AWS Certified SAP on AWS Specialty PAS-C01 (PAS-C01) — Questions 901975

1733 questions total · 24pages · All types, answers revealed

Page 12

Page 13 of 24

Page 14
901
MCQeasy

A company runs SAP HANA on AWS and needs to ensure that the database can be restored to any point in time within the last 48 hours with minimal data loss. Which backup strategy should be used?

A.Use Amazon EBS snapshots every 6 hours.
B.Schedule daily full backups and hourly incremental log backups to Amazon S3 using Backint.
C.Use AWS Backup with a daily backup plan.
D.Take weekly full backups and daily differential backups to Amazon S3.
AnswerB

This combination allows point-in-time recovery with minimal data loss.

Why this answer

Option B is correct because SAP HANA supports Backint integration with Amazon S3 for log backups, enabling point-in-time recovery (PITR) with minimal data loss. Daily full backups combined with hourly incremental log backups ensure that any transaction committed within the last 48 hours can be restored, meeting the RPO requirement of minimal data loss.

Exam trap

The trap here is that candidates often confuse EBS snapshots or AWS Backup with SAP HANA's specific requirement for Backint-based log backups, assuming general-purpose backup tools can achieve the same PITR granularity without understanding SAP HANA's dependency on transaction log continuity.

How to eliminate wrong answers

Option A is wrong because Amazon EBS snapshots every 6 hours cannot achieve point-in-time recovery to any moment within 48 hours; they only provide recovery points every 6 hours, leading to potential data loss of up to 6 hours. Option C is wrong because AWS Backup with a daily backup plan does not support the granular log backups needed for SAP HANA PITR; it lacks the Backint integration for transaction log backups. Option D is wrong because weekly full backups with daily differential backups do not provide the hourly log backup granularity required for minimal data loss; differential backups capture changes since the last full backup, not transaction-level logs, so PITR within 48 hours is not possible.

902
MCQmedium

A company runs SAP on AWS and uses a shared Amazon EFS file system for /sapmnt and /usr/sap/trans. The administrator wants to control access to specific directories based on the source IP address of the SAP application servers. Which method should be used to achieve this?

A.Configure security group rules to allow only specific IP addresses
B.Use Amazon S3 bucket policies with IP conditions
C.Use Amazon EFS access points with IAM policies
D.Use network ACLs to restrict access by IP
AnswerC

Access points enforce directory access, IAM policies can restrict by IP.

Why this answer

Option C is correct because EFS access points with IAM authorization can enforce user/group and root directory permissions, and IAM policies can restrict access based on source IP. Option A is wrong because security group rules apply at the network level, not directory level. Option B is wrong because NACLs are stateless and not directory-aware.

Option D is wrong because S3 bucket policies are for S3, not EFS.

903
MCQmedium

An SAP system on AWS uses an Application Load Balancer (ALB) to distribute traffic to multiple SAP application servers. The ALB is configured with a TCP listener. Users report that some sessions are terminated unexpectedly. What is the MOST likely cause?

A.The ALB is not configured with SSL termination.
B.The target group health check interval is set too low.
C.The ALB idle timeout setting is shorter than the SAP session timeout.
D.The ALB is configured with cross-zone load balancing disabled.
AnswerC

If idle timeout is lower than SAP session timeout, connections are dropped.

Why this answer

The ALB's idle timeout setting controls how long the load balancer keeps a connection open without data transfer. If this timeout is shorter than the SAP session timeout, the ALB will close the connection prematurely, causing the user's session to be terminated unexpectedly. This is a common mismatch when long-running SAP transactions or background jobs do not send data within the ALB's idle timeout window.

Exam trap

The trap here is that candidates often confuse the ALB's idle timeout with the target group health check interval, assuming that frequent health checks cause session drops, when in fact health checks do not affect established connections.

How to eliminate wrong answers

Option A is wrong because SSL termination is not required for TCP listeners; TCP listeners pass traffic through without decryption, and the lack of SSL termination does not cause session termination. Option B is wrong because setting the health check interval too low would cause the target group to mark instances as unhealthy more frequently, potentially dropping connections, but the described symptom is unexpected session termination, not health check failures; a low interval actually increases health check frequency, which does not directly terminate established sessions. Option D is wrong because disabling cross-zone load balancing affects traffic distribution across Availability Zones, not the persistence of individual TCP sessions; it may cause uneven load but does not terminate active sessions.

904
MCQmedium

A company is running SAP Business Suite on AWS. The system includes a central services (ASCS) instance, a primary application server (PAS), and a database server running SAP HANA. The company recently experienced an outage when the EC2 instance hosting the ASCS instance failed due to a hardware issue. The system was down for 4 hours while the IT team manually recovered the ASCS instance from an AMI. The company wants to implement a highly available ASCS instance with automatic failover and a Recovery Time Objective (RTO) of less than 15 minutes. The system is currently running in a single Availability Zone. What should the company do to meet these requirements?

A.Place the ASCS instance behind an Application Load Balancer and configure health checks.
B.Configure an Auto Scaling group for the ASCS instance with a minimum of 1 and maximum of 2, and use a lifecycle hook to attach an Elastic IP.
C.Deploy a second ASCS instance in a different Availability Zone, set up SAP enqueue replication, and use a virtual IP address with Route 53 health checks for failover.
D.Enable CloudWatch EC2 Auto Recovery on the ASCS instance and configure it to start a new instance in a different AZ.
AnswerC

SAP's enqueue replication and multi-AZ deployment with DNS failover meets RTO and provides high availability.

Why this answer

Option A is correct because SAP's enqueue replication and ASCS clustering across AZs with a virtual hostname provides automatic failover. Option B is wrong because ASG does not provide application-level clustering. Option C is wrong because CloudWatch recoveries only restart the instance in the same AZ, not cross-AZ, and does not handle enqueue state.

Option D is wrong because ELB is not for ASCS failover.

905
MCQeasy

An SAP application server on an EC2 instance is unable to connect to the SAP HANA database on another EC2 instance. Both instances are in the same VPC and security groups allow traffic. What is the most likely cause?

A.The VPC does not have an Internet Gateway
B.The security group for the database instance does not allow inbound traffic on the HANA port
C.Network ACLs are blocking traffic
D.The route table does not have a local route
AnswerB

HANA uses port 3XX13; must be allowed.

Why this answer

Option B is correct because the most likely cause is that the security group attached to the SAP HANA database instance does not have an inbound rule allowing traffic on the SAP HANA database port (typically 3<span>00</span>15 for HANA system DB or 3<span>NN</span>13 for tenant DBs). Even if the security group for the application server allows outbound traffic, the database security group must explicitly permit inbound TCP traffic from the application server's security group or IP address on the correct HANA port. Without this rule, the database will reject the connection at the instance level.

Exam trap

The trap here is that candidates often confuse security groups (stateful, instance-level) with Network ACLs (stateless, subnet-level) and assume that if the security group allows outbound traffic from the app server, the connection should work, forgetting that the database's security group must also allow inbound traffic on the specific HANA port.

How to eliminate wrong answers

Option A is wrong because an Internet Gateway is only required for instances to communicate with the internet or with other VPCs via public IPs; it is not needed for communication between two EC2 instances within the same VPC. Option C is wrong because Network ACLs are stateless and, by default, allow all inbound and outbound traffic in a default VPC; even if custom NACLs were used, they would need to explicitly block traffic on the HANA port, which is less common than a missing security group rule. Option D is wrong because the route table in a VPC always includes a local route for the VPC CIDR by default, which enables direct communication between instances in the same VPC without any additional configuration.

906
MCQmedium

An SAP system is experiencing performance issues during peak hours. The SAP application servers are running on EC2 instances behind a Network Load Balancer (NLB). The NLB is configured to use cross-zone load balancing. The issue is that one application server receives significantly more traffic than others. What is the most likely cause?

A.The application servers have different instance sizes, causing the NLB to send more traffic to larger instances
B.The NLB is using round-robin algorithm and one server is slower
C.The flow hash algorithm is causing an uneven distribution of client traffic
D.The health check is failing on the other servers
AnswerC

NLB uses a flow hash based on source IP, port, and protocol; with few clients, distribution can be uneven.

Why this answer

Option D is correct because NLB distributes traffic based on flow hash, which can lead to uneven distribution, especially with fewer flows. Option A is wrong because NLB does not use round-robin. Option B is wrong because NLB does not have a health check that would skew traffic.

Option C is wrong because NLB distributes traffic regardless of instance size.

907
Multi-Selecteasy

Which TWO AWS services can be used to store SAP backup data? (Choose two.)

Select 2 answers
A.Amazon S3
B.Amazon S3 Glacier
C.Amazon RDS
D.Amazon DynamoDB
E.Amazon EBS
AnswersA, B

S3 is a common backup target.

Why this answer

Options A and D are correct. Amazon S3 is an object storage service commonly used for backups. Amazon S3 Glacier is a low-cost archive storage for long-term backups.

Option B is wrong because Amazon EBS is block storage attached to EC2, not a backup target. Option C is wrong because Amazon RDS is a managed database service, not storage for SAP backups. Option E is wrong because Amazon DynamoDB is a NoSQL database.

908
MCQhard

An IAM policy for a migration team is shown in the exhibit. The team is unable to start a DMS replication task. What is the most likely missing permission?

