Free Amazon Web Services SAP-C02 Practice Exam with Questions & Answers | Set: 6

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

The requirement is to reduce application latency for a globally distributed user base, with users primarily in the United States but increasing usage in Europe and the Middle East. The application is read-heavy and uses Amazon DynamoDB as its data store. Reducing latency for global users requires placing both the application compute and the data closer to users in each Region.

Option D uses the correct multi-Region architecture. Deploying the application to multiple AWS Regions places Amazon EKS workloads closer to end users. Converting the DynamoDB table to a global table creates fully managed, multi-Region replicas of the data with low-latency replication. This allows reads to be served locally from the nearest DynamoDB replica, significantly reducing read latency for users outside the primary Region. Because the workload is read-heavy, this design is particularly effective.

Route 53 geolocation routing directs users to the Region closest to them based on their geographic location. Combined with health checks and Evaluate Target Health, this ensures users are routed to the nearest healthy Region, improving both latency and availability.

Option A is incorrect because global secondary indexes do not replicate data across Regions. GSIs operate within a single Region and are used to support alternative query patterns, not global data distribution. Additionally, Route 53 failover routing is designed for disaster recovery, not for performance optimization or global load balancing.

Option B uses DynamoDB Accelerator (DAX), which improves read latency by caching data in memory, but DAX is Region-specific and does not reduce cross-Region network latency for users in Europe and the Middle East accessing a US-based application. It also does not address application-level latency caused by distance to the EKS cluster.

Option C is not valid because DynamoDB does not support read replicas in the same way relational databases do. DynamoDB replication for latency and global access is achieved through global tables, not through read replicas in a single Region. CloudFront can reduce latency for static or cacheable HTTP content, but it does not solve backend application latency or DynamoDB access latency for dynamic, read-heavy requests.

Therefore, deploying the application and DynamoDB as global tables across Regions and using Route 53 geolocation routing is the correct solution to minimize latency for all global users.

The company needs the application in the secondary Region to operate independently from the primary Region during disaster recovery. That means both the DynamoDB data and the relational customer data must be present and usable in the secondary Region without cross-Region dependencies at runtime. The company also wants the least development effort, which usually means using native managed replication features rather than building custom replication logic.

For DynamoDB, global tables are the managed multi-Region, multi-active replication feature. Global tables replicate changes between Regions automatically and allow applications in each Region to read and write to local DynamoDB tables, removing dependencies on the primary Region.

For the RDS for MySQL database, the straightforward managed approach for cross-Region disaster recovery with minimal development change is to create a cross-Region read replica in the secondary Region. A read replica uses asynchronous replication to keep data up to date. During a disaster recovery event, the company can promote the read replica in the secondary Region to become a standalone primary database instance. This provides a simple, low-development approach for having the data in the secondary Region. The application in the secondary Region can be configured to use the replica endpoint in normal times and can continue operating with the promoted instance during failover.

Option A combines DynamoDB global tables with an RDS read replica in the secondary Region. This is the least development effort because it uses AWS-managed replication for both data stores and requires only configuration changes and endpoint selection in the secondary application.

Option B is not correct because DAX is a caching layer for DynamoDB, not a replication or disaster recovery mechanism. DAX does not replicate DynamoDB tables into another Region and cannot replace having the DynamoDB data present in the secondary Region.

Option C is incorrect because RDS Multi-AZ is a high availability feature within a single Region, using synchronous replication to a standby in another Availability Zone. Multi-AZ does not create a standby in a different Region, and it does not provide cross-Region DR by itself.

Option D is less desirable because it requires custom development and operations: processing DynamoDB streams, building and operating a replication pipeline, and ensuring correctness and ordering across Regions. This is higher development effort than enabling DynamoDB global tables.

Therefore, using DynamoDB global tables plus an RDS read replica in the secondary Region (option A) meets the DR independence requirement with the least development effort.

Using AWS Database Migration Service (DMS) with an Amazon Aurora PostgreSQL target and the AWS Schema Conversion Tool (SCT) ensures a rapid migration with minimal downtime.

DMS continuously replicates data, supporting near-zero downtime migration while keeping the source and target in sync.

SCT automatically converts the Oracle schema and stored procedures to PostgreSQL-compatible format, minimizing manual effort.

Aurora provides a managed, highly available database that scales across multiple AZs, ensuring high availability for the migrated workload.This method leverages AWS-managed services for database and migration, ensuring a secure, reliable, and low-overhead transition to the cloud.

The company should use AWS IoT Greengrass to deploy the ML model to the local server and provide local feedback to the factory workers. AWS IoT Greengrass is a service that extends AWS cloud capabilities to local devices, allowing them to collect and analyze data closer to the source of information,react autonomously to local events, and communicate securely with each other on local networks1. AWS IoT Greengrass also supports MLinference at the edge, enabling devices to run ML models locally without requiring internet connectivity2.

The other options are not correct because:

Setting up an Amazon Kinesis video stream from each IP camera to AWS would not work if the factory’s internet connectivity is down. It would also incur unnecessary costs and latency to stream video data to the cloud and back.

