SAP-C02 Amazon Web Services AWS Certified Solutions Architect

AWS Certified Solutions Architect - Professional

Last Update 13 hours ago Total Questions : 674

The AWS Certified Solutions Architect - Professional content is now fully updated, with all current exam questions added 13 hours ago. Deciding to include SAP-C02 practice exam questions in your study plan goes far beyond basic test preparation.

You'll find that our SAP-C02 exam questions frequently feature detailed scenarios and practical problem-solving exercises that directly mirror industry challenges. Engaging with these SAP-C02 sample sets allows you to effectively manage your time and pace yourself, giving you the ability to finish any AWS Certified Solutions Architect - Professional practice test comfortably within the allotted time.

Question # 196

A company runs an unauthenticated static website (www.example.com) that includes a registration form for users. The website uses Amazon S3 for hosting and uses Amazon CloudFront as the content delivery network with AWS WAF configured. When the registration form is submitted, the website calls an Amazon API Gateway API endpoint that invokes an AWS Lambda function to process the payload and forward the payload to an external API call.

During testing, a solutions architect encounters a cross-origin resource sharing (CORS) error. The solutions architect confirms that the CloudFront distribution origin has the Access-Control-Allow-Origin header set towww.example.com.

What should the solutions architect do to resolve the error?

Change the CORS configuration on the S3 bucket. Add rules for CORS to the Allowed Origin element forwww.example.com.

Enable the CORS setting in AWS WAF. Create a web ACL rule in which the Access-Control-Allow-Origin header is set towww.example.com.

Enable the CORS setting on the API Gateway API endpoint. Ensure that the API endpoint is configured to return all responses that have the Access-Control -Allow-Origin header set towww.example.com.

Enable the CORS setting on the Lambda function. Ensure that the return code of the function has the Access-Control-Allow-Origin header set towww.example.com.

Question # 197

A large company is running a popular web application. The application runs on several Amazon EC2 Linux Instances in an Auto Scaling group in a private subnet. An Application Load Balancer is targeting the Instances In the Auto Scaling group in the private subnet. AWS Systems Manager Session Manager Is configured, and AWS Systems Manager Agent is running on all the EC2 instances.

The company recently released a new version of the application Some EC2 instances are now being marked as unhealthy and are being terminated As a result, the application is running at reduced capacity A solutions architect tries to determine the root cause by analyzing Amazon CloudWatch logs that are collected from the application, but the logs are inconclusive

How should the solutions architect gain access to an EC2 instance to troubleshoot the issue1?

Suspend the Auto Scaling group ' s HealthCheck scaling process. Use Session Manager to log in to an instance that is marked as unhealthy

Enable EC2 instance termination protection Use Session Manager to log In to an instance that is marked as unhealthy.

Set the termination policy to Oldestinstance on the Auto Scaling group. Use Session Manager to log in to an instance that is marked as unhealthy

Suspend the Auto Scaling group ' s Terminate process. Use Session Manager to log in to an instance that is marked as unhealthy

Question # 198

A company has a new requirement to store all database backups in an isolated AWS account. The company is using AWS Organizations and has created a central write-once, read-many (WORM) account for the backups.

The company has 40 Amazon RDS for MySQL databases in its production account. The databases are encrypted with the default RDS AWS KMS key. RDS automated backups of the databases occur daily and have a retention period of 30 days.

Which solution will successfully copy the database backups to the central account?

Enable Organizations trusted access and backup policies for AWS Backup. Configure the central account as the delegated administrator for AWS Backup. Create IAM policies and backup policies. Enable cross-account management. Create a backup vault in the central account. Create a KMS key for the backup vault and share the key with the production account. In the production account, restore the databases from a snapshot and apply the shared KMS

Enable Organizations trusted access and backup policies for AWS Backup. Configure the central account as the delegated administrator for AWS Backup. Create IAM policies and backup policies. Enable cross-account management. In the production account, share the default RDS KMS key with the central account. Create a backup vault in the central account. Apply the shared default RDS KMS key to the backup vault. Create a backup plan in the centra

Create an Amazon EventBridge rule to invoke an AWS Lambda function every day. Program the Lambda function to decrypt the snapshots and to initiate a copy request of all unencrypted snapshots to the central account. After the copy job is complete, create a new KMS key. Use the new KMS key to encrypt the database snapshots in the central account.

Create an Amazon EventBridge rule to invoke an AWS Lambda function every day. In the production account, share the default RDS KMS key with the central account. Program the Lambda function to decrypt the snapshots and to initiate a copy request of all unencrypted snapshots to the central account. After the copy job is complete, encrypt the database snapshots with the shared default RDS KMS key in the central account.

Answer:

Explanation:

The company wants backups to be stored in an isolated central account designed for WORM storage. With AWS Organizations, AWS Backup supports centralized, cross-account backup management through delegated administration, backup policies, and cross-account backup vault usage. This provides the least operational overhead and scales to dozens of databases.

A key constraint is encryption. The databases are encrypted with the default RDS AWS KMS key. AWS-managed KMS keys (including the default RDS KMS key) are not customer-managed and generally cannot be shared across accounts for cross-account snapshot copy and cross-account backup workflows that require key sharing and explicit grants. For cross-account backup copies, the source backups must be encrypted with a customer managed KMS key that can be shared (via key policy and grants) with the destination account. Therefore, the company must move away from using the default RDS AWS-managed key for encryption of snapshots that will be copied across accounts.