A.dms:CreateReplicationInstance and dms:CreateEndpoint
B.s3:ListBucket
C.kms:Decrypt
D.ec2:CreateNetworkInterface
AnswerA

DMS needs these to set up the migration infrastructure.

Why this answer

Option C is correct because DMS requires permissions to create and manage DMS resources like replication instances, endpoints, and subnet groups. The policy lacks 'dms:CreateReplicationInstance' and 'dms:CreateEndpoint' which are necessary for the task to function. Option A is wrong because S3 permissions are present.

Option B is wrong because EC2 Describe actions are present. Option D is wrong because KMS is not mentioned and may not be needed.

909
MCQmedium

A company runs SAP HANA on EC2 with EBS io1 volumes. The administrator notices that the disk queue depth is consistently high during peak hours, causing increased latency. The volume is 2 TB with 5000 provisioned IOPS. The instance is an r5.4xlarge with EBS bandwidth of 4750 Mbps. The database workload is write-intensive. The administrator wants to reduce latency without increasing costs significantly. Which action should the administrator take?

A.Increase the provisioned IOPS to 10,000
B.Enable EBS Multi-Attach and use multiple instances to share the volume
C.Change the volume type to gp3 with 5000 IOPS
D.Upgrade the EC2 instance to an r5.8xlarge
AnswerA

Higher IOPS reduces queue depth and latency.

Why this answer

Option A is correct because increasing IOPS to 10,000 will double the IOPS, reducing queue depth. Option B is wrong because changing to gp3 may not provide the same performance. Option C is wrong because instance size increases cost.

Option D is wrong because enabling Multi-Attach does not address queue depth.

910
MCQhard

An SAP on AWS environment is experiencing intermittent connectivity issues between the SAP application servers and the SAP HANA database. Both are in the same VPC but in different Availability Zones. The network team has confirmed that the security groups allow traffic on the required ports. What is a likely cause of the issue?

A.AWS Shield Advanced is blocking legitimate traffic.
B.Network ACLs are misconfigured, blocking return traffic.
C.VPC Flow Logs are enabled and dropping packets.
D.The VPC is using AWS Direct Connect, which adds latency.
AnswerB

NACLs are stateless and must allow both inbound and outbound.

Why this answer

Network ACLs are stateless, meaning they evaluate inbound and outbound traffic separately. Even if inbound rules allow traffic from the SAP application servers to the HANA database, the outbound rules on the database subnet's NACL must explicitly allow the return traffic (ephemeral ports) back to the application servers. Misconfigured outbound rules in the NACL can drop the response packets, causing intermittent connectivity issues between the application and database tiers across Availability Zones.

Exam trap

The trap here is that candidates often assume security groups (which are stateful) are the only firewall layer, forgetting that Network ACLs are stateless and require explicit outbound rules for return traffic, especially when traffic crosses Availability Zones.

How to eliminate wrong answers

Option A is wrong because AWS Shield Advanced is a DDoS protection service that does not block legitimate traffic based on application-layer rules; it only mitigates volumetric attacks and requires explicit configuration to filter traffic. Option C is wrong because VPC Flow Logs are a monitoring feature that captures metadata about IP traffic; they do not drop or block packets. Option D is wrong because AWS Direct Connect provides a dedicated network connection that reduces latency compared to the public internet; it does not add latency and is not the cause of intermittent connectivity within the same VPC.

911
MCQhard

An SAP system on AWS is experiencing intermittent connectivity issues between the application servers and the HANA database. The network team has confirmed that the VPC and subnets are configured correctly. What should the operations team check NEXT?

A.DNS resolution for the database endpoint.
B.VPC route tables for the application subnet.
C.Security group rules on the database server.
D.Network ACLs on the database subnet.
AnswerC

Security group rules can cause intermittent issues if not properly configured for HANA ports.

Why this answer

Option B is correct because security group rules for HANA database default deny inbound traffic; if not properly configured, they can block application traffic. Option A is wrong because NACLs are stateless and less likely to cause intermittent issues. Option C is wrong because route tables typically do not change.

Option D is wrong because DNS resolution is not the likely cause of intermittent connectivity.

912
MCQmedium

A company is using AWS DMS to migrate an SAP database. The full load is complete, but the CDC latency is high. Which step should the company take to reduce latency?

A.Increase the compute capacity of the DMS replication instance.
B.Increase the size of the target database instance.
C.Restart the DMS replication task.
D.Disable change data capture (CDC) on the source database.
AnswerA

A larger replication instance can process CDC faster.

Why this answer

Option C is correct because increasing the instance size of the DMS replication instance can improve performance and reduce CDC latency. Option A is wrong because disabling logging would break CDC. Option B is wrong because increasing the target database size may help but not directly reduce DMS latency.

Option D is wrong because restarting the task may cause temporary downtime but does not address the root cause.

913
MCQmedium

An AWS IAM policy is attached to a role used by an SAP migration tool. The migration fails because the tool cannot create EC2 instances. What is the missing permission?

A.ec2:DescribeImages
B.ec2:RunInstances
C.ec2:AllocateAddress
D.ec2:CreateVolume
AnswerB

RunInstances is required to create new EC2 instances.

Why this answer

The policy allows Describe, Start, Stop, and volume operations but does not include 'ec2:RunInstances' which is required to create instances. 'ec2:CreateVolume' is not needed if attaching existing volumes. 'ec2:Describe*' is not sufficient.

914
MCQmedium

An SAP system on AWS uses an Application Load Balancer (ALB) to distribute traffic to multiple SAP Web Dispatchers. The system is experiencing intermittent session drops. What is the most likely cause?

A.The ALB is not configured for sticky sessions.
B.The ALB deletion protection is enabled.
C.The ALB health check interval is too short.
D.Cross-zone load balancing is not enabled on the ALB.
AnswerA

Without sticky sessions, subsequent requests may go to different Web Dispatchers, breaking session state.

Why this answer

The ALB operates at Layer 7 and, by default, distributes each request independently across healthy targets. SAP Web Dispatchers maintain user session state (e.g., logon tickets, application context) locally. Without sticky sessions (session affinity) enabled on the ALB, subsequent requests from the same user can be routed to a different Web Dispatcher, causing the new dispatcher to lack the session context and dropping the user's session.

Enabling stickiness based on the ALB-generated cookie ensures all requests from a session are sent to the same Web Dispatcher, preventing these intermittent drops.

Exam trap

The trap here is that candidates often confuse health check intervals or cross-zone load balancing with session persistence, assuming that any routing issue must be caused by target availability or distribution, rather than recognizing that the ALB's default stateless behavior is the root cause of session drops in stateful SAP Web Dispatcher deployments.

How to eliminate wrong answers

Option B is wrong because deletion protection only prevents accidental deletion of the ALB itself; it has no effect on traffic routing or session persistence. Option C is wrong because a health check interval that is too short would cause the ALB to mark targets as unhealthy more aggressively, potentially removing them from rotation, but it would not cause intermittent session drops for requests that reach a healthy target; the described symptom is session affinity loss, not target availability. Option D is wrong because cross-zone load balancing distributes traffic evenly across targets in all Availability Zones, which improves utilization but does not affect session stickiness; without sticky sessions, requests can still be routed to different targets regardless of cross-zone settings.

915
MCQeasy

A company is migrating its SAP landscape to AWS and wants to automate the deployment of SAP applications using infrastructure as code. Which AWS service should the company use to define and provision the AWS infrastructure?

A.AWS Elastic Beanstalk
B.AWS CloudFormation
C.AWS CodeDeploy
D.AWS OpsWorks
AnswerB

CloudFormation enables infrastructure as code.

Why this answer

Option B is correct because AWS CloudFormation allows infrastructure as code. Option A is wrong because OpsWorks is for Chef/Puppet, not primary IaC. Option C is wrong because Elastic Beanstalk is for web apps, not SAP.

Option D is wrong because CodeDeploy is for application deployment, not infrastructure.

916
MCQmedium

An operations team manages an SAP ERP system on AWS that uses a single EC2 instance for the SAP central services (SCS) and multiple instances for application servers. The system is running in a VPC with both public and private subnets. The team notices that the SCS instance is unreachable from the application servers after a maintenance window where network ACLs were updated. The application servers are in private subnets, and the SCS instance is in a public subnet. The team has verified that the security groups allow the required traffic. Which step should the team take to resolve the connectivity issue?

A.Review the network ACL rules for both the public and private subnets.
B.Verify that the route tables have a route to the internet gateway.
C.Assign an Elastic IP to the SCS instance.
D.Check the security group rules on the application servers.
AnswerA

Network ACLs can block traffic if misconfigured.

Why this answer

Option C is correct because network ACLs are stateless and require both inbound and outbound rules. During maintenance, the NACL might have been modified to block required traffic. Option A is wrong because security groups are already verified.

Option B is wrong because route tables affect routing, not connectivity if they are within the same VPC. Option D is wrong because the issue is not about Elastic IPs.

917
MCQhard

An SAP application on EC2 is experiencing high CPU utilization. The instance is part of an Auto Scaling group. The CPU metric shows spikes every hour. Which scaling policy should be used to preemptively scale out before the spike?

A.Simple scaling policy based on CPU > 80%
B.Step scaling policy with multiple thresholds
C.Target tracking scaling policy with CPU target 75%
D.Scheduled scaling policy to add capacity just before the spike
AnswerD

Scheduled scaling can anticipate predictable patterns.

