A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.Which combination of steps will meet these requirements? (Choose two.)
Answer(s): B,C
B) Add an outbound rule to the EC2 instances' security group. Specify the DB cluster's security group as the destination over the default Aurora port. This restricts the instances' egress to the DB cluster's security group on the database port (3306 for Aurora MySQL, 5432 for Aurora PostgreSQL) instead of the default rule that allows all outbound traffic.
C) Add an inbound rule to the DB cluster's security group. Specify the EC2 instances' security group as the source over the default Aurora port. Referencing the security group rather than an IP range means only members of that group can reach the cluster, and the rule keeps working when instances are replaced or scaled.
Security groups are stateful, so return traffic for these connections is allowed automatically and no rules in the opposite direction are needed. Together the two rules allow exactly the required traffic on the required port and nothing else, which is what least privilege calls for here.
A company wants to change its internal cloud billing strategy for each of its business units. Currently, the cloud governance team shares reports for overall cloud spending with the head of each business unit. The company uses AWS Organizations to manage the separate AWS accounts for each business unit. The existing tagging standard in Organizations includes the application, environment, and owner. The cloud governance team wants a centralized solution so each business unit receives monthly reports on its cloud spending. The solution should also send notifications for any cloud spending that exceeds a set threshold.Which solution is the MOST cost-effective way to meet these requirements?
Answer(s): B
B) Configure AWS Budgets in the organization's management account and configure budget alerts that are grouped by application, environment, and owner. Add each business unit to an Amazon SNS topic for each alert. Use Cost Explorer in the organization's management account to create monthly reports for each business unit. This solution is cost-effective because it centralizes cost management in the organization's management account using AWS Budgets and Cost Explorer, both of which can see spending across every member account. The cloud governance team can configure budget alerts and generate monthly reports grouped by the existing application, environment, and owner tags, provided those tags have first been activated as cost allocation tags in the management account; until then neither Budgets nor Cost Explorer can filter or group by them. Threshold notifications are delivered through Amazon SNS, so each business unit is informed as soon as its spending crosses the configured limit.
A company is using AWS CloudFormation to deploy its infrastructure. The company is concerned that, if a production CloudFormation stack is deleted, important data stored in Amazon RDS databases or Amazon EBS volumes might also be deleted.How can the company prevent users from accidentally deleting data in this way?
Answer(s): A
A) Modify the CloudFormation templates to add a DeletionPolicy attribute to RDS and EBS resources. The DeletionPolicy attribute tells CloudFormation what to do with a resource when its stack is deleted or the resource is removed from the template. For data-bearing resources such as RDS databases and EBS volumes, set it to Retain (the resource is left in place) or Snapshot (a snapshot is taken before deletion; supported for AWS::RDS::DBInstance, AWS::RDS::DBCluster and AWS::EC2::Volume, among others), so the data survives even if the stack is removed. Two related controls are worth adding at the same time: UpdateReplacePolicy, which protects the same resources when a stack update forces a replacement, and stack termination protection, which blocks deletion of the whole stack. Neither replaces DeletionPolicy, because termination protection can be switched off by anyone with permission to do so, and a resource can still be deleted by a template change that drops it.
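The following is an added example, not code from the original page: a check that flags stateful resources in a parsed CloudFormation template that have no safe DeletionPolicy, and a function that adds both DeletionPolicy and UpdateReplacePolicy to them. The sample template and its logical IDs are constructed for the example; the policy table uses Snapshot for types that support it and Retain otherwise.

```python
"""Find stateful CloudFormation resources without a safe DeletionPolicy and add one.

Added example; not code from the original page. It operates on a template
already parsed into a dict (json.loads for JSON templates; for YAML use a
parser that understands the CloudFormation short-form tags). The sample
template below is constructed; logical IDs and the AMI ID are hypothetical.
"""
import copy
import json

# Resource types whose deletion destroys data, with the strongest policy
# CloudFormation offers for each: Snapshot where the service supports it,
# otherwise Retain.
STATEFUL_POLICY = {
    "AWS::RDS::DBCluster": "Snapshot",
    "AWS::RDS::DBInstance": "Snapshot",
    "AWS::EC2::Volume": "Snapshot",
    "AWS::DynamoDB::Table": "Retain",
    "AWS::S3::Bucket": "Retain",
    "AWS::EFS::FileSystem": "Retain",
}

TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AppDb": {"Type": "AWS::RDS::DBCluster",
              "Properties": {"Engine": "aurora-mysql"}},
    "DataVolume": {"Type": "AWS::EC2::Volume", "DeletionPolicy": "Delete",
                   "Properties": {"AvailabilityZone": "us-east-1a", "Size": 100}},
    "Web": {"Type": "AWS::EC2::Instance",
            "Properties": {"ImageId": "ami-0123456789abcdef0", "InstanceType": "t3.micro"}}
  }
}""")


def unprotected(template):
    """Logical IDs of stateful resources whose DeletionPolicy is absent or Delete."""
    return sorted(
        lid for lid, res in template.get("Resources", {}).items()
        if res.get("Type") in STATEFUL_POLICY
        and res.get("DeletionPolicy", "Delete") == "Delete"
    )


def harden(template):
    """Copy of the template with DeletionPolicy and UpdateReplacePolicy set.

    UpdateReplacePolicy matters too: a property change that forces replacement
    deletes the old resource during an update, which DeletionPolicy alone does
    not cover.
    """
    out = copy.deepcopy(template)
    for res in out.get("Resources", {}).values():
        policy = STATEFUL_POLICY.get(res.get("Type"))
        if policy is None:
            continue
        if res.get("DeletionPolicy", "Delete") == "Delete":
            res["DeletionPolicy"] = policy
        res.setdefault("UpdateReplacePolicy", res["DeletionPolicy"])
    return out


if __name__ == "__main__":
    print("unprotected:", unprotected(TEMPLATE))
    print(json.dumps(harden(TEMPLATE)["Resources"], indent=2))
```

Run `unprotected()` as a gate in the pipeline that deploys templates and fail the build when it returns anything; after deploying the hardened template, enable termination protection on the production stack as well (`aws cloudformation update-termination-protection --enable-termination-protection --stack-name <stack>`).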
A company has VPC flow logs enabled for its NAT gateway. The company is seeing Action = ACCEPT for inbound traffic that comes from public IP address 198.51.100.2 destined for a private Amazon EC2 instance. A solutions architect must determine whether the traffic represents unsolicited inbound connections from the internet. The first two octets of the VPC CIDR block are 203.0. Which set of steps should the solutions architect take to meet these requirements?
Answer(s): B
B) Open the Amazon CloudWatch console. Select the log group that contains the NAT gateway's elastic network interface and the private instance's elastic network interface. Run a query to filter with the destination address set as "like 203.0" and the source address set as "like 198.51.100.2". Run the stats command to filter the sum of bytes transferred by the source address and the destination address. Querying the flow logs of both interfaces with CloudWatch Logs Insights is the correct approach. The filter keeps records whose destination is inside the VPC (203.0, the first two octets of the VPC CIDR) and whose source is the public address 198.51.100.2, and the stats command sums the bytes for each source and destination pair. The NAT gateway's interface has no security group, so inbound internet traffic is logged there as ACCEPT whether or not the NAT gateway has a matching translation for it; an ACCEPT record on the NAT gateway alone therefore does not show that the instance received anything. Comparing the two interfaces answers the question: if the private instance's interface also shows the flow, and shows the instance sending to 198.51.100.2 first, the traffic is the response to a connection the instance opened; if the flow appears only on the NAT gateway's interface, it was unsolicited and the NAT gateway dropped it.
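The following is an added example, not code from the original page: the query the answer describes, kept as a string for reference, and Python that applies the same filter and aggregation to flow-log records offline, then classifies each inbound flow on the NAT gateway as solicited or unsolicited by looking for the matching outbound flow on the instance's own interface. The records are constructed in the default VPC flow log format; the interface IDs and the 203.0.113.0/24 addresses are hypothetical.

```python
"""Decide whether ACCEPTed inbound flows seen at a NAT gateway were solicited.

Added example; not code from the original page. The flow-log records are
constructed in the default VPC flow log format (version account-id
interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end
action log-status); interface IDs and 203.0.113.0/24 addresses are
hypothetical. LOGS_INSIGHTS_QUERY is the query the answer describes, kept for
reference; the functions apply the same filter and aggregation offline.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

LOGS_INSIGHTS_QUERY = """\
filter (dstAddr like '203.0' and srcAddr like '198.51.100.2')
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
"""

# NAT gateway interface: a solicited HTTPS response and an unsolicited SSH probe.
NAT_ENI_LOG = """\
2 123456789012 eni-0nat000000000001 203.0.113.10 198.51.100.2 54032 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0nat000000000001 198.51.100.2 203.0.113.10 443 54032 6 12 9000 1700000001 1700000061 ACCEPT OK
2 123456789012 eni-0nat000000000001 198.51.100.2 203.0.113.5 40112 22 6 3 180 1700000300 1700000360 ACCEPT OK
"""
# Private instance interface: only the connection the instance opened itself.
INSTANCE_ENI_LOG = """\
2 123456789012 eni-0app000000000001 203.0.113.10 198.51.100.2 54032 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0app000000000001 198.51.100.2 203.0.113.10 443 54032 6 12 9000 1700000001 1700000061 ACCEPT OK
"""


def parse(text):
    """Parse default-format flow log lines into dicts with numeric fields as ints."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split()))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def bytes_by_pair(records, public_ip, vpc_cidr):
    """The query's aggregation: sum bytes per (srcAddr, dstAddr) for ACCEPTed
    flows from public_ip into the VPC. Insights 'like' is a substring match;
    the ipaddress membership test below is the exact form of that filter."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(int)
    for r in records:
        if (r["action"] == "ACCEPT" and r["srcaddr"] == public_ip
                and ipaddress.ip_address(r["dstaddr"]) in vpc):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return dict(totals)


def classify_inbound(nat_records, instance_records, public_ip, vpc_cidr):
    """Map each inbound NAT flow (dstaddr, dstport) to 'solicited' or 'unsolicited'.

    The NAT gateway log alone cannot answer the question, because inbound
    internet traffic is logged there as ACCEPT either way. A flow counts as
    solicited only if the instance's own interface logged an earlier outbound
    flow to the same public IP with the ports swapped (the same 5-tuple seen
    from the other side).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    outbound_start = {
        (r["dstaddr"], r["srcaddr"], r["dstport"], r["srcport"], r["protocol"]): r["start"]
        for r in instance_records if r["dstaddr"] == public_ip
    }
    verdicts = {}
    for r in nat_records:
        if r["srcaddr"] != public_ip or ipaddress.ip_address(r["dstaddr"]) not in vpc:
            continue
        key = (r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"], r["protocol"])
        started = outbound_start.get(key)
        solicited = started is not None and started <= r["start"]
        verdicts[(r["dstaddr"], r["dstport"])] = "solicited" if solicited else "unsolicited"
    return verdicts


if __name__ == "__main__":
    nat, inst = parse(NAT_ENI_LOG), parse(INSTANCE_ENI_LOG)
    print("NAT gateway ENI:", bytes_by_pair(nat, "198.51.100.2", "203.0.0.0/16"))
    print("instance ENI:   ", bytes_by_pair(inst, "198.51.100.2", "203.0.0.0/16"))
    print(classify_inbound(nat, inst, "198.51.100.2", "203.0.0.0/16"))
```

On the sample data the HTTPS flow to 203.0.113.10 appears on both interfaces with the instance sending first, so it is a response; the SSH probe to the NAT gateway's private address appears only on the NAT gateway and is unsolicited. With real logs, export the two log groups (or the Insights result sets) and run the same comparison.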
A company consists of two separate business units. Each business unit has its own AWS account within a single organization in AWS Organizations. The business units regularly share sensitive documents with each other. To facilitate sharing, the company created an Amazon S3 bucket in each account and configured two-way replication between the S3 buckets. The S3 buckets have millions of objects. Recently, a security audit identified that neither S3 bucket has encryption at rest enabled. Company policy requires that all documents must be stored with encryption at rest. The company wants to implement server-side encryption with Amazon S3 managed encryption keys (SSE-S3). What is the MOST operationally efficient solution that meets these requirements?
Answer(s): A
A) Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location. This solution is the most operationally efficient. Turning on SSE-S3 as the buckets' default encryption ensures that every new object is encrypted, but it does nothing to objects that already exist. S3 Batch Operations fills that gap: a copy job driven by a manifest (or an S3 Inventory report) rewrites each existing object in place with SSE-S3, which is the only way to encrypt an object that was stored unencrypted. This avoids writing and operating custom copy scripts for millions of objects and involves no KMS keys to manage. One limit to plan for: a Batch Operations copy job handles objects up to 5 GB, so any larger objects must be re-copied separately with a multipart copy.
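The following is an added example, not code from the original page: it turns rows from an S3 Inventory report into a Batch Operations manifest containing only the objects that still need encryption and fit the copy job's 5 GB limit, and builds the CreateJob parameters for an in-place copy with SSE-S3. The inventory rows, bucket, account and role ARN are constructed for the example; the job dict follows the S3Control CreateJob CopyObject operation and is returned rather than submitted, so the script runs offline.

```python
"""Build an S3 Batch Operations manifest and copy job to encrypt existing objects in place.

Added example; not code from the original page. The inventory rows are
constructed in the shape of an S3 Inventory CSV with the Size and
EncryptionStatus fields enabled; bucket, account and role names are
hypothetical. build_copy_job returns the CreateJob parameters as a dict;
submit them with boto3.client("s3control").create_job(**job) after checking
them against the current API reference.
"""
import csv
import io
from urllib.parse import quote

BATCH_COPY_LIMIT = 5 * 1024 ** 3  # Batch Operations copy does not handle objects above 5 GB

# Constructed inventory rows: Bucket, Key, Size, EncryptionStatus.
INVENTORY_CSV = """\
docs-bu-a,reports/q1 summary.pdf,1048576,NOT-SSE
docs-bu-a,reports/q2.pdf,2048,SSE-S3
docs-bu-a,archive/huge-backup.tar,6442450944,NOT-SSE
docs-bu-a,contracts/acme&co.docx,4096,NOT-SSE
"""


def unencrypted_objects(inventory_csv, limit=BATCH_COPY_LIMIT):
    """Split NOT-SSE objects into (fit_for_batch, too_large); encrypted ones are skipped."""
    batch, too_large = [], []
    for bucket, key, size, enc in csv.reader(io.StringIO(inventory_csv)):
        if enc != "NOT-SSE":
            continue  # already SSE-S3, SSE-KMS or SSE-C: nothing to do
        (too_large if int(size) > limit else batch).append((bucket, key))
    return batch, too_large


def build_manifest(objects):
    """CSV manifest of Bucket,Key rows; Batch Operations requires URL-encoded keys."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for bucket, key in objects:
        writer.writerow([bucket, quote(key, safe="/")])
    return out.getvalue()


def build_copy_job(account_id, bucket, manifest_arn, manifest_etag, role_arn):
    """CreateJob parameters for an in-place copy that rewrites each object with SSE-S3."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "AccountId": account_id,
        "ConfirmationRequired": True,  # review the job in the console before it runs
        "Operation": {
            "S3PutObjectCopy": {
                "TargetResource": bucket_arn,        # same bucket: object is rewritten in place
                "MetadataDirective": "COPY",         # keep user metadata; only encryption changes
                "NewObjectMetadata": {"SSEAlgorithm": "AES256"},
            }
        },
        "Manifest": {
            "Spec": {"Format": "S3BatchOperations_CSV_20180820", "Fields": ["Bucket", "Key"]},
            "Location": {"ObjectArn": manifest_arn, "ETag": manifest_etag},
        },
        "Report": {
            "Enabled": True, "Bucket": bucket_arn, "Format": "Report_CSV_20180820",
            "Prefix": "batch-reports", "ReportScope": "FailedTasksOnly",
        },
        "Priority": 10,
        "RoleArn": role_arn,
    }


if __name__ == "__main__":
    fit, big = unencrypted_objects(INVENTORY_CSV)
    print(build_manifest(fit), end="")
    print("needs multipart copy instead:", big)
    job = build_copy_job("123456789012", "docs-bu-a",
                         "arn:aws:s3:::docs-bu-a/manifests/encrypt.csv", "etag-from-put",
                         "arn:aws:iam::123456789012:role/s3-batch-encrypt")
    print(job["Operation"])
```

Upload the manifest, pass its ETag to `build_copy_job`, and read the failure report before declaring the audit finding closed; the objects returned in `too_large` need a separate multipart copy. Because the copy produces new object versions that the two-way replication rules will replicate, run the job in one bucket first and confirm the replicas arrive encrypted before running it in the other.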
Post your Comments and Discuss Amazon SAP-C02 exam dumps with other Community members:
AWS Learner Commented on April 11, 2025 These sample questions for the SAP-C02 exam really helped me pass the exam on the first try. Anonymous
Mini monk Commented on March 09, 2025 Didn't test yet Anonymous
ry Commented on February 12, 2025 very helpful Anonymous
Vlad Commented on February 06, 2024 This is my 2nd time getting a test from you for AWS, and the first one worked out well; let's hope this one does too. UNITED STATES
Darnell Morris Commented on February 05, 2024 I'm looking forward to passing the AWS Solutions Architect Professional exam. My system crashed with my previous purchase and my subscription expired therefore I need to renew. UNITED STATES
Roberts Commented on October 24, 2023 I took the AWS SAP-C02 test and studied through this, as it has the latest mock tests available, which helped me evaluate my performance and got me 906/1000. Anonymous
Andrew Commented on August 23, 2023 very helpful Anonymous
Mukesh Commented on July 10, 2023 Good questions UNITED KINGDOM
Mukesh Commented on July 10, 2023 good questions UNITED KINGDOM
Willard Commented on March 18, 2023 This guide is a one-way ticket to Successville - Passed my exam and now I am the mayor! AUSTRALIA
Mora Commented on February 09, 2023 Free-Braindumps.com helped me ace my exam. The practice questions were spot on and the explanations were helpful. UNITED STATES