SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

Question # 109

A company is running a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF.

An external customer needs to connect to the web application. The company must provide IP addresses to all external customers.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic IP address to the NLB.

Allocate an Elastic IP address. Assign the Elastic IP address to the ALProvide the Elastic IP address to the customer.

Create an AWS Global Accelerator standard accelerator. Specify the ALB as the accelerator's endpoint. Provide the accelerator's IP addresses to the customer.

Configure an Amazon CloudFront distribution. Set the ALB as the origin. Ping the distribution's DNS name to determine the distribution's public IP address. Provide the IP address to the customer.

Buy Now

Question # 110

Question:

A company runs an application on Amazon EC2 and AWS Lambda. The application stores temporary data in Amazon S3. The S3 objects are deleted after 24 hours.

The company deploys new versions of the application by launching AWS CloudFormation stacks. The stacks create the required resources. After validating a new version, the company deletes the old stack. The deletion of an old development stack recently failed.

A solutions architect needs to resolve this issue without major architecture changes.

Which solution will meet these requirements?

Options:

Create a Lambda function to delete objects from the S3 bucket. Add the Lambda function as a custom resource in the CloudFormation stack with a DependsOn attribute that points to the S3 bucket resource.

Modify the CloudFormation stack to attach a DeletionPolicy attribute with a value of Delete to the S3 bucket.

Update the CloudFormation stack to add a DeletionPolicy attribute with a value of Snapshot for the S3 bucket resource.

Update the CloudFormation template to create an Amazon EFS file system to store temporary files instead of Amazon S3. Configure the Lambda functions to run in the same VPC as the EFS file system.

Buy Now

Question # 111

An international delivery company hosts a delivery management system on AWS. Drivers use the system to upload confirmation of delivery. Confirmation includes the recipient's signature or a photo of the package with the recipient. The driver's handheld device uploads signatures and photos through FTP to a single Amazon EC2 instance. Each handheld device saves a file in a directory based on the signed-in user, and the file name matches the delivery number. The EC2 instance then adds metadata to the file after querying a central database to pull delivery information. The file is then placed in Amazon S3 for archiving.

As the company expands, drivers report that the system is rejecting connections. The FTP server is having problems because of dropped connections and memory issues. In response to these problems, a system engineer schedules a cron task to reboot the EC2 instance every 30 minutes. The billing team reports that files are not always in the archive and that the central system is not always updated.

A solutions architect needs to design a solution that maximizes scalability to ensure that the archive always receives the files and that systems are always updated. The handheld devices cannot be modified, so the company cannot deploy a new application.

Which solution will meet these requirements?

Options:

Create an AMI of the existing EC2 instance. Create an Auto Scaling group of EC2 instances behind an Application Load Balancer. Configure the Auto Scaling group to have a minimum of three instances.

Use AWS Transfer Family to create an FTP server that places the files in Amazon Elastic File System (Amazon EFS). Mount the EFS volume to the existing EC2 instance. Point the EC2 instance to the new path for file processing.

Use AWS Transfer Family to create an FTP server that places the files in Amazon S3. Use an S3 event notification through Amazon Simple Notification Service (Amazon SNS) to invoke an AWS Lambda function. Configure the Lambda function to add the metadata and update the delivery system.

Update the handheld devices to place the files directly in Amazon S3. Use an S3 eventnotification through Amazon Simple Queue Service (Amazon SQS) to invoke an AWS Lambda function. Configure the Lambda function to add the metadata and update the delivery system.

Buy Now

Question # 112

A company has an application that analyzes and stores image data on premises The application receives millions of new image files every day Files are an average of 1 MB in size The files are analyzed in batches of 1 GB When the application analyzes a batch the application zips the imagestogether The application then archives the images as a single file in an on-premises NFS server for long-term storage

The company has a Microsoft Hyper-V environment on premises and has compute capacity available The company does not have storage capacity and wants to archive the images on AWS The company needs the ability to retrieve archived data within t week of a request.

The company has a 10 Gbps AWS Direct Connect connection between its on-premises data center and AWS. The company needs to set bandwidth limits and schedule archived images to be copied to AWS dunng non-business hours.

Which solution will meet these requirements MOST cost-effectively?

