SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

B:https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.requests

D:https://aws.amazon.com/blogs/compute/robust-serverless-application-design-with-aws-lambda-dlq/c

Amazon ECS on Fargateis ideal forevent-driven, long-running jobswith minimal management. Combine S3event notificationswithEventBridge rulesto trigger a Fargate task per upload.

Using Fargate with EventBridge

The company has many S3 buckets and many identities across multiple AWS accounts. It currently uses S3 bucket policies for granular authorization. As requirements grow, the bucket policies have become very large and have hit the maximum size limits. The company needs a way to express granular, identity-based access to S3 resources without relying on increasingly complex bucket policies.

AWS provides S3 Access Grants to centrally manage S3 data access based on identities. S3 Access Grants integrate with IAM Identity Center and external identity providers such as Microsoft Entra ID (formerly Azure AD). With S3 Access Grants, you define grants that associate specific identities or groups (from IAM Identity Center) with permissions on specific S3 buckets, prefixes, or objects. Access Grants maintain a mapping between identities and S3 resources without requiring large, per-bucket policies.

Option A describes exactly this approach. You create an S3 Access Grant configuration associated with the IAM Identity Center instance that is already integrated with the company’s IdP. You then define S3 Access Grants for the various user groups according to business requirements, specifying the appropriate S3 buckets and prefixes. When users access S3 through AWS tools that support S3 Access Grants, temporary credentials are issued that reflect the grants. This centralizes authorization management, reduces the size and complexity of S3 bucket policies, and minimizes operational overhead because you manage permissions per identity group rather than constantly editing long bucket policies.

Option B uses S3 access points and Object Lambda Access Points with a Lambda function for data filtering. This is more suitable for content transformation or redaction rather than primary authorization management. It adds operational complexity by requiring custom Lambda code and Object Lambda configuration, and it does not directly solve the problem of large bucket policies for fine-grained permissions.

Option C uses per-bucket S3 access points with attached policies. While access points can simplify some aspects of access control and allow per-application policies, using many access points with detailed policies can still lead to significant policy complexity. It also does not take advantage of the existing IAM Identity Center integration and does not centrally align permissions with identity groups.

Option D uses AWS Organizations service control policies (SCPs). SCPs are intended to define high-level guardrails and maximum permissions at the account or organizational unit level, not detailed, per-bucket or per-prefix access control for individual users or groups. Using SCPs to express granular S3 bucket permissions would be complex, hard to maintain, and not aligned with the purpose of SCPs.

Therefore, using S3 Access Grants integrated with IAM Identity Center (option A) provides a centralized, identity-aware, low-overhead way to manage granular S3 access without hitting S3 bucket policy size limits.

B is correct because the problem is caused by inconsistent query-string casing leading to CloudFront cache misses, and the best place to normalize the request is at the CloudFront edge before cache-key evaluation. CloudFront Functions run at the edge with very low latency and are intended for lightweight request manipulations (for example, normalizing URLs, headers, and query strings) on viewer request events. By sorting query parameters and converting them to lowercase on the viewer request, CloudFront will treat semantically equivalent requests as the same cache key, increasing cache hit ratio and reducing the number of origin calls to API Gateway and downstream Lambda invocations. This directly reduces latency for global users.

Why the other options are less suitable:

A (Lambda@Edge on origin request): Lambda@Edge can also modify requests, but it is heavier-weight than CloudFront Functions for simple normalization logic. Also, doing this on origin request occurs after CloudFront has already decided whether there is a cache hit. If the cache key is still based on the original mixed-case query string at the viewer side, you won’t consistently prevent cache misses. Normalization must happen before cache lookup to maximize cache hits.

C (API Gateway mapping templates): This normalizes the request only after it has already missed in CloudFront and reached the origin. It does not fix CloudFront cache fragmentation, so it does not meet the “minimal latency” goal as effectively.

D (Lambda authorizer): Lambda authorizers are for authorization/authentication decisions. Using an authorizer for query normalization adds unnecessary overhead and still happens at API Gateway (origin), not at CloudFront before cache evaluation.

This solution meets the requirements by using Application Auto Scaling to automatically increase capacity during the peak period, which will handle the double the average load. And by purchasing reserved RCUs and WCUs to match the average load, it will minimize the cost of the table for the rest of the week when the load is close to the average.

This solution requires minimal operational overhead, as it only requires setting up AWS IoT Core and creating a thing for each device. (Reference: AWS Certified Solutions Architect - Professional Official Amazon Text Book, Page 537)

AWS IoT Core is a fully managed service that enables secure, bi-directional communication between internet-connected devices and the AWS Cloud. It supports the MQTT protocol and includes built-in device authentication and access control. By using AWS IoT Core, the company can easily provision and manage the X.509 certificates for each device, and connect the devices to the service with minimal operational overhead.

This option allows the solutions architect to use an identity policy that grants the user readand write access to their own personal folder on the S3 bucket1. By adding a condition that specifies that the S3 paths must be prefixed with ${aws:username}, the solutions architect can ensure that each scientist can only access their own folder2. By applying the policy on the scientists’ IAM user group, the solutions architect can simplify the management of permissions for all the scientists3. By configuring a trail with AWS CloudTrail to capture all object-level events in the S3 bucket, the solutions architect can record and store information about every action performed on the S3 objects4. By storing the trail output in another S3 bucket, thesolutions architect can secure and archive the log files5. By using Amazon Athena to query the logs and generate reports, the solutions architect can use a serverless interactive query service that can analyze data in S3 using standard SQL.

