CCNA SAP Operations Questions

75 of 491 questions · Page 1/7 · SAP Operations topic · Answers revealed

1
MCQ · easy

A company needs to monitor the CPU utilization of SAP EC2 instances and send an alert if it exceeds 90% for 5 consecutive minutes. Which AWS service should be used?

A. AWS Config
B. Amazon CloudWatch Alarms
C. AWS Trusted Advisor
D. AWS CloudTrail
Answer: B

CloudWatch Alarms can monitor CPU and trigger alerts.

Why this answer

Option C is correct because CloudWatch Alarms monitor metrics and trigger actions. Option A (CloudTrail) is for API auditing. Option B (Config) is for configuration compliance.

Option D (Trusted Advisor) provides best-practice checks.

2
MCQ · hard

An SAP system is experiencing slow performance. The SAP team suspects a memory bottleneck in the HANA database. The database runs on an r5.24xlarge instance with 768 GB RAM. CloudWatch metrics show the HANA memory usage is consistently above 90%. Which action should be taken first?

A. Reduce the number of HANA services.
B. Upgrade the instance to a larger memory-optimized type.
C. Increase the HANA memory allocation parameter in the global.ini file.
D. Increase the swap space on the instance.
Answer: C

Adjusting the memory allocation can reduce pressure without changing instance type.

Why this answer

Option A is correct because increasing the HANA memory allocation dynamically can address the immediate bottleneck. Option B is wrong because scaling up is a later step. Option C is wrong because increasing swap is a workaround, not a solution.

Option D is wrong because it would reduce available memory.

3
MCQ · medium

Refer to the exhibit. An SAP administrator has created this IAM policy for a backup user. The user can list and download backups but cannot delete them. However, the user is unable to list the objects in the bucket. What is the most likely cause?

A. The IAM policy does not include s3:ListBucket for the bucket.
B. There is an additional bucket policy that denies s3:ListBucket to this user.
C. The user needs s3:GetObjectVersion permission to list objects.
D. The Deny statement also denies s3:ListBucket because of the wildcard resource.
Answer: B

A bucket policy might be overriding the IAM policy.

Why this answer

Option C is correct because the Deny statement for s3:DeleteObject uses a condition that might not be evaluated correctly, but more importantly, the Deny statement does not affect ListBucket. The user has ListBucket permission, so the issue must be a bucket policy that denies list access. Option A is wrong because the Deny on DeleteObject does not affect list.

Option B is wrong because GetObject is allowed. Option D is wrong because the policy allows ListBucket.

4
MCQ · medium

A company runs SAP HANA on AWS and uses AWS Systems Manager to automate patching of the operating system. After a recent patching cycle, the SAP HANA database failed to start. The administrator checked the logs and found that the HANA service was not starting due to a missing library dependency. What should the administrator do to prevent this issue in future patching cycles?

A. Use AWS Systems Manager Patch Manager to apply patches but exclude the library in question
B. Test patches in a non-production environment and create a new AMI after successful validation
C. Create a script to reinstall the missing library after patching
D. Set up a maintenance window that stops HANA before patching and starts it after
Answer: B

Testing and creating a new AMI ensures the image is validated and includes all dependencies.

Why this answer

Creating a new AMI with all patches and HANA dependencies ensures that instances launched from that AMI are consistent. Option D is correct.

5
MCQ · hard

A company is running SAP on AWS and wants to ensure high availability for the SAP Central Services (ASCS) instance. They have set up a cluster using Amazon Route 53 with health checks. During a failover test, the ASCS instance fails but the DNS record does not update immediately. What is the most likely cause?

A. The TTL on the DNS record is set too high
B. The health check is not configured to check the ASCS service port
C. The Route 53 record is using simple routing instead of failover
D. The Route 53 record set is not updatable
Answer: A

High TTL causes clients to cache old IPs, delaying failover.

Why this answer

Option C is correct because the TTL (Time to Live) on the Route 53 record determines how long clients cache the DNS response. A high TTL delays failover. Option A is wrong because health checks are separate from TTL.

Option B is wrong because the failover routing policy works with health checks. Option D is wrong because Route 53 record sets can be updated.

6
MCQ · hard

An organization runs SAP ERP on a single EC2 instance with a separate RDS for Oracle database. The Operations team needs to patch the operating system of the EC2 instance without causing downtime for the SAP application. What is the most effective approach?

A. Create an AMI of the instance, launch a new instance from the AMI, and patch it.
B. Use an Auto Scaling group with a launch template that references a patched AMI, and perform a rolling update.
C. Apply patches using AWS Systems Manager Patch Manager during a maintenance window.
D. Use AWS Systems Manager to run a script that patches the OS without rebooting.
Answer: B

Rolling updates replace instances gradually, minimizing downtime.

Why this answer

Option D is correct because using an Auto Scaling group with a launch template that includes the updated AMI allows for rolling updates with minimal downtime. Option A is wrong because patching a running instance requires a reboot, causing downtime. Option B is wrong because Systems Manager Patch Manager also requires a reboot.

Option C is wrong because Snapshots are for data backup, not OS patching.

7
MCQ · hard

An SAP Basis administrator is troubleshooting a slow-running SAP HANA query. The administrator wants to identify which SQL statements are consuming the most CPU time in the HANA database. Which SAP HANA view or tool should they query?

A. M_ACTIVE_STATEMENTS
B. M_TABLES
C. M_LOAD_HISTORY
D. M_SERVICE_REPLICATION
Answer: A

Shows currently running statements with CPU time.

Why this answer

Option C is correct because the M_ACTIVE_STATEMENTS view shows currently executing statements with resource usage. Option A is wrong because M_SERVICE_REPLICATION is for replication status. Option B is wrong because M_TABLES shows table metadata.

Option D is wrong because M_LOAD_HISTORY shows load history.

8
Multi-Select · easy

Which TWO services can be used to centrally manage and enforce backup policies for SAP systems on AWS? (Choose TWO.)

Select 2 answers
A. Amazon Data Lifecycle Manager
B. AWS Backup
C. AWS CloudFormation
D. AWS Config
E. Amazon S3
Answers: A, B

DLM automates creation, retention, and deletion of EBS snapshots.

Why this answer

Amazon Data Lifecycle Manager (DLM) automates the creation, retention, and deletion of EBS snapshots and EBS-backed AMIs. For SAP systems, you can use DLM to enforce backup policies for the underlying EBS volumes (e.g., /usr/sap, /sapmnt, data volumes) by scheduling snapshots and applying retention rules. AWS Backup provides a centralized, policy-based backup service that supports SAP HANA databases (via Backint integration) and EC2 instances, enabling you to define backup plans, assign resources, and enforce compliance across your SAP landscape.

Exam trap

The trap here is that candidates often confuse AWS Config's compliance evaluation (which can detect missing backups) with actual backup policy enforcement, or they assume Amazon S3's storage capabilities include policy management, when in fact only DLM and AWS Backup provide the scheduling, retention, and enforcement mechanisms required for centralized backup management.

9
MCQ · medium

An operations team needs to ensure that all changes to AWS resources related to SAP systems are tracked and audited. Which AWS service should they use?

A. AWS CloudTrail
B. Amazon CloudWatch
C. AWS Config
D. AWS Trusted Advisor
Answer: A

CloudTrail logs all API activity for auditing.

Why this answer

Option A is correct because CloudTrail records API calls for auditing. Option B is wrong because Config tracks configuration changes, not API calls. Option C is wrong because CloudWatch is for monitoring.

Option D is wrong because Trusted Advisor is for best practices.

10
MCQ · hard

A company uses AWS Lambda functions with reserved concurrency to process messages from an SQS queue. The operations team notices that the Lambda function sometimes throttles, causing messages to remain in the queue. What is the MOST likely cause and solution?

A. The SQS visibility timeout is too short; increase it.
B. The Lambda function's dead-letter queue (DLQ) is not configured; set up a DLQ.
C. The SQS queue's redrive policy is too aggressive; reduce the maxReceiveCount.
D. The reserved concurrency is set too low; increase the reserved concurrency for the function.
Answer: D

Reserved concurrency limits concurrent executions, causing throttling when exceeded.

