Free Amazon Web Services SAP-C02 Practice Exam with Questions & Answers | Set: 6

This option allows the solutions architect to use an identity policy that grants the user readand write access to their own personal folder on the S3 bucket1. By adding a condition that specifies that the S3 paths must be prefixed with ${aws:username}, the solutions architect can ensure that each scientist can only access their own folder2. By applying the policy on the scientists’ IAM user group, the solutions architect can simplify the management of permissions for all the scientists3. By configuring a trail with AWS CloudTrail to capture all object-level events in the S3 bucket, the solutions architect can record and store information about every action performed on the S3 objects4. By storing the trail output in another S3 bucket, thesolutions architect can secure and archive the log files5. By using Amazon Athena to query the logs and generate reports, the solutions architect can use a serverless interactive query service that can analyze data in S3 using standard SQL.

Identity-based policies

Policy variables

IAM groups

Object-level logging

Creating a trail that applies to all regions

[What is Amazon Athena?]

https://docs.aws.amazon.com/compute-optimizer/latest/APIReference/API_ExportLambdaFunctionRecommendations.html

Comprehensive and Detailed Explanation:

This question tests knowledge of private access patterns to Amazon S3 from:

resources inside a VPC, and

users in an on-premises environment connected through Site-to-Site VPN.

The correct answer is B because the company has two different traffic sources with different endpoint requirements.

Why B is correct

For the EC2 instance inside the private VPC:

An S3 gateway endpoint is the standard and most cost-effective method for private access from resources in the VPC to Amazon S3. With a gateway endpoint, traffic from the VPC to S3 stays on the AWS network and does not require a NAT gateway or internet gateway. This satisfies the requirement to remove the NAT gateways for the application’s S3 access.

For the on-premises users over the Site-to-Site VPN:

Gateway endpoints are for use within the VPC and are not accessed from on-premises networks over VPN or Direct Connect. To allow on-premises clients to access S3 privately through the VPC, the architecture needs an S3 interface endpoint with private DNS enabled. Interface endpoints create elastic network interfaces in the VPC and can be reached privately from connected on-premises environments, assuming routing and DNS are configured correctly.

Therefore, the combination is required:

S3 gateway endpoint for VPC resources

S3 interface endpoint with private DNS for on-premises access through VPN

This design allows both the EC2 application and on-premises users to access S3 without using the public internet.

Why A is incorrect

An S3 gateway endpoint works for VPC resources, but it does not provide private access for on-premises users over Site-to-Site VPN. On-premises networks cannot route directly to a gateway endpoint in the way described. That makes A incomplete and incorrect.

Why C is incorrect

Mountpoint for Amazon S3 is a way to mount an S3 bucket for file-like access from an EC2 instance or similar compute environment. It does not solve the connectivity requirement for on-premises users, and it does not address the broader network design requirement of private S3 access without NAT gateways for all stated users. It also does not replace the need for appropriate VPC endpoint architecture.

Why D is incorrect

Storage Browser for S3 is not the solution to provide private network connectivity for an application and on-premises users. It is unrelated to the core architecture requirement. The question is asking about private access paths to S3, not a user interface or client-side browser tool.

Key design principle being tested

This question checks whether you know the distinction between:

S3 gateway endpoints for traffic originating from within the VPC

S3 interface endpoints for private access from on-premises environments over hybrid connectivity

It also tests whether you understand that removing NAT gateways is possible for S3 access from private subnets when a VPC endpoint is used.

Final justification

Because the company needs:

private S3 access from an EC2 instance in a private VPC, and

private S3 access from on-premises users over VPN,

while removing NAT gateways,

the correct design is to use:

an S3 gateway endpoint for the VPC application, and

an S3 interface endpoint with private DNS for the on-premises users.

That makes B the best answer.

Create Amazon S3 gateway endpoint in the VPC and add a VPC endpoint policy. This VPC endpoint policy will have a statement that allows S3 access only via access points owned by the organization.

Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type " Email " that targets the team ' s mailing list. This will create a topic for sending notifications and add a subscription for the team ' s email list to that topic. C. Add a Catch field to all Task, Map, and Parallel states that have a statement of " ErrorEquals " : [ " States.ALL " ] and " Next " : " Email " . This will ensure that any errors that occur in any of the steps in the workflow will trigger the " Email " task, which will forward the inputarguments to the SNS topic created in step A. B. Create a task named " Email " that forwards the input arguments to the SNS topic. This will allow the company to send email notifications to the team ' s mailing list in case of any errors occurred in any step in the workflow.

The company wants logging that helps troubleshoot email delivery issues and also wants to search by recipient, subject, and time sent. Amazon SES provides event publishing for email sending and delivery events through configuration sets. With a configuration set, SES can publish sending events such as send, delivery, bounce, complaint, reject, and rendering failure to destinations such as Amazon CloudWatch, Amazon SNS, or Amazon Kinesis Data Firehose. For building a searchable log store, delivering these events into Amazon S3 through Kinesis Data Firehose is an effective approach because S3 provides durable storage and integrates well with query services.

Option A creates an SES configuration set with a Kinesis Data Firehose destination that delivers logs to an S3 bucket. This captures detailed SES event data that is directly useful for troubleshooting delivery issues and retaining historical records for analysis.

Once logs are stored in Amazon S3, Amazon Athena can query the data using SQL. Athena is designed to query data in S3 and is well suited for ad hoc searches. This meets the requirement to search based on recipient, subject, and time sent, assuming the event schema includes these fields (or they are included in the published event payload). Therefore, option C completes the solution by enabling searches over the stored log dataset.

Option B (CloudTrail) records API activity, such as calls made to SES APIs, but it is not designed to capture per-message delivery outcomes (deliveries, bounces, complaints) in a way that supports troubleshooting delivery behavior and detailed email event searching. CloudTrail is useful for auditing who called SES APIs, not for tracking message-level delivery events and outcomes.

Option D (CloudWatch log group) is another valid SES event publishing destination, but if the requirement is to perform flexible searches by multiple dimensions over a potentially large historical dataset, storing the logs in S3 and querying with Athena is a more direct and scalable pattern. Also, the provided option E is incorrect because Athena queries data in S3, not in CloudWatch Logs. CloudWatch Logs has its own query mechanism, but Athena is not used to query CloudWatch Logs directly in the way described.

Option E is incorrect because Amazon Athena does not query CloudWatch Logs as a log store. The typical searchable pattern for Athena is S3-backed datasets.

Therefore, the best combination to satisfy logging and searchable analysis requirements is to publish SES events to S3 via Kinesis Data Firehose (option A) and query those logs with Athena (option C).

The most operationally efficient solution for turning on AWS CloudTrail across multiple AWS accounts managed within an AWS Organization is to create a single CloudTrail trail in the organization ' s management account and configure it to log events for all accounts within the organization. This approach leverages CloudTrail ' s ability to consolidate logs from all accounts in an organization, thereby simplifying management, reducing overhead, and ensuring consistent logging across accounts. This method eliminates the need for manual intervention in each account, making it an operationally efficient choice for organizations planning to scale their AWS usage.

AWS CloudTrail Documentation: Provides detailed instructions on setting up CloudTrail, including how to configure it for an organization.

AWS Organizations Documentation: Offers insights into best practices for managing multiple AWS accounts and how services like CloudTrail integrate with AWS Organizations.

AWS Best Practices for Security and Governance: Guides on how to effectively use AWS services to maintain a secure and well-governed AWS environment, with a focus on centralized logging and monitoring.

D is correct because thehealth check grace perioddefines how long Auto Scaling waits after launching an instance before checking its health status. With the larger content added to the S3 bucket, the instance initialization (via user data) is taking longer. Increasing the grace period allows the instance time to complete startup tasks before it’s marked as unhealthy.

Option A would not necessarily reduce startup time — the issue is likely network latency or the size of the content.

Option B only affects the timeout for health check responses, not the delay before they begin.

Option C is not applicable unless the health check path itself is invalid (which isn ' t mentioned).

