Free SAP-C01 Exam Braindumps (page: 28)

Page 28 of 134

A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables provide the database credentials to the Lambda function.

The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the Internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.

What should the solutions architect recommend to meet these requirements?

  1. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
  2. Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.
  3. Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.
  4. Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.

Answer(s): A

Explanation:

To enhance the security of the AWS Lambda function and limit the impact of compromised database credentials, the recommended approach is to enable IAM database authentication on the Amazon Aurora cluster and let the Lambda function authenticate through its IAM role. This removes the need to store a long-lived password in the Lambda function's environment variables.

Option A addresses the requirements in three steps:

1. Enabling IAM database authentication: the Lambda function authenticates to the Aurora database with short-lived authentication tokens instead of a static password, which reduces the damage a leaked credential can do.
2. Changing the IAM role: the Lambda function's IAM role is modified to grant the permission needed to connect to the database using IAM authentication.
3. Deploying a gateway VPC endpoint for S3: all data transfers between the Lambda function and the S3 bucket stay on the AWS network and never traverse the public Internet.

This solution minimizes the impact of a credential compromise while keeping the data off the Internet during transfers.

The other options provide some security but do not fully meet both requirements: they either keep a stored credential in use or do not guarantee that data stays within the AWS network. Options C and D, for instance, use AWS Systems Manager Parameter Store or AWS Secrets Manager, which are valid credential-management services but still rely on a stored password, so they do not limit the impact of a compromised credential as effectively as IAM database authentication.
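As an added illustration (not part of the original page), this is the kind of execution-role policy that option A implies: it grants `rds-db:connect` for one database user on the Aurora cluster, allows writes to the bucket only when the request arrives through the gateway endpoint, and grants the KMS permission the SSE-KMS bucket needs. The region, account ID, cluster resource ID, database user, bucket name, endpoint ID and key ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConnectToAuroraWithIamAuth",
      "Effect": "Allow",
      "Action": "rds-db:connect",
      "Resource": "arn:aws:rds-db:us-east-1:111122223333:dbuser:cluster-RESOURCEID-PLACEHOLDER/lambda_reader"
    },
    {
      "Sid": "WriteAggregatesOnlyThroughGatewayEndpoint",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-aggregates-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "GenerateDataKeyForSseKms",
      "Effect": "Allow",
      "Action": "kms:GenerateDataKey",
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/KEYID-PLACEHOLDER"
    }
  ]
}
```

The role still needs the usual Lambda logging and VPC networking (ENI) permissions, which are omitted here; the `aws:SourceVpce` condition means a deployment that accidentally routes S3 traffic over the Internet is denied rather than silently allowed.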



A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.

While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company’s developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.

The solutions architect must implement a control mechanism to limit the instance types that the developers can launch.

Which solution will meet these requirements?

  1. Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.
  2. In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers’ IAM accounts.
  3. Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers.
  4. Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.

Answer(s): C

Explanation:

To control the instance types that developers can launch in Amazon EC2 while keeping costs in line with the organization's cost-management strategy, the best approach is an IAM policy that explicitly restricts the allowed instance types.

Option C is the most suitable solution for the following reasons:

1. IAM policy creation: a new IAM policy that specifies the allowed instance types enforces which EC2 instance types developers are permitted to launch, so they cannot launch larger or more expensive types that drive up costs.
2. Attaching to an IAM group: the policy is attached to an IAM group that contains all the developers, which is easier to manage than adjusting each developer's IAM user individually.
3. Least privilege: restricting launches to only the instance types the developers need follows the principle of least privilege and reduces the likelihood of cost overruns from unintentional use of expensive resources.

The other options do not give the same direct control over which instance types specific users may launch: AWS Config (option A) only evaluates instances after they are launched, and launch templates (option B) cannot be assigned to IAM users as a restriction. Option D, EC2 Image Builder, is unrelated to limiting instance types or to the cost issue identified. Option C is therefore the targeted and effective solution.
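An added example (not from the original page) of the policy option C describes, written as an explicit deny so that it works on top of whatever `ec2:RunInstances` permission the developers' group already has. The `ec2:InstanceType` condition key is evaluated against the instance resource of a `RunInstances` call; the three instance types on the allow list are placeholders chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInstanceTypesNotOnAllowList",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small",
            "t3.medium"
          ]
        }
      }
    }
  ]
}
```

Because an explicit deny overrides any allow, attaching this to the developers' group blocks every other instance type even if another policy grants broad EC2 access; the developers' existing allow for `RunInstances` (and for the AMI, subnet, security-group and volume resources a launch touches) is unchanged.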



A company is developing and hosting several projects in the AWS Cloud. The projects are developed across multiple AWS accounts under the same organization in AWS Organizations. The company requires the cost for cloud infrastructure to be allocated to the owning project. The team responsible for all of the AWS accounts has discovered that several Amazon EC2 instances are lacking the Project tag used for cost allocation.

Which actions should a solutions architect take to resolve the problem and prevent it from happening in the future? (Choose three.)

  1. Create an AWS Config rule in each account to find resources with missing tags.
  2. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing.
  3. Use Amazon Inspector in the organization to find resources with missing tags.
  4. Create an IAM policy in each account with a deny action for ec2:RunInstances if the Project tag is missing.
  5. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag.
  6. Use AWS Security Hub to aggregate a list of EC2 instances with the missing Project tag.

Answer(s): A,B,E

Explanation:

To ensure all EC2 instances carry the Project tag needed for cost allocation:

- A. Create an AWS Config rule in each account to find resources with missing tags. This continuously monitors and reports on instances that lack the required tag.
- B. Create an SCP in the organization with a deny action for ec2:RunInstances if the Project tag is missing. This enforces tagging at the organization level, preventing instances from being launched without the Project tag in any member account.
- E. Create an AWS Config aggregator for the organization to collect a list of EC2 instances with the missing Project tag. This gives centralized visibility across all accounts, making management and compliance verification easier.

Together, these actions both enforce and monitor tagging compliance across the AWS accounts.
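An added example (not from the original page) of the SCP that option B describes. The first statement denies `ec2:RunInstances` whenever the request does not carry a `Project` tag for the instance and its volumes; the second statement goes one step beyond the answer and also blocks removal of the tag afterwards, so an instance cannot be launched tagged and then untagged.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRunInstancesWithoutProjectTag",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/Project": "true"
        }
      }
    },
    {
      "Sid": "DenyRemovingProjectTag",
      "Effect": "Deny",
      "Action": "ec2:DeleteTags",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "Project"
          ]
        }
      }
    }
  ]
}
```

Launches must then supply the tag through `TagSpecifications` for both the instance and volume resource types, and SCPs never apply to the organization's management account, which is one reason the Config rule and aggregator from options A and E are still needed for detection.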



A company has an on-premises monitoring solution using a PostgreSQL database for persistence of events. The database is unable to scale due to heavy ingestion and it frequently runs out of storage.

The company wants to create a hybrid solution and has already set up a VPN connection between its network and AWS. The solution should include the following attributes:
- Managed AWS services to minimize operational complexity.
- A buffer that automatically scales to match the throughput of data and requires no ongoing administration.
- A visualization tool to create dashboards to observe events in near-real time.
- Support for semi-structured JSON data and dynamic schemas.

Which combination of components will enable the company to create a monitoring solution that will satisfy these requirements? (Choose two.)

  1. Use Amazon Kinesis Data Firehose to buffer events. Create an AWS Lambda function to process and transform events.
  2. Create an Amazon Kinesis data stream to buffer events. Create an AWS Lambda function to process and transform events.
  3. Configure an Amazon Aurora PostgreSQL DB cluster to receive events. Use Amazon QuickSight to read from the database and create near-real-time visualizations and dashboards.
  4. Configure Amazon Elasticsearch Service (Amazon ES) to receive events. Use the Kibana endpoint deployed with Amazon ES to create near-real-time visualizations and dashboards.
  5. Configure an Amazon Neptune DB instance to receive events. Use Amazon QuickSight to read from the database and create near-real-time visualizations and dashboards.

Answer(s): A,D

Explanation:

To create a hybrid monitoring solution that meets the specified requirements:

A) Use Amazon Kinesis Data Firehose to buffer events. Create an AWS Lambda function to process and transform events. Kinesis Data Firehose automatically scales to match data throughput and can handle semi-structured JSON data, providing a reliable buffer for event ingestion.

D) Configure Amazon Elasticsearch Service (Amazon ES) to receive events. Use the Kibana endpoint deployed with Amazon ES to create near-real-time visualizations and dashboards. Amazon ES is designed for indexing and searching large volumes of data, including semi-structured JSON, and Kibana allows for creating interactive dashboards to visualize the data in real time.

This combination minimizes operational complexity while providing the necessary capabilities for the company's monitoring needs.






Post your Comments and Discuss Amazon SAP-C01 exam with other Community members:

Mike commented on October 08, 2024
Not bad at all
CANADA

Petro UA commented on October 01, 2024
hate DNS questions. So need to practice more
UNITED STATES

Gilbert commented on September 14, 2024
Can't wait to pass mine
Anonymous

Paresh commented on April 19, 2023
There were only 3 new questions that I did not see in this exam dump. The rest of the questions were all word for word from this dump.
UNITED STATES

Matthew commented on October 18, 2022
An extremely helpful study package. I highly recommend.
UNITED STATES

Peter commented on June 23, 2022
I thought these were practice exam questions but they turned out to be real questions from the actual exam.
NETHERLANDS

Henry commented on September 29, 2021
I do not have the words to thank you guys. Passing this exam was creating many scary thoughts. I am glad I used your braindumps and passed. I can get a beer and relax now.
AUSTRALIA

Nik commented on April 12, 2021
I would not be able to pass my exam without your help. You guys rock!
SINGAPORE

Rohit commented on January 09, 2021
Thank you for the 50% sale. I really appreciate this price cut during this extraordinary time when everyone is having financial problems.
INDIA

Roger-That commented on December 23, 2020
The 20% holiday discount is a sweet deal. Thank you for the discount code.
UNITED STATES

Duke commented on October 23, 2020
It is helpful. Questions are real. Purchase is easy but the only problem is there is no option to pay in Euro. Only USD.
GERMANY

Tan Jin commented on September 09, 2020
The questions from this exam dump are valid. I got 88% in my exam today.
SINGAPORE

Dave commented on November 05, 2019
Useful practice questions to get a feel of the actual exam. Some of the answers are not correct so please exercise caution.
EUROPEAN UNION

Je commented on October 02, 2018
Great
UNITED STATES

Invisible Angel commented on January 11, 2018
Have yet to try, but most recommend it.
NEW ZEALAND

Mic commented on December 26, 2017
Nice dumps, site is secure and checkout process is a breeze.
UNITED STATES