SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

When an IAM user appears to have the correct permissions but still receives Access Denied errors, especially in an AWS Organizations environment, the effective permissions must be evaluated across all permission layers. In AWS, permissions are the intersection of all applicable controls, and an explicit deny at any layer overrides any allow.

First, because the company uses AWS Organizations, service control policies (SCPs) must be evaluated. SCPs define the maximum permissions that accounts or organizational units can have. Even if an IAM user or IAM policy allows an action, an SCP attached to the account or OU can explicitly or implicitly deny that action. If an SCP does not allow s3:ListAllMyBuckets or related S3 read actions, the IAM user will not be able to list buckets in the S3 console and will see no buckets at all. Therefore, checking the SCPs applied to the OU or account is a required troubleshooting step.

Second, IAM permissions boundaries can further restrict the effective permissions of an IAM user. A permissions boundary defines the maximum permissions that an IAM user can exercise, regardless of what their attached policies allow. If the permissions boundary does not include the required Amazon S3 read-only permissions (such as s3:ListAllMyBuckets or s3:GetBucketLocation), the user will receive access denied errors even though the user’s IAM policy appears to allow read-only access. Reviewing whether a permissions boundary is attached, and whether it allows the necessary S3 actions, is essential.

Option A (checking bucket policies) can be relevant for access to specific buckets or objects, but a user seeing no buckets at all in the S3 console is more commonly caused by missing or denied account-level list permissions rather than individual bucket policies. Bucket policies generally do not control the ability to list all buckets in an account unless they contain explicit denies, which is less common as a first troubleshooting step in an Organizations setup.

Option B (checking ACLs) is less relevant because ACLs primarily control object-level and bucket-level access and are not typically used to manage console-level visibility of all buckets in an account. ACLs also do not commonly block the ListAllMyBuckets action.

Option E is incorrect because IAM users do not require IAM roles to access AWS services. Roles are assumed by users or services, but the presence or absence of a role attached to an IAM user does not affect the user’s direct permissions.

Therefore, the most appropriate troubleshooting steps are to check the SCPs applied through AWS Organizations and to verify whether an IAM permissions boundary is restricting the user’s effective permissions.

For an EC2 instance to appear as a managed instance in AWS Systems Manager, several prerequisites must be met. Two of the most fundamental requirements are that the Systems Manager Agent (SSM Agent) is installed and running on the instance, and that the instance has an IAM role attached that grants the necessary permissions for Systems Manager to communicate with the service.

When importing a VM from an on-premises environment, the resulting AMI might not include the SSM Agent by default, or the agent might not be enabled to start automatically. If the agent is missing or not running, the instance cannot register with Systems Manager, and it will not appear in the Systems Manager console as a managed instance. Therefore, verifying that the SSM Agent is installed and running is a primary troubleshooting step.

Additionally, the EC2 instance must have an IAM instance profile (role) attached that includes the permissions required by Systems Manager. Typically, this is achieved by attaching a role that includes the AmazonSSMManagedInstanceCore managed policy. Without the appropriate IAM role, even a correctly installed and running agent will not be able to register the instance or perform Systems Manager operations.

Option C (VPC endpoint existence) is not required in this scenario because the instance is in a public subnet and has a public IP address. In this case, the instance can communicate with the Systems Manager endpoints over the internet. VPC endpoints are required when instances do not have internet access (for example, in private subnets without NAT or public IPs), which is not the case here.

Option D (Application Discovery Agent) is unrelated. The AWS Application Discovery Agent is used for migration assessment and discovery of on-premises workloads, not for Systems Manager managed instance registration.

Option E (service-linked roles) is generally not a common cause for a single instance failing to appear as managed, especially when other Systems Manager functionality is working in the account. Service-linked roles for Systems Manager are usually created automatically when needed and do not typically prevent an individual instance from registering if the agent and instance role are correctly configured.

Therefore, the correct troubleshooting steps are to verify the presence and operation of the Systems Manager Agent and to ensure the EC2 instance has the correct IAM role attached.

Auto Scaling Group with Application Load Balancer:

Moving the Tomcat server to an Auto Scaling group ensures that the number of instances adjusts dynamically based on the traffic load. An Application Load Balancer (ALB) distributes incoming traffic across multiple instances, improving the application's reliability and availability.

Migrate to Amazon Aurora with Replica:

Migrating the MySQL database to Amazon Aurora and adding an Aurora Replica enhances the database's scalability and availability. Aurora is optimized for performance, and replicas help distribute read traffic, reducing the load on the primary instance.

