SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html

For a development environment that requires frequent resource recreation and connectivity to applications hosted in a shared services account, the most efficient solution involves using AWS Resource Access Manager (RAM) and the transit gateway in the shared services account. By turning on automatic acceptance for the transit gateway in the shared services account and sharing it with the development account through AWS RAM, the development team can easily recreate their connection as needed without manual intervention. This setup allows for scalable, flexible connectivity between accounts while minimizing operational overhead and ensuring consistent access to shared services.

AWS Documentation on AWS Resource Access Manager and Transit Gateway provides guidance on sharing network resources across AWS accounts and enabling automatic acceptance for transit gateway attachments. This approach is also supported by AWS best practices for multi-account strategies using AWS Organizations and network architecture.

https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html

The company is building an active-active, multi-Region architecture for an ECS-based web application behind ALBs, with shared container images in ECR and a relational database in Aurora MySQL. The goal is to duplicate the setup in a second Region with minimal operational overhead while allowing minor replication latency.

A is required because ACM certificates are Regional for use with Regional resources like an Application Load Balancer. An ALB in the secondary Region needs an ACM certificate that exists in that same Region to terminate HTTPS. Requesting (or importing) a certificate in the secondary Region and attaching it to the ALB HTTPS listener is the standard managed approach with low operational overhead.

B is not correct because ACM certificates are not shared “across Regions” for direct use by a Regional ALB in another Region. Sharing via AWS RAM is used for sharing resources across accounts within a Region (and for supported resource types), but it does not provide a mechanism to use an ACM certificate issued in one Region directly on an ALB in a different Region.

D is required because the application runs in both Regions and must be able to pull container images locally with minimal operational work. Amazon ECR supports cross-Region replication so images pushed in the primary Region can be replicated automatically to the secondary Region’s ECR repositories. This avoids building custom copy pipelines and reduces the chance of drift. Once replication is enabled, updating images in the primary Region can automatically populate the secondary Region repository.

C is not the best fit. A VPC endpoint for ECR is about private connectivity to ECR within a Region. It does not solve the multi-Region image availability problem by itself, and it introduces the idea of pulling images from the primary Region, which is unnecessary and less optimal when cross-Region replication can keep images local to each Region.

E is required because the database must support multi-Region application operation with tolerable replication latency. Aurora Global Database is the managed feature designed to replicate an Aurora cluster to a secondary Region with low-latency replication and minimal operational overhead compared to custom replication. Enabling write forwarding allows applications in the secondary Region to send write requests to the secondary cluster endpoint, with Aurora forwarding those writes to the primary writer. This reduces application changes compared to forcing all writes to go directly to the primary Region endpoints, and it supports an active-active application deployment pattern where both Regions can accept traffic.

F is not correct because “cross-Region writes between DB clusters” and “multiple writer instances in the primary Region” do not provide a managed, multi-Region, multi-writer Aurora design as described. Aurora’s managed multi-Region pattern is Aurora Global Database with a single primary writer in one Region (with the option to promote a secondary Region during failover) and optional write forwarding from a secondary Region to the primary. The option’s described cross-Region multi-writer behavior is not a standard supported Aurora configuration and would not be the least operational overhead approach.

Therefore, the least operational overhead combination that correctly addresses HTTPS termination in the secondary Region, image availability in both Regions, and managed multi-Region database replication is A, D, and E.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The scenario describes a central event broker and multiple microservices running in separate AWS accounts that all need to consume the same events. The requirement is to distribute events from a central location to many microservices across accounts in a scalable and loosely coupled way, as part of modernizing to a microservices architecture.

Amazon EventBridge is a serverless event bus service designed for event-driven architectures. It supports centralized event buses, rich content-based filtering with rules, and cross-account event routing. With EventBridge, you can create an event bus in a central account and define rules that match specific event patterns (for example, by microservice or event type). Each rule can have one or more targets, including event buses in other AWS accounts. This supports the pattern of having a central event bus in one account and distributing relevant events to other accounts, where each microservice consumes events either directly from its own event bus or through additional rules and targets in its own account.

In this solution, you create a new EventBridge event bus in the central account and grant the appropriate permissions for cross-account access (option B). You then define EventBridge rules on the central event bus, filtered per microservice or per event category, and configure the rules to send events to the respective event buses or targets in the microservices’ accounts. EventBridge handles the fan-out and delivery of events across accounts in a managed, scalable way, which aligns with the modernization goal and reduces the operational overhead of managing custom routing or polling logic.

