AWS Certified SAP on AWS Specialty PAS-C01 (PAS-C01) — Questions 526-600

1733 questions total · 24 pages · All types, answers revealed

526
MCQ · easy

An SAP administrator needs to apply a security patch to the operating system of an EC2 instance running SAP. The instance is part of an Auto Scaling group. What is the best practice to apply the patch while minimizing downtime?

A. Create a new AMI with the patch applied, update the launch configuration, and perform a rolling update using an Auto Scaling lifecycle hook.
B. Update the launch configuration with the patched AMI and manually terminate running instances.
C. Stop the Auto Scaling group, patch the instance, and restart the group.
D. SSH into each instance and apply the patch manually.
Answer: A

Rolling updates replace instances one at a time, minimizing downtime.

Why this answer

Option B is correct because using a lifecycle hook with a new AMI ensures patched instances replace old ones without downtime. Option A is wrong because updating the launch configuration does not affect running instances. Option C is wrong because patching in place may require downtime and manual steps.

Option D is wrong because stopping the instance causes downtime.

527
MCQ · medium

A company is migrating a large-scale SAP HANA workload to AWS. The system requires high memory and low latency. Which EC2 instance type is most suitable for this migration?

A. x1e.32xlarge
B. m5.24xlarge
C. c5.18xlarge
D. r5.24xlarge
Answer: A

x1e instances are memory-optimized and SAP HANA certified.

Why this answer

The x1e.32xlarge is purpose-built for high-memory, SAP HANA workloads, offering up to 3,904 GiB of memory and high-speed NVMe SSD storage with low-latency networking. It is certified by SAP for running production HANA environments, making it the most suitable choice for this migration.

Exam trap

The trap here is that candidates often choose the r5 family (memory-optimized) thinking it is sufficient for SAP HANA, but they overlook the specific memory capacity requirements and SAP certification needed for large-scale workloads, which only the x1e instance meets.

How to eliminate wrong answers

Option B (m5.24xlarge) is wrong because it is a general-purpose instance with only 384 GiB of memory, insufficient for large-scale SAP HANA workloads that require terabytes of RAM. Option C (c5.18xlarge) is wrong because it is compute-optimized, designed for CPU-intensive tasks, not memory-intensive databases like SAP HANA. Option D (r5.24xlarge) is wrong because while it is memory-optimized, it provides only 768 GiB of memory, which is far below the x1e's capacity and not SAP HANA-certified for large-scale production deployments.

528
MCQ · hard

A company is migrating an SAP BusinessObjects system to AWS. The system includes a Central Management Server (CMS) and several processing servers. The CMS uses a SQL Server database. The company wants to use a managed database service on AWS to reduce operational overhead. The database size is 100 GB and is expected to grow 10% annually. The company requires automatic failover to a secondary Availability Zone with minimal downtime. Which AWS database service should the company use for the CMS database?

A. Amazon RDS for SQL Server with Multi-AZ deployment
B. Amazon EC2 with SQL Server installed
C. Amazon Aurora SQL Server
D. Amazon DynamoDB
Answer: A

RDS for SQL Server with Multi-AZ provides automatic failover and reduces operational overhead.

Why this answer

Option C is correct because Amazon RDS for SQL Server with Multi-AZ provides automatic failover to a standby in another AZ. Option A is wrong because Amazon Aurora is not compatible with SQL Server. Option B is wrong because SQL Server on EC2 is not managed.

Option D is wrong because Amazon DynamoDB is NoSQL and not compatible with SQL Server.

529
Multi-Select · easy

A company is planning to run SAP NetWeaver on AWS and needs to ensure that the system is highly available. Which TWO AWS services should be combined to achieve HA for the SAP central services (ASCS/SCS) and the database? (Choose TWO.)

Select 2 answers
A. Elastic Load Balancing (ELB) to distribute traffic across multiple application server instances.
B. Amazon CloudFront to cache static content.
C. Amazon EC2 Auto Recovery to automatically recover the instance hosting ASCS/SCS if it becomes impaired.
D. Amazon S3 to store the SAP system configuration files.
E. Amazon Route 53 health checks with failover routing.
Answers: A, C

ELB provides load balancing and failover for application servers.

Why this answer

Options A and B are correct. Elastic Load Balancing distributes traffic to multiple application servers. EC2 Auto Recovery automatically recovers an instance from hardware failure.

Option C (S3) is for storage. Option D (CloudFront) is a CDN. Option E (Route 53) is for DNS, not HA for services.

530
MCQ · medium

A company is running SAP ERP on AWS and wants to ensure high availability for the SAP Central Services (ASCS) instance. Which AWS service should be used to achieve this?

A. EC2 Auto Scaling
B. Elastic Load Balancer (NLB)
C. Amazon Route 53
D. AWS Global Accelerator
Answer: B

Network Load Balancer can distribute traffic to multiple ASCS instances for HA.

Why this answer

The correct answer is C because AWS Elastic Load Balancer (specifically Network Load Balancer) can be used to distribute traffic between ASCS instances for high availability. Option A is incorrect because AWS Global Accelerator improves performance but not high availability for ASCS. Option B is incorrect because Route 53 is for DNS and can be used for health checks but not as the primary HA mechanism for ASCS.

Option D is incorrect because EC2 Auto Scaling is for scaling compute capacity, not for managing ASCS failover.

531
MCQ · hard

An SAP administrator runs the above CLI command and sees the output. The EC2 instance i-0a1b2c3d4e5f6g7h8 is stopped. What will happen if the administrator attempts to start the instance?

A. The instance will fail to start because the volume type is not supported.
B. The instance will start successfully and the volume will be attached.
C. The instance will start but the volume will not attach because multi-attach is disabled.
D. The instance will start but the volume will be read-only.
Answer: B

io2 volume with 10,000 IOPS is valid for the instance.

Why this answer

Option A is correct. The volume is of type io2 with 10,000 IOPS, which is supported. The instance start will attach the volume and boot normally.

Option B is wrong because volume type is supported. Option C is wrong because multi-attach is disabled but not required. Option D is wrong because size is acceptable.

532
MCQ · medium

An SAP system on AWS uses an Auto Scaling group for the application tier. The scaling policy is based on the average CPU utilization of the EC2 instances. During peak hours, the system scales out, but the new instances take a long time to become available because they need to install and configure SAP software. This delay causes performance degradation. The operations team wants to reduce the time to scale out. Which solution should they implement?

A. Increase the instance size to reduce boot time.
B. Create a custom AMI with SAP software pre-installed and use it in the launch configuration.
C. Switch to AWS Elastic Beanstalk for automatic scaling.
D. Use an instance store-backed AMI instead of EBS-backed.
Answer: B

Custom AMI reduces provisioning time.

Why this answer

Option A is correct because using a pre-configured AMI with SAP software pre-installed eliminates the need for installation at launch. Option B is wrong because instance store is ephemeral. Option C is wrong because Elastic Beanstalk is not the best for SAP.

Option D is wrong because increasing instance size does not reduce launch time.

533
MCQ · easy

An SAP administrator is troubleshooting connectivity between SAP application servers and the SAP HANA database. The database security group has an inbound rule as shown in the exhibit. The application servers are in security group sg-12345. However, the application servers cannot connect to the database. What is the most likely reason?

A. The source should be the IP address range of the application servers.
B. The rule uses the wrong protocol; it should be UDP.
C. The outbound rule on the application server security group is missing.
D. The port number is incorrect for SAP HANA.
Answer: D

SAP HANA uses port 3<instance_number>15, not 3300.

Why this answer

Option D is correct because the rule allows traffic from sg-12345 but only on port 3300. SAP HANA default port is 3<instance_number>15, not 3300. Option A is wrong because the rule is for TCP.

Option B is wrong because source is a security group, not IP. Option C is wrong because the rule is inbound, not outbound.

534
MCQ · easy

An SAP administrator needs to restore an SAP HANA database from a backup stored in Amazon S3. The backup was created using AWS Backup. What is the required IAM permission for the restore operation?

A. kms:Decrypt
B. s3:GetObject
C. s3:PutObject
D. ec2:DescribeInstances
Answer: B

Restore requires reading the backup file from S3.

Why this answer

Option B is correct because to restore from S3, the HANA database user or the backup tool needs s3:GetObject permission to read the backup files. Option A is wrong because s3:PutObject is for writing backups. Option C is wrong because ec2:DescribeInstances is not needed for restore from S3.

Option D is wrong because kms:Decrypt may be needed if encryption is used, but the question asks for required permission, and GetObject is essential.

535
MCQ · medium

An SAP Basis administrator needs to migrate an on-premises SAP ERP system running on Oracle to AWS. The system has a 2 TB database and requires minimal downtime (less than 1 hour). The current on-premises network bandwidth to AWS is 1 Gbps. Which migration strategy is MOST appropriate?

A. Export the database using SAP HANA System Replication (HSR) to an Amazon EC2 instance with HANA.
B. Perform a manual export/import using Oracle Data Pump and transfer the dump file via AWS Direct Connect.
C. Use AWS Application Migration Service (MGN) to replicate the entire server to AWS, then cut over.
D. Use AWS Database Migration Service (DMS) with ongoing replication from Oracle to Amazon RDS for Oracle, then perform a final cutover.
Answer: D

DMS supports ongoing replication, enabling minimal downtime cutover.

Why this answer

Option B is correct because AWS DMS can perform ongoing replication to keep the target in sync, then a short cutover achieves <1 hour downtime. Option A (AWS MGN) is for server-level replication, not optimized for database migration with minimal downtime. Option C (SAP HSR) is specific to SAP HANA.

Option D (SAP DMO) is a methodology but typically used for system copy or upgrade, not real-time replication.

