SAP-C01 : AWS Certified Solutions Architect – Professional : Part 14

  1. You’re trying to delete an SSL certificate from the IAM certificate store, and you’re getting the message “Certificate: <certificate-id> is being used by CloudFront.”

    Which of the following statements is probably the reason why you are getting this error?

    • Before you can delete an SSL certificate you need to set up https on your server.
    • Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM
    • Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.
    • You can’t delete SSL certificates. You need to request it from AWS.
    Explanation:
    CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example .html, .css, .php, and image files, to end users. Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CloudFront certificate.
  2. A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM.

    What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

    • It will deny access
    • It is not possible to set a policy based on the time or IP
    • IAM will throw an error for policy conflict
    • It will allow access
    Explanation:
    When a request is made, the AWS IAM policy evaluation decides whether the request should be allowed or denied. The evaluation logic follows these rules:
    By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
    An explicit allow policy overrides this default.
    An explicit deny policy overrides any allows.
    In this case there are both an explicit deny statement (the request does not come from 10.10.10.1/32) and an explicit allow statement (the request is made between 5 PM and 7 PM). The request will be denied, since an explicit deny overrides an allow.
  3. Do you need to use Amazon Cognito to use the Amazon Mobile Analytics service?

    • No. However, it is recommended by AWS to use Amazon Cognito for security best practices.
    • Yes. You need to use it only if you have IAM root access.
    • No. You cannot use it at all, and you need to use AWS IAM accounts.
    • Yes. It is recommended by AWS to use Amazon Cognito to use Amazon Mobile Analytics service.
    Explanation:
    You can initialize Amazon Mobile Analytics using AWS IAM accounts. AWS recommends using Amazon Cognito for security best practices.
  4. Which of the following AWS services can be used to define alarms to trigger on a certain activity, such as activity success, failure, or delay in AWS Data Pipeline?

    • Amazon SES
    • Amazon CodeDeploy
    • Amazon SNS
    • Amazon SQS
    Explanation:
    In AWS Data Pipeline, you can define Amazon SNS alarms to trigger on activities such as success, failure, or delay by creating an alarm object and referencing it in the onFail, onSuccess, or onLate slots of the activity object.
  5. You want to use Amazon Redshift and you are planning to deploy dw1.8xlarge nodes. What is the minimum amount of nodes that you need to deploy with this kind of configuration?

    • 1
    • 4
    • 3
    • 2
    Explanation:
    For a single-node configuration in Amazon Redshift, the only option available is the smaller of the two node sizes. The 8XL extra-large nodes are only available in a multi-node configuration.
  6. Mike is appointed as Cloud Consultant in ABC.com. ABC has the following VPCs set up in the US East Region:
    A VPC with CIDR block 10.10.0.0/16, with a subnet in that VPC with CIDR block 10.10.1.0/24
    A VPC with CIDR block 10.40.0.0/16, with a subnet in that VPC with CIDR block 10.40.1.0/24
    ABC.com is trying to establish a network connection between two subnets, the subnet with CIDR block 10.10.1.0/24 and the subnet with CIDR block 10.40.1.0/24.

    Which one of the following solutions should Mike recommend to ABC.com?

    • Create 2 Virtual Private Gateways and configure one with each VPC.
    • Create 2 Internet Gateways, and attach one to each VPC.
    • Create a VPC Peering connection between both VPCs.
    • Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and configure a Site-to-Site VPN connection between both EC2 instances.
    Explanation:
    A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
  7. Can Provisioned IOPS be used on RDS instances launched in a VPC?

    • Yes, they can be used only with Oracle based instances.
    • Yes, they can be used for all RDS instances.
    • No
    • Yes, they can be used only with MySQL based instances.
    Explanation:
    The basic building block of Amazon RDS is the DB instance. DB instance storage comes in three types: Magnetic, General Purpose (SSD), and Provisioned IOPS (SSD). When you buy a server, you get CPU, memory, storage, and IOPS, all bundled together. With Amazon RDS, these are split apart so that you can scale them independently. So, for example, if you need more CPU, less IOPS, or more storage, you can easily allocate them.
  8. To get started using AWS Direct Connect, in which of the following steps do you configure Border Gateway Protocol (BGP)?