Why this answer

Option D is correct because Lambda throttling occurs when the reserved concurrency limit is reached, preventing the function from processing new invocations. Since the function uses reserved concurrency, setting it too low restricts the number of concurrent executions, causing SQS messages to remain in the queue until concurrency becomes available. Increasing the reserved concurrency allows more parallel invocations, reducing throttling and improving message processing throughput.

Exam trap

The trap here is that candidates often confuse throttling with message processing failures and incorrectly focus on DLQ or visibility timeout settings, rather than recognizing that reserved concurrency directly controls the maximum number of concurrent Lambda executions and is the primary cause of throttling when set too low.

How to eliminate wrong answers

Option A is wrong because the SQS visibility timeout controls how long a message is hidden after being polled, not the cause of Lambda throttling; a short visibility timeout would cause duplicate processing, not throttling. Option B is wrong because a dead-letter queue (DLQ) captures messages that fail processing after multiple retries, but it does not prevent throttling or address the root cause of messages staying in the queue due to concurrency limits. Option C is wrong because the redrive policy's maxReceiveCount determines how many times a message can be received before being sent to a DLQ, and reducing it would send messages to the DLQ sooner, not resolve throttling issues.

11
MCQ · medium

An SAP administrator needs to ensure that all EC2 instances in the SAP landscape have the correct patches and configurations. Which AWS service can be used to automate OS patch management?

A. AWS CloudFormation
B. AWS Systems Manager Patch Manager
C. AWS OpsWorks
D. AWS Config
Answer: B

Automates OS patching.

Why this answer

Option D is correct because AWS Systems Manager Patch Manager automates patching. Option A is wrong because OpsWorks is for Chef/Puppet. Option B is wrong because CloudFormation is for infrastructure.

Option C is wrong because Config is for compliance.

12
MCQ · easy

An SAP administrator needs to ensure that all API calls made to AWS services are logged for auditing purposes. Which AWS service should be enabled?

A. AWS Config
B. AWS CloudTrail
C. Amazon CloudWatch Logs
D. VPC Flow Logs
Answer: B

CloudTrail provides a record of API activity.

Why this answer

Option A is correct. AWS CloudTrail records API calls. Option B is incorrect because CloudWatch Logs is for log data.

Option C is incorrect because Config is for configuration changes. Option D is incorrect because VPC Flow Logs capture network traffic.

13
MCQ · medium

A company is running SAP ERP on AWS and uses SAP HANA as the database. The system administrator needs to apply an OS patch that requires a reboot. The SAP HANA database is running in a scale-out configuration across multiple EC2 instances. What is the best approach to minimize downtime?

A. Perform a rolling reboot of the HANA nodes, rebooting one node at a time.
B. Take EBS snapshots of all volumes before patching, then patch one by one.
C. Create an AMI of the master node and launch a new instance with the patch applied.
D. Stop all EC2 instances, apply the patch, and start them in sequence.
Answer: A

HANA scale-out allows rolling maintenance without full downtime.

Why this answer

Option C is correct because HANA scale-out supports rolling updates; rebooting one node at a time allows the database to remain operational. Option A is wrong because stopping all instances causes full downtime. Option B is wrong because taking EBS snapshots does not help with patching.

Option D is wrong because creating an AMI is unnecessary and still requires downtime for the master.

14
Multi-Select · hard

A company is running SAP on AWS and uses an Application Load Balancer (ALB) to distribute traffic to SAP Web Dispatchers. The operations team notices that some requests are failing with 502 errors. Which THREE actions should be taken to troubleshoot the issue?

Select 3 answers
A. Disable cross-zone load balancing to isolate the issue.
B. Increase the idle timeout setting on the ALB.
C. Review the ALB access logs to identify the target response codes.
D. Verify the security group rules for the ALB and the target instances.
E. Check the health check configuration and target group health status.
Answers: C, D, E

Access logs provide detailed information about the requests and responses.

Why this answer

Option A is correct because checking health checks can reveal if targets are unhealthy. Option C is correct because reviewing ALB access logs can show the response codes and target details. Option E is correct because checking security group rules ensures the ALB can communicate with the targets.

Option B is incorrect because increasing idle timeout is not a direct fix for 502 errors. Option D is incorrect because disabling cross-zone load balancing does not affect 502 errors.

15
MCQ · medium

A company uses AWS Systems Manager Patch Manager to patch a fleet of EC2 instances. After a recent patching operation, some instances failed with the error 'Unable to retrieve patch baseline'. The instances are in a private subnet with a VPC endpoint for SSM. What is the MOST likely cause?

A. The VPC endpoint for SSM does not have a security group that allows HTTPS outbound to the endpoint
B. The CodeDeploy agent on the instances is outdated
C. The instances are not registered as managed instances with the SSM ManagedInstance role
D. The instances do not have an IAM instance profile attached
Answer: A

Missing outbound HTTPS from the instance to the SSM endpoint prevents communication.

Why this answer

The error 'Unable to retrieve patch baseline' indicates that the EC2 instances cannot communicate with the AWS Systems Manager service to fetch the patch baseline configuration. Since the instances are in a private subnet with a VPC endpoint for SSM, the most likely cause is that the VPC endpoint's security group does not allow HTTPS outbound traffic (port 443) to the endpoint itself. Without this outbound rule, the SSM Agent on the instance cannot establish the TLS connection required to retrieve the patch baseline from the SSM API.

Exam trap

The trap here is that candidates often assume the error is due to missing IAM permissions (Option D) or instance registration (Option C), but the specific error message 'Unable to retrieve patch baseline' is a network connectivity error, not an authorization error, and the VPC endpoint security group misconfiguration is the classic cause in private subnet scenarios.

How to eliminate wrong answers

Option B is wrong because the CodeDeploy agent is unrelated to Systems Manager Patch Manager; the error is specific to SSM communication, not CodeDeploy. Option C is wrong because the 'SSM ManagedInstance role' is not a valid AWS concept; instances use an IAM instance profile with the AmazonSSMManagedInstanceCore policy to register as managed instances, and the error message points to a network connectivity issue, not registration. Option D is wrong because while an IAM instance profile is required for SSM operations, the error 'Unable to retrieve patch baseline' is a network-level error, not an authorization error (which would typically return 'AccessDenied' or similar).

16
Multi-Select · easy

Which TWO AWS services can be used to monitor the health of SAP application servers? (Choose 2)

Select 2 answers
A. Amazon Route 53
B. Amazon S3
C. AWS CloudTrail
D. Amazon CloudWatch
E. AWS Systems Manager
Answers: D, E

Monitors EC2 metrics and logs.

Why this answer

Options B and C are correct. CloudWatch can monitor EC2 CPU/memory metrics, and Systems Manager can run custom scripts for health checks. Option A (CloudTrail) is for API auditing.

Option D (Route 53) is for DNS health checks but not application-level. Option E (S3) is storage.

17
MCQ · medium

An SAP system is deployed on EC2 instances with EBS volumes. The operations team needs to implement a backup strategy that provides point-in-time recovery for the EBS volumes with minimal downtime. Which AWS service should they use?

A. AWS Storage Gateway
B. AWS Backup
C. Amazon EBS Snapshots
D. Amazon S3
Answer: C

EBS Snapshots are designed for point-in-time backup of EBS volumes.

Why this answer

Option A is correct because EBS Snapshots provide point-in-time backups and can be taken while the volume is attached and in use (with some performance impact). Option B is wrong because AWS Backup can orchestrate snapshots but is not the service that directly creates them. Option C is wrong because S3 is object storage, not for EBS backups.

Option D is wrong because Storage Gateway is for hybrid storage, not for backing up EBS volumes.

18
MCQ · hard

An SAP system running on AWS is experiencing intermittent connectivity issues between the application server and the database server. Both servers are in the same VPC but different subnets. The security groups and network ACLs are correctly configured. Which AWS service can help diagnose the network path and identify packet loss?

A. AWS Direct Connect
B. VPC Flow Logs
C. AWS CloudTrail
D. AWS Site-to-Site VPN
Answer: B

VPC Flow Logs capture network traffic information for analysis.

