Introduction
The AWS Certified Solutions Architect–Professional (SAP-C01) exam is intended for individuals who perform a Solutions Architect–Professional role. This exam validates advanced technical skills and experience in designing distributed applications and systems on the AWS platform.
It validates an examinee’s ability to:
Design and deploy dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
Select appropriate AWS services to design and deploy an application based on given requirements
Migrate complex, multi-tier applications on AWS
Design and deploy enterprise-wide scalable operations on AWS
Implement cost-control strategies
Recommended AWS and General IT Knowledge and Experience
Two or more years of hands-on experience designing and deploying cloud architecture on AWS
Ability to evaluate cloud application requirements and make architectural recommendations for implementation, deployment, and provisioning applications on AWS
Ability to provide best practice guidance on the architectural design across multiple applications and projects of the enterprise
Familiarity with a scripting language
Familiarity with Windows and Linux environments
Familiarity with AWS CLI, AWS APIs, AWS CloudFormation templates, the AWS Billing Console, and the AWS Management Console
Explain and apply the five pillars of the AWS Well-Architected Framework
Map business objectives to application/architecture requirements
Design a hybrid architecture using key AWS technologies (e.g., VPN, AWS Direct Connect)
Architect a continuous integration and deployment process
Exam Preparation
These training courses and materials may be helpful for examination preparation:
AWS Training: (aws.amazon.com/training)
Advanced Architecting on AWS: 3-day instructor-led live or virtual course
AWS Certification Exam Readiness Workshops: AWS Certified Solutions Architect–Professional: 1-day live course
AWS Security Fundamentals: 1-day instructor-led live course
AWS Well-Architected Training: 2-hour online training course
EC2 Systems Manager: 2-hour online training course
Migrating to AWS: 2-day instructor-led live or virtual course
Preview Course: Deep Dive into Amazon Elastic Block Store (EBS): 1-hour online training course
Preview Course: Deep Dive into Elastic File System (EFS): 65-minute online training course
Preview Course: Migrating and Tiering Storage to AWS: 1-hour online training course
Suggested AWS Whitepapers (aws.amazon.com/whitepapers) Kindle and .pdf, and Other Materials
AWS Security Best Practices whitepaper, August 2016
Web Services: Overview of Security Processes whitepaper, May 2017
Using Amazon Web Services for Disaster Recovery whitepaper, October 2014
AWS Documentation for services, including but not limited to compute, management tools, storage, networking and content delivery, analytics, database, security, identity and compliance, and application integration web-pages
AWS Architecture Center web-pages
Exam Content
Response Types
There are two types of questions on the examination:
Multiple-choice: Has one correct response and three incorrect responses (distractors).
Multiple-response: Has two or more correct responses out of five or more options.
Select one or more responses that best complete the statement or answer the question. Distractors, or incorrect answers, are response options that an examinee with incomplete knowledge or skill would likely choose. However, they are generally plausible responses that fit in the content area defined by the test objective.
Unanswered questions will be scored as incorrect; there is no penalty for guessing.
Unscored Content
Your examination may include unscored items that are placed on the test to gather statistical information. These questions are not identified on the form, and do not affect your score.
Exam Results
The AWS Certified Solutions Architect–Professional (SAP-C01) is a pass or fail exam. The examination is scored against a minimum standard established by AWS professionals who are guided by certification industry best practices and guidelines.
Your results for the examination are reported as a score from 100 through 1000, with a minimum passing score of 750. Your score shows how you performed on the examination as a whole and whether you passed. Scaled scoring models are used to equate scores across multiple exam forms that may have slightly different difficulty levels.
Your score report contains a table of classifications of your performance at each section level. This information is designed to provide general feedback concerning your examination performance. The examination uses a compensatory scoring model, which means that you do not need to “pass” the individual sections, only the overall examination. Each section of the examination has a specific weighting, so some sections have more questions than others. The table contains general information, highlighting your strengths and weaknesses. Exercise caution when interpreting section-level feedback.
Content Outline
This exam guide includes weightings, test domains, and objectives only. It is not a comprehensive listing of the content on this examination. The table below lists the main content domains and their weightings.
for Existing Solutions 29%
TOTAL 100%
Domain 1: Design for Organizational Complexity
1.1. Determine cross-account authentication and access strategy for complex organizations (for example, an organization with varying compliance requirements, multiple business units, and varying scalability requirements).
1.2. Determine how to design networks for complex organizations (for example, an organization with varying compliance requirements, multiple business units, and varying scalability requirements).
1.3. Determine how to design a multi-account AWS environment for complex organizations (for example, an organization with varying compliance requirements, multiple business units, and varying scalability requirements).