Why this answer

Option B is correct because a scheduled scaling policy can anticipate predictable spikes. Option A is incorrect because a simple scaling policy reacts to alarms after the spike. Option C is incorrect because a step scaling policy also reacts after alarms.

Option D is incorrect because a target tracking policy maintains an average, not preempt spikes.

918
MCQmedium

An SAP administrator notices that the SAP application server on AWS is experiencing high latency when connecting to the SAP HANA database. The database is on a separate EC2 instance in the same VPC. What is the MOST likely cause?

A.Enhanced Networking is not enabled on the EC2 instances.
B.EBS optimization is not enabled on the application server.
C.The HANA database is using a public IP address.
D.The instances are not in a placement group.
AnswerA

Enhanced Networking reduces latency and packet drops.

Why this answer

High latency between an SAP application server and a SAP HANA database in the same VPC is most likely caused by Enhanced Networking not being enabled on the EC2 instances. Enhanced Networking uses the Elastic Network Adapter (ENA) to provide higher bandwidth, higher packet-per-second performance, and consistently lower inter-instance latencies. Without it, network traffic is handled by the Xen or Nitro hypervisor's default driver, which introduces additional overhead and latency, especially under the high-throughput, low-latency requirements of SAP HANA communication.

Exam trap

The trap here is that candidates often confuse EBS optimization (storage I/O) with network performance, or assume that being in the same VPC automatically guarantees low latency, overlooking that Enhanced Networking is a required feature for high-performance workloads like SAP HANA.

How to eliminate wrong answers

Option B is wrong because EBS optimization affects storage I/O performance between the EC2 instance and its attached EBS volumes, not network latency between two EC2 instances. Option C is wrong because using a public IP address would introduce additional routing through the internet gateway and potential NAT overhead, but the question states both instances are in the same VPC, so traffic would still use the local VPC routing unless explicitly configured otherwise; the most likely cause is a missing network performance feature, not a public IP. Option D is wrong because placement groups reduce network latency by ensuring instances are in close physical proximity, but they are not required for low-latency communication; Enhanced Networking is a prerequisite for achieving the lowest latency even within a placement group.

919
MCQhard

Refer to the exhibit. An IAM policy is attached to an EC2 instance role used by SAP HANA backup scripts. The backup script attempts to upload a file to the S3 bucket without specifying server-side encryption. What will happen?

A.The upload fails because there is no Allow statement without condition.
B.The upload succeeds because there is an Allow statement.
C.The upload fails because of the Deny statement.
D.The upload succeeds because the Deny condition does not match.
AnswerC

The Deny statement explicitly denies PutObject when encryption is not AES256.

Why this answer

The first statement allows PutObject only if encryption is AES256. The second statement denies PutObject if encryption is not AES256. Since the request does not specify encryption, it does not match the condition in the Allow statement (so not allowed) and it matches the Deny statement because encryption is not AES256 (StringNotEquals).

Therefore, the request is denied.

920
MCQeasy

A company is migrating a SAP HANA database to AWS. Which storage configuration is recommended for SAP HANA to meet performance requirements?

A.Amazon EC2 instance store volumes
B.Amazon S3 as a block device
C.Amazon EBS gp2 volumes
D.Amazon EBS io2 Block Express volumes
AnswerD

io2 Block Express offers high IOPS and low latency.

Why this answer

Option B is correct because SAP HANA requires high IOPS and low latency, which is best provided by EBS io2 Block Express volumes. Option A is wrong because gp2 does not provide consistent high IOPS. Option C is wrong because instance store is ephemeral.

Option D is wrong because S3 is not block storage and cannot be used for database files.

921
Multi-Selecteasy

A company is migrating its SAP ERP system from an on-premises environment to AWS. The database is SAP HANA. The migration must minimize downtime. Which TWO approaches should the company consider?

Select 2 answers
A.Use AWS Database Migration Service (DMS) with full load only.
B.Use VM Import/Export to migrate the entire on-premises virtual machine to AWS.
C.Use the SAP Software Provisioning Manager (SWPM) to perform a homogeneous system copy over the network.
D.Use AWS DMS with full load and ongoing change data capture (CDC).
E.Set up SAP HANA System Replication from the on-premises HANA database to AWS HANA.
AnswersD, E

CDC keeps the target updated with minimal downtime.

Why this answer

Option D is correct because AWS DMS with full load and ongoing change data capture (CDC) enables a near-zero-downtime migration by continuously replicating changes from the source SAP HANA database to the target on AWS after the initial full load, allowing the cutover to occur with minimal disruption. Option E is correct because SAP HANA System Replication provides a native, asynchronous or synchronous replication mechanism that can be configured between the on-premises HANA database and an AWS-hosted HANA instance, supporting a controlled switchover with very low downtime.

Exam trap

The trap here is that candidates often overlook the native SAP HANA System Replication option (E) because they assume only AWS-native services like DMS are valid, or they mistakenly believe that VM Import/Export (B) can achieve minimal downtime without understanding the need for ongoing replication.

922
Multi-Selectmedium

Which TWO AWS services can be used to automate the startup and shutdown of SAP application servers based on a schedule to reduce costs? (Select TWO.)

Select 2 answers
A.Amazon CloudWatch Events
B.AWS CodePipeline
C.AWS Instance Scheduler
D.Amazon EC2 Auto Scaling
E.AWS Systems Manager Maintenance Windows
AnswersC, E

Instance Scheduler is a solution to start/stop instances on a schedule.

Why this answer

Option A is correct because Systems Manager Maintenance Windows can schedule actions. Option D is correct because Instance Scheduler is a solution for automated start/stop. Option B is incorrect because CloudWatch Events triggers actions but not directly scheduling on instances without a Lambda.

Option C is incorrect because Auto Scaling adjusts capacity but not start/stop of specific instances. Option E is incorrect because CodePipeline is for CI/CD.

923
MCQeasy

A company is planning to run SAP S/4HANA on AWS. They need to ensure that the SAP system can be accessed from the corporate network via a secure VPN connection. Which AWS service should be used to establish this connectivity?

A.AWS Client VPN
B.AWS Transit Gateway
C.AWS Site-to-Site VPN
D.AWS Direct Connect
AnswerC

Provides secure IPsec VPN between corporate network and AWS VPC.

Why this answer

AWS Site-to-Site VPN creates a secure IPsec tunnel between the corporate network's on-premises VPN device and a Virtual Private Gateway (VGW) attached to the VPC hosting the SAP S/4HANA system. This enables encrypted communication over the public internet, meeting the requirement for secure VPN connectivity from the corporate network to the SAP workload.

Exam trap

The trap here is that candidates confuse AWS Client VPN (remote access for individual users) with Site-to-Site VPN (network-to-network connectivity), or assume Transit Gateway alone provides VPN connectivity without understanding it requires a VPN attachment.

How to eliminate wrong answers

Option A is wrong because AWS Client VPN is a managed remote-access VPN service that connects individual clients (e.g., laptops) to AWS, not a site-to-site connection between a corporate network and AWS. Option B is wrong because AWS Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks, but it does not itself establish a VPN connection; it requires a VPN attachment (e.g., Site-to-Site VPN) to connect to the corporate network. Option D is wrong because AWS Direct Connect provides a dedicated private physical connection, not a VPN over the internet, and does not use IPsec encryption by default; it is a separate service for dedicated bandwidth and lower latency, not a VPN solution.

924
Multi-Selectmedium

Which TWO AWS services can be used to monitor the performance of an SAP HANA database on AWS? (Select TWO.)

Select 2 answers
A.AWS Trusted Advisor
B.Amazon CloudWatch
C.AWS X-Ray
D.Amazon RDS Performance Insights
E.AWS Config
AnswersB, D

CloudWatch collects metrics and logs from EC2 instances and can monitor HANA.

Why this answer

Options A and D are correct. Amazon CloudWatch can monitor metrics like CPU and memory. Amazon RDS Performance Insights provides database-specific metrics.

Option B is wrong because AWS Trusted Advisor provides best-practice checks, not performance monitoring. Option C is wrong because AWS X-Ray is for tracing distributed applications. Option E is wrong because AWS Config is for configuration auditing.

925
Multi-Selecthard

A company is deploying a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must meet high availability and low latency requirements. The company expects traffic to spike unpredictably. Which THREE strategies should the company implement to ensure the application can handle the load? (Choose THREE.)

Select 3 answers
A.Enable API Gateway caching with a suitable TTL
B.Set the Lambda function timeout to the maximum value of 15 minutes
C.Configure provisioned concurrency for the Lambda functions
D.Configure DynamoDB auto scaling with a minimum capacity of 10 read and 10 write capacity units
E.Use DynamoDB on-demand capacity mode for the tables
AnswersA, C, E

Caching reduces backend load and improves response times for repeated requests, helping handle spikes.

Why this answer

Option A is correct because API Gateway caching stores responses from your endpoints, reducing the number of calls made to the backend Lambda function and DynamoDB. By setting a suitable TTL, you ensure that frequently accessed data is served from the cache, which lowers latency and offloads the backend during unpredictable traffic spikes. This directly supports high availability by preventing backend overload.

Exam trap

The trap here is that candidates often confuse auto scaling (Option D) with on-demand capacity mode, not realizing that auto scaling has a lag time and requires manual capacity planning, whereas on-demand mode is designed for unpredictable traffic with instant scaling.

926
MCQhard

A company is migrating an SAP ERP system to AWS. The SAP application servers use a shared /sapmnt filesystem. Which AWS storage solution is most suitable for this shared filesystem with high availability?

