Amazon Web Services certkiller sap-c02 Exam Questions Tutorials by Ahad q84 vce pdf

Page: 13 / 50

Exam Name:	AWS Certified Solutions Architect - Professional
Exam Code:	SAP-C02 Dumps
Vendor:	Amazon Web Services	Certification:	AWS Certified Professional
Questions:	674 Q&A's	Shared By:	ahad

Question 52

A manufacturing company is building an inspection solution for its factory. The company has IPcameras at the end of each assembly line. The company has used Amazon SageMaker to train a machine learning (ML) model to identify common defects from still images.

The company wants to provide local feedback to factory workers when a defect is detected. The company must be able to provide this feedback even if the factory’s internet connectivity is down. The company has a local Linux server that hosts an API that provides local feedback to the workers.

How should the company deploy the ML model to meet these requirements?

Options:

Set up an Amazon Kinesis video stream from each IP camera to AWS. Use Amazon EC2 instances to take still images of the streams. Upload the images to an Amazon S3 bucket. Deploy a SageMaker endpoint with the ML model. Invoke an AWS Lambda function to call the inference endpoint when new images are uploaded. Configure the Lambda function to call the local API when a defect is detected.

Deploy AWS IoT Greengrass on the local server. Deploy the ML model to the Greengrass server. Create a Greengrass component to take still images from the cameras and run inference. Configure the component to call the local API when a defect is detected.

Order an AWS Snowball device. Deploy a SageMaker endpoint the ML model and an Amazon EC2 instance on the Snowball device. Take still images from the cameras. Run inference from the EC2 instance. Configure the instance to call the local API when a defect is detected.

Deploy Amazon Monitron devices on each IP camera. Deploy an Amazon Monitron Gateway on premises. Deploy the ML model to the Amazon Monitron devices. Use Amazon Monitron health state alarms to call the local API from an AWS Lambda function when a defect is detected.

Discussion

Question 53

A company has 10 accounts that are part of an organization in AWS Organizations AWS Config is configured in each account All accounts belong to either the Prod OU or the NonProd OU

The company has set up an Amazon EventBridge rule in each AWS account to notify an Amazon Simple Notification Service (Amazon SNS) topic when an Amazon EC2 security group inbound rule is created with 0.0.0.0/0 as the source The company ' s security team is subscribed to the SNS topic

For all accounts in the NonProd OU the security team needs to remove the ability to create a security group inbound rule that includes 0.0.0.0/0 as the source

Which solution will meet this requirement with the LEAST operational overhead?

Options:

Modify the EventBridge rule to invoke an AWS Lambda function to remove the security group inbound rule and to publish to the SNS topic Deploy the updated rule to the NonProd OU

Add the vpc-sg-open-only-to-authorized-ports AWS Config managed rule to the NonProd OU

Configure an SCP to allow the ec2 AulhonzeSecurityGrouplngress action when the value of the aws Sourcelp condition key is not 0.0.0.0/0 Apply the SCP to the NonProd OU

Configure an SCP to deny the ec2 AuthorizeSecurityGrouplngress action when the value of the aws Sourcelp condition key is 0.0.0.0/0 Apply the SCP to the NonProd OU

Discussion

Question 54

A company is changing the way that it handles patching of Amazon EC2 instances in its application account. The company currently patches instances over the internet by using a NAT gateway in a VPC in the application account. The company has EC2 instances set up as a patch source repository in a dedicated private VPC in a core account. The company wants to use AWS Systems Manager Patch Manager and the patch source repository in the core account to patch the EC2 instances in the application account. The company must prevent all EC2 instances in the application account from accessing the internet. The EC2 instances in the application account need to access Amazon S3, where the application data is stored. These EC2 instances need connectivity to Systems Manager and to the patch source repository in the private VPC in the core account. Which solution will meet these requirements?

Options:

Create a network ACL that blocks outbound traffic on port 80. Associate the network ACL with all subnets in the application account. In the application account and the core account, deploy one EC2 instance that runs a custom VPN server. Create a VPN tunnel to access the private VPC. Update the route table in the application account.

Create private VIFs for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route table in the core account.

Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.

Create a network ACL that blocks inbound traffic on port 80. Associate the network ACL with all subnets in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.