Why this answer

VPC Flow Logs capture IP traffic metadata and can be analyzed to detect packet loss or rejected connections. Option D is correct. Option A is wrong because CloudTrail logs API calls.

Option B is wrong because Direct Connect is for on-premises connectivity. Option C is wrong because VPN is also for external connectivity.

19
MCQ · medium

A company runs SAP HANA on AWS using a single EC2 instance with EBS volumes. The system experiences performance degradation during peak hours. Which approach would provide the MOST immediate improvement in disk I/O performance without downtime?

A. Add additional EBS volumes and configure RAID 0 across them.
B. Migrate the EC2 instance to a larger instance type.
C. Modify the EBS volume type and IOPS using Elastic Volumes.
D. Create a new EBS volume with higher performance and copy data using rsync.
Answer: C

Elastic Volumes allow online modification of volume type and IOPS without downtime.

Why this answer

Option B is correct because EBS elastic volumes allow modifying volume type (e.g., to gp3 or io2) and IOPS without detaching the volume or stopping the instance. Option A is wrong because migrating to a larger instance type may improve CPU but not necessarily disk I/O immediately. Option C is wrong because creating a new volume and migrating data requires downtime.

Option D is wrong because adding more volumes with RAID0 requires reconfiguration and possible downtime.

20
Multi-Select · easy

An SAP administrator is setting up monitoring for an SAP HANA database. Which TWO metrics should be monitored from the HANA database using Amazon CloudWatch?

Select 2 answers
A. CPU utilization of the HANA process
B. SAPS (SAP Application Performance Standard)
C. EBS volume queue length
D. Network packet loss
E. Memory usage (used memory / total memory)
Answers: A, E

CPU utilization directly affects query performance.

Why this answer

Options A and D are correct because memory usage and CPU usage are critical for HANA performance. Option B is wrong because EBS volume metrics are not HANA-specific. Option C is wrong because SAPS is not a standard CloudWatch metric.

Option E is wrong because network packet loss is not a standard HANA metric.

21
Multi-Select · easy

A company is planning to run SAP HANA on AWS. Which three are best practices for configuring the EC2 instance for SAP HANA? (Choose THREE.)

Select 3 answers
A. Enable CPU hyper-threading
B. Use burstable instance types (T2/T3)
C. Use EBS-optimized instances
D. Allocate swap space on the instance
E. Use placement groups for HANA instances
Answers: A, C, E

Hyper-threading is recommended for HANA.

Why this answer

Option A (Enable CPU hyper-threading) is correct for HANA performance. Option C (Use EBS-optimized instances) is correct for storage performance. Option D (Use placement groups) is correct for high network throughput.

Option B is wrong because swap space is not recommended for HANA. Option E is wrong because T2/T3 instances are burstable and not suitable for production HANA.

22
Multi-Select · hard

An SAP system on AWS is experiencing high latency. Which THREE metrics should be examined in Amazon CloudWatch to diagnose the issue?

Select 3 answers
A. NetworkIn/NetworkOut
B. DiskReadBytes
C. StatusCheckFailed
D. CPUUtilization
E. EBS VolumeQueueLength
Answers: A, D, E

Network metrics can reveal congestion.

Why this answer

Options A, C, and E are correct. A (CPUUtilization) can indicate CPU bottleneck. C (NetworkIn/NetworkOut) shows network throughput.

E (EBS VolumeQueueLength) indicates storage I/O wait. B (StatusCheckFailed) is for instance health, not latency. D (DiskReadBytes) alone is less informative without queue length.

23
MCQ · easy

An operations team needs to monitor the disk space usage of SAP application servers running on EC2. Which combination of AWS services should they use?

A. Amazon CloudWatch and AWS CloudTrail
B. Amazon CloudWatch agent and Amazon CloudWatch alarms
C. AWS Lambda and Amazon DynamoDB
D. Amazon S3 and Amazon SNS
Answer: B

CloudWatch agent collects disk metrics, and alarms can notify when thresholds are exceeded.

Why this answer

Amazon CloudWatch agent is required to collect custom metrics like disk space usage from EC2 instances, as the standard CloudWatch metrics only cover CPU, memory, network, and disk I/O. By installing the agent and configuring it to report disk space metrics, you can then set CloudWatch alarms to trigger notifications when thresholds are breached, enabling proactive monitoring of SAP application servers.

Exam trap

The trap here is that candidates assume standard EC2 CloudWatch metrics include disk space usage, but they only include disk read/write operations (I/O), not percentage of disk space used, so the CloudWatch agent is mandatory for this specific monitoring requirement.

How to eliminate wrong answers

Option A is wrong because AWS CloudTrail records API activity and governance events, not system-level metrics like disk space usage; it cannot monitor disk space. Option C is wrong because AWS Lambda and Amazon DynamoDB are serverless compute and database services, not designed for collecting or alerting on EC2 disk metrics; they lack native agent-based metric collection. Option D is wrong because Amazon S3 is object storage and Amazon SNS is a notification service; while SNS can send alerts, S3 cannot collect or analyze disk space data from EC2 instances, and this combination omits the necessary metric collection agent.

24
MCQ · medium

An SAP administrator runs the CLI commands shown in the exhibit for a production EC2 instance. The output indicates that the instance is running but the system status is impaired. Which action should the administrator take to recover the instance?

A. Reboot the instance using the AWS console.
B. Restart the SAP application services.
C. Configure EC2 Auto Recovery and wait for recovery.
D. Stop and start the instance.
Answer: C

Auto Recovery handles hardware impairment automatically.

Why this answer

Option D is correct because EC2 Auto Recovery can automatically recover an instance when system status is impaired. Option A is wrong because the instance is already running. Option B is wrong because rebooting might not fix underlying hardware issues.

Option C is wrong because stopping and starting moves the instance to new hardware, which is similar to recovery, but EC2 Auto Recovery is the automated solution.

25
MCQ · hard

A company recently migrated SAP ERP to AWS. The SAP application logs indicate repeated 'ORA-1555 snapshot too old' errors in the Oracle database. Which AWS-specific parameter could be causing this?

A. Enhanced Networking is disabled
B. Incorrect Oracle DB parameter settings
C. EBS snapshot schedule is too frequent
D. EBS volume queue depth is too low causing I/O throttling
Answer: D

Low queue depth leads to I/O bottlenecks and rollback segments issues.

Why this answer

Option C is correct because EBS volume queue depth can cause I/O delays leading to transaction rollback. Option A is wrong as snapshot creation does not affect live database. Option B is wrong as DB parameter groups don't cause this error directly.

Option D is wrong as Enhanced Networking is for network, not storage.

26
Multi-Select · medium

An SAP system administrator is troubleshooting a failed HANA database backup to Amazon S3. The backup job returns an error: 'Access Denied'. Which TWO actions should the administrator take to resolve the issue?

Select 2 answers
A. Review the S3 bucket policy for any deny statements that may block the backup.
B. Enable S3 Transfer Acceleration on the bucket.
C. Check the IAM role attached to the EC2 instance for S3 permissions.
D. Verify that the S3 bucket's KMS key is enabled.
E. Set up a VPC endpoint for S3.
Answers: A, C

Bucket policies can explicitly deny access to certain principals.

Why this answer

Options B and D are correct because ensuring correct IAM permissions and bucket policies are common causes of access denied errors. Option A is wrong because KMS key might be separate but not the direct issue. Option C is wrong because S3 Transfer Acceleration is for speed, not access.

Option E is wrong because VPC endpoint is not required if using public S3.

27
Multi-Select · easy

Which TWO AWS services can be used to automate the deployment of SAP infrastructure using infrastructure as code? (Choose 2)

Select 2 answers
A. AWS Service Catalog
B. AWS CloudFormation
C. AWS OpsWorks
D. AWS CodeDeploy
E. AWS Elastic Beanstalk
Answers: B, E

CloudFormation provisions AWS resources using templates.

Why this answer

Options A and C are correct. AWS CloudFormation allows defining infrastructure in templates; AWS Elastic Beanstalk can deploy and manage applications but is less commonly used for SAP. Option B is wrong because OpsWorks is for Chef/Puppet, not typical for SAP.

