Browse SAP Questions
Question 61 of 100
You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two database servers and one NAT instance for a total of seven EC2 instances. The web, application, and database servers are deployed across two availability zones (AZs). You also deploy an ELB in front of the two web servers, and use Route 53 for DNS. Web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately, some of these new instances fail to launch. Which of the following could be the root cause? (Choose 2 answers)
A. The Internet Gateway (IGW) of your VPC has scaled up, adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches.
B. AWS reserves one IP address in each subnet’s CIDR block for Route 53 so you do not have enough addresses left to launch all of the new EC2 instances.
C. AWS reserves the first and the last private IP address in each subnet’s CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
D. The ELB has scaled up, adding more instances to handle the traffic and reducing the number of available private IP addresses for new instance launches.
E. AWS reserves the first four and the last IP address in each subnet’s CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
Question 62 of 100
A company is running an Amazon Redshift cluster with four nodes running 24/7/365 and expects, potentially, to add one on-demand node for one to two days once during the year. Which architecture would have the lowest possible cost for the cluster requirement? Choose the correct answer:
A. Purchase 5 reserved nodes to cover all possible node usage during the year.
B. Purchase 4 reserved nodes and rely on on-demand instances for the fifth node, if required.
C. Purchase 2 reserved nodes and utilize 3 on-demand nodes only for peak usage times.
D. Purchase 4 reserved nodes and bid on spot instances for the extra node usage required.
Question 63 of 100
Your company is hosting a web application on AWS. According to architectural best practices, the application must be highly available, scalable, cost-effective, and high-performance, and should require minimal human intervention. You have deployed the web servers and database servers in the public and private subnets of the VPC, respectively. While testing the application via a web browser, you noticed that the application is not accessible. Which configuration settings must you apply to tackle this problem? (Choose 2 options)
A. Configure a NAT instance in your VPC and create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address.
B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your web servers. Configure a Route 53 CNAME record to your CloudFront distribution.
C. Place all your web servers behind ELB. Configure a Route 53 ALIAS record to point to the ELB DNS name.
D. Assign EIPs to all web servers. Configure a Route 53 A record set with all EIPs with health checks and DNS failover.
E. Configure ELB with an EIP. Place all your web servers behind ELB. Configure a Route 53 A record that points to the EIP.
Question 64 of 100
Your application's Amazon Elastic Compute Cloud (EC2) instances bootstrap by using a master configuration file that is kept in a version-enabled Amazon Simple Storage Service (S3) bucket. Which one of the following methods should you use to securely install the current configuration version onto the instances in a cost-effective way?
A. Create an Amazon DynamoDB table to store the different versions of the configuration file. Associate AWS Identity and Access Management (IAM) EC2 roles to the Amazon EC2 instances, and reference the DynamoDB table to get the latest file from Amazon Simple Storage Service (S3).
B. Associate an IAM S3 role to the bucket, list the object versions using the Amazon S3 API, and then get the latest object.
C. Associate an IAM EC2 role to the instances, list the object versions using the Amazon S3 API, and then get the latest object.
D. Associate an IAM EC2 role to the instances, and then simply get the object from Amazon S3, because the default is the current version.
E. Store the IAM credentials in the Amazon EC2 user data for each instance, and then simply get the object from S3, because the default is the current version.
Question 65 of 100 (Multiple Choice)
You have been asked to create a DR plan for a business. The specific application they have asked you to look at runs on an EC2 instance. The application takes around 20 minutes to install using a set of installation scripts. At the present time, the EC2 instance has an EBS volume attached to it which contains 200Gb of data (mapped into the file system as /medicalimages). The medical images are the only 'non-static' part of the application. The application runs in AZ-A in a given AWS region and the business have asked that you make sure it can be moved over to another AZ quickly and efficiently if an AZ failure occurs. The application runs on a Linux instance, and it's a general-purpose instance. For the sake of this exercise you have not been asked to account for data corruption, only AZ failure. The application has an RTO of 15 minutes and an RPO of 30 minutes. What would you suggest? (Select TWO)
A. Store the medical images onto a separate EBS volume using the IO2 type. Configure point in time recovery of the volume with the Two Zone option configured to ensure replication between at least two AZs.
B. Migrate the medicalimages data to an EFS file system configured to operate within all AZs in that region. Configure the EC2 instances on boot to map the EFS file system.
C. Configure the application install scripts within a launch configuration and use this for an auto-scaling group with a 1:1:1 configuration.
D. Configure recovery on the EC2 instance and ensure fault-tolerance is enabled for both the EC2 and EBS components.
E. Create a new EC2 instance; install the application. Stop the instance and create an AMI, then use this for a launch template and auto-scaling group with a 1:1:1 configuration.
