SAP-C01 : AWS Certified Solutions Architect – Professional : Part 10

SAP-C01 : AWS Certified Solutions Architect – Professional : Part 10

1. ABC has three separate departments and each department has their own AWS accounts. The HR department has created a file sharing site where all the on roll employees’ data is uploaded. The Admin department uploads data about the employee presence in the office to their DB hosted in the VPC. The Finance department needs to access data from the HR department to know the on roll employees to calculate the salary based on the number of days that an employee is present in the office.

   How can ABC setup this scenario?

   • It is not possible to configure VPC peering since each department has a separate AWS account.
   • Setup VPC peering for the VPCs of Admin and Finance.
   • Setup VPC peering for the VPCs of Finance and HR as well as between the VPCs of Finance and Admin.
   • Setup VPC peering for the VPCs of Admin and HR
   Explanation:
   A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. A VPC peering connection allows the user to route traffic between the peer VPCs using private IP addresses as if they are a part of the same network. This is helpful when one VPC from the same or different AWS account wants to connect with resources of the other VPC.

2. An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.

   How can the organization meet the expectations of the auditor without compromising on the security of their AWS infrastructure?

   • The organization should not accept the request as sharing the credentials means compromising on security.
   • Create an IAM role which will have read only access to all EC2 services including VPC and assign that role to the auditor.
   • Create an IAM user who will have read only access to the AWS VPC and share those credentials with the auditor.
   • The organization should create an IAM user with VPC full access but set a condition that will not allow to modify anything if the request is from any IP other than the organization’s data center.
   Explanation:
   A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC also works with IAM and the organization can create IAM users who have access to various VPC services. If an auditor wants to have access to the AWS VPC to verify the rules, the organization should be careful before sharing any data which can allow making updates to the AWS infrastructure. In this scenario it is recommended that the organization creates an IAM user who will have read only access to the VPC. Share the above mentioned credentials with the auditor as it cannot harm the organization. The sample policy is given below:
   {
   “Effect”:”Allow”, “Action”: [ “ec2:DescribeVpcs”, “ec2:DescribeSubnets”,
   “ec2: DescribeInternetGateways”, “ec2:DescribeCustomerGateways”, “ec2:DescribeVpnGateways”, “ec2:DescribeVpnConnections”, “ec2:DescribeRouteTables”, “ec2:DescribeAddresses”, “ec2:DescribeSecurityGroups”, “ec2:DescribeNetworkAcls”, “ec2:DescribeDhcpOptions”, “ec2:DescribeTags”, “ec2:DescribeInstances”
   ],
   “Resource”:”*”
   }

3. What is the maximum length for an instance profile name in AWS IAM?

   • 512 characters
   • 128 characters
   • 1024 characters
   • 64 characters
   Explanation:
   The maximum length for an instance profile name is 128 characters.

4. Cognito Sync is an AWS service that you can use to synchronize user profile data across mobile devices without requiring your own backend. When the device is online, you can synchronize data.

   If you also set up push sync, what does it allow you to do?

   • Notify other devices that a user profile is available across multiple devices
   • Synchronize user profile data with less latency
   • Notify other devices immediately that an update is available
   • Synchronize online data faster
   Explanation:
   Cognito Sync is an AWS service that you can use to synchronize user profile data across mobile devices without requiring your own backend. When the device is online, you can synchronize data, and if you have also set up push sync, notify other devices immediately that an update is available.

5. An organization is planning to create a secure scalable application with AWS VPC and ELB. The organization has two instances already running and each instance has an ENI attached to it in addition to a primary network interface. The primary network interface and additional ENI both have an elastic IP attached to it.

   If those instances are registered with ELB and the organization wants ELB to send data to a particular EIP of the instance, how can they achieve this?

   • The organization should ensure that the IP which is required to receive the ELB traffic is attached to a primary network interface.
   • It is not possible to attach an instance with two ENIs with ELB as it will give an IP conflict error.
   • The organization should ensure that the IP which is required to receive the ELB traffic is attached to an additional ENI.
   • It is not possible to send data to a particular IP as ELB will send to any one EIP.
   Explanation:
   Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an ELB, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For the internet facing ELB it is required that the ELB should be in a public subnet. When the user registers a multi-homed instance (an instance that has an Elastic Network Interface (ENI) attached) with a load balancer, the load balancer will route the traffic to the IP address of the primary network interface (eth0).

6. In Amazon Cognito, your mobile app authenticates with the Identity Provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito, which returns a new _____ for the user and a set of temporary, limited-privilege AWS credentials.

