SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

Searching for workable clues to ace the Amazon Web Services SAP-C02 Exam? You’re on the right place! ExamCert has realistic, trusted and authentic exam prep tools to help you achieve your desired credential. ExamCert’s SAP-C02 PDF Study Guide, Testing Engine and Exam Dumps follow a reliable exam preparation strategy, providing you the most relevant and updated study material that is crafted in an easy to learn format of questions and answers. ExamCert’s study tools aim at simplifying all complex and confusing concepts of the exam and introduce you to the real exam scenario and practice it with the help of its testing engine and real exam dumps

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
10
Next
Last >>

Question # 33

A company has an loT platform that runs in an on-premises environment. The platform consists of a server that connects to loT devices by using the MQTT protocol. The platform collects telemetry data from the devices at least once every 5 minutes The platform also stores device metadata in a MongoDB cluster

An application that is installed on an on-premises machine runs periodic jobs to aggregate and transform the telemetry and device metadata The application creates reports that users view by using another web application that runs on the same on-premises machine The periodic jobs take 120-600 seconds to run However, the web application is always running.

The company is moving the platform to AWS and must reduce the operational overhead of the stack.

Which combination of steps will meet these requirements with the LEAST operational overhead? (Select THREE.)

Use AWS Lambda functions to connect to the loT devices

Configure the loT devices to publish to AWS loT Core

Write the metadata to a self-managed MongoDB database on an Amazon EC2 instance

Write the metadata to Amazon DocumentDB (with MongoDB compatibility)

Use AWS Step Functions state machines with AWS Lambda tasks to prepare the reports and to write the reports to Amazon S3 Use Amazon CloudFront with an S3origin to serve the reports

Use an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with Amazon EC2 instances to prepare the reports Use an ingress controller in the EKS cluster to serve the reports

Full Access

Question # 34

A company operates quick-service restaurants. The restaurants follow a predictable model with high sales traffic for 4 hours daily Sales traffic is lower outside of those peak hours.

The point of sale and management platform is deployed in the AWS Cloud and has a backend that is based on Amazon DynamoDB. The database table uses provisioned throughput mode with 100.000 RCUs and 80.000 WCUs to match known peak resource consumption.

The company wants to reduce its DynamoDB cost and minimize the operational overhead for the IT staff.

Which solution meets these requirements MOST cost-effectively?

Reduce the provisioned RCUs and WCUs

Change the DynamoDB table to use on-demand capacity.

Enable Dynamo DB auto scaling tor the table

Purchase 1-year reserved capacity that is sufficient to cover the peak load for 4 hours each day.

Full Access

Question # 35

A company is using AWS CloudFormation to deploy its infrastructure. The company is concerned that, if a production CloudFormation stack is deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted.

How can the company prevent users from accidentally deleting data in this way?

Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS resources.

Configure a stack policy that disallows the deletion of RDS and EBS resources.

Modify 1AM policies to deny deleting RDS and EBS resources that are tagged with an " awsrcloudformation: stack-name " tag.

Use AWS Config rules to prevent deleting RDS and EBS resources.

Full Access

Question # 36

A company has many separate AWS accounts and uses no central billing or management. Each AWS account hosts services for different departments in the company. The company has a Microsoft Azure Active Directory that is deployed.

A solution architect needs to centralize billing and management of the companyâ€™s AWS accounts. The company wants to start using identify federation instead of manual user management. The company also wants to use temporary credentials instead of long-lived access keys.

Which combination of steps will meet these requirements? (Select THREE)

Create a new AWS account to serve as a management account. Deploy an organization in AWS Organizations. Invite each existing AWS account to join the organization. Ensure that each account accepts the invitation.

Configure each AWS Accountâ€™s email address to be aws+ < account id > @example.com so that account management email messages and invoices are sent to the same place.

Deploy AWS IAM Identity Center (AWS Single Sign-On) in the management account. Connect IAM Identity Center to the Azure Active Directory. Configure IAM Identity Center for automatic synchronization of users and groups.

Deploy an AWS Managed Microsoft AD directory in the management account. Share the directory with all other accounts in the organization by using AWS Resource Access Manager (AWS RAM).

