SAP-C02 Free Practice Test

- (Exam Topic 3)
A company provides a software as a service (SaaS) application that runs in the AWS Cloud. The application runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in an Auto Scaling group and are distributed across three Availability Zones in a single AWS Region.
The company is deploying the application into additional Regions. The company must provide static IP addresses for the application to customers so that the customers can add the IP addresses to allow lists.
The solution must automatically route customers to the Region that is geographically closest to them. Which solution will meet these requirements?

1. A. Create an Amazon CloudFront distributio
2. B. Create a CloudFront origin grou
3. C. Add the NLB for each additional Region to the origin grou
4. D. Provide customers with the IP address ranges of the distribution's edge locations.
5. E. Create an AWS Global Accelerator standard accelerato
6. F. Create a standard accelerator endpoint for the NLB in each additional Regio
7. G. Provide customers with the Global Accelerator IP address.
8. H. Create an Amazon CloudFront distributio
9. I. Create a custom origin for the NLB in each additional Regio
10. J. Provide customers with the IP address ranges of the distribution's edge locations.
11. K. Create an AWS Global Accelerator custom routing accelerato
12. L. Create a listener for the custom routing accelerato
13. M. Add the IP address and ports for the NLB in each additional Regio
14. N. Provide customers with the Global Accelerator IP address.

Correct Answer: B
AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users1. It provides static IP addresses that act as a fixed entry point to your applications and route user traffic to the optimal endpoint based on performance, health, and policies that you configure1. By creating a standard accelerator endpoint for the NLB in each additional Region, you can ensure that customers are automatically directed to the Region that is
geographically closest to them2. You can also provide customers with the Global Accelerator IP address, which is anycast from AWS edge locations and does not change when you add or remove endpoints3.
References:
What is AWS Global Accelerator?
Standard accelerator endpoints
AWS Global Accelerator IP addresses

- (Exam Topic 2)
A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects.
Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3).
What is the MOST operationally efficient solution that meets these requirements?

1. A. Turn on SSE-S3 on both S3 bucket
2. B. Use S3 Batch Operations to copy and encrypt the objects in the same location.
3. C. Create an AWS Key Management Service (AWS KMS) key in each accoun
4. D. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS accoun
5. E. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
6. F. Turn on SSE-S3 on both S3 bucket
7. G. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
8. H. Create an AWS Key Management Service (AWS KMS) key in each accoun
9. I. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS accoun
10. J. Use S3 Batch Operations to copy the objects into the same location.

Correct Answer: A
"The S3 buckets have millions of objects" If there are million of objects then you should use Batch operations. https://aws.amazon.com/blogs/storage/encrypting-objects-with-amazon-s3-batch-operations/

- (Exam Topic 3)
A solutions architect has launched multiple Amazon EC2 instances in a placement group within a single Availability Zone. Because of additional load on the system, the solutions architect attempts to add new instances to the placement group. However, the solutions architect receives an insufficient capacity error.
What should the solutions architect do to troubleshoot this issue?

1. A. Use a spread placement grou
2. B. Set a minimum of eight instances for each Availability Zone.
3. C. Stop and start all the instances in the placement grou
4. D. Try the launch again.
5. E. Create a new placement grou
6. F. Merge the new placement group with the original placement group.
7. G. Launch the additional instances as Dedicated Hosts in the placement groups.

Correct Answer: B

- (Exam Topic 3)
A solutions architect must update an application environment within AWS Elastic Beanstalk using a blue/green deployment methodology The solutions architect creates an environment that is identical to the existing application environment and deploys the application to the new environment.
What should be done next to complete the update?

1. A. Redirect to the new environment using Amazon Route 53
2. B. Select the Swap Environment URLs option
3. C. Replace the Auto Scaling launch configuration
4. D. Update the DNS records to point to the green environment

Correct Answer: B
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html

- (Exam Topic 3)
A company is using AWS Organizations with a multi-account architecture. The company's current security configuration for the account architecture includes SCPs, resource-based policies, identity-based policies, trust policies, and session policies.
A solutions architect needs to allow an IAM user in Account A to assume a role in Account B.
Which combination of steps must the solutions architect take to meet this requirement? (Select THREE.)

1. A. Configure the SCP for Account A to allow the action.
2. B. Configure the resource-based policies to allow the action.
3. C. Configure the identity-based policy on the user in Account A to allow the action.
4. D. Configure the identity-based policy on the user in Account B to allow the action.
5. E. Configure the trust policy on the target role in Account B to allow the action.
6. F. Configure the session policy to allow the action and to be passed programmatically by the GetSessionToken API operation.

Correct Answer: BCE
Resource-based policies are policies that you attach to a resource, such as an IAM role, to specify who can access the resource and what actions they can perform on it1. Identity-based policies are policies that you attach to an IAM user, group, or role to specify what actions they can perform on which resources2. Trust policies are special types of resource-based policies that define which principals (such as IAM users or roles) can assume a role3.
To allow an IAM user in Account A to assume a role in Account B, the solutions architect needs to do the following:
Configure the resource-based policy on the target role in Account B to allow the action sts:AssumeRole for the IAM user in Account A. This policy grants permission to the IAM user to assume the role4.
Configure the identity-based policy on the user in Account A to allow the action sts:AssumeRole for the target role in Account B. This policy grants permission to the user to perform the action of assuming the role5.
Configure the trust policy on the target role in Account B to allow the principal of the IAM user in Account A. This policy defines who can assume the role.
References:
Resource-based policies
Identity-based policies
Trust policies
Granting a user permissions to switch roles
Switching roles
[Modifying a role trust policy]