536
MCQ · medium

An operations team is responsible for patching the operating system of SAP EC2 instances. They want to automate the patching process while minimizing downtime. Which approach should they use?

A. Deploy a configuration management tool like AWS OpsWorks to apply patches.
B. Use AWS Systems Manager Patch Manager with a maintenance window and a patch baseline.
C. Schedule a weekly maintenance window and manually apply patches via RDP/SSH.
D. Create an Auto Scaling group with a custom AMI that includes the latest patches.
Answer: B

Patch Manager automates patching and can be scheduled to minimize downtime.

Why this answer

Option B is correct because AWS Systems Manager Patch Manager automates patching with minimal downtime when used with a maintenance window. Option A is wrong because manual patching is not automated. Option C is wrong because OpsWorks is not designed for OS patching.

Option D is wrong because Auto Scaling groups are for scaling, not patching.

537
Multi-Select · medium

A company is running an SAP NetWeaver system on AWS. The system includes a primary application server (PAS) and a dialog instance. The administrator wants to monitor the SAP system health using Amazon CloudWatch. Which THREE metrics should be monitored to proactively detect performance issues? (Choose THREE.)

Select 3 answers
A. EBS Volume Queue Length
B. EC2 SwapUsage (as custom metric)
C. EC2 CPU Utilization
D. EC2 NetworkIn
E. SAP work process usage (via SAP monitoring)
Answers: A, C, E

High queue length indicates I/O requests waiting, often a sign of storage bottleneck.

Why this answer

Options A, C, and E are correct. Option A (EC2 CPU utilization) helps detect compute bottlenecks. Option C (EBS volume queue length) indicates I/O pressure.

Option E (SAP work process usage) shows application-level saturation. Option B (NetworkIn) is less critical for health. Option D (SwapUsage) is important but not a standard CloudWatch metric; it requires custom agent.

538
MCQ · easy

A company runs SAP on AWS and uses AWS CloudTrail to monitor API activity. The security team wants to receive real-time notifications when specific SAP-related API calls are made. Which AWS service should they use to filter and forward these events?

A. Amazon Inspector
B. AWS Config
C. Amazon EventBridge
D. AWS Trusted Advisor
Answer: C

EventBridge can filter CloudTrail events and trigger actions.

Why this answer

Option B is correct because Amazon EventBridge can ingest CloudTrail events and route them to targets such as SNS for notifications based on event patterns. Option A is wrong because Amazon Inspector is for vulnerability assessment. Option C is wrong because AWS Config is for resource compliance.

Option D is wrong because AWS Trusted Advisor provides best practice checks, not real-time event filtering.

539
MCQ · medium

A company is migrating its SAP ERP system to AWS. The system requires high availability for the SAP Central Services (ASCS) instance. Which AWS architecture should be used to meet this requirement?

A. Use a multi-AZ deployment with Amazon FSx for NetApp ONTAP as a shared file system and place ASCS on two EC2 instances in different Availability Zones with an Elastic IP address.
B. Use Amazon S3 to store the ASCS configuration and launch a single EC2 instance with an Auto Scaling group.
C. Deploy ASCS on a single EC2 instance in one Availability Zone with an EBS volume snapshot for recovery.
D. Use Amazon RDS for SAP Central Services running in a Multi-AZ configuration.
Answer: A

This provides high availability with failover across AZs.

Why this answer

Option A is correct because SAP ASCS requires a highly available shared file system and a floating IP address for failover. Amazon FSx for NetApp ONTAP provides a highly available, NFS-based shared file system that supports the SAP transport and profile directories across Availability Zones. Placing two EC2 instances in different AZs with an Elastic IP address allows the ASCS instance to be failed over manually or via a cluster manager, meeting the high availability requirement.

Exam trap

The trap here is that candidates confuse SAP Central Services (ASCS) with a database service and incorrectly select Amazon RDS, or assume that a single-instance recovery solution like EBS snapshots meets high availability requirements, when in fact SAP ASCS requires a clustered architecture with shared storage and a floating IP.

How to eliminate wrong answers

Option B is wrong because Amazon S3 is an object store and does not support the POSIX file system semantics required by SAP ASCS for shared directories like /usr/sap/trans and profile files; Auto Scaling groups are designed for stateless scaling, not for stateful SAP ASCS failover. Option C is wrong because a single EC2 instance with an EBS snapshot provides only backup and recovery, not high availability; it cannot achieve the sub-minute failover required for SAP ASCS. Option D is wrong because Amazon RDS is a managed database service for relational databases, not for SAP Central Services, which is an application service that requires a shared file system and cluster management, not a database.

540
MCQ · medium

A company is designing a backup strategy for SAP HANA on AWS. The HANA database is 2 TB in size. The company requires daily full backups and hourly incremental backups. Which AWS service should be used to store the backups cost-effectively with high durability?

A. Amazon S3 with lifecycle policies to transition to Glacier.
B. Amazon EBS Snapshots stored in Amazon S3.
C. AWS Storage Gateway with volume gateway.
D. Amazon EFS for shared backup storage.
Answer: A

S3 offers durability and cost-effectiveness for backups.

Why this answer

Option A is correct because Amazon S3 provides 99.999999999% durability and is cost-effective for storing backups. S3 lifecycle policies can move older backups to Glacier for further cost savings. Option B is incorrect because Amazon EBS Snapshots are stored in S3 but are more expensive for long-term retention.

Option C is incorrect because Amazon EFS is a file system, not optimized for backup storage. Option D is incorrect because AWS Storage Gateway is for on-premises integration.

541
MCQ · hard

Refer to the exhibit. An SAP administrator created this IAM policy for an SAP application user that performs database backups to Amazon S3. The user reports that backup jobs fail with an access denied error. What is the most likely cause?

A. The policy has a syntax error and is invalid.
B. The policy does not allow s3:PutObject for the bucket.
C. The policy is missing s3:ListBucket permission on the bucket.
D. The Deny statement blocks all DeleteObject requests.
Answer: C

ListBucket is required to access objects in the bucket.

Why this answer

Option B is correct because the Deny statement denies s3:DeleteObject when SecureTransport is false, but the user may be using HTTPS (SecureTransport true), which is fine. However, the error is likely due to missing s3:ListBucket permission to list objects in the bucket. Option A is wrong because the policy allows PutObject.

Option C is wrong because the Deny condition only applies when SecureTransport is false. Option D is wrong because the Allow statement exists.

542
Multi-Select · medium

Which THREE factors should be considered when choosing an EC2 instance type for an SAP HANA production system? (Choose three.)

Select 3 answers
A. GPU capabilities for parallel processing.
B. Amount of memory (RAM) required.
C. Network throughput and latency.
D. Support for EBS optimization.
E. Processor architecture (Intel/AMD vs ARM).
Answers: B, C, E

HANA is memory-intensive.

Why this answer

Options A, B, and E are correct. Option A: Memory is critical for HANA. Option B: Network performance impacts throughput.

Option E: Intel/AMD vs ARM affects HANA certification. Option C is wrong because EBS optimization is not a primary factor. Option D is wrong because GPU is not relevant for HANA.

543
MCQ · easy

A company runs SAP on AWS and needs to automate the patching of SAP application servers. The solution should apply patches during a defined maintenance window and ensure high availability. What is the most efficient approach?

A. Use AWS Systems Manager Patch Manager with a maintenance window.
B. Update the CloudFormation stack to replace instances with new AMIs.
C. Use AWS Lambda to invoke Run Command on each instance sequentially.
D. Manually connect to each instance via SSH and apply patches.
Answer: A

Patch Manager automates patching with scheduled maintenance windows and can target Auto Scaling groups for HA.

Why this answer

Option D is correct because AWS Systems Manager automates patching with maintenance windows and supports high availability by targeting instances in an Auto Scaling group. Option A (Lambda with Run Command) is possible but less efficient. Option B (manual patching via SSH) is not automated.

Option C (CloudFormation update) is complex and not ideal for patching.

544
MCQ · easy

A company is migrating its on-premises web application to AWS. The application consists of a stateless web tier and a stateful database tier running on a single server. The web tier uses session data stored in the local file system. The database tier runs on MySQL. The company wants to minimize changes to the application code during migration. They plan to use Amazon EC2 for the web server and Amazon RDS for MySQL for the database. After migrating the web server to an EC2 instance and the database to RDS, users report that they are being logged out of the application frequently. What is the most likely cause of this issue?

A. The web server's session data is stored locally and is lost when the EC2 instance is replaced or restarted.
B. The RDS instance's backup window is causing database connections to drop.
C. The application's session timeout setting was reduced during migration.
D. The security group for the web server is blocking inbound session cookies.
Answer: A

Since the application stores sessions locally, any instance replacement leads to session loss.

Why this answer

The web tier stores session data in the local file system of the EC2 instance. When the instance is replaced or restarted (e.g., due to Auto Scaling, instance failure, or a maintenance event), that local session data is lost. Since the application code was not modified to use a shared session store (like ElastiCache or DynamoDB), users lose their sessions and are logged out.

This is the most likely cause because the migration explicitly minimized code changes and did not address the stateless web tier requirement.

Exam trap

The trap here is that candidates may assume session data is automatically preserved across EC2 instance lifecycles, or they may incorrectly blame RDS connectivity or security group rules, when the real issue is the lack of a shared, durable session store for the stateless web tier.

How to eliminate wrong answers

Option B is wrong because RDS backup windows do not cause database connections to drop; RDS remains available during backups (Multi-AZ or single-AZ with I/O suspension), and any brief I/O suspension would not cause web session loss. Option C is wrong because there is no evidence that the session timeout setting was changed; the problem is session data persistence, not timeout duration. Option D is wrong because security groups do not block inbound session cookies; security groups filter network traffic at the IP/port level, not application-layer HTTP cookies.

