AWS Certified Solutions Architect – Professional SAP-C02 Exam Questions and Answers – 2

The latest AWS Certified Solutions Architect – Professional SAP-C02 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the AWS Certified Solutions Architect – Professional SAP-C02 exam and earn AWS Certified Solutions Architect – Professional SAP-C02 certification.

Question 181

Exam Question

A publishing company’s design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company’s production account. The company also uses a development account that members of the design team can access.

After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes.

Which combination of steps will meet these requirements? (Select THREE.)

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.

B. In the development account, create a new IAM policy that allows read and write access to the S3 bucket.

C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.

D. In the development account, create a role. Attach the new policy to the role. Define the production account as a trusted entity.

E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account.

F. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the development account.

Correct Answer

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.

C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.

E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account.

Explanation

A. In the production account, create a new IAM policy that allows read and write access to the S3 bucket. The policy grants the necessary permissions to access the assets in the production S3 bucket.

C. In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity. By creating a role and attaching the policy, and then defining the development account as a trusted entity, the development account can assume the role and access the production S3 bucket with the read and write permissions.

E. In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the production account. The IAM policy attached to the group allows the design team members to assume the role created in the production account, thereby giving them access to the production S3 bucket.

Step 1: Create a role in the production account. Create the role in the production account and specify the development account as a trusted entity. Limit the role's permissions to read and write access to the productionapp bucket only; anyone granted permission to use the role can then read and write to the productionapp bucket.

Step 2: Grant access to the role. Sign in as an administrator in the development account and allow the sts:AssumeRole action on the UpdateApp role in the production account.

To recap: in the production account you create the S3 policy and the role, and you set the development account as the trusted entity. In the development account you then allow the sts:AssumeRole action on that role in the production account.
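The three policy documents behind options A, C and E, plus a small review check that they stay scoped to the one bucket and the one role. This is an added example, not code from the page or from the AWS tutorial it cites; the account IDs are constructed placeholders, while the productionapp bucket and UpdateApp role names come from the tutorial steps above.

```python
import json

# Constructed placeholders (not values from the page): the two account IDs.
PROD_ACCOUNT = "111111111111"
DEV_ACCOUNT = "222222222222"
# Bucket and role names as used in the IAM tutorial the page references.
BUCKET = "productionapp"
ROLE_ARN = f"arn:aws:iam::{PROD_ACCOUNT}:role/UpdateApp"


def bucket_access_policy(bucket: str) -> dict:
    """Option A: permissions policy in the production account, scoped to one bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def trust_policy(trusted_account: str) -> dict:
    """Option C: trust policy on the production role; only the dev account may assume it."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
         "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn: str) -> dict:
    """Option E: policy attached to the design-team group in the dev account."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_least_privilege(perm, trust, group, bucket, role_arn, dev_account) -> list:
    """Review the three documents; an empty list means they are scoped as intended."""
    findings = []
    for s in perm["Statement"]:
        for r in _as_list(s["Resource"]):
            if not r.startswith(f"arn:aws:s3:::{bucket}"):
                findings.append(f"permissions policy reaches outside the bucket: {r}")
        for a in _as_list(s["Action"]):
            if not a.startswith("s3:") or "*" in a:
                findings.append(f"permissions policy action too broad: {a}")
    for s in trust["Statement"]:
        p = s["Principal"]
        principals = _as_list(p.get("AWS", []) if isinstance(p, dict) else p)
        if "*" in principals or any(dev_account not in x for x in principals):
            findings.append(f"trust policy admits an unexpected principal: {principals}")
    for s in group["Statement"]:
        if _as_list(s["Action"]) != ["sts:AssumeRole"] or _as_list(s["Resource"]) != [role_arn]:
            findings.append("group policy grants more than sts:AssumeRole on the production role")
    return findings


if __name__ == "__main__":
    docs = (bucket_access_policy(BUCKET), trust_policy(DEV_ACCOUNT), assume_role_policy(ROLE_ARN))
    for doc in docs:
        print(json.dumps(doc, indent=2))
    print("findings:", check_least_privilege(*docs, BUCKET, ROLE_ARN, DEV_ACCOUNT))
```

The check is the kind of guardrail a reviewer would run before the role goes live: widening the bucket resource to `arn:aws:s3:::*` or the trust principal to `*` each produces a finding.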

Reference

AWS Documentation, AWS Identity and Access Management User Guide: IAM tutorial: Delegate access across AWS accounts using IAM roles

Question 182

Exam Question

A company is migrating some of its applications to AWS. The company wants to migrate and modernize the applications quickly after it finalizes networking and security strategies. The company has set up an AWS Direct Connect connection in a central network account.

The company expects to have hundreds of AWS accounts and VPCs in the near future. The corporate network must be able to access the resources on AWS seamlessly and also must be able to communicate with all the VPCs. The company also wants to route its cloud resources to the internet through its on-premises data center.

Which combination of steps will meet these requirements? (Choose three.)

A. Create a Direct Connect gateway in the central account. In each of the accounts, create an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway.

B. Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway by using a transit VIF.

C. Provision an internet gateway. Attach the internet gateway to subnets. Allow internet traffic through the gateway.

D. Share the transit gateway with other accounts. Attach VPCs to the transit gateway.

E. Provision VPC peering as necessary.

F. Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center.

Correct Answer

B. Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway by using a transit VIF.

D. Share the transit gateway with other accounts. Attach VPCs to the transit gateway.

F. Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center.

Explanation

To meet the requirements, a Direct Connect gateway and a transit gateway should be set up in the central network account (B). The transit gateway should be shared with other accounts and VPCs should be attached to the transit gateway (D). Finally, only private subnets should be provisioned, and a route should be opened on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center (F).

For more information, you can refer to the AWS documentation on Direct Connect Gateways, Transit Gateways and NAT Gateways. Additionally, the AWS Certified Solutions Architect – Professional Official Amazon Textbook and Resources can provide more in-depth information on these topics.

Question 183

Exam Question

A company wants to improve cost awareness for its Amazon EMR platform. The company has allocated budgets for each team's Amazon EMR usage. When a budgetary threshold is reached, a notification should be sent by email to the budget office's distribution list. Teams should be able to view their EMR cluster expenses to date. A solutions architect needs to create a solution that ensures this policy is proactively and centrally enforced in a multi-account environment.

Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)

A. Update the AWS CloudFormation template to include the AWS Budgets Budget resource with the NotificationsWithSubscribers property.

B. Implement Amazon CloudWatch dashboards for Amazon EMR usage.

C. Create an EMR bootstrap action that runs at startup that calls the Cost Explorer API to set the budget on the cluster with the GetCostForecast and NotificationsWithSubscribers actions.

D. Create an AWS Service Catalog portfolio for each team. Add each team's Amazon EMR cluster as an AWS CloudFormation template to their Service Catalog portfolio as a Product.

E. Create an Amazon CloudWatch metric for billing. Create a custom alert when costs exceed the budgetary threshold.

Correct Answer

B. Implement Amazon CloudWatch dashboards for Amazon EMR usage.

E. Create an Amazon CloudWatch metric for billing. Create a custom alert when costs exceed the budgetary threshold.

Question 184

Exam Question

An enterprise runs 103 line-of-business applications on virtual machines in an on-premises data center. Many of the applications are simple PHP, Java, or Ruby web applications, are no longer actively developed, and serve little traffic.

Which approach should be used to migrate these applications to AWS with the LOWEST infrastructure costs?

A. Deploy the applications to single-instance AWS Elastic Beanstalk environments without a load balancer.

B. Use AWS SMS to create AMIs for each virtual machine and run them in Amazon EC2.

C. Convert each application to a Docker image and deploy to a small Amazon ECS cluster behind an Application Load Balancer.

D. Use VM Import/Export to create AMIs for each virtual machine and run them in single-instance AWS Elastic Beanstalk environments by configuring a custom image.

Correct Answer

C. Convert each application to a Docker image and deploy to a small Amazon ECS cluster behind an Application Load Balancer.

Question 185

Exam Question

A new startup is running a serverless application using AWS Lambda as the primary source of compute. New versions of the application must be made available to a subset of users before deploying changes to all users. Developers should also have the ability to stop the deployment and have access to an easy rollback mechanism. A solutions architect decides to use AWS CodeDeploy to deploy changes when a new version is available.

Which CodeDeploy configuration should the solutions architect use?

A. A blue/green deployment

B. A linear deployment

C. A canary deployment

D. An all-at-once deployment

Correct Answer

C. A canary deployment

Explanation

Canary deployments are a popular deployment strategy used to safely deploy new changes to a subset of users in order to test them before deploying them to the full user base. With this strategy, a new version of the application is deployed to a small portion of the user base, and if no errors occur, the new version is gradually rolled out to the rest of the users. This deployment strategy also allows developers to easily roll back changes if any issues arise.

Question 186

Exam Question

A company runs a proprietary stateless ETL application on an Amazon EC2 Linux instance. The application is a Linux binary, and the source code cannot be modified. The application is single-threaded, uses 2 GB of RAM, and is highly CPU intensive. The application is scheduled to run every 4 hours and runs for up to 20 minutes. A solutions architect wants to revise the architecture for the solution.

Which strategy should the solutions architect use?

A. Use AWS Lambda to run the application. Use Amazon CloudWatch Logs to invoke the Lambda function every 4 hours.

B. Use AWS Batch to run the application. Use an AWS Step Functions state machine to invoke the AWS Batch job every 4 hours.

C. Use AWS Fargate to run the application. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke the Fargate task every 4 hours.

D. Use Amazon EC2 Spot Instances to run the application. Use AWS CodeDeploy to deploy and run the application every 4 hours.

Correct Answer

C. Use AWS Fargate to run the application. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke the Fargate task every 4 hours.

Question 187

Exam Question

A developer reports receiving an Error 403: Access Denied message when they try to download an object from an Amazon S3 bucket. The S3 bucket is accessed using an S3 endpoint inside a VPC, and is encrypted with an AWS KMS key. A solutions architect has verified that the developer is assuming the correct IAM role in the account that allows the object to be downloaded. The S3 bucket policy and the NACL are also valid.

Which additional step should the solutions architect take to troubleshoot this issue?

A. Ensure that blocking all public access has not been enabled in the S3 bucket.

B. Verify that the IAM role has permission to decrypt the referenced KMS key.

C. Verify that the IAM role has the correct trust relationship configured.

D. Check that local firewall rules are not preventing access to the S3 endpoint.

Correct Answer

B. Verify that the IAM role has permission to decrypt the referenced KMS key.

Question 188

Exam Question

A company has a project that is launching Amazon EC2 instances that are larger than required. The project’s account cannot be part of the company’s organization in AWS Organizations due to policy restrictions to keep this activity outside of corporate IT. The company wants to allow only the launch of t3.small EC2 instances by developers in the project’s account. These EC2 instances must be restricted to the us-east-2 Region.

What should a solutions architect do to meet these requirements?

A. Create a new developer account. Move all EC2 instances, users, and assets into us-east-2. Add the account to the company’s organization in AWS Organizations. Enforce a tagging policy that denotes Region affinity.

B. Create an SCP that denies the launch of all EC2 instances except t3.small EC2 instances in us-east-2. Attach the SCP to the project's account.

C. Create and purchase a t3.small EC2 Reserved Instance for each developer in us-east-2. Assign each developer a specific EC2 instance with their name as the tag.

D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project's account.

Correct Answer

D. Create an IAM policy that allows the launch of only t3.small EC2 instances in us-east-2. Attach the policy to the roles and groups that the developers use in the project's account.
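What the identity policy in option D looks like in practice, with the RunInstances resource-level detail that trips people up: the ec2:InstanceType condition only applies to the instance resource, so the other resource types RunInstances touches need their own statement. This is an added example, not code from the page; the `launch_allowed` matcher is a deliberately simplified stand-in for IAM's evaluator (an assumption for illustration, not AWS code).

```python
# Added example for the t3.small / us-east-2 restriction. The policy shape is a
# standard IAM identity policy; the evaluator below is a simplified stand-in for
# IAM's own logic (an assumption for illustration, not AWS code).

ALLOWED_TYPE = "t3.small"
ALLOWED_REGION = "us-east-2"


def run_instances_policy(region: str, instance_type: str) -> dict:
    """Allow ec2:RunInstances only for the given instance type in the given Region.
    RunInstances is also authorized against the image, subnet, network interface,
    security group, volume and key pair, so a second statement covers those
    resource types in the same Region without the instance-type condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OnlyT3SmallInstances", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": f"arn:aws:ec2:{region}:*:instance/*",
         "Condition": {"StringEquals": {"ec2:InstanceType": instance_type}}},
        {"Sid": "SupportingResourcesSameRegion", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": [f"arn:aws:ec2:{region}::image/ami-*",
                      f"arn:aws:ec2:{region}:*:subnet/*",
                      f"arn:aws:ec2:{region}:*:network-interface/*",
                      f"arn:aws:ec2:{region}:*:security-group/*",
                      f"arn:aws:ec2:{region}:*:volume/*",
                      f"arn:aws:ec2:{region}:*:key-pair/*"]}]}


def _arn_region(arn: str) -> str:
    return arn.split(":")[3]   # arn:partition:service:region:account:resource


def launch_allowed(policy: dict, region: str, instance_type: str) -> bool:
    """Simplified evaluation of a RunInstances request for the instance resource:
    some Allow statement must match the Region in the instance ARN and satisfy
    the ec2:InstanceType condition. No matching Allow means an implicit deny."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "ec2:RunInstances":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(":instance/" in r and _arn_region(r) == region for r in resources):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("ec2:InstanceType")
        if wanted is None or wanted == instance_type:
            return True
    return False


if __name__ == "__main__":
    policy = run_instances_policy(ALLOWED_REGION, ALLOWED_TYPE)
    for region, itype in [("us-east-2", "t3.small"), ("us-east-2", "m5.large"),
                          ("us-east-1", "t3.small")]:
        print(region, itype, "->", "allow" if launch_allowed(policy, region, itype) else "deny")
```

Because the account sits outside the organization, this has to be an identity policy rather than an SCP; the Region restriction here comes from the ARNs in each statement, which is why a t3.small launch in us-east-1 still falls through to the implicit deny.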

Question 189

Exam Question

A company uses AWS Organizations to manage more than 1,000 AWS accounts. The company has created a new developer organization. There are 540 developer member accounts that must be moved to the new developer organization. All accounts are set up with all the required information so that each account can be operated as a standalone account.

Which combination of steps should a solutions architect take to move all of the developer accounts to the new developer organization? (Select THREE.)

A. Call the MoveAccount operation in the Organizations API from the old organization's management account to migrate the developer accounts to the new developer organization.

B. From the management account, remove each developer account from the old organization using the RemoveAccountFromOrganization operation in the Organizations API.

C. From each developer account, remove the account from the old organization using the RemoveAccountFromOrganization operation in the Organizations API.

D. Sign in to the new developer organization's management account and create a placeholder member account that acts as a target for the developer account migration.

E. Call the InviteAccountToOrganization operation in the Organizations API from the new developer organization's management account to send invitations to the developer accounts.

F. Have each developer sign in to their account and confirm to join the new developer organization.

Correct Answer

B. From the management account, remove each developer account from the old organization using the RemoveAccountFromOrganization operation in the Organizations API.

D. Sign in to the new developer organization's management account and create a placeholder member account that acts as a target for the developer account migration.

E. Call the InviteAccountToOrganization operation in the Organizations API from the new developer organization's management account to send invitations to the developer accounts.

Question 190

Exam Question

A company is running a workload that consists of thousands of Amazon EC2 instances. The workload is running in a VPC that contains several public subnets and private subnets. The public subnets have a route for 0.0.0.0/0 to an existing internet gateway. The private subnets have a route for 0.0.0.0/0 to an existing NAT gateway. A solutions architect needs to migrate the entire fleet of EC2 instances to use IPv6. The EC2 instances that are in private subnets must not be accessible from the public internet.

What should the solutions architect do to meet these requirements?

A. Update the existing VPC and associate a custom IPv6 CIDR block with the VPC and all subnets. Update all the VPC route tables and add a route for ::/0 to the internet gateway.

B. Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Update the VPC route tables for all private subnets, and add a route for ::/0 to the NAT gateway.

C. Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Create an egress-only internet gateway. Update the VPC route tables for all private subnets, and add a route for ::/0 to the egress-only internet gateway.

D. Update the existing VPC and associate a custom IPv6 CIDR block with the VPC and all subnets. Create a new NAT gateway, and enable IPv6 support. Update the VPC route tables for all private subnets and add a route for ::/0 to the IPv6-enabled NAT gateway.

Correct Answer

C. Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Create an egress-only internet gateway. Update the VPC route tables for all private subnets, and add a route for ::/0 to the egress-only internet gateway.