Additional Public Subnet:

Creating an additional public subnet in a different Availability Zone enhances fault tolerance. This ensures that the website remains accessible even if one Availability Zone experiences issues.

References

AWS Well-Architected Framework

Amazon Aurora Documentation

For migration planning, AWS provides specific tooling to discover on-premises servers, collect detailed performance and configuration data, and analyze application dependencies. The primary service for this purpose is AWS Application Discovery Service, which integrates with AWS Migration Hub.

The AWS Application Discovery Agent is installed on on-premises physical servers and VMs. It collects detailed information such as CPU, memory, and disk utilization; processes and services running on the system; system configuration details; and network connections between systems. This allows the company to understand how servers communicate, what applications are running, and what dependencies exist between components.

This data is sent to AWS Application Discovery Service and surfaced through AWS Migration Hub, where the company can view discovered servers, group them logically into applications, and analyze migration readiness. Migration Hub can use this collected data to provide recommendations for EC2 instance sizing that are based on actual on-premises utilization metrics, helping choose appropriate EC2 instance types and sizes.

Option C directly describes installing the AWS Application Discovery Agent, using AWS Migration Hub to discover and group servers into applications, and using Migration Hub to generate EC2 instance recommendations. This aligns with AWS’s migration assessment tooling and meets all the stated goals: performance measurement, system configuration listing, network connection understanding, dependency analysis, and instance sizing recommendations.

Option A uses AWS Systems Manager Agent and Application Manager. While Systems Manager can manage servers and collect some information, it is not the primary tool for detailed migration discovery, networking dependency mapping, and migration-focused analysis. It also suggests using AWS Pricing Calculator for instance recommendations, which requires manual input and does not automatically derive recommendations from observed utilization and dependencies.

Option B suggests using the Amazon Inspector agent to gather performance and usage information. Amazon Inspector is designed for vulnerability and security assessments, not for detailed migration discovery or dependency mapping. Additionally, AWS Compute Optimizer currently bases its recommendations on usage metrics from AWS resources, not on-premises servers.

Option D uses the CloudWatch agent to collect metrics and then Migration Hub and Compute Optimizer. The CloudWatch agent is not the standard agent for migration discovery and dependency analysis of on-premises workloads. Also, Compute Optimizer focuses on optimization of existing AWS resources rather than creating recommendations based on on-premises utilization.

Therefore, installing the AWS Application Discovery Agent and using AWS Migration Hub (option C) is the correct solution to satisfy all the requirements for migration assessment and EC2 sizing recommendations.

https://repost.aws/knowledge-center/kinesis-readprovisionedthroughputexceeded

Follow Data Streams best practices

To mitigate ReadProvisionedThroughputExceeded exceptions, apply these best practices:

• Reshard your stream to increase the number of shards in the stream.

• Use consumers with enhanced fan-out. For more information about enhanced fan-out, see Developing custom consumers with dedicated throughput (enhanced fan-out).

• Use an error retry and exponential backoff mechanism in the consumer logic if ReadProvisionedThroughputExceeded exceptions are encountered. For consumer applications that use an AWS SDK, the requests are retried by default.

The best solution is to use AWS Database Migration Service (AWS DMS) to migrate thedata to AWS. AWS DMS is a web service that can migrate data from various sources to various targets, including MySQL databases. AWS DMS can perform full load and change data capture (CDC) migrations, which means that it can copy the existing data and also capture the ongoing changes to keep the source and target databases in sync. This minimizes the downtime during the migration process. AWS DMS also supports encryption at rest and in transit by using AWS Key Management Service (AWS KMS) and TLS, respectively. This ensures that the data is protected during the migration. AWS DMS can also leverage AWS Direct Connect to transfer the data over a private connection, avoiding the internet. This solution meets all the requirements of the company. References: AWS Database Migration Service Documentation, Migrating Data to Amazon RDS for MySQL or MariaDB, Using SSL to Encrypt a Connection to a DB Instance

Amazon AppStream 2.0 offers a streamlined solution for rehosting a Windows-based desktop application on AWS with minimal development effort. By creating an AppStream 2.0image that includes the application and using an On-Demand fleet for streaming, the application becomes accessible from any device, including Linux machines. AppStream 2.0 user pools can be used for authentication, simplifying access management without the need for extensive changes to the application or infrastructure.

AWS Documentation on Amazon AppStream 2.0 provides insights into setting up application streaming solutions. This approach is recommended for delivering desktop applications to diverse operating systems without the complexity of managing virtual desktops or extensive application refactoring.