
Pass the Amazon Web Services AWS Certified Professional SAP-C02 Questions and answers with CertsForce

Viewing page 9 out of 14 pages
Viewing questions 121-135 out of questions
Questions # 121:

A company is running an application on Amazon EC2 instances in the AWS Cloud. The application is using a MongoDB database with a replica set as its data tier. The MongoDB database is installed on systems in the company's on-premises data center and is accessible through an AWS Direct Connect connection to the data center environment.

A solutions architect must migrate the on-premises MongoDB database to Amazon DocumentDB (with MongoDB compatibility).

Which strategy should the solutions architect choose to perform this migration?

Options:

A.

Create a fleet of EC2 instances. Install MongoDB Community Edition on the EC2 instances, and create a database. Configure continuous synchronous replication with the database that is running in the on-premises data center.


B.

Create an AWS Database Migration Service (AWS DMS) replication instance. Create a source endpoint for the on-premises MongoDB database by using change data capture (CDC). Create a target endpoint for the Amazon DocumentDB database. Create and run a DMS migration task.


C.

Create a data migration pipeline by using AWS Data Pipeline. Define data nodes for the on-premises MongoDB database and the Amazon DocumentDB database. Create a scheduled task to run the data pipeline.


D.

Create a source endpoint for the on-premises MongoDB database by using AWS Glue crawlers. Configure continuous asynchronous replication between the MongoDB database and the Amazon DocumentDB database.


Questions # 122:

A company has an application that stores user-uploaded videos in an Amazon S3 bucket that uses S3 Standard storage. Users access the videos frequently in the first 180 days after the videos are uploaded. Access after 180 days is rare. Named users and anonymous users access the videos. Most of the videos are more than 100 MB in size. Users often have poor internet connectivity when they upload videos, resulting in failed uploads. The company uses multipart uploads for the videos. A solutions architect needs to optimize the S3 costs of the application. Which combination of actions will meet these requirements? (Select TWO.)

Options:

A.

Configure the S3 bucket to be a Requester Pays bucket.


B.

Use S3 Transfer Acceleration to upload the videos to the S3 bucket.


C.

Create an S3 Lifecycle configuration to expire incomplete multipart uploads 7 days after initiation.


D.

Create an S3 Lifecycle configuration to transition objects to S3 Glacier Instant Retrieval after 1 day.


E.

Create an S3 Lifecycle configuration to transition objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 180 days.


Questions # 123:

A company generates approximately 20 GB of data multiple times each day. The company uses AWS DataSync to copy all data from on-premises storage to Amazon S3 every 6 hours for further processing.

The analytics team wants to modify the copy process to copy only data relevant to the analytics team and ignore the rest of the data. The team wants to copy data as soon as possible and receive a notification when the copy process is finished.

Which combination of steps will meet these requirements MOST cost-effectively? (Select THREE.)

Options:

A.

Modify the data generation process on premises to create a manifest file at the end of the copy process with the names of the objects to be copied to Amazon S3. Create a custom script to upload the manifest file to an S3 bucket.


B.

Modify the data generation process on premises to create a manifest file at the end of the copy process with the names of the objects to be copied to Amazon S3. Create an AWS Lambda function to load the manifest file data into an Amazon DynamoDB table.


C.

Create an AWS Lambda function that Amazon EventBridge invokes when the manifest file is loaded into Amazon DynamoDB. Configure the Lambda function to copy the data from on-premises storage to the S3 bucket that uses the manifest file.


D.

Create an AWS Lambda function that an S3 Event Notification invokes when the manifest file is uploaded. Configure the Lambda function to invoke the DataSync task by calling the StartTaskExecution API action with a manifest.


E.

Create an Amazon SNS topic. Create an Amazon EventBridge rule to send an email notification to the SNS topic when the DataSync task execution status changes to SUCCESS or to ERROR.


F.

Create an Amazon SNS topic. Create an AWS Lambda function to send an email notification to the SNS topic when the DataSync task execution status changes to SUCCESS or to ERROR.


Questions # 124:

A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.

Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?

Options:

A.

Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and


B.

Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge (Amazon CloudWatch Events) rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to t


C.

Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge (CloudWatch Events) rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.


D.

Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.


