Pass the Amazon Web Services AWS Certified Professional SAP-C02 Questions and answers with CertsForce

Option A is correct because using an Elastic Load Balancer and an Auto Scaling group with a minimum capacity of two instances can improve the availability and scalability of the EC2 instances that host the application. The load balancer can distribute traffic across multiple instances and the Auto Scaling group can replace any unhealthy instances automatically1

Option D is correct because modifying the DB instance to create a Multi-AZ deployment that extends across two Availability Zones can improve the availability and durability of the RDS for MariaDB database. Multi-AZ deployments provide enhanceddata protection and minimize downtime by automatically failing over to astandby replica in another Availability Zone in case of a planned or unplanned outage4

Option F is correct because creating a replication group for the ElastiCache for Redis cluster and enabling Multi-AZ on the cluster can improve the availability and fault tolerance of the in-memory data store. A replication group consists of a primary node and up to five read-only replica nodes that are synchronized with the primary node using asynchronous replication. Multi-AZ allows automatic failover to one of the replicas if the primary node fails or becomes unreachable6

Create an S3 Bucket:

Log in to the AWS Management Console and navigate to Amazon S3.

Create a new S3 bucket that will serve as the destination for the application data.

Deploy AWS Storage Gateway:

Download and deploy the AWS Storage Gateway virtual machine (VM) on your on-premises environment. This VM can be deployed on VMware ESXi, Microsoft Hyper-V, or Linux KVM.

Configure the File Gateway:

Configure the deployed Storage Gateway as a file gateway. This will enable it to present Amazon S3 buckets as SMB file shares to your on-premises applications.

Create a New File Share:

Within the Storage Gateway configuration, create a new file share that is associated with the S3 bucket you created earlier. This file share will use the SMB protocol, allowing your on-premises applications to access the S3 bucket as if it were a local SMB file share.

Copy Data to the File Gateway:

Use your preferred method (such as robocopy, rsync, or similar tools) to copy data from the on-premises storage to the newly created file gateway endpoint. This data will be stored in the S3 bucket, maintaining accessibility through SMB.

Ensure Secure and Efficient Data Transfer:

AWS Storage Gateway ensures that all data in transit is encrypted using TLS, providing secure data transfer to AWS. It also provides local caching for frequently accessed data, improving access performance for on-premises applications.

This approach allows your existing on-premises applications to continue accessing data via SMB while leveraging the scalability and durability of Amazon S3.

References

AWS Storage Gateway Overview【67】.

AWS DataSync and Storage Gateway Hybrid Architecture【66】.

AWS S3 File Gateway Details【68】.

You can segment your network by creating multiple route tables in an AWS Transit Gateway and associate Amazon VPCs and VPNs to them. This will allow you to create isolated networks inside an AWS Transit Gateway similar to virtual routing and forwarding (VRFs) in traditional networks. The AWS Transit Gateway will have a default route table. The use of multiple route tables is optional.

The requirements can be achieved by using an Amazon DynamoDB database with a global table. DynamoDB is a NoSQL database so it fits the requirements. A global table also allows both reads and writes to occur in both Regions. For the web and application tiers Auto Scaling groups should be configured. Due to the 1-minute RTO these must be configured in an active/passive state. The best pricing model to lower price but ensure resources are available when needed is to use a combination of zonal reserved instances and on-demand instances. To failover between the Regions, a Route 53 failover routing policy can be configured with a TTL configured on the record of 30 seconds. This will mean clients must resolve against Route 53 every 30 seconds to get the latest record. In a failover scenario the clients would be redirected to the secondary site if the primary site is unhealthy.

Option A is correct because AWS Compute Optimizer provides right-sizing recommendations for Amazon ECS services on AWS Fargate, including task CPU, task memory, and container-level CPU and memory values. Since the workload is deployed through CloudFormation, the correct operational path is to update the ECS task definition in the CloudFormation template and redeploy the stack. That keeps infrastructure as code as the source of truth. Target tracking policies adjust the number of running tasks, not the CPU and memory size assigned to each Fargate task, so option B does not directly fix over-provisioned task resources. Cost Explorer Reserved Instance reports are not the right tool for Fargate task right-sizing because Fargate does not use EC2 Reserved Instances in the same way.

