Amazon Web Services edusum aws Certified Professional Changed Sap-c02 Questions by Lowen q42 vce pdf

Page: 29 / 42

Exam Name:	AWS Certified Solutions Architect - Professional
Exam Code:	SAP-C02 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Professional
Questions:	569 Q&A's	Shared By:	lowen

Question 116

A company built an application based on AWS Lambda deployed in an AWS CloudFormation stack. The last production release of the web application introduced an issue that resulted in an outage lasting several minutes. A solutions architect must adjust the deployment process to support a canary release.

Which solution will meet these requirements?

Options:

Create an alias for every new deployed version of the Lambda function. Use the AWS CLIupdate-alias command with the routing-config parameter to distribute the load.

Deploy the application into a new CloudFormation stack. Use an Amazon Route 53 weighted routing policy to distribute the load.

Create a version for every new deployed Lambda function. Use the AWS CLI update-function-configuration command with the routing-config parameter to distribute the load.

Configure AWS CodeDeploy and use CodeDeployDefault.OneAtATime in the Deployment configuration to distribute the load.

Discussion

Atlas

What are these Dumps? Would anybody please explain it to me.

Reign Sep 22, 2025

These are exam dumps for a variety of IT certifications. They have a vast collection of updated questions and answers, which are very helpful in preparing for the exams.

Zayaan

Successfully aced the exam… Thanks a lot for providing amazing Exam Dumps.

Harmony Sep 16, 2025

That's fantastic! I'm glad to hear that their dumps helped you. I also used them and found it accurate.

Honey

I highly recommend it. They made a big difference for me and I'm sure they'll help you too. Just make sure to use them wisely and not solely rely on them. They should be used as a supplement to your regular studies.

Antoni Sep 16, 2025

Good point. Thanks for the advice. I'll definitely keep that in mind.

Kingsley

Do anyone guide my how these dumps would be helpful for new students like me?

Haris Sep 25, 2025

Absolutely! They are highly recommended for anyone looking to pass their certification exam. The dumps are easy to understand and follow, making it easier for you to study and retain the information.

Question 117

A company is changing the way that it handles patching of Amazon EC2 instances in its application account. The company currently patches instances over the internet by using a NAT gateway in a VPC in the application account. The company has EC2 instances set up as a patch source repository in a dedicated private VPC in a core account. The company wants to use AWS Systems Manager Patch Manager and the patch source repository in the core account to patch the EC2 instances in the application account. The company must prevent all EC2 instances in the application account from accessing the internet. The EC2 instances in the application account need to access Amazon S3, where the application data is stored. These EC2 instances need connectivity to Systems Manager and to the patch source repository in the private VPC in the core account. Which solution will meet these requirements?

Options:

Create a network ACL that blocks outbound traffic on port 80. Associate the network ACL with all subnets in the application account. In the application account and the core account, deploy one EC2 instance that runs a custom VPN server. Create a VPN tunnel to access the private VPC. Update the route table in the application account.

Create private VIFs for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route table in the core account.

Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.

Create a network ACL that blocks inbound traffic on port 80. Associate the network ACL with all subnets in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.

Discussion

Answer:

Explanation:

Option C is the correct and most efficient solution, aligning with AWS best practices for secure and private connectivity:

Create VPC Endpoints for Systems Manager and Amazon S3:

Systems Manager VPC Endpoints: By creating interface VPC endpoints for Systems Manager (com.amazonaws.region.ssm, com.amazonaws.region.ec2messages, and com.amazonaws.region.ssmmessages), the EC2 instances can communicate with Systems Manager services without requiring internet access. This setup ensures that patching operations can be conducted securely within the AWS network.

Amazon S3 VPC Endpoint: A gateway VPC endpoint for Amazon S3 (com.amazonaws.region.s3) allows EC2 instances to access S3 buckets privately. This is essential for accessing application data stored in S3 without traversing the public internet.

[Reference: docs.aws.amazon.com, Delete the NAT Gateway:, Removing the NAT gateway ensures that EC2 instances in the application account cannot access the internet, satisfying the requirement to prevent internet access. This action enhances the security posture by eliminating a potential vector for unauthorized outbound traffic., Create a VPC Peering Connection:, Establishing a VPC peering connection between the application account's VPC and the core account's private VPC enables direct, private communication between the EC2 instances in both accounts. This setup allows the application account's EC2 instances to access the patch source repository hosted in the core account securely., Reference: docs.aws.amazon.com, Update Route Tables in Both Accounts:, After setting up the VPC peering connection, it's crucial to update the route tables in both VPCs to allow traffic to flow between them. This configuration ensures that the EC2 instances in the application account can reach the patch source repository in the core account and vice versa., Why Other Options Are Incorrect:, Option A: Implementing a custom VPN solution introduces unnecessary complexity and operational overhead. Additionally, merely blocking outbound traffic on port 80 does not comprehensively prevent internet access, as other ports (e.g., 443 for HTTPS) remain open., Option B: Creating private virtual interfaces (VIFs) is typically associated with AWS Direct Connect, which is not applicable in this scenario. Moreover, using a transit gateway, while feasible, is more complex and may be unnecessary for this use case., Option D: Blocking inbound traffic on port 80 does not prevent outbound internet access. Furthermore, employing a transit gateway adds complexity and cost, which may not be justified given the requirements., Conclusion:, Option C provides a secure, efficient, and cost-effective solution that meets all the specified requirements:, Prevents EC2 instances from accessing the internet., Enables access to Amazon S3 and Systems Manager services via VPC endpoints., Facilitates secure communication with the patch source repository in the core account through VPC peering., This approach leverages AWS's native networking features to maintain a secure and private environment for patch management operations., ]

Question 118

A Solutions Architect wants to make sure that only AWS users or roles with suitable permissions can access a new Amazon API Gateway endpoint. The Solutions

Architect wants an end-to-end view of each request to analyze the latency of the request and create service maps.

How can the Solutions Architect design the API Gateway access control and perform request inspections?

Options:

For the API Gateway method, set the authorization to AWS_IAM. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Enable the API caller to sign requests with AWS Signature when accessing the endpoint. Use AWS X-Ray to trace and analyze user requests to API Gateway.

For the API Gateway resource, set CORS to enabled and only return the company's domain in Access-Control-Allow-Origin headers. Then, give the IAM user or role execute-api:Invoke permission on the REST API resource. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.

Create an AWS Lambda function as the custom authorizer, ask the API client to pass the key and secret when making the call, and then use Lambda to validate the key/secret pair against the IAM system. Use AWS X-Ray to trace and analyze user requests to API Gateway.

Create a client certificate for API Gateway. Distribute the certificate to the AWS users and roles that need to access the endpoint. Enable the API caller to pass the client certificate when accessing the endpoint. Use Amazon CloudWatch to trace and analyze user requests to API Gateway.

Discussion

Question 119

A company recently wanted a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However. the company requires that the web application must be accessible only by using the CloudFront endpoint.

Which solution will meet this requirement with the LEAST amount of effort?

Options:

Create a new security group and attach it to the CloudFront distribution. Update the ALB security group ingress to allow access only from the CloudFront security group.

Update ALB security group ingress to allow access only from the CloudFront managed prefix list.

Create a VPC interface endpoint for Elastic Load Balancing. Update the ALB scheme from internet-facing to internal_

Extract CloudFront IPS from the AWS provided ip-ranges.json document. Update ALB security group ingress to allow access only from CloudFront IPs.