AWS Certified SAP on AWS Specialty PAS-C01 (PAS-C01) — Questions 451–525

1733 questions total · 24 pages · All types, answers revealed

451
MCQ · medium

A company is planning to run SAP NetWeaver on AWS and wants to use Auto Scaling for the application server tier. Which consideration is critical when implementing Auto Scaling for SAP application servers?

A. Ensure the database can scale automatically with the application tier.
B. Enable termination protection on all Auto Scaling instances.
C. Use encrypted EBS volumes for all instances.
D. Automatically register new instances with the SAP Central Services instance.
Answer: D

New app servers must be registered with ASCS to join the SAP system.

Why this answer

Option D is correct because SAP application servers must be registered with the SAP Central Services instance (ASCS/SCS) to be recognized as part of the SAP system. Auto Scaling can launch new instances, but without automatic registration via sapstartsrv or the SAP Host Agent, the new instances will not be able to communicate with the Central Services instance, and the SAP system will not utilize them for workload.

Exam trap

The trap here is that candidates often focus on infrastructure-level concerns like encryption or termination protection, overlooking the application-level dependency that SAP application servers must be explicitly registered with Central Services to function as part of the SAP system.

How to eliminate wrong answers

Option A is wrong because the database tier in an SAP NetWeaver landscape is typically a single, stateful component that cannot be scaled automatically with the application tier; Auto Scaling is designed for stateless application servers, and the database must be scaled independently, often requiring manual intervention or separate database clustering solutions. Option B is wrong because termination protection is a safety feature to prevent accidental deletion of instances, but it is not a critical consideration for implementing Auto Scaling for SAP application servers; in fact, Auto Scaling requires the ability to terminate instances during scale-in events, and enabling termination protection would break the scaling process. Option C is wrong because, while encrypted EBS volumes are a security best practice, they are not a critical consideration specific to Auto Scaling for SAP application servers; encryption does not affect the ability to scale or register instances with Central Services.

452
MCQ · easy

An administrator receives this error when trying to register an SAP system in AWS Systems Manager. What is the likely cause?

A. The SAP Host Agent is not installed on the EC2 instance.
B. The IAM role assigned to the instance does not have the required permissions.
C. The AWS Systems Manager Agent (SSM Agent) is not running.
D. The SAP system is not installed correctly.
Answer: A

The error message explicitly states that the SAP Host Agent is not installed.

Why this answer

Option A is correct because the SAP Host Agent must be installed on the EC2 instance for Systems Manager to manage the SAP system. Option B is incorrect because IAM role issues would give a different error (e.g., access denied). Option C is incorrect because the SSM Agent may be installed, but the error specifically says SAPHostAgent. Option D is incorrect because the error is not about the SAP application itself.

453
MCQ · easy

Your SAP system on AWS uses a shared file system with Amazon EFS. The operations team notices that the SAP application is experiencing latency when reading files from EFS. Which action can improve read performance?

A. Use Amazon FSx for Windows File Server instead.
B. Move the file system to Amazon EBS with provisioned IOPS.
C. Use Amazon S3 with Transfer Acceleration.
D. Enable EFS performance mode 'max I/O'.
Answer: D

Improves throughput.

Why this answer

Option D is correct because enabling EFS 'max I/O' performance mode increases the file system's ability to handle a high number of concurrent read operations by distributing data across multiple servers within the AWS region. This mode is specifically designed for workloads like SAP that require high throughput and low-latency access to shared files, as it scales I/O operations horizontally without the bottleneck of a single file server.

Exam trap

The trap here is that candidates often confuse EFS performance modes with throughput settings, assuming 'max I/O' only helps with write-heavy workloads, when in fact it is critical for read-heavy, high-concurrency scenarios like SAP shared file systems.

How to eliminate wrong answers

Option A is wrong because Amazon FSx for Windows File Server uses the SMB protocol, which is not optimized for SAP's typical NFS-based shared file system requirements and can introduce additional latency due to protocol translation overhead. Option B is wrong because moving to Amazon EBS with provisioned IOPS would require attaching the volume to a single EC2 instance, breaking the shared file system requirement for SAP's distributed architecture and failing to provide concurrent access across multiple application servers. Option C is wrong because Amazon S3 with Transfer Acceleration is an object storage service that does not support file-level locking or POSIX semantics required by SAP for shared file systems, and Transfer Acceleration only improves upload speeds over long distances, not read latency for existing files.

454
MCQ · medium

Refer to the exhibit. An administrator runs the AWS CLI command shown and receives the output. The instance is running, but the SAP application on the instance is not accessible. Which additional AWS CLI command should the administrator run to troubleshoot the network connectivity?

A. `aws ec2 describe-subnets`
B. `aws ec2 describe-network-interfaces`
C. `aws ec2 describe-security-groups`
D. `aws ec2 describe-instances --instance-ids i-0abcd1234efgh5678 --query 'Reservations[0].Instances[0].NetworkInterfaces'`
Answer: D

This query returns network interface details including public IP, security groups, etc.

Why this answer

Option D is correct because the describe-instances command with the query for NetworkInterfaces can provide the public IP address, security groups, and subnet information, which are crucial for network troubleshooting. Option A is wrong because describe-subnets doesn't show instance-level network details. Option B is wrong because describe-network-interfaces provides similar info but without instance context. Option C is wrong because describe-security-groups alone doesn't show which groups are attached.

455
MCQ · medium

A company is migrating its SAP HANA database to AWS and needs to choose the most appropriate EC2 instance type. The workload requires high memory bandwidth and is CPU-intensive. Which instance family would best meet these requirements?

A. M5 instance family
B. I3 instance family
C. C5 instance family
D. X1e instance family
Answer: D

X1e instances are memory-optimized with high memory bandwidth, ideal for SAP HANA workloads.

Why this answer

The X1e instance family is purpose-built for high-memory, CPU-intensive SAP HANA workloads, offering up to 3.9 TB of memory and high memory bandwidth per vCPU. This aligns with SAP HANA's requirement for large in-memory databases and compute-intensive processing, making D the correct choice.

Exam trap

The trap here is that candidates often confuse compute-optimized (C5) or storage-optimized (I3) families with SAP HANA requirements, overlooking that SAP HANA's in-memory nature demands memory-optimized instances like X1e with high memory bandwidth and capacity, not just raw CPU or I/O performance.

How to eliminate wrong answers

Option A is wrong because the M5 instance family is a general-purpose option that balances compute, memory, and networking, but lacks the high memory bandwidth and large memory capacity required for SAP HANA. Option B is wrong because the I3 instance family is storage-optimized with high local NVMe SSD performance, designed for I/O-intensive workloads like databases with high throughput, not for CPU-intensive, high-memory-bandwidth SAP HANA. Option C is wrong because the C5 instance family is compute-optimized, focusing on high CPU performance for workloads like batch processing or web servers, but it does not provide the large memory footprint or memory bandwidth needed for SAP HANA in-memory operations.

456
MCQ · easy

A company is using SAP HANA on AWS and needs to restore a backup to a new HANA instance. Which AWS service should be used to automate the backup and restore process?

A. AWS Backup
B. Amazon Data Lifecycle Manager (DLM)
C. AWS CloudFormation
D. Amazon S3
Answer: A

AWS Backup supports SAP HANA with Backint integration for automated backups.

Why this answer

Option A is correct because AWS Backup can automate backups of SAP HANA databases using Backint. Option B is wrong because DLM manages EBS snapshots, not HANA backups. Option C is wrong because CloudFormation is for infrastructure provisioning. Option D is wrong because S3 is storage, not automation.

457
Multi-Select · easy

A company is deploying SAP on AWS and needs to ensure high availability for the SAP application servers. Which TWO strategies can be used to achieve this? (Choose TWO.)

Select 2 answers
A. Use Amazon RDS Multi-AZ for the application tier
B. Use a single large EC2 instance with an Elastic IP
C. Use an Auto Scaling group with an Application Load Balancer
D. Attach the same EBS volume to multiple instances
E. Deploy application servers in multiple Availability Zones
Answers: C, E

Auto Scaling replaces failed instances, ALB distributes traffic.

Why this answer

Options C and E are correct. Deploying across multiple Availability Zones and using an Auto Scaling group with a load balancer provides HA and scalability. Option A is wrong because RDS is for databases, not application servers. Option B is wrong because a single instance does not provide HA. Option D is wrong because EBS Multi-Attach is limited and not for application servers.

458
MCQ · medium

A company is migrating a legacy application to AWS that requires a static IP address for client whitelisting. The application will run on EC2 instances behind an Application Load Balancer (ALB). The company wants to ensure the IP address does not change over time. What should the company do?

A. Assign an Elastic IP to each EC2 instance
B. Use Route 53 latency-based routing to point to the ALB
C. Use AWS Global Accelerator to get two static IP addresses
D. Use a Network Load Balancer (NLB) with an Elastic IP address
Answer: D

NLB supports static IP via Elastic IP, which can be whitelisted.

Why this answer

Option D is correct because a Network Load Balancer (NLB) supports static IP addresses by allowing you to assign Elastic IPs directly to each of its Availability Zone subnets. This provides fixed IP endpoints for client whitelisting, while the NLB can forward traffic to the EC2 instances behind an ALB, preserving the application's architecture.

Exam trap

The trap here is that candidates often choose Global Accelerator because it offers static IPs, but they overlook that an NLB with Elastic IPs is the simpler, cost-effective solution for a single-region static IP requirement, and Global Accelerator is intended for global traffic acceleration, not just static IP assignment.

How to eliminate wrong answers

Option A is wrong because assigning Elastic IPs to EC2 instances would expose individual instance IPs, not a stable front-end IP for the ALB, and the instances are behind the ALB, so client whitelisting should target the load balancer's IP, not the instances. Option B is wrong because Route 53 latency-based routing resolves to the ALB's DNS name, which can change IP addresses over time, and does not provide static IP addresses. Option C is wrong because AWS Global Accelerator provides two static IP addresses, but it is designed for global traffic optimization and adds unnecessary complexity and cost; the question requires a simple static IP for whitelisting, which the NLB with Elastic IPs directly achieves.

