SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

Connect to RDS outside of Lambda handler method to improve performancehttps://awstut.com/en/2022/04/30/connect-to-rds-outside-of-lambda-handler-method-to-improve-performance-en/

Using RDS Proxy, you can handle unpredictable surges in database traffic. Otherwise, these surges might cause issues due to oversubscribing connections or creating new connections at a fast rate. RDS Proxy establishes a database connection pool and reuses connections in this pool. This approach avoids the memory and CPU overhead of opening a new database connection each time. To protect the database against oversubscription, you can control the number of database connections that are created.https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html

This option allows the company to use Amazon CloudFront to improve the latency and availability of the API requests by caching the responses at the edge locations closest to the clients1. By enabling caching in the production stage, the company can reduce the number of calls made to the backend services, such as Lambda functions and Aurora Serverless DB cluster, and save on costs and resources2. This option also helps to handle traffic spikes and reduce database memory errors by serving cached responses instead of querying the database repeatedly.

Choosing an API endpoint type

Enabling API caching to enhance responsiveness

Option B is the best answer because separate regional Aurora PostgreSQL clusters keep raw customer PII in the Region where the data is collected, while AWS Glue DataBrew can transform, mask, or redact PII before datasets are used for cross-Region analytics. AWS documentation states that DataBrew can identify and mask PII using techniques such as substitution and shuffling, and AWS Glue sensitive-data transforms can detect, mask, or remove PII entities. Amazon Redshift Serverless then provides a managed analytics layer without requiring the company to operate data warehouse infrastructure. Option D is incorrect because Amazon Macie discovers and helps secure sensitive data in S3; it does not anonymize the data. Option C relies on custom Lambda anonymization and an awkward cross-Region QuickSight database access pattern.

Option B is correct because high-risk agent actions require a durable pause, human approval, and a controlled resume or cancellation path. Step Functions callback with task token is the cleanest pattern for this requirement. The workflow can stop progressing while waiting for approval without running compute continuously, and the task token uniquely correlates the pending approval response to the correct workflow execution. AWS documentation states that callback tasks pause a workflow until the task token is returned and that this pattern is suitable for human approvals and third-party integrations. Option A requires a custom polling application. Option C wastes compute by polling DynamoDB. Option D violates the requirement for human approval because a second agent automatically approves or rejects actions.

The best solution is to turn on the Concurrency Scaling feature for the Amazon Redshift cluster. This feature allows the cluster to automatically add additional capacity to handle bursts of read queries without affecting the performance of write queries. The additional capacity is transparent to the users and is billed separately based on the usage. This solution meets the business requirements of servicing read and write queries at all times andis also cost-effective compared to the other options, which involve provisioning additional resources or resizing the cluster. References: Amazon Redshift Documentation, Concurrency Scaling in Amazon Redshift

The key requirement is to provide access to a private Git repository while keeping the SageMaker notebook instances isolated from the internet. The environment is intentionally configured without internet access, and connectivity to AWS services is provided through VPC endpoints. Introducing a NAT gateway and routing to the internet would violate the requirement to keep the notebook instances isolated from the internet, and network ACLs cannot reliably restrict outbound access by URL or domain name because NACLs operate at the IP and port level and do not provide DNS-aware URL filtering.

SageMaker supports integrating Git repositories so that notebooks can pull code directly as part of the workflow. When using a private repository, credentials must be handled securely. Using AWS Secrets Manager to store and reference Git credentials allows authentication without embedding usernames and passwords in code or URLs and without granting broad network access. This approach meets the requirement with low operational overhead because it relies on managed SageMaker Git integration and managed secret storage rather than custom networking controls.

Option A uses SageMaker’s Git repository integration with the remote URL and stores credentials in AWS Secrets Manager. This allows notebooks to access the private repository in a controlled, auditable way while preserving the “no internet access” posture of the VPC design (because it does not require adding a NAT gateway or public routes).

Option B is not appropriate because embedding credentials (even just usernames) in URLs is not a secure or robust credential management practice. It also does not solve private authentication in a secure manner and can lead to credential leakage through logs or configuration.

Options C and D are not correct because they require adding a NAT gateway and routing to the internet. That directly conflicts with the requirement that SageMaker notebook instances remain isolated from the internet. Additionally, the proposed restriction mechanism is invalid: network ACLs cannot restrict traffic to a specific URL. They only allow/deny traffic based on IP addresses, ports, and protocols. A Git repository can resolve to multiple IPs, can change IPs, and can use CDNs, making NACL-based IP allowlisting brittle and operationally heavy.

Therefore, integrating the Git repository with SageMaker and using Secrets Manager for credentials is the best solution with the least operational overhead while maintaining internet isolation.

Option A is incorrect because creating a Direct Connect gateway in the central account and creating an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway does not enable active-passive failover between the regions. A Direct Connect gateway is a globally available resource that enables you to connect your AWS Direct Connect connection over a private virtual interface (VIF) to one or more VPCs in any AWS Region. A virtual private gateway is the VPN concentrator on the Amazon side of a VPN connection. You can associate a Direct Connect gateway with either a transit gateway or a virtual private gateway. However, a Direct Connect gateway does not provide any load balancing or failover capabilities by itself1

Option B is correct because creating a Direct Connect gateway and a transit gateway in the central network account and attaching the transit gateway to the Direct Connect gateway by using a transit VIF meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. A transit VIF is a type of private VIF that you can use to connect your AWS Direct Connect connection to a transit gateway or a Direct Connect gateway. A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. By using a transit VIF, you can route traffic between your on-premises network and multiple VPCs across different AWS accounts and Regions through a single connection23

Option C is incorrect because provisioning an internet gateway, attaching the internet gateway to subnets, and allowing internet traffic through the gateway does not meet the requirement of routing cloud resources to the internet through its on-premises data center. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. By using an internet gateway, you are routing cloud resources directly to the internet, not through your on-premises data center.

Option D is correct because sharing the transit gateway with other accounts and attaching VPCs to the transit gateway meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. You can share your transit gateway with other AWS accounts within the same organization by using AWS Resource Access Manager (AWS RAM). This allows you to centrally manage connectivity from multiple accounts without having to create individual peering connections between VPCs or duplicate network appliances in each account. You can attach VPCs from different accounts and Regions to your shared transit gateway and enable routing between them.

Option E is incorrect because provisioning VPC peering as necessary does not meet the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within asingle Region. However, VPC peering does not allow you to route traffic from your on-premises network to your VPCs or between multiple Regions. You would need to create multiple VPN connections or Direct Connect connections for each VPC peering connection, which increases operational complexity and costs.

Option F is correct because provisioning only private subnets, opening the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center meets the requirement of routing cloud resources to the internet through its on-premises data center. A private subnet is a subnet that’s associated with a route table that has no route to an internet gateway. Instances in a private subnet can communicate with other instances in the same VPC but cannot access resources on the internet directly. To enable outbound internet access from instances in private subnets, you can use NAT devices such as NAT gateways or NAT instances that are deployed in public subnets. A public subnet is a subnet that’s associated with a route table that has a route to an internet gateway. Alternatively, you can use your on-premises data center as a NAT device by configuring routes on your transit gateway and customer gateway that direct outbound internet traffic from your private subnets through your VPN connection or Direct Connect connection. This way, you can route cloud resources to the internet through your on-premises data center instead of using an internet gateway.