Options:

Deploy an AWS DataSync agent on a new GPU-based Amazon EC2 instance Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Glacier Instant Retrieval After the successful copy delete the data from the on-premises storage

Deploy an AWS DataSync agent as a Hyper-V VM on premises Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Glacier Deep Archive After the successful copy delete the data from the on-premises storage

Deploy an AWS DataSync agent on a new general purpose Amazon EC2 instance Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Standard After the successful copy deletes the data from the on-premises storage Create an S3 Lifecycle rule to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 day

Deploy an AWS Storage Gateway Tape Gateway on premises in the Hyper-V environment Connect the Tape Gateway to AWS Use automatic tape creation Specify an Amazon S3 Glacier Deep Archive pool Eject the tape after the batch of images is copied

Buy Now

Question # 113

A company has an IoT data lake that is stored in Amazon S3. Data scientists in a separate AWS account need to analyze the data on Amazon EC2 instances in a VPC. Company policy requires that only authorized networks access the IoT data. The EC2 instances already have an IAM role that allows access to Amazon S3. An S3 access point exists on the data lake S3 bucket.

The company needs to provide secure access to the S3 data lake for the EC2 instances while complying with the policy that requires access from only authorized networks.

Which combination of steps will meet these requirements? (Select TWO.)

Options:

Create a gateway VPC endpoint for Amazon S3 in the data scientists’ VPC.

Update the S3 access point settings to block public access.

Update the EC2 instance role. Add a policy with a condition that denies the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.

Update the VPC route table to route S3 traffic to the S3 access point.

Add an S3 bucket policy with a condition that allows the s3:GetObject action when the value for the s3:DataAccessPointArn condition key is a valid access point ARN.

Buy Now

Answer:

A, E

Explanation:

The data scientists’ EC2 instances in a separate account must access S3 data in a controlled way that satisfies the policy: only authorized networks may access the IoT data. “Authorized networks” in this context means traffic must originate from approved VPCs and must not traverse the public internet.

First, traffic from the EC2 instances to S3 must stay on the AWS network without using public endpoints. A gateway VPC endpoint for S3 in the data scientists’ VPC (option A) allows EC2 instances in that VPC to reach S3 over private connectivity. When using a gateway VPC endpoint, the route tables of the subnets associated with the endpoint automatically route S3 traffic through the endpoint. This ensures that access to S3 is from an authorized network (the VPC) instead of from the public internet.

Second, access must be constrained such that only calls made through the intended S3 access mechanism are allowed. The data lake bucket already has an S3 access point. S3 access points can be restricted by policy and can be referenced in bucket policies through the s3:DataAccessPointArn condition key. By using an S3 bucket policy that allows s3:GetObject only when s3:DataAccessPointArn matches the expected access point ARN (option E), the company can enforce that all valid access uses the approved access point configuration. Combined with the access point’s own network configuration and the VPC endpoint, access is limited to authorized networks.

Option B, blocking public access on the access point, is a good general security practice but does not by itself guarantee that access is restricted to authorized VPC networks. The main enforcement must be through VPC endpoints and bucket/access point policies.

Option C denies s3:GetObject when s3:DataAccessPointArn is a valid access point ARN, which is the opposite of what is required. This would prevent intended access via the access point rather than allow it.

Option D is not correct because gateway VPC endpoints for S3 are configured via endpoint associations with route tables, not by directly routing to an access point in the route table. Traffic to S3 is routed to the VPC endpoint, and the endpoint plus S3 policies determine access.

Therefore, creating a gateway VPC endpoint for S3 in the data scientists’ VPC (option A) and using a bucket policy condition on s3:DataAccessPointArn to allow access only through the authorized access point (option E) together meet the requirement of secure, network-restricted access from authorized networks.

[References:AWS documentation on S3 gateway VPC endpoints for private access to S3 from VPCs.AWS documentation on S3 access points and the use of s3:DataAccessPointArn condition keys in bucket policies to control access paths., ]

Question # 114

A company's solutions architect needs to provide secure Remote Desktop connectivity to users for Amazon EC2 Windows instances that are hosted in a VPC. The solution must integrate centralized user management with the company's on-premises Active Directory. Connectivity to the VPC is through the internet. The company has hardware that can be used to establish an AWS Site-to-Site VPN connection.

Which solution will meet these requirements MOST cost-effectively?

Options:

Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory.Deploy an EC2 instance as a bastion host in the VPC. Ensure that the EC2 instance is joined to the domain. Use the bastion host to access the target instances through RDP.

