Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SAP-C02

Amazon SAP-C02 Exam Questions
AWS Certified Solutions Architect - Professional SAP-C02 (Page 14 )

Updated On: 23-Mar-2026
Page 14 of 107
PDF with 533 Questions

A company wants to migrate an application to Amazon EC2 from VMware Infrastructure that runs in an on-premises data center. A solutions architect must preserve the software and configuration settings during the migration.

What should the solutions architect do to meet these requirements?

  1. Configure the AWS DataSync agent to start replicating the data store to Amazon FSx for Windows File Server. Use the SMB share to host the VMware data store. Use VM Import/Export to move the VMs to Amazon EC2.
  2. Use the VMware vSphere client to export the application as an image in Open Virtualization Format (OVF) format. Create an Amazon S3 bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import command.
  3. Configure AWS Storage Gateway for files service to export a Common Internet File System (CIFS) share. Create a backup copy to the shared folder. Sign in to the AWS Management Console and create an AMI from the backup copy. Launch an EC2 instance that is based on the AMI.
  4. Create a managed-instance activation for a hybrid environment in AWS Systems Manager. Download and install Systems Manager Agent on the on-premises VM. Register the VM with Systems Manager to be a managed instance. Use AWS Backup to create a snapshot of the VM and create an AMI. Launch an EC2 instance that is based on the AMI.

Answer(s): B

Explanation:

B) Use the VMware vSphere client to export the application as an image in Open Virtualization Format (OVF) format. Create an Amazon S3 bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import. Use the AWS CLI to run the EC2 import command is the correct answer.

This solution preserves the application, software, and configuration settings by exporting the VMware VM as an Open Virtualization Format (OVF) image, which can be imported directly into AWS using the VM Import/Export service. By storing the image in an S3 bucket, you can transfer it to AWS and use the EC2 import command to convert it into an Amazon Machine Image (AMI). This approach ensures that the application runs as it did in the on-premises VMware environment without requiring reinstallation or reconfiguration.

This method is specifically designed for VMware-to-EC2 migrations and meets the requirement to preserve all software and configuration settings during the migration.



A video processing company has an application that downloads images from an Amazon S3 bucket, processes the images, stores a transformed image in a second S3 bucket, and updates metadata about the image in an Amazon DynamoDB table. The application is written in Node.js and runs by using an AWS Lambda function. The Lambda function is invoked when a new image is uploaded to Amazon S3.

The application ran without incident for a while. However, the size of the images has grown significantly. The Lambda function is now failing frequently with timeout errors. The function timeout is set to its maximum value. A solutions architect needs to refactor the application’s architecture to prevent invocation failures. The company does not want to manage the underlying infrastructure.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  1. Modify the application deployment by building a Docker image that contains the application code. Publish the image to Amazon Elastic Container Registry (Amazon ECR).
  2. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of AWS Fargate. Configure the task definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by using the ECS task definition when a new file arrives in Amazon S3.
  3. Create an AWS Step Functions state machine with a Parallel state to invoke the Lambda function. Increase the provisioned concurrency of the Lambda function.
  4. Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of Amazon EC2. Configure the task definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by using the ECS task definition when a new file arrives in Amazon S3.
  5. Modify the application to store images on Amazon Elastic File System (Amazon EFS) and to store metadata on an Amazon RDS DB instance. Adjust the Lambda function to mount the EFS file share.

Answer(s): A,B

Explanation:

The correct answers are:

A) Modify the application deployment by building a Docker image that contains the application code. Publish the image to Amazon Elastic Container Registry (Amazon ECR).
By containerizing the application, you can overcome the Lambda function's limitations related to execution time and resource constraints. The Docker image can handle larger image processing workloads, and storing the image in Amazon ECR allows it to be easily deployed in other services, like ECS.

B) Create a new Amazon Elastic Container Service (Amazon ECS) task definition with a compatibility type of AWS Fargate. Configure the task definition to use the new image in Amazon Elastic Container Registry (Amazon ECR). Adjust the Lambda function to invoke an ECS task by using the ECS task definition when a new file arrives in Amazon S3.
This solution offloads the image processing task to AWS Fargate, which provides a serverless container service, ensuring that the company does not need to manage the infrastructure. Fargate can handle larger processing tasks and can scale based on demand. The Lambda function would trigger an ECS task to process the images, which solves the timeout issue.

These steps provide a scalable, serverless solution without the need to manage underlying infrastructure while handling the increased image sizes.



A company has an organization in AWS Organizations. The company is using AWS Control Tower to deploy a landing zone for the organization. The company wants to implement governance and policy enforcement. The company must implement a policy that will detect Amazon RDS DB instances that are not encrypted at rest in the company’s production OU.

Which solution will meet this requirement?

