[SAP-C01 Dumps Mar2022] Amazon SAP-C01 Dumps Practice Questions

Today, earning AWS Certified Professional SAP-C01 certification is one of the most productive investments to accelerate your career. The Amazon SAP-C01 certification exam is one of the most important exams that many IT aspirants dream of. You must have valid SAP-C01 exam dumps question preparation materials to prepare for the exam.

Pass4itSure Latest version SAP-C01 dumps Mar2022 https://www.pass4itsure.com/aws-solution-architect-professional.html is your best preparation material to ensure you successfully pass the exam and become certified.

Check out the following free SAP-C01 dumps Mar2022 practice questions (1-12)

1.

An organization is undergoing a security audit. The auditor wants to view the AWS VPC configurations as the organization has hosted all the applications in the AWS VPC. The auditor is from a remote place and wants to have access to AWS to view all the VPC records.

How can the organization meet the expectations of the auditor without compromising the security of its AWS infrastructure?

A. The organization should not accept the request as sharing the credentials means compromising security.
B. Create an IAM role that will have read-only access to all EC2 services including VPC and assign that role to the auditor.
C. Create an IAM user who will have read-only access to the AWS VPC and share those credentials with the auditor.
D. The organization should create an IAM user with VPC full access but set a condition that will not allow modifying anything if the request is from any IP other than the organization's data center.

Correct Answer: C

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. The user can create subnets as required within a VPC. The VPC also works with IAM, and the organization can create IAM users who have access to various VPC services. If an auditor wants access to the AWS VPC to verify the rules, the organization should be careful not to share anything that allows updates to the AWS infrastructure.

In this scenario, the expected answer is that the organization creates an IAM user with read-only access to the VPC and shares those credentials with the auditor: a principal limited to ec2:Describe* actions can view the configuration but cannot change it. A few caveats apply in practice. Give the auditor a console password protected by MFA (or short-lived access keys) rather than e-mailing long-lived keys, restrict the source address with an aws:SourceIp condition if the auditor's IP range is known, and delete the user when the audit ends. If the auditor has their own AWS account, a cross-account IAM role that they assume for temporary credentials is the stronger choice, because no long-lived secret leaves the organization. The sample policy, written as a complete policy document, is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeVpnConnections",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeTags",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_IAM.html
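The check below is an added example, not part of the original page or of any AWS tool: it parses a policy document like the auditor policy above and reports every Allow action that is not a Describe, Get or List call, so a "read-only" policy can be verified before its credentials are handed to anyone. Both policy documents in the block are constructed here; the second deliberately mixes a wildcard action and a NotAction statement to show what the check catches.

```python
import json
from typing import List

# Constructed: the read-only auditor policy from the question, as a full document.
AUDITOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeInternetGateways",
            "ec2:DescribeCustomerGateways", "ec2:DescribeVpnGateways",
            "ec2:DescribeVpnConnections", "ec2:DescribeRouteTables",
            "ec2:DescribeAddresses", "ec2:DescribeSecurityGroups",
            "ec2:DescribeNetworkAcls", "ec2:DescribeDhcpOptions",
            "ec2:DescribeTags", "ec2:DescribeInstances",
        ],
        "Resource": "*",
    }],
})

# Constructed: a policy that looks like "just viewing" but grants writes.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:*Tags"],
         "Resource": "*"},
        # NotAction + Allow means "everything except iam:*", a huge grant.
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
    ],
})

# Verbs IAM uses for read-only API operations.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action: str) -> bool:
    """True when every concrete API call the action string can match is a read.

    'ec2:Describe*' qualifies. '*', 'ec2:*' and 'ec2:*Tags' do not, because the
    wildcard could expand to a write such as ec2:CreateTags.
    """
    if ":" not in action:
        return False  # a bare "*" grants every action of every service
    name = action.split(":", 1)[1]
    literal_prefix = name.split("*", 1)[0]  # text before the first wildcard
    return any(literal_prefix.startswith(verb) for verb in READ_ONLY_VERBS)


def find_write_grants(policy_json: str) -> List[str]:
    """Return the Allow grants in a policy that are not provably read-only.

    An Allow statement written with NotAction is reported as a whole, since it
    allows every action except the ones listed.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                findings.append(action)
    return findings


if __name__ == "__main__":
    print("auditor policy write grants:", find_write_grants(AUDITOR_POLICY))
    print("overbroad policy write grants:", find_write_grants(OVERBROAD_POLICY))
```

The check reasons about action names only: it does not evaluate Resource or Condition elements, and it does not know that some read calls return sensitive material (ec2:GetPasswordData, for example). Treat it as a pre-flight lint and use IAM Access Analyzer policy validation as the authoritative review.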

2.

By default, IAM users do not have permission to create temporary security credentials for federated users and roles. In contrast, IAM users can call __ without any special permissions.

A. GetSessionName
B. GetFederationToken
C. GetSessionToken
D. GetFederationName

Correct Answer: C

The STS API action GetSessionToken is available to every IAM user in your account without any explicit permission grant. In contrast, GetFederationToken is restricted, and explicit permissions must be granted before a user can call that action.

Reference: http://docs.aws.amazon.com/STS/latest/UsingSTS/STSPermission.html

3.

What is the role of the PollForTask action when it is called by a task runner in AWS Data Pipeline?

A. It is used to retrieve the pipeline definition.
B. It is used to report the progress of the task runner to AWS Data Pipeline.
C. It is used to receive a task to perform from AWS Data Pipeline.
D. It is used to inform AWS Data Pipeline of the outcome when the task runner completes a task.

Correct Answer: C

Task runners call PollForTask to receive a task to perform from AWS Data Pipeline. If tasks are ready in the work queue, PollForTask returns a response immediately. If no tasks are available in the queue, PollForTask uses long polling and holds on to a poll connection for up to 90 seconds, during which time any newly scheduled tasks are handed to the task agent.

Your remote worker should not call PollForTask again on the same worker group until it receives a response, and this may take up to 90 seconds.
Reference: http://docs.aws.amazon.com/datapipeline/latest/APIReference/API_PollForTask.html

4.

Which of the following is true of an instance profile when an IAM role is created using the console?

A. The instance profile uses a different name.
B. The console gives the instance profile the same name as the role it corresponds to.
C. The instance profile should be created manually by a user.
D. The console creates the role and instance profile as separate actions.

Correct Answer: B

Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the console, the console creates an instance profile automatically and gives it the same name as the role it corresponds to.

If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, and you might give them different names.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

5.

A company is configuring connectivity to a multi-account AWS environment to support application workloads that serve users in a single geographic region. The workloads depend on a highly available, on-premises legacy system deployed across two locations.

It is critical for the AWS workloads to maintain connectivity to the legacy system, and a minimum of 5 Gbps of bandwidth is required. All application workloads within AWS must have connectivity with one another.

Which solution will meet these requirements?

A. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create private virtual interfaces on each connection for each AWS account VPC. Associate the private virtual interface with a virtual private gateway attached to each VPC.

B. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a DX gateway in a central network account and associate it with the virtual private gateways. Create a public virtual interface on each DX connection and associate the interface with the DX gateway.

C. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create a transit gateway and a DX gateway in a central network account. Create a transit virtual interface for each DX interface and associate them with the DX gateway. Create a gateway association between the DX gateway and the transit gateway.

D. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a transit gateway in a central network account and associate it with the virtual private gateways. Create a transit virtual interface on each DX connection and attach the interface to the transit gateway.

Correct Answer: C

Explanation: A DX gateway accepts private and transit virtual interfaces, not public virtual interfaces, so option B cannot be built. Multiple 10 Gbps connections from two DX partners at each of the two on-premises locations remove single points of failure and exceed the 5 Gbps requirement. Transit virtual interfaces terminate on the DX gateway, and the association between the DX gateway and a transit gateway attached to every account's VPC carries the on-premises routes to all of them while also giving the AWS workloads connectivity with one another. Option A uses a single partner and gives no inter-VPC connectivity; option D attaches transit virtual interfaces directly to a transit gateway and associates a transit gateway with virtual private gateways, neither of which is possible.

6.

True or False: "In the context of Amazon ElastiCache, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node."

A. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node since, each has a unique node identifier.

B. True, from the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node.

C. False, you can connect to a cache node, but not to a cluster configuration endpoint.

D. False, you can connect to a cluster configuration endpoint, but not to a cache node.

Correct Answer: B

This is true. From the application's point of view, connecting to the cluster configuration endpoint is no different than connecting directly to an individual cache node.

In the process of connecting to cache nodes, the application resolves the configuration endpoint's DNS name. Because the configuration endpoint maintains CNAME entries for all of the cache nodes, the DNS name resolves to one of the nodes; the client can then connect to that node.

Reference:
http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/AutoDiscovery.HowAutoDiscoveryWorks.html

7.

An AWS partner company is building a service in AWS Organizations using its organization named org1. This service requires the partner company to have access to AWS resources in a customer account, which is in a separate organization named org2.

The company must establish least privilege security access using an API or command-line tool to the customer account.

What is the MOST secure way to allow org1 to access resources in org2?

A. The customer should provide the partner company with their AWS account access keys to log in and perform the required tasks.

B. The customer should create an IAM user and assign the required permissions to the IAM user. The customer should then provide the credentials to the partner company to log in and perform the required tasks.

C. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role's Amazon Resource Name (ARN) when requesting access to perform the required tasks.

D. The customer should create an IAM role and assign the required permissions to the IAM role. The partner company should then use the IAM role's Amazon Resource Name (ARN), including the external ID in the IAM role's trust policy, when requesting access to perform the required tasks.

Correct Answer: D

Explanation: Account access keys or IAM user credentials (options A and B) would have to be handed to another organization, rotated by hand, and cannot be scoped to a single session. A cross-account IAM role gives the partner temporary credentials through sts:AssumeRole with exactly the permissions the customer attached. Option D adds a condition on sts:ExternalId to the role's trust policy: the partner generates a unique external ID for each customer and must present it when assuming the role, so another tenant of the partner's service cannot name this customer's role ARN and have the partner assume it on their behalf (the confused deputy problem). Option C is the same role without that protection.
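The block below is an added example, not code from the original page or from AWS: it models the trust policy of option D together with a simplified version of the STS AssumeRole decision, so the confused-deputy case can be exercised offline. The account IDs and external ID values are made up, and the evaluator ignores SCPs, MFA and every condition key other than sts:ExternalId.

```python
from typing import Optional

PARTNER_ACCOUNT = "111111111111"                # assumed: the partner's (org1) service account
CUSTOMER_ROLE_EXTERNAL_ID = "org1-cust-7f3a9c"   # assumed: ID the partner generated for this customer
ROOT_ARN = "arn:aws:iam::{}:root"


def build_trust_policy(partner_account: str, external_id: Optional[str]) -> dict:
    """Trust policy the customer (org2) attaches to the role the partner will assume.

    With external_id=None this is the plain cross-account trust of option C.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": ROOT_ARN.format(partner_account)},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def sts_would_allow(trust_policy: dict, caller_account: str,
                    presented_external_id: Optional[str]) -> bool:
    """Simplified model of the AssumeRole decision against a trust policy.

    The caller's account must be a listed principal and any sts:ExternalId
    condition must equal the value the caller passed to AssumeRole. Assumes the
    caller is an IAM principal in caller_account that itself has sts:AssumeRole.
    """
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if ROOT_ARN.format(caller_account) not in principals:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and presented_external_id != required:
            continue  # principal matched but the condition failed
        return True
    return False


def partner_assumes(trust_policy: dict, tenant_external_id: str) -> bool:
    """The partner's service always calls from PARTNER_ACCOUNT and presents the
    external ID *it* generated for the tenant making the request, never a value
    the tenant chose. That discipline is what makes the external ID useful."""
    return sts_would_allow(trust_policy, PARTNER_ACCOUNT, tenant_external_id)


def confused_deputy_outcomes() -> dict:
    """A victim customer's role as seen by (a) the victim's own requests routed
    through the partner and (b) an attacker tenant who hands the partner the
    victim's role ARN. Keys name the scenario, values say whether STS allows it."""
    attacker_external_id = "org1-cust-attacker"  # assumed: the partner's ID for the attacker tenant
    with_ext = build_trust_policy(PARTNER_ACCOUNT, CUSTOMER_ROLE_EXTERNAL_ID)
    without_ext = build_trust_policy(PARTNER_ACCOUNT, None)
    return {
        "victim_with_external_id": partner_assumes(with_ext, CUSTOMER_ROLE_EXTERNAL_ID),
        "attacker_with_external_id": partner_assumes(with_ext, attacker_external_id),
        "attacker_without_external_id": partner_assumes(without_ext, attacker_external_id),
        # Right external ID from the wrong account: still denied by the Principal element.
        "other_account_with_right_id": sts_would_allow(with_ext, "333333333333",
                                                       CUSTOMER_ROLE_EXTERNAL_ID),
    }


if __name__ == "__main__":
    for scenario, allowed in confused_deputy_outcomes().items():
        print(f"{scenario}: {'ALLOW' if allowed else 'DENY'}")
```

The third scenario is the one option C leaves open: with no external ID the trust policy only knows "the partner's account", and any tenant who can make the partner's service assume an arbitrary role ARN reaches the victim's resources with the victim's permissions.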

8.

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.

The company's infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.

Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

A. Create a transit gateway in the infrastructure account.

B. Enable resource sharing from the AWS Organizations management account.

C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.

D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.

E. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix-list to associate with the resource share.

Correct Answer: BD

Explanation: AWS Resource Access Manager can share VPC subnets. The infrastructure account that owns the VPC creates the resource share, selects the subnets, and selects the OU that may use them; sharing with an organization or OU first has to be enabled from the Organizations management account (ram enable-sharing-with-aws-organization). Participant accounts can then launch resources into the shared subnets but cannot modify the subnets, route tables or network ACLs, which is exactly the split required. Sharing prefix lists (option E) gives the accounts no network to launch into, and peering duplicate VPCs with the same CIDR (option C) is impossible because peering requires non-overlapping address ranges.

9.

A company has an application that generates a weather forecast that is updated every 15 minutes with an output resolution of 1 billion unique positions, each approximately 20 bytes in size (20 Gigabytes per forecast).

Every hour, the forecast data is globally accessed approximately 5 million times (1,400 requests per second), and up to 10 times more during weather events.

The forecast data is overwritten in every update. Users of the current weather forecast application expect responses to queries to be returned in less than two seconds for each request.

Which design meets the required request rate and response time?

A. Store forecast locations in an Amazon ES cluster. Use an Amazon CloudFront distribution targeting an Amazon API Gateway endpoint with AWS Lambda functions responding to queries as the origin. Enable API caching on the API Gateway stage with a cache-control timeout set for 15 minutes.

B. Store forecast locations in an Amazon EFS volume. Create an Amazon CloudFront distribution that targets an Elastic Load Balancing group of an Auto Scaling fleet of Amazon EC2 instances that have mounted the Amazon EFS volume. Set the cache-control timeout for 15 minutes in the CloudFront distribution.

C. Store forecast locations in an Amazon ES cluster. Use an Amazon CloudFront distribution targeting an API Gateway endpoint with AWS Lambda functions responding to queries as the origin. Create an Amazon Lambda@Edge function that caches the data locally at edge locations for 15 minutes.

D. Store forecast locations in Amazon S3 as individual objects. Create an Amazon CloudFront distribution targeting an Elastic Load Balancing group of an Auto Scaling fleet of EC2 instances, querying the origin of the S3 object. Set the cache-control timeout for 15 minutes in the CloudFront distribution.

Correct Answer: C

Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/lambdaedge-design-best-practices/

10.

Which of the following are AWS storage services? (Choose two.)

A. AWS Relational Database Service (AWS RDS)
B. AWS ElastiCache
C. AWS Glacier
D. AWS Import/Export

Correct Answer: CD

11.

An organization is trying to set up a VPC with Auto Scaling. Which of the configuration steps below is not required to set up Auto Scaling in a VPC?

A. Configure the Auto Scaling group with the VPC ID in which instances will be launched.
B. Configure the Auto Scaling Launch configuration with multiple subnets of the VPC to enable the Multi-AZ feature.
C. Configure the Auto Scaling Launch configuration which does not allow assigning a public IP to instances.
D. Configure the Auto Scaling Launch configuration with the VPC security group.

Correct Answer: B

The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an Auto Scaling group.

Before creating the Auto Scaling group it is recommended that the user creates the Launch configuration. Since it is a VPC, it is recommended to select the parameter which does not allow assigning a public IP to the instances.


The user should also set the VPC security group in the launch configuration and select, in the Auto Scaling group, the subnets where the instances will be launched. High availability comes from choosing subnets in separate Availability Zones.

Reference:
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/autoscalingsubnets.html

12.

A company has a web application that allows users to upload short videos. The videos are stored on Amazon EBS volumes and analyzed by custom recognition software for categorization.

The website contains static content that has variable traffic with peaks in certain months. The architecture consists of Amazon EC2 instances running in an Auto Scaling group for the web application and EC2 instances running in an Auto Scaling group to process an Amazon SQS-queue.

The company wants to re-architect the application to reduce operational overhead using AWS managed services where possible and remove dependencies on third-party software.

Which solution meets these requirements?

A. Use Amazon ECS containers for the web application and Spot instances for the Scaling group that processes the SQS queue. Replace the custom software with Amazon Rekognition to categorize the videos.

B. Store the uploaded videos in Amazon EFS and mount the file system to the EC2 instances for the web application. Process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.

C. Host the web application in Amazon S3. Store the uploaded videos in Amazon S3. Use S3 event notification to publish events to the SQS queue. Process the SQS queue with an AWS Lambda function that calls the Amazon Rekognition API to categorize the videos.

D. Use AWS Elastic Beanstalk to launch EC2 instances in an Auto Scaling group for the application and launch a working environment to process the SQS queue. Replace the custom software with Amazon Rekognition to categorize the videos.

Correct Answer: C

Explanation: Hosting the static site in Amazon S3, storing the uploaded videos in S3 instead of on EBS volumes, and letting S3 event notifications feed the SQS queue that an AWS Lambda function consumes removes every EC2 fleet from the design, and Amazon Rekognition replaces the custom recognition software. Options A, B and D keep EC2 or ECS fleets to patch and scale (and, in A and D, the EBS-based storage), so they reduce operational overhead far less.

In addition, free SAP-C01 dumps Mar2022 PDF format is shared for you to download

Free SAP-C01 Dumps Pdf Question [google drive] https://drive.google.com/file/d/1gGGeMsq3YyCxavxldDOlVIagJ4ieNQmL/view?usp=sharing

After working through the questions above you have a feel for the latest SAP-C01 dumps Mar2022; the full Amazon SAP-C01 dumps https://www.pass4itsure.com/aws-solution-architect-professional.html help you earn your AWS Certified Professional certification.

Past articles about the SAP-C01 exam https://www.examdemosimulation.com/amazon-aws-sap-c01-dumps-pdf-top-trending-exam-questions-update/

Amazon AWS SAP-C01 Dumps PDF Top Trending Exam Questions Update

Passing the Amazon AWS Certified Solutions Architect – Professional (SAP-C01) exam is absolutely challenging! You need the updated AWS SAP-C01 dumps pdf >>> https://www.pass4itsure.com/aws-solution-architect-professional.html (827 SAP-C01 exam questions in total).

This article covers the free SAP-C01 pdf download and the latest SAP-C01 test questions.

AWS SAP-C01 dumps pdf free

Where can I find good practice exams for AWS SAP-C01?

If you are looking for more practice tests to improve your abilities before taking the real exam, try the practice test provided with the Pass4itSure AWS SAP-C01 dumps pdf. Safe, reliable, and the most worry-free.

Free download SAP-C01 pdf format now – Google Drive

SAP-C01 dumps pdf free https://drive.google.com/file/d/1L1UCWyGxzZ0WGsX9hcpsf_QcXG8QSJca/view?usp=sharing

AWS SAP-C01 dumps pdf latest test questions

SAP-C01Q&As

QUESTION 1

An organization is setting up a backup and restore system in AWS for its on-premises system. The organization needs High Availability (HA) and Disaster Recovery (DR) but is okay with a longer recovery time to save costs.

Which of the below-mentioned setup options helps achieve the objective of cost-saving as well as DR in the most effective way?

A. Setup pre-configured servers and create AMIs. Use EIP and Route 53 to quickly switch over to AWS from on-premises.
B. Setup the backup data on S3 and transfer data to S3 regularly using the storage gateway.
C. Setup a small instance with AutoScaling; in case of DR start diverting all the load to AWS from on-premise.
D. Replicate on-premise DB to EC2 at regular intervals and set up a scenario similar to the pilot light.

Correct Answer: B

Explanation: AWS has many solutions for Disaster Recovery(DR) and High Availability(HA). When the organization wants to have HA and DR but is okay to have a longer recovery time they should select the option backup and restore with S3.

The data can be sent to S3 using either Direct Connect, Storage Gateway, or over the internet. The EC2 instance will pick the data from the S3 bucket when started and set up the environment. This process takes longer but is very cost-effective due to the low pricing of S3. In all the other options, the EC2 instance might be running or there will be AMI storage costs.

Thus, it will be a costlier option. In this scenario, the organization should plan appropriate tools to take a backup, plan the retention policy for data, and set up the security of the data.

Reference:
http://d36cz9buwru1tt.cloudfront.net/AWS_Disaster_Recovery.pdf

QUESTION 2

An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module that logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file.

If the application wants to set up a scalable infrastructure which of the below-mentioned options will help achieve this setup?

A. Host the log files on EBS with PIOPS which will have higher I/O.
B. Host logging and the app server on separate servers such that they are both in the same zone.
C. Host logging and the app server on the same instance so that the network latency will be shorter.
D. Create a separate module for logging and using SQS compartmentalize the module such that all calls to logging are asynchronous.

Correct Answer: D

Explanation: The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. The AWS architecture practice recommends compartmentalizing the functionality such that they can both run in parallel without affecting the performance of the main application.

In this scenario, logging takes a longer time due to the large size of the log file. Thus, it is recommended that the organization should separate them out into separate modules and make asynchronous calls among them. This way the application can scale as per the requirement and the performance will not bear the impact of logging.

Reference:
http://www.awsarchitectureblog.com/2014/03/aws-and-compartmentalization.html

QUESTION 3

A user is planning to host a web server as well as an app server on a single EC2 instance which is a part of the public subnet of a VPC.

How can the user set up two separate public IPs and separate security groups for the application server and the web server?

A. Launch VPC with two separate subnets and make the instance a part of both the subnets.
B. Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them.
C. Launch a VPC instance with two network interfaces. Assign a separate security group to each and AWS will assign a separate public IP to them.
D. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subnet.

Correct Answer: B

Explanation:
If you need to host multiple websites (with different IPs) on a single EC2 instance, the following is the
suggested method from AWS.

Launch a VPC instance with two network interfaces.

Assign elastic IPs from the VPC EIP pool to those interfaces (because, when the user has attached more than one network interface to an instance, AWS cannot assign public IPs to them). Assign separate security groups if separate security groups are needed. This scenario also helps for operating network appliances, such as firewalls or load balancers, that have multiple private IP addresses for each network interface.

Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html

QUESTION 4

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis.

Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.

Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?

A. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.

B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.

C. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge (CloudWatch Events) rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.

D. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.

Correct Answer: B

Explanation: An EC2_INSTANCE_TERMINATING lifecycle hook holds the instance in the Terminating:Wait state and emits an EventBridge event. A Lambda function invoked from that event runs the copy script on the instance through Systems Manager Run Command (SendCommand) and then calls CompleteLifecycleAction with CONTINUE, so the instance terminates only after its logs are in S3. Option A's ABANDON followed by a manual terminate defeats the purpose of the hook, option C has no hook at all and therefore cannot act before the instance is gone, and option D expects an SNS notification to call an API by itself, which SNS cannot do without a subscriber such as Lambda.

Reference: https://docs.aws.amazon.com/autoscaling/ec2/userguide/configuring-lifecycle-hook-notifications.html
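As an added example (not from the original page or from AWS documentation), the Lambda logic that option B describes is written out below with the boto3 clients passed in as parameters, so the flow can run offline against a small fake client. The event is constructed to follow the shape of the EventBridge "EC2 Instance-terminate Lifecycle Action" event with made-up IDs; the Systems Manager document name CopyLogsToS3 and its Bucket parameter, the bucket name and the hook name are assumptions.

```python
# Constructed EventBridge event for a termination lifecycle hook (made-up IDs).
SAMPLE_EVENT = {
    "version": "0",
    "id": "12345678-1234-1234-1234-123456789012",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "source": "aws.autoscaling",
    "account": "123456789012",
    "region": "us-east-1",
    "detail": {
        "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
        "AutoScalingGroupName": "web-asg",
        "LifecycleHookName": "flush-logs-on-terminate",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
    },
}

LOG_BUCKET = "central-logs-bucket"   # assumed bucket name
SSM_DOCUMENT = "CopyLogsToS3"         # assumed Command document taking a "Bucket" parameter
TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"


def handle_lifecycle_event(event, ssm, autoscaling):
    """Copy the logs off the instance, then release the lifecycle hook.

    `ssm` and `autoscaling` are boto3 clients in production; they are parameters
    here so the flow can be exercised offline with FakeClient below.
    """
    detail = event["detail"]
    if detail.get("LifecycleTransition") != TERMINATING:
        return {"action": "ignored"}

    instance_id = detail["EC2InstanceId"]
    result = "CONTINUE"
    try:
        resp = ssm.send_command(
            InstanceIds=[instance_id],
            DocumentName=SSM_DOCUMENT,
            Parameters={"Bucket": [LOG_BUCKET]},
            TimeoutSeconds=600,
        )
        # Run Command is asynchronous: block until the document has finished.
        ssm.get_waiter("command_executed").wait(
            CommandId=resp["Command"]["CommandId"], InstanceId=instance_id
        )
    except Exception as exc:
        # The copy failed (agent offline, document error, ...). Record that with
        # ABANDON; for a terminating hook both results let the instance terminate.
        print(f"log copy failed for {instance_id}: {exc}")
        result = "ABANDON"

    autoscaling.complete_lifecycle_action(
        LifecycleHookName=detail["LifecycleHookName"],
        AutoScalingGroupName=detail["AutoScalingGroupName"],
        LifecycleActionToken=detail["LifecycleActionToken"],
        LifecycleActionResult=result,
        InstanceId=instance_id,
    )
    return {"action": result, "instance": instance_id}


def lambda_handler(event, context):
    """Real Lambda entry point; boto3 is imported here so the offline demo needs none."""
    import boto3
    return handle_lifecycle_event(event, boto3.client("ssm"), boto3.client("autoscaling"))


class FakeClient:
    """Minimal stand-in for the two boto3 clients that records every call."""

    def __init__(self, fail_command=False):
        self.calls = []
        self.fail_command = fail_command

    def send_command(self, **kwargs):
        self.calls.append(("send_command", kwargs))
        if self.fail_command:
            raise RuntimeError("InvalidInstanceId: instance not registered with SSM")
        return {"Command": {"CommandId": "11111111-2222-3333-4444-555555555555"}}

    def get_waiter(self, name):
        return self

    def wait(self, **kwargs):
        self.calls.append(("wait", kwargs))

    def complete_lifecycle_action(self, **kwargs):
        self.calls.append(("complete_lifecycle_action", kwargs))
        return {}


def demo(fail_command=False):
    """Run the handler against the constructed event; return outcome and recorded calls."""
    ssm, autoscaling = FakeClient(fail_command), FakeClient()
    outcome = handle_lifecycle_event(SAMPLE_EVENT, ssm, autoscaling)
    return outcome, ssm.calls, autoscaling.calls


if __name__ == "__main__":
    print(demo())
    print(demo(fail_command=True))
```

Two operational notes: the command_executed waiter polls for up to about 100 seconds by default, so the Lambda timeout must exceed that, and the hook's heartbeat timeout (3600 seconds by default) is the ceiling before Auto Scaling proceeds on its own. The Lambda role needs ssm:SendCommand on the document and instances plus autoscaling:CompleteLifecycleAction on the group, and the instance profile needs the Systems Manager core permissions and s3:PutObject on the log bucket.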

QUESTION 5

What is the default maximum number of VPCs allowed per region?

A. 5
B. 10
C. 100
D. 15

Correct Answer: A

Explanation:
The maximum number of VPCs allowed per region is 5.

Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

QUESTION 6

A user is trying to create a vault in AWS Glacier. The user wants to enable notifications.
In which of the below-mentioned options can the user enable the notifications from the AWS console?

A. Glacier does not support the AWS console
B. Archival Upload Complete
C. Vault Upload Job Complete
D. Vault Inventory Retrieval Job Complete

Correct Answer: D

Explanation:
From the AWS console, the user can configure to have notifications sent to Amazon Simple Notifications Service (SNS). The user can select specific jobs that, on completion, will trigger the notifications such as Vault Inventory Retrieval Job Complete and Archive Retrieval Job Complete.

Reference:
http://docs.aws.amazon.com/amazonglacier/latest/dev/configuring-notifications-console.html

QUESTION 7

A company has several Amazon EC2 instances in both public and private subnets within a VPC that is not connected to the corporate network.

A security group associated with the EC2 instances allows the company to use the Windows remote desktop protocol (RDP) over the internet to access the instances. The security team has noticed connection attempts from unknown sources. The company wants to implement a more secure solution to access the EC2 instances.

Which strategy should a solutions architect implement?

A. Deploy a Linux bastion host on the corporate network that has access to all instances in the VPC.
B. Deploy AWS Systems Manager Agent on the EC2 instances. Access the EC2 instances using Session Manager restricting access to users with permission.
C. Deploy a Linux bastion host with an Elastic IP address in the public subnet. Allow access to the bastion host from 0.0.0.0/0.
D. Establish a Site-to-Site VPN connecting the corporate network to the VPC. Update the security groups to allow access from the corporate network only.

Correct Answer: B

Explanation: The VPC is not connected to the corporate network, so a bastion host on the corporate network (option A) has no path to the instances, and a Site-to-Site VPN (option D) would first have to build one. A bastion open to 0.0.0.0/0 (option C) only moves the exposed port. With the Systems Manager Agent installed and an instance profile that lets it register, Session Manager gives IAM-controlled, logged access (a shell, or RDP through Session Manager port forwarding) over the agent's outbound connection, so the security group no longer needs any inbound rule from the internet and the unknown connection attempts stop reaching the instances.

QUESTION 8

A group of research institutions and hospitals are in a partnership to study 2 PBs of genomic data. The institute that owns the data stores it in an Amazon S3 bucket and updates it regularly. The institute would like to give all of the organizations in the partnership read access to the data. All members of the partnership are extremely cost-conscious, and the institute that owns the account with the S3 bucket is concerned about covering the costs for requests and data transfers from Amazon S3.

Which solution allows for secure data sharing without causing the institute that owns the bucket to assume all the costs for S3 requests and data transfers?

A. Ensure that all organizations in the partnership have AWS accounts. In the account with the S3 bucket, create a cross-account role for each account in the partnership that allows read access to the data. Have the organizations assume and use that read role when accessing the data.

B. Ensure that all organizations in the partnership have AWS accounts. Create a bucket policy on the bucket that owns the data. The policy should allow the accounts in the partnership to read access to the bucket. Enable Requester Pays on the bucket. Have the organizations use their AWS credentials when accessing the data.

C. Ensure that all organizations in the partnership have AWS accounts. Configure buckets in each of the accounts with a bucket policy that allows the institute that owns the data the ability to write to the bucket. Periodically sync the data from the institute's account to the other organizations. Have the organizations use their AWS credentials when accessing the data using their accounts.

D. Ensure that all organizations in the partnership have AWS accounts. In the account with the S3 bucket, create a cross-account role for each account in the partnership that allows read access to the data. Enable Requester Pays on the bucket. Have the organizations assume and use that read role when accessing the data.

Correct Answer: B

Explanation: With Requester Pays enabled on the bucket, the account whose credentials sign the request is charged for the request and the data transfer instead of the bucket owner; requests must be authenticated (anonymous access is refused) and carry the x-amz-request-payer header. A bucket policy that grants the partner accounts s3:GetObject and s3:ListBucket, with each organization using its own credentials, therefore gives read access while shifting the cost. If the partners assume a role in the institute's account (options A and D), the requests are made by an identity in the bucket owner's account and the institute is still billed even with Requester Pays. Copying 2 PB into every partner account (option C) multiplies storage cost for everyone.

QUESTION 9

A company has used infrastructure as code (IaC) to provision a set of two Amazon EC2 instances. The instances have remained the same for several years.

The company's business has grown rapidly in the past few months. In response, the company's operations team has implemented an Auto Scaling group to manage the sudden increases in traffic. Company policy requires a monthly installation of security updates on all operating systems that are running.

The most recent security update required a reboot. As a result, the Auto Scaling group terminated the instances and replaced them with new, unpatched instances.

Which combination of steps should a solutions architect recommend to avoid a recurrence of this issue? (Choose two.)

A. Modify the Auto Scaling group by setting the Update policy to target the oldest launch configuration for replacement.

B. Create a new Auto Scaling group before the next patch maintenance. During the maintenance window, patch both groups and reboot the instances.

C. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure monitoring to ensure that target group health checks return healthy after the Auto Scaling group replaces the terminated instances.

D. Create automation scripts to patch an AMI, update the launch configuration, and invoke an Auto Scaling instance refresh.

E. Create an Elastic Load Balancer in front of the Auto Scaling group. Configure termination protection on the instances.

Correct Answer: CD

Explanation: Instances launched by an Auto Scaling group come from the AMI in its launch configuration or launch template, so patches applied to running instances are lost whenever the group replaces them. The durable fix is to bake the patches into a new AMI, point the launch configuration at it, and start an instance refresh so the group rolls the fleet onto the patched image (option D). A load balancer with target group health checks in front of the group (option C) lets the refresh replace instances without dropping traffic and confirms that the new instances are healthy. Option A describes a setting that does not exist, option B doubles the fleet without fixing the image, and EC2 termination protection (option E) does not stop Amazon EC2 Auto Scaling from terminating instances.

Reference: https://medium.com/@endofcake/using-terraform-for-zero-downtime-updates-of-an-autoscaling-group-inaws-60faca582664 https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html

QUESTION 10

In Amazon Cognito what is a silent push notification?

A. It is a push message that is received by your application on a user's device that will not be seen by the user.
B. It is a push message that is received by your application on a user's device that will return the user's geolocation.
C. It is a push message that is received by your application on a user's device that will not be heard by the user.
D. It is a push message that is received by your application on a user's device that will return the user's authentication credentials.

Correct Answer: A

Explanation:
Amazon Cognito uses the Amazon Simple Notification Service (SNS) to send silent push notifications to devices. A silent push notification is a push message that is received by your application on a user's device that will not be seen by the user.

Reference:
http://aws.amazon.com/cognito/faqs/

QUESTION 11

A solutions architect is implementing federated access to AWS for users of the company's mobile application. Due to regulatory and security requirements, the application must use a custom-built solution for authenticating users and must use IAM roles for authorization.

Which of the following actions would enable authentication and authorization and satisfy the requirements? (Choose two.)

A. Use a custom-built SAML-compatible solution for authentication and AWS SSO for authorization.
B. Create a custom-built LDAP connector using Amazon API Gateway and AWS Lambda for authentication. Store authorization tokens in Amazon DynamoDB, and validate authorization requests using another Lambda function that reads the credentials from DynamoDB.
C. Use a custom-built OpenID Connect-compatible solution with AWS SSO for authentication and authorization.
D. Use a custom-built SAML-compatible solution that uses LDAP for authentication and uses a SAML assertion to perform authorization to the IAM identity provider.
E. Use a custom-built OpenID Connect-compatible solution for authentication and use Amazon Cognito for authorization.

Correct Answer: AC

QUESTION 12

A company has a complex web application that leverages Amazon CloudFront for global scalability and performance. Over time, users report that the web application is slowing down.

The company's operations team reports that the CloudFront cache hit ratio has been dropping steadily.

The cache metrics report indicates that query strings on some URLs are inconsistently ordered and are specified sometimes in mixed-case letters and sometimes in lowercase letters.

Which set of actions should the solutions architect take to increase the cache hit ratio as quickly as possible?

A. Deploy a Lambda@Edge function to sort parameters by name and force them to be lowercase. Select the CloudFront viewer request trigger to invoke the function.
B. Update the CloudFront distribution to disable caching based on query string parameters.
C. Deploy a reverse proxy after the load balancer to post-process the emitted URLs in the application to force the URL strings to be lowercase.
D. Update the CloudFront distribution to specify case-insensitive query string processing.

Correct Answer: B

Thank you also for using our practice test! You can check out our other free Amazon AWS practice tests for your next exam here https://www.examdemosimulation.com/category/amazon-exam-practice-test/

Summary

The AWS Certified Professional exam is hard, but it is not the hardest exam. As I said at the beginning, with a really in-depth understanding of the SAP-C01 dumps pdf it is very easy.

Full SAP-C01 dumps pdf https://www.pass4itsure.com/aws-solution-architect-professional.html (SAP-C01 PDF +SAP-C01 VCE)

You can fully trust Pass4itSure: with years of exam experience, it always offers the latest exam practice tests to help you get through.

Have a great 2022 ahead!

[2021.2] Valid Amazon AWS SAP-C01 Practice Questions Free Share From Pass4itsure

Amazon AWS SAP-C01 is difficult. But with the Pass4itsure SAP-C01 dumps https://www.pass4itsure.com/aws-solution-architect-professional.html preparation material, a candidate can pass it easily. In the SAP-C01 practice tests, you practice on questions in the same style as the actual exam. If you master the tricks you gain through practice, it will be easier to achieve your target score.

Amazon AWS SAP-C01 pdf free https://drive.google.com/file/d/1rvcv8bzmT_m1RuqIZFwAjwaO3qpYIiZ_/view?usp=sharing

Latest Amazon AWS SAP-C01 practice exam questions here:

QUESTION 1
An organization is planning to use a NoSQL DB for its scalable data needs. The organization wants to host an application securely in AWS VPC. What action can be recommended to the organization?
A. The organization should set up their own NoSQL cluster on the AWS instance and configure route tables and subnets.
B. The organization should only use DynamoDB because by default it is always a part of the default subnet provided by AWS.
C. The organization should use DynamoDB while creating a table within the public subnet.
D. The organization should use DynamoDB while creating a table within a private subnet.
Correct Answer: A
The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Currently VPC does not support DynamoDB. Thus, if the user wants to implement VPC, he has to set up his own NoSQL DB within the VPC.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html


QUESTION 2
When using the AWS CLI for AWS CloudFormation, which of the following commands returns a description of the specified resource in the specified stack?
A. describe-stack-events
B. describe-stack-resource
C. create-stack-resource
D. describe-stack-returns
Correct Answer: B
AWS CLI, cloudformation describe-stack-resource, description:
Returns a description of the specified resource in the specified stack. For deleted stacks, describe-stack-resource returns resource information for up to 90 days after the stack has been deleted.
Reference: http://docs.aws.amazon.com/cli/latest/reference/cloudformation/describe-stack-resource.html

QUESTION 3
A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24.
Which of the below mentioned entries are required in the main route table to allow the instances in the VPC to communicate with each other?
A. Destination : 20.0.0.0/0 and Target : ALL
B. Destination : 20.0.0.0/16 and Target : Local
C. Destination : 20.0.0.0/24 and Target : Local
D. Destination : 20.0.0.0/16 and Target : ALL
Correct Answer: B
A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created public and private subnets, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the Wizard, AWS will create two route tables and attach them to the subnets. The main route table will have the entry "Destination: 20.0.0.0/16 and Target: Local", which allows all instances in the VPC to communicate with each other.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

QUESTION 4
What bandwidths does AWS Direct Connect currently support?
A. 10Mbps and 100Mbps
B. 10Gbps and 100Gbps
C. 100Mbps and 1Gbps
D. 1Gbps and 10 Gbps
Correct Answer: D
AWS Direct Connect currently supports 1 Gbps and 10 Gbps.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

QUESTION 5
A solutions architect needs to advise a company on how to migrate its on-premises data processing application to the AWS Cloud. Currently, users upload input files through a web portal. The web server then stores the uploaded files on NAS and messages the processing server over a message queue. Each media file can take up to 1 hour to process.
The company has determined that the number of media files awaiting processing is significantly higher during business hours, with the number of files rapidly declining after business hours.
What is the MOST cost-effective migration recommendation?
A. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. When there are messages in the queue, invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in an Amazon S3 bucket.
B. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue, create a new Amazon EC2 instance to pull requests from the queue and process the files. Store the processed files in Amazon EFS. Shut down the EC2 instance after the task is complete.
C. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue, invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in Amazon EFS.
D. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2 Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the processed files in an Amazon S3 bucket.
Correct Answer: D

QUESTION 6
You have a periodic image analysis application that gets some files as input, analyzes them and, for each file, writes some data as output to a text file. The number of input files per day is high and concentrated in a few hours of the day. Currently you have a server on EC2 with a large EBS volume that hosts the input data and the results. It takes almost 20 hours per day to complete the process.
What services could be used to reduce the elaboration time and improve the availability of the solution?
A. S3 to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.
B. EBS with Provisioned IOPS (PIOPS) to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications.
C. S3 to store I/O files. SNS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the number of SNS notifications.
D. EBS with Provisioned IOPS (PIOPS) to store I/O files. SQS to distribute elaboration commands to a group of hosts working in parallel. Auto Scaling to dynamically size the group of hosts depending on the length of the SQS queue.
Correct Answer: D
Amazon EBS allows you to create storage volumes and attach them to Amazon EC2 instances. Once attached, you can create a file system on top of these volumes, run a database, or use them in any other way you would use a block device. Amazon EBS volumes are placed in a specific Availability Zone, where they are automatically replicated to protect you from the failure of a single component. Amazon EBS provides three volume types: General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic. The three volume types differ in performance characteristics and cost, so you can choose the right storage performance and price for the needs of your applications. All EBS volume types offer the same durable snapshot capabilities and are designed for 99.999% availability.

QUESTION 7
An ecommerce website running on AWS uses an Amazon RDS for MySQL DB instance with General Purpose SSD storage. The developers chose an appropriate instance type based on demand, and configured 100 GB of storage with a sufficient amount of free space.
The website was running smoothly for a few weeks until a marketing campaign launched. On the second day of the campaign, users reported long wait times and timeouts. Amazon CloudWatch metrics indicated that both reads and writes to the DB instance were experiencing long response times. The CloudWatch metrics show 40% to 50% CPU and memory utilization, and sufficient free storage space is still available. The application server logs show no evidence of database connectivity issues.
What could be the root cause of the issue with the marketing campaign?
A. It exhausted the I/O credit balance due to provisioning low disk storage during the setup phase.
B. It caused the data in the tables to change frequently, requiring indexes to be rebuilt to optimize queries.
C. It exhausted the maximum number of allowed connections to the database instance.
D. It exhausted the network bandwidth available to the RDS for MySQL DB instance.
Correct Answer: C


QUESTION 8
An AWS account owner has set up multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has set up an alarm action that stops EC2 instances when their CPU utilization is below the threshold limit.
When an EC2 instance's CPU utilization rate drops below the threshold John has set, what will happen and why?
A. CloudWatch will stop the instance when the action is executed.
B. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.
C. Nothing will happen. John can set up the action, but it will not be executed because he does not have EC2 access through IAM policies.
D. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm.
Correct Answer: C
Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can set up an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.
Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingAlarmActions.html

QUESTION 9
A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.
In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service, running on EC2 instances behind a Network Load Balancer (NLB), is deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.
Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)
A. Check that the NACL attached to the logging service subnet allows communications to and from the NLB subnets. Check that the NACL attached to the NLB subnet allows communications to and from the logging service subnets running on EC2 instances.
B. Check that the NACL attached to the logging service subnets allows communications to and from the interface endpoint subnets. Check that the NACL attached to the interface endpoint subnet allows communications to and from the logging service subnets running on EC2 instances.
C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.
D. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the clients.
E. Check the security group for the NLB to ensure it allows ingress from the interface endpoint subnets.
Correct Answer: DE

QUESTION 10
A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to support a canary release.
Which solution will meet these requirements?
A. Create an alias for every new deployed version of the Lambda function. Use the AWS CLI update-alias command with the routing-config parameter to distribute the load.
B. Deploy the application into a new CloudFormation stack. Use an Amazon Route 53 weighted routing policy to distribute the load.
C. Create a version for every new deployed Lambda function. Use the AWS CLI update-function-configuration command with the routing-config parameter to distribute the load.
D. Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment configuration to distribute the load.
Correct Answer: C

QUESTION 11
A user is configuring MySQL RDS with PIOPS. What should be the minimum size of DB storage provided by the user?
A. 1 TB
B. 50 GB
C. 5 GB
D. 100 GB
Correct Answer: D
If the user is trying to enable PIOPS with MySQL RDS, the minimum size of storage should be 100 GB.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PIOPS.html


QUESTION 12
If you have a running instance using an Amazon EBS boot partition, you can call the _______ API to release the compute resources but preserve the data on the boot partition.
A. Stop Instances
B. Terminate Instances
C. AMI Instance
D. Ping Instance
Correct Answer: A
If you have a running instance using an Amazon EBS boot partition, you can also call the Stop Instances API to release the compute resources but preserve the data on the boot partition.
Reference: https://aws.amazon.com/ec2/faqs/#How_quickly_will_systems_be_running

QUESTION 13
A three-tier web application runs on Amazon EC2 instances. Cron daemons are used to trigger scripts that collect the web server, application, and database logs and send them to a centralized location every hour. Occasionally, scaling events or unplanned outages have caused the instances to stop before the latest logs were collected, and the log files were lost.
Which of the following options is the MOST reliable way of collecting and preserving the log files?
A. Update the cron jobs to run every 5 minutes instead of every hour to reduce the possibility of log messages being lost in an outage.
B. Use Amazon CloudWatch Events to trigger Amazon Systems Manager Run Command to invoke the log collection scripts more frequently to reduce the possibility of log messages being lost in an outage.
C. Use the Amazon CloudWatch Logs agent to stream log messages directly to CloudWatch Logs. Configure the agent with a batch count of 1 to reduce the possibility of log messages being lost in an outage.
D. Use Amazon CloudWatch Events to trigger AWS Lambda to SSH into each running instance and invoke the log collection scripts more frequently to reduce the possibility of log messages being lost in an outage.
Correct Answer: C
Reference: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html


Welcome to download the valid Pass4itsure SAP-C01 pdf

Free download (Google Drive)
Amazon AWS SAP-C01 pdf https://drive.google.com/file/d/1rvcv8bzmT_m1RuqIZFwAjwaO3qpYIiZ_/view?usp=sharing

Summary:

New Amazon SAP-C01 exam questions from the Pass4itsure SAP-C01 dumps! Welcome to download the newest Pass4itsure SAP-C01 dumps https://www.pass4itsure.com/aws-solution-architect-professional.html (708 Q&As): the latest verified SAP-C01 practice test questions with relevant answers.

Amazon AWS SAP-C01 dumps pdf free share https://drive.google.com/file/d/1rvcv8bzmT_m1RuqIZFwAjwaO3qpYIiZ_/view?usp=sharing


Free AWS Certified Specialty Exam Readiness | New ANS-C00 Dumps Pdf

I’ve answered some questions about Amazon ANS-C00 certification on this blog and provided some learning materials: free AWS ANS-C00 dumps pdf and questions! Helps you pass the difficult AWS Certified Advanced Networking – Specialty (ANS-C00) exam.

Why do some say that Amazon ANS-C00 is the only “00” certification?

Regular observers of Amazon certifications will notice that most certification exams from AWS end in 01 (such as SAP-C01). ANS-C00 is the single exception, the only "00" certification. That also shows that it is special, and passing it will set you apart.

How to pass the AWS Certified Advanced Networking – Specialty (ANS-C00) exam?

This is definitely a hard certificate to pass! It takes more effort from you. Learning with the Pass4itSure ANS-C00 dumps pdf will let you do more with less. Get the new ANS-C00 dumps pdf today to pass the exam >> https://www.pass4itsure.com/aws-certified-advanced-networking-specialty.html (ANS-C00 PDF + ANS-C00 VCE).

Please read on…

Free AWS ANS-C00 dumps pdf [google drive] download

AWS ANS-C00 exam pdf https://drive.google.com/file/d/1Ev6EmPoWI0m7ZNfzu67VP-2-aecCB-7Q/view?usp=sharing

2022 latest AWS Certified Specialty ANS-C00 practice tests

The correct answers are listed at the end, separated from the questions, making it easier for you to test your ability.

QUESTION 1

A company is deploying a non-web application on an Elastic Load Balancing. All targets are servers located on-premises that can be accessed by using AWS Direct Connect.

The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

How can this requirement be achieved?

A. Use a Network Load Balancer to automatically preserve the source IP address.
B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
C. Use a Network Load Balancer and enable the ProxyProtocol attribute.
D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.

QUESTION 2

To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files

A. SSE-S3
B. SCE-KMS
C. SCE-S3
D. SSE-KMS

Explanation: By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.

Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-withaws-kms.html

QUESTION 3

DNS name resolution must be provided for services in the following four zones: The contents of these zones are not considered sensitive, however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.

How can you use Amazon route 53 to meet these requirements?

A. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.
B. Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.
C. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward
D. Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPC DNS Resolver to forward

QUESTION 4

A network engineer has configured a private hosted zone using Amazon Route 53. The engineer needs to configure health checks for recordsets within the zone that are associated with instances.
How can the engineer meet the requirements?

A. Configure a Route 53 health check to a private IP associated with the instances inside the VPC to be checked.
B. Configure a Route 53 health check pointing to an Amazon SNS topic that notifies an Amazon CloudWatch alarm when the Amazon EC2 StatusCheckFailed metric fails.
C. Create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm.
D. Create a CloudWatch alarm for the StatusCheckFailed metric and choose to Recover this instance, selecting a threshold value of 1.

QUESTION 5

A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required.

What should the network engineer do to meet these requirements?

A. Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
B. Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
C. Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.
D. Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

QUESTION 6

A company is running services in a VPC with a CIDR block of 10.5.0.0/22. End users report that they no longer can provision new resources because some of the subnets in the VPC have run out of IP addresses.

How should a network engineer resolve this issue?

A. Add 10.5.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block and provision new resources in the new subnet.
B. Add 10.5.4.0/21 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.
C. Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.
D. Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block and provision new resources in the new subnet.

Explanation: To connect to public AWS products such as Amazon EC2 and Amazon S3 through the AWS Direct Connect, you need to provide the following: A public Autonomous System Number (ASN) that you own (preferred) or a private ASN. Public IP addresses (/30) (that is, one for each end of the BGP session) for each BGP session. The public routes that you will advertise over BGP.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

QUESTION 8

You have a DX connection and a VPN connection as backup for your 10.0.0.0/16 network. You just received a letter indicating that the colocation provider hosting the DX connection will be undergoing maintenance soon. It is critical that you do not experience any downtime or latency during this period.
What is the best course of action?

A. Configure the VPN as a static VPN instead of a dynamic one.
B. Configure AS_PATH Prepending on the DX connection to make it the less preferred path.
C. Advertise 10.0.0.0/9 and 10.128.0.0/9 over your VPN connection.
D. None of the above.

Explanation:
A more specific route is the only way to force AWS to prefer a VPN connection over a DX connection. A /9 is not more specific than a /16.

QUESTION 9

Which statement is NOT true about accessing a remote AWS region in the US from your AWS Direct Connect location in the US?

A. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
B. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.
C. If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.
D. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.

Explanation:
AWS Direct Connect locations in the United States can access public resources in any US region. You can use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.

To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in the US. You can then also establish a VPN connection to your VPC in the remote region. Any data transfer out of a remote region is billed at the remote region data transfer rate.

Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/remote_regions.html

QUESTION 10

Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot.

You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?

A. Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
B. Configure an outbound rule on the application server instance security group for the Git repository.
C. Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
D. Configure an inbound rule on the application server instance security group for the Git repository.

Explanation: The traffic leaves the instance destined for the Git repository; at this point, the security group must allow it through. The route then directs that traffic (based on the destination IP) to the NAT gateway.

A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway. C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway. D is wrong because allowing outgoing traffic to the Git repository requires an outbound security group rule.

QUESTION 11

What is the maximum size of a response body that Amazon CloudFront will return to the viewer?

A. Unlimited
B. 5 GB
C. 100 MB
D. 20 GB

Explanation:
The maximum size of a response body that CloudFront will return to the viewer is 20 GB.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorS3Origin.html#ResponseBehaviorS3Origin

QUESTION 12

An organization processes consumer information submitted through its website. The organization's security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received.

The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role.

Which combination of services will support these requirements? (Choose two.)

A. Amazon Aurora in a private subnet
B. Amazon CloudFront using AWS [email protected]
C. Customer-managed MySQL with Transparent Data Encryption
D. Application Load Balancer using HTTPS listeners and targets
E. AWS Key Management Services

References: https://noise.getoto.net/tag/aws-kms/

Correct answers

Q1: D
Q2: D
Q3: D
Q4: A
Q5: A
Q6: D
Q7: B
Q8: D
Q9: D
Q10: B
Q11: D
Q12: CE

For your next AWS exam, you can check out our other free AWS tests here: https://www.examdemosimulation.com/category/amazon-exam-practice-test/

Start with the Pass4itSure ANS-C00 dumps pdf today >> https://www.pass4itsure.com/aws-certified-advanced-networking-specialty.html. With the full set of ANS-C00 questions, all that's left is to practice hard. Come on, the AWS Certified Specialty certification is calling you.

Hope this helps someone studying for this exam!