Option D is wrong because CodeDeploy deploys applications, not infrastructure. Option E is wrong because Service Catalog creates a catalog of products, not direct deployment.

28
MCQ · hard

A company runs SAP HANA on AWS using a multi-node scale-out configuration. During a routine maintenance window, the administrator needs to apply a HANA database software update. What is the BEST practice to minimize downtime?

A. Perform a rolling update by updating one node at a time while keeping the system operational.
B. Use HANA System Replication to fail over to a standby system, then update the primary.
C. Stop all HANA services, apply the update to all nodes, then restart.
D. Create a new HANA cluster with the updated version and migrate data.
Answer: A

Rolling updates minimize downtime by keeping most nodes active.

Why this answer

Option C is correct because HANA scale-out supports rolling updates, allowing nodes to be updated one by one with minimal downtime. Option A is wrong because stopping all services causes full downtime. Option B is wrong because using HSR failover is complex and may cause data inconsistency if not properly managed.

Option D is wrong because creating a new cluster and migrating is not efficient for a minor update.

29
MCQ · hard

A company is deploying SAP S/4HANA on AWS and needs to ensure high availability for the central services (ASCS and ERS). The architecture uses two EC2 instances in different Availability Zones with a shared file system using Amazon EFS for /sapmnt. The SAP system is configured with an enqueue replication server. The operations team needs to automate the failover of the ASCS instance in case of a failure. The team is considering using AWS services for this purpose. Which approach should the team use?

A. Use Amazon Route 53 with health checks and a custom script to update DNS record on failover.
B. Use an Application Load Balancer with a target group containing both ASCS instances.
C. Use an Auto Scaling group with a minimum of 2 instances and a lifecycle hook to handle failover.
D. Enable EC2 Auto Recovery to automatically recover the ASCS instance on new hardware.
Answer: A

DNS-based failover can redirect clients to the secondary ASCS instance.

Why this answer

Using AWS Route 53 health checks to monitor the ASCS instance and a custom script to update DNS records on failover provides a simple and effective HA solution. Option D is correct. Option A is wrong because ALB cannot direct traffic to a single SAP instance for ASCS.

Option B is wrong because Auto Scaling is for scaling out, not HA for stateful services. Option C is wrong because EC2 Auto Recovery recovers the instance but does not handle failover to another AZ.

30
MCQ · hard

An SAP HANA database on AWS experiences a failover from the primary to the secondary node. After the failover, the secondary node (now primary) is running on a different AZ. The SAP application cannot connect to the new primary. What is the MOST likely cause?

A. HANA system replication is not configured correctly.
B. The security group for the new primary does not allow inbound traffic from the app.
C. The EBS volumes are not attached to the new primary.
D. The application connection string points to the old primary's IP address.
Answer: D

After failover, the new primary has a different private IP; the app must use a virtual IP or DNS that updates.

Why this answer

Option B is correct because the SAP application likely uses the private IP of the old primary; after failover, the new primary has a different IP. Option A is wrong because HANA replication is independent of DNS. Option C is wrong because security groups are not AZ-specific.

Option D is wrong because storage type does not affect connectivity.

31
MCQ · medium

A company is running SAP ERP on AWS and wants to set up a disaster recovery (DR) strategy using AWS Regions. The DR site must have a copy of the SAP application and database data. Which solution provides the fastest recovery time objective (RTO) with the lowest data loss?

A. Use an EC2 instance with SAP HANA system replication across regions.
B. Take daily snapshots of the database and copy them to the DR region. Restore from snapshots during a disaster.
C. Use an RDS Multi-AZ DB cluster with a cross-region read replica.
D. Use AWS Database Migration Service (DMS) to continuously replicate changes to a database in the DR region.
Answer: C

Cross-region read replicas provide asynchronous replication with minimal data loss and allow fast promotion to primary during disaster.

Why this answer

Multi-AZ DB cluster provides synchronous replication and automatic failover, but it is within a single region. For cross-region DR, using a standby DB instance in another region with Amazon RDS for SAP ASE cross-region read replicas provides near-synchronous replication and fast failover.

32
MCQeasy

An SAP system administrator wants to automate the patching of SAP HANA database instances running on EC2. Which AWS service can schedule and execute patching workflows with approval gates?

A.AWS Systems Manager Maintenance Windows
B.AWS Config
C.AWS CloudFormation
D.Amazon CloudWatch Events
AnswerA

Maintenance Windows can schedule patching with approval gates.

Why this answer

Option A is correct because AWS Systems Manager Maintenance Windows allow scheduling of patching with optional approval workflows. Option B is wrong because AWS Config is for compliance, not patching. Option D is wrong because CloudWatch Events can trigger actions but lacks built-in approval gates.

Option C is wrong because CloudFormation is for infrastructure provisioning, not patching.

33
MCQhard

A company runs SAP on AWS and uses a Multi-AZ RDS for SAP HANA database. The database fails over unexpectedly, causing application downtime. The operations team wants to analyze the cause of the failover. Which set of logs should be examined?

A.AWS CloudTrail logs and S3 access logs.
B.RDS events and DB instance logs.
C.CloudWatch Logs from the EC2 instance hosting the database.
D.VPC Flow Logs and Network Load Balancer logs.
AnswerB

RDS events and DB logs contain failover causes.

Why this answer

Option B is correct because RDS events and DB instance logs (error log, slow query log) provide information about failover causes. Option A is wrong because CloudTrail logs API calls, not database events. Option D is wrong because VPC Flow Logs are for network traffic.

Option C is wrong because CloudWatch Logs for the OS are not available for RDS.

34
MCQmedium

A company manages a multi-account AWS environment using AWS Organizations. The operations team needs to ensure that all accounts have CloudTrail enabled and that logs are delivered to a centralized S3 bucket. What is the MOST efficient way to enforce this configuration?

A.Configure CloudTrail in the management account with an S3 bucket policy that grants access to all member accounts.
B.Deploy an AWS CloudFormation StackSet with a template that enables CloudTrail and configures the S3 bucket in every account and region.
C.Create a custom script using AWS CLI to enable CloudTrail in each account and region.
D.Use AWS Service Catalog to publish a CloudTrail product and require each account to launch it.
AnswerB

StackSets provide centralized, consistent deployment and drift detection.

Why this answer

Option B is correct because AWS CloudFormation StackSets allow you to deploy a CloudTrail configuration template across multiple accounts and regions in a single, automated operation. This approach ensures consistent enforcement of the policy without manual intervention, leveraging the centralized management capabilities of AWS Organizations.

Exam trap

The trap here is that candidates often assume a single CloudTrail configuration in the management account with a shared S3 bucket is sufficient, but CloudTrail must be enabled independently in each account to capture its own API activity.

How to eliminate wrong answers

Option A is wrong because configuring CloudTrail in the management account only enables it for that account, not for member accounts; the S3 bucket policy alone does not enable CloudTrail in other accounts. Option C is wrong because a custom CLI script is less efficient, error-prone, and does not provide automated drift detection or centralized rollback compared to StackSets. Option D is wrong because AWS Service Catalog requires each account to manually launch the product, which does not enforce the configuration automatically across all accounts.

35
Multi-Selectmedium

Which TWO actions should be taken to improve the high availability of a single-instance SAP HANA database running on EC2? (Choose two.)

Select 2 answers
A.Set up HANA System Replication to a second EC2 instance in a different Availability Zone.
B.Enable Multi-AZ on the RDS instance.
C.Move the HANA data files to Amazon FSx for Lustre.
D.Increase the instance size to a larger type.
E.Configure automated EBS snapshots for the HANA data volumes.
AnswersA, E

HANA System Replication provides automatic failover across AZs.

Why this answer

Options A and E are correct. Option A creates a standby instance in another AZ using replication. Option E creates automated snapshots for point-in-time recovery.

Option D is wrong because increasing instance size does not improve availability. Option B is wrong because Multi-AZ RDS is for RDS, not EC2-based HANA. Option C is wrong because Amazon FSx does not replace the database.

