SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

The correct answers are C and D. The IAM user appears to have read-only S3 permissions, but AWS authorization is the result of multiple policy layers. In AWS Organizations, a service control policy can set the maximum permissions available to principals in member accounts. If an OU-level SCP denies or does not allow S3 actions, the IAM user’s read-only policy will not be enough. A permissions boundary can also restrict the maximum permissions an IAM user can exercise, even if an identity-based policy appears to allow access. Bucket policies can affect access to specific buckets and objects, but the symptom says no buckets are listed in the console, which points more strongly to identity-side effective permission limits. ACLs are legacy resource controls and are not the primary place to troubleshoot this issue. (AWS Documentation)

===============

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

The correct answer is B.

B. This solution meets the requirements because it uses AWS Cost Anomaly Detection, which is a feature of AWS Cost Management that uses machine learning to identify and alert on anomalous spend and usage patterns. By configuring a monitor type of AWS Service and applying a filter of Amazon EC2, the solution can track the EC2 usage as a metric across the organization’s accounts.By configuring an alert subscription with a threshold of 10%, the solution can notify the architecture team via email or AmazonSNS if the EC2 usage is more than 10% higher than the average usage for the last 30 days12

A. This solution is incorrect because it uses AWS Budgets, which is a feature of AWS Cost Management that helps to plan and track costs and usage. However, AWS Budgets does not support usage type of EC2 running hours as a budget type. The only supported usage types are Amazon S3 storage, Amazon EC2 RI utilization, and Amazon EC2 RI coverage. Moreover, AWS Budgets does not support setting the budget amount based on the reported average usage from AWS Cost Explorer.The budget amount has to be a fixed or variable value34

C. This solution is incorrect because it uses AWS Trusted Advisor, which is a feature of AWS Premium Support that provides recommendations to follow best practices for cost optimization, security, performance, and fault tolerance. However, AWS Trusted Advisor does not support configuring custom alerts based on EC2 usage or average usage for the last 30 days.The only supported alerts are based on predefined checks and thresholds that are applied to all services and resources in the account56

D. This solution is incorrect because it uses Amazon Detective, which is a service that helps to analyze and visualize security data to investigate potential security issues. However, Amazon Detective does not support configuring EC2 usage anomaly alerts basedon average usage for the last 30 days.The only supported alerts are based on GuardDuty findings and other security-related events that are detected by machine learning models78

This solution requires the least amount of effort as it only requires to update the API endpoint to private in API Gateway and create an interface VPC endpoint. Then create a resource policy and attach it to the API. This will make the API only accessible from the VPC and still keep the authentication mechanism intact. Reference:

https://aws.amazon.com/premiumsupport/knowledge-center/private-api-gateway-vpc-endpoint/

https://aws.amazon.com/api-gateway/features/

The requirement is preventive enforcement during CloudFormation provisioning. AWS CloudFormation Hooks are designed to evaluate CloudFormation and Cloud Control API operations before resources are created or updated. If a resource is noncompliant, a Hook can fail the operation and prevent provisioning. Lambda Hooks allow custom logic, which fits predefined company-specific rules. Deploying and protecting Hooks centrally with StackSets, SCPs, and IAM policies gives consistent enforcement across the organization with low operational overhead. AWS Config custom rules are detective controls; they evaluate resources after deployment and cannot reliably prevent initial creation. CloudFormation macros require templates to explicitly use the macro and are not a universal enforcement layer. Manually invoking CloudFormation Guard through a Lambda function does not automatically block every CloudFormation deployment unless separately integrated.

The modernized application needs to store and serve video files up to 4 GB. Large binary content should not be stored directly in a database because it negatively affects database performance, scaling, and backup/restore times. The standard AWS pattern is to store large objects in Amazon S3 and keep only references (such as keys or URLs) in the database.

User profile data is simple, text-based, and currently lives in a single table. This is a good fit for a key-value or document-style data model such as Amazon DynamoDB, which provides fully managed horizontal scaling and predictable performance at scale.

Option B migrates the profile table to DynamoDB using AWS DMS with AWS Schema Conversion Tool (SCT). Video files are stored as objects in Amazon S3, which is designed for large, durable, and highly scalable object storage. The DynamoDB item stores only the S3 key that corresponds to each user’s video, keeping the database small and responsive. S3 can scale rapidly and independently of the database, and offloads the heavy I/O load of large objects away from the transactional store, so overall application performance is not negatively impacted by video storage or retrieval.

Option A stores the videos as base64-encoded strings in a TEXT column in a relational database. Storing multi-gigabyte objects directly in a relational database table leads to large row sizes, larger indexes, longer backup times, and degraded performance as the table grows. This does not meet the requirement to avoid affecting application performance.

Option C uses Amazon Keyspaces (for Apache Cassandra) as the profile store and S3 for video. While storing videos in S3 is correct, Keyspaces is typically chosen when there is already a Cassandra-based workload or a need for Cassandra-compatible interfaces. For a simple single-table user profile store being migrated from MySQL, DynamoDB is the more natural, managed choice and aligns better with AWS migration and modernization guidance.

Option D stores the videos as base64-encoded strings in DynamoDB items. DynamoDB has a maximum item size of 400 KB, which is far smaller than the 4 GB video size requirement. This makes option D technically infeasible.

Therefore, migrating user profile data to DynamoDB and storing video files in Amazon S3, with S3 keys stored in the corresponding DynamoDB items (option B), provides scalable video storage and protects application performance.

It can prevent the issue from happening again by monitoring the file system with the FreeStorageCapacity metric in Amazon CloudWatch and using Amazon EventBridge to invoke an AWS Lambda function to increase the capacity as required. This ensures that the file system always has enough free space to store user profiles and avoids reaching maximum capacity.

To meet the requirements for automatic key rotation of EC2 SSH key pairs with minimal downtime, storing the keys in AWS Secrets Manager and defining a rotation schedule is the most suitable solution. AWS Secrets Manager supports automatic rotation of secrets, including SSH keys, by invoking a Lambda function that can handle the creation of new key pairs and the replacement of public keys on EC2 instances. Updating the corresponding private keys in Secrets Manager ensures secure and centralized management of SSH keys, complying with the key rotation policy and minimizing operational overhead.

AWS Secrets Manager Documentation: Describes how to store and rotate secrets, including SSH keys, using Secrets Manager and Lambda functions.

AWS Lambda Documentation: Provides information on creating Lambda functions for custom secret rotation logic.

AWS Best Practices for Security: Highlights the importance of key rotation and how AWS services like Secrets Manager can facilitate secure and automated key management.