The latest Amazon SAP-C01 dumps by Lead4Pass helps you pass the SAP-C01 exam for the first time! Lead4Pass
Latest Update Amazon SAP-C01 VCE Dump and SAP-C01 PDF Dumps, Lead4Pass SAP-C01 Exam Questions Updated, Answers corrected!
Get the latest Lead4Pass SAP-C01 dumps with Vce and PDF: https://www.leads4pass.com/aws-solution-architect-professional.html (Q&As: 684 dumps)
[Free SAP-C01 PDF] Latest Amazon SAP-C01 Dumps PDF collected by Lead4pass Google Drive:
https://drive.google.com/file/d/1hGM4QvNzLiC8NnOb66vga0X5SbJOYSlD/
[Lead4pass SAP-C01 Youtube] Amazon SAP-C01 Dumps can be viewed on Youtube shared by Lead4Pass
Latest Amazon SAP-C01 Exam Practice Questions and Answers
QUESTION 1
You\\’ve been brought in as solutions architect to assist an enterprise customer with their migration of an e-commerce
platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3-tier VPC.
The configuration is as follows: VPC: vpc-2f8bc447 IGW: igw-2d8bc445 NACL: ad-208bc448 Subnets and Route
Tables: Web servers: subnet-258bc44d Application servers: subnet-248bc44c Database servers: subnet-9189c6f9
Route Tables: rrb-218bc449 rtb-238bc44b Associations: subnet-258bc44d : rtb-218bc449 subnet-248bc44c :
rtb-238bc44b subnet-9189c6f9 : rtb-238bc44b
You are now ready to begin deploying EC2 instances into the VPC Web servers must have direct access to the internet
Application and database servers cannot have direct access to the internet.
Which configuration below will allow you the ability to remotely administer your application and database servers, as
well as allow these servers to retrieve updates from the Internet?
A. Create a bastion and NAT instance in subnet-258bc44d, and add a route from rtb- 238bc44b to the NAT instance.
B. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within subnet-248bc44c.
C. Create a bastion and NAT instance in subnet-248bc44c, and add a route from rtb- 238bc44b to subnet-258bc44d.
D. Create a bastion and NAT instance in subnet-258bc44d, add a route from rtb-238bc44b to Igw-2d8bc445, and a new
NACL that allows access between subnet-258bc44d and subnet-248bc44c.
Correct Answer: A
QUESTION 2
A user has created a MySQL RDS instance with PIOPS. Which of the below mentioned statements will help user
understand the advantage of PIOPS?
A. The user can achieve additional dedicated capacity for the EBS I/O with an enhanced RDS option
B. It uses a standard EBS volume with optimized configuration the stacks
C. It uses optimized EBS volumes and optimized configuration stacks
D. It provides a dedicated network bandwidth between EBS and RDS
Correct Answer: C
RDS DB instance storage comes in two types: standard and provisioned IOPS. Standard storage is allocated on the
Amazon EBS volumes and connected to the user\\’s DB instance. Provisioned IOPS uses optimized EBS volumes and
an optimized configuration stack. It provides additional, dedicated capacity for the EBS I/O.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
QUESTION 3
A company manages more than 200 separate internet-facing web applications. All of the applications are deployed to
AWS in a single AWS Region. The fully qualified domain names (FQDNs) of all of the applications are made available
through HTTPS using Application Load Balancers (ALBs). The ALBs are configured to use public SSL/TLS certificates.
A Solutions Architect needs to migrate the web applications to a multi-region architecture. All HTTPS services should
continue to work without interruption.
Which approach meets these requirements?
A. Request a certificate for each FQDN using AWS KMS. Associate the certificates with the ALBs in the primary AWS
Region. Enable cross-region availability in AWS KMS for the certificates and associate the certificates with the ALBs in
the secondary AWS Region.
B. Generate the key pairs and certificate requests for each FQDN using AWS KMS. Associate the certificates with the
ALBs in both the primary and secondary AWS Regions.
C. Request a certificate for each FQDN using AWS Certificate Manager. Associate the certificates with the ALBs in both
the primary and secondary AWS Regions.
D. Request certificates for each FQDN in both the primary and secondary AWS Regions using AWS Certificate
Manager. Associate the certificates with the corresponding ALBs in each AWS Region.
Correct Answer: D
Certificates in ACM are regional resources. To use a certificate with Elastic Load Balancing for the same fully qualified
domain name (FQDN) or set of FQDNs in more than one AWS region, you must request or import a certificate for each
region. For certificates provided by ACM, this means you must revalidate each domain name in the certificate for each
region. You cannot copy a certificate between regions.
Reference: https://docs.aws.amazon.com/acm/latest/userguide/acm-regions.html
QUESTION 4
A large company with hundreds of AWS accounts has a newly established centralized internal process for purchasing
new or modifying existing Reserved Instances. This process requires all business units that want to purchase or modify
Reserved Instances to submit requests to a dedicated team for procurement or execution. Previously, business units
would directly purchase or modify Reserved Instances in their own respective AWS accounts autonomously.
