Free SAP-C01 Exam Braindumps (page: 40)

Page 40 of 134

A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL.

The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL’s deny list.
  2. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.
  3. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server’s subnet route table for any IP addresses that activate the alarm.
  4. Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.

Answer(s): B

Explanation:

The selected solution is:

B) Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.

Reasoning:
- Mitigation of application layer attacks: AWS Shield Advanced provides enhanced protection against DDoS attacks, particularly for layer 7 (application layer) attacks, which is essential for safeguarding the web application hosted behind the ALB.
- Automatic detection and mitigation: Shield Advanced automatically detects attacks and applies mitigations, reducing the need for manual intervention and allowing the application to remain available during an attack.
- Minimal operational overhead: By integrating with AWS WAF and being managed by AWS, this solution reduces the administrative burden compared to creating and maintaining custom alarms and Lambda functions to respond to threats. It provides a comprehensive, robust security posture with less ongoing maintenance.
- Enhanced reporting: Shield Advanced offers detailed attack diagnostics and insights, allowing for better understanding and future prevention strategies.



A company has a critical application in which the data tier is deployed in a single AWS Region. The data tier uses an Amazon DynamoDB table and an Amazon Aurora MySQL DB cluster. The current Aurora MySQL engine version supports a global database. The application tier is already deployed in two Regions.

Company policy states that critical applications must have application tier components and data tier components deployed across two Regions. The RTO and RPO must be no more than a few minutes each. A solutions architect must recommend a solution to make the data tier compliant with company policy.

Which combination of steps will meet these requirements? (Choose two.)

  1. Add another Region to the Aurora MySQL DB cluster
  2. Add another Region to each table in the Aurora MySQL DB cluster
  3. Set up scheduled cross-Region backups for the DynamoDB table and the Aurora MySQL DB cluster
  4. Convert the existing DynamoDB table to a global table by adding another Region to its configuration
  5. Use Amazon Route 53 Application Recovery Controller to automate database backup and recovery to the secondary Region

Answer(s): A,D

Explanation:

The selected solutions are:
A) Add another Region to the Aurora MySQL DB cluster.
D) Convert the existing DynamoDB table to a global table by adding another Region to its configuration.
Reasoning:
- A (Aurora MySQL Global Database): Adding another Region to the Aurora MySQL DB cluster allows for the creation of a global database setup. This provides high availability and low-latency reads across multiple Regions while ensuring that the data tier is compliant with the company's requirement for multi-Region deployment. The global database feature supports near real-time replication, which helps in meeting the RTO and RPO requirements.
- D (DynamoDB Global Tables): By converting the existing DynamoDB table to a global table and adding another Region, the application can maintain a fully replicated table across the specified Regions. This approach ensures that the data is available and consistent across both Regions, complying with the requirement for cross-Region deployment and minimizing the potential for data loss.
Both solutions ensure that the data tier can meet the company policy's requirements for redundancy, availability, and minimal downtime.



A telecommunications company is running an application on AWS. The company has set up an AWS Direct Connect connection between the company's on-premises data center and AWS. The company deployed the application on Amazon EC2 instances in multiple Availability Zones behind an internal Application Load Balancer (ALB). The company's clients connect from the on-premises network by using HTTPS. The TLS terminates in the ALB. The company has multiple target groups and uses path-based routing to forward requests based on the URL path.

The company is planning to deploy an on-premises firewall appliance with an allow list that is based on IP address. A solutions architect must develop a solution to allow traffic flow to AWS from the on-premises network so that the clients can continue to access the application.

Which solution will meet these requirements?

  1. Configure the existing ALB to use static IP addresses. Assign IP addresses in multiple Availability Zones to the ALB. Add the ALB IP addresses to the firewall appliance.
  2. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Create an ALB-type target group for the NLB and add the existing ALB. Add the NLB IP addresses to the firewall appliance. Update the clients to connect to the NLB.
  3. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Add the existing target groups to the NLB. Update the clients to connect to the NLB. Delete the ALB. Add the NLB IP addresses to the firewall appliance.
  4. Create a Gateway Load Balancer (GWLB). Assign static IP addresses to the GWLB in multiple Availability Zones. Create an ALB-type target group for the GWLB and add the existing ALB. Add the GWLB IP addresses to the firewall appliance. Update the clients to connect to the GWLB.