Questions # 125:

A video processing company wants to build a machine learning (ML) model by using 600 TB of compressed data that is stored as thousands of files in the company's on-premises network attached storage system. The company does not have the necessary compute resources on premises for ML experiments and wants to use AWS.

The company needs to complete the data transfer to AWS within 3 weeks. The data transfer will be a one-time transfer. The data must be encrypted in transit. The measured upload speed of the company's internet connection is 100 Mbps, and multiple departments share the connection.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Order several AWS Snowball Edge Storage Optimized devices by using the AWS Management Console. Configure the devices with a destination S3 bucket. Copy the data to the devices. Ship the devices back to AWS.


B.

Set up a 10 Gbps AWS Direct Connect connection between the company location and the nearest AWS Region. Transfer the data over a VPN connection into the Region to store the data in Amazon S3.


C.

Create a VPN connection between the on-premises network storage and the nearest AWS Region. Transfer the data over the VPN connection.


D.

Deploy an AWS Storage Gateway file gateway on premises. Configure the file gateway with a destination S3 bucket. Copy the data to the file gateway.


Questions # 126:

A company’s web application uses an Amazon API Gateway API, AWS Lambda functions, and Amazon DynamoDB global tables to handle backend requests. The web application is deployed in two AWS Regions in an active-passive model. The company uses Amazon Route 53 for DNS. The web application requires a manual DNS update to fail over to the secondary Region. An analytics Lambda function runs in the same AWS account. The function has caused Lambda concurrency to reach 90% of the current quota on an average day. A recent surge in traffic for the analytics workload resulted in throttled Lambda requests and a poor user experience for the web application users. A solutions architect must increase the reliability of the web application. The solution must use an Amazon CloudWatch alarm to send an Amazon SNS notification when the Lambda concurrency reaches a specific utilization threshold. Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Set reserved concurrency on the web application Lambda functions. Implement Route 53 health checks and failover records to route traffic to the secondary Region. Configure the CloudWatch alarm to use the AWS Trusted Advisor ServiceLimitUsage metric and to send the SNS notification.


B.

Set reserved concurrency on the web application Lambda functions. Implement Route 53 health checks and latency records to route traffic to the secondary Region. Configure the CloudWatch alarm to use the AWS Trusted Advisor ServiceLimitUsage metric and to send an SNS notification.


C.

Set provisioned concurrency on the web application Lambda functions. Implement Route 53 health checks and failover records to route traffic to the secondary Region. Configure the CloudWatch alarm to use the Lambda ConcurrentExecutions metric and to send an SNS notification.


D.

Set provisioned concurrency on the web application Lambda functions. Implement Route 53 health checks and geolocation records to route traffic to the secondary Region. Configure the CloudWatch alarm to use the Lambda ProvisionedConcurrencyInvocations metric and to send an SNS notification.


Questions # 127:

A solutions architect is auditing the security setup of an AWS Lambda function for a company. The Lambda function retrieves the latest changes from an Amazon Aurora database. The Lambda function and the database run in the same VPC. Lambda environment variables are providing the database credentials to the Lambda function.

The Lambda function aggregates data and makes the data available in an Amazon S3 bucket that is configured for server-side encryption with AWS KMS managed encryption keys (SSE-KMS). The data must not travel across the internet. If any database credentials become compromised, the company needs a solution that minimizes the impact of the compromise.

What should the solutions architect recommend to meet these requirements?

Options:

A.

Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.


B.

Enable IAM database authentication on the Aurora DB cluster. Change the IAM role for the Lambda function to allow the function to access the database by using IAM database authentication. Enforce HTTPS on the connection to Amazon S3 during data transfers.


C.

Save the database credentials in AWS Systems Manager Parameter Store. Set up password rotation on the credentials in Parameter Store. Change the IAM role for the Lambda function to allow the function to access Parameter Store. Modify the Lambda function to retrieve the credentials from Parameter Store. Deploy a gateway VPC endpoint for Amazon S3 in the VPC.


D.

Save the database credentials in AWS Secrets Manager. Set up password rotation on the credentials in Secrets Manager. Change the IAM role for the Lambda function to allow the function to access Secrets Manager. Modify the Lambda function to retrieve the credentials from Secrets Manager. Enforce HTTPS on the connection to Amazon S3 during data transfers.