459
MCQ · medium

A company is designing a highly available SAP HANA system on AWS. They need to replicate data synchronously to a secondary site in a different Availability Zone. Which AWS service should they use?

A. Amazon S3 cross-region replication
B. AWS Database Migration Service (DMS)
C. Amazon RDS Multi-AZ
D. SAP HANA System Replication (HSR)
Answer: D

HSR is SAP's native replication for HANA.

Why this answer

Option D is correct because SAP HANA System Replication (HSR) with synchronous replication is the standard approach for HA across AZs. Options A, B, and C are not SAP HANA replication mechanisms.

460
MCQ · hard

Refer to the exhibit. An IAM policy is attached to a user who manages SAP EC2 instances. Which of the following actions can the user perform?

A. Describe all EC2 instances, but start and stop only those with the tag Environment=production.
B. Describe, start, and stop all EC2 instances regardless of tags.
C. Start and stop any EC2 instance in the account.
D. Terminate any EC2 instance with the tag Environment=production.
Answer: A

The describe action is wildcard; start/stop have condition.

Why this answer

Option C is correct because the policy allows ec2:Describe* on all resources, and StartInstances and StopInstances only on instances with tag Environment=production. The user cannot start/stop instances without the tag. Option A is wrong because the user can describe all instances. Option B is wrong because the user can only start/stop production instances. Option D is wrong because the policy does not allow termination.

461
MCQ · medium

An SAP administrator created the IAM policy shown in the exhibit to allow a monitoring tool to start and stop SAP application servers tagged with Environment=Production. When testing the policy, the tool fails to start an instance. What is the most likely cause?

A. The policy requires the instance to be stopped before starting.
B. The policy is missing the ec2:DescribeInstances action.
C. The policy does not allow starting instances that are already running.
D. The resource ARN does not match the instance ID.
Answer: C

ec2:StartInstances only works on stopped instances; attempting to start a running instance fails.

Why this answer

Option C is correct because the policy uses a condition that checks if the instance is already running (`ec2:InstanceState/Name` equals `running`). The `ec2:StartInstances` action is only allowed when the instance is in the `running` state, but starting an instance requires it to be in the `stopped` state. This mismatch causes the start action to fail for production-tagged instances.

Exam trap

The trap here is that candidates assume the condition `ec2:InstanceState/Name` equals `running` is correct for starting instances, confusing the required state for start (stopped) with the state for stop (running).

How to eliminate wrong answers

Option A is wrong because the policy does not require the instance to be stopped before starting; the condition incorrectly requires the instance to be running, which is the opposite of what is needed for a start operation. Option B is wrong because the `ec2:DescribeInstances` action is not required for starting instances; the `ec2:StartInstances` action alone is sufficient, and the failure is due to the condition, not a missing action. Option D is wrong because the resource ARN uses a wildcard (`*`) for the instance ID, which matches any instance ID, so the ARN format is not the issue.

462
MCQ · hard

Refer to the exhibit. An IAM policy is created for an automated script that starts and stops EC2 instances. The script is failing to stop an instance with the tag 'Environment: non-production'. What is the most likely cause?

A. The EC2 instance does not have the tag 'Environment' with value 'non-production'.
B. The policy does not include ec2:StopInstances action.
C. The policy does not allow ec2:Describe* actions for instances.
D. The condition is applied to the ec2:StartInstances action but not ec2:StopInstances.
Answer: A

The condition requires the instance to have that exact tag; otherwise, the action is denied.

Why this answer

Option B is correct because the policy allows StartInstances and StopInstances, but the condition requires the instance to have the tag 'Environment' with value 'non-production'. If the instance does not have this exact tag, the action is denied. Option A is wrong because the condition is on the resource, not the request. Option C is wrong because the policy does allow StopInstances for specific resources. Option D is wrong because the policy allows Describe* for all resources.

463
MCQ · medium

An SAP administrator attaches the above IAM policy to a user. What actions can the user perform?

A. Describe, start, and stop EC2 instances, but not terminate them.
B. Perform all EC2 actions including terminate.
C. Only describe EC2 instances.
D. Only start and stop instances.
Answer: A

Allow actions include describe, start, stop; deny overrides for terminate.

Why this answer

Option A is correct. The policy allows Describe* (read) and Start/Stop instances, and explicitly denies Terminate. Thus the user can start and stop instances but cannot terminate them. Option B is wrong because terminate is denied. Option C is wrong because start/stop are allowed. Option D is wrong because describe is allowed.

464
MCQ · easy

A company is running SAP HANA on an r5.8xlarge instance. They want to scale up to meet increased memory requirements. Which instance family would be the MOST suitable for a scale-up scenario?

A. x1e.32xlarge
B. r5.24xlarge
C. i3.16xlarge
D. c5.18xlarge
Answer: A

x1e is designed for large SAP HANA scale-up.

Why this answer

The x1e.32xlarge instance is part of the X1e family, which is specifically designed for high-memory workloads like SAP HANA. With 3,904 GiB of memory, it provides the largest memory capacity among AWS instances, making it the most suitable for scaling up SAP HANA to meet increased memory requirements. SAP HANA is an in-memory database, so scaling up requires instances with high memory-to-vCPU ratios, which the X1e family delivers.

Exam trap

The trap here is that candidates may choose the r5.24xlarge because it is memory-optimized, but they overlook that the X1e family offers much higher memory capacity specifically required for SAP HANA scale-up scenarios.

How to eliminate wrong answers

Option B (r5.24xlarge) is wrong because while the R5 family is memory-optimized, it offers only 768 GiB of memory, which is significantly less than the x1e.32xlarge and may not meet the increased memory requirements for a scale-up scenario. Option C (i3.16xlarge) is wrong because the I3 family is storage-optimized with high local NVMe SSD performance, not designed for large memory capacity; it provides only 488 GiB of memory, which is insufficient for SAP HANA scale-up. Option D (c5.18xlarge) is wrong because the C5 family is compute-optimized, focusing on high CPU performance with only 144 GiB of memory, making it completely unsuitable for memory-intensive SAP HANA workloads.

465
MCQ · medium

A company is migrating an on-premises Oracle database to Amazon RDS for Oracle. The database is 2 TB in size and has a 4-hour maintenance window. Which AWS service should be used to minimize downtime during the migration?

A. AWS Server Migration Service
B. AWS Database Migration Service (DMS)
C. AWS Data Pipeline
D. AWS Snowball
Answer: B

DMS supports ongoing replication to minimize downtime during database migration.

Why this answer

AWS Database Migration Service (DMS) supports ongoing replication to minimize downtime. Option A (AWS Server Migration Service) is for server-level migrations. Option C (AWS Data Pipeline) is for data processing. Option D (AWS Snowball) is for large data transfers but not minimal downtime.

466
MCQ · easy

An SAP system on AWS requires persistent storage for its database logs. Which storage option should be used to meet the performance requirements of SAP HANA?

A. Instance store volumes
B. Amazon EBS io2 Block Express volumes
C. Amazon S3
D. Amazon EFS
Answer: B

io2 Block Express offers high IOPS and low latency for HANA.

Why this answer

Option B is correct because SAP HANA requires high-performance, low-latency storage, and EBS io2 Block Express volumes provide consistent low latency and high IOPS. Options A, C, and D do not meet the performance requirements.

467
MCQ · easy

An SAP workload on AWS uses a single Availability Zone deployment. The company wants to improve high availability without changing the existing architecture significantly. Which action should be taken?

A. Use an Amazon EBS volume attached to multiple instances across AZs.
B. Add a second SAP application server in a different Availability Zone and configure load balancing.
C. Increase the size of the EC2 instances to handle failover.
D. Enable EBS Multi-Attach on the database volume.
Answer: B

This provides application tier HA across AZs.

Why this answer

Adding a second SAP application server in a different Availability Zone and configuring load balancing provides high availability by distributing traffic across multiple AZs, ensuring that if one AZ fails, the application remains accessible. This approach aligns with SAP's recommended architecture for multi-AZ deployments without requiring significant changes to the existing single-AZ setup, as it only adds an additional application tier instance and a load balancer.

Exam trap

The trap here is that candidates often confuse scaling (increasing instance size) with high availability, or assume EBS Multi-Attach works across Availability Zones, when in fact it is restricted to a single AZ and specific volume types.

How to eliminate wrong answers

Option A is wrong because an Amazon EBS volume cannot be attached to multiple EC2 instances across different Availability Zones; EBS volumes are AZ-specific and can only be attached to instances within the same AZ, and multi-attach is limited to specific volume types and instances within the same AZ. Option C is wrong because increasing the size of EC2 instances does not provide high availability; it only improves performance or capacity for a single instance, which remains a single point of failure in the event of an AZ outage. Option D is wrong because EBS Multi-Attach is only supported for io1 or io2 volumes within a single Availability Zone and cannot be used across AZs; it also does not address application-level high availability and is not suitable for SAP database volumes that require consistent read/write access from multiple instances.

468
Multi-Select · medium

Which THREE factors should be considered when choosing a migration strategy for a legacy application to AWS? (Choose three.)

Select 3 answers
A. Physical location of the source server
B. Programming language used
C. Total cost of ownership (TCO)
D. Business continuity requirements (RTO/RPO)
E. Data sensitivity and compliance requirements
Answers: C, D, E

TCO influences re-architecture vs. lift-and-shift.

Why this answer

Correct options: C, D, E. Business continuity, data sensitivity, and cost are critical. Options A and B are incorrect: physical location is less relevant; programming language alone does not determine strategy.

469
Multi-Select · hard

Which THREE actions should be taken to ensure a secure and compliant SAP environment on AWS? (Choose 3)

Select 3 answers
A. Place all SAP servers in a public subnet for easy access
B. Restrict IAM permissions to only necessary actions
C. Use security groups to restrict inbound and outbound traffic
D. Enable encryption on EBS volumes and RDS instances
E. Store all application logs in Amazon S3 with public read access
Answers: B, C, D

Least privilege reduces security risks.

