Free Amazon Web Services SAP-C02 Practice Exam with Questions & Answers | Set: 10

Hosting the .NET Core components on Amazon ECS with the Amazon EC2 launch type will meet the requirements of having complex orchestration and full control over networking and host configuration. Amazon ECS is a fully managed container orchestration service that supports both AWS Fargate and Amazon EC2 as launch types. The Amazon EC2 launch type allows users to choose their own EC2 instances, configure their own networking settings, and access their own host operating systems. Hosting the database on Amazon Aurora MySQL Serverless v2 will meet the requirements of having a strongly relational database model and using the same database engine as SQL Server. MySQL is a compatible relational database engine with SQL Server, and it can support most of the legacy application’s database model. Amazon Aurora MySQL Serverless v2 is a serverless version of Amazon Aurora MySQL that can scale up and down automatically based on demand. Using Amazon SQS for asynchronous messaging will meet the requirements of providing a compatible replacement for MSMQ, which is a queue-based messaging system3. Amazon SQS is a fully managed message queuing service that enables decoupled and scalable microservices, distributed systems, and serverless applications.

Option Ais the most lightweight and scalable approach. By updating the VPC’sDHCP options set, you automatically configure all EC2 instances to use your on-premises NTP server. No extra software or infrastructure is required.

VPC DHCP Options Docs

The requirement is to continuously scan all AWS resources in this solution for security vulnerabilities with the least operational overhead. The environment includes Amazon EKS worker nodes in a managed node group and an Amazon ECR repository that stores container images used by the EKS cluster.

Amazon Inspector is a managed vulnerability scanning service that integrates directly with multiple AWS resource types. It can automatically discover Amazon EC2 instances (including EKS managed node group instances) and perform continuous vulnerability assessments against them, using software inventory and known CVE databases. Inspector also integrates with Amazon ECR to scan container images for vulnerabilities when images are pushed to the repository and periodically thereafter, providing continuous assessment of image security posture without requiring separate scanners or infrastructure.

By activating Amazon Inspector for the account and region, the service will automatically start tracking supported resources, including EKS-managed EC2 instances and ECR repositories, and will begin scanning them for known vulnerabilities. Findings are provided through the Inspector console and can be integrated with other services such as AWS Security Hub or Amazon EventBridge for further aggregation and automation, but no separate infrastructure deployment or maintenance is required.

Option B, therefore, provides end-to-end vulnerability scanning for both the EKS nodes and the ECR images with minimal operational overhead, because it leverages a fully managed AWS service that automatically discovers and scans supported resources.

Option A is not correct because AWS Security Hub does not itself perform vulnerability scanning. Security Hub aggregates and normalizes security findings from various AWS services, including Amazon Inspector, GuardDuty, and others. It is a security posture management and aggregation service, not a vulnerability scanner.

Option C introduces additional operational overhead by requiring the company to provision, configure, secure, and maintain a separate EC2 instance running a third-party vulnerability scanning tool. While ECR basic scan-on-push can detect some image vulnerabilities, the EC2-based scanner must be managed, updated, and scaled by the customer, which violates the requirement for the least operational overhead when a fully managed alternative exists.

Option D is incorrect because the Amazon CloudWatch agent is used for metrics and log collection from EC2 instances and other environments; it does not perform vulnerability scanning or CVE analysis. Configuring CloudWatch for monitoring and logging does not meet the requirement to continuously scan for security vulnerabilities. ECR basic scans also provide only image-level scanning and do not cover the EKS nodes themselves.

Therefore, enabling Amazon Inspector to scan both the EKS nodes and the ECR repository, as described in option B, is the solution that meets the continuous vulnerability scanning requirement with the least operational overhead.

A. High performance computing (HPC) workload cluster should be in a single AZ.

C. Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instances to accelerate High Performance Computing (HPC)

F. Amazon FSx for Lustre - Use it for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-https-connection-fails/

Using an Amazon S3 bucket

Using a MediaStore container or a MediaPackage channel

Using an Application Load Balancer

Using a Lambda function URL

Using Amazon EC2 (or another custom origin)

Using CloudFront origin groups

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html

Option C is the correct and most efficient solution, aligning with AWS best practices for secure and private connectivity:

Create VPC Endpoints for Systems Manager and Amazon S3:

Systems Manager VPC Endpoints: By creating interface VPC endpoints for Systems Manager (com.amazonaws.region.ssm, com.amazonaws.region.ec2messages, and com.amazonaws.region.ssmmessages), the EC2 instances can communicate with Systems Manager services without requiring internet access. This setup ensures that patching operations can be conducted securely within the AWS network.

Amazon S3 VPC Endpoint: A gateway VPC endpoint for Amazon S3 (com.amazonaws.region.s3) allows EC2 instances to access S3 buckets privately. This is essential for accessing application data stored in S3 without traversing the public internet.

Configuring an S3 Lifecycle policy to expire incomplete multipart uploads after 7 days prevents storage of partially uploaded objects, avoiding unnecessary costs from failed uploads.