Identity-based policies

Policy variables

IAM groups

Object-level logging

Creating a trail that applies to all regions

[What is Amazon Athena?]

Create Amazon S3 gateway endpoint in the VPC and add a VPC endpoint policy. This VPC endpoint policy will have a statement that allows S3 access only via access points owned by the organization.

The workload consists of large batch-processing simulation jobs that read 15–20 GB per job from Amazon S3, write results back to S3, are not time sensitive, and can tolerate interruptions. These characteristics are ideal for using EC2 Spot Instances, which provide steep discounts compared to On-Demand pricing in exchange for potential interruptions.

AWS Batch is designed specifically for batch and simulation workloads. It can dynamically provision compute resources, manage job queues, retry failed jobs, and integrate tightly with EC2 Spot Instances. Using an AWS Batch compute environment that is configured to use EC2 Spot Instances with the SPOT_CAPACITY_OPTIMIZED allocation strategy allows AWS Batch to choose the lowest interruption-risk Spot capacity pools automatically while still giving the largest cost savings.

Option B leverages these capabilities. It creates an AWS Batch compute environment using only Spot Instances and uses the SPOT_CAPACITY_OPTIMIZED allocation strategy to select capacity across instance types with lower interruption rates. Since the simulations are not time sensitive and can withstand interruptions, the risk of Spot interruptions is acceptable, and AWS Batch will re-run interrupted jobs as needed. This combination provides the most cost-effective solution while minimizing operational overhead for job scheduling and capacity management.

Option A uses Lambda with Step Functions. Lambda has limits on memory, runtime, and payload size, making it a poor fit for processing 15–20 GB of data per job. In addition, the concurrency and invocation cost for large-scale, long-running simulation workloads would be higher and less cost-effective than EC2 Spot Instances.

Option C mixes On-Demand and Spot Instances. While this can provide reliability for more time-critical workloads, it is less cost-effective than a pure Spot configuration when the workload explicitly can tolerate interruptions and is not time sensitive.

Option D uses Amazon EKS with a mix of On-Demand and Spot Instances. While this can be made to work, it requires managing Kubernetes clusters, node groups, and job scheduling, which introduces more operational complexity than using AWS Batch, and the inclusion of On-Demand capacity reduces cost-effectiveness compared to pure Spot-based batch processing.

Therefore, using AWS Batch with EC2 Spot Instances and the SPOT_CAPACITY_OPTIMIZED allocation strategy (option B) is the most cost-effective solution for this tolerant, batch-processing workload.

A Direct Connect gateway allows you to connect multiple VPCs across different Regions to a Direct Connect connection1. A public VIF allows you to access AWS public services such as EC21. A Site-to-Site VPN connection over the public VIF provides encryption and redundancy for the traffic between the on-premises data center and the VPCs2. This solution is cheaper than setting up additional Direct Connect connections or using a private VIF with VPC peering.

Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use Amazon Textract and Amazon Comprehend to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system ' s API. This solution meets the requirements of accurate form extraction, minimal time to market, and minimal long-term operational overhead. Amazon Textract and Amazon Comprehend are fully managed and serverless services that can perform OCR and extract relevant data from the forms, which eliminates the need to develop custom libraries or train and host models. Using AWS Step Functions and Lambda allows for easy automation of the process and the ability to scale as needed.

" A usage plan specifies who can access one or more deployed API stages and methods—and also how much and how fast they can access them. The plan uses API keys to identify API clients and meters access to the associated API stages for each key. It also lets you configure throttling limits and quota limits that are enforced on individual client API keys. " https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-api-usage-plans.html

A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action on IPs with rates that go over a limit. You set the limit as the number of requests per 5-minute time span...... The following caveats apply to AWS WAF rate-based rules: The minimum rate that you can set is 100. AWS WAF checks the rate of requests every 30 seconds, and counts requests for the prior five minutes each time. Because of this, it ' s possible for an IP address to send requests at too high a rate for 30 seconds before AWS WAF detects and blocks it. AWS WAF can block up to 10,000 IP addresses. If more than 10,000 IP addresses send high rates of requests at the same time, AWS WAF will only block 10,000 of them. " https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based.html

This option allows the company to use DAX to improve the performance and reduce the latency of the DynamoDB queries by caching the results in memory1. By updating the application to use DAX, the company can reduce the load on the DynamoDB tables and avoid throttling errors1. By creating an Auto Scaling group for the EC2 instances, the company can adjust the number of instances based on the demand and ensure high availability2. By creating an ALB, the company can distribute the incoming traffic across multiple EC2 instances and improve fault tolerance3. By updating the Route 53 record to use a simple routing policy that targets the ALB’s DNS alias, the company can route users to the ALB endpoint and leverage its health checks and load balancing features4. By configuring scheduled scaling for the EC2 instances before the content updates, the company can anticipate and handle traffic spikes during peak periods5.

What is Amazon DynamoDB Accelerator (DAX)?

What is Amazon EC2 Auto Scaling?

What is an Application Load Balancer?

Choosing a routing policy

Scheduled scaling for Amazon EC2 Auto Scaling