SAP-C02 Free Practice Test

- (Exam Topic 2)
A solutions architect uses AWS Organizations to manage several AWS accounts for a company. The full Organizations feature set is activated for the organization. All production AWS accounts exist under an OU that is named "production ‘’ Systems operators have full administrative privileges within these accounts by using IAM roles.
The company wants to ensure that security groups in all production accounts do not allow inbound traffic for TCP port 22. All noncompliant security groups must be remediated immediately, and no new rules that allow port 22 can be created.
Winch solution will meet these requirements?

1. A. Write an SCP that denies the CreateSecurityGroup action with a condition o( ec2:tngress rule with value 22. Apply the SCP to the 'production' OU.
2. B. Configure an AWS CloudTrail trail for all accounts Send CloudTrail logs to an Amazon S3 bucket In the Organizations management accoun
3. C. Configure an AWS Lambda function on the management account with permissions to assume a role in all production accounts to describe and modify security group
4. D. Configure Amazon S3 to invoke the Lambda function on every PutObject event on the S3 bucket Configure the Lambda function to analyze each CloudTrail event for noncompliant security group actions and to automatically remediate any issues.
5. E. Create an Amazon EvertBridge (Amazon CloudWatch Events) event bus in the Organizations management accoun
6. F. Create an AWS Cloud Formation template to deploy configurations that send CreateSecurityGroup events to the even! bus from an production accounts Configure an AWS Lambda function in the management account with permissions to assume a role «i all production accounts to describe and modify security group
7. G. Configure the event bus to invoke the Lambda function Configure the Lambda function to analyse each event for noncompliant security group actions and to automatically remediate any issues.
8. H. Create an AWS CloudFormation template to turn on AWS Config Activate the INCOMING_SSH_DISABLED AWS Config managed rule Deploy an AWS Lambda function that will run based on AWS Config findings and will remediate noncompliant resources Deploy the CloudFormation template by using a StackSet that is assigned to the "production" O
9. I. Apply an SCP to the OU to deny modification of the resources that the CloudFormation template provisions.

Correct Answer: D

- (Exam Topic 2)
A new startup is running a serverless application using AWS Lambda as the primary source of compute New versions of the application must be made available to a subset of users before deploying changes to all users Developers should also have the ability to stop the deployment and have access to an easy rollback mechanism A solutions architect decides to use AWS CodeDeploy to deploy changes when a new version is available.
Which CodeDeploy configuration should the solutions architect use?

1. A. A blue/green deployment
2. B. A linear deployment
3. C. A canary deployment
4. D. An all-at-once deployment

Correct Answer: C

- (Exam Topic 2)
A company is running a critical application that uses an Amazon RDS for MySQL database to store data. The RDS DB instance is deployed in Multi-AZ mode.
A recent RDS database failover test caused a 40-second outage to the application A solutions architect needs to design a solution to reduce the outage time to less than 20 seconds.
Which combination of steps should the solutions architect take to meet these requirements? (Select THREE.)

1. A. Use Amazon ElastiCache for Memcached in front of the database
2. B. Use Amazon ElastiCache for Redis in front of the database.
3. C. Use RDS Proxy in front of the database
4. D. Migrate the database to Amazon Aurora MySQL
5. E. Create an Amazon Aurora Replica
6. F. Create an RDS for MySQL read replica

Correct Answer: ABF

- (Exam Topic 1)
A company maintains a restaurant review website. The website is a single-page application where files are stored in Amazon S3 and delivered using Amazon CloudFront. The company receives several fake postings every day that are manually removed.
The security team has identified that most of the fake posts are from bots with IP addresses that have a bad reputation within the same global region. The team needs to create a solution to help restrict the bots from accessing the website.
Which strategy should a solutions architect use?

1. A. Use AWS Firewall Manager to control the CloudFront distribution security setting
2. B. Create a geographical block rule and associate it with Firewall Manager.
3. C. Associate an AWS WAF web ACL with the CloudFront distributio
4. D. Select the managed Amazon IP reputation rule group for the web ACL with a deny action.
5. E. Use AWS Firewall Manager to control the CloudFront distribution security setting
6. F. Select the managed Amazon IP reputation rule group and associate it with Firewall Manager with a deny action.
7. G. Associate an AWS WAF web ACL with the CloudFront distributio
8. H. Create a rule group for the web ACL with a geographical match statement with a deny action.

Correct Answer: B
IP reputation rule groups allow you to block requests based on their source. Choose one or more of these rule groups if you want to reduce your exposure to BOTS!!!! traffic or exploitation attempts
The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Inspects for a list of IP addresses that have been identified as bots by Amazon threat intelligence.

- (Exam Topic 2)
A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS
Which combination of steps should a solutions architect take to meet these requirements? (Select TWO.)

1. A. Establish a networking account in the AWS Cloud Create a private VPC in the networking account Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC
2. B. Establish a networking account in the AWS Cloud Create a private VPC in the networking account Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC
3. C. Create an Amazon S3 interface endpoint in the networking account
4. D. Create an Amazon S3 gateway endpoint in the networking account
5. E. Establish a networking account in the AWS Clou
6. F. Create a private VPC in the networking account Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account

Correct Answer: AD