Pass the Amazon Web Services AWS Certified Professional SAP-C02 Questions and answers with CertsForce

This option allows the solutions architect to use Aurora global database to replicate data across multiple AWS Regions with low latency and high availability1. By launching the solution in the target Region, the solutions architect can ensure that the API Gateway, Lambda functions, and other resources are ready to serve traffic in case of a disaster in the source Region. By configuring the two Regional solutions to work in an active-passive configuration, the solutions architect can minimize costs and avoid data conflicts by having only one primary Region that accepts write operations and one secondary Region that serves as a standby2. The RTO and RPO requirements can be met by using Aurora global database, which supports sub-second failover times and near real-time replication1.

Working with Amazon Aurora global database

Active-passive failover

Identify Proxy EC2 Instances:

Determine which EC2 instances in the private subnets are running the proxy server software.

Disable Source/Destination Checks:

For each of these EC2 instances, go to the AWS Management Console.

Navigate to the EC2 dashboard, select the instance, and choose "Actions" > "Networking" > "Change Source/Dest.Check".

Disable the source/destination check for these instances.

Disabling source/destination checks allows the EC2 instances to route traffic appropriately, enabling them to function as network appliances or proxies. This ensures that traffic from other instances in the private subnets can be routed through the proxy instances to the internet, meeting the company's security requirements.

References

Amazon EC2 User Guide on Source/Destination Checks

Option A is correct because using an Elastic Load Balancer and an Auto Scaling group with a minimum capacity of two instances can improve the availability and scalability of the EC2 instances that host the application. The load balancer can distribute traffic across multiple instances and the Auto Scaling group can replace any unhealthy instances automatically1

Option D is correct because modifying the DB instance to create a Multi-AZ deployment that extends across two Availability Zones can improve the availability and durability of the RDS for MariaDB database. Multi-AZ deployments provide enhanceddata protection and minimize downtime by automatically failing over to astandby replica in another Availability Zone in case of a planned or unplanned outage4

Option F is correct because creating a replication group for the ElastiCache for Redis cluster and enabling Multi-AZ on the cluster can improve the availability and fault tolerance of the in-memory data store. A replication group consists of a primary node and up to five read-only replica nodes that are synchronized with the primary node using asynchronous replication. Multi-AZ allows automatic failover to one of the replicas if the primary node fails or becomes unreachable6

The company should download the data from the Amazon Redshift tables to an Amazon S3 bucket periodically and use AWS Data Exchange for S3 to share data with customers. The company should configure subscription verification and require the data customers to subscribe to the data product. This solution will meet the requirements with the least operational overhead because AWS Data Exchange for S3 is a feature that enables data subscribers to access third-party data files directly from data providers’ Amazon S3 buckets. Subscribers can easily use these files for their data analysis with AWS services without needing to create or manage data copies. Data providers can easily set up AWS Data Exchange for S3 on top of their existing S3 buckets to share direct access to an entire S3 bucket or specific prefixes and S3 objects. AWS Data Exchange automatically manages subscriptions, entitlements, billing, and payment1.

The other options are not correct because:

Using AWS Data Exchange for APIs to share data with customers would not work because AWS Data Exchange for APIs is a feature that enables data subscribers to access third-party APIs directly from data providers’ AWS accounts. Subscribers can easily use these APIs for their data analysis with AWS services without needing to manage API keys or tokens. Data providers can easily set up AWS Data Exchangefor APIs on top of their existing API Gateway resources to share direct access to an entire API or specific routes and stages2. However, this feature is not suitable for sharing data from Amazon Redshift tables, which are not exposed as APIs.

Creating an Amazon API Gateway Data API service integration with Amazon Redshift would not work because the Data API is a feature that enables you to query your Amazon Redshift cluster using HTTP requests, without needing a persistent connection or a SQL client3. It is useful for building applications that interact with Amazon Redshift, but not for sharing data files with customers.

Creating an AWS Data Exchange datashare by connecting AWS Data Exchange to the Redshift cluster would not work because AWS Data Exchange does not support datashares for Amazon Redshift clusters. A datashare is a feature that enables you to share live and secure access to your Amazon Redshift data across your accounts or with third parties without copying or moving the underlying data4. It is useful for sharing query results and views with other users, but not for sharing data files with customers.

Publishing the Amazon Redshift data to an Open Data on AWS Data Exchange would not work because Open Data on AWS Data Exchange is a feature that enables you to find and use free and public datasets from AWS customers and partners. It is useful for accessing open and free data, but not for confirming the identities of the customers or charging them for the data.

There are three core requirements: reduce/manage active database connections, keep communication private without internet exposure, and scale to many consumer accounts over time.

To manage and pool database connections to an Amazon RDS for PostgreSQL DB instance, the AWS-managed service designed for this purpose is Amazon RDS Proxy. RDS Proxy maintains a pool of database connections and multiplexes application connections onto fewer database connections. This reduces connection overhead on the database, improves resiliency during failovers, and helps control the number of active connections that reach the DB instance.

