Free SAP-C01 Exam Braindumps (page: 8)


A security engineer determined that an existing application retrieves credentials to an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:

- The database must use strong, randomly generated passwords stored in a secure AWS managed service.
- The application resources must be deployed through AWS CloudFormation.
- The application must rotate credentials for the database every 90 days.

A solutions architect will generate a CloudFormation template to deploy the application.

Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

  A) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
  B) Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
  C) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
  D) Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

Answer(s): A

Explanation:

A) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.

This is the correct answer because AWS Secrets Manager is specifically designed to manage and rotate credentials securely. It integrates easily with AWS Lambda to automate password rotation and allows for a RotationSchedule to ensure the credentials are updated every 90 days. This approach minimizes operational overhead and aligns with the security engineer’s requirements for strong, randomly generated passwords and automatic rotation.



A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.

Which solutions meet these requirements? (Choose two.)

  A) Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
  B) Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
  C) Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
  D) Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
  E) Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.

Answer(s): A,C

Explanation:

A) Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
C) Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.

These are the correct answers because they both meet the requirements of making data accessible publicly through a simple API over HTTPS.

Amazon API Gateway is a serverless option that automatically scales in response to demand, making it suitable for this architecture.
API Gateway's AWS integration type allows direct interaction with DynamoDB without needing intermediary Lambda functions in the case of the REST API.
Using AWS Lambda for the HTTP API option adds flexibility in handling requests and returning data from DynamoDB tables.
Both options allow for a scalable, serverless architecture that integrates with DynamoDB and responds to HTTPS requests.



A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53.

A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests.
Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)

  A) Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with the event message to look up and respond with a redirect URL.
  B) Create an Application Load Balancer that includes HTTP and HTTPS listeners.
  C) Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.
  D) Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.
  E) Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.
  F) Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.

Answer(s): B,C,F

Explanation:

B) Create an Application Load Balancer that includes HTTP and HTTPS listeners.
C) Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.
F) Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.

These are the correct answers because they provide a low operational effort solution for setting up domain redirection.

Application Load Balancer (ALB) allows handling both HTTP and HTTPS requests, ensuring the redirect service can accept traffic over both protocols.
AWS Lambda provides a serverless way to handle the redirects based on the JSON document, ensuring that the appropriate URL is returned.
AWS Certificate Manager (ACM) provides SSL certificates for secure HTTPS connections with minimal operational overhead, allowing you to include multiple domain names with Subject Alternative Names (SANs) in a single certificate.
This combination creates a cost-efficient, scalable, and secure solution with minimal operational effort.



A company that has multiple AWS accounts is using AWS Organizations. The company’s AWS accounts host VPCs, Amazon EC2 instances, and containers.

The company’s compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated to the compliance team. The company has tagged all the compliance-related resources with a key of “costCenter” and a value of “compliance”.

The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team’s AWS account. The cost calculation must be as accurate as possible.

What should a solutions architect do to meet these requirements?

  A) In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.
  B) In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources.
  C) In the member accounts of the organization, activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.
  D) Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team’s AWS account.

Answer(s): A

Explanation:

A) In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.

This is the correct answer because the AWS Cost and Usage Report (CUR) provides detailed cost allocation data, including custom tags like costCenter. By enabling the tag in the management account and configuring the Cost and Usage Reports to be stored in an S3 bucket, the company can get a detailed breakdown of costs associated with the tagged resources, making it possible to accurately charge the compliance team's account.