Why this answer

Options B, C, and D are correct. B: IAM policies enforce least privilege. C: Security groups control network access. D: Encryption protects data at rest. Option A is wrong because public subnets expose resources. Option E is wrong because CloudTrail is for auditing, not storing logs.

470
MCQ · easy

A company is deploying SAP NetWeaver on AWS and needs to configure the SAP application server instances for high availability. Which AWS feature is used to distribute traffic across multiple application server instances in different Availability Zones?

A. Auto Scaling group
B. Amazon Route 53 weighted routing
C. Application Load Balancer
D. NAT Gateway
Answer: C

ALB distributes traffic across instances in multiple AZs.

Why this answer

An Application Load Balancer (ALB) can distribute HTTP/HTTPS traffic across multiple targets in different AZs. Option C is correct. Route 53 is a DNS service, not a load balancer. NAT Gateway is for outbound traffic. Auto Scaling groups manage instance count, not traffic distribution.

471
Multi-Select · medium

Which TWO of the following are valid strategies for reducing the total cost of ownership (TCO) for SAP workloads on AWS?

Select 2 answers
A. Schedule start/stop of non-production instances using Instance Scheduler
B. Use Reserved Instances for production systems
C. Use GP2 EBS volumes instead of GP3
D. Use Graviton-based instances for SAP application servers
E. Deploy SAP HANA in Multi-AZ configuration
Answers: A, B

Stops instances when not needed.

Why this answer

Option A is correct because AWS Instance Scheduler allows you to define start and stop schedules for non-production SAP instances, significantly reducing compute costs during off-hours. This is a direct TCO reduction strategy for SAP workloads, as non-production environments often run 24/7 unnecessarily.

Exam trap

The trap here is that candidates may confuse cost-reduction strategies with performance or availability strategies, such as choosing GP2 over GP3 (which actually increases cost) or assuming Graviton is supported for SAP when it is not.

472
MCQ · medium

A company is running SAP on AWS and needs to reduce the cost of their development and test systems. The systems are only needed during business hours on weekdays. Which AWS service can be used to automatically stop and start the EC2 instances on a schedule?

A. AWS Instance Scheduler
B. Amazon EC2 Auto Scaling
C. Amazon CloudWatch Alarms
D. AWS Systems Manager Maintenance Windows
Answer: A

Instance Scheduler automates start/stop on a schedule.

Why this answer

Option A is correct because AWS Instance Scheduler is a solution that automatically stops and starts instances based on a schedule. Option B is wrong because Auto Scaling is for scaling, not scheduling. Option C is wrong because CloudWatch Alarms trigger based on metrics, not time-based schedules. Option D is wrong because Systems Manager Maintenance Windows are for patching.

473
MCQ · hard

A company has an SAP S/4HANA system running on AWS with a custom backup solution that uses AWS Backup. The backup policy includes daily backups with a retention of 30 days. The operations team notices that backup jobs for the SAP application server are failing intermittently. What should the team do to troubleshoot the issue?

A. Verify that the IAM role used by AWS Backup has sufficient permissions.
B. Review the CloudWatch Logs for the backup job to identify error messages.
C. Switch to using SAP HANA Studio for backups.
D. Increase the backup frequency to capture more recovery points.
Answer: B

CloudWatch Logs contain detailed error information for troubleshooting.

Why this answer

Option B is correct because checking CloudWatch Logs for backup job errors provides specific details on failures. Option A is wrong because, while helpful, checking IAM roles may not be the only issue. Option C is wrong because moving to a different backup tool may not be necessary. Option D is wrong because increasing backup frequency does not address the root cause.

474
MCQ · easy

An SAP system administrator needs to restart a critical SAP application server EC2 instance that is part of a cluster. Which approach minimizes downtime?

A. Modify the instance type in the AWS Management Console.
B. Reboot the instance from the AWS Management Console.
C. Stop and start the instance from the AWS Management Console.
D. Terminate the instance and launch a new one with the same AMI.
Answer: B

Reboot is the fastest recovery without changing the host.

Why this answer

Option B is correct because a reboot does not change the underlying host, and the instance retains its public and private IP addresses. Option A is wrong because modifying instance type requires stop/start. Option C is wrong because stop/start changes the underlying host and may take longer. Option D is wrong because terminating and launching a new instance loses all data on instance store volumes.

475
MCQ · medium

An SAP system running on AWS is experiencing high latency to its S3-backed backup destination. Which architectural change would most effectively reduce backup latency?

A. Configure an S3 Gateway Endpoint in the VPC to route traffic to S3 privately.
B. Increase the size of the EC2 instance running SAP to improve I/O throughput.
C. Move the SAP instance to a different Availability Zone closer to the S3 bucket.
D. Enable S3 Transfer Acceleration on the backup bucket.
Answer: A

An S3 Gateway Endpoint keeps traffic within the AWS network, reducing latency and improving performance.

Why this answer

An S3 Gateway Endpoint provides a private, low-latency path from the SAP EC2 instance to S3 without traversing the public internet or NAT gateways. This eliminates network hops and reduces latency by keeping traffic within the AWS network, directly addressing the high-latency issue for S3-backed backups.

Exam trap

The trap here is that candidates often confuse S3 Transfer Acceleration (which is for long-distance, cross-region speed) with a solution for within-region latency, or assume that moving to a different Availability Zone reduces latency to a regional service like S3.

How to eliminate wrong answers

Option B is wrong because increasing EC2 instance size improves compute and I/O throughput for local storage, but does not reduce network latency to S3, which is the root cause. Option C is wrong because moving the SAP instance to a different Availability Zone does not change the physical distance to the S3 bucket (S3 is a regional service), and may even increase latency if the new AZ is farther from the S3 endpoints. Option D is wrong because S3 Transfer Acceleration optimizes upload speed over long distances via edge locations, but adds overhead and cost; it does not reduce latency for backups within the same region and may actually increase latency for short-distance transfers.

476
Multi-Select · hard

A company is migrating its SAP ECC system to SAP S/4HANA on AWS. The current database is running on Oracle. They want to minimize downtime during the migration. Which THREE services or features should they consider to achieve a near-zero downtime migration? (Select THREE.)

Select 3 answers
A. Use AWS Snowball to transfer the initial Oracle data dump to AWS.
B. Use SAP HANA System Replication (HSR) for the final synchronization.
C. Use EC2 Hibernate to pause the source instance during cutover.
D. Use AWS Database Migration Service (DMS) for ongoing replication from Oracle to HANA.
E. Use Amazon EBS Snapshots for point-in-time recovery and replication.
Answers: B, C, D

HSR can be used to keep the HANA target in sync during the cutover.

Why this answer

Options A, C, and D are correct. AWS DMS can replicate data from Oracle to SAP HANA with minimal downtime. SAP HANA System Replication can be used for the final sync. EBS Snapshots provide a backup and restore option but are not for zero downtime. Option B (Snowball) is for large data transfer, not for ongoing replication. Option E (EC2 Hibernate) is not applicable for database migration.

477
MCQ · easy

A company is running SAP on AWS and needs to encrypt all data at rest for the SAP HANA database. Which AWS service should be used to manage the encryption keys?

A. AWS CloudHSM
B. AWS Key Management Service (KMS)
C. AWS Secrets Manager
D. AWS Certificate Manager (ACM)
Answer: B

KMS is used to manage encryption keys for data at rest.

Why this answer

Option B is correct because AWS KMS is the managed service for creating and controlling encryption keys used for EBS volumes, RDS, etc. Option A is wrong because CloudHSM provides dedicated hardware but is not required. Option C is wrong because Secrets Manager is for secrets, not encryption keys.

Option D is wrong because ACM is for SSL/TLS certificates.

478
MCQ hard

An SAP system on AWS uses a shared file system with Amazon EFS. The operations team notices that file operations have high latency during peak hours. The EFS file system is configured with Bursting Throughput mode. The team monitors the CloudWatch metric PercentIOLimit and sees it consistently at 100%. What should the team do to improve performance?

A. Enable encryption at rest for the file system
B. Change the performance mode to General Purpose
C. Increase the size of the file system by adding more files
D. Change the file system to Provisioned Throughput mode
Answer: D

Provisioned Throughput ensures consistent throughput regardless of burst credits.

Why this answer

PercentIOLimit at 100% indicates the file system is using all its burst credits. To avoid throttling, the team should change to Provisioned Throughput mode or increase the amount of data stored to earn more credits. Changing to General Purpose performance mode affects latency, not throughput.

Enabling encryption adds overhead. Increasing file system size indirectly helps earn more credits but is not a direct solution.

479
MCQ medium

An SAP administrator runs the above CLI command to find the public IP of an m5.2xlarge instance. The output is null. Which of the following is the most likely reason?

A. The security group blocks the public IP
B. The CLI command has a syntax error
C. The instance type m5.2xlarge does not support public IP addresses
D. The instance does not have a public IP address assigned
Answer: D

The instance may be in a private subnet or launched without a public IP.

Why this answer

A null value for Association.PublicIp means the instance does not have a public IP address assigned. Option A is wrong because the instance type does not affect public IP assignment. Option C is wrong because a security group does not assign public IPs.

Option D is wrong because the command syntax is correct.

480
MCQ easy

An SAP administrator is troubleshooting connectivity between an SAP application server (security group sg-12345) and an SAP HANA database server. The inbound rule on the database security group is shown in the exhibit. Which additional configuration is required for the application server to communicate with the database?

A. Add an inbound rule allowing traffic from the application server's IP address.
B. Add an inbound rule to the application server's security group.
C. Modify the network ACL to allow inbound traffic on port 3300.
D. No additional rule is needed; the rule allows traffic from sg-12345.
Answer: C

NACLs are stateless and must allow both inbound and outbound traffic.