   • Cognito Key Pair
   • Cognito API
   • Cognito ID
   • Cognito SDK
   Explanation:
   Your mobile app authenticates with the identity provider (IdP) using the provider’s SDK. Once the end user is authenticated with the IdP, the OAuth or OpenID Connect token returned from the IdP is passed by your app to Amazon Cognito, which returns a new Cognito ID for the user and a set of temporary, limited-privilege AWS credentials.

7. What is the maximum length for a certificate ID in AWS IAM?

   • 1024 characters
   • 512 characters
   • 64 characters
   • 128 characters
   Explanation:
   The maximum length for a certificate ID is 128 characters.

8. A user is trying to create a PIOPS EBS volume with 3 GB size and 90 IOPS. Will AWS create the volume?

   • No, since the PIOPS and EBS size ratio is less than 30
   • Yes, since the ratio between EBS and IOPS is less than 30
   • No, the EBS size is less than 4GB
   • Yes, since PIOPS is higher than 100
   Explanation:
   A Provisioned IOPS (SSD) volume can range in size from 4 GiB to 16 TiB and you can provision up to 20,000 IOPS per volume.

9. If a single condition within an IAM policy includes multiple values for one key, it will be evaluated using a logical______.

   • OR
   • NAND
   • NOR
   • AND
   Explanation:
   If a single condition within an IAM policy includes multiple values for one key, it will be evaluated using a logical OR.

10. Which of the following cache engines does Amazon ElastiCache support?

    • Amazon ElastiCache supports Memcached and Redis.
    • Amazon ElastiCache supports Redis and WinCache.
    • Amazon ElastiCache supports Memcached and Hazelcast.
    • Amazon ElastiCache supports Memcached only.
    Explanation:
    The cache engines supported by Amazon ElastiCache are Memcached and Redis.

11. You have been given the task to define multiple AWS Data Pipeline schedules for different activities in the same pipeline.

    Which of the following would successfully accomplish this task?

    • Creating multiple pipeline definition files
    • Defining multiple pipeline definitions in your schedule objects file and associating the desired schedule to the correct activity via its schedule field
    • Defining multiple schedule objects in your pipeline definition file and associating the desired schedule to the correct activity via its schedule field
    • Defining multiple schedule objects in the schedule field
    Explanation:
    To define multiple schedules for different activities in the same pipeline, in AWS Data Pipeline, you should define multiple schedule objects in your pipeline definition file and associate the desired schedule to the correct activity via its schedule field. As an example of this, it could allow you to define a pipeline in which log files are stored in Amazon S3 each hour to drive generation of an aggregate report once a day.

12. In a VPC, can you modify a set of DHCP options after you create them?

    • Yes, you can modify a set of DHCP options within 48 hours after creation and there are no VPCs associated with them.
    • Yes, you can modify a set of DHCP options any time after you create them.
    • No, you can’t modify a set of DHCP options after you create them.
    • Yes, you can modify a set of DHCP options within 24 hours after creation.
    Explanation:
    After you create a set of DHCP options, you can’t modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all.

13. A bucket owner has allowed another account’s IAM users to upload or access objects in his bucket. The IAM user of Account A is trying to access an object created by the IAM user of account B. What will happen in this scenario?

    • It is not possible to give permission to multiple IAM users
    • AWS S3 will verify proper rights given by the owner of Account A, the bucket owner as well as by the IAM user B to the object
    • The bucket policy may not be created as S3 will give error due to conflict of Access Rights
    • It is not possible that the IAM user of one account accesses objects of the other IAM user
    Explanation:
    If a IAM user is trying to perform some action on an object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.

14. Which statement is NOT true about a stack which has been created in a Virtual Private Cloud (VPC) in AWS OpsWorks?

    • Subnets whose instances cannot communicate with the Internet are referred to as public subnets.
    • Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets.
    • All instances in the stack should have access to any package repositories that your operating system depends on, such as the Amazon Linux or Ubuntu Linux repositories.
    • Your app and custom cookbook repositories should be accessible for all instances in the stack.
    Explanation:
    In AWS OpsWorks, you can control user access to a stack’s instances by creating it in a virtual private cloud (VPC). For example, you might not want users to have direct access to your stack’s app servers or databases and instead require that all public traffic be channeled through an Elastic Load Balancer. A VPC consists of one or more subnets, each of which contains one or more instances. Each subnet has an associated routing table that directs outbound traffic based on its destination IP address. Instances within a VPC can generally communicate with each other, regardless of their subnet. Subnets whose instances can communicate with the Internet are referred to as public subnets. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets. AWS OpsWorks requires the VPC to be configured so that every instance in the stack, including instances in private subnets, has access to the following endpoints:
    The AWS OpsWorks service, https://opsworks-instance-service.us-east-1.amazonaws.com.
    Amazon S3
    The package repositories for Amazon Linux or Ubuntu 12.04 LTS, depending on which operating system you specify.
    Your app and custom cookbook repositories.

