SAP-C02 Free Practice Test

- (Exam Topic 2)
A company has a data lake in Amazon S3 that needs to be accessed by hundreds of applications across many AWS accounts. The company's information security policy states that the S3 bucket must not be accessed over the public internet and that each application should have the minimum permissions necessary to function.
To meet these requirements, a solutions architect plans to use an S3 access point that is restricted to specific VPCs for each application.
Which combination of steps should the solutions architect take to implement this solution? (Select TWO.)

1. A. Create an S3 access point for each application in the AWS account that owns the S3 bucke
2. B. Configureeach access point to be accessible only from the application's VP
3. C. Update the bucket policy to require access from an access point.
4. D. Create an interface endpoint for Amazon S3 in each application's VP
5. E. Configure the endpoint policy to allow access to an S3 access poin
6. F. Create a VPC gateway attachment for the S3 endpoint.
7. G. Create a gateway endpoint for Amazon S3 in each application's VP
8. H. Configure the endpoint policy to allow access to an S3 access poin
9. I. Specify the route table that is used to access the access point.
10. J. Create an S3 access point for each application in each AWS account and attach the access points to the S3 bucke
11. K. Configure each access point to be accessible only from the application's VP
12. L. Update the bucket policy to require access from an access point.
13. M. Create a gateway endpoint for Amazon S3 in the data lake's VP
14. N. Attach an endpoint policy to allow access to the S3 bucke
15. O. Specify the route table that is used to access the bucket.

Correct Answer: AC
https://joe.blog.freemansoft.com/2020/04/protect-data-in-cloud-with-s3-access.html

- (Exam Topic 1)
A company has 10 accounts that are part of an organization in AWS Organizations AWS Config is configured in each account All accounts belong to either the Prod OU or the NonProd OU
The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source The company's security team is subscribed to the SNS topic
For all accounts in the NonProd OU the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source
Which solution will meet this requirement with the LEAST operational overhead?

1. A. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic Deploy the updated rule to the NonProd OU
2. B. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU
3. C. Configure an SCP to allow the ec2 AulhonzeSecurityGrouplngress action when the value of the aws Sourcelp condition key is not 0.0.0.0/0 Apply the SCP to the NonProd OU
4. D. Configure an SCP to deny the ec2 AuthorizeSecurityGrouplngress action when the value of the aws Sourcelp condition key is 0.0.0.0/0 Apply the SCP to the NonProd OU

Correct Answer: D
This solution will meet the requirement with the least operational overhead because it directly denies the creation of the security group inbound rule with 0.0.0.0/0 as the source, which is the exact requirement. Additionally, it does not require any additional steps or resources such as invoking a Lambda function or adding a Config rule.
An SCP (Service Control Policy) is a policy that you can use to set fine-grained permissions for your AWS
accounts within your organization. You can use SCPs to set permissions for the root user of an account and to delegate permissions to IAM users and roles in the accounts. You can use SCPs to set permissions that allow or deny access to specific services, actions, and resources.
To implement this solution, you would need to create an SCP that denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. This SCP would then be applied to the NonProd OU. This would ensure that any security group inbound rule that includes 0.0.0.0/0 as the source will be denied, thus meeting the requirement.
Reference: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_condition-keys.html

- (Exam Topic 2)
A company runs its sales reporting application in an AWS Region in the United States. The application uses an Amazon API Gateway Regional API and AWS Lambda functions to generate on-demand reports from data in an Amazon RDS for MySQL database. The frontend of the application is hosted on Amazon S3 and is accessed by users through an Amazon CloudFront distribution. The company is using Amazon Route 53 as the DNS service for the domain. Route 53 is configured with a simple routing policy to route traffic to the API Gateway API.
In the next 6 months, the company plans to expand operations to Europe. More than 90% of the database traffic is read-only traffic. The company has already deployed an API Gateway API and Lambda functions in the new Region.
A solutions architect must design a solution that minimizes latency for users who download reports. Which solution will meet these requirements?

1. A. Use an AWS Database Migration Service (AWS DMS) task with full load to replicate the primary database in the original Region to the database in the new Regio
2. B. Change the Route 53 record to latency-based routing to connect to the API Gateway API.
3. C. Use an AWS Database Migration Service (AWS DMS) task with full load plus change data capture (CDC) to replicate the primary database in the original Region to the database in the new Regio
4. D. Change the Route 53 record to geolocation routing to connect to the API Gateway API.
5. E. Configure a cross-Region read replica for the RDS database in the new Regio
6. F. Change the Route 53 record to latency-based routing to connect to the API Gateway API.
7. G. Configure a cross-Region read replica for the RDS database in the new Regio
8. H. Change the Route 53 record to geolocation routing to connect to the API