Why this answer

Option A is correct because the rule references the source security group, but the direction is inbound; the database needs an inbound rule allowing traffic from sg-12345. Without that, traffic is blocked. Option B is wrong because the rule already references sg-12345.

Option C is wrong because NACLs are stateless and need both inbound and outbound rules, but the question is about security group. Option D is wrong because the application server needs an outbound rule, not inbound.

481
MCQ hard

An SAP Basis administrator is troubleshooting a performance issue on an SAP HANA database running on an r5.4xlarge instance with dedicated tenancy. The instance is part of a placement group named 'sap-cluster'. The administrator suspects network throughput is suboptimal. Based on the exhibit, what is the MOST likely reason?

A. Dedicated tenancy prevents the use of Enhanced Networking.
B. The instance type r5.4xlarge does not support Enhanced Networking.
C. The placement group 'sap-cluster' restricts network throughput.
D. The instance is using the Xen hypervisor, which does not support Enhanced Networking with ENA.
Answer: D

Xen hypervisor indicates no Enhanced Networking.

Why this answer

The r5.4xlarge instance uses the Nitro hypervisor, not Xen. However, the exhibit shows that Enhanced Networking is not enabled, and the instance is using the Xen PV network driver. This indicates that the instance was launched with an older Amazon Machine Image (AMI) that does not support the Elastic Network Adapter (ENA).

Without ENA, the instance cannot achieve the high network throughput required for SAP HANA, leading to suboptimal performance.

Exam trap

The trap here is that candidates may assume all modern instance types automatically have Enhanced Networking enabled, but the actual driver and AMI support determine whether ENA is used, and the exhibit's network driver information reveals the root cause.

How to eliminate wrong answers

Option A is wrong because dedicated tenancy does not prevent the use of Enhanced Networking; Enhanced Networking with ENA is supported on dedicated instances. Option B is wrong because the r5.4xlarge instance type fully supports Enhanced Networking with ENA. Option C is wrong because placement groups do not restrict network throughput; they can actually improve network performance by placing instances in close proximity within a single Availability Zone.

482
Multi-Select medium

Which THREE factors should be considered when selecting an EC2 instance type for an SAP HANA production system? (Choose three.)

Select 3 answers
A. The instance type must have sufficient memory capacity for the HANA database.
B. The instance type must provide adequate network bandwidth for replication and backups.
C. The instance type must have GPU acceleration for HANA analytics.
D. The instance type must be certified by SAP for SAP HANA.
E. The instance type must have a high number of vCPUs regardless of memory.
Answers: A, B, D

HANA is memory-intensive.

Why this answer

Options A, B, and C are correct. A: SAP HANA certification is required for production. B: Memory is critical for HANA.

C: Network bandwidth affects performance. Option D is wrong because HANA does not use GPUs. Option E is wrong because vCPU count is important but not the only factor; memory is more critical.

483
MCQ hard

An SAP administrator notices that the sapstartsrv process on an EC2 instance is failing to start after a system reboot. The instance is running SUSE Linux Enterprise Server (SLES) for SAP Applications. Which of the following log files should be examined FIRST to diagnose the issue?

A. /var/log/messages
B. /usr/sap/<SID>/SYS/global/sapstartsrv.log
C. SAP HANA studio trace files
D. Amazon CloudWatch logs for the instance
Answer: B

The sapstartsrv log file contains detailed information about the startup process of the SAP start service.

Why this answer

Option A is correct because sapstartsrv logs are stored in the SAP system profile directory. Option B is wrong because /var/log/messages contains system messages but not SAP-specific logs. Option C is wrong because the SAP HANA studio log is for database issues.

Option D is wrong because CloudWatch logs would not contain local boot logs unless configured.

484
MCQ hard

A company is designing a high-availability architecture for SAP NetWeaver on AWS. The architecture includes two application server instances in different Availability Zones, a shared file system using Amazon EFS, and a database using SAP HANA with HANA System Replication (HSR). During a failover test, the application servers cannot connect to the database after the HANA secondary becomes the primary. What is the most likely cause?

A. HANA System Replication is not configured correctly for automatic failover.
B. The SAP application servers are configured with the hostname of the primary HANA instance, which did not update after failover.
C. The Amazon EFS file system is not available in the secondary Availability Zone.
D. The security group of the application servers does not allow outbound traffic to the secondary HANA instance.
Answer: B

Application servers need to have a virtual hostname or use a DNS name that updates to the new primary.

Why this answer

In SAP NetWeaver, application servers connect to the database using a fixed hostname or virtual IP address. After HANA System Replication (HSR) failover, the secondary becomes the primary but retains its own hostname unless a virtual hostname (e.g., using Amazon Route 53 or Elastic IP) is configured to automatically update. If the application servers are hardcoded with the original primary's hostname, they cannot resolve or reach the new primary, causing connection failure.

Exam trap

The trap here is that candidates often assume HSR automatic failover (Option A) is the root cause, but the real issue is the lack of a virtual hostname or DNS update mechanism, which is a common misconfiguration in SAP on AWS architectures.

How to eliminate wrong answers

Option A is wrong because HSR automatic failover is not required for the application servers to reconnect; even with manual failover, the connection would fail if the hostname is not updated. Option C is wrong because Amazon EFS is a regional, multi-AZ service that is available in all Availability Zones simultaneously, so its availability does not affect database connectivity. Option D is wrong because outbound traffic from application servers to the secondary HANA instance is typically allowed by default in security groups; the issue is name resolution, not network access.

485
MCQ hard

An SAP system on AWS is experiencing high latency between the application server and the database server. Both servers are in the same VPC but in different Availability Zones. Which action should the administrator take to reduce latency?

A. Create a placement group and launch both instances in it
B. Move the application and database servers to the same Availability Zone
C. Upgrade the instance types to compute-optimized instances
D. Use AWS Direct Connect to connect the servers
Answer: B

Reduces network latency.

Why this answer

Option A is correct because placing both instances in the same AZ reduces network hops. Option B is wrong because increasing instance size does not directly reduce latency. Option C is wrong because using a VPN adds complexity and may not reduce latency.

Option D is wrong because, while using a placement group may help, placing both servers in the same AZ is more direct.

486
MCQ hard

An SAP administrator uses an IAM role attached to an EC2 instance to perform backups. The backup script fails when trying to write to an S3 bucket and create EBS snapshots. What is the most likely cause?

A. The S3 bucket policy denies all writes from this role.
B. The trust policy does not include the EC2 service principal.
C. The role does not have permission to create snapshots due to an explicit deny.
D. The policy lacks 's3:ListBucket' and 'ec2:CreateSnapshot' requires volume ARN.
Answer: D

Missing permissions for S3 listing and snapshot resource restriction.

Why this answer

Option C is correct. The policy allows 's3:PutObject' but does not include the necessary action 's3:PutObjectAcl' or 's3:GetObject' for the backup process. Also, while 'ec2:CreateSnapshot' is allowed, it requires specific resource ARN for the volume, not '*' for all resources.

However, the most common issue is that the backup script needs to list the bucket or object, which is not allowed. Option A is wrong because there is no explicit deny for 'ec2:CreateSnapshot'. Option B is wrong because the trust policy is not shown.

Option D is wrong because there is no 's3:ListBucket' action.

487
MCQ hard

A company runs a critical application on an EC2 instance that uses a large EBS volume for database storage. The volume is not encrypted at rest. To meet compliance requirements, the company must enable encryption on the volume with minimal downtime. Which solution meets these requirements?

A. Take a snapshot of the volume with encryption enabled, create a new encrypted volume from the snapshot, detach the original volume, and attach the new volume
B. Use the AWS Management Console to modify the volume and enable encryption in place
C. Take a snapshot of the volume, copy the snapshot with encryption enabled, then restore to a new volume and attach it to the instance
D. Detach the volume, enable encryption using the ModifyVolume API, then reattach
Answer: A

Creating an encrypted snapshot and restoring it to a new encrypted volume is the standard procedure with minimal downtime.

Why this answer

Option A is correct because taking a snapshot of the unencrypted volume with encryption enabled creates an encrypted snapshot. From that snapshot, you can create a new encrypted EBS volume. Detaching the original volume and attaching the new encrypted volume to the same EC2 instance achieves encryption with minimal downtime—only the brief period required for the detach/attach operations.

This approach does not require copying the snapshot, which would add unnecessary time.

Exam trap

The trap here is that candidates may think the ModifyVolume API or console modification can enable encryption on an existing volume, but AWS does not support in-place encryption changes—only snapshot-based workflows are valid.

How to eliminate wrong answers

Option B is wrong because the AWS Management Console does not support enabling encryption in place on an existing EBS volume; encryption can only be applied during volume creation or via snapshot operations. Option C is wrong because while it works, it introduces unnecessary additional time by copying the snapshot before restoring, which increases downtime compared to directly creating the volume from the original encrypted snapshot. Option D is wrong because the ModifyVolume API does not support enabling encryption on an existing volume; it can only modify size, volume type, or IOPS, not encryption attributes.

488
MCQ medium

A company wants to centralize monitoring of EC2 instance metrics across multiple AWS accounts. Which solution is MOST scalable and cost-effective?

A. Log in to each account and view CloudWatch metrics individually.
B. Use CloudWatch cross-region metrics to aggregate metrics in a single account.
C. Configure each account to publish metrics to an S3 bucket and use Athena to query.
D. Set up CloudWatch cross-account observability with a monitoring account.
Answer: D

Provides centralized, real-time monitoring with minimal overhead.

Why this answer

CloudWatch cross-account observability allows you to centralize monitoring by designating a monitoring account that can view metrics, logs, and traces from multiple source accounts. This approach is scalable because it uses a single monitoring account without requiring manual logins or complex data pipelines, and it is cost-effective because you only pay for the metrics you ingest and store in the monitoring account, avoiding redundant data transfers or storage costs.

