Text preview & study summary
AWS SAP-C02 SCS-C02 ANS-C01 - Professional Architecture Security Networking Specialty
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An architect designs a multi-region active-active architecture for a globally distributed application. Database writes must be consistent across regions. Which AWS database service supports this?
Explanation
Aurora Global Database supports multi-region deployments. With write forwarding enabled, applications in secondary regions can perform write operations which are automatically forwarded to the primary region for processing, providing a globally consistent write path. DynamoDB Global Tables provides multi-region active-active with eventual consistency (last-write-wins), suitable for many use cases but not for strict consistency requirements. RDS Multi-AZ is single-region only. ElastiCache Global Datastore provides Redis replication across regions but for caching, not primary database operations.
Question 2
A developer stores application secrets (database passwords, API keys) in AWS Secrets Manager. The application must automatically rotate the database password every 30 days. Which mechanism handles rotation?
Explanation
Secrets Manager automatic rotation: when rotation is enabled for a secret, Secrets Manager calls a Lambda function (AWS-provided for RDS, Redshift, DocumentDB or custom for other systems) on the configured schedule. The Lambda function: (1) Creates a new password, (2) Updates the database (using the current password to authenticate and change it), (3) Updates the secret in Secrets Manager, (4) Verifies the new credentials work. Applications fetching secrets from Secrets Manager automatically get the new credentials after rotation. The rotation Lambda is the key component — it orchestrates the actual password change.
Question 3
An organization implements AWS Network Firewall to inspect all traffic entering their VPC from the internet. Where should the Network Firewall endpoint be deployed in the VPC architecture?
Explanation
AWS Network Firewall architecture: (1) Create a dedicated firewall subnet in each AZ. (2) Deploy the Network Firewall endpoint in the firewall subnet. (3) Update route tables: the Internet Gateway's route table sends inbound traffic to the firewall endpoint. The firewall subnet's route table sends allowed traffic to the application subnets. This creates a "bump in the wire" for traffic inspection. The firewall inspects all traffic before it reaches application resources. Deploying in private subnets means internet traffic reaches applications before being inspected. Network Firewall does deploy as VPC endpoints.
Question 4
A company uses Amazon GuardDuty and receives a finding: `CryptoCurrency:EC2/BitcoinTool.B!DNS`. What does this finding indicate and what is the appropriate response?
Explanation
GuardDuty `CryptoCurrency:EC2/BitcoinTool.B!DNS` finding indicates that an EC2 instance's DNS queries match patterns associated with cryptocurrency mining pools (BitcoinTool DNS infrastructure). This strongly suggests unauthorized cryptomining software is running on the instance — a common indicator of compromise where attackers deploy mining malware for financial gain. Response: (1) Isolate the instance, (2) Take forensic snapshot, (3) Investigate with CloudTrail, VPC Flow Logs, and instance logs. GuardDuty detects and alerts but does not automatically respond/block.
Question 5
A company uses Route 53 with a private hosted zone. An application needs to resolve on-premises DNS names while instances in the VPC also need to resolve Route 53 private zone records. Which feature enables bidirectional DNS resolution?
Explanation
Route 53 Resolver endpoints enable hybrid DNS: (1) Inbound Resolver Endpoint — on-premises DNS servers can forward queries for AWS private zones to this endpoint (on-prem → AWS DNS). (2) Outbound Resolver Endpoint — Route 53 Resolver forwards queries for on-premises domains to on-premises DNS servers (AWS → on-prem DNS). Resolver rules define which domains use outbound forwarding. Together, they enable seamless DNS resolution across hybrid environments. VPC DNS attributes enable VPC-internal DNS but don't handle hybrid DNS forwarding.
