Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Amazon
  3. SAP-C02

Amazon SAP-C02 Exam (page: 6)
Amazon AWS Certified Solutions Architect - Professional SAP-C02
Updated on: 09-Feb-2026

Viewing Page 6 of 68
SAP-C02 PDF 533 Questions

A solutions architect needs to advise a company on how to migrate its on-premises data processing application to the AWS Cloud. Currently, users upload input files through a web portal. The web server then stores the uploaded files on NAS and messages the processing server over a message queue. Each media file can take up to 1 hour to process. The company has determined that the number of media files awaiting processing is significantly higher during business hours, with the number of files rapidly declining after business hours.

What is the MOST cost-effective migration recommendation?

  1. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. When there are messages in the queue, invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in an Amazon S3 bucket.
  2. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue, create a new Amazon EC2 instance to pull requests from the queue and process the files. Store the processed files in Amazon EFS. Shut down the EC2 instance after the task is complete.
  3. Create a queue using Amazon MQ. Configure the existing web server to publish to the new queue. When there are messages in the queue, invoke an AWS Lambda function to pull requests from the queue and process the files. Store the processed files in Amazon EFS.
  4. Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2 Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the processed files in an Amazon S3 bucket.

Answer(s): D

Explanation:

D) Create a queue using Amazon SQS. Configure the existing web server to publish to the new queue. Use Amazon EC2 instances in an EC2 Auto Scaling group to pull requests from the queue and process the files. Scale the EC2 instances based on the SQS queue length. Store the processed files in an Amazon S3 bucket is the correct solution because it is the most cost-effective option.

Amazon SQS provides a reliable and scalable message queue for handling the file processing requests.
EC2 Auto Scaling ensures that the number of instances dynamically adjusts based on the load (queue length), saving costs during low-demand periods.
Storing the processed files in Amazon S3 is cost-efficient and scalable for long-term storage, compared to more expensive options like Amazon EFS.
This setup provides flexibility, cost savings, and the ability to handle varying loads throughout the day.



A company is using Amazon OpenSearch Service to analyze data. The company loads data into an OpenSearch Service cluster with 10 data nodes from an Amazon S3 bucket that uses S3 Standard storage. The data resides in the cluster for 1 month for read-only analysis. After 1 month, the company deletes the index that contains the data from the cluster. For compliance purposes, the company must retain a copy of all input data.

The company is concerned about ongoing costs and asks a solutions architect to recommend a new solution. Which solution will meet these requirements MOST cost-effectively?

  1. Replace all the data nodes with UltraWarm nodes to handle the expected capacity. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.
  2. Reduce the number of data nodes in the cluster to 2 Add UltraWarm nodes to handle the expected capacity. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the data. Transition the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy.
  3. Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacity. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the data. Add cold storage nodes to the cluster Transition the indexes from UltraWarm to cold storage. Delete the input data from the S3 bucket after 1 month by using an S3 Lifecycle policy.
  4. Reduce the number of data nodes in the cluster to 2. Add instance-backed data nodes to handle the expected capacity. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.

Answer(s): B

Explanation:

B) Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacity. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the data. Transition the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy is the correct answer.

This solution significantly reduces costs by:

Reducing the number of data nodes (which are more expensive) to only 2.
Using UltraWarm nodes for cost-effective storage of read-only data that is frequently queried for the first month.
Using an S3 Lifecycle policy to transition the input data to S3 Glacier Deep Archive, the most cost-effective long-term storage solution, once the data is no longer needed for analysis in OpenSearch.
This combination reduces costs for both the OpenSearch cluster and S3 storage, meeting the company's cost requirements.



A company has 10 accounts that are part of an organization in AWS Organizations. AWS Config is configured in each account. All accounts belong to either the Prod OU or the NonProd OU.

The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source. The company’s security team is subscribed to the SNS topic.

For all accounts in the NonProd OU, the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source.

Which solution will meet this requirement with the LEAST operational overhead?

  1. Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic. Deploy the updated rule to the NonProd OU.
  2. Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU.
  3. Configure an SCP to allow the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU.
  4. Configure an SCP to deny the ec2:AuthorizeSecurityGroupIngress action when the value of the aws:SourceIp condition key is 0.0.0.0/0. Apply the SCP to the NonProd OU.

