Amazon AWS Certified Solutions Architect - Professional SAP-C02 AWS Certified Solutions Architect - Professional SAP-C02 Dumps in PDF

Free Amazon AWS Certified Solutions Architect - Professional SAP-C02 Real Questions (page: 55)

A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection. The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts.

A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home.

What is the MOST cost-effective solution that meets these requirements?

  1. Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.
  2. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.
  3. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure required routing that allows access to internal applications.
  4. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.

Answer(s): B

Explanation:

B) Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.

Creating a Client VPN endpoint in the main AWS account is the most cost-effective solution because it centralizes the VPN management while allowing remote employees to access internal applications hosted across multiple VPCs. By configuring the necessary routing, employees can connect securely to the applications without needing multiple VPN endpoints in each account, reducing both complexity and cost. This setup leverages the existing infrastructure efficiently while ensuring scalability as more users connect remotely.



A company is running an application in the AWS Cloud. Recent application metrics show inconsistent response times and a significant increase in error rates. Calls to third-party services are causing the delays. Currently, the application calls third-party services synchronously by directly invoking an AWS Lambda function.

A solutions architect needs to decouple the third-party service calls and ensure that all the calls are eventually completed.

Which solution will meet these requirements?

  1. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the Lambda function.
  2. Use an AWS Step Functions state machine to pass events to the Lambda function.
  3. Use an Amazon EventBridge rule to pass events to the Lambda function.
  4. Use an Amazon Simple Notification Service (Amazon SNS) topic to store events and Invoke the Lambda function.

Answer(s): A

Explanation:

A) Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the Lambda function.

Using Amazon SQS allows the application to decouple the calls to third-party services, which helps in managing inconsistent response times and reducing error rates. By placing the service calls in an SQS queue, the application can continue processing other tasks while the Lambda function retrieves and processes the messages asynchronously. This design ensures that all calls to third-party services are eventually completed, even if there are temporary issues, thus enhancing the overall reliability and performance of the application.



A company is running applications on AWS in a multi-account environment. The company's sales team and marketing team use separate AWS accounts in AWS Organizations.

The sales team stores petabytes of data in an Amazon S3 bucket. The marketing team uses Amazon QuickSight for data visualizations. The marketing team needs access to data that the sates team stores in the S3 bucket. The company has encrypted the S3 bucket with an AWS Key Management Service (AWS KMS) key. The marketing team has already created the IAM service role for QuickSight to provide QuickSight access in the marketing AWS account. The company needs a solution that will provide secure access to the data in the S3 bucket across AWS accounts.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create a new S3 bucket in the marketing account. Create an S3 replication rule in the sales account to copy the objects to the new S3 bucket in the marketing account. Update the QuickSight permissions in the marketing account to grant access to the new S3 bucket.
  2. Create an SCP to grant access to the S3 bucket to the marketing account. Use AWS Resource Access Manager (AWS RAM) to share the KMS key from the sates account with the marketing account. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
  3. Update the S3 bucket policy in the marketing account to grant access to the QuickSight role. Create a KMS grant for the encryption key that is used in the S3 bucket. Grant decrypt access to the QuickSight role. Update the QuickSight permissions in the marketing account to grant access to the S3 bucket.
  4. Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight rote, to create a trust relationship with the new IAM role in the sales account.

Answer(s): D

Explanation:

D) Create an IAM role in the sales account and grant access to the S3 bucket. From the marketing account, assume the IAM role in the sales account to access the S3 bucket. Update the QuickSight role to create a trust relationship with the new IAM role in the sales account.

This solution allows the marketing team to access the S3 bucket in the sales account securely without duplicating data or creating additional complexities. By creating an IAM role in the sales account that has permissions to access the S3 bucket and allowing the marketing account to assume that role, the company maintains a single source of truth for the data and leverages IAM roles for secure cross-account access. Additionally, this method requires minimal operational overhead since it does not involve data replication or the need for complex configurations.



A company is planning to migrate its business-critical applications from an on-premises data center to AWS. The company has an on-premises installation of a Microsoft SQL Server Always On cluster. The company wants to migrate to an AWS managed database service. A solutions architect must design a heterogeneous database migration on AWS.

Which solution will meet these requirements?

  1. Migrate the SQL Server databases to Amazon RDS for MySQL by using backup and restore utilities.
  2. Use an AWS Snowball Edge Storage Optimized device to transfer data to Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features, such as BULK INSERT.
  3. Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS for MySQL. Then use AWS Database Migration Service (AWS DMS) to migrate the data from on-premises databases to Amazon RDS.
  4. Use AWS DataSync to migrate data over the network between on-premises storage and Amazon S3. Set up Amazon RDS for MySQL. Use S3 integration with SQL Server features, such as BULK INSERT.