A.Amazon S3 with a mount point
B.Amazon FSx for Windows File Server
C.Amazon EBS with Multi-Attach enabled
D.Amazon EFS
AnswerD

EFS provides a shared NFS filesystem with high availability.

Why this answer

Option C is correct because Amazon EFS is a managed NFS filesystem that is highly available and can be shared across multiple EC2 instances. Option A is wrong because EBS volumes cannot be attached to multiple instances except with special configurations. Option B is wrong because S3 is object storage, not a filesystem.

Option D is wrong because FSx for Windows is for Windows-based workloads, not Linux/SAP.

927
MCQeasy

A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The application uses an Amazon RDS for PostgreSQL database. The operations team reports that the application becomes unresponsive for about 30 seconds every hour at the same time. The team checks the ALB access logs and notices that during the outage, the ALB returns HTTP 504 errors. The RDS monitoring shows a spike in CPU usage and active connections during the same period. The application team confirms there are no scheduled jobs during that time. What should the team do to diagnose the root cause?

A.Review the security group rules for the database to ensure the application can connect.
B.Review the ALB target group health checks and ensure the EC2 instances are passing the health check.
C.Increase the EC2 instance size to handle more concurrent connections.
D.Check the RDS Enhanced Monitoring metrics for the database instance to identify resource bottlenecks such as high memory pressure or disk I/O.
AnswerD

Enhanced Monitoring provides detailed OS-level metrics to pinpoint the root cause of the database spike.

Why this answer

Option D is correct because the symptoms—hourly 30-second unresponsiveness, HTTP 504 errors from the ALB, and a correlated spike in RDS CPU and active connections—point to a database-side bottleneck. RDS Enhanced Monitoring provides OS-level metrics (memory, disk I/O, CPU) that can reveal resource contention or throttling events (e.g., swap usage, IOPS exhaustion) not visible in standard CloudWatch metrics, enabling precise root cause identification.

Exam trap

The trap here is that candidates confuse HTTP 504 errors with ALB or EC2 health check failures, but 504 specifically indicates the ALB received no response from the target (often due to database timeout), not that the target is unhealthy.

How to eliminate wrong answers

Option A is wrong because security group rules are static and would cause persistent connectivity failures, not a predictable hourly 30-second outage. Option B is wrong because ALB target group health checks failing would cause 503 errors (not 504) and would not explain the correlated RDS CPU/connection spike. Option C is wrong because increasing EC2 instance size addresses compute capacity on the application tier, but the bottleneck is on the database tier (RDS CPU/connections spike), so it would not resolve the root cause.

928
MCQeasy

A company is designing a new SAP S/4HANA workload on AWS. Which storage service should be used for the SAP HANA data volume to meet the required throughput and latency for production systems?

A.Amazon EBS io2 Block Express volumes
B.Amazon S3
C.Amazon EFS
D.Amazon EBS gp3 volumes
AnswerA

io2 Block Express provides up to 256K IOPS and low latency, ideal for SAP HANA.

Why this answer

Option B is correct because SAP HANA requires high IOPS and low latency, which is best provided by Amazon EBS io2 Block Express volumes with provisioned IOPS. Option A is wrong because EBS gp3 may not provide sufficient performance for large production HANA systems. Option C is wrong because S3 is object storage, not block storage.

Option D is wrong because EFS is file storage, not block storage.

929
MCQmedium

A company has deployed SAP on AWS with a shared file system using Amazon EFS for the /sapmnt directory. The EFS file system is mounted on all SAP application servers. Recently, users reported that the SAP system is slow when accessing reports that are stored as PDF files in the /sapmnt directory. The operations team checks the CloudWatch metrics and finds that the EFS file system's PercentIOLimit metric is consistently at 100% during peak hours. The file system is using the General Purpose performance mode. The team also notices that the BurstCreditBalance is decreasing over time. What action should be taken to resolve this performance issue?

A.Enable EFS lifecycle management to move infrequently accessed files to Infrequent Access storage class.
B.Increase the size of the EFS file system to improve performance.
C.Increase the burst credit balance by enabling throughput mode.
D.Switch the EFS performance mode to Max I/O to get higher throughput.
AnswerD

Max I/O provides higher IOPS and throughput.

Why this answer

Option C is correct because switching to Max I/O performance mode provides higher IOPS and throughput for workloads with high I/O demands. Option A is wrong because the issue is I/O limit, not storage capacity. Option B is wrong because increasing burst credits is not possible; the file system needs higher baseline.

Option D is wrong because lifecycle management is for cost optimization, not performance.

930
MCQmedium

A company is migrating its SAP environment to AWS. The operations team needs to ensure that all changes to the SAP infrastructure are tracked and that unauthorized changes are detected. Which AWS service should they use?

A.AWS CloudTrail
B.AWS Config
C.Amazon GuardDuty
D.AWS Trusted Advisor
AnswerB

AWS Config provides configuration history and compliance checking.

Why this answer

Option A is correct. AWS Config records configuration changes and detects drift. Option B is incorrect because CloudTrail records API calls, not configuration state.

Option C is incorrect because Trusted Advisor provides best practice checks. Option D is incorrect because GuardDuty is for threat detection.

931
MCQmedium

Refer to the exhibit. An operations team uses this CloudFormation template to launch SAP application servers. After deployment, the application server fails to join the SAP system. The team verified that the security group allows outbound traffic to the SAP system. What is the MOST likely cause?

A.The instance type is not specified correctly.
B.The security group ID is not properly referenced.
C.The user data script is not base64 encoded correctly.
D.The `LatestAmiId` parameter is not defined in the template.
AnswerD

!Ref LatestAmiId requires a parameter or mapping that is not defined.

Why this answer

Option D is correct. The template uses `!Ref LatestAmiId` which does not exist as a parameter; it should be a parameter or a mapping. Option A is wrong because the instance type is parameterized.

Option B is wrong because the security group is referenced correctly. Option C is wrong because the user data script is base64 encoded correctly.

932
MCQhard

A company is migrating an SAP ERP system to AWS using an SAP-certified backup/restore method. After restoring the database to Amazon RDS for SAP ASE, the SAP application fails to start with an error 'database connection refused'. The security group allows inbound traffic from the application server. What is the most likely cause?

A.The RDS instance is in a 'stopped' state
B.The security group does not allow outbound traffic
C.The SAP application is using the wrong database hostname or port
D.The RDS instance is in a different VPC than the application server
AnswerC

After migration, the hostname/port may differ; need to update SAP profile.

Why this answer

Option A is incorrect because the security group is configured correctly. Option B is incorrect because the DB instance is in the same VPC. Option C is correct because the RDS instance might have a different endpoint than the hostname used by the SAP application; the hostname resolution must match.

Option D is incorrect because the RDS instance is running as expected.

933
MCQhard

A company is migrating its SAP ERP system running on Oracle to SAP HANA on AWS. The system has a database size of 2 TB. During migration planning, the team needs to minimize downtime. Which strategy should be used?

A.Take a full backup of Oracle, restore to SAP HANA, and then apply incremental logs.
B.Use SAP HANA System Replication to initially load data from the source SAP HANA (or migrate using SAP DMO with SUM) and then switch over.
C.Use the AWS Database Migration Service (DMS) to perform an online migration from Oracle to SAP HANA.
D.Perform an export/import using SAP tools while the source database is online.
AnswerB

SAP HANA System Replication allows near-zero downtime migration by replicating data while source is online.

Why this answer

Option D is correct because using SAP HANA System Replication with initial load and then switching over minimizes downtime as data is replicated while source is online. Option A is wrong because SAP HANA doesn't support heterogeneous replication directly. Option B is wrong because DMS does not natively support SAP HANA as a target.

Option C is wrong because it requires more downtime.

934
MCQmedium

A company is deploying a new SAP HANA database on AWS and needs to ensure the EBS volumes are optimized for throughput. Which EBS volume type should be used for the HANA data and log volumes?

A.sc1
B.io2 Block Express
C.gp3
D.st1
AnswerB

io2 Block Express offers high performance and is certified for SAP HANA.

Why this answer

The correct answer is D because io2 Block Express volumes provide high throughput, low latency, and are certified for SAP HANA. Option A is incorrect because gp3 is a general-purpose SSD with lower performance. Option B is incorrect because st1 is throughput-optimized but not suitable for databases.

Option C is incorrect because sc1 is cold HDD.

935
Multi-Selectmedium

Which TWO of the following are required for SAP HANA high availability on AWS using HANA System Replication (HSR) with automatic failover? (Select TWO.)

Select 2 answers
A.Application Auto Scaling to automatically scale HANA instances.
B.An Amazon Route 53 health check that monitors the primary instance and updates a DNS record to the secondary IP on failure.
C.An Elastic Load Balancer (ELB) in front of the HANA instances to distribute traffic.
D.Placement of primary and secondary HANA instances in different Availability Zones.
E.An Amazon Route 53 alias record pointing to the primary instance's private IP.
AnswersB, D

Route 53 health checks can be used to update DNS for automatic failover.

Why this answer

Option B is correct because Amazon Route 53 health checks can monitor the primary HANA instance's availability. On failure, a Route 53 failover routing policy automatically updates the DNS record to point to the secondary instance's private IP, enabling clients to reconnect without manual intervention. This is a key component of HANA System Replication (HSR) with automatic failover on AWS.

