SAP-C02 Free Practice Test

- (Exam Topic 3)
A company needs to monitor a growing number of Amazon S3 buckets across two AWS Regions. The company also needs to track the percentage of objects that are encrypted in Amazon S3. The company needs a dashboard to display this information for internal compliance teams.
Which solution will meet these requirements with the LEAST operational overhead?

1. A. Create a new S3 Storage Lens dashboard in each Region to track bucket and encryption metrics.Aggregate data from both Region dashboards into a single dashboard in Amazon QuickSight for the compliance teams.
2. B. Deploy an AWS Lambda function in each Region to list the number of buckets and the encryption status of object
3. C. Store this data in Amazon S3. Use Amazon Athena queries to display the data on a custom dashboard in Amazon QuickSight for the compliance teams.
4. D. Use the S3 Storage Lens default dashboard to track bucket and encryption metric
5. E. Give the compliance teams access to the dashboard directly in the S3 console.
6. F. Create an Amazon EventBridge rule to detect AWS Cloud Trail events for S3 object creatio
7. G. Configure the rule to invoke an AWS Lambda function to record encryption metrics in Amazon DynamoD
8. H. Use Amazon QuickSight to display the metrics in a dashboard for the compliance teams.

Correct Answer: C
This option uses the S3 Storage Lens default dashboard to track bucket and encryption metrics across two AWS Regions. S3 Storage Lens is a feature that provides organization-wide visibility into object storage usage and activity trends, and delivers actionable recommendations to improve cost-efficiency and apply data protection best practices. S3 Storage Lens delivers more than 30 storage metrics, including metrics on encryption, replication, and data protection. The default dashboard provides a summary of the entire S3 usage and activity across all Regions and accounts in an organization. The company can give the compliance teams access to the dashboard directly in the S3 console, which requires the least operational overhead.

- (Exam Topic 3)
A live-events company is designing a scaling solution for its ticket application on AWS. The application has high peaks of utilization during sale events. Each sale event is a one-time event that is scheduled.
The application runs on Amazon EC2 instances that are in an Auto Scaling group. The application uses PostgreSOL for the database layer.
The company needs a scaling solution to maximize availability during the sale events. Which solution will meet these requirements?

1. A. Use a predictive scaling policy for the EC2 instance
2. B. Host the database on an Amazon Aurora PostgreSOL Serverless v2 Multi-AZ DB instance with automatically scaling read replica
3. C. Create an AWS Step Functions state machine to run parallel AWS Lambda functions to pre-warm the database before a sale even
4. D. Create an Amazon EventBridge rule to invoke the state machine.
5. E. Use a scheduled scaling policy for the EC2 instance
6. F. Host the database on an Amazcyl ROS for PostgreSQL Multi-AZ DB instance with automatically scaling read replica
7. G. Create an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger read replica before a sale even
8. H. Fail over to the larger read replic
9. I. Create another EventBridge rule that invokes another Lambda function to scale down the read replica after the sale event.
10. J. Use a predictive scaling policy for the EC2 instance
11. K. Host the database on an Amazon RDS for PostgreSOL Multi-AZ DB instance with automatically scaling read replic
12. L. Create an AWS Step Functions state machine to run parallel AWS Lambda functions to pre-warm the database before a sale even
13. M. Create an Amazon EventBridge rule to invoke the state machine.
14. N. Use a scheduled scaling policy for the EC2 instance
15. O. Host the database on an Amazon Aurora PostgreSQL Multi-AZ DB duste
16. P. Create an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger Aurora Replica before a sale even
17. Q. Fail over to the larger Aurora Replic
18. R. Create another EventBridge rule that invokes another Lambda function to scale down the Aurora Replica after the sale event.

Correct Answer: D
The correct answer is D. Use a scheduled scaling policy for the EC2 instances. Host the database on an Amazon Aurora PostgreSQL Multi-AZ DB cluster. Create an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger Aurora Replica before a sale event. Fail over to the larger Aurora Replica. Create another EventBridge rule that invokes another Lambda function to scale down the Aurora Replica after the sale event.
This solution will meet the requirements of maximizing availability during the sale events. A scheduled scaling policy for the EC2 instances will allow the application to scale up and down according to the predefined schedule of the sale events. Hosting the database on an Amazon Aurora PostgreSQL Multi-AZ DB cluster will provide high availability and durability, as well as compatibility with PostgreSQL. Creating an Amazon EventBridge rule that invokes an AWS Lambda function to create a larger Aurora Replica before a sale event will ensure that the database can handle the increased read traffic during the peak periods. Failing over to the larger Aurora Replica will make it the primary instance, which will also improve the write performance of the database. Creating another EventBridge rule that invokes another Lambda function to scale down the Aurora Replica after the sale event will reduce the cost and resources of the database.
Reference: [3], section “Scaling Amazon Aurora MySQL and PostgreSQL with Aurora Auto Scaling”