Answer(s): C

Explanation:

C) Use the AWS Schema Conversion Tool to translate the database schema to Amazon RDS for MySQL. Then use AWS Database Migration Service (AWS DMS) to migrate the data from on-premises databases to Amazon RDS.

This solution effectively addresses the requirement for a heterogeneous database migration from Microsoft SQL Server to Amazon RDS for MySQL. The AWS Schema Conversion Tool helps to convert the database schema from SQL Server to the MySQL format, ensuring compatibility. AWS DMS then facilitates the data migration while minimizing downtime, as it can replicate ongoing changes from the source database to the target. This approach is suitable for business-critical applications, providing a seamless transition with the necessary tools to manage schema changes and data migration efficiently.



A publishing company's design team updates the icons and other static assets that an ecommerce web application uses. The company serves the icons and assets from an Amazon S3 bucket that is hosted in the company's production account. The company also uses a development account that members of the design team can access.

After the design team tests the static assets in the development account, the design team needs to load the assets into the S3 bucket in the production account. A solutions architect must provide the design team with access to the production account without exposing other parts of the web application to the risk of unwanted changes.

Which combination of steps will meet these requirements? (Choose three.)

  1. In the production account, create a new IAM policy that allows read and write access to the S3 bucket.
  2. In the development account, create a new IAM policy that allows read and write access to the S3 bucket.
  3. In the production account, create a role Attach the new policy to the role. Define the development account as a trusted entity.
  4. In the development account, create a role. Attach the new policy to the role Define the production account as a trusted entity.
  5. In the development account, create a group that contains all the IAM users of the design team Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role In the production account.
  6. In the development account, create a group that contains all the IAM users of the design team Attach a different IAM policy to the group to allow the sts:AssumeRole action on the role in the development account.

Answer(s): A,C,E

Explanation:

A) In the production account, create a new IAM policy that allows read and write access to the S3 bucket.
This policy ensures that the design team can interact with the specific S3 bucket where the static assets are stored, allowing them to upload new assets and manage existing ones without affecting other resources in the production account.

C) In the production account, create a role. Attach the new policy to the role. Define the development account as a trusted entity.
Creating a role in the production account with the necessary permissions and defining the development account as a trusted entity allows users from the development account to assume this role and gain temporary access to the S3 bucket.

E) In the development account, create a group that contains all the IAM users of the design team. Attach a different IAM policy to the group to allow the sts
action on the role in the production account.
This step allows the design team members in the development account to assume the role created in the production account, enabling them to perform actions on the S3 bucket without directly granting them access to the production account.

Together, these steps create a secure and controlled access mechanism for the design team, allowing them to manage static assets while minimizing risks to other parts of the production environment.



A company developed a pilot application by using AWS Elastic Beanstalk and Java. To save costs during development, the company's development team deployed the application into a single-instance environment. Recent tests indicate that the application consumes more CPU than expected. CPU utilization is regularly greater than 85%, which causes some performance bottlenecks.

A solutions architect must mitigate the performance issues before the company launches the application to production.

Which solution will meet these requirements with the LEAST operational overhead?

  1. Create a new Elastic Beanstalk application. Select a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that will run if the maximum CPU utilization is over 85% for 5 minutes.
  2. Create a second Elastic Beanstalk environment. Apply the traffic-splitting deployment policy. Specify a percentage of incoming traffic to direct to the new environment in the average CPU utilization is over 85% for 5 minutes.
  3. Modify the existing environment’s capacity configuration to use a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes.
  4. Select the Rebuild environment action with the load balancing option. Select an Availability Zones. Add a scale-out rule that will run if the sum CPU utilization is over 85% for 5 minutes.

Answer(s): C

Explanation:

C) Modify the existing environment’s capacity configuration to use a load-balanced environment type. Select all Availability Zones. Add a scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes.
This option allows the existing Elastic Beanstalk application to scale horizontally by adding more instances when CPU utilization exceeds 85%. It leverages Elastic Beanstalk's built-in capabilities to manage scaling and load balancing with minimal operational overhead. By modifying the current environment instead of creating a new one, the solution is efficient and straightforward, allowing the development team to focus on application performance without significant changes to their deployment setup.

This approach ensures that the application can handle increased load effectively while maintaining operational simplicity.



A finance company is running its business-critical application on current-generation Linux EC2 instances. The application includes a self-managed MySQL database performing heavy I/O operations. The application is working fine to handle a moderate amount of traffic during the month. However, it slows down during the final three days of each month due to month-end reporting, even though the company is using Elastic Load Balancers and Auto Scaling within its infrastructure to meet the increased demand.

Which of the following actions would allow the database to handle the month-end load with the LEAST impact on performance?

  1. Pre-warming Elastic Load Balancers, using a bigger instance type, changing all Amazon EBS volumes to GP2 volumes.
  2. Performing a one-time migration of the database cluster to Amazon RDS, and creating several additional read replicas to handle the load during end of month.
  3. Using Amazon CloudWatch with AWS Lambda to change the type, size, or IOPS of Amazon EBS volumes in the cluster based on a specific CloudWatch metric.
  4. Replacing all existing Amazon EBS volumes with new PIOPS volumes that have the maximum available storage size and I/O per second by taking snapshots before the end of the month and reverting back afterwards.

Answer(s): B

Explanation:

B) Performing a one-time migration of the database cluster to Amazon RDS, and creating several additional read replicas to handle the load during end of month.
Migrating to Amazon RDS provides several advantages, including automated management tasks such as backups, scaling, and patching, which can significantly reduce the operational burden. By creating additional read replicas, the company can distribute the read workload during peak times like month-end reporting, thus improving performance and reducing the load on the primary database instance. This approach allows for better scalability and performance optimization with minimal manual intervention and operational overhead.



A company runs a Java application that has complex dependencies on VMs that are in the company's data center. The application is stable. but the company wants to modernize the technology stack. The company wants to migrate the application to AWS and minimize the administrative overhead to maintain the servers.

Which solution will meet these requirements with the LEAST code changes?

  1. Migrate the application to Amazon Elastic Container Service (Amazon ECS) on AWS Fargate by using AWS App2Container. Store container images in Amazon Elastic Container Registry (Amazon ECR). Grant the ECS task execution role permission 10 access the ECR image repository. Configure Amazon ECS to use an Application Load Balancer (ALB). Use the ALB to interact with the application.
  2. Migrate the application code to a container that runs in AWS Lambda. Build an Amazon API Gateway REST API with Lambda integration. Use API Gateway to interact with the application.
  3. Migrate the application to Amazon Elastic Kubernetes Service (Amazon EKS) on EKS managed node groups by using AWS App2Container. Store container images in Amazon Elastic Container Registry (Amazon ECR). Give the EKS nodes permission to access the ECR image repository. Use Amazon API Gateway to interact with the application.
  4. Migrate the application code to a container that runs in AWS Lambda. Configure Lambda to use an Application Load Balancer (ALB). Use the ALB to interact with the application.

Answer(s): A

Explanation:

A) Migrate the application to Amazon Elastic Container Service (Amazon ECS) on AWS Fargate by using AWS App2Container. Store container images in Amazon Elastic Container Registry (Amazon ECR). Grant the ECS task execution role permission to access the ECR image repository. Configure Amazon ECS to use an Application Load Balancer (ALB). Use the ALB to interact with the application.
This solution allows for minimal code changes while modernizing the application. Using AWS App2Container facilitates the migration of the existing application to containerized environments with little effort. By leveraging Amazon ECS on AWS Fargate, the company eliminates the need to manage underlying server infrastructure, thus minimizing administrative overhead. Additionally, using an ALB provides a scalable way to handle traffic to the application, ensuring high availability.



Share your comments for Amazon AWS Certified Solutions Architect - Professional SAP-C02 exam with other users:

A
AI Tutor Explanation
4/25/2026 1:42:20 PM

Question 104:

  • Correct answer: D) Multi-Terabyte (TB) Range

  • Brief explanation:
- clustering keys organize data into micro-partitions to improve pruning when queries filter on those columns. - The performance benefit is most significant for very large tables; for small tables the overhead of maintaining clustering outweighs gains. - Therefore, as a best practice, define clustering keys on tables at the TB scale.

C
Community Helper
4/25/2026 2:03:10 AM

Q23: Fabric Admin is correct. Because Domain admin cannot create domains. Only Fabric Admin can among the given options. Q51: Wrapping @pipeline.parameter.param1 inside {} will return a string. But question requires the expression to return Int, so correct answer should be @pipeline.parameter.param1 (no {})

A
AI Tutor Explanation
4/23/2026 3:07:03 PM

Question 62:

  • Correct answer: D (per the page)

  • Note: The explanation text on the page describes option B (use ZDX score and Analyze Score to trigger the Y Engine analysis), indicating a mismatch between the stated answer and the rationale.

  • Key concept: For fast root-cause analysis, leverage telemetry and auto-correlated insights:
- Use the user’s ZDX score for AWS and run Analyze Score to activate the Y Engine, which correlates metrics across network, client, and application to pinpoint the issue quickly.
  • Why the other options are less effective:
- A: Only checks for outages; doesn’t provide actionable root-cause analysis. - C: Deep Trace helps visibility but is manual and time-consuming. - D: Packet capture is invasive and slow; not the quickest path to root cause.

A
AI Tutor Explanation
4/23/2026 12:26:21 PM

Question 32:

  • Answer: A (2.4GHz)

  • Why: Lower-frequency signals have longer wavelengths and experience less attenuation when passing through walls and obstacles. Higher frequencies (5GHz, 6GHz) are more easily blocked by walls. NFC operates over very short distances and is not meant to penetrate walls. So 2.4 GHz best penetrates physical objects like walls.

A
AI Tutor Explanation
4/21/2026 8:48:36 AM

Question 3:

  • False is the correct answer (Option B).

Why:
  • In Snowflake, a database is a metadata object that exists within a single Snowflake account. Accounts are isolated—there isn’t one database that lives in multiple accounts.
  • You can access data across accounts via data sharing or database replication, but these create separate database objects in the other accounts (e.g., a database in the consumer account created from a share), not a single shared database across accounts.

So a single database cannot exist in more than one Snowflake account.

A
Anonymous User
4/16/2026 10:54:18 AM

Question 1:

  • Correct answer: Edate = sys.argv[1]
  • Why this is correct:
- When a Databricks Job passes parameters to a notebook, those parameters are supplied to the notebook's Python process as command-line arguments. The first argument after the script name is sys.argv[1], so date = sys.argv[1] captures the passed date value directly.
  • How it compares to other options:
- date = spark.conf.get("date") reads from Spark config, not from job parameters. - input() waits for user input at runtime, which isn’t how job parameters are provided. - date = dbutils.notebooks.getParam("date") would work if the notebook were invoked via dbutils.notebook.run with parameters, not

A
Anonymous User
4/15/2026 4:42:07 AM

Question 528:

  • Correct answer: NSG flow logs for NSG1 (Option B)

  • Why:
- Traffic Analytics uses NSG flow logs to analyze traffic patterns. You must have NSG flow logs enabled for the NSGs you want to monitor. - An Azure Log Analytics workspace is also required to store and query the traffic data. - Network Watcher must be available in the subscription for traffic analytics to function.
  • What to configure (brief steps):
- Ensure Network Watcher is enabled in the East US region (for the subscription/region). - Enable NSG flow logs on NSG1. - Ensure a Log Analytics workspace exists and is accessible (read/write) so Traffic Analytics can store and query logs.
  • Why other options aren’t correct:
- “Diagnostic settings for VM1” or “Diagnostic settings for NSG1” alone don’t guarantee flow logs are captured and sent to Log Analytics, which Traffic Analytics relies on. - “Insights for VM1” is not how Traffic Analytics collects traffic data.

A
Anonymous User
4/15/2026 2:43:53 AM

Question 23:
The correct answer is Domain admin (option B), not Fabric admin.

  • Domain admin provides domain-level management: create domains/subdomains and assign workspaces within those domains, which matches the tasks while following least privilege.
  • Fabric admin is global-level access and is more privileges than needed for this scenario (it would grant broader control across the Fabric environment).

A
Anonymous User
4/14/2026 12:31:34 PM

Question 2:
For question 2, the key concept is the Longest Prefix Match. Routers pick the route whose subnet mask is the most specific (largest prefix length) that still matches the destination IP.
From the options:

  • A) 10.10.10.0/28 ? 10.10.10.0–10.10.10.15
  • B) 10.10.13.0/25 ? 10.10.13.0–10.10.13.127
  • C) 10.10.13.144/28 ? 10.10.13.144–10.10.13.159
  • D) 10.10.13.208/29 ? 10.10.13.208–10.10.13.215

The destination Host A’s IP must fall within 10.10.13.208–10.10.13.215 for the /29 to be the best match. Since /29 is the longest prefix among the matching options, Router1 will use 10.10.13.208/29.
Thus, the correct answer is D.

S
srameh
4/14/2026 10:09:29 AM

Question 3:

  • Correct answer: Phase 4, Post Accreditation

  • Explanation:
- In DITSCAP, the four phases are: - Phase 1: Definition (concept and requirements) - Phase 2: Verification (design and testing) - Phase 3: Validation (fielding and evaluation) - Phase 4: Post Accreditation (ongoing operations and lifecycle management) - The description—continuing operation of an accredited IT system and addressing changing threats throughout its life cycle—fits the Post Accreditation phase, which covers operations, maintenance, monitoring, and reauthorization as threats and environment evolve.

O
onibokun10
4/13/2026 7:50:14 PM

Question 129:
Correct answer: CNAME

  • A CNAME record creates an alias for a domain, so newapplication.comptia.org will resolve to whatever IP address www.comptia.org resolves to. This ensures both names point to the same resource without duplicating the IP.
  • Why not the others:
- SOA defines authoritative information for a zone. - MX specifies mail exchange servers. - NS designates name servers for a zone.
  • Notes: The alias name (newapplication.comptia.org) should not have other records if you use a CNAME for it, and CNAMEs aren’t used for the zone apex (root) domain. This scenario uses a subdomain, so a CNAME is appropriate.

A
Anonymous User
4/13/2026 6:29:58 PM

Question 1:

  • Correct answer: C

  • Why this is best:
- Uses OS Login with IAM, so SSH access is granted via Google accounts rather than distributing per-user SSH keys. - Granting the compute.osAdminLogin role to a Google group gives admin access to all team members in a centralized, auditable way. - Access is auditable: Cloud Audit Logs show who accessed which VM, satisfying the security requirement to determine who accessed a given instance.
  • How it works:
- Enable OS Login on the project/instances (enable-oslogin metadata). - Add the team’s

A
Anonymous User
4/13/2026 1:00:51 PM

Question 2:

  • Answer: D. Azure Advisor

  • Why: To view security-related recommendations for resources in the Compute and Apps area (including App Service Web Apps and Functions), you use Azure Advisor. Advisor surfaces personalized best-practice recommendations across resources, including security, and shows which resources are affected and the severity.

  • Why not the others:
- Azure Log Analytics is for ad-hoc querying of telemetry, not for viewing security recommendations. - Azure Event Hubs is for streaming telemetry data, not for security recommendations.
  • Quick tip: In the portal, navigate to Azure Advisor and check the Security recommendations for App Services to see actionable items and affe

D
Don
4/11/2026 5:36:42 AM

Recommend using AI for Solutions rather the Answer(s) submitted here

M
Mogae Malapela
4/8/2026 6:37:56 AM

This is very interesting

A
Anon
4/6/2026 5:22:54 PM

Are these the same questions you have to pay for in ExamTopics?

L
LRK
3/22/2026 2:38:08 PM

For Question 7 - while the answer description indicates the correct answer, the option no. mentioned is incorrect. Nice and Comprehensive. Thankyou

R
Rian
3/19/2026 9:12:10 AM

This is very good and accurate. Explanation is very helpful even thou some are not 100% right but good enough to pass.

G
Gerrard
3/18/2026 6:58:37 AM

The DP-900 exam can be tricky if you aren't familiar with Microsoft’s specific cloud terminology. I used the practice questions from free-braindumps.com and found them incredibly helpful. The site breaks down core data concepts and Azure services in a way that actually mirrors the real test. As a resutl I passed my exam.

V
Vineet Kumar
3/6/2026 5:26:16 AM

interesting

J
Joe
1/20/2026 8:25:24 AM

Passed this exam 2 days ago. These questions are in the exam. You are safe to use them.

N
NJ
12/24/2025 10:39:07 AM

Helpful to test your preparedness before giving exam

A
Ashwini
12/17/2025 8:24:45 AM

Really helped

J
Jagadesh
12/16/2025 9:57:10 AM

Good explanation

S
shobha
11/29/2025 2:19:59 AM

very helpful

P
Pandithurai
11/12/2025 12:16:21 PM

Question 1, Ans is - Developer,Standard,Professional Direct and Premier

E
Einstein
11/8/2025 4:13:37 AM

Passed this exam in first appointment. Great resource and valid exam dump.

D
David
10/31/2025 4:06:16 PM

Today I wrote this exam and passed, i totally relay on this practice exam. The questions were very tough, these questions are valid and I encounter the same.

T
Thor
10/21/2025 5:16:29 AM

Anyone used this dump recently?

V
Vladimir
9/25/2025 9:11:14 AM

173 question is A not D

K
khaos
9/21/2025 7:07:26 AM

nice questions

K
Katiso Lehasa
9/15/2025 11:21:52 PM

Thanks for the practice questions they helped me a lot.

E
Einstein
9/2/2025 7:42:00 PM

Passed this exam today. All questions are valid and this is not something you can find in ChatGPT.

V
vito
8/22/2025 4:16:51 AM

i need to pass exam for VMware 2V0-11.25

AI Tutor 👋 I’m here to help!