Exam trap

The trap here is that candidates often confuse load balancers (ELB) with DNS-based failover, but ELBs are stateless and cannot handle HANA's direct client connections or replication state, making Route 53 health checks with failover routing the correct choice for HSR automatic failover.

936
MCQmedium

A company is running SAP on AWS and wants to ensure high availability for SAP Central Services (ASCS) and Enqueue Replication Server (ERS). Which architecture meets this requirement?

A.Deploy ASCS and ERS on the same EC2 instance with S3 replication.
B.Configure Route 53 health checks to switch between two instances in the same AZ.
C.Deploy ASCS and ERS on separate EC2 instances in different Availability Zones, with a Network Load Balancer.
D.Use a single EC2 instance with an S3 bucket for shared storage and Lambda for failover.
AnswerC

Multi-AZ with separate instances and NLB ensures HA.

Why this answer

Option C is correct because SAP Central Services (ASCS) and Enqueue Replication Server (ERS) must run on separate EC2 instances in different Availability Zones to achieve high availability. A Network Load Balancer (NLB) is used to distribute traffic and provide a single endpoint, while the enqueue replication mechanism (enrep) synchronizes the lock table between the two instances, enabling automatic failover without data loss.

Exam trap

The trap here is that candidates often assume ASCS and ERS can be co-located on the same instance or in the same AZ for simplicity, but the PAS-C01 exam explicitly tests the requirement for separate instances in different AZs with an NLB to meet SAP's HA architecture for critical services.

How to eliminate wrong answers

Option A is wrong because deploying ASCS and ERS on the same EC2 instance creates a single point of failure; S3 replication does not provide the low-latency shared storage or enqueue replication required for SAP HA. Option B is wrong because placing both instances in the same Availability Zone does not protect against AZ-level failures, and Route 53 health checks alone cannot handle the rapid, stateful failover required for SAP enqueue replication. Option D is wrong because a single EC2 instance is a single point of failure, S3 is not a supported shared filesystem for SAP (it lacks POSIX semantics and low latency), and Lambda cannot perform the real-time enqueue replication or orchestrate the failover of SAP Central Services.

937
Multi-Selecthard

An SAP system is running on AWS with a Multi-AZ deployment. The system uses an Amazon RDS for SAP HANA database. Which TWO actions should be taken to ensure high availability?

Select 2 answers
A.Create a read replica in a different region
B.Configure automated backups with a retention period
C.Enable Multi-AZ on the RDS instance
D.Deploy the RDS instance in a single Availability Zone
E.Take manual snapshots every hour
AnswersB, C

Automated backups enable point-in-time recovery, which is essential for HA.

Why this answer

Enabling Multi-AZ on RDS automatically provisions a standby in a different AZ and handles failover. Configuring automated backups allows point-in-time recovery. Read replicas are for read scaling, not HA.

Manual snapshots are not automatic. Using a single AZ does not provide HA.

938
MCQeasy

A company wants to migrate its SAP BusinessObjects system to AWS. The system includes a CMS database that runs on Microsoft SQL Server. The company wants to use AWS DMS to migrate the database with minimal downtime. Which migration method should they use?

A.Snapshot restore to Amazon RDS
B.Full load with one-time restore
C.Full load with ongoing replication (change data capture)
D.Full load only
AnswerC

Ongoing replication syncs changes, minimizing downtime.

Why this answer

Option C is correct because ongoing replication (change data capture) allows DMS to keep the target database in sync with the source, minimizing downtime. Options A, B, D are incorrect because full load only, one-time restore, or snapshot restore do not minimize downtime.

939
MCQmedium

A company is running SAP HANA on an EC2 instance. The storage is configured with multiple EBS volumes striped using LVM. The SAP administrator notices that disk I/O latency spikes during peak hours. Which change would MOST effectively reduce latency without incurring additional cost?

A.Increase the size of the EBS volumes
B.Provision additional IOPS on the EBS volumes
C.Switch from LVM to RAID 0 striping
D.Use an EBS-optimized EC2 instance type
AnswerD

EBS-optimized instances provide dedicated bandwidth to EBS, reducing latency.

Why this answer

Option B is correct because EBS-optimized instances provide dedicated network bandwidth for EBS I/O, reducing contention. Option A is incorrect because increasing volume size does not directly reduce latency. Option C is incorrect because RAID 0 increases throughput but not lower latency.

Option D is incorrect because provisioning IOPS increases cost.

940
MCQmedium

A company is running SAP HANA on a memory-optimized EC2 instance with an EBS volume for /hana/data and /hana/log. The database administrator notices that the /hana/log volume is experiencing high write latency. The current volume is a gp2 volume with 1000 GB size. Which change would most effectively reduce write latency?

A.Change the volume type to st1 (throughput optimized) for better write throughput.
B.Increase the volume size to 2000 GB to get more IOPS.
C.Enable Multi-Attach on the volume to distribute writes.
D.Ensure the EC2 instance is EBS-optimized and use a higher instance type with dedicated EBS bandwidth.
AnswerD

EBS-optimized instances provide dedicated throughput to EBS, reducing latency.

Why this answer

Option D is correct because using EBS-optimized instances with dedicated EBS bandwidth reduces contention and latency. Option A is wrong because increasing volume size increases IOPS but not necessarily reduces latency. Option B is wrong because changing to st1 is not ideal for log writes.

Option C is wrong because enabling Multi-Attach does not reduce latency.

941
MCQmedium

An SAP system uses a Network Load Balancer (NLB) to distribute traffic to SAP application servers. The application servers are in private subnets. The operations team notices that the health checks are failing for one of the application servers. The health check is configured to use TCP on port 3200. The application server's security group allows inbound traffic on port 3200 from the NLB's subnet CIDR. The network ACL allows inbound and outbound traffic on ephemeral ports. What is the most likely cause of the health check failure?

A.The security group does not allow inbound traffic from the NLB's private IP addresses.
B.The network ACL is blocking the health check traffic.
C.The SAP application is not listening on port 3200.
D.The NLB is configured to use the instance's public IP address.
AnswerA

Health checks come from NLB's IPs, not client IPs.

Why this answer

Option C is correct because the NLB health checks originate from its own IP addresses, not from the client IPs. The security group must allow traffic from the NLB's private IP addresses. Option A is wrong because the application may be listening correctly.

Option B is wrong because NACLs are properly configured. Option D is wrong because the NLB communicates with targets using their private IPs.

942
MCQmedium

A company is migrating an on-premises Microsoft SQL Server database to Amazon RDS for SQL Server. The database is 5 TB and the migration must be completed within a 2-hour downtime window. Which AWS service should be used to perform the initial full load and then replicate ongoing changes?

A.AWS Snowball Edge
B.AWS Database Migration Service (DMS)
C.AWS Application Migration Service (MGN)
D.AWS DataSync
AnswerB

Supports full load and ongoing replication.

Why this answer

AWS DMS can perform a full load and then continuously replicate changes. Option A (AWS DataSync) is for file transfers. Option B (AWS MGN) is for server migration.

Option D (AWS Snowball Edge) is for large data transfer but does not support ongoing replication.

943
MCQhard

A company is running SAP HANA on AWS using a scale-out architecture with multiple worker nodes. The system is used for real-time analytics. Recently, query performance has degraded. The HANA administrator notices that the data is not evenly distributed across nodes. What is the best course of action?

A.Redistribute the tables across nodes using HANA's table partitioning features.
B.Increase the memory allocation for the HANA database.
C.Add more worker nodes to the scale-out cluster to distribute the load.
D.Upgrade the EC2 instance type of all nodes to a memory-optimized type.
AnswerA

Partitioning and redistribution ensures even data distribution.

Why this answer

HANA scale-out relies on table partitioning and distribution to ensure even data distribution. Redistributing tables using ALTER TABLE with REORGANIZE or reloading data can fix imbalance. Option A (add nodes) may help but does not fix existing imbalance.

Option B (change instance type) is not directly related. Option D (memory) is not the issue. Option C is the targeted fix.

944
MCQhard

An SAP Basis team is designing a high-availability (HA) setup for SAP NetWeaver on AWS. They plan to use a shared file system for transport directories. Which storage solution provides the most cost-effective NFS share with support for automatic failover across Availability Zones?

A.Amazon Elastic File System (EFS)
B.Amazon EBS Multi-Attach gp3 volume
C.Amazon FSx for NetApp ONTAP
D.Amazon S3 with AWS Storage Gateway file gateway
AnswerC

FSx for NetApp ONTAP provides a fully managed NFS share with cross-AZ HA, suitable for SAP transport directories.

Why this answer

Amazon FSx for NetWeaver (FSx for NetApp ONTAP) provides a fully managed NFS share with HA across AZs. Option A is wrong because EFS is a POSIX file system but not specifically optimized for SAP transport directories and may have cost implications. Option B is wrong because EBS can't be mounted across AZs.

Option C is wrong because S3 is object storage, not a file system.

945
MCQmedium

A company is migrating an SAP system to AWS and needs to ensure high availability for the SAP Central Services (ASCS) instance. Which architecture should be used to meet this requirement?

A.Use a cluster of EC2 instances across two Availability Zones with shared storage and a cluster manager.
B.Deploy the ASCS on a single large EC2 instance with a Multi-Attach EBS volume.
C.Use an Auto Scaling group with a launch configuration for ASCS.
D.Deploy two EC2 instances in the same Availability Zone with a replicated file system.
AnswerA

This provides HA across AZs with failover.