15. An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of application. The organization is planning to implement certain security best practices.

    Which of the below mentioned pointers will not help the organization achieve better security arrangement?

    • Allow only IAM users to connect with the EC2 instances with their own secret access key.
    • Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.
    • Apply the latest patch of OS and always keep it updated.
    • Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
    Explanation:
    Since AWS is a public cloud any application hosted on EC2 is prone to hacker attacks. It becomes extremely important for a user to setup a proper security mechanism on the EC2 instances. A few of the security measures are listed below:
    Always keep the OS updated with the latest patch
    Always create separate users with in OS if they need to connect with the EC2 instances, create their keys and disable their password
    Create a procedure using which the admin can revoke the access of the user when the business work on the EC2 instance is completed. Lock down unnecessary ports.
    Audit any proprietary applications that the user may be running on the EC2 instance Provide temporary escalated privileges, such as sudo for users who need to perform occasional privileged tasks
    The IAM is useful when users are required to work with AWS resources and actions, such as launching an instance. It is not useful to connect (RDP / SSH) with an instance.

16. By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours, but you can request a duration as long as _________ hours.

    • 24
    • 36
    • 10
    • 48
    Explanation:
    By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours, but you can request a duration as short as 15 minutes or as long as 36 hours.

17. What RAID method is used on the Cloud Block Storage back-end to implement a very high level of reliability and performance?

    • RAID 1 (Mirror)
    • RAID 5 (Blocks striped, distributed parity)
    • RAID 10 (Blocks mirrored and striped)
    • RAID 2 (Bit level striping)
    Explanation:
    Cloud Block Storage back-end storage volumes employs the RAID 10 method to provide a very high level of reliability and performance.

18. One of the AWS account owners faced a major challenge in June as his account was hacked and the hacker deleted all the data from his AWS account. This resulted in a major blow to the business.

    Which of the below mentioned steps would not have helped in preventing this action?

    • Setup an MFA for each user as well as for the root account user.
    • Take a backup of the critical data to offsite / on premise.
    • Create an AMI and a snapshot of the data at regular intervals as well as keep a copy to separate regions.
    • Do not share the AWS access and secret access keys with others as well do not store it inside programs, instead use IAM roles.
    Explanation:
    AWS security follows the shared security model where the user is as much responsible as Amazon. If the user wants to have secure access to AWS while hosting applications on EC2, the first security rule to follow is to enable MFA for all users. This will add an added security layer. In the second step, the user should never give his access or secret access keys to anyone as well as store inside programs. The better solution is to use IAM roles. For critical data of the organization, the user should keep an offsite/ in premise backup which will help to recover critical data in case of security breach. It is recommended to have AWS AMIs and snapshots as well as keep them at other regions so that they will help in the DR scenario. However, in case of a data security breach of the account they may not be very helpful as hacker can delete that.
    Therefore, creating an AMI and a snapshot of the data at regular intervals as well as keep a copy to separate regions, would not have helped in preventing this action.

19. With Amazon Elastic MapReduce (Amazon EMR) you can analyze and process vast amounts of data. The cluster is managed using an open-source framework called Hadoop. You have set up an application to run Hadoop jobs. The application reads data from DynamoDB and generates a temporary file of 100 TBs.
    The whole process runs for 30 minutes and the output of the job is stored to S3.

    Which of the below mentioned options is the most cost effective solution in this case?

    • Use Spot Instances to run Hadoop jobs and configure them with EBS volumes for persistent data storage.
    • Use Spot Instances to run Hadoop jobs and configure them with ethereal storage for output file storage.
    • Use an on demand instance to run Hadoop jobs and configure them with EBS volumes for persistent storage.
    • Use an on demand instance to run Hadoop jobs and configure them with ephemeral storage for output file storage.
    Explanation:
    AWS EC2 Spot Instances allow the user to quote his own price for the EC2 computing capacity. The user can simply bid on the spare Amazon EC2 instances and run them whenever his bid exceeds the current Spot Price. The Spot Instance pricing model complements the On-Demand and Reserved Instance pricing models, providing potentially the most cost-effective option for obtaining compute capacity, depending on the application. The only challenge with a Spot Instance is data persistence as the instance can be terminated whenever the spot price exceeds the bid price. In the current scenario a Hadoop job is a temporary job and does not run for a longer period. It fetches data from a persistent DynamoDB. Thus, even if the instance gets terminated there will be no data loss and the job can be re-run. As the output files are large temporary files, it will be useful to store data on ethereal storage for cost savings.

20. In Amazon SNS, to send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following, except:

    • Device token
    • Client ID
    • Registration ID
    • Client secret
    Explanation:
    To send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain the following: Registration ID and Client secret.