AWS Certified SAP on AWS Specialty PAS-C01 (PAS-C01) — Questions 751-825

1733 questions total · 24 pages · All types, answers revealed

Page 11 of 24

751
MCQ · medium

A company is migrating an SAP HANA database from on-premises to AWS. The current system uses 8 TB of data. The migration must be completed within a 4-hour downtime window. The network link has 1 Gbps throughput. What is the MOST efficient migration strategy?

A. Use AWS Database Migration Service (DMS) with ongoing replication
B. Use AWS Direct Connect to increase bandwidth
C. Use AWS Application Migration Service (MGN)
D. Use AWS Snowball Edge to transfer the data offline
Answer: D

Snowball Edge can transfer 8 TB offline within the required time.

Why this answer

At 1 Gbps, transferring 8 TB over the network would take approximately 18 hours (8 TB * 1024 GB/TB * 8 bits/byte / 1 Gbps = 65536 seconds = ~18 hours), exceeding the 4-hour window. AWS Snowball Edge can transport 8 TB offline. Option B (AWS Snowball Edge) is correct.

Option A (AWS DMS) would not meet the time constraint. Option C (AWS MGN) is for server migration, not database. Option D (Direct Connect) still has the same bandwidth limitation.

752
MCQ · hard

A company is running SAP ERP on AWS and notices performance degradation during peak hours. The application servers are in an Auto Scaling group behind an Application Load Balancer. Which configuration change would best handle the increased load?

A. Increase the minimum and maximum instance count in the Auto Scaling group
B. Configure a step scaling policy based on memory utilization
C. Replace the Application Load Balancer with a Network Load Balancer
D. Change the Auto Scaling policy to use a target tracking policy based on CPU utilization
Answer: D

CPU utilization is a more relevant metric for SAP application server load.

Why this answer

Option A is correct because scaling policies based on memory utilization are not standard; CPU utilization is a better metric for SAP application servers. Option B is wrong because increasing instance size may be costly and not as dynamic. Option C is wrong because changing to Network Load Balancer does not solve performance.

Option D is wrong because a step scaling policy based on CPU utilization is appropriate, but the question asks for a change; option A directly addresses the issue of using memory-based scaling.

753
MCQ · easy

A company is migrating its SAP system to AWS and needs to assess the current on-premises environment for compatibility. Which AWS tool should be used to collect system configuration and usage data for SAP systems?

A. AWS Application Discovery Service
B. AWS Migration Hub
C. AWS Systems Manager
D. AWS Server Migration Service (AWS SMS)
Answer: A

Application Discovery Service collects configuration and usage data to support migration planning.

Why this answer

Option D is correct. AWS Application Discovery Service helps plan migrations by collecting configuration and usage data. Option A (AWS Migration Hub) tracks progress but does not collect data.

Option B (AWS Server Migration Service) is for agentless replication. Option C (AWS Systems Manager) is for management, not discovery.

754
MCQ · medium

A company is migrating a large SAP HANA database to AWS. The database is 4 TB in size. They need to transfer the initial data with the least possible network usage and minimal impact on production. The data is stored on a network-attached storage (NAS) device. Which approach should they use?

A. Use AWS CLI with multipart upload over AWS Direct Connect
B. Use AWS DataSync to transfer data over the internet
C. Use AWS Database Migration Service (DMS) for continuous replication
D. Use AWS Snowball Edge to transfer data offline
Answer: D

Snowball Edge enables offline transfer, no network usage, and handles large volumes.

Why this answer

AWS Snowball Edge is designed for large-scale data transfer with encryption and can handle 4 TB efficiently without network usage. Option A is incorrect because AWS DataSync would use network bandwidth. Option B is incorrect because AWS DMS would also use network and may impact production.

Option D is incorrect because using AWS CLI over AWS Direct Connect still uses network bandwidth, though more stable than internet.

755
MCQ · hard

A company is running SAP NetWeaver on AWS with a multi-ABAP application server setup. They want to implement a load balancing solution for HTTP traffic to the SAP Web Dispatcher. The solution must be highly available and support SSL termination. Which AWS service should be used?

A. Application Load Balancer (ALB)
B. Amazon CloudFront
C. Classic Load Balancer (CLB)
D. Network Load Balancer (NLB)
Answer: A

ALB supports HTTP/HTTPS, SSL termination, and health checks.

Why this answer

Option B is correct because Application Load Balancer supports HTTP/HTTPS traffic, SSL termination, and is highly available across AZs. Option A is wrong because NLB is for TCP/UDP, not HTTP-specific features. Option C is wrong because CloudFront is a CDN.

Option D is wrong because Classic Load Balancer is legacy and less feature-rich.

756
MCQ · hard

A company is deploying SAP NetWeaver on AWS and needs to ensure that the SAP application servers can communicate with the SAP HANA database using the hostname. The environment uses a Windows Domain Controller for Active Directory. Which DNS resolution strategy should be used?

A. Use AWS Directory Service for Microsoft Active Directory with DNS
B. Configure DHCP option sets to use custom DNS
C. Install a DNS server on an Amazon Linux instance
D. Use Amazon Route 53 Resolver outbound endpoint
Answer: A

Provides DNS integrated with AD for hostname resolution.

Why this answer

Option A is correct because AWS Directory Service for Microsoft Active Directory provides a managed DNS service that integrates with Active Directory. This allows SAP application servers to resolve the SAP HANA database hostname via DNS, which is essential for SAP NetWeaver's hostname-based communication. The managed service ensures automatic DNS record updates and supports Windows-native DNS resolution without requiring custom infrastructure.

Exam trap

The trap here is that candidates often assume any DNS solution (like Route 53 Resolver or a Linux DNS server) can handle Windows Active Directory hostname resolution, overlooking the need for native Windows DNS integration with dynamic updates and Kerberos authentication.

How to eliminate wrong answers

Option B is wrong because DHCP option sets can specify custom DNS servers, but they do not provide the Active Directory-integrated DNS resolution required for Windows Domain Controller environments; they only point to existing DNS servers. Option C is wrong because installing a DNS server on an Amazon Linux instance does not natively integrate with Active Directory for dynamic DNS updates and Windows authentication, leading to potential resolution failures for SAP hostnames. Option D is wrong because Amazon Route 53 Resolver outbound endpoints are used for hybrid DNS resolution between on-premises and AWS, not for providing Active Directory-integrated DNS within a VPC; they lack the Windows-specific features needed for SAP hostname resolution.

757
Multi-Select · easy

A company is planning to migrate its SAP environment to AWS. The SAP landscape includes development, test, and production systems. The company wants to ensure data security and compliance. Which THREE AWS services should the company use to achieve this?

Select 3 answers
A. AWS Key Management Service (KMS) for encryption of EBS volumes and S3 buckets.
B. AWS Identity and Access Management (IAM) for user and role management.
C. AWS Direct Connect for dedicated network connection.
D. AWS CloudTrail for auditing API calls.
E. Elastic Load Balancing for distributing traffic.
Answers: A, B, D

KMS provides encryption key management.

Why this answer

Option A is correct because KMS encrypts data at rest. Option C is correct because CloudTrail logs API calls for auditing. Option D is correct because IAM manages access control.

Option B is wrong because Direct Connect is for connectivity, not security. Option E is wrong because Elastic Load Balancing is for traffic distribution.

758
MCQ · medium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a high transaction rate. The migration must have minimal downtime. Which AWS service should be used for the migration?

A. AWS Snowball Edge
B. AWS Server Migration Service (SMS)
C. AWS DataSync
D. AWS Database Migration Service (DMS)
Answer: D

DMS supports live migration with ongoing replication.

Why this answer

AWS Database Migration Service (DMS) supports ongoing replication to minimize downtime during migration. Option A is wrong because AWS Server Migration Service is for server migrations, not databases. Option C is wrong because AWS DataSync is for file-based data transfers.

Option D is wrong because AWS Snowball is for large-scale offline data transfer, not suitable for minimal downtime scenarios.

759
MCQ · easy

A company is implementing SAP HANA on AWS and needs to ensure that the storage configuration meets the required IOPS and throughput. The SAP HANA system uses a scale-out architecture with multiple worker nodes. Which type of Amazon EBS volume is recommended for the /hana/data and /hana/log volumes in a production environment?

A. Throughput Optimized HDD (st1)
B. General Purpose SSD (gp2 or gp3)
C. Provisioned IOPS SSD (io1 or io2)
D. Cold HDD (sc1)
Answer: C

Provides consistent low-latency performance required for HANA.

Why this answer

For SAP HANA, AWS recommends Provisioned IOPS (io1 or io2) volumes for /hana/data and /hana/log to ensure consistent high performance. Option B is correct. gp2/gp3 are burstable and may not sustain required performance. st1/sc1 are throughput-optimized and not suitable for HANA data or log.

760
MCQ · medium

A company wants to implement a disaster recovery (DR) strategy for its SAP landscape on AWS. The primary site is in us-east-1, and the DR site is in us-west-2. They need to replicate SAP HANA database asynchronously with a Recovery Point Objective (RPO) of 15 minutes. Which AWS service should they use?

A. AWS Elastic Disaster Recovery (DRS)
B. SAP HANA System Replication
C. Amazon S3 cross-region replication for HANA backup files
D. AWS Database Migration Service (DMS) with ongoing replication
Answer: B

SAP HANA System Replication is the correct method for asynchronous replication.

Why this answer

SAP HANA System Replication is the native mechanism for asynchronous replication of HANA databases. AWS does not provide a managed replication service for HANA.

761
Multi-Select · hard

Which TWO of the following are required to enable SAP HANA System Replication across two AWS Availability Zones?