- (Exam Topic 3)
A company needs to aggregate Amazon CloudWatch logs from its AWS accounts into one central logging account. The collected logs must remain in the AWS Region of
creation. The central logging account will then process the logs, normalize the logs into standard output format, and stream the output logs to a security tool for more processing.
A solutions architect must design a solution that can handle a large volume of logging data that needs to be ingested. Less logging will occur outside normal business hours than during normal business hours. The logging solution must scale with the anticipated load. The solutions architect has decided to use an AWS Control Tower design to handle the multi-account logging process.
Which combination of steps should the solutions architect take to meet the requirements? (Select THREE.)

1. A. Create a destination Amazon Kinesis data stream in the central logging account.
2. B. Create a destination Amazon Simple Queue Service (Amazon SQS) queue in the central logging account.
3. C. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Kinesis data strea
4. D. Create a trust polic
5. E. Specify the trust policy in the IAM rol
6. F. In each member account, create a subscription filter for each log group to send data to the Kinesis data stream.
7. G. Create an IAM role that grants Amazon CloudWatch Logs the permission to add data to the Amazon Simple Queue Service (Amazon SQS) queu
8. H. Create a trust polic
9. I. Specify the trust policy in the IAM rol
10. J. In each member account, create a single subscription filter for all log groups to send data to the SQS queue.
11. K. Create an AWS Lambda functio
12. L. Program the Lambda function to normalize the logs in the central logging account and to write the logs to the security tool.
13. M. Create an AWS Lambda functio
14. N. Program the Lambda function to normalize the logs in the member accounts and to write the logs to the security tool.

Correct Answer: ACE

- (Exam Topic 1)
A company is running an application in the AWS Cloud. Recent application metrics show inconsistent
response times and a significant increase in error rates. Calls to third-party services are causing the delays. Currently, the application calls third-party services synchronously by directly invoking an AWS Lambda function.
A solutions architect needs to decouple the third-party service calls and ensure that all the calls are eventually completed.
Which solution will meet these requirements?

1. A. Use an Amazon Simple Queue Service (Amazon SQS) queue to store events and invoke the Lambda function.
2. B. Use an AWS Step Functions state machine to pass events to the Lambda function.
3. C. Use an Amazon EventBridge rule to pass events to the Lambda function.
4. D. Use an Amazon Simple Notification Service (Amazon SNS) topic to store events and Invoke the Lambda function.

Correct Answer: A
Using an SQS queue to store events and invoke the Lambda function will decouple the third-party service calls and ensure that all the calls are eventually completed. SQS allows you to store messages in a queue and process them asynchronously, which eliminates the need for the application to wait for a response from the third-party service. The messages will be stored in the SQS queue until they are processed by the Lambda function, even if the Lambda function is currently unavailable or busy. This will ensure that all the calls are eventually completed, even if there are delays or errors.
AWS Step Functions state machines can also be used to pass events to the Lambda function, but it would require additional management and configuration to set up the state machine, which would increase operational overhead.
Amazon EventBridge rule can also be used to pass events to the Lambda function, but it would not provide the same level of decoupling and reliability as SQS.
Using Amazon Simple Notification Service (Amazon SNS) topic to store events and Invoke the Lambda function, is similar to SQS, but SNS is a publish-subscribe messaging service and SQS is a queue service. SNS is used for sending messages to multiple recipients, SQS is used for sending messages to a single recipient, so SQS is more appropriate for this use case.
References:
AWS SQS
AWS Step Functions
AWS EventBridge
AWS SNS

- (Exam Topic 1)
A start up company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company's engineers rely heavily on SSH access to the instances for troubleshooting.
The company's existing architecture includes the following:
• A VPC with private and public subnets, and a NAT gateway
• Site-to-Site VPN for connectivity with the on-premises environment
• EC2 security groups with direct SSH access from the on-premises environment
The company needs to increase security controls around SSH access and provide auditing of commands executed by the engineers.
Which strategy should a solutions architect use?

1. A. Install and configure EC2 Instance Connect on the fleet of EC2 instance
2. B. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
3. C. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's device
4. D. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
5. E. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer's device
6. F. Enable AWS Config for EC2 security group resource change
7. G. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
8. H. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attache
9. I. Attach the IAM role to all the EC2 instance
10. J. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

Correct Answer: D
Allows client machines to be able to connect to Session Manager using the AWS CLI instead of going through the AWS EC2 or AWS Server Manager console.
https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.ht https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-install-plugin.ht