SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

The requirement is to estimate total cost of ownership before migration. This includes comparing current on-premises costs with projected AWS costs for compute, storage, databases, and related services, and producing a consolidated business-focused TCO view.

AWS Migration Evaluator is the AWS service specifically designed to help customers build data-driven business cases for migrating workloads to AWS. Migration Evaluator collects inventory and utilization data from on-premises environments by using a collector. It then allows architects to model different migration scenarios, map on-premises resources to AWS services such as Amazon EKS managed node groups and Amazon RDS for PostgreSQL, and generate reports that estimate costs, savings, and TCO impacts. The Quick Insights report provides a summarized, executive-level view of the estimated AWS costs, on-premises costs, and projected savings, which directly satisfies the requirement.

Option B is not sufficient because AWS DMS assessment reports focus on database migration feasibility and compatibility, not full workload TCO. The AWS Pricing Calculator can estimate AWS service costs, but it does not automatically incorporate on-premises cost data or provide a consolidated TCO comparison without significant manual effort.

Option C is incorrect because AWS Application Migration Service focuses on rehosting servers and testing migrations. It does not produce comprehensive TCO reports comparing on-premises and AWS environments for container platforms like EKS and managed databases.

Option D is incorrect because the AWS Cloud Economics Center and Cloud Value Framework provide conceptual guidance and methodology, not a workload-specific TCO report. AWS Cost and Usage Reports are used to analyze existing AWS usage, not to estimate costs for workloads that have not yet been migrated.

Therefore, using Migration Evaluator to collect on-premises data, model the target EKS and RDS architecture, and export a Quick Insights TCO report is the correct solution.

To migrate an on-premises SFTP site to AWS with high availability and a set of static public IP addresses for external vendors, the best solution is to create an AWS Transfer Family server with an internet-facing VPC endpoint. Assigning Elastic IP addresses to each subnet and configuring the server to store files in an Amazon Elastic File System (EFS) that spans multiple Availability Zones ensures high availability and consistent access. This approach minimizes operational overhead by leveraging AWS managed services and eliminates the need to manage underlying infrastructure.

AWS Documentation on AWS Transfer Family and Amazon Elastic File System provides detailed instructions on setting up a highly available SFTP environment on AWS. This solution is in line with AWS best practices for migrating and modernizing applications with minimal disruption and ensuring high availability and security.

The company wants logging that helps troubleshoot email delivery issues and also wants to search by recipient, subject, and time sent. Amazon SES provides event publishing for email sending and delivery events through configuration sets. With a configuration set, SES can publish sending events such as send, delivery, bounce, complaint, reject, and rendering failure to destinations such as Amazon CloudWatch, Amazon SNS, or Amazon Kinesis Data Firehose. For building a searchable log store, delivering these events into Amazon S3 through Kinesis Data Firehose is an effective approach because S3 provides durable storage and integrates well with query services.

Option A creates an SES configuration set with a Kinesis Data Firehose destination that delivers logs to an S3 bucket. This captures detailed SES event data that is directly useful for troubleshooting delivery issues and retaining historical records for analysis.

Once logs are stored in Amazon S3, Amazon Athena can query the data using SQL. Athena is designed to query data in S3 and is well suited for ad hoc searches. This meets the requirement to search based on recipient, subject, and time sent, assuming the event schema includes these fields (or they are included in the published event payload). Therefore, option C completes the solution by enabling searches over the stored log dataset.

Option B (CloudTrail) records API activity, such as calls made to SES APIs, but it is not designed to capture per-message delivery outcomes (deliveries, bounces, complaints) in a way that supports troubleshooting delivery behavior and detailed email event searching. CloudTrail is useful for auditing who called SES APIs, not for tracking message-level delivery events and outcomes.

Option D (CloudWatch log group) is another valid SES event publishing destination, but if the requirement is to perform flexible searches by multiple dimensions over a potentially large historical dataset, storing the logs in S3 and querying with Athena is a more direct and scalable pattern. Also, the provided option E is incorrect because Athena queries data in S3, not in CloudWatch Logs. CloudWatch Logs has its own query mechanism, but Athena is not used to query CloudWatch Logs directly in the way described.

Option E is incorrect because Amazon Athena does not query CloudWatch Logs as a log store. The typical searchable pattern for Athena is S3-backed datasets.

Therefore, the best combination to satisfy logging and searchable analysis requirements is to publish SES events to S3 via Kinesis Data Firehose (option A) and query those logs with Athena (option C).

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The current CI/CD pipeline uses an IAM user with long-lived access keys stored in GitHub Actions. The new requirement is that pipelines must not use long-lived secret keys. Instead, the solution should provide short-lived credentials with minimal operational overhead.