Discussion

Answer:

Explanation:

Option C is the correct and most efficient solution, aligning with AWS best practices for secure and private connectivity:

Create VPC Endpoints for Systems Manager and Amazon S3:

Systems Manager VPC Endpoints: By creating interface VPC endpoints for Systems Manager (com.amazonaws.region.ssm, com.amazonaws.region.ec2messages, and com.amazonaws.region.ssmmessages), the EC2 instances can communicate with Systems Manager services without requiring internet access. This setup ensures that patching operations can be conducted securely within the AWS network.

Amazon S3 VPC Endpoint: A gateway VPC endpoint for Amazon S3 (com.amazonaws.region.s3) allows EC2 instances to access S3 buckets privately. This is essential for accessing application data stored in S3 without traversing the public internet.

[Reference: docs.aws.amazon.com, Delete the NAT Gateway:, Removing the NAT gateway ensures that EC2 instances in the application account cannot access the internet, satisfying the requirement to prevent internet access. This action enhances the security posture by eliminating a potential vector for unauthorized outbound traffic., Create a VPC Peering Connection:, Establishing a VPC peering connection between the application account's VPC and the core account's private VPC enables direct, private communication between the EC2 instances in both accounts. This setup allows the application account's EC2 instances to access the patch source repository hosted in the core account securely., Reference: docs.aws.amazon.com, Update Route Tables in Both Accounts:, After setting up the VPC peering connection, it's crucial to update the route tables in both VPCs to allow traffic to flow between them. This configuration ensures that the EC2 instances in the application account can reach the patch source repository in the core account and vice versa., Why Other Options Are Incorrect:, Option A: Implementing a custom VPN solution introduces unnecessary complexity and operational overhead. Additionally, merely blocking outbound traffic on port 80 does not comprehensively prevent internet access, as other ports (e.g., 443 for HTTPS) remain open., Option B: Creating private virtual interfaces (VIFs) is typically associated with AWS Direct Connect, which is not applicable in this scenario. Moreover, using a transit gateway, while feasible, is more complex and may be unnecessary for this use case., Option D: Blocking inbound traffic on port 80 does not prevent outbound internet access. Furthermore, employing a transit gateway adds complexity and cost, which may not be justified given the requirements., Conclusion:, Option C provides a secure, efficient, and cost-effective solution that meets all the specified requirements:, Prevents EC2 instances from accessing the internet., Enables access to Amazon S3 and Systems Manager services via VPC endpoints., Facilitates secure communication with the patch source repository in the core account through VPC peering., This approach leverages AWS's native networking features to maintain a secure and private environment for patch management operations., , , ]

Question 55

A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company’s marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Instruct each business unit to add a unique secondary CIDR range to the business unit ' s VPC. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.

Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account ' s VPC. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit ' s VPC. Perform NAT where necessary.

Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.

Create a Network Load Balancer (NLB) in front of the marketing application in a private subnet. Create an API Gateway API. Use the Amazon API Gateway private integration to connect the API to the NLB. Activate IAM authorization for the API. Grant access to the accounts of the other business units.

Discussion

Fatima

Hey I passed my exam. The world needs to know about it. I have never seen real exam questions on any other exam preparation resource like I saw on Cramkey Dumps.

Niamh May 4, 2026

That's true. Cramkey Dumps are simply the best when it comes to preparing for the certification exam. They have all the key information you need and the questions are very similar to what you'll see on the actual exam.

Lennox

Something Special that they provide a comprehensive overview of the exam content. They cover all the important topics and concepts, so you can be confident that you are well-prepared for the test.

Aiza May 16, 2026

That makes sense. What makes Cramkey Dumps different from other study materials?

Ayra

How these dumps are necessary for passing the certification exam?

Damian May 8, 2026

They give you a competitive edge and help you prepare better.

Cecilia

Yes, I passed my certification exam using Cramkey Dumps.

Helena May 28, 2026

Great. Yes they are really effective

Ayesha

They are study materials that are designed to help students prepare for exams and certification tests. They are basically a collection of questions and answers that are likely to appear on the test.

Ayden May 7, 2026

That sounds interesting. Why are they useful? Planning this week, hopefully help me. Can you give me PDF if you have ?

Page: 13 / 50

Title

Questions

Posted

amazon web services.examstopics.aws certified professional sap-c02 reddit questions.by omari.q421.vce.pdf

421

2026-05-15

amazon web services.crack4sure.sap-c02 actual questions.by keegan.q42.vce.pdf

2026-06-01

amazon web services.pass4success.newly released sap-c02 exam pdf.by bernard.q295.vce.pdf