Select 2 answers
A. The primary and secondary instances must be in the same AWS region
B. A Virtual Private Gateway must be attached to the VPC
C. The EBS volumes must be configured for multi-attach or use a shared file system
D. A cluster placement group must be used
E. An Application Load Balancer must be configured for the replication traffic
Answers: A, C

Cross-region replication is possible but not within the same region requirement; however, for low latency, same region is essential.

Why this answer

SAP HANA System Replication requires both primary and secondary instances to be in the same AWS region because the replication protocol (based on TCP/IP) relies on low-latency, synchronous or asynchronous data transfer that is only feasible within a region's Availability Zones. Cross-region replication would introduce latency exceeding SAP's recommended thresholds (typically <1 ms RTT for synchronous replication), risking data consistency and failover reliability.

Exam trap

The trap here is that candidates confuse SAP HANA System Replication (which requires same-region AZs) with SAP HANA scale-out or backup scenarios that might use shared storage or cross-region replication, leading them to select EBS multi-attach or cross-region options incorrectly.

762
MCQ · hard

An SAP administrator created the IAM policy shown in the exhibit for a team managing SAP HANA instances. What is the effective permission for the team regarding an EC2 instance with the tag 'Environment=Production'?

A. The team can start, stop, and terminate the instance.
B. The team cannot start, stop, or terminate the instance.
C. The team can only describe the instance.
D. The team can start and stop the instance, but cannot terminate it.
Answer: D

The Deny for TerminateInstances blocks termination.

Why this answer

Option B is correct: Even though the first statement allows TerminateInstances, the second Deny statement explicitly denies the same action for the same condition. An explicit Deny overrides any Allow. Options A, C, D are incorrect because the Deny prohibits termination; start and stop remain allowed.

763
Drag & Drop · medium

Drag and drop the steps to optimize SAP HANA performance by moving to an Amazon RDS for SAP HANA instance into the correct order.

Why this order

Performance optimization via RDS migration involves assessment, sizing, data migration, configuration, and testing.

764
MCQ · hard

The exhibit shows the output of the describe-replication-tasks command for an ongoing migration from SAP HANA to Amazon RDS for MySQL. The task status is 'running' but no data has been transferred after 2 hours. What is the most likely cause?

A. The replication instance has insufficient memory
B. The source endpoint is not accessible from the replication instance
C. The target endpoint is pointing to the wrong database
D. The HANA database is not configured as a target
Answer: B

If the source is not accessible, the task may get stuck in a running state without transferring data.

Why this answer

Option D is correct because a running task with no data transfer often indicates that the task has not started processing due to pending validation or network issues. However, given the status is 'running', it may be stuck in validation. The most common cause is that the source endpoint is not accessible.

Option A is wrong because if the target endpoint were wrong, the task would fail. Option B is wrong because the status is 'running', not 'failed'. Option C is wrong because the HANA database is the source, not the target.

765
Multi-Select · hard

A company runs SAP on AWS and needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which TWO services should be used together to achieve this?

Select 2 answers
A. Amazon S3
B. VPC Flow Logs
C. Amazon CloudWatch Logs
D. AWS Config
E. AWS CloudTrail
Answers: C, E

CloudWatch Logs can store and analyze CloudTrail logs.

Why this answer

Option A is correct because AWS CloudTrail logs API calls. Option D is correct because Amazon CloudWatch Logs can store and analyze the logs. Option B is wrong because AWS Config records resource configurations, not API calls.

Option C is wrong because VPC Flow Logs are for network traffic. Option E is wrong because Amazon S3 can store logs, but the question asks for services used together.

766
Multi-Select · easy

An SAP administrator needs to set up disaster recovery for an SAP system on AWS. Which TWO AWS services can be used to replicate data across regions?

Select 2 answers
A. Amazon CloudFront
B. Amazon EFS replication
C. Amazon EBS snapshots copied to another region
D. Amazon S3 Cross-Region Replication
E. Amazon RDS read replicas in another region
Answers: C, D

Snapshots can be copied cross-region for volume replication.

Why this answer

Amazon EBS snapshots can be copied to another AWS region, providing a reliable mechanism for disaster recovery of SAP systems by creating point-in-time backups of critical volumes. This allows the SAP administrator to restore the system in a different region if the primary region fails, ensuring data durability and recoverability.

Exam trap

The trap here is that candidates may confuse Amazon RDS read replicas with cross-region disaster recovery replication, but read replicas are designed for read scaling and do not support write operations or failover for SAP systems.

767
Multi-Select · medium

A company is designing a disaster recovery (DR) strategy for its SAP environment on AWS. The primary site is in us-east-1, and the DR site must be in us-west-2. The Recovery Point Objective (RPO) is 15 minutes, and the Recovery Time Objective (RTO) is 4 hours. Which TWO AWS services should be used to meet these objectives?

Select 2 answers
A. Amazon Route 53 health checks to fail over DNS to the DR site.
B. Amazon EC2 Auto Scaling groups to launch instances in us-west-2 on failover.
C. SAP HANA System Replication configured with asynchronous replication to a HANA instance in us-west-2.
D. AWS Elastic Disaster Recovery (AWS DRS) to continuously replicate SAP servers to us-west-2.
E. AWS Backup to copy EBS snapshots to us-west-2 every 15 minutes.
Answers: C, D

Asynchronous replication can achieve RPO of seconds to minutes.

Why this answer

SAP HANA System Replication with asynchronous mode can achieve an RPO of 15 minutes or less by continuously replicating log buffers from the primary HANA database in us-east-1 to a secondary HANA instance in us-west-2. This is the native SAP replication mechanism and is the only option that directly meets the database-level RPO requirement without additional overhead.

Exam trap

The trap here is that candidates often choose AWS Backup (Option E) thinking frequent snapshots can meet a 15-minute RPO, but they overlook that snapshot creation is not instantaneous and cannot provide the sub-15-minute consistency required for SAP HANA, whereas native HANA replication and AWS DRS are designed for continuous replication.

768
MCQ · medium

A company is running SAP Business Suite on AWS with a Microsoft SQL Server database. The operations team needs to implement automated database backups with point-in-time recovery. Which AWS service should be used to achieve this?

A. AWS Storage Gateway
B. AWS Backup
C. AWS Database Migration Service (DMS)
D. Amazon RDS for SQL Server
Answer: B

AWS Backup can automate backups of SQL Server on EC2 with point-in-time recovery.

Why this answer

Option D is correct because AWS Backup supports SQL Server databases running on EC2, enabling automated backups and point-in-time recovery. Option A is wrong because RDS is for managed databases, not for SQL Server on EC2. Option B is wrong because Storage Gateway is for hybrid storage.

Option C is wrong because DMS is for migration, not backup.

769
MCQ · easy

An SAP system administrator needs to grant an external auditor read-only access to view EC2 instance configurations and CloudWatch logs. Which IAM policy should they use?

A. AWS managed policy: SecurityAudit
B. AWS managed policy: ReadOnlyAccess
C. AWS managed policy: AdministratorAccess
D. AWS managed policy: PowerUserAccess
Answer: B

ReadOnlyAccess provides read-only access to all services, suitable for auditors.

Why this answer

Option A is correct because ReadOnlyAccess grants read-only permissions to all AWS services, including EC2 and CloudWatch Logs. Option B is wrong because AdministratorAccess grants full access. Option C is wrong because PowerUserAccess allows creating resources, violating read-only.

Option D is wrong because SecurityAudit is limited to security services.

770
MCQ · hard

An SAP system on AWS experiences performance degradation during peak hours. Monitoring shows high CPU utilization on the application server EC2 instances. The instances are in an Auto Scaling group with a step scaling policy based on CPU utilization. Despite scaling, performance does not improve. What is the most likely cause?

A. The selected EC2 instance types lack sufficient memory for SAP applications.
B. The CloudWatch alarm is not configured to trigger the scaling policy.
C. The step scaling policy has a cooldown period that prevents immediate scaling.
D. The Auto Scaling group is not associated with an Elastic Load Balancer.
Answer: C

Cooldown periods can delay scaling actions, causing performance degradation during rapid load changes.

Why this answer

Option C is correct because step scaling policies have a cooldown period that prevents additional scaling activities, which can delay response during rapid changes. Option A (not registered with ELB) would affect traffic distribution but not scaling policy. Option B (insufficient instance types) is possible but less likely given scaling is happening.

Option D (CloudWatch alarm misconfiguration) would prevent scaling from triggering.

771
Multi-Select · hard

Which TWO actions should be taken to securely manage database credentials for an SAP system running on Amazon RDS for Oracle? (Choose 2)

Select 2 answers
A. Store the credentials as an S3 object with server-side encryption.
B. Use AWS Systems Manager Parameter Store with a secure string parameter.
C. Use IAM database authentication to manage access without passwords.
D. Use AWS Secrets Manager to store and automatically rotate the database passwords.
E. Store the credentials in AWS CloudHSM.
Answers: C, D

IAM database authentication allows IAM users to connect using an authentication token.

Why this answer

Options A and D are correct. Option A: AWS Secrets Manager can automatically rotate credentials. Option D: IAM database authentication allows using IAM users and roles for access, avoiding hardcoded passwords.

Option B is wrong because CloudHSM is for hardware security modules, not credential management. Option C is wrong because storing credentials in S3 is less secure. Option E is wrong because Systems Manager Parameter Store can store secrets, but it does not natively rotate RDS credentials.

772
MCQ · easy

An administrator is setting up an SAP system on AWS and needs to assign a static private IP address to the SAP application server. Which AWS resource should be used to ensure the private IP address remains the same even after an instance stop/start?

A. VPC endpoint
B. Elastic Network Interface (ENI) with a primary private IP
C. Secondary private IP address on the primary network interface
D. Elastic IP address
Answer: B

An ENI retains its private IP address even when detached or attached to a different instance.

