AWS Certified Solutions Architect Professional (SAP C02)

Topic 1 - Exam A

Question #21 Topic 1

A solutions architect needs to copy data from an Amazon S3 bucket in an AWS account to a new S3 bucket in a new AWS account. The solutions architect must implement a solution that uses the AWS CLI. Which combination of steps will successfully copy the data? (Choose three.)

  • A Create a bucket policy to allow the source bucket to list its contents and to put objects and set object ACLs in the destination bucket. Attach the bucket policy to the destination bucket.
  • B Create a bucket policy to allow a user in the destination account to list the source bucket’s contents and read the source bucket’s objects. Attach the bucket policy to the source bucket.
  • C Create an IAM policy in the source account. Configure the policy to allow a user in the source account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
  • D Create an IAM policy in the destination account. Configure the policy to allow a user in the destination account to list contents and get objects in the source bucket, and to list contents, put objects, and set object ACLs in the destination bucket. Attach the policy to the user.
  • E Run the aws s3 sync command as a user in the source account. Specify the source and destination buckets to copy the data.
  • F Run the aws s3 sync command as a user in the destination account. Specify the source and destination buckets to copy the data.
Suggested Answer: BDF
NOTE: Answer is: B, D, F
Explanation: To copy data from one S3 bucket to another one in a different AWS account, bucket policies and IAM policies must be correctly configured. Option B sets up a bucket policy on the source bucket to allow a user in the destination account to read its contents. Option D configures an IAM policy in the destination account, allowing a user to get objects from the source bucket and put objects into the destination bucket. Finally, option F runs the sync command from the destination account, which ensures that the data is successfully copied from the source bucket to the destination bucket.

Question #22 Topic 1

A company recently acquired several other companies. Each company has a separate AWS account with a different billing and reporting method. The acquiring company has consolidated all the accounts into one organization in AWS Organizations. However, the acquiring company has found it difficult to generate a cost report that contains meaningful groups for all the teams. The acquiring company’s finance team needs a solution to report on costs for all the companies through a self-managed application. Which solution will meet these requirements?

  • A Create an AWS Cost and Usage Report for the organization. Define tags and cost categories in the report. Create a table in Amazon Athena. Create an Amazon QuickSight dataset based on the Athena table. Share the dataset with the finance team.
  • B Create an AWS Cost and Usage Report for the organization. Define tags and cost categories in the report. Create a specialized template in AWS Cost Explorer that the finance department will use to build reports.
  • C Create an Amazon QuickSight dataset that receives spending information from the AWS Price List Query API. Share the dataset with the finance team.
  • D Use the AWS Price List Query API to collect account spending information. Create a specialized template in AWS Cost Explorer that the finance department will use to build reports.
Suggested Answer: A
NOTE: Answer is: A
Explanation: The company needs a solution to report on costs for all the companies through a self-managed application. 'A' is the best answer because it involves creating an AWS Cost and Usage Report for the organization, defining tags and cost categories in the report, and creating a table in Amazon Athena. This way, an Amazon QuickSight dataset can be created based on the Athena table and then shared with the finance team. This approach allows for a thorough and clear report to be generated that the finance team can use to manage costs across all the companies.

Question #23 Topic 1

A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection. The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts. A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home. What is the MOST cost-effective solution that meets these requirements?

  • A Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.
  • B Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.
  • C Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure required routing that allows access to internal applications.
  • D Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.
Suggested Answer: B
NOTE: Answer is: B
Explanation: This is the most cost-effective solution as it only requires the creation of a Client VPN endpoint in the main AWS account. Unlike options C and D, it does not require the provision of a transit gateway or establishment of secondary connectivity. It is also more efficient than option A, as it does not require the creation of multiple VPN endpoints across all AWS accounts.

Question #24 Topic 1

A company is building an electronic document management system in which users upload their documents. The application stack is entirely serverless and runs on AWS in the eu-central-1 Region. The system includes a web application that uses an Amazon CloudFront distribution for delivery with Amazon S3 as the origin. The web application communicates with Amazon API Gateway Regional endpoints. The API Gateway APIs call AWS Lambda functions that store metadata in an Amazon Aurora Serverless database and put the documents into an S3 bucket. The company is growing steadily and has completed a proof of concept with its largest customer. The company must improve latency outside of Europe. Which combination of actions will meet these requirements? (Choose two.)

  • A Enable S3 Transfer Acceleration on the S3 bucket. Ensure that the web application uses the Transfer Acceleration signed URLs.
  • B Create an accelerator in AWS Global Accelerator. Attach the accelerator to the CloudFront distribution.
  • C Change the API Gateway Regional endpoints to edge-optimized endpoints.
  • D Provision the entire stack in two other locations that are spread across the world. Use global databases on the Aurora Serverless cluster.
  • E Add an Amazon RDS proxy between the Lambda functions and the Aurora Serverless database.
Suggested Answer: AC
NOTE: Answer is: A, C
Explanation: A represents using S3 Transfer Acceleration, which would speed up the transfer of documents to the S3 bucket from anywhere in the world. C represents changing API Gateway Regional endpoints to edge-optimized endpoints, which would reduce the latency outside of Europe as requests are routed through CloudFront edge locations around the world.

Question #25 Topic 1

A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company’s global offices and the transit account. The company has AWS Config enabled on all of its accounts. The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely. Which solution meets these requirements with the LEAST amount of operational overhead?

  • A Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.
  • B Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.
  • C In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
  • D In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.
Suggested Answer: C
NOTE: Answer is: C
Explanation: Creating a VPC prefix list in the transit account with the internal IP address ranges, then sharing this prefix list with all the accounts using AWS Resource Access Manager, is the solution with the least operational overhead. It allows central management of the IP address ranges, and developers can directly reference this list without the need for an AWS Lambda function or an AWS Config managed rule.