SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

A is correct because AWS recommends using oneconnection alias per Region, associated witheach directory. Then, configure a Route 53 failover policy so that if the primary Region becomes unhealthy, users are directed to the failover Region automatically. “Evaluate Target Health” ensures automatic detection and failover.

Comprehensive and Detailed Explanation:

This question tests knowledge of private access patterns to Amazon S3 from:

resources inside a VPC, and

users in an on-premises environment connected through Site-to-Site VPN.

The correct answer is B because the company has two different traffic sources with different endpoint requirements.

Why B is correct

For the EC2 instance inside the private VPC:

An S3 gateway endpoint is the standard and most cost-effective method for private access from resources in the VPC to Amazon S3. With a gateway endpoint, traffic from the VPC to S3 stays on the AWS network and does not require a NAT gateway or internet gateway. This satisfies the requirement to remove the NAT gateways for the application’s S3 access.

For the on-premises users over the Site-to-Site VPN:

Gateway endpoints are for use within the VPC and are not accessed from on-premises networks over VPN or Direct Connect. To allow on-premises clients to access S3 privately through the VPC, the architecture needs an S3 interface endpoint with private DNS enabled. Interface endpoints create elastic network interfaces in the VPC and can be reached privately from connected on-premises environments, assuming routing and DNS are configured correctly.

Therefore, the combination is required:

S3 gateway endpoint for VPC resources

S3 interface endpoint with private DNS for on-premises access through VPN

This design allows both the EC2 application and on-premises users to access S3 without using the public internet.

Why A is incorrect

An S3 gateway endpoint works for VPC resources, but it does not provide private access for on-premises users over Site-to-Site VPN. On-premises networks cannot route directly to a gateway endpoint in the way described. That makes A incomplete and incorrect.

Why C is incorrect

Mountpoint for Amazon S3 is a way to mount an S3 bucket for file-like access from an EC2 instance or similar compute environment. It does not solve the connectivity requirement for on- premises users, and it does not address the broader network design requirement of private S3 access without NAT gateways for all stated users. It also does not replace the need for appropriate VPC endpoint architecture.

Why D is incorrect

Storage Browser for S3 is not the solution to provide private network connectivity for an application and on-premises users. It is unrelated to the core architecture requirement. The question is asking about private access paths to S3, not a user interface or client-side browser tool.

Key design principle being tested

This question checks whether you know the distinction between:

S3 gateway endpoints for traffic originating from within the VPC

S3 interface endpoints for private access from on-premises environments over hybrid connectivity

It also tests whether you understand that removing NAT gateways is possible for S3 access from private subnets when a VPC endpoint is used.

Final justification

Because the company needs:

private S3 access from an EC2 instance in a private VPC, and

private S3 access from on-premises users over VPN,

while removing NAT gateways,

the correct design is to use:

an S3 gateway endpoint for the VPC application, and

an S3 interface endpoint with private DNS for the on-premises users.

That makes B the best answer.

The requirement is to continuously scan all AWS resources in this solution for security vulnerabilities with the least operational overhead. The environment includes Amazon EKS worker nodes in a managed node group and an Amazon ECR repository that stores container images used by the EKS cluster.

Amazon Inspector is a managed vulnerability scanning service that integrates directly with multiple AWS resource types. It can automatically discover Amazon EC2 instances (including EKS managed node group instances) and perform continuous vulnerability assessments against them, using software inventory and known CVE databases. Inspector also integrates with Amazon ECR to scan container images for vulnerabilities when images are pushed to the repository and periodically thereafter, providing continuous assessment of image security posture without requiring separate scanners or infrastructure.

By activating Amazon Inspector for the account and region, the service will automatically start tracking supported resources, including EKS-managed EC2 instances and ECR repositories, and will begin scanning them for known vulnerabilities. Findings are provided through the Inspector console and can be integrated with other services such as AWS Security Hub or Amazon EventBridge for further aggregation and automation, but no separate infrastructure deployment or maintenance is required.

Option B, therefore, provides end-to-end vulnerability scanning for both the EKS nodes and the ECR images with minimal operational overhead, because it leverages a fully managed AWS service that automatically discovers and scans supported resources.