36
MCQhard

An SAP Basis administrator notices that the SAP application server logs show repeated connection timeouts to the database. The database is running on an RDS for SAP HANA instance. The application server and database are in the same VPC but different subnets. The security groups allow inbound traffic from the application server's security group on port 3xx17. Network ACLs allow both inbound and outbound traffic on ephemeral ports. Despite this, connections fail intermittently. What is the most likely cause?

A.The RDS instance's DNS name resolves to a different IP address intermittently.
B.The network ACL is stateful and blocking return traffic.
C.The security group for the RDS instance does not allow inbound traffic on the HANA internal communication port (e.g., 3xx18).
D.The application server's subnet has a route table that points to a NAT gateway instead of the database subnet.
AnswerC

HANA requires multiple ports; missing one causes intermittent failures.

Why this answer

Option C is correct because RDS for SAP HANA uses a database port (e.g., 3xx17) but also requires an additional port for internal services. If the security group does not allow traffic on that additional port, connections may fail. Option B is incorrect because NACLs are stateless but properly configured.

Option A is incorrect because RDS does not typically have DNS-based routing issues. Option D is incorrect because the issue is not about route tables if the instances are within the same VPC.

37
Multi-Selectmedium

Which THREE factors should be considered when planning a recovery point objective (RPO) and recovery time objective (RTO) for an SAP system on AWS?

Select 3 answers
A.Storage type (EBS vs. instance store)
B.AWS Region and Availability Zone
C.EC2 instance type and size
D.Number of SAP users
E.Backup frequency and retention period
AnswersA, C, E

EBS volumes can be restored faster, affecting RTO.

Why this answer

RPO is determined by backup frequency and replication lag; RTO is affected by instance size and storage type; cross-region replication can help but RTO depends on failover time.

38
MCQmedium

A company runs SAP on AWS and needs to implement a disaster recovery (DR) strategy. The primary site is in us-east-1, and the DR site is in us-west-2. The database is SAP HANA. Which approach provides the lowest RPO?

A.SAP HANA system replication in asynchronous mode.
B.Database backups to S3 and cross-region replication of S3 bucket.
C.EBS snapshots replicated to the DR region using cross-region snapshot copy.
D.SAP HANA system replication in synchronous mode across regions.
AnswerD

Synchronous replication ensures data is committed at both sites, minimizing data loss.

Why this answer

Option D is correct because HANA system replication with synchronous mode provides near-zero RPO. Option A is wrong because asynchronous replication may have higher RPO. Option C is wrong because EBS snapshots have higher RPO.

Option B is wrong because restoring from S3 is slow and has higher RPO.

39
MCQmedium

A company runs SAP on AWS and has configured a cross-region DR strategy using Amazon EBS snapshots. The DR region is in us-west-2. After a region-wide outage, the administrator attempts to restore the snapshots but finds the latest snapshot is incomplete. What is the most likely cause?

A.The IAM role used for copying snapshots does not have permissions
B.The latest snapshot copy had not completed before the outage
C.The snapshots are encrypted with a KMS key that is not available in us-west-2
D.The snapshot ID used for recovery is not valid
AnswerB

Cross-region copy takes time; if outage occurs during copy, snapshot may be partial.

Why this answer

Option B is correct because cross-region snapshot copies are asynchronous and may fail if the source region becomes unavailable. Option A is wrong because IAM does not prevent copying. Option C is wrong because KMS keys can be used cross-region with proper configuration.

Option D is wrong because the snapshot ID would not become invalid.

40
MCQmedium

A company runs SAP HANA on AWS and wants to back up the database using Backint integration. Which AWS service is required to store the backups?

A.Amazon S3 Glacier
B.Amazon EBS
C.Amazon EFS
D.Amazon S3
AnswerD

Backint for SAP HANA on AWS sends backups to an S3 bucket.

Why this answer

Option D is correct because Backint for SAP HANA on AWS uses Amazon S3 as the backup target. Option B is wrong because EBS is for block storage, not Backint. Option A is wrong because Glacier is for archival, not direct Backint.

Option C is wrong because EFS is file storage, not supported by Backint.

41
MCQmedium

Refer to the exhibit. An SAP administrator uses the CloudFormation template snippet to create an application server. After deployment, the administrator cannot connect to the instance using AWS Systems Manager Session Manager. What is the most likely missing configuration?

A.The UserData script fails to install the SSM Agent
B.The instance does not have an IAM instance profile with Systems Manager permissions
C.The security group does not allow outbound traffic to the Systems Manager endpoint
D.The instance type does not support Systems Manager
AnswerB

An IAM role with AmazonSSMManagedInstanceCore policy is required for Session Manager.

Why this answer

Session Manager requires the SSM Agent and an IAM role with proper permissions. The template installs the agent via UserData, but it does not attach an IAM instance profile. Without the profile, the instance cannot authenticate to Systems Manager.

The security group allows HTTPS inbound, but that is for web traffic, not SSM. The instance type is fine.

42
MCQmedium

A company runs an SAP HANA database on an EC2 instance with a large EBS volume. The operations team receives alerts that the volume's burst balance has dropped to 10%. Which action should be taken to prevent performance degradation?

A.Change the volume type to io2 with provisioned IOPS.
B.Increase the volume size to increase the baseline IOPS.
C.Enable EBS optimization on the instance.
D.Convert the volume to gp3.
AnswerB

Increasing volume size raises baseline IOPS and improves burst balance replenishment.

Why this answer

Option B is correct because increasing the volume size increases the baseline IOPS and burst balance replenishment rate. Option D is wrong because gp3 volumes do not have burst balance. Option C is wrong because it does not address burst balance.

Option A is wrong because it does not affect burst balance.

43
MCQeasy

A company runs SAP on AWS and needs to ensure that all changes to the SAP system's underlying infrastructure are recorded and auditable. Which AWS service should be enabled to meet this requirement?

A.Amazon CloudWatch Logs
B.AWS CloudTrail
C.AWS Config
D.AWS Trusted Advisor
AnswerB

CloudTrail records all AWS API calls for audit purposes.

Why this answer

AWS CloudTrail records API calls for auditing. CloudWatch Logs is for log monitoring. Config tracks resource configuration changes.

Trusted Advisor provides best-practice checks. CloudTrail is the primary service for API activity auditing.

44
MCQmedium

An SAP system fails to send emails via SAPconnect using SMTP. The EC2 instance has a public IP and the security group allows outbound traffic on port 25. The SMTP server is an on-premises relay. What is the most likely reason for the failure?

A.The security group does not allow outbound traffic on port 25.
B.AWS blocks outbound traffic on port 25 by default for EC2 instances.
C.The EC2 instance does not have a public IP address associated.
D.The route table does not have a default route to an internet gateway.
AnswerB

AWS restricts port 25 outbound; you need to request removal or use a different port.

Why this answer

Option B is correct because AWS blocks outbound traffic on port 25 by default for EC2 instances to prevent spam. Option C is wrong because the instance has a public IP. Option A is wrong because the security group allows outbound traffic.

Option D is wrong because the route table does not affect outbound traffic to the internet if the instance has a public IP.

45
MCQmedium

An SAP system uses a Multi-AZ RDS for Oracle instance. During a recent failover, the application experienced a long outage because the SAP application server did not automatically reconnect to the new database endpoint. What is the most efficient way to resolve this issue?

A.Reduce the DNS TTL for the RDS endpoint and ensure the application re-resolves DNS on connection failure.
B.Reboot the application server after every failover.
C.Deploy an Application Load Balancer in front of the RDS instance.
D.Modify the application connection string to use the standby instance IP directly.
AnswerA

Low TTL and re-resolution enable fast failover recovery.

Why this answer

Option A is correct because the RDS endpoint remains the same after failover; the issue is DNS caching. Reducing the TTL ensures the application picks up the new IP quickly. Option B (rebooting) is disruptive and not a fix.

Option D (modifying the connection string) is not needed. Option C (using a load balancer) adds complexity and latency.

46
MCQhard

An SAP system uses a large Amazon RDS for Oracle instance. The operations team wants to minimize downtime during a major version upgrade. Which strategy should they use?

A.Take a snapshot of the database and restore it as a new instance with the upgraded version
B.Create a read replica, upgrade it, and then promote it to the primary
C.Modify the DB instance and apply the upgrade immediately
D.Use AWS Database Migration Service (DMS) to migrate to a new instance
AnswerB

Minimizes downtime by failing over to the upgraded replica.

