Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Amazon Web Services AWS Certified Professional SAP-C02 Questions and answers with Dumpstech

Exam SAP-C02 Premium Access

View all detail and faqs for the SAP-C02 exam

Go to Exam

Practice at least 50% of the questions to maximize your chances of passing.

Viewing page 3 out of 13 pages

Viewing questions 31-45 out of questions

Questions # 31:

A company is deploying a new application on AWS. The application consists of an Amazon EKS cluster and an Amazon ECR repository. The EKS cluster has an AWS managed node group.

The company's security guidelines state that all resources on AWS must be continuously scanned for security vulnerabilities.

Which solution will meet this requirement with the LEAST operational overhead?

Options:

Activate AWS Security Hub. Configure Security Hub to scan the EKS nodes and the ECR repository.

Activate Amazon Inspector to scan the EKS nodes and the ECR repository.

Launch a new Amazon EC2 instance and install a vulnerability scanning tool from AWS Marketplace. Configure the EC2 instance to scan the EKS nodes. Configure Amazon ECR to perform a basic scan on push.

Install the Amazon CloudWatch agent on the EKS nodes. Configure the CloudWatch agent to scan continuously. Configure Amazon ECR to perform a basic scan on push.

Answer

Explanation

The requirement is to continuously scan all AWS resources in this solution for security vulnerabilities with the least operational overhead. The environment includes Amazon EKS worker nodes in a managed node group and an Amazon ECR repository that stores container images used by the EKS cluster.

Amazon Inspector is a managed vulnerability scanning service that integrates directly with multiple AWS resource types. It can automatically discover Amazon EC2 instances (including EKS managed node group instances) and perform continuous vulnerability assessments against them, using software inventory and known CVE databases. Inspector also integrates with Amazon ECR to scan container images for vulnerabilities when images are pushed to the repository and periodically thereafter, providing continuous assessment of image security posture without requiring separate scanners or infrastructure.

By activating Amazon Inspector for the account and region, the service will automatically start tracking supported resources, including EKS-managed EC2 instances and ECR repositories, and will begin scanning them for known vulnerabilities. Findings are provided through the Inspector console and can be integrated with other services such as AWS Security Hub or Amazon EventBridge for further aggregation and automation, but no separate infrastructure deployment or maintenance is required.

Option B, therefore, provides end-to-end vulnerability scanning for both the EKS nodes and the ECR images with minimal operational overhead, because it leverages a fully managed AWS service that automatically discovers and scans supported resources.

Option A is not correct because AWS Security Hub does not itself perform vulnerability scanning. Security Hub aggregates and normalizes security findings from various AWS services, including Amazon Inspector, GuardDuty, and others. It is a security posture management and aggregation service, not a vulnerability scanner.

Option C introduces additional operational overhead by requiring the company to provision, configure, secure, and maintain a separate EC2 instance running a third-party vulnerability scanning tool. While ECR basic scan-on-push can detect some image vulnerabilities, the EC2-based scanner must be managed, updated, and scaled by the customer, which violates the requirement for the least operational overhead when a fully managed alternative exists.

Option D is incorrect because the Amazon CloudWatch agent is used for metrics and log collection from EC2 instances and other environments; it does not perform vulnerability scanning or CVE analysis. Configuring CloudWatch for monitoring and logging does not meet the requirement to continuously scan for security vulnerabilities. ECR basic scans also provide only image-level scanning and do not cover the EKS nodes themselves.

Therefore, enabling Amazon Inspector to scan both the EKS nodes and the ECR repository, as described in option B, is the solution that meets the continuous vulnerability scanning requirement with the least operational overhead.

[References:AWS documentation for Amazon Inspector capabilities including automated discovery and continuous vulnerability scanning for EC2 instances and Amazon ECR images.AWS documentation describing AWS Security Hub as a security findings aggregation and posture management service rather than a vulnerability scanner.AWS documentation for the Amazon CloudWatch agent and its role in collecting metrics and logs, not performing security scans., , ]

Questions # 32:

A solutions architect is designing a solution to automatically provision new AWS accounts in an organization in AWS Organizations. The solutions architect has enabled AWS Control Tower for the organization. The solution must enable security controls and create resources such as billing alarms after creating new AWS accounts. The solution must be scalable. Which solution meets these requirements with the LEAST operational overhead?

Options:

Create a new AWS account in the organization. Deploy a blueprint to the new AWS account. Define a blueprint that creates resources such as billing alarms. Configure AWS Control Tower to apply the blueprint after creating the new AWS account

Create a new AWS account in the organization. Establish trusted access to the account by using an AWS Cloud Formation template. Enroll the new AWS account into AWS Control Tower. Deploy a blueprint to the new AWS account by using AWS Control Tower to provision resources.

