AWS Certified Solutions Architect - Professional SAP-C02
A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts.
The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets.
Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)
Create a transit gateway in the infrastructure account.
Enable resource sharing from the AWS Organizations management account. Most Voted
Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share. Most Voted
Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC.
The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions must conform to the principles of least privilege.
Which solution meets these requirements?
Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint. Most Voted
Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.

A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching. Management requires a single report showing the patch status of all the servers and instances.
Which set of actions should a solutions architect take to meet these requirements?
Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports. Most Voted
Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use Amazon QuickSight integration with OpsWorks to generate patch compliance reports.
Use an Amazon EventBridge rule to apply patches by scheduling an AWS Systems Manager patch remediation job. Use Amazon Inspector to generate patch compliance reports.
Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use AWS X-Ray to post the patch status to AWS Systems Manager OpsCenter to generate patch compliance reports.

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.
Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?
Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.
Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance. Most Voted
Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.
Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.

A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company’s applications and databases are running in Account B.
A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)
Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance’s private IP in the private hosted zone.
Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B. Most Voted
Create a private hosted zone for the example.com domain in Account B. Configure Route 53 replication between AWS accounts.
Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A. Most Voted