Configure AWS IAM Identity Center (AWS Single Sign-On) to integrate with the on-premises Active Directory by using the AWS Directory Service for MicrosoftActive Directory AD Connector. Configure permission sets against user groups for access to AWS Systems Manager. Use Systems Manager Fleet Manager toaccess the target instances through RDP.

Implement a VPN between the on-premises environment and the target VPC. Ensure that the target instances are joined to the on-premises Active Directory domain over the VPN connection. Configure RDP access through the VPN. Connect from the company's network to the target instances.

Deploy a managed Active Directory by using AWS Directory Service for Microsoft Active Directory. Establish a trust with the on-premises Active Directory.Deploy a Remote Desktop Gateway on AWS by using an AWS Quick Start. Ensure that the Remote Desktop Gateway is joined to the domain. Use the Remote Desktop Gateway to access the target instances through RDP.

Buy Now

Question # 115

A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company’s marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Instruct each business unit to add a unique secondary CIDR range to the business unit's VPC. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.

Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account's VPC. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit's VPC. Perform NAT where necessary.

Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.

Create a Network Load Balancer (NLB) in front of the marketing application in a private subnet. Create an API Gateway API. Use the Amazon API Gateway private integration to connect the API to the NLB. Activate IAM authorization for the API. Grant access to the accounts of the other business units.

Buy Now

Question # 116

A company has an application that uses an Amazon Aurora PostgreSQL DB cluster for the application's database. The DB cluster contains one small primary instance and three larger replica instances. The application runs on an AWS Lambda function. The application makes many short-lived connections to the database's replica instances to perform read-only operations.

During periods of high traffic, the application becomes unreliable and the database reports that too many connections are being established. The frequency of high-traffic periods is unpredictable.

Which solution will improve the reliability of the application?

Options:

Use Amazon RDS Proxy to create a proxy for the DB cluster. Configure a read-only endpoint for the proxy. Update the Lambda function to connect to the proxyendpoint.

Increase the max_connections setting on the DB cluster's parameter group. Reboot all the instances in the DB cluster. Update the Lambda function to connect to the DB cluster endpoint.

Configure instance scaling for the DB cluster to occur when the DatabaseConnections metric is close to the max _ connections setting. Update the Lambda function to connect to the Aurora reader endpoint.

Use Amazon RDS Proxy to create a proxy for the DB cluster. Configure a read-only endpoint for the Aurora Data API on the proxy. Update the Lambda function to connect to the proxy endpoint.

Buy Now

Question # 117

A company uses a software package for surveys. During surveys, data is uploaded from a field operator's device to an Amazon S3 bucket. A custom application that runs on several Amazon EC2 instances polls the S3 bucket for new data. When new data is available, the software processes the data.

The data uploads are infrequent. The processing software can take up to 25 minutes to analyze each data upload. The company wants to optimize the application workflow to process the S3 data.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Modify the application to accept new S3 object keys as inputs. Containerize the application. Deploy the container to an Amazon ECS cluster that uses the AWS Fargate launch type. Configure S3 bucket notifications to send events to Amazon EventBridge when new objects are uploaded. Create an EventBridge rule that invokes an ECS task to run the application when a new S3 object event occurs.

Modify the application to accept new S3 object keys as inputs. Containerize the application. Deploy the container image to AWS Lambda functions. Create a new AWS Step Functions state machine to invoke the Lambda functions. Configure the state machine with a Task state that calls the Lambda functions. Set the Task state's Timeout property to 30 minutes.

Modify the application to accept new S3 object keys as inputs. Move the application from EC2 instances to Amazon ECS by using the EC2 capacity provider. Create an AWS Glue crawler to check the S3 bucket and invoke the application. Configure the application to process the data when the data is uploaded to Amazon S3.

Modify the application to use HTTP to poll new S3 object keys that reference data to process. Containerize the application. Deploy the container image to AWS Lambda functions. Configure S3 bucket notifications to send events to Amazon EventBridge when new objects are uploaded. Create an EventBridge rule that invokes the Lambda functions to post the new objects to HTTP endpoints by using fan-out.

Buy Now

Question # 118

A company uses AWS Organizations. The company creates a central VPC in an AWS account that is designated for networking in a single AWS Region. The central VPC has an AWS Site-to-Site VPN connection to the company's on-premises network. A solutions architect must create another AWS account that uses the same networking resources that the central VPC uses.