Use Account Factory to initiate the creation of a new AWS account by using AWS Service Catalog. Configure a lifecycle event in AWS Control Tower that invokes an AWS Lambda function. Configure the Lambda function to deploy an AWS CloudFormation template by using the AWSControlTowerExecution role.

Use Account Factory to initiate the creation of a new AWS account by using AWS Control Tower. Define a blueprint that creates resources such as billing alarms. Configure AWS Control Tower to apply the blueprint after creating the new AWS account.

Questions # 33:

A solutions architect must provide a secure way for a team of cloud engineers to use the AWS CLI to upload objects into an Amazon S3 bucket Each cloud engineer has an IAM user. IAM access keys and a virtual multi-factor authentication (MFA) device The IAM users for the cloud engineers are in a group that is named S3-access The cloud engineers must use MFA to perform any actions in Amazon S3

Which solution will meet these requirements?

Options:

Attach a policy to the S3 bucket to prompt the 1AM user for an MFA code when the 1AM user performs actions on the S3 bucket Use 1AM access keys with the AWS CLI tocall Amazon S3

Update the trust policy for the S3-access group to require principals to use MFA when principals assume the group Use 1AM access keys with the AWS CLI to call Amazon S3

Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Use 1AM access keys with the AWS CLI to call Amazon S3

Attach a policy to the S3-access group to deny all S3 actions unless MFA is present Request temporary credentials from AWS Security Token Service (AWS STS) Attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3

Answer

Explanation

The company should attach a policy to the S3-access group to deny all S3 actions unless MFA is present. The company should request temporary credentials from AWS Security Token Service (AWS STS). The company should attach the temporary credentials in a profile that Amazon S3 will reference when the user performs actions in Amazon S3. This solution will meet the requirements because AWS STS is a service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users). You can use MFA with AWS STS to provide an extra layer of security when requesting temporary credentials1. You can use the sts get-session-token AWS CLI command to request temporary credentials that include an MFA token2. You can then use these credentials with the AWS CLI to access Amazon S3 resources. To do this, you need to attach a policy to the IAM group that denies all S3 actions unless MFA is present3.You also need to create a profile in the AWS CLI configuration file that references the temporary credentials.

The other options are not correct because:

Attaching a policy to the S3 bucket to prompt the IAM user for an MFA code when the IAM user performs actions on the S3 bucket would not work because policies attached to S3 buckets cannot enforce MFA authentication. Policies attached to S3 buckets are resource-based policies that define what actions can be performed on the bucket and by whom. They do not have any logic to prompt for an MFA code or verify it.

Updating the trust policy for the S3-access group to require principals to use MFA when principals assume the group would not work because trust policies are used for roles, not groups. Trust policies are policies that define which principals can assume a role. They do not apply to groups, which are collections of IAM users that share permissions.

Creating an Amazon Route 53 Resolver DNS Firewall domain list that contains the allowed domains and configuring a DNS Firewall rule group with rules to allow or block requests based on the domain list would not help with enforcing MFA authentication for Amazon S3 actions. Amazon Route 53 Resolver DNS Firewall is a feature that enables you to filter and regulate outbound DNS traffic for your VPC. You can create reusable collections of filtering rules in DNS Firewall rule groups and associate them with your VPCs. You can specify lists of domain names to allow or block, and you can customize the responses for the DNS queries that you block. This feature is useful for controlling access to sites and blocking DNS-level threats, but not for requiring MFA authentication.

[References:, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_enable_cliapi.html, https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html, https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html, https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html, , , , , , ]

Questions # 34:

A company has created an OU in AWS Organizations for each of its engineering teams Each OU owns multiple AWS accounts. The organization has hundreds of AWS accounts A solutions architect must design a solution so that each OU can view a breakdown of usage costs across its AWS accounts. Which solution meets these requirements?

Options:

Create an AWS Cost and Usage Report (CUR) for each OU by using AWS Resource Access Manager Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

Create an AWS Cost and Usage Report (CUR) from the AWS Organizations management account- Allow each team to visualize the CUR through an Amazon QuickSight dashboard

Create an AWS Cost and Usage Report (CUR) in each AWS Organizations member account Allow each team to visualize the CUR through an Amazon QuickSight dashboard.

