Download AWS Certified Solutions Architect - Professional.SAP-C02.Dump4Pass.2025-06-08.139q.vcex

Vendor: Amazon
Exam Code: SAP-C02
Exam Name: AWS Certified Solutions Architect - Professional
Date: Jun 08, 2025
File Size: 297 KB

Demo Questions

Question 1
A solutions architect needs to implement a client-side encryption mechanism for objects that will be stored in a new Amazon S3 bucket. The solutions architect created an AWS Key Management Service (AWS KMS) key for this purpose.    
The solutions architect created the following IAM policy and attached it to an IAM role: 
  
   
    
During tests, the solutions architect was able to successfully get existing test objects in the S3 bucket.  
However, attempts to upload a new object resulted in an error message. The error message stated that the action was forbidden.    
Which action must the solutions architect add to the IAM policy to meet all the requirements?
  1. kms:GenerateDataKey
  2. kms:GetKeyPolicy
  3. kms:GetPublicKey
  4. kms:Sign
Correct answer: A
Question 2
A retail company has an on-premises data center in Europe. The company also has a multi-Region AWS presence that includes the eu-west-1 and us-east-1 Regions. The company wants to be able to route network traffic from its on-premises infrastructure into VPCs in either of those Regions. The company also needs to support traffic that is routed directly between VPCs in those Regions. No single points of failure can exist on the network.    
The company already has created two 1 Gbps AWS Direct Connect connections from its on-premises data center. Each connection goes into a separate Direct Connect location in Europe for high availability. These two locations are named DX-A and DX-B, respectively. Each Region has a single AWS Transit Gateway that is configured to route all inter-VPC traffic within that Region.    
Which solution will meet these requirements?
  1. Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a private VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with the Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.  
  2. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Associate the eu-west-1 transit gateway with this Direct Connect gateway. Create a transit VIF from the DX-B connection into a separate Direct Connect gateway. Associate the us-east-1 transit gateway with this separate Direct Connect gateway. Peer the Direct Connect gateways with each other to support high availability and cross-Region routing.
  3. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Configure the Direct Connect gateway to route traffic between the transit gateways.
  4. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.
Correct answer: D
Question 3
A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology.    
The company plans to deploy the application migration to AWS on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region.    
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)
  1. Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC.
  2. Deploy the web application behind a Network Load Balancer.
  3. Deploy an Application Load Balancer in front of the security tool instances.
  4. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool.
  5. Provision a transit gateway to facilitate communication between VPCs.
Correct answer: AD
Question 4
A company has an application that runs as a ReplicaSet of multiple pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The EKS cluster has nodes in multiple Availability Zones. The application generates many small files that must be accessible across all running instances of the application. The company needs to back up the files and retain the backups for 1 year.
Which solution will meet these requirements while providing the FASTEST storage performance?
  1. Create an Amazon Elastic File System (Amazon EFS) file system and a mount target for each subnet that contains nodes in the EKS cluster. Configure the ReplicaSet to mount the file system. Direct the application to store files in the file system. Configure AWS Backup to back up and retain copies of the data for 1 year.
  2. Create an Amazon Elastic Block Store (Amazon EBS) volume. Enable the EBS Multi-Attach feature. Configure the ReplicaSet to mount the EBS volume. Direct the application to store files in the EBS volume. Configure AWS Backup to back up and retain copies of the data for 1 year.
  3. Create an Amazon S3 bucket. Configure the ReplicaSet to mount the S3 bucket. Direct the application to store files in the S3 bucket. Configure S3 Versioning to retain copies of the data. Configure an S3 Lifecycle policy to delete objects after 1 year.
  4. Configure the ReplicaSet to use the storage available on each of the running application pods to store the files locally. Use a third-party tool to back up the EKS cluster for 1 year.
Correct answer: A
Question 5
A company wants to migrate to AWS. The company wants to use a multi-account structure with centrally managed access to all accounts and applications. The company also wants to keep the traffic on a private network. Multi-factor authentication (MFA) is required at login, and specific roles are assigned to user groups.    
The company must create separate accounts for development, staging, production, and shared network.  
The production account and the shared network account must have connectivity to all accounts. The development account and the staging account must have access only to each other.    
Which combination of steps should a solutions architect take to meet these requirements? (Select THREE.)
  1. Deploy a landing zone environment by using AWS Control Tower. Enroll accounts and invite existing accounts into the resulting organization in AWS Organizations.
  2. Enable AWS Security Hub in all accounts to manage cross-account access. Collect findings through AWS CloudTrail to force MFA login.
  3. Create transit gateways and transit gateway VPC attachments in each account. Configure appropriate route tables.
  4. Set up and enable AWS IAM Identity Center (AWS Single Sign-On). Create appropriate permission sets with required MFA for existing accounts.
  5. Enable AWS Control Tower in all accounts to manage routing between accounts. Collect findings through AWS CloudTrail to force MFA login.