Questions # 128:

A company is using an organization in AWS Organizations to manage hundreds of AWS accounts. A solutions architect is working on a solution to provide baseline protection for the Open Web Application Security Project (OWASP) top 10 web application vulnerabilities. The solutions architect is using AWS WAF for all existing and new Amazon CloudFront distributions that are deployed within the organization.

Which combination of steps should the solutions architect take to provide the baseline protection? (Select THREE.)

Options:

A.

Enable AWS Config in all accounts.


B.

Enable Amazon GuardDuty in all accounts.


C.

Enable all features for the organization.


D.

Use AWS Firewall Manager to deploy AWS WAF rules in all accounts for all CloudFront distributions.


E.

Use AWS Shield Advanced to deploy AWS WAF rules in all accounts for all CloudFront distributions.


F.

Use AWS Security Hub to deploy AWS WAF rules in all accounts for all CloudFront distributions.


Questions # 129:

A company needs to gather data from an experiment in a remote location that does not have internet connectivity. During the experiment, sensors that are connected to a local network will generate 6 TB of data in a proprietary format over the course of 1 week. The sensors can be configured to upload their data files to an FTP server periodically, but the sensors do not have their own FTP server. The sensors also do not support other protocols. The company needs to collect the data centrally and move the data to object storage in the AWS Cloud as soon as possible after the experiment.

Which solution will meet these requirements?

Options:

A.

Order an AWS Snowball Edge Compute Optimized device. Connect the device to the local network. Configure AWS DataSync with a target bucket name, and upload the data over NFS to the device. After the experiment, return the device to AWS so that the data can be loaded into Amazon S3.


B.

Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to the local network. Launch an Amazon EC2 instance on the device. Create a shell script that periodically downloads data from each sensor. After the experiment, return the device to AWS so that the data can be loaded as an Amazon Elastic Block Store (Amazon EBS) volume.


C.

Order an AWS Snowcone device, including an Amazon Linux 2 AMI. Connect the device to the local network. Launch an Amazon EC2 instance on the device. Install and configure an FTP server on the EC2 instance. Configure the sensors to upload data to the EC2 instance. After the experiment, return the device to AWS so that the data can be loaded into Amazon S3.


D.

Order an AWS Snowcone device. Connect the device to the local network. Configure the device to use Amazon FSx. Configure the sensors to upload data to the device. Configure AWS DataSync on the device to synchronize the uploaded data with an Amazon S3 bucket. Return the device to AWS so that the data can be loaded as an Amazon Elastic Block Store (Amazon EBS) volume.


Questions # 130:

A company is refactoring its on-premises order-processing platform in the AWS Cloud. The platform includes a web front end that is hosted on a fleet of VMs, RabbitMQ to connect the front end to the backend, and a Kubernetes cluster to run a containerized backend system to process the orders. The company does not want to make any major changes to the application.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

A.

Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.


B.

Create a custom AWS Lambda runtime to mimic the web server environment. Create an Amazon API Gateway API to replace the front-end web servers. Set up Amazon MQ to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.


C.

Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up Amazon MQ to replace the on-premises messaging queue. Install Kubernetes on a fleet of different EC2 instances to host the order-processing backend.


D.

Create an AMI of the web server VM. Create an Amazon EC2 Auto Scaling group that uses the AMI and an Application Load Balancer. Set up an Amazon Simple Queue Service (Amazon SQS) queue to replace the on-premises messaging queue. Configure Amazon Elastic Kubernetes Service (Amazon EKS) to host the order-processing backend.


Questions # 131:

A company needs to apply consistent custom security audit rules across its organization in AWS Organizations. Accounts in the organization use a single AWS Region.

The company uses AWS Config in each account with four custom rules and five managed rules. The rules must be deployed to all accounts and must not be editable by member accounts. The company wants to easily update rules in the future. All required permissions are already in place.

Which combination of steps will meet these requirements with the LEAST operational effort? (Select TWO.)

Options:

A.

Call the PutOrganizationConformancePack API operation from a delegated administrator account to deploy the conformance pack to the entire organization.


B.

Create an AWS Config conformance pack that includes four custom policy rules.


C.

Create an AWS Config conformance pack that includes four custom policy rules and five AWS managed rules.


D.

