AWS SAP-C02 Beginner Quiz - Free Practice Quiz

Question 1 of 60

A company is beginning its cloud adoption journey on AWS. The cloud architect needs to understand the shared responsibility model. Which of the following is the customer's responsibility, not AWS's? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Physical security of the AWS data centers that host the company's EC2 instances. B Patching the hypervisor software that runs underneath customer EC2 instances. C Configuring security groups and network ACLs to control traffic to EC2 instances. D Managing the global fiber network infrastructure connecting AWS Availability Zones.

1 / 60

Question 2 of 60

A company with an AWS Organizations structure wants to prevent any member account from creating resources in AWS Regions outside of us-east-1 and eu-west-1. Which control enforces this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS Config rules in each member account to detect resource creation outside approved regions and trigger automatic deletion via SSM Automation. B Create IAM permission boundaries on all IAM roles in every member account restricting actions to us-east-1 and eu-west-1. C Apply a Service Control Policy (SCP) with a Deny effect on all actions where the aws:RequestedRegion condition key does not match us-east-1 or eu-west-1. D Configure AWS CloudTrail to log all API calls and use EventBridge to send alerts when resources are created outside approved regions.

2 / 60

Question 3 of 60

An enterprise is designing its multi-account AWS strategy. It needs centralized billing, consolidated security posture, and the ability to apply governance policies across all accounts. Which AWS service is the foundation of this strategy? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Control Tower, which provides automated account vending and pre-built guardrails only. B AWS IAM Identity Center, which provides centralized access management for all AWS accounts and applications. C AWS Organizations, which groups accounts into a hierarchy, enables consolidated billing, and allows applying SCPs for governance across the entire account structure. D AWS Security Hub, which aggregates security findings from all accounts into a single dashboard.

3 / 60

Question 4 of 60

A company uses AWS Direct Connect with a dedicated connection to their on-premises data center. The connection has 1 Gbps of bandwidth. The team wants to use the connection for both public AWS services (S3, STS) and private VPC resources. Which Direct Connect configuration enables both? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create two separate dedicated Direct Connect connections: one for public services and one for the VPC private resources. B Use a Transit VIF attached to an AWS Transit Gateway; Transit Gateway can route traffic to both public AWS services and VPC resources simultaneously. C Create a single dedicated Direct Connect connection and configure two Virtual Interfaces (VIFs): a Public VIF for public AWS service endpoints and a Private VIF attached to a Virtual Private Gateway for VPC access. D Configure the Direct Connect connection with a hosted VIF that accesses both public and private endpoints through a single BGP session.

4 / 60

Question 5 of 60

A company's workload requires an EC2 instance to be available 24/7 for 3 years with predictable usage. What purchasing option provides the greatest cost savings? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A On-Demand Instances, which provide flexibility with no commitment and can be stopped to save costs during off-hours. B Spot Instances, which can save up to 90% compared to On-Demand when interrupted workloads are acceptable. C Reserved Instances with a 3-year, All Upfront payment term, which provides up to 72% savings compared to On-Demand pricing for a committed 24/7 workload. D Dedicated Hosts with a 1-year commitment, which provides physical server isolation and license optimization benefits.

5 / 60

Question 6 of 60

A company needs to migrate 200 TB of on-premises data to Amazon S3 within 5 days. The company's internet connection is 1 Gbps, shared with production traffic. Which AWS service accomplishes the migration within the time constraint? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Storage Gateway File Gateway to expose an NFS mount point; copy 200 TB from on-premises to the File Gateway, which uploads to S3 over the internet connection. B AWS DataSync over the existing 1 Gbps internet connection with bandwidth throttling to 500 Mbps to avoid impacting production traffic, completing the migration in approximately 9 days. C AWS Snowball Edge Storage Optimized, which provides 80 TB of usable storage per device; order 3 devices to hold 200 TB, ship to AWS, and AWS transfers the data to S3 within 5 days of receipt. D AWS Direct Connect 10 Gbps dedicated connection ordered and provisioned within 2 days; transfer 200 TB at full bandwidth over the remaining 3 days.

