SAP-C02

Domain: Design for New Solutions

Your team is developing a new Lambda function for a microservice component. You need to package and deploy the Lambda function as a container image. The container image should be built based on the python:buster image with other dependencies and libraries installed. In order to use the container image properly for the Lambda function, which of the following actions is required?

Correct​ ​Answer​: D

• Option​ ​A is ​incorrect because there is no need to assume the IAM role in the Dockerfile. Users should configure the IAM role when creating the Lambda function.

• Option​ B is​ ​incorrect because Lambda automatically forwards logs to CloudWatch Logs. Users do not need to install the CloudWatch agent in Dockerfile.

• Option​ ​C ​is​ ​incorrect because after the Docker image has been built, users should push the image to ECR. There is no ECR agent that needs to be installed in the Docker image.

• Option​ ​D ​is​ CORRECT because the container image for Lambda must implement the Lambda Runtime API that is added by the open-source runtime interface client.

(SAP-C02)

Domain: Accelerate Workload Migration and Modernization

A financial company is embarking on a journey to migrate its on-premises legacy applications to AWS. The company’s purpose of migration is to boost agility and improve business continuity; hence, they are talking about the decomposition of the monoliths to microservices. You are hired as a solution architect to help the company guide in the process of migration. After a few meetings with the business and tech team, you plan to use AWS serverless services to build the microservices.

Which migration strategy best suits this case?

Correct Answer: C

• Option A is incorrect because you use Relocate for your applications that already reside on VMware, containers, etc., and migrate those into the cloud for ease of management and cost savings of scale.

• Option B is incorrect because Replatform is known as: “Lift, tinker and shift” or “Lift and reshape”. With a few modifications, many applications can be easily fit to leverage Cloud native services. For example, you can reduce the management overhead of your database by using Amazon Relational Database (RDS) Service; or you can save on licensing costs by using open-source software such as Linux or Apache Tomcat. This can lead to functional benefits and/or cost savings.

• Option C is CORRECT because Refactor is also known as Re-architect or “Decouple and Rewrite for Cloud”. This option entails the biggest investment - but yields the best returns. It is often driven by a strong business need for new features, performance, or the ability to scale.

Refactoring/Rearchitecting, a tired old legacy application to take advantage of being Cloud-native is one of the best reasons to migrate to the Cloud.

• Option D is incorrect because Rehost is also known as: “Lift and shift” In this case, the application is shifted from a dedicated IT environment into a shared one either manually or through automation. It also makes future refactoring easier as the application, its data, and access are already Cloud-based.

(SAP-C02)

Domain: Accelerate Workload Migration and Modernization

While prioritizing applications for migration to AWS, the focus is on establishing initial criteria to define workloads that are good candidates for pilot applications. Which one of these would define the highest priority application to migrate?

Correct Answer: D

• Option D gets the highest score on the priority scale. In the stage of prioritizing applications, the focus is on establishing initial criteria to prioritize low-risk and low-complexity workloads. These workloads are good candidates for pilot applications. Using low-risk, low-complexity workloads in initial migrations reduces the risk and gives teams the opportunity to gain experience. Always pick an application that is ready to move to the cloud and comes under Rehost or Lift and Shift type of migration strategy, even though the business critical is minimum.

(SAA-C03)

Domain: Design Resilient Architectures

Your application has two tiers in AWS: the frontend layer and the backend layer. The frontend includes an Auto Scaling group deployed in a public subnet. The backend Auto Scaling group is located in another private subnet. The backend instances should only allow the incoming traffic from the frontend ASG through a custom port. For the backend security group, how would you configure the source in its inbound rule?

Correct​ ​Answer​ ​–​ A

Refer to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html#security-group-rules for how to configure security group rules.

• Option​ ​A ​is​ CORRECT:​ By configuring the frontend security group as the source, any frontend instances that have the specified security group are allowed to access the backend.

• Option​ ​B ​is​ ​incorrect:​ Other instances in this subnet can also access the backend. This option is not as good as option A.

• Option​ ​C ​is​ ​incorrect:​ Because Auto Scaling group ARN cannot be configured in the source of a security group inbound rule.

• Option​ ​D ​is​ ​incorrect:​ Because the launch configuration cannot be configured in the source.

• (SAA-C03)

• Domain: Design Secure Architectures

• You are working as an AWS Architect for a start-up company. The company has a two-tier production website on AWS with web servers in the front end & database servers in the back end. The third-party firm has been looking after the operations of these database servers. They need to access these database servers in private subnets on the SSH port. As per standard operating procedure provided by the Security team, all access to these servers should be over a jumpbox accessible from internet. What will be the best solution to meet this requirement?

Correct Answer – D

External users will be unable to access the instance in private subnets directly. To provide such access, we need to deploy Bastion hosts in public subnets. In case of the above requirement, third-party users will initiate a connection to Bastion hosts in public subnets & from there, they will access SSH connection to database servers in private subnets.

• Option A is incorrect as Bastion hosts need to be in Public subnets & not in Private subnets, as third-party users will be accessing these servers from the internet.

• Option B is incorrect as NAT instance is used to provide internet traffic to hosts in private subnets. Users from the internet will not be able to do SSH connections to hosts in private subnets using NAT instance. NAT instance is always present in Public subnets.

• Option C is incorrect as NAT instance is used to provide internet traffic to hosts in private subnets. Users from the internet will not be able to do SSH connections to hosts in private subnets using NAT instance.