Amazon Web Services Updated SAP-C02 Exam Questions and Answers by lowen

The correct answer is B. The requirement is resource-side protection for all current and future private Amazon ECR repositories across the organization. AWS Organizations resource control policies are designed to centrally restrict permissions on resources in member accounts and are appropriate when external principals must be prevented from accessing organization-owned resources. AWS documentation lists Amazon Elastic Container Registry as a supported service for RCPs. A condition such as aws:PrincipalOrgID enforces that only principals from the same AWS Organization can access the resources. SCPs restrict principals in accounts, not resource exposure to external principals. Modifying IAM policies in hundreds of accounts is operationally poor and does not protect future repository policies consistently. AWS RAM is not the right control plane for private ECR repository access. (AWS Documentation)

===============

The company’s goal is to modernize the application while minimizing operational overhead. The current architecture relies heavily on self-managed EC2 instances for web serving, APIs, search, and relational data storage. This increases operational burden related to patching, scaling, availability, and troubleshooting.

Option B replaces self-managed components with fully managed AWS services that are purpose-built for each workload type. Hosting the static web application on Amazon S3 with Amazon CloudFront removes the need to manage web servers such as NGINX and provides global content delivery with built-in scalability and high availability. Migrating the search data to Amazon OpenSearch Service eliminates the need to manage an EC2-based OpenSearch node, providing a managed search service with built-in scaling, patching, and monitoring. Migrating PostgreSQL to Amazon Aurora PostgreSQL removes the operational overhead of managing database instances on EC2 and provides managed backups, high availability, and performance optimizations. Running APIs on AWS App Runner further reduces operational effort by abstracting infrastructure management, scaling, and deployment, allowing the team to focus on application code.

Option A still requires running and operating containerized databases and search engines, which is not recommended and does not significantly reduce operational overhead compared to EC2-based deployments. Databases and OpenSearch are better consumed as managed services rather than as containers.

Option C introduces Amazon EKS, which adds significant operational complexity. Even with managed node groups, Kubernetes requires cluster management, networking configuration, upgrades, and ongoing operational expertise. This contradicts the requirement for the least operational overhead.

Option D attempts to run databases and OpenSearch on AWS App Runner. App Runner is designed for stateless web services and APIs, not for stateful services such as databases or search engines. This architecture is not aligned with AWS best practices and would introduce reliability and operational challenges.

Therefore, using managed services such as Amazon CloudFront, Amazon S3, Amazon OpenSearch Service, Amazon Aurora PostgreSQL, and AWS App Runner provides the most modern architecture with the least operational overhead.

CloudFormation cannot delete an S3 bucket that contains objects. When the developers attempt to delete temporary stacks, the delete operation fails if the associated S3 bucket still has objects. Because the bucket name is derived from the stack name, failed deletions can also prevent re-creation of stacks with the same names until the bucket is manually emptied and deleted. This causes friction for development and continuous integration workflows.

To resolve this, the solution must ensure that, during stack deletion, all objects are removed from the S3 bucket so that CloudFormation can delete the bucket successfully. CloudFormation does not natively support automatic deletion of bucket contents. However, CloudFormation custom resources can be used to perform custom actions during stack lifecycle events.

Option A proposes associating a Lambda function with a CloudFormation custom resource. The custom resource can be invoked during stack deletion to list and delete all objects (and object versions if versioning is enabled) in the specified bucket. Once the bucket is emptied by the Lambda function, the standard CloudFormation deletion process can successfully delete the bucket resource.

In addition to emptying the bucket, the IAM role used by CloudFormation must have permissions to delete objects in the bucket. If CloudFormation uses an execution role that lacks s3:DeleteObject (and potentially s3:ListBucket) permissions, the bucket-cleanup Lambda function or CloudFormation itself would not be able to remove objects. Option D ensures that CloudFormation operations are invoked by a role that has s3:DeleteObject permissions on bucket objects, enabling the custom resource to perform the deletions.

Option B is incorrect because, although DeletionPolicy can be set to Delete, there is no such capability as CAPABILITY_DELETE_NONEMPTY in CloudFormation, and DeletionPolicy alone does not override the S3 service requirement that buckets must be empty before deletion.

Option C’s Retain DeletionPolicy leaves the bucket behind when the stack is deleted. While an external AWS Config rule could clean up stale buckets, it complicates the design and does not directly solve the problem of re-creating stacks with the same bucket name in a predictable, immediate way.

Option E configures a bucket policy to grant s3:DeleteObject permissions, but this is not sufficient alone. CloudFormation still must assume a role with the appropriate permissions. Bucket policy and IAM role permissions must both be considered, but the key action to resolve the deletion failure is to explicitly empty the bucket through a custom resource, as in option A, and ensure the execution role has delete permissions, as in option D.

Therefore, implementing a Lambda-backed custom resource to empty the S3 bucket during stack deletion (option A) and ensuring the CloudFormation execution role has s3:DeleteObject permissions (option D) resolves the deletion errors and allows developers to delete and recreate stacks freely.

Mountpoint for Amazon S3allows EC2 instances to directly access files in S3 as aPOSIX-compliant mount point, ensuring they always get the latest data without copying or syncing.

It’s simple and cost-effective for read-heavy patterns.

Mountpoint for Amazon S3