SAP-C02 Free Practice Test

- (Exam Topic 3)
A company is rearchitecting its applications to run on AWS. The company's infrastructure includes multiple Amazon EC2 instances. The company's development team needs different levels of access. The company wants to implement a policy that requires all Windows EC2 instances to be joined to an Active Directory domain on AWS. The company also wants to Implement enhanced security processes such as multi-factor authentication (MFA). The company wants to use managed AWS services wherever possible.
Which solution will meet these requirements?

1. A. Create an AWS Directory Service for Microsoft Active Directory implementatio
2. B. Launch an Amazon Workspac
3. C. Connect to and use the Workspace for domain security configuration tasks.
4. D. Create an AWS Directory Service for Microsoft Active Directory implementatio
5. E. Launch an EC2 instanc
6. F. Connect to and use the EC2 instance for domain security configuration tasks.
7. G. Create an AWS Directory Service Simple AD implementatio
8. H. Launch an EC2 instanc
9. I. Connect to and use the EC2 instance for domain security configuration tasks.
10. J. Create an AWS Directory Service Simple AD implementatio
11. K. Launch an Amazon Workspac
12. L. Connect to and use the Workspace for domain security configuration tasks.

Correct Answer: A
A is the correct answer because it uses AWS Directory Service for Microsoft Active Directory to join the Windows EC2 instances to an Active Directory domain on AWS and enable MFA. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is a fully managed service that is powered by Windows Server 2019. It allows you to run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory. AWS Managed Microsoft AD supports MFA by integrating with your existing RADIUS-based MFA infrastructure. To join the Windows EC2 instances to an Active Directory domain on AWS, you can use an Amazon Workspace, which is a fully managed, secure desktop computing service that runs on AWS. You can connect to and use the Workspace for domain security configuration tasks. References:
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_microsoft_ad.html
https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_join_instance.html
https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html

- (Exam Topic 3)
An enterprise company is building an infrastructure services platform for its users. The company has the following requirements:
Provide least privilege access to users when launching AWS infrastructure so users cannot provision unapproved services.
Use a central account to manage the creation of infrastructure services.
Provide the ability to distribute infrastructure services to multiple accounts in AWS Organizations.
Provide the ability to enforce tags on any infrastructure that is started by users.
Which combination of actions using AWS services will meet these requirements? (Choose three.)

1. A. Develop infrastructure services using AWS Cloud Formation template
2. B. Add the templates to a central Amazon S3 bucket and add the-IAM roles or users that require access to the S3 bucket policy.
3. C. Develop infrastructure services using AWS Cloud Formation template
4. D. Upload each template as an AWS Service Catalog product to portfolios created in a central AWS accoun
5. E. Share these portfolios with the Organizations structure created for the company.
6. F. Allow user IAM roles to have AWSCloudFormationFullAccess and AmazonS3ReadOnlyAccess permission
7. G. Add an Organizations SCP at the AWS account root user level to deny all services except AWS CloudFormation and Amazon S3.
8. H. Allow user IAM roles to have ServiceCatalogEndUserAccess permissions onl
9. I. Use an automation script to import the central portfolios to local AWS accounts, copy the TagOption assign users access and apply launch constraints.
10. J. Use the AWS Service Catalog TagOption Library to maintain a list of tags required by the company.Apply the TagOption to AWS Service Catalog products or portfolios.
11. K. Use the AWS CloudFormation Resource Tags property to enforce the application of tags to any CloudFormation templates that will be created for users.

Correct Answer: BDE

Developing infrastructure services using AWS CloudFormation templates and uploading them as AWS Service Catalog products to portfolios created in a central AWS account will enable the company to
centrally manage the creation of infrastructure services and control who can use them1. AWS Service Catalog allows you to create and manage catalogs of IT services that are approved for use on
AWS2. You can organize products into portfolios, which are collections of products along with configuration information3. You can share portfolios with other accounts in your organization using AWS Organizations4.
Allowing user IAM roles to have ServiceCatalogEndUserAccess permissions only and using an automation script to import the central portfolios to local AWS accounts, copy the TagOption, assign users access, and apply launch constraints will enable the company to provide least privilege access to users when launching AWS infrastructure services. ServiceCatalogEndUserAccess is a managed IAM policy that grants users permission to list and view products and launch product instances. An automation script can help import the shared portfolios from the central account to the local accounts, copy the TagOption from the central account, assign users access to the portfolios, and apply launch constraints that specify which IAM role or user can provision a product.
Using the AWS Service Catalog TagOption Library to maintain a list of tags required by the company and applying the TagOption to AWS Service Catalog products or portfolios will enable the company to enforce tags on any infrastructure that is started by users. TagOptions are key-value pairs that you can use to classify your AWS Service Catalog resources. You can create a TagOption Library that contains all the tags that you want to use across your organization. You can apply TagOptions to products or portfolios, and they will be automatically applied to any provisioned product instances.
References:
Creating a product from an existing CloudFormation template
What is AWS Service Catalog?
Working with portfolios
Sharing a portfolio with AWS Organizations
[Providing least privilege access for users]
[AWS managed policies for job functions]
[Importing shared portfolios]
[Enforcing tag policies]
[Working with TagOptions]
[Creating a TagOption Library]
[Applying TagOptions]

- (Exam Topic 1)
A company is subject to regulatory audits of its financial information. External auditors who use a single AWS account need access to the company's AWS account. A solutions architect must provide the auditors with secure, read-only access to the company's AWS account. The solution must comply with AWS security best practices.
Which solution will meet these requirements?

