Pass SAP-C02 Exam Guide

B is correct. WhenPrivate DNSis enabled for an interface endpoint, AWS automatically updates the public service DNS names (e.g., s3.amazonaws.com) to resolve toprivate IPsinside the VPC. This ensures all traffic stays within the AWS network and complies with the private IP policy.

A is not necessary — VPC endpoints already route via local network.

C only affects security group rules, not DNS resolution.

D is unnecessary unless using custom DNS resolution systems.

The correct solution is to use an Amazon S3 File Gateway to store the copy of the SMB file share on AWS. An S3 File Gateway enables on-premises applications to store and access objects in Amazon S3 using the SMB protocol. The S3 File Gateway can also be accessed from AWS using the SMB protocol, which provides the ability to use the data from either the data center or AWS if a disaster occurs. The S3 File Gateway supports tiering of data to different S3 storage classes based on the file type. This allows the company to optimizethe storage costs by using S3 Standard-Infrequent Access (S3 Standard-IA) for the metadata files, which are rarely accessed but must be available within 5 minutes, and S3 Glacier Deep Archive for the image files, which are the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. This solution is the most cost-effective because it does not require any additional hardware, software, or replication services.

The other solutions are incorrect because they either use more expensive or unnecessary services or components, or they do not meet the requirements. For example:

Solution A is incorrect because it uses AWS Outposts with Amazon S3 storage, which is a very expensive and complex solution for the scenario in the question. AWS Outposts is a service that extends AWS infrastructure, services, APIs, and tools to virtually any data center, co-location space, or on-premises facility. It is designed for customers who need low latency and local data processing. Amazon S3 storage on Outposts provides a subset of S3 features and APIs to store and retrieve data on Outposts. However, this solution does not provide SMB access to the data on Outposts, which requires a Windows EC2 instance on Outposts as a file server. This adds more cost and complexity to the solution, and it does not provide the ability to access the data from AWS if a disaster occurs.

Solution B is incorrect because it uses Amazon FSx File Gateway and Amazon FSx for Windows File Server Multi-AZ file system that uses SSD storage, which are both more expensive and unnecessary services for the scenario in the question. Amazon FSx File Gateway is a service that enables on-premises applications to store and access data in Amazon FSx for Windows File Server using the SMB protocol. Amazon FSx for Windows File Server is a fully managed service that provides native Windows file shares with the compatibility, features, and performance that Windows-based applications rely on. However, this solution does not meet the requirements because it does not provide the ability to use different storage classes for the metadata files and image files, and it does not provide the ability to access the data from AWS if a disaster occurs. Moreover, using a Multi-AZ file system that uses SSD storage is overprovisioned and costly for the scenario in the question, which involves rarely accessed data that must be available within 5 minutes.

Solution D is incorrect because it uses an S3 File Gateway that uses S3 Standard-IA for both the metadata files and image files, which is not the most cost-effective solution for the scenario in the question. S3 Standard-IA is a storage class that offers high durability, availability, and performance for infrequently accessed data. However, it is more expensive than S3 Glacier Deep Archive, which is the lowest-cost storage class and suitable for long-term retention of data that is rarely accessed. Therefore, using S3 Standard-IA for the image files, which are likely to be larger and more numerous than the metadata files, is not optimal for the storage costs.

What is S3 File Gateway?

Using Amazon S3 storage classes with S3 File Gateway

Accessing your file shares from AWS

The company wants a centralized enforcement mechanism across hundreds of AWS accounts. The control must ensure that any S3 access points that product teams create are VPC-only and cannot be internet-accessible. The most operationally efficient solution is one that applies across the organization without requiring per-account deployments, per-bucket policies, or per-access-point configuration.

Service control policies (SCPs) in AWS Organizations are designed to provide centralized guardrails that define the maximum available permissions for accounts in an organization. By attaching an SCP at the organization root (or to OUs as needed), the company can enforce that no principal in any account can create an S3 access point unless the request specifies a VPC network origin. This aligns directly with the requirement to enforce “VPC-only” access points consistently across all accounts with minimal ongoing operational work.

Option B uses an SCP at the root to deny s3:CreateAccessPoint unless the s3:AccessPointNetworkOrigin condition key evaluates to VPC. This is the correct organization-wide preventive control.

Option A is not correct because an S3 access point resource policy is attached to an access point after it exists and is primarily used to control access to the access point. It is not a reliable organization-wide preventive mechanism to enforce how access points are created across hundreds of accounts. Also, it requires access point-by-access point management, which increases operational overhead.

Option C is less operationally efficient because StackSets deployment across hundreds of accounts introduces additional operational steps and drift management. It also relies on account-level IAM permissions being properly used and does not provide a simple, centralized “cannot be bypassed” guardrail in the same way that an SCP does.

Option D is incorrect because S3 bucket policies control access to bucket resources and objects. They do not function as an organization-wide control to prevent creation of access points across accounts, and they would require bucket-by-bucket management rather than a centralized enforcement mechanism.

Therefore, a root-level SCP that denies access point creation unless the access point network origin is VPC is the most operationally efficient enforcement approach.

Creating an AUTH token and storing it in AWS Secrets Manager and configuring the existing cluster to use the AUTH token and configure encryption in transit, and updating the application to retrieve the AUTH token from Secrets Manager when necessary and to use the AUTH token for authentication, would meet the requirements for user authentication and end-to-end encryption.

AWS Secrets Manager is a service that enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Secrets Manager also enables you to encrypt the data and ensure that only authorized users and applications can access it.

By configuring the existing cluster to use the AUTH token and encryption in transit, all data will be encrypted as it is sent over the network, providing additional security for the data stored in ElastiCache.

Additionally, by updating the application to retrieve the AUTH token from Secrets Manager when necessary and to use the AUTH token for authentication, it ensures that only authorized users and applications can access the cache.