Text preview & study summary

AWS SAP-C02 SCS-C02 ANS-C01 - Professional Architecture Security Networking Specialty

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

An architect designs a multi-region active-active architecture for a globally distributed application. Database writes must be consistent across regions. Which AWS database service supports this?

Answer choices

  • A. RDS Multi-AZ

  • B. DynamoDB Global Tables with last-write-wins conflict resolution

  • C. Aurora Global Database with write forwarding (Correct)

  • D. ElastiCache Global Datastore

Explanation

Aurora Global Database supports multi-region deployments. With write forwarding enabled, applications in secondary regions can perform write operations which are automatically forwarded to the primary region for processing, providing a globally consistent write path. DynamoDB Global Tables provides multi-region active-active with eventual consistency (last-write-wins), suitable for many use cases but not for strict consistency requirements. RDS Multi-AZ is single-region only. ElastiCache Global Datastore provides Redis replication across regions but for caching, not primary database operations.

Question 2

A developer stores application secrets (database passwords, API keys) in AWS Secrets Manager. The application must automatically rotate the database password every 30 days. Which mechanism handles rotation?

Answer choices

  • A. Secrets Manager uses IAM policies to rotate credentials

  • B. Secrets Manager triggers a Lambda rotation function that updates the password in the database and the secret (Correct)

  • C. RDS automatically detects Secrets Manager and rotates the password

  • D. Secrets Manager emails the DBA to manually update the password

Explanation

Secrets Manager automatic rotation: when rotation is enabled for a secret, Secrets Manager calls a Lambda function (AWS-provided for RDS, Redshift, DocumentDB or custom for other systems) on the configured schedule. The Lambda function: (1) Creates a new password, (2) Updates the database (using the current password to authenticate and change it), (3) Updates the secret in Secrets Manager, (4) Verifies the new credentials work. Applications fetching secrets from Secrets Manager automatically get the new credentials after rotation. The rotation Lambda is the key component — it orchestrates the actual password change.

Question 3

An organization implements AWS Network Firewall to inspect all traffic entering their VPC from the internet. Where should the Network Firewall endpoint be deployed in the VPC architecture?

Answer choices

  • A. In the private subnet, between the application layer and database

  • B. In a dedicated firewall subnet, with route tables directing internet traffic through the firewall before reaching application subnets (Correct)

  • C. In the public subnet alongside the Internet Gateway

  • D. Deployed externally — Network Firewall is a cloud service, not deployed in VPC

Explanation

AWS Network Firewall architecture: (1) Create a dedicated firewall subnet in each AZ. (2) Deploy the Network Firewall endpoint in the firewall subnet. (3) Update route tables: the Internet Gateway's route table sends inbound traffic to the firewall endpoint. The firewall subnet's route table sends allowed traffic to the application subnets. This creates a "bump in the wire" for traffic inspection. The firewall inspects all traffic before it reaches application resources. Deploying in private subnets means internet traffic reaches applications before being inspected. Network Firewall does deploy as VPC endpoints.

Question 4

A company uses Amazon GuardDuty and receives a finding: `CryptoCurrency:EC2/BitcoinTool.B!DNS`. What does this finding indicate and what is the appropriate response?

Answer choices

  • A. Cryptocurrency software is using excessive CPU on the EC2 instance

  • B. An EC2 instance is making DNS queries associated with cryptocurrency mining pool domains — potentially indicating compromised instance running unauthorized cryptomining (Correct)

  • C. The EC2 instance is using an approved cryptocurrency payment API

  • D. GuardDuty has blocked the mining activity automatically

Explanation

GuardDuty `CryptoCurrency:EC2/BitcoinTool.B!DNS` finding indicates that an EC2 instance's DNS queries match patterns associated with cryptocurrency mining pools (BitcoinTool DNS infrastructure). This strongly suggests unauthorized cryptomining software is running on the instance — a common indicator of compromise where attackers deploy mining malware for financial gain. Response: (1) Isolate the instance, (2) Take forensic snapshot, (3) Investigate with CloudTrail, VPC Flow Logs, and instance logs. GuardDuty detects and alerts but does not automatically respond/block.

Question 5

A company uses Route 53 with a private hosted zone. An application needs to resolve on-premises DNS names while instances in the VPC also need to resolve Route 53 private zone records. Which feature enables bidirectional DNS resolution?

Answer choices

  • A. Route 53 Resolver with inbound and outbound endpoints (Correct)

  • B. Route 53 Public Hosted Zones with health checks

  • C. VPC DNS attributes `enableDnsHostnames` and `enableDnsSupport` only

  • D. AWS Direct Connect with split-horizon DNS

Explanation

Route 53 Resolver endpoints enable hybrid DNS: (1) Inbound Resolver Endpoint — on-premises DNS servers can forward queries for AWS private zones to this endpoint (on-prem → AWS DNS). (2) Outbound Resolver Endpoint — Route 53 Resolver forwards queries for on-premises domains to on-premises DNS servers (AWS → on-prem DNS). Resolver rules define which domains use outbound forwarding. Together, they enable seamless DNS resolution across hybrid environments. VPC DNS attributes enable VPC-internal DNS but don't handle hybrid DNS forwarding.