GitHub Actions natively supports integration with cloud providers using OpenID Connect (OIDC). With OIDC, GitHub acts as an identity provider that can issue OIDC tokens to workflows. On the AWS side, IAM supports configuring an OIDC identity provider and roles that can be assumed by principals presenting valid OIDC tokens through the sts:AssumeRoleWithWebIdentity API. This pattern enables short-lived, automatically rotated credentials for CI/CD jobs without storing long-lived secrets.

In the correct solution (option B), you configure an IAM OIDC identity provider for GitHub in the AWS account. You then create a new IAM role with a trust policy that allows the Github OIDC provider to call sts:AssumeRoleWithWebIdentity, with conditions that restrict which repositories or workflows can assume the role. The existing IAM policy that grants deployment permissions is attached to that role. In GitHub Actions, you update the pipeline configuration to request an OIDC token and assume the IAM role at runtime. Each workflow run receives short-lived credentials without storing static keys, and AWS automatically handles the token verification and temporary credential issuance. This approach is the AWS-recommended pattern for integrating GitHub Actions with AWS without long-lived secrets and has low operational overhead once configured.

Option A uses SAML 2.0, which is typically used for enterprise single sign-on for users, not for GitHub Actions workflows. GitHub does not natively use SAML to obtain AWS credentials for CI/CD pipelines in the same streamlined way as OIDC, and implementing a SAML-based integration would add unnecessary complexity.

Option C introduces Amazon Cognito as an indirection layer. Although Cognito can federate with external identity providers, including social providers, using it as an intermediary to obtain temporary AWS credentials for a machine-to-machine CI/CD pipeline is not necessary when IAM OIDC federation with GitHub is directly supported. This adds additional configuration and operational overhead.

Option D uses IAM Roles Anywhere with client certificates from AWS Private CA. Roles Anywhere is designed for workloads running outside AWS that need to assume IAM roles using X.509 certificates instead of access keys. While technically possible, it requires managing private certificates, trust anchors, and a credential helper tool, which is more complex and operationally heavier than the direct OIDC integration specifically designed for GitHub Actions.

Therefore, configuring an IAM OIDC identity provider for GitHub and creating an IAM role to be assumed via sts:AssumeRoleWithWebIdentity (option B) meets the requirement to replace long-lived secret keys with short-lived credentials with the least operational overhead.

Migrating the containers that run the application to AWS Fargate for Amazon Elastic Container Service (Amazon ECS) will meet the requirement of not administering the Docker hosting environment. AWS Fargate is a serverless compute engine that runs containerswithout requiring any infrastructure management3. Creating an Amazon Elastic File System (Amazon EFS) file system and adding a volume to the Fargate task definition to point to the EFS file system will meet the requirement of low-latency storage that will automatically scale throughput to meet increased demand. Amazon EFS is a fully managed file system service that provides shared access to data from multiple containers, supports NFSv4 protocol, and offers consistent performance and high availability4. Amazon EFS also supports automatic scaling of throughput based on the amount of data stored in the file system5.

Creating a quota request template in the us-east-1 Region of the management account ensures it applies to all newly provisioned accounts in the organization.

By specifying the required ml.p2.xlarge training job and endpoint usage quotas in ap-southeast-2, the accounts will automatically receive these higher quotas upon creation, supporting the student lab environments without additional manual quota requests.

This process integrates seamlessly with AWS Organizations for automated and standardized account provisioning.

The correct answer is A, C, and F. The company wants to host a private DNS namespace, myvpc.example.com, inside AWS and allow on-premises devices to resolve records in that namespace. A Route 53 private hosted zone is the correct hosted zone type because the domain is intended for private VPC resolution, not public internet DNS. To allow DNS queries from the on-premises network into AWS, Route 53 Resolver inbound endpoints are required. The on-premises DNS resolvers then need conditional forwarding rules that forward queries for myvpc.example.com to the IP addresses of the inbound Resolver endpoint. An outbound endpoint is used when AWS resources need to resolve DNS names hosted on premises. That is not the stated requirement here. A public hosted zone would expose records publicly and is not appropriate for private VPC DNS.

===============

C is correct: AWS Transfer Family can store uploaded files directly into Amazon S3.S3 event notificationscan triggerAWS Glue jobsto transform the data. Upon successful transformation, Glue can send a message toAmazon SQS, enabling event-driven architecture with minimal management.

A and D involve cron jobs or scheduled Glue jobs, which increase operational overhead and delay.

B (EMR) is overkill for frequent, lightweight transformations.

in this solution, two transit VIFs are created - one from the DX-A connection and one from the DX-B connection - into the same Direct Connect gateway for high availability. Both the eu-west-1 and us-east-1 transit gateways are then associated with this Direct Connect gateway. The transit gateways are then peered with each other to support cross-Region routing. This solution meets the requirements of the company by creating a highly available connection between the on-premises data center and the VPCs in both the eu-west-1 and us-east-1 regions, and by enabling direct traffic routing between VPCs in those regions.