  1. Turn on mandatory guardrails in AWS Control Tower. Apply the mandatory guardrails to the production OU.
  2. Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU.
  3. Use AWS Config to create a new mandatory guardrail. Apply the rule to all accounts in the production OU.
  4. Create a custom SCP in AWS Control Tower. Apply the SCP to the production OU.

Answer(s): B

Explanation:

B) Enable the appropriate guardrail from the list of strongly recommended guardrails in AWS Control Tower. Apply the guardrail to the production OU is the correct answer.

AWS Control Tower offers strongly recommended guardrails, which include governance rules that can detect and enforce encryption for resources like Amazon RDS. By enabling the appropriate strongly recommended guardrail and applying it to the production OU, the company can enforce encryption for RDS instances and detect any non-compliance.

This option leverages AWS Control Tower's built-in governance features without needing to create custom rules or service control policies, ensuring policy enforcement with minimal operational overhead.



A startup company hosts a fleet of Amazon EC2 instances in private subnets using the latest Amazon Linux 2 AMI. The company’s engineers rely heavily on SSH access to the instances for troubleshooting.

The company’s existing architecture includes the following:

-A VPC with private and public subnets, and a NAT gateway.
-Site-to-Site VPN for connectivity with the on-premises environment.
-EC2 security groups with direct SSH access from the on-premises environment.

The company needs to increase security controls around SSH access and provide auditing of commands run by the engineers.

Which strategy should a solutions architect use?

  1. Install and configure EC2 Instance Connect on the fleet of EC2 instances. Remove all security group rules attached to EC2 instances that allow inbound TCP on port 22. Advise the engineers to remotely access the instances by using the EC2 Instance Connect CLI.
  2. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Install the Amazon CloudWatch agent on all EC2 instances and send operating system audit logs to CloudWatch Logs.
  3. Update the EC2 security groups to only allow inbound TCP on port 22 to the IP addresses of the engineer’s devices. Enable AWS Config for EC2 security group resource changes. Enable AWS Firewall Manager and apply a security group policy that automatically remediates changes to rules.
  4. Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager.

Answer(s): D

Explanation:

D) Create an IAM role with the AmazonSSMManagedInstanceCore managed policy attached. Attach the IAM role to all the EC2 instances. Remove all security group rules attached to the EC2 instances that allow inbound TCP on port 22. Have the engineers install the AWS Systems Manager Session Manager plugin for their devices and remotely access the instances by using the start-session API call from Systems Manager is the correct solution.

AWS Systems Manager Session Manager provides a secure and auditable way to manage SSH access to EC2 instances without needing to open port 22 for SSH access, which improves security. By attaching the AmazonSSMManagedInstanceCore managed policy to the instances, you enable Systems Manager features, including Session Manager.

This solution has the following advantages:

No need for SSH or inbound port 22 access, improving the security posture of the environment.
Full auditing of session activity through AWS CloudTrail and CloudWatch Logs.
The engineers can access the instances securely via the start-session API without needing SSH keys, which adds an extra layer of security and control.
This approach meets the requirements to enhance security, eliminate open SSH ports, and provide auditable logs of commands executed on the instances.



A company that uses AWS Organizations allows developers to experiment on AWS. As part of the landing zone that the company has deployed, developers use their company email address to request an account. The company wants to ensure that developers are not launching costly services or running services unnecessarily. The company must give developers a fixed monthly budget to limit their AWS costs.

Which combination of steps will meet these requirements? (Choose three.)

  1. Create an SCP to set a fixed monthly account usage limit. Apply the SCP to the developer accounts.
  2. Use AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process.
  3. Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts.
  4. Create an IAM policy to deny access to costly services and components. Apply the IAM policy to the developer accounts.
  5. Create an AWS Budgets alert action to terminate services when the budgeted amount is reached. Configure the action to terminate all services.
  6. Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services.

Answer(s): B,C,F

Explanation:

B) Use AWS Budgets to create a fixed monthly budget for each developer’s account as part of the account creation process. AWS Budgets allows you to set a fixed monthly budget for each account, ensuring cost limits are in place from the start.

C) Create an SCP to deny access to costly services and components. Apply the SCP to the developer accounts. An SCP (Service Control Policy) restricts access to expensive services, preventing developers from launching costly resources.

F) Create an AWS Budgets alert action to send an Amazon Simple Notification Service (Amazon SNS) notification when the budgeted amount is reached. Invoke an AWS Lambda function to terminate all services. This ensures that when the budget is exceeded, an SNS alert triggers a Lambda function to terminate running services, effectively enforcing the cost limit.



Viewing page 14 of 107
Viewing questions 66 - 70 out of 533 questions



Post your Comments and Discuss Amazon SAP-C02 exam dumps with other Community members:

SAP-C02 Exam Discussions & Posts

AI Tutor 👋 I’m here to help!