Free Amazon Web Services SAP-C02 Practice Exam with Questions & Answers | Set: 4

Configuring read replicas for Amazon RDS MySQL and using the single reader endpoint in the web application can significantly reduce the load on the backend database tier, improving overall application performance. Additionally, implementing an Amazon ElastiCache cluster between the web application and RDS MySQL instances can further reduce database load by caching frequently accessed data, thereby enhancing the application's resilience and scalability. These changes address the root cause of the outage by alleviating the database tier's high load and preventing similar issues in the future.

AWS Documentation on Amazon RDS Read Replicas and Amazon ElastiCache provides comprehensive guidance on improving application performance and scalability by offloading read traffic from the primary database and caching common queries. These solutions are in line with AWS best practices for building resilient and scalable web applications.

Since the company is already using Kubernetes manifests,Amazon EKSis a natural fit. It’s a managed Kubernetes control plane and works withAmazon Aurora PostgreSQL, a highly available DB service.

What is EKS?

The company needs to upgrade DocumentDB to the latest version with no data loss while allowing continuous reads and writes. The company also must be able to test and verify the upgrade before switching production traffic. This is a classic requirement for performing an upgrade using a blue/green approach: build a new target environment on the new version, keep it in sync with the source, validate it, and then cut over by changing the endpoint (here, Route 53 DNS).

Option A implements this pattern using a new DocumentDB cluster running the latest version and AWS DMS to continuously migrate and replicate changes from the old cluster to the new cluster. Because the workload is continuously changing, a one-time export/import is insufficient; continuous replication is needed to keep the target cluster current during the test period. AWS DMS supports a “migrate and replicate” style of task that performs a full load and then applies ongoing changes (CDC) so the target stays synchronized. The question also states that change streams are enabled with a 24-hour retention period, which supports capturing and applying changes during migration/validation and helps ensure the replication stream can be maintained while testing.

Option A also addresses indexes by using the DocumentDB Index Tool to export and import indexes, which is important because indexes can affect query performance and behavior. After the company validates the new cluster, the cutover is done by updating the Route 53 record to point to the new cluster endpoint, switching all backend services without changing application configuration beyond DNS resolution.

Option B uses MongoDB CLI tools to export/import. This is not suitable for continuous write workloads because export/import is a point-in-time operation and would require downtime or risk data divergence during the test period. It also adds more operational overhead and does not provide continuous replication for the duration of validation.

Option C performs an in-place major version upgrade. That does not satisfy the requirement to test and verify the upgrade before backend services use the upgraded version because the upgrade happens directly on the production cluster. Even though a snapshot exists for rollback, production is still exposed to the upgrade immediately, which violates the requirement for pre-cutover verification.

Option D is incorrect because AWS DataSync transfers files between storage systems such as NFS/SMB and AWS storage services. It is not a database migration or replication service and cannot copy a DocumentDB database in a way that preserves database semantics and supports continuous replication.

Therefore, creating a new DocumentDB cluster, keeping it synchronized using AWS DMS (supported by change stream retention), validating it, and then cutting over via Route 53 DNS update (option A) meets all requirements.

Aurora Auto Scaling enables your Aurora DB cluster to handle sudden increases in connectivity or workload. When the connectivity or workload decreases, Aurora AutoScaling removes unnecessary Aurora Replicas so that you don't pay for unused provisioned DB instances

it covers all the requirements mentioned in the question, it will allow collecting the detailed metrics, including process information and it provides a way to query and analyze the data using Amazon Athena.

Migrate the database to Amazon Aurora MySQL. - Create an Amazon Aurora Replica. - Use RDS Proxy in front of the database. - These options are correct because they address the requirement of reducing the failover time to less than 20 seconds. Migrating to Amazon Aurora MySQL and creating an Aurora replica can reduce the failover time to less than 20 seconds. Aurora has a built-in, fault-tolerant storage system that can automatically detect and repair failures. Additionally, Aurora has a feature called "Aurora Global Database" which allows you to create read-only replicas across multiple AWS regions which can further help to reduce the failover time. Creating an Aurora replica can also help to reduce the failover time as it can take over as the primary DB instance in case of a failure. Using RDS proxy can also help to reduce the failover time as it can route the queries to the healthy DB instance, it also helps to balance the load across multiple DB instances.