6 / 60

Question 7 of 60

A company stores customer data in Amazon S3 and must comply with GDPR data residency requirements. All data for EU customers must stay in the eu-west-1 region and must never be replicated to other regions. Which S3 configuration enforces this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 Cross-Region Replication (CRR) to a second EU region (eu-central-1) for redundancy; GDPR allows replication within the EU. B Use Amazon Macie to monitor S3 buckets and trigger an alert if any EU customer data is found in non-EU buckets. C Store EU customer data in an S3 bucket in eu-west-1 with no replication configured; apply an SCP to the AWS account that denies s3:PutBucketReplication and creation of CRR rules targeting non-EU regions, and enable S3 Block Public Access. D Configure an S3 bucket policy that explicitly denies s3:ReplicateObject actions to prevent any replication from occurring.

7 / 60

Question 8 of 60

A company is evaluating moving from a monolithic on-premises application to AWS. As a first step, they want to 'lift and shift' the application to EC2 without refactoring. Which AWS service or tool helps assess the existing on-premises environment and generates a migration plan? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Schema Conversion Tool (SCT), which analyzes on-premises application code and suggests equivalent AWS services. B AWS DataSync, which scans on-premises servers, identifies applications, and generates a lift-and-shift migration plan to EC2. C AWS Application Discovery Service, which collects inventory and performance data from on-premises servers using an agent or agentless approach, feeding into AWS Migration Hub for migration planning. D AWS Server Migration Service (SMS), which assesses on-premises VMware or Hyper-V VMs and automatically generates an EC2-compatible migration plan.

8 / 60

Question 9 of 60

A company has multiple AWS accounts and wants all accounts to use the same corporate identity provider (IdP) for AWS Management Console access. Users should not have separate IAM users in each account. Which AWS service provides centralized SSO across multiple accounts? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create IAM users in every account and sync them from the corporate IdP using an AWS Lambda function triggered by an EventBridge schedule. B Configure SAML 2.0 federation in each account's IAM settings, pointing to the corporate IdP; users use the IdP-initiated login flow to access each account separately. C Use AWS IAM Identity Center (formerly AWS SSO), which federates with the corporate IdP via SAML 2.0 or OIDC and provides a unified portal for users to access assigned accounts with temporary, role-based credentials. D Use Amazon Cognito User Pools with the corporate IdP as a federated identity source; Cognito issues JWT tokens that users present to each AWS account for console access.

9 / 60

Question 10 of 60

A company needs to ensure that all Amazon EBS volumes attached to EC2 instances are encrypted. New volumes must be encrypted by default, and existing unencrypted volumes must be identified. Which combination of AWS features implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS Macie to scan all EBS volumes for unencrypted data and automatically trigger AWS KMS to re-encrypt them. B Apply an SCP that denies ec2:CreateVolume unless the Encrypted parameter is set to true; this enforces encryption for all new volumes organization-wide. C Enable EBS encryption by default in the EC2 console (per account, per region); new volumes and snapshots are automatically encrypted with the default KMS key. Use AWS Config's encrypted-volumes managed rule to detect existing unencrypted volumes. D Use Amazon Inspector to scan EC2 instances for unencrypted EBS volumes and generate findings for remediation.

10 / 60

Question 11 of 60

A company's application requires low-latency database queries and uses Amazon RDS for MySQL. The database experiences heavy read traffic from a reporting dashboard. What is the simplest architectural change to offload read traffic and improve performance? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable RDS Multi-AZ deployment, which creates a synchronous standby that can serve read queries alongside the primary. B Migrate the database to Amazon Aurora MySQL, which provides higher throughput through its distributed storage architecture. C Create one or more RDS Read Replicas and update the reporting dashboard's connection string to point to the Read Replica endpoint, distributing read load away from the primary instance. D Deploy Amazon ElastiCache for Redis in front of RDS; cache all database query results and invalidate the cache whenever the underlying data changes.