Question 66 of 100
You are the administrator for a new startup company which has a production account and a development account on AWS. Up until this point, no one has had access to the production account except yourself. There are 20 people on the development account who now need various levels of access provided to them on the production account. 10 of them need read-only access to all resources on the production account, 5 of them need read/write access to EC2 resources, and the remaining 5 only need read-only access to S3 buckets. Which of the following options would be the best way, both practically and security-wise, to accomplish this task? Choose the correct answer:
A. Copy the 20 users' IAM accounts from the development account to the production account. Then change the access levels for each user on the production account.
B. Create encryption keys for each of the resources that need access and provide those keys to each user depending on the access required.
C. Create 3 new users on the production account with the various levels of permissions needed. Give each of the 20 users the login for whichever one of the 3 accounts they need depending on the level of access required.
D. Create 3 roles in the production account with a different policy for each of the access levels needed. Add permissions to each IAM user on the developer account.
Question 67 of 100
Your social media marketing application has a component written in Ruby running on AWS Elastic Beanstalk. This application component posts messages to social media sites in support of various marketing campaigns. Your management now requires you to record replies to these social media messages to analyze the effectiveness of the marketing campaign in comparison to past and future efforts. You’ve already developed a new application component to interface with the social media site APIs in order to read the replies. Which process should you use to record the social media replies in a durable data store that can be accessed at any time for analytics of historical data?
A. Deploy the new application component in an Auto Scaling group of Amazon EC2 instances, read the data from the social media sites, store it with Amazon Elastic Block Store, and use AWS Data Pipeline to publish it to Amazon Kinesis for analytics.
B. Deploy the new application component as an Elastic Beanstalk application, read the data from the social media sites, store it in DynamoDB, and use Apache Hive with Amazon Elastic MapReduce for analytics.
C. Deploy the new application component in an Auto Scaling group of Amazon EC2 instances, read the data from the social media sites, store it in Amazon Glacier, and use AWS Data Pipeline to publish it to Amazon Redshift for analytics.
D. Deploy the new application component as an Amazon Elastic Beanstalk application, read the data from the social media site, store it with Amazon Elastic Block Store, and use Amazon Kinesis to stream the data to Amazon CloudWatch for analytics.
Question 68 of 100
A company is migrating an application from its data center to AWS. The application currently stores an API key used to access a third-party service in a local file. When deployed on AWS, the application will run on Amazon EC2 instances. As part of the migration, the application must make the API key more secure. Specifically: Each environment (such as development, test, and production) must have its own API key. All API key access requests should be logged for auditing purposes. The API keys must be encrypted at rest using a customer-managed key. Access permissions must be granular; the development environment cannot access the production API key, for example. What is the MOST secure way to meet these requirements?
A. Create an AWS Systems Manager Parameter Store secure string for each API key. Encrypt the secure strings using a customer-managed AWS KMS customer master key (CMK). Create an IAM user with permissions to the kms:decrypt action for the CMK and the ssm:getparameter action for the API key for the environment. Store an access key for that user in a credential store on each Amazon EC2 instance.
B. Create an AWS Systems Manager Parameter Store secure string for each API key. Encrypt the secure strings using a customer-managed AWS KMS customer master key (CMK). Create an IAM role for each environment with permissions to the kms:decrypt action for the CMK and the ssm:getparameter action for the proper API key. Launch each Amazon EC2 instance with the proper IAM role.
C. Create an Amazon DynamoDB table encrypted with an AWS KMS customer master key (CMK). Store each API key in a different item in the table. Create an IAM role for each environment with permissions to the kms:decrypt action for the CMK and the dynamodb:getitem action for the correct item. Launch each Amazon EC2 instance with the proper IAM role.
D. Pass the proper API key to each Amazon EC2 instance upon launch utilizing user data. Assign an IAM role to each EC2 instance with permissions to the kms:encrypt and the kms:decrypt actions for a customer-managed AWS KMS customer master key (CMK). In the user data script, encrypt the API key using the CMK. Store the encrypted API key on each EC2 instance.
Question 69 of 100
A customer is deploying an SSL-enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators, who are entitled to log in to instances as well as make API calls, and the security officers, who will maintain and have exclusive access to the application’s X.509 certificate that contains the private key. Which configuration option could satisfy the above requirement?
A. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.
B. Upload the certificate on an S3 bucket owned by the security officers and accessible only by the EC2 Role of the web servers.
C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
Question 70 of 100
Your CIO has become very paranoid recently after a series of security breaches and wants you to start providing additional layers of security to all your company's AWS resources. First up, he wants you to provide additional layers of protection to all your EC2 resources. Which of the following would be a way of providing that additional layer of protection to all your EC2 resources? Choose the correct answer:
A. Ensure that the proper tagging strategies have been implemented to identify all of your EC2 resources.
B. Add an IP address condition to policies that specify that requests to EC2 instances should come from a specific IP address or CIDR block range.
C. Add policies which have deny and/or allow permissions on tagged resources.
D. All actions listed here would provide additional layers of protection.