Create an AWS Cost and Usage Report (CUR) by using AWS Systems Manager Allow each team to visualize the CUR through Systems Manager OpsCenter dashboards

Questions # 35:

A company migrated to AWS and uses AWS Business Support. The company wants to monitor thecost-effectiveness of Amazon EC2 instances. The EC2 instances have tags for department, business unit, and environment. Development EC2 instances have high cost but low utilization.

The company needs to detect and stop any underutilized development EC2 instances. Instances are underutilized if they had 10% or less average CPU utilization and 5 MB or less network I/O for at least 4 of the past 14 days.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Configure Amazon CloudWatch dashboards to monitor EC2 instance utilization based on tags for department, business unit, and environment. Create an Amazon EventBridge rule that invokes an AWS Lambda function to stop underutilized development EC2 instances.

Configure AWS Systems Manager to track EC2 instance utilization and report underutilized instances to Amazon CloudWatch. Filter the CloudWatch data by tags for department, business unit, and environment. Create an Amazon EventBridge rule that invokes an AWS Lambda function to stop underutilized EC2 instances.

Create an Amazon EventBridge rule to detect low utilization of EC2 instances reported by AWS Trusted Advisor. Configure the rule to invoke a Lambda function that filters the data by tags for department, business unit, and environment and stops underutilized development EC2 instances.

Create an AWS Lambda function to run daily to retrieve utilization data for all EC2 instances. Save the data to an Amazon DynamoDB table. Create a QuickSight dashboard that uses the DynamoDB table as a data source to identify and stop underutilized development EC2 instances.

Questions # 36:

A large mobile gaming company has successfully migrated all of its on-premises infrastructure tothe AWS Cloud. A solutions architect is reviewing the environment to ensure that it was built according to the design and that it is running in alignment with the Well-Architected Framework.

While reviewing previous monthly costs in Cost Explorer, the solutions architect notices that the creation and subsequent termination of several large instance types account for a high proportion of the costs. The solutions architect finds out that the company's developers are launching new Amazon EC2 instances as part of their testing and that the developers are not using the appropriate instance types.

The solutions architect must implement a control mechanism to limit the instance types that only the developers can launch.

Which solution will meet these requirements?

Options:

Create a desired-instance-type managed rule in AWS Config. Configure the rule with the instance types that are allowed. Attach the rule to an event to run each time a new EC2 instance is launched.

In the EC2 console, create a launch template that specifies the instance types that are allowed. Assign the launch template to the developers' IAM accounts.

Create a new IAM policy. Specify the instance types that are allowed. Attach the policy to an IAM group that contains the IAM accounts for the developers

Use EC2 Image Builder to create an image pipeline for the developers and assist them in the creation of a golden image.

Questions # 37:

A company wants to modernize a monolithic application in the company's data center and deploy the application on AWS. The monolithic application consists of an event broker in a central account and multiple microservices in individual AWS accounts. The event broker and the microservices are deployed on Amazon ECS clusters that use the Fargate launch type.

Multiple microservices need access to the same events from the event broker. The company wants to distribute events from the central event broker to each microservice across accounts.

Which solution will meet these requirements?

Options:

Create an Amazon SNS topic in the central account. Add a topic policy to allow other accounts to subscribe to the topic. Create an Amazon SQS queue in each individual AWS account. Subscribe the SQS queue to the SNS topic. Configure the microservices to read events from their own SQS queue.

Create a new Amazon EventBridge event bus in the central account with the required permissions. Add EventBridge rules filtered by service for each microservice. Invoke the rules to route events to other accounts.

Create a data stream in Amazon Kinesis Data Streams in the central account. Create an IAM policy to grant the necessary permissions to access the data stream. Set each of the microservices as an event source on the Kinesis stream. Configure the stream to invoke each microservice.

Create a new Amazon SQS queue as the event broker in the central account. Grant the required permissions. Configure each of the microservices to read messages from the central SQS queue.

Answer

Explanation

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The scenario describes a central event broker and multiple microservices running in separate AWS accounts that all need to consume the same events. The requirement is to distribute events from a central location to many microservices across accounts in a scalable and loosely coupled way, as part of modernizing to a microservices architecture.

Amazon EventBridge is a serverless event bus service designed for event-driven architectures. It supports centralized event buses, rich content-based filtering with rules, and cross-account event routing. With EventBridge, you can create an event bus in a central account and define rules that match specific event patterns (for example, by microservice or event type). Each rule can have one or more targets, including event buses in other AWS accounts. This supports the pattern of having a central event bus in one account and distributing relevant events to other accounts, where each microservice consumes events either directly from its own event bus or through additional rules and targets in its own account.