Option A uses the correct managed approach: enable trusted access and backup policies in Organizations, make the central account the delegated administrator, and use AWS Backup to manage cross-account backups into a central backup vault. It also correctly introduces a customer managed KMS key in the central account for the backup vault and shares that key with the production account. Because the existing databases are encrypted with the default RDS AWS-managed key, option A includes the necessary remediation step: restore (or otherwise recreate) the databases so they are encrypted with the shared customer managed KMS key, enabling future backups and copies to be encrypted with a shareable key and stored in the central vault.

Option B is not workable because it requires “sharing the default RDS KMS key” with another account and using it for the central vault. AWS-managed keys are not shared and are not controlled by customers in a way that supports this cross-account backup model. Therefore, this option fails the encryption requirement.

Option C and option D rely on decrypting snapshots, copying them as unencrypted, and then re-encrypting. This is not a valid or safe operational pattern for RDS automated backups at scale, and it conflicts with typical constraints around snapshot encryption transitions. It also introduces substantial custom automation and operational overhead, and it undermines the objective of a controlled WORM backup account by manipulating encryption state through custom code. Additionally, “decrypting snapshots” is not how encrypted RDS snapshots are typically handled; encrypted snapshots remain encrypted and are copied re-encrypted with a different KMS key that the destination can use, which requires a customer managed key and proper permissions.

Therefore, the successful and scalable solution is to centralize backups with AWS Backup and ensure the databases are encrypted with a customer managed KMS key that can be shared cross-account, as described in option A.

[References:, AWS documentation on AWS Backup centralized management with AWS Organizations, including delegated administrator and backup policies for cross-account governance., AWS documentation on cross-account backup and snapshot copy requirements for encryption, including the need to use AWS KMS customer managed keys for cross-account sharing and re-encryption., AWS guidance that AWS-managed KMS keys (service-managed default keys) are not shareable across accounts for these cross-account encryption and copy workflows., , , , ]

Question # 199

A company has automated the nightly retraining of its machine learning models by using AWS Step Functions. The workflow consists of multiple steps that use AWS Lambda Each step can fail for various reasons and any failure causes a failure of the overall workflow

A review reveals that the retraining has failed multiple nights in a row without the company noticing the failure A solutions architect needs to improve the workflow so that notifications are sent for all types of failures in the retraining process

Which combination of steps should the solutions architect take to meet these requirements? (Select THREE)

Create an Amazon Simple Notification Service (Amazon SNS) topic with a subscription of type " Email " that targets the team ' s mailing list.

Create a task named " Email " that forwards the input arguments to the SNS topic

Add a Catch field all Task Map. and Parallel states that have a statement of " Error Equals " : [ “States. ALL”] and " Next " : " Email " .

Add a new email address to Amazon Simple Email Service (Amazon SES). Verify the email address.

Create a task named " Email " that forwards the input arguments to the SES email address

Add a Catch field to all Task Map, and Parallel states that have a statement of " Error Equals " : [ " states. Runtime”] and " Next " : " Email " .

Question # 200

A company is migrating to the cloud. It wants to evaluate the configurations of virtual machines in its existing data center environment to ensure that it can size new Amazon EC2 instances accurately. The company wants to collect metrics, such as CPU. memory, and disk utilization, and it needs an inventory of what processes are running on each instance. The company would also like to monitor network connections to map communications between servers.

Which would enable the collection of this data MOST cost effectively?

Use AWS Application Discovery Service and deploy the data collection agent to each virtual machine in the data center.

Configure the Amazon CloudWatch agent on all servers within the local environment and publish metrics to Amazon CloudWatch Logs.

Use AWS Application Discovery Service and enable agentless discovery in the existing visualization environment.

Enable AWS Application Discovery Service in the AWS Management Console and configure the corporate firewall to allow scans over a VPN.

Question # 201

A company has millions of objects in an Amazon S3 bucket. The objects are in the S3 Standard storage class. All the S3 objects are accessed frequently. The number of users and applications that access the objects is increasing rapidly. The objects are encrypted with server-side encryption with AWS KMS Keys (SSE-KMS).

A solutions architect reviews the company ' s monthly AWS invoice and notices that AWS KMS costs are increasing because of the high number of requests from Amazon S3. The solutions architect needs to optimize costs with minimal changes to the application.

Which solution will meet these requirements with the LEAST operational overhead?

Create a new S3 bucket that has server-side encryption with customer-provided keys (SSE-C) as the encryption type. Copy the existing objects to the new S3 bucket. Specify SSE-C.

Create a new S3 bucket that has server-side encryption with Amazon S3 managed keys (SSE-S3) as the encryption type. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Specify SSE-S3.

Use AWS CloudHSM to store the encryption keys. Create a new S3 bucket. Use S3 Batch Operations to copy the existing objects to the new S3 bucket. Encrypt the objects by using the keys from CloudHSM.

Use the S3 Intelligent-Tiering storage class for the S3 bucket. Create an S3 Intelligent-Tiering archive configuration to transition objects that are not accessed for 90 days to S3 Glacier Deep Archive.