SAP-C02 Free Practice Test

- (Exam Topic 3)
A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center.
The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center.
Which solution will meet these requirements with the LEAST administrative overhead?

1. A. Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.
2. B. Provision an Amazon Route 53 private hosted zon
3. C. Configure NS records that point to on-premises DNS servers.
4. D. Create DNS endpoints by using Amazon Route 53 Resolver Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.
5. E. Provision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.

Correct Answer: C

- (Exam Topic 1)
A large mobile gaming company has successfully migrated all of its on-premises infrastructure to the AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.
While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company's developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.
The solutions architect must implement a control mechanism to limit the instance types that only the developers can launch.
Which solution will meet these requirements?

1. A. Create a desired-instance-type managed rule in AWS Confi
2. B. Configure the rule with the instance types that are allowe
3. C. Attach the rule to an event to run each time a new EC2 instance is launched.
4. D. In the EC2 console, create a launch template that specifies the instance types that are allowe
5. E. Assign the launch template to the developers' IAM accounts.
6. F. Create a new IAM polic
7. G. Specify the instance types that are allowe
8. H. Attach the policy to an IAM group that contains the IAM accounts for the developers
9. I. Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.

Correct Answer: C
This is doable with IAM policy creation to restrict users to specific instance types. Found the below article. https://blog.vizuri.com/limiting-allowed-aws-instance-type-with-iam-policy

- (Exam Topic 1)
A company has purchased appliances from different vendors. The appliances all have loT sensors. The sensors send status information in the vendors' proprietary formats to a legacy application that parses the information into JSON. The parsing is simple, but each vendor has a unique format. Once daily, the application parses all the JSON records and stores the records in a relational database for analysis.
The company needs to design a new data analysis solution that can deliver faster and optimize costs. Which solution will meet these requirements?

1. A. Connect the loT sensors to AWS loT Cor
2. B. Set a rule to invoke an AWS Lambda function to parse the information and save a .csv file to Amazon S3. Use AWS Glue to catalog the file
3. C. Use Amazon Athena and Amazon OuickSight for analysis.
4. D. Migrate the application server to AWS Fargate, which will receive the information from loT sensors and parse the information into a relational forma
5. E. Save the parsed information to Amazon Redshift for analysis.
6. F. Create an AWS Transfer for SFTP serve
7. G. Update the loT sensor code to send the information as a .csv file through SFTP to the serve
8. H. Use AWS Glue to catalog the file
9. I. Use Amazon Athena for analysis.
10. J. Use AWS Snowball Edge to collect data from the loT sensors directly to perform local analysis.Periodically collect the data into Amazon Redshift to perform global analysis.

Correct Answer: A
Connect the IoT sensors to AWS IoT Core. Set a rule to invoke an AWS Lambda function to parse the information and save a .csv file to Amazon S3. Use AWS Glue to catalog the files. Use Amazon Athena and Amazon QuickSight for analysis. This solution meets the requirement of faster analysis and cost optimization by using AWS IoT Core to collect data from the IoT sensors in real-time and then using AWS Glue and Amazon Athena for efficient data analysis.
This solution involves connecting the loT sensors to the AWS loT Core, setting a rule to invoke an AWS Lambda function to parse the information, and saving a .csv file to Amazon S3. AWS Glue can be used to catalog the files and Amazon Athena and Amazon QuickSight can be used for analysis. This solution will enable faster and more cost-effective data analysis.
This solution is in line with the official Amazon Textbook and Resources for the AWS Certified Solutions Architect - Professional certification. In particular, the book states that: “AWS IoT Core can be used to ingest and process the data, AWS Lambda can be used to process and transform the data, and Amazon S3 can be used to store the data. AWS Glue can be used to catalog and access the data, Amazon Athena can be used to query the data, and Amazon QuickSight can be used to visualize the data.” (Source: https://d1.awsstatic.com/training-and-certification/docs-sa-pro/AWS_Certified_Solutions_Architect_Professiona

- (Exam Topic 3)
A company wants to migrate its website from an on-premises data center onto AWS. At the same time, it wants to migrate the website to a containerized microservice-based architecture to improve the availability and cost efficiency. The company's security policy states that privileges and network permissions must be configured according to best practice, using least privilege.
A Solutions Architect must create a containerized architecture that meets the security requirements and has deployed the application to an Amazon ECS cluster.
What steps are required after the deployment to meet the requirements? (Choose two.)

1. A. Create tasks using the bridge network mode.
2. B. Create tasks using the awsvpc network mode.
3. C. Apply security groups to Amazon EC2 instances, and use IAM roles for EC2 instances to access other resources.
4. D. Apply security groups to the tasks, and pass IAM credentials into the container at launch time to access other resources.
5. E. Apply security groups to the tasks, and use IAM roles for tasks to access other resources.

Correct Answer: BE
The awsvpc network mode provides each task with its own elastic network interface (ENI) and a primary private IP address1. By using this network mode, the solutions architect can isolate the tasks from each other and apply security groups to the tasks directly2. This way, the solutions architect can control the inbound and outbound traffic at the task level and enforce the least privilege principle3. IAM roles for tasks allow the solutions architect to assign permissions to each task separately, so that they can access other AWS resources that they need4. By using IAM roles for tasks, the solutions architect can avoid passing IAM credentials into the container at launch time, which is less secure and more prone to errors5.
References:
awsvpc network mode
Task networking with the awsvpc network mode
Security groups for your VPC
IAM roles for tasks
Best practices for managing AWS access keys

- (Exam Topic 1)
A video processing company wants to build a machine learning (ML) model by using 600 TB of compressed data that is stored as thousands of files in the company's on-premises network attached storage system. The company does not have the necessary compute resources on premises for ML experiments and wants to use AWS.
The company needs to complete the data transfer to AWS within 3 weeks. The data transfer will be a one-time transfer. The data must be encrypted in transit. The measured upload speed of the company's internet connection is 100 Mbps, and multiple departments share the connection.
Which solution will meet these requirements MOST cost-effectively?

1. A. Order several AWS Snowball Edge Storage Optimized devices by using the AWS Management Consol
2. B. Configure the devices with a destination S3 bucke
3. C. Copy the data to the device
4. D. Ship the devices back to AWS.
5. E. Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS Regio
6. F. Transfer the data over a VPN connection into the Region to store the data in Amazon S3.
7. G. Create a VPN connection between the on-premises network storage and the nearest AWS Region.Transfer the data over the VPN connection.
8. H. Deploy an AWS Storage Gateway file gateway on premise
9. I. Configure the file gateway with a destination S3 bucke
10. J. Copy the data to the file gateway.

Correct Answer: A
This solution will meet the requirements of the company as it provides a secure, cost-effective and fast way of transferring large data sets from on-premises to AWS. Snowball Edge devices encrypt the data during transfer, and the devices are shipped back to AWS for import into S3. This option is more cost effective than using Direct Connect or VPN connections as it does not require the company to pay for long-term dedicated connections.