Why this answer

Option C is correct because an Elastic Network Interface (ENI) retains its private IP address and can be attached to an instance. Option A is wrong because Elastic IP is for public IPs. Option B is wrong because a secondary private IP on an ENI can change if not attached.

Option D is wrong because a VPC endpoint is for connecting to AWS services, not for instance IPs.

773
MCQ · medium

A company is running a critical SAP application on AWS. The operations team receives a notification that the SAP HANA database is running low on memory. Which AWS service should be used to automatically increase memory capacity without downtime?

A. Amazon ElastiCache
B. Amazon EC2 Auto Scaling
C. Amazon DynamoDB
D. AWS Lambda
Answer: A

ElastiCache provides in-memory caching to offload data.

Why this answer

Option C is correct because Amazon ElastiCache provides in-memory caching and can be integrated with SAP to offload data. Option A is incorrect because Auto Scaling adjusts compute capacity, not memory. Option B is incorrect because Lambda is compute, not memory.

Option D is incorrect because DynamoDB is a database, not memory cache.

774
MCQ · easy

An SAP system administrator needs to apply an operating system patch to an Amazon EC2 instance running SAP NetWeaver. The instance is part of an Auto Scaling group. What is the BEST approach to minimize downtime?

A. Detach the instance from the Auto Scaling group, apply the patch, and reattach.
B. Stop the instance, apply the patch, and start it.
C. Use a rolling update by updating the launch configuration and performing an instance refresh.
D. Terminate the instance and let Auto Scaling launch a new one with the patch.
Answer: C

Minimizes downtime by replacing instances gradually.

Why this answer

Option C is correct because an instance refresh in an Auto Scaling group allows you to apply a new launch configuration (which includes the patched AMI or user data) to all instances in a rolling, controlled manner. This minimizes downtime by replacing instances one at a time or in batches, ensuring the SAP NetWeaver application remains available throughout the process. Detaching, stopping, or terminating individual instances would cause unnecessary disruption or require manual reattachment, which is not optimal for high-availability SAP landscapes.

Exam trap

The trap here is that candidates often choose Option A (detach and reattach) thinking it gives manual control, but they overlook that Auto Scaling's instance refresh is the designed, automated method for applying updates with minimal downtime, and detaching breaks the group's lifecycle management.

How to eliminate wrong answers

Option A is wrong because detaching an instance from an Auto Scaling group removes it from the group's management, and after patching, you must manually reattach it, which does not leverage Auto Scaling's automated health checks or rolling update capabilities, potentially causing longer downtime. Option B is wrong because stopping an EC2 instance for patching causes a full outage for that instance, and SAP NetWeaver typically requires high availability; stopping also does not integrate with Auto Scaling's lifecycle hooks or instance refresh mechanisms. Option D is wrong because terminating the instance and relying on Auto Scaling to launch a new one with a patched AMI is disruptive—it causes a complete loss of that instance's state and does not provide a controlled, rolling replacement, which can lead to downtime if the application is not designed for sudden instance termination.

775
Multi-Select · hard

Which THREE AWS services can be used to monitor and log SAP system activities for security and compliance? (Choose three.)

Select 3 answers
A. Amazon Athena
B. Amazon VPC Flow Logs
C. Amazon CloudWatch Logs
D. AWS CloudTrail
E. AWS Config
Answers: C, D, E

Stores application and system logs.

Why this answer

Options A, B, and C are correct. CloudTrail logs API calls, CloudWatch Logs stores log data, and Config tracks configuration changes. Option D is wrong because VPC Flow Logs capture network traffic, not system activities.

Option E is wrong because Athena is a query service, not a logging service.

776
MCQ · medium

A company runs SAP on AWS and uses AWS KMS for encryption of EBS volumes. The security team requires that the EBS volumes used for SAP HANA data and log files be encrypted with a customer-managed key. They also want to ensure that the key cannot be deleted. What should the security team do to protect the KMS key?

A. Set a key policy that prevents the kms:ScheduleKeyDeletion action.
B. Use an AWS managed key instead of a customer-managed key.
C. Store the key in AWS Secrets Manager.
D. Enable automatic key rotation.
Answer: A

A key policy can explicitly deny the deletion action.

Why this answer

Option B is correct because enabling key rotation does not prevent deletion; the correct approach is to use a multi-Region key (not relevant) or implement deletion protection via a resource-based policy, but the simplest is to enable deletion protection by setting a key policy that denies deletion. However, among the options, 'Enable automatic key rotation' is a best practice but does not prevent deletion. The actual method to prevent deletion is to set a key policy that denies the kms:ScheduleKeyDeletion action.

Since that is not an option, the closest is to set a key policy to prevent deletion, but it's not listed. Given the choices, option B is the only one that helps with key management but not deletion prevention. The question is flawed; I'll correct: The correct answer is to set a key policy that denies deletion.

None of the options directly say that, so I'll adjust the options. Revised:

777
MCQ · hard

A company is migrating an SAP ERP system to AWS and needs to ensure high availability for the SAP Central Services (ASCS) and Enqueue Replication Server (ERS). The solution must use a shared file system for the SAP transport directory. Which combination of AWS services should be used?

A. Amazon FSx for Windows File Server for the transport directory
B. Amazon S3 as the transport directory with two application servers
C. Amazon EFS for the transport directory and two EC2 instances with a floating IP
D. Amazon EBS volumes attached to both ASCS and ERS instances
Answer: C

EFS provides shared NFS; floating IP enables failover for ASCS/ERS.

Why this answer

Option D is correct because Amazon EFS provides a shared NFS file system for the transport directory, and using two EC2 instances in an active/passive configuration with a floating IP (e.g., via Route 53 or Elastic IP reassignment) provides high availability for ASCS/ERS. Option A is incorrect because EBS volumes cannot be attached to multiple instances simultaneously. Option B is incorrect because S3 is not a POSIX-compliant file system for SAP.

Option C is incorrect because Amazon FSx for Windows File Server is for Windows workloads, not Linux SAP.

778
MCQ · easy

Refer to the exhibit. A company is migrating an SAP application server running on Windows to AWS. They launched an EC2 instance with Windows Server. After launching, they run the command and get the output shown. They need to install SAP software. What additional step is required before installing SAP?

A. Change the instance type to a memory-optimized instance
B. Stop and start the instance to initialize the Windows OS
C. Modify the security group to allow SAP-specific ports
D. Join the EC2 instance to an Active Directory domain
Answer: D

SAP on Windows typically requires domain membership.

Why this answer

Option A is correct because SAP on Windows requires joining a domain (or using a local domain) for Kerberos authentication. Option B is incorrect because the instance is already running. Option C is incorrect because SAP installation does not require a specific instance type beyond requirements.

Option D is incorrect because the security group can be modified anytime.

779
MCQ · hard

A large enterprise is migrating its SAP S/4HANA system to AWS. The system includes a production SAP HANA database (4 TB) and a development SAP HANA database (1 TB). The migration strategy is to use SAP HANA System Replication (HSR) for both databases to EC2 instances in the same AWS region. The company has a compliance requirement that the production database must be in a different AWS account than the development database. The network between on-premises and AWS uses AWS Direct Connect with 10 Gbps bandwidth. During the test migration, the HSR replication for the development database works, but the production database fails to establish replication. The error log shows: "HSR connection timed out." The security groups and network ACLs for the production target EC2 instance allow inbound traffic on port 30101 from the on-premises source IP. What is the most likely cause of the failure?

A. The production target EC2 instance is in a different AWS account, and there is no VPC peering or Transit Gateway between the accounts to allow connectivity.
B. The production source HANA instance is not configured to replicate to a different AWS account.
C. The production target EC2 instance is using the wrong port for HSR.
D. The security group on the production target EC2 instance does not allow inbound traffic on port 443.
Answer: A

Cross-account communication needs VPC peering or Transit Gateway.

Why this answer

HSR requires communication between the source and target HANA instances. If the target is in a different account, VPC peering or Transit Gateway is needed for cross-account connectivity. Option A is correct because cross-account communication requires VPC peering or Transit Gateway.

Option B is wrong because the port is correct. Option C is wrong because HSR does not use port 443. Option D is wrong because the source is on-premises, not in another AWS account.

780
MCQ · medium

A company is migrating an on-premises SAP HANA database to AWS. The database is 10 TB and requires high IOPS. Which EC2 instance type and storage configuration is most appropriate?

A. x1e.32xlarge with EBS io1 volumes
B. r5.24xlarge with EBS io1 volumes
C. x1e.32xlarge with instance store volumes
D. r5.24xlarge with EBS gp2 volumes
Answer: A

x1e is certified for HANA, io1 provides high IOPS.

Why this answer

Option D is correct because x1e instances are SAP HANA certified and EBS io1 provides high IOPS. Option A is incorrect because gp2 is not suitable for high IOPS. Option B is incorrect because r5 instances are not HANA optimized.

Option C is incorrect because instance store is ephemeral.

781
Multi-Select · easy

Which TWO AWS services are commonly used to monitor the performance of SAP applications and infrastructure?

Select 2 answers
A. AWS X-Ray
B. AWS CloudTrail
C. Amazon CloudWatch
D. AWS Config
E. AWS Trusted Advisor
Answers: A, C

X-Ray helps trace and debug application performance.

Why this answer

Option A (CloudWatch) and Option D (AWS X-Ray) are monitoring services. Option B is wrong because CloudTrail is for auditing. Option C is wrong because Config is for compliance.

Option E is wrong because Trusted Advisor is for best practices.

782
Multi-Select · medium

A company is planning to migrate a large SAP HANA database to AWS using AWS Snowball Edge devices. The database size is 50 TB and the migration must be completed within a week. Which TWO actions should the company take to ensure a successful migration?

