Free Amazon Web Services SAP-C02 Practice Exam with Questions & Answers | Set: 9

The correct answers are C and D. The IAM user appears to have read-only S3 permissions, but AWS authorization is the result of multiple policy layers. In AWS Organizations, a service control policy can set the maximum permissions available to principals in member accounts. If an OU-level SCP denies or does not allow S3 actions, the IAM user’s read-only policy will not be enough. A permissions boundary can also restrict the maximum permissions an IAM user can exercise, even if an identity-based policy appears to allow access. Bucket policies can affect access to specific buckets and objects, but the symptom says no buckets are listed in the console, which points more strongly to identity-side effective permission limits. ACLs are legacy resource controls and are not the primary place to troubleshoot this issue. (AWS Documentation)

===============

The correct design is to use CloudWatch usage metrics and service quota metric math. AWS publishes usage metrics for some services in the AWS/Usage namespace, and these metrics correspond to service quotas. CloudWatch can use the SERVICE_QUOTA metric math function to compare current usage against the quota and trigger an alarm when usage approaches a defined threshold. This is exactly the requirement: notify the team when Fargate task usage reaches 80% of the maximum allowed tasks. Amazon SNS is the standard low-overhead notification target for CloudWatch alarms. Polling ECS with Lambda is unnecessary custom engineering. AWS Config evaluates resource compliance, not quota utilization trends. Monitoring each ECS service’s sample count would not accurately represent account-level Fargate task quota consumption. (AWS Documentation)

===============

https://aws.amazon.com/es/blogs/industries/how-to-monitor-alert-and-remediate-non-compliant-hipaa-findings-on-aws/

Creating an AWS Cost and Usage Report for the organization and defining tags and cost categories in the report will allow for detailed cost reporting for the different companies that have been consolidated into one organization. By creating a table in Amazon Athena and an Amazon QuickSight dataset based on the Athena table, the finance team will be able to easily query and generate reports on the costs for all the companies. The dataset can then be shared with the finance team for them to use for their reporting needs.

https://docs.aws.amazon.com/drs/latest/userguide/what-is-drs.htmlhttps://docs.aws.amazon.com/drs/latest/userguide/recovery-workflow-gs.html

To minimize EKS compute costs:

A. Rebuild the application container images to support ARM64 architecture: Graviton instances (ARM-based) require container images built for the ARM64 architecture. This ensures compatibility and allows leveraging Graviton-based compute.

C. Migrate the EKS nodes to the most recent generation of Graviton-based instances: AWS Graviton instances (e.g., c7g, m7g) offer significant price/performance benefits over x86_64 instances. By migrating EKS worker nodes to Graviton, the company can reduce compute costs substantially.

E. Purchase a new EC2 Instance Savings Plan for the newly selected Graviton instance family: Savings Plans provide cost savings compared to On-Demand pricing. After moving to Graviton, purchasing a new Savings Plan tailored for these instance families ensures continued cost savings.This approach aligns with AWS cost optimization best practices—migrating to the latest instance types and purchasing Savings Plans to match the new usage pattern—while ensuring full compatibility with EKS.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-cross-account-role " When you create a member account using the AWS Organizations console, AWS Organizations automatically creates an IAM role named OrganizationAccountAccessRole in the account " you need OrganizationAccountAccessRole in member account to create an read-only role and use role from security team to assume this read-only role.

To ensure that game assets are fetched from the closest region and have a fallback option in case the assets become unavailable in the closest region, a solution architect should leverage Amazon CloudFront, a global content delivery network (CDN) service. By creating an Amazon CloudFront distribution and setting up origin groups, the architect can specify multiple origins (in this case, the Application Load Balancers in each region). The primary origin will serve content under normal circumstances, and if the content becomes unavailable, CloudFront will automatically switch to the secondary origin. This approach not only meets the requirement of regional proximity and redundancy but also optimizes latency and enhances the gaming experience by serving assets from the nearest geographical location to the end-user.

