SAP-C02 Free Practice Test

- (Exam Topic 1)
A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization.
The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to
and from the company's on-premises network.
Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list.
The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts.
Which solution meets these requirements with the LEAST amount of operational overhead?

1. A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team's AWS accoun
2. B. Deploy an AWS Lambda function in each AWS accoun
3. C. Configure the Lambda function to run every time an SNS topic receives a messag
4. D. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the accoun
5. E. Instruct the security team to distribute changes by publishing messages to its SNS topic.
6. F. Create new customer-managed prefix lists in each AWS account within the organizatio
7. G. Populate the prefix lists in each account with all internal CIDR range
8. H. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security group
9. I. Instruct the security team to share updates with each AWS account owner.
10. J. Create a new customer-managed prefix list in the security team's AWS accoun
11. K. Populate the customer-managed prefix list with all internal CIDR range
12. L. Share the customer-managed prefix listwith the organization by using AWS Resource Access Manage
13. M. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
14. N. Create an IAM role in each account in the organizatio
15. O. Grant permissions to update security groups.Deploy an AWS Lambda function in the security team's AWS accoun
16. P. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.

Correct Answer: C
Create a new customer-managed prefix list in the security team’s AWS account. Populate the
customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups. This solution meets the requirements with the least amount of operational overhead as it requires the security team to create and maintain a single customer-managed prefix list, and share it with the organization using AWS Resource Access Manager. The owners of each AWS account are then responsible for allowing the prefix list in their security groups, which eliminates the need for the security team to manually notify each account owner when changes are made. This solution also eliminates the need for a separate AWS Lambda function in each account, reducing the overall complexity of the solution.

- (Exam Topic 3)
A car rental company has built a serverless REST API to provide data to its mobile app. The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambda functions, and an Amazon Aurora MySQL Serverless DB cluster. The company recently opened the API to mobile apps of partners. A
significant increase in the number of requests resulted, causing sporadic database memory errors. Analysis of the API traffic indicates that clients are making multiple HTTP GET requests for the same queries in a short period of time. Traffic is concentrated during business hours, with spikes around holidays and other events.
The company needs to improve its ability to support the additional usage while minimizing the increase in costs associated with the solution.
Which strategy meets these requirements?

1. A. Convert the API Gateway Regional endpoint to an edge-optimized endpoin
2. B. Enable caching in the production stage.
3. C. Implement an Amazon ElastiCache for Redis cache to store the results of the database call
4. D. Modify the Lambda functions to use the cache.
5. E. Modify the Aurora Serverless DB cluster configuration to increase the maximum amount of available memory.
6. F. Enable throttling in the API Gateway production stag
7. G. Set the rate and burst values to limit the incoming calls.

Correct Answer: A
This option allows the company to use Amazon CloudFront to improve the latency and availability of the API requests by caching the responses at the edge locations closest to the clients1. By enabling caching in the production stage, the company can reduce the number of calls made to the backend services, such as Lambda functions and Aurora Serverless DB cluster, and save on costs and resources2. This option also helps to handle traffic spikes and reduce database memory errors by serving cached responses instead of querying the database repeatedly.
References:
Choosing an API endpoint type
Enabling API caching to enhance responsiveness

- (Exam Topic 3)
A financial company needs to create a separate AWS account for a new digital wallet application. The company uses AWS Organizations to manage its accounts. A solutions architect uses the 1AM user Supportl from the management account to create a new member account with finance1@example.com as the email address.
What should the solutions architect do to create IAM users in the new member account?

1. A. Sign in to the AWS Management Console with AWS account root user credentials by using the64-character password from the initial AWS Organizations email senttofinance1@example.co
2. B. Set up the IAM users as required.
3. C. From the management account, switch roles to assume the OrganizationAccountAccessRole role with the account ID of the new member accoun
4. D. Set up the IAM users as required.
5. E. Go to the AWS Management Console sign-in pag
6. F. Choose "Sign in using root account credentials." Sign in in by using the email address finance1@example.com and the management account's root passwor
7. G. Set up the IAM users as required.
8. H. Go to the AWS Management Console sign-in pag
9. I. Sign in by using the account ID of the new member account and the Supportl IAM credential
10. J. Set up the IAM users as required.

Correct Answer: D
The best solution is to turn on the Concurrency Scaling feature for the Amazon Redshift cluster. This feature allows the cluster to automatically add additional capacity to handle bursts of read queries without affecting the performance of write queries. The additional capacity is transparent to the users and is billed separately based on the usage. This solution meets the business requirements of servicing read and write queries at all times and is also cost-effective compared to the other options, which involve provisioning additional resources or resizing the cluster. References: Amazon Redshift Documentation, Concurrency Scaling in Amazon Redshift

- (Exam Topic 3)
During an audit, a security team discovered that a development team was putting IAM user secret access keys in their code and then committing it to an AWS CodeCommit repository. The security team wants to automatically find and remediate instances of this security vulnerability.
Which solution will ensure that the credentials are appropriately secured automatically7

1. A. Run a script nightly using AWS Systems Manager Run Command to search tor credentials on the development instance
2. B. If foun
3. C. use AWS Secrets Manager to rotate the credentials.
4. D. Use a scheduled AWS Lambda function to download and scan the application code from CodeCommit.If credentials are found, generate new credentials and store them in AWS KMS.
5. E. Configure Amazon Made to scan for credentials in CodeCommit repositorie
6. F. If credentials are found, trigger an AWS Lambda function to disable the credentials and notify the user.
7. G. Configure a CodeCommit trigger to invoke an AWS Lambda function to scan new code submissions for credential
8. H. It credentials are found, disable them in AWS IAM and notify the user

Correct Answer: D
CodeCommit may use S3 on the back end (and it also uses DynamoDB on the back end) but I don't think they're stored in buckets that you can see or point Macie to. In fact, there are even solutions out there describing how to copy your repo from CodeCommit into S3 to back it up:
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automate-event-driven-backups-from-codeco

- (Exam Topic 3)
A company has an loT platform that runs in an on-premises environment. The platform consists of a server that connects to loT devices by using the MQTT protocol. The platform collects telemetry data from the devices at least once every 5 minutes The platform also stores device metadata in a MongoDB cluster
An application that is installed on an on-premises machine runs periodic jobs to aggregate and transform the telemetry and device metadata The application creates reports that users view by using another web application that runs on the same on-premises machine The periodic jobs take 120-600 seconds to run However, the web application is always running.
The company is moving the platform to AWS and must reduce the operational overhead of the stack. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select
THREE.)

1. A. Use AWS Lambda functions to connect to the loT devices
2. B. Configure the loT devices to publish to AWS loT Core
3. C. Write the metadata to a self-managed MongoDB database on an Amazon EC2 instance
4. D. Write the metadata to Amazon DocumentDB (with MongoDB compatibility)
5. E. Use AWS Step Functions state machines with AWS Lambda tasks to prepare the reports and to write the reports to Amazon S3 Use Amazon CloudFront with an S3 origin to serve the reports
6. F. Use an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon EC2 instances to prepare the reports Use an ingress controller in the EKS cluster to serve the reports

Correct Answer: BDE
https://aws.amazon.com/step-functions/use-cases/