Additionally, implementing a lifecycle policy to transition objects to S3 Standard-IA after 180 days ensures older videos that are rarely accessed move to a lower-cost storage class, significantly reducing storage costs.

These measures are aligned with AWS cost optimization best practices for S3 data lifecycle management.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/security-best-practices.html#use-iam-to-control-accesshttps://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html

it describes a solution that uses an Application Load Balancer (ALB) and an Auto Scaling group for the MQTT broker. The ALB distributes incoming traffic across the instances in the Auto Scaling group and allows for automatic scaling based on incoming traffic. The use of an alias record in Route 53 allows for easy updates to the DNS record without changing the IP address. This solution improves the reliability of the MQTT broker by allowing it to automatically scale based on incoming traffic, reducing the likelihood of lost data due to broker overload.

The company should create a Network Load Balancer (NLB) and associate it with one static IP address in multiple Availability Zones. The company should also create an ALB-type target group for the NLB and add the existing ALB. The company should add the NLB IP addresses to the firewall appliance and update the clients to connect to the NLB. This solution will allow traffic flow to AWS from the on-premises network by using static IP addresses that can be added to the firewall appliance’s allow list. The NLB will forward requests to the ALB, which will use path-based routing to forward requests to the target groups.

The company should use AWS Amplify to create a static website for uploads of media files. The company should use Amplify Hosting to serve the website through Amazon CloudFront. The company should use Amazon S3 to store the uploaded media files. The company should use Amazon Cognito to authenticate users. This solution will meet the requirements with the least operational overhead because AWS Amplify is a complete solution that lets frontend web and mobile developers easily build, ship, and host full-stack applications on AWS, with the flexibility to leverage the breadth of AWS services as use cases evolve. No cloud expertise needed1. By using AWS Amplify, the company can refactor the application to a serverless architecture that reduces operational complexity and costs. AWS Amplify offers the following features and benefits:

Amplify Studio: A visual interface that enables you to build and deploy a full-stack app quickly, including frontend UI and backend.

Amplify CLI: A local toolchain that enables you to configure and manage an app backend with just a few commands.

Amplify Libraries: Open-source client libraries that enable you to build cloud-powered mobile and web apps.

Amplify UI Components: Open-source design system with cloud-connected components for building feature-rich apps fast.

Amplify Hosting: Fully managed CI/CD and hosting for fast, secure, and reliable static and server-side rendered apps.

By using AWS Amplify to create a static website for uploads of media files, the company can leverage Amplify Studio to visually build a pixel-perfect UI and connect it to a cloud backend in clicks. By using Amplify Hosting to serve the website through Amazon CloudFront, the company can easily deploy its web app or website to the fast, secure, and reliable AWS content delivery network (CDN), with hundreds of points of presence globally. Byusing Amazon S3 to store the uploaded media files, the company can benefit from a highly scalable, durable, and cost-effective object storage service that can handle any amount of data2. By using Amazon Cognito to authenticate users, the company can add user sign-up, sign-in, and access control to its web app with a fully managed service that scales to support millions of users3.

The other options are not correct because:

Using AWS Application Migration Service to migrate the application server to Amazon EC2 instances would not refactor the application or accelerate development. AWS Application Migration Service (AWS MGN) is a service that enables you to migrate physical servers, virtual machines (VMs), or cloud servers from any source infrastructure to AWS without requiring agents or specialized tools. However, this would not address the challenges of overutilization and data uploads failures. It would also not reduce operational overhead or costs compared to a serverless architecture.

Creating a static website for uploads of media files and using AWS AppSync to create an API would not be as simple or fast as using AWS Amplify. AWS AppSync is a service that enables you to create flexible APIs for securely accessing, manipulating, and combining data from one or more data sources. However, this would require more configuration and management than using Amplify Studio and Amplify Hosting. It would also not provide authentication features like Amazon Cognito.

Setting up AWS IAM Identity Center (AWS Single Sign-On) to give users the ability to sign in to the application would not be as suitable as using Amazon Cognito. AWS Single Sign-On (AWS SSO) is a service that enables you to centrally manage SSO access and user permissions across multiple AWS accounts and business applications. However, this service is designed for enterprise customers who need to manage access for employees or partners across multiple resources. It is not intended for authenticating end users of web or mobile apps.

The Auto Scaling group can automatically launch and terminate EC2 instances based on the demand and health of the web application. The launch template can specify the configuration of the EC2 instances, such as the AMI, instance type, security group, and user data. The existing ALB can distribute the traffic to the EC2 instances in the Auto Scaling group. The existing EC2 instances can be attached to the Auto Scaling group without deleting them or the ALB. This option minimizes downtime and preserves the current setup of the web application. References: [What is Amazon EC2 Auto Scaling?], [Launch templates], [Attach a load balancer to your Auto Scaling group], [Attach EC2 instances to your Auto Scaling group]

https://repost.aws/knowledge-center/ecs-fargate-service-auto-scaling

Migration Hub Discovery Agentcollectsdeep host-level data, includingprocesses, connections, dependencies, etc. Combined withStrategy Recommendations, it offers accurate insights for planning cloud migration.

Migration Hub Strategy Recommendations