Free Practice Questions for Amazon Web Services SAP-C02 Exam

Amazon Connect is a cloud-based contact center service that allows you to set up a virtual call center for your business. It provides an easy-to-use interface for managing customer interactions through voice and chat. Amazon Connect integrates with other AWS services, such as Amazon S3 and Amazon Kinesis, to help you collect, store, and analyze customer data for insights into customer behavior and trends. On the other hand, Amazon Pinpoint is a marketing automation and analytics service that allows you to engage with your customers across different channels, such as email, SMS, push notifications, and voice. It helps you create personalized campaigns based on userbehavior and enables you to track user engagement and retention. While both services allow you to communicate with your customers, they serve different purposes. Amazon Connect is focused on customer support and service, while Amazon Pinpoint is focused on marketing and engagement.

https://docs.aws.amazon.com/fsx/latest/WindowsGuide/what-is.htmlhttps://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_join_instance.html

Store the PGP Private Key:

Step 1: In the AWS Management Console, navigate to AWS Secrets Manager.

Step 2: Store the PGP private key in Secrets Manager. Ensure the key is encrypted and properly secured.

Set Up the Transfer Family Managed Workflow:

Step 1: In the AWS Transfer Family console, create a new managed workflow.

Step 2: Add a nominal step to the workflow that includes the decryption of the files. Configure this step with the PGP decryption parameters, referencing the PGP private key stored in Secrets Manager.

Step 3: Associate this workflow with the Transfer Family SFTP server, ensuring that incoming files are automatically decrypted upon receipt.

This solution ensures that the data is securely decrypted as it is transferred from the SFTP server to the S3 bucket, automating the decryption process and leveraging AWS Secrets Manager for key management.

References

AWS Transfer Family Documentation

Using AWS Secrets Manager for Managing Secrets

AWS Transfer Family Managed Workflows

The company wants three things: minimize client-to-broker latency within the same Availability Zone, increase available bandwidth, and increase the scaling speed of the MSK cluster. The current brokers are Standard brokers (two per AZ). Clients use default settings, which means they are not explicitly configured for rack awareness or AZ affinity.

A common way to reduce latency in multi-AZ Kafka deployments is to enable rack awareness on clients and brokers so clients prefer brokers in the same “rack,” which can map to an Availability Zone. In Kafka, the client.rack setting allows the client to include rack information so the broker can return metadata that helps the client select replicas that are closest, reducing cross-AZ traffic and improving latency.

To increase bandwidth and improve scaling speed, the most direct approach in the choices is to move from Standard brokers to Express brokers. Express brokers are designed to provide higher throughput and faster scaling characteristics compared to standard broker types. Since the question explicitly calls out increasing available bandwidth and scaling speed, the broker type change is the key lever, and it can be combined with client.rack configuration to minimize cross-AZ latency.

Option C matches these requirements: it replaces Standard brokers with Express brokers (to improve throughput/bandwidth and scaling speed) and sets client.rack to the Availability Zone identifier (az_id) to improve locality and reduce latency between clients and brokers in the same AZ.

Option A is not appropriate because MSK does not use EC2 Auto Scaling predictive scaling in that manner, and Kafka clients/brokers are not “associated” with an EC2 placement group as a primary latency solution in MSK. Placement groups are for EC2 instance placement; MSK broker placement is managed by the service.

Option B introduces a proxy layer and MSK Connect in a way that increases complexity and does not directly guarantee lower latency or higher bandwidth. MSK Connect is for Kafka Connect workloads, not as a general-purpose low-latency routing proxy for Kafka clients. Cruise Control is used for partition rebalancing and cluster optimization, but it does not replace the benefits of higher-throughput broker types and client rack awareness for AZ locality.

Option D increases broker size and introduces PrivateLink endpoints. PrivateLink is about private connectivity from VPCs to services and does not inherently ensure AZ-local broker selection or reduce latency between clients and brokers in the same AZ. Also, resizing to xlarge increases capacity but does not address scaling speed and locality as directly as express brokers plus rack configuration.

Therefore, option C best meets all requirements.

To minimize EKS compute costs:

A. Rebuild the application container images to support ARM64 architecture: Graviton instances (ARM-based) require container images built for the ARM64 architecture. This ensures compatibility and allows leveraging Graviton-based compute.