11 / 60

Question 12 of 60

A company wants to implement infrastructure as code (IaC) for all AWS resources. The team is familiar with Python and wants to use a programming language rather than declarative templates. Which AWS IaC tool allows defining infrastructure in Python? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS CloudFormation using JSON templates, which supports Python-like syntax for resource definitions. B AWS Elastic Beanstalk configuration files (.ebextensions), which support Python scripting for resource customization. C AWS Cloud Development Kit (CDK) with Python constructs, which compiles to CloudFormation templates and allows defining AWS infrastructure using Python classes and objects. D AWS OpsWorks with Chef recipes written in Python to define and provision infrastructure components.

12 / 60

Question 13 of 60

A company currently stores data in an on-premises Oracle database. The team wants to migrate to AWS with minimal downtime and without application-level changes during migration. Which AWS service performs live database migration with continuous replication? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS DataSync, which migrates data from the on-premises Oracle database to Amazon RDS Oracle using NFS protocol with minimal downtime. B AWS Snowball Edge, which enables offline migration of the Oracle database to Amazon RDS by loading data onto a physical device and shipping it to AWS. C AWS Database Migration Service (DMS), which performs a full-load migration followed by ongoing Change Data Capture (CDC) replication to keep the target database current until cutover. D AWS Application Migration Service (MGN), which replicates the Oracle database server VM to EC2 with continuous block-level replication for minimal downtime.

13 / 60

Question 14 of 60

A startup is building a serverless REST API using Amazon API Gateway and AWS Lambda. The Lambda functions need to read from and write to a database. Which database service is best suited for a serverless architecture with automatic scaling and no connection management overhead? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Amazon Redshift Serverless, which provides auto-scaling SQL analytics capabilities that Lambda functions can query directly using the Redshift Data API. B Amazon RDS for PostgreSQL, which provides a fully managed relational database with automatic minor version updates and Multi-AZ HA for the Lambda functions. C Amazon DynamoDB, which is a fully managed NoSQL database that scales automatically, requires no connection pooling, and integrates natively with Lambda via the AWS SDK. D Amazon Aurora MySQL with Aurora Serverless v2, which auto-scales capacity and supports connection management through RDS Proxy for Lambda integration.

14 / 60

Question 15 of 60

A company needs to process thousands of batch jobs daily. Each job runs for 5â€“30 minutes and requires different compute resources (CPU, memory). The team wants a managed service that handles job scheduling, retry on failure, and scales compute resources dynamically. Which AWS service is designed for this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Lambda with SQS triggers, using Lambda's automatic scaling and a DLQ for failed jobs. B Amazon ECS with a custom job scheduler running as a Fargate service that reads from SQS and launches job containers. C AWS Batch, which manages job queues, compute environments, and job scheduling; automatically provisions EC2 or Fargate compute resources based on job requirements and retries failed jobs. D AWS Step Functions with a Map state that parallelizes job execution across multiple Lambda invocations.

15 / 60

Question 16 of 60

A company uses Amazon CloudFront to serve a global web application. The security team wants to restrict content delivery to only users located in specific countries and block all others. Which CloudFront feature implements geographic restrictions? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable CloudFront geographic restrictions (geo-restriction) by configuring an allowlist or blocklist of countries in the CloudFront distribution settings. B Configure CloudFront origin failover to route non-allowed countries to an error origin that returns a 403 page. C Create a Lambda@Edge function on the Viewer Request event that reads the CloudFront-Viewer-Country header and returns a 403 response for blocked countries. D Use AWS WAF with an IP set rule that contains all IP CIDR ranges for blocked countries, associated with the CloudFront distribution.

16 / 60

Question 17 of 60

A company runs a web application on EC2 behind an Application Load Balancer. To improve security, the team wants to ensure the application is accessible only via the ALB and cannot be reached directly by IP address. What is the simplest way to enforce this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the EC2 instances' security group to allow inbound HTTP/HTTPS only from the ALB's security group ID, not from any internet IP addresses. B Enable AWS WAF on the ALB and configure a rule that blocks requests not originating from the ALB's own IP range. C Deploy the EC2 instances in a public subnet but configure the OS-level firewall (iptables) to accept traffic only from the ALB's IP addresses. D Place the ALB in a public subnet and the EC2 instances in the same subnet; use a network ACL to allow traffic only from the ALB subnet CIDR.

