Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

Comprehensive and Detailed Explanation:

Option C offers a scalable and low-overhead solution for managing custom controls across multiple AWS accounts:

AWS Control Tower provides a pre-configured environment to set up and govern a secure, multi-account AWS environment based on AWS best practices.

Customizations for AWS Control Tower (CfCT) allows for the deployment of custom configurations and resources, such as AWS Config rules and IAM policies, across accounts and organizational units using AWS CloudFormation templates.

Amazon EventBridge integrates with AWS Control Tower to automate the deployment of customizations during account provisioning events, ensuring that all new accounts adhere to the defined controls without manual intervention.

This approach ensures consistent enforcement of custom controls across all accounts with minimal operational overhead.

Lambda has a maximum timeout of 900 seconds, or 15 minutes. Since the function is already configured with the maximum timeout and still fails, the workload should move to a containerized compute model that can run longer. The least operational overhead option is Amazon ECS with AWS Fargate. The application code should be packaged as a Docker container image and stored in Amazon ECR, which ECS task definitions can reference. EventBridge can invoke ECS tasks directly and supports ECS parameters, including the Fargate launch type. This avoids keeping Lambda in the execution path and removes the need to manage EC2 container instances. Storing container images in S3 is not the standard ECS deployment model, and Step Functions does not directly “use” a Docker image as described. (AWS Documentation)

===============

The company requires two different types of security analysis: vulnerability scanning for CVEs and code-level scanning for sensitive data exposure. Amazon Inspector provides both Lambda Standard Scanning and Lambda Code Scanning. These capabilities allow Inspector to examine Lambda deployment packages and Lambda layers for software vulnerabilities, and also perform static code analysis to detect insecure coding patterns. To meet the requirement that only certain Lambda functions receive deeper code scanning, Inspector allows enabling or disabling code scanning at the individual Lambda function level through the function ' s Monitor settings. Inspector additionally supports resource exclusion based on tagging, allowing administrators to prevent specific Lambda functions from participating in code scans. Tag-based exclusion satisfies the requirement to scan only a subset of Lambda functions.

Option B is required because enabling both Lambda standard scanning and Lambda code scanning activates the functionality necessary for CVE detection and code security analysis.

Option D is required because enabling scanning at the function level ensures that code scanning runs only for selected Lambda functions.

Option E is required because resource exclusion using tags allows the administrator to exclude non-target Lambda functions from code scanning automatically.

Options A and C do not satisfy the requirement because simply activating Amazon Inspector does not configure per-function scanning behavior, and GuardDuty Lambda Protection does not scan for CVEs or code vulnerabilities. Option F is not valid because Amazon Inspector does not perform scans directly against objects stored in Amazon S3; scanning occurs against the deployed Lambda function versions themselves.