SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

The CAPABILITY_NAMED_IAM capability is required when creating or updating CloudFormation stacks that contain IAM resources with custom names. This capability acknowledges that the template mightcreate IAM resources that have broad permissions or affect other resources in the AWS account. The stack set’s template contains an IAM role that has a custom name, so this capability is needed. Enabling the new Regions in all relevant accounts is also necessary to deploy the stack set across multiple Regions and accounts.

Option B is incorrect because the Service Quotas console is used to view and manage the quotas for AWS services, not for CloudFormation stacks. The number of stacks per Region per account is not a service quota that can be increased.

Option C is incorrect because the SELF_MANAGED permissions model is used when the administrator wants to retain full permissions to manage stack sets and stack instances. This model does not affect the creation of the stack set or the requirement for the CAPABILITY_NAMED_IAM capability.

Option D is incorrect because an administration role ARN is optional when creating a stack set. It is used to specify a role that CloudFormation assumes to create stack instances in the target accounts. It does not affect the creation of the stack set or the requirement for the CAPABILITY_NAMED_IAM capability.

1: AWS CloudFormation stack sets

2: Acknowledging IAM resources in AWS CloudFormation templates

3: AWS CloudFormation stack set permissions

step function could run a scheduled task when triggered by eventbrige, but why would you add that layer of complexity just to run aws batch when you could directly invoke it through eventbridge. The link provided - https://aws.amazon.com/pt/blogs/compute/orchestrating-high-performance-computing-with-aws-step-functions-and-aws-batch/ makes sense only for HPC, this is a single instance that needs to be run

https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-suspend-resume-processes.html

Gateway VPC Endpoint for S3:

Create a gateway VPC endpoint for Amazon S3 in your VPC. This allows instances in your VPC to communicate with Amazon S3 without going through the internet, reducing data transfer costs and improving security.

Add Spot Instances to ECS Cluster:

Add another ECS capacity provider that uses an Auto Scaling group of Spot Instances. Configure this new capacity provider to share the load with the existing On-Demand Instances by setting an appropriate weight in the capacity provider strategy. Spot Instances offer significant cost savings compared to On-Demand Instances.

Configure Capacity Provider Strategy:

Adjust the ECS service's capacity provider strategy to utilize both On-Demand and Spot Instances effectively. This ensures a balanced distribution of tasks across both instance types, optimizing cost while maintaining availability.

By implementing a gateway VPC endpoint for S3 and incorporating Spot Instances into the ECS cluster, the company can significantly reduce operational costs without compromising on the availability or performance of the platform.

References

AWS Cost Optimization Blog on VPC Endpoints

AWS ECS Documentation on Capacity Providers

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

AWS IoT Core’spre-provisioning hookallows custom logic (like serial number validation)beforea device is registered. This ensures that only installed devices connect. Lambda is ideal for such logic.

AWS IoT Just-in-Time Provisioning

A Direct Connect gateway allows you to connect multiple VPCs across different Regions to a Direct Connect connection1. A public VIF allows you to access AWS public services such as EC21. A Site-to-Site VPN connection over the public VIF provides encryption and redundancy for the traffic between the on-premises data center and the VPCs2. This solution is cheaper than setting up additional Direct Connect connections or using a private VIF with VPC peering.

D is correct because thehealth check grace perioddefines how long Auto Scaling waits after launching an instance before checking its health status. With the larger content added to the S3 bucket, the instance initialization (via user data) is taking longer. Increasing the grace period allows the instance time to complete startup tasks before it’s marked as unhealthy.

Option A would not necessarily reduce startup time — the issue is likely network latency or the size of the content.

Option B only affects the timeout for health check responses, not the delay before they begin.

Option C is not applicable unless the health check path itself is invalid (which isn't mentioned).