Exam trap

The trap here is that candidates may confuse cross-region metrics (which aggregate across regions but not accounts) with cross-account observability, or they may overcomplicate the solution by choosing S3 and Athena, which is less efficient and more costly than the native cross-account feature.

How to eliminate wrong answers

Option A is wrong because manually logging into each account to view metrics individually is not scalable and introduces operational overhead, especially as the number of accounts grows. Option B is wrong because CloudWatch cross-region metrics aggregate metrics across regions, not across accounts; they do not solve the multi-account centralization requirement. Option C is wrong because publishing metrics to an S3 bucket and querying with Athena incurs additional costs for S3 storage, Athena query execution, and data transfer, and it adds latency and complexity compared to native CloudWatch cross-account observability.

489
MCQ hard

An SAP system is experiencing high CPU utilization on the application server. CloudWatch metrics show that the CPU credit balance for the T3 instance is frequently depleted. What is the most cost-effective solution to resolve this issue while maintaining performance?

A. Add more vCPUs by changing to a C5 instance.
B. Enable T3 unlimited on the instance.
C. Change the instance type to M5.large.
D. Increase the size of the EBS volumes.
Answer: B

T3 unlimited allows the instance to burst beyond the baseline, paying extra only when credits are exhausted, which is cost-effective for intermittent spikes.

Why this answer

T3 instances are burstable and may run out of CPU credits under sustained load. Changing to a T3 unlimited instance avoids performance throttling but incurs additional charges if credits are exhausted. M5 instances are non-burstable and provide consistent performance.

The most cost-effective solution is to switch to a T3 unlimited configuration if the workload is intermittent; however, for sustained high CPU, an M5 instance is more appropriate. The best answer here is to use T3 unlimited because it is cost-effective for variable workloads.

490
MCQ easy

A company is deploying a new SAP BusinessObjects system on AWS. The system will consist of multiple servers: a CMS database server, an audit database server, and several processing servers. The administrator needs to ensure that all servers can communicate with each other and with corporate on-premises systems via a VPN connection. The AWS environment is in a single VPC with public and private subnets. Which network architecture should be used to meet these requirements?

A. Place servers in private subnets and use a NAT Gateway for outbound internet and a VPN gateway for on-premises connectivity.
B. Place all servers in public subnets with Elastic IPs and use security groups to restrict access.
C. Use a single public subnet for all servers and rely on network ACLs for isolation.
D. Place servers in private subnets and use a bastion host for all inter-server communication.
Answer: A

Private subnets with NAT and VPN provide secure connectivity.

Why this answer

Placing the SAP BusinessObjects servers in private subnets ensures they are not directly exposed to the internet, which is a security best practice. A NAT Gateway provides outbound internet access for tasks like software updates, while a VPN Gateway (or Virtual Private Gateway) establishes encrypted connectivity to the corporate on-premises systems, meeting the requirement for inter-server and hybrid communication.

Exam trap

The trap here is that candidates often confuse the purpose of a NAT Gateway (outbound internet only) with a bastion host (administrative access) or mistakenly think public subnets are acceptable for SAP servers, ignoring the security and compliance requirements for private, isolated workloads.

How to eliminate wrong answers

Option B is wrong because placing all servers in public subnets with Elastic IPs exposes them directly to the internet, violating security best practices and increasing the attack surface unnecessarily. Option C is wrong because using a single public subnet for all servers and relying solely on network ACLs for isolation does not provide the private, secure environment required for SAP workloads and does not address the need for VPN-based on-premises connectivity. Option D is wrong because a bastion host is used for administrative access to private instances, not for inter-server communication; inter-server traffic should flow directly within the VPC using private IPs, not be routed through a bastion host.

491
Multi-Select medium

Which TWO AWS services can be used to monitor the performance of SAP HANA databases running on EC2 instances? (Choose two.)

Select 1 answer
A. Amazon CloudWatch
B. Amazon Inspector
C. Amazon RDS Performance Insights
D. AWS X-Ray
E. AWS Config
Answers: A

CloudWatch can monitor SAP HANA metrics via custom metrics.

Why this answer

Amazon CloudWatch is correct because it can collect and monitor custom metrics from SAP HANA databases running on EC2 instances, such as CPU utilization, memory usage, and disk I/O, via the CloudWatch agent or direct API calls. Additionally, SAP HANA-specific metrics like row store memory and column store memory can be exposed through CloudWatch by integrating with SAP HANA's monitoring views or using AWS-provided solutions like the SAP HANA CloudWatch monitoring script.

Exam trap

The trap here is that candidates often confuse Amazon RDS Performance Insights (which is specific to RDS-managed databases) with a general-purpose database monitoring tool, forgetting that SAP HANA on EC2 is self-managed and requires custom metric collection via CloudWatch.

492
MCQ medium

A company is migrating its SAP landscape to AWS and wants to use SAP HSR (System Replication) for high availability. Which AWS feature is required to support SAP HSR?

A. Elastic IP addresses for each instance
B. Internet Gateway attached to the VPC
C. Both instances in the same VPC with private IP connectivity
D. NAT Gateway for outbound traffic
Answer: C

Low-latency private IP connectivity is required for SAP HSR.

Why this answer

SAP HSR requires low-latency connectivity between the primary and secondary instances. Placing them in the same VPC with private IPs meets this requirement. Option A is correct.

Option B (Elastic IP) is not necessary. Option C (Internet Gateway) exposes instances to the internet. Option D (NAT Gateway) is for outbound internet.

493
MCQ medium

A company is running an SAP HANA database on an AWS EC2 instance. The system administrator needs to ensure that the database logs are automatically backed up to Amazon S3 and retained for 30 days. Which combination of AWS services can achieve this with minimal operational overhead?

A. Use Amazon CloudWatch Logs with a retention policy of 30 days.
B. Use an S3 Lifecycle Policy to transition logs to S3 Glacier after 30 days.
C. Use an S3 Lifecycle Policy to transition logs to S3 Standard-IA after 30 days.
D. Use AWS Backup to schedule backups of the EC2 instance.
Answer: B

Glacier is cost-effective for long-term retention and the policy can delete after 30 days.

Why this answer

Option B is correct because it uses a Lifecycle Policy to transition logs to S3 Glacier after 30 days, meeting the retention requirement with minimal overhead. Option A involves manual scripting and lifecycle rules that don't automatically delete logs after 30 days. Option C uses CloudWatch Logs but doesn't automatically delete logs after 30 days.

Option D uses AWS Backup, which is for EC2 backups, not log files.

494
MCQ medium

A company runs SAP on AWS and uses an Application Load Balancer (ALB) to distribute traffic to a fleet of EC2 instances running SAP Web Dispatcher. The ALB has a target group with health checks configured on port 8080. Recently, the operations team noticed that some instances are being deregistered due to health check failures. The instances are healthy and the Web Dispatcher is running. The health check response time is consistently below 2 seconds. What is the most likely cause?

A. The health check interval is too short, causing the threshold to be exceeded.
B. The security group for the instances blocks inbound traffic from the internet.
C. The instances are running out of memory.
D. The health check path is incorrect.
Answer: A

Short interval with low threshold can cause intermittent failures.

Why this answer

Option B is correct because the health check threshold may be set too low, causing false positives. Option A is wrong because if the path were wrong, all health checks would fail. Option C is wrong because the ALB health checks come from its own IPs, not the internet.

Option D is wrong if the instances are healthy.

495
MCQ medium

A company is migrating an SAP ERP system to AWS. The SAP system uses a central instance (CI) and dialog instances. The migration must minimize downtime. Which AWS service should be used to replicate the application servers in near real-time?

A. Amazon S3 Replication
B. AWS DataSync
C. AWS Elastic Disaster Recovery (AWS DRS)
D. AWS Backup
Answer: C

AWS DRS provides continuous block-level replication for low RPO.

Why this answer

Option C is correct. AWS Elastic Disaster Recovery (DRS) provides continuous replication of block-level data, enabling near real-time replication of application servers. Option A (AWS Backup) is for scheduled backups, not real-time replication.

Option B (AWS DataSync) is for one-time data transfers. Option D (Amazon S3 replication) is for S3 objects.

496
MCQ medium

A company is running an SAP HANA database on an EC2 instance with EBS volumes. The operations team notices that the /hana/data filesystem is growing faster than expected and the available space is critically low. Which action should be taken to monitor the disk space usage proactively?

A. Configure AWS Budgets to alert on storage costs.
B. Use AWS Config rules to monitor disk space.
C. Publish custom CloudWatch metrics for disk space and set an alarm.
D. Create an AWS Trusted Advisor check for disk utilization.
Answer: C

Custom CloudWatch metrics can monitor disk space and trigger alarms.

Why this answer

Option C is correct because CloudWatch custom metrics can be used to monitor disk space utilization on EC2 instances, and an alarm can be set to notify when usage exceeds a threshold. Option A is wrong because AWS Trusted Advisor does not monitor disk space on EC2 instances directly. Option B is wrong because AWS Config evaluates resource configurations, not disk space.

Option D is wrong because AWS Budgets tracks cost usage, not disk space.

497
MCQ easy

A company is planning to run SAP HANA on AWS and needs to ensure that the instance is optimally placed for low latency between the application and database tiers. Which AWS feature should be used?

A. Application Load Balancer
B. VPC endpoint
C. Cluster placement group
D. Auto Scaling group
Answer: C

Cluster placement groups provide low-latency network performance within an AZ.

Why this answer

Option C is correct because a cluster placement group is designed for low-latency, high-throughput communication between instances. Option A is wrong because an Auto Scaling group is for scaling, not placement. Option B is wrong because an ALB is for load balancing.

Option D is wrong because a VPC endpoint does not affect instance placement.

498
Multi-Select hard

A company runs SAP ERP on AWS. The system includes a primary application server and a secondary application server for high availability. The secondary server is not receiving updates from the primary. Which THREE steps should the administrator take to investigate?