Next, the connectivity must be private across accounts and scalable as more consumer accounts are added. AWS PrivateLink provides scalable, private connectivity between VPCs and services across accounts without requiring VPC peering, transitive routing, or exposing traffic to the public internet. With PrivateLink, the database account can publish an endpoint service backed by a Network Load Balancer, and consumer accounts create interface endpoints in their VPCs to connect privately to that service. This is operationally scalable because adding new consumer accounts does not require managing a growing mesh of VPC peering relationships or complex route propagation; each consumer adds an interface endpoint.

Option B is the only option that addresses connection management by introducing RDS Proxy and uses PrivateLink to provide private, cross-account, scalable connectivity. The proxy endpoint being in private subnets aligns with the requirement that traffic stays private.

Option A is incorrect because a NAT gateway in a public subnet is used for outbound internet access from private subnets. It is not needed for private cross-account database access and introduces unnecessary public subnet components. Also, NAT gateways do not manage database connections. Transit gateway can provide private connectivity, but it does not address connection pooling, and the NAT gateway component is not appropriate for the stated requirement of avoiding internet exposure.

Option C is incorrect because an Application Load Balancer is not used to proxy raw PostgreSQL database traffic. PostgreSQL uses TCP, and ALB is primarily for HTTP/HTTPS and higher-layer routing. Also, VPC peering to each consumer VPC does not scale well as the number of accounts grows, and it creates operational overhead to manage many peering connections and route tables. It also does not manage DB connections.

Option D is incorrect because it uses VPC peering and NAT gateway. NAT gateway is again not the correct mechanism for private database access and does not provide connection pooling. VPC peering per consumer is not scalable and increases operational overhead.

Therefore, using RDS Proxy to manage connections and AWS PrivateLink (via an NLB-backed endpoint service) to provide private, scalable cross-account access is the correct solution.

The key requirement is to provide access to a private Git repository while keeping the SageMaker notebook instances isolated from the internet. The environment is intentionally configured without internet access, and connectivity to AWS services is provided through VPC endpoints. Introducing a NAT gateway and routing to the internet would violate the requirement to keep the notebook instances isolated from the internet, and network ACLs cannot reliably restrict outbound access by URL or domain name because NACLs operate at the IP and port level and do not provide DNS-aware URL filtering.

SageMaker supports integrating Git repositories so that notebooks can pull code directly as part of the workflow. When using a private repository, credentials must be handled securely. Using AWS Secrets Manager to store and reference Git credentials allows authentication without embedding usernames and passwords in code or URLs and without granting broad network access. This approach meets the requirement with low operational overhead because it relies on managed SageMaker Git integration and managed secret storage rather than custom networking controls.

Option A uses SageMaker’s Git repository integration with the remote URL and stores credentials in AWS Secrets Manager. This allows notebooks to access the private repository in a controlled, auditable way while preserving the “no internet access” posture of the VPC design (because it does not require adding a NAT gateway or public routes).

Option B is not appropriate because embedding credentials (even just usernames) in URLs is not a secure or robust credential management practice. It also does not solve private authentication in a secure manner and can lead to credential leakage through logs or configuration.

Options C and D are not correct because they require adding a NAT gateway and routing to the internet. That directly conflicts with the requirement that SageMaker notebook instances remain isolated from the internet. Additionally, the proposed restriction mechanism is invalid: network ACLs cannot restrict traffic to a specific URL. They only allow/deny traffic based on IP addresses, ports, and protocols. A Git repository can resolve to multiple IPs, can change IPs, and can use CDNs, making NACL-based IP allowlisting brittle and operationally heavy.

Therefore, integrating the Git repository with SageMaker and using Secrets Manager for credentials is the best solution with the least operational overhead while maintaining internet isolation.

On-demand capacity mode is the function of Dynamodb.https://aws.amazon.com/blogs/news/running-spiky-workloads-and-optimizing-costs-by-more-than-90-using-amazon-dynamodb-on-demand-capacity-mode/

Amazon DocumentDB Elastic Clustershttps://aws.amazon.com/blogs/news/announcing-amazon-documentdb-elastic-clusters/

Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application. This will provide high availability and scalability, while allowing the company to retain the same database structure as the original application.

This solution will allow the detection logic to be run as soon as the image is uploaded to the S3 bucket, before it is served to users via the CloudFront distribution. This way, the detection logic can quickly identify any corrupted images and prevent them from being served to users, minimizing latency between ingestion and serving.

The workload is containerized, runs for hours, and is event-driven by nightly data arrival in Amazon S3. The current architecture uses EC2 instances and cron jobs, which results in operational overhead (managing instances, patching, scaling, scheduling) and idle compute between processing windows.

A key constraint is that the processing tasks can take hours. AWS Lambda has maximum execution duration limits that make it unsuitable for multi-hour batch processing. Even though Lambda can run container images, it still must complete within Lambda’s runtime limit. Packaging container images as Lambda layers is also not an appropriate pattern for long-running container workloads and adds complexity.