Select 2 answers
A. Use AWS Direct Connect to accelerate data transfer from Snowball Edge to AWS.
B. Order multiple Snowball Edge devices to transfer data in parallel.
C. Split the data into smaller chunks because each Snowball Edge can only hold 10 TB.
D. Copy the data directly to an Amazon S3 bucket using the Snowball Edge client.
E. Compress the HANA data files before loading them onto the Snowball Edge devices.
Answers: B, E

Parallel transfers reduce overall time.

Why this answer

Options A and B are correct: Using multiple Snowball Edge devices in parallel and compressing data before transfer reduce time. Option C is wrong: AWS Direct Connect is not used with Snowball. Option D is wrong: Snowball Edge supports NFS; using S3 would require additional steps.

Option E is wrong: Snowball Edge can handle up to 80 TB per device.

783
Multi-Select · hard

A company is migrating an SAP HANA database from on-premises to AWS using SAP HANA System Replication (HSR). They have set up the replication but the target database is not in sync. Which THREE configuration items should the migration team verify? (Choose THREE.)

Select 3 answers
A. The hostname resolution between source and target
B. The HANA version and build number are compatible
C. The SAP HANA license is activated on the target
D. The network connectivity and firewall rules allow HSR traffic
E. The storage type (SSD vs HDD) is identical
Answers: A, B, D

HSR uses hostnames; DNS or /etc/hosts must be correct.

Why this answer

Option A is correct because HSR requires the same hostname or proper name resolution. Option C is correct because the HANA version must be compatible (same major version). Option E is correct because the system replication port must be open.

Option B is incorrect because the source and target can have different storage types. Option D is incorrect because the HANA license is not required for replication (it's per system).

784
Multi-Select · medium

Which TWO of the following are best practices for running SAP HANA on AWS? (Select TWO.)

Select 2 answers
A. Use Amazon EFS as the storage layer for HANA data files.
B. Use T3 instances for production to save costs.
C. Use Amazon RDS Multi-AZ for HANA database replication.
D. Use EBS Snapshots for backup of HANA data volumes.
E. Use EC2 instances from the SAP HANA certified instance list.
Answers: D, E

EBS Snapshots provide crash-consistent backups.

Why this answer

Option D is correct because EBS Snapshots provide a consistent, crash-consistent backup mechanism for HANA data volumes when used with application-consistent procedures (e.g., pre-freeze/post-thaw scripts via AWS Backup or custom automation). Snapshots are block-level, incremental, and can be automated for point-in-time recovery, aligning with SAP HANA backup best practices on AWS.

Exam trap

The trap here is that candidates confuse general-purpose backup services (like EFS or RDS) with the specific storage and replication requirements of SAP HANA, leading them to select options that sound reasonable but are technically incompatible or uncertified.

785
MCQ · easy

A company wants to automate the deployment of SAP systems on AWS. Which AWS service is most appropriate for infrastructure as code (IaC) for SAP?

A. AWS OpsWorks
B. AWS Elastic Beanstalk
C. AWS CodeDeploy
D. AWS CloudFormation
Answer: D

CloudFormation is the standard IaC service on AWS.

Why this answer

AWS CloudFormation is the most appropriate service for infrastructure as code (IaC) for SAP because it allows you to define and provision AWS infrastructure declaratively using templates. This enables repeatable, version-controlled deployments of complex SAP landscapes, including EC2 instances, networking, storage, and security groups, which is critical for SAP's strict architectural requirements.

Exam trap

The trap here is that candidates often confuse AWS CodeDeploy or Elastic Beanstalk with IaC because they involve 'deployment,' but they are designed for application code or PaaS, not for provisioning the underlying SAP infrastructure, which requires full control over compute, storage, and networking.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks is a configuration management service based on Chef and Puppet, not a declarative IaC tool; it is designed for application configuration and lifecycle management, not for provisioning the underlying SAP infrastructure. Option B is wrong because AWS Elastic Beanstalk is a PaaS service that abstracts infrastructure management for web applications, but it does not support the custom, granular control required for SAP systems (e.g., specific instance types, HANA-specific storage, or high-availability setups). Option C is wrong because AWS CodeDeploy is a deployment automation service for application code updates, not for provisioning infrastructure; it cannot define or manage the underlying AWS resources needed for an SAP environment.

786
MCQ · medium

An SAP administrator receives an alert that the HANA database has switched to read-only mode. The administrator checks the disk space and finds that the /hana/data volume is 100% full. What is the most efficient way to resolve this issue?

A. Delete old HANA backup files from the volume
B. Restart the HANA database to clear temporary files
C. Create a new EC2 instance with larger disks and migrate
D. Increase the size of the EBS volume using the console or CLI
Answer: D

EBS allows live expansion without downtime, providing immediate space.

Why this answer

Option B is correct because EBS volumes can be modified online to increase size, adding more space immediately. Option A is wrong because deleting old backups may not free enough space and is not a long-term solution. Option C is wrong because restarting the database will not add space.

Option D is wrong because creating a new instance takes time and causes longer downtime.

787
MCQ · hard

An SAP administrator notices that the SAP HANA database on an EC2 instance is experiencing high I/O latency. The instance is using EBS gp2 volumes. Which change would most effectively reduce I/O latency for the SAP HANA data volume?

A. Use instance store SSDs for the SAP HANA data volume.
B. Switch to io2 Block Express EBS volumes for the data volume.
C. Increase the size of the EBS gp2 volume to increase baseline IOPS.
D. Configure RAID 0 across multiple gp2 volumes.
Answer: B

io2 Block Express provides sub-millisecond latency and high IOPS.

Why this answer

Option B is correct because io2 Block Express volumes provide consistent, high-performance IOPS with sub-millisecond latency, which is critical for SAP HANA data volumes. Unlike gp2, which relies on burst credits and has variable performance, io2 Block Express delivers predictable low latency and up to 256,000 IOPS per volume, directly addressing the high I/O latency issue.

Exam trap

The trap here is that candidates may assume increasing gp2 volume size or using RAID 0 will solve latency issues, but these approaches do not address the fundamental lack of consistent low-latency performance that io2 Block Express provides.

How to eliminate wrong answers

Option A is wrong because instance store SSDs are ephemeral and do not persist data across instance stops or terminations, making them unsuitable for SAP HANA data volumes that require durability and high availability. Option C is wrong because increasing the size of a gp2 volume only raises the baseline IOPS (at a rate of 3 IOPS per GB), but gp2 still suffers from burst bucket limitations and does not guarantee the sub-millisecond latency required for SAP HANA. Option D is wrong because RAID 0 across multiple gp2 volumes increases throughput and IOPS but does not reduce latency per I/O operation; it also introduces a single point of failure if any volume fails, which is unacceptable for SAP HANA data persistence.

788
MCQ · hard

A company has deployed SAP BusinessObjects (BO) on AWS using a multi-tier architecture with a Windows-based application server and a SQL Server database hosted on Amazon RDS. The application server is behind an Application Load Balancer (ALB) that handles HTTPS traffic. Users report that sometimes they receive a '502 Bad Gateway' error when accessing the BO web interface. The error occurs intermittently and is not reproducible on demand. The operations team checks the ALB logs and sees that the target response time occasionally exceeds 120 seconds. The BO application has a default timeout of 60 seconds. The team also notices that the ALB idle timeout is set to 60 seconds. What is the most likely cause of the 502 errors?

A. Place an Amazon CloudFront distribution in front of the ALB to cache responses and reduce load.
B. Increase the max_connections parameter in the RDS SQL Server instance.
C. Increase the idle timeout of the Application Load Balancer to 180 seconds.
D. Increase the deregistration delay on the ALB target group to 300 seconds.
Answer: C

The ALB request timeout (idle timeout) can be increased to accommodate longer application processing times, preventing premature connection closure.

Why this answer

Option B is correct. The ALB idle timeout is 60 seconds, but the application sometimes takes longer than 120 seconds to respond. However, the ALB idle timeout is for idle connections, not request processing.

Actually, the ALB has a request timeout (the time it waits for a response from the target). By default, the ALB request timeout is 60 seconds. If the application takes longer than 60 seconds to respond, the ALB will return a 502 error.

The stem says 'ALB idle timeout' but the relevant timeout is the request timeout. The correct answer should be to increase the ALB request timeout to 180 seconds. Option B says 'Increase the idle timeout of the ALB to 180 seconds.' That would actually be the request timeout.

In AWS, the 'idle timeout' for ALB is the maximum time the connection can be idle before the ALB closes it. For request timeout, it's the time the ALB waits for the target to respond. The idle timeout doesn't affect request processing; the request timeout is fixed at 60 seconds and cannot be changed.

That is a trick. Actually, the ALB request timeout is configurable from 1 to 3600 seconds. So Option B is correct.

Option A is wrong because increasing target group deregistration delay doesn't affect 502s. Option C is wrong because CloudFront doesn't help. Option D is wrong because increasing RDS connections doesn't address the timeout.

789
Multi-Select · easy

A company is migrating an SAP Business Suite system to AWS. They want to reduce storage costs by using Amazon S3 for archiving. Which TWO AWS services can be used to integrate SAP with Amazon S3 for archiving?

Select 2 answers
A. Amazon S3 Batch Operations
B. Amazon S3 Glacier
C. Amazon CloudFront
D. AWS Storage Gateway (file gateway)
E. SAP Data Archiving with S3 as the archive store
Answers: D, E

File gateway presents a file interface to S3 for SAP archiving.

Why this answer

Options A and D are correct. AWS Storage Gateway provides a file interface to S3, and SAP Data Archiving can use S3 as a target. Option B is wrong because Glacier is a storage class, not a service.