Domain 2: Design for New Solutions
2.1. Determine security requirements and controls when designing and implementing a solution.
2.2. Determine a solution design and implementation strategy to meet reliability requirements.
2.3. Determine a solution design to ensure business continuity.
2.4. Determine a solution design to meet performance objectives.
2.5. Determine a deployment strategy to meet business requirements when designing and implementing a solution.
Domain 3: Migration Planning
3.1. Select existing workloads and processes for potential migration to the cloud.
3.2. Select migration tools and/or services for new and migrated solutions based on detailed AWS knowledge.
3.3. Determine a new cloud architecture for an existing solution.
3.4. Determine a strategy for migrating existing on-premises workloads to the cloud.
Domain 4: Cost Control
4.1. Select a cost-effective pricing model for a solution.
4.2. Determine which controls to design and implement that will ensure cost optimization.
4.3. Identify opportunities to reduce cost in an existing solution.
Domain 5: Continuous Improvement for Existing Solutions
5.1. Troubleshoot solution architectures.
5.2. Determine a strategy to improve an existing solution for operational excellence.
5.3. Determine a strategy to improve the reliability of an existing solution.
5.4. Determine a strategy to improve the performance of an existing solution.
5.5. Determine a strategy to improve the security of an existing solution.
5.6. Determine how to improve the deployment of an existing solution.
QUESTION 1
Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance.
Which of these options would allow you to encrypt your data at rest? (Choose 3)
A. Implement third party volume encryption tools
B. Implement SSL/TLS for all services running on the server
C. Encrypt data inside your applications before storing it on EBS
D. Encrypt data using native data encryption drivers at the file system level
E. Do nothing as EBS volumes are encrypted by default
Correct Answer: A,C,D
QUESTION 2
A customer is deploying an SSL-enabled web application to AWS and would like to implement a separation of roles between the EC2 service administrators, who are entitled to log in to instances as well as make API calls, and the security officers, who will maintain and have exclusive access to the application’s X.509 certificate that contains the private key.
A. Upload the certificate on an S3 bucket owned by the security officers and accessible only by EC2 Role of the web servers.
B. Configure the web servers to retrieve the certificate upon boot from a CloudHSM that is managed by the security officers.
C. Configure system permissions on the web servers to restrict access to the certificate only to the authorized security officers.
D. Configure IAM policies authorizing access to the certificate store only to the security officers and terminate SSL on an ELB.
Correct Answer: D
QUESTION 3
You have recently joined a startup company building sensors to measure street noise and air quality in urban areas. The company has been running a pilot deployment of around 100 sensors for 3 months. Each sensor uploads 1KB of sensor data every minute to a backend hosted on AWS.
During the pilot, you measured a peak of 10 IOPS on the database, and you stored an average of 3GB of sensor data per month in the database.
The current deployment consists of a load-balanced, auto-scaled ingestion layer using EC2 instances and a PostgreSQL RDS database with 500GB standard storage.
The pilot is considered a success and your CEO has managed to get the attention of some potential investors. The business plan requires a deployment of at least 100K sensors, which needs to be supported by the backend. You also need to store sensor data for at least two years to be able to compare year-over-year improvements.
To secure funding, you have to make sure that the platform meets these requirements and leaves room for further scaling.
Which setup will meet the requirements?
A. Add an SQS queue to the ingestion layer to buffer writes to the RDS instance
B. Ingest data into a DynamoDB table and move old data to a Redshift cluster
C. Replace the RDS instance with a 6 node Redshift cluster with 96TB of storage
D. Keep the current architecture but upgrade RDS storage to 3TB and 10K provisioned IOPS Correct Answer: C
Correct Answer: B
QUESTION 4
A web company is looking to implement an intrusion detection and prevention system into their deployed VPC.
This platform should have the ability to scale to thousands of instances running inside of the VPC.
How should they architect their solution to achieve these goals?
A. Configure an instance with monitoring software and the elastic network interface (ENI) set to promiscuous mode packet sniffing to see all traffic across the VPC.
B. Create a second VPC and route all traffic from the primary application VPC through the second VPC where the scalable virtualized IDS/IPS platform resides.
C. Configure servers running in the VPC using the host-based ‘route’ commands to send all traffic through the platform to a scalable virtualized IDS/IPS.
D. Configure each host with an agent that collects all network traffic and sends that traffic to the IDS/IPS platform for inspection.
Correct Answer: D
QUESTION 5
A company is storing data on Amazon Simple Storage Service (S3). The company’s security policy mandates that data is encrypted at rest.
Which of the following methods can achieve this? (Choose 3)
A. Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.
B. Use Amazon S3 server-side encryption with customer-provided keys.
C. Use Amazon S3 server-side encryption with EC2 key pair.
D. Use Amazon S3 bucket policies to restrict access to the data at rest.
E. Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.
F. Use SSL to encrypt the data while in transit to Amazon S3.
Correct Answer: A,B,E