545
Multi-Select · hard

Which THREE steps should be taken when troubleshooting a slow-running SAP HANA database on AWS? (Select THREE.)

Select 3 answers
A. Immediately scale up the EC2 instance type
B. Review HANA SQL plan cache for slow queries
C. Check CloudWatch metrics for CPU utilization and disk I/O
D. Review IAM roles attached to the instance
E. Verify HANA memory allocation and check for memory pressure
Answers: B, C, E

Slow queries can indicate performance issues.

Why this answer

Option A is correct - verify memory allocation is a key step. Option C is correct - check CPU utilization. Option D is correct - review slow queries.

Option B is incorrect - scaling up before analysis may be premature. Option E is incorrect - checking IAM roles is not directly related to HANA performance.

546
MCQ · hard

A company has an SAP HANA database running on an r5.8xlarge EC2 instance with 3.5 TB of data. They want to back up the database to Amazon S3 using Backint. What is the most cost-effective and performant backup strategy?

A. Use EBS snapshots and copy them to S3.
B. Use multiple parallel Backint streams to a single S3 bucket with S3 Standard storage.
C. Use multiple parallel Backint streams to multiple S3 buckets with S3 Glacier storage.
D. Use a single Backint stream to one S3 bucket with S3 Standard storage.
Answer: B

Parallel streams improve throughput; single bucket is simpler and cost-effective.

Why this answer

Backint is the native SAP HANA backup integration that sends backup data directly to Amazon S3. Using multiple parallel Backint streams maximizes throughput by leveraging S3's high request rate limits, and S3 Standard storage provides the low-latency access needed for frequent backups and restores without incurring retrieval costs. This combination is both cost-effective and performant for a 3.5 TB database.

Exam trap

The trap here is that candidates often choose S3 Glacier for cost savings, overlooking the retrieval latency and costs for frequent backups, or they choose a single stream assuming simplicity, missing the performance benefits of parallelism for large datasets.

How to eliminate wrong answers

Option A is wrong because EBS snapshots capture the entire volume, including unused blocks, and require copying to S3, which adds latency and cost without leveraging Backint's native SAP integration for HANA. Option C is wrong because S3 Glacier storage incurs retrieval fees and delays (minutes to hours) that are unsuitable for frequent backups and rapid restores required by SAP HANA. Option D is wrong because a single Backint stream creates a bottleneck, limiting throughput to a single connection and failing to utilize S3's parallel processing capabilities, resulting in slower backup times for a 3.5 TB dataset.

547
MCQ · hard

A company is migrating an SAP application server to AWS using CloudFormation. The template snippet is shown in the exhibit. The SAP application requires at least 300 GB of disk space for /usr/sap. Which change should be made to the template?

A. Change the instance type to a larger size to provide more instance storage.
B. Increase the root volume (/dev/xvda) size to 300 GB.
C. Increase the size of the second volume (/dev/xvdb) to 300 GB.
D. Add a third EBS volume of 100 GB for /usr/sap.
Answer: C

The second volume is likely for /usr/sap; increase to 300 GB.

Why this answer

The SAP application server typically needs a large disk for /usr/sap. The template currently has a 100 GB root volume and a 200 GB additional volume, total 300 GB. However, /usr/sap is usually mounted on a separate volume.

The 200 GB volume is likely for /usr/sap, but 200 GB may not be enough if the requirement is at least 300 GB. The correct action is to increase the second volume size to at least 300 GB. Increasing root volume or adding a third volume are alternatives but less direct.

548
MCQ · hard

A company is designing a multi-zone SAP system on AWS. They want to minimize network latency between SAP application servers and the SAP HANA database. What is the best practice for deploying these components?

A. Deploy in different VPCs and use VPC peering.
B. Deploy in different AWS Regions.
C. Deploy application servers and HANA in the same AZ and same VPC.
D. Deploy application servers in one AZ and HANA in another AZ.
Answer: C

Same AZ and VPC minimizes latency.

Why this answer

The correct answer is D because placing the SAP application servers and HANA database in the same Availability Zone minimizes network latency. Option A is incorrect because spreading across AZs increases latency. Option B is incorrect because using different VPCs adds unnecessary latency.

Option C is incorrect because different Regions have much higher latency.

549
MCQ · medium

A company runs SAP ERP on AWS. The system needs to be highly available with automatic failover in case of an Availability Zone failure. Which architecture should be used?

A. Route 53 failover routing policy
B. Auto Scaling group with multiple EC2 instances in different AZs
C. SAP HANA System Replication across two Availability Zones with automatic failover
D. AWS RDS Multi-AZ deployment
Answer: C

HANA SR across AZs provides automatic failover for HA.

Why this answer

SAP HANA System Replication (HSR) across two Availability Zones with automatic failover is the correct architecture because it provides synchronous or asynchronous replication of the SAP HANA database at the storage or log level, enabling automatic failover to a standby instance in a different AZ when the primary fails. This meets the requirement for high availability and automatic failover during an AZ failure, as HSR is the native SAP mechanism for database-level HA on AWS, unlike generic AWS services that do not handle SAP-specific application state or replication requirements.

Exam trap

The trap here is that candidates confuse generic AWS high-availability services (like Auto Scaling or RDS Multi-AZ) with SAP-specific requirements, failing to recognize that SAP HANA requires its own replication mechanism (HSR) and that RDS does not support SAP HANA at all.

How to eliminate wrong answers

Option A is wrong because Route 53 failover routing policy only handles DNS-level traffic routing to healthy endpoints, not automatic failover of the SAP ERP application or database; it cannot initiate database failover or maintain session state, and it requires health checks that do not replace SAP HANA's replication and takeover logic. Option B is wrong because an Auto Scaling group with multiple EC2 instances in different AZs provides compute-level redundancy but does not manage SAP HANA database replication or automatic failover; it lacks the database synchronization and takeover mechanisms needed for SAP ERP, and scaling out instances does not address database state consistency. Option D is wrong because AWS RDS Multi-AZ deployment is designed for relational databases like MySQL, PostgreSQL, or Oracle, not for SAP HANA; SAP HANA is an in-memory database that requires its own replication technology (HSR) and is not supported by RDS Multi-AZ, which also does not provide SAP-specific application-aware failover.

550
MCQ · medium

A company is running SAP ERP on AWS and wants to reduce costs by right-sizing the EC2 instances. The administrator has identified that the current instances are over-provisioned for CPU and memory. Which AWS service can provide recommendations for instance type changes based on historical usage?

A. AWS Trusted Advisor
B. AWS Compute Optimizer
C. Amazon CloudWatch
D. AWS Cost Explorer
Answer: B

Compute Optimizer uses machine learning to recommend optimal AWS resources.

Why this answer

Option C is correct because AWS Compute Optimizer analyzes utilization and recommends optimal instance types. Option A is wrong because AWS Trusted Advisor provides cost optimization checks but not detailed instance recommendations. Option B is wrong because Amazon CloudWatch provides metrics but not recommendations.

Option D is wrong because AWS Cost Explorer provides cost usage data, not instance recommendations.

551
Multi-Select · easy

A company is running SAP HANA on an EC2 instance. The administrator needs to ensure that the instance is resilient to an Availability Zone failure. Which actions should the administrator take? (Choose TWO.)

Select 2 answers
A. Configure Auto Scaling to automatically launch a new instance in another AZ.
B. Use Amazon CloudWatch to monitor instance health and trigger a recovery.
C. Set up SAP HANA System Replication between instances in two Availability Zones.
D. Deploy a second HANA instance in a different AZ and configure replication.
E. Take daily EBS snapshots of the HANA data volume.
Answers: C, D

HSR provides data replication across AZs.

Why this answer

Options B and D are correct. B: Multi-AZ RDS provides HA for database. D: Cross-AZ replication provides DR.

Option A is wrong because auto scaling is for stateless apps. Option C is wrong because EBS snapshots are not for HA. Option E is wrong because CloudWatch does not provide HA.

552
MCQ · easy

Refer to the exhibit. A CloudFormation template is used to launch an EC2 instance for SAP. The instance launches but the root volume is only 50 GB. The SAP installation requires at least 100 GB for the root volume. How should the template be modified?

A. Change VolumeSize from 50 to 100 in the BlockDeviceMapping.
B. Change the InstanceType to a larger instance.
C. Modify the running instance's root volume size using the AWS Management Console.
D. Change the ImageId to an AMI with a larger root volume.
Answer: A

Increasing the VolumeSize value will allocate a larger root volume.

Why this answer

Option A is correct because increasing the VolumeSize to 100 in the BlockDeviceMapping will allocate a 100 GB root volume. Option B is wrong because modifying the template after launch doesn't change the running instance. Option C is wrong because changing InstanceType does not affect volume size.

Option D is wrong because changing ImageId changes the AMI, not the volume size.

553
MCQ easy

A company is migrating a large Oracle database to Amazon RDS for Oracle. They want to minimize downtime during the migration. Which AWS service should they use to replicate data in real time?

A. AWS Server Migration Service (SMS)
B. AWS Schema Conversion Tool (SCT)
C. AWS Database Migration Service (DMS)
D. AWS DataSync
Answer: C

DMS supports ongoing replication to minimize downtime.

Why this answer

AWS DMS can perform ongoing replication with minimal downtime. Option B is correct because it supports continuous data replication. Option A is wrong because AWS SMS is for server migration.

Option C is wrong because AWS DataSync is for file-based data transfer. Option D is wrong because AWS SCT is a schema conversion tool.

554
MCQ medium

An administrator is reviewing a CloudFormation template to deploy an SAP ASCS instance. The template snippet is shown in the exhibit. What is a potential issue with this configuration for a production deployment?