The correct answer is B. The requirement is resource-side protection for all current and future private Amazon ECR repositories across the organization. AWS Organizations resource control policies are designed to centrally restrict permissions on resources in member accounts and are appropriate when external principals must be prevented from accessing organization-owned resources. AWS documentation lists Amazon Elastic Container Registry as a supported service for RCPs. A condition such as aws:PrincipalOrgID enforces that only principals from the same AWS Organization can access the resources. SCPs restrict principals in accounts, not resource exposure to external principals. Modifying IAM policies in hundreds of accounts is operationally poor and does not protect future repository policies consistently. AWS RAM is not the right control plane for private ECR repository access. (AWS Documentation)

===============

There are three core requirements: reduce/manage active database connections, keep communication private without internet exposure, and scale to many consumer accounts over time.

To manage and pool database connections to an Amazon RDS for PostgreSQL DB instance, the AWS-managed service designed for this purpose is Amazon RDS Proxy. RDS Proxy maintains a pool of database connections and multiplexes application connections onto fewer database connections. This reduces connection overhead on the database, improves resiliency during failovers, and helps control the number of active connections that reach the DB instance.

Next, the connectivity must be private across accounts and scalable as more consumer accounts are added. AWS PrivateLink provides scalable, private connectivity between VPCs and services across accounts without requiring VPC peering, transitive routing, or exposing traffic to the public internet. With PrivateLink, the database account can publish an endpoint service backed by a Network Load Balancer, and consumer accounts create interface endpoints in their VPCs to connect privately to that service. This is operationally scalable because adding new consumer accounts does not require managing a growing mesh of VPC peering relationships or complex route propagation; each consumer adds an interface endpoint.

Option B is the only option that addresses connection management by introducing RDS Proxy and uses PrivateLink to provide private, cross-account, scalable connectivity. The proxy endpoint being in private subnets aligns with the requirement that traffic stays private.

Option A is incorrect because a NAT gateway in a public subnet is used for outbound internet access from private subnets. It is not needed for private cross-account database access and introduces unnecessary public subnet components. Also, NAT gateways do not manage database connections. Transit gateway can provide private connectivity, but it does not address connection pooling, and the NAT gateway component is not appropriate for the stated requirement of avoiding internet exposure.

Option C is incorrect because an Application Load Balancer is not used to proxy raw PostgreSQL database traffic. PostgreSQL uses TCP, and ALB is primarily for HTTP/HTTPS and higher-layer routing. Also, VPC peering to each consumer VPC does not scale well as the number of accounts grows, and it creates operational overhead to manage many peering connections and route tables. It also does not manage DB connections.

Option D is incorrect because it uses VPC peering and NAT gateway. NAT gateway is again not the correct mechanism for private database access and does not provide connection pooling. VPC peering per consumer is not scalable and increases operational overhead.

Therefore, using RDS Proxy to manage connections and AWS PrivateLink (via an NLB-backed endpoint service) to provide private, scalable cross-account access is the correct solution.

an AWS Lambda function in the backup region to promote the read replica and modify the Auto Scaling group values, and then configuring Route 53 with a health check that monitors the web application and sends an Amazon SNS notification to the Lambda function when the health check status is unhealthy. Finally, the application ' s Route 53 record should be updated with a failover policy that routes traffic to the ALB in the backup region when a health check failure occurs. This approach provides automatic failover to the backup region when a health check failure occurs, reducing the RTO to less than 15 minutes. Additionally, this approach is cost-effective as it does not require an active-active strategy.

B is correct because it implements a fully serverless ingestion-and-streaming design that decouples request intake from processing and delivers real-time updates to clients over WebSockets. The HTTP API provides a serverless front door for REST requests. Sending requests to Amazon SQS buffers bursts and smooths spikes, preventing the backend from being overwhelmed as traffic grows. The SQS → Lambda pattern provides scalable, asynchronous processing. For the “stream data to clients through WebSockets” requirement, AWS AppSync Events (real-time publish/subscribe) allows clients to subscribe over persistent WebSocket connections and receive pushed updates with minimal latency, while producers (the Lambda function) publish events to channels that subscribers receive.

Why the other options are incorrect:

A: AWS Step Functions is an orchestration service for workflows. It does not provide a native mechanism to “set clients as targets” and push data back to arbitrary REST clients over WebSockets.

C: Amazon EventBridge rules can target AWS services (Lambda, SQS, SNS, etc.), but clients are not valid EventBridge targets for direct WebSocket streaming. This does not solve “stream to clients through WebSockets.”

D: CloudFront Functions are for lightweight request/response manipulation at the edge and cannot act as an origin or run complex business logic. Also, writing to an MQTT topic from a CloudFront Function is not a supported pattern. While AWS IoT Core can support MQTT over WebSockets for clients, the proposed CloudFront Function integration is not valid.