SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

The company does not have a data inventory and needs to identify which S3 buckets contain sensitive data. The appropriate AWS managed service for discovering and classifying sensitive data in S3 is Amazon Macie. Macie is designed to discover, classify, and report on sensitive data such as PII in S3 buckets. Amazon Inspector is primarily focused on vulnerability management for compute and container resources and does not provide S3 sensitive data classification in the way Macie does.

After identifying sensitive data locations, the company needs to ensure sensitive data is encrypted with a key that only administrators can access. SSE-S3 uses S3-managed keys and does not provide fine-grained administrative control of key usage in the same way as SSE-KMS with a customer managed key. Using AWS KMS customer managed keys allows the company to control access through key policies and IAM policies so that only designated administrator principals can use or manage the key.

The requirement also implies existing objects already encrypted with SSE-S3 need to be re-encrypted with SSE-KMS for sensitive objects. Changing default encryption only affects new objects. Existing objects must be rewritten (copied over themselves or copied to a new location) using SSE-KMS with the customer managed key. An orchestrated workflow is a common approach to iterate over identified objects and perform copy operations with the desired encryption settings.

Option C uses Macie for discovery, creates a KMS customer managed key restricted to administrators, sets bucket default encryption to SSE-KMS for future objects, and uses a Step Functions workflow to re-encrypt existing sensitive objects. This meets both the discovery requirement and the encryption/control requirement.

Option A is incorrect because Inspector is not the right service to inventory sensitive data in S3. Although the use of a customer managed KMS key and bucket policy enforcement is directionally correct for controlling encryption on writes, the first step (sensitive data discovery) is wrong.

Option B is incorrect because AWS managed keys cannot have their key policies modified by customers in the way customer managed keys can. Also, Inspector is not the right tool for sensitive data discovery in S3.

Option D is incorrect for the same reasons: it relies on Macie correctly for discovery but then attempts to modify an AWS managed key policy, which is not the correct method for restricting access. To restrict access, the company should use a KMS customer managed key with an appropriate key policy.

Therefore, using Amazon Macie plus an AWS KMS customer managed key and a workflow to re-encrypt existing sensitive objects is the correct solution.

Answer B (AWS Global Accelerator) best meets both requirements: fastest failover from application failures and the lowest response time for global users. Global Accelerator is designed for global, latency-sensitive, highly available applications. It uses static Anycast IP addresses so users enter the AWS network at the nearest edge location, then traffic is carried over the AWS global backbone to the closest healthy regional endpoint (in this case, each Region’s ALB). It continuously performs health checks and can rapidly shift traffic away from unhealthy endpoints, which helps “handle application failures quickly” without being constrained by DNS caching behavior.

Why the other options are less suitable:

C (Route 53 latency-based routing + health checks) can improve routing and failover, but it is still DNS-based. DNS-based failover can be delayed by DNS resolver caching and TTL propagation, meaning failover may not be as fast or as consistent as Global Accelerator for rapid recovery.

A (CloudFront with origin group) can provide origin failover and performance benefits mainly for cacheable or edge-optimizable content. For a payment processing API (typically dynamic and not cache-friendly), CloudFront is not the primary service for achieving the least response time globally with fast multi-Region failover compared with Global Accelerator’s Anycast + edge routing model.

D (AWS Cloud WAN) addresses private network connectivity and centralized network policy across Regions/VPCs. It does not directly optimize public user-to-application latency or provide the same kind of edge-based, Anycast-driven rapid failover for internet-facing API endpoints.

Option B is correct because CloudFormation Git sync is built specifically to connect CloudFormation stacks to source-controlled templates and deployment files in Git repositories. It supports GitHub Enterprise as a provider, can monitor repository changes, and can update stacks after approved changes are merged. AWS documentation states that Git sync works with pull requests and can post comments explaining what changes will be made before a stack update. This directly satisfies the requirement for automatic change set visibility on pull requests without building custom CodePipeline logic or manually processing templates. Option A introduces a custom pipeline, which the question explicitly rejects. Drift detection compares deployed resources against expected configuration; it does not create pull-request change sets. Lambda Hooks evaluate resources during CloudFormation operations but do not provide native Git pull-request synchronization.

This solution will meet the requirements with the least operational overhead because it allows the company to modify the existing environment ' s capacity configuration, so it becomes a load-balanced environment type. By selecting all availability zones, the company can ensure that the application is running in multiple availability zones, which can help to improve the availability and scalability of the application. The company can also add a scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes, which can help to mitigate the performance issues. This solution does not require creating new Elastic Beanstalk environments or rebuilding the existing one, which reduces the operational overhead.

You can refer to the AWS Elastic Beanstalk documentation for more information on how to use this service:https://aws.amazon.com/elasticbeanstalk/You can refer to the AWS documentation for more information on how to use autoscaling:https://aws.amazon.com/autoscaling/

Configuring the Aurora MySQL DB cluster to publish slow query and error logs to AmazonCloudWatch Logs will allow the solutions architect to monitor and troubleshoot the database performance by identifying slow or problematic queries1. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Implementing the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for Java will allow the solutions architect to measure and map the end-to-end latency and performance of the web application3. X-Ray traces show how requests travel through the application components, such as web servers, load balancers, microservices, and databases4. X-Ray also provides features such as service maps, annotations, histograms, and error rates to analyze and optimize the application performance.

Installing and configuring an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs will allow the solutions architect to monitor and troubleshoot the web server performance by collecting and storing the Apache access and error logs. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Publishing Aurora MySQL logs to Amazon CloudWatch Logs

Working with log data in CloudWatch Logs

Instrumenting your application with the X-Ray SDK for Java

Tracing requests with AWS X-Ray

[Analyzing application performance with AWS X-Ray]

[Using CloudWatch Logs with your Apache web server]

D is correct becauseRDS for PostgreSQLsupportsforeign data wrappers (FDW)that allow querying remote Oracle databases. WithAWS Schema Conversion Tool (SCT)andDatabase Migration Service (DMS), schema and data can be migrated effectively.AWS Direct Connectensures secure, private connectivity to on-prem databases. Cron jobs can be run via EventBridge or external orchestration.

A doesn ' t support relational/spatial querying.

B doesn’t support FDW or spatial types.

C introduces unnecessary complexity.

Option A is correct because SageMaker AI Notebook Instances support Git repositories as SageMaker resources, and private repository credentials can be stored in AWS Secrets Manager. This satisfies the requirement with the least operational overhead because the notebook instances can remain isolated from direct internet access while SageMaker manages repository association and authentication. Placing credentials inside a URL is insecure and does not properly solve credential management. NAT gateway options introduce internet egress into the VPC, which conflicts with the isolation requirement and adds operational and security complexity. Network ACLs are not suitable for controlling access to a specific Git URL because they operate at the subnet and IP/port level, not at an application URL level. (AWS Documentation)

===============