C is correct because the root cause is synchronous chaining of Lambda functions that causes the initial function to wait and time out. AWS Step Functions is designed to orchestrate multiple steps (including Lambda invocations) with managed state, retries, and timeouts at the workflow level. By moving the chaining logic into a Step Functions state machine and removing direct function-to-function invocations, the initial Lambda no longer needs to remain running while waiting for downstream functions. Step Functions can coordinate the sequence (or parallel branches), handle transient failures with retries/backoff, and maintain execution state without requiring a long-lived “waiting” Lambda invocation. This resolves timeouts while preserving the operational and cost advantages of a serverless Lambda-based architecture and typically requires minimal code change compared to rewriting or migrating platforms.

Why the other options are incorrect:

A: Migrating to containers/EKS is a major architectural change and increases operational overhead, violating “minimum application changes” and the desire to keep Lambda benefits.

B: Rewriting in Java is extensive and unnecessary. Adding SQS between functions changes invocation style and error handling and still requires significant redesign (and does not inherently solve orchestration/branching as cleanly as Step Functions).

D: Grouping functions into containers and running on ECS Spot changes the compute model and introduces more operational overhead and larger application changes than adopting Step Functions.

The goal is to ensure the application operates across multiple Availability Zones. That means removing single points of failure in compute, database, and network egress for private subnets.

For compute, the Auto Scaling group currently has min=1 and max=1, which guarantees only one instance is running at a time. Even if the Auto Scaling group spans multiple subnets, a single-instance configuration cannot provide multi-AZ active capacity because a failure of the Availability Zone hosting the single instance would cause downtime until a new instance is launched in a different zone. To operate across multiple Availability Zones, the solution should run multiple instances across different AZs, which implies increasing the minimum capacity above 1 and allowing the group to launch across multiple subnets/AZs.

For the database, a single-AZ RDS for MySQL instance is a single point of failure. Converting to an RDS Multi-AZ configuration provides synchronous replication to a standby in a different Availability Zone and managed failover to maintain availability when the primary AZ or instance fails.

For NAT, a single NAT gateway is an AZ-scoped managed resource. If private subnets in other AZs route to a NAT gateway in one AZ, an AZ outage can break outbound connectivity for workloads that depend on NAT. The resilient pattern is to deploy a NAT gateway in each Availability Zone and configure each private subnet’s route table to use the NAT gateway in the same AZ.

Option A addresses all three: it deploys additional NAT gateways per AZ and updates route tables accordingly, converts RDS to Multi-AZ, and adjusts Auto Scaling to launch across AZs with min and max set to 3 so there are instances running in multiple AZs simultaneously. This ensures the application remains available across AZ failures, meeting the requirement.

Option B replaces NAT with a virtual private gateway, which is used for VPN/Direct Connect connectivity, not for internet egress from private subnets. It does not satisfy the NAT functionality requirement. Although Aurora can provide high availability, the NAT replacement is not correct for the described architecture.

Option C increases operational overhead by replacing NAT gateway with NAT instances, which are self-managed and less resilient without additional design. It also changes the database engine to PostgreSQL unnecessarily and does not directly address the requirement with minimal change.

Option D improves NAT resiliency but only enables RDS automatic backups, which is a durability feature, not a high availability feature. Backups do not provide automatic failover and do not ensure the application will operate across multiple AZs. Also, keeping Auto Scaling min/max at 1 still leaves the application compute layer single-AZ at any given moment.

Therefore, option A is the correct solution.

Because MSK has Maximum number of client connections 1000 per second and the company has 10,000 sensors, the MSK likely will not be able to handle all connectionshttps://docs.aws.amazon.com/msk/latest/developerguide/limits.html

Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups. This solution meets the requirements with the least amount of operational overhead as it requires the security team to create and maintain a single customer-managed prefix list, and share it with the organization using AWS Resource Access Manager. The owners of each AWS account are then responsible for allowing the prefix list in their security groups, whicheliminates the need for the security team to manually notify each account owner when changes are made. This solution also eliminates the need for a separate AWS Lambda function in each account, reducing the overall complexity of the solution.

You can use a Glue crawler to populate the AWS Glue Data Catalog with tables. The Lambda function can be triggered using S3 event notifications when object create events occur. The Lambda function will then trigger the Glue ETL job to transform the records masking the sensitive data and modifying the output format to JSON. This solution meets all requirements.