C. Migrate the EKS nodes to the most recent generation of Graviton-based instances: AWS Graviton instances (e.g., c7g, m7g) offer significant price/performance benefits over x86_64 instances. By migrating EKS worker nodes to Graviton, the company can reduce compute costs substantially.

E. Purchase a new EC2 Instance Savings Plan for the newly selected Graviton instance family: Savings Plans provide cost savings compared to On-Demand pricing. After moving to Graviton, purchasing a new Savings Plan tailored for these instance families ensures continued cost savings.This approach aligns with AWS cost optimization best practices—migrating to the latest instance types and purchasing Savings Plans to match the new usage pattern—while ensuring full compatibility with EKS.

AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. By creating a management account and inviting all the existing accounts to join the organization, the solutions architect can track and consolidate expenditures for all the accounts using AWS Cost Management tools such as AWS Cost Explorer and AWS Budgets. An organizational unit (OU) is a group of accounts within an organization that can be used to apply policies and simplify management. A service control policy (SCP) is a type of policy that you can use to manage permissions in your organization. By creating an OU that includes all the development teams and applying an SCP that allows the creation of resources only in Regions that are in the United States, the solutions architect can ensure that the company meets its compliance requirements and avoids unwanted charges from other Regions. An IAM role is an identity with permission policies that determine what the identity can and cannot do in AWS. By creating an IAM role in the management account and allowing the finance team users to assume it, the solutions architect can give them access to view the Billing and Cost Management console without sharing credentials or creating additional users. References:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

https://docs.aws.amazon.com/aws-cost-management/latest/userguide/what-is-costmanagement.html

Creating a single transit gateway in eu-west-1 allows for centralized and cost-effective connectivity between the VPCs involved, without the complexity of creating multiple peering connections or transit gateways.

This approach also allows for selective attachment of only the required VPCs, meeting the strict security and access requirements.

Route table configuration ensures traffic flows properly through the transit gateway, providing connectivity for the application without exposing other VPC resources.

This solution is the most cost-effective and operationally efficient choice for secure inter-Region communication.

You can use the management account of the organization in AWS Billing and Cost Management console to turn off RI sharing for the HR department's production AWS account. This will prevent other departments from sharing the RI discounts and ensure that only the HR department can use the RIs purchased in their production account.

The company’s goal is to modernize the application while minimizing operational overhead. The current architecture relies heavily on self-managed EC2 instances for web serving, APIs, search, and relational data storage. This increases operational burden related to patching, scaling, availability, and troubleshooting.

Option B replaces self-managed components with fully managed AWS services that are purpose-built for each workload type. Hosting the static web application on Amazon S3 with Amazon CloudFront removes the need to manage web servers such as NGINX and provides global content delivery with built-in scalability and high availability. Migrating the search data to Amazon OpenSearch Service eliminates the need to manage an EC2-based OpenSearch node, providing a managed search service with built-in scaling, patching, and monitoring. Migrating PostgreSQL to Amazon Aurora PostgreSQL removes the operational overhead of managing database instances on EC2 and provides managed backups, high availability, and performance optimizations. Running APIs on AWS App Runner further reduces operational effort by abstracting infrastructure management, scaling, and deployment, allowing the team to focus on application code.

Option A still requires running and operating containerized databases and search engines, which is not recommended and does not significantly reduce operational overhead compared to EC2-based deployments. Databases and OpenSearch are better consumed as managed services rather than as containers.

Option C introduces Amazon EKS, which adds significant operational complexity. Even with managed node groups, Kubernetes requires cluster management, networking configuration, upgrades, and ongoing operational expertise. This contradicts the requirement for the least operational overhead.

Option D attempts to run databases and OpenSearch on AWS App Runner. App Runner is designed for stateless web services and APIs, not for stateful services such as databases or search engines. This architecture is not aligned with AWS best practices and would introduce reliability and operational challenges.

Therefore, using managed services such as Amazon CloudFront, Amazon S3, Amazon OpenSearch Service, Amazon Aurora PostgreSQL, and AWS App Runner provides the most modern architecture with the least operational overhead.

AWS Backup is a fully managed service that makes it easy to centralize and automate the creation, retention, and restoration of backups across AWS services. It provides a way to schedule automatic backups for CodeCommit repositories on an hourly basis. Additionally, it also supports cross-Region replication, which allows you to copy the backups to a second Region for disaster recovery.

By using AWS Backup, the company can set up an automatic and regular backup schedule for the CodeCommit repository, ensuring that the data is regularly backed up and stored in a second Region. This can provide a way to recover quickly from any disaster event that might occur.

