Practice SAP-C02 Exam Online

Question 1

A company is developing an application that will allow biologists from around the world to submit plant genomic information and share it with other biologists. The application will expect several submissions every minute and will push about 8KB of genomic data every second to the data platform. This data needs to be processed and analyzed to provide meaningful information back to the biologists. The following are the requirements for the data platform:

-The inbound genomic data must be processed near-real-time and provide analytics.

-The received data must be stored in a flexible, parallel, and durable manner.

-After processing the data, the resulting output must be delivered to a data warehouse.

Which of the following options should the Solutions Architect implement to meet the company's requirements?

A : Create a delivery stream on Amazon Kinesis Data Firehose to deliver the inbound data to an Amazon S3 bucket. Use a Kinesis client to analyze the stored data. For data warehousing, register the S3 bucket on AWS Lake Formation as a data lake. Use Amazon Quicksight to query the data lake.

B : Create a stream in Amazon Kinesis Data Streams to collect the inbound data. Use a Kinesis client to analyze the genomic data. After processing, use Amazon EMR to save the results to an Amazon Redshift cluster.

C : Leverage Amazon API Gateway to accept the inbound data and send it to an Amazon SQS queue. Write an AWS Lambda function that will process the messages on the SQS queue. After processing, use Amazon EMR to save the results to an Amazon Redshift cluster.

D : Store all inbound data files directly to an Amazon S3 bucket. Use Amazon Kinesis with Amazon SQS to analyze the data stored in the S3 bucket. After processing, send the results to an Amazon Redshift cluster.

Answer: B

Question 2

A company requires that all internal application connectivity use private IP addresses. To facilitate this policy,

a solutions architect has created interface endpoints to connect to AWS public services. Upon testing, the

solutions architect notices that the service names are resolving to public IP addresses, and that internal services

cannot connect to the interface endpoints.

Which step should the solutions architect take to resolve this issue?

A : Update the subnet route table with a route to the interface endpoint.

B : Enable the private DNS option on the VPC attributes.

C : Configure the security group on the interface endpoint to allow connectivity to the AWS services.

D : Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.

Answer: C

Question 3

A top university has launched its serverless online portal using Lambda and API Gateway in AWS that enables its students to enroll, manage their class schedules, and see their grades online. After a few weeks, the portal abruptly stopped working and lost all of its data. The university hired an external cybersecurity consultant and based on the investigation, the outage was due to an SQL injection vulnerability on the portal's login page in which the attacker simply injected the malicious SQL code. You also need to track historical changes to the rules and metrics associated with your firewall.

Which of the following is the most suitable and cost-effective solution to avoid another SQL Injection attack against their infrastructure in AWS?

A : Create a new Application Load Balancer (ALB) and set up AWS WAF in the load balancer. Place the API Gateway behind the ALB and configure a web access control list (web ACL) in front of the ALB to block requests that contain malicious SQL code. Use AWS Firewall Manager to track changes to your web access control lists (web ACLs) such as the creation and deletion of rules including the updates to the WAF rule configurations.

B : Block the IP address of the attacker in the Network Access Control List of your VPC and then set up a CloudFront distribution. Set up AWS WAF to add a web access control list (web ACL) in front of the CloudFront distribution to block requests that contain malicious SQL code. Use AWS Config to track changes to your web access control lists (web ACLs) such as the creation and deletion of rules including the updates to the WAF rule configurations.

C : Use AWS WAF to add a web access control list (web ACL) in front of the Lambda functions to block requests that contain malicious SQL code. Use AWS Firewall Manager, to track changes to your web access control lists (web ACLs) such as the creation and deletion of rules including the updates to the WAF rule configurations.

D : Use AWS WAF to add a web access control list (web ACL) in front of the API Gateway to block requests that contain malicious SQL code. Use AWS Config to track changes to your web access control lists (web ACLs) such as the creation and deletion of rules including the updates to the WAF rule configurations.

Answer: D

Question 4

A company has an on-premises Microsoft SQL Server database that writes a nightly 200 GB export to a local

drive. The company wants to move the backups to more robust cloud storage on Amazon S3. The company

has set up a 10 Gbps AWS Direct Connect connection between the on-premises data center and AWS. Which

solution meets these requirements Most cost effectively?

A :

Create a new S3 bucket Deploy an AWS Storage Gateway file gateway within the VPC that is

connected to the Direct Connect connection. Create a new SMB file share. Write nightly database

exports to the new SMB file share.

B :

Create an Amzon FSx for Windows File Server Single-AZ file system within the VPC that is connected

to the Direct Connect connection. Create a new SMB file share. Write nightly database exports to an

SMB file share on the Amazon FSx file system Enable backups.

C :

Create an Amazon FSx for Windows File Server Multi-AZ system within the VPC that is connected to

the Direct Connect connection. Create a new SMB file share. Write nightly database exports to an SMB

file share on the Amazon FSx file system. Enable nightly backups.

D :

Create a new S3 buckets. Deploy an AWS Storage Gateway volume gateway within the VPC that is

connected to the Direct Connect connection. Create a new SMB file share. Write nightly database

exports to the new SMB file share on the volume gateway, and automate copies of this data to an S3

bucket.

Answer: A

Question 5

A large company with hundreds of AWS accounts has a newly established centralized internal process for purchasing new or modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement or execution. Previously, business units would directly purchase or modify Reserved Instances in their own respective AWS accounts autonomously. Which combination of steps should be taken to proactively enforce the new process in the MOST secure way possible? (Select TWO.)

A : Ensure all AWS accounts are part of an AWS Organizations structure operating in all features mode

B : Use AWS Contig lo report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedlnstancesOffering and ec2:ModifyReservedlnstances actions.

C : In each AWS account, create an IAM policy with a DENY rule to the ec2:PurchaseReservedlnstancesOffering and ec2:ModifyReservedInstances actions

D : Create an SCP that contains a deny rule to the ec2:PurchaseReservedlnstancesOffering and ec2: Modify Reserved Instances actions. Attach the SCP to each organizational unit (OU) of the AWS Organizations structure.

E : Ensure that all AWS accounts are part of an AWS Organizations structure operating in consolidated billing features mode.

Answer: A,D

Name:	AWS Certified Solutions Architect- Professional
Exam Code:	SAP-C02
Certification:	AWS Certified Professional
Vendor:	Amazon
Total Questions:	891
Last Updated:	Apr 22, 2024

Amazon SAP-C02