AWS Certified Solutions Architect - Professional Online Practice
Last updated: 2026-06-04
You can use the online practice questions to gauge how well you know the Amazon SAP-C02 exam material and then decide whether to register for the exam.
To pass the exam with 100% success and save 35% of your preparation time, choose the SAP-C02 dumps (latest real exam questions), which currently contain 318 of the latest exam questions and answers.
Answer:
Explanation:
The company should deploy a new Amazon Elastic File System (Amazon EFS) Multi-AZ file system, configure it for 75 MiBps of provisioned throughput, and implement replication to a file system in the DR Region. This solution meets the requirements because Amazon EFS is a serverless, fully elastic file storage service that lets you share file data without provisioning or managing storage capacity and performance. Amazon EFS is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files [1]. By deploying a new Amazon EFS Multi-AZ file system, the company creates a single location for updates to application data for all instances. A Multi-AZ file system replicates data across multiple Availability Zones (AZs) within a Region, providing high availability and durability [2]. By configuring the file system for 75 MiBps of provisioned throughput, the company can meet the peak operations requirement of 225 MiBps of read throughput. Provisioned throughput is a feature that lets you specify a level of throughput that the file system can drive, independent of the file system's size or burst credit balance [3]. By implementing replication to a file system in the DR Region, the company makes a copy of the data available in another AWS Region for disaster recovery. Replication is a feature that lets you replicate data from one EFS file system to another EFS file system across AWS Regions; the replication process has an RPO of less than 1 hour.
The other options are not correct because:
Deploying a new Amazon FSx for Lustre file system would not provide a single location for updates to application data for all instances. Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance storage for compute workloads. However, it does not support concurrent write access from multiple instances. Using AWS Backup to back up the file system to the DR Region would not provide real-time replication of data. AWS Backup is a service that enables you to centralize and automate data protection across AWS services. However, it does not support continuous data replication or cross-Region disaster recovery.
Deploying a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume with 225 MiBps of throughput would not provide a single location for updates to application data for all instances. Amazon EBS is a service that provides persistent block storage volumes for use with Amazon EC2 instances. However, it does not support concurrent access from multiple instances, unless Multi-Attach is enabled. Enabling Multi-Attach for the EBS volume would not provide Multi-AZ resilience or cross-Region replication. Multi-Attach is a feature that enables you to attach an EBS volume to multiple EC2 instances within the same Availability Zone. Using AWS Elastic Disaster Recovery to replicate the EBS volume to the DR Region would not provide real-time replication of data. AWS Elastic Disaster Recovery (AWS DRS) is a service that enables you to orchestrate and automate disaster recovery workflows across AWS Regions. However, it does not support continuous data replication or sub-hour RPOs.
Deploying an Amazon FSx for OpenZFS file system in both the production Region and the DR Region would not be as simple or cost-effective as using Amazon EFS. Amazon FSx for OpenZFS is a fully managed service that provides high-performance storage with strong data consistency and advanced data management features for Linux workloads. However, it requires more configuration and management than Amazon EFS, which is serverless and fully elastic. Creating an AWS DataSync scheduled task to replicate the data from the production file system to the DR file system every 10 minutes would not provide real-time replication of data. AWS DataSync is a service that enables you to transfer data between on-premises storage and AWS services, or between AWS services. However, it does not support continuous data replication or sub-minute RPOs.
Reference:
https://aws.amazon.com/efs/
https://docs.aws.amazon.com/efs/latest/ug/how-it-works.html#how-it-works-azs
https://docs.aws.amazon.com/efs/latest/ug/performance.html#provisioned-throughput
https://docs.aws.amazon.com/efs/latest/ug/replication.html
https://aws.amazon.com/fsx/lustre/
https://aws.amazon.com/backup/
https://aws.amazon.com/ebs/
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-volumes-multi.html
Answer:
Explanation:
This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.
The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement.
The solution must:
Support automated transfer of raw and processed data.
Offer multiprotocol support.
Be directly usable from the EKS cluster as a mounted volume.
Minimize operational effort by using managed services where possible.
AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.
Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.
In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.
Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.
Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.
Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.
Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.
Reference: AWS documentation on AWS DataSync for automated, scheduled data transfers between on-premises storage, FSx file systems, and Amazon S3. AWS documentation on Amazon FSx for NetApp ONTAP including its multiprotocol support (NFS and SMB) and integration with Kubernetes and Amazon EKS.
Answer:
Explanation:
The best solution is to modify the Kinesis Data Firehose configuration and Athena table definition to partition the data by date and time. This will reduce the amount of data scanned by Athena and improve the query performance. Changing the Athena query to view the relevant partitions will also help to filter out unnecessary data. This solution requires minimal operational overhead as it does not involve creating additional resources or changing the log format.
Reference: [AWS WAF Developer Guide], [Amazon Kinesis Data Firehose User Guide], [Amazon Athena User Guide]
Answer:
Explanation:
The company does not have a data inventory and needs to identify which S3 buckets contain sensitive data. The appropriate AWS managed service for discovering and classifying sensitive data in S3 is Amazon Macie. Macie is designed to discover, classify, and report on sensitive data such as PII in S3 buckets. Amazon Inspector is primarily focused on vulnerability management for compute and container resources and does not provide S3 sensitive data classification in the way Macie does.
After identifying sensitive data locations, the company needs to ensure sensitive data is encrypted with a key that only administrators can access. SSE-S3 uses S3-managed keys and does not provide fine-grained administrative control of key usage in the same way as SSE-KMS with a customer managed key. Using AWS KMS customer managed keys allows the company to control access through key policies and IAM policies so that only designated administrator principals can use or manage the key.
The requirement also implies existing objects already encrypted with SSE-S3 need to be re-encrypted with SSE-KMS for sensitive objects. Changing default encryption only affects new objects. Existing objects must be rewritten (copied over themselves or copied to a new location) using SSE-KMS with the customer managed key. An orchestrated workflow is a common approach to iterate over identified objects and perform copy operations with the desired encryption settings.
Option C uses Macie for discovery, creates a KMS customer managed key restricted to administrators, sets bucket default encryption to SSE-KMS for future objects, and uses a Step Functions workflow to re-encrypt existing sensitive objects. This meets both the discovery requirement and the encryption/control requirement.
Option A is incorrect because Inspector is not the right service to inventory sensitive data in S3. Although the use of a customer managed KMS key and bucket policy enforcement is directionally correct for controlling encryption on writes, the first step (sensitive data discovery) is wrong.
Option B is incorrect because AWS managed keys cannot have their key policies modified by customers in the way customer managed keys can. Also, Inspector is not the right tool for sensitive data discovery in S3.
Option D is incorrect for a similar reason: it correctly relies on Macie for discovery but then attempts to modify an AWS managed key policy, which is not the correct method for restricting access. To restrict access, the company should use a KMS customer managed key with an appropriate key policy.
Therefore, using Amazon Macie plus an AWS KMS customer managed key and a workflow to re-encrypt existing sensitive objects is the correct solution.
Reference: AWS documentation on Amazon Macie for discovering and classifying sensitive data in Amazon S3. AWS documentation on SSE-KMS with AWS KMS customer managed keys for encryption control and administrative access restrictions. AWS documentation and best practices describing that changing S3 default encryption affects new objects and that existing objects must be rewritten to change encryption settings.
Answer:
Answer:
Explanation:
To connect out from the private subnet you need a NAT gateway. Since only one Elastic IP is whitelisted on the firewall, there is one NAT gateway at a time; if an AZ failure occurs, a Lambda function creates a new NAT gateway in a different AZ using the same Elastic IP. Don't be tempted to select D, since the application that needs to connect is on a private subnet whose outbound connections use the NAT gateway's Elastic IP.
Answer:
Explanation:
D is required because the only reliable way to ensure newly launched Auto Scaling instances are patched is to make the launch template reference an AMI that already includes the latest security updates (an immutable image approach). AWS Systems Manager can automate building and maintaining patched AMIs (for example, through automated image creation workflows), after which the launch template is updated to the new AMI and the fleet is updated using Instance Refresh. Instance Refresh performs a controlled rolling replacement of instances so that the Auto Scaling group converges to the new AMI baseline.
C complements D by ensuring safe replacement and availability during the refresh/replacement process. Placing an ALB in front of the Auto Scaling group with health checks ensures that only healthy, fully bootstrapped/patched instances receive traffic, and that traffic is drained away from instances being replaced. Monitoring target health confirms the rollout is successful and minimizes risk during patch-driven reboots or instance replacement.
Why the other options are incorrect:
A: A termination policy setting does not ensure new instances are patched. It only affects which instances are terminated first. It does not solve the “launch patched instances” requirement.
B: Running two Auto Scaling groups and continuing in-place patching increases operational overhead and still risks drift and unpatched capacity when scaling occurs outside the maintenance window. It also does not address the core issue: the launch template AMI baseline.
E: NLB + termination protection does not ensure instances are patched at launch. Termination protection can interfere with Auto Scaling’s ability to replace instances, and NLB does not inherently provide the same application-layer health check behavior and deployment safety patterns typically used for rolling replacements (compared to ALB target group health checks).
Reference: AWS Systems Manager Documentation: patching and automation capabilities; creating/maintaining updated images for fleets
Amazon EC2 Auto Scaling Documentation: launch templates, Instance Refresh, and rolling replacement of instances to a new AMI
Elastic Load Balancing Documentation (Application Load Balancer): target groups, health checks, and safe traffic shifting during instance replacement
AWS Well-Architected Framework (Operational Excellence / Reliability): immutable infrastructure patterns, automated fleet updates, and minimizing configuration drift
Answer:
Explanation:
https://docs.aws.amazon.com/appsync/latest/devguide/graphql-overview.html
AWS AppSync is a fully managed GraphQL service that allows applications to securely access, manipulate, and receive data as well as real-time updates from multiple data sources. AWS AppSync supports GraphQL subscriptions to perform real-time operations and can push data to clients that choose to listen to specific events from the backend. AWS AppSync uses WebSockets to establish and maintain a secure connection between the clients and the API endpoint. Therefore, using AWS AppSync and leveraging WebSockets is a suitable design to reduce comment latency and improve user experience.
Answer:
Explanation:
The company should use Amazon Aurora global database and Amazon DynamoDB global table to deploy the data tier components across two Regions. Amazon Aurora global database is a feature that allows a single Aurora database to span multiple AWS Regions, enabling low-latency global reads and fast recovery from Region-wide outages [1]. Amazon DynamoDB global table is a feature that allows a single DynamoDB table to span multiple AWS Regions, enabling low-latency global reads and writes and fast recovery from Region-wide outages [2].
Reference:
https://aws.amazon.com/rds/aurora/global-database/
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables_HowItWorks.html
https://aws.amazon.com/route53/application-recovery-controller/
Answer:
Answer:
Explanation:
Amazon ECS on Fargate is ideal for event-driven, long-running jobs with minimal management.
Combine S3 event notifications with EventBridge rules to trigger a Fargate task per upload.
Using Fargate with EventBridge
Answer:
Explanation:
https://aws.amazon.com/about-aws/whats-new/2020/11/announcing-amazon-mq-rabbitmq/
Answer:
Explanation:
The best solution is to create a tag policy that contains the allowed project tag values in the organization's management account and create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. A tag policy is a type of policy that can help standardize tags across resources in the organization's accounts. A tag policy can specify the allowed tag keys, values, and case treatment for compliance. A service control policy (SCP) is a type of policy that can restrict the actions that users and roles can perform in the organization's accounts. An SCP can deny access to specific API operations unless certain conditions are met, such as the request carrying a specific tag. By creating a tag policy in the management account and attaching it to each OU, the organization can enforce consistent tagging across all accounts. By creating an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added, the organization can prevent users from creating new resources without proper tagging. This solution meets the requirements with the least effort, as it does not involve creating additional resources or modifying existing ones.
Reference: Tag policies - AWS Organizations, Service control policies - AWS Organizations, AWS CloudFormation User Guide
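The SCP described above, written out as a policy document (an added example, not taken from this page or from AWS documentation). The first statement uses the Null condition operator on the aws:RequestTag/project key, so a CreateStack request that carries no project tag is denied; the second statement additionally rejects values outside an allowed set, where alpha and beta are constructed placeholders standing in for the values the tag policy standardizes.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCreateStackWithoutProjectTag",
      "Effect": "Deny",
      "Action": "cloudformation:CreateStack",
      "Resource": "*",
      "Condition": {
        "Null": {
          "aws:RequestTag/project": "true"
        }
      }
    },
    {
      "Sid": "DenyCreateStackWithUnknownProjectValue",
      "Effect": "Deny",
      "Action": "cloudformation:CreateStack",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/project": ["alpha", "beta"]
        }
      }
    }
  ]
}
```

Attach the SCP to the same OUs as the tag policy; an SCP only limits what member-account principals may do, so the tag policy remains the place where the allowed values and key casing are defined.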
Answer:
Explanation:
A: To run on Graviton, containers must support ARM64.
C: Graviton-based EC2 instances offer significant cost savings and better price-performance.
E: Once migrated, a Savings Plan for the new instance family ensures additional cost optimization. B is a nonsensical option.
D and F continue with x86, which is more expensive.
Reference: AWS Graviton Instances
Answer:
Explanation:
C is correct because it converts the single-Availability-Zone, single-EC2-instance ECS design into a managed, multi-AZ, self-healing architecture with minimal day-to-day operations. The current design has multiple single points of failure: one EC2 instance for ECS capacity and one Availability Zone for all components. Moving the ECS service to AWS Fargate removes the need to manage EC2 instances (capacity provisioning, patching, and scaling of the container instances) and allows the service to run tasks across multiple Availability Zones for higher availability. On the database side, modifying Aurora PostgreSQL to a Multi-AZ DB cluster (by adding a replica in another AZ) increases availability and supports faster recovery from an AZ failure with AWS-managed failover.
Why the other options are less suitable:
A: Making Aurora Multi-AZ improves database availability, but it does not address the compute layer’s biggest issue: ECS is on a single EC2 instance in one AZ with no auto scaling. RDS Proxy can help with connection management, but it does not fix the application’s single-AZ ECS single-instance availability risk.
B: Cross-Region read replicas and manual failover scripts increase operational burden. Also, it keeps ECS on EC2 (still requires instance management) and introduces a manual failover process, which is the opposite of “least operational overhead.”
D: Multi-Region active-active plus Aurora global database can deliver very high availability, but it adds significant complexity (multi-Region deployment, routing strategy, global database considerations, operational procedures). That is higher operational overhead than a straightforward multi-AZ design using managed services.
Reference: Amazon ECS Documentation: service placement across multiple Availability Zones; high availability patterns for ECS services
AWS Fargate Documentation: serverless container compute that removes the need to manage EC2 instances and supports multi-AZ task placement
Amazon Aurora PostgreSQL Documentation: Multi-AZ Aurora architecture, replicas across Availability Zones, and managed failover behavior
AWS Well-Architected Framework (Reliability Pillar): eliminating single points of failure with multi-AZ architectures and using managed services to reduce operational burden
AWS Certified Solutions Architect - Professional (SAP-C02) Exam Guide: designing highly available workloads, selecting managed services to reduce operational overhead