Amazon Web Services Updated SAP-C02 Exam Questions and Answers by lando

This option uses AWS DataSync to replicate the on-premises images to the EFS file system over the Direct Connect connection. AWS DataSync is a service that automates and accelerates data transfer between on-premises storage systems and AWS storage services. It can transfer data to and from Amazon EFS, Amazon FSx for Windows File Server, and Amazon S3. To use AWS DataSync, the company needs to deploy an AWS DataSync agent to an on-premises server that has access to the NFS file system. The agent connects to the AWS DataSync service endpoint in the AWS Region where the EFS file system is located. The company can use an AWS PrivateLink interface endpoint to connect to the service endpoint securely and privately over the Direct Connect connection. The company can then create a task in AWS DataSync that specifies the source location (the NFS file system), the destination location (the EFS file system), and the options for the data transfer (such as schedule, bandwidth limit, and verification). AWS DataSync will then perform the data transfer efficiently and securely, using encryption in transit and at rest.

B is correct because it implements a fully serverless ingestion-and-streaming design that decouples request intake from processing and delivers real-time updates to clients over WebSockets. The HTTP API provides a serverless front door for REST requests. Sending requests to Amazon SQS buffers bursts and smooths spikes, preventing the backend from being overwhelmed as traffic grows. The SQS → Lambda pattern provides scalable, asynchronous processing. For the “stream data to clients through WebSockets” requirement, AWS AppSync Events (real-time publish/subscribe) allows clients to subscribe over persistent WebSocket connections and receive pushed updates with minimal latency, while producers (the Lambda function) publish events to channels that subscribers receive.

Why the other options are incorrect:

A: AWS Step Functions is an orchestration service for workflows. It does not provide a native mechanism to “set clients as targets” and push data back to arbitrary REST clients over WebSockets.

C: Amazon EventBridge rules can target AWS services (Lambda, SQS, SNS, etc.), but clients are not valid EventBridge targets for direct WebSocket streaming. This does not solve “stream to clients through WebSockets.”

D: CloudFront Functions are for lightweight request/response manipulation at the edge and cannot act as an origin or run complex business logic. Also, writing to an MQTT topic from a CloudFront Function is not a supported pattern. While AWS IoT Core can support MQTT over WebSockets for clients, the proposed CloudFront Function integration is not valid.

The data scientists’ EC2 instances in a separate account must access S3 data in a controlled way that satisfies the policy: only authorized networks may access the IoT data. “Authorized networks” in this context means traffic must originate from approved VPCs and must not traverse the public internet.

First, traffic from the EC2 instances to S3 must stay on the AWS network without using public endpoints. A gateway VPC endpoint for S3 in the data scientists’ VPC (option A) allows EC2 instances in that VPC to reach S3 over private connectivity. When using a gateway VPC endpoint, the route tables of the subnets associated with the endpoint automatically route S3 traffic through the endpoint. This ensures that access to S3 is from an authorized network (the VPC) instead of from the public internet.

Second, access must be constrained such that only calls made through the intended S3 access mechanism are allowed. The data lake bucket already has an S3 access point. S3 access points can be restricted by policy and can be referenced in bucket policies through the s3:DataAccessPointArn condition key. By using an S3 bucket policy that allows s3:GetObject only when s3:DataAccessPointArn matches the expected access point ARN (option E), the company can enforce that all valid access uses the approved access point configuration. Combined with the access point’s own network configuration and the VPC endpoint, access is limited to authorized networks.

Option B, blocking public access on the access point, is a good general security practice but does not by itself guarantee that access is restricted to authorized VPC networks. The main enforcement must be through VPC endpoints and bucket/access point policies.

Option C denies s3:GetObject when s3:DataAccessPointArn is a valid access point ARN, which is the opposite of what is required. This would prevent intended access via the access point rather than allow it.

Option D is not correct because gateway VPC endpoints for S3 are configured via endpoint associations with route tables, not by directly routing to an access point in the route table. Traffic to S3 is routed to the VPC endpoint, and the endpoint plus S3 policies determine access.

Therefore, creating a gateway VPC endpoint for S3 in the data scientists’ VPC (option A) and using a bucket policy condition on s3:DataAccessPointArn to allow access only through the authorized access point (option E) together meet the requirement of secure, network-restricted access from authorized networks.