Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

A is the correct answer because it uses AWS Directory Service for Microsoft Active Directory to join the Windows EC2 instances to an Active Directory domain on AWS and enable MFA. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, is a fully managed service that is powered by Windows Server 2019. It allows you to run directory-aware workloads in the AWS Cloud, including Microsoft SharePoint and custom .NET and SQL Server-based applications. You can also configure a trust relationship between AWS Managed Microsoft AD in the AWS Cloud and your existing on-premises Microsoft Active Directory. AWS Managed Microsoft AD supports MFA by integrating with your existing RADIUS-based MFA infrastructure. To join the Windows EC2 instances to an Active Directory domain on AWS, you can use an Amazon Workspace, which is a fully managed, secure desktop computing service that runs on AWS. You can connect to and use the Workspace for domain security configuration tasks. References:

The company wants logging that helps troubleshoot email delivery issues and also wants to search by recipient, subject, and time sent. Amazon SES provides event publishing for email sending and delivery events through configuration sets. With a configuration set, SES can publish sending events such as send, delivery, bounce, complaint, reject, and rendering failure to destinations such as Amazon CloudWatch, Amazon SNS, or Amazon Kinesis Data Firehose. For building a searchable log store, delivering these events into Amazon S3 through Kinesis Data Firehose is an effective approach because S3 provides durable storage and integrates well with query services.

Option A creates an SES configuration set with a Kinesis Data Firehose destination that delivers logs to an S3 bucket. This captures detailed SES event data that is directly useful for troubleshooting delivery issues and retaining historical records for analysis.

Once logs are stored in Amazon S3, Amazon Athena can query the data using SQL. Athena is designed to query data in S3 and is well suited for ad hoc searches. This meets the requirement to search based on recipient, subject, and time sent, assuming the event schema includes these fields (or they are included in the published event payload). Therefore, option C completes the solution by enabling searches over the stored log dataset.

Option B (CloudTrail) records API activity, such as calls made to SES APIs, but it is not designed to capture per-message delivery outcomes (deliveries, bounces, complaints) in a way that supports troubleshooting delivery behavior and detailed email event searching. CloudTrail is useful for auditing who called SES APIs, not for tracking message-level delivery events and outcomes.

Option D (CloudWatch log group) is another valid SES event publishing destination, but if the requirement is to perform flexible searches by multiple dimensions over a potentially large historical dataset, storing the logs in S3 and querying with Athena is a more direct and scalable pattern. Also, the provided option E is incorrect because Athena queries data in S3, not in CloudWatch Logs. CloudWatch Logs has its own query mechanism, but Athena is not used to query CloudWatch Logs directly in the way described.

Option E is incorrect because Amazon Athena does not query CloudWatch Logs as a log store. The typical searchable pattern for Athena is S3-backed datasets.

Therefore, the best combination to satisfy logging and searchable analysis requirements is to publish SES events to S3 via Kinesis Data Firehose (option A) and query those logs with Athena (option C).

The requirement is preventive enforcement during CloudFormation provisioning. AWS CloudFormation Hooks are designed to evaluate CloudFormation and Cloud Control API operations before resources are created or updated. If a resource is noncompliant, a Hook can fail the operation and prevent provisioning. Lambda Hooks allow custom logic, which fits predefined company-specific rules. Deploying and protecting Hooks centrally with StackSets, SCPs, and IAM policies gives consistent enforcement across the organization with low operational overhead. AWS Config custom rules are detective controls; they evaluate resources after deployment and cannot reliably prevent initial creation. CloudFormation macros require templates to explicitly use the macro and are not a universal enforcement layer. Manually invoking CloudFormation Guard through a Lambda function does not automatically block every CloudFormation deployment unless separately integrated.