Select 3 answers
A. Restart the secondary application server to force a resync.
B. Verify network connectivity between the primary and secondary servers using ping or telnet on SAP ports.
C. Review the SAP message server trace logs for errors.
D. Check the status of SAP enqueue replication using transaction SM51.
E. Check the SAP Gateway service status on the primary server.
Answers: B, C, D

Network issues are a common cause of replication failure.

Why this answer

Options B, C, and D are correct. Checking the SAP enqueue replication status (B) verifies that locks are being replicated. Reviewing the SAP message server logs (C) can show communication errors.

Verifying network connectivity between servers (D) is fundamental. Option A is wrong because the SAP Gateway is not directly related to replication. Option E is wrong because the secondary server should not be restarted without investigation.

499
MCQ hard

An SAP administrator created the above IAM policy for an EC2 instance that performs automated SAP HANA backups. The backup script runs successfully but fails to upload the backup files to the S3 bucket. What is the most likely cause?

A. The S3 bucket policy denies the upload
B. The IAM policy does not include permissions for multipart upload operations
C. The IAM policy does not allow s3:PutObject
D. The EC2 instance does not have permission to create snapshots
Answer: B

Multipart uploads require additional actions like s3:AbortMultipartUpload.

Why this answer

The policy allows s3:PutObject and s3:GetObject on objects in the bucket, but does not include s3:ListBucket or s3:PutObjectAcl. However, the failure is most likely because the script uses multipart upload and the policy does not include s3:AbortMultipartUpload or s3:ListMultipartUploadParts. Option A is wrong because the policy allows PutObject.

Option C is wrong because the bucket policy is not shown. Option D is wrong because ec2:CreateSnapshot is allowed.

500
MCQ easy

A company is migrating an SAP system to AWS. They need to ensure that the migration complies with regulatory requirements for data residency. Which of the following is the most important consideration?

A. Use AWS Artifact to get compliance reports.
B. Select an AWS Region that meets data residency requirements.
C. Encrypt the data at rest using AWS KMS.
D. Store backups in an S3 bucket in a different Region.
Answer: B

Region selection is the primary control for data residency.

Why this answer

Selecting an AWS Region that meets data residency requirements is crucial. AWS Artifact provides compliance reports but does not enforce data residency. Encryption and backup locations are secondary to region selection.

501
Multi-Select hard

An SAP system on AWS uses an Oracle database on EC2. The database is experiencing I/O bottlenecks. Which THREE design changes can improve I/O performance?

Select 3 answers
A. Provision Amazon EBS volumes with Provisioned IOPS (io2) for the database.
B. Use an EBS-optimized instance for dedicated bandwidth to EBS.
C. Configure EBS Multi-Attach to allow multiple instances to share the same volume for parallel I/O.
D. Use instance store volumes for the database files to reduce latency.
E. Offload database backups to Amazon S3 using the Oracle Secure Backup module.
Answers: A, B, C

Provisioned IOPS volumes deliver consistent, low-latency performance for I/O-intensive workloads.

Why this answer

Option A is correct because Amazon EBS io2 volumes provide consistent, low-latency I/O performance with a guaranteed IOPS rate, which directly addresses I/O bottlenecks for Oracle databases on EC2. By provisioning dedicated IOPS, you eliminate the variability of burstable gp2/gp3 volumes, ensuring predictable throughput for SAP workloads.

Exam trap

The trap here is that candidates confuse EBS-optimized instances (which ensure network bandwidth) with actual I/O performance improvements, or they mistakenly think Multi-Attach can parallelize I/O for a single database, when it is designed for multi-instance shared access only.

502
MCQ medium

A company is running SAP on AWS and needs to ensure high availability for their SAP HANA database. They have set up a multi-AZ deployment with replication. During a planned failover test, the secondary node fails to take over. Which AWS service should be used to monitor and automatically remediate the replication status?

A. AWS Lambda
B. AWS Systems Manager Automation
C. Amazon CloudWatch
D. AWS Elastic Beanstalk
Answer: B

Systems Manager Automation provides runbooks that can monitor and auto-remediate HANA replication issues.

Why this answer

Option B (AWS Systems Manager Automation) is correct because it can run automated runbooks to check and remediate replication issues. Option A (AWS Lambda) can be used but requires custom scripting and is not as integrated for remediation. Option C (Amazon CloudWatch) only monitors and does not automatically remediate.

Option D (AWS Elastic Beanstalk) is not relevant for HANA replication.

503
MCQ hard

An SAP administrator is troubleshooting a failed backup of an SAP HANA database running on an EC2 instance. The backup is configured to use AWS Backup with a backup vault. The error log shows: 'AccessDenied: User: arn:aws:sts::123456789012:assumed-role/AWSBackupRole/backup-job is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:us-east-1:123456789012:key/abcd1234-...' Which IAM policy modification is required to resolve this issue?

A.Add cloudhsm:Decrypt permission to the backup role.
B.Add kms:Decrypt permission to the backup role on the KMS key.
C.Add kms:CreateGrant permission to the backup role.
D.Add kms:Encrypt permission to the backup role.
AnswerB

The error shows that the backup role is not authorized to perform kms:Decrypt on the KMS key; adding this permission will resolve the issue.

Why this answer

Option B is correct because the backup role needs kms:Decrypt permission on the KMS key used to encrypt the backup vault. Option D is wrong because kms:Encrypt is required for writing, but the error shows a failure at decrypt. Option C is wrong because kms:CreateGrant is not needed for this operation.

Option A is wrong because cloudhsm:Decrypt is not relevant.

504
MCQhard

An SAP landscape on AWS includes several instances in a VPC. The administrator needs to ensure that SAProuter can connect to the SAP system from the internet securely. Which networking component should be used?

A.AWS Direct Connect with a public VIF
B.Internet Gateway with a public IP on the SAProuter instance
C.AWS CloudFront with a security group
D.AWS VPN connection to the customer's network
AnswerD

VPN provides encrypted tunnel for secure SAProuter communication.

Why this answer

Option D is correct because an AWS VPN connection establishes an encrypted tunnel over the internet between the customer's on-premises network and the VPC, allowing SAProuter to connect securely to the SAP system without exposing any instance to the public internet. This aligns with the requirement for secure, authenticated connectivity from the internet while maintaining network isolation.

Exam trap

The trap here is that candidates often confuse 'secure connectivity from the internet' with simply providing internet access via an Internet Gateway, overlooking the need for encrypted tunneling and network isolation that a VPN provides.

How to eliminate wrong answers

Option A is wrong because AWS Direct Connect with a public VIF provides a dedicated network connection to AWS public services, but it does not inherently secure SAProuter traffic from the internet; it bypasses the internet but still requires additional security measures and does not address the 'from the internet' requirement directly. Option B is wrong because attaching an Internet Gateway with a public IP on the SAProuter instance exposes the instance directly to the internet, violating security best practices for SAP systems and increasing the attack surface. Option C is wrong because AWS CloudFront is a content delivery network (CDN) for distributing static and dynamic web content, not a networking component for routing SAProuter traffic; it cannot establish a secure tunnel for SAProuter's proprietary protocol.

505
MCQeasy

A company is migrating its SAP ERP system (with Oracle database) to AWS using the SAP-certified approach. The current on-premises environment uses Oracle RAC for high availability. The company wants to reduce licensing costs and simplify the architecture on AWS. Which of the following is the MOST efficient migration strategy?

A.Use AWS DMS to migrate the database to Amazon RDS for Oracle, but then configure RDS for Oracle RAC.
B.Use AWS DataSync to copy the Oracle database files to EBS volumes, then restore on an EC2 instance.
C.Use AWS DMS to migrate the Oracle database to Amazon RDS for Oracle with a single instance. Use AWS MGN for the application servers.
D.Lift-and-shift the Oracle RAC cluster to EC2 using AWS Application Migration Service.
AnswerC

This reduces licensing costs and simplifies the architecture. DMS supports Oracle as source and target RDS Oracle.

Why this answer

Oracle RAC is not fully supported on AWS for SAP. The best practice is to migrate to Amazon RDS for Oracle or use Oracle single instance on EC2. Using AWS DMS with ongoing replication can minimize downtime.

Option C is correct because it uses DMS and moves to RDS, which reduces licensing overhead. Option D uses RAC, which is not recommended on AWS. Option A uses DMS but then keeps RAC, which is costly and unsupported.

Option B uses DataSync, which is not for database replication.

506
MCQeasy

An SAP system on AWS needs to be highly available across two Availability Zones. The application tier runs on EC2 instances behind an Application Load Balancer. The database tier uses an RDS Multi-AZ deployment. What additional step is REQUIRED to ensure complete high availability for the application tier?

A.Use a larger EC2 instance type.
B.Launch EC2 instances in at least two different Availability Zones.
C.Enable EBS Multi-Attach for the root volumes.
D.Configure an Auto Scaling group with a dynamic scaling policy.
AnswerB

Ensures application survives AZ failure.

Why this answer

Option B is correct because EC2 instances must be deployed in multiple AZs to survive an AZ outage. Option D is wrong because Auto Scaling handles scaling, not HA. Option A is wrong because instance size does not affect HA.

Option C is wrong because EBS Multi-Attach is not used for HA of application servers.

507
MCQmedium

An SAP HANA system is deployed on AWS with a cluster of EC2 instances. The system requires high network throughput between the nodes for HANA scale-out. Which EC2 networking feature should be used?

A.Use multiple Elastic Network Interfaces (ENIs) per instance.
B.Enable Elastic Network Adapter (ENA) support on the instances.
C.Use the Intel 82599 VF (ixgbevf) driver for enhanced networking.
D.Place all nodes in a cluster placement group.
AnswerB

ENA provides high throughput and low latency, essential for HANA scale-out.

Why this answer

For SAP HANA scale-out clusters requiring high network throughput between EC2 instances, the correct feature is Elastic Network Adapter (ENA) support. ENA is a custom network interface optimized for high-throughput and low-latency packet processing, providing up to 100 Gbps of network bandwidth on supported instance types. This directly meets the performance demands of HANA's inter-node communication.

