Free Practice Questions for Amazon Web Services SAP-C02 Exam

Updating the ingestion process to use Amazon Kinesis Data Firehose to save data to Amazon S3 will reduce the need for EC2 instances and EBS volumes for data storage1. Using AWS Batch with Spot Instances to perform nightly processing will leverage the cost savings of Spot Instances, which are up to 90% cheaper than On-Demand Instances2. AWS Batch will also handle the scheduling and scaling of the processing jobs. Setting the maximum Spot price to 50% of the On-Demand price will reduce the chances of interruption and ensure that the processing is cost-effective.

https://aws.amazon.com/blogs/security/how-to-securely-provide-database-credentials-to-lambda-functions-by-using-aws-secrets-manager/

https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html

https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_cloudformation.html

The company has many S3 buckets and many identities across multiple AWS accounts. It currently uses S3 bucket policies for granular authorization. As requirements grow, the bucket policies have become very large and have hit the maximum size limits. The company needs a way to express granular, identity-based access to S3 resources without relying on increasingly complex bucket policies.

AWS provides S3 Access Grants to centrally manage S3 data access based on identities. S3 Access Grants integrate with IAM Identity Center and external identity providers such as Microsoft Entra ID (formerly Azure AD). With S3 Access Grants, you define grants that associate specific identities or groups (from IAM Identity Center) with permissions on specific S3 buckets, prefixes, or objects. Access Grants maintain a mapping between identities and S3 resources without requiring large, per-bucket policies.

Option A describes exactly this approach. You create an S3 Access Grant configuration associated with the IAM Identity Center instance that is already integrated with the company’s IdP. You then define S3 Access Grants for the various user groups according to business requirements, specifying the appropriate S3 buckets and prefixes. When users access S3 through AWS tools that support S3 Access Grants, temporary credentials are issued that reflect the grants. This centralizes authorization management, reduces the size and complexity of S3 bucket policies, and minimizes operational overhead because you manage permissions per identity group rather than constantly editing long bucket policies.

Option B uses S3 access points and Object Lambda Access Points with a Lambda function for data filtering. This is more suitable for content transformation or redaction rather than primary authorization management. It adds operational complexity by requiring custom Lambda code and Object Lambda configuration, and it does not directly solve the problem of large bucket policies for fine-grained permissions.

Option C uses per-bucket S3 access points with attached policies. While access points can simplify some aspects of access control and allow per-application policies, using many access points with detailed policies can still lead to significant policy complexity. It also does not take advantage of the existing IAM Identity Center integration and does not centrally align permissions with identity groups.

Option D uses AWS Organizations service control policies (SCPs). SCPs are intended to define high-level guardrails and maximum permissions at the account or organizational unit level, not detailed, per-bucket or per-prefix access control for individual users or groups. Using SCPs to express granular S3 bucket permissions would be complex, hard to maintain, and not aligned with the purpose of SCPs.

Therefore, using S3 Access Grants integrated with IAM Identity Center (option A) provides a centralized, identity-aware, low-overhead way to manage granular S3 access without hitting S3 bucket policy size limits.

Hosting the .NET Core components on Amazon ECS with the Amazon EC2 launch type will meet the requirements of having complex orchestration and full control over networking and host configuration. Amazon ECS is a fully managed container orchestration service that supports both AWS Fargate and Amazon EC2 as launch types. The Amazon EC2 launch type allows users to choose their own EC2 instances, configure their own networking settings, and access their own host operating systems. Hosting the database on Amazon Aurora MySQL Serverless v2 will meet the requirements of having a strongly relational database model and using the same database engine as SQL Server. MySQL is a compatible relational database engine with SQL Server, and it can support most of the legacy application’s database model. Amazon Aurora MySQL Serverless v2 is a serverless version of Amazon Aurora MySQL that can scale up and down automatically based on demand. Using Amazon SQS for asynchronous messaging will meet the requirements of providing a compatible replacement for MSMQ, which is a queue-based messaging system3. Amazon SQS is a fully managed message queuing service that enables decoupled and scalable microservices, distributed systems, and serverless applications.

A is correct because:

DynamoDB global tablesallow for multi-Region, active-active usage.

RDS MySQL read replicain another Region supports read workloads and can bepromotedduring disaster to act as a standalone DB.

B is incorrect: DAX is a cache, not a replication mechanism.

C is wrong because Multi-AZ doesn’t span Regions.

D is more manual and error-prone.

By reducing the number of data nodes in the cluster to 2 and adding UltraWarm nodes to handle the expected capacity, the company can reduce the cost of running the cluster. Additionally, configuring the indexes to transition to UltraWarm when OpenSearch Service ingests the data will ensure that the data is stored in the most cost-effective manner. Finally, transitioning the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy will ensure that the data is retained for compliance purposes, while also reducing the ongoing costs.

(https://aws.amazon.com/compute-optimizer/pricing/,https://aws.amazon.com/systems-manager/pricing/).

https://aws.amazon.com/compute-optimizer/

The company’s goal is to modernize the application while minimizing operational overhead. The current architecture relies heavily on self-managed EC2 instances for web serving, APIs, search, and relational data storage. This increases operational burden related to patching, scaling, availability, and troubleshooting.

