with a redirect URL.

B. Create an Application Load Balancer that includes HTTP and HTTPS
listeners.

C. Create an AWS Lambda function that uses the JSON document in
combination with the event message to look up and respond with a
redirect URL.

D. Use an Amazon API Gateway API with a custom domain to publish an AWS
Lambda function.

E. Create an Amazon CloudFront distribution. Deploy a Lambda\@Edge
function.

F. Create an SSL certificate by using AWS Certificate Manager (ACM).
Include the domains as Subject Alternative Names.

Hint Answer: CEF

Question \#: 19

Topic \#: 1

A company recently completed a successful proof of concept of Amazon
WorkSpaces. A solutions architect needs to make the solution highly
available across two AWS Regions. Amazon WorkSpaces is deployed in a
failover Region, and a hosted zone is deployed in Amazon Route 53.

What should the solutions architect do to configure high availability
for the solution?

A. Create a connection alias in the primary Region and in the failover
Region. Associate the connection aliases with a directory in each
Region. Create a Route 53 failover routing policy. Set Evaluate Target
Health to Yes.

B. Create a connection alias in the primary Region and in the failover
Region. Associate the connection aliases with a directory in the primary
Region. Create a Route 53 multivalue answer routing policy.

C. Create a connection alias in the primary Region. Associate the
connection alias with a directory in the primary Region. Create a Route
53 weighted routing policy.

D. Create a connection alias in the primary Region Associate the
connection alias with a directory in the failover Region. Create a Route
53 failover routing policy. Set Evaluate Target Health to Yes.

Hint Answer: D

Question \#: 20

Topic \#: 1

A company has many AWS accounts and uses AWS Organizations to manage all
of them. A solutions architect must implement a solution that the
company can use to share a common network across multiple accounts.

The company's infrastructure team has a dedicated infrastructure account
that has a VPC. The infrastructure team must use this account to manage
the network. Individual accounts cannot have the ability to manage their
own networks. However, individual accounts must be able to create AWS
resources within subnets.

Which combination of actions should the solutions architect perform to
meet these requirements? (Choose two.)

A. Create a transit gateway in the infrastructure account.

B. Enable resource sharing from the AWS Organizations management
account.

C. Create VPCs in each AWS account within the organization in AWS
Organizations. Configure the VPCs to share the same CIDR range and
subnets as the VPC in the infrastructure account. Peer the VPCs in each
individual account with the VPC in the infrastructure account.

D. Create a resource share in AWS Resource Access Manager in the
infrastructure account. Select the specific AWS Organizations OU that
will use the shared network. Select each subnet to associate with the
resource share.

E. Create a resource share in AWS Resource Access Manager in the
infrastructure account. Select the specific AWS Organizations OU that
will use the shared network. Select each prefix list to associate with
the resource share.

Hint Answer: BD

Question \#: 21

Topic \#: 1

A company built an application based on AWS Lambda deployed in an AWS
CloudFormation stack. The last production release of the web application
introduced an issue that resulted in an outage lasting several minutes.
A solutions architect must adjust the deployment process to support a
canary release.

Which solution will meet these requirements?

A. Create an alias for every new deployed version of the Lambda
function. Use the AWS CLI update-alias command with the routing-config
parameter to distribute the load.

B. Deploy the application into a new CloudFormation stack. Use an Amazon
Route 53 weighted routing policy to distribute the load.

C. Create a version for every new deployed Lambda function. Use the AWS
CLI update-function-configuration command with the routing-config
parameter to distribute the load.

D. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the
Deployment configuration to distribute the load.

Hint Answer: A

Question \#: 22

Topic \#: 1

A company has a monolithic application that is critical to the company's
business. The company hosts the application on an Amazon EC2 instance
that runs Amazon Linux 2. The company's application team receives a
directive from the legal department to back up the data from the
instance's encrypted Amazon Elastic Block Store (Amazon EBS) volume to
an Amazon S3 bucket. The application team does not have the
administrative SSH key pair for the instance. The application must
continue to serve the users.

Which solution will meet these requirements?

A. Attach a role to the instance with permission to write to Amazon S3.
Use the AWS Systems Manager Session Manager option to gain access to the
instance and run commands to copy data into Amazon S3.

B. Create an image of the instance with the reboot option turned on.
Launch a new EC2 instance from the image. Attach a role to the new
instance with permission to write to Amazon S3. Run a command to copy
data into Amazon S3.

C. Take a snapshot of the EBS volume by using Amazon Data Lifecycle
Manager (Amazon DLM). Copy the data to Amazon S3.

D. Create an image of the instance. Launch a new EC2 instance from the
image. Attach a role to the new instance with permission to write to
Amazon S3. Run a command to copy data into Amazon S3.

Hint Answer: C

Question \#: 23

Topic \#: 1

A company has an organization in AWS Organizations that has a large
number of AWS accounts. One of the AWS accounts is designated as a
transit account and has a transit gateway that is shared with all of the
other AWS accounts. AWS Site-to-Site VPN connections are configured
between all of the company's global offices and the transit account. The
company has AWS Config enabled on all of its accounts.

The company's networking team needs to centrally manage a list of
internal IP address ranges that belong to the global offices. Developers
will reference this list to gain access to their applications securely.

Which solution meets these requirements with the LEAST amount of
operational overhead?

A. Create a JSON file that is hosted in Amazon S3 and that lists all of
the internal IP address ranges. Configure an Amazon Simple Notification
Service (Amazon SNS) topic in each of the accounts that can be invoked
when the JSON file is updated. Subscribe an AWS Lambda function to the
SNS topic to update all relevant security group rules with the updated
IP address ranges.