Ordering an AWS Snowball device would not be a scalable or cost-effective solution for deploying the ML model. AWS Snowball is a service that provides physical devices for data transfer and edge computing, but it is not designed for continuous operation or frequent updates3.

Deploying Amazon Monitron devices on each IP camera would not work because Amazon Monitron is a service that monitors the condition and performance of industrial equipment using sensors and machine learning, not cameras4.

To attribute AWS costs to specific applications or teams and enable detailed cost analysis and forecasting, the solution architect should recommend the following actions: A. Activating user-defined cost allocation tags for resources associated with each application and team allows for detailed tracking of costs by these identifiers. C. Creating a cost category for each application within AWS Billing and Cost Management enables the organization to group costs according to application, facilitating detailed reporting and analysis. F. Enabling Cost Explorer is essential for analyzing and visualizing AWS spending over time. It provides the capability to view historical costs and forecast future expenses, supporting the company's requirement for cost comparison and forecasting.

AWS Billing and Cost Management Documentation: Covers the activation of cost allocation tags, creation of cost categories, and the use of Cost Explorer for cost management.

AWS Tagging Strategies: Provides best practices for implementing tagging strategies that support cost allocation and reporting.

AWS Cost Explorer Documentation: Details how to use Cost Explorer to analyze and forecast AWS costs.

Comprehensive and Detailed in Depth Explanation:

C is correct because AWS Transit Gateway is the most scalable and efficient way to interconnect hundreds of VPCs. By deploying one transit gateway per OU and sharing it with AWS RAM, each OU can isolate its network traffic and maintain internal communication without affecting or exposing other OUs.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/DownloadDistS3AndCustomOrigins.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html

You can set up CloudFront with origin failover for scenarios that require high availability. To get started, you create an origin group with two origins: a primary and a secondary. If the primary origin is unavailable, or returns specific HTTP response status codes that indicate a failure, CloudFront automatically switches to the secondary origin.

The modernized application needs to store and serve video files up to 4 GB. Large binary content should not be stored directly in a database because it negatively affects database performance, scaling, and backup/restore times. The standard AWS pattern is to store large objects in Amazon S3 and keep only references (such as keys or URLs) in the database.

User profile data is simple, text-based, and currently lives in a single table. This is a good fit for a key-value or document-style data model such as Amazon DynamoDB, which provides fully managed horizontal scaling and predictable performance at scale.

Option B migrates the profile table to DynamoDB using AWS DMS with AWS Schema Conversion Tool (SCT). Video files are stored as objects in Amazon S3, which is designed for large, durable, and highly scalable object storage. The DynamoDB item stores only the S3 key that corresponds to each user’s video, keeping the database small and responsive. S3 can scale rapidly and independently of the database, and offloads the heavy I/O load of large objects away from the transactional store, so overall application performance is not negatively impacted by video storage or retrieval.

Option A stores the videos as base64-encoded strings in a TEXT column in a relational database. Storing multi-gigabyte objects directly in a relational database table leads to large row sizes, larger indexes, longer backup times, and degraded performance as the table grows. This does not meet the requirement to avoid affecting application performance.

Option C uses Amazon Keyspaces (for Apache Cassandra) as the profile store and S3 for video. While storing videos in S3 is correct, Keyspaces is typically chosen when there is already a Cassandra-based workload or a need for Cassandra-compatible interfaces. For a simple single-table user profile store being migrated from MySQL, DynamoDB is the more natural, managed choice and aligns better with AWS migration and modernization guidance.

Option D stores the videos as base64-encoded strings in DynamoDB items. DynamoDB has a maximum item size of 400 KB, which is far smaller than the 4 GB video size requirement. This makes option D technically infeasible.

Therefore, migrating user profile data to DynamoDB and storing video files in Amazon S3, with S3 keys stored in the corresponding DynamoDB items (option B), provides scalable video storage and protects application performance.

https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.alb-accelerator.html Option A is wrong. AWS WAF does not support associating with NLB. https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html Option B is wrong. An ALB does not support an Elastic IP address.https://aws.amazon.com/elasticloadbalancing/features/

The best option is to use an Auto Scaling group, a Network Load Balancer, Amazon Route 53, and Amazon DynamoDB to create a scalable, highly available, and low-latency online game application. An Auto Scaling group can automatically adjust the number of EC2 instances based on the demand and traffic in each Region. A Network Load Balancer can distribute the incoming traffic across the EC2 instances and handle millions of requests per second. Amazon Route 53 can use latency-based routing to direct the users to the Region that provides the best performance. Amazon DynamoDB global tables can replicate the game metadata across multiple Regions, ensuring consistency and availability of thedata. This approach minimizes the operational overhead and cost, as it leverages fully managed services and avoids custom logic or replication.

Option A is not optimal because using an EC2 Spot Fleet can introduce the risk of losing the EC2 instances if the Spot price exceeds the bid price, which can affect the availability and performance of the game. Using AWS Global Accelerator can improve the network performance, but it is not necessary if Amazon Route 53 can already route the users to the closest Region. Using Amazon RDS for MySQL can store the game metadata, but it requires setting up read replicas and managing the replication lag across Regions, which can increase the complexity and cost.