Why this answer

Option B is correct because SAP ASCS can be set up in a cluster across multiple Availability Zones using shared storage (e.g., Amazon EFS or FSx) and a cluster manager like Pacemaker. Option A is wrong because a single EC2 instance does not provide high availability. Option C is wrong because an Auto Scaling group is for horizontal scaling of stateless applications, not for SAP ASCS.

Option D is wrong because placing both nodes in the same AZ does not protect against AZ failure.

946
Multi-Selecteasy

A company is migrating a SAP system to AWS and wants to use AWS Systems Manager for patching. Which TWO prerequisites are required to use AWS Systems Manager Patch Manager?

Select 2 answers
A.The EC2 instance must be in a public subnet.
B.The EC2 instance must be running Amazon Linux 2.
C.The AWS Systems Manager Agent (SSM Agent) must be installed on the EC2 instance.
D.An IAM role with permissions for Systems Manager must be attached to the EC2 instance.
E.A maintenance window must be configured with a reboot option.
AnswersC, D

SSM Agent is required for Systems Manager to manage the instance.

Why this answer

Correct options are A and D. The SSM Agent must be installed and running on the EC2 instances, and the instances must have an IAM role that grants Systems Manager permissions. Option B is wrong because Patch Manager does not require the instance to be in a public subnet.

Option C is wrong because Patch Manager works with both Amazon Linux and Windows. Option E is wrong because Patch Manager does not require a reboot schedule.

947
MCQeasy

An SAP system on AWS is configured with a Multi-AZ deployment for high availability. During a failover test, the operations team notices that the secondary instance does not take over correctly. What is the most likely cause?

A.The SAP application layer is not configured to retry connections.
B.The CloudWatch alarm thresholds for failover are set too high.
C.The route tables or security groups do not allow traffic to the secondary instance.
D.The secondary instance's IP address is not automatically updated in DNS.
AnswerC

Network configuration errors can prevent failover from completing.

Why this answer

Option B is correct because incorrect DNS resolution or routing can prevent the secondary instance from being reachable after failover. Option A is wrong because Multi-AZ automatically handles IP changes if configured properly. Option C is wrong because application layer misconfiguration may not affect the failover itself.

Option D is wrong because CloudWatch alarms do not control failover.

948
MCQeasy

A company has an SAP HANA database running on an RDS for SAP HANA instance. The operations team wants to automate the backup process and retain backups for 90 days. Which AWS service should they use?

A.RDS automated backups
B.Amazon S3 lifecycle policies
C.AWS Backup
D.AWS Storage Gateway
AnswerC

AWS Backup can schedule and retain backups for 90 days.

Why this answer

Option A is correct because AWS Backup can manage backups of RDS instances with customizable retention. Option B is wrong because S3 is for object storage, not native RDS backups. Option C is wrong because Storage Gateway is for hybrid storage.

Option D is wrong because RDS automated backups have a max retention of 35 days; manual snapshots are needed beyond that, but AWS Backup can manage them.

949
MCQeasy

A company is migrating its SAP application from on-premises to AWS. The SAP application uses a shared file system (NFS) for transport directories. Which AWS service should the company use to replace the on-premises NFS?

A.Amazon FSx for Windows File Server
B.Amazon S3
C.Amazon EBS
D.Amazon EFS
AnswerD

Amazon EFS supports NFS and can be shared across instances for SAP transport directories.

Why this answer

Option A is correct because Amazon EFS provides a scalable NFS file system that can be shared across multiple EC2 instances. Option B is wrong because Amazon S3 is object storage, not a file system. Option C is wrong because Amazon FSx for Windows File Server is for SMB, not NFS for Linux.

Option D is wrong because Amazon EBS is block storage attached to a single instance.

950
MCQeasy

A company is running SAP S/4HANA on AWS with an RDS for SAP HANA database. The operations team needs to perform a minor version upgrade of the database. They want to minimize downtime and ensure that the upgrade can be rolled back if needed. What should they do?

A.Take a manual snapshot before the upgrade, then perform the upgrade.
B.Enable Multi-AZ, then perform the upgrade.
C.Use the clone feature of SAP HANA to create a copy.
D.Create a read replica, promote it after the upgrade.
AnswerA

Snapshot allows restore to pre-upgrade state if needed.

Why this answer

Option D is correct because creating a snapshot before the upgrade allows rollback, and RDS supports minor version upgrades with minimal downtime (usually a few minutes). Option A is wrong because creating a read replica does not help with upgrade rollback. Option B is wrong because Multi-AZ does not directly help with upgrade rollback.

Option C is wrong because cloning is for Aurora, not RDS for HANA.

951
MCQhard

A company is migrating its SAP ERP system to AWS using the SAP S/4HANA migration approach. They need to replicate the source system continuously to the target before cutover. Which AWS service should be used for this continuous replication?

A.AWS Schema Conversion Tool (SCT)
B.AWS Server Migration Service (SMS)
C.AWS Database Migration Service (DMS)
D.AWS CloudEndure Migration
AnswerC

DMS supports continuous replication for SAP migrations.

Why this answer

AWS DMS can perform ongoing replication from SAP systems to target databases. Option A is correct. Option B (SCT) is for schema conversion only.

Option C (SMS) is for server-level migration. Option D (CloudEndure) is for disaster recovery, not SAP-specific migration.

952
MCQeasy

An SAP system administrator needs to ensure that all SAP application logs are centrally collected and monitored for errors. Which AWS service should they use to aggregate logs from multiple EC2 instances?

A.Amazon S3 with server access logs
B.Amazon Kinesis Data Firehose
C.Amazon CloudWatch Logs
D.AWS Lambda to process logs from each instance
AnswerC

CloudWatch Logs with the unified CloudWatch agent can collect and aggregate logs from multiple EC2 instances.

Why this answer

Amazon CloudWatch Logs is the correct service because it provides a centralized, agent-based log aggregation solution. The CloudWatch Logs agent (or unified CloudWatch agent) can be installed on each EC2 instance to automatically collect, encrypt, and stream SAP application logs to a central CloudWatch Logs group. This allows the administrator to monitor logs in real time, set metric filters for error patterns, and trigger alarms without needing to build custom infrastructure.

Exam trap

The trap here is that candidates often confuse Amazon Kinesis Data Firehose as a direct log collector, but it requires a separate data producer and is not an agent-based aggregation service like CloudWatch Logs.

How to eliminate wrong answers

Option A is wrong because Amazon S3 with server access logs only captures HTTP requests made to the S3 bucket itself, not application logs from EC2 instances. Option B is wrong because Amazon Kinesis Data Firehose is a streaming data delivery service that requires a separate producer (e.g., a CloudWatch Logs subscription filter or a custom agent) to send logs; it does not natively collect logs from EC2 instances without additional setup. Option D is wrong because AWS Lambda is a serverless compute service that can process logs but cannot directly aggregate them from multiple EC2 instances; it would need to be triggered by another service (like CloudWatch Logs or S3) and is not designed for continuous log collection.

953
Multi-Selecteasy

A company is migrating an SAP HANA database to AWS. The database must be backed up automatically. Which TWO AWS services can be used for this purpose? (Choose 2.)

Select 2 answers
A.Amazon RDS
B.Amazon S3
C.AWS Database Migration Service
D.AWS Backup
E.Amazon EFS
AnswersB, D

SAP HANA can back up directly to S3 using the S3 API.

Why this answer

Amazon S3 is correct because it can be used as a target for SAP HANA backup and recovery using the SAP HANA Backup to S3 feature, which allows direct backup of HANA databases to S3 buckets via the SAP HANA Studio or hdbsql commands. AWS Backup is correct because it provides a fully managed backup service that can automate and centralize backups of SAP HANA databases running on Amazon EC2 instances, using the AWS Backup console or API to create and manage backup policies.

Exam trap

The trap here is that candidates often confuse AWS Database Migration Service (DMS) as a backup tool because it can replicate data, but DMS is for migration and continuous replication, not for creating point-in-time backups of SAP HANA databases.

954
Multi-Selectmedium

A company is designing a disaster recovery (DR) strategy for a critical application that runs on EC2 instances in a single AWS Region. The application uses an Amazon RDS MySQL Multi-AZ DB instance. The company wants to achieve a Recovery Point Objective (RPO) of 1 minute and a Recovery Time Objective (RTO) of 15 minutes for both compute and database tiers. Which TWO options should the company implement? (Choose TWO.)

Select 2 answers
A.Configure a cross-Region read replica for the RDS MySQL DB instance in the secondary Region
B.Create Amazon Machine Images (AMIs) of the EC2 instances and copy them to the secondary Region
C.Use Amazon EBS snapshots of the EC2 instances and copy them to the secondary Region every minute
D.Migrate the database to Amazon Aurora MySQL and configure an Aurora Global Database
E.Enable cross-Region automated backups for the RDS Multi-AZ DB instance
AnswersA, B

A cross-Region read replica can be promoted to a primary in seconds, meeting the RPO of 1 minute.

Why this answer

Option A is correct because a cross-Region read replica for RDS MySQL can be promoted to a standalone primary in the secondary Region within minutes, meeting the 15-minute RTO. The asynchronous replication lag is typically under 1 minute, satisfying the 1-minute RPO. This provides a managed, low-latency DR database tier without needing to restore from backups.

