SAP-C02 Dumps with Practice Exam Questions Answers

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-error-kms/

"An error occurred (AccessDenied) when calling the PutObject operation: Access Denied" This error message indicates that your IAM user or role needs permission for the kms:GenerateDataKey action.

B: Archiving inactive user uploads toGlacier Deep Archiveoffers the lowest storage cost.

E: Since the users are in Europe only, usingPrice Class 200reduces CloudFront delivery cost without affecting performance.

A (expiration) deletes data — not suitable.

C is invalid (App Runner does not support Spot).

D might save little unless read traffic is high.

The company wants a centralized enforcement mechanism across hundreds of AWS accounts. The control must ensure that any S3 access points that product teams create are VPC-only and cannot be internet-accessible. The most operationally efficient solution is one that applies across the organization without requiring per-account deployments, per-bucket policies, or per-access-point configuration.

Service control policies (SCPs) in AWS Organizations are designed to provide centralized guardrails that define the maximum available permissions for accounts in an organization. By attaching an SCP at the organization root (or to OUs as needed), the company can enforce that no principal in any account can create an S3 access point unless the request specifies a VPC network origin. This aligns directly with the requirement to enforce “VPC-only” access points consistently across all accounts with minimal ongoing operational work.

Option B uses an SCP at the root to deny s3:CreateAccessPoint unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC. This is the correct organization-wide preventive control.

Option A is not correct because an S3 access point resource policy is attached to an access point after it exists and is primarily used to control access to the access point. It is not a reliable organization-wide preventive mechanism to enforce how access points are created across hundreds of accounts. Also, it requires access point-by-access point management, which increases operational overhead.

Option C is less operationally efficient because StackSets deployment across hundreds of accounts introduces additional operational steps and drift management. It also relies on account-level IAM permissions being properly used and does not provide a simple, centralized “cannot be bypassed” guardrail in the same way that an SCP does.

Option D is incorrect because S3 bucket policies control access to bucket resources and objects. They do not function as an organization-wide control to prevent creation of access points across accounts, and they would require bucket-by-bucket management rather than a centralized enforcement mechanism.

Therefore, a root-level SCP that denies access point creation unless the access point network origin is VPC is the most operationally efficient enforcement approach.

https://docs.aws.amazon.com/controltower/latest/userguide/controls.html https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-controls.html#ebs-enable-encryption AWS is now transitioning the previous term 'guardrail' new term 'control'.

The key requirements are: OpenSearch Service must be deployed within a VPC (VPC-only access), and developers must access OpenSearch from their local machines across multiple locations, including home networks. The most suitable low-overhead approach is to provide remote users with secure client-based connectivity into the VPC so they can reach private endpoints.

AWS Client VPN is a managed client-based VPN service that allows individual users to establish secure TLS VPN connections from their devices into a VPC. By associating a Client VPN endpoint with a subnet in the VPC and configuring authorization rules and routes, developers can access private resources (including VPC-only Amazon OpenSearch Service endpoints) as if they were on the corporate network. Client VPN is designed for distributed workforces and supports users connecting from anywhere without requiring each remote location to have dedicated network appliances.

Option A matches the need for remote developer access from home and multiple offices with the least operational overhead because it is a managed service for user-based VPN access and does not require running and maintaining bastion fleets or building site-to-site networks for each location.

Option B is not correct because AWS Site-to-Site VPN is designed to connect networks (for example, an office network or data center) to AWS, not to provide individual developers remote access from arbitrary home networks. Also, instructing developers to use an OpenVPN client does not align with how Site-to-Site VPN is typically used; Site-to-Site VPN terminates on a customer gateway device, not on individual laptops.

Option C is not correct because Direct Connect is designed for dedicated private connectivity between on-premises networks and AWS. It is not a solution for individual developers connecting from home. Additionally, using a public VIF is for reaching public AWS endpoints, whereas the requirement is to keep access within a VPC. A public VIF does not provide private VPC access to VPC-only service endpoints.

Option D is not the best choice because a bastion host provides SSH access to instances, not direct, secure network-level access to VPC-only managed service endpoints from developer tools. It also increases operational overhead (patching, hardening, monitoring, scaling) and introduces additional security considerations. Developers also typically need browser-based or tool-based access to OpenSearch Dashboards, which is better served by VPN access into the VPC than SSH tunneling through a bastion host as a primary access mechanism.

Therefore, configuring AWS Client VPN to provide developers with secure connectivity into the VPC is the correct solution.