Question 1

A company has deployed a multi-tier web application on AWS that uses Compute Optimized Instances for server-side processing and Storage Optimized EC2 Instances to store various media files. To ensure data durability, there is a scheduled job that replicates the files to each EC2 instance. The current architecture worked for a few months but it started to fail as the number of files grew, which is why the management decided to redesign the system.

Which of the following options should the solutions architect implement in order to launch a new architecture with improved data durability and cost-efficiency?

Options :

A : Migrate and host the entire web application to Amazon S3 for a more cost-effective web hosting. Enable cross-region replication to improve data durability. Use a combination of Consolidated Billing and AWS Trusted advisor checks to monitor the operating costs and identify potential savings.

B : Migrate all media files to Amazon EFS then attach this new drive as a mount point to a new set of Storage Optimized EC2 Instances. For the web servers, set up an Elastic Load Balancer with an Auto Scaling of EC2 instances and use this as the origin for a new Amazon CloudFront web distribution. Use a combination of Cost Explorer and AWS Trusted advisor checks to monitor the operating costs and identify potential savings.

C : Migrate all media files to an Amazon S3 bucket and use this as the origin for the new CloudFront web distribution. Set up an Elastic Load Balancer with an Auto Scaling of EC2 instances to host the web servers. Use a combination of Cost Explorer and AWS Trusted advisor checks to monitor the operating costs and identify potential savings.

D : Migrate the web application to AWS Elastic Beanstalk and move all media files to Amazon EFS for a durable and scalable storage. Set up an Amazon CloudFront distribution with EFS as the origin. Use a combination of Consolidated Billing and AWS Trusted advisor checks to monitor the operating costs and identify potential savings.

Answer: C

Question 2

A leading commercial bank has multiple AWS accounts that are consolidated using AWS Organizations. They are building an online portal for foreclosed real estate properties that they own. The online portal is designed to use SSL for better security. The bank would like to implement a separation of responsibilities between the DevOps team and their cybersecurity team. The DevOps team is entitled to manage and log in to the EC2 instances while the cybersecurity team has exclusive access to the application's X.509 certificate, which contains the private key and is stored in AWS Certificate Manager (ACM).

Which of the following options would satisfy the company requirements?

Options :

A : Configure an IAM policy that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB

B : Upload the X.509 certificate to an S3 bucket owned by the cybersecurity team and accessible only by the IAM role of the EC2 instances. Use the Systems Manager Session Manager as the HTTPS session manager for the application.

C : Set up a Service Control Policy (SCP) that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB.

D : Use the AWS Config service to configure the EC2 instances to retrieve the X.509 certificate upon boot from a CloudHSM that is managed by the cybersecurity team

Answer: A

Question 3

A company has multiple business units Each business unit has its own AWS account and runs a single website

within that account. The company also has a single logging account. Logs from each business unit website are

aggregated into a single Amazon S3 bucket in the logging account. The S3 bucket policy provides each

business unit with access to write data into the bucket and requires data to be encrypted.

The company needs to encrypt logs uploaded into the bucket using a Single AWS Key Management Service

{AWS KMS) CMK The CMK that protects the data must be rotated once every 365 days

Which strategy is the MOST operationally efficient for the company to use to meet these requirements?

Options :

A :

Create a customer managed CMK ri the logging account Update the CMK key policy to provide access

to the logging account only Manually rotate the CMK every 365 days.

B :

Create a customer managed CMK in the logging account. Update the CMK key policy to provide access

to the logging account and business unit accounts. Enable automatic rotation of the CMK

C :

Use an AWS managed CMK m the togging account. Update the CMK key policy to provide access to

the logging account and business unit accounts Manually rotate the CMK every 365 days.

D :

Use an AWS managed CMK in the togging account Update the CMK key policy to provide access to

the togging account only. Enable automatic rotation of the CMK.

Answer: A

Question 4

A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NL B). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2. However, the company now acquires a new customer in the us-east-I Region. The company creates a new VPC and new subnets in us-east-I. The company establishes inter-Region VPC peering between the VPCs in the two Regions. The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-I Which solution will meet these requirements?

Options :

A :

Configure a PrivateLink endpoint service in us-east-I to use the existing NL B that is in eu-west-2. Grant specific AWS accounts access to connect to the SaaS service.

B :

Create an NL B in us-east-I . Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-I . Grant specific AWS accounts access to connect to the SaaS service.

C :

Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2. Create an NLB in us-east-I . Associate the NLB that is in us-east-I with an ALB target group that uses the ALB that is in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-I . Grant specific AWS accounts access to connect to the SaaS service.

D :

Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-west-2. In us-east-I , create an NLB and an instance target group that includes the shared EC2 instances from eu-west-2. Configure a PrivateLink endpoint service that uses the NL B that is in us-east-I. Grant specific AWS accounts access to connect to the SaaS service

Answer: B

Question 5

A solutions architect must provide a secure way for a team of cloud engineers to use the AWS CLI to upload objects into an Amazon S3 bucket Each cloud engineer has an IAM user. IAM access keys and a virtual multi-factor authentication (MFA) device The IAM users for the cloud engineers are in a group that is named S3-access The cloud engineers must use MFA to perform any actions in Amazon S3

Which solution will meet these requirements?

Options :

A :

Attach a policy to the S3 bucket to prompt the 1AM user for an MFA code when the 1AM user performs actions on the S3 bucket Use 1AM access keys with the AWS CLI to

call Amazon S3

B : Update the trust policy for the S3-access group to require principals to use MFA when principals assume the group Use 1AM access keys with the AWS CLI to call Amazon S3

C : Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Use 1AM access keys with the AWS CLI to call Amazon S3

D : Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Request temporary credentials from AWS Security Token Service (AWS STS) Attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3

Answer: D

Higher Test Marks with Free Online SAP-C02 Exam Practice

Buying Options: