A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access.Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer(s): C,D
The correct choices C and D implement secure bastion-based SSH access: the bastion’s SG allows inbound SSH only from the company’s external IP range, and the application instances’ SG allows inbound SSH only from the bastion host’s private IP, enforcing via private path through the bastion.A is wrong because restricting to application IPs would block initial SSH from the bastion’s public endpoint. B is wrong because allowing only internal IPs would block the on-premises to-bastion connection via the internet. E is wrong because permitting from the bastion’s public IP on the app instances would expose SSH to the external interface; traffic from the public IP must reach the bastion, then traverse to private IPs through the VPC.
A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.How should security groups be configured in this situation? (Choose two.)
Answer(s): A,C
A) The web tier SG should permit inbound 443 from the internet (0.0.0.0/0) to allow HTTPS access from users. B is incorrect because outbound from 0.0.0.0/0 is not required for web access and is unnecessary for standard web traffic; inbound is what matters. C) The DB tier SG should allow inbound 1433 only from the web tier's SG, ensuring the database accepts connections only from the web layer, not from anywhere else. D is incorrect because outbound 443/1433 from DB to web tier is unnecessary; traffic is initiated by the web tier. E is incorrect because inbound 443 on DB is not needed; DB should only receive 1433 from the web tier.
A company wants to move a multi-tiered application from on premises to the AWS Cloud to improve the application's performance. The application consists of application tiers that communicate with each other by way of RESTful services. Transactions are dropped when one tier becomes overloaded. A solutions architect must design a solution that resolves these issues and modernizes the application.Which solution meets these requirements and is the MOST operationally efficient?
Answer(s): A
A) Uses API Gateway and Lambda for the application tier, with SQS as the decoupled messaging backbone. This reduces coupling, elastically scales responsive endpoints, and prevents cascading failures when a tier is overloaded, satisfying operational efficiency through serverless components and asynchronous queues.B) Relies on manual scaling of EC2 instances based on historic metrics; does not address decoupling or prevent overloads and is not operationally efficient.C) SNS is a pub/sub fan-out service, not designed as a reliable queue for request/response between tightly coupled tiers; monitoring queue length in SNS is not applicable for autoscaling decisions in this pattern.D) SQS decouples components but pairing with EC2 ASGs and monitoring queue length is less efficient than a serverless approach; also does not leverage API Gateway/Lambda for core modernization.
A company receives 10 TB of instrumentation data each day from several machines located at a single factory. The data consists of JSON files stored on a storage area network (SAN) in an on-premises data center located within the factory. The company wants to send this data to Amazon S3 where it can be accessed by several additional systems that provide critical near-real-time analytics. A secure transfer is important because the data is considered sensitive.Which solution offers the MOST reliable data transfer?
Answer(s): B
AWS DataSync over AWS Direct Connect provides a secure, high-bandwidth, low-latency transfer path from on-premises SAN to S3 with reliable, incremental transfers and strong encryption, meeting near-real-time analytics needs.A) DataSync over public internet is less reliable and sensitive to internet variability and potential security exposure.C) DMS is for database replication, not bulk file/object transfers to S3, and not optimal for file-based JSON on SAN data.D) DMS over Direct Connect is not appropriate for file/object migration to S3; DMS specializes in database migrations rather than general object storage transfers.
A company needs to configure a real-time data ingestion architecture for its application. The company needs an API, a process that transforms data as the data is streamed, and a storage solution for the data.Which solution will meet these requirements with the LEAST operational overhead?
Answer(s): C
The correct option is C because API Gateway → Kinesis Data Stream → Firehose → S3 provides a fully managed, real-time ingestion pipeline with built-in data transformation via Lambda and minimal operational overhead.A) Uses EC2 for API, then Firehose consumes from Kinesis data stream and Lambda transforms—unnecessary EC2 and more moving parts; still feasible but higher operational burden.B) AWS Glue is not a real-time streaming ingestion endpoint and deploying on EC2 increases management; Glue is ETL/batch-oriented, not ideal for low-latency streaming with API gateway.D) API Gateway to Glue with Lambda lacks real-time streaming integration and Firehose buffering/delivery that reduce ops; Glue is not the streaming endpoint here.
A company needs to keep user transaction data in an Amazon DynamoDB table. The company must retain the data for 7 years.What is the MOST operationally efficient solution that meets these requirements?
AWS Backup provides centralized, automated backup planning with schedules and long-term retention policies for DynamoDB, meeting the 7-year retention requirement with minimal operational overhead.A) Point-in-time recovery is continuous restores for 35 days (default), not long-term archival for 7 years.C) On-demand DynamoDB backups stored in S3 require manual initiation and separate lifecycle management; less scalable for policy-driven retention.D) Event-driven Lambda backup introduces operational overhead and risk of gaps; not as efficient as a managed backup service with retention policies.B) Correct: centralized, policy-driven backup schedules and retention via AWS Backup.
A company is planning to use an Amazon DynamoDB table for data storage. The company is concerned about cost optimization. The table will not be used on most mornings. In the evenings, the read and write traffic will often be unpredictable. When traffic spikes occur, they will happen very quickly.What should a solutions architect recommend?
D) incorrect because global tables are for multi-region replication, not cost optimization for bursty traffic. A) correct because DynamoDB on-demand mode automatically handles unpredictable traffic with pay-per-request pricing, eliminating provisioning and scaling concerns. B) incorrect; a global secondary index does not address throughput provisioning or bursting behavior. C) incorrect; provisioned capacity with auto scaling can handle some variability but relies on historical patterns and may not respond instantly to sudden spikes, whereas on-demand is designed for unpredictable workloads. E) option not present. Overall, on-demand is best for infrequent usage with highly variable, sudden traffic.
A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs ta share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots.What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?
Sharing the AMI with launch permissions to the MSP Partner’s account and allowing the keys used to decrypt EBS snapshots via KMS key policy is the correct and secure approach (option B). It preserves encryption, avoids public exposure, and restricts access to the intended account.A is incorrect because making the AMI and snapshots public is insecure and contradicts least-privilege; it also improperly modifies the key policy to share the key publicly.C is incorrect because trusting a new MSP-owned KMS key for encryption is unnecessary and adds complexity; the original KMS key can be shared with the MSP account via proper key policy.D is incorrect because exporting to S3 and recreating the AMI in the MSP account is unnecessary and risks integrity; sharing the AMI with proper launch permissions is simpler and secure.
Share your comments for Amazon SAA-C02 exam with other users:
i appreciated the mix of multiple-choice and short answer questions. i passed my exam this morning.
great to find this website, thanks
examination questions seem to be relevant.
planning to take psm test
please allow to download
please provide dumps
is the answer to question 15 correct ? i feel like the answer should be b
its getting more technical
i think these questions are what i need.
helpful assessment
i am confused about the answers to the questions. do you know if the answers are correct?
hi, please make the dumps available for my upcoming examination.
good practice
so far it is really informative
hi i want it please please upload it
am preparing for exam ,just nice questions
please upload c_tadm_23 exam
can we get tdvan4 vantage data engineering pdf?
want to clear the exam.
could you please upload the dumps of sap c_sac_2302
asm management configuration is about storage
kool thumb up
just passed the az-500 exam this last friday. most of the questions in this exam dumps are in the exam. i bought the full version and noticed some of the questions which were answered wrong in the free version are all corrected in the full version. this site is good but i wish the had it in an interactive version like a test engine simulator.
i can practice for exam
please i need this exam.
i need the dump
i want it bad, even if cs6 maybe retired, i want to learn cs6
i hate comptia with all my heart with their "choose the best" answer format as an argument could be made on every question. they say "the "comptia way", lmao no this right here boys is the comptia way 100%. take it from someone whos failed this exam twice but can configure an entire complex network that these are the questions that are on the test 100% no questions asked. the pbqs are dead on! nice work
very good materials
thanks for your support.
iam impressed with the quality of these dumps. they questions and answers were easy to understand and the xengine app was very helpful to use.
not bad but you question database from isaca
awesome contents
answer to 134 is casb. while data loss prevention is the goal, in order to implement dlp in cloud applications you need to deploy a casb.