SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

The workload uses EC2 Spot Instances, which are subject to capacity availability constraints. Using a single instance type significantly increases the risk of launch failures when Spot capacity for that instance type is constrained. This directly impacts application reliability and increases user wait times.

Attribute-based instance type selection allows Auto Scaling to choose from multiple compatible instance types based on defined requirements such as vCPU count, memory, and architecture. This improves the probability that Spot capacity is available at launch time because Auto Scaling can select from a broader pool of instance types instead of a single one.

Option D correctly applies attribute-based instance type selection within a new version of the existing launch template. Auto Scaling groups are designed to work with launch templates, and updating the template version is the modern and recommended approach. This change increases Spot placement flexibility and reliability without altering application behavior or introducing additional infrastructure.

Option A is incorrect because launch configurations are an older construct and do not support attribute-based instance type selection. They are also not recommended for new or updated Auto Scaling designs.

Option B does not address the root cause of Spot launch failures. Simply using a larger instance type may actually reduce available Spot capacity and worsen reliability.

Option C increases the number of placement groups, but placement groups do not solve Spot capacity shortages. They influence instance placement for networking or latency characteristics, not Spot availability across instance types.

Therefore, updating the launch template to use attribute-based instance type selection is the most effective way to improve reliability for a Spot-based Auto Scaling workload.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

The AWS Application Discovery Service can help plan migration projects by collecting data about on-premises servers, such as configuration, performance, and network connections. The data collection agent is a lightweight software that can be installed on each server to gather this information. This option is more cost-effective than agentless discovery, which requires deploying a virtual appliance in the VMware environment, or using CloudWatch agent, which incurs additional charges for CloudWatch Logs. Scanning the servers over a VPN is not a valid option for AWS Application Discovery Service. References: What is AWS Application Discovery Service?, Data collection methods

The company should use Amazon Aurora global database and Amazon DynamoDB global table to deploy the data tier components across two Regions. Amazon Aurora globaldatabase is a feature that allows a single Aurora database to span multiple AWS Regions, enabling low-latency global reads and fast recovery from Region-wide outages1. Amazon DynamoDB global table is a feature that allows a single DynamoDB table to span multiple AWS Regions, enabling low-latency global reads and writes and fast recovery from Region-wide outages2.

Create AWS Organization:

In the AWS Management Console, navigate to AWS Organizations and create a new organization in the parent account.

Invite LOB Accounts:

Invite each Line of Business (LOB) account to join the organization. This allows centralized management and governance of all accounts.

Enable Consolidated Billing:

Enable consolidated billing in the billing console of the parent account. Link all LOB accounts to ensure a single consolidated invoice that breaks down costs per account.

Apply Service Control Policies (SCPs):

Implement Service Control Policies (SCPs) to define the services and features permitted for each LOB account as per the governance policy, while still delegating full administrative permissions to the LOB accounts.

By consolidating billing and using AWS Organizations, the company can achieve centralized billing and governance while maintaining independent administrative control for each LOB account

The company requires two different types of security analysis: vulnerability scanning for CVEs and code-level scanning for sensitive data exposure. Amazon Inspector provides both Lambda Standard Scanning and Lambda Code Scanning. These capabilities allow Inspector to examine Lambda deployment packages and Lambda layers for software vulnerabilities, and also perform static code analysis to detect insecure coding patterns. To meet the requirement that only certain Lambda functions receive deeper code scanning, Inspector allows enabling or disabling code scanning at the individual Lambda function level through the function's Monitor settings. Inspector additionally supports resource exclusion based on tagging, allowing administrators to prevent specific Lambda functions from participating in code scans. Tag-based exclusion satisfies the requirement to scan only a subset of Lambda functions.

Option B is required because enabling both Lambda standard scanning and Lambda code scanning activates the functionality necessary for CVE detection and code security analysis.

Option D is required because enabling scanning at the function level ensures that code scanning runs only for selected Lambda functions.

Option E is required because resource exclusion using tags allows the administrator to exclude non-target Lambda functions from code scanning automatically.

Options A and C do not satisfy the requirement because simply activating Amazon Inspector does not configure per-function scanning behavior, and GuardDuty Lambda Protection does not scan for CVEs or code vulnerabilities. Option F is not valid because Amazon Inspector does not perform scans directly against objects stored in Amazon S3; scanning occurs against the deployed Lambda function versions themselves.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

Using Amazon API Gateway with an SQS queue ensures all data sent to the API is durably stored for processing, even during traffic surges.

API Gateway service integration with SQS provides a managed, serverless ingestion layer that absorbs unpredictable traffic bursts without data loss.

The AWS Lambda function processes messages from SQS, providing scalable, on-demand compute to handle environmental data efficiently.

This solution aligns with AWS best practices for building resilient, serverless, event-driven architectures that can handle high-volume, bursty workloads.