Free Practice Questions for Amazon Web Services SAP-C02 Exam

The company should create a new AWS WAF web ACL. The company should add a new rule that blocks requests that match the SQL database rule group. The company should set the web ACL to allow all other traffic that does not match those rules. The company should attach the web ACL to the ALB in front of the ECS tasks. This solution will meet the requirements because AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked1. By creating a new AWS WAF web ACL, the company can create a collection of rules that define the conditions for allowing or blocking web requests. By adding a new rule that blocks requests that match the SQL database rule group, the company can prevent SQL injection attacks from reaching the ECS API service. The SQL database rule group is a managed rule group provided by AWS that contains rules to protect against common SQL injection attack patterns2. By setting the web ACL to allow all other traffic that does not match those rules, the company can ensure that legitimate traffic can access the API service. By attaching the web ACL to the ALB in front of the ECS tasks, the company can apply the web security rules to all requests that are forwarded by the load balancer.

The other options are not correct because:

Creating a new AWS WAF Bot Control implementation would not prevent SQL injection attacks from reaching the ECS API service. AWS WAF Bot Control is a feature that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities. However, it does not protect against SQL injection attacks, which are malicious attempts to execute unauthorized SQL statements against your database3.

Creating a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks would not prevent SQL injection attacks from reaching the ECS API service. Monitoring mode is a feature that enables you to evaluate how your rules would perform without actually blocking any requests. However, this mode does not provide any protection against attacks, as it only logs and counts requests that match your rules4.

Creating a new AWS WAF web ACL and creating a new empty IP set in AWS WAF would not prevent SQL injection attacks from reaching the ECS API service. An IP set is a feature that enables you to specify a list of IP addresses or CIDR blocks that you want to allow or block based on their source IP address. However, this approach would not be effective or efficient against SQL injection attacks, as it would require constantly updating the IP set with new IP addresses of attackers, and it would not block attackers who use proxies or VPNs.

This solution will meet the requirement with the least operational overhead because it directly denies the creation of the security group inbound rule with 0.0.0.0/0 as the source, which is the exact requirement. Additionally, it does not require any additional steps or resources such as invoking a Lambda function or adding a Config rule.

An SCP (Service Control Policy) is a policy that you can use to set fine-grained permissions for your AWS accounts within your organization. You can use SCPs to set permissions for the root user of an account and to delegate permissions to IAM users and roles in the accounts. You can use SCPs to set permissions that allow or deny access to specific services, actions, and resources.

To implement this solution, you would need to create an SCP that denies the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. This SCP would then be applied to the NonProd OU. This would ensure that any security group inbound rule that includes 0.0.0.0/0 as the source will be denied, thus meeting the requirement.

Provisioned concurrencyaddresses cold starts and improves performance during spikes.

RDS Reserved Instancessave money over On-Demand for predictable usage.

AWS WAFis designed to protect againstSQL injectionandweb exploits, and integrates with CloudFront.

AWS Lambda Provisioned Concurrency

AWS WAF Web ACL with CloudFront

https://aws.amazon.com/blogs/architecture/create-dynamic-contact-forms-for-s3-static-websites-using-aws-lambda-amazon-api-gateway-and-amazon-ses/

Comprehensive and Detailed in Depth Explanation:

A is correct because write throttling on DynamoDB means WCU (write capacity units) are insufficient. Increasing them will reduce the error rate.

D is correct because introducing Kinesis allows for efficient, high-throughput ingestion and batch processing, reducing the number of Lambda invocations and overall load.

https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/

AWS Organizations allows the management of multiple AWS accounts as a single entity and AWS CloudFormation StackSets allows creating, updating, and deleting stacks across multiple accounts and regions in an organization. This solution allows creating a single CloudFormation template that can be deployed across multiple accounts and regions, and also allows for the management of access and permissions for the different accounts through the use of IAM roles and policies in the management account.

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

https://docs.aws.amazon.com/lambda/latest/dg/configuration-aliases.html

https://aws.amazon.com/blogs/compute/implementing-canary-deployments-of-aws-lambda-functions-with-alias-traffic-shifting/

The current architecture uses a fleet of small EC2 instances that poll SQS for URLs and write results to EFS. Because URLs arrive only occasionally and each crawl takes 10 seconds or less, EC2 instances are often idle waiting for messages. This leads to unnecessary compute and storage costs.

This workload is naturally event-driven: each URL in the SQS queue triggers a short-lived crawl operation. AWS Lambda is well suited for such event-driven, short-duration tasks. Lambda integrates natively with Amazon SQS as an event source, which allows Lambda to poll the SQS queue automatically and invoke functions when messages arrive, scaling the concurrency up and down as needed. When there are no messages, there are no Lambda invocations and no compute charges, eliminating the cost of idle EC2 instances.

For storage of crawl results, Amazon S3 is a highly durable, cost-effective object store. The current use of an EFS file system mounted on all instances is no longer necessary if each Lambda invocation can write the output directly to S3 as objects (for example, CSV files). S3 charges only for the storage used and requests, and does not require continuously running file system infrastructure.