A modern, low-ops approach for long-running, containerized batch jobs is to run containers on AWS Fargate. Fargate removes the need to manage EC2 instances and allows tasks to run for extended periods as needed, scaling based on demand. Because the workload is composed of several data-processing services that likely need orchestration (for example, fan-out, sequencing, retries, parallelism), AWS Step Functions is well suited to coordinate the workflow and invoke the appropriate ECS tasks.

For triggering based on new S3 data, Amazon EventBridge provides a managed, scalable event bus for AWS service events, including S3 object events, and can route events to targets such as Step Functions state machines. Using EventBridge reduces the need for direct point-to-point notification wiring and provides centralized event routing, filtering, and monitoring.

Option C combines all the right elements: it runs the containers as ECS tasks on Fargate to eliminate EC2 management and idle capacity, uses Step Functions to orchestrate tasks that can run for hours, and uses EventBridge to trigger the state machine when new data is uploaded to S3. This replaces the per-instance cron scheduling with an event-driven serverless orchestration model and significantly reduces operational overhead.

Option B is close but is less appropriate as written because S3 Event Notifications are typically configured to send to Amazon SQS, Amazon SNS, or AWS Lambda. Triggering Step Functions directly is more naturally handled through EventBridge rules. EventBridge is also the recommended event routing layer for integrating service events into workflows.

Option A is not suitable because Lambda is not designed for multi-hour processing jobs due to runtime limits.

Option D is incorrect because Lambda layers are for sharing libraries and runtime dependencies, not for packaging multi-hour container workloads. It also still depends on Lambda runtime limits and does not match the operational model for long-running batch processing.

Therefore, option C is the best modernization approach with the least operational overhead.

In this solution, the company can use Amazon SES to send email messages, which will minimize operational overhead as SES is a fully managed service that handles sending and receiving email messages. The company can store the email template on Amazon SES with parameters for the customer data and use an AWS Lambda function to call the SendTemplatedEmail API operation, passing in the customer data to replace the parameters and the email destination. This solution eliminates the need to set up and manage an SMTP server on EC2 instances, which can be costly and time-consuming.

https://docs.aws.amazon.com/appsync/latest/devguide/graphql-overview.html

AWS AppSync is a fully managed GraphQL service that allows applications to securely access, manipulate, and receive data as well as real-time updates from multiple data sources1. AWS AppSync supports GraphQL subscriptions to perform real-time operations and can push data to clients that choose to listen to specific events from the backend1. AWS AppSync uses WebSockets to establish and maintain a secure connection between the clients and the API endpoint2. Therefore, using AWS AppSync and leveraging WebSockets is a suitable design to reduce comment latency and improve user experience.

The workload must be deployed to a second AWS Region to reduce latency for users while maintaining business continuity. Because more than 95% of operations are read operations, the database layer must efficiently support low-latency reads in multiple Regions without introducing complex replication logic or sacrificing availability.

Amazon Aurora MySQL global database is specifically designed for multi-Region deployments. It provides a single primary Region for writes and up to multiple secondary Regions with read-only replicas that use low-latency, storage-based replication. This architecture is well suited for read-heavy workloads because read traffic can be served locally in each Region while writes are centralized. Aurora global database also supports fast recovery and promotes a secondary Region in the event of a primary Region failure, which satisfies business continuity requirements.

Option A correctly migrates the existing RDS for MySQL database to an Aurora MySQL global database and deploys application infrastructure (ALB and Auto Scaling group) in the second Region. This enables applications in each Region to read from the closest Aurora replica, reducing read latency while preserving a managed, highly available database architecture.

To route users to the closest healthy Region, DNS-based traffic management is required. Route 53 latency-based routing directs users to the endpoint (ALB) with the lowest latency from their location. This directly addresses the requirement to reduce application latency while also supporting multi-Region availability.

Option C provides this routing capability by configuring latency-based routing with Route 53 and pointing records to both ALBs. Route 53 continuously evaluates latency and health checks to route traffic appropriately, which supports both performance and business continuity.

Option B is not sufficient because migrating to a separate Multi-AZ database in another Region does not provide a shared data layer or managed cross-Region replication. This would require custom replication and conflict resolution and does not maintain a single logical dataset across Regions. CloudFront improves content delivery for static assets but does not solve database read latency or data consistency.

Option D uses geolocation routing, which routes traffic based on user location rather than actual measured latency. This is less precise than latency-based routing and does not automatically adapt to changing network conditions or Region health.

Option E introduces Aurora Serverless v2, which is not designed for multi-Region global database replication. Aurora Serverless v2 focuses on scaling capacity within a Region, not on reducing latency across Regions or providing managed global read replicas.

Therefore, migrating to an Aurora MySQL global database and using Route 53 latency-based routing provides low-latency reads, high availability, and business continuity with minimal operational overhead.