    • Complete the Cross Connect
    • Configure Redundant Connections with AWS Direct Connect
    • Create a Virtual Interface
    • Download Router Configuration
    Explanation:
    In AWS Direct Connect, your network must support Border Gateway Protocol (BGP) and BGP MD5 authentication, and you need to provide a private Autonomous System Number (ASN) for the connection to Amazon Virtual Private Cloud (VPC). To connect to public AWS products such as Amazon EC2 and Amazon S3, you will also need to provide a public ASN that you own (preferred) or a private ASN. You configure BGP in the Create a Virtual Interface step.
  9. Which of the following components of AWS Data Pipeline polls for tasks and then performs those tasks?

    • Pipeline Definition
    • Task Runner
    • Amazon Elastic MapReduce (EMR)
    • AWS Direct Connect
    Explanation:
    Task Runner polls for tasks and then performs those tasks.
  10. A user is hosting a public website on AWS. The user wants to have the database and the app server on the AWS VPC. The user wants to set up a database that can connect to the Internet for any patch upgrade but cannot receive any request from the internet. How can the user set this up?

    • Setup DB in a private subnet with the security group allowing only outbound traffic.
    • Setup DB in a public subnet with the security group allowing only inbound data.
    • Setup DB in a local data center and use a private gateway to connect the application with DB.
    • Setup DB in a private subnet which is connected to the internet via NAT for outbound.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. AWS provides two features that the user can use to increase security in a VPC: security groups and network ACLs. When the user wants to set up both the DB and the app on a VPC, the user should create one public and one private subnet. The DB should be hosted in the private subnet, whose instances cannot be reached directly from the internet. The user can allow an instance in the private subnet to initiate outbound connections to the internet, while preventing unsolicited inbound connections from the internet, by routing its outbound traffic through a Network Address Translation (NAT) instance.
  11. An organization is setting up their website on AWS. The organization is working on various security measures to be performed on the AWS EC2 instances.

    Which of the below mentioned security mechanisms will not help the organization to avoid future data leaks and identify security weaknesses?

    • Run penetration testing on AWS with prior approval from Amazon.
    • Perform SQL injection for application testing.
    • Perform a Code Check for any memory leaks.
    • Perform a hardening test on the AWS instance.
    Explanation:
    AWS security follows the shared security model, where the user is as much responsible as Amazon. Since Amazon is a public cloud, it is bound to be targeted by hackers. If an organization is planning to host their application on AWS EC2, they should perform the below mentioned security checks as a measure to find any security weaknesses or data leaks:
    Perform penetration testing, as performed by attackers, to find any vulnerability. The organization must obtain approval from AWS before performing penetration testing.
    Perform hardening testing to find whether any unnecessary ports are open.
    Perform SQL injection testing to find any DB security issues.
    Code checks for memory leaks are generally useful when the organization wants to improve application performance, not to find security weaknesses.
  12. In Amazon ElastiCache, the default cache port is:

    • for Memcached 11210 and for Redis 6380.
    • for Memcached 11211 and for Redis 6380.
    • for Memcached 11210 and for Redis 6379.
    • for Memcached 11211 and for Redis 6379.
    Explanation:
    In Amazon ElastiCache, you can specify a new port number for your cache cluster, which by default is 11211 for Memcached and 6379 for Redis.
  13. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345.

    Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet?

    • Destination: 20.0.0.0/0 and Target: 80
    • Destination: 20.0.0.0/0 and Target: i-a12345
    • Destination: 20.0.0.0/24 and Target: i-a12345
    • Destination: 0.0.0.0/0 and Target: i-a12345
    Explanation:
    A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the VPC wizard, AWS creates two route tables and attaches them to the subnets. The main route table, attached to the private subnet, will have the entry “Destination: 0.0.0.0/0 and Target: i-a12345”, which allows all the instances in the private subnet to connect to the internet through the NAT instance.
  14. Which of the following cannot be used to manage Amazon ElastiCache and perform administrative tasks?