A is correct because:

App2Containersupports packaging .NET Framework apps into containers without porting to .NET Core.

ECS with EC2gives full control over the OS and patching.

ALBhandles microservice-level load balancing.

RDS for SQL Serverwith Multi-AZ ensures high availability.

Options B, C, and D involve Aurora MySQL (incompatible with SQL Server features) orrequire .NET Core, which involves more significant application changes.

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

https://docs.aws.amazon.com/cur/latest/userguide/billing-cur-limits.html

The requirement is to allow each OU (which contains multiple accounts) to view a cost breakdown across its accounts. In an AWS Organizations setup with consolidated billing, the management account is the central place where organization-level cost and usage reporting is configured and aggregated. The Cost and Usage Report is designed to produce the most detailed cost and usage dataset, and it can include charges for linked (member) accounts. A single CUR created from the management account can include all accounts in the organization, and then filtering can be applied to show cost breakdowns per OU or per team.

Once the CUR is delivered to Amazon S3, analytics tools such as Amazon Athena and Amazon QuickSight can be used to create dashboards. Teams can be provided access to the dataset or curated views and can filter by linked account, tags, and other dimensions. With appropriate cost allocation tags and organizational mapping (for example, account-to-OU mapping maintained in reporting logic), each OU can see its consolidated view.

Option B meets the requirements because it creates one CUR centrally from the management account and uses QuickSight for visualization. This approach is scalable for hundreds of accounts and avoids duplicating CUR configuration in each member account.

Option A is incorrect because AWS Resource Access Manager is not used to create CURs per OU. CUR is not an OU-scoped resource created via RAM.

Option C is not operationally efficient because it requires creating and managing CURs in each member account, producing fragmented datasets and significantly increasing overhead at hundreds of accounts. It also makes it harder to generate a single view per OU across accounts.

Option D is incorrect because Systems Manager does not create CURs, and OpsCenter dashboards are not the standard tool for cost and usage reporting.

Therefore, a centrally created CUR in the management account with QuickSight visualization is the correct solution.

https://docs.aws.amazon.com/appsync/latest/devguide/graphql-overview.html

AWS AppSync is a fully managed GraphQL service that allows applications to securely access, manipulate, and receive data as well as real-time updates from multiple data sources1. AWS AppSync supports GraphQL subscriptions to perform real-time operations and can push data to clients that choose to listen to specific events from the backend1. AWS AppSync uses WebSockets to establish and maintain a secure connection between the clients and the API endpoint2. Therefore, using AWS AppSync and leveraging WebSockets is a suitable design to reduce comment latency and improve user experience.

https://aws.amazon.com/es/blogs/industries/how-to-monitor-alert-and-remediate-non-compliant-hipaa-findings-on-aws/

The company wants a centralized enforcement mechanism across hundreds of AWS accounts. The control must ensure that any S3 access points that product teams create are VPC-only and cannot be internet-accessible. The most operationally efficient solution is one that applies across the organization without requiring per-account deployments, per-bucket policies, or per-access-point configuration.

Service control policies (SCPs) in AWS Organizations are designed to provide centralized guardrails that define the maximum available permissions for accounts in an organization. By attaching an SCP at the organization root (or to OUs as needed), the company can enforce that no principal in any account can create an S3 access point unless the request specifies a VPC network origin. This aligns directly with the requirement to enforce “VPC-only” access points consistently across all accounts with minimal ongoing operational work.

Option B uses an SCP at the root to deny s3:CreateAccessPoint unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC. This is the correct organization-wide preventive control.

Option A is not correct because an S3 access point resource policy is attached to an access point after it exists and is primarily used to control access to the access point. It is not a reliable organization-wide preventive mechanism to enforce how access points are created across hundreds of accounts. Also, it requires access point-by-access point management, which increases operational overhead.

Option C is less operationally efficient because StackSets deployment across hundreds of accounts introduces additional operational steps and drift management. It also relies on account-level IAM permissions being properly used and does not provide a simple, centralized “cannot be bypassed” guardrail in the same way that an SCP does.

Option D is incorrect because S3 bucket policies control access to bucket resources and objects. They do not function as an organization-wide control to prevent creation of access points across accounts, and they would require bucket-by-bucket management rather than a centralized enforcement mechanism.

Therefore, a root-level SCP that denies access point creation unless the access point network origin is VPC is the most operationally efficient enforcement approach.