Why this answer

Option B is correct because using a read replica allows you to upgrade the replica and then promote it, minimizing downtime. Option A (taking a snapshot and restoring) has downtime. Option C (modifying the DB instance) causes downtime.

Option D (using AWS DMS) requires complex setup and may introduce latency.

47
MCQeasy

A company runs an SAP HANA database on AWS. The operations team wants to automate the monitoring of HANA alert logs and send notifications when critical alerts occur. Which AWS service should they use to collect and analyze the logs?

A.AWS CloudTrail
B.Amazon S3 Event Notifications
C.AWS Lambda scheduled functions
D.Amazon CloudWatch Logs with metric filters and alarms
AnswerD

CloudWatch Logs can ingest and monitor log files, triggering alarms on specific patterns.

Why this answer

Amazon CloudWatch Logs can ingest HANA alert logs via the CloudWatch agent and trigger alarms based on metric filters. CloudTrail records API activity, not application logs. S3 Event Notifications do not analyze log content.

Lambda alone does not provide log collection.

48
MCQeasy

An SAP administrator wants to monitor the CPU utilization of an SAP application server running on an EC2 instance. Which AWS service should be used to set up an alarm when CPU utilization exceeds 90% for 5 minutes?

A.AWS CloudTrail
B.AWS Trusted Advisor
C.Amazon CloudWatch
D.AWS Config
AnswerC

CloudWatch Alarms can monitor metrics and trigger actions based on thresholds.

Why this answer

Option C is correct because CloudWatch Alarms can trigger based on metrics like CPUUtilization. Option A is wrong because CloudTrail tracks API calls, not metrics. Option D is wrong because Config records resource configuration changes.

Option B is wrong because Trusted Advisor provides best practice checks, not real-time monitoring.

49
MCQeasy

A company is running SAP on AWS and needs to automate OS-level patching for their SAP application servers. Which AWS service should they use to schedule and apply patches?

A.Amazon CloudWatch Events
B.AWS OpsWorks
C.AWS Systems Manager Patch Manager
D.Amazon EC2 Auto Scaling
AnswerC

Patch Manager automates OS patching across EC2 instances.

Why this answer

Option C is correct because AWS Systems Manager Patch Manager is designed for automated patching of EC2 instances. Option A is wrong because CloudWatch is for monitoring, not patching. Option B is wrong because OpsWorks is for configuration management but not primarily for patching.

Option D is wrong because EC2 Auto Scaling does not handle patching.

50
MCQeasy

An operations team receives an alert that an SAP application server EC2 instance is unreachable. The team checks the AWS Management Console and sees that the instance status check shows "Instance reachability check failed". What is the most likely cause?

A.The operating system on the instance is not responding.
B.The security group associated with the instance is blocking all traffic.
C.The EBS root volume is detached from the instance.
D.The instance was stopped by an Auto Scaling group.
AnswerA

Status checks test the health of the OS and instance.

Why this answer

Option A is correct. An instance reachability check failure typically indicates OS-level issues such as a crashed OS or kernel panic. Option B is wrong because security group issues would cause network connectivity failure but not necessarily a status check failure.

Option D is wrong because a stopped instance would show a different status. Option C is wrong because EBS volume issues would be reported as a volume status check failure.

51
Drag & Dropmedium

Drag and drop the steps to troubleshoot an SAP HANA database connection failure from an SAP application in AWS into the correct order.

Why this order

Troubleshooting should start with logs, then check database status, network, security groups, and authentication.

52
Matchingmedium

Match the AWS service to its function in SAP disaster recovery.

Replicates servers to another AWS Region

Replicates backups to secondary Region

Traffic routing to standby region

Point-in-time backups for HANA data volumes

Why these pairings

DR strategies for SAP use these AWS capabilities.

53
MCQeasy

A company is running SAP on AWS and needs to ensure high availability for their SAP Central Services (ASCS) instance. They plan to use a multi-AZ deployment with a floating IP. Which AWS service should they use to manage the floating IP and failover?

A.Elastic Load Balancer
B.Amazon Route 53
C.AWS Global Accelerator
D.Amazon CloudFront
AnswerB

Route 53 can provide DNS failover with health checks, acting as a floating IP.

Why this answer

Option B is correct because Amazon Route 53 can be used to associate a DNS name with a health check and failover to a secondary IP in another AZ. Option A is wrong because Elastic Load Balancer (ELB) is for distributing traffic, not for floating IPs. Option C is wrong because AWS Global Accelerator improves performance, not floating IP failover.

Option D is wrong because Amazon CloudFront is a CDN.

54
Multi-Selectmedium

A company runs SAP on AWS and needs to implement a disaster recovery (DR) strategy with a Recovery Point Objective (RPO) of 15 minutes and Recovery Time Objective (RTO) of 2 hours. Which TWO actions should they take?

Select 2 answers
A.Set up SAP HANA System Replication to another AWS region.
B.Implement a Pilot Light strategy using EC2 instances in standby.
C.Use AWS CloudFormation to automate infrastructure deployment in the DR region.
D.Use AWS Backup to schedule backups every 15 minutes.
E.Take EBS snapshots every 15 minutes.
AnswersA, C

HANA System Replication provides near-real-time data replication.

Why this answer

Options A and C are correct. A: Replicating data to another region using HANA System Replication meets the RPO. C: CloudFormation provisions the DR infrastructure quickly.

E is incorrect because EBS snapshots every 15 minutes may not be feasible and are slower. D is incorrect because AWS Backup may not meet RPO/RTO. B is incorrect because Pilot Light alone may not meet RTO.

55
MCQhard

An SAP system running on AWS experiences periodic performance degradation. Analysis shows that the issue occurs when an on-premises monitoring system polls the SAP application server. Which AWS service can help mitigate this by caching or throttling requests?

A.Amazon Route 53
B.AWS WAF
C.Amazon CloudFront
D.Elastic Load Balancing
AnswerB

WAF can create rules to rate-limit or block excessive requests.

Why this answer

Option B is correct because AWS WAF can rate-limit incoming requests from a specific IP, reducing load. Option C (CloudFront) caches content but is not designed for application-level throttling. Option D (ELB) distributes traffic but does not throttle.

Option A (Route 53) is DNS and not suitable for throttling.

56
MCQeasy

An SAP administrator needs to automate the daily backup of an SAP HANA database running on EC2. Which AWS service should be used to schedule and manage the backup process?

A.Amazon S3 Lifecycle policies
B.AWS Backup
C.AWS Data Pipeline
D.Amazon CloudWatch Events
AnswerB

AWS Backup automates backup scheduling and retention.

Why this answer

Option B is correct because AWS Backup provides a centralized backup service that can schedule and manage backups for EC2 instances and EBS volumes. Option D is wrong because CloudWatch Events triggers actions but isn't a backup manager. Option C is wrong because Data Pipeline is for data transformation, not backups.

Option A is wrong because S3 Lifecycle policies manage object retention, not backups.

57
MCQmedium

A company is running an SAP application on an SAP HANA database in a multi-AZ deployment on AWS. The operations team notices that the system is experiencing high latency during peak hours. Upon investigation, they find that the EBS volumes attached to the HANA instances are frequently exceeding the provisioned IOPS limit. Which of the following is the MOST effective action to resolve this issue?

A.Increase the volume size of the EBS volumes to increase the baseline IOPS.
B.Switch from Provisioned IOPS SSD (io2) to General Purpose SSD (gp3) volumes.
C.Enable EBS optimization on the EC2 instances.
D.Reduce the number of concurrent connections to the SAP HANA database.
AnswerA

Increasing volume size directly increases the baseline IOPS for gp3 volumes or allows higher provisioned IOPS for io2 volumes, resolving the IOPS limit issue.

Why this answer

Option A is correct because increasing the volume size also increases the baseline IOPS for gp3 volumes or allows higher provisioned IOPS for io2 volumes, directly addressing the IOPS limit. Option B is wrong because switching to General Purpose SSD (gp3) can provide higher IOPS at lower cost but does not guarantee the needed IOPS if the burst credits are exhausted. Option D is wrong because reducing the number of concurrent connections does not address the IOPS limit of the EBS volumes.