AWS Documentation on Amazon CloudFront and origin groups provides detailed instructions on setting up distributions with multiple origins for high availability and performance optimization. Additionally, AWS whitepapers and best practices on content delivery and global applications offer insights into effectively utilizing CloudFront and other AWS services to achieve low latency and high availability.

Mountpoint for Amazon S3allows EC2 instances to directly access files in S3 as aPOSIX-compliant mount point, ensuring they always get the latest data without copying or syncing.

It’s simple and cost-effective for read-heavy patterns.

Mountpoint for Amazon S3

Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type " Email " that targets the team ' s mailing list. This will create a topic for sending notifications and add a subscription for the team ' s email list to that topic. C. Add a Catch field to all Task, Map, and Parallel states that have a statement of " ErrorEquals " : [ " States.ALL " ] and " Next " : " Email " . This will ensure that any errors that occur in any of the steps in the workflow will trigger the " Email " task, which will forward the inputarguments to the SNS topic created in step A. B. Create a task named " Email " that forwards the input arguments to the SNS topic. This will allow the company to send email notifications to the team ' s mailing list in case of any errors occurred in any step in the workflow.

D is required because the only reliable way to ensure newly launched Auto Scaling instances are patched is to make the launch template reference an AMI that already includes the latest security updates (an immutable image approach). AWS Systems Manager can automate building and maintaining patched AMIs (for example, through automated image creation workflows), after which the launch template is updated to the new AMI and the fleet is updated using Instance Refresh. Instance Refresh performs a controlled rolling replacement of instances so that the Auto Scaling group converges to the new AMI baseline.

C complements D by ensuring safe replacement and availability during the refresh/replacement process. Placing an ALB in front of the Auto Scaling group with health checks ensures that only healthy, fully bootstrapped/patched instances receive traffic, and that traffic is drained away from instances being replaced. Monitoring target health confirms the rollout is successful and minimizes risk during patch-driven reboots or instance replacement.

Why the other options are incorrect:

A: A termination policy setting does not ensure new instances are patched. It only affects which instances are terminated first. It does not solve the “launch patched instances” requirement.

B: Running two Auto Scaling groups and continuing in-place patching increases operational overhead and still risks drift and unpatched capacity when scaling occurs outside the maintenance window. It also does not address the core issue: the launch template AMI baseline.

E: NLB + termination protection does not ensure instances are patched at launch. Termination protection can interfere with Auto Scaling’s ability to replace instances, and NLB does not inherently provide the same application-layer health check behavior and deployment safety patterns typically used for rolling replacements (compared to ALB target group health checks).

https://aws.amazon.com/blogs/database/amazon-dynamodb-auto-scaling-performance-and-cost-optimization-at-any-scale/ " As you can see, there are compelling reasons to use DynamoDB auto scaling with actively changing traffic. Auto scaling responds quickly and simplifies capacity management, which lowers costs by scaling your table’s provisioned capacity and reducing operational overhead. "

A is correct becausedefault AWS-managed KMS keys cannot be shared across accounts. Therefore, the only way to enable cross-account backup is to restore each RDS instance using acustomer-managed key (CMK)andshare that keywith the central account.

Then, AWS Backup can performcross-account backup operationsusing AWS Organizations trusted access and backup policies.

Option B is incorrect due to theinability to share default keys.

Option C and D are technically invalid — RDS snapshots cannot be decrypted or re-encrypted manually.

The requirement has two separate controls: customer-controlled cryptographic root of trust and preventive regional governance. AWS KMS external key store (XKS) is the correct encryption model because AWS KMS forwards cryptographic operations to an external key manager that the customer controls outside AWS, such as an in-country HSM environment. That satisfies the requirement to operate the HSMs and retain control of the key root. AWS Control Tower Region deny control is the correct preventive governance control because it denies access to unlisted operations outside approved governed Regions for the selected organizational scope. AWS Config is detective, not preventive. AWS KMS multi-Region keys and standard customer managed keys do not keep the cryptographic root in customer-operated in-country HSMs. AWS CloudHSM custom key stores still use AWS CloudHSM clusters, not external in-country HSMs.