1. A. In the company's AWS account, create resource policies for all resources in the account to grant access to the auditors' AWS accoun
2. B. Assign a unique external ID to the resource policy.
3. C. In the company's AWS account create an IAM role that trusts the auditors' AWS account Create an IAM policy that has the required permission
4. D. Attach the policy to the rol
5. E. Assign a unique external ID to the role's trust policy.
6. F. In the company's AWS account, create an IAM use
7. G. Attach the required IAM policies to the IAM user.Create API access keys for the IAM use
8. H. Share the access keys with the auditors.
9. I. In the company's AWS account, create an IAM group that has the required permissions Create an IAM user in the company s account for each audito
10. J. Add the IAM users to the IAM group.

Correct Answer: B
This solution will allow the external auditors to have read-only access to the company's AWS account while being compliant with AWS security best practices. By creating an IAM role, which is a secure and flexible way of granting access to AWS resources, and trusting the auditors' AWS account, the company can ensure that the auditors only have the permissions that are required for their role and nothing more. Assigning a unique external ID to the role's trust policy, it will ensure that only the auditors' AWS account can assume the role.
Reference:
AWS IAM Roles documentation: https://aws.amazon.com/iam/features/roles/ AWS IAM Best practices: https://aws.amazon.com/iam/security-best-practices/

- (Exam Topic 3)
A company is deploying a third-party web application on AWS. The application is packaged as a Docker image. The company has deployed the Docker image as an AWS Fargate service in Amazon Elastic Container Service (Amazon ECS). An Application Load Balancer (ALB) directs traffic to the application.
The company needs to give only a specific list of users the ability to access the application from the internet. The company cannot change the application and cannot integrate the application with an identity provider. All users must be authenticated through multi-factor authentication (MFA).
Which solution will meet these requirements?

1. A. Create a user pool in Amazon Cognit
2. B. Configure the pool for the applicatio
3. C. Populate the pool with the required user
4. D. Configure the pool to require MF
5. E. Configure a listener rule on the ALB to require authentication through the Amazon Cognito hosted UI.
6. F. Configure the users in AWS Identity and Access Management (IAM). Attach a resource policy to the Fargate service to require users to use MF
7. G. Configure a listener rule on the ALB to require authentication through IAM.
8. H. Configure the users in AWS Identity and Access Management (IAM). Enable AWS IAM Identity Center (AWS Single Sign-On). Configure resource protection for the AL
9. I. Create a resource protection rule to require users to use MFA.
10. J. Create a user pool in AWS Amplif
11. K. Configure the pool for the applicatio
12. L. Populate the pool with the required user
13. M. Configure the pool to require MF
14. N. Configure a listener rule on the ALB to require authentication through the Amplify hosted UI.

Correct Answer: A
Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with a username and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listener rule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate users before forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

- (Exam Topic 2)
A solutions architect needs to review the design of an Amazon EMR cluster that is using the EMR File System (EMRFS). The cluster performs tasks that are critical to business needs. The cluster is running Amazon EC2 On-Demand Instances at all times tor all task, primary, and core nodes. The EMR tasks run each morning, starting at 1 ;00 AM. and take 6 hours to finish running. The amount of time to complete the processing is not a priority because the data is not referenced until late in the day.
The solutions architect must review the architecture and suggest a solution to minimize the compute costs. Which solution should the solutions architect recommend to meet these requirements?

1. A. Launch all task, primary, and core nodes on Spool Instances in an instance flee
2. B. Terminate the cluster, including all instances, when the processing is completed.
3. C. Launch the primary and core nodes on On-Demand Instance
4. D. Launch the task nodes on Spot Instances in an instance flee
5. E. Terminate the cluster, including all instances, when the processing is complete
6. F. Purchase Compute Savings Plans to cover the On-Demand Instance usage.
7. G. Continue to launch all nodes on On-Demand Instance
8. H. Terminate the cluster, including all instances, when the processing is complete
9. I. Purchase Compute Savings Plans to cover the On-Demand Instance usage
10. J. Launch the primary and core nodes on On-Demand Instance
11. K. Launch the task nodes on Spot Instances in an instance flee
12. L. Terminate only the task node instances when the processing is complete
13. M. Purchase Compute Savings Plans to cover the On-Demand Instance usage.

Correct Answer: A
Amazon EC2 Spot Instances offer spare compute capacity at steep discounts compared to On-Demand prices. Spot Instances can be interrupted by EC2 with two minutes of notification when EC2 needs the capacity back. Amazon EMR can handle Spot interruptions gracefully by decommissioning the nodes and redistributing the tasks to other nodes. By launching all nodes on Spot Instances in an instance fleet, the solutions architect can minimize the compute costs of the EMR cluster. An instance fleet is a collection of EC2 instances with different types and sizes that EMR automatically provisions to meet a defined target capacity. By terminating the cluster when the processing is completed, the solutions architect can avoid paying for idle resources. References:
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-managed-scaling.html
https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-instance-fleet.html
https://aws.amazon.com/blogs/big-data/optimizing-amazon-emr-for-resilience-and-cost-with-capacity-opt