Answer(s): C

Explanation:

C) Configure an SCP to allow the ec2
action when the value of the aws
condition key is not 0.0.0.0/0. Apply the SCP to the NonProd OU is the correct solution.

Using a Service Control Policy (SCP) in AWS Organizations is the most effective way to prevent security group rules from allowing 0.0.0.0/0 (i.e., open to the internet) in the NonProd OU. This SCP can be applied across all accounts in the NonProd OU and will prevent any user from creating security group rules that include this source IP.

This approach minimizes operational overhead as the SCP is centrally managed and enforced across all accounts, ensuring that the restriction is consistently applied without needing to modify or deploy additional AWS Config rules or EventBridge rules.



A company hosts a Git repository in an on-premises data center. The company uses webhooks to invoke functionality that runs in the AWS Cloud. The company hosts the webhook logic on a set of Amazon EC2 instances in an Auto Scaling group that the company set as a target for an Application Load Balancer (ALB). The Git server calls the ALB for the configured webhooks. The company wants to move the solution to a serverless architecture.

Which solution will meet these requirements with the LEAST operational overhead?

  1. For each webhook, create and configure an AWS Lambda function URL. Update the Git servers to call the individual Lambda function URLs.
  2. Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate AWS Lambda function. Update the Git servers to call the API Gateway endpoint.
  3. Deploy the webhook logic to AWS App Runner. Create an ALB, and set App Runner as the target. Update the Git servers to call the ALB endpoint.
  4. Containerize the webhook logic. Create an Amazon Elastic Container Service (Amazon ECS) cluster, and run the webhook logic in AWS Fargate. Create an Amazon API Gateway REST API, and set Fargate as the target. Update the Git servers to call the API Gateway endpoint.

Answer(s): B

Explanation:

B) Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate AWS Lambda function. Update the Git servers to call the API Gateway endpoint is the correct solution because it offers a fully serverless architecture with minimal operational overhead. Using API Gateway allows the Git server to call a single endpoint, and each webhook can trigger a different AWS Lambda function, which processes the webhook logic. This solution is cost-effective, scales automatically, and removes the need to manage EC2 instances or an Auto Scaling group.



A company is planning to migrate 1,000 on-premises servers to AWS. The servers run on several VMware clusters in the company’s data center. As part of the migration plan, the company wants to gather server metrics such as CPU details, RAM usage, operating system information, and running processes. The company then wants to query and analyze the data.

Which solution will meet these requirements?

  1. Deploy and configure the AWS Agentless Discovery Connector virtual appliance on the on-premises hosts. Configure Data Exploration in AWS Migration Hub. Use AWS Glue to perform an ETL job against the data. Query the data by using Amazon S3 Select.
  2. Export only the VM performance information from the on-premises hosts. Directly import the required data into AWS Migration Hub. Update any missing information in Migration Hub. Query the data by using Amazon QuickSight.
  3. Create a script to automatically gather the server information from the on-premises hosts. Use the AWS CLI to run the put-resource-attributes command to store the detailed server data in AWS Migration Hub. Query the data directly in the Migration Hub console.
  4. Deploy the AWS Application Discovery Agent to each on-premises server. Configure Data Exploration in AWS Migration Hub. Use Amazon Athena to run predefined queries against the data in Amazon S3.

Answer(s): D

Explanation:

D) Deploy the AWS Application Discovery Agent to each on-premises server. Configure Data Exploration in AWS Migration Hub. Use Amazon Athena to run predefined queries against the data in Amazon S3 is the correct answer.

This solution allows for detailed metrics collection from on-premises servers, such as CPU details, RAM usage, and running processes, through the AWS Application Discovery Agent. The data can be explored through AWS Migration Hub, and Amazon Athena provides a powerful querying capability for the data stored in S3. This approach ensures comprehensive data gathering and analysis while preparing for the migration to AWS.



A company is building a serverless application that runs on an AWS Lambda function that is attached to a VPC. The company needs to integrate the application with a new service from an external provider. The external provider supports only requests that come from public IPv4 addresses that are in an allow list.