B. Create a new AWS Config managed rule that contains all of the
internal IP address ranges. Use the rule to check the security groups in
each of the accounts to ensure compliance with the list of IP address
ranges. Configure the rule to automatically remediate any noncompliant
security group that is detected.

C. In the transit account, create a VPC prefix list with all of the
internal IP address ranges. Use AWS Resource Access Manager to share the
prefix list with all of the other accounts. Use the shared prefix list
to configure security group rules in the other accounts.

D. In the transit account, create a security group with all of the
internal IP address ranges. Configure the security groups in the other
accounts to reference the transit account's security group by using a
nested security group reference of "/sg-1a2b3c4d".

Hint Answer: C

Question \#: 24

Topic \#: 1

A company runs a new application as a static website in Amazon S3. The
company has deployed the application to a production AWS account and
uses Amazon CloudFront to deliver the website. The website calls an
Amazon API Gateway REST API. An AWS Lambda function backs each API
method.

The company wants to create a CSV report every 2 weeks to show each API
Lambda function's recommended configured memory, recommended cost, and
the price difference between current configurations and the
recommendations. The company will store the reports in an S3 bucket.

Which solution will meet these requirements with the LEAST development
time?

A. Create a Lambda function that extracts metrics data for each API
Lambda function from Amazon CloudWatch Logs for the 2-week period.
Collate the data into tabular format. Store the data as a.csv file in
an S3 bucket. Create an Amazon EventBridge rule to schedule the Lambda
function to run every 2 weeks.

B. Opt in to AWS Compute Optimizer. Create a Lambda function that calls
the ExportLambdaFunctionRecommendations operation. Export the.csv file
to an S3 bucket. Create an Amazon EventBridge rule to schedule the
Lambda function to run every 2 weeks.

C. Opt in to AWS Compute Optimizer. Set up enhanced infrastructure
metrics. Within the Compute Optimizer console, schedule a job to export
the Lambda recommendations to a.csv file. Store the file in an S3
bucket every 2 weeks.

D. Purchase the AWS Business Support plan for the production account.
Opt in to AWS Compute Optimizer for AWS Trusted Advisor checks. In the
Trusted Advisor console, schedule a job to export the cost optimization
checks to a.csv file. Store the file in an S3 bucket every 2 weeks.

Hint Answer: B

Question \#: 25

Topic \#: 1

A company is running a web application in a VPC. The web application
runs on a group of Amazon EC2 instances behind an Application Load
Balancer (ALB). The ALB is using AWS WAF.

An external customer needs to connect to the web application. The
company must provide IP addresses to all external customers.

Which solution will meet these requirements with the LEAST operational
overhead?

A. Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic
IP address to the NLB.

B. Allocate an Elastic IP address. Assign the Elastic IP address to the
ALProvide the Elastic IP address to the customer.

C. Create an AWS Global Accelerator standard accelerator. Specify the
ALB as the accelerator\'s endpoint. Provide the accelerator\'s IP
addresses to the customer.

D. Configure an Amazon CloudFront distribution. Set the ALB as the
origin. Ping the distribution\'s DNS name to determine the
distribution\'s public IP address. Provide the IP address to the
customer.

Hint Answer: C

Question \#: 26

Topic \#: 1

A company that has multiple business units is using AWS Organizations
with all features enabled. The company has implemented an account
structure in which each business unit has its own AWS account.
Administrators in each AWS account need to view detailed cost and
utilization data for their account by using Amazon Athena.

Each business unit can have access to only its own cost and utilization
data. The IAM policies that govern the ability to set up AWS Cost and
Usage Reports are in place. A central Cost and Usage Report that
contains all data for the organization is already available in an Amazon
S3 bucket.

Which solution will meet these requirements with the LEAST operational
complexity?

A. In the organization\'s management account, use AWS Resource Access
Manager (AWS RAM) to share the Cost and Usage Report data with each
member account.

B. In the organization\'s management account, configure an S3 event to
invoke an AWS Lambda function each time a new file arrives in the S3
bucket that contains the central Cost and Usage Report. Configure the
Lambda function to extract each member account's data and to place the
data in Amazon S3 under a separate prefix. Modify the S3 bucket policy
to allow each member account to access its own prefix.

C. In each member account, access AWS Cost Explorer. Create a new report
that contains relevant cost information for the account. Save the report
in Cost Explorer. Provide instructions that the account administrators
can use to access the saved report.

D. In each member account, create a new S3 bucket to store Cost and
Usage Report data. Set up a Cost and Usage Report to deliver the data to
the new S3 bucket.

Hint Answer: B

Question \#: 27

Topic \#: 1

An application is deployed on Amazon EC2 instances that run in an Auto
Scaling group. The Auto Scaling group configuration uses only one type
of instance.

CPU and memory utilization metrics show that the instances are
underutilized. A solutions architect needs to implement a solution to
permanently reduce the EC2 cost and increase the utilization.

Which solution will meet these requirements with the LEAST number of
configuration changes in the future?

A. List instance types that have properties that are similar to the
properties that the current instances have. Modify the Auto Scaling
group\'s launch template configuration to use multiple instance types
from the list.

B. Use the information about the application\'s CPU and memory
utilization to select an instance type that matches the requirements.
Modify the Auto Scaling group\'s configuration by adding the new
instance type. Remove the current instance type from the configuration.

C. Use the information about the application\'s CPU and memory
utilization to specify CPU and memory requirements in a new revision of
the Auto Scaling group\'s launch template. Remove the current instance
type from the configuration.

D. Create a script that selects the appropriate instance types from the
AWS Price List Bulk API. Use the selected instance types to create a new
revision of the Auto Scaling group\'s launch template.

Hint Answer: C