Deploy five AWS organizational rules and the conformance pack from a delegated administrator account to the entire organization.


E.

Use AWS CloudFormation StackSets to deploy the conformance pack with termination protection.


Questions # 132:

A company has an environment that has a single AWS account. A solutions architect is reviewing the environment to recommend what the company could improve specifically in terms of access to the AWS Management Console. The company's IT support workers currently access the console for administrative tasks, authenticating with named IAM users that have been mapped to their job role.

The IT support workers no longer want to maintain both their Active Directory and IAM user accounts. They want to be able to access the console by using their existing Active Directory credentials. The solutions architect is using AWS Single Sign-On (AWS SSO) to implement this functionality.

Which solution will meet these requirements MOST cost-effectively?

Options:

A.

Create an organization in AWS Organizations. Turn on the AWS SSO feature in Organizations. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company's on-premises Active Directory. Configure AWS SSO and set the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Manag


B.

Create an organization in AWS Organizations. Turn on the AWS SSO feature in Organizations. Create and configure an AD Connector to connect to the company's on-premises Active Directory. Configure AWS SSO and select the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company's Active Directory.


C.

Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure a directory in AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD) with a two-way trust to the company's on-premises Active Directory. Configure AWS SSO and select the AWS Managed Microsoft AD directory as the identity source. Create permission sets and map them to the existing groups within the AWS Mana


D.

Create an organization in AWS Organizations. Turn on all features for the organization. Create and configure an AD Connector to connect to the company's on-premises Active Directory. Configure AWS SSO and select the AD Connector as the identity source. Create permission sets and map them to the existing groups within the company's Active Directory.


Questions # 133:

A company processes environment data. The company has set up sensors to provide a continuous stream of data from different areas in a city. The data is available in JSON format.

The company wants to use an AWS solution to send the data to a database that does not require fixed schemas for storage. The data must be sent in real time.

Which solution will meet these requirements?

Options:

A.

Use Amazon Kinesis Data Firehose to send the data to Amazon Redshift.


B.

Use Amazon Kinesis Data Streams to send the data to Amazon DynamoDB.


C.

Use Amazon Managed Streaming for Apache Kafka (Amazon MSK) to send the data to Amazon Aurora.


D.

Use Amazon Kinesis Data Firehose to send the data to Amazon Keyspaces (for Apache Cassandra).


Questions # 134:

A company hosts a payment processing platform across multiple AWS Regions. The processing platform exposes payment processing API endpoints. The company uses Amazon Route 53 to route traffic to an Application Load Balancer (ALB) in each Region to distribute requests to backend payment gateways. The company has implemented Auto Scaling for the payment gateways.

The company needs to improve reliability and availability by handling application failures quickly.

Which solution will meet this requirement with the LEAST response time for global users?

Options:

A.

Configure Route 53 to use a geolocation routing policy to resolve DNS to an Amazon CloudFront distribution. Configure the distribution with an origin group that includes the ALBs from each Region as origins.


B.

Create an accelerator in AWS Global Accelerator. Create an endpoint group and add each ALB as an endpoint in the group. Update the Route 53 alias records to point to the accelerator.


C.

Configure Route 53 to use a latency-based routing policy and health checks for each Regional endpoint.


D.

Set up cross-Region connectivity by using AWS Cloud WAN to connect VPCs across Regions. Use network policies to route traffic from each Region to the Region that is closest to the origin Region.


Questions # 135:

A solutions architect works for a government agency that has strict disaster recovery requirements. All Amazon Elastic Block Store (Amazon EBS) snapshots are required to be saved in at least two additional AWS Regions. The agency also is required to maintain the lowest possible operational overhead.

Which solution meets these requirements?

Options:

A.

Configure a policy in Amazon Data Lifecycle Manager (Amazon DLM) to run once daily to copy the EBS snapshots to the additional Regions.


B.

Use Amazon EventBridge (Amazon CloudWatch Events) to schedule an AWS Lambda function to copy the EBS snapshots to the additional Regions.


C.

Set up AWS Backup to create the EBS snapshots. Configure Amazon S3 cross-Region replication to copy the EBS snapshots to the additional Regions.


D.

Schedule Amazon EC2 Image Builder to run once daily to create an AMI and copy the AMI to the additional Regions.