Option C is wrong because EBS optimization is already enabled for current generation instances and does not increase IOPS limits.

58
MCQmedium

The operations team uses the IAM policy above for a group of administrators. An administrator tries to terminate an EC2 instance that is tagged with Environment=Production. What will happen?

A.The termination will be denied because the Deny condition applies to all instances
B.The termination will be allowed because the Deny condition is not met
C.The termination will be allowed because the Deny does not apply to Production instances
D.The termination will be denied because there is no explicit Allow for TerminateInstances
AnswerD

Without an explicit Allow, the action is implicitly denied.

Why this answer

The Deny statement has a condition that denies termination only when the tag is NOT Production. Since the instance is tagged Production, the condition is not met, so the Deny does not apply. The Allow statement does not include TerminateInstances, so there is no explicit Allow for termination.

The default is implicit Deny, so the action is denied.

59
Multi-Selecthard

An SAP environment on AWS includes multiple EC2 instances running SAP application servers. The operations team needs to capture and analyze all API calls made to AWS services by these instances. Which THREE services should be used together?

Select 3 answers
A.Amazon Athena
B.AWS CloudTrail
C.Amazon S3
D.AWS Config
E.Amazon GuardDuty
AnswersA, B, C

Athena can query CloudTrail logs directly in S3 using SQL.

Why this answer

AWS CloudTrail captures API calls, Amazon S3 stores the logs, and Amazon Athena allows querying the logs. Alternatively, CloudWatch Logs can be used, but Athena is more cost-effective for ad-hoc analysis. The three correct services are CloudTrail, S3, and Athena.

60
MCQeasy

A company is running SAP on AWS and wants to send alerts when the CPU utilization of an EC2 instance exceeds 90% for 5 minutes. Which AWS service should be used to create this alarm?

A.AWS Lambda
B.AWS Config
C.Amazon Simple Notification Service (SNS)
D.Amazon CloudWatch Alarms
AnswerD

CloudWatch Alarms monitor metrics and send notifications when thresholds are breached.

Why this answer

Option D is correct because Amazon CloudWatch Alarms can trigger based on metrics. Option A (AWS Lambda) can be a target, not the alarm service. Option C (Amazon SNS) is a notification service.

Option B (AWS Config) is for configuration rules.

61
MCQmedium

A company is running an SAP HANA database on an EC2 instance. The operations team notices that the SAP application is responding slowly during peak hours. CloudWatch metrics show high CPU utilization and increased swap usage. Which combination of actions should the team take to resolve the performance issue?

A.Enable Auto Scaling for the EC2 instance to automatically add more instances.
B.Resize the EC2 instance to a larger instance type with more vCPUs and memory.
C.Change the instance type to a compute-optimized instance to improve CPU performance.
D.Add more EBS volumes and increase the number of read replicas.
AnswerB

Vertical scaling addresses both high CPU and memory pressure, reducing swap usage.

Why this answer

Option B is correct because increasing memory reduces swap usage, and increasing CPU capacity addresses high CPU utilization. Option A is wrong because vertical scaling is often the simplest approach for a single HANA instance. Option D is wrong because adding more EBS volumes does not address CPU or memory.

Option C is wrong because changing instance type to memory-optimized is the correct approach, not compute-optimized.

62
MCQmedium

An SAP system on AWS experiences intermittent performance degradation during peak hours. CloudWatch metrics show high CPU utilization on the application server but normal on the database server. The application server is an m5.2xlarge instance. Which action should the operations team take FIRST to diagnose the issue?

A.Change the application server instance type to a compute-optimized instance like c5.4xlarge.
B.Increase the provisioned IOPS on the database server's EBS volumes.
C.Increase the network bandwidth of the application server.
D.Scale out the application tier by adding more application servers behind a load balancer.
AnswerA

Compute-optimized instances provide higher CPU performance.

Why this answer

Option B is correct because the issue is likely related to CPU contention on the application server, and upgrading to a compute-optimized instance provides more CPU resources. Option A is wrong because the problem is not network-related. Option C is wrong because the database is not the bottleneck.

Option D is wrong because increasing disk IOPS does not address CPU issues.

63
MCQeasy

An SAP administrator needs to back up the SAP HANA database daily. The backups must be stored securely and retained for 30 days. Which storage option is the most cost-effective?

A.Amazon S3 Standard
B.Amazon S3 Glacier
C.Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
D.Amazon EBS Snapshots
AnswerC

S3 Standard-IA is cost-effective for infrequent access with immediate retrieval.

Why this answer

Option C is correct. S3 Standard-IA is for infrequently accessed data with lower cost. Option A is incorrect because S3 Standard is more expensive.

Option B is incorrect because Glacier is for long-term archival, not 30-day retention. Option D is incorrect because EBS snapshots are for volumes, not database backups directly.

64
MCQeasy

A company has an SAP system running on AWS that uses an Application Load Balancer (ALB) to distribute traffic to multiple EC2 instances. The operations team notices that the ALB is returning 503 errors intermittently. Which of the following is the MOST likely cause?

A.The security group attached to the ALB is blocking inbound traffic from the targets.
B.The target instances are failing health checks.
C.The ALB does not have enough capacity to handle the traffic.
D.The SSL certificate on the ALB has expired.
AnswerB

When targets fail health checks, the ALB cannot route traffic to them, resulting in 503 errors.

Why this answer

Option B is correct because 503 errors typically indicate that the target instances are unhealthy or not responding. Option D is wrong because SSL certificate expiration causes 502 errors, not 503. Option A is wrong because security group rules blocking traffic would cause timeout or 502 errors.

Option C is wrong because insufficient capacity would cause 502 errors if targets are overloaded, but 503 specifically indicates unhealthy targets.

65
MCQhard

A company is running SAP HANA on AWS and needs to perform an in-place upgrade from HANA 1.0 to 2.0. The database size is 2 TB and the team wants to minimize downtime. Which approach is most appropriate?

A.Stop the HANA database, take a full backup, launch a new EC2 instance with HANA 2.0, and restore the backup.
B.Set up HANA System Replication from the current HANA 1.0 instance to a new EC2 instance running HANA 2.0, then perform a takeover.
C.Use AWS Database Migration Service (DMS) to continuously replicate data to a new HANA 2.0 instance.
D.Create an EBS snapshot of the HANA data volume and attach it to a new EC2 instance with HANA 2.0.
AnswerB

This minimizes downtime as the target is pre-built and the takeover is fast.

Why this answer

Option B (Use HANA System Replication to replicate to a new instance running HANA 2.0, then perform a takeover) is correct because it minimizes downtime by having a pre-built target. Option A (Stop DB, perform backup, restore onto new instance) results in longer downtime. Option C (Use AWS DMS) is not designed for HANA version upgrades.

Option D (Create a snapshot and restore) also incurs downtime and does not handle the upgrade.

66
MCQmedium

Refer to the exhibit. An SAP administrator is creating an IAM policy for an automated backup script that creates EBS snapshots of SAP HANA volumes. The script also needs to tag the snapshots. However, when the script runs, it fails with an authorization error. What is the missing permission?

A.ec2:DescribeSnapshots
B.kms:Encrypt
C.ec2:ModifySnapshotAttribute
D.ec2:DeleteSnapshot
AnswerB

When creating a snapshot of an encrypted EBS volume, the snapshot is also encrypted, requiring kms:Encrypt permission.

Why this answer

Option B is correct. The policy already allows ec2:CreateSnapshot on all resources, so the error suggests that something other than snapshot creation itself is not allowed. Permissions such as ec2:DescribeVolumes (to identify which volumes to snapshot) or ec2:ModifySnapshotAttribute may look like candidates.

The error may instead be because the script is trying to create a snapshot from a volume that is encrypted with a KMS key, while the policy allows only kms:Decrypt and kms:GenerateDataKey. A common missing permission is kms:Encrypt because when creating a snapshot of an encrypted volume, the snapshot is also encrypted and requires kms:Encrypt.