To minimize EKS compute costs:

A. Rebuild the application container images to support ARM64 architecture: Graviton instances (ARM-based) require container images built for the ARM64 architecture. This ensures compatibility and allows leveraging Graviton-based compute.

C. Migrate the EKS nodes to the most recent generation of Graviton-based instances: AWS Graviton instances (e.g., c7g, m7g) offer significant price/performance benefits over x86_64 instances. By migrating EKS worker nodes to Graviton, the company can reduce compute costs substantially.

E. Purchase a new EC2 Instance Savings Plan for the newly selected Graviton instance family: Savings Plans provide cost savings compared to On-Demand pricing. After moving to Graviton, purchasing a new Savings Plan tailored for these instance families ensures continued cost savings.This approach aligns with AWS cost optimization best practices—migrating to the latest instance types and purchasing Savings Plans to match the new usage pattern—while ensuring full compatibility with EKS.

CloudFront origin failover is implemented by using an origin group with a primary origin and a secondary origin. CloudFront can automatically fail over to the secondary origin when the primary origin fails under configured conditions. The default origin connection behavior can take up to 30 seconds because CloudFront uses multiple connection attempts and timeout values. AWS documentation states that reducing the connection timeout and reducing the number of connection attempts can make failover occur faster. Option C correctly adds the replicated S3 bucket as a second origin, creates an origin group, updates the default cache behavior to use that origin group, and sets both connection timeout and connection attempts to 1. Option B misses updating the cache behavior and uses the wrong timeout. Lambda-based promotion is unnecessary operational overhead.

https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption AWS is now transitioning the previous term ' guardrail ' new term ' control ' .

https://repost.aws/knowledge-center/kinesis-readprovisionedthroughputexceeded

Follow Data Streams best practices

To mitigate ReadProvisionedThroughputExceeded exceptions, apply these best practices:

• Reshard your stream to increase the number of shards in the stream.

• Use consumers with enhanced fan-out. For more information about enhanced fan-out, see Developing custom consumers with dedicated throughput (enhanced fan-out).

• Use an error retry and exponential backoff mechanism in the consumer logic if ReadProvisionedThroughputExceeded exceptions are encountered. For consumer applications that use an AWS SDK, the requests are retried by default.

https://docs.aws.amazon.com/cur/latest/userguide/billing-cur-limits.html

The requirement is to allow each OU (which contains multiple accounts) to view a cost breakdown across its accounts. In an AWS Organizations setup with consolidated billing, the management account is the central place where organization-level cost and usage reporting is configured and aggregated. The Cost and Usage Report is designed to produce the most detailed cost and usage dataset, and it can include charges for linked (member) accounts. A single CUR created from the management account can include all accounts in the organization, and then filtering can be applied to show cost breakdowns per OU or per team.

Once the CUR is delivered to Amazon S3, analytics tools such as Amazon Athena and Amazon QuickSight can be used to create dashboards. Teams can be provided access to the dataset or curated views and can filter by linked account, tags, and other dimensions. With appropriate cost allocation tags and organizational mapping (for example, account-to-OU mapping maintained in reporting logic), each OU can see its consolidated view.

Option B meets the requirements because it creates one CUR centrally from the management account and uses QuickSight for visualization. This approach is scalable for hundreds of accounts and avoids duplicating CUR configuration in each member account.

Option A is incorrect because AWS Resource Access Manager is not used to create CURs per OU. CUR is not an OU-scoped resource created via RAM.

Option C is not operationally efficient because it requires creating and managing CURs in each member account, producing fragmented datasets and significantly increasing overhead at hundreds of accounts. It also makes it harder to generate a single view per OU across accounts.

Option D is incorrect because Systems Manager does not create CURs, and OpsCenter dashboards are not the standard tool for cost and usage reporting.

Therefore, a centrally created CUR in the management account with QuickSight visualization is the correct solution.

Comprehensive and Detailed Explanation:

This question tests knowledge of private access patterns to Amazon S3 from:

resources inside a VPC, and

users in an on-premises environment connected through Site-to-Site VPN.

