SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

This solution uses a combination of AWS Resource Access Manager (RAM) and automated backups to migrate the Lambda functions and the Aurora database to theTarget account while minimizing downtime. In this solution, the Lambda function deployment package is downloaded from the Source account and used to create new Lambda functions in the Target account. The Aurora DB cluster is shared with the Target account using AWS RAM and the Target account is granted permission to clone the Aurora DB cluster, allowing for a new copy of the Aurora database to be created in the Target account. This approach allows for the data to be migrated to the Target account while minimizing downtime, as the Target account can use the cloned Aurora database while the original Aurora database continues to be used in the Source account.

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

Comprehensive and Detailed Explanation From Exact Extract:

A is correct because when a Lambda function is configured to run inside a VPC, it uses ENIs in the selected subnets and does not receive a public IPv4 address. To reach the public internet from private subnets, outbound IPv4 traffic must go through a NAT gateway (or NAT instance). A NAT gateway uses an Elastic IP address (EIP) for its public source address. Therefore, if the external provider requires public IPv4 allowlisting, the company should place the Lambda function in private subnets with a route to the NAT gateways, then provide the provider with the EIPs of the NAT gateways that will be used for egress. This satisfies the requirement to provide connectivity details in advance and ensures the provider sees only the approved public IPv4 addresses.

Why the other options are incorrect:

B (egress-only internet gateway): An egress-only internet gateway is for IPv6 outbound-only traffic, not IPv4. It does not provide an IPv4 address to allowlist, and it is not used to solve “public IPv4 allowlist” requirements.

C (associate EIP with an internet gateway): You cannot associate an Elastic IP address with an internet gateway. Internet gateways do not have a single, customer-assigned EIP for all egress. Also, placing Lambda in public subnets does not automatically give Lambda a stable public IP; Lambda in a VPC still uses private IPs on ENIs and would need NAT (for private subnet egress) or different architecture for stable egress IPs.

D (ENA for Lambda): Lambda does not support attaching a custom ENA device or installing an ENA driver via a Lambda layer to control a stable public source IP. Lambda’s VPC networking is managed by AWS; you cannot present an ENI’s private IP as an internet-routable public IPv4 allowlist address.

https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-overview-developer-experience.html

This solution will allow the detection logic to be run as soon as the image is uploaded to the S3 bucket, before it is served to users via the CloudFront distribution. This way, the detection logic can quickly identify any corrupted images and prevent them from being served to users, minimizing latency between ingestion and serving.

The current Redshift configuration uses eight ra3.4xlarge nodes with on-demand pricing and is paused outside an 8-hour daily window. The ingestion workload runs only 3 hours per day and has about 85% CPU utilization during ingestion, which indicates that the existing node size and count are adequate for performance. The main opportunity is cost optimization for a workload that is time-bound and does not require a continuously running provisioned cluster.

Amazon Redshift Serverless is designed for such intermittent or variable workloads. With Redshift Serverless, you configure compute capacity in terms of Redshift Processing Units (RPUs) and pay per use based on the RPU-hours consumed when queries and data ingestion jobs are actually running. When there is no activity, there is no compute charge. Redshift Serverless can also be created from an existing provisioned Redshift snapshot, allowing an easy migration path from a node-based cluster to a serverless endpoint without re-ingesting or manually moving data.

Option C creates a new Redshift Serverless endpoint with 64 RPUs from the most recent snapshot. This takes advantage of snapshots that already exist on the current cluster. The internal applications are then updated to read from the new serverless endpoint, and the existing cluster is deleted to stop incurring node-based charges. For a workload that runs only a few hours per day, moving to serverless compute is usually more cost-effective than maintaining a provisioned cluster, even if that cluster is paused outside the ingestion window, because serverless eliminates the need to manage cluster sizing and pausing and optimizes billing around actual usage.

Option A proposes staying on provisioned RA3 nodes and additionally purchasing 1-year Reserved Nodes. Reserved Nodes apply discount to node hours whether or not the cluster is paused or fully utilized, and they are designed to be cost-effective for steady, predictable, long-running workloads. For an 8-hour-per-day workload, especially with only 3 hours of intensive ingestion, Reserved Nodes are likely to be less cost-optimal than an on-demand, usage-based serverless model. Also, concurrency scaling is primarily for handling bursty query concurrency, not for cost reduction of a regular ingestion workload.

Option B replaces the existing eight ra3.4xlarge nodes with six ra3.16xlarge nodes and enables auto scaling. ra3.16xlarge provides significantly more capacity per node and is generally more expensive. The original workload already runs at acceptable utilization (about 85% during ingestion), so scaling up to larger nodes is not necessary for performance. Adding auto scaling on top of this likely increases costs and complexity without a clear benefit for a predictable, time-bound daily ingestion pattern.

Option D uses Redshift Spectrum and unloads data from the cluster to Amazon S3 for querying. Redshift Spectrum allows querying data stored in S3 using external tables from within a Redshift cluster, and is charged per amount of data scanned. However, the option still depends on maintaining a Redshift cluster and does not fundamentally optimize the compute cost of the ingestion workload. It also changes query patterns and data access architecture for the internal applications and may increase query cost if large volumes of S3 data are scanned by Spectrum.

Therefore, using Redshift Serverless created from the existing snapshot and paying only for compute usage during ingestion and queries, as described in option C, is the best way to optimize cost for this specific workload pattern.

A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast-2) for SageMaker training and endpoint usage. This enablesautomatic quota increasesfor newly created accounts in the org.

B, C, and D misconfigure either region or quota type.