  6. Create IAM users and groups. Configure MFA for all users. Set up Amazon Cognito user pools and identity pools to manage access to accounts and between accounts.
Correct answer: ACD
Question 6
A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.    
The company needs a solution that will prevent internet traffic from directly accessing the ALB.    
Which solution will meet these requirements with the LEAST operational overhead?
  1. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
  2. Associate the existing web ACL with the ALB.
  3. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
  4. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.
Correct answer: C
Question 7
A company runs a proprietary stateless ETL application on an Amazon EC2 Linux instance. The application is a Linux binary, and the source code cannot be modified. The application is single-threaded, uses 2 GB of RAM, and is highly CPU intensive. The application is scheduled to run every 4 hours and runs for up to 20 minutes. A solutions architect wants to revise the architecture for the solution.  
Which strategy should the solutions architect use?
  1. Use AWS Lambda to run the application. Use Amazon CloudWatch Logs to invoke the Lambda function every 4 hours.
  2. Use AWS Batch to run the application. Use an AWS Step Functions state machine to invoke the AWS Batch job every 4 hours.
  3. Use AWS Fargate to run the application. Use Amazon EventBridge to invoke the Fargate task every 4 hours.
  4. Use Amazon EC2 Spot Instances to run the application. Use AWS CodeDeploy to deploy and run the application every 4 hours.
Correct answer: C
Question 8
A company is running an application in the AWS Cloud. The company's security team must approve the creation of all new IAM users. When a new IAM user is created, all access for the user must be removed automatically. The security team must then receive a notification to approve the user. The company has a multi-Region AWS CloudTrail trail in the AWS account.    
Which combination of steps will meet these requirements? (Select THREE.)
  1. Create an Amazon EventBridge rule. Define a pattern with the detail-type value set to AWS API Call via CloudTrail and an eventName of CreateUser.
  2. Configure CloudTrail to send a notification for the CreateUser event to an Amazon Simple Notification Service (Amazon SNS) topic.
  3. Invoke a container that runs in Amazon Elastic Container Service (Amazon ECS) with AWS Fargate technology to remove access.  
  4. Invoke an AWS Step Functions state machine to remove access.
  5. Use Amazon Simple Notification Service (Amazon SNS) to notify the security team.
  6. Use Amazon Pinpoint to notify the security team.
Correct answer: ADE
Question 9
A company has migrated its forms-processing application to AWS. When users interact with the application, they upload scanned forms as files through a web application. A database stores user metadata and references to files that are stored in Amazon S3. The web application runs on Amazon EC2 instances and an Amazon RDS for PostgreSQL database.  
When forms are uploaded, the application sends notifications to a team through Amazon Simple Notification Service (Amazon SNS). A team member then logs in and processes each form. The team member performs data validation on the form and extracts relevant data before entering the information into another system that uses an API.    
A solutions architect needs to automate the manual processing of the forms. The solution must provide accurate form extraction, minimize time to market, and minimize long-term operational overhead.    
Which solution will meet these requirements?
  1. Develop custom libraries to perform optical character recognition (OCR) on the forms. Deploy the libraries to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster as an application tier. Use this tier to process the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data into an Amazon DynamoDB table. Submit the data to the target system's API. Host the new application tier on EC2 instances.
  2. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use artificial intelligence and machine learning (AI/ML) models that are trained and hosted on an EC2 instance to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.
  3. Host a new application tier on EC2 instances. Use this tier to call endpoints that host artificial intelligence and machine learning (AI/ML) models that are trained and hosted in Amazon SageMaker to perform optical character recognition (OCR) on the forms. Store the output in Amazon ElastiCache. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.
  4. Extend the system with an application tier that uses AWS Step Functions and AWS Lambda. Configure this tier to use Amazon Textract and Amazon Comprehend to perform optical character recognition (OCR) on the forms when forms are uploaded. Store the output in Amazon S3. Parse this output by extracting the data that is required within the application tier. Submit the data to the target system's API.
Correct answer: D
Question 10
A company has hundreds of AWS accounts. The company recently implemented a centralized internal process for purchasing new Reserved Instances and modifying existing Reserved Instances. This process requires all business units that want to purchase or modify Reserved Instances to submit requests to a dedicated team for procurement. Previously, business units directly purchased or modified Reserved Instances in their own respective AWS accounts autonomously.    
A solutions architect needs to enforce the new process in the most secure way possible.    
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO.)
  1. Ensure that all AWS accounts are part of an organization in AWS Organizations with all features enabled.
  2. Use AWS Config to report on the attachment of an IAM policy that denies access to the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  3. In each AWS account, create an IAM policy that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action.
  4. Create an SCP that denies the ec2:PurchaseReservedInstancesOffering action and the ec2:ModifyReservedInstances action. Attach the SCP to each OU of the organization.
  5. Ensure that all AWS accounts are part of an organization in AWS Organizations that uses the consolidated billing feature.
Correct answer: AD