New 2026 SAP-C02 Dumps for AWS Certified Solutions Architect Certified Exam Questions and Answer
Realistic Verified SAP-C02 exam dumps Q&As - SAP-C02 Free Update
To pass the SAP-C02 exam, a candidate should have a thorough understanding of AWS services and architectures, an ability to design and deploy scalable, fault-tolerant, and highly available systems on AWS, and a deep knowledge of security and compliance requirements in AWS deployments. The SAP-C02 exam consists of 75 multiple-choice and multiple-answer questions and has a duration of 180 minutes.
NEW QUESTION # 109
A company is migrating an application from on-premises infrastructure to the AWS Cloud. During migration design meetings, the company expressed concerns about the availability and recovery options for its legacy Windows file server. The file server contains sensitive business-critical data that cannot be recreated in the event of data corruption or data loss. According to compliance requirements, the data must not travel across the public internet. The company wants to move to AWS managed services where possible.
The company decides to store the data in an Amazon FSx for Windows File Server file system. A solutions architect must design a solution that copies the data to another AWS Region for disaster recovery (DR) purposes.
Which solution will meet these requirements?
- A. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity between the VPC in the primary Region and the VPC in the DR Region by using AWS Transit Gateway in each Region. Use AWS Transfer Family to copy files between the FSx for Windows File Server file system in the primary Region and the FSx for Windows File Server file system in the DR Region over the private AWS backbone network.
- B. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity between the VPC in the primary Region and the VPC in the DR Region by using VPC peering. Configure AWS DataSync to communicate by using interface VPC endpoints with AWS PrivateLink.
- C. Create an FSx for Windows File Server file system in the DR Region. Establish connectivity between the VPC in the primary Region and the VPC in the DR Region by using AWS Site-to-Site VPN. Configure AWS DataSync to communicate by using VPN endpoints.
- D. Create a destination Amazon S3 bucket in the DR Region. Establish connectivity between the FSx for Windows File Server file system in the primary Region and the S3 bucket in the DR Region by using Amazon FSx File Gateway. Configure the S3 bucket as a continuous backup source in FSx File Gateway.
Answer: B
Explanation:
The best solution is to create an FSx for Windows File Server file system in the DR Region and establish connectivity between the VPCs in both Regions by using VPC peering. This will ensure that the data does not travel across the public internet and meets the compliance requirements. By using AWS DataSync with interface VPC endpoints and AWS PrivateLink, the data can be copied securely and efficiently between the FSx for Windows File Server file systems in both Regions. This solution also provides the ability to fail over to the DR Region in case of a disaster. Reference: [Amazon FSx for Windows File Server User Guide], [AWS DataSync User Guide], [Amazon VPC User Guide]
NEW QUESTION # 110
A company has an Amazon VPC that is divided into a public subnet and a private subnet. A web application runs in the Amazon VPC, and each subnet has its own NACL. The public subnet has a CIDR of 10.0.0.0/24. An Application Load Balancer is deployed to the public subnet. The private subnet has a CIDR of 10.0.1.0/24. Amazon EC2 instances that run a web server on port 80 are launched into the private subnet.
Only network traffic that is required for the Application Load Balancer to access the web application can be allowed to travel between the public and private subnets.
What collection of rules should be written to ensure that the private subnet's NACL meets the requirement? (Select TWO.)
- A. An inbound rule for port 80 from source 0.0.0.0/0
- B. An outbound rule for ports 1024 through 65535 to destination 10.0.0.0/24
- C. An outbound rule for port 80 to destination 0.0.0.0/0
- D. An outbound rule for port 80 to destination 10.0.0.0/24
- E. An inbound rule for port 80 from source 10.0.0.0/24
Answer: B,E
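NACLs are stateless, so the private subnet needs one inbound rule for the ALB's request to port 80 and a separate outbound rule for the reply, which goes back to the ALB's ephemeral source port. The following is an added example, not part of the original question set: a simplified first-match NACL evaluator (allow rules plus the implicit deny) applied to the answer options; the IP addresses, the source port 49152, and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

PUBLIC_SUBNET = "10.0.0.0/24"   # ALB subnet CIDR, from the question
ALB_IP = "10.0.0.15"            # constructed address of an ALB node
OUTSIDE_IP = "203.0.113.9"      # constructed non-ALB address (documentation range)


@dataclass(frozen=True)
class Rule:
    number: int      # lower rule numbers are evaluated first
    direction: str   # "in" or "out", relative to the private subnet
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_lo: int     # destination port range, inclusive
    port_hi: int
    allow: bool = True


def allowed(rules, direction, peer_ip, dst_port):
    """First matching rule decides; if nothing matches, the implicit deny applies."""
    peer = ipaddress.ip_address(peer_ip)
    candidates = sorted((r for r in rules if r.direction == direction),
                        key=lambda r: r.number)
    for rule in candidates:
        in_cidr = peer in ipaddress.ip_network(rule.cidr)
        if in_cidr and rule.port_lo <= dst_port <= rule.port_hi:
            return rule.allow
    return False


# The five answer options, expressed as rules on the private subnet's NACL.
OPTIONS = {
    "A": Rule(100, "in", "0.0.0.0/0", 80, 80),
    "B": Rule(100, "out", PUBLIC_SUBNET, 1024, 65535),
    "C": Rule(100, "out", "0.0.0.0/0", 80, 80),
    "D": Rule(100, "out", PUBLIC_SUBNET, 80, 80),
    "E": Rule(100, "in", PUBLIC_SUBNET, 80, 80),
}


def assess(letters, alb_source_port=49152):
    """Check a pair of options against the flows the requirement cares about."""
    rules = [OPTIONS[letter] for letter in letters]
    return {
        # ALB -> web server, destination port 80 (needed)
        "alb_request": allowed(rules, "in", ALB_IP, 80),
        # web server -> ALB, destination is the ALB's ephemeral port (needed)
        "alb_response": allowed(rules, "out", ALB_IP, alb_source_port),
        # any other source reaching port 80 (not needed, should be denied)
        "other_source_inbound_80": allowed(rules, "in", OUTSIDE_IP, 80),
        # instances opening port 80 connections elsewhere (not needed)
        "outbound_80_elsewhere": allowed(rules, "out", OUTSIDE_IP, 80),
    }


if __name__ == "__main__":
    for pair in ("BE", "DE", "AB", "CE"):
        print(pair, assess(pair))
```

Only the B+E pair passes both required flows while denying the two that are not required; D+E drops the reply, and A+B admits sources outside the ALB subnet.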
NEW QUESTION # 111
An external audit of a company's serverless application reveals IAM policies that grant too many permissions.
These policies are attached to the company's AWS Lambda execution roles. Hundreds of the company's Lambda functions have broad access permissions, such as full access to Amazon S3 buckets and Amazon DynamoDB tables. The company wants each function to have only the minimum permissions that the function needs to complete its task.
A solutions architect must determine which permissions each Lambda function needs.
What should the solutions architect do to meet this requirement with the LEAST amount of effort?
- A. Set up Amazon CodeGuru to profile the Lambda functions and search for AWS API calls. Create an inventory of the required API calls and resources for each Lambda function. Create new IAM access policies for each Lambda function. Review the new policies to ensure that they meet the company's business requirements.
- B. Turn on AWS CloudTrail logging for the AWS account. Export the CloudTrail logs to Amazon S3. Use Amazon EMR to process the CloudTrail logs in Amazon S3 and produce a report of API calls and resources used by each execution role. Create a new IAM access policy for each role. Export the generated roles to an S3 bucket. Review the generated policies to ensure that they meet the company's business requirements.
- C. Turn on AWS CloudTrail logging for the AWS account. Use AWS Identity and Access Management Access Analyzer to generate IAM access policies based on the activity recorded in the CloudTrail log. Review the generated policies to ensure that they meet the company's business requirements.
- D. Turn on AWS CloudTrail logging for the AWS account. Create a script to parse the CloudTrail log, search for AWS API calls by Lambda execution role, and create a summary report. Review the report. Create IAM access policies that provide more restrictive permissions for each Lambda function.
Answer: C
Explanation:
IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.
https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
NEW QUESTION # 112
A company is running an application in the AWS Cloud. The application collects and stores a large amount of unstructured data in an Amazon S3 bucket. The S3 bucket contains several terabytes of data and uses the S3 Standard storage class. The data increases in size by several gigabytes every day.
The company needs to query and analyze the data. The company does not access data that is more than 1 year old. However, the company must retain all the data indefinitely for compliance reasons.
Which solution will meet these requirements MOST cost-effectively?
- A. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.
- B. Use S3 Select to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.
- C. Use Amazon Redshift Spectrum to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Intelligent-Tiering.
- D. Use an AWS Glue Data Catalog and Amazon Athena to query the data. Create an S3 Lifecycle policy to transition data that is more than 1 year old to S3 Glacier Deep Archive.
Answer: D
Explanation:
Generally, unstructured data should be converted to structured data before it is queried. AWS Glue can do that.
https://docs.aws.amazon.com/glue/latest/dg/schema-relationalize.html
https://docs.aws.amazon.com/athena/latest/ug/glue-athena.html
NEW QUESTION # 113
Question:
A company has an application that stores user-uploaded videos in an Amazon S3 bucket using S3 Standard storage. Users access videos frequently for the first 180 days, and rarely after that. Most videos are over 100 MB. Users often have poor internet connectivity, and the company uses multipart uploads.
A solutions architect needs to optimize S3 storage costs.
Which combination of actions will meet these requirements? (Select TWO.)
- A. Create a lifecycle rule to transition objects to S3 Glacier Instant Retrieval after 1 day.
- B. Create a lifecycle rule to expire incomplete multipart uploads after 7 days.
- C. Use S3 Transfer Acceleration to upload the videos.
- D. Configure the S3 bucket to be a Requester Pays bucket.
- E. Create a lifecycle rule to transition objects to S3 Standard-IA after 180 days.
Answer: B,E
Explanation:
* C: Multipart uploads can leave incomplete parts behind, which incur storage costs. Expiring them after 7 days minimizes waste and saves cost.
* E: Since objects are infrequently accessed after 180 days, transitioning to S3 Standard-IA is cost-effective, especially for large files >128 KB (your 100 MB+ files qualify).
* A is for shifting download cost, not reducing your S3 storage expenses.
* B helps with upload speed but increases cost.
* D is too aggressive; Glacier is not suited for access patterns within the first few days.
Reference:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-configuration-examples.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html
NEW QUESTION # 114
A company is running an application in the AWS Cloud. The application consists of microservices that run on a fleet of Amazon EC2 instances in multiple Availability Zones behind an Application Load Balancer. The company recently added a new REST API that was implemented in Amazon API Gateway. Some of the older microservices that run on EC2 instances need to call this new API.
The company does not want the API to be accessible from the public internet and does not want proprietary data to traverse the public internet. What should a solutions architect do to meet these requirements?
- A. Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.
- B. Create an accelerator in AWS Global Accelerator, and connect the accelerator to the API Gateway. Update the route table for all VPC subnets with a route to the created Global Accelerator endpoint IP address. Add an API key for each service to use for authentication.
- C. Create an AWS Site-to-Site VPN connection between the VPC and the API Gateway. Use API Gateway to generate a unique API key for each microservice. Configure the API methods to require the key.
- D. Modify the API Gateway to use IAM authentication. Update the IAM policy for the IAM role that is assigned to the EC2 instances to allow access to the API Gateway. Move the API Gateway into a new VPC. Deploy a transit gateway and connect the VPCs.
Answer: A
Explanation:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-vpc-endpoint-policies.html
NEW QUESTION # 115
A company has dozens of AWS accounts for different teams, applications, and environments. The company has defined a custom set of controls that all accounts must have. The company is concerned that potential misconfigurations in the accounts could lead to security issues or noncompliance. A solutions architect must design a solution that deploys the custom controls by using infrastructure as code (IaC) in a repeatable way. Which solution will meet these requirements with the LEAST operational overhead?
- A. Enable AWS Security Hub in all the accounts to aggregate findings in a central administrator account. Develop AWS CloudFormation templates to create Amazon EventBridge rules, AWS Lambda functions, and CloudFormation stacks in each account to remediate Security Hub findings. Deploy the CloudFormation stacks during account provisioning to set up the automated remediation.
- B. Enable AWS Control Tower to set up and govern the multi-account environment. Use blueprints that enforce security best practices. Use Customizations for AWS Control Tower and CloudFormation templates to define the custom controls for each account. Use Amazon EventBridge to deploy Customizations for AWS Control Tower during account-provisioning lifecycle events.
- C. Configure AWS Systems Manager associations to remediate configuration issues across accounts. Define the desired configuration state in an AWS CloudFormation template by using AWS::SSM::Association. Deploy the CloudFormation templates as stack sets to all accounts during account creation.
- D. Configure AWS Config rules in each account to evaluate the account settings against the custom controls. Define AWS Lambda functions in AWS CloudFormation templates. Program the Lambda functions to remediate noncompliant AWS Config rules. Deploy the CloudFormation templates as stack sets during account creation. Configure the stack sets to invoke the Lambda functions.
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
Option C offers a scalable and low-overhead solution for managing custom controls across multiple AWS accounts:
* AWS Control Tower provides a pre-configured environment to set up and govern a secure, multi-account AWS environment based on AWS best practices.
* Customizations for AWS Control Tower (CfCT) allows for the deployment of custom configurations and resources, such as AWS Config rules and IAM policies, across accounts and organizational units using AWS CloudFormation templates.
* Amazon EventBridge integrates with AWS Control Tower to automate the deployment of customizations during account provisioning events, ensuring that all new accounts adhere to the defined controls without manual intervention.
This approach ensures consistent enforcement of custom controls across all accounts with minimal operational overhead.
References:
AWS Control Tower: Automates the setup of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment.
Customizations for AWS Control Tower: Enables you to customize your AWS Control Tower landing zone using AWS CloudFormation templates and service control policies (SCPs).
Amazon EventBridge: A serverless event bus that makes it easier to build event-driven applications at scale using events generated from your applications, integrated SaaS applications, and AWS services.
NEW QUESTION # 116
An application is using an Amazon RDS for MySQL Multi-AZ DB instance in the us-east-1 Region. After a failover test, the application lost the connections to the database and could not re-establish the connections. After a restart of the application, the application re-established the connections.
A solutions architect must implement a solution so that the application can re-establish connections to the database without requiring a restart.
Which solution will meet these requirements?
- A. Create an Amazon Aurora MySQL Serverless v1 DB instance. Migrate the RDS DB instance to the Aurora Serverless v1 DB instance. Update the connection settings in the application to point to the Aurora reader endpoint.
- B. Create a two-node Amazon Aurora MySQL DB cluster. Migrate the RDS DB instance to the Aurora DB cluster. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.
- C. Create an RDS proxy. Configure the existing RDS endpoint as a target. Update the connection settings in the application to point to the RDS proxy endpoint.
- D. Create an Amazon S3 bucket. Export the database to Amazon S3 by using AWS Database Migration Service (AWS DMS). Configure Amazon Athena to use the S3 bucket as a data store. Install the latest Open Database Connectivity (ODBC) driver for the application. Update the connection settings in the application to point to the Athena endpoint
Answer: C
Explanation:
Creating an RDS Proxy and configuring the existing RDS endpoint as a target, and then updating the connection settings in the application to point to the RDS proxy endpoint will meet the requirement of the application being able to re-establish connections to the database without requiring a restart.
Amazon RDS Proxy is a fully managed, highly available database proxy for Amazon RDS that makes applications more scalable, more resilient to database failures, and more secure. With RDS Proxy, applications can pool and share connections to RDS databases, reducing the number of connections each RDS instance needs to handle. This can improve the performance and scalability of the application.
In the event of a failover or interruption, RDS Proxy automatically redirects connections to the new primary instance, so the application can continue to function without interruption. RDS Proxy also provides connection pooling, which reduces the number of connections to the primary RDS instance, so the primary instance can handle more traffic.
Here is an example of how to set up an RDS proxy and configure it to work with an existing RDS instance:
1. Create an RDS proxy in the AWS Management Console, and configure it to use the existing RDS instance as a target.
2. Update the connection settings in the application to use the RDS proxy endpoint instead of the RDS instance endpoint.
Reference:
https://aws.amazon.com/rds/proxy/
https://aws.amazon.com/blogs/database/using-amazon-rds-proxy-with-amazon-rds-for-mysql-and-amazon-aurora-mysql-to-improve-app-scalability-and-availability/
NEW QUESTION # 117
A company's public API runs as tasks on Amazon Elastic Container Service (Amazon ECS). The tasks run on AWS Fargate behind an Application Load Balancer (ALB) and are configured with Service Auto Scaling for the tasks based on CPU utilization. This service has been running well for several months.
Recently, API performance slowed down and made the application unusable. The company discovered that a significant number of SQL injection attacks had occurred against the API and that the API service had scaled to its maximum amount.
A solutions architect needs to implement a solution that prevents SQL injection attacks from reaching the ECS API service. The solution must allow legitimate traffic through and must maximize operational efficiency.
Which solution meets these requirements?
- A. Create a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks.
- B. Create a new AWS WAF web ACL. Create a new empty IP set in AWS WAF. Add a new rule to the web ACL to block requests that originate from IP addresses in the new IP set. Create an AWS Lambda function that scrapes the API logs for IP addresses that send SQL injection attacks, and add those IP addresses to the IP set. Attach the web ACL to the ALB in front of the ECS tasks.
- C. Create a new AWS WAF Bot Control implementation. Add a rule in the AWS WAF Bot Control managed rule group to monitor traffic and allow only legitimate traffic to the ALB in front of the ECS tasks.
- D. Create a new AWS WAF web ACL. Add a new rule that blocks requests that match the SQL database rule group. Set the web ACL to allow all other traffic that does not match those rules. Attach the web ACL to the ALB in front of the ECS tasks.
Answer: D
Explanation:
The company should create a new AWS WAF web ACL. The company should add a new rule that blocks requests that match the SQL database rule group. The company should set the web ACL to allow all other traffic that does not match those rules. The company should attach the web ACL to the ALB in front of the ECS tasks. This solution will meet the requirements because AWS WAF is a web application firewall that lets you monitor and control web requests that are forwarded to your web applications. You can use AWS WAF to define customizable web security rules that control which traffic can access your web applications and which traffic should be blocked [1]. By creating a new AWS WAF web ACL, the company can create a collection of rules that define the conditions for allowing or blocking web requests. By adding a new rule that blocks requests that match the SQL database rule group, the company can prevent SQL injection attacks from reaching the ECS API service. The SQL database rule group is a managed rule group provided by AWS that contains rules to protect against common SQL injection attack patterns [2]. By setting the web ACL to allow all other traffic that does not match those rules, the company can ensure that legitimate traffic can access the API service. By attaching the web ACL to the ALB in front of the ECS tasks, the company can apply the web security rules to all requests that are forwarded by the load balancer.
The other options are not correct because:
Creating a new AWS WAF Bot Control implementation would not prevent SQL injection attacks from reaching the ECS API service. AWS WAF Bot Control is a feature that gives you visibility and control over common and pervasive bot traffic that can consume excess resources, skew metrics, cause downtime, or perform other undesired activities. However, it does not protect against SQL injection attacks, which are malicious attempts to execute unauthorized SQL statements against your database [3].
Creating a new AWS WAF web ACL to monitor the HTTP requests and HTTPS requests that are forwarded to the ALB in front of the ECS tasks would not prevent SQL injection attacks from reaching the ECS API service. Monitoring mode is a feature that enables you to evaluate how your rules would perform without actually blocking any requests. However, this mode does not provide any protection against attacks, as it only logs and counts requests that match your rules [4].
Creating a new AWS WAF web ACL and creating a new empty IP set in AWS WAF would not prevent SQL injection attacks from reaching the ECS API service. An IP set is a feature that enables you to specify a list of IP addresses or CIDR blocks that you want to allow or block based on their source IP address. However, this approach would not be effective or efficient against SQL injection attacks, as it would require constantly updating the IP set with new IP addresses of attackers, and it would not block attackers who use proxies or VPNs.
References:
[1] https://aws.amazon.com/waf/
[2] https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html#sql-injection-
[3] https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html
[4] https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-monitoring-mode.html
[5] https://docs.aws.amazon.com/waf/latest/developerguide/waf-ip-sets.html
NEW QUESTION # 118
A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.
The company needs a solution that will prevent internet traffic from directly accessing the ALB.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
- B. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.
- C. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
- D. Associate the existing web ACL with the ALB.
Answer: A
Explanation:
https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/
NEW QUESTION # 119
A car rental company has built a serverless REST API to provide data to its mobile app.
The app consists of an Amazon API Gateway API with a Regional endpoint, AWS Lambda function and an Amazon Aurora MySQL Serverless DB cluster.
The company recently opened the API to mobile apps of partners.
A significant increase in the number of requests resulted, causing sporadic database memory errors.
Analysis of the API traffic indicates that clients are making multiple http GET requests for the same queries in a short period of time.
Traffic is concentrated during business hours, with spikes around holidays and other events.
The company needs to improve its ability to support the additional usage while minimizing the increase in costs associated with the solution.
Which strategy meets these requirements?
- A. Implement an Amazon ElastiCache for Redis cache to store the results of the database calls. Modify the Lambda functions to use the cache.
- B. Convert the API Gateway Regional endpoint to an edge-optimized endpoint. Enable caching in the production stage.
- C. Modify the Aurora Serverless DB cluster configuration to increase the maximum amount of available memory.
- D. Enable throttling in the API Gateway production stage. Set the rate and burst values to limit the incoming calls.
Answer: B
Explanation:
You can enable caching on API Gateway, so there is no need for an extra cache layer at additional cost. Changing to an edge-optimized endpoint would also help with caching content based on cookies.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html
NEW QUESTION # 120
A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.
A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API's reputation.
What should the solutions architect recommend to improve the customer experience?
- A. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.
- B. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is appropriate for the workload.
- C. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.
- D. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.
Answer: D
Explanation:
https://aws.amazon.com/premiumsupport/knowledge-center/aws-batch-requests-error/
https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-429-limit/
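API Gateway throttles requests with a token bucket, where the rate is the refill speed and the burst is the bucket size. The following added example (not part of the original question set) is a simplified model of per-API-key usage-plan throttling together with a client that treats 429 as a signal to retry; the rate of 5, burst of 10, key names, and class names are assumptions chosen for illustration.

```python
from collections import Counter


class TokenBucket:
    """One bucket per API key: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def take(self, now):
        # Refill for the time elapsed since the last request, capped at burst.
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ThrottledApi:
    """Hypothetical stand-in for an API stage with a usage plan per API key."""

    def __init__(self, plans):
        self.buckets = {key: TokenBucket(rate, burst)
                        for key, (rate, burst) in plans.items()}

    def put(self, api_key, now):
        # 429 Too Many Requests when the key's bucket is empty.
        return 200 if self.buckets[api_key].take(now) else 429


def send_burst(api, api_key, count, now):
    """Send `count` PUTs at the same instant and tally the status codes."""
    return Counter(api.put(api_key, now) for _ in range(count))


def put_with_backoff(api, api_key, start, base_delay=0.1, max_attempts=6):
    """Client side: retry on 429 with exponential backoff instead of surfacing it.

    Time is simulated so the result is deterministic; a real client would
    sleep and add random jitter to each delay.
    Returns (final_status, attempts_used, time_of_last_attempt_or_next_retry).
    """
    now = start
    for attempt in range(1, max_attempts + 1):
        status = api.put(api_key, now)
        if status != 429:
            return status, attempt, now
        now += base_delay * 2 ** (attempt - 1)
    return 429, max_attempts, now


def demo():
    api = ThrottledApi({"heavy-client": (5, 10), "normal-client": (5, 10)})
    heavy = send_burst(api, "heavy-client", 30, now=0.0)    # the one noisy client
    normal = send_burst(api, "normal-client", 3, now=0.0)   # unaffected by it
    retried = put_with_backoff(api, "heavy-client", start=0.0)
    return heavy, normal, retried


if __name__ == "__main__":
    print(demo())
```

The heavy client is capped at its own burst while the other key is unaffected, and the throttled call succeeds on a later retry without an error reaching the customer.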
NEW QUESTION # 121
A company wants to design a disaster recovery (DR) solution for an application that runs in the company's data center. The application writes to an SMB file share and creates a copy on a second file share. Both file shares are in the data center. The application uses two types of files: metadata files and image files.
The company wants to store the copy on AWS. The company needs the ability to use SMB to access the data from either the data center or AWS if a disaster occurs. The copy of the data is rarely accessed but must be available within 5 minutes.
- A. Deploy an Amazon FSx File Gateway. Configure an Amazon FSx for Windows File Server Multi-AZ file system that uses SSD storage.
- B. Deploy an Amazon S3 File Gateway. Configure the S3 File Gateway to use Amazon S3 Standard-Infrequent Access (S3 Standard-IA) for the metadata files and image files.
- C. Deploy AWS Outposts with Amazon S3 storage. Configure a Windows Amazon EC2 instance on Outposts as a file server.
- D. Deploy an Amazon S3 File Gateway. Configure the S3 File Gateway to use Amazon S3 Standard-Infrequent Access (S3 Standard-IA) for the metadata files and to use S3 Glacier Deep Archive for the image files.
Answer: B
Explanation:
Amazon S3 File Gateway supports SMB and can be used to store and retrieve files in Amazon S3 using file-based interfaces. Using S3 Standard-Infrequent Access for both metadata and image files ensures that the data is available within the required 5 minutes while optimizing costs for infrequently accessed data.
NEW QUESTION # 122
A retail company needs to provide a series of data files to another company, which is its business partner. These files are saved in an Amazon S3 bucket under Account A, which belongs to the retail company. The business partner company wants one of its IAM users, User_DataProcessor, to access the files from its own AWS account (Account B).
Which combination of steps must the companies take so that User_DataProcessor can access the S3 bucket successfully? (Select TWO.)
- A. In Account A, set the S3 bucket policy to the following:

- B. In Account B, set the permissions of User_DataProcessor to the following:

- C. In Account B, set the permissions of User_DataProcessor to the following:

- D. In Account A, set the S3 bucket policy to the following:

- E. Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.
Answer: B,E
NEW QUESTION # 123
A company is deploying a public-facing global application on AWS using Amazon CloudFront.
The application communicates with an external system. A solutions architect needs to .
Which combination of steps will satisfy these requirements? (Choose three.)
- A. Use SSL or encrypt data while communicating with the external system using a VPN.
- B. Provision Amazon EBS encrypted volumes using AWS KMS and ensure explicit encryption of data when writing to Amazon EBS.
- C. Create a public certificate for the required domain in AWS Certificate Manager and deploy it to CloudFront, an Application Load Balancer, and Amazon EC2 instances.
- D. Provision Amazon EBS encrypted volumes using AWS KMS.
- E. Communicate with the external system using plaintext and use the VPN to encrypt the data in transit.
- F. Acquire a public certificate from a third-party vendor and deploy it to CloudFront, an Application Load Balancer, and Amazon EC2 instances.
Answer: A,D,F
Explanation:
Q: Can I use certificates on Amazon EC2 instances or on my own servers?
You can use private certificates issued with ACM Private CA with EC2 instances, containers, and on your own servers. At this time, public ACM certificates can be used only with specific AWS services. See With which AWS services can I use ACM certificates?
https://aws.amazon.com/certificate-manager/faqs/?nc1=h_ls
NEW QUESTION # 124
......
Amazon SAP-C02 (AWS Certified Solutions Architect - Professional (SAP-C02)) Exam is a highly sought-after certification for IT professionals who want to demonstrate their expertise in designing and deploying scalable, highly available, and fault-tolerant systems on the Amazon Web Services (AWS) platform. The SAP-C02 exam is designed for individuals who have already obtained the AWS Certified Solutions Architect – Associate certification and have significant experience in designing distributed applications and systems on AWS.

