SAP-C02 Dumps with Practice Exam Questions Answers

Log Tenant ID and RCUs/WCUs:

Update the AWS Lambda functions to log the tenant ID and the number of Read Capacity Units (RCUs) and Write Capacity Units (WCUs) consumed from DynamoDB for each transaction.This data will be logged to Amazon CloudWatch Logs.

Calculate Tenant Costs:

Deploy an additional Lambda function that reads the logs from CloudWatch Logs, calculates the RCUs and WCUs used by each tenant, and then uses the AWS Cost Explorer API to retrieve the overall cost of DynamoDB usage. This function will then allocate the costs to each tenant based on their usage.

Scheduled Cost Calculation:

Create an Amazon EventBridge rule to trigger the cost calculation Lambda function at regular intervals (e.g., daily or hourly). This ensures that cost allocation is continuously updated and tenants are billed accurately based on their consumption.

This solution minimizes operational effort by automating the cost allocation process and ensuring that the company can accurately bill tenants based on their resource consumption.

References

AWS Cost Explorer Documentation

Amazon CloudWatch Logs Documentation

AWS Lambda Documentation

Store Secret in AWS Secrets Manager:

Create a random string in AWS Secrets Manager to be used as a custom HTTP header value.

Set Up Automatic Rotation:

Implement a Lambda function to handle automatic rotation of the secret in AWS Secrets Manager, ensuring the header value remains secure.

Configure CloudFront Custom Header:

In the CloudFront distribution settings, configure an origin custom header with the name and value from AWS Secrets Manager. This header will be included in requests forwarded to the ALB.

Create AWS WAF Web ACL:

Create a Web ACL in AWS WAF with a string match rule to allow requests that include the custom header with the correct value.

Associate the Web ACL with the ALB to filter incoming traffic based on the custom header.

By using this method, you can ensure that only requests coming through CloudFront (which injects the custom header) can reach the ALB, enhancing the origin security

The company needs the application in the secondary Region to operate independently from the primary Region during disaster recovery. That means both the DynamoDB data and the relational customer data must be present and usable in the secondary Region without cross-Region dependencies at runtime. The company also wants the least development effort, which usually means using native managed replication features rather than building custom replication logic.

For DynamoDB, global tables are the managed multi-Region, multi-active replication feature. Global tables replicate changes between Regions automatically and allow applications in each Region to read and write to local DynamoDB tables, removing dependencies on the primary Region.

For the RDS for MySQL database, the straightforward managed approach for cross-Region disaster recovery with minimal development change is to create a cross-Region read replica in the secondary Region. A read replica uses asynchronous replication to keep data up to date. During a disaster recovery event, the company can promote the read replica in the secondary Region to become a standalone primary database instance. This provides a simple, low-development approach for having the data in the secondary Region. The application in the secondary Region can be configured to use the replica endpoint in normal times and can continue operating with the promoted instance during failover.

Option A combines DynamoDB global tables with an RDS read replica in the secondary Region. This is the least development effort because it uses AWS-managed replication for both data stores and requires only configuration changes and endpoint selection in the secondary application.

Option B is not correct because DAX is a caching layer for DynamoDB, not a replication or disaster recovery mechanism. DAX does not replicate DynamoDB tables into another Region and cannot replace having the DynamoDB data present in the secondary Region.

Option C is incorrect because RDS Multi-AZ is a high availability feature within a single Region, using synchronous replication to a standby in another Availability Zone. Multi-AZ does not create a standby in a different Region, and it does not provide cross-Region DR by itself.

Option D is less desirable because it requires custom development and operations: processing DynamoDB streams, building and operating a replication pipeline, and ensuring correctness and ordering across Regions. This is higher development effort than enabling DynamoDB global tables.

Therefore, using DynamoDB global tables plus an RDS read replica in the secondary Region (option A) meets the DR independence requirement with the least development effort.

However A ' s explanation is incorrect -https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

" SCPs are similar to AWS Identity and Access Management (IAM) permission policies and use almost the same syntax. However, an SCP never grants permissions. "

SCPs alone are not sufficient to granting permissions to the accounts in your organization. No permissions are granted by an SCP. An SCP defines a guardrail, or sets limits, on the actions that the account ' s administrator can delegate to the IAM users and roles in the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM users or roles, or to the resources in your accounts to actually grant permissions. The effective permissions are the logical intersection between what is allowed by the SCP and what is allowed by the IAM and resource-based policies.

The correct answer is A, C, and F. The company wants to host a private DNS namespace, myvpc.example.com, inside AWS and allow on-premises devices to resolve records in that namespace. A Route 53 private hosted zone is the correct hosted zone type because the domain is intended for private VPC resolution, not public internet DNS. To allow DNS queries from the on-premises network into AWS, Route 53 Resolver inbound endpoints are required. The on-premises DNS resolvers then need conditional forwarding rules that forward queries for myvpc.example.com to the IP addresses of the inbound Resolver endpoint. An outbound endpoint is used when AWS resources need to resolve DNS names hosted on premises. That is not the stated requirement here. A public hosted zone would expose records publicly and is not appropriate for private VPC DNS.

===============