A. The AMI ID is not specified correctly.
B. The instance type m5.large is not certified for SAP ASCS.
C. The security group is not defined in the template.
D. The tags are not sufficient for SAP discovery.
Answer: B

SAP ASCS requires certified instance types; m5.large is not certified.

Why this answer

Option B is correct because the m5.large instance type is not certified for SAP ASCS on AWS. SAP requires specific instance types that have passed SAP's certification tests for high-availability and performance requirements of the ASCS (ABAP Central Services) role. Using an uncertified instance type can lead to unsupported configurations, potential performance issues, and lack of SAP support.

Exam trap

The trap here is that candidates often assume any instance type in a family (e.g., m5) is automatically certified for SAP, but SAP certification is granular per specific size and role, and m5.large is explicitly excluded for ASCS in production.

How to eliminate wrong answers

Option A is wrong because the AMI ID is not specified in the template snippet shown, but this is not inherently an issue—the AMI can be provided as a parameter or mapped later, and the question focuses on the ASCS deployment configuration, not the AMI. Option C is wrong because security groups can be referenced by name or ID without being defined inline in the same template; they may exist externally or be imported, and this does not directly affect ASCS certification. Option D is wrong because tags are not a certification requirement for SAP ASCS; while tags help with resource identification and automation, insufficient tags do not prevent a production deployment or violate SAP certification.

555
MCQ hard

An SAP administrator receives an alert that the SAP HANA database is using 95% of its allocated memory. The system is running on an EC2 instance with 1 TB of RAM. The administrator needs to add more memory without significant downtime. Which action should be taken?

A. Modify the EC2 instance type to a larger size while the instance is running.
B. Add additional EBS volumes to the instance to increase memory capacity.
C. Stop the SAP HANA database, change the EC2 instance type to one with more memory, then restart the database.
D. Increase the swap space on the instance to provide virtual memory.
Answer: C

This provides the needed memory increase with controlled downtime.

Why this answer

Option D (Stop the SAP HANA database, change the EC2 instance type to one with more memory, restart the database) is correct because it directly increases memory with minimal downtime. Option A (Add swap space) is not a permanent solution. Option B (Modify instance type while running) is not supported for all instance types.

Option C (Add more EBS volumes) does not increase RAM.

556
MCQ easy

An SAP administrator is planning a Disaster Recovery (DR) strategy for SAP HANA on AWS. The DR site is in a different AWS Region. Which AWS service can replicate SAP HANA data to the DR region with low Recovery Point Objective (RPO)?

A. Amazon EBS snapshots copied to the DR region
B. SAP HANA System Replication with log shipping
C. AWS Database Migration Service (DMS) with ongoing replication
D. Amazon S3 cross-region replication
Answer: B

HANA System Replication provides continuous synchronization with low RPO.

Why this answer

Option A is correct. SAP HANA System Replication with log shipping can provide a low RPO by continuously replicating data to another region. Option B is wrong because EBS snapshots are periodic and may not achieve low RPO.

Option C is wrong because S3 cross-region replication is object-level, not database-level. Option D is wrong because AWS Database Migration Service is for migrations, not ongoing replication for DR.

557
Multi-Select medium

An SAP system on AWS uses an Oracle database. The administrator wants to automate the creation of daily backups and retain them for 30 days. Which THREE AWS services can be used together to achieve this? (Choose three.)

Select 3 answers
A. Amazon S3 lifecycle policies
B. AWS Lambda
C. Amazon EBS snapshots
D. AWS Backup
E. Amazon CloudWatch Events
Answers: A, C, D

To expire old backups.

Why this answer

Option A, Option C, and Option D are correct: AWS Backup (A) schedules backups, Amazon EBS snapshots (C) capture data, and Amazon S3 lifecycle policies (D) manage retention. Option B is wrong because AWS Lambda is not necessary for scheduling. Option E is wrong because CloudWatch is for monitoring.

558
MCQ hard

An SAP administrator is reviewing a CloudFormation template that defines an Auto Scaling group for SAP application servers. The exhibit shows the relevant section. The group currently has 2 instances running. The administrator wants to ensure that during a rolling update, at least one instance remains available. Which property should be added?

A. UpdatePolicy attribute with AutoScalingRollingUpdate and MinInstancesInService set to 1.
B. Set MaxSize to 1.
C. Set DesiredCapacity to 3.
D. Add a HealthCheckGracePeriod of 300 seconds.
Answer: A

This ensures that during updates, at least one instance remains in service.

Why this answer

Option A is correct because UpdatePolicy with AutoScalingRollingUpdate allows control of the rolling update, including MinInstancesInService to keep at least one instance running. Option B is wrong because DesiredCapacity only sets the target count. Option C is wrong because HealthCheckGracePeriod is for health checks.

Option D is wrong because MaxSize does not control rolling updates.

559
MCQ easy

A company wants to automate the installation of SAP software on AWS. Which AWS service is most appropriate for orchestrating the deployment of SAP systems?

A. AWS CloudFormation
B. AWS OpsWorks
C. AWS CodeDeploy
D. AWS Lambda
Answer: A

CloudFormation allows infrastructure as code to provision all AWS resources for SAP.

Why this answer

AWS CloudFormation is the most appropriate service for orchestrating the deployment of SAP systems because it allows you to define the entire infrastructure as code using templates, enabling automated, repeatable, and consistent provisioning of SAP landscapes. It supports custom resources and nested stacks, which are essential for managing the complex dependencies and multi-tier architecture typical of SAP deployments on AWS.

Exam trap

The trap here is that candidates often confuse AWS OpsWorks or CodeDeploy with infrastructure orchestration, but the PAS-C01 exam specifically tests the understanding that CloudFormation is the primary service for automating the provisioning of SAP systems on AWS, while OpsWorks and CodeDeploy serve different purposes in configuration management and application deployment, respectively.

How to eliminate wrong answers

Option B (AWS OpsWorks) is wrong because it is designed for configuration management using Chef or Puppet, not for orchestrating the deployment of complex SAP systems; it lacks native support for SAP-specific resources and templates. Option C (AWS CodeDeploy) is wrong because it is intended for deploying application code to EC2 instances or on-premises servers, not for provisioning the underlying infrastructure or orchestrating multi-tier SAP landscapes. Option D (AWS Lambda) is wrong because it is a serverless compute service for running event-driven code, not a deployment orchestration tool; it cannot manage the lifecycle of infrastructure resources like EC2 instances, storage, and networking required for SAP.

560
MCQ medium

A company uses SAP BusinessObjects (BO) on AWS. The BO servers run on EC2 instances in a private subnet. Users access the BI Launch Pad through an Application Load Balancer (ALB) in a public subnet. The company recently received a security audit finding that the ALB is accessible from the internet on port 443 and that its security group allows inbound traffic from 0.0.0.0/0. The audit requires that only the company's corporate IP range (203.0.113.0/24) be allowed. Additionally, the company wants to reduce the attack surface by blocking traffic from other IPs. What should the company do to meet the security requirement?

A. Deploy AWS WAF on the ALB and create a rule to allow only the corporate IP range.
B. Modify the security group attached to the ALB to allow only inbound traffic from 203.0.113.0/24 on port 443.
C. Replace the security group with a network ACL on the ALB subnet to allow only the corporate IP range.
D. Move the ALB to a private subnet and use a VPN for user access.
Answer: B

Security groups can restrict traffic by source IP.

Why this answer

Option A is correct because updating the ALB security group to restrict inbound traffic to the corporate IP range is the simplest and most effective solution. Option B is wrong because a WAF is not necessary for IP restriction; security groups can do it. Option C is wrong because a NACL can also restrict, but security groups are stateful and easier.

Option D is wrong because moving the ALB to a private subnet would block all internet traffic.

561
MCQ hard

A company uses AWS Config to record resource changes and evaluate rules. Recently, the compliance status of an S3 bucket rule changed from COMPLIANT to NON_COMPLIANT. The operations team investigates and finds that the bucket policy was modified. What is the MOST efficient way to identify who made the change and the exact time?

A. Examine the S3 server access logs for the bucket.
B. Search AWS CloudTrail event history for PutBucketPolicy events for the S3 bucket.
C. Review the configuration timeline in AWS Config for the S3 bucket.
D. Use AWS Systems Manager Automation to run a script that checks CloudWatch Logs.
Answer: B

CloudTrail records all API calls with details.

Why this answer

AWS CloudTrail captures all API calls made to AWS services, including S3 bucket policy modifications via the PutBucketPolicy API. By searching the CloudTrail event history for PutBucketPolicy events filtered by the specific S3 bucket ARN, you can directly identify the IAM user or role that made the change, along with the exact timestamp. This is the most efficient method because it provides a complete audit trail of API activity without requiring additional logging setup or parsing.

Exam trap

The trap here is that candidates confuse AWS Config's configuration timeline (which shows what changed and when, but not who) with CloudTrail's audit trail (which shows who made the API call), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because S3 server access logs record object-level requests (GET, PUT, DELETE) and do not capture management-plane API calls like PutBucketPolicy; they would not show who modified the bucket policy. Option C is wrong because the AWS Config configuration timeline shows resource configuration changes and compliance status over time, but it does not record the identity of the user or service that made the change. Option D is wrong because AWS Systems Manager Automation is designed for operational runbooks and remediation, not for querying audit logs; using it to check CloudWatch Logs is an inefficient, roundabout approach compared to directly querying CloudTrail.

562
MCQ medium

The exhibit shows the output of the describe-replication-tasks command. The task status is 'failed'. Which action should be taken to troubleshoot the failure?