Which combination of steps should be taken to proactively enforce the new process in the MOST secure way possible?
(Choose two.)
A. Ensure all AWS accounts are part of an AWS Organizations’ structure operating in all features mode.
B. Use AWS Config to report on the attachment of an IAM policy that denies access to the
ec2:PurchaseReservedInstancesOffering and ec2:ModifyReservedInstances actions.
C. In each AWS account, create an IAM policy with a DENY rule to the ec2:PurchaseReservedInstancesOffering and
ec2:ModifyReservedInstances actions.
D. Create an SCP that contains a deny rule to the ec2:PurchaseReservedInstancesOffering and
ec2:ModifyReservedInstances actions. Attach the SCP to each organizational unit (OU) of the AWS Organizations’
structure.
E. Ensure that all AWS accounts are part of an AWS Organizations structure operating in consolidated billing features
mode.
Correct Answer: CE
QUESTION 5
A Solutions Architect must establish a patching plan for a large mixed fleet of Windows and Linux servers. The patching plan must be implemented securely, be audit-ready, and comply with the company\\’s business requirements.
Which option will meet these requirements with MINIMAL effort?
A. Install and use an OS-native patching service to manage the update frequency and release approval for all instances.
Use AWS Config to verify the OS state on each instance and report on any patch compliance issues.
B. Use AWS Systems Manager on all instances to manage to patch. Test patches outside of production and then
deploy during a maintenance window with the appropriate approval.
C. Use AWS OpsWorks for Chef Automate to run a set of scripts that will iterate through all instances of a given type.
Issue the appropriate OS command to get and install updates on each instance, including any required restarts during
the maintenance window.
D. Migrate all applications to AWS OpsWorks and use OpsWorks automatic patching support to keep the OS up-to-date
following the initial installation. Use AWS Config to provide audit and compliance reporting.
Correct Answer: B
Only Systems Manager can patch both OS effectively on AWS and on-premise.
QUESTION 6
An AWS customer is deploying an application mat is composed of an AutoScaling group of EC2 Instances.
The customer’s security policy requires that every outbound connection from these instances to any other service within
the customer’s Virtual Private Cloud must be authenticated using a unique x 509 certificate that contains the specific
instance-id.
In addition, an x 509 certificates must be Designed by the customer\\’s Key management service in order to be trusted for
authentication.
Which of the following configurations will support these requirements?
A. Configure an IAM Role that grants access to an Amazon S3 object containing a signed certificate and configure the
Auto Scaling group to launch instances with this role. Have the instances bootstrap get the certificate from Amazon S3
upon first boot.
B. Embed a certificate into the Amazon Machine Image that is used by the Auto Scaling group. Have the launched
instances generate a certificate signature request with the instance\\’s assigned instance-id to the key management
service for signature.
C. Configure the Auto Scaling group to send an SNS notification of the launch of a new instance to the trusted key
management service. Have the Key management service generate a signed certificate and send it directly to the newly
launched instance.
D. Configure the launched instances to generate a new certificate upon first boot. Have the Key management service
poll the Auto Scaling group for associated instances and send new instances a certificate signature (hat contains the
specific instance-id.
Correct Answer: A
QUESTION 7
A company is migrating its on-premises systems to AWS. The user environment consists of the following systems:
1.
Windows and Linux virtual machines running on VMware.
2.
Physical servers running Red Hat Enterprise Linux.
The company wants to be able to perform the following steps before migrating to AWS:
1.
Identify dependencies between on-premises systems.
2.
Group systems together into applications to build migration plans.
3.
Review performance data using Amazon Athena to ensure that Amazon EC2 instances are right-sized.
How can these requirements be met?
A. Populate the AWS Application Discovery Service import template with information from an on-premises configuration
management database (CMDB). Upload the completed import template to Amazon S3, then import the data into
Application Discovery Service.
B. Install the AWS Application Discovery Service Discovery Agent on each of the on-premises systems. Allow the
Discovery Agent to collect data for a period of time.
C. Install the AWS Application Discovery Service Discovery Connector on each of the on-premises systems and in
VMware vCenter. Allow the Discovery Connector to collect data for one week.
D. Install the AWS Application Discovery Service Discovery Agent on the physical on-pre-map servers. Install the AWS
Application Discovery Service Discovery Connector in VMware vCenter. Allow the Discovery Agent to collect data for a
period of time.
Correct Answer: C
QUESTION 8
A web company is looking to implement an intrusion detection and prevention system into its deployed VPC. This platform should have the ability to scale to thousands of instances running inside of the VPC.
How should they architect their solution to achieve these goals?
A. Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode
packet sniffing to see traffic across the VPC.
B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the
scalable virtualized IDS/IPS platform resides.
C. Configure servers running in the VPC using the host-based \\’ route\\’ commands to send all traffic through the
platform to a scalable virtualized IDS/IPS.
D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for
inspection.