Option A is not correct because AWS Security Hub does not itself perform vulnerability scanning. Security Hub aggregates and normalizes security findings from various AWS services, including Amazon Inspector, GuardDuty, and others. It is a security posture management and aggregation service, not a vulnerability scanner.

Option C introduces additional operational overhead by requiring the company to provision, configure, secure, and maintain a separate EC2 instance running a third-party vulnerability scanning tool. While ECR basic scan-on-push can detect some image vulnerabilities, the EC2- based scanner must be managed, updated, and scaled by the customer, which violates the requirement for the least operational overhead when a fully managed alternative exists.

Option D is incorrect because the Amazon CloudWatch agent is used for metrics and log collection from EC2 instances and other environments; it does not perform vulnerability scanning or CVE analysis. Configuring CloudWatch for monitoring and logging does not meet the requirement to continuously scan for security vulnerabilities. ECR basic scans also provide only image-level scanning and do not cover the EKS nodes themselves.

Therefore, enabling Amazon Inspector to scan both the EKS nodes and the ECR repository, as described in option B, is the solution that meets the continuous vulnerability scanning requirement with the least operational overhead.

Because MSK has Maximum number of client connections 1000 per second and the company has 10,000 sensors, the MSK likely will not be able to handle all connectionshttps://docs.aws.amazon.com/msk/latest/developerguide/limits.html

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.html

https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption AWS is now transitioning the previous term ' guardrail ' new term ' control ' .

D is correct because thehealth check grace perioddefines how long Auto Scaling waits after launching an instance before checking its health status. With the larger content added to the S3 bucket, the instance initialization (via user data) is taking longer. Increasing the grace period allows the instance time to complete startup tasks before it’s marked as unhealthy.

Option A would not necessarily reduce startup time — the issue is likely network latency or the size of the content.

Option B only affects the timeout for health check responses, not the delay before they begin.

Option C is not applicable unless the health check path itself is invalid (which isn ' t mentioned).

For an application requiring low-latency access to financial information and high availability with a Recovery Time Objective (RTO) of 30 seconds, using Amazon DynamoDB for data storage and Amazon QuickSight for reporting is the most suitable solution. DynamoDB offers fast, consistent, and single-digit millisecond latency for data retrieval, meeting the latency requirements. QuickSight ' s ability to directly query DynamoDB datasets and provide embedded dashboards for reporting enables real-time financial report generation. This combination ensures high availability and meets the RTO requirement, providing a robust solution for the application ' s needs.

Amazon DynamoDB Documentation: Describes the features and benefits of DynamoDB, emphasizing its performance and scalability for applications requiring low-latency access to data.

Amazon QuickSight Documentation: Provides information on using QuickSight for creating and embedding interactive dashboards, including direct querying of DynamoDB datasets for real-time data visualization.

https://aws.amazon.com/solutions/implementations/disaster-recovery-for-aws-iot/

Deploying the application on Amazon EKS with managed node groups simplifies the operational overhead of managing the Kubernetes cluster. Running the web servers and application as Kubernetes deployments ensures that the desired number of pods are always running and can scale up or down as needed. Storing the frontend web server session data in an Amazon DynamoDB table provides a fast, scalable, and durable storage option that can be accessed across multiple Availability Zones. Creating an Amazon EFS volume that all applications will mount at the time of deployment allows the application to share data that is frequently accessed between the web and application tiers. References:

https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html

https://docs.aws.amazon.com/eks/latest/userguide/deployments.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html

A is correct because:

CloudFormation templatesenable repeatable infrastructure deployment.

Route 53 latency-based routingensures users hit the closest Region.

DynamoDB global tablesallow multi-Region, active-active replication of application data.

Manual console work (B) is not scalable.

C lacks EC2/ALB replication.

D adds unnecessary services like Beanstalk and doesn’t scale cleanly.

https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/

C: Multipart uploads can leave incomplete parts behind, which incur storage costs. Expiring them after 7 days minimizes waste and saves cost.

E: Since objects are infrequently accessed after 180 days, transitioning toS3 Standard-IAis cost-effective, especially for large files > 128 KB (your 100 MB+ files qualify).

Ais for shifting download cost, not reducing your S3 storage expenses.

Bhelps with upload speed butincreases cost.

Dis too aggressive; Glacier is not suited for access patterns within the first few days.