Option C is wrong because CloudFront is a CDN. Option E is wrong because S3 Batch Operations is for bulk actions, not archiving.

790
MCQ · easy

A company is planning to run SAP S/4HANA on AWS. The architect needs to ensure that the EC2 instances are SAP certified for the specific SAP HANA version. Where should the architect verify the instance certification?

A. SAP Support Portal
B. AWS Management Console under EC2 instance types
C. SAP Certified and Supported SAP HANA Hardware Directory
D. AWS documentation for SAP on AWS
Answer: C

This directory is the official source for SAP HANA hardware certification.

Why this answer

The SAP Certified and Supported SAP HANA Hardware Directory lists all certified hardware, including AWS instance types. Option A is wrong because the AWS documentation may not list all certifications. Option C is wrong because the AWS Management Console does not show SAP certification status.

Option D is wrong because the SAP Support Portal is for incidents, not hardware certification.

791
MCQ · medium

A company is running SAP HANA on AWS and needs to back up the database to Amazon S3. Which approach provides the most efficient and cost-effective backup strategy?

A. Use AWS Storage Gateway with tapes.
B. Use SAP HANA Backint agent to back up directly to S3.
C. Take EBS snapshots of the HANA data volumes.
D. Copy HANA data files to EC2 instance store.
Answer: B

Backint integrates with SAP HANA for efficient backups.

Why this answer

The correct answer is C because using SAP HANA's native backup to S3 via the Backint agent is the most efficient and cost-effective method. Option A is incorrect because EBS snapshots are for entire volumes and may include unused space. Option B is incorrect because copying to EC2 instance store is not durable.

Option D is incorrect because AWS Storage Gateway is more suited for on-premises integration.

792
MCQ · hard

A company is running SAP BusinessObjects on AWS and needs to back up the CMS database (an SAP HANA database) daily. The backup must be stored in Amazon S3 for long-term retention and must be recoverable within 4 hours. Which backup strategy meets these requirements?

A. Copy the HANA data files to an Amazon EBS volume in a different Availability Zone.
B. Configure the SAP HANA Backint agent to back up directly to Amazon S3.
C. Use AWS Backup to create application-consistent backups of the HANA database.
D. Take daily EBS snapshots of the HANA volumes.
Answer: B

Backint is the recommended method for HANA backups to S3, providing consistency and fast recovery.

Why this answer

Option A is correct because using HANA backup to S3 via the backint agent is a native and efficient method. Option B is wrong because taking EBS snapshots is not a database-consistent backup for HANA. Option C is wrong because AWS Backup does not natively support HANA database backups.

Option D is wrong because copying to EBS volumes is not a long-term storage solution.

793
MCQ · medium

During an SAP migration, the migration team needs to ensure that all SAP system IDs (SIDs) are unique across the AWS environment. Which AWS service can be used to centrally manage and enforce this uniqueness?

A. AWS Service Catalog
B. AWS Config
C. AWS Resource Access Manager
D. AWS CloudTrail
Answer: A

Service Catalog allows creating a product with constraints that enforce unique SIDs.

Why this answer

Option A is correct because AWS Service Catalog can define product portfolios with constraints, including preventing duplicate SIDs. Option B is wrong because AWS Config audits resources but doesn't enforce uniqueness. Option C is wrong because AWS CloudTrail logs API calls.

Option D is wrong because AWS Resource Access Manager shares resources, not manages SIDs.

794
MCQ · medium

A company runs SAP on AWS and uses a multi-AZ deployment for SAP HANA. The operations team notices that the secondary HANA node in the standby replica is not automatically taking over during a planned failover test. What is the most likely cause?

A. HANA system replication is not configured with 'PRIMARY' and 'SECONDARY' roles.
B. Security Groups are blocking replication traffic.
C. The secondary instance is launched in a different instance family.
D. The EBS volumes are not configured for replication across AZs.
Answer: A

Automatic failover requires proper HANA system replication configuration.

Why this answer

Option B is correct because automatic failover requires the HANA system replication to be configured with the correct mode. Option A is wrong because EBS volumes are replicated across AZs. Option C is wrong because HANA usually runs on the same instance type.

Option D is wrong because Security Groups do not affect failover.

795
MCQ · hard

A company runs SAP HANA on an m5.24xlarge EC2 instance. The instance has an EBS-optimized attachment and a high-performance EBS volume for data. The database team reports that write latency to the data volume is consistently above 5 ms during peak hours. Which action would most effectively reduce write latency?

A. Provision the data volume as an io2 Block Express volume with higher IOPS.
B. Use an Elastic Fabric Adapter (EFA) for storage traffic.
C. Change the data volume type to gp3.
D. Enable EBS optimization on the instance.
Answer: A

io2 Block Express provides sub-millisecond latency and high IOPS, suitable for SAP HANA.

Why this answer

Option D is correct because io2 Block Express volumes offer higher IOPS and lower latency for demanding workloads. Option A is wrong because enabling EBS optimization is already present on m5.24xlarge. Option B is wrong because gp3 is a general-purpose SSD with lower performance than io2.

Option C is wrong because Elastic Fabric Adapter is for HPC, not EBS latency.

796
MCQ · easy

Your company runs SAP Business Suite on AWS. The system has a three-tier architecture with a web dispatcher, application servers, and a HANA database. The operations team has been receiving alerts about high CPU usage on the application servers during peak hours. The application servers are currently running on m5.large instances. You need to ensure consistent performance without over-provisioning. What is the most cost-effective solution?

A. Add more application servers manually during peak hours
B. Upgrade all application servers to m5.xlarge instances
C. Use reserved instances to lower cost but keep existing instances
D. Configure Auto Scaling with a step scaling policy based on CPU utilization
Answer: D

Auto Scaling adjusts capacity dynamically based on demand, cost-effective.

Why this answer

Using an Auto Scaling group with a scaling policy based on CPU utilization ensures that instances are added only when needed, saving costs. Option A is correct.

797
MCQ · medium

A company runs its SAP ERP system on AWS. The database is SAP HANA on an EC2 instance. The system is critical and requires a recovery point objective (RPO) of less than 5 minutes and a recovery time objective (RTO) of less than 2 hours. Which solution meets these requirements with the LEAST operational overhead?

A. Use AWS Backup with the SAP HANA Backup and Restore feature (Backint integration) to perform continuous backups to S3.
B. Use EBS snapshots of the root and data volumes taken every 5 minutes.
C. Set up HANA system replication across two EC2 instances in different Availability Zones with manual failover.
D. Schedule manual HANA backups to S3 using cron scripts and hdbsql commands.
Answer: A

Continuous backups provide low RPO; automated restore meets RTO with low overhead.

Why this answer

AWS Backup with the SAP HANA Backup and Restore feature (Backint integration) provides continuous, incremental backups to Amazon S3, achieving an RPO of less than 5 minutes with automated, policy-driven backups. This solution minimizes operational overhead by eliminating manual scripting and infrastructure management, while supporting point-in-time recovery within the required RTO of under 2 hours.

Exam trap

The trap here is that candidates often overestimate the simplicity of EBS snapshots (Option B) for database workloads, not realizing that SAP HANA requires application-consistent backups and that frequent snapshots alone cannot achieve sub-5-minute RPO without significant custom orchestration.

How to eliminate wrong answers

Option B is wrong because EBS snapshots taken every 5 minutes cannot guarantee an RPO of less than 5 minutes due to snapshot initiation delays and the need to quiesce the HANA database, and they require manual or custom automation for consistency, increasing operational overhead. Option C is wrong because HANA system replication across Availability Zones with manual failover introduces significant operational overhead (manual intervention) and cannot meet the RTO of less than 2 hours reliably, as failover requires human action and coordination. Option D is wrong because scheduling manual HANA backups to S3 using cron scripts and hdbsql commands is error-prone, lacks automated monitoring, and requires custom scripting and maintenance, resulting in higher operational overhead and potential RPO/RTO gaps.

798
MCQ · easy

A company is designing a disaster recovery (DR) strategy for its SAP system on AWS. The primary site is in us-east-1 and the DR site in us-west-2. The RTO is 4 hours and RPO is 1 hour. Which AWS service should be used for cross-region replication of the SAP HANA database backups stored in Amazon S3?

A. AWS Backup with a cross-region backup plan.
B. Use AWS Storage Gateway to replicate backups.
C. Amazon S3 Cross-Region Replication (CRR).
D. Enable S3 Versioning on the source bucket.
Answer: C

S3 CRR automatically replicates new objects to another region, meeting RPO.

Why this answer

Amazon S3 Cross-Region Replication (CRR) is the correct choice because it automatically replicates objects (including SAP HANA database backups) from a source S3 bucket in us-east-1 to a destination bucket in us-west-2, meeting the 1-hour RPO by ensuring backups are available in the DR region within minutes of upload. CRR operates asynchronously at the object level, requires no additional infrastructure, and directly supports the stated requirement for cross-region replication of S3-stored backups without introducing extra latency or complexity.

Exam trap

The trap here is that candidates often confuse AWS Backup (which manages backup schedules and retention) with S3 CRR (which handles object-level replication), leading them to select AWS Backup despite it not being designed for cross-region replication of existing S3 objects.

How to eliminate wrong answers

Option A is wrong because AWS Backup with a cross-region backup plan is designed for scheduling and managing backups of AWS resources (e.g., EBS, RDS, DynamoDB) but does not natively replicate existing S3 objects; it would require creating separate backup copies, adding overhead and potentially missing the 1-hour RPO. Option B is wrong because AWS Storage Gateway is a hybrid storage service for on-premises to AWS connectivity (e.g., file, volume, or tape gateways) and is not designed for cross-region replication of S3 objects; it would introduce unnecessary complexity and latency. Option D is wrong because enabling S3 Versioning on the source bucket only preserves multiple versions of objects within the same bucket and region, providing protection against accidental deletion or overwrite, but does not replicate data to a different region, thus failing to meet the DR requirement for cross-region availability.