17 / 60

Question 18 of 60

A company stores sensitive encryption keys in AWS Key Management Service (KMS). The security team wants to ensure that the keys can never be used by anyone outside the company's AWS accounts, even if a key policy is misconfigured to allow external access. Which KMS configuration enforces this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Apply an SCP with a Deny effect on kms:Decrypt, kms:GenerateDataKey, and kms:DescribeKey when the aws:PrincipalOrgID condition key does not match the company's Organization ID, ensuring KMS operations are only available to organization principals. B Enable KMS key rotation so that older key versions become inaccessible to external principals automatically. C Configure the KMS key policy to deny all external IAM principals by explicitly listing the company's account IDs in a Deny block. D Enable KMS key grants and restrict key usage to IAM roles within the company's accounts only, preventing external principals from using the key.

18 / 60

Question 19 of 60

A company wants to monitor costs and receive an alert when monthly AWS spend exceeds $10,000. Which AWS service provides this capability? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an AWS Budget of type 'Cost' with a monthly $10,000 threshold and configure email or SNS alerts at 80% and 100% of the budget amount. B Create an AWS CloudWatch billing alarm on the EstimatedCharges metric with a threshold of $10,000 and an SNS notification action. C Configure AWS Trusted Advisor Cost Optimization checks to alert when monthly spend approaches $10,000. D Enable AWS Cost Explorer anomaly detection, which notifies the team when spending deviates significantly from historical baseline patterns.

19 / 60

Question 20 of 60

A company is designing a multi-tier web application on AWS. The architecture includes a public-facing ALB, web tier EC2 instances, an application tier, and an RDS database. Which architectural principle should guide the placement of the RDS database? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Place the RDS database in a private subnet with no route to the internet gateway; allow inbound access only from the application tier's security group on the database port. B Place the RDS database in a public subnet for maximum availability and performance, protected only by security groups. C Place the RDS database in the same subnet as the application tier EC2 instances to minimize network latency. D Place the RDS database in an isolated VPC peered with the application VPC for maximum security isolation.

20 / 60

Question 21 of 60

A company uses Amazon S3 for object storage. They need to ensure that all objects uploaded to a specific S3 bucket are scanned for malware within 5 minutes of upload. Infected objects must be moved to a quarantine bucket automatically. What is the recommended architecture? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure an S3 Event Notification on the PutObject event to trigger a Lambda function; the Lambda function submits the object to a third-party malware scanning service or a custom scanning container, and on detection, copies the object to a quarantine bucket and deletes the original. B Configure Amazon GuardDuty with S3 Protection enabled; GuardDuty scans all S3 objects for malware in real time and triggers an EventBridge event to quarantine infected objects. C Enable Amazon Macie on the S3 bucket; Macie scans all objects for malware and automatically moves infected objects to a separate quarantine bucket configured in Macie settings. D Use Amazon Inspector V2 with S3 integration enabled; Inspector scans objects immediately after upload and generates findings that trigger a Lambda-based quarantine workflow.

21 / 60

Question 22 of 60

A company's application runs on Amazon ECS Fargate and needs to retrieve database credentials securely at task startup. The credentials are stored in AWS Secrets Manager. What is the recommended approach for injecting the credentials into the Fargate task? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Reference the Secrets Manager secret ARN in the 'secrets' section of the ECS task definition container definition; ECS retrieves and injects the secret value as an environment variable at task launch using the task execution role's permissions. B Embed the Secrets Manager secret ARN as a plaintext environment variable in the ECS task definition; the application reads the ARN and calls the Secrets Manager API at runtime. C Mount an EFS volume to the Fargate task containing a file with the credentials; the application reads the credentials file from the EFS mount at startup. D Store the credentials in an S3 object; configure a lifecycle rule to delete them after 24 hours; the Fargate task downloads the credentials from S3 at startup using the task role.

