Free SAP-C01 Exam Braindumps (page: 31)

Page 31 of 134

A company is migrating some of its applications to AWS. The company wants to migrate and modernize the applications quickly after it finalizes networking and security strategies. The company has set up an AWS Direct Connect connection in a central network account.

The company expects to have hundreds of AWS accounts and VPCs in the near future. The corporate network must be able to access the resources on AWS seamlessly and also must be able to communicate with all the VPCs. The company also wants to route its cloud resources to the internet through its on-premises data center.

Which combination of steps will meet these requirements? (Choose three.)

  A. Create a Direct Connect gateway in the central account. In each of the accounts, create an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway.
  B. Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway by using a transit VIF.
  C. Provision an internet gateway. Attach the internet gateway to subnets. Allow internet traffic through the gateway.
  D. Share the transit gateway with other accounts. Attach VPCs to the transit gateway.
  E. Provision VPC peering as necessary.
  F. Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center.

Answer(s): B,D,F

Explanation:

To successfully migrate and modernize the applications while ensuring seamless access to AWS resources from the corporate network, the following steps are essential:

B) Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway using a transit VIF. This setup enables a central point for routing traffic from the on-premises data center to multiple VPCs across various AWS accounts, leveraging the high bandwidth and low latency of AWS Direct Connect.

D) Share the transit gateway with other accounts. Attach VPCs to the transit gateway. By sharing the transit gateway, all associated VPCs can communicate with one another and with the on-premises data center, facilitating efficient routing between accounts.

F) Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center. This ensures that internet-bound traffic is routed through the on-premises data center, maintaining compliance with the company's networking strategy.

This approach ensures scalability, efficient resource access, and the ability to route traffic as required, all while minimizing operational complexity.



A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.

A solutions architect needs to enforce the new process in the most secure way possible.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  A. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
  B. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  C. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  D. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
  E. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.

Answer(s): A,D

Explanation:

To enforce a centralized process for purchasing and modifying Reserved Instances in a secure manner across multiple AWS accounts, the following steps should be taken:

A) Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled. This setup allows for centralized management of policies and permissions across all accounts, enabling the implementation of Service Control Policies (SCPs) to restrict actions at the organizational level.

D) Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization. By using SCPs, the organization can enforce the new procurement process across all accounts within the specified OUs, ensuring that no business unit can independently purchase or modify Reserved Instances without going through the designated procurement team.

Together, these steps ensure that the process is both secure and compliant with the new centralized purchasing strategy.
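The SCP from option D and its effect on an account administrator, as an added example that is not part of the original page. The policy documents are Python dicts, the evaluation is a deliberately simplified model of how an explicit Deny in an SCP overrides an IAM Allow, and the helper names and the sample IAM policy are constructed for illustration.

```python
from fnmatch import fnmatchcase

# SCP from option D: deny Reserved Instance purchase and modification.
RI_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyReservedInstanceChanges",
        "Effect": "Deny",
        "Action": [
            "ec2:PurchaseReservedInstancesOffering",
            "ec2:ModifyReservedInstances",
        ],
        "Resource": "*",
    }],
}

# Constructed sample: a business-unit administrator with full IAM permissions.
BU_ADMIN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def matches(policy, effect, action):
    """True if a statement with this effect names the action (wildcards allowed)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == effect and any(
            fnmatchcase(action.lower(), a.lower()) for a in actions
        ):
            return True
    return False


def is_allowed(action, iam_policy, scps):
    """Simplified model: any explicit Deny wins, then the IAM policy must Allow.

    Assumes the default FullAWSAccess SCP stays attached, so the SCPs passed
    here only remove permissions (deny-list strategy).
    """
    if any(matches(scp, "Deny", action) for scp in scps):
        return False
    if matches(iam_policy, "Deny", action):
        return False
    return matches(iam_policy, "Allow", action)
```

An administrator inside a member account can detach a per-account IAM deny policy (option C) but cannot alter an SCP attached by the organization. SCPs do not restrict the organization's management account, so procurement access there still has to be controlled with IAM.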



A company is running a critical application that uses an Amazon RDS for MySQL database to store data. The RDS DB instance is deployed in Multi-AZ mode.

A recent RDS database failover test caused a 40-second outage to the application. A solutions architect needs to design a solution to reduce the outage time to less than 20 seconds.

Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)

  A. Use Amazon ElastiCache for Memcached in front of the database.
  B. Use Amazon ElastiCache for Redis in front of the database.
  C. Use RDS Proxy in front of the database.
  D. Migrate the database to Amazon Aurora MySQL.
  E. Create an Amazon Aurora Replica.
  F. Create an RDS for MySQL read replica.

Answer(s): C,D,E

Explanation:

To reduce the outage time during RDS database failover to less than 20 seconds, the following steps should be taken:

C) Use RDS Proxy in front of the database. RDS Proxy helps manage connections to the RDS database and allows for connection pooling, which can reduce failover times by maintaining connections through the proxy. In case of a failover, the proxy can quickly redirect connections to the new primary database instance.

D) Migrate the database to Amazon Aurora MySQL. Amazon Aurora is designed for high availability and can provide faster failover times compared to RDS for MySQL. It offers a more resilient architecture that can minimize downtime during failovers.

E) Create an Amazon Aurora Replica. Aurora Replicas can be used to offload read traffic and, during a failover, they can be promoted quickly to a primary instance, thus significantly reducing the downtime experienced during a failover.

By implementing these solutions, the company can enhance its application's availability and ensure that failover times are minimized.



An AWS partner company is building a service in AWS Organizations using its organization named org1. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2. The company must establish least privilege security access using an API or command line tool to the customer account.

What is the MOST secure way to allow org1 to access resources in org2?

  A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks.
  B. The customer should create an IAM user and assign the required permissions to the IAM user. The customer should then provide the credentials to the partner company to log in and perform the required tasks.
  C. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN) when requesting access to perform the required tasks.
  D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including the external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.

Answer(s): D

Explanation:

The most secure way to allow the partner company in org1 to access resources in the customer account in org2 is:

D) The customer should create an IAM role and assign the required permissions to that role. The partner company should then use the IAM role’s Amazon Resource Name (ARN), including an external ID in the IAM role’s trust policy, when requesting access to perform the required tasks.

This approach provides several security benefits:

IAM Role: Roles are designed for temporary access and can have permissions tailored to specific tasks, adhering to the principle of least privilege.

Trust Policy with External ID: Using an external ID helps mitigate the risk of the confused deputy problem, ensuring that only the intended third party (the partner company) can assume the role, even if the ARN is known to others.

By using IAM roles with external IDs, the customer can securely grant access without sharing long-term credentials or access keys, minimizing the risk of unauthorized access.
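The difference between options C and D, as an added example that is not part of the original page: the role trust policy with and without the `sts:ExternalId` condition, checked against a simplified model of the AssumeRole trust evaluation. The account IDs, role ARN, external ID values and function names are placeholders constructed for illustration, and the model assumes the partner always sends the external ID it issued to the tenant making the request.

```python
PARTNER_ACCOUNT = "111111111111"  # placeholder: the partner's (org1) account
CUSTOMER_ROLE = "arn:aws:iam::222222222222:role/PartnerAccess"  # placeholder


def trust_policy(external_id=None):
    """Trust policy the customer attaches to the role; None models option C."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_permitted(policy, caller_account, external_id=None):
    """Simplified model of the trust-policy check made on sts:AssumeRole."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        required = cond.get("sts:ExternalId")
        if required is None or required == external_id:
            return True
    return False


def partner_acts_for(tenant, registry, roles):
    """The deputy: uses the role ARN and external ID stored for this tenant."""
    role_arn, external_id = registry[tenant]
    return assume_role_permitted(roles[role_arn], PARTNER_ACCOUNT, external_id)


def scenario(with_external_id):
    """Returns (customer request succeeds, other tenant's request succeeds)."""
    registry = {
        "customer": (CUSTOMER_ROLE, "ext-customer-0001"),
        # Constructed case: a second tenant registers the customer's role ARN.
        "other-tenant": (CUSTOMER_ROLE, "ext-other-0002"),
    }
    policy = trust_policy("ext-customer-0001" if with_external_id else None)
    roles = {CUSTOMER_ROLE: policy}
    return (partner_acts_for("customer", registry, roles),
            partner_acts_for("other-tenant", registry, roles))
```

Without the condition both requests reach the customer's role because the trust policy only checks that the caller is the partner account; with it, the request made on behalf of the other tenant carries the wrong external ID and is refused.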






Post your Comments and Discuss Amazon SAP-C01 exam with other Community members:

Mike commented on October 08, 2024
Not bad at all
CANADA

Petro UA commented on October 01, 2024
hate DNS questions. So need to practice more
UNITED STATES

Gilbert commented on September 14, 2024
Can't wait to pass mine
Anonymous

Paresh commented on April 19, 2023
There were only 3 new questions that I did not see in this exam dumps. The rest of the questions were all word by word from this dump.
UNITED STATES

Matthew commented on October 18, 2022
An extremely helpful study package. I highly recommend.
UNITED STATES

Peter commented on June 23, 2022
I thought these were practice exam questions but they turned out to be real questions from the actual exam.
NETHERLANDS

Henry commented on September 29, 2021
I do not have the words to thank you guys. Passing this exam was creating many scary thoughts. I am glad I used your braindumps and passed. I can get a beer and relax now.
AUSTRALIA

Nik commented on April 12, 2021
I would not be able to pass my exam without your help. You guys rock!
SINGAPORE

Rohit commented on January 09, 2021
Thank you for the 50% sale. I really appreciate this price cut during this extraordinary time where everyone is having financial problem.
INDIA

Roger-That commented on December 23, 2020
The 20% holiday discount is a sweet deal. Thank you for the discount code.
UNITED STATES

Duke commented on October 23, 2020
It is helpful. Questions are real. Purchase is easy but the only problem, there is no option to pay in Euro. Only USD.
GERMANY

Tan Jin commented on September 09, 2020
The questions from these exam dumps are valid. I got 88% in my exam today.
SINGAPORE

Dave commented on November 05, 2019
Useful practice questions to get a feel of the actual exam. Some of the answers are not correct so please exercise caution.
EUROPEAN UNION

Je commented on October 02, 2018
Great
UNITED STATES

Invisible Angel commented on January 11, 2018
Have yet to try. But most recommend it
NEW ZEALAND

Mic commented on December 26, 2017
Nice dumps, site is secure and checkout process is a breeze.
UNITED STATES