SAP-C01 : AWS Certified Solutions Architect – Professional : Part 12

SAP-C01 : AWS Certified Solutions Architect – Professional : Part 12

1. Within an IAM policy, can you add an IfExists condition at the end of a Null condition?

   • Yes, you can add an IfExists condition at the end of a Null condition but not in all Regions.
   • Yes, you can add an IfExists condition at the end of a Null condition depending on the condition.
   • No, you cannot add an IfExists condition at the end of a Null condition.
   • Yes, you can add an IfExists condition at the end of a Null condition.
   Explanation:
   Within an IAM policy, IfExists can be added to the end of any condition operator except the Null condition. It can be used to indicate that conditional comparison needs to happen if the policy key is present in the context of a request; otherwise, it can be ignored.

2. Regarding Identity and Access Management (IAM), Which type of special account belonging to your application allows your code to access Google services programmatically?

   • Service account
   • Simple Key
   • OAuth
   • Code account
   Explanation:
   A service account is a special Google account that can be used by applications to access Google services programmatically. This account belongs to your application or a virtual machine (VM), instead of to an individual end user. Your application uses the service account to call the Google API of a service, so that the users aren’t directly involved.
   A service account can have zero or more pairs of service account keys, which are used to authenticate to Google. A service account key is a public/private key pair generated by Google. Google retains the public key, while the user is given the private key.

3. IAM users do not have permission to create Temporary Security Credentials for federated users and roles by default. In contrast, IAM users can call __________ without the need of any special permissions

   • GetSessionName
   • GetFederationToken
   • GetSessionToken
   • GetFederationName
   Explanation:
   Currently the STS API command GetSessionToken is available to every IAM user in your account without previous permission. In contrast, the GetFederationToken command is restricted and explicit permissions need to be granted so a user can issue calls to this particular Action.

4. An organization is planning to use NoSQL DB for its scalable data needs. The organization wants to host an application securely in AWS VPC.

   What action can be recommended to the organization?

   • The organization should setup their own NoSQL cluster on the AWS instance and configure route tables and subnets.
   • The organization should only use a DynamoDB because by default it is always a part of the default subnet provided by AWS.
   • The organization should use a DynamoDB while creating a table within the public subnet.
   • The organization should use a DynamoDB while creating a table within a private subnet.
   Explanation:
   The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Currently VPC does not support DynamoDB. Thus, if the user wants to implement VPC, he has to setup his own NoSQL DB within the VPC.

5. What happens when Dedicated instances are launched into a VPC?

   • If you launch an instance into a VPC that has an instance tenancy of dedicated, you must manually create a Dedicated instance.
   • If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is created as a Dedicated instance, only based on the tenancy of the instance.
   • If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is automatically a Dedicated instance, regardless of the tenancy of the instance.
   • None of these are true.
   Explanation:
   If you launch an instance into a VPC that has an instance tenancy of dedicated, your instance is automatically a Dedicated instance, regardless of the tenancy of the instance.

6. An organization is setting up RDS for their applications. The organization wants to secure RDS access with VPC.

   Which of the following options is not required while designing the RDS with VPC?

   • The organization must create a subnet group with public and private subnets. Both the subnets can be in the same or separate AZ.
   • The organization should keep minimum of one IP address in each subnet reserved for RDS failover.
   • If the organization is connecting RDS from the internet it must enable the VPC attributes DNS hostnames and DNS resolution.
   • The organization must create a subnet group with VPC using more than one subnet which are a part of separate AZs.
   Explanation:
   A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources, such as RDS into a virtual network that the user has defined. Subnets are segments of a VPC’s IP address range that the user can designate to a group of VPC resources based on security and operational needs. A DB subnet group is a collection of subnets (generally private) that the user can create in a VPC and assign to the RDS DB instances. A DB subnet group allows the user to specify a particular VPC when creating the DB instances.
   Each DB subnet group should have subnets in at least two Availability Zones in a given region. If the RDS instance is required to be accessible from the internet the organization must enable the VPC attributes, DNS hostnames and DNS resolution. For each RDS DB instance that the user runs in a VPC, he should reserve at least one address in each subnet in the DB subnet group for use by Amazon RDS for recovery actions.

7. You create a VPN connection, and your VPN device supports Border Gateway Protocol (BGP).

   Which of the following should be specified to configure the VPN connection?

