SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

https://docs.aws.amazon.com/application-discovery/latest/userguide/discovery-agent.htmlhttps://docs.aws.amazon.com/migrationhub/latest/ug/ec2-recommendations.html

By adding two more NAT gateways (one per Availability Zone), each private subnet has direct access to a NAT gateway in its own AZ.

This increases network resiliency because even if a single NAT gateway becomes unavailable, the others remain operational, ensuring consistent internet connectivity for the private EC2 instances.

This follows AWS best practices for highly available network architecture in multi-AZ deployments.

The best combination is A, D, and E because it replaces self-managed components with managed AWS services. AWS IoT Core is purpose-built for MQTT-based device communication, and IoT rules can invoke Lambda functions when messages arrive, allowing serverless processing of device data. Amazon DocumentDB is compatible with MongoDB workloads and removes the operational burden of running MongoDB clusters on EC2. For report generation, AWS Step Functions can orchestrate Lambda tasks, and the reports can be written to Amazon S3 and served publicly through CloudFront. The job duration of 120–600 seconds fits within Lambda’s 15-minute maximum invocation timeout. EKS and EC2-based MongoDB would increase operational overhead, while having Lambda poll IoT devices directly is a poor design compared with device publishing through AWS IoT Core. (AWS Documentation)

===============

A is correct becauseSSM Agent must be installed and actively runningon the instance for it to be managed by Systems Manager. Imported VMs typically do not have the agent installed by default.

B is also correct becausean IAM instance profilewith at least the AmazonSSMManagedInstanceCore policy must be attached to the instance to allow communication with SSM.

Option C is unnecessary if the instance has internet access (via public IP).

Option D relates to migration assessments, not Systems Manager.

Option E is good practice but not required for the instance to appear as managed.

https://aws.amazon.com/blogs/architecture/accelerating-your-migration-to-aws/ Build a business case with AWS Migration Evaluator The foundation for a successful migration starts with a defined business objective (for example, growth or new offerings). In order to enable the business drivers, the established business case must then be aligned to a technical capability (increased security and elasticity). AWS Migration Evaluator (formerly known as TSO Logic) can help you meet these objectives. To get started, you can choose to upload exports from third-party tools such as Configuration Management Database (CMDB) or install a collector agent to monitor. You will receive an assessment after data collection, which includes a projected cost estimate and savings of running your on-premises workloads in the AWS Cloud. This estimate will provide a summary of the projected costs to re-host on AWS based on usage patterns. It will show the breakdown of costs by infrastructure and software licenses. With this information, you can make the business case and plan next steps.

This solution will meet the requirements of the company as it provides a secure, cost-effective and fast way of transferring large data sets from on-premises to AWS. Snowball Edge devices encrypt the data during transfer, and the devices are shipped back to AWS for import into S3. This option is more cost effective than using Direct Connect or VPN connections as it does not require the company to pay for long-term dedicated connections.

The requirement is to reduce application latency for a globally distributed user base, with users primarily in the United States but increasing usage in Europe and the Middle East. The application is read-heavy and uses Amazon DynamoDB as its data store. Reducing latency for global users requires placing both the application compute and the data closer to users in each Region.

Option D uses the correct multi-Region architecture. Deploying the application to multiple AWS Regions places Amazon EKS workloads closer to end users. Converting the DynamoDB table to a global table creates fully managed, multi-Region replicas of the data with low-latency replication. This allows reads to be served locally from the nearest DynamoDB replica, significantly reducing read latency for users outside the primary Region. Because the workload is read-heavy, this design is particularly effective.

Route 53 geolocation routing directs users to the Region closest to them based on their geographic location. Combined with health checks and Evaluate Target Health, this ensures users are routed to the nearest healthy Region, improving both latency and availability.

Option A is incorrect because global secondary indexes do not replicate data across Regions. GSIs operate within a single Region and are used to support alternative query patterns, not global data distribution. Additionally, Route 53 failover routing is designed for disaster recovery, not for performance optimization or global load balancing.

Option B uses DynamoDB Accelerator (DAX), which improves read latency by caching data in memory, but DAX is Region-specific and does not reduce cross-Region network latency for users in Europe and the Middle East accessing a US-based application. It also does not address application-level latency caused by distance to the EKS cluster.

Option C is not valid because DynamoDB does not support read replicas in the same way relational databases do. DynamoDB replication for latency and global access is achieved through global tables, not through read replicas in a single Region. CloudFront can reduce latency for static or cacheable HTTP content, but it does not solve backend application latency or DynamoDB access latency for dynamic, read-heavy requests.

Therefore, deploying the application and DynamoDB as global tables across Regions and using Route 53 geolocation routing is the correct solution to minimize latency for all global users.

Since the company is already using Kubernetes manifests,Amazon EKSis a natural fit. It’s a managed Kubernetes control plane and works withAmazon Aurora PostgreSQL, a highly available DB service.

What is EKS?

" The AWS WAF API supports security automation such as blacklisting IP addresses thatexceed request limits, which can be useful for mitigating HTTP flood attacks. " > https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

The correct answer is A because the control must prevent creation of new EC2 instances and EBS volumes unless the required Project tag is supplied in the launch request. The relevant API action is ec2:RunInstances, not ec2:StartInstances. AWS supports enforcing tags at resource creation by using request tag condition keys such as aws:RequestTag/Project. A deny statement with the Null condition set to true blocks the request when the tag is missing. aws:CostAllocationTag is not the correct condition key for authorization at launch time; cost allocation tags are for billing categorization after tags exist. AWS tagging guidance specifically shows deny policies for ec2:RunInstances when a required cost allocation-style tag is not present in the request. (AWS Documentation)

===============

Amazon Kinesis Data Streams is a service that enables real-time data ingestion and processing. Amazon DynamoDB is a NoSQL database that does not require fixed schemas for storage. By using Kinesis Data Streams and DynamoDB, the company can send the JSON data to a database that can handle schemaless data in real time. References:

https://docs.aws.amazon.com/streams/latest/dev/introduction.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html