AWS SAP-C02 Free Practice Questions — Page 3

Solutions Architect Professional • 5 questions • Answers & explanations included

Question 11

A company has many AWS accounts and uses AWS Organizations to manage all of them. A solutions architect must implement a solution that the company can use to share a common network across multiple accounts. The company’s infrastructure team has a dedicated infrastructure account that has a VPC. The infrastructure team must use this account to manage the network. Individual accounts cannot have the ability to manage their own networks. However, individual accounts must be able to create AWS resources within subnets. Which combination of actions should the solutions architect perform to meet these requirements? (Choose two.)

A. Create a transit gateway in the infrastructure account.
B. Enable resource sharing from the AWS Organizations management account.
C. Create VPCs in each AWS account within the organization in AWS Organizations. Configure the VPCs to share the same CIDR range and subnets as the VPC in the infrastructure account. Peer the VPCs in each individual account with the VPC in the infrastructure account.
D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.
E. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each prefix list to associate with the resource share.

Correct Answers: B. Enable resource sharing from the AWS Organizations management account.; D. Create a resource share in AWS Resource Access Manager in the infrastructure account. Select the specific AWS Organizations OU that will use the shared network. Select each subnet to associate with the resource share.

Option B is required to enable AWS Resource Access Manager (RAM) sharing from the AWS Organizations management account - this is a prerequisite for sharing resources across accounts in an organization. Option D creates a resource share in RAM within the infrastructure account and shares specific subnets with the designated OU, allowing other accounts to launch resources in those shared subnets while the infrastructure account maintains network control. This meets the requirement that individual accounts cannot manage their own networks but can create resources within subnets. Option A is incorrect because Transit Gateway is for connecting multiple VPCs, but the requirement is to share a single VPC's network. Option C is incorrect because it creates separate VPCs in each account (violating the "share a common network" requirement) and VPC peering doesn't allow sharing of subnets for resource creation. Option E is incorrect because you share subnets, not prefix lists - prefix lists are used for routing and security group rules, not for sharing network infrastructure.
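As an added example (not part of the practice page), the two correct steps expressed in boto3 terms: the management-account check before `enable_sharing_with_aws_organization`, then the `create_resource_share` call from the infrastructure account with the subnets as resources and the OU as principal. The region, account ids, organization id, OU id and subnet ids are constructed assumptions, and the fake clients stand in for boto3 so the flow runs offline.

```python
"""Share the infrastructure account's subnets with an OU through AWS RAM.
Added example: identifiers below are constructed, fake clients replace boto3."""

REGION = "us-east-1"
INFRA_ACCOUNT = "111111111111"          # account that owns the VPC (assumed)
ORG_ID = "o-exampleorg1"                # organization id (assumed)
OU_ID = "ou-root-workloads1"            # OU that may use the network (assumed)
SUBNET_IDS = ["subnet-0a1b2c3d4e5f60001", "subnet-0a1b2c3d4e5f60002"]


def subnet_arn(region, account_id, subnet_id):
    """RAM shares subnets by ARN, not by id."""
    return f"arn:aws:ec2:{region}:{account_id}:subnet/{subnet_id}"


def ou_arn(management_account_id, org_id, ou_id):
    """Principal ARN of an OU; using it requires organization sharing to be enabled."""
    return f"arn:aws:organizations::{management_account_id}:ou/{org_id}/{ou_id}"


def enable_org_sharing(ram, sts, organizations):
    """Step B: only valid from the management account, so check before calling."""
    caller = sts.get_caller_identity()["Account"]
    mgmt = organizations.describe_organization()["Organization"]["MasterAccountId"]
    if caller != mgmt:
        raise PermissionError(f"enable sharing from management account {mgmt}, not {caller}")
    ram.enable_sharing_with_aws_organization()
    return mgmt


def build_subnet_share(name, subnet_arns, principal_arns):
    """Step D: create_resource_share parameters. allowExternalPrincipals=False keeps
    the share inside the organization; the VPC, route tables and NACLs stay with
    the infrastructure account, consumers only get to launch into the subnets."""
    return {
        "name": name,
        "resourceArns": list(subnet_arns),
        "principals": list(principal_arns),
        "allowExternalPrincipals": False,
    }


def share_common_network(ram, management_account_id):
    """Run from the infrastructure account after step B has been done."""
    params = build_subnet_share(
        "infra-shared-subnets",
        [subnet_arn(REGION, INFRA_ACCOUNT, s) for s in SUBNET_IDS],
        [ou_arn(management_account_id, ORG_ID, OU_ID)],
    )
    return ram.create_resource_share(**params)


class FakeRAM:
    """Constructed stand-in for boto3.client('ram'); enforces the B-before-D ordering."""
    def __init__(self):
        self.org_sharing_enabled = False
        self.shares = []

    def enable_sharing_with_aws_organization(self):
        self.org_sharing_enabled = True
        return {"returnValue": True}

    def create_resource_share(self, **params):
        if any(":organizations::" in p for p in params["principals"]) and not self.org_sharing_enabled:
            raise RuntimeError("OU principals need enable_sharing_with_aws_organization first")
        self.shares.append(params)
        return {"resourceShare": {"name": params["name"], "status": "ACTIVE"}}


class FakeSTS:
    """Constructed stand-in returning a fixed caller account."""
    def __init__(self, account):
        self._account = account

    def get_caller_identity(self):
        return {"Account": self._account}


class FakeOrganizations:
    """Constructed stand-in returning a fixed management account."""
    def __init__(self, management_account):
        self._mgmt = management_account

    def describe_organization(self):
        return {"Organization": {"Id": ORG_ID, "MasterAccountId": self._mgmt}}
```

With real clients, `enable_org_sharing` runs with management-account credentials and `share_common_network` with infrastructure-account credentials; the fakes simply let one process exercise both steps and show that the share is rejected when the order is reversed.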

Question 12

A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC. The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company's VPC. All permissions must conform to the principles of least privilege. Which solution meets these requirements?

A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
C. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.

Correct Answer: A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

AWS PrivateLink interface VPC endpoint allows the company to privately access the third-party SaaS application without traversing the internet. The company creates the interface endpoint in their VPC, which connects to the endpoint service that the third-party provider has already set up. The security group limits access according to least privilege principles. This is the correct direction - the consumer creates the interface endpoint to connect to the provider's endpoint service. Option B is incorrect because Site-to-Site VPN requires configuration on both sides and doesn't align with the SaaS consumption model. Option C is incorrect because VPC peering requires both parties to manage routing and doesn't provide the same level of isolation as PrivateLink. Option D is incorrect because it has the roles reversed - the third-party SaaS provider should create the endpoint service, and the company creates the interface endpoint to consume it.
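The consumer-side build described above, as an added example that is not part of the practice page: the endpoint security group gets a single group-to-group ingress rule, a check rejects any CIDR-based rule, and the `create_vpc_endpoint` parameters are assembled with the provider's service name validated. The VPC, subnet and security-group ids and the `vpce-svc-` service name are constructed assumptions; `FakeEC2` stands in for `boto3.client("ec2")` so the code runs offline.

```python
"""Consumer side of a PrivateLink connection to a third-party endpoint service.
Added example: ids below are constructed; FakeEC2 replaces the real client."""
import re

VPC_ID = "vpc-0abc123def4560000"
SUBNET_IDS = ["subnet-0abc123def4560001", "subnet-0abc123def4560002"]
APP_SG_ID = "sg-0app0000000000001"       # security group of the application tier (assumed)
ENDPOINT_SG_ID = "sg-0vpce000000000001"  # security group attached to the endpoint ENIs (assumed)
# Endpoint service names for third-party providers take this form; the id is assumed.
SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.[a-z0-9-]+\.vpce-svc-[0-9a-f]+$")


def endpoint_sg_ingress(endpoint_sg_id, source_sg_id, port=443):
    """Allow only the application tier's security group to reach the endpoint on HTTPS.
    Referencing a source security group rather than a CIDR keeps the rule scoped to
    the consuming workload; the endpoint ENIs are never reachable from outside the VPC."""
    return {
        "GroupId": endpoint_sg_id,
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg_id}],
        }],
    }


def check_least_privilege(ingress):
    """Reject rules that open the endpoint to address ranges instead of a source group."""
    for perm in ingress["IpPermissions"]:
        if perm.get("IpRanges") or perm.get("Ipv6Ranges"):
            raise ValueError("endpoint security group must not allow CIDR-based ingress")
        if not perm.get("UserIdGroupPairs"):
            raise ValueError("rule must reference a source security group")
    return True


def build_interface_endpoint(vpc_id, service_name, subnet_ids, sg_ids):
    """Parameters for ec2.create_vpc_endpoint on the consumer side. The provider's
    service name is checked so a typo cannot quietly attach to a different service."""
    if not SERVICE_NAME_RE.match(service_name):
        raise ValueError(f"unexpected endpoint service name: {service_name}")
    return {
        "VpcId": vpc_id,
        "ServiceName": service_name,
        "VpcEndpointType": "Interface",
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": list(sg_ids),
        "PrivateDnsEnabled": False,  # enable only once the provider has verified a private DNS name
    }


def provision(ec2):
    """Create the scoped ingress rule, then the interface endpoint; returns the endpoint."""
    ingress = endpoint_sg_ingress(ENDPOINT_SG_ID, APP_SG_ID)
    check_least_privilege(ingress)
    ec2.authorize_security_group_ingress(**ingress)
    params = build_interface_endpoint(VPC_ID, SERVICE_NAME, SUBNET_IDS, [ENDPOINT_SG_ID])
    return ec2.create_vpc_endpoint(**params)["VpcEndpoint"]


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') that records the two calls."""
    def __init__(self):
        self.ingress, self.endpoints = [], []

    def authorize_security_group_ingress(self, **params):
        self.ingress.append(params)
        return {"Return": True}

    def create_vpc_endpoint(self, **params):
        # A provider service that requires acceptance leaves the endpoint in pendingAcceptance.
        endpoint = {"VpcEndpointId": f"vpce-{len(self.endpoints) + 1:017x}",
                    "State": "pendingAcceptance", **params}
        self.endpoints.append(endpoint)
        return {"VpcEndpoint": endpoint}
```

Until the provider accepts the connection request (or has acceptance disabled on the service), the endpoint stays in `pendingAcceptance`; the application tier can then reach the SaaS API through the endpoint's private DNS or ENI addresses, and nothing in the provider's VPC can initiate connections back into the company VPC.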

Question 13

A company needs to implement a patching process for its servers. The on-premises servers and Amazon EC2 instances use a variety of tools to perform patching. Management requires a single report showing the patch status of all the servers and instances. Which set of actions should a solutions architect take to meet these requirements?

A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports.
B. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use Amazon QuickSight integration with OpsWorks to generate patch compliance reports.
C. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to apply patches by scheduling an AWS Systems Manager patch remediation job. Use Amazon Inspector to generate patch compliance reports.
D. Use AWS OpsWorks to manage patches on the on-premises servers and EC2 instances. Use AWS X-Ray to post the patch status to AWS Systems Manager OpsCenter to generate patch compliance reports.

Correct Answer: A. Use AWS Systems Manager to manage patches on the on-premises servers and EC2 instances. Use Systems Manager to generate patch compliance reports.

AWS Systems Manager Patch Manager provides unified patch management for both on-premises servers and EC2 instances through a single service. It supports multiple operating systems, can manage hybrid environments via the Systems Manager agent, and generates comprehensive patch compliance reports showing the status of all managed instances in a single dashboard. This directly meets the requirement for a single report across all servers. Option B is incorrect because OpsWorks is primarily a configuration management service, not designed for patch management, and QuickSight integration doesn't provide native patch compliance reporting. Option C is incorrect because EventBridge with patch remediation doesn't provide the comprehensive reporting needed, and Amazon Inspector is for vulnerability assessments, not patch compliance reporting. Option D is incorrect because OpsWorks doesn't manage patches, and X-Ray is for application tracing, not patch management.

Question 14

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances. Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?

A. Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.
B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.
C. Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge (CloudWatch Events) rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.
D. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.

Correct Answer: B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.

This solution uses Auto Scaling lifecycle hooks to intercept the termination process, putting the instance in a "Terminating:Wait" state. When EventBridge detects the autoscaling:EC2_INSTANCE_TERMINATING event, it triggers a Lambda function that uses Systems Manager SendCommand to execute the document/script that copies log files to S3. After the logs are copied, the Lambda sends CONTINUE to the Auto Scaling group, allowing the instance to terminate gracefully. This is the proper pattern for ensuring data is saved before termination. Option A is incorrect because sending ABANDON prevents termination indefinitely and then manually terminating via SDK bypasses Auto Scaling's lifecycle management. Option C is incorrect because user data only runs at instance launch, not termination, and EventBridge detecting termination happens too late. Option D is incorrect because SNS notification adds unnecessary complexity, and sending ABANDON (rather than CONTINUE) after copying logs would prevent proper termination.
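The pattern described above as an added example (not code from the practice page): a Lambda handler that takes the EventBridge lifecycle event, runs the Systems Manager document against only the terminating instance with `send_command`, polls `get_command_invocation` until the run finishes, and then completes the hook with `CONTINUE`. The document name, its `bucket` parameter, the environment variable names and the sample event values are assumptions; the fake clients are constructed so the flow runs offline.

```python
"""Lifecycle-hook Lambda: copy logs via SSM, then CONTINUE the termination.
Added example: document/parameter/env names are assumed; fake clients replace boto3."""
import os
import time

TERMINATING = "autoscaling:EC2_INSTANCE_TERMINATING"
IN_FLIGHT = {"Pending", "InProgress", "Delayed"}

# Constructed sample event in the shape EventBridge delivers for an
# "EC2 Instance-terminate Lifecycle Action" from Auto Scaling.
SAMPLE_EVENT = {
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {
        "LifecycleActionToken": "11111111-2222-3333-4444-555555555555",
        "AutoScalingGroupName": "app-asg",
        "LifecycleHookName": "copy-logs-on-terminate",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": TERMINATING,
    },
}


def send_command_params(detail, document_name, bucket):
    """Target only the instance named in the hook event, never the whole group."""
    return {
        "InstanceIds": [detail["EC2InstanceId"]],
        "DocumentName": document_name,
        "Parameters": {"bucket": [bucket]},  # assumed parameter of the SSM document
        "TimeoutSeconds": 600,
    }


def wait_for_command(ssm, command_id, instance_id, sleep, max_polls=60):
    """Poll get_command_invocation until the run leaves an in-flight status."""
    for _ in range(max_polls):
        status = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)["Status"]
        if status not in IN_FLIGHT:
            return status
        sleep(5)
    return "TimedOut"


def drain_logs_and_continue(event, ssm, autoscaling, document_name, bucket, sleep=time.sleep):
    """Run the copy document, then release the instance from Terminating:Wait."""
    detail = event["detail"]
    if detail.get("LifecycleTransition") != TERMINATING:
        return {"action": "ignored"}
    cmd = ssm.send_command(**send_command_params(detail, document_name, bucket))
    status = wait_for_command(ssm, cmd["Command"]["CommandId"], detail["EC2InstanceId"], sleep)
    # CONTINUE is sent whatever the copy result, so the instance does not sit in
    # Terminating:Wait until the hook's heartbeat timeout; a failed copy is returned
    # so the caller can log and alarm on it.
    autoscaling.complete_lifecycle_action(
        AutoScalingGroupName=detail["AutoScalingGroupName"],
        LifecycleHookName=detail["LifecycleHookName"],
        LifecycleActionToken=detail["LifecycleActionToken"],
        LifecycleActionResult="CONTINUE",
    )
    return {"action": "CONTINUE", "instance": detail["EC2InstanceId"], "copy_status": status}


def lambda_handler(event, context):
    import boto3  # imported lazily so the module loads where boto3 is not installed
    return drain_logs_and_continue(event, boto3.client("ssm"), boto3.client("autoscaling"),
                                   os.environ["LOG_COPY_DOCUMENT"], os.environ["LOG_BUCKET"])


class FakeSSM:
    """Constructed stand-in for the SSM client: one in-flight poll, then a final status."""
    def __init__(self, final_status="Success"):
        self.sent, self._statuses = [], ["InProgress", final_status]

    def send_command(self, **params):
        self.sent.append(params)
        return {"Command": {"CommandId": "c0000000-0000-0000-0000-000000000001"}}

    def get_command_invocation(self, CommandId, InstanceId):
        return {"Status": self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]}


class FakeAutoScaling:
    """Constructed stand-in that records complete_lifecycle_action calls."""
    def __init__(self):
        self.completed = []

    def complete_lifecycle_action(self, **params):
        self.completed.append(params)
        return {}
```

The hook's heartbeat timeout and the Lambda timeout both bound how long the copy may take; the Lambda's execution role needs only `ssm:SendCommand` on the document and instances, `ssm:GetCommandInvocation`, and `autoscaling:CompleteLifecycleAction` on the group.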

Question 15

A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company's applications and databases are running in Account B. A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53. During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53. Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)

A. Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance's private IP in the private hosted zone.
B. Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
C. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.
D. Create a private hosted zone for the example.com domain in Account B. Configure Route 53 replication between AWS accounts.
E. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.

Correct Answers: C. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.; E. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.

For cross-account Route 53 private hosted zone resolution, you need a two-step process: Option C creates an authorization in Account A to allow the private hosted zone to be associated with VPCs in Account B - this is the first step that grants permission. Option E completes the process by associating the new VPC in Account B with the hosted zone in Account A, then deleting the authorization (which is no longer needed after association). This allows EC2 instances in Account B's VPC to resolve DNS records from Account A's private hosted zone. Option A is incorrect because it changes the architecture unnecessarily. Option B is incorrect because manually editing /etc/resolv.conf is not a scalable or proper solution and would need to be updated if the RDS endpoint changes. Option D is incorrect because Route 53 doesn't have cross-account replication - you use cross-account association instead.
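The authorize, associate, then delete-authorization sequence above, as an added example that is not from the practice page: the three Route 53 calls are issued with the zone owner's client (Account A) and the consumer's client (Account B), and the result is verified with `list_hosted_zones_by_vpc` from Account B. The hosted zone id, account ids and VPC id are constructed; the in-memory `Route53Backend` and `FakeRoute53` model the ordering rule so the flow runs offline.

```python
"""Cross-account association of a private hosted zone with a VPC.
Added example: ids are constructed; the fake backend replaces boto3's route53 client."""


def associate_private_zone(route53_owner, route53_consumer, hosted_zone_id, vpc_region, vpc_id):
    """Account A authorizes, Account B associates, Account A cleans up the authorization.
    Returns the hosted zone ids now visible from the consumer VPC."""
    vpc = {"VPCRegion": vpc_region, "VPCId": vpc_id}
    # Step 1 (Account A): grant permission for this specific VPC only.
    route53_owner.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    # Step 2 (Account B): perform the association from the VPC's own account.
    route53_consumer.associate_vpc_with_hosted_zone(HostedZoneId=hosted_zone_id, VPC=vpc)
    # Step 3 (Account A): the authorization is single-use; the association outlives it.
    route53_owner.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    summaries = route53_consumer.list_hosted_zones_by_vpc(VPCId=vpc_id, VPCRegion=vpc_region)
    return [s["HostedZoneId"] for s in summaries["HostedZoneSummaries"]]


class Route53Backend:
    """Constructed in-memory model of the cross-account rules (offline stand-in for AWS)."""
    def __init__(self, zones):
        self.zones = zones              # {hosted_zone_id: owning account id}
        self.authorizations = set()
        self.associations = set()


class FakeRoute53:
    """Constructed stand-in for boto3.client('route53') bound to one account."""
    def __init__(self, backend, account):
        self.backend, self.account = backend, account

    @staticmethod
    def _key(zone_id, vpc):
        return (zone_id, vpc["VPCRegion"], vpc["VPCId"])

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        if self.backend.zones[HostedZoneId] != self.account:
            raise PermissionError("only the hosted zone owner can authorize an association")
        self.backend.authorizations.add(self._key(HostedZoneId, VPC))
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC):
        key = self._key(HostedZoneId, VPC)
        if self.backend.zones[HostedZoneId] != self.account and key not in self.backend.authorizations:
            raise PermissionError("NotAuthorizedException: zone owner has not authorized this VPC")
        self.backend.associations.add(key)
        return {"ChangeInfo": {"Status": "PENDING"}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.backend.authorizations.discard(self._key(HostedZoneId, VPC))
        return {}

    def list_hosted_zones_by_vpc(self, VPCId, VPCRegion):
        zone_ids = sorted(z for (z, r, v) in self.backend.associations if v == VPCId and r == VPCRegion)
        return {"HostedZoneSummaries": [
            {"HostedZoneId": z, "Owner": {"OwningAccount": self.backend.zones[z]}} for z in zone_ids
        ]}
```

Two checks a practitioner adds around this: the consumer VPC must have `enableDnsSupport` and `enableDnsHostnames` set, or the associated zone still will not resolve from the instance, and the Account A principal performing step 1 should be scoped to `route53:CreateVPCAssociationAuthorization` and `route53:DeleteVPCAssociationAuthorization` on that one hosted zone.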
