Amazon Web Services Updated SAP-C02 Exam Questions and Answers by omari

This solution uses a combination of AWS Resource Access Manager (RAM) and automated backups to migrate the Lambda functions and the Aurora database to theTarget account while minimizing downtime. In this solution, the Lambda function deployment package is downloaded from the Source account and used to create new Lambda functions in the Target account. The Aurora DB cluster is shared with the Target account using AWS RAM and the Target account is granted permission to clone the Aurora DB cluster, allowing for a new copy of the Aurora database to be created in the Target account. This approach allows for the data to be migrated to the Target account while minimizing downtime, as the Target account can use the cloned Aurora database while the original Aurora database continues to be used in the Source account.

The company wants a centralized enforcement mechanism across hundreds of AWS accounts. The control must ensure that any S3 access points that product teams create are VPC-only and cannot be internet-accessible. The most operationally efficient solution is one that applies across the organization without requiring per-account deployments, per-bucket policies, or per-access-point configuration.

Service control policies (SCPs) in AWS Organizations are designed to provide centralized guardrails that define the maximum available permissions for accounts in an organization. By attaching an SCP at the organization root (or to OUs as needed), the company can enforce that no principal in any account can create an S3 access point unless the request specifies a VPC network origin. This aligns directly with the requirement to enforce “VPC-only” access points consistently across all accounts with minimal ongoing operational work.

Option B uses an SCP at the root to deny s3:CreateAccessPoint unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC. This is the correct organization-wide preventive control.

Option A is not correct because an S3 access point resource policy is attached to an access point after it exists and is primarily used to control access to the access point. It is not a reliable organization-wide preventive mechanism to enforce how access points are created across hundreds of accounts. Also, it requires access point-by-access point management, which increases operational overhead.

Option C is less operationally efficient because StackSets deployment across hundreds of accounts introduces additional operational steps and drift management. It also relies on account-level IAM permissions being properly used and does not provide a simple, centralized “cannot be bypassed” guardrail in the same way that an SCP does.

Option D is incorrect because S3 bucket policies control access to bucket resources and objects. They do not function as an organization-wide control to prevent creation of access points across accounts, and they would require bucket-by-bucket management rather than a centralized enforcement mechanism.

Therefore, a root-level SCP that denies access point creation unless the access point network origin is VPC is the most operationally efficient enforcement approach.

The best migration strategy to meet the requirement of minimizing database service interruption before the DNS cutover is to use AWS DMS to migrate data between the two Aurora DB clusters. AWS DMS can perform continuous replication of data with high availability and consolidate databases into a petabyte-scale data warehouse by streaming data to Amazon Redshift and Amazon S31. AWS DMS supports homogeneous migrations such as migrating from one Aurora MySQL DB cluster to another, as well as heterogeneous migrations between different database platforms2. AWS DMS also supports cross-account migrations, as long as the source and target databases are in the same AWS Region3.

The other options are not optimal for the following reasons:

Option A: Taking a snapshot of the existing Aurora database and restoring it in the new account would require a downtime during the snapshot and restore process, which could be significant for large databases. Moreover, any changes made to the source database after the snapshot would not be replicated to the target database, resulting in data inconsistency4.

Option C: Using AWS Backup to share an Aurora database backup from the existing AWS account to the new AWS account would have the same drawbacks as option A, as AWS Backup uses snapshots to create backups of Aurora databases.

Option D: Using AWS Application Migration Service to migrate data between the two Aurora DB clusters is not a valid option, as AWS Application Migration Service is designed to migrate applications, not databases, to AWS. AWS Application Migration Service can migrate applications from on-premises or other cloud environments to AWS, using agentless or agent-based methods.

B is correct because it implements a fully serverless ingestion-and-streaming design that decouples request intake from processing and delivers real-time updates to clients over WebSockets. The HTTP API provides a serverless front door for REST requests. Sending requests to Amazon SQS buffers bursts and smooths spikes, preventing the backend from being overwhelmed as traffic grows. The SQS → Lambda pattern provides scalable, asynchronous processing. For the “stream data to clients through WebSockets” requirement, AWS AppSync Events (real-time publish/subscribe) allows clients to subscribe over persistent WebSocket connections and receive pushed updates with minimal latency, while producers (the Lambda function) publish events to channels that subscribers receive.

Why the other options are incorrect:

A: AWS Step Functions is an orchestration service for workflows. It does not provide a native mechanism to “set clients as targets” and push data back to arbitrary REST clients over WebSockets.

C: Amazon EventBridge rules can target AWS services (Lambda, SQS, SNS, etc.), but clients are not valid EventBridge targets for direct WebSocket streaming. This does not solve “stream to clients through WebSockets.”

D: CloudFront Functions are for lightweight request/response manipulation at the edge and cannot act as an origin or run complex business logic. Also, writing to an MQTT topic from a CloudFront Function is not a supported pattern. While AWS IoT Core can support MQTT over WebSockets for clients, the proposed CloudFront Function integration is not valid.