A. Restart the replication task with a different migration type.
B. Modify the table mappings to exclude all tables.
C. Create a new replication task with the same settings.
D. Review the CloudWatch logs for the replication instance and task.
Answer: D

CloudWatch logs provide detailed error messages for troubleshooting.

Why this answer

Option D is correct because the first step is to check the CloudWatch logs for DMS to find detailed error messages. Option A is wrong because restarting without investigation may lead to the same error. Option B is wrong because modifying table mappings may not be the issue.

Option C is wrong because creating a new task without understanding the failure is inefficient.

563
MCQ medium

A company is running SAP on AWS and needs to back up the SAP HANA database daily. The database is 1 TB in size and the backup must be completed within 2 hours. The backup will be stored in Amazon S3. Which approach provides the fastest backup time while minimizing cost?

A. Copy the backup files to an EC2 instance store, then upload to S3
B. Take EBS snapshots of the volume
C. Use the SAP HANA Backint agent to stream backups directly to S3
D. Mount an Amazon EFS file system and write backups to it
Answer: C

Backint is optimized for HANA backup to S3, fast and cost-effective.

Why this answer

Storing backups directly to S3 via the SAP HANA Backint interface using an AWS Backint agent is the fastest and most cost-effective method. Option C is correct. EBS snapshots are slower for database backup and require additional steps.

Using EC2 instance store is not durable. NFS on EFS adds latency.

564
MCQ medium

A company is running SAP ERP on AWS and needs to encrypt data at rest for all SAP-related storage. Which combination of AWS services can be used to achieve this? (Select TWO.)

A. AWS Identity and Access Management (IAM)
B. Amazon S3 server-side encryption
C. AWS WAF
D. Amazon EBS encryption
E. Amazon CloudWatch Logs
Answer: B, D

Encrypts objects stored in S3, such as backups.

Why this answer

Amazon EBS encryption (Option D) provides at-rest encryption for the block storage volumes used by SAP EC2 instances, ensuring data on the underlying disks is encrypted. Amazon S3 server-side encryption (Option B) encrypts data at rest in S3 buckets, which can be used for SAP backups, log archives, or other SAP-related object storage. Together, they cover the primary storage types for SAP on AWS.

Exam trap

The trap here is that candidates may confuse access control services (IAM) or security monitoring (WAF, CloudWatch) with encryption services, failing to recognize that only storage-level services like EBS and S3 provide native at-rest encryption for SAP data.

How to eliminate wrong answers

Option A is wrong because AWS Identity and Access Management (IAM) is an access control service that manages permissions and authentication, not data encryption at rest. Option C is wrong because AWS WAF is a web application firewall that protects against web exploits, not a data encryption service. Option E is wrong because Amazon CloudWatch Logs is a monitoring and logging service that stores log data but does not provide native encryption at rest for SAP storage; it relies on underlying service encryption, but it is not a direct encryption mechanism for SAP-related storage.

565
MCQ easy

An SAP system administrator receives an alert that an EBS volume attached to an SAP application server is at 95% capacity. The volume is 100 GB gp2 and stores log files. What is the MOST efficient way to resolve the space issue?

A. Increase the volume size using Amazon EBS Elastic Volumes.
B. Delete the oldest log files manually.
C. Configure log rotation and move old logs to Amazon S3 Glacier.
D. Attach an additional EBS volume for log storage.
Answer: C

Automating archiving to S3 Glacier frees space and retains logs for compliance.

Why this answer

Option D is correct because archiving old logs to Amazon S3 Glacier frees space and provides cost-effective long-term storage. Option A is wrong because log rotation must be configured before deleting. Option B is wrong because manual deletion is error-prone.

Option C is wrong because increasing volume size is temporary.

566
MCQ hard

A company runs SAP on AWS and uses a shared file system for SAP transport files. The system must support concurrent access from multiple SAP application servers and provide strong consistency. The transport files are typically small (less than 1 MB) and are frequently read and written. Which file storage solution should be used?

A. Amazon FSx for Windows File Server
B. Amazon S3
C. Amazon EFS
D. Amazon EC2 instance store
Answer: C

EFS provides NFS shared storage with strong consistency, ideal for SAP transport directories.

Why this answer

Option A is correct: Amazon EFS provides a shared NFS file system with strong consistency and is suitable for concurrent access. Option B is wrong: Amazon S3 is object storage, not a file system. Option C is wrong: Amazon FSx for Windows File Server supports SMB, not NFS typically used by SAP on Linux.

Option D is wrong: Instance store is ephemeral and not shared.

567
MCQ medium

An SAP HANA database on AWS is configured with automatic backups to Amazon S3. The backup process is failing with the error 'Access Denied'. The administrator has confirmed the S3 bucket exists and the IAM role attached to the EC2 instance has the correct permissions. What could be the issue?

A. The S3 bucket has a bucket policy that denies access to the IAM role
B. The IAM role's trust policy does not allow the EC2 service
C. The S3 bucket is encrypted with AWS KMS and the role lacks kms:Decrypt permissions
D. The VPC does not have an S3 VPC endpoint configured
Answer: A

A bucket policy with an explicit deny overrides IAM permissions.

Why this answer

If the bucket policy denies access even if the IAM role allows, the explicit deny in the bucket policy overrides. The error indicates a permissions issue. The role might lack proper trust policy only if it can't assume, but the error suggests access denied to S3.

The bucket policy is likely the cause. KMS key issues would give a different error. VPC endpoint issues would cause connectivity errors.

568
MCQ easy

A solutions architect is designing a disaster recovery plan for a critical application that runs on Amazon RDS for PostgreSQL. The application requires a Recovery Point Objective (RPO) of less than 5 seconds and a Recovery Time Objective (RTO) of less than 1 minute. Which RDS deployment option meets these requirements?

A. A single-AZ deployment with cross-Region automated backups.
B. A single-AZ deployment with a standby instance manually promoted.
C. A Multi-AZ deployment with synchronous replication.
D. A Multi-AZ deployment with a Read Replica in a different Region.
Answer: C

Multi-AZ provides synchronous replication and automatic failover.

Why this answer

Amazon RDS Multi-AZ deployments with synchronous replication provide automatic failover to a standby instance in a different Availability Zone, ensuring data is committed to both primary and standby before acknowledging a write. This achieves an RPO of effectively zero (less than 5 seconds) and an RTO typically under 1 minute, meeting the stated requirements.

Exam trap

The trap here is confusing Multi-AZ synchronous replication (which provides automatic failover and near-zero RPO) with cross-Region Read Replicas (which use asynchronous replication and require manual promotion, thus failing both RPO and RTO requirements).

How to eliminate wrong answers

Option A is wrong because cross-Region automated backups have an RPO of up to 5 minutes or more due to the asynchronous nature of backup uploads, and RTO involves restoring from a snapshot which takes significantly longer than 1 minute. Option B is wrong because a single-AZ deployment with manual promotion requires you to detect the failure and manually promote a standby (if any), resulting in RTO far exceeding 1 minute and no synchronous replication to guarantee RPO under 5 seconds. Option D is wrong because a Read Replica in a different Region uses asynchronous replication, which can have replication lag exceeding 5 seconds, and promoting it requires manual intervention, failing the RTO requirement.

569
MCQ hard

A company is migrating a large SAP ERP system to AWS. The source system runs on IBM Db2. The target is SAP HANA on AWS. Which tool should be used for schema conversion?

A. AWS Database Migration Service (AWS DMS)
B. SAP HANA Studio
C. AWS Schema Conversion Tool (AWS SCT)
D. SAP DMO
Answer: C

AWS SCT converts source schemas to target format, supporting Db2 to HANA.

Why this answer

AWS SCT supports schema conversion from IBM Db2 to SAP HANA. SAP HANA Studio and SAP DMO are SAP tools, but SCT is the AWS-native option for heterogeneous migrations. AWS DMS is for data migration, not schema conversion.

570
MCQ hard

A company runs SAP on AWS and is experiencing high latency for database queries after moving the SAP HANA database to a larger instance type. CloudWatch metrics show that the EBS volume queue length is consistently high. What is the most likely cause of the latency?

A. The instance's network bandwidth is saturated.
B. The instance's CPU is under-provisioned.
C. The EBS volume does not have enough provisioned IOPS.
D. The EBS volume is not encrypted.
Answer: C

Insufficient IOPS leads to requests queuing.

Why this answer

High EBS queue length indicates that the volume is not keeping up with I/O requests. This can be due to insufficient IOPS provisioned for the EBS volume. While network bandwidth or CPU could be factors, the queue length specifically points to I/O bottleneck.

571
MCQ medium

An SAP administrator runs the commands above to inspect the volumes attached to an EC2 instance that hosts an SAP HANA database. The database log files are stored on /dev/sdf. What is a potential issue with this configuration?

A. The log volume uses gp3, which may not provide enough IOPS for HANA log writes.
B. The log volume is attached as /dev/sdf, which is not a standard device name for HANA.
C. The root volume will be deleted on termination, causing data loss.
D. The log volume is not encrypted.
Answer: A

HANA log volumes require high IOPS; io1 or io2 are recommended.

Why this answer

Option C is correct because HANA log volumes require high IOPS and low latency; gp3 may not provide sufficient performance. Option A (encryption) is not shown. Option B (DeleteOnTermination) is false, which is fine for data persistence.

Option D (device name) is not an issue.

572
MCQ medium

A company is running a business-critical SAP HANA database on an m5.24xlarge EC2 instance. The database stores 3 TB of data on EBS gp3 volumes. The system experiences high latency during peak hours. Which configuration change would most effectively reduce latency without increasing costs significantly?