The company must provide a single public IP address to the external provider before the application can start using the new service.

Which solution will give the application the ability to access the new service?

  1. Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway.
  2. Deploy an egress-only internet gateway. Associate an Elastic IP address with the egress-only internet gateway. Configure the elastic network interface on the Lambda function to use the egress-only internet gateway.
  3. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the Lambda function to use the internet gateway.
  4. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the default route in the public VPC route table to use the internet gateway.

Answer(s): A

Explanation:

A) Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway is the correct solution. A NAT gateway allows resources within a private subnet (such as a Lambda function attached to a VPC) to access the internet or external services while keeping the internal resources private. By associating an Elastic IP address with the NAT gateway, you can ensure that all outbound traffic uses a single, predictable public IP address. This setup will satisfy the requirement of providing a single public IP address to the external provider for allow list purposes.



A solutions architect has developed a web application that uses an Amazon API Gateway Regional endpoint and an AWS Lambda function. The consumers of the web application are all close to the AWS Region where the application will be deployed. The Lambda function only queries an Amazon Aurora MySQL database. The solutions architect has configured the database to have three read replicas.

During testing, the application does not meet performance requirements. Under high load, the application opens a large number of database connections. The solutions architect must improve the application’s performance.

Which actions should the solutions architect take to meet these requirements? (Choose two.)

  1. Use the cluster endpoint of the Aurora database.
  2. Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database.
  3. Use the Lambda Provisioned Concurrency feature.
  4. Move the code for opening the database connection in the Lambda function outside of the event handler.
  5. Change the API Gateway endpoint to an edge-optimized endpoint.

Answer(s): B,D

Explanation:

B) Use RDS Proxy to set up a connection pool to the reader endpoint of the Aurora database, and
D) Move the code for opening the database connection in the Lambda function outside of the event handler are the correct answers.

RDS Proxy helps improve database performance by efficiently managing database connections through a connection pool, which is critical in high-load scenarios where too many connections could overwhelm the Aurora MySQL database. By directing traffic to the reader endpoint, it also offloads the read queries from the primary instance.
Moving the code for opening the database connection outside the Lambda function's event handler ensures that the database connection is reused across multiple invocations, reducing the overhead of repeatedly opening and closing connections, improving both performance and scalability.



A company is planning to host a web application on AWS and wants to load balance the traffic across a group of Amazon EC2 instances. One of the security requirements is to enable end-to-end encryption in transit between the client and the web server.

Which solution will meet this requirement?

  1. Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Export the SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  2. Associate the EC2 instances with a target group. Provision an SSL certificate using AWS Certificate Manager (ACM). Create an Amazon CloudFront distribution and configure it to use the SSL certificate. Set CloudFront to use the target group as the origin server.
  3. Place the EC2 instances behind an Application Load Balancer (ALB) Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances.
  4. Place the EC2 instances behind a Network Load Balancer (NLB). Provision a third-party SSL certificate and install it on the NLB and on each EC2 instance. Configure the NLB to listen on port 443 and to forward traffic to port 443 on the instances.

Answer(s): C

Explanation:

C) Place the EC2 instances behind an Application Load Balancer (ALB). Provision an SSL certificate using AWS Certificate Manager (ACM), and associate the SSL certificate with the ALB. Provision a third-party SSL certificate and install it on each EC2 instance. Configure the ALB to listen on port 443 and to forward traffic to port 443 on the instances is the correct solution.

This approach ensures end-to-end encryption by using an SSL certificate for both the Application Load Balancer (ALB) and the EC2 instances. The ALB handles the SSL termination for the initial client connection, and by installing a third-party SSL certificate on the EC2 instances, traffic between the ALB and the EC2 instances is also encrypted, ensuring end-to-end encryption.

This setup meets the security requirement while providing load balancing for traffic to the EC2 instances.



Viewing Page 6 of 68



Share your comments for Amazon SAP-C02 exam with other users:

Andrew 8/23/2023 6:02:00 PM

very helpful
Anonymous


Mukesh 7/10/2023 4:14:00 PM

good questions
UNITED KINGDOM