Correct Answer: D
QUESTION 9
A 3-Ber e-commerce web application is currently deployed on-premises and will be migrated to AWS for greater
scalability and elasticity. The web tier currently shares read-only data using a network distributed file system. The app
server tier uses a clustering mechanism for discovery and shared session state that depends on IP multicast. The
database tier uses shared-storage clustering to provide database failover capability and uses several read slaves for
scaling. Data on all servers and the distributed file system directory is backed up weekly to off-site tapes.
Which AWS storage and database architecture meets the requirements of the application?
A. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state
using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more read
replicas. Backup: web servers, app servers, and database backed up weekly to Glacier using snapshots.
B. Web servers: store read-only data in an EC2 NFS server mount to each web server at boot time. App servers: share
state using a combination of DynamoDB and IP multicast. Database: use RDS with multi-AZ deployment and one or
more Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB
snapshots.
C. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time. App servers: share state
using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment and one or more
Read Replicas. Backup: web and app servers backed up weekly via AMIs, database backed up via DB snapshots.
D. Web servers: store read-only data in S3, and copy from S3 to root volume at boot time App servers: share state
using a combination of DynamoDB and IP unicast. Database: use RDS with multi-AZ deployment. Backup: web and app
servers backed up weekly via AMIs, database backed up via DB snapshots.
Correct Answer: A
Amazon Glacier doesn\\’t suit all storage situations. Listed following are a few storage needs for which you should
consider other AWS storage options instead of Amazon Glacier. Data that must be updated very frequently might be
better
served by a storage solution with lower read/write latencies, such as Amazon EBS, Amazon RDS, Amazon DynamoDB,
or relational databases running on EC2.
Reference:
https://d0.awsstatic.com/whitepapers/Storage/AWS%20Storage%20Services%20Whitepaper-v9.pdf
QUESTION 10
After setting an AWS Direct Connect, which of the following cannot be done with an AWS Direct Connect Virtual
Interface?
A. You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways
(VGWs) if you have more than one virtual interface.
B. You can change the region of your virtual interface.
C. You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
D. You can create a hosted virtual interface.
Correct Answer: A
You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual
interface to connect to public resources or a private virtual interface to connect to your VPC. Also, it is possible to
configure multiple virtual interfaces on a single AWS Direct Connect connection, and you\\’ll need one private virtual
interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key.
To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for
that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public
resources or a VPC.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
QUESTION 11
You want to use Amazon Redshift and you are planning to deploy dw1.8xlarge nodes. What is the minimum amount of
nodes that you need to deploy with this kind of configuration?
A. 1
B. 4
C. 3
D. 2
Correct Answer: D
For a single-node configuration in Amazon Redshift, the only option available is the smallest of the two options. The 8XL
extra-large nodes are only available in a multi-node configuration.
Reference: http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-clusters.html
QUESTION 12
Which of the following is true of an instance profile when an IAM role is created using the console?
A. The instance profile uses a different name.
B. The console gives the instance profile the same name as the role it corresponds to.
C. The instance profile should be created manually by a user.
D. The console creates the role and instance profile as separate actions.
Correct Answer: B
Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the console,
the console creates an instance profile automatically and gives it the same name as the role it corresponds to. If you
use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions,
and you might give them different names.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html
QUESTION 13
A healthcare company runs a production workload on AWS that stores highly sensitive personal information. The
security team mandates that, for auditing purposes, any AWS API action using AWS account root user credentials must
automatically create a high-priority ticket in the company\\’s ticketing system. The ticketing system has a monthly 3-hour
maintenance window when no tickets can be created.
To meet security requirements, the company enabled AWS CloudTrail logs and wrote a scheduled AWS Lambda
function that uses Amazon Athena to query API actions performed by the root user. The Lambda function submits any
actions found to the ticketing system API. During a recent security audit, the security team discovered that several
tickets were not created because the ticketing system was unavailable due to planned maintenance.
Which combination of steps should a solutions architect take to ensure that the incidents are reported to the ticketing
system even during planned maintenance? (Choose two.)
A. Create an Amazon SNS topic to which Amazon CloudWatch alarms will be published. Configure a CloudWatch alarm
to invoke the Lambda function.
B. Create an Amazon SQS queue to which Amazon CloudWatch alarms will be published. Configure a CloudWatch
alarm to publish to the SQS queue.
C. Modify the Lambda function to be triggered by messages published to an Amazon SNS topic. Update the existing
application code to retry every 5 minutes if the ticketing system\\’s API endpoint is unavailable.
D. Modify the Lambda function to be triggered when there are messages in the Amazon SQS queue and to return
successfully when the ticketing system API has processed the request.
E. Create an Amazon EventBridge rule that triggers on all API events where the invoking user identity is root. Configure
the EventBridge rule to write the event to an Amazon SQS queue.
Correct Answer: BD
latest updated Amazon SAP-C01 exam questions from the Lead4Pass SAP-C01 dumps! 100% pass the SAP-C01 exam!
Download Lead4Pass SAP-C01 VCE and PDF dumps: https://www.leads4pass.com/aws-solution-architect-professional.html (Q&As: 684 dumps)
Get free Amazon SAP-C01 dumps PDF online: https://drive.google.com/file/d/1hGM4QvNzLiC8NnOb66vga0X5SbJOYSlD/