Option B replaces the idle fleet of EC2 instances with a Lambda function that reads from SQS. This aligns compute usage with actual work and takes advantage of serverless scaling and pricing.

Option E modifies the web-crawling process to store results in Amazon S3 instead of EFS, removing the need to maintain an EFS file system and its associated costs.

Option A increases instance size to m5.8xlarge, which greatly increases capacity and cost. Reducing the number of instances by 50% does not offset the large increase in instance size; it does not address idle capacity and likely increases overall cost.

Option C uses Amazon Neptune, which is a managed graph database service. It is not needed for storing simple CSV output; it is more complex and more expensive than S3 for this use case.

Option D uses Aurora Serverless MySQL. While Aurora Serverless can automatically scale, using a relational database to store simple crawl outputs adds unnecessary cost and operational complexity compared to S3 objects.

Therefore, moving the crawling logic to Lambda triggered by SQS (option B) and writing results directly to Amazon S3 (option E) meets the requirements in the most cost-effective way.

The best solution is to store the database credentials for both environments in AWS Secrets Manager with distinct key entry for the QA environment and the production environment. AWS Secrets Manager is a web service that can securely store, manage, and retrieve secrets, such as database credentials. AWS Secrets Manager also supports automatic rotation of secrets by using Lambda functions or built-in rotation templates. By storing the database credentials for both environments in AWS Secrets Manager, the company can avoid exposing credentials within application code and rotate passwords automatically. By providing a reference to the Secrets Manager key as an environment variable for the Lambda functions, the company can easily access the credentials from the code by using the AWS SDK. This solution meets all the requirements of the company.

A Lambda function alias allows you to point to a specific version of a function and also can be updated to point to a new version of the function without modifying the client application. This way, the company can test different versions of the function with different environment variables and,once the optimal parameters are found, update the alias to point to the new version, without the need to update the client application.

By using this approach, the company can simplify the process of updating the environment variables, minimize disruption to users, and reduce the operational overhead.

migrating the data processing script to an AWS Lambda function and using an S3 event notification to invoke the Lambda function to process the objects when the company uploads the objects. This solution meets the company's requirements of high availability and scalability, as well as reducing long-term management overhead, and is likely to be the most cost-effective option.

The company is building an active-active, multi-Region architecture for an ECS-based web application behind ALBs, with shared container images in ECR and a relational database in Aurora MySQL. The goal is to duplicate the setup in a second Region with minimal operational overhead while allowing minor replication latency.

A is required because ACM certificates are Regional for use with Regional resources like an Application Load Balancer. An ALB in the secondary Region needs an ACM certificate that exists in that same Region to terminate HTTPS. Requesting (or importing) a certificate in the secondary Region and attaching it to the ALB HTTPS listener is the standard managed approach with low operational overhead.

B is not correct because ACM certificates are not shared “across Regions” for direct use by a Regional ALB in another Region. Sharing via AWS RAM is used for sharing resources across accounts within a Region (and for supported resource types), but it does not provide a mechanism to use an ACM certificate issued in one Region directly on an ALB in a different Region.

D is required because the application runs in both Regions and must be able to pull container images locally with minimal operational work. Amazon ECR supports cross-Region replication so images pushed in the primary Region can be replicated automatically to the secondary Region’s ECR repositories. This avoids building custom copy pipelines and reduces the chance of drift. Once replication is enabled, updating images in the primary Region can automatically populate the secondary Region repository.

C is not the best fit. A VPC endpoint for ECR is about private connectivity to ECR within a Region. It does not solve the multi-Region image availability problem by itself, and it introduces the idea of pulling images from the primary Region, which is unnecessary and less optimal when cross-Region replication can keep images local to each Region.

E is required because the database must support multi-Region application operation with tolerable replication latency. Aurora Global Database is the managed feature designed to replicate an Aurora cluster to a secondary Region with low-latency replication and minimal operational overhead compared to custom replication. Enabling write forwarding allows applications in the secondary Region to send write requests to the secondary cluster endpoint, with Aurora forwarding those writes to the primary writer. This reduces application changes compared to forcing all writes to go directly to the primary Region endpoints, and it supports an active-active application deployment pattern where both Regions can accept traffic.

F is not correct because “cross-Region writes between DB clusters” and “multiple writer instances in the primary Region” do not provide a managed, multi-Region, multi-writer Aurora design as described. Aurora’s managed multi-Region pattern is Aurora Global Database with a single primary writer in one Region (with the option to promote a secondary Region during failover) and optional write forwarding from a secondary Region to the primary. The option’s described cross-Region multi-writer behavior is not a standard supported Aurora configuration and would not be the least operational overhead approach.

Therefore, the least operational overhead combination that correctly addresses HTTPS termination in the secondary Region, image availability in both Regions, and managed multi-Region database replication is A, D, and E.