Option A uses an SNS topic with SQS queues in each account. This is a valid fan-out pattern and supports cross-account subscriptions, but it is more suited to traditional pub/sub messaging and does not provide the event routing, filtering, and observability features that EventBridge offers for modern event-driven microservices. In scenarios that explicitly mention an event broker and modernization, EventBridge is the recommended service.

Option C is incorrect because Kinesis Data Streams is designed for high-throughput streaming data and requires building and managing consumer applications. The description in the option is also technically inaccurate; Kinesis does not “invoke” microservices directly as event targets in the same way as EventBridge or SNS does. Instead, applications must read from the stream.

Option D uses a single central SQS queue that all microservices read from. SQS provides at-least-once delivery to competing consumers, which means multiple consumers reading from the same queue will typically share messages rather than each getting all messages. This does not satisfy the requirement for multiple microservices to each receive the same events independently. It also reduces decoupling and observability compared to an event bus model.

Therefore, creating an Amazon EventBridge event bus in the central account with rules to distribute events across accounts (option B) best meets the requirements for distributing events from a central broker to multiple microservices across accounts in a modernized architecture.

Migrating to an Amazon EKS cluster with managed node groups minimizes the effort required because:

EKS is fully managed, offering native Kubernetes support, making it easy to deploy the existing Kubernetes manifests without major changes.

Copying containers to Amazon ECR allows for fully managed, scalable container image storage in AWS, eliminating reliance on the on-premises container repository.

Deploying the existing manifests directly to EKS reuses all the existing configuration, such as service definitions, deployments, and scaling policies, simplifying migration.

Using Amazon Aurora PostgreSQL provides a fully managed, highly available database service that is compatible with PostgreSQL, reducing operational overhead compared to managing a self-hosted database.This approach leverages the power of AWS managed services while preserving the existing microservices and deployment practices, ensuring minimal disruption and fastest migration path.

Resource-based policies are policies that you attach to a resource, such as an IAM role, to specify who can access the resource and what actions they can perform on it1. Identity-based policies are policies that you attach to an IAM user, group, or role to specify what actions they can perform on which resources2. Trust policies are special types of resource-based policies that define which principals (such as IAM users or roles) can assume a role3.

To allow an IAM user in Account A to assume a role in Account B, the solutions architect needs to do the following:

Configure the resource-based policy on the target role in Account B to allow the action sts:AssumeRole for the IAM user in Account A. This policy grants permission to the IAM user to assume the role4.

Configure the identity-based policy on the user in Account A to allow the action sts:AssumeRole for the target role in Account B. This policy grants permission to the user to perform the action of assuming the role5.

Configure the trust policy on the target role in Account B to allow the principal of the IAM user in Account A. This policy defines who can assume the role.

Resource-based policies

Identity-based policies

Trust policies

Granting a user permissions to switch roles

Switching roles

[Modifying a role trust policy]

A is correct becauseSSM Agent must be installed and actively runningon the instance for it to be managed by Systems Manager. Imported VMs typically do not have the agent installed by default.

B is also correct becausean IAM instance profilewith at least the AmazonSSMManagedInstanceCore policy must be attached to the instance to allow communication with SSM.

Option C is unnecessary if the instance has internet access (via public IP).

Option D relates to migration assessments, not Systems Manager.

Option E is good practice but not required for the instance to appear as managed.

•Use Amazon S3 for web hosting with AWS AppSync for database API services. Use Amazon Simple Queue Service (Amazon SQS) for order queuing. Use AWS Lambda for business logic with an Amazon SQS dead-letter queue for retaining failed orders.

This solution will allow you to:

•Host a static website on Amazon S3 without provisioning or managing servers1.

•Use AWS AppSync to create a scalable GraphQL API that connects to your database and other data sources1.

•Use Amazon SQS to decouple and scale your order processing microservices1.

•Use AWS Lambda to run code for your business logic without provisioning or managing servers1.

•Use an Amazon SQS dead-letter queue to retain messages that can’t be processed by your Lambda function1.

The goal is to ensure the application operates across multiple Availability Zones. That means removing single points of failure in compute, database, and network egress for private subnets.

For compute, the Auto Scaling group currently has min=1 and max=1, which guarantees only one instance is running at a time. Even if the Auto Scaling group spans multiple subnets, a single-instance configuration cannot provide multi-AZ active capacity because a failure of the Availability Zone hosting the single instance would cause downtime until a new instance is launched in a different zone. To operate across multiple Availability Zones, the solution should run multiple instances across different AZs, which implies increasing the minimum capacity above 1 and allowing the group to launch across multiple subnets/AZs.