    • AWS software development kits (SDKs)
    • Amazon S3
    • ElastiCache command line interface (CLI)
    • AWS CloudWatch
    Explanation:
    CloudWatch is a monitoring tool and doesn’t give users access to manage Amazon ElastiCache.
  15. Which of the following statements is correct about AWS Direct Connect?

    • Connections to AWS Direct Connect require double clad fiber for 1 gigabit Ethernet with Auto Negotiation enabled for the port.
    • An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with.
    • AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 50 gigabit Ethernet cable.
    • To use AWS Direct Connect, your network must be collocated with a new AWS Direct Connect location.
    Explanation:
    AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with, as well as access to other US regions. To use AWS Direct Connect, your network is collocated with an existing AWS Direct Connect location. Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet. Auto Negotiation for the port must be disabled.
  16. Which of the following statements is correct about the number of security groups and rules applicable for an EC2-Classic instance and an EC2-VPC network interface?

    • In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 50 rules to a security group. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 100 rules to a security group.
    • In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 50 rules to a security group. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 100 rules to a security group.
    • In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 100 rules to a security group. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 50 rules to a security group.
    • In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.
    Explanation:
    A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. If you’re using EC2-Classic, you must use security groups created specifically for EC2-Classic. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. If you’re using EC2-VPC, you must use security groups created specifically for your VPC. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.
  17. Is there any way to own a direct connection to Amazon Web Services?

    • No, AWS only allows access from the public Internet.
    • No, you can create an encrypted tunnel to VPC, but you cannot own the connection.
    • Yes, you can via Amazon Dedicated Connection
    • Yes, you can via AWS Direct Connect.
    Explanation:
    AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection in place, you can create virtual interfaces directly to the AWS cloud (for example, to Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3)) and to Amazon Virtual Private Cloud (Amazon VPC), bypassing Internet service providers in your network path.
  18. Identify a true statement about the statement ID (Sid) in IAM.

    • You cannot expose the Sid in the IAM API.
    • You cannot use a Sid value as a sub-ID for a policy document’s ID for services provided by SQS and SNS.
    • You can expose the Sid in the IAM API.
    • You cannot assign a Sid value to each statement in a statement array.
    Explanation:
    The Sid (statement ID) is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In IAM, the Sid is not exposed in the IAM API; you can’t retrieve a particular statement based on this ID.
  19. In Amazon ElastiCache, which of the following statements is correct?

    • When you launch an ElastiCache cluster into an Amazon VPC private subnet, every cache node is assigned a public IP address within that subnet.
    • You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy.
    • If your AWS account supports only the EC2-VPC platform, ElastiCache will never launch your cluster in a VPC.
    • ElastiCache is not fully integrated with Amazon Virtual Private Cloud (VPC).
    Explanation:
    The VPC must allow non-dedicated EC2 instances. You cannot use ElastiCache in a VPC that is configured for dedicated instance tenancy.
  20. An organization has setup RDS with VPC. The organization wants RDS to be accessible from the internet. Which of the below mentioned configurations is not required in this scenario?

    • The organization must enable the parameter in the console which makes the RDS instance publicly accessible.
    • The organization must allow access from the internet in the RDS VPC security group.
    • The organization must set up RDS with a subnet group which has an external IP.
    • The organization must enable the VPC attributes DNS hostnames and DNS resolution.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources, such as RDS, into a virtual network that the user has defined. Subnets are segments of a VPC’s IP address range that the user can designate to a group of VPC resources based on security and operational needs. A DB subnet group is a collection of subnets (generally private) that the user can create in a VPC and which the user assigns to the RDS DB instances. A DB subnet group allows the user to specify a particular VPC when creating DB instances. If the RDS instance is required to be accessible from the internet:
    The organization must ensure that the VPC has the attributes DNS hostnames and DNS resolution enabled.
    The organization must enable the parameter in the console which makes the RDS instance publicly accessible.
    The organization must allow access from the internet in the RDS VPC security group.