22 / 60

Question 23 of 60

A company wants to enforce that all EC2 instances across their AWS Organization are tagged with at minimum a 'CostCenter' and 'Environment' tag. New instances without these tags should be blocked from launch. Which mechanism enforces mandatory tagging at instance launch? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Apply an SCP at the organization root OU with a Deny on ec2:RunInstances unless the aws:RequestTag/CostCenter and aws:RequestTag/Environment condition keys are present in the request. B Enable AWS Cost Allocation Tags and require all users to manually add CostCenter and Environment tags in the AWS console before launching instances. C Apply an IAM permission boundary to all IAM roles that denies ec2:RunInstances unless the request includes both the CostCenter and Environment tags. D Use AWS Config's required-tags managed rule to detect untagged instances and automatically terminate them via SSM Automation remediation.

23 / 60

Question 24 of 60

An architect is designing a disaster recovery solution for a critical application. The RTO is 4 hours and the RPO is 1 hour. The application runs on EC2 instances and uses an RDS database. Which DR strategy meets these requirements at the lowest cost? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Warm standby in a secondary region: maintain a minimal RDS read replica and a scaled-down EC2 Auto Scaling group in the DR region; scale up EC2 during a DR event and promote the RDS replica within the 4-hour RTO. B Multi-site active-active deployment with EC2 Auto Scaling and RDS Global Database in two regions, with Route 53 failover routing providing near-zero RTO/RPO. C Hot standby in a secondary region with EC2 instances and RDS read replica fully running, with Route 53 failover and immediate traffic switch providing RTO < 15 minutes. D Backup and restore: take hourly RDS snapshots and AMI backups; in a disaster, restore the RDS snapshot and launch EC2 from the AMI, targeting a 4-hour RTO.

24 / 60

Question 25 of 60

A company's developers need temporary, limited-privilege access to specific S3 buckets in a production account. They work in a separate development account. What is the secure, recommended way to grant this cross-account access? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an IAM role in the production account with a trust policy allowing the development account's IAM principals to assume it; define the role's permissions to allow only the required S3 actions on the specific buckets. B Configure the S3 bucket policy in the production account to allow all IAM principals from the development account's AWS account ID without requiring role assumption. C Create IAM users in the production account with the required S3 permissions and share the access keys with the developers in the development account. D Enable Amazon Cognito Identity Pools to vend temporary credentials to developers in the development account, allowing them to access the production S3 buckets.

25 / 60

Question 26 of 60

A company uses Amazon SQS to buffer messages between microservices. The processing service occasionally fails to process messages, which remain visible in the queue and are reprocessed indefinitely, causing the queue to grow. What SQS configuration prevents infinite reprocessing? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure a Dead-Letter Queue (DLQ) with a maxReceiveCount (e.g., 3â€“5); after the specified number of failed receives, SQS automatically moves the message to the DLQ for isolation and investigation. B Set the SQS message visibility timeout to 0 seconds so that failed messages are immediately re-visible and can be reprocessed by a different consumer instance. C Enable SQS Long Polling on the queue to reduce empty receives; this also ensures failed messages are detected and requeued faster. D Configure SQS message retention to 1 minute; messages that cannot be processed within 1 minute are automatically deleted by SQS.

26 / 60

Question 27 of 60

A company needs to implement a hub-and-spoke network topology connecting 20 VPCs. Each spoke VPC must communicate with the central hub VPC but not directly with each other. Which AWS service implements this topology most efficiently? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Transit Gateway to connect all VPCs; create a custom route table on the Transit Gateway that routes traffic from spoke VPCs only to the hub VPC attachment, preventing spoke-to-spoke communication. B Use AWS PrivateLink to expose services from the hub VPC to each spoke VPC using VPC endpoint services, creating a service-oriented hub-and-spoke without full L3 routing. C Deploy an EC2-based router in the hub VPC and configure static routes in all spoke VPCs to direct inter-spoke traffic through the hub VPC router. D Create VPC Peering connections between each spoke VPC and the hub VPC; configure route tables to route spoke-to-hub traffic through the peering connections.

27 / 60

Question 28 of 60

A company's web application is experiencing DDoS attacks that generate large volumes of UDP reflection traffic. The company needs protection without any configuration changes to the application. Which AWS service provides automatic DDoS protection at no additional cost? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Shield Standard, which is automatically enabled for all AWS accounts and provides protection against common L3/L4 DDoS attacks including UDP reflection and SYN floods for ELB, CloudFront, and Route 53. B AWS WAF, which analyzes web traffic at the application layer and automatically blocks DDoS traffic matching known attack patterns. C Amazon GuardDuty, which detects DDoS activity in VPC Flow Logs and automatically triggers IP blocking via security group automation. D AWS Shield Advanced, which provides enhanced DDoS detection, mitigation, and the AWS DDoS Response Team (DRT) for complex attacks.