Option B replaces self-managed components with fully managed AWS services that are purpose-built for each workload type. Hosting the static web application on Amazon S3 with Amazon CloudFront removes the need to manage web servers such as NGINX and provides global content delivery with built-in scalability and high availability. Migrating the search data to Amazon OpenSearch Service eliminates the need to manage an EC2-based OpenSearch node, providing a managed search service with built-in scaling, patching, and monitoring. Migrating PostgreSQL to Amazon Aurora PostgreSQL removes the operational overhead of managing database instances on EC2 and provides managed backups, high availability, and performance optimizations. Running APIs on AWS App Runner further reduces operational effort by abstracting infrastructure management, scaling, and deployment, allowing the team to focus on application code.

Option A still requires running and operating containerized databases and search engines, which is not recommended and does not significantly reduce operational overhead compared to EC2-based deployments. Databases and OpenSearch are better consumed as managed services rather than as containers.

Option C introduces Amazon EKS, which adds significant operational complexity. Even with managed node groups, Kubernetes requires cluster management, networking configuration, upgrades, and ongoing operational expertise. This contradicts the requirement for the least operational overhead.

Option D attempts to run databases and OpenSearch on AWS App Runner. App Runner is designed for stateless web services and APIs, not for stateful services such as databases or search engines. This architecture is not aligned with AWS best practices and would introduce reliability and operational challenges.

Therefore, using managed services such as Amazon CloudFront, Amazon S3, Amazon OpenSearch Service, Amazon Aurora PostgreSQL, and AWS App Runner provides the most modern architecture with the least operational overhead.

Amazon Kinesis Data Streams is a service that enables real-time data ingestion and processing. Amazon DynamoDB is a NoSQL database that does not require fixed schemas for storage. By using Kinesis Data Streams and DynamoDB, the company can send the JSON data to a database that can handle schemaless data in real time. References:

https://docs.aws.amazon.com/streams/latest/dev/introduction.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

The company wants to serve static content from an S3 bucket during the maintenance period. To do this, the following steps are required:

Upload static informational content to the S3 bucket. This will provide the source of the content that will be served to the visitors.

Set the S3 bucket as a second origin in the original CloudFront distribution. Configure the distribution and the S3 bucket to use an origin access identity (OAI). Thiswill allow CloudFront to access the S3 bucket securely and prevent public access to the bucket.

During the weekly maintenance, edit the default cache behavior to use the S3 origin. Revert the change when the maintenance is complete. This will redirect all web requests to the S3 bucket instead of the Elastic Beanstalk domain name.

The other options are not correct because:

Creating a new CloudFront distribution is not necessary and would require changing the alternate domain name configuration.

Creating a cache behavior for the S3 origin on a new distribution would not work because the visitors would still access the original distribution using the alternate domain name.

Configuring Elastic Beanstalk to serve traffic from the S3 bucket is not possible and would not achieve the desired result.

To minimize EKS compute costs:

A. Rebuild the application container images to support ARM64 architecture: Graviton instances (ARM-based) require container images built for the ARM64 architecture. This ensures compatibility and allows leveraging Graviton-based compute.

C. Migrate the EKS nodes to the most recent generation of Graviton-based instances: AWS Graviton instances (e.g., c7g, m7g) offer significant price/performance benefits over x86_64 instances. By migrating EKS worker nodes to Graviton, the company can reduce compute costs substantially.

E. Purchase a new EC2 Instance Savings Plan for the newly selected Graviton instance family: Savings Plans provide cost savings compared to On-Demand pricing. After moving to Graviton, purchasing a new Savings Plan tailored for these instance families ensures continued cost savings.This approach aligns with AWS cost optimization best practices—migrating to the latest instance types and purchasing Savings Plans to match the new usage pattern—while ensuring full compatibility with EKS.

In this solution, the company can use Amazon SES to send email messages, which will minimize operational overhead as SES is a fully managed service that handles sending and receiving email messages. The company can store the email template on Amazon SES with parameters for the customer data and use an AWS Lambda function to call the SendTemplatedEmail API operation, passing in the customer data to replace the parameters and the email destination. This solution eliminates the need to set up and manage an SMTP server on EC2 instances, which can be costly and time-consuming.

Setting up an AWS Client VPN endpoint and integrating it with Active Directory Domain Services (AD DS) using an AD Connector directory enables secure remote access to internal services deployed in a VPC. Enabling multi-factor authentication (MFA) for AD Connector enhances security by adding an additional layer of authentication. This solution meets the company's requirements for secure remote access through a VPN with MFA, ensuring that the security policy is adhered to while providing a seamless experience for the remote engineers.

AWS Documentation on AWS Client VPN and AD Connector provides detailed instructions on setting up a Client VPN endpoint and integrating it with existing Active Directory for authentication. This solution aligns with AWS best practices for secure remote access to AWS resources.