Exam trap

The trap here is that candidates often confuse 'enhanced networking' with the older ixgbevf driver or think that multiple ENIs or placement groups alone can solve throughput bottlenecks, but only ENA provides the high-bandwidth, low-latency performance required for modern HANA scale-out workloads.

How to eliminate wrong answers

Option A is wrong because using multiple Elastic Network Interfaces (ENIs) per instance does not inherently increase network throughput; it only provides additional IP addresses and separate network paths, but the aggregate bandwidth is still limited by the instance's underlying hardware and ENA support. Option C is wrong because the Intel 82599 VF (ixgbevf) driver is an older enhanced networking driver for instances using the Intel 82599 Virtual Function, which supports only up to 10 Gbps and is not available on modern instance types; it lacks the performance and features of ENA. Option D is wrong because placing all nodes in a cluster placement group reduces network latency and provides up to 10 Gbps of single-flow bandwidth, but it does not increase the maximum network throughput beyond the instance's capabilities; ENA is required to achieve the higher throughput needed for HANA scale-out.

508
MCQmedium

A company is migrating an on-premises SAP HANA database to AWS. The database is 2 TB in size and has a 4-hour downtime window. Which AWS service should be used to transfer the initial data copy to AWS?

A.AWS Snowball Edge
B.Amazon S3 Transfer Acceleration
C.AWS DataSync
D.AWS Direct Connect
AnswerA

AWS Snowball Edge provides petabyte-scale data transport with built-in storage and compute, ideal for large initial data loads within a short downtime window.

Why this answer

Option A is correct because AWS Snowball Edge can transfer large volumes of data faster over the network. Option D (AWS Direct Connect) is good for ongoing replication but not for initial bulk transfer within limited downtime. Option C (AWS DataSync) is for smaller transfers.

Option B (S3 Transfer Acceleration) speeds up uploads but is still limited by network bandwidth.

509
MCQmedium

A company is migrating a monolithic application to AWS. The application has a relational database with complex queries and requires low-latency read replicas. Which database migration strategy minimizes downtime and supports heterogeneous migrations?

A.Use AWS Backup to take a full backup and restore to Amazon RDS.
B.Use AWS Schema Conversion Tool (SCT) to convert the schema and perform a homogeneous migration.
C.Use Amazon Redshift Spectrum to query the data in place.
D.Use AWS Database Migration Service (DMS) with ongoing replication.
AnswerD

DMS supports heterogeneous migrations and minimizes downtime.

Why this answer

Option D is correct because AWS Database Migration Service (DMS) supports heterogeneous migrations (e.g., Oracle to Aurora) and can minimize downtime using ongoing replication. Option B is wrong because it is for homogeneous migrations. Option A is wrong because it is a backup/restore tool, not a live migration service.

Option C is wrong because it is for data warehouse workloads, not transactional databases.

510
Multi-Selectmedium

A company runs SAP HANA on AWS and needs to implement a disaster recovery (DR) strategy. The DR site must have a Recovery Time Objective (RTO) of 30 minutes and a Recovery Point Objective (RPO) of 15 minutes. Which two AWS services should be used together to achieve these objectives? (Choose TWO.)

Select 2 answers
A.AWS Database Migration Service
B.SAP HANA System Replication
C.AWS CloudEndure Disaster Recovery
D.Amazon S3
E.Amazon EBS snapshots
AnswersB, E

Provides near-synchronous replication for low RPO.

Why this answer

Option B (HANA System Replication) is correct because it provides near-synchronous replication with low RPO. Option E (Amazon EBS snapshots) is correct if combined with replication, but for RPO of 15 minutes, HANA replication is more suitable. However, the question expects two services: HANA System Replication (for real-time replication) and Amazon EBS snapshots (for additional recovery points).

Option D is wrong because S3 is not used for HANA replication. Option A is wrong because DMS is for database migration, not DR. Option C is wrong because CloudEndure is for server-level replication, but not specifically for HANA.

511
MCQmedium

Refer to the exhibit. An IAM policy is attached to a role used by AWS DMS to write data to an S3 bucket. The migration fails with an access denied error. What is the most likely cause?

A.The policy does not allow s3:PutObject.
B.The policy does not include s3:AbortMultipartUpload.
C.The bucket has default encryption enabled.
D.The bucket name is incorrect.
AnswerB

DMS uses multipart uploads and requires the abort action.

Why this answer

Option B is correct because DMS needs s3:PutObject and s3:AbortMultipartUpload actions. Option D is incorrect because the bucket exists. Option C is incorrect because encryption settings are not shown.

Option A is incorrect because the policy allows PutObject.

512
MCQeasy

A company is deploying an SAP BusinessObjects (BOBJ) platform on AWS. The platform consists of multiple web application servers, a CMS database, and an audit database. The company wants to ensure high availability for the CMS database using native SAP tools. Which AWS service should be used to host the CMS database to facilitate the use of SAP's native replication?

A.Amazon RDS
B.Amazon DynamoDB
C.Amazon ElastiCache
D.Amazon S3
AnswerA

RDS supports the databases used by BOBJ CMS and provides Multi-AZ for high availability.

Why this answer

Option A is correct because SAP BusinessObjects CMS uses a relational database (e.g., SQL Server, Oracle, or SAP ASE) that can be hosted on Amazon RDS, which supports native replication features like Multi-AZ. Option B is wrong because DynamoDB is NoSQL and not supported by BOBJ. Option D is wrong because S3 is object storage.

Option C is wrong because ElastiCache is an in-memory cache.

513
MCQeasy

An SAP system is running on EC2 with a single Availability Zone. The company needs to increase availability for the SAP application layer. Which is the most cost-effective and reliable approach?

A.Deploy a second EC2 instance in the same AZ and configure a Route 53 weighted routing policy.
B.Use an Auto Scaling group with EC2 instances in two Availability Zones behind an Application Load Balancer.
C.Use a multi-AZ RDS database and keep the application on a single EC2 instance.
D.Use an EC2 instance in a different region and use Route 53 latency-based routing.
AnswerB

Auto Scaling with multiple AZs provides cost-effective high availability and load distribution.

Why this answer

Option B is correct because Auto Scaling across AZs provides high availability and cost efficiency. Option D is wrong because it is more expensive and complex. Option A is wrong because it provides failover but not load distribution.

Option C is wrong because it does not help with application availability.

514
MCQeasy

An SAP Basis administrator needs to monitor the memory usage of an SAP HANA database running on an EC2 instance. Which AWS service should be used to collect and visualize custom memory metrics from the OS?

A.AWS CloudTrail
B.Amazon CloudWatch with the CloudWatch Agent
C.AWS Systems Manager Inventory
D.AWS Config
AnswerB

CloudWatch Agent collects custom OS metrics like memory and sends them to CloudWatch.

Why this answer

Option B is correct because the CloudWatch Agent can collect custom metrics from the OS and send them to CloudWatch. Option D is wrong because AWS Config is for resource configuration tracking. Option C is wrong because Systems Manager Inventory collects software inventory, not real-time memory metrics.

Option A is wrong because CloudTrail logs API activity, not OS metrics.

515
Multi-Selecthard

A company is running an SAP S/4HANA system on AWS. The system uses an SAP HANA database with a current size of 1.5 TB. The company wants to implement a backup strategy that allows point-in-time recovery (PITR) with an RPO of 5 minutes and an RTO of 4 hours. The backup must be stored in Amazon S3. Which combination of steps should the company take? (Choose TWO.)

Select 2 answers
A.Schedule full backups every 12 hours and log backups every 2 hours.
B.Configure log backup to run every 5 minutes using Backint.
C.Install and configure the SAP HANA Backint agent to stream full and log backups to Amazon S3.
D.Use Amazon EBS snapshots of the HANA data volume as the primary backup mechanism.
E.Set up SAP HANA System Replication to a second instance in another Availability Zone.
AnswersB, C

5-minute log backups meet the RPO.

Why this answer

Options B and C are correct. The Backint agent is the recommended way to stream HANA backups to S3, and log backups every 5 minutes achieve an RPO of 5 minutes. Option D is wrong because EBS snapshots do not provide PITR for the database.

Option A is wrong because the 2-hour log backup interval exceeds the RPO. Option E is wrong because HSR is for replication, not backup.

516
MCQhard

A company is planning to run SAP S/4HANA on AWS and needs to ensure that the system can automatically recover from an Availability Zone failure. They want to use SAP HANA System Replication with automatic failover. Which AWS configuration is required?

A.AWS Auto Scaling groups with lifecycle hooks
B.Pacemaker cluster with STONITH across two Availability Zones
C.Amazon RDS Multi-AZ deployment
D.Amazon EFS as shared storage for HANA data
AnswerB

Pacemaker with STONITH provides automatic failover and fencing.

Why this answer

Pacemaker cluster with STONITH ensures automatic failover by fencing failed nodes. EBS Multi-Attach is not supported across AZs, so NFS or other shared storage is used.

517
MCQeasy

An SAP administrator is designing a new SAP NetWeaver system on AWS. They need to choose an EC2 instance type that is certified for SAP. Which source should they consult?

A.Amazon EC2 console
B.AWS Pricing Calculator
C.SAP Note 2235581 (SAP HANA Hardware Directory)
D.AWS documentation on EC2 instance types
AnswerC

SAP Note 2235581 provides the official SAP HANA hardware directory.

Why this answer

SAP Note 2235581 is the authoritative source for the SAP HANA Hardware Directory, which lists all EC2 instance types certified for SAP HANA and SAP NetWeaver. AWS relies on SAP's own certification process, so only SAP's official directory provides the definitive list of supported instance types.

Exam trap

The trap here is that candidates assume AWS documentation or the EC2 console would list SAP-certified instances, but SAP maintains its own hardware directory independently, and only SAP Note 2235581 is the definitive source.