Which solution meets these requirements MOST cost-effectively?

Options:

Create a VPC in the new AWS account. Create a new Site-to-Site VPN connection for the on-premises connection.

Use AWS Resource Access Manager to share the VPN connection in the central VPC with the new AWS account.

Create a VPC in the new AWS account. Configure a virtual private gateway to connect to the central VPC.

Use AWS Resource Access Manager to share the subnets in the central VPC with the new AWS account.

Buy Now

Question # 119

A company has multiple AWS accounts. The company recently had a security audit that revealed many unencrypted Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon EC2 instances.

A solutions architect must encrypt the unencrypted volumes and ensure that unencrypted volumes will be detected automatically in the future. Additionally, the company wants a solution that can centrally manage multiple AWS accounts with a focus on compliance and security.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

Options:

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the strongly recommended guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.

Use the AWS CLI to list all the unencrypted volumes in all the AWS accounts. Run a script to encrypt all the unencrypted volumes in place.

Create a snapshot of each unencrypted volume. Create a new encrypted volume from the unencrypted snapshot. Detach the existing volume, and replace it with the encrypted volume.

Create an organization in AWS Organizations. Set up AWS Control Tower, and turn on the mandatory guardrails. Join all accounts to the organization. Categorize the AWS accounts into OUs.

Turn on AWS CloudTrail. Configure an Amazon EventBridge (Amazon CloudWatch Events) rule to detect and automatically encrypt unencrypted volumes.

Buy Now

Question # 120

A company has on-premises Linux, Windows, and Ubuntu servers that run many applications. The servers run on physical machines and VMs. The company plans to migrate the servers to Amazon EC2 instances.

The company needs to accomplish the following goals:

• Measure actual server usage, system performance, and running processes.

• List system configurations.

• Understand details of the network connections between systems.

• Analyze application components and dependencies within on-premises workloads.

• Receive EC2 instance sizing recommendations from AWS.

Which solution will meet these requirements?

Options:

Install AWS Systems Manager Agent (SSM Agent) on the physical machines and VMs to gather performance and usage information from servers. Use Systems Manager Application Manager to discover existing servers and to group servers into applications before the migration. Generate EC2 instance recommendations by using AWS Pricing Calculator.

Install the Amazon Inspector agent on the physical machines and VMs to gather performance and usage information from servers. Use AWS Migration Hub to discover existing servers and to group servers into applications before the migration. Generate EC2 instance recommendations by using AWS Compute Optimizer.

Install the AWS Application Discovery Agent on the physical machines and VMs to gather performance and usage information from servers. Use AWS Migration Hub to discover existing servers and to group servers into applications before the migration. Generate EC2 instance recommendations by using Migration Hub.

Install the unified Amazon CloudWatch agent on the physical machines and VMs to gather performance and usage information from servers. Use AWS Migration Hub to discover existing servers and to group servers into applications before the migration. Generate EC2 instance recommendations by using AWS Compute Optimizer.

Buy Now

Answer:

Explanation:

For migration planning, AWS provides specific tooling to discover on-premises servers, collect detailed performance and configuration data, and analyze application dependencies. The primary service for this purpose is AWS Application Discovery Service, which integrates with AWS Migration Hub.

The AWS Application Discovery Agent is installed on on-premises physical servers and VMs. It collects detailed information such as CPU, memory, and disk utilization; processes and services running on the system; system configuration details; and network connections between systems. This allows the company to understand how servers communicate, what applications are running, and what dependencies exist between components.

This data is sent to AWS Application Discovery Service and surfaced through AWS Migration Hub, where the company can view discovered servers, group them logically into applications, and analyze migration readiness. Migration Hub can use this collected data to provide recommendations for EC2 instance sizing that are based on actual on-premises utilization metrics, helping choose appropriate EC2 instance types and sizes.

Option C directly describes installing the AWS Application Discovery Agent, using AWS Migration Hub to discover and group servers into applications, and using Migration Hub to generate EC2 instance recommendations. This aligns with AWS’s migration assessment tooling and meets all the stated goals: performance measurement, system configuration listing, network connection understanding, dependency analysis, and instance sizing recommendations.

Option A uses AWS Systems Manager Agent and Application Manager. While Systems Manager can manage servers and collect some information, it is not the primary tool for detailed migration discovery, networking dependency mapping, and migration-focused analysis. It also suggests using AWS Pricing Calculator for instance recommendations, which requires manual input and does not automatically derive recommendations from observed utilization and dependencies.