   • Classless routing
   • Classfull routing
   • Dynamic routing
   • Static routing
   Explanation:
   If you create a VPN connection, you must specify the type of routing that you plan to use, which will depend upon on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), you need to specify dynamic routing when you configure your VPN connection. If your device does not support BGP, you should specify static routing.

8. An organization has developed an application which provides a smarter shopping experience. They need to show a demonstration to various stakeholders who may not be able to access the in premise application so they decide to host a demo version of the application on AWS.
   Consequently, they will need a fixed elastic IP attached automatically to the instance when it is launched.

   In this scenario which of the below mentioned options will not help assign the elastic IP automatically?

   • Write a script which will fetch the instance metadata on system boot and assign the public IP using that metadata.
   • Provide an elastic IP in the user data and setup a bootstrapping script which will fetch that elastic IP and assign it to the instance.
   • Create a controlling application which launches the instance and assigns the elastic IP based on the parameter provided when that instance is booted.
   • Launch instance with VPC and assign an elastic IP to the primary network interface.
   Explanation: EC2 allows the user to launch On-Demand instances. If the organization is using an application temporarily only for demo purposes the best way to assign an elastic IP would be:
   Launch an instance with a VPC and assign an EIP to the primary network interface. This way on every instance start it will have the same IP
   Create a bootstrapping script and provide it some metadata, such as user data which can be used to assign an EIP
   Create a controller instance which can schedule the start and stop of the instance and provide an EIP as a parameter so that the controller instance can check the instance boot and assign an EIP The instance metadata gives the current instance data, such as the public/private IP. It can be of no use for assigning an EIP.

9. An organization is having a VPC for the HR department, and another VPC for the Admin department. The HR department requires access to all the instances running in the Admin VPC while the Admin department requires access to all the resources in the HR department.

   How can the organization setup this scenario?

   • Setup VPC peering between the VPCs of Admin and HR.
   • Setup ACL with both VPCs which will allow traffic from the CIDR of the other VPC.
   • Setup the security group with each VPC which allows traffic from the CIDR of another VPC.
   • It is not possible to connect resources of one VPC from another VPC.
   Explanation:
   A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined.
   A VPC peering connection allows the user to route traffic between the peer VPCs using private IP addresses as if they are a part of the same network.
   This is helpful when one VPC from the same or different AWS account wants to connect with resources of the other VPC.

10. Can a Direct Connect link be connected directly to the Internet?

    • Yes, this can be done if you pay for it.
    • Yes, this can be done only for certain regions.
    • Yes
    • No
    Explanation:
    AWS Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud service. Hence, a Direct Connect link cannot be connected to the Internet directly.

11. ABC has created a multi-tenant Learning Management System (LMS). The application is hosted for five different tenants (clients) in the VPCs of the respective AWS accounts of the tenant. ABC wants to setup a centralized server which can connect with the LMS of each tenant upgrade if required. ABC also wants to ensure that one tenant VPC should not be able to connect to the other tenant VPC for security reasons.

    How can ABC setup this scenario?

    • ABC has to setup one centralized VPC which will peer in to all the other VPCs of the tenants.
    • ABC should setup VPC peering with all the VPCs peering each other but block the IPs from CIDR of the tenant VPCs to deny them.
    • ABC should setup all the VPCs with the same CIDR but have a centralized VPC. This way only the centralized VPC can talk to the other VPCs using VPC peering.
    • ABC should setup all the VPCs meshed together with VPC peering for all VPCs.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. A VPC peering connection allows the user to route traffic between the peer VPCs using private IP addresses as if they are a part of the same network.
    This is helpful when one VPC from the same or different AWS account wants to connect with resources of the other VPC. The organization wants to setup that one VPC can connect with all the other VPCs but all other VPCs cannot connect among each other. This can be achieved by configuring VPC peering where one VPC is peered with all the other VPCs, but the other VPCs are not peered to each other. The VPCs are in the same or a separate AWS account and should not have overlapping CIDR blocks.

12. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24.

    What will happen in this scenario?

    • The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range
    • The second subnet will be created
    • It will throw a CIDR overlaps error
    • It is not possible to create a subnet with the same CIDR as VPC
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. The user can create a subnet with the same size of VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet.

