Why Should You Prepare For Your AWS Certified Solutions Architect - Professional With MyCertsHub?
At MyCertsHub, we go beyond standard study material. Our platform provides authentic Amazon SAP-C02 Exam Dumps, detailed exam guides, and reliable practice exams that mirror the actual AWS Certified Solutions Architect - Professional test. Whether you’re targeting Amazon certifications or expanding your professional portfolio, MyCertsHub gives you the tools to succeed on your first attempt.
Verified SAP-C02 Exam Dumps
Every set of exam dumps is carefully reviewed by certified experts to ensure accuracy. For the SAP-C02 AWS Certified Solutions Architect - Professional, you’ll receive updated practice questions designed to reflect real-world exam conditions. This approach saves time, builds confidence, and focuses your preparation on the most important exam areas.
Realistic Test Prep For The SAP-C02
You can instantly access downloadable PDFs of SAP-C02 practice exams with MyCertsHub. These include authentic practice questions paired with explanations, making our exam guide a complete preparation tool. By testing yourself before exam day, you’ll walk into the Amazon Exam with confidence.
Smart Learning With Exam Guides
Our structured SAP-C02 exam guide focuses on the AWS Certified Solutions Architect - Professional's core topics and question patterns. You will be able to concentrate on what really matters for passing the test rather than wasting time on irrelevant content.
Pass the SAP-C02 Exam – Guaranteed
We Offer A 100% Money-Back Guarantee On Our Products.
If you use MyCertsHub's exam dumps to prepare for the AWS Certified Solutions Architect - Professional exam and do not pass, we will issue a full refund. That’s how confident we are in the effectiveness of our study resources.
Try Before You Buy – Free Demo
Still undecided? See for yourself how MyCertsHub has helped thousands of candidates achieve success by downloading a free demo of the SAP-C02 exam dumps.
MyCertsHub – Your Trusted Partner For Amazon Exams
Whether you’re preparing for AWS Certified Solutions Architect - Professional or any other professional credential, MyCertsHub provides everything you need: exam dumps, practice exams, practice questions, and exam guides. Passing your SAP-C02 exam has never been easier thanks to our tried-and-true resources.
Amazon SAP-C02 Sample Question Answers
Question # 1
A company has an IoT platform that runs in an on-premises environment. The platform consists of a server that connects to IoT devices by using the MQTT protocol. The platform collects telemetry data from the devices at least once every 5 minutes. The platform also stores device metadata in a MongoDB cluster. An application that is installed on an on-premises machine runs periodic jobs to aggregate and transform the telemetry and device metadata. The application creates reports that users view by using another web application that runs on the same on-premises machine. The periodic jobs take 120-600 seconds to run. However, the web application is always running. The company is moving the platform to AWS and must reduce the operational overhead of the stack. Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)
A. Use AWS Lambda functions to connect to the IoT devices.
B. Configure the IoT devices to publish to AWS IoT Core.
C. Write the metadata to a self-managed MongoDB database on an Amazon EC2 instance.
D. Write the metadata to Amazon DocumentDB (with MongoDB compatibility).
E. Use AWS Step Functions state machines with AWS Lambda tasks to prepare the reports and to write the reports to Amazon S3. Use Amazon CloudFront with an S3 origin to serve the reports.
F. Use an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon EC2 instances to prepare the reports. Use an ingress controller in the EKS cluster to serve the reports.
Question # 2
A company is designing an AWS environment for a manufacturing application. The application has been successful with customers, and the application's user base has increased. The company has connected the AWS environment to the company's on-premises data center through a 1 Gbps AWS Direct Connect connection. The company has configured BGP for the connection. The company must update the existing network connectivity solution to ensure that the solution is highly available, fault tolerant, and secure. Which solution will meet these requirements MOST cost-effectively?
A. Add a dynamic private IP AWS Site-to-Site VPN as a secondary path to secure data in transit and provide resilience for the Direct Connect connection. Configure MACsec to encrypt traffic inside the Direct Connect connection.
B. Provision another Direct Connect connection between the company's on-premises data center and AWS to increase the transfer speed and provide resilience. Configure MACsec to encrypt traffic inside the Direct Connect connection.
C. Configure multiple private VIFs. Load balance data across the VIFs between the on-premises data center and AWS to provide resilience.
D. Add a static AWS Site-to-Site VPN as a secondary path to secure data in transit and to provide resilience for the Direct Connect connection.
Answer: A
Explanation:
To enhance the network connectivity solution's availability, fault tolerance, and security in a cost-effective manner, adding a dynamic private IP AWS Site-to-Site VPN as a secondary path is a viable option. This VPN serves as a resilient backup for the Direct Connect connection, ensuring continuous data flow even if the primary path fails. Implementing MACsec (Media Access Control Security) on the Direct Connect connection further secures the data in transit by providing encryption, thus addressing the security requirement. This solution strikes a balance between cost and operational efficiency, avoiding the higher expenses associated with provisioning an additional Direct Connect connection.
References: AWS Documentation on AWS Direct Connect and AWS Site-to-Site VPN provides insights into setting up resilient and secure network connections. Additionally, information on MACsec offers guidance on how to implement encryption for Direct Connect connections, aligning with best practices for secure and highly available network architectures.
Question # 3
A company deploys workloads in multiple AWS accounts. Each account has a VPC with VPC flow logs published in text log format to a centralized Amazon S3 bucket. Each log file is compressed with gzip compression. The company must retain the log files indefinitely. A security engineer occasionally analyzes the logs by using Amazon Athena to query the VPC flow logs. The query performance is degrading over time as the number of ingested logs is growing. A solutions architect must improve the performance of the log analysis and reduce the storage space that the VPC flow logs use. Which solution will meet these requirements with the LARGEST performance improvement?
A. Create an AWS Lambda function to decompress the gzip files and to compress the files with bzip2 compression. Subscribe the Lambda function to an s3:ObjectCreated:Put S3 event notification for the S3 bucket.
B. Enable S3 Transfer Acceleration for the S3 bucket. Create an S3 Lifecycle configuration to move files to the S3 Intelligent-Tiering storage class as soon as the files are uploaded.
C. Update the VPC flow log configuration to store the files in Apache Parquet format. Specify hourly partitions for the log files.
D. Create a new Athena workgroup without data usage control limits. Use Athena engine version 2.
Answer: C
Explanation:
Converting VPC flow logs to store in Apache Parquet format and specifying hourly partitions significantly improves query performance and reduces storage space usage. Apache Parquet is a columnar storage file format optimized for analytical queries, allowing Athena to scan less data and improve query performance. Partitioning logs by hour further enhances query efficiency by limiting the amount of data scanned during queries, addressing the issue of degrading performance over time due to the growing volume of ingested logs.
References: AWS Documentation on VPC Flow Logs and Amazon Athena provides insights into configuring VPC flow logs in Apache Parquet format and using Athena for querying log data. This approach is recommended for efficient log analysis and storage optimization.
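The answer above describes the change in prose. As an added illustration that is not part of the original page or of any AWS or MyCertsHub material, the following CloudFormation fragment shows what option C looks like when declared as infrastructure: a flow log delivered to the central bucket in Parquet with Hive-compatible, per-hour partition paths. The VPC ID, bucket name and prefix are placeholders.

```yaml
# Added example (not from the original page): VPC flow log in Parquet with
# Hive-compatible hourly partitions so Athena can prune and scan less data.
# The VPC ID, bucket ARN and prefix are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: VPC flow logs in Parquet with hourly partitions for Athena (example)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  CentralLogBucketArn:
    Type: String
    Default: arn:aws:s3:::example-central-flow-logs   # placeholder bucket
Resources:
  VpcFlowLogParquet:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceType: VPC
      ResourceId: !Ref VpcId
      TrafficType: ALL
      LogDestinationType: s3
      # A dedicated prefix keeps flow logs apart from other objects in the bucket
      LogDestination: !Sub '${CentralLogBucketArn}/vpc-flow-logs/'
      # Parquet (columnar) plus Hive-style partition paths per hour: this is the
      # combination the answer relies on for Athena partition pruning.
      DestinationOptions:
        FileFormat: parquet
        HiveCompatiblePartitions: true
        PerHourPartition: true
      MaxAggregationInterval: 600
```

With HiveCompatiblePartitions enabled, objects land under paths of the form AWSLogs/aws-account-id=.../aws-service=vpcflowlogs/aws-region=.../year=.../month=.../day=.../hour=..., so the Athena table should declare those partition keys (or use partition projection) and queries should filter on year, month, day and hour to benefit from pruning. Files already written in gzip text are not converted by this change; they remain queryable through the existing table, and the bucket policy granting delivery.logs.amazonaws.com write access to the prefix must be in place before the flow log is created.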
Question # 4
An e-commerce company is revamping its IT infrastructure and is planning to use AWS services. The company's CIO has asked a solutions architect to design a simple, highly available, and loosely coupled order processing application. The application is responsible for receiving and processing orders before storing them in an Amazon DynamoDB table. The application has a sporadic traffic pattern and should be able to scale during marketing campaigns to process the orders with minimal delays. Which of the following is the MOST reliable approach to meet the requirements?
A. Receive the orders in an Amazon EC2-hosted database and use EC2 instances to process them.
B. Receive the orders in an Amazon SQS queue and invoke an AWS Lambda function to process them.
C. Receive the orders using the AWS Step Functions program and launch an Amazon ECS container to process them.
D. Receive the orders in Amazon Kinesis Data Streams and use Amazon EC2 instances to process them.
Answer: B
Explanation:
The best option is to use Amazon SQS and AWS Lambda to create a serverless order processing application. Amazon SQS is a fully managed message queue service that can decouple the order receiving and processing components, making the application more scalable and fault-tolerant. AWS Lambda is a serverless compute service that can automatically scale to handle the incoming messages from the SQS queue and process them according to the business logic. AWS Lambda can also integrate with Amazon DynamoDB to store the processed orders in a fast and flexible NoSQL database. This approach eliminates the need to provision, manage, or scale any servers or containers, and reduces the operational overhead and cost.
Option A is not reliable because using an EC2-hosted database to receive the orders introduces a single point of failure and a scalability bottleneck. EC2 instances also require more management and configuration than serverless services.
Option C is not reliable because using AWS Step Functions to receive the orders adds unnecessary complexity and cost to the application. AWS Step Functions is a service that coordinates multiple AWS services into a serverless workflow, but it is not designed to handle high-volume, sporadic, or unpredictable traffic patterns. AWS Step Functions also charges per state transition, which can be expensive for a large number of orders. Launching an ECS container to process each order also requires more resources and management than invoking a Lambda function.
Option D is not reliable because using Amazon Kinesis Data Streams to receive the orders is not suitable for this use case. Amazon Kinesis Data Streams is a service that enables real-time processing of streaming data at scale, but it is not meant for asynchronous message queuing. Amazon Kinesis Data Streams requires consumers to poll the data from the stream, which can introduce latency and complexity. Amazon Kinesis Data Streams also charges per shard hour, which can be expensive for a sporadic traffic pattern.
References:
Amazon SQS
AWS Lambda
Amazon DynamoDB
AWS Step Functions
Amazon ECS
Question # 5
A company that is developing a mobile game is making game assets available in two AWS Regions. Game assets are served from a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in each Region. The company requires game assets to be fetched from the closest Region. If game assets become unavailable in the closest Region, they should be fetched from the other Region. What should a solutions architect do to meet these requirements?
A. Create an Amazon CloudFront distribution. Create an origin group with one origin for each ALB. Set one of the origins as primary.
B. Create an Amazon Route 53 health check for each ALB. Create a Route 53 failover routing record pointing to the two ALBs. Set the Evaluate Target Health value to Yes.
C. Create two Amazon CloudFront distributions, each with one ALB as the origin. Create an Amazon Route 53 failover routing record pointing to the two CloudFront distributions. Set the Evaluate Target Health value to Yes.
D. Create an Amazon Route 53 health check for each ALB. Create a Route 53 latency alias record pointing to the two ALBs. Set the Evaluate Target Health value to Yes.
Answer: A
Explanation:
To ensure that game assets are fetched from the closest region and have a fallback option in case the assets become unavailable in the closest region, a solution architect should leverage Amazon CloudFront, a global content delivery network (CDN) service. By creating an Amazon CloudFront distribution and setting up origin groups, the architect can specify multiple origins (in this case, the Application Load Balancers in each region). The primary origin will serve content under normal circumstances, and if the content becomes unavailable, CloudFront will automatically switch to the secondary origin. This approach not only meets the requirement of regional proximity and redundancy but also optimizes latency and enhances the gaming experience by serving assets from the nearest geographical location to the end-user.
References: AWS Documentation on Amazon CloudFront and origin groups provides detailed instructions on setting up distributions with multiple origins for high availability and performance optimization. Additionally, AWS whitepapers and best practices on content delivery and global applications offer insights into effectively utilizing CloudFront and other AWS services to achieve low latency and high availability.
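To make the origin-group mechanism from the answer concrete, here is an added CloudFormation fragment (not from the original page, and not AWS or MyCertsHub material) that declares one distribution whose default behavior targets an origin group of the two regional ALBs. The ALB DNS names are placeholders.

```yaml
# Added example (not from the original page): a CloudFront distribution with an
# origin group of two ALBs. The first member is primary; CloudFront retries the
# second when the primary answers with one of the listed status codes or fails
# to connect. ALB DNS names are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront origin group failing over between two regional ALBs (example)
Parameters:
  PrimaryAlbDnsName:
    Type: String
    Default: primary-alb-placeholder.us-east-1.elb.amazonaws.com
  SecondaryAlbDnsName:
    Type: String
    Default: secondary-alb-placeholder.eu-west-1.elb.amazonaws.com
Resources:
  GameAssetsDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Game assets with regional ALB failover
        Origins:
          - Id: alb-primary
            DomainName: !Ref PrimaryAlbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
          - Id: alb-secondary
            DomainName: !Ref SecondaryAlbDnsName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
              OriginSSLProtocols:
                - TLSv1.2
        OriginGroups:
          Quantity: 1
          Items:
            - Id: alb-failover-group
              # Member order matters: first is primary, second is the fallback
              Members:
                Quantity: 2
                Items:
                  - OriginId: alb-primary
                  - OriginId: alb-secondary
              # Primary responses that make CloudFront retry the secondary origin
              FailoverCriteria:
                StatusCodes:
                  Quantity: 4
                  Items: [500, 502, 503, 504]
        DefaultCacheBehavior:
          # The behavior points at the group, not at an individual origin
          TargetOriginId: alb-failover-group
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS]
          CachedMethods: [GET, HEAD]
          ForwardedValues:
            QueryString: false
```

Two practical points: origin failover applies only to GET, HEAD and OPTIONS requests, which suits static game assets, and because the origins are https-only CloudFront validates each ALB's certificate against the configured DomainName, so in a real deployment each ALB should carry a custom hostname with a matching ACM certificate rather than the default elb.amazonaws.com name used as a placeholder here.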
Question # 6
A flood monitoring agency has deployed more than 10,000 water-level monitoring sensors. Sensors send continuous data updates, and each update is less than 1 MB in size. The agency has a fleet of on-premises application servers. These servers receive updates from the sensors, convert the raw data into a human-readable format, and write the results to an on-premises relational database server. Data analysts then use simple SQL queries to monitor the data. The agency wants to increase overall application availability and reduce the effort that is required to perform maintenance tasks. These maintenance tasks, which include updates and patches to the application servers, cause downtime. While an application server is down, data is lost from sensors because the remaining servers cannot handle the entire workload. The agency wants a solution that optimizes operational overhead and costs. A solutions architect recommends the use of AWS IoT Core to collect the sensor data. What else should the solutions architect recommend to meet these requirements?
A. Send the sensor data to Amazon Kinesis Data Firehose. Use an AWS Lambda function to read the Kinesis Data Firehose data, convert it to .csv format, and insert it into an Amazon Aurora MySQL DB instance. Instruct the data analysts to query the data directly from the DB instance.
B. Send the sensor data to Amazon Kinesis Data Firehose. Use an AWS Lambda function to read the Kinesis Data Firehose data, convert it to Apache Parquet format, and save it to an Amazon S3 bucket. Instruct the data analysts to query the data by using Amazon Athena.
C. Send the sensor data to an Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) application to convert the data to .csv format and store it in an Amazon S3 bucket. Import the data into an Amazon Aurora MySQL DB instance. Instruct the data analysts to query the data directly from the DB instance.
D. Send the sensor data to an Amazon Managed Service for Apache Flink (previously known as Amazon Kinesis Data Analytics) application to convert the data to Apache Parquet format and store it in an Amazon S3 bucket. Instruct the data analysts to query the data by using Amazon Athena.
Answer: B
Explanation:
To enhance application availability and reduce maintenance-induced downtime, sending sensor data to Amazon Kinesis Data Firehose, processing it with an AWS Lambda function, converting it to Apache Parquet format, and storing it in Amazon S3 is an effective strategy. This approach leverages serverless architectures for scalability and reliability. Data analysts can then query the optimized data using Amazon Athena, a serverless interactive query service, which supports complex queries on data stored in S3 without the need for traditional database servers, optimizing operational overhead and costs.
References: AWS Documentation on AWS IoT Core, Amazon Kinesis Data Firehose, AWS Lambda, Amazon S3, and Amazon Athena provides a comprehensive framework for building a scalable, serverless data processing pipeline. This solution aligns with AWS best practices for processing and analyzing large-scale data streams efficiently.
Question # 7
A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPsec VPN. The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand to a new market segment and begin offering its services to other companies that are using AWS. Which solution will meet these requirements?
A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load Balancer, and make the service available over DX.
B. Create a VPC Endpoint Service that accepts HTTP or HTTPS traffic, host it behind an Application Load Balancer, and make the service available over DX.
C. Attach an internet gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
D. Attach a NAT gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
Answer: B
Explanation:
To offer services to other companies using AWS without traversing the internet, creating a VPC Endpoint Service hosted behind an Application Load Balancer (ALB) and making it available over AWS Direct Connect (DX) is the most suitable solution. This approach ensures that the service traffic remains within the AWS network, adhering to the requirement that connectivity must not traverse the internet. An ALB is capable of handling HTTP/HTTPS traffic, making it appropriate for web-based services. Utilizing DX for connectivity between the on-premises data center and AWS further secures and optimizes the network path.
References:
AWS Direct Connect Documentation: Explains how to set up DX for private
connectivity between AWS and an on-premises network.
details on creating and configuring endpoint services for private, secure access to
services hosted in AWS.
AWS Application Load Balancer Documentation: Offers guidance on configuring
ALBs to distribute HTTP/HTTPS traffic efficiently.
Question # 8
A company wants to establish a dedicated connection between its on-premises infrastructure and AWS. The company is setting up a 1 Gbps AWS Direct Connect connection to its account VPC. The architecture includes a transit gateway and a Direct Connect gateway to connect multiple VPCs and the on-premises infrastructure. The company must connect to VPC resources over a transit VIF by using the Direct Connect connection. Which combination of steps will meet these requirements? (Select TWO.)
A. Update the 1 Gbps Direct Connect connection to 10 Gbps.
B. Advertise the on-premises network prefixes over the transit VIF.
C. Advertise the VPC prefixes from the Direct Connect gateway to the on-premises network over the transit VIF.
D. Update the Direct Connect connection's MACsec encryption mode attribute to must encrypt.
E. Associate a MACsec Connection Key Name-Connectivity Association Key (CKN/CAK) pair with the Direct Connect connection.
Answer: B,C
Explanation:
To connect VPC resources over a transit Virtual Interface (VIF) using a Direct Connect connection, the company should advertise the on-premises network prefixes over the transit VIF and advertise the VPC prefixes from the Direct Connect gateway to the on-premises network over the same VIF. This configuration ensures seamless connectivity between the on-premises infrastructure and the AWS VPCs through the transit gateway, facilitating efficient and secure communication across the network.
References: AWS Documentation on AWS Direct Connect and transit gateways provides detailed instructions on configuring transit VIFs and routing for Direct Connect connections. This setup is recommended in AWS best practices for establishing dedicated network connections between on-premises environments and AWS to achieve low-latency, high-throughput, and secure connectivity.
Question # 9
A company hosts an intranet web application on Amazon EC2 instances behind an Application Load Balancer (ALB). Currently, users authenticate to the application against an internal user database. The company needs to authenticate users to the application by using an existing AWS Directory Service for Microsoft Active Directory directory. All users with accounts in the directory must have access to the application. Which solution will meet these requirements?
A. Create a new app client in the directory. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule. Configure the listener rule with the appropriate issuer, client ID and secret, and endpoint details for the Active Directory service. Configure the new app client with the callback URL that the ALB provides.
B. Configure an Amazon Cognito user pool. Configure the user pool with a federated identity provider (IdP) that has metadata from the directory. Create an app client. Associate the app client with the user pool. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule. Configure the listener rule to use the user pool and app client.
C. Add the directory as a new IAM identity provider (IdP). Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Configure the new role as the default authenticated user role for the IdP. Create a listener rule for the ALB. Specify the authenticate-oidc action for the listener rule.
D. Enable AWS IAM Identity Center (AWS Single Sign-On). Configure the directory as an external identity provider (IdP) that uses SAML. Use the automatic provisioning method. Create a new IAM role that has an entity type of SAML 2.0 federation. Configure a role policy that allows access to the ALB. Attach the new role to all groups. Create a listener rule for the ALB. Specify the authenticate-cognito action for the listener rule.
Answer: A
Explanation:
The correct solution is to use the authenticate-oidc action for the ALB listener rule and configure it with the details of the AWS Directory Service for Microsoft Active Directory directory. This way, the ALB can use OpenID Connect (OIDC) to authenticate users against the directory and grant them access to the intranet web application. The app client in the directory is used to register the ALB as an OIDC client and provide the necessary credentials and endpoints. The callback URL is the URL that the ALB redirects the user to after a successful authentication. This solution does not require any additional services or roles, and it leverages the existing directory accounts for all users.
The other solutions are incorrect because they either use the wrong action for the ALB listener rule, or they involve unnecessary or incompatible services or roles. For example:
Solution B is incorrect because it uses an Amazon Cognito user pool, which is a separate user directory service that does not integrate with AWS Directory Service for Microsoft Active Directory. To use this solution, the company would have to migrate or synchronize their users from the directory to the user pool, which is not required by the question. Moreover, the authenticate-cognito action for the ALB listener rule only works with Amazon Cognito user pools, not with federated identity providers (IdPs) that have metadata from the directory.
Solution C is incorrect because it uses IAM as an identity provider (IdP), which is not compatible with AWS Directory Service for Microsoft Active Directory. IAM can only be used as an IdP for web identity federation, which allows users to sign in with social media or other third-party IdPs, not with Active Directory. Moreover, the authenticate-oidc action for the ALB listener rule requires an OIDC IdP, not a SAML 2.0 federation IdP, which is what IAM provides.
Solution D is incorrect because it uses AWS IAM Identity Center (AWS Single Sign-On), which is a service that simplifies the management of SSO access to multiple AWS accounts and business applications. This service is not needed for the scenario in the question, which only involves a single intranet web application. Moreover, the authenticate-cognito action for the ALB listener rule does not work with external IdPs that use SAML, such as AWS IAM Identity Center.
References:
Authenticate users using an Application Load Balancer
What is AWS Directory Service for Microsoft Active Directory?
Using OpenID Connect for user authentication
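The answer names the listener-rule pieces (issuer, client ID and secret, endpoints, callback URL) without showing them together. The following CloudFormation fragment is an added example, not from the original page and not AWS or MyCertsHub material, of an ALB listener rule that runs an authenticate-oidc action ahead of the forward action. The issuer, endpoint URLs, client ID and the Secrets Manager secret name are placeholders for whatever OIDC provider the answer refers to.

```yaml
# Added example (not from the original page): an ALB listener rule that
# authenticates every request with OIDC before forwarding it to the intranet
# target group. Issuer, endpoints, client ID and secret name are placeholders.
AWSTemplateFormatVersion: '2010-09-09'
Description: ALB authenticate-oidc listener rule for an intranet application (example)
Parameters:
  HttpsListenerArn:
    Type: String   # ARN of the ALB's HTTPS listener; authenticate actions need HTTPS
  WebTargetGroupArn:
    Type: String
  OidcClientSecretId:
    Type: String
    Default: intranet/oidc-client   # placeholder Secrets Manager secret name
Resources:
  IntranetAuthRule:
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref HttpsListenerArn
      Priority: 10
      Conditions:
        - Field: path-pattern
          PathPatternConfig:
            Values:
              - '/*'
      Actions:
        # Order 1: redirect unauthenticated users to the IdP, exchange the code at
        # the token endpoint, and set the AWSELBAuthSessionCookie session cookie.
        - Type: authenticate-oidc
          Order: 1
          AuthenticateOidcConfig:
            Issuer: https://idp.example.internal                   # placeholder
            AuthorizationEndpoint: https://idp.example.internal/oauth2/authorize
            TokenEndpoint: https://idp.example.internal/oauth2/token
            UserInfoEndpoint: https://idp.example.internal/oauth2/userinfo
            ClientId: example-alb-client-id                         # placeholder
            # Keep the client secret out of the template and out of version control
            ClientSecret: !Sub '{{resolve:secretsmanager:${OidcClientSecretId}:SecretString:client_secret}}'
            Scope: openid
            SessionTimeout: '28800'   # 8 hours, in seconds
            OnUnauthenticatedRequest: authenticate
        # Order 2: only requests that passed authentication reach the application
        - Type: forward
          Order: 2
          TargetGroupArn: !Ref WebTargetGroupArn
```

The callback URL to register at the IdP is https://<application host>/oauth2/idpresponse on the ALB's listener. After authentication the ALB passes the user's claims to the targets in the x-amzn-oidc-identity, x-amzn-oidc-accesstoken and x-amzn-oidc-data headers; an application that relies on those claims should verify the x-amzn-oidc-data JWT signature against the ALB's public key rather than trusting the header blindly, and the targets' security group should accept traffic only from the ALB so the headers cannot be forged by a direct request.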
Question # 10
A public retail web application uses an Application Load Balancer (ALB) in front of Amazon EC2 instances running across multiple Availability Zones (AZs) in a Region backed by an Amazon RDS MySQL Multi-AZ deployment. Target group health checks are configured to use HTTP and pointed at the product catalog page. Auto Scaling is configured to maintain the web fleet size based on the ALB health check. Recently, the application experienced an outage. Auto Scaling continuously replaced the instances during the outage. A subsequent investigation determined that the web server metrics were within the normal range, but the database tier was experiencing high load, resulting in severely elevated query response times. Which of the following changes together would remediate these issues while improving monitoring capabilities for the availability and functionality of the entire application stack for future growth? (Select TWO.)
A. Configure read replicas for Amazon RDS MySQL and use the single reader endpoint in the web application to reduce the load on the backend database tier.
B. Configure the target group health check to point at a simple HTML page instead of a product catalog page and the Amazon Route 53 health check against the product page to evaluate full application functionality. Configure Amazon CloudWatch alarms to notify administrators when the site fails.
C. Configure the target group health check to use a TCP check of the Amazon EC2 web server and the Amazon Route 53 health check against the product page to evaluate full application functionality. Configure Amazon CloudWatch alarms to notify administrators when the site fails.
D. Configure an Amazon CloudWatch alarm for Amazon RDS with an action to recover a high-load, impaired RDS instance in the database tier.
E. Configure an Amazon ElastiCache cluster and place it between the web application and RDS MySQL instances to reduce the load on the backend database tier.
Answer: A,E
Explanation:
Configuring read replicas for Amazon RDS MySQL and using the single reader endpoint in the web application can significantly reduce the load on the backend database tier, improving overall application performance. Additionally, implementing an Amazon ElastiCache cluster between the web application and RDS MySQL instances can further reduce database load by caching frequently accessed data, thereby enhancing the application's resilience and scalability. These changes address the root cause of the outage by alleviating the database tier's high load and preventing similar issues in the future.
References: AWS Documentation on Amazon RDS Read Replicas and Amazon ElastiCache provides comprehensive guidance on improving application performance and scalability by offloading read traffic from the primary database and caching common queries. These solutions are in line with AWS best practices for building resilient and scalable web applications.
Question # 11
A company needs to implement disaster recovery for a critical application that runs in a single AWS Region. The application's users interact with a web frontend that is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The application writes to an Amazon RDS for MySQL DB instance. The application also outputs processed documents that are stored in an Amazon S3 bucket. The company's finance team directly queries the database to run reports. During busy periods, these queries consume resources and negatively affect application performance. A solutions architect must design a solution that will provide resiliency during a disaster. The solution must minimize data loss and must resolve the performance problems that result from the finance team's queries. Which solution will meet these requirements?
A. Migrate the database to Amazon DynamoDB and use DynamoDB global tables. Instruct the finance team to query a global table in a separate Region. Create an AWS Lambda function to periodically synchronize the contents of the original S3 bucket to a new S3 bucket in the separate Region. Launch EC2 instances and create an ALB in the separate Region. Configure the application to point to the new S3 bucket.
B. Launch additional EC2 instances that host the application in a separate Region. Add the additional instances to the existing ALB. In the separate Region, create a read replica of the RDS DB instance. Instruct the finance team to run queries against the read replica. Use S3 Cross-Region Replication (CRR) from the original S3 bucket to a new S3 bucket in the separate Region. During a disaster, promote the read replica to a standalone DB instance. Configure the application to point to the new S3 bucket and to the newly promoted read replica.
C. Create a read replica of the RDS DB instance in a separate Region. Instruct the finance team to run queries against the read replica. Create AMIs of the EC2 instances that host the application frontend. Copy the AMIs to the separate Region. Use S3 Cross-Region Replication (CRR) from the original S3 bucket to a new S3 bucket in the separate Region. During a disaster, promote the read replica to a standalone DB instance. Launch EC2 instances from the AMIs and create an ALB to present the application to end users. Configure the application to point to the new S3 bucket.
D. Create hourly snapshots of the RDS DB instance. Copy the snapshots to a separate Region. Add an Amazon ElastiCache cluster in front of the existing RDS database. Create AMIs of the EC2 instances that host the application frontend. Copy the AMIs to the separate Region. Use S3 Cross-Region Replication (CRR) from the original S3 bucket to a new S3 bucket in the separate Region. During a disaster, restore the database from the latest RDS snapshot. Launch EC2 instances from the AMIs and create an ALB to present the application to end users. Configure the application to point to the new S3 bucket.
Answer: C
Explanation:
Implementing a disaster recovery strategy that minimizes data loss and addresses performance issues involves creating a read replica of the RDS DB instance in a separate region and directing the finance team's queries to this replica. This solution alleviates the performance impact on the primary database. Using Amazon S3 Cross-Region Replication (CRR) ensures that processed documents are available in the disaster recovery region. In the event of a disaster, the read replica can be promoted to a standalone DB instance, and EC2 instances can be launched from pre-created AMIs to serve the web frontend, thereby
Region Replication, and Amazon EC2 AMIs provides comprehensive guidance on implementing a robust disaster recovery solution. This approach is in line with AWS best practices for high availability and disaster recovery planning.
Question # 12
A company wants to use Amazon WorkSpaces in combination with thin client devices to replace aging desktops. Employees use the desktops to access applications that work with clinical trial data. Corporate security policy states that access to the applications must be restricted to only company branch office locations. The company is considering adding an additional branch office in the next 6 months.
Which solution meets these requirements with the MOST operational efficiency?
A. Create an IP access control group rule with the list of public addresses from the branch offices. Associate the IP access control group with the WorkSpaces directory.
B. Use AWS Firewall Manager to create a web ACL rule with an IPSet with the list of public addresses from the branch office locations. Associate the web ACL with the WorkSpaces directory.
C. Use AWS Certificate Manager (ACM) to issue trusted device certificates to the machines deployed in the branch office locations. Enable restricted access on the WorkSpaces directory.
D. Create a custom WorkSpaces image with Windows Firewall configured to restrict access to the public addresses of the branch offices. Use the image to deploy the WorkSpaces.
Answer: A
Explanation: Utilizing an IP access control group rule with the list of public addresses from
branch offices and associating it with the Amazon WorkSpaces directory is the most
operationally efficient solution. This method ensures that access to WorkSpaces is
restricted to specified locations, aligning with the corporate security policy. This approach
offers simplicity and flexibility, especially with the potential addition of a new branch office,
as updating the IP access control group is straightforward.
References: AWS Documentation on Amazon WorkSpaces and IP Access Control Groups
provides detailed instructions on how to implement access restrictions based on IP
addresses. This solution aligns with best practices for securing virtual desktops while
maintaining operational efficiency.
Question # 13
A software development company has multiple engineers who are working remotely. The company is running Active Directory Domain Services (AD DS) on an Amazon EC2 instance. The company's security policy states that all internal, nonpublic services that are deployed in a VPC must be accessible through a VPN. Multi-factor authentication (MFA) must be used for access to a VPN.
What should a solutions architect do to meet these requirements?
A. Create an AWS Site-to-Site VPN connection. Configure integration between a VPN and AD DS. Use an Amazon WorkSpaces client with MFA support enabled to establish a VPN connection.
B. Create an AWS Client VPN endpoint. Create an AD Connector directory for integration with AD DS. Enable MFA for AD Connector. Use AWS Client VPN to establish a VPN connection.
C. Create multiple AWS Site-to-Site VPN connections by using AWS VPN CloudHub. Configure integration between AWS VPN CloudHub and AD DS. Use AWS Copilot to establish a VPN connection.
D. Create an Amazon WorkLink endpoint. Configure integration between Amazon WorkLink and AD DS. Enable MFA in Amazon WorkLink. Use AWS Client VPN to establish a VPN connection.
Answer: B
Explanation:
Setting up an AWS Client VPN endpoint and integrating it with Active Directory Domain
Services (AD DS) using an AD Connector directory enables secure remote access to
internal services deployed in a VPC. Enabling multi-factor authentication (MFA) for AD
Connector enhances security by adding an additional layer of authentication. This solution
meets the company's requirements for secure remote access through a VPN with MFA,
ensuring that the security policy is adhered to while providing a seamless experience for
the remote engineers.
References: AWS Documentation on AWS Client VPN and AD Connector provides
detailed instructions on setting up a Client VPN endpoint and integrating it with existing
Active Directory for authentication. This solution aligns with AWS best practices for secure
remote access to AWS resources.
Question # 14
A company needs to improve the reliability of its ticketing application. The application runs on an Amazon Elastic Container Service (Amazon ECS) cluster. The company uses Amazon CloudFront to serve the application. A single ECS service of the ECS cluster is the CloudFront distribution's origin.
The application allows only a specific number of active users to enter a ticket purchasing flow. These users are identified by an encrypted attribute in their JSON Web Token (JWT). All other users are redirected to a waiting room module until there is available capacity for purchasing.
The application is experiencing high loads. The waiting room module is working as designed, but load on the waiting room is disrupting the application's availability. This disruption is negatively affecting the application's ticket sale transactions.
Which solution will provide the MOST reliability for ticket sale transactions during periods of high load?
A. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling configuration. Ensure that the ticketing service uses the JWT information and appropriately forwards requests to the waiting room service.
B. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split the waiting room module into a pod that is separate from the ticketing pod. Make the ticketing pod part of a StatefulSet. Ensure that the ticketing pod uses the JWT information and appropriately forwards requests to the waiting room pod.
C. Create a separate service in the ECS cluster for the waiting room. Use a separate scaling configuration. Create a CloudFront function that inspects the JWT information and appropriately forwards requests to the ticketing service or the waiting room service.
D. Move the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Split the waiting room module into a pod that is separate from the ticketing pod. Use AWS App Mesh by provisioning the App Mesh controller for Kubernetes. Enable mTLS authentication and service-to-service authentication for communication between the ticketing pod and the waiting room pod. Ensure that the ticketing pod uses the JWT information and appropriately forwards requests to the waiting room pod.
Answer: C
Explanation:
Implementing a CloudFront function that inspects the JWT information and appropriately
forwards requests either to the ticketing service or the waiting room service within the
Amazon ECS cluster enhances reliability during high load periods. This solution segregates
the load between the main application and the waiting room, ensuring that the ticketing
service remains unaffected by the high load on the waiting room. Using CloudFront
functions for request routing based on JWT attributes allows for efficient distribution of user
traffic, thereby maintaining the application's availability and performance during peak times.
References: AWS Documentation on Amazon CloudFront Functions provides guidance on
creating and deploying functions that can inspect and manipulate HTTP(S) requests at the
edge, close to the users. This approach is in line with best practices for scaling and
managing high-traffic web applications.
Question # 15
A company is currently in the design phase of an application that will need an RPO of less than 5 minutes and an RTO of less than 10 minutes. The solutions architecture team is forecasting that the database will store approximately 10 TB of data. As part of the design, they are looking for a database solution that will provide the company with the ability to fail over to a secondary Region.
Which solution will meet these business requirements at the LOWEST cost?
A. Deploy an Amazon Aurora DB cluster and take snapshots of the cluster every 5 minutes. Once a snapshot is complete, copy the snapshot to a secondary Region to serve as a backup in the event of a failure.
B. Deploy an Amazon RDS instance with a cross-Region read replica in a secondary Region. In the event of a failure, promote the read replica to become the primary.
C. Deploy an Amazon Aurora DB cluster in the primary Region and another in a secondary Region. Use AWS DMS to keep the secondary Region in sync.
D. Deploy an Amazon RDS instance with a read replica in the same Region. In the event of a failure, promote the read replica to become the primary.
Answer: B
Explanation: The best solution is to deploy an Amazon RDS instance with a cross-Region
read replica in a secondary Region. This will provide the company with a database solution
that can fail over to the secondary Region in case of a disaster. The read replica will have
minimal replication lag and can be promoted to become the primary in less than 10
minutes, meeting the RTO requirement. The RPO requirement of less than 5 minutes can
also be met by using synchronous replication within the primary Region and asynchronous
replication across Regions. This solution will also have the lowest cost compared to the
other options, as it does not involve additional services or resources. References: [Amazon
RDS User Guide], [Amazon Aurora User Guide]
Question # 16
A company is using an organization in AWS Organizations to manage AWS accounts. For each new project the company creates a new linked account. After the creation of a new account, the root user signs in to the new account and creates a service request to increase the service quota for Amazon EC2 instances. A solutions architect needs to automate this process.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Amazon EventBridge rule to detect creation of a new account. Send the event to an Amazon Simple Notification Service (Amazon SNS) topic that invokes an AWS Lambda function. Configure the Lambda function to run the request-service-quota-increase command to request a service quota increase for EC2 instances.
B. Create a Service Quotas request template in the management account. Configure the desired service quota increases for EC2 instances.
C. Create an AWS Config rule in the management account to set the service quota for EC2 instances.
D. Create an Amazon EventBridge rule to detect creation of a new account. Send the event to an Amazon Simple Notification Service (Amazon SNS) topic that invokes an AWS Lambda function. Configure the Lambda function to run the create-case command to request a service quota increase for EC2 instances.
Answer: A
Explanation:
Automating the process of increasing service quotas for Amazon EC2 instances in new
AWS accounts with minimal operational overhead can be effectively achieved by using
Amazon EventBridge, Amazon SNS, and AWS Lambda. An EventBridge rule can detect
the creation of a new account and trigger an SNS topic, which in turn invokes a Lambda
function. This function can then programmatically request a service quota increase for EC2
instances using the AWS Service Quotas API. This approach streamlines the process,
reduces manual intervention, and ensures that new accounts are automatically configured
with the desired service quotas.
References:
Amazon EventBridge Documentation: Provides guidance on setting up event rules
for detecting AWS account creation.
AWS Lambda Documentation: Details how to create and configure Lambda
functions to perform automated tasks, such as requesting service quota increases.
AWS Service Quotas Documentation: Offers information on managing and
requesting increases for AWS service quotas programmatically.
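How the automation in option A fits together, as an added example that is not part of the original page: a Lambda handler that parses the CloudTrail CreateAccountResult event delivered by EventBridge (directly, or wrapped in an SNS message as option A routes it), assumes a role in the new member account, and calls the Service Quotas request_service_quota_increase API. The quota code L-1216C47A (EC2 running On-Demand Standard instances), the desired value of 256 vCPUs, and the OrganizationAccountAccessRole role name are assumptions; the client factory is injected so the event-handling logic can be exercised without AWS credentials.

```python
"""Added example (not from the page): EventBridge -> SNS -> Lambda flow that
requests an EC2 service quota increase in a newly created member account.
Quota code, desired value and role name below are assumptions."""
import json

EC2_SERVICE_CODE = "ec2"
EC2_ONDEMAND_QUOTA_CODE = "L-1216C47A"   # assumed: Running On-Demand Standard instances
DESIRED_VCPUS = 256                      # assumed target value
MEMBER_ROLE_NAME = "OrganizationAccountAccessRole"  # default role Organizations creates


def new_account_id(event):
    """Return the new account ID from a CreateAccountResult event, or None.

    Accepts the EventBridge event directly or wrapped in an SNS record, and
    ignores anything that is not a successful account creation."""
    detail = event.get("detail")
    if detail is None and "Records" in event:             # SNS wrapper
        inner = json.loads(event["Records"][0]["Sns"]["Message"])
        detail = inner.get("detail", {})
    if not detail or detail.get("eventName") != "CreateAccountResult":
        return None
    status = detail.get("serviceEventDetails", {}).get("createAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("accountId")


def request_ec2_quota(quotas_client, desired=DESIRED_VCPUS):
    """Submit the quota request; returns the request status (e.g. PENDING)."""
    resp = quotas_client.request_service_quota_increase(
        ServiceCode=EC2_SERVICE_CODE,
        QuotaCode=EC2_ONDEMAND_QUOTA_CODE,
        DesiredValue=float(desired),
    )
    return resp["RequestedQuota"]["Status"]


def handle_event(event, client_factory):
    """Core logic. client_factory(account_id) must return a Service Quotas
    client already authenticated into that account (injected for testing)."""
    account_id = new_account_id(event)
    if account_id is None:
        return {"skipped": True}
    status = request_ec2_quota(client_factory(account_id))
    return {"skipped": False, "account": account_id, "status": status}


def _cross_account_quotas_client(account_id):
    """Real factory: assume the member-account role, then build the client."""
    import boto3  # imported here so the module loads without boto3 installed
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{MEMBER_ROLE_NAME}",
        RoleSessionName="quota-bootstrap",
    )["Credentials"]
    return boto3.client(
        "service-quotas",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


def lambda_handler(event, context):
    """Lambda entry point wired to the real cross-account client."""
    return handle_event(event, _cross_account_quotas_client)


if __name__ == "__main__":
    # Constructed sample event for an offline dry run of the parsing step.
    sample = {"detail": {"eventName": "CreateAccountResult",
                         "serviceEventDetails": {"createAccountStatus": {
                             "state": "SUCCEEDED", "accountId": "111122223333"}}}}
    print("new account:", new_account_id(sample))
```

The Lambda execution role in the management account needs sts:AssumeRole on the member-account role, and the request is asynchronous: Service Quotas returns a PENDING request that AWS Support later approves or denies, so a production version would also record the returned request ID.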
Question # 17
A company needs to gather data from an experiment in a remote location that does not have internet connectivity. During the experiment, sensors that are connected to a local network will generate 6 TB of data in a proprietary format over the course of 1 week. The sensors can be configured to upload their data files to an FTP server periodically, but the sensors do not have their own FTP server. The sensors also do not support other protocols. The company needs to collect the data centrally and move the data to object storage in the AWS Cloud as soon as possible after the experiment.
Which solution will meet these requirements?
A. Order an AWS Snowball Edge Compute Optimized device. Connect the device to the local network. Configure AWS DataSync with a target bucket name, and unload the data over NFS to the device. After the experiment, return the device to AWS so that the data can be loaded into Amazon S3.
B. Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to the local network. Launch an Amazon EC2 instance on the device. Create a shell script that periodically downloads data from each sensor. After the experiment, return the device to AWS so that the data can be loaded as an Amazon Elastic Block Store (Amazon EBS) volume.
C. Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to the local network. Launch an Amazon EC2 instance on the device. Install and configure an FTP server on the EC2 instance. Configure the sensors to upload data to the EC2 instance. After the experiment, return the device to AWS so that the data can be loaded into Amazon S3.
D. Order an AWS Snowcone device. Connect the device to the local network. Configure the device to use Amazon FSx. Configure the sensors to upload data to the device. Configure AWS DataSync on the device to synchronize the uploaded data with an Amazon S3 bucket. Return the device to AWS so that the data can be loaded as an Amazon Elastic Block Store (Amazon EBS) volume.
Answer: C
Explanation: For collecting data from remote sensors without internet connectivity, using
an AWS Snowcone device with an Amazon EC2 instance running an FTP server presents
a practical solution. This setup allows the sensors to upload data to the EC2 instance via
FTP, and after the experiment, the Snowcone device can be returned to AWS for data
ingestion into Amazon S3. This approach minimizes operational complexity and ensures
efficient data transfer to AWS for further processing or storage.
References: AWS Documentation on AWS Snowcone and Amazon EC2 provides detailed
guidance on deploying compute and storage capabilities in edge locations. This solution
leverages AWS's edge computing devices to address challenges associated with data
collection in remote or disconnected environments.
Question # 18
A company has Linux-based Amazon EC2 instances. Users must access the instances by using SSH with EC2 SSH key pairs. Each machine requires a unique EC2 key pair.
The company wants to implement a key rotation policy that will, upon request, automatically rotate all the EC2 key pairs and keep the keys in a securely encrypted place. The company will accept less than 1 minute of downtime during key rotation.
Which solution will meet these requirements?
A. Store all the keys in AWS Secrets Manager. Define a Secrets Manager rotation schedule to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Secrets Manager.
B. Store all the keys in Parameter Store, a capability of AWS Systems Manager, as a string. Define a Systems Manager maintenance window to invoke an AWS Lambda function to generate new key pairs. Replace public keys on EC2 instances. Update the private keys in Parameter Store.
C. Import the EC2 key pairs into AWS Key Management Service (AWS KMS). Configure automatic key rotation for these key pairs. Create an Amazon EventBridge scheduled rule to invoke an AWS Lambda function to initiate the key rotation in AWS KMS.
D. Add all the EC2 instances to Fleet Manager, a capability of AWS Systems Manager. Define a Systems Manager maintenance window to issue a Systems Manager Run Command document to generate new key pairs and to rotate public keys to all the instances in Fleet Manager.
Answer: A
Explanation:
To meet the requirements for automatic key rotation of EC2 SSH key pairs with minimal
downtime, storing the keys in AWS Secrets Manager and defining a rotation schedule is
the most suitable solution. AWS Secrets Manager supports automatic rotation of secrets,
including SSH keys, by invoking a Lambda function that can handle the creation of new key
pairs and the replacement of public keys on EC2 instances. Updating the corresponding
private keys in Secrets Manager ensures secure and centralized management of SSH
keys, complying with the key rotation policy and minimizing operational overhead.
References:
AWS Secrets Manager Documentation: Describes how to store and rotate secrets,
including SSH keys, using Secrets Manager and Lambda functions.
AWS Lambda Documentation: Provides information on creating Lambda functions
for custom secret rotation logic.
AWS Best Practices for Security: Highlights the importance of key rotation and
how AWS services like Secrets Manager can facilitate secure and automated key
management.
Question # 19
A company has a Windows-based desktop application that is packaged and deployed to the users' Windows machines. The company recently acquired another company that has employees who primarily use machines with a Linux operating system. The acquiring company has decided to migrate and rehost the Windows-based desktop application to AWS.
All employees must be authenticated before they use the application. The acquiring company uses Active Directory on premises but wants a simplified way to manage access to the application on AWS for all the employees.
Which solution will rehost the application on AWS with the LEAST development effort?
A. Set up and provision an Amazon WorkSpaces virtual desktop for every employee. Implement authentication by using Amazon Cognito identity pools. Instruct employees to run the application from their provisioned WorkSpaces virtual desktops.
B. Create an Auto Scaling group of Windows-based Amazon EC2 instances. Join each EC2 instance to the company's Active Directory domain. Implement authentication by using the Active Directory that is running on premises. Instruct employees to run the application by using a Windows remote desktop.
C. Use an Amazon AppStream 2.0 image builder to create an image that includes the application and the required configurations. Provision an AppStream 2.0 On-Demand fleet with dynamic Fleet Auto Scaling process for running the image. Implement authentication by using AppStream 2.0 user pools. Instruct the employees to access the application by starting browser-based AppStream 2.0 streaming sessions.
D. Refactor and containerize the application to run as a web-based application. Run the application in Amazon Elastic Container Service (Amazon ECS) on AWS Fargate with step scaling policies. Implement authentication by using Amazon Cognito user pools. Instruct the employees to run the application from their browsers.
Answer: C
Explanation: Amazon AppStream 2.0 offers a streamlined solution for rehosting a
Windows-based desktop application on AWS with minimal development effort. By creating
an AppStream 2.0 image that includes the application and using an On-Demand fleet for
streaming, the application becomes accessible from any device, including Linux machines.
AppStream 2.0 user pools can be used for authentication, simplifying access management
without the need for extensive changes to the application or infrastructure.
References: AWS Documentation on Amazon AppStream 2.0 provides insights into setting
up application streaming solutions. This approach is recommended for delivering desktop
applications to diverse operating systems without the complexity of managing virtual
desktops or extensive application refactoring.
Question # 20
A company is developing an application that will display financial reports. The company needs a solution that can store financial information that comes from multiple systems. The solution must provide the reports through a web interface and must serve the data with less than 500 milliseconds of latency to end users. The solution also must be highly available and must have an RTO of 30 seconds.
Which solution will meet these requirements?
A. Use an Amazon Redshift cluster to store the data. Use a static website that is hosted on Amazon S3 with backend APIs that are served by an Amazon Elastic Kubernetes Service (Amazon EKS) cluster to provide the reports to the application.
B. Use Amazon S3 to store the data. Use Amazon Athena to provide the reports to the application. Use AWS App Runner to serve the application to view the reports.
C. Use Amazon DynamoDB to store the data. Use an embedded Amazon QuickSight dashboard with direct query datasets to provide the reports to the application.
D. Use Amazon Keyspaces (for Apache Cassandra) to store the data. Use AWS Elastic Beanstalk to provide the reports to the application.
Answer: C
Explanation: For an application requiring low-latency access to financial information and
high availability with a Recovery Time Objective (RTO) of 30 seconds, using Amazon
DynamoDB for data storage and Amazon QuickSight for reporting is the most suitable
solution. DynamoDB offers fast, consistent, and single-digit millisecond latency for data
retrieval, meeting the latency requirements. QuickSight's ability to directly query
DynamoDB datasets and provide embedded dashboards for reporting enables real-time
financial report generation. This combination ensures high availability and meets the RTO
requirement, providing a robust solution for the application's needs.
References:
Amazon DynamoDB Documentation: Describes the features and benefits of
DynamoDB, emphasizing its performance and scalability for applications requiring
low-latency access to data.
Amazon QuickSight Documentation: Provides information on using QuickSight for
creating and embedding interactive dashboards, including direct querying of
DynamoDB datasets for real-time data visualization.
Question # 21
A company is planning to migrate an on-premises data center to AWS. The company currently hosts the data center on Linux-based VMware VMs. A solutions architect must collect information about network dependencies between the VMs. The information must be in the form of a diagram that details host IP addresses, hostnames, and network connection information.
Which solution will meet these requirements?
A. Use AWS Application Discovery Service. Select an AWS Migration Hub home AWS Region. Install the AWS Application Discovery Agent on the on-premises servers for data collection. Grant permissions to Application Discovery Service to use the Migration Hub network diagrams.
B. Use the AWS Application Discovery Service Agentless Collector for server data collection. Export the network diagrams from the AWS Migration Hub in .png format.
C. Install the AWS Application Migration Service agent on the on-premises servers for data collection. Use AWS Migration Hub data in Workload Discovery on AWS to generate network diagrams.
D. Install the AWS Application Migration Service agent on the on-premises servers for data collection. Export data from AWS Migration Hub in .csv format into an Amazon CloudWatch dashboard to generate network diagrams.
Answer: B
Explanation: To effectively gather information about network dependencies between VMs
in an on-premises data center for migration to AWS, it's crucial to use tools that can
capture detailed application and server dependencies. The AWS Application Discovery
Service is designed for this purpose, particularly when migrating from environments like
Linux-based VMware VMs. By installing the AWS Application Discovery Agent on the on-premises
servers, the service can collect necessary data such as host IP addresses,
hostnames, and network connection information. This data is crucial for creating a
comprehensive network diagram that outlines the interactions and dependencies between various components of the on-premises infrastructure. The integration with AWS Migration
Hub enhances this process by allowing the visualization of these dependencies in a
network diagram format, aiding in the planning and execution of the migration process. This
approach ensures a thorough understanding of the on-premises environment, which is
essential for a successful migration to AWS.
References:
AWS Documentation on Application Discovery Service: This provides detailed guidance on
how to use the Application Discovery Service, including the installation and configuration of
the Discovery Agent.
AWS Migration Hub User Guide: Offers insights on how to integrate Application Discovery
Service data with Migration Hub for comprehensive migration planning and tracking.
AWS Solutions Architect Professional Learning Path: Contains advanced topics and best
practices for migrating complex on-premises environments to AWS, emphasizing the use of
AWS services and tools for effective migration planning and execution.
Question # 22
A company maintains information on premises in approximately 1 million .csv files that are hosted on a VM. The data initially is 10 TB in size and grows at a rate of 1 TB each week. The company needs to automate backups of the data to the AWS Cloud.
Backups of the data must occur daily. The company needs a solution that applies custom filters to back up only a subset of the data that is located in designated source directories. The company has set up an AWS Direct Connect connection.
Which solution will meet the backup requirements with the LEAST operational overhead?
A. Use the Amazon S3 CopyObject API operation with multipart upload to copy the existing data to Amazon S3. Use the CopyObject API operation to replicate new data to Amazon S3 daily.
B. Create a backup plan in AWS Backup to back up the data to Amazon S3. Schedule the backup plan to run daily.
C. Install the AWS DataSync agent as a VM that runs on the on-premises hypervisor. Configure a DataSync task to replicate the data to Amazon S3 daily.
D. Use an AWS Snowball Edge device for the initial backup. Use AWS DataSync for incremental backups to Amazon S3 daily.
Answer: C
Explanation:
AWS DataSync is an online data transfer service that is designed to help customers get their data to and from AWS quickly, easily, and securely. Using DataSync, you can copy
data from your on-premises NFS or SMB shares directly to Amazon S3, Amazon EFS, or
Amazon FSx for Windows File Server. DataSync uses a purpose-built, parallel transfer
protocol for speeds up to 10x faster than open source tools. DataSync also has built-in
verification of data both in flight and at rest, so you can be confident that your data was
transferred successfully. DataSync allows you to apply filters to select which files or folders
to transfer, based on file name, size, or modification time. You can also schedule your
DataSync tasks to run daily, weekly, or monthly, or on demand. DataSync is integrated with
AWS Direct Connect, so you can take advantage of your existing private connection to
AWS. DataSync is also a fully managed service, so you do not need to provision,
configure, or maintain any infrastructure for data transfer.
Option A is incorrect because the Amazon S3 CopyObject API operation does not support
filtering or scheduling, and it would require you to write and maintain custom scripts to
automate the backup process.
Option B is incorrect because AWS Backup does not support filtering or transferring data
from on-premises sources to Amazon S3. AWS Backup is a fully managed backup service
that makes it easy to centralize and automate the backup of data across AWS services.
Option D is incorrect because AWS Snowball Edge is a physical device that is used for
offline data transfer when network bandwidth is limited or unavailable. It is not suitable for
daily backups or incremental transfers. AWS Snowball Edge also does not support filtering
or scheduling.
References:
1: Considering four different replication options for data in Amazon S3
2: Protect your file and backup archives using AWS DataSync and Amazon S3
Glacier
3: AWS DataSync FAQs
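One way to express the filtering and daily scheduling described in the explanation above, as an added example rather than code from the page: it assembles the parameters for the DataSync CreateTask API (boto3 `create_task`), turning the list of designated source directories into a single SIMPLE_PATTERN include filter, adding a daily cron schedule, and rejecting patterns DataSync would not accept. The location ARNs, task name and the `*.tmp` exclude pattern are constructed placeholders.

```python
"""Added example (not from the page): build a daily DataSync task with include
filters limited to designated source directories.  ARNs are placeholders."""
import re

# DataSync SIMPLE_PATTERN syntax: patterns are '|'-separated, evaluated
# relative to the source location root, and '*' is the only wildcard.
_BAD_CHARS = re.compile(r"[|\\]")


def build_include_filter(directories):
    """Turn a list of source directories into one SIMPLE_PATTERN value, e.g.
    ['/finance', '/hr/exports/'] -> '/finance/*|/hr/exports/*'."""
    patterns = []
    for d in directories:
        d = d.strip()
        if not d.startswith("/"):
            raise ValueError(f"directory must be relative to the location root: {d!r}")
        if _BAD_CHARS.search(d):
            raise ValueError(f"'|' and '\\' are not allowed in a pattern: {d!r}")
        patterns.append(d.rstrip("/") + "/*")   # include everything beneath it
    if not patterns:
        raise ValueError("at least one directory is required")
    return "|".join(patterns)


def daily_task_params(source_arn, dest_arn, directories, hour_utc=2):
    """Keyword arguments for datasync.create_task: the include filter plus a
    daily schedule (DataSync accepts EventBridge cron syntax) and options that
    copy only changed files and verify what was transferred."""
    if not 0 <= hour_utc <= 23:
        raise ValueError("hour_utc must be between 0 and 23")
    return {
        "SourceLocationArn": source_arn,
        "DestinationLocationArn": dest_arn,
        "Name": "daily-csv-backup",                      # constructed name
        "Includes": [{"FilterType": "SIMPLE_PATTERN",
                      "Value": build_include_filter(directories)}],
        "Excludes": [{"FilterType": "SIMPLE_PATTERN", "Value": "*.tmp"}],
        "Schedule": {"ScheduleExpression": f"cron(0 {hour_utc} * * ? *)"},
        "Options": {"VerifyMode": "ONLY_FILES_TRANSFERRED",
                    "TransferMode": "CHANGED"},
    }


def create_daily_task(datasync_client, source_arn, dest_arn, directories):
    """Create the task and return its ARN; the client is passed in so the
    parameter building above can be tested without AWS credentials."""
    resp = datasync_client.create_task(
        **daily_task_params(source_arn, dest_arn, directories))
    return resp["TaskArn"]


if __name__ == "__main__":
    # Offline dry run with placeholder ARNs; swap in boto3.client("datasync")
    # and real location ARNs to create the task for real.
    params = daily_task_params(
        "arn:aws:datasync:us-east-1:111122223333:location/loc-PLACEHOLDER-SRC",
        "arn:aws:datasync:us-east-1:111122223333:location/loc-PLACEHOLDER-DST",
        ["/finance", "/hr/exports/"])
    print(params["Includes"][0]["Value"], params["Schedule"]["ScheduleExpression"])
```

The include and exclude patterns are evaluated against paths relative to the source location, which is why the directories must start with a slash; the validation also catches the `|` separator inside a path, which would otherwise silently split into two patterns.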
Question # 23
A company needs to migrate an on-premises SFTP site to AWS. The SFTP site currently runs on a Linux VM. Uploaded files are made available to downstream applications through an NFS share.
As part of the migration to AWS, a solutions architect must implement high availability. The solution must provide external vendors with a set of static public IP addresses that the vendors can allow. The company has set up an AWS Direct Connect connection between its on-premises data center and its VPC.
Which solution will meet these requirements with the least operational overhead?
A. Create an AWS Transfer Family server. Configure an internet-facing VPC endpoint for the Transfer Family server. Specify an Elastic IP address for each subnet. Configure the Transfer Family server to place files into an Amazon Elastic File System (Amazon EFS) file system that is deployed across multiple Availability Zones. Modify the configuration on the downstream applications that access the existing NFS share to mount the EFS endpoint instead.
B. Create an AWS Transfer Family server. Configure a publicly accessible endpoint for the Transfer Family server. Configure the Transfer Family server to place files into an Amazon Elastic File System (Amazon EFS) file system that is deployed across multiple Availability Zones. Modify the configuration on the downstream applications that access the existing NFS share to mount the EFS endpoint instead.
C. Use AWS Application Migration Service to migrate the existing Linux VM to an Amazon EC2 instance. Assign an Elastic IP address to the EC2 instance. Mount an Amazon Elastic File System (Amazon EFS) file system to the EC2 instance. Configure the SFTP server to place files in the EFS file system. Modify the configuration on the downstream applications that access the existing NFS share to mount the EFS endpoint instead.
D. Use AWS Application Migration Service to migrate the existing Linux VM to an AWS Transfer Family server. Configure a publicly accessible endpoint for the Transfer Family server. Configure the Transfer Family server to place files into an Amazon FSx for Lustre file system that is deployed across multiple Availability Zones. Modify the configuration on the downstream applications that access the existing NFS share to mount the FSx for Lustre endpoint instead.
Answer: A
Explanation:
To migrate an on-premises SFTP site to AWS with high availability and a set of static public
IP addresses for external vendors, the best solution is to create an AWS Transfer Family
server with an internet-facing VPC endpoint. Assigning Elastic IP addresses to each subnet
and configuring the server to store files in an Amazon Elastic File System (EFS) that spans
multiple Availability Zones ensures high availability and consistent access. This approach
minimizes operational overhead by leveraging AWS managed services and eliminates the
need to manage underlying infrastructure.
References: AWS Documentation on AWS Transfer Family and Amazon Elastic File
System provides detailed instructions on setting up a highly available SFTP environment
on AWS. This solution is in line with AWS best practices for migrating and modernizing
applications with minimal disruption and ensuring high availability and security.
Question # 24
A company's factory and automaton applications are running in a single VPC More than 23applications run on a combination of Amazon EC2, Amazon Elastic Container Service(Amazon ECS), are Amazon RDS.The company has software engineers spread across three teams. One of the three teamsowns each application, and each team is responsible for the cost and performance of all ofits applications. Team resources have tags that represent their application and team. Thelearns use IAH access for daily activities.The company needs to determine which costs on the monthly AWS bill are attributable toeach application or team. The company also must be able to create reports to comparecosts item the last 12 months and to help forecast costs tor the next 12 months. A solutionarchitect must recommend an AWS Billing and Cost Management solution that provides these cost reports.Which combination of actions will meet these requirement? Select THREE.)
A. Activate the user-defined cost allocation tags that represent the application and the team.
B. Activate the AWS-generated cost allocation tags that represent the application and the team.
C. Create a cost category for each application in Billing and Cost Management.
D. Activate IAM access to Billing and Cost Management.
E. Create a cost budget.
F. Enable Cost Explorer.
Answer: A,C,F
Explanation:
To attribute AWS costs to specific applications or teams and enable detailed cost analysis
and forecasting, the solution architect should recommend the following actions: A.
Activating user-defined cost allocation tags for resources associated with each application
and team allows for detailed tracking of costs by these identifiers. C. Creating a cost
category for each application within AWS Billing and Cost Management enables the
organization to group costs according to application, facilitating detailed reporting and
analysis. F. Enabling Cost Explorer is essential for analyzing and visualizing AWS
spending over time. It provides the capability to view historical costs and forecast future
expenses, supporting the company's requirement for cost comparison and forecasting.
References:
AWS Billing and Cost Management Documentation: Covers the activation of cost
allocation tags, creation of cost categories, and the use of Cost Explorer for cost
management.
AWS Tagging Strategies: Provides best practices for implementing tagging
strategies that support cost allocation and reporting.
AWS Cost Explorer Documentation: Details how to use Cost Explorer to analyze
and forecast AWS costs.
Question # 25
A company's compliance audit reveals that some Amazon Elastic Block Store (Amazon EBS) volumes that were created in an AWS account were not encrypted. A solutions architect must implement a solution to encrypt all new EBS volumes at rest. Which solution will meet this requirement with the LEAST effort?
A. Create an Amazon EventBridge rule to detect the creation of unencrypted EBS volumes. Invoke an AWS Lambda function to delete noncompliant volumes.
B. Use AWS Audit Manager with data encryption.
C. Create an AWS Config rule to detect the creation of a new EBS volume. Encrypt the volume by using AWS Systems Manager Automation.
D. Turn on EBS encryption by default in all AWS Regions.
Answer: D
Explanation:
The least-effort way to ensure that all new Amazon Elastic Block Store (EBS) volumes
are encrypted at rest is to enable EBS encryption by default. The setting is Region-specific,
so it must be turned on in every AWS Region the account uses; once enabled, every new EBS
volume and snapshot created in that Region is encrypted automatically, which satisfies the
encryption requirement without manual intervention or additional monitoring. Note that the
setting applies only to volumes created after it is enabled; the unencrypted volumes found
by the audit are not retroactively encrypted.
References: AWS Documentation on Amazon EBS encryption provides guidance on
enabling EBS encryption by default. This approach aligns with AWS best practices for data
protection and compliance, ensuring that all new EBS volumes adhere to encryption
requirements with minimal operational effort.
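Because the setting is per Region, a practitioner typically checks and enables it across every Region in a loop. The script below is an added example, not part of the original page: it uses the real EC2 API calls `get_ebs_encryption_by_default` and `enable_ebs_encryption_by_default` (via boto3 when available) and ships with a constructed in-memory fake client so it runs offline; the Region names and their starting states in the fake account are made up.

```python
"""Enable EBS encryption by default in every Region and verify the result."""
from typing import Callable, Dict, List


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client (one per Region)."""

    def __init__(self, enabled: bool) -> None:
        self.enabled = enabled

    def get_ebs_encryption_by_default(self) -> dict:
        return {"EbsEncryptionByDefault": self.enabled}

    def enable_ebs_encryption_by_default(self) -> dict:
        self.enabled = True
        return {"EbsEncryptionByDefault": True}


def enforce_default_encryption(regions: List[str],
                               client_for: Callable[[str], object]) -> Dict[str, str]:
    """Return {region: 'already-enabled' | 'enabled-now'}; enable where needed.

    Only volumes and snapshots created after enabling are affected, so this
    complements an audit of existing unencrypted volumes rather than replacing it.
    """
    results: Dict[str, str] = {}
    for region in regions:
        ec2 = client_for(region)
        if ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"]:
            results[region] = "already-enabled"
            continue
        resp = ec2.enable_ebs_encryption_by_default()
        if not resp.get("EbsEncryptionByDefault"):  # API did not confirm the change
            raise RuntimeError(f"{region}: encryption by default not confirmed")
        results[region] = "enabled-now"
    return results


def boto3_client_for(region: str):
    """Real client factory; requires boto3 and AWS credentials (not used offline)."""
    import boto3
    return boto3.client("ec2", region_name=region)


def make_fake_account() -> Dict[str, FakeEc2]:
    """Constructed account: two Regions still on the unencrypted default."""
    return {"us-east-1": FakeEc2(False), "eu-west-1": FakeEc2(True),
            "ap-southeast-2": FakeEc2(False)}


def demo() -> Dict[str, str]:
    account = make_fake_account()
    return enforce_default_encryption(list(account), account.__getitem__)


if __name__ == "__main__":
    for region, status in demo().items():
        print(f"{region}: {status}")
```

For a live account, pass `boto3_client_for` and the Region list from `describe_regions` in place of the fake account; the `enabled-now` entries are the Regions that were out of compliance.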
Feedback That Matters: Reviews of Our Amazon SAP-C02 Dumps
Vincent Johnston, Jun 30, 2026
Until MyCertsHub's SAP-C02 labs gave me a lifeline, I was submerged in AWS design concepts. Similar to the actual exam, their "Architecture War Room" simulations required me to defend my answers. Passed with plenty of room. This wasn't just prep; it was mastery training.
Cataleya Allen, Jun 29, 2026
MyCertsHub's SAP-C02 practice tests identified my weaknesses (hello, multi-account strategies!) after two unsuccessful attempts with other resources. Through their fix-it drills, my weaknesses became strengths. Finally certified; no more gray hairs.
Kayden Bailey, Jun 29, 2026
MyCertsHub's SAP-C02 preparation is like an AWS whisperer in your ear during the exam.
Emilia Leblanc, Jun 28, 2026
I passed every RTO/RPO question thanks to their "Disaster Recovery Deep Dive" module, which saved me on exam day. MyCertsHub teaches your thinking, not just the SAP-C02. 920, and I continue to use their frameworks at work.
Aatif Barman, Jun 28, 2026
Expected dry theory. Instead, I went with MyCertsHub's "Exam Blackbelts," a community similar to Slack with tried-and-true SAP-C02 strategies. Beat the test's most difficult migration questions. Still shocked by how well it worked.
Thandi Goosen, Jun 27, 2026
Sent a "thank you" note to MyCertsHub. I received a certification from AWS. Coincidence? Nope.