Option B is not optimal because using geoproximity routing can direct the users to the Region that is geographically closer, but it does not account for the network latency or performance. Using MySQL databases on EC2 instances can store the game metadata, but it requires managing the EC2 instances, the database software, the backups, the patches, and the replication across Regions, which can increase the operational overhead and cost.

Option D is not optimal because using EC2 Global View is not a valid service. Using a custom DNS server on an EC2 instance can redirect the user to the Region that provides the lowest latency, but it requires developing and maintaining the custom logic, as well as managing the EC2 instance, which can increase the operational overhead and cost. Using Amazon Aurora global database can store the game metadata, but it is more expensive and complex than using Amazon DynamoDB global tables.

Auto Scaling groups

Network Load Balancer

Amazon Route 53

Amazon DynamoDB global tables

Configuring read replicas for Amazon RDS MySQL and using the single reader endpoint in the web application can significantly reduce the load on the backend database tier, improving overall application performance. Additionally, implementing an Amazon ElastiCache cluster between the web application and RDS MySQL instances can further reduce database load by caching frequently accessed data, thereby enhancing the application's resilience and scalability. These changes address the root cause of the outage by alleviating the database tier's high load and preventing similar issues in the future.

AWS Documentation on Amazon RDS Read Replicas and Amazon ElastiCache provides comprehensive guidance on improving application performance and scalability by offloading read traffic from the primary database and caching common queries. These solutions are in line with AWS best practices for building resilient and scalable web applications.

The analytics team wants to copy only a subset of the data, run the copy as soon as data is ready, and receive notifications when the process completes. AWS DataSync supports the use of manifest files to control exactly which files or objects are transferred. By generating a manifest file on premises that lists only the relevant data and uploading that manifest to Amazon S3, the company can precisely limit what DataSync copies, which reduces data transfer costs and processing overhead.

Option A satisfies the requirement to identify only analytics-relevant data by creating and uploading a manifest file that lists the objects to be transferred. This avoids copying unnecessary data and is cost-effective.

Option D uses Amazon S3 Event Notifications to trigger an AWS Lambda function as soon as the manifest file is uploaded. The Lambda function starts the DataSync task and references the manifest file. This ensures that the copy process begins immediately after data generation, rather than waiting for a fixed schedule, which meets the “as soon as possible” requirement.

Option E provides a fully managed and scalable notification mechanism. AWS DataSync publishes task execution state changes as events. Amazon EventBridge can capture SUCCESS or ERROR states and route those events to Amazon SNS, which can then send email notifications. This approach avoids custom polling logic and minimizes operational overhead.

Option B and C introduce Amazon DynamoDB unnecessarily. DataSync can directly consume a manifest file from Amazon S3, so loading manifest data into DynamoDB and orchestrating copy logic manually adds cost and complexity without benefit.

Option F relies on a custom Lambda function to monitor task state changes, which increases operational overhead compared to the native EventBridge integration with DataSync.

Therefore, using S3-based manifests, event-driven invocation of DataSync, and EventBridge-based notifications is the most cost-effective and operationally efficient solution.

The correct solution is to use the authenticate-oidc action for the ALB listener rule and configure it with the details of the AWS Directory Service for Microsoft Active Directory directory. This way, the ALB can use OpenID Connect (OIDC) to authenticate users against the directory and grant them access to the intranet web application. The app client in the directory is used to register the ALB as an OIDC client and provide the necessary credentials and endpoints. The callback URL is the URL that the ALB redirects the user to after a successful authentication. This solution does not require any additional services or roles, and it leverages the existing directory accounts for all users.

The other solutions are incorrect because they either use the wrong action for the ALB listener rule, or they involve unnecessary or incompatible services or roles. For example:

Solution B is incorrect because it uses Amazon Cognito user pool, which is a separate user directory service that does not integrate with AWS Directory Service for Microsoft Active Directory. To use this solution, the company would have to migrate or synchronize their users from the directory to the user pool, which is not required by the question. Moreover, the authenticate-cognito action for the ALB listener rule only works with Amazon Cognito user pools, not with federated identity providers (IdPs) that have metadata from the directory.

Solution C is incorrect because it uses IAM as an identity provider (IdP), which is not compatible with AWS Directory Service for Microsoft Active Directory. IAM can only be used as an IdP for web identity federation, which allows users to sign in with social media or other third-party IdPs, not with Active Directory. Moreover, the authenticate-oidc action for the ALB listener rule requires an OIDC IdP, not a SAML 2.0 federation IdP, which is what IAM provides.

Solution D is incorrect because it uses AWS IAM Identity Center (AWS Single Sign-On), which is a service that simplifies the management of SSO access to multiple AWS accounts and business applications. This service is not needed for the scenario in the question, which only involves a single intranet web application. Moreover, the authenticate-cognito action for the ALB listener rule does not work with external IdPs that use SAML, such as AWS IAM Identity Center.

Authenticate users using an Application Load Balancer

What is AWS Directory Service for Microsoft Active Directory?

Using OpenID Connect for user authentication