799
Multi-Select · easy

A company uses AWS Systems Manager to automate patching of SAP application servers. Which TWO resources are required to use Systems Manager Patch Manager?

Select 2 answers
A. An Application Load Balancer in front of the instances
B. AWS Systems Manager Agent (SSM Agent) installed on the EC2 instances
C. A NAT gateway for outbound internet access
D. An IAM role that grants Systems Manager permissions attached to the EC2 instances
E. An internet gateway attached to the VPC
Answers: B, D

SSM Agent is required for Systems Manager to communicate with instances.

Why this answer

Options A and B are correct. The SSM Agent must be installed on the EC2 instances to receive commands, and an IAM role with appropriate permissions must be attached to the instances. Option C is wrong because an internet gateway is not required if using VPC endpoints.

Option D is wrong because a load balancer is not needed for patching. Option E is wrong because a NAT gateway is not required if using VPC endpoints.

800
Multi-Select · easy

A company is migrating an on-premises SAP HANA database to AWS. They want to use AWS DMS for ongoing replication. Which TWO prerequisites must be met before starting the replication? (Choose TWO.)

Select 2 answers
A. The source database must be running on an EC2 instance.
B. The source database must have binary logging enabled (for CDC).
C. The source database must be accessible from the DMS replication instance.
D. The target database must be Amazon RDS for Oracle.
E. The schema must be converted using AWS SCT first.
Answers: B, C

Binary logging is required for change data capture.

Why this answer

AWS DMS requires a source endpoint that is accessible (Option A) and binary logging enabled for CDC (Option C). Option B is optional for performance. Option D is not required.

Option E is for SCT, not DMS.

801
MCQ · hard

An SAP system on AWS is experiencing performance degradation. The CloudWatch metrics show that the EBS volumes used for the HANA data files have an average queue length of 10 and average latency of 50 ms. What is the most likely cause?

A. EBS encryption is causing additional overhead.
B. EBS snapshots are being taken too frequently.
C. The EBS volume's provisioned IOPS are insufficient for the workload.
D. EBS optimization is not enabled on the instance.
Answer: C

Insufficient IOPS cause queuing and increased latency.

Why this answer

An average EBS queue length of 10 and average latency of 50 ms indicate that the volume is saturated with I/O requests. The queue length persistently exceeds the recommended threshold (typically <1 for optimal performance), and latency spikes above the 1–10 ms range for gp3 or io2 volumes. This directly points to insufficient provisioned IOPS for the SAP HANA workload, causing requests to queue up and wait for service.

Exam trap

The trap here is that candidates confuse high queue length with a snapshot or encryption issue, but AWS explicitly documents that queue length and latency are the primary indicators of IOPS exhaustion, not of background operations like snapshots or encryption.

How to eliminate wrong answers

Option A is wrong because EBS encryption uses AES-256 and is handled by the Nitro chip or instance hardware with negligible performance overhead; it does not cause queue buildup or latency spikes. Option B is wrong because EBS snapshots are incremental and taken from the control plane; they do not directly impact data-plane I/O latency or queue depth unless the volume is heavily utilized during a snapshot (which would still manifest as insufficient IOPS). Option D is wrong because EBS optimization is enabled by default on all current-generation instance types (e.g., m5, r5, x1e) and cannot be disabled; if it were missing on an older instance, it would cause a fixed bandwidth cap, not a queue-length symptom.

802
MCQ · easy

An organization wants to ensure that its SAP HANA database backups are stored in a separate AWS Region for disaster recovery. The backups are currently stored in Amazon S3 in the primary Region. Which AWS service should be used to replicate the backups to another Region automatically?

A. Amazon S3 Cross-Region Replication (CRR).
B. AWS Storage Gateway with volume gateway.
C. AWS Backup with a cross-region backup plan.
D. Amazon S3 Transfer Acceleration.
Answer: A

S3 CRR automatically replicates objects to another Region.

Why this answer

Option C is correct because S3 Cross-Region Replication is designed to automatically replicate objects to a destination bucket in another Region. Option A (AWS Backup) can copy backups but is not S3-specific and requires additional setup. Option B (S3 Transfer Acceleration) speeds up uploads but does not replicate.

Option D (AWS Storage Gateway) is for on-premises integration.

803
MCQ · easy

A company wants to use AWS Systems Manager to automate patching of SAP application servers. What is a prerequisite for Systems Manager to manage these EC2 instances?

A. Enable SSH access to the instances.
B. Assign a separate IAM role to each instance.
C. Install the SSM Agent on the EC2 instances.
D. Ensure the instances have public IP addresses.
Answer: C

SSM Agent is required for Systems Manager to communicate with instances.

Why this answer

AWS Systems Manager requires the SSM Agent to be installed and running on EC2 instances to enable communication with the Systems Manager service for patching and other management tasks. Without the agent, Systems Manager cannot send commands, initiate patching workflows, or gather inventory data from the instances. The SSM Agent is pre-installed on many Amazon Linux and Windows AMIs but must be manually installed on custom or imported images.

Exam trap

The trap here is that candidates often assume SSH or public IP addresses are required for remote management, but Systems Manager is designed to work without them, relying solely on the SSM Agent and IAM permissions over HTTPS.

How to eliminate wrong answers

Option A is wrong because SSH access is not required for Systems Manager; the service uses the SSM Agent over HTTPS (port 443) to communicate, not SSH. Option B is wrong because while an IAM role is necessary, a single IAM role can be shared across multiple instances; assigning a separate role to each instance is not a prerequisite. Option D is wrong because Systems Manager can manage instances in private subnets without public IP addresses, using VPC endpoints or Systems Manager managed instances with a NAT gateway.

804
Multi-Select · medium

Which TWO AWS services can be used to automate the patching of SAP EC2 instances? (Choose two.)

Select 2 answers
A. AWS Systems Manager Maintenance Windows
B. AWS Systems Manager Patch Manager
C. Amazon Inspector
D. AWS CloudFormation
E. AWS CodeDeploy
Answers: A, B

Schedules patching activities.

Why this answer

Options A and B are correct. Option C is wrong because CloudFormation is for infrastructure provisioning. Option D is wrong because CodeDeploy is for application deployment.

Option E is wrong because Inspector is for vulnerability scanning.

805
MCQ · medium

A company runs SAP S/4HANA on AWS and needs to ensure that the system can automatically recover from an Availability Zone failure. The solution must use synchronous replication for zero data loss. Which AWS architecture meets these requirements?

A. EBS snapshots taken every 5 minutes
B. Multi-AZ RDS for SAP HANA
C. Cluster placement group spanning two AZs
D. SAP HANA System Replication with synchronous replication
Answer: D

Synchronous HSR provides zero RPO and automatic failover across AZs.

Why this answer

Option D is correct because SAP HANA System Replication with synchronous replication across Availability Zones ensures zero data loss and automatic failover. Option A is incorrect because Multi-AZ RDS is not supported for HANA. Option B is incorrect because EBS snapshots are asynchronous and do not provide zero data loss.

Option C is incorrect because cluster placement groups are within a single AZ and do not provide cross-AZ failover.

806
MCQhard

An SAP Basis administrator notices that the SAP application server on an EC2 instance is experiencing intermittent high latency when writing to the SAP HANA database. The HANA database is on a separate EC2 instance in the same VPC and Availability Zone. Which configuration change is most likely to resolve the issue?

A.Launch the instances in a cluster placement group
B.Enable EBS optimization on both instances
C.Change the Elastic Network Adapter (ENA) to SR-IOV
D.Enable Jumbo Frames on the network interfaces
AnswerD

Jumbo Frames reduce overhead for large packets, improving network throughput and reducing latency for HANA communication.

Why this answer

The intermittent high latency when writing to SAP HANA is likely caused by network packet fragmentation. Enabling Jumbo Frames (MTU 9001) on the network interfaces of both the SAP application server and the HANA database EC2 instances reduces the number of packets required for large data transfers, lowers CPU overhead for packet processing, and improves throughput. This is a standard recommendation for SAP on AWS to optimize network performance between application and database layers.

Exam trap

The trap here is that candidates often confuse network performance issues with compute or storage optimizations, leading them to choose EBS optimization or placement groups, when the real fix is a simple MTU adjustment to eliminate packet fragmentation overhead.

How to eliminate wrong answers

Option A is wrong because a cluster placement group is designed for low-latency, high-bandwidth communication between instances, but it does not address the underlying packet fragmentation issue; it would only help if the instances were in different AZs or needed enhanced network performance, which is not the case here. Option B is wrong because EBS optimization is a feature that dedicates bandwidth between the EC2 instance and EBS volumes, not between two EC2 instances; it would not resolve network latency between the SAP app server and HANA database. Option C is wrong because the Elastic Network Adapter (ENA) is already the default modern network interface for current-generation instances, and SR-IOV (Single Root I/O Virtualization) is an older technology (e.g., Intel 82599 VF) that is not applicable to ENA; changing to SR-IOV would not improve performance and could cause compatibility issues.

807
MCQhard

An SAP administrator runs the above CloudWatch Logs Insights query on an application log group. The query returns no results even though the administrator knows there are ERROR messages in the logs. What is the most likely cause?

A.The query uses a regex pattern that is not supported by CloudWatch Logs Insights.
B.The query syntax is incorrect; the filter should use 'like' instead of '/.../'.
C.The time range is set to a period when no ERROR messages were logged.
D.The log events are not in plain text; they are in JSON format and the ERROR string is within a JSON field.
AnswerD

If logs are JSON, @message contains the entire JSON string; the filter may need to target a specific field.