28 / 60

Question 29 of 60

A company's application stores user-uploaded files in Amazon S3. Files older than 30 days are rarely accessed and files older than 1 year should be deleted. What is the most cost-effective way to implement this lifecycle? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an S3 Lifecycle policy that transitions objects to S3 Standard-IA after 30 days and permanently deletes objects after 365 days. B Enable S3 Intelligent-Tiering on the bucket, which automatically moves objects between tiers; add an S3 Lifecycle rule to delete objects older than 365 days. C Write a Lambda function triggered by EventBridge on a daily schedule that lists all objects, checks their LastModified date, transitions old objects to S3 Standard-IA via the S3 API, and deletes objects older than 365 days. D Configure versioning on the S3 bucket and use MFA Delete to protect objects from being deleted before 365 days, then set an expiration rule at 365 days.

29 / 60

Question 30 of 60

A company is evaluating AWS Well-Architected Framework principles for their existing architecture. They discover that all their EC2 instances are in a single Availability Zone. Which pillar of the Well-Architected Framework does this primarily violate? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Reliability, because a single AZ is a single point of failure; an AZ-level outage would cause complete application unavailability. B Performance Efficiency, because using a single AZ limits the ability to use instance types available only in multiple AZs. C Cost Optimization, because using a single AZ means the company is paying for underutilized Availability Zones. D Operational Excellence, because a single-AZ architecture makes operational procedures more complex.

30 / 60

Question 31 of 60

A company uses AWS CloudFormation to manage infrastructure. A developer accidentally updates the template and changes the deletion policy on a production S3 bucket, causing it to be deleted on the next stack update. How can the architect prevent this in the future? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable CloudFormation drift detection on the stack; drift detection alerts the team when the live resource configuration deviates from the template. B Use CloudFormation Change Sets to preview every stack update before applying it; require manual review and approval of all production stack changes. C Configure CloudFormation termination protection on the stack, which prevents the entire stack from being deleted but does not protect individual resources from modification. D Apply a CloudFormation Stack Policy to the production stack with an explicit Deny on Update and Replace actions for the S3 bucket resource; this prevents any stack update from modifying or deleting the protected resource.

31 / 60

Question 32 of 60

A company has a static website hosted on Amazon S3 with CloudFront as the CDN. Users are reporting that after a content update, they still see old content for up to 24 hours. CloudFront's default TTL is set to 86,400 seconds (24 hours). What is the best way to immediately serve updated content to all users? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Reduce the CloudFront default TTL from 86,400 seconds to 300 seconds for all objects, ensuring that content is refreshed from S3 every 5 minutes. B Configure CloudFront to use the S3 ETag header for cache validation; CloudFront checks the ETag on every request and serves fresh content if the ETag changes. C Enable S3 versioning on the website bucket; CloudFront automatically detects version changes and invalidates its cache for versioned objects. D Create a CloudFront invalidation for the paths that were updated (e.g., /index.html or /*); this clears the cached version at all CloudFront edge locations, forcing the next request to fetch the updated content from S3.

32 / 60

Question 33 of 60

A company's application generates structured log data that must be searchable in near-real time for operational monitoring and analyzed in aggregate for weekly reports. Which AWS solution satisfies both requirements efficiently? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Write logs to Amazon S3; use Amazon Athena for both real-time and batch queries directly against S3 objects. B Write logs to Amazon DynamoDB with a TTL of 7 days for real-time lookups; export to Amazon Redshift for weekly analytics reports. C Use Amazon CloudWatch Logs Insights for real-time log analysis and CloudWatch Metrics for weekly aggregate data without any additional data stores. D Stream logs to Amazon OpenSearch Service (managed Elasticsearch) for near-real-time search and dashboards; export logs to Amazon S3 and query with Athena for weekly aggregate reports.