A. Increase the Provisioned IOPS of the gp3 volumes to the maximum supported.
B. Move the database to a larger instance type like x1e.32xlarge with more memory.
C. Migrate the EBS volumes to io2 Block Express volumes with the same capacity.
D. Increase the gp3 volume size to 4 TB to gain more baseline IOPS.
Answer: C

io2 Block Express provides consistent single-digit millisecond latency and higher IOPS, ideal for SAP HANA.

Why this answer

Option B is correct because io2 Block Express volumes provide higher IOPS and lower latency than gp3, which is critical for SAP HANA. Option A is wrong because increasing gp3 volume size does not guarantee latency reduction. Option C is wrong because moving to a larger instance increases costs significantly.

Option D is wrong because increasing Provisioned IOPS on gp3 increases costs without addressing the underlying latency issue of gp3.

573
MCQ easy

An SAP administrator needs to receive alerts when the CPU utilization of an SAP application server exceeds 90% for 5 minutes. Which AWS service should be used to set up the alert?

A. VPC Flow Logs
B. Amazon CloudWatch Alarms
C. AWS CloudTrail
D. AWS Config
Answer: B

CloudWatch Alarms monitor metrics and send notifications.

Why this answer

Option B is correct because CloudWatch alarms can monitor CPU utilization metrics and trigger alerts. Option A is incorrect because CloudTrail records API calls. Option C is incorrect because Config monitors resource configurations.

Option D is incorrect because VPC Flow Logs capture network traffic.

574
Multi-Select hard

Which THREE components are required to set up a highly available SAP HANA database using AWS services? (Choose 3)

Select 3 answers
A. Application Load Balancer
B. Single Availability Zone deployment
C. Multi-AZ deployment with synchronous replication
D. Cluster manager (e.g., Pacemaker)
E. Elastic IP address
Answers: C, D, E

Ensures data is replicated across AZs.

Why this answer

Options A, B, and D are correct. A Multi-AZ deployment with synchronous replication (A) provides HA. A cluster manager (B) automates failover.

An Elastic IP (D) provides a static IP for failover. Option C (Single AZ) does not provide HA. Option E (ALB) is not needed for database HA.

575
Multi-Select medium

An SAP administrator is troubleshooting a network connectivity issue between an SAP application server and an SAP HANA database, both running on EC2 in the same VPC. The security groups allow traffic on ports 3xx15 and 3xx17. Which TWO steps should the administrator take to diagnose the problem?

Select 2 answers
A. Check that the security groups have outbound rules that allow return traffic.
B. Ensure the internet gateway is attached to the VPC.
C. Check the route tables to ensure the subnets can communicate.
D. Enable VPC Flow Logs and analyze logs for dropped packets.
E. Verify that the network ACLs for both subnets allow the required traffic.
Answers: C, E

Route tables must have routes for intra-VPC communication.

Why this answer

Options B and D are correct. Verifying network ACLs is important because they can block traffic even if security groups allow it. Checking route tables ensures that subnets are properly connected.

Option A is wrong because VPC Flow Logs are useful for analysis but not the first step. Option C is wrong because NACLs are stateless and need both inbound and outbound rules. Option E is wrong because internet gateway is not needed for internal traffic.

576
MCQ medium

A company is running SAP BusinessObjects on AWS. The application server is on an EC2 instance, and the database is on Amazon RDS for SQL Server. Users report that reports are taking longer to generate than expected. Which AWS service can be used to analyze the performance bottleneck?

A. AWS Trusted Advisor
B. AWS CloudTrail
C. AWS X-Ray
D. Amazon CloudWatch with enhanced monitoring for RDS
Answer: D

CloudWatch provides metrics like CPU, memory, and disk I/O, and RDS Enhanced Monitoring offers OS-level metrics.

Why this answer

Option C is correct because CloudWatch provides metrics and logs for EC2 and RDS, allowing you to analyze CPU, memory, and database wait events. Option A is wrong because X-Ray is for distributed tracing, not database analysis. Option B is wrong because CloudTrail is for API auditing.

Option D is wrong because Trusted Advisor provides recommendations, not detailed performance analysis.

577
Multi-Select hard

Which THREE of the following are valid options for high availability of SAP HANA on AWS? (Choose THREE.)

Select 3 answers
A. Storage replication using NetApp Cloud Volumes ONTAP.
B. HANA System Replication with automatic failover using AWS Elastic IP or Route53.
C. SAP HANA replication to a secondary region with asynchronous replication.
D. Amazon RDS Multi-AZ for HANA.
E. HANA System Replication with manual failover.
Answers: A, B, E

Third-party storage replication can provide HA.

Why this answer

Option A is correct because NetApp Cloud Volumes ONTAP provides storage-level replication that can be used for SAP HANA high availability. This solution replicates storage volumes between availability zones or regions, enabling failover at the storage layer independently of the database, which is a valid HA architecture for SAP HANA on AWS.

Exam trap

The trap here is confusing disaster recovery (asynchronous replication to a secondary region) with high availability (synchronous replication within the same region), and assuming that managed services like RDS Multi-AZ support SAP HANA when they do not.

578
MCQ medium

A company is migrating its SAP HANA database from on-premises to AWS. The current system uses 6 TB of memory and the company wants to minimize downtime. The company has established a 10 Gbps AWS Direct Connect connection. Which migration method is MOST suitable?

A. Perform a full SAP HANA backup to the on-premises storage, copy the backup files to Amazon S3 using AWS Direct Connect, and restore on AWS.
B. Set up SAP HANA system replication between on-premises and AWS, then perform a takeover.
C. Use AWS Database Migration Service (AWS DMS) with full load plus ongoing replication.
D. Use AWS Snowball Edge to physically transport the backup files to AWS and then restore.
Answer: A

Backup and restore over Direct Connect is efficient for large databases and minimizes downtime during restore.

Why this answer

SAP HANA backup and restore is the most common method for large databases; using AWS Direct Connect speeds up the transfer. Option A is wrong because DMS does not support SAP HANA as a source. Option B is wrong because SAP HANA system replication requires low latency and is not ideal for one-time migration.

Option D is wrong because AWS Snowball would introduce additional logistics and potential delays.

579
MCQ medium

A company is running an SAP HANA database on an r5.8xlarge EC2 instance. The database experiences high memory pressure, and they want to add more memory without downtime. What should they do?

A. Use AWS License Manager to add more memory to the instance.
B. Modify the instance type to r5.12xlarge while the instance is running.
C. Use Amazon RDS for SAP HANA to automatically scale memory.
D. Stop the instance and change the instance type to u-6tb1.112xlarge.
Answer: B

EC2 instances with ENA support can change instance type without stopping if the new type is in the same family.

Why this answer

Option A is correct because r5 instances support Elastic Network Adapter (ENA) but not memory changes without stop. Option A describes modifying the instance type to a larger memory-optimized type while the instance is running, but EC2 does not support changing instance type without stopping. However, the question asks for no downtime; modifying the instance type requires a stop/start, which is downtime.

580
MCQmedium

An SAP system on AWS is using Amazon EBS volumes for the database. The company wants to take crash-consistent snapshots of the entire database volume set. Which approach is recommended?

A.Stop the instance, take snapshots, then restart
B.Use EBS Multi-Attach to attach volumes to a backup instance
C.Take snapshots of each volume individually at the same time
D.Use AWS Backup with pre- and post-scripts for volume groups
AnswerD

AWS Backup can create crash-consistent snapshots across volumes.

Why this answer

Option D is correct because the AWS Backup service can orchestrate snapshots across multiple EBS volumes with application-consistent or crash-consistent behavior. Option C is wrong because individual snapshots without coordination may not be crash-consistent. Option A is wrong because stopping the instance causes downtime. Option B is wrong because EBS Multi-Attach is for shared volumes, not for snapshot consistency.

581
MCQeasy

A company is running SAP HANA on AWS and needs to ensure high availability for the database. Which AWS service should be used to automatically recover the HANA primary instance in case of an instance failure?

A.Amazon CloudWatch alarms
B.AWS CloudFormation custom resources
C.AWS Lambda functions
D.Amazon Route 53 health checks and failover routing
AnswerD

Route 53 health checks can trigger failover to a standby database.

Why this answer

Option D is correct because Amazon Route 53 can be used with health checks to automatically redirect traffic to a standby HANA instance. Option B is wrong because AWS CloudFormation is for infrastructure provisioning, not automatic recovery. Option C is wrong because AWS Lambda can be used for custom automation but is not the primary service for this. Option A is wrong because Amazon CloudWatch monitors but does not automatically recover the instance.

582
MCQmedium

A company is migrating a production SAP HANA database to AWS. The database size is 2 TB. The migration window is 4 hours. The network bandwidth is 10 Gbps. Which migration method should be used to achieve the shortest downtime?

A.Use a backup and restore approach.
B.Use AWS DMS with full load and CDC.
C.Use SAP HANA System Replication.
D.Use AWS Snowball Edge for initial load, then CDC.
AnswerC

System Replication provides the shortest downtime, often minutes.

Why this answer

SAP HANA System Replication can achieve near-zero downtime if network latency and bandwidth are adequate. With 10 Gbps, initial sync can be fast. Backup/restore would exceed 4 hours.

DMS with CDC may have overhead. Snowball Edge is not needed given bandwidth.

583
MCQmedium

An SAP HANA database running on an EC2 instance with EBS volumes experiences high write latency. The instance type is r5.4xlarge. The EBS volumes are gp2. Which change is MOST likely to reduce write latency?

A.Move the database files to Amazon EFS.
B.Add a read replica for the database.
C.Change the instance type to a compute-optimized instance.
D.Change the EBS volumes to io2 with provisioned IOPS.
AnswerD

io2 volumes provide consistent low-latency performance with provisioned IOPS.

