Amazon SAP-C01 Exam
AWS Certified Solutions Architect - Professional SAP-C02 (Page 51)

Updated On: 26-Jan-2026

A company wants to optimize AWS data-transfer costs and compute costs across developer accounts within the company's organization in AWS Organizations. Developers can configure VPCs and launch Amazon EC2 instances in a single AWS Region. The EC2 instances retrieve approximately 1 TB of data each day from Amazon S3.

The developer activity leads to excessive monthly data-transfer charges and NAT gateway processing charges between EC2 instances and S3 buckets, along with high compute costs. The company wants to proactively enforce approved architectural patterns for any EC2 instance and VPC infrastructure that developers deploy within the AWS accounts. The company does not want this enforcement to negatively affect the speed at which the developers can perform their tasks.

Which solution will meet these requirements MOST cost-effectively?

  1. Create SCPs to prevent developers from launching unapproved EC2 instance types. Provide the developers with an AWS CloudFormation template to deploy an approved VPC configuration with S3 interface endpoints. Scope the developers' IAM permissions so that the developers can launch VPC resources only with CloudFormation.
  2. Create a daily forecasted budget with AWS Budgets to monitor EC2 compute costs and S3 data-transfer costs across the developer accounts. When the forecasted cost is 75% of the actual budget cost, send an alert to the developer teams. If the actual budget cost is 100%, create a budget action to terminate the developers' EC2 instances and VPC infrastructure.
  3. Create an AWS Service Catalog portfolio that users can use to create an approved VPC configuration with S3 gateway endpoints and approved EC2 instances. Share the portfolio with the developer accounts. Configure an AWS Service Catalog launch constraint to use an approved IAM role. Scope the developers' IAM permissions to allow access only to AWS Service Catalog.
  4. Create and deploy AWS Config rules to monitor the compliance of EC2 and VPC resources in the developer AWS accounts. If developers launch unapproved EC2 instances or if developers create VPCs without S3 gateway endpoints, perform a remediation action to terminate the unapproved resources.

Answer(s): C

Explanation:

C) Creating an AWS Service Catalog portfolio allows the company to provide developers with pre-approved VPC configurations and EC2 instance types, which can include S3 gateway endpoints to minimize data transfer costs. By sharing the portfolio with the developer accounts, the company ensures that only approved infrastructure is deployed. Configuring an AWS Service Catalog launch constraint to use an approved IAM role and scoping developer permissions to Service Catalog enables governance without negatively impacting developer productivity. This solution provides cost optimization and proactive architectural enforcement with minimal operational overhead, making it the most cost-effective option.



A company runs an ecommerce application in a single AWS Region. The application uses a five-node Amazon Aurora MySQL DB cluster to store information about customers and their recent orders. The DB cluster experiences a large number of write transactions throughout the day.

The company needs to replicate the data in the Aurora database to another Region to meet disaster recovery requirements. The company has an RPO of 1 hour.

Which solution will meet these requirements with the LOWEST cost?

  1. Modify the Aurora database to be an Aurora global database. Create a second Aurora database in another Region.
  2. Enable the Backtrack feature for the Aurora database. Create an AWS Lambda function that runs daily to copy the snapshots of the database to a backup Region.
  3. Use AWS Database Migration Service (AWS DMS). Create a DMS change data capture (CDC) task that replicates the ongoing changes from the Aurora database to an Amazon S3 bucket in another Region.
  4. Turn off automated Aurora backups. Configure Aurora backups with a backup frequency of 1 hour. Specify another Region as the destination Region. Select the Aurora database as the resource assignment.

Answer(s): C

Explanation:

C) is the correct answer because using AWS Database Migration Service (AWS DMS) with a change data capture (CDC) task allows for near real-time replication of data changes from the primary Aurora database to an Amazon S3 bucket in another Region. This approach meets the RPO of 1 hour as it replicates ongoing changes and ensures that data is available in the backup Region without the need for creating a full replica of the Aurora database.
This solution is cost-effective because it leverages S3 storage for replication instead of provisioning an entire second Aurora cluster in another Region, which would significantly increase costs.



A company recently migrated a web application from an on-premises data center to the AWS Cloud. The web application infrastructure consists of an Amazon CloudFront distribution that routes to an Application Load Balancer (ALB), with Amazon Elastic Container Service (Amazon ECS) to process requests. A recent security audit revealed that the web application is accessible by using both CloudFront and ALB endpoints. However, the company requires that the web application must be accessible only by using the CloudFront endpoint.

Which solution will meet this requirement with the LEAST amount of effort?

  1. Create a new security group and attach it to the CloudFront distribution. Update the ALB security group ingress to allow access only from the CloudFront security group.
  2. Update ALB security group ingress to allow access only from the com.amazonaws.global.cloudfront.origin-facing CloudFront managed prefix list.
  3. Create a com.amazonaws.region.elasticloadbalancing VPC interface endpoint for Elastic Load Balancing. Update the ALB scheme from internet-facing to internal.
  4. Extract CloudFront IPs from the AWS provided ip-ranges.json document. Update ALB security group ingress to allow access only from CloudFront IPs.

Answer(s): B

Explanation:

Option (B) is the most efficient solution because AWS provides a managed prefix list called com.amazonaws.global.cloudfront.origin-facing that contains the IP addresses used by CloudFront to forward requests to your origin, such as the ALB in this case. By updating the security group of the ALB to allow ingress traffic only from this CloudFront prefix list, you ensure that only requests originating from CloudFront can access the ALB, effectively blocking direct access to the ALB endpoint.
This solution requires the least effort because you don’t need to manually manage IP ranges or update configurations frequently, as AWS automatically maintains the CloudFront managed prefix list.
Option (A) involves unnecessary steps with security groups and doesn’t address the requirement as efficiently as the managed prefix list.
Option (C) changes the ALB from internet-facing to internal, which could potentially break access from CloudFront and requires more changes.
Option (D) involves manual management of CloudFront IPs, which is more complex and error-prone compared to using the managed prefix list.
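The hardened setting from option B, written as an added CloudFormation example (not part of the exam page). It assumes the VPC ID and the region-specific ID of the com.amazonaws.global.cloudfront.origin-facing prefix list are passed in as parameters.

```yaml
# Added example, not from the exam page: ALB security group whose only ingress
# rule is the CloudFront origin-facing managed prefix list (option B).
# Assumption: the prefix list ID (pl-...) differs per region, so it is looked up
# once and supplied as a parameter, e.g.
#   aws ec2 describe-managed-prefix-lists \
#     --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing \
#     --query 'PrefixLists[0].PrefixListId' --output text
AWSTemplateFormatVersion: "2010-09-09"
Description: ALB security group that admits HTTPS only from CloudFront
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  CloudFrontOriginPrefixListId:
    Type: String
    Description: Region-specific ID of com.amazonaws.global.cloudfront.origin-facing
    AllowedPattern: "^pl-[0-9a-f]+$"
Resources:
  CloudFrontOnlyAlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB reachable only through CloudFront
      VpcId: !Ref VpcId
      # The audit finding was the usual "CidrIp: 0.0.0.0/0" rule on port 443.
      # Referencing the managed prefix list instead means AWS keeps the address
      # ranges current; nothing from ip-ranges.json has to be parsed or rotated.
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !Ref CloudFrontOriginPrefixListId
Outputs:
  AlbSecurityGroupId:
    Description: Attach this group to the ALB and remove the 0.0.0.0/0 rule
    Value: !Ref CloudFrontOnlyAlbSecurityGroup
```

Two caveats the prefix list does not cover: the rule admits traffic from any CloudFront distribution, not only the company's own, so the ALB should additionally require a secret custom origin header that the distribution adds; and the CloudFront list has a weight of 55 against the security group's rule quota (60 by default), which leaves little room for other rules in the same group.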



A company's solutions architect is evaluating an AWS workload that was deployed several years ago. The application tier is stateless and runs on a single large Amazon EC2 instance that was launched from an AMI. The application stores data in a MySQL database that runs on a single EC2 instance.

The CPU utilization on the application server EC2 instance often reaches 100% and causes the application to stop responding. The company manually installs patches on the instances. Patching has caused downtime in the past. The company needs to make the application highly available.

Which solution will meet these requirements with the LEAST development time?

  1. Move the application tier to AWS Lambda functions in the existing VPC. Create an Application Load Balancer to distribute traffic across the Lambda functions. Use Amazon GuardDuty to scan the Lambda functions. Migrate the database to Amazon DocumentDB (with MongoDB compatibility).
  2. Change the EC2 instance type to a smaller Graviton powered instance type. Use the existing AMI to create a launch template for an Auto Scaling group. Create an Application Load Balancer to distribute traffic across the instances in the Auto Scaling group. Set the Auto Scaling group to scale based on CPU utilization. Migrate the database to Amazon DynamoDB.
  3. Move the application tier to containers by using Docker. Run the containers on Amazon Elastic Container Service (Amazon ECS) with EC2 instances. Create an Application Load Balancer to distribute traffic across the ECS cluster. Configure the ECS cluster to scale based on CPU utilization. Migrate the database to Amazon Neptune.
  4. Create a new AMI that is configured with AWS Systems Manager Agent (SSM Agent). Use the new AMI to create a launch template for an Auto Scaling group. Use smaller instances in the Auto Scaling group. Create an Application Load Balancer to distribute traffic across the instances in the Auto Scaling group. Set the Auto Scaling group to scale based on CPU utilization. Migrate the database to Amazon Aurora MySQL.

Answer(s): D

Explanation:

D) is the best solution because it meets the requirements with minimal development effort while making the application highly available.
- AMI with Systems Manager Agent (SSM Agent): This allows for automated patch management, which eliminates the need for manual patching and reduces downtime due to maintenance.
- Auto Scaling group with smaller instances: This distributes traffic across multiple instances, providing high availability and scaling based on CPU utilization to handle increased load, which addresses the CPU saturation issue.
- Application Load Balancer: This distributes incoming traffic evenly across the Auto Scaling group, ensuring that the application remains responsive.
- Amazon Aurora MySQL: Migrating the database to Amazon Aurora MySQL provides a managed database solution that is highly available, with built-in automatic backups, replication, and failover.
This approach ensures high availability and scalability, and reduces operational overhead without significant re-architecting of the application.



A company is building an application that will run on an AWS Lambda function. Hundreds of customers will use the application. The company wants to give each customer a quota of requests for a specific time period. The quotas must match customer usage patterns. Some customers must receive a higher quota for a shorter time period.

Which solution will meet these requirements?

  1. Create an Amazon API Gateway REST API with a proxy integration to invoke the Lambda function. For each customer, configure an API Gateway usage plan that includes an appropriate request quota. Create an API key from the usage plan for each user that the customer needs.
  2. Create an Amazon API Gateway HTTP API with a proxy integration to invoke the Lambda function. For each customer, configure an API Gateway usage plan that includes an appropriate request quota. Configure route-level throttling for each usage plan. Create an API key from the usage plan for each user that the customer needs.
  3. Create a Lambda function alias for each customer. Include a concurrency limit with an appropriate request quota. Create a Lambda function URL for each function alias. Share the Lambda function URL for each alias with the relevant customer.
  4. Create an Application Load Balancer (ALB) in a VPC. Configure the Lambda function as a target for the ALB. Configure an AWS WAF web ACL for the ALB. For each customer, configure a rate-based rule that includes an appropriate request quota.

Answer(s): A

Explanation:

A) is the most appropriate solution because Amazon API Gateway provides a built-in mechanism for managing quotas, rate limiting, and access control. Here is how this solution meets the requirements:
- API Gateway usage plans allow for setting request quotas and throttling limits, which can be configured per customer to match their usage patterns. Each customer can have different quotas for specific time periods, enabling flexibility in the allocation of resources.
- API keys can be assigned to individual customers, ensuring that each customer's requests are tracked and limited according to their quota.
- API Gateway provides seamless integration with AWS Lambda, allowing the application to scale efficiently while adhering to customer-specific quotas.
This solution is simple to implement and directly addresses the need for customer-specific request quotas.


