AWS Certified Solutions Architect - Professional (SAP-C01)


Question 7

A company runs an IoT platform on AWS. IoT sensors in various locations send data to the company's Node.js API servers on Amazon EC2 instances running behind an Application Load Balancer. The data is stored in an Amazon RDS MySQL DB instance that uses a 4 TB General Purpose SSD volume.

The number of sensors the company has deployed in the field has increased over time and is expected to grow significantly. The API servers are consistently overloaded and RDS metrics show high write latency.

Which of the following steps together will resolve the issues permanently and enable growth as new sensors are provisioned, while keeping this platform cost-efficient? (Select TWO.)


  • Resize the MySQL General Purpose SSD storage to 6 TB to improve the volume's IOPS

  • Re-architect the database tier to use Amazon Aurora instead of an RDS MySQL DB instance and add read replicas

  • Leverage Amazon Kinesis Data Streams and AWS Lambda to ingest and process the raw data

  • Use AWS X-Ray to analyze and debug application issues and add more API servers to match the load

  • Re-architect the database tier to use Amazon DynamoDB instead of an RDS MySQL DB instance

Question 8

A company is using multiple AWS accounts. The company has a shared services account and several other accounts for different projects.

A team has a VPC in a project account. The team wants to connect this VPC to a corporate network through an AWS Direct Connect gateway that exists in the shared services account. The team wants to automatically perform a virtual private gateway association with the Direct Connect gateway by using an already-tested AWS Lambda function while deploying its VPC networking stack. The Lambda function code can assume a role by using AWS Security Token Service (AWS STS). The team is using AWS CloudFormation to deploy its infrastructure.

Which combination of steps will meet these requirements? (Select THREE.)


  • Deploy the Lambda function to the project account. Update the Lambda function's IAM role with the directconnect:* permission.

  • Create a cross-account IAM role in the shared services account that grants the Lambda function the directconnect:* permission. Add the sts:AssumeRole permission to the IAM role that is associated with the Lambda function in the shared services account.

  • Add a custom resource to the CloudFormation networking stack that references the Lambda function in the project account.

  • Deploy the Lambda function that is performing the association to the shared services account. Update the Lambda function's IAM role with the directconnect:* permission.

  • Create a cross-account IAM role in the shared services account that grants the sts:AssumeRole permission to the Lambda function with the directconnect:* permission acting as a resource. Add the sts:AssumeRole permission with this cross-account IAM role as a resource to the IAM role that belongs to the Lambda function in the project account.

  • Add a custom resource to the CloudFormation networking stack that references the Lambda function in the shared services account.

Question 9

During a security audit of a Service team’s application, a Solutions Architect discovers that a username and password for an Amazon RDS database and a set of AWS IAM user credentials can be viewed in the AWS Lambda function code. The Lambda function uses the username and password to run queries on the database, and it uses the IAM credentials to call AWS services in a separate management account.

The Solutions Architect is concerned that the credentials could grant inappropriate access to anyone who can view the Lambda code. The management account and the Service team’s account are in separate AWS Organizations organizational units (OUs).

Which combination of changes should the Solutions Architect make to improve the solution’s security? (Choose two.)


  • Configure Lambda to assume a role in the management account with appropriate access to AWS.

  • Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.

  • Create a Lambda function to rotate the credentials every hour by deploying a new Lambda version with the updated credentials.

  • Use an SCP on the management account’s OU to prevent IAM users from accessing resources in the Service team’s account.

  • Enable AWS Shield Advanced on the management account to shield sensitive resources from unauthorized IAM access.