Why this answer

Option D is correct because increasing EBS optimization or changing to io2 volumes with higher IOPS reduces latency. Option C is wrong because increasing instance size may not help if the bottleneck is EBS. Option B is wrong because a read replica does not help write latency. Option A is wrong because moving to EFS introduces network latency.

584
Multi-Selecteasy

Which TWO of the following are best practices for securing an SAP system on AWS? (Choose two.)

Select 2 answers
A.Store database credentials in plaintext in application configuration files
B.Disable AWS CloudTrail to reduce logs
C.Use security groups to restrict inbound traffic to SAP application ports
D.Allow all inbound traffic from 0.0.0.0/0 for easy access
E.Encrypt data in transit using TLS/SSL certificates
AnswersC, E

Security groups act as virtual firewalls.

Why this answer

Security best practices include using security groups to control traffic (C) and encrypting data in transit using TLS (E). Setting inbound rules to 0.0.0.0/0 (D) is insecure. Storing credentials in plaintext (A) is bad practice. Disabling CloudTrail (B) removes auditing.

585
MCQmedium

A company is deploying SAP NetWeaver on AWS and wants to ensure high availability for the SAP Central Services (ASCS) and Enqueue Replication Server (ERS). They plan to use a cluster manager (Pacemaker) with a shared filesystem. The cluster will span two Availability Zones. The storage for the shared filesystem must be highly available and provide consistent performance. What storage solution should be used?

A.Use an Amazon S3 bucket as the shared filesystem.
B.Use instance store volumes (Local SSDs) on each node.
C.Use an Amazon EBS volume with Multi-Attach enabled.
D.Use Amazon EFS for the shared filesystem.
AnswerD

EFS provides NFS across AZs with HA.

Why this answer

Option D is correct. Amazon EFS provides a shared NFS filesystem that can be mounted from multiple instances across AZs, offering high availability and consistent performance. Option C is wrong because EBS volumes cannot be attached to multiple instances across AZs (Multi-Attach only works within the same AZ). Option A is wrong because S3 is object storage, not a filesystem. Option B is wrong because Local SSDs are ephemeral and not shared.

586
Multi-Selecthard

Which TWO are required considerations when sizing an SAP HANA instance on AWS for a production environment? (Choose two.)

Select 2 answers
A.Provision instance store volumes for HANA data and log areas.
B.Purchase Reserved Instances for the HANA server to reduce costs.
C.Ensure the instance has enough memory to hold the HANA data in memory (RAM:data ratio).
D.Provision EBS volumes with sufficient IOPS for the HANA workload.
E.Select an RDS instance type that supports SAP HANA.
AnswersC, D

HANA is in-memory; data must fit in RAM for performance.

Why this answer

Option C is correct because SAP HANA is an in-memory database that requires all active data to reside in RAM. The RAM:data ratio must be carefully sized to ensure the instance has enough memory to hold the HANA data and log volumes in memory, typically with a 1:4 or 1:8 ratio depending on compression and workload. AWS provides specific instance types (e.g., x1e, u-6tb1) certified for SAP HANA that meet these memory requirements.

Exam trap

The trap here is that candidates confuse storage persistence requirements with instance store vs. EBS, or mistakenly think RDS can host SAP HANA, when in fact SAP HANA requires certified EC2 instances and specific EBS configurations for production workloads.

587
MCQmedium

A company is migrating an SAP HANA database using SAP HANA System Replication (HSR) to AWS. The target EC2 instance is in a different AWS Region than the source. The network latency between regions is high. What should the migration team configure to ensure successful replication?

A.Set up a VPN connection to the target region
B.Disable HSR preload on the target
C.Use AWS Global Accelerator to route traffic over the AWS global network
D.Increase the HSR timeout values significantly
AnswerC

Global Accelerator uses optimized paths to reduce latency and jitter.

Why this answer

Option D is incorrect because increasing timeout values may hide issues but does not solve latency. Option A is incorrect because using a VPN over the internet adds overhead and latency. Option C is correct because using AWS Global Accelerator optimizes the network path and reduces latency impact. Option B is incorrect because disabling preload may reduce performance but does not address latency.

588
MCQmedium

A company is running SAP on AWS and needs to design a disaster recovery (DR) solution with a Recovery Point Objective (RPO) of 15 minutes and a Recovery Time Objective (RTO) of 4 hours. The primary region is us-east-1 and the DR region is us-west-2. The SAP application uses an SAP HANA database with a size of 2 TB. Which combination of AWS services should be used to meet the DR requirements most cost-effectively?

A.Use AWS Database Migration Service (DMS) with continuous replication from the primary HANA database to a target in us-west-2.
B.Use AWS Backup with continuous backups and cross-region copy to achieve RPO of 15 minutes.
C.Use AWS Backup to take hourly backups of the HANA database and restore in us-west-2 during a disaster.
D.Configure HANA System Replication (HSR) across regions and use a standby HANA instance in us-west-2 with a smaller instance size.
AnswerD

HSR provides near-synchronous replication with RPO of seconds; a smaller standby reduces cost and can be scaled up during failover within RTO.

Why this answer

Option D is correct because HANA System Replication (HSR) is the native SAP HANA replication technology that can achieve an RPO of 15 minutes or less by asynchronously replicating data across regions. By using a smaller standby instance in us-west-2, the solution meets the RTO of 4 hours (since the standby can be scaled up or promoted quickly) while minimizing ongoing DR costs. This approach is purpose-built for SAP HANA and avoids the overhead of third-party tools or backup-based restores.

Exam trap

The trap here is that candidates assume AWS Backup or DMS can handle SAP HANA replication, but neither supports the required continuous, low-RPO replication for HANA, and the native HSR is the only service that meets both the RPO and RTO cost-effectively.

How to eliminate wrong answers

Option A is wrong because AWS Database Migration Service (DMS) does not support SAP HANA as a continuous replication source for ongoing changes; DMS is designed for homogeneous/heterogeneous migrations, not for real-time HANA replication with sub-15-minute RPO. Option B is wrong because AWS Backup does not support continuous backups for SAP HANA; it can only take snapshot-based backups at scheduled intervals, and achieving a 15-minute RPO with hourly backups is impossible. Option C is wrong because hourly backups cannot guarantee a 15-minute RPO (the maximum data loss could be up to 1 hour), and restoring from backups in a DR region would likely exceed the 4-hour RTO due to the time required to restore a 2 TB HANA database.

589
MCQhard

A company runs its SAP ERP system on AWS with an SAP HANA database on an EC2 instance. The database is configured with multiple EBS io1 volumes striped in a RAID 0. Recently, the company implemented a new backup process using AWS Backup with the Backint agent. However, during the backup window, the database performance degrades significantly, causing application timeouts. The database administrator checks CloudWatch metrics and sees that the EBS write latency spikes to over 50 ms during backups. The backup target is an S3 bucket in the same region. The EC2 instance type is r5.4xlarge with EBS-optimized enabled. What is the MOST likely cause of the performance degradation?

A.The Backint agent is consuming CPU and I/O resources, causing contention.
B.The EBS volumes have reached the provisioned IOPS limit of 20,000 IOPS.
C.The S3 bucket is in a different region, causing network latency.
D.The EC2 instance type does not match the requirements for Backint.
AnswerA

Backint runs on the HANA host and uses resources, impacting performance.

Why this answer

Option A is correct because Backint backups can consume significant CPU and I/O, impacting database performance. Option B (EBS volume limit) is unlikely with RAID 0. Option D (matching instance type) is not needed. Option C (S3 performance) is not the bottleneck.

590
Multi-Selectmedium

A company is migrating a legacy application to AWS. The application currently uses Oracle Database and the company wants to migrate to Amazon Aurora PostgreSQL with minimal downtime. Which TWO steps should be taken to achieve this? (Choose TWO)

Select 2 answers
A.Use the AWS Schema Conversion Tool (SCT) to convert the Oracle schema to PostgreSQL.
B.Rehost the Oracle database on an Amazon EC2 instance to minimize changes.
C.Configure Amazon Aurora PostgreSQL with Multi-AZ for high availability.
D.Use AWS Database Migration Service (DMS) with ongoing replication (change data capture).
E.Export Oracle database as dump files and import into Aurora PostgreSQL using native tools.
AnswersA, D

SCT automates the conversion of Oracle schema objects to PostgreSQL-compatible format.

Why this answer

Option A is correct because the AWS Schema Conversion Tool (SCT) can automatically convert Oracle database schemas (including stored procedures, views, and data types) to a PostgreSQL-compatible format, which is essential when migrating to Amazon Aurora PostgreSQL. Option D is correct because AWS DMS with ongoing replication (change data capture) allows you to keep the source Oracle database and target Aurora PostgreSQL synchronized with minimal downtime, enabling a near-zero-downtime migration by capturing and applying incremental changes.

Exam trap

The trap here is that candidates often confuse 'migration steps' with 'post-migration configuration' (like Multi-AZ) or assume that a simple dump-and-load approach (Option E) can achieve minimal downtime, when in fact it requires a full outage, whereas DMS with CDC is the correct AWS-native approach for near-zero-downtime migrations.

591
Multi-Selecteasy

Which TWO AWS services can be used to monitor the performance of an SAP HANA database running on an EC2 instance? (Choose TWO.)

Select 2 answers
A.AWS Trusted Advisor
B.AWS CloudTrail
C.AWS Config
D.AWS Systems Manager
E.Amazon CloudWatch
AnswersD, E

Systems Manager can run inventory and scripts to monitor HANA performance.

Why this answer

Amazon CloudWatch can monitor EC2 metrics like CPU and memory (with agent). AWS Systems Manager can run scripts to collect HANA-specific metrics. CloudTrail is for API auditing.