Create AWS IAM Identity Center (AWS Single Sign-On) permission sets. Attach the permission sets to the appropriate IAM Identity Center groups and AWS accounts.

Configure AWS Identity and Access Management (IAM) in each AWS account to use AWS Managed Microsoft AD for authentication and authorization.

Full Access

Question # 37

A company runs a web application on AWS. The web application delivers static content from an Amazon S3 bucket that is behind an Amazon CloudFront distribution. The application serves dynamic content by using an Application Load Balancer (ALB) that distributes requests to a fleet of Amazon EC2 instances in Auto Scaling groups. The application uses a domain name setup in Amazon Route 53.

Some users reported occasional issues when the users attempted to access the website during peak hours. An operations team found that the ALB sometimes returned HTTP 503 Service Unavailable errors. The company wants to display a custom error message page when these errors occur. The page should be displayed immediately for this error code.

Which solution will meet these requirements with the LEAST operational overhead?

Set up a Route 53 failover routing policy. Configure a health check to determine the status of the ALB endpoint and to fail over to the failover S3 bucket endpoint.

Create a second CloudFront distribution and an S3 static website to host the custom error page. Set up a Route 53 failover routing policy. Use an active-passive configuration between the two distributions.

Create a CloudFront origin group that has two origins. Set the ALB endpoint as the primary origin. For the secondary origin, set an S3 bucket that is configured to host a static website Set up origin failover for the CloudFront distribution. Update the S3 static website to incorporate the custom error page.

Create a CloudFront function that validates each HTTP response code that the ALB returns. Create an S3 static website in an S3 bucket. Upload the custom error page to the S3 bucket as a failover. Update the function to read the S3 bucket and to serve the error page to the end users.

Full Access

Question # 38

A large payroll company recently merged with a small staffing company. The unified company now has multiple business units, each with its own existing AWS account.

A solutions architect must ensure that the company can centrally manage the billing and access policies for all the AWS accounts. The solutions architect configures AWS Organizations by sending an invitation to all member accounts of the company from a centralized management account.

What should the solutions architect do next to meet these requirements?

Create the OrganizationAccountAccess IAM group in each member account. Include the necessary IAM roles for each administrator.

Create the OrganizationAccountAccessPoIicy IAM policy in each member account. Connect the member accounts to the management account by using cross-account access.

Create the OrganizationAccountAccessRoIe IAM role in each member account. Grant permission to the management account to assume the IAM role.

Create the OrganizationAccountAccessRoIe IAM role in the management account. Attach the AdministratorAccess AWS managed policy to the IAM role.Assign the IAM role to the administrators in each member account.

Full Access

Question # 39

A company uses Microsoft Active Directory for user management and Microsoft Entra ID as an identity provider (IdP). The company uses an organization in AWS Organizations to manage multiple AWS accounts. The company establishes an AWS IAM Identity Center instance that is integrated with the IdP and creates the required user groups.

Multiple company departments and applications use Amazon S3. The company uses S3 bucket policies to manage permissions. As a result of the granular permissions the company creates, the policies grow so large that they reach the quota for S3 bucket policy length. The company needs to simplify the process of managing granular S3 bucket permissions for company identities.

Which solution will meet this requirement with the LEAST operational overhead?

Create an S3 Access Grant. Associate the S3 Access Grant with the IAM Identity Center instance. Create S3 Access Grants for the user groups based on business requirements by specifying the appropriate S3 bucket. Use the Amazon S3 API to grant the user groups temporary credentials to access the required S3 buckets.

Create an S3 access point for each of the S3 buckets. Create an AWS Lambda function to query data from Amazon S3 based on user permissions. Create an Object Lambda Access Point for the S3 access points. Associate the Lambda function with the Object Lambda Access Point.

Create an S3 access point for each of the S3 buckets. Block public access in the S3 access point settings. Create an access policy based on user requirements. Attach the access policy to the S3 access point. Use the S3 access point to access the S3 bucket.

Group users into appropriate OUs in Organizations. Create SCPs to grant access to specific S3 buckets based on business requirements. Attach the SCPs to the appropriate OUs. Use permission sets in IAM Identity Center to grant access the S3 buckets.