In this solution, you create a new EventBridge event bus in the central account and grant the appropriate permissions for cross-account access (option B). You then define EventBridge rules on the central event bus, filtered per microservice or per event category, and configure the rules to send events to the respective event buses or targets in the microservices’ accounts. EventBridge handles the fan-out and delivery of events across accounts in a managed, scalable way, which aligns with the modernization goal and reduces the operational overhead of managing custom routing or polling logic.

Option A uses an SNS topic with SQS queues in each account. This is a valid fan-out pattern and supports cross-account subscriptions, but it is more suited to traditional pub/sub messaging and does not provide the event routing, filtering, and observability features that EventBridge offers for modern event-driven microservices. In scenarios that explicitly mention an event broker and modernization, EventBridge is the recommended service.

Option C is incorrect because Kinesis Data Streams is designed for high-throughput streaming data and requires building and managing consumer applications. The description in the option is also technically inaccurate; Kinesis does not “invoke” microservices directly as event targets in the same way as EventBridge or SNS does. Instead, applications must read from the stream.

Option D uses a single central SQS queue that all microservices read from. SQS provides at-least-once delivery to competing consumers, which means multiple consumers reading from the same queue will typically share messages rather than each getting all messages. This does not satisfy the requirement for multiple microservices to each receive the same events independently. It also reduces decoupling and observability compared to an event bus model.

Therefore, creating an Amazon EventBridge event bus in the central account with rules to distribute events across accounts (option B) best meets the requirements for distributing events from a central broker to multiple microservices across accounts in a modernized architecture.

[References:AWS documentation on Amazon EventBridge event buses, cross-account event routing, and rule-based filtering and targeting.AWS guidance for event-driven microservices architectures and centralized event broker patterns.]

Questions # 38:

Question:

A company mandates that all internal AWS communications useprivate IPs. A solutions architect createdinterface VPC endpointsfor public AWS services like S3. However, service names are still resolving topublic IP addresses, and the internal apps cannot connect.

What should the architect do to resolve this issue?

Options:

Update the subnet route table with a route to the interface endpoint.

Enable the private DNS option on the VPC attributes.

Configure the security group on the interface endpoint to allow access.

Configure a private hosted zone with conditional forwarding.

Questions # 39:

A company wants to use AWS for disaster recovery for an on-premises application. The company has hundreds of Windows-based servers that run the application. All the servers mount a common share.

The company has an RTO of 15 minutes and an RPO of 5 minutes. The solution must support native failover and fallback capabilities.

Which solution will meet these requirements MOST cost-effectively?

Options:

Create an AWS Storage Gateway File Gateway. Schedule daily Windows server backups. Save the data lo Amazon S3. During a disaster, recover the on-premises servers from the backup. During failback. run the on-premises servers on Amazon EC2 instances.

Create a set of AWS CloudFormation templates to create infrastructure. Replicate all data to Amazon Elastic File System (Amazon EFS) by using AWS DataSync. During a disaster, use AWS CodePipeline to deploy the templates to restore the on-premises servers. Fail back the data by using DataSync.

Create an AWS Cloud Development Kit (AWS CDK) pipeline to stand up a multi-site active-active environment on AWS. Replicate data into Amazon S3 by using the s3 sync command. During a disaster, swap DNS endpoints to point to AWS. Fail back the data by using the s3 sync command.

Use AWS Elastic Disaster Recovery to replicate the on-premises servers. Replicate data to an Amazon FSx for Windows File Server file system by using AWS DataSync. Mount the file system to AWS servers. During a disaster, fail over the on-premises servers to AWS. Fail back to new or existing servers by using Elastic Disaster Recovery.

Questions # 40:

A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.

A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.

Which combination of steps should the solutions architect take to meet the requirements? (Select THREE.)

Options:

Create a destination Amazon Kinesis data stream in the central logging account.

Create a destination Amazon SQS queue in the central logging account.

Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data stream. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.

Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon SQS queue. Create a trust policy. Specify the trust policy in the IAM role. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.

Create an AWS Lambda function. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.

Create an AWS Lambda function. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Questions # 41:

A company has a few AWS accounts for development and wants to move its production application to AWS. The company needs to enforce Amazon Elastic Block Store (Amazon EBS) encryption at rest current production accounts and future production accounts only. The company needs a solution that includes built-in blueprints and guardrails.

Which combination of steps will meet these requirements? (Choose three.)

Options:

Use AWS CloudFormation StackSets to deploy AWS Config rules on production accounts.

Create a new AWS Control Tower landing zone in an existing developer account. Create OUs for accounts. Add production and development accounts to production and development OUs, respectively.