Option A is wrong because ec2:DescribeSnapshots is not needed for creating snapshots. Option D is wrong because ec2:DeleteSnapshot is not needed.

Option C is wrong because ec2:ModifySnapshotAttribute is not needed.

67
Multi-Select · hard

A company runs SAP on AWS and wants to automate the patching of SAP application servers. The servers are in an Auto Scaling group. Which THREE steps should be included in the automation?

Select 3 answers
A. Update the Auto Scaling group's launch configuration or launch template to use the new AMI.
B. Create a new AMI with the patches applied.
C. Use AWS Systems Manager to apply patches to running instances.
D. Perform an instance refresh to gradually replace instances.
E. Terminate all existing instances at once.
Answers: A, B, D

This ensures new instances use the patched AMI.

Why this answer

Options A, B, and D are correct because creating a new AMI, updating the launch configuration, and gradually replacing instances is a standard rolling update. Option C is wrong because SSM can be used but introduces complexity and potential downtime. Option E is wrong because terminating instances before new ones are ready causes downtime.

68
MCQ · easy

An SAP administrator needs to rotate the SSL/TLS certificate for the SAP Web Dispatcher running on an EC2 instance. The new certificate is stored in AWS Certificate Manager (ACM). How should the administrator deploy the certificate to the Web Dispatcher?

A. Export the certificate from ACM using the AWS CLI and install it on the EC2 instance.
B. Download the certificate from ACM and manually install it on the EC2 instance.
C. Configure ACM to automatically push the certificate to the EC2 instance.
D. Import the new certificate into ACM and associate it with an Application Load Balancer in front of the Web Dispatcher.
Answer: A

ACM supports exporting certificates for use on EC2 instances.

Why this answer

Option A is correct because ACM certificates cannot be directly downloaded; they must be exported or used via a load balancer or CloudFront. Option B (direct download) is not possible. Option C (ACM integration) is not supported natively.

Option D (import to ACM) is for bringing your own certificate.

69
MCQ · hard

A company runs SAP on AWS and wants to implement a disaster recovery solution with a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 15 minutes. The primary site is in us-east-1, and the DR site is in us-west-2. Which strategy meets these requirements for SAP HANA database?

A. Use AWS Database Migration Service (DMS) for ongoing replication
B. Take EBS snapshots every 15 minutes and copy them to us-west-2
C. Use Amazon S3 Cross-Region Replication for HANA data files
D. Configure SAP HANA System Replication across regions
Answer: D

HANA System Replication provides low RPO and meets RTO.

Why this answer

Option D is correct because HANA System Replication with log shipping can achieve an RPO of minutes and an RTO within hours. Option B is incorrect because EBS snapshots cannot achieve a 15-minute RPO. Option C is incorrect because S3 cross-region replication is for files, not live HANA replication.

Option A is incorrect because DMS is for heterogeneous migrations, not real-time HANA replication.

70
MCQ · medium

A company uses SAP NetWeaver with an Oracle database on EC2. The operations team wants to automate the patching of the operating system while ensuring minimal downtime. Which AWS Systems Manager capability should be used?

A. AWS Systems Manager Automation
B. AWS Systems Manager Run Command
C. AWS Systems Manager OpsCenter
D. AWS Systems Manager Patch Manager
Answer: D

Patch Manager automates the process of patching managed instances.

Why this answer

Option D is correct because Patch Manager automates OS patching. Option B is wrong because Run Command runs ad-hoc commands. Option A is wrong because Automation runs predefined workflows.

Option C is wrong because OpsCenter is for managing operational issues.

71
MCQ · easy

A company runs its SAP landscape on AWS and uses an Application Load Balancer (ALB) to distribute traffic to multiple web dispatchers. The operations team notices that some requests are failing with 503 errors. What is the most likely cause?

A. The security groups for the ALB are blocking incoming traffic.
B. The SSL certificate on the ALB has expired.
C. The CloudFront distribution in front of the ALB is misconfigured.
D. The target group health checks are failing, causing the ALB to mark instances as unhealthy.
Answer: D

503 errors occur when no healthy targets are available.

Why this answer

Option D is correct because 503 errors typically indicate that the target instances are unhealthy or the ALB cannot route traffic to them. Option A is wrong because security groups blocking traffic would cause 504 or timeout errors. Option B is wrong because SSL certificate issues cause 502 errors.

Option C is wrong because CloudFront is not in the path.

72
MCQ · easy

An SAP administrator needs to monitor the disk I/O performance of an Aurora PostgreSQL database used by SAP. Which Amazon CloudWatch metric should be used to track read and write operations per second?

A. FreeableMemory
B. CPUUtilization
C. ReadIOPS and WriteIOPS
D. DatabaseConnections
Answer: C

These metrics directly measure read and write operations per second.

Why this answer

Option C is correct because the ReadIOPS and WriteIOPS metrics track the number of read and write operations per second. Option B (CPUUtilization) tracks CPU. Option D (DatabaseConnections) tracks connections.

Option A (FreeableMemory) tracks memory.

73
MCQ · hard

A company runs an SAP system on AWS and wants to implement a disaster recovery (DR) strategy that provides a Recovery Time Objective (RTO) of 2 hours and a Recovery Point Objective (RPO) of 15 minutes. The primary site is in us-east-1 and the DR site is in us-west-2. Which approach meets these requirements?

A. Use Amazon EBS cross-Region replication for all volumes
B. Use AWS Backup to copy snapshots to the DR region every 15 minutes
C. Configure SAP HANA system replication to the DR region and use automatic failover
D. Take daily backups of the SAP HANA database and store in S3, then restore in us-west-2
Answer: C

Provides low RTO and RPO.

Why this answer

Option C is correct because using SAP HANA system replication with automatic failover provides low RTO and RPO. Option D is wrong because daily backups to S3 have an RPO of 24 hours. Option B is wrong because manual snapshots have higher RTO.

Option A is wrong because cross-Region replication of EBS snapshots does not provide automatic failover.

74
MCQ · hard

An SAP system administrator notices that nightly SAP HANA backups to Amazon S3 are failing intermittently with 'Access Denied' errors. The backups are initiated by an AWS Lambda function that uses an IAM role. The role has a policy that grants s3:PutObject on the backup bucket. Which additional IAM action is most likely required to resolve the issue?

A. s3:ListBucket
B. s3:PutObjectAcl
C. s3:DeleteObject
D. s3:GetObject
Answer: B

Required to set object ownership, especially when bucket policy enforces bucket owner full control.

Why this answer

Option B is correct because S3 bucket policies often require s3:PutObjectAcl for cross-account access or when the bucket owner is different from the uploader. Option A is wrong because s3:ListBucket is for listing objects, not uploading. Option D is wrong because s3:GetObject is for reading, not writing.

Option C is wrong because s3:DeleteObject is for removing objects, not uploading.

75
MCQ · easy

A company is running SAP on AWS and needs to monitor the available memory on their SAP application servers. Which AWS service can be used to collect and visualize memory utilization metrics?

A. AWS Config
B. Amazon Inspector
C. Amazon CloudWatch with CloudWatch Agent
D. AWS CloudTrail
Answer: C

CloudWatch Agent collects memory metrics and sends them to CloudWatch.

Why this answer

Amazon CloudWatch with the CloudWatch Agent is the correct choice because the agent can be installed on EC2 instances to collect custom metrics, including memory utilization, which is not available by default from the hypervisor. The agent sends these metrics to CloudWatch, where you can visualize them using dashboards or set alarms. This directly addresses the need to monitor SAP application server memory on AWS.

Exam trap

The trap here is that candidates assume EC2 instance metrics in CloudWatch automatically include memory utilization, but they do not—only the CloudWatch Agent can collect and publish those OS-level metrics.

How to eliminate wrong answers

Option A is wrong because AWS Config is a service for evaluating and auditing resource configurations against desired policies, not for collecting or visualizing runtime performance metrics like memory utilization. Option B is wrong because Amazon Inspector is a vulnerability management service that scans for software vulnerabilities and unintended network exposure, not a monitoring tool for OS-level metrics such as memory usage. Option D is wrong because AWS CloudTrail records API activity and user actions for auditing and governance, not for collecting system-level performance metrics from EC2 instances.