Answer(s): B

Explanation:

The selected solution is:
B) Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Create an ALB-type target group for the NLB and add the existing ALB. Add the NLB IP addresses to the firewall appliance. Update the clients to connect to the NLB.
Reasoning:
1. Static IP Addresses: By using a Network Load Balancer (NLB) with static IP addresses, the solution allows the on-premises firewall to allow traffic based on these known IPs. This is essential for the firewall appliance's allow list, ensuring that only traffic from these static IPs is permitted.
2. Integration with ALB: The NLB can direct traffic to the existing Application Load Balancer (ALB) via a target group. This setup maintains the current architecture while enabling the use of static IPs for the firewall configuration.
3. Traffic Flow: Clients can continue to access the application without changes to the internal architecture, as the NLB will forward the requests to the ALB, preserving the path-based routing that the application relies on.
Overall, this solution minimizes disruption to the existing setup while meeting the security requirements imposed by the new firewall.



A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.

The company needs a solution that will prevent internet traffic from directly accessing the ALB.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
  2. Associate the existing web ACL with the ALB.
  3. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
  4. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.

Answer(s): C

Explanation:

The selected solution is:
C) Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
Reasoning:
1. Restricting Access: By adding a security group rule to the Application Load Balancer (ALB) that only allows traffic from the AWS managed prefix list for CloudFront, the solution effectively prevents any direct internet traffic from accessing the ALB. This ensures that all traffic must go through the CloudFront distribution first.
2. Minimal Operational Overhead: Using the AWS managed prefix list simplifies management because it automatically updates to include the necessary IP address ranges for CloudFront, reducing the need for manual updates or maintenance.
3. Maintaining Existing Setup: This solution leverages the existing architecture, allowing CloudFront to handle incoming requests and route them to the ALB while ensuring that direct access is blocked, thus maintaining the intended security posture.
Overall, this solution provides a straightforward and efficient way to achieve the desired outcome with minimal operational overhead.






Post your Comments and Discuss Amazon SAP-C01 exam with other Community members:

Mike commented on October 08, 2024
Not bad at all
CANADA

Petro UA commented on October 01, 2024
Hate DNS questions. So need to practice more.
UNITED STATES

Gilbert commented on September 14, 2024
Can't wait to pass mine
Anonymous

Paresh commented on April 19, 2023
There were only 3 new questions that I did not see in this exam dump. The rest of the questions were all word by word from this dump.
UNITED STATES

Matthew commented on October 18, 2022
An extremely helpful study package. I highly recommend.
UNITED STATES

Peter commented on June 23, 2022
I thought these were practice exam questions but they turned out to be real questions from the actual exam.
NETHERLANDS

Henry commented on September 29, 2021
I do not have the words to thank you guys. Passing this exam was creating many scary thoughts. I am glad I used your braindumps and passed. I can get a beer and relax now.
AUSTRALIA

Nik commented on April 12, 2021
I would not be able to pass my exam without your help. You guys rock!
SINGAPORE

Rohit commented on January 09, 2021
Thank you for the 50% sale. I really appreciate this price cut during this extraordinary time where everyone is having financial problems.
INDIA

Roger-That commented on December 23, 2020
The 20% holiday discount is a sweet deal. Thank you for the discount code.
UNITED STATES

Duke commented on October 23, 2020
It is helpful. Questions are real. Purchase is easy but the only problem, there is no option to pay in Euro. Only USD.
GERMANY

Tan Jin commented on September 09, 2020
The questions from these exam dumps are valid. I got 88% in my exam today.
SINGAPORE

Dave commented on November 05, 2019
Useful practice questions to get a feel of the actual exam. Some of the answers are not correct so please exercise caution.
EUROPEAN UNION

Je commented on October 02, 2018
Great
UNITED STATES

Invisible Angel commented on January 11, 2018
Have yet to try. But most recommend it
NEW ZEALAND

Mic commented on December 26, 2017
Nice dumps, site is secure and checkout process is a breeze.
UNITED STATES