Create a new AWS Control Tower landing zone in the company’s management account. Addproduction and development accounts to production and development OUs. respectively.

Invite existing accounts to join the organization in AWS Organizations. Create SCPs to ensure compliance.

Create a guardrail from the management account to detect EBS encryption.

Create a guardrail for the production OU to detect EBS encryption.

Questions # 42:

A company has developed a new release of a popular video game and wants to make it available for public download The new release package is approximately 5 GB in size. The company provides downloads for existing releases from a Linux-based publicly facing FTP site hosted in an on-premises data center The company expects the new release will be downloaded by users worldwide The company wants a solution that provides improved download performance and low transfer costs regardless of a user's location

Which solutions will meet these requirements'?

Options:

Store the game files on Amazon EBS volumes mounted on Amazon EC2 instances within an Auto Scaling group Configure an FTP service on the EC2 instances Use an Application Load Balancer in front of the Auto Scaling group. Publish the game download URL for users to downloadthe package

Store the game files on Amazon EFS volumes that are attached to Amazon EC2 instances within an Auto Scaling group Configure an FTP service on each of the EC2 instances Use an Application Load Balancer in front of the Auto Scaling group Publish the game download URL for users to download the package

Configure Amazon Route 53 and an Amazon S3 bucket for website hosting Upload the game files to the S3 bucket Use Amazon CloudFront for the website Publish the game download URL for users to download the package

Configure Amazon Route 53 and an Amazon S3 bucket for website hosting Upload the game files to the S3 bucket Set Requester Pays for the S3 bucket Publish the game download URL for users to download the package

Questions # 43:

A company is using AWS Organizations lo manage multiple AWS accounts For security purposes, the company requires the creation of an Amazon Simple Notification Service (Amazon SNS) topic that enables integration with a third-party alerting system in all the Organizations member accounts

A solutions architect used an AWS CloudFormation template to create the SNS topic and stack sets to automate the deployment of CloudFormation stacks Trusted access has been enabled in Organizations

What should the solutions architect do to deploy the CloudFormation StackSets in all AWS accounts?

Options:

Create a stack set in the Organizations member accounts. Use service-managed permissions. Set deployment options to deploy to an organization. Use CloudFormation StackSets drift detection.

Create stacks in the Organizations member accounts. Use self-service permissions. Set deployment options to deploy to an organization. Enable the CloudFormation StackSets automatic deployment.

Create a stack set in the Organizations management account Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets automatic deployment.

Create stacks in the Organizations management account. Use service-managed permissions. Set deployment options to deploy to the organization. Enable CloudFormation StackSets drift detection.

Questions # 44:

A company needs to optimize the cost of its application on AWS. The application uses AWS Lambda functions and Amazon ECS containers that run on AWS Fargate. The application is write-heavy and stores data in an Amazon Aurora MySQL database.

The load on the application is not consistent. The application experiences long periods of no usage, followed by sudden and significant increases and decreases in traffic. The database runs on a memory optimized DB instance and has high utilization during peak times. A solutions architect must design a solution that can scale to handle the changes in traffic.

Which solution will meet these requirements MOST cost-effectively?

Options:

Add additional read replicas to the database. Purchase Instance Savings Plans and reserved DB instances for Aurora.

Migrate the database to an Aurora DB cluster that has multiple writer instances. Purchase Instance Savings Plans.

Migrate the database to an Aurora global database. Purchase Compute Savings Plans and reserved DB instances for Aurora.

Migrate the database to Aurora Serverless v2. Purchase Compute Savings Plans.

Questions # 45:

A company's solutions architect is reviewing a web application that runs on AWS. The application references static assets in an Amazon S3 bucket in the us-east-1 Region. The company needs resiliency across multiple AWS Regions. The company already has created an S3 bucket in a second Region.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Configure the application to write each object to both S3 buckets. Set up an Amazon Route 53 public hosted zone with a record set by using a weighted routing policy for each S3 bucket. Configure the application to reference the objects by using the Route 53 DNS name.

Create an AWS Lambda function to copy objects from the S3 bucket in us-east-1 to the S3 bucket in the second Region. Invoke the Lambda function each time an object is written to the S3 bucket in us-east-1. Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.

Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region Set up an Amazon CloudFront distribution with an origin group that contains the two S3 buckets as origins.

Configure replication on the S3 bucket in us-east-1 to replicate objects to the S3 bucket in the second Region. If failover is required, update the application code to load S3 objects from the S3 bucket in the second Region.

Viewing page 3 out of 13 pages

Viewing questions 31-45 out of questions