Option B suggests using the Amazon Inspector agent to gather performance and usage information. Amazon Inspector is designed for vulnerability and security assessments, not for detailed migration discovery or dependency mapping. Additionally, AWS Compute Optimizer currently bases its recommendations on usage metrics from AWS resources, not on-premises servers.

Option D uses the CloudWatch agent to collect metrics and then Migration Hub and Compute Optimizer. The CloudWatch agent is not the standard agent for migration discovery and dependency analysis of on-premises workloads. Also, Compute Optimizer focuses on optimization of existing AWS resources rather than creating recommendations based on on-premises utilization.

Therefore, installing the AWS Application Discovery Agent and using AWS Migration Hub (option C) is the correct solution to satisfy all the requirements for migration assessment and EC2 sizing recommendations.

[References:AWS documentation on AWS Application Discovery Service and AWS Migration Hub for discovering on-premises servers, analyzing dependencies, and planning migrations.AWS migration guidance on using discovery data to generate EC2 instance sizing recommendations.]

Question # 121

A company is deploying a distributed in-memory database on a fleet of Amazon EC2 instances. The fleet consists of a primary node and eight worker nodes. The primary node is responsible for monitoring cluster health, accepting user requests, distributing user requests to worker nodes, and sending an aggregate response back to a client. Worker nodes communicate with each other to replicate data partitions.

The company requires the lowest possible networking latency to achieve maximum performance.

Which solution will meet these requirements?

Options:

Launch memory optimized EC2 instances in a partition placement group.

Launch compute optimized EC2 instances in a partition placement group.

Launch memory optimized EC2 instances in a cluster placement group

Launch compute optimized EC2 instances in a spread placement group.

Buy Now

Question # 122

A company wants to migrate its on-premises data center to the AWS Cloud. This includes thousands of virtualized Linux and Microsoft Windows servers, SAN storage, Java and PHP applications with MYSQL, and Oracle databases. There are many dependent services hosted either in the same data center or externally.

The technical documentation is incomplete and outdated. A solutions architect needs to understand the current environment and estimate the cloud resource costs after the migration.

Which tools or services should solutions architect use to plan the cloud migration? (Choose three.)

Options:

AWS Application Discovery Service

AWS SMS

AWS x-Ray

AWS Cloud Adoption Readiness Tool (CART)

Amazon Inspector

AWS Migration Hub

Buy Now

Question # 123

A large company is running a popular web application. The application runs on several Amazon EC2 Linux Instances in an Auto Scaling group in a private subnet. An Application Load Balancer is targeting the Instances In the Auto Scaling group in the private subnet. AWS Systems Manager Session Manager Is configured, and AWS Systems Manager Agent is running on all the EC2 instances.

The company recently released a new version of the application Some EC2 instances are now being marked as unhealthy and are being terminated As a result, the application is running at reduced capacity A solutions architect tries to determine the root cause by analyzing Amazon CloudWatch logs that are collected from the application, but the logs are inconclusive

How should the solutions architect gain access to an EC2 instance to troubleshoot the issue1?

Options:

Suspend the Auto Scaling group's HealthCheck scaling process. Use Session Manager to log in to an instance that is marked as unhealthy

Enable EC2 instance termination protection Use Session Manager to log In to an instance that is marked as unhealthy.

Set the termination policy to Oldestinstance on the Auto Scaling group. Use Session Manager to log in to an instance that is marked as unhealthy

Suspend the Auto Scaling group's Terminate process. Use Session Manager to log in to an instance that is marked as unhealthy

Buy Now

Exam Code: SAP-C02

Exam Name: AWS Certified Solutions Architect - Professional

Last Update: Jan 31, 2026

Questions: 607

SAP-C02 PDF

$25.5 ~~$84.99~~

Add to Cart

SAP-C02 Testing Engine

$28.5 ~~$94.99~~

Add to Cart

SAP-C02 PDF + Testing Engine

$40.5 ~~$134.99~~

Add to Cart

Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: Board70

certsboard certification exams

Navigation:

SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

Options:

Answer:

Explanation:

SAP-C02 PDF

SAP-C02 Testing Engine

SAP-C02 PDF + Testing Engine

Quick Links

Recently New Released Certification Exams

Site Secure