SAP-C01 (Page 64)

A company uses Amazon S3 to host a web application.Currently, the company uses a continuous integration tool running on an Amazon EC2 instance that builds and deploys the application by uploading it to an S3 bucket.A Solutions Architect needs to enhance the security of the company’s platform with the following requirements:✑ A build process should be run in a separate account from the account hosting the web application.✑ A build process should have minimal access in the account it operates in.✑ Long-lived credentials should not be used.As a start, the Development team created two AWS accounts: one for the application named web account process; other is a named build account.Which solution should the Solutions Architect use to meet the security requirements?Read More →

A company experienced a breach of highly confidential personal information due to permission issues on an Amazon S3 bucket.The Information Security team has tightened the bucket policy to restrict access.Additionally, to be better prepared for future attacks, these requirements must be met:✑ Identify remote IP addresses that are accessing the bucket objects.✑ Receive alerts when the security policy on the bucket is changed.✑ Remediate the policy changes automatically.Which strategies should the Solutions Architect use?Read More →

A Solutions Architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint.The SolutionsArchitect wants an end-to-end view of each request to analyze the latency of the request and create service maps.How can the Solutions Architect design the API Gateway access control and perform request inspections?Read More →

A large company with hundreds of AWS accounts has a newly established centralized internal process for purchasing new or modifying existing ReservedInstances.This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement or execution.Previously, business units would directly purchase or modify Reserved Instances in their own respective AWS accounts autonomously.Which combination of steps should be taken to proactively enforce the new process in the MOST secure way possible? (Choose two.)Read More →

A company is having issues with a newly deployed serverless infrastructure that uses Amazon API Gateway, Amazon Lambda, and Amazon DynamoDB.In a steady state, the application performs as expected.However, during peak load, tens of thousands of simultaneous invocations are needed and user requests fail multiple times before succeeding.The company has checked the logs for each component, focusing specifically on Amazon CloudWatch Logs for Lambda.There are no errors logged by the services or applications.What might cause this problem?Read More →

During a security audit of a Service team’s application, a Solutions Architect discovers that a username and password for an Amazon RDS database and a set ofAWS IAM user credentials can be viewed in the AWS Lambda function code.The Lambda function uses the username and password to run queries on the database, and it uses the IAM credentials to call AWS services in a separate management account.The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code.The management account and the Service team’s account are in separate AWS Organizations organizational units (OUs).Which combination of changes should the Solutions Architect make to improve the solution’s security? (Choose two.)Read More →

A solutions architect is implementing infrastructure as code for a two-tier web application in an AWS CloudFormation template.The web frontend application will be deployed on Amazon EC2 instances in an Auto Scaling group.The backend database will be an Amazon RDS for MySQL DB instance.The database password will be rotated every 60 days.How can the solutions architect MOST securely manage the configuration of the application’s database credentials?Read More →

A company has built a high performance computing (HPC) cluster in AWS for a tightly coupled workload that generates a large number of shared files stored inAmazon EFS.The cluster was performing well when the number of Amazon EC2 instances in the cluster was 100.However, when the company increased the cluster size to 1,000 EC2 instances, overall performance was well below expectations.Which collection of design choices should a solutions architect make to achieve the maximum performance from the HPC cluster? (Choose three.)Read More →

Your company hosts a social media site supporting users in multiple countries. You have been asked to provide a highly available design tor the application that leverages multiple regions tor the most recently accessed content and latency sensitive portions of the wet) site The most latency sensitive component of the application involves reading user preferences to support web site personalization and ad selection.In addition to running your application in multiple regions, which option will support this application’s requirements?Read More →

You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an e-commerce platform to Amazon Virtual Private Cloud(VPC) The previous architect has already deployed a 3-tier VPC.The configuration is as follows:VPC: vpc-2f8bc447 -IGW: igw-2d8bc445 -NACL: ad-208bc448 -Subnets and Route Tables:Web servers: subnet-258bc44d -Application servers: subnet-248bc44cDatabase servers: subnet-9189c6f9Route Tables:rrb-218bc449rtb-238bc44bAssociations:subnet-258bc44d : rtb-218bc449subnet-248bc44c : rtb-238bc44bsubnet-9189c6f9 : rtb-238bc44bYou are now ready to begin deploying EC2 instances into the VPC  Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet.Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?Read More →