The correct answer is B because the company has two different traffic sources with different endpoint requirements.

Why B is correct

For the EC2 instance inside the private VPC:

An S3 gateway endpoint is the standard and most cost-effective method for private access from resources in the VPC to Amazon S3. With a gateway endpoint, traffic from the VPC to S3 stays on the AWS network and does not require a NAT gateway or internet gateway. This satisfies the requirement to remove the NAT gateways for the application’s S3 access.

For the on-premises users over the Site-to-Site VPN:

Gateway endpoints are for use within the VPC and are not accessed from on-premises networks over VPN or Direct Connect. To allow on-premises clients to access S3 privately through the VPC, the architecture needs an S3 interface endpoint with private DNS enabled. Interface endpoints create elastic network interfaces in the VPC and can be reached privately from connected on-premises environments, assuming routing and DNS are configured correctly.

Therefore, the combination is required:

S3 gateway endpoint for VPC resources

S3 interface endpoint with private DNS for on-premises access through VPN

This design allows both the EC2 application and on-premises users to access S3 without using the public internet.

Why A is incorrect

An S3 gateway endpoint works for VPC resources, but it does not provide private access for on-premises users over Site-to-Site VPN. On-premises networks cannot route directly to a gateway endpoint in the way described. That makes A incomplete and incorrect.

Why C is incorrect

Mountpoint for Amazon S3 is a way to mount an S3 bucket for file-like access from an EC2 instance or similar compute environment. It does not solve the connectivity requirement for on- premises users, and it does not address the broader network design requirement of private S3 access without NAT gateways for all stated users. It also does not replace the need for appropriate VPC endpoint architecture.

Why D is incorrect

Storage Browser for S3 is not the solution to provide private network connectivity for an application and on-premises users. It is unrelated to the core architecture requirement. The question is asking about private access paths to S3, not a user interface or client-side browser tool.

Key design principle being tested

This question checks whether you know the distinction between:

S3 gateway endpoints for traffic originating from within the VPC

S3 interface endpoints for private access from on-premises environments over hybrid connectivity

It also tests whether you understand that removing NAT gateways is possible for S3 access from private subnets when a VPC endpoint is used.

Final justification

Because the company needs:

private S3 access from an EC2 instance in a private VPC, and

private S3 access from on-premises users over VPN,

while removing NAT gateways,

the correct design is to use:

an S3 gateway endpoint for the VPC application, and

an S3 interface endpoint with private DNS for the on-premises users.

That makes B the best answer.

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

This option allows the company to use DAX to improve the performance and reduce the latency of the DynamoDB queries by caching the results in memory1. By updating the application to use DAX, the company can reduce the load on the DynamoDB tables and avoid throttling errors1. By creating an Auto Scaling group for the EC2 instances, the company can adjust the number of instances based on the demand and ensure high availability2. By creating an ALB, the company can distribute the incoming traffic across multiple EC2 instances and improve fault tolerance3. By updating the Route 53 record to use a simple routing policy that targets the ALB’s DNS alias, the company can route users to the ALB endpoint and leverage its health checks and load balancing features4. By configuring scheduled scaling for the EC2 instances before the content updates, the company can anticipate and handle traffic spikes during peak periods5.

What is Amazon DynamoDB Accelerator (DAX)?

What is Amazon EC2 Auto Scaling?

What is an Application Load Balancer?

Choosing a routing policy

Scheduled scaling for Amazon EC2 Auto Scaling

This option allows the company to use Amazon Aurora MySQL, which is a fully managed relational database service that is compatible with MySQL and offers up to five times better performance than standard MySQL1. By migrating the database to Aurora MySQL, the company can benefitfrom its high availability, durability, scalability, and security features1. By deploying the application in an Auto Scaling group on Amazon EC2 instances behind an Application LoadBalancer, the company can ensure that the application can handle varying levels of traffic and distribute the requests across multiple instances2. By storing sessions in an Amazon ElastiCache for Redis replication group, the company can improve the performance and reliability of the session data by using a fast, in-memory data store that supports replication and failover3.

What is Amazon Aurora?

What is Auto Scaling?

What is Amazon ElastiCache?