Free Practice Questions for Amazon Web Services SAP-C02 Exam

https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-instance-type-requirements.html#use-attribute-based-instance-type-selection-prerequisites

They all mention using spot instances and EKS based on EC2. A spot instance is not appropriate for a production server and the company is developing new application designed for AWS Fargate, which means we must plan the future cost improvement including AWS Fargate. https://aws.amazon.com/savingsplans/compute-pricing/

A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast-2) for SageMaker training and endpoint usage. This enablesautomatic quota increasesfor newly created accounts in the org.

B, C, and D misconfigure either region or quota type.

AWS Global Accelerator is a networking service that helps you improve the availability and performance of the applications that you offer to your global users1. It provides static IP addresses that act as a fixed entry point to your applications and route user traffic to the optimal endpoint based on performance, health, and policies that you configure1. By creating a standard accelerator endpoint for the NLB in each additional Region, you can ensure that customers are automatically directed to the Region that is geographically closest to them2. You can also provide customers with the Global Accelerator IP address, which is anycast from AWS edge locations and does not change when you add or remove endpoints3.

What is AWS Global Accelerator?

Standard accelerator endpoints

AWS Global Accelerator IP addresses

https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRequestRouting.htmlhttps://stackoverflow.com/questions/60947157/aws-s3-replication-without- versioning#:~:text=The%20automated%20Same%20Region%20Replication,is%20replicated%20between%20S3%20buckets.

to connect out from the private subnet you need an NAT gateway and since only one Elastic IP whitelisted on firewall its one NATGateway at time and if AZ failure happens Lambda creates a new NATGATEWAY in a different AZ using the Same Elastic IP ,dont be tempted to select D since application that needs to connect is on a private subnet whose outbound connections use the NATGateway Elastic IP

This option allows the solutions architect to use session tags to pass additional information about the federated user, such as the development unit name, to AWS1. Session tags are key-value pairs that you can define in your identity provider (IdP) and pass in your SAML assertion1. By using a deny action and a StringNotEquals condition in the IAM policy, you can prevent developers from accessing or modifying EC2 instances that belong to a different development unit2. This way, you can enforce fine-grained access control and prevent accidental or malicious incidents.

Passing session tags in SAML assertions

Using tags for attribute-based access control

The application is business-critical with an SLA requirement of 99.95% uptime and is currently limited by an on-premises data center. The architecture includes a PostgreSQL database and separate business logic and presentation layers. Remote users experience high latency when accessing the application, which is latency-sensitive.

To meet or exceed a 99.95% SLA for the database while minimizing operational burden, a managed database service with built-in high availability is preferred. Amazon Aurora PostgreSQL-compatible editions provide high availability and durability by automatically replicating data across multiple Availability Zones in a Region. Aurora can offer higher availability and faster failover compared to self-managed databases on EC2, and offloads patching, backups, and maintenance.

For the application and presentation layers, running them on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer preserves the basic architecture (stateless application servers behind a load balancer) while moving to a managed, highly available environment that can scale out and in automatically based on demand. This results in minimal changes to the application components and provides improved resilience compared to on-premises VMs.

Remote users experience slow load times because their desktop clients connect over higher-latency networks to the on-premises servers. By using Amazon AppStream 2.0, the application can be streamed from AWS to end users. AppStream 2.0 runs the desktop application close to the backend database and application servers within AWS, and streams only the display and input over the network. This significantly reduces the effect of latency between the user and the application backend, improving user experience, especially for latency-sensitive desktop applications, without requiring major changes to the application itself.

Option A uses a PostgreSQL database on EC2, which requires the customer to manage availability, backups, patching, and failover. This does not provide the same managed high-availability guarantees as Aurora or RDS Multi-AZ. It also suggests allocating a full Amazon WorkSpaces desktop per user, which can be more expensive and more complex than streaming only the application via AppStream 2.0.

Option C uses Amazon RDS for PostgreSQL with Multi-AZ configuration, which provides high availability and is a valid managed option. However, it runs the application and presentation layers on Fargate containers behind a Network Load Balancer. NLB is typically used for TCP-level load balancing and is better suited for protocols that require low-level handling, whereas HTTP/HTTPS web applications are commonly placed behind an Application Load Balancer, which provides advanced HTTP routing features. Also, ElastiCache can reduce database load and improve response times but does not directly solve the end-user network latency issue in a desktop client scenario.

Option D is incorrect because Amazon Redshift is a data warehouse service, not an operational PostgreSQL-compatible database for transaction processing. It is not appropriate for hosting the application’s primary relational database. CloudFront accelerates delivery of static and cached web content, not interactive desktop client-server traffic.

Therefore, migrating the database to Aurora PostgreSQL, running the application and presentation layers on EC2 Auto Scaling behind an Application Load Balancer, and using Amazon AppStream 2.0 to deliver the application to remote users (option B) meets the availability requirements, improves user experience, requires relatively little change to the application architecture, and minimizes operational costs compared to more complex or less-managed alternatives.

Moving the application frontend to a static website that is hosted on Amazon S3 will save cost as S3 is cheaper than running EC2 instances.

Using Spot instances for the backend EC2 instances will also save cost, as they are significantly cheaper than On-Demand instances. This will be suitable for the application, as it has minimal traffic during the rest of the day, and the availability of spot instances will not negatively affect the application's availability.

