Amazon Web Services Updated SAP-C02 Exam Questions and Answers by gwen

The CAPABILITY_NAMED_IAM capability is required when creating or updating CloudFormation stacks that contain IAM resources with custom names. This capability acknowledges that the template mightcreate IAM resources that have broad permissions or affect other resources in the AWS account. The stack set’s template contains an IAM role that has a custom name, so this capability is needed. Enabling the new Regions in all relevant accounts is also necessary to deploy the stack set across multiple Regions and accounts.

Option B is incorrect because the Service Quotas console is used to view and manage the quotas for AWS services, not for CloudFormation stacks. The number of stacks per Region per account is not a service quota that can be increased.

Option C is incorrect because the SELF_MANAGED permissions model is used when the administrator wants to retain full permissions to manage stack sets and stack instances. This model does not affect the creation of the stack set or the requirement for the CAPABILITY_NAMED_IAM capability.

Option D is incorrect because an administration role ARN is optional when creating a stack set. It is used to specify a role that CloudFormation assumes to create stack instances in the target accounts. It does not affect the creation of the stack set or the requirement for the CAPABILITY_NAMED_IAM capability.

1: AWS CloudFormation stack sets

2: Acknowledging IAM resources in AWS CloudFormation templates

3: AWS CloudFormation stack set permissions

A is correct because:

App2Containersupports packaging .NET Framework apps into containers without porting to .NET Core.

ECS with EC2gives full control over the OS and patching.

ALBhandles microservice-level load balancing.

RDS for SQL Serverwith Multi-AZ ensures high availability.

Options B, C, and D involve Aurora MySQL (incompatible with SQL Server features) orrequire .NET Core, which involves more significant application changes.

AWS Elastic Disaster Recovery (AWS DRS) is a service that minimizes downtime and data loss with fast, reliable recovery of on-premises and cloud-based applications using affordable storage, minimal compute, and point-in-time recovery1. Users can set up AWS DRS on their source servers to initiate secure data replication to a staging area subnet in their AWS account, in the AWS Region they select. Users can then launch recovery instances on AWS within minutes, using the most up-to-date server state or a previous point in time.

To configure a cloud backup of the application with AWS DRS, users need to create a VPC that has at least two public subnets, a virtual private gateway, and an internet gateway. AVPC is a logically isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that they define2. A public subnet is a subnet that has a route to an internet gateway3. A virtualprivate gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection4. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the internet. Users need to create at least two public subnets for redundancy and high availability. Users need to create a virtual private gateway and attach it to the VPC to enable VPN connectivity between the on-premises network and the target AWS network. Users need to create an internet gateway and attach it to the VPC to enable internet access for the replication servers.

To ensure that replication traffic does not travel through the public internet, users need to create an AWS Direct Connect connection and a Direct Connect gateway between the on-premises network and the target AWS network. AWS Direct Connect is a service that establishes a dedicated network connection from an on-premises network to one or more VPCs. A Direct Connect gateway is a globally available resource that allows users to connect multiple VPCs across different Regions to their on-premises networks using one or more Direct Connect connections. Users need to create an AWS Direct Connect connection between their on-premises network and an AWS Region. Users need to create a Direct Connect gateway and associate it with their VPC and their Direct Connect connection.

To ensure that the application is not accessible from the internet, users need to select the option to use private IP addresses for data replication during configuration of the replication servers. This option configures the replication servers with private IP addresses only, without assigning any public IP addresses or Elastic IP addresses. This way, the replication servers can only communicate with other resources within the VPC or through VPN connections.

Option A is incorrect because creating a VPC that has at least two private subnets, two NAT gateways, and a virtual private gateway is not necessary or cost-effective. A private subnet is a subnet that does not have a route to an internet gateway3. A NAT gateway is a highly available, managed Network Address Translation (NAT) service that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances. Users do not need to createprivate subnets or NAT gateways for this use case, as they can use public subnets with private IP addresses for data replication.

Option C is incorrect because creating an AWS Site-to-Site VPN connection between the on-premises network and the target AWS network will not ensure that replication traffic does not travel through the public internet. A Site-to-Site VPN connection consists of two VPN tunnels between an on-premises customer gateway device and a virtual private gateway in your VPC4. The VPN tunnels are encrypted using IPSec protocols, but they still use public IP addresses for communication. Users need to use AWS Direct Connect instead of Site-to-Site VPN for this use case.

Option F is incorrect because selecting the option to ensure that the Recovery instance’s private IP address matches the source server’s private IP address during configuration of the launch settings for the target servers will not ensure that the application is not accessible from the internet. This option configures the Recovery instance with an identical private IP address as its source server when launched in drills or recovery mode. However, this option does not prevent assigning public IP addresses or Elastic IP addresses to the Recovery instance. Users need to select the option to use private IP addresses for data replication instead.

The company wants backups to be stored in an isolated central account designed for WORM storage. With AWS Organizations, AWS Backup supports centralized, cross-account backup management through delegated administration, backup policies, and cross-account backup vault usage. This provides the least operational overhead and scales to dozens of databases.

A key constraint is encryption. The databases are encrypted with the default RDS AWS KMS key. AWS-managed KMS keys (including the default RDS KMS key) are not customer-managed and generally cannot be shared across accounts for cross-account snapshot copy and cross-account backup workflows that require key sharing and explicit grants. For cross-account backup copies, the source backups must be encrypted with a customer managed KMS key that can be shared (via key policy and grants) with the destination account. Therefore, the company must move away from using the default RDS AWS-managed key for encryption of snapshots that will be copied across accounts.

Option A uses the correct managed approach: enable trusted access and backup policies in Organizations, make the central account the delegated administrator, and use AWS Backup to manage cross-account backups into a central backup vault. It also correctly introduces a customer managed KMS key in the central account for the backup vault and shares that key with the production account. Because the existing databases are encrypted with the default RDS AWS-managed key, option A includes the necessary remediation step: restore (or otherwise recreate) the databases so they are encrypted with the shared customer managed KMS key, enabling future backups and copies to be encrypted with a shareable key and stored in the central vault.

Option B is not workable because it requires “sharing the default RDS KMS key” with another account and using it for the central vault. AWS-managed keys are not shared and are not controlled by customers in a way that supports this cross-account backup model. Therefore, this option fails the encryption requirement.

Option C and option D rely on decrypting snapshots, copying them as unencrypted, and then re-encrypting. This is not a valid or safe operational pattern for RDS automated backups at scale, and it conflicts with typical constraints around snapshot encryption transitions. It also introduces substantial custom automation and operational overhead, and it undermines the objective of a controlled WORM backup account by manipulating encryption state through custom code. Additionally, “decrypting snapshots” is not how encrypted RDS snapshots are typically handled; encrypted snapshots remain encrypted and are copied re-encrypted with a different KMS key that the destination can use, which requires a customer managed key and proper permissions.

Therefore, the successful and scalable solution is to centralize backups with AWS Backup and ensure the databases are encrypted with a customer managed KMS key that can be shared cross-account, as described in option A.