Exam trap

The trap here is that candidates may confuse cross-Region automated backups (Option E) with cross-Region read replicas, not realizing that backups have a higher RPO and longer restore times, while read replicas provide near-real-time replication and faster promotion.

955
MCQeasy

A company wants to implement a backup strategy for SAP HANA on AWS. The backup must be stored securely and be accessible for restore to a different AWS Region. Which combination of AWS services should be used?

A.Take EBS snapshots and copy them to another region
B.Use AWS Backup with cross-region backup copy
C.Store HANA backups in Amazon S3 Standard-IA
D.Use Amazon S3 Glacier Deep Archive
AnswerB

AWS Backup supports cross-region copies and is integrated with HANA.

Why this answer

AWS Backup with cross-region backup copy is the correct choice because it provides a fully managed, policy-driven backup service that natively supports SAP HANA on Amazon EC2, including automated cross-region copy for disaster recovery. This ensures backups are stored securely (encrypted at rest and in transit) and can be restored in a different AWS Region without manual intervention.

Exam trap

The trap here is that candidates often assume EBS snapshots (Option A) are sufficient for database backups, overlooking the need for application-consistent backups and the managed cross-region replication that AWS Backup provides.

How to eliminate wrong answers

Option A is wrong because EBS snapshots alone do not provide application-consistent backups for SAP HANA; they capture only the block-level state of the volume, which can lead to data corruption if the database is not quiesced. Option C is wrong because storing HANA backups directly in Amazon S3 Standard-IA does not include built-in cross-region copy capabilities, requiring additional custom scripting and infrastructure to replicate backups to another region. Option D is wrong because Amazon S3 Glacier Deep Archive is designed for long-term archival with retrieval times of 12 hours or more, making it unsuitable for operational backups that need to be accessible for restore to a different region within acceptable recovery time objectives (RTOs).

956
MCQhard

A global company is migrating its SAP ERP system to AWS. The system runs SAP ECC on IBM AIX with Oracle Database. The company plans to move to SAP S/4HANA on AWS. The source system is 5 TB in size. The network bandwidth between the on-premises data center and AWS is 100 Mbps. The migration must be completed within a 2-week window with minimal downtime. The company has a SAP license that allows running S/4HANA on certified hardware. They have already used AWS SCT to convert the database schema to SAP HANA-compatible format. They now need to execute the data migration. The team is considering the following options: Option A: Use AWS DMS with ongoing replication from Oracle to HANA, then perform a final cutover. Option B: Use AWS Snowball Edge to transfer the Oracle backup files to AWS, then restore to HANA. Option C: Use AWS DataSync to copy the Oracle data files to Amazon EFS, then import into HANA. Option D: Use SAP HANA system replication from the source Oracle database to the target HANA database. Which option is the most feasible and efficient for this migration?

A.Use SAP HANA system replication from the source Oracle database to the target HANA database
B.Use AWS Snowball Edge to transfer the Oracle backup files to AWS, then restore to HANA
C.Use AWS DataSync to copy the Oracle data files to Amazon EFS, then import into HANA
D.Use AWS DMS with ongoing replication from Oracle to HANA, then perform a final cutover
AnswerD

DMS supports heterogeneous migrations and ongoing replication to minimize downtime.

Why this answer

Option A is the most feasible because AWS DMS can handle the heterogeneous migration from Oracle to HANA, and the ongoing replication minimizes downtime. Option B is inefficient because restoring from backup may not support ongoing replication and adds complexity. Option C (DataSync) is for files, not databases.

Option D (HANA system replication) requires the source to be HANA, not Oracle.

957
MCQeasy

An SAP administrator runs the df command on an SAP HANA server and sees the output above. The /hana/data filesystem is 96% full. Which action should be taken to prevent the database from running out of space?

A.Increase the IOPS of the EBS volume
B.Delete old database logs to free up space
C.Increase the size of the EBS volume and extend the filesystem
D.Migrate the database to a larger instance type
AnswerC

This is the standard procedure to add more disk space.

Why this answer

The filesystem is nearly full. The best action is to increase the size of the EBS volume and then extend the filesystem. Option A is wrong because deleting logs may not be sufficient and could disrupt operations.

Option B is wrong because moving to a new instance requires migration. Option D is wrong because increasing IOPS does not add capacity.

958
MCQhard

A company is troubleshooting an issue where SAP users cannot log in to the SAP GUI. The SAP application server is running on an EC2 instance behind an Application Load Balancer (ALB). The ALB is configured to use the HTTPS listener on port 443. Which configuration is most likely causing the issue?

A.The ALB's target group is not configured with health checks.
B.The security group for the ALB does not allow inbound traffic on port 3300.
C.The ALB is terminating HTTPS connections, but the SAP application server expects unencrypted DIAG protocol.
D.The ALB's stickiness settings are misconfigured, causing session persistence issues.
AnswerC

SAP GUI uses DIAG (TCP 3200), not HTTP/HTTPS; an ALB is not suitable for non-HTTP traffic.

Why this answer

Option B is correct because SAP GUI typically uses DIAG protocol over TCP 3200, not HTTPS. The ALB should have a Network Load Balancer for TCP traffic. Option A is wrong because listener on 443 is fine for HTTPS but not for SAP GUI traffic.

Option C is wrong because security group rules are not the primary issue. Option D is wrong because health checks are not directly related to user login.

959
Multi-Selecteasy

An SAP system is running on AWS with a production HANA database. The database administrator wants to ensure that backups are consistent and can be restored. Which TWO approaches should be used together for a robust backup strategy?

Select 2 answers
A.AWS Backup with a backup plan that includes both EBS snapshots and Backint.
B.Regular EBS snapshots of the data volume.
C.Amazon EC2 Auto Scaling to create backup instances.
D.AWS Database Migration Service (DMS) for continuous replication.
E.SAP HANA Backint integration with AWS Backup.
AnswersA, E

Combining both provides crash-consistent and application-consistent backups.

Why this answer

Options A and D are correct. EBS snapshots (A) provide crash-consistent backups, and Backint (D) provides application-consistent backups. Option B (AWS Backup) can orchestrate both.

Option C (Auto Scaling) is not backup. Option E (Database Migration Service) is for migration.

960
MCQhard

An SAP HANA database running on an EC2 instance is configured with multiple EBS volumes using RAID 0 for increased throughput. During a backup operation, the instance experiences a significant drop in I/O performance. Which solution would best address this without affecting ongoing backups?

A.Add more EBS volumes to the RAID 0 array to increase total I/O bandwidth.
B.Use instance store volumes for the HANA data instead of EBS.
C.Use EBS snapshots for backup instead of file-level backup to reduce I/O load.
D.Reduce the number of EBS volumes to limit the RAID 0 penalty.
AnswerA

More volumes in RAID 0 increase parallelism and throughput, helping during backup.

Why this answer

Option C is correct because using multiple volumes and striping increases I/O. Option A is wrong because it reduces performance. Option B is wrong because EBS snapshots are asynchronous and can cause latency.

Option D is wrong because instance store is ephemeral and may not be suitable.

961
Multi-Selecthard

An SAP HANA database is running on an EC2 instance with multiple EBS volumes for /hana/data, /hana/log, and /hana/shared. Which TWO AWS features should be used to ensure that the EBS volumes are backed up consistently?

Select 2 answers
A.Amazon S3
B.AWS Storage Gateway
C.EBS snapshots
D.EBS Lifecycle Manager
E.AWS Backup
AnswersC, E

EBS snapshots are the primary backup mechanism.

Why this answer

EBS snapshots are the standard backup method for EBS volumes. However, to ensure consistency across multiple volumes (e.g., for a striped filesystem), the volumes should be snapshotted at the same point in time. AWS Backup can automate this with snapshot consistency groups.

While AWS Backup can create consistent snapshots, it also supports application-consistent backups. The two correct options are EBS snapshots and AWS Backup. Lifecycle Manager can create snapshots but does not ensure cross-volume consistency by default.

962
Multi-Selecthard

A company is deploying SAP S/4HANA on AWS and needs to choose instance types that are certified by SAP. Which THREE instance families are SAP-certified for production SAP HANA workloads?

Select 3 answers
A.R5
B.T3
C.X1e
D.M5
E.P3
AnswersA, C, D

R5 instances are memory-optimized and SAP-certified for HANA.

Why this answer

A, B, and D are SAP-certified for HANA. C (T3) is burstable and not certified for production HANA. E (P3) is GPU-optimized and not certified for HANA.

963
MCQhard

An SAP administrator runs the AWS CLI command shown in the exhibit. The SAP application is experiencing performance issues. The administrator notices that one instance is stopped. What is the most likely impact of this on the SAP landscape?

A.The SAP system will be fully functional as long as the database is running.
B.The running instance will automatically take over the workload.
C.The stopped instance will continue to incur charges.
D.The SAP application will be unavailable or have reduced capacity.
AnswerD

A stopped application server cannot serve requests.

Why this answer

If the SAP application server is stopped, the application will be unavailable or degraded. The database is not shown. Stopped instances do not incur compute charges.

Instance type mismatch is not the issue; the running instance is larger.

964
MCQmedium

An SAP system running on AWS uses a Multi-AZ RDS for SAP ASE database. The operations team notices that the database failover took longer than expected during a recent outage. What should the team investigate to reduce failover time?

A.Increase the allocated storage for the database to improve I/O performance.
B.Ensure that the standby instance is in the same Availability Zone as the primary.
C.Check for long-running transactions that delay the failover.
D.Verify that the database is using asynchronous replication.
AnswerC

Long-running transactions can significantly increase failover time.

