Free SAP-C01 Exam Braindumps (page: 41)


A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL.

The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL’s deny list.
  2. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.
  3. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server’s subnet route table for any IP addresses that activate the alarm.
  4. Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.

Answer(s): B

Explanation:

The selected solution is:

B) Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.

Reasoning:
- Mitigation of application layer attacks: AWS Shield Advanced provides enhanced protection against DDoS attacks, particularly for layer 7 (application layer) attacks, which is essential for safeguarding the web application hosted behind the ALB.
- Automatic detection and mitigation: Shield Advanced automatically detects attacks and applies mitigations, reducing the need for manual intervention and allowing the application to remain available during an attack.
- Minimal operational overhead: By integrating with AWS WAF and being managed by AWS, this solution reduces the administrative burden compared to creating and maintaining custom alarms and Lambda functions to respond to threats. It provides a comprehensive, robust security posture with less ongoing maintenance.
- Enhanced reporting: Shield Advanced offers detailed attack diagnostics and insights, allowing for better understanding and future prevention strategies.



A company has a critical application in which the data tier is deployed in a single AWS Region. The data tier uses an Amazon DynamoDB table and an Amazon Aurora MySQL DB cluster. The current Aurora MySQL engine version supports a global database. The application tier is already deployed in two Regions.

Company policy states that critical applications must have application tier components and data tier components deployed across two Regions. The RTO and RPO must be no more than a few minutes each. A solutions architect must recommend a solution to make the data tier compliant with company policy.

Which combination of steps will meet these requirements? (Choose two.)

  1. Add another Region to the Aurora MySQL DB cluster
  2. Add another Region to each table in the Aurora MySQL DB cluster
  3. Set up scheduled cross-Region backups for the DynamoDB table and the Aurora MySQL DB cluster
  4. Convert the existing DynamoDB table to a global table by adding another Region to its configuration
  5. Use Amazon Route 53 Application Recovery Controller to automate database backup and recovery to the secondary Region

Answer(s): A,D

Explanation:

The selected solutions are:
A) Add another Region to the Aurora MySQL DB cluster.
D) Convert the existing DynamoDB table to a global table by adding another Region to its configuration.
Reasoning:
- A (Aurora MySQL Global Database): Adding another Region to the Aurora MySQL DB cluster allows for the creation of a global database setup. This provides high availability and low-latency reads across multiple Regions while ensuring that the data tier is compliant with the company's requirement for multi-Region deployment. The global database feature supports near real-time replication, which helps in meeting the RTO and RPO requirements.
- D (DynamoDB Global Tables): By converting the existing DynamoDB table to a global table and adding another Region, the application can maintain a fully replicated table across the specified Regions. This approach ensures that the data is available and consistent across both Regions, complying with the requirement for cross-Region deployment and minimizing the potential for data loss.
Both solutions ensure that the data tier can meet the company policy's requirements for redundancy, availability, and minimal downtime.



A telecommunications company is running an application on AWS. The company has set up an AWS Direct Connect connection between the company's on-premises data center and AWS. The company deployed the application on Amazon EC2 instances in multiple Availability Zones behind an internal Application Load Balancer (ALB). The company's clients connect from the on-premises network by using HTTPS. The TLS terminates in the ALB. The company has multiple target groups and uses path-based routing to forward requests based on the URL path.

The company is planning to deploy an on-premises firewall appliance with an allow list that is based on IP address. A solutions architect must develop a solution to allow traffic flow to AWS from the on-premises network so that the clients can continue to access the application.

Which solution will meet these requirements?

  1. Configure the existing ALB to use static IP addresses. Assign IP addresses in multiple Availability Zones to the ALB. Add the ALB IP addresses to the firewall appliance.
  2. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Create an ALB-type target group for the NLB and add the existing ALB. Add the NLB IP addresses to the firewall appliance. Update the clients to connect to the NLB.
  3. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Add the existing target groups to the NLB. Update the clients to connect to the NLB. Delete the ALB. Add the NLB IP addresses to the firewall appliance.
  4. Create a Gateway Load Balancer (GWLB). Assign static IP addresses to the GWLB in multiple Availability Zones. Create an ALB-type target group for the GWLB and add the existing ALB. Add the GWLB IP addresses to the firewall appliance. Update the clients to connect to the GWLB.

Answer(s): B

Explanation:

The selected solution is:
B) Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Create an ALB-type target group for the NLB and add the existing ALB. Add the NLB IP addresses to the firewall appliance. Update the clients to connect to the NLB.
Reasoning:
1. Static IP Addresses: By using a Network Load Balancer (NLB) with static IP addresses, the solution allows the on-premises firewall to allow traffic based on these known IPs. This is essential for the firewall appliance's allow list, ensuring that only traffic from these static IPs is permitted.
2. Integration with ALB: The NLB can direct traffic to the existing Application Load Balancer (ALB) via a target group. This setup maintains the current architecture while enabling the use of static IPs for the firewall configuration.
3. Traffic Flow: Clients can continue to access the application without changes to the internal architecture, as the NLB will forward the requests to the ALB, preserving the path-based routing that the application relies on.
Overall, this solution minimizes disruption to the existing setup while meeting the security requirements imposed by the new firewall.



A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.

The company needs a solution that will prevent internet traffic from directly accessing the ALB.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
  2. Associate the existing web ACL with the ALB.
  3. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
  4. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.

Answer(s): C

Explanation:

The selected solution is:
C) Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
Reasoning:
1. Restricting Access: By adding a security group rule to the Application Load Balancer (ALB) that only allows traffic from the AWS managed prefix list for CloudFront, the solution effectively prevents any direct internet traffic from accessing the ALB. This ensures that all traffic must go through the CloudFront distribution first.
2. Minimal Operational Overhead: Using the AWS managed prefix list simplifies management because it automatically updates to include the necessary IP address ranges for CloudFront, reducing the need for manual updates or maintenance.
3. Maintaining Existing Setup: This solution leverages the existing architecture, allowing CloudFront to handle incoming requests and route them to the ALB while ensuring that direct access is blocked, thus maintaining the intended security posture.
Overall, this solution provides a straightforward and efficient way to achieve the desired outcome with minimal operational overhead.
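The following Python script is an added example (not part of the original question bank or any AWS sample) showing what option C looks like in practice with boto3: it audits an ALB security group for world-open ingress on port 443, builds the ingress permission that references the CloudFront origin-facing managed prefix list (`com.amazonaws.global.cloudfront.origin-facing`, which AWS maintains) instead of literal CIDR blocks, and only revokes the open rules after the prefix-list rule is in place. The security group id `sg-0123456789abcdef0`, the listener port 443 and the sample `describe_security_groups` response are constructed placeholders; the `main()` section needs AWS credentials, while the audit helpers run offline.

```python
"""Audit and harden an ALB security group so that only CloudFront can reach it.

Added example, not code from the original page. Assumptions:
  - the ALB security group id is a placeholder (sg-0123456789abcdef0),
  - the ALB listens on TCP 443,
  - AWS credentials are needed only by main(); the helpers are pure Python.
"""
from __future__ import annotations

# AWS-managed prefix list holding CloudFront's origin-facing IP ranges. AWS
# keeps it current, which is what removes the maintenance burden of option D.
CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
ALB_PORT = 443


def _covers_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_alb_ingress(security_group: dict, prefix_list_id: str) -> dict:
    """Inspect one security group (describe_security_groups shape).

    Returns:
      open_cidrs       - ranges that let anyone reach ALB_PORT (0.0.0.0/0, ::/0)
      uses_prefix_list - True if the CloudFront managed prefix list is allowed
    """
    open_cidrs: list[str] = []
    uses_prefix_list = False
    for perm in security_group.get("IpPermissions", []):
        if not _covers_port(perm, ALB_PORT):
            continue
        for r in perm.get("IpRanges", []):
            if r.get("CidrIp") == "0.0.0.0/0":
                open_cidrs.append(r["CidrIp"])
        for r in perm.get("Ipv6Ranges", []):
            if r.get("CidrIpv6") == "::/0":
                open_cidrs.append(r["CidrIpv6"])
        for p in perm.get("PrefixListIds", []):
            if p.get("PrefixListId") == prefix_list_id:
                uses_prefix_list = True
    return {"open_cidrs": open_cidrs, "uses_prefix_list": uses_prefix_list}


def cloudfront_only_ingress(prefix_list_id: str, port: int = ALB_PORT) -> dict:
    """IpPermissions entry for authorize_security_group_ingress that references
    the managed prefix list rather than hand-maintained CIDR blocks."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "PrefixListIds": [
            {"PrefixListId": prefix_list_id,
             "Description": "CloudFront origin-facing ranges only"}
        ],
    }


# Constructed sample: an ALB security group that is still open to the world.
SAMPLE_OPEN_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "PrefixListIds": []},
    ],
}


def main() -> None:
    import boto3  # imported here so the audit helpers stay usable offline
    ec2 = boto3.client("ec2")
    pl_id = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name",
                  "Values": [CLOUDFRONT_PREFIX_LIST_NAME]}]
    )["PrefixLists"][0]["PrefixListId"]
    sg = ec2.describe_security_groups(
        GroupIds=[SAMPLE_OPEN_SG["GroupId"]])["SecurityGroups"][0]
    report = audit_alb_ingress(sg, pl_id)
    print(report)
    if not report["uses_prefix_list"]:
        ec2.authorize_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=[cloudfront_only_ingress(pl_id)])
    # Revoke the world-open rules only after the prefix-list rule exists, so
    # CloudFront never loses reachability to the origin during the change.
    for cidr in report["open_cidrs"]:
        ranges = ({"Ipv6Ranges": [{"CidrIpv6": cidr}]} if ":" in cidr
                  else {"IpRanges": [{"CidrIp": cidr}]})
        ec2.revoke_security_group_ingress(
            GroupId=sg["GroupId"],
            IpPermissions=[{"IpProtocol": "tcp", "FromPort": ALB_PORT,
                            "ToPort": ALB_PORT, **ranges}])


if __name__ == "__main__":
    main()
```

Two practical notes: the managed prefix list is weighted, so it consumes many rule slots against the security group's rule quota and the quota should be checked before adding it; and because the rule only restricts who can open a connection, the ALB still needs the WAF web ACL on the CloudFront distribution for request-level inspection.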