Why this answer

Option B is correct because the query filters on the @message field, but CloudWatch Logs stores the log event message in the @message field. However, if the log events are not parsed correctly (e.g., if using JSON logs), the filter may not match. Option A is wrong because the syntax is correct.

Option C is wrong because the query does not use regex. Option D is wrong because time range affects the results but does not cause zero results if errors exist.

808
MCQmedium

Refer to the exhibit. An administrator runs the AWS CLI command shown. The instance is running Windows. Which of the following is true based on the output?

A.The instance is in the 'stopped' state.
B.The instance is in the 'running' state, but the status of the SAP application is unknown from this output.
C.The instance type is t2.micro.
D.The instance is running Linux.
AnswerB

The CLI output only shows instance metadata, not application health.

Why this answer

Option B is correct because the command output shows the instance is running, but it does not provide any information about the SAP application status. Option A is wrong because the Platform value is 'windows'. Option C is wrong because the state is 'running', not 'stopped'.

Option D is wrong because the query does not return the instance type.

809
MCQhard

A company runs its SAP ERP system on AWS using a multi-tier architecture. The SAP application servers are in an Auto Scaling group across two Availability Zones, and the SAP HANA database runs on a single large EC2 instance (r5.24xlarge) with 768 GB of memory and EBS Provisioned IOPS SSD (io1) volumes. The operations team recently noticed that the database performance degrades intermittently during peak business hours. CloudWatch metrics show that the database instance's CPU utilization remains below 40%, but the ReadLatency and WriteLatency for the EBS volumes spike above 10 ms during these periods, and the VolumeQueueLength metric increases significantly. The database instance uses a single EBS volume for /hana/data and another for /hana/log. The team has already verified that there are no network bottlenecks and that the SAP application servers are not overwhelming the database with queries. What is the MOST likely cause of the latency spikes, and what action should be taken?

A.Change the EBS volume type from io1 to st1 for higher throughput.
B.Add more SAP application servers to distribute the load and reduce database contention.
C.Enable EBS encryption on the volumes to improve I/O performance.
D.Upgrade the EC2 instance to a Nitro-based instance type like r5b.24xlarge, which provides higher EBS bandwidth and lower latency.
AnswerD

Nitro instances offer better EBS performance.

Why this answer

Option B is correct because the symptoms suggest that the EBS volumes are not meeting the required IOPS, causing queueing and latency. Switching to Nitro instances that support EBS optimization at higher bandwidth can improve performance. Option A is wrong because adding more application servers would increase load, not reduce latency.

Option C is wrong because enabling encryption does not improve IOPS. Option D is wrong because changing volume type to st1 (throughput optimized) is not suitable for low-latency database workloads.

810
MCQeasy

A company is migrating an SAP NetWeaver system from on-premises to AWS. They plan to use the same SAP SID and keep the same hostname. The migration will be performed using SAP Software Provisioning Manager (SWPM) with the option 'System Rename' set to 'No'. What must be configured in the AWS environment to ensure the system functions correctly?

A.Ensure the same private IP address is assigned to the Amazon EC2 instance
B.Update the DNS records to point to the new public IP
C.Change the SAP SID to a new value
D.Assign a different private IP address to avoid conflicts
AnswerA

Matching IP avoids reconfiguration of application and database connections.

Why this answer

Option A is incorrect because the system uses the same hostname, so DNS updates are not needed. Option B is incorrect because AWS does not enforce different private IPs; the old IP can be reused. Option C is incorrect because the same SAP SID is allowed; no change required.

Option D is correct because the Amazon EC2 instance must have the same private IP as the on-premises hostname resolves to, or the hostname must be resolvable via DNS or /etc/hosts.

811
Multi-Selectmedium

A company is running SAP HANA on AWS and needs to ensure high availability for the SAP Central Services (ASCS/ERS) instance. Which TWO actions should be taken to achieve this? (Choose two.)

Select 2 answers
A.Configure ASCS and ERS on separate EC2 instances in different Availability Zones.
B.Use an Application Load Balancer to distribute traffic between ASCS and ERS instances.
C.Use a Network Load Balancer with a floating IP address for the SAP virtual hostname.
D.Deploy both ASCS and ERS on the same EC2 instance to reduce latency.
E.Place both ASCS and ERS in the same Availability Zone to minimize network latency.
AnswersA, C

Separate instances in different AZs provide high availability.

Why this answer

For SAP HANA high availability, the ASCS and ERS instances must run on separate EC2 instances (or separate Availability Zones) to avoid a single point of failure. Using a Network Load Balancer with a floating IP address for the virtual hostname ensures seamless failover. Option B (single instance) would not provide HA.

Option E (using a Classic Load Balancer) is not recommended for SAP ASCS/ERS; AWS recommends NLB. Option C (single AZ) defeats HA. Option D (application-based routing) is not needed; NLB uses IP/host-based routing.

812
Multi-Selecteasy

Which TWO AWS services can be used to migrate on-premises virtual machines to AWS without requiring agent installation? (Choose two.)

Select 2 answers
A.AWS CloudEndure Migration
B.AWS Database Migration Service (DMS)
C.AWS Application Migration Service (MGN) with agent
D.AWS Application Migration Service (MGN) agentless mode
E.AWS Server Migration Service (SMS)
AnswersD, E

MGN supports agentless for supported hypervisors.

Why this answer

AWS SMS is agentless for VMware. AWS MGN can be agentless for certain hypervisors. Options A and D are correct.

Options B and C are agent-based. Option E is for databases.

813
MCQeasy

A company runs SAP on AWS and wants to back up its SAP HANA database to Amazon S3. The database is 2 TB in size. The backup must be encrypted at rest in S3 and must be cost-effective. Which approach should the company use?

A.Use AWS Backup to directly back up the SAP HANA database to S3 with SSE-S3
B.Configure a cron job to copy the SAP HANA backup files from EBS to S3 using AWS CLI
C.Install the SAP HANA Backint agent for Amazon S3 and configure it to use SSE-S3 encryption
D.Use SAP HANA Studio to export the database to a file on EBS and then manually upload to S3
AnswerC

Backint is the recommended method for backing up SAP HANA to S3 with encryption.

Why this answer

Option C is correct because Backint agent for SAP HANA integrates with AWS Backup and uses S3, enabling server-side encryption with SSE-S3 at no extra cost. Option A is wrong because AWS Backup does not support direct backup of SAP HANA to S3 without Backint. Option B is wrong because the SAP HANA file-level backup would require backup to EBS and then to S3, adding complexity.

Option D is wrong because manual copy to S3 is not automated.

814
MCQeasy

An SAP system administrator needs to monitor the CPU utilization of an EC2 instance running SAP NetWeaver. The administrator wants to receive an alert when the CPU utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to create this alarm?

A.AWS CloudTrail
B.AWS Config
C.Amazon CloudWatch Logs
D.Amazon CloudWatch Alarms
AnswerD

CloudWatch Alarms can monitor CPU utilization metric.

Why this answer

Option B is correct because CloudWatch Alarms can monitor metrics and trigger actions. Option A is wrong because CloudWatch Logs is for log data. Option C is wrong because CloudTrail is for API activity.

Option D is wrong because Config is for resource configuration.

815
MCQmedium

Refer to the exhibit. An Application Load Balancer is configured to route traffic to an Auto Scaling group of web servers. The health check for the target group is failing. The web servers are healthy and running, but the health check endpoint is returning a 503 status code because the application cannot connect to the database. The database is an Amazon RDS instance in the same VPC. Which action should the solutions architect take to resolve the health check failure?

A.Restart the web server instances to reset the database connection.
B.Change the health check endpoint to a static page that does not require database connectivity.
C.Modify the application's health check endpoint to return a 200 OK status even when the database is unavailable.
D.Increase the health check interval to allow more time for the database to respond.
AnswerB

A static health check page will return 200 even if the database is down, allowing the instance to pass the health check.

Why this answer

Option B is correct because the health check endpoint should validate the web server's ability to serve traffic, not the database's availability. By changing the health check to a static page (e.g., /health.html) that does not depend on database connectivity, the load balancer will correctly assess the web server's health independently. This decouples the health check from the database, preventing cascading failures where a database outage causes all web servers to be marked unhealthy and removed from the target group.

Exam trap

The trap here is that candidates may think the health check must reflect the full application stack (including database connectivity), but AWS best practice is to keep health checks lightweight and independent of external dependencies to prevent cascading failures.

How to eliminate wrong answers

Option A is wrong because restarting the web server instances does not resolve the underlying database connectivity issue; the application will still fail to connect to the database after restart, and the health check will continue to return 503. Option C is wrong because modifying the application to return a 200 OK status even when the database is unavailable would mask a real application failure, causing the load balancer to route traffic to unhealthy servers that cannot serve complete requests, leading to user-facing errors. Option D is wrong because increasing the health check interval does not fix the database connectivity problem; it only delays the detection of the failure, and the health check will still fail when it eventually runs.

816
MCQeasy

Refer to the exhibit. An SAP system administrator checks disk usage on an SAP HANA instance. The /hana/log volume is at 80% usage. What is the recommended course of action to prevent issues?

A.Take a snapshot of the instance and terminate it.
B.Increase the size of the EBS volume for /hana/log and extend the filesystem.
C.Delete old backup files from /hana/log.
D.Move some data from /hana/log to /hana/data.
AnswerB

Increasing volume size provides more space for log files.

Why this answer

SAP HANA requires that the log volume have sufficient free space to avoid transaction log overflow. The best practice is to increase the size of the log volume. Deleting logs manually is risky, and moving data volumes is not appropriate.