Why this answer

Option D is correct because Multi-AZ failover time is influenced by the time to complete in-flight transactions. Option A is wrong because synchronous replication is used, not asynchronous. Option B is wrong because Multi-AZ already has a standby in another AZ.

Option C is wrong because increasing instance size may not reduce failover time.

965
MCQeasy

An SAP system on AWS needs to store sensitive configuration files securely and automatically rotate the encryption keys. Which AWS service should be used?

A.AWS Systems Manager Parameter Store with AWS KMS.
B.Amazon S3 with server-side encryption.
C.AWS Key Management Service (KMS) alone.
D.AWS Secrets Manager.
AnswerA

Parameter Store can store configuration securely and use KMS for encryption with automatic key rotation.

Why this answer

Option A is correct because AWS Systems Manager Parameter Store securely stores configuration and can integrate with KMS for key rotation. Option B is wrong because S3 does not automatically rotate keys. Option C is wrong because Secrets Manager is for secrets, not configuration with automatic rotation of keys.

Option D is wrong because KMS manages keys, not configuration storage.

966
MCQmedium

A company is migrating an SAP system from an Oracle database to Amazon RDS for Oracle using AWS DMS. The DMS task fails with the error shown in the exhibit. What is the most likely cause?

A.The DMS replication instance does not have network access to the source database.
B.The source endpoint credentials are incorrect.
C.The DMS task requires additional IAM permissions.
D.The target endpoint is not configured correctly.
AnswerB

ORA-01017 indicates invalid username or password.

Why this answer

The error indicates invalid username/password for the source Oracle database. The source endpoint credentials are incorrect. The DMS replication instance may not have network access, but the error is a login failure.

The target endpoint is not the issue.

967
MCQhard

A company runs a critical SAP ERP system on AWS. The system consists of a single EC2 instance running SAP NetWeaver with an Oracle database on the same instance. The instance type is r5.4xlarge with 500 GB gp2 EBS volume for the database. The operations team receives a CloudWatch alarm that the EBS volume's 'BurstBalance' metric has dropped to 0%. Consequently, the database performance degrades significantly. The team needs to resolve the issue and prevent recurrence. The SAP system cannot tolerate more than 10 minutes of downtime. The budget is limited. Which action should the team take?

A.Migrate the database to an io2 Block Express volume with provisioned IOPS.
B.Add additional EBS volumes and configure RAID 0 striping to increase IOPS.
C.Change the EBS volume type from gp2 to gp3 and increase the IOPS and throughput settings as needed.
D.Increase the volume size to 1000 GB to increase baseline IOPS and burst credits.
AnswerC

gp3 provides consistent baseline performance without burst credits and is cost-effective.

Why this answer

Switching to gp3 provides baseline performance without burst credits and is cost-effective. Option C is correct. Option A is wrong because increasing to io2 volumes is more expensive and may require downtime if not using elasticity.

Option B is wrong because changing to st1 is for throughput-optimized workloads, not suitable for database. Option D is wrong because adding more volumes and striping is complex and may require downtime.

968
Multi-Selectmedium

Which TWO actions should an SAP administrator take to ensure high availability for an SAP HANA database on AWS? (Choose two.)

Select 2 answers
A.Enable SAP HANA system replication
B.Deploy the database on a single large instance
C.Schedule regular manual snapshots
D.Use a Multi-AZ deployment for the database
E.Use a single EBS volume with high IOPS
AnswersA, D

Provides data redundancy across nodes.

Why this answer

Options A and B are correct. Enabling system replication provides data redundancy, and using a Multi-AZ deployment ensures automatic failover. Option C is wrong because a single EBS volume does not provide HA.

Option D is wrong because manual snapshots are not automatic HA. Option E is wrong because a single instance lacks redundancy.

969
MCQeasy

A company runs a critical SAP application on AWS. The operations team needs to monitor the system for performance issues and receive alerts when CPU utilization exceeds 80% for 5 consecutive minutes. Which AWS service should be used to set up this monitoring and alerting?

A.AWS Config
B.AWS CloudTrail
C.Amazon CloudWatch
D.AWS Health
AnswerC

CloudWatch monitors metrics and can trigger alarms based on thresholds.

Why this answer

Amazon CloudWatch can monitor CPU utilization and trigger alarms when a threshold is breached. CloudTrail is for API auditing, Config is for compliance, and AWS Health provides service health notifications.

970
MCQmedium

A company is running SAP NetWeaver on AWS and wants to implement a high-availability solution for the SAP Central Services (ASCS). Which AWS service can be used to manage the virtual IP address for failover?

A.Amazon Route 53 with failover routing
B.AWS Global Accelerator
C.Elastic Load Balancer (ELB)
D.Elastic IP address reassignment
AnswerA

Route 53 failover routing can redirect clients to the secondary ASCS.

Why this answer

Amazon Route 53 can be used for DNS-based failover by updating records. Elastic IP can be reassigned, but Route 53 is simpler for multi-AZ scenarios.

971
MCQhard

An SAP system on AWS is experiencing intermittent network connectivity issues between the application servers and the database server. Both are in the same VPC but different subnets. The security groups allow all traffic between them. What should the administrator check next?

A.Network ACL rules for the subnets
B.VPC Flow Logs to analyze dropped packets
C.Route tables to ensure proper routing
D.Security group rules for outbound traffic
AnswerA

NACLs are stateless and must allow ephemeral port return traffic.

Why this answer

Network ACLs are stateless and must allow both inbound and outbound traffic. If NACLs block return traffic, connectivity fails intermittently. VPC Flow Logs can help diagnose but are not the first check.

Route tables are typically correct within a VPC. The issue is likely at the NACL level.

972
MCQhard

A company is migrating an SAP NetWeaver system to AWS using the AWS Application Migration Service (AWS MGN). The source server runs SUSE Linux Enterprise Server (SLES) 12 SP5. After the cutover, the SAP application fails to start with an error indicating that the hostname resolution fails. The target EC2 instance has the same hostname as the source. What is the most likely cause?

A.The network configuration file /etc/sysconfig/network was not replicated
B.The /etc/hosts file on the target instance still references the source server's old private IP address
C.The source server's operating system is not supported by AWS MGN
D.The target instance is not registered in Amazon Route 53 private hosted zone
AnswerB

After migration, the target instance gets a new IP; /etc/hosts must be updated to reflect the new IP.

Why this answer

Option D is correct. AWS MGN does not automatically replicate the /etc/hosts file; after migration, the new instance's private IP changes, so /etc/hosts must be updated. Option A is incorrect because AWS MGN supports SLES.

Option B is incorrect because AWS MGN replicates the entire OS disk including /etc/sysconfig/network. Option C is incorrect because Route 53 is not required for internal hostname resolution.

973
Multi-Selectmedium

Which TWO are best practices for securing SAP on AWS?

Select 2 answers
A.Place all SAP systems in the default VPC.
B.Attach public IP addresses to all SAP EC2 instances for easy management.
C.Use security groups to control traffic between SAP components.
D.Disable security groups and rely on SSH key pairs only.
E.Use IAM roles for EC2 instances to access AWS services securely.
AnswersC, E

Security groups are stateful firewalls.

Why this answer

Option B is correct: Security groups act as virtual firewalls. Option D is correct: IAM roles for EC2 provide secure credential management. Option A is wrong because default VPC is not recommended.

Option C is wrong because public subnets expose instances. Option E is wrong because SSH key pair is for instance access, not security group.

974
MCQmedium

A company is running SAP HANA on AWS. The system administrator notices that the SAP HANA database is frequently running out of memory, causing performance degradation. Which AWS service should the administrator use to set up memory usage alarms and automate scaling of the SAP HANA instance?

A.Amazon EC2 Auto Scaling
B.AWS Lambda
C.AWS Systems Manager
D.Amazon CloudWatch and AWS Auto Scaling
AnswerD

CloudWatch monitors memory (via agent) and Auto Scaling can adjust instance type or add instances.

Why this answer

Option B is correct because Amazon CloudWatch can monitor memory metrics (via custom metrics) and trigger alarms; combined with AWS Auto Scaling, it can automatically adjust the instance size or add resources. Option A is wrong because AWS Lambda is a compute service, not a monitoring/scaling service. Option C is wrong because AWS Systems Manager is for management, not native monitoring and auto-scaling.

Option D is wrong because Amazon EC2 Auto Scaling works at the instance group level, not for vertical scaling of a single HANA instance.

975
Multi-Selectmedium

Which TWO actions should an operations team take to ensure high availability for SAP HANA in a single AWS Region?

Select 2 answers
A.Create read replicas of the HANA database.
B.Deploy SAP HANA in a Multi-AZ configuration using HANA System Replication.
C.Use HANA System Replication with automatic failover.
D.Configure automated backups to Amazon S3.
E.Use a single large EC2 instance in one Availability Zone.
AnswersB, C

Multi-AZ with HSR provides failover across Availability Zones.

Why this answer

Options A and D are correct. A: Multi-AZ deployment provides failover across Availability Zones. D: HANA System Replication with automatic failover ensures data consistency and failover.

Option B is wrong because a single instance in one AZ does not provide HA. Option C is wrong because backups do not provide automatic failover. Option E is wrong because read replicas are for read scaling, not HA.

Page 12

Page 13 of 24

Page 14