For the database, a single-AZ RDS for MySQL instance is a single point of failure. Converting to an RDS Multi-AZ configuration provides synchronous replication to a standby in a different Availability Zone and managed failover to maintain availability when the primary AZ or instance fails.

For NAT, a single NAT gateway is an AZ-scoped managed resource. If private subnets in other AZs route to a NAT gateway in one AZ, an AZ outage can break outbound connectivity for workloads that depend on NAT. The resilient pattern is to deploy a NAT gateway in each Availability Zone and configure each private subnet’s route table to use the NAT gateway in the same AZ.

Option A addresses all three: it deploys additional NAT gateways per AZ and updates route tables accordingly, converts RDS to Multi-AZ, and adjusts Auto Scaling to launch across AZs with min and max set to 3 so there are instances running in multiple AZs simultaneously. This ensures the application remains available across AZ failures, meeting the requirement.

Option B replaces NAT with a virtual private gateway, which is used for VPN/Direct Connect connectivity, not for internet egress from private subnets. It does not satisfy the NAT functionality requirement. Although Aurora can provide high availability, the NAT replacement is not correct for the described architecture.

Option C increases operational overhead by replacing NAT gateway with NAT instances, which are self-managed and less resilient without additional design. It also changes the database engine to PostgreSQL unnecessarily and does not directly address the requirement with minimal change.

Option D improves NAT resiliency but only enables RDS automatic backups, which is a durability feature, not a high availability feature. Backups do not provide automatic failover and do not ensure the application will operate across multiple AZs. Also, keeping Auto Scaling min/max at 1 still leaves the application compute layer single-AZ at any given moment.

Therefore, option A is the correct solution.

Using AWS Backup to create a scheduled daily backup plan for the EC2 instances will enable taking snapshots of the EC2 instances and their attached EBS volumes1. Configuring the backup task to copy the backups to a vault in the secondary Region will enable maintaining backups in a separate Region1. In the event of a failure, launching the CloudFormation template will enable deploying the network configuration in the secondary Region2. Restoring the instance volumes and configurations from the backup vault will enable recovering the EC2 instances and their data1. Transferring usage to the secondary Region will enable resuming operations2.

because Amazon CloudFront considers the case of parameter names and values when caching based on query string parameters , thus inconsistent query strings may cause CloudFront to forward mixed-cased/misordered requests to the origin. Triggering a Lambda@Edge function based on a viewer request event to sort parameters by name and force them to be lowercase is the best choice. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/QueryStringParameters.html#query-string-parameters-optimizing-cachinghttps://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-cloudfront-trigger-events.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html#lambda-examples-normalize-query-string-parameters

Comprehensive and Detailed Explanation From Exact Extract:

D is correct because the requirement explicitly calls for (1) dedicated private connectivity, (2) automated and centrally managed operation, and (3) connectivity between on-premises data centers and multiple AWS Regions.

AWS Direct Connect provides dedicated private connectivity from on-premises environments to AWS. This is the key differentiator versus internet-based connectivity options when performance and consistency are required to meet strict SLAs.

AWS Cloud WAN provides centralized, policy-based management of a global network across Regions and on-premises attachments. Using Direct Connect attachments to Cloud WAN lets the company centrally define routing/segmentation policies and connect multiple data centers to multiple Regions in a consistent, automated way—well aligned to “automated and centrally managed” requirements for a multi-Region payment platform.

Why the other options are incorrect:

A (Global Accelerator) improves performance for internet-facing endpoints using Anycast and edge routing, but it does not provide private, dedicated connectivity between on-premises networks and AWS services. It is not the right tool for private HSM-to-AWS service connectivity.

B (Site-to-Site VPN + Transit Gateway) can be centrally routed with Transit Gateway, but VPN tunnels run over the public internet and are not “dedicated private connectivity.” They can be acceptable for many cases, but they do not best meet “dedicated private connectivity” and strict SLA expectations compared to Direct Connect.

C (CloudHSM) changes the architecture by moving tokenization into AWS-managed HSM infrastructure. The question states the company manages on-premises HSMs and needs private connectivity between those HSMs and AWS payment services, so replacing them with CloudHSM does not satisfy the stated connectivity requirement.

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html