SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

According to the AWS documentation1, to access a private API from a VPC, you need to do the following:

Create an interface VPC endpoint for API Gateway in your VPC. This creates a private connection between your VPC and API Gateway.

Attach an endpoint policy to the VPC endpoint that allows the execute-api:lnvoke action for your private API. This grants permission to invoke your API from the VPC.

Enable private DNS naming for the VPC endpoint. This allows you to use the same DNS names for your private APIs as you would for public APIs.

Configure a resource policy for your private API that allows access from the VPC endpoint. This controls who can access your API and under what conditions.

Use the API endpoint’s DNS names to access the API from your VPC. For example, https://api-id.execute-api.region.amazonaws.com/stage.

To meet the requirements for automatic key rotation of EC2 SSH key pairs with minimal downtime, storing the keys in AWS Secrets Manager and defining a rotation schedule is the most suitable solution. AWS Secrets Manager supports automatic rotation of secrets, including SSH keys, by invoking a Lambda function that can handle the creation of new key pairs and the replacement of public keys on EC2 instances. Updating the corresponding private keys in Secrets Manager ensures secure and centralized management of SSH keys, complying with the key rotation policy and minimizing operational overhead.

AWS Secrets Manager Documentation: Describes how to store and rotate secrets, including SSH keys, using Secrets Manager and Lambda functions.

AWS Lambda Documentation: Provides information on creating Lambda functions for custom secret rotation logic.

AWS Best Practices for Security: Highlights the importance of key rotation and how AWS services like Secrets Manager can facilitate secure and automated key management.

https://docs.aws.amazon.com/application-discovery/latest/userguide/discovery-agent.htmlhttps://docs.aws.amazon.com/migrationhub/latest/ug/ec2-recommendations.html

The key requirements are: OpenSearch Service must be deployed within a VPC (VPC-only access), and developers must access OpenSearch from their local machines across multiple locations, including home networks. The most suitable low-overhead approach is to provide remote users with secure client-based connectivity into the VPC so they can reach private endpoints.

AWS Client VPN is a managed client-based VPN service that allows individual users to establish secure TLS VPN connections from their devices into a VPC. By associating a Client VPN endpoint with a subnet in the VPC and configuring authorization rules and routes, developers can access private resources (including VPC-only Amazon OpenSearch Service endpoints) as if they were on the corporate network. Client VPN is designed for distributed workforces and supports users connecting from anywhere without requiring each remote location to have dedicated network appliances.

Option A matches the need for remote developer access from home and multiple offices with the least operational overhead because it is a managed service for user-based VPN access and does not require running and maintaining bastion fleets or building site-to-site networks for each location.

Option B is not correct because AWS Site-to-Site VPN is designed to connect networks (for example, an office network or data center) to AWS, not to provide individual developers remote access from arbitrary home networks. Also, instructing developers to use an OpenVPN client does not align with how Site-to-Site VPN is typically used; Site-to-Site VPN terminates on a customer gateway device, not on individual laptops.

Option C is not correct because Direct Connect is designed for dedicated private connectivity between on-premises networks and AWS. It is not a solution for individual developers connecting from home. Additionally, using a public VIF is for reaching public AWS endpoints, whereas the requirement is to keep access within a VPC. A public VIF does not provide private VPC access to VPC-only service endpoints.

Option D is not the best choice because a bastion host provides SSH access to instances, not direct, secure network-level access to VPC-only managed service endpoints from developer tools. It also increases operational overhead (patching, hardening, monitoring, scaling) and introduces additional security considerations. Developers also typically need browser-based or tool-based access to OpenSearch Dashboards, which is better served by VPN access into the VPC than SSH tunneling through a bastion host as a primary access mechanism.

Therefore, configuring AWS Client VPN to provide developers with secure connectivity into the VPC is the correct solution.

The company needs to upgrade DocumentDB to the latest version with no data loss while allowing continuous reads and writes. The company also must be able to test and verify the upgrade before switching production traffic. This is a classic requirement for performing an upgrade using a blue/green approach: build a new target environment on the new version, keep it in sync with the source, validate it, and then cut over by changing the endpoint (here, Route 53 DNS).

Option A implements this pattern using a new DocumentDB cluster running the latest version and AWS DMS to continuously migrate and replicate changes from the old cluster to the new cluster. Because the workload is continuously changing, a one-time export/import is insufficient; continuous replication is needed to keep the target cluster current during the test period. AWS DMS supports a “migrate and replicate” style of task that performs a full load and then applies ongoing changes (CDC) so the target stays synchronized. The question also states that change streams are enabled with a 24-hour retention period, which supports capturing and applying changes during migration/validation and helps ensure the replication stream can be maintained while testing.

Option A also addresses indexes by using the DocumentDB Index Tool to export and import indexes, which is important because indexes can affect query performance and behavior. After the company validates the new cluster, the cutover is done by updating the Route 53 record to point to the new cluster endpoint, switching all backend services without changing application configuration beyond DNS resolution.

Option B uses MongoDB CLI tools to export/import. This is not suitable for continuous write workloads because export/import is a point-in-time operation and would require downtime or risk data divergence during the test period. It also adds more operational overhead and does not provide continuous replication for the duration of validation.

Option C performs an in-place major version upgrade. That does not satisfy the requirement to test and verify the upgrade before backend services use the upgraded version because the upgrade happens directly on the production cluster. Even though a snapshot exists for rollback, production is still exposed to the upgrade immediately, which violates the requirement for pre-cutover verification.

Option D is incorrect because AWS DataSync transfers files between storage systems such as NFS/SMB and AWS storage services. It is not a database migration or replication service and cannot copy a DocumentDB database in a way that preserves database semantics and supports continuous replication.

Therefore, creating a new DocumentDB cluster, keeping it synchronized using AWS DMS (supported by change stream retention), validating it, and then cutting over via Route 53 DNS update (option A) meets all requirements.

The awsvpc network mode provides each task with its own elastic network interface (ENI) and a primary private IP address1. By using this network mode, the solutions architect can isolate the tasks from each other and apply security groups to the tasks directly2. This way, the solutions architect can control the inbound and outbound traffic at the task level and enforce the least privilege principle3. IAM roles for tasks allow the solutions architect to assign permissions to each task separately, so that they can access other AWS resources that they need4. By using IAM roles for tasks, the solutions architect can avoid passing IAM credentials into the container at launch time, which is less secure and more prone to errors5.

awsvpc network mode

Task networking with the awsvpc network mode

Security groups for your VPC

IAM roles for tasks

Best practices for managing AWS access keys