To ensure that game assets are fetched from the closest region and have a fallback option in case the assets become unavailable in the closest region, a solution architect should leverage Amazon CloudFront, a global content delivery network (CDN) service. By creating an Amazon CloudFront distribution and setting up origin groups, the architect can specify multiple origins (in this case, the Application Load Balancers in each region). The primary origin will serve content under normal circumstances, and if the content becomes unavailable, CloudFront will automatically switch to the secondary origin. This approach not only meets the requirement of regional proximity and redundancy but also optimizes latency and enhances the gaming experience by serving assets from the nearest geographical location to the end-user.

AWS Documentation on Amazon CloudFront and origin groups provides detailed instructions on setting up distributions with multiple origins for high availability and performance optimization. Additionally, AWS whitepapers and best practices on content delivery and global applications offer insights into effectively utilizing CloudFront and other AWS services to achieve low latency and high availability.

The requirement is to continuously scan all AWS resources in this solution for security vulnerabilities with the least operational overhead. The environment includes Amazon EKS worker nodes in a managed node group and an Amazon ECR repository that stores container images used by the EKS cluster.

Amazon Inspector is a managed vulnerability scanning service that integrates directly with multiple AWS resource types. It can automatically discover Amazon EC2 instances (including EKS managed node group instances) and perform continuous vulnerability assessments against them, using software inventory and known CVE databases. Inspector also integrates with Amazon ECR to scan container images for vulnerabilities when images are pushed to the repository and periodically thereafter, providing continuous assessment of image security posture without requiring separate scanners or infrastructure.

By activating Amazon Inspector for the account and region, the service will automatically start tracking supported resources, including EKS-managed EC2 instances and ECR repositories, and will begin scanning them for known vulnerabilities. Findings are provided through the Inspector console and can be integrated with other services such as AWS Security Hub or Amazon EventBridge for further aggregation and automation, but no separate infrastructure deployment or maintenance is required.

Option B, therefore, provides end-to-end vulnerability scanning for both the EKS nodes and the ECR images with minimal operational overhead, because it leverages a fully managed AWS service that automatically discovers and scans supported resources.

Option A is not correct because AWS Security Hub does not itself perform vulnerability scanning. Security Hub aggregates and normalizes security findings from various AWS services, including Amazon Inspector, GuardDuty, and others. It is a security posture management and aggregation service, not a vulnerability scanner.

Option C introduces additional operational overhead by requiring the company to provision, configure, secure, and maintain a separate EC2 instance running a third-party vulnerability scanning tool. While ECR basic scan-on-push can detect some image vulnerabilities, the EC2-based scanner must be managed, updated, and scaled by the customer, which violates the requirement for the least operational overhead when a fully managed alternative exists.

Option D is incorrect because the Amazon CloudWatch agent is used for metrics and log collection from EC2 instances and other environments; it does not perform vulnerability scanning or CVE analysis. Configuring CloudWatch for monitoring and logging does not meet the requirement to continuously scan for security vulnerabilities. ECR basic scans also provide only image-level scanning and do not cover the EKS nodes themselves.

Therefore, enabling Amazon Inspector to scan both the EKS nodes and the ECR repository, as described in option B, is the solution that meets the continuous vulnerability scanning requirement with the least operational overhead.

Creating an internal ALB and configuring it as a PrivateLink endpoint service enables private connectivity between internal applications and the metadata API, ensuring that traffic does not traverse the public internet.

Internal ALB: Ensures traffic stays within the AWS network and is not exposed publicly.

PrivateLink endpoint service: Provides secure, private access to the ALB from the internal EC2 instances in other AWS accounts.

Traffic stays within the AWS global network, leveraging AWS security best practices and meeting the new policy requirements for no public internet exposure.This approach is secure, scalable, and minimizes management complexity compared to API Gateway solutions.

Amazon Simple Notification Service (Amazon SNS) is a fully managed pub/sub messaging service that enables users to send messages to multiple subscribers1. Users can sendevent details to an Amazon SNS topic and configure an AWS Lambda function as a subscriber to the SNS topic to process the events. Lambda is a serverless compute service that runs code in response to events and automatically manages the underlying compute resources2. Users can add an on-failure destination to the function and set an Amazon Simple Queue Service (Amazon SQS) queue as the target. Amazon SQS is a fully managed message queuing service that enables users to decouple and scale microservices, distributed systems, and serverless applications3. This way, if a processing error occurs, the event will move into the separate queue for review.

Option B is incorrect because publishing events to an Amazon SQS queue and creating an Amazon EC2 Auto Scaling group will not have the ability to scale in and out based on the number of events that the solution receives. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. Auto Scaling is a feature that helps users maintain application availability and allows them to scale their EC2 capacity up or down automatically according to conditions they define. However, for this use case, using SQS and EC2 will not take advantage of the serverless capabilities of Lambda and SNS.

Option C is incorrect because writing events to an Amazon DynamoDB table and configuring a DynamoDB stream for the table will not have the ability to move events into a separate queue for review if a processing error occurs. Amazon DynamoDB is a fully managed key-value and document database that delivers single-digit millisecond performance at any scale. DynamoDB Streams is a feature that captures data modification events in DynamoDB tables. Users can configure the stream to invoke a Lambda function, but they cannot configure an on-failure destination for the function.

Option D is incorrect because publishing events to an Amazon EventBridge event bus and setting an Application Load Balancer (ALB) as the event bus target will not have the ability to move events into a separate queue for review if a processing error occurs. Amazon EventBridge is a serverless event bus service that makes it easy to connect applications with data from a variety of sources. An ALB is a load balancer that distributes incoming application traffic across multiple targets, such as EC2 instances, containers, IP addresses, Lambda functions, and virtual appliances. Users can configure EventBridge to retry events, but they cannot configure an on-failure destination for the ALB.