13. True or False: The Amazon ElastiCache clusters are not available for use in VPC at this time.

    • TRUE
    • True, but they are available only in the GovCloud.
    • True, but they are available only on request
    • FALSE
    Explanation:
    Amazon Elasticache clusters can be run in an Amazon VPC. With Amazon VPC, you can define a virtual network topology and customize the network configuration to closely resemble a traditional network that you might operate in your own datacenter. You can now take advantage of the manageability, availability and scalability benefits of Amazon ElastiCache Clusters in your own isolated network. The same functionality of Amazon ElastiCache, including automatic failure detection, recovery, scaling, auto discovery, Amazon CloudWatch metrics, and software patching, are now available in Amazon VPC.

14. In Amazon Redshift, how many slices does a dw2.8xlarge node have?

    • 16
    • 8
    • 32
    • 2
    Explanation:
    The disk storage for a compute node in Amazon Redshift is divided into a number of slices, equal to the number of processor cores on the node. For example, each DW1.XL compute node has two slices, and each DW2.8XL compute node has 32 slices.

15. Identify a true statement about using an IAM role to grant permissions to applications running on Amazon EC2 instances.

    • When AWS credentials are rotated; developers have to update only the root Amazon EC2 instance that uses their credentials.
    • When AWS credentials are rotated, developers have to update only the Amazon EC2 instance on which the password policy was applied and which uses their credentials.
    • When AWS credentials are rotated, you don’t have to manage credentials and you don’t have to worry about long-term security risks.
    • When AWS credentials are rotated, you must manage credentials and you should consider precautions for long-term security risks.
    Explanation:
    Using IAM roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. Because role credentials are temporary and rotated automatically, you don’t have to manage credentials, and you don’t have to worry about long-term security risks.

16. Out of the striping options available for the EBS volumes, which one has the following disadvantage:

    ‘Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you’re mirroring all writes to a pair of volumes, limiting how much you can stripe.’?

    • Raid 1
    • Raid 0
    • RAID 1+0 (RAID 10)
    • Raid 2
    Explanation:
    RAID 1+0 (RAID 10) doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you’re mirroring all writes to a pair of volumes, limiting how much you can stripe.

17. In the context of IAM roles for Amazon EC2, which of the following NOT true about delegating permission to make API requests?

    • You cannot create an IAM role.
    • You can have the application retrieve a set of temporary credentials and use them.
    • You can specify the role when you launch your instances.
    • You can define which accounts or AWS services can assume the role.
    Explanation:
    Amazon designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use.
    Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows: Create an IAM role. Define which accounts or AWS services can assume the role. Define which API actions and resources the application can use after assuming the role. Specify the role when you launch your instances. Have the application retrieve a set of temporary credentials and use them.

18. In the context of Amazon ElastiCache CLI, which of the following commands can you use to view all ElastiCache instance events for the past 24 hours?

    • elasticache-events –duration 24
    • elasticache-events –duration 1440
    • elasticache-describe-events –duration 24
    • elasticache describe-events –source-type cache-cluster –duration 1440
    Explanation:
    In Amazon ElastiCache, the code “aws elasticache describe-events –source-type cache-cluster — duration 1440” is used to list the cache-cluster events for the past 24 hours (1440 minutes).

19. In Amazon Cognito what is a silent push notification?

    • It is a push message that is received by your application on a user’s device that will not be seen by the user.
    • It is a push message that is received by your application on a user’s device that will return the user’s geolocation.
    • It is a push message that is received by your application on a user’s device that will not be heard by the user.
    • It is a push message that is received by your application on a user’s device that will return the user’s authentication credentials.
    Explanation:
    Amazon Cognito uses the Amazon Simple Notification Service (SNS) to send silent push notifications to devices. A silent push notification is a push message that is received by your application on a user’s device that will not be seen by the user.

20. When using Numeric Conditions within IAM, short versions of the available comparators can be used instead of the more verbose versions.

    Which of the following is the short version of the Numeric Condition “NumericLessThanEquals”?

    • numlteq
    • numlteql
    • numltequals
    • numeql
    Explanation:
    When using Numeric Conditions within IAM, short versions of the available comparators can be used instead of the more verbose versions. For instance, numIteq is the short version of NumericLessThanEquals.