The recommended action is to increase the EBS volume size and extend the filesystem.

817
MCQmedium

An organization is migrating a legacy SAP ERP system to AWS. The current system runs on IBM AIX with Oracle Database. They plan to use SAP HANA on AWS. Which AWS service should they use to assess the source system's readiness and generate a migration plan?

A.AWS CloudEndure Migration
B.AWS Application Migration Service (AWS MGN)
C.AWS Database Migration Service (DMS)
D.AWS Schema Conversion Tool (SCT)
AnswerB

AWS MGN provides assessment, replication, and automated migration.

Why this answer

AWS Application Migration Service (AWS MGN) can assess and migrate applications. It provides readiness checks and automates the migration. Option C is correct.

Option A (AWS DMS) is for database migration, not full system assessment. Option B (AWS SCT) is for schema conversion. Option D (AWS CloudEndure) is the predecessor to AWS MGN.

818
MCQhard

An SAP on AWS environment includes multiple instances across Availability Zones. The operations team needs to automatically replace an unhealthy EC2 instance that is part of an SAP application cluster. Which AWS service can automatically detect and replace the instance based on health checks?

A.Elastic Load Balancing
B.AWS Systems Manager Automation
C.Auto Scaling group
D.Amazon CloudWatch alarms
AnswerC

Auto Scaling replaces unhealthy instances based on health checks.

Why this answer

Option B is correct because an Auto Scaling group with health checks can automatically replace unhealthy instances. Option A is incorrect because ELB only distributes traffic and does not replace instances. Option C is incorrect because CloudWatch alarms only notify.

Option D is incorrect because Systems Manager automates tasks but does not replace instances automatically.

819
MCQmedium

Refer to the exhibit. An SAP administrator has attached the IAM policy above to an IAM role used by an EC2 instance for S3 backup operations. The backup process fails with 'Access Denied' when trying to upload a backup file. What is the most likely cause?

A.The policy does not include s3:ListBucket permission
B.The policy does not include kms:GenerateDataKey and kms:Encrypt
C.The policy allows kms:Decrypt on all resources, which is too permissive
D.The policy uses s3:PutObject but the bucket policy denies uploads
AnswerB

KMS encrypted S3 operations require these permissions.

Why this answer

The policy allows s3:PutObject but is missing kms:GenerateDataKey and kms:Encrypt for server-side encryption. Without those, PutObject fails if the bucket uses KMS encryption. s3:GetObject is not needed for upload. kms:Decrypt alone is insufficient.

820
MCQmedium

An administrator runs the AWS CLI command shown and receives the output. The administrator wants to retrieve the private IP address of the ASCS instance using CloudFormation stack outputs. What is the most efficient way to get this IP address?

A.Check the CloudFormation stack events for the private IP.
B.Use the AWS CLI to describe the EC2 instance using the instance ID.
C.Use AWS Systems Manager to find the IP from the instance ID.
D.Modify the CloudFormation template to add the private IP as an output.
AnswerD

Adding the private IP as an output in the template is the most direct way to expose it via CloudFormation.

Why this answer

Option B is correct because CloudFormation stack outputs can be passed as parameter values or referenced in other stacks. The ASCS instance ID is available, but the private IP is not directly in outputs. However, the question asks for 'most efficient way to get this IP address' using CloudFormation.

Option A is incorrect because the output does not include IP. Option C is incorrect because it's a different approach (EC2 API). Option D is incorrect because Systems Manager can get IP but is not using CloudFormation.

821
MCQhard

An SAP administrator is troubleshooting a failed backup of SAP HANA to Amazon S3. The backup is initiated by an SAP HANA BACKUP command using the S3 backint agent. The error log shows 'HTTP 403 Forbidden' when the agent tries to upload to the S3 bucket. The bucket policy allows s3:PutObject from the VPC endpoint. What is the most likely cause?

A.The S3 bucket does not exist.
B.The S3 bucket is not in the same AWS Region as the EC2 instance.
C.The S3 bucket uses server-side encryption with AWS KMS (SSE-KMS) and the IAM role lacks kms:GenerateDataKey.
D.The VPC endpoint policy for S3 does not grant the required actions to the IAM role.
AnswerD

VPC endpoint policies can restrict access even if bucket policy allows it.

Why this answer

Option C is correct because VPC endpoint policies are separate from bucket policies and often need to grant access explicitly. Option A is wrong because the bucket already exists. Option B is wrong because encryption settings would cause different errors (e.g., Access Denied if KMS key is missing).

Option D is wrong because the error is 403, not timeout.

822
MCQhard

A company runs SAP HANA on AWS using a clustered environment with two EC2 instances in an active/passive configuration. The cluster uses a shared EFS file system for the SAP HANA shared volume. The operations team recently migrated the EFS file system from the previous generation to Elastic Throughput mode to improve performance. After the migration, the HANA database becomes unresponsive intermittently. The team notices that the EFS mount target is in a different Availability Zone than the active HANA instance. What is the most likely cause of the unresponsiveness?

A.The EFS file system does not provide sufficient IOPS for HANA workloads.
B.The EFS Elastic Throughput mode is throttling the HANA database traffic.
C.The EFS mount target is in a different Availability Zone than the active HANA instance, causing high latency and potential timeouts.
D.The EFS file system has reached its maximum number of concurrent connections.
AnswerC

Accessing EFS across Availability Zones increases latency, which can cause HANA to become unresponsive.

Why this answer

Option B is correct. EFS access from a different Availability Zone incurs cross-AZ data transfer costs and higher latency, which can cause performance issues and timeouts for HANA. Option A is wrong because HANA does not require provisioned IOPS for shared storage; EFS is suitable.

Option C is wrong because Elastic Throughput mode is designed to handle variable workloads. Option D is wrong because HANA does not block a certain number of concurrent connections to EFS; the issue is latency.

823
MCQhard

An SAP system is running on EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The SAP application logs indicate intermittent timeouts. The operations team has enabled detailed CloudWatch metrics for the ALB. Which metric should they analyze to determine if the ALB is the cause of the timeouts?

A.HTTPCode_ELB_5XX
B.HealthyHostCount
C.TargetResponseTime
D.RequestCount per target
AnswerD

Reveals if some targets receive more requests, leading to timeouts.

Why this answer

Option D is correct because `RequestCount` per target helps identify if traffic is unbalanced. Option A (`HealthyHostCount`) shows health status but not request distribution. Option B (`TargetResponseTime`) indicates latency but not directly timeouts.

Option C (`HTTPCode_ELB_5XX`) shows ALB errors but not per-target imbalance.

824
MCQhard

A company runs SAP S/4HANA on AWS with a multi-tier landscape (DEV, QAS, PRD). The PRD system uses a clustered setup with two application servers behind an Application Load Balancer. The database is a single-node HANA on an r5.24xlarge instance. The administrator receives an alert that the PRD application is slow. CloudWatch metrics show high CPU utilization on the two application servers (average 95%) and high DB connection count. The ALB shows increased request latency. The database CPU is at 60%. The administrator suspects a SQL query performance issue. What should be the first step to identify the root cause?

A.Configure CloudWatch Logs to capture HANA trace logs and analyze them.
B.Enable detailed SQL trace in HANA to identify high-resource queries.
C.Add two more application servers to distribute the load.
D.Increase the size of the HANA database instance to reduce CPU pressure.
AnswerB

SQL trace identifies specific queries causing performance issues.

Why this answer

The symptoms (high CPU on app servers, high DB connections, increased ALB latency, DB CPU at 60%) strongly suggest a SQL query performance bottleneck, not a capacity issue. Enabling detailed SQL trace in HANA (option B) is the most direct first step to identify the specific high-resource queries causing the slowdown, as it captures execution plans, wait times, and resource consumption per query. This aligns with SAP's recommended troubleshooting methodology for HANA performance issues.

Exam trap

The trap here is that candidates may confuse high application server CPU with a scaling issue (option C) or assume high DB connections mean the database is underpowered (option D), rather than recognizing that a SQL performance problem can manifest as app-side symptoms while the DB CPU remains moderate.

How to eliminate wrong answers

Option A is wrong because CloudWatch Logs can capture HANA trace logs, but the first step should be to enable a targeted SQL trace to pinpoint problematic queries, not to passively collect general logs. Option C is wrong because adding application servers would not resolve a SQL query performance issue; it would only mask the symptom by distributing load, and the root cause (poor query) would remain. Option D is wrong because increasing the HANA database instance size would not fix a SQL query performance issue; the DB CPU is only at 60%, indicating the bottleneck is likely inefficient queries, not insufficient compute capacity.

825
MCQhard

An SAP administrator created the IAM policy shown above to control access to an S3 bucket used for SAP HANA backups. The policy is attached to an IAM role used by an EC2 instance. The instance fails to upload backups. What is the cause?

A.The policy does not allow encryption (SSE-S3) which is required for backups.
B.The 'aws:SecureTransport' condition in the Deny statement is incorrectly using 'BoolIfExists' instead of 'Bool'.
C.The VPC endpoint ID in the policy does not match the actual endpoint.
D.The Deny statement overrides the Allow statement for all actions.
AnswerB

Using 'BoolIfExists' will deny requests even if the key is absent, which may deny legitimate HTTPS requests if the condition is mis-evaluated. 'Bool' should be used to explicitly check for false.

Why this answer

Option D is correct because the Deny statement for 'aws:SecureTransport': 'false' will deny requests that are not using HTTPS. However, the condition 'BoolIfExists' evaluates to true if the key exists and is false, or if the key does not exist. If the request comes from an EC2 instance, the condition might not be met as expected.

Option A (wrong VPC endpoint) is not relevant. Option B (explicit deny) is not the issue. Option C (lack of encryption) is not enforced by the policy.