How to eliminate wrong answers

Option A is wrong because the Amazon EC2 console does not display SAP certification status; it only shows general instance type information and features. Option B is wrong because the AWS Pricing Calculator is a cost estimation tool and does not include SAP certification data. Option D is wrong because AWS documentation on EC2 instance types describes general capabilities but does not maintain the official SAP certification list, which is exclusively managed by SAP.

518
MCQhard

An administrator needs to back up SAP HANA database to S3 with encryption. The backup must be encrypted at rest in S3. Which combination of actions should be taken?

A.Use AWS CloudHSM to generate keys and store them in S3
B.Enable S3 Versioning and use S3-managed keys
C.Configure S3 bucket with default encryption using SSE-S3 or SSE-KMS
D.Use AWS Backup to back up to S3 with default settings
AnswerC

Default encryption ensures all objects are encrypted at rest.

Why this answer

Option C is correct because configuring an S3 bucket with default encryption using SSE-S3 or SSE-KMS ensures that backups written to S3 are automatically encrypted at rest. SSE-S3 uses Amazon-managed keys with AES-256, while SSE-KMS allows you to use AWS KMS customer managed keys (CMKs) for additional control. This meets the requirement for encryption at rest in S3 without requiring additional infrastructure or manual key management.

Exam trap

The trap here is that candidates confuse S3 Versioning (which protects against accidental deletion) with encryption, or assume that AWS Backup automatically enforces encryption without explicitly configuring bucket default encryption.

How to eliminate wrong answers

Option A is wrong because AWS CloudHSM generates keys that are stored in the HSM itself, not in S3; storing keys in S3 would defeat the purpose of a hardware security module and is not a supported pattern for S3 encryption. Option B is wrong because enabling S3 Versioning provides object versioning, not encryption; S3-managed keys (SSE-S3) are a valid encryption method, but Versioning alone does not encrypt data. Option D is wrong because AWS Backup with default settings does not guarantee encryption at rest in S3; default settings may use SSE-S3, but the question requires a specific action to ensure encryption, and AWS Backup does not inherently configure S3 bucket encryption.

519
MCQhard

A company uses AWS Organizations with multiple accounts. The security team wants to enforce that all S3 buckets in the organization are encrypted with SSE-KMS using a specific KMS key. What is the MOST effective way to enforce this policy?

A.Use AWS Config rules to detect noncompliant buckets and send notifications.
B.Create an IAM policy in each account that denies s3:PutBucketEncryption unless the correct KMS key is specified.
C.Attach a service control policy (SCP) to the root organizational unit that denies s3:PutBucketEncryption unless the encryption settings include the specific KMS key.
D.Use AWS CloudFormation StackSets to deploy a template that creates all buckets with the required encryption.
AnswerC

SCPs apply to all accounts in the OU and can prevent noncompliant bucket creation, including by the root user.

Why this answer

Service control policies (SCPs) are the most effective way to enforce encryption requirements across all accounts in an AWS Organization because they act as a centralized guardrail that cannot be overridden by account administrators. By attaching an SCP to the root organizational unit that denies s3:PutBucketEncryption unless the request includes the specific KMS key ARN, the security team ensures that no bucket can be created or modified without the mandated encryption, regardless of IAM permissions within individual accounts.

Exam trap

The trap here is that candidates often choose detective controls like AWS Config (Option A) or account-level IAM policies (Option B) because they are familiar with them, failing to recognize that only SCPs provide preventive, organization-wide enforcement that cannot be bypassed by account administrators.

How to eliminate wrong answers

Option A is wrong because AWS Config rules are detective, not preventive; they can only detect noncompliant buckets after they are created and send notifications, but they do not prevent the violation from occurring. Option B is wrong because IAM policies are account-specific and can be overridden by account administrators with full administrative privileges, making them unreliable for organization-wide enforcement. Option D is wrong because CloudFormation StackSets can deploy templates that create buckets with encryption, but they do not prevent users from creating buckets outside of CloudFormation or modifying existing buckets to remove encryption.

520
MCQeasy

An SAP administrator needs to back up SAP HANA database to Amazon S3. Which AWS service or feature should be used to automate this backup?

A.Amazon EBS snapshots
B.SAP HANA Backup and Recovery with Backint
C.AWS Backup
D.S3 Lifecycle policies
AnswerB

Backint enables HANA to back up directly to S3.

Why this answer

Option B is correct because the SAP HANA Backup and Recovery feature can back up directly to S3 via the Backint agent. Option D is incorrect because S3 Lifecycle policies manage object retention, not backup initiation. Option C is incorrect because AWS Backup supports some databases but not SAP HANA directly.

Option A is incorrect because EBS snapshots capture the entire volume, not just the HANA database, and are not SAP HANA-aware.

521
MCQhard

An SAP system on AWS uses a custom AMI for its application servers. The operations team needs to update the AMI to include a new security patch. What is the MOST efficient way to update all existing instances without downtime?

A.Create a new AMI version, update the Auto Scaling group's launch template, and perform a rolling update.
B.Stop all instances, apply the patch, create a new AMI, and start instances.
C.Use AWS Systems Manager Patch Manager to apply the patch to all running instances.
D.Create a new AMI, launch new instances manually, and terminate old ones.
AnswerA

This approach updates the AMI and replaces instances with minimal downtime.

Why this answer

Option A is correct because using a launch template with a new AMI version and a rolling update via the Auto Scaling group minimizes downtime. Option C is wrong because patching each instance individually is manual and error-prone. Option B is wrong because stopping instances causes downtime.

Option D is wrong because creating new instances manually is inefficient.

522
Multi-Selecthard

Which TWO considerations are critical when planning a migration of an SAP system to AWS? (Choose 2.)

Select 2 answers
A.Storage performance and IOPS requirements
B.AWS Region availability for SAP services
C.Database compatibility with target
D.Network connectivity and latency between components
E.Number of security groups allowed
AnswersA, D

Sufficient IOPS is critical for database performance.

Why this answer

Network connectivity and storage performance are critical. Option C (database compatibility) is important but more specific. Option D (network latency) is critical for performance.

Option A (storage IOPS) is critical for database performance. Option E (number of security groups) is not critical. Option B (AWS Region) is important but not as critical as performance factors.

523
MCQmedium

An SAP HANA database is experiencing high memory utilization. The operations team needs to determine if the database is using more memory than allocated. Which CloudWatch metric should they monitor?

A.MemoryUtilization
B.SwapUsage
C.CPUUtilization
D.HANA_Memory_Usage
AnswerA

This metric (published by the SAP HANA agent) shows memory utilization percentage.

Why this answer

Option A is correct because `MemoryUtilization` is a custom metric typically published by the SAP HANA agent. Option D is not a standard metric name. Option B (`SwapUsage`) shows swap, not memory.

Option C (`CPUUtilization`) is for CPU.

524
MCQmedium

An SAP Basis administrator is troubleshooting a performance issue on an SAP application server running on an Amazon EC2 instance. The administrator notices high CPU utilization. Which AWS tool can provide detailed insights into the CPU usage at the process level without installing additional agents?

A.AWS Systems Manager Inventory
B.Amazon CloudWatch CPU Utilization metric
C.Amazon EC2 Instance Connect
D.AWS Systems Manager Run Command
AnswerD

Run Command can execute scripts like 'top' to get process-level CPU usage without additional agents.

Why this answer

AWS Systems Manager Inventory collects metadata about instances but not process-level CPU. EC2 Instance Connect is for shell access. CloudWatch metrics provide aggregate CPU, not per-process.

Systems Manager Run Command can execute scripts to gather process data, but the question asks for a tool that provides the information directly without agents; however, Systems Manager with default agent can run commands to get process-level data, which is more direct than the others. CloudWatch does not provide process-level CPU without custom metrics.

525
MCQmedium

A company is running SAP ERP on AWS with an Oracle database. The application servers are deployed in an Auto Scaling group across three Availability Zones. The database is hosted on a single EC2 instance in us-east-1a. The company wants to improve availability with minimal changes to the application. The database must be highly available with automatic failover and no data loss. The database size is 1 TB. The current RTO is 2 hours and RPO is 1 hour. The company is considering using Oracle Data Guard for replication. Which solution should the company implement to meet the HA requirements?

A.Use AWS Database Migration Service (DMS) to replicate the Oracle database to a second EC2 instance in another AZ, and use an Amazon Route 53 health check to redirect traffic.
B.Migrate the Oracle database to Amazon RDS for Oracle with Multi-AZ deployment and automatic failover.
C.Configure Oracle Data Guard with synchronous replication and Fast-Start Failover (FSFO) to automatically fail over to a standby instance in another AZ.
D.Configure Oracle Data Guard with asynchronous replication to a standby instance in us-east-1b, and use a custom script to detect failure and promote the standby.
AnswerC

Synchronous replication ensures zero data loss; FSFO provides automatic failover.

Why this answer

Option C is correct because Oracle Data Guard with synchronous replication ensures zero data loss by committing transactions only after they are written to both primary and standby redo logs. Fast-Start Failover (FSFO) automates the failover process without manual intervention, meeting the RTO of 2 hours and RPO of 1 hour while requiring minimal application changes since the database remains Oracle-native.

Exam trap

The trap here is that candidates often assume AWS-managed services like RDS Multi-AZ are always the best choice for high availability, but the question explicitly requires minimal application changes and zero data loss, making Oracle-native Data Guard with synchronous replication the correct fit despite the operational overhead.

How to eliminate wrong answers

Option A is wrong because AWS DMS is a migration tool, not a high-availability replication solution; it does not support automatic failover or synchronous replication, and using Route 53 health checks for traffic redirection introduces DNS propagation delays that violate the RTO. Option B is wrong because migrating to Amazon RDS for Oracle with Multi-AZ is not a minimal change—it requires application connection string changes and may not support all SAP ERP-specific Oracle features or customizations, and Multi-AZ uses asynchronous replication by default, risking data loss. Option D is wrong because asynchronous replication does not guarantee zero data loss (RPO=0), and relying on a custom script for failover detection and promotion introduces complexity and potential delays that could exceed the RTO.
