Download Amazon.SAP-C01.Pass4Sure.2019-05-18.257q.tqb

Vendor: Amazon
Exam Code: SAP-C01
Exam Name: AWS Certified Solutions Architect - Professional
Date: May 18, 2019
File Size: 3 MB

Demo Questions

Question 1
A customer is deploying an SSL enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators that are entitled to login to instances as well as making API calls and the security officers who will maintain and have exclusive access to the application’s X.509 certificate that contains the private key.
  A. Upload the certificate to an S3 bucket owned by the security officers and accessible only by the EC2 role of the web servers.
  B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.
  C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
  D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
Correct answer: D
Explanation:
You terminate SSL at the ELB, and the web request reaches the EC2 instance unencrypted. Even if the certificates are stored in S3, they have to be configured on the web servers or load balancers somehow, which becomes difficult if the keys are stored in S3. However, keeping the keys in the certificate store and using IAM to restrict access gives a clear separation of concerns between security officers and developers. Developers can still configure SSL on the ELB without actually handling the keys.
Question 2
A company is storing data on Amazon Simple Storage Service (S3). The company's security policy mandates that data is encrypted at rest.  
Which of the following methods can achieve this? (Choose 3)
  A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.
  B. Use Amazon S3 server-side encryption with customer-provided keys.
  C. Use Amazon S3 server-side encryption with EC2 key pair.
  D. Use Amazon S3 bucket policies to restrict access to the data at rest.
  E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.
  F. Use SSL to encrypt the data while in transit to Amazon S3.
Correct answer: ABE
Explanation:
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html
Question 3
Your firm has uploaded a large amount of aerial image data to S3. In the past, in your on-premises environment, you used a dedicated group of servers to batch process this data and used RabbitMQ, an open source messaging system, to get job information to the servers. Once processed, the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost.  
Which is correct?
  A. Use SQS for passing job messages; use CloudWatch alarms to terminate EC2 worker instances when they become idle. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
  B. Set up Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
  C. Set up Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SQS. Once data is processed, change the storage class of the S3 objects to Glacier.
  D. Use SNS to pass job messages; use CloudWatch alarms to terminate spot worker instances when they become idle. Once data is processed, change the storage class of the S3 object to Glacier.
Correct answer: C