Trusted Advisor is for best practices. Config tracks configuration. CloudWatch and Systems Manager are valid monitoring tools.

592
MCQmedium

An SAP administrator is creating an IAM policy for an EC2 instance that performs SAP database backups to S3 and creates EBS snapshots. The policy as shown fails to allow the EC2 instance to perform backup operations. What is the most likely reason?

A.The S3 resource ARN is incorrect; it should be 'arn:aws:s3:::sap-backup-bucket' without the '/*'.
B.The S3 actions are too permissive; they should be restricted to specific prefixes.
C.The ec2:CreateSnapshot action must be restricted to specific volume ARNs.
D.The policy does not include the 's3:ListBucket' action for the bucket itself.
AnswerD

Without 's3:ListBucket' on the bucket resource, the instance cannot list objects or verify bucket existence, causing failures.

Why this answer

Option D is correct because the policy lacks the `s3:ListBucket` action for the bucket itself (ARN without `/*`). When an EC2 instance performs SAP database backups to S3, the AWS SDK or CLI first issues a `ListBucket` request to verify the bucket exists and to list objects before uploading. Without this permission, the backup operation fails at the initial listing step, even if `s3:PutObject` is allowed on the object ARN.

Exam trap

The trap here is that candidates focus on the EC2 snapshot permissions or S3 object ARN syntax, overlooking the prerequisite `s3:ListBucket` action required for any S3 upload workflow.

How to eliminate wrong answers

Option A is wrong because the S3 resource ARN `arn:aws:s3:::sap-backup-bucket/*` is correct for object-level actions like `s3:PutObject`; removing the `/*` would restrict access to the bucket itself, which is needed for `s3:ListBucket` but not for `s3:PutObject`. Option B is wrong because the S3 actions being too permissive is not the cause of failure; the issue is a missing action, not excessive permissions. Option C is wrong because `ec2:CreateSnapshot` does not require restriction to specific volume ARNs for the policy to work; the failure is due to missing S3 permissions, not EC2 snapshot permissions.

593
Multi-Selecteasy

A company is planning to migrate its SAP NetWeaver system from on-premises to AWS. The system uses an SAP HANA database. The company wants to use the SAP System Migration (sum) tool. Which THREE prerequisites must be met before starting the migration?

Select 3 answers
A.The target SAP HANA database must be installed and running.
B.The target system must have the SAP kernel installed and appropriate libraries.
C.An HTTP proxy must be configured for communication between source and target.
D.The source and target systems must be on the same operating system (e.g., both Linux).
E.The source SAP system must be fully shut down before starting the migration.
AnswersA, B, D

Target DB must be operational.

Why this answer

Options A, B, and D are correct. The SAP System Migration tool (SWPM) requires source and target systems to have the same operating system (D), the target OS must have the required kernel libraries (B), and the target system must have a running HANA database (A). Option C is not a prerequisite; the migration can be done without a proxy. Option E is not required; the source DB can be shut down during migration.

594
MCQeasy

A company is migrating an SAP system to AWS and needs to ensure that the target EC2 instances have the correct SAP kernel parameters. Which AWS service can be used to automate the configuration of these parameters?

A.EC2 User Data scripts
B.AWS OpsWorks
C.AWS CloudFormation
D.AWS Systems Manager State Manager
AnswerD

State Manager can enforce configurations continuously.

Why this answer

Option D is correct because AWS Systems Manager can use State Manager to enforce configurations, including kernel parameters. Option A is wrong because EC2 User Data runs once at launch. Option C is wrong because CloudFormation can provision resources but not easily configure kernel parameters. Option B is wrong because OpsWorks is a configuration management service but not the best fit for this task.

595
MCQeasy

An SAP administrator needs to provide temporary, time-limited access to an S3 bucket containing SAP backup files for an external auditor. The auditor should be able to download files from the bucket. Which method provides the most secure way to grant access?

A.Create an IAM user with read-only access to the bucket and share the credentials with the auditor.
B.Provide the auditor with the root user credentials of the AWS account.
C.Make the bucket publicly readable and share the bucket URL.
D.Generate a presigned URL for each file the auditor needs to download.
AnswerD

Presigned URLs are time-limited and scoped to specific objects.

Why this answer

Option D is correct: Generate a presigned URL that provides temporary access to a specific object. It is secure because permissions are time-limited and scoped to a single object. Option A is wrong: Creating an IAM user for the auditor is not time-limited and requires managing credentials. Option C is wrong: Making the bucket public is insecure. Option B is wrong: Sharing AWS credentials is a security risk.

596
MCQhard

An organization uses AWS Systems Manager to run automation documents on their SAP EC2 instances. Recently, some automation runbooks have failed because the EC2 instances did not have the required SSM Agent version. The operations team wants to ensure all existing and future instances automatically have the latest SSM Agent. Which solution meets this requirement?

A.Use an automation document to update the SSM Agent and schedule it via a cron job on each instance.
B.Enable the 'Auto-update SSM Agent' option in the EC2 launch settings for all instances.
C.Configure AWS Systems Manager Patch Manager to update the SSM Agent.
D.Create an AWS Systems Manager State Manager association that runs the AWS-UpdateSSMAgent document on the instances.
AnswerD

State Manager ensures compliance and automatic updates.

Why this answer

Option D is correct because the AWS-UpdateSSMAgent document can be used as a step in State Manager associations to update the agent on targeted instances. Option A is incorrect because running the document manually does not provide automation. Option B is incorrect because the SSM Agent is automatically updated by default only for new instances in certain regions, but not guaranteed. Option C is incorrect because patching is for OS updates, not SSM Agent.

597
MCQhard

An IAM policy is attached to an IAM role used by an SAP system to perform backups. The policy is shown above. The SAP system can successfully list EC2 instances but fails to start or stop them. What is the most likely cause?

A.The S3 bucket permissions are missing; the backup process requires S3 access first.
B.The policy does not include the ec2:DescribeInstanceStatus action.
C.The EC2 instances are in a different AWS account, and cross-account access is not configured.
D.The IAM policy is attached to the role, but the role is not associated with an instance profile.
AnswerC

The policy allows actions on resources in the current account, but not cross-account.

Why this answer

The keyed answer is Option C: the EC2 instances are in a different AWS account, and cross-account access is not configured. The policy lists ec2:StartInstances and ec2:StopInstances with "Resource": "*" and no condition, which covers all resources, so the start and stop calls should work. If the instances are in a different account, however, the policy would not help. The stem does not mention cross-account access, so Option C is chosen as the most plausible remaining cause and because it is a common mistake.

Option A is wrong because the S3 part of the policy is separate from the EC2 actions. Option B is plausible but unlikely, because the policy already allows DescribeInstances. Option D is wrong because the policy can be attached to the role directly. A missing trust policy is also set aside because the stem says the role is used by the SAP system.

598
MCQhard

An operations engineer runs the AWS CLI command above to check the state of an EC2 instance. The output shows the instance is running. However, the SAP application cannot connect to the instance. The security group allows inbound traffic on port 443 from the application's IP. What is the most likely cause of the connectivity issue?

A.The network ACL for the subnet does not allow outbound traffic
B.The instance is in a stopped state
C.The instance is not passing its status checks
D.The security group is not associated with the instance
AnswerA

Network ACLs are stateless; if outbound rules are missing, return traffic is blocked.

Why this answer

The instance is running, so the issue is likely network configuration. A network ACL is stateless and must allow both inbound and outbound traffic. If the outbound rule denies traffic, responses are blocked.

Security groups are stateful. The instance state is running, so it is not stopped or terminated. The command only checks state, not health checks.

599
MCQeasy

Which AWS service is used to automate the installation and configuration of SAP applications on AWS according to best practices?

A.AWS OpsWorks
B.AWS Launch Wizard for SAP
C.AWS CloudFormation
D.AWS Quick Starts
AnswerB

Launch Wizard provides guided, best-practice deployment for SAP.

Why this answer

AWS Launch Wizard for SAP is the correct service because it provides a guided, best-practice-based deployment experience specifically for SAP applications. It automatically provisions the necessary AWS infrastructure (EC2, EBS, VPC, etc.) and configures the SAP software according to AWS and SAP validated architectures, reducing manual effort and errors.

Exam trap

The trap here is that candidates confuse AWS Launch Wizard for SAP with AWS CloudFormation or Quick Starts, assuming any automation tool can handle SAP installation, but only Launch Wizard integrates the SAP-specific software installation and best-practice validation directly into the provisioning workflow.

How to eliminate wrong answers

Option A is wrong because AWS OpsWorks is a configuration management service that uses Chef and Puppet, but it is not purpose-built for SAP deployment and does not include SAP-specific best practices or automated SAP installation workflows. Option C is wrong because AWS CloudFormation is a general-purpose Infrastructure as Code (IaC) service that requires users to manually define all resources and SAP-specific configurations; it lacks the guided, automated SAP installation and validation logic that Launch Wizard provides. Option D is wrong because AWS Quick Starts are reference deployments that use CloudFormation templates, but they are not dynamically interactive or tailored to individual SAP system requirements (like SID, sizing, or HA) and do not automate the actual SAP software installation step.

600
MCQeasy

An SAP system administrator needs to ensure that all API calls made to AWS services by the SAP system are logged for security auditing. Which AWS service should be enabled?

A.AWS Config
B.Amazon CloudWatch
C.VPC Flow Logs
D.AWS CloudTrail
AnswerD

CloudTrail records API activity for auditing.

Why this answer

Option D is correct because CloudTrail logs all API calls. Option B is wrong because CloudWatch monitors performance. Option C is wrong because VPC Flow Logs capture network traffic, not API calls. Option A is wrong because Config tracks configuration changes.