To enhance the network connectivity solution's availability, fault tolerance, and security in a cost-effective manner, adding a dynamic private IP AWS Site-to-Site VPN as a secondary path is a viable option. This VPN serves as a resilient backup for the Direct Connect connection, ensuring continuous data flow even if the primary path fails. Implementing MACsec (Media Access Control Security) on the Direct Connect connection further secures the data in transit by providing encryption, thus addressing the security requirement. This solution strikes a balance between cost and operational efficiency, avoiding the higher expenses associated with provisioning an additional Direct Connect connection.

AWS Documentation on AWS Direct Connect and AWS Site-to-Site VPN provides insights into setting up resilient and secure network connections. Additionally, information on MACsec offers guidance on how to implement encryption for Direct Connect connections, aligning with best practices for secure and highly available network architectures.

The company has migrated an application to EC2 and will deploy it in an additional Region. The usage is expected to be stable for 3 years, but parts of the application will be redesigned over the next 2 years to use AWS Lambda. Therefore, the company will gradually shift a portion of its compute usage from EC2 to Lambda.

Savings Plans are a flexible pricing model that provide lower prices in exchange for a commitment to a consistent amount of compute usage (measured in dollars per hour) for a 1- or 3-year term. There are two main types of Savings Plans:

• Compute Savings Plans: Apply to any EC2 instance usage regardless of Region, instance family, OS, tenancy, and also apply to AWS Fargate and AWS Lambda usage.

• EC2 Instance Savings Plans: Apply only to a specific instance family in a specific Region.

In this scenario, because there will be a gradual migration from EC2-based compute to Lambda-based compute, a plan that only applies to EC2 (EC2 Instance Savings Plan) risks underutilization as more usage moves to Lambda. Compute Savings Plans, by contrast, can cover EC2 now and Lambda later, maintaining high utilization of the commitment and maximizing effective discount.

Option A recommends evaluating Savings Plans recommendations each year in AWS Cost Management and purchasing a 1-year Compute Savings Plan based on those recommendations. The Cost Management tools and Cost Explorer provide Savings Plans recommendations based on actual usage patterns. Buying 1-year Compute Savings Plans and re-evaluating annually allows the company to adjust its committed spend each year as portions of the application move from EC2 to Lambda. This approach maximizes the chance that the Savings Plans coverage matches the actual combined EC2 and Lambda usage over time and avoids being locked into an EC2-only commitment that becomes increasingly underutilized.

Option B is not optimal because it recommends a 3-year EC2 Instance Savings Plan. That commitment applies only to specific EC2 instance families in a Region and does not apply to Lambda. As the company migrates portions of its workloads to Lambda, the EC2 Instance Savings Plan may become underutilized, reducing the effective discount and potentially increasing overall cost. Compute Optimizer also does not provide Savings Plans purchase recommendations; Savings Plans recommendations come from Cost Management and Cost Explorer.

Option C uses 1-year EC2 Instance Savings Plans and adjusts the commitment each year. While this gives some flexibility, EC2 Instance Savings Plans still do not apply to Lambda usage, so over time there is a risk of underutilizing the EC2 commitment as the Lambda portion grows. This does not maximize savings relative to Compute Savings Plans, which can cover both services.

Option D proposes a 3-year EC2 Instance Savings Plan and suggests decreasing the hourly commitment during the term as workloads move to Lambda. However, Savings Plans commitments cannot be decreased during the term. The company would remain obligated to the original 3-year commitment even if EC2 usage drops, leading to wasted commitment.

Therefore, purchasing 1-year Compute Savings Plans each year based on Savings Plans recommendations from AWS Cost Management (option A) is the best strategy to maximize cost savings while the company transitions part of the workload from EC2 to Lambda.

The cost of EFS backup cold storage is $0.01 per GB-month, whereas the cost of EFS backup warm storage is $0.05 per GB-month1. Therefore, moving the backups to cold storage as soon as possible will reduce the storage cost. However, cold storage backupsmust be retained for a minimum of 90 days2, otherwise they incur a pro-rated charge equal to the storage charge for the remaining days1. Therefore, setting the backup retention period to 30 days will incur a penalty of 60 days of cold storage cost for each backup deleted. This penalty will still be lower than keeping the backups in warm storage for 7 days and then in cold storage for 83 days, which is the current configuration. Therefore, option A is the most cost-effective solution.