SAP-C02 Exam Dumps : AWS Certified Solutions Architect - Professional

The best solution is to create a tag policy that contains the allowed project tag values in the organization’s management account and create an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added. A tag policy is a type of policy that can help standardize tags across resources in the organization’s accounts. A tag policy can specify the allowed tag keys, values, and case treatment for compliance. A service control policy (SCP) is a type of policy that can restrict the actions that users and roles can perform in the organization’s accounts. An SCP can deny access to specific API operations unless certain conditions are met, such as having a specific tag. By creating a tag policy in the management account and attaching it to each OU, the organization can enforce consistent tagging across all accounts. By creating an SCP that denies the cloudformation:CreateStack API operation unless a project tag is added, the organization can prevent users from creating new resources without proper tagging. This solution will meet the requirements with the least effort, as it does not involve creating additional resources or modifying existing ones. References: Tag policies - AWS Organizations, Service control policies - AWS Organizations, AWS CloudFormation User Guide

The best solution is to deploy an AWS Lambda function to add capacity to the Amazon Redshift cluster by using an elastic resize operation when the cluster’s CPU metrics in Amazon CloudWatch reach 80%. This solution will enable the cluster to scale up or down quickly by adding or removing nodes within minutes. This will improve the performance of the complex read queries and also reduce the cost by scaling down when the demand decreases. This solution is more cost-effective than using a classic resize operation, which takes longer and requires more downtime. It is also more suitable than using Amazon EMR, which is designed for big data processing rather than data warehousing. References: Amazon Redshift Documentation, Resizing clusters in Amazon Redshift, [Amazon EMR Documentation]

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company needs two things:

To serve static content from the AWS Region geographically closest to each customer.

To send data from on premises to Amazon S3 with minimal latency and without traversing the public internet, while keeping operational overhead low.

S3 Multi-Region Access Points provide a single global endpoint that fronts multiple S3 buckets in different Regions. Multi-Region Access Points use latency-based routing and failover capabilities to direct client requests automatically to the closest healthy Regional S3 bucket that is part of the Multi-Region Access Point. This directly addresses the requirement to serve content from the closest Region with high performance and reliability, and it avoids the need to build and maintain custom routing logic.

Behind the scenes, S3 Multi-Region Access Points rely on S3 Replication between the Regional buckets that participate in the Multi-Region Access Point. When you configure a Multi-Region Access Point, you set up the participating buckets and replication configuration once; AWS then manages routing and failover, reducing operational overhead compared to manually configuring and managing multiple S3 endpoints and application logic.

For the on-premises environment, the company wants to send data to S3 with minimal latency and without using the public internet. AWS Direct Connect provides a dedicated network connection from the on-premises network into AWS, avoiding the public internet and generally providing lower and more consistent latency. AWS PrivateLink allows private connectivity to supported AWS services (such as S3 Multi-Region Access Points via interface endpoints) from within a VPC using private IP addresses. When you combine Direct Connect with PrivateLink, traffic flows from on-premises over a private dedicated connection into a VPC and then privately to the Multi-Region Access Point through an interface VPC endpoint, satisfying the requirement for no public internet exposure.

Therefore, implementing S3 Multi-Region Access Points (option A) addresses the global content serving and Regional routing, and using AWS PrivateLink together with AWS Direct Connect (option E) provides low-latency, private network connectivity from on premises to the Multi-Region Access Point with minimal operational overhead.

Option B, S3 Cross-Region Replication alone, would replicate data across Regions but would not automatically route customers to the closest Region; application changes and manual routing would be required, increasing operational overhead.

Option C would require building and maintaining a custom Lambda-based routing system, which is unnecessary when S3 Multi-Region Access Points provide managed routing and failover.

Option D, AWS Site-to-Site VPN, encrypts traffic over the public internet; it does not satisfy the explicit requirement to avoid public internet exposure and typically has less predictable latency than Direct Connect.