Full Access

Answer:

Explanation:

The company has many S3 buckets and many identities across multiple AWS accounts. It currently uses S3 bucket policies for granular authorization. As requirements grow, the bucket policies have become very large and have hit the maximum size limits. The company needs a way to express granular, identity-based access to S3 resources without relying on increasingly complex bucket policies.

AWS provides S3 Access Grants to centrally manage S3 data access based on identities. S3 Access Grants integrate with IAM Identity Center and external identity providers such as Microsoft Entra ID (formerly Azure AD). With S3 Access Grants, you define grants that associate specific identities or groups (from IAM Identity Center) with permissions on specific S3 buckets, prefixes, or objects. Access Grants maintain a mapping between identities and S3 resources without requiring large, per-bucket policies.

Option A describes exactly this approach. You create an S3 Access Grant configuration associated with the IAM Identity Center instance that is already integrated with the companyâ€™s IdP. You then define S3 Access Grants for the various user groups according to business requirements, specifying the appropriate S3 buckets and prefixes. When users access S3 through AWS tools that support S3 Access Grants, temporary credentials are issued that reflect the grants. This centralizes authorization management, reduces the size and complexity of S3 bucket policies, and minimizes operational overhead because you manage permissions per identity group rather than constantly editing long bucket policies.

Option B uses S3 access points and Object Lambda Access Points with a Lambda function for data filtering. This is more suitable for content transformation or redaction rather than primary authorization management. It adds operational complexity by requiring custom Lambda code and Object Lambda configuration, and it does not directly solve the problem of large bucket policies for fine-grained permissions.

Option C uses per-bucket S3 access points with attached policies. While access points can simplify some aspects of access control and allow per-application policies, using many access points with detailed policies can still lead to significant policy complexity. It also does not take advantage of the existing IAM Identity Center integration and does not centrally align permissions with identity groups.

Option D uses AWS Organizations service control policies (SCPs). SCPs are intended to define high-level guardrails and maximum permissions at the account or organizational unit level, not detailed, per-bucket or per-prefix access control for individual users or groups. Using SCPs to express granular S3 bucket permissions would be complex, hard to maintain, and not aligned with the purpose of SCPs.

Therefore, using S3 Access Grants integrated with IAM Identity Center (option A) provides a centralized, identity-aware, low-overhead way to manage granular S3 access without hitting S3 bucket policy size limits.

[References:AWS documentation on S3 Access Grants for identity-based, fine-grained access control to S3 resources integrated with IAM Identity Center.AWS best practices for separating high-level guardrails (SCPs) from resource-level permissions and using identity-aware S3 controls instead of overly large bucket policies., , , ]

Question # 40

A company has an application that analyzes and stores image data on premises The application receives millions of new image files every day Files are an average of 1 MB in size The files are analyzed in batches of 1 GB When the application analyzes a batch the application zips the imagestogether The application then archives the images as a single file in an on-premises NFS server for long-term storage

The company has a Microsoft Hyper-V environment on premises and has compute capacity available The company does not have storage capacity and wants to archive the images on AWS The company needs the ability to retrieve archived data within t week of a request.

The company has a 10 Gbps AWS Direct Connect connection between its on-premises data center and AWS. The company needs to set bandwidth limits and schedule archived images to be copied to AWS dunng non-business hours.

Which solution will meet these requirements MOST cost-effectively?

Deploy an AWS DataSync agent on a new GPU-based Amazon EC2 instance Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Glacier Instant Retrieval After the successful copy delete the data from the on-premises storage

Deploy an AWS DataSync agent as a Hyper-V VM on premises Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Glacier Deep Archive After the successful copy delete the data from the on-premises storage

Deploy an AWS DataSync agent on a new general purpose Amazon EC2 instance Configure the DataSync agent to copy the batch of files from the NFS on-premises server to Amazon S3 Standard After the successful copy deletes the data from the on-premises storage Create an S3 Lifecycle rule to transition objects from S3 Standard to S3 Glacier Deep Archive after 1 day

Deploy an AWS Storage Gateway Tape Gateway on premises in the Hyper-V environment Connect the Tape Gateway to AWS Use automatic tape creation Specify an Amazon S3 Glacier Deep Archive pool Eject the tape after the batch of images is copied

Full Access