Correct Answer: C
The company should configure a cross-Region read replica for the RDS database in the new Region. The company should change the Route 53 record to latency-based routing to connect to the API Gateway API. This solution will meet the requirements because a cross-Region read replica is a feature that enables you to create a MariaDB, MySQL, Oracle, PostgreSQL, or SQL Server read replica in a different Region from the source DB instance. You can use cross-Region read replicas to improve availability and disaster recovery, scale out globally, or migrate an existing database to a new Region1. By creating a cross-Region read replica for the RDS database in the new Region, the company can have a standby copy of its primary database that can serve read-only traffic from users in Europe. A latency-based routing policy is a feature that enables you to route traffic based on the latency between your users and your resources. You can use latency-based routing to route traffic to the resource that provides the best latency2. By changing the Route 53 record to latency-based routing, the company can minimize latency for users who download reports by connecting them to the API Gateway API in the Region that provides the best response time.
The other options are not correct because:
Using AWS Database Migration Service (AWS DMS) to replicate the primary database in the original Region to the database in the new Region would not be as cost-effective or simple as using a
cross-Region read replica. AWS DMS is a service that enables you to migrate relational databases, data
warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to perform one-time migrations or continuous data replication with high availability and consolidate databases into
a petabyte-scale data warehouse3. However, AWS DMS requires more configuration and management than creating a cross-Region read replica, which is fully managed by Amazon RDS. AWS DMS also incurs additional charges for replication instances and tasks.
Creating an Amazon API Gateway Data API service integration with Amazon Redshift would not help with disaster recovery or minimizing latency. The Data API is a feature that enables you to query your Amazon Redshift cluster using HTTP requests, without needing a persistent connection or a SQL client. It is useful for building applications that interact with Amazon Redshift, but not for replicating or recovering data from an RDS database.
Creating an AWS Data Exchange datashare by connecting AWS Data Exchange to the Redshift cluster would not help with disaster recovery or minimizing latency. AWS Data Exchange is a service that makes it easy for AWS customers to exchange data in the cloud. You can use AWS Data Exchange to subscribe to a diverse selection of third-party data products or offer your own data products to other AWS customers. A datashare is a feature that enables you to share live and secure access to your Amazon Redshift data across your accounts or with third parties without copying or moving the underlying data. It is useful for sharing query results and views with other users, but not for replicating or recovering data from an RDS database.
References:
https://aws.amazon.com/dms/
https://docs.aws.amazon.com/redshift/latest/mgmt/data-api.html
https://aws.amazon.com/data-exchange/
https://docs.aws.amazon.com/redshift/latest/dg/datashare-overview.html

- (Exam Topic 3)
A company has an organization in AWS Organizations that includes a separate AWS account for each of the company's departments. Application teams from different departments develop and deploy solutions independently.
The company wants to reduce compute costs and manage costs appropriately across departments. The company also wants to improve visibility into billing for individual departments. The company does not want to lose operational flexibility when the company selects compute resources.
Which solution will meet these requirements?

1. A. Use AWS Budgets for each departmen
2. B. Use Tag Editor to apply tags to appropriate resource
3. C. Purchase EC2 Instance Savings Plans.
4. D. Configure AWS Organizations to use consolidated billin
5. E. Implement a tagging strategy that identifies department
6. F. Use SCPs to apply tags to appropriate resource
7. G. Purchase EC2 Instance Savings Plans.
8. H. Configure AWS Organizations to use consolidated billin
9. I. Implement a tagging strategy that identifies department
10. J. Use Tag Editor to apply tags to appropriate resource
11. K. Purchase Compute Savings Plans.
12. L. Use AWS Budgets for each departmen
13. M. Use SCPs to apply tags to appropriate resource
14. N. Purchase Compute Savings Plans.

Correct Answer: C

- (Exam Topic 3)
A company is using AWS Control Tower to manage AWS accounts in an organization in AWS Organizations. The company has an OU that contains accounts. The company must prevent any new or existing Amazon EC2 instances in the OUs accounts from gaining a public IP address.
Which solution will meet these requirements?

1. A. Configure all instances in each account in the OU to use AWS Systems Manage
2. B. Use a Systems Manager Automation runbook to prevent public IP addresses from being attached to the instances.
3. C. Implement the AWS Control Tower proactive control to check whether instances in the OU's accounts have a public IP addres
4. D. Set the AssociatePubIicIpAddress property to Fals
5. E. Attach the proactive control to the OU.
6. F. Create an SCP that prevents the launch of instances that have a public IP addres
7. G. Additionally, configure the SCP to prevent the attachment of a public IP address to existing instance
8. H. Attach the SCP to the OU.
9. I. Create an AWS Config custom rule that detects instances that have a public IP addres
10. J. Configure a remediation action that uses an AWS Lambda function to detach the public IP addresses from the instances.

Correct Answer: C
This option will meet the requirements of preventing any new or existing EC2 instances in the OU’s accounts from gaining a public IP address. An SCP is a policy that you can attach to an OU or an account in AWS Organizations to define the maximum permissions for the entities in that OU or account. By creating an SCP that denies the ec2:RunInstances and ec2:AssociateAddress actions when the value of the aws:RequestTag/aws:PublicIp condition key is true, you can prevent any user or role in the OU from launching instances that have a public IP address or attaching a public IP address to existing instances. This will effectively enforce a security best practice and reduce the risk of unauthorized access to your EC2 instances.