33 / 60

Question 34 of 60

A company uses AWS Systems Manager Parameter Store to store application configuration values. Some parameters contain sensitive data (database passwords). The team wants to prevent sensitive parameters from being accidentally logged or exposed in CloudTrail. Which Parameter Store configuration achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Secrets Manager instead of Parameter Store for sensitive values; Secrets Manager automatically redacts secret values from CloudTrail logs. B Store all parameters as Standard type and enable CloudTrail data events on Parameter Store to track access while preventing parameter values from appearing in logs. C Enable encryption on all Standard parameters using the AWS-managed SSM key; CloudTrail masks encrypted parameter values automatically. D Store sensitive parameters as SecureString type in Parameter Store; SecureString values are encrypted with KMS and the plaintext value is never returned in CloudTrail API callsâ€”only the parameter name and metadata are logged.

34 / 60

Question 35 of 60

A company needs to provide its application with temporary AWS credentials to access S3 without storing long-term access keys on the EC2 instance. What is the recommended approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Generate temporary credentials using the AWS STS AssumeRole API in the application code and store them in the application's configuration file with a 12-hour expiry. B Attach an IAM user's access keys as environment variables to the EC2 instance, scoped to only S3 read/write permissions. C Embed the IAM role ARN in the application's AWS SDK configuration; the SDK automatically retrieves credentials from the role without requiring an instance profile. D Attach an IAM instance profile with an appropriate IAM role to the EC2 instance; the EC2 metadata service (IMDS) automatically provides rotating temporary credentials to the application via the instance profile.

35 / 60

Question 36 of 60

A company's EC2-based application experiences sudden traffic spikes. The Auto Scaling group's scale-out policy is based on average CPU utilization. During a spike, it takes 8 minutes for new instances to launch, pass health checks, and receive traffic. Users experience slowdowns during this period. How can the architect reduce this lag? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Switch to a launch configuration that uses the smallest available instance type (t3.nano) to reduce boot time from 8 minutes to under 1 minute. B Configure an ALB target group with a 0-second health check grace period so new instances receive traffic immediately after launch. C Enable Elastic Load Balancing pre-warming by submitting a support ticket to AWS before each expected traffic spike. D Use EC2 Auto Scaling with a predictive scaling policy alongside the reactive CPU-based policy; predictive scaling uses ML to forecast traffic patterns and pre-launches instances before the spike occurs.

36 / 60

Question 37 of 60

A company uses Amazon RDS Aurora MySQL and needs to perform zero-downtime schema changes (e.g., adding an index to a 500 GB table). Adding the index with a standard ALTER TABLE statement locks the table for hours. What is the recommended approach to avoid downtime? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Take an Aurora cluster snapshot, restore it to a new cluster, add the index on the restored cluster, then promote it to production using blue/green DNS switching. B Enable Aurora Parallel Query before running the ALTER TABLE statement; Parallel Query distributes the index build across storage nodes, completing it faster without locking. C Use Aurora Fast DDL to add the index; Fast DDL performs the operation without rebuilding the table, completing instantly. D Use the Percona pt-online-schema-change or AWS Schema Conversion Tool to perform the index addition online, building the new index on a shadow table and atomically switching with minimal locking, or use Aurora's blue/green deployment feature to apply the schema change on the green cluster before cutover.

37 / 60

Question 38 of 60

A company wants to implement centralized logging for all VPC traffic metadata across 30 AWS accounts. The logs should be stored in a central S3 bucket and queryable using SQL. Which architecture achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS Config to record VPC Flow Log configuration changes across all accounts; use Config aggregator to view VPC network configuration in the central account. B Enable CloudWatch Logs in each account to capture VPC Flow Logs; use CloudWatch Cross-Account Observability to aggregate logs in the central account's CloudWatch Log Group; export to S3 using a subscription filter. C Deploy a Kinesis Data Firehose delivery stream in each account that captures VPC Flow Logs from CloudWatch and delivers them to a central S3 bucket; use Athena for SQL querying. D Enable VPC Flow Logs in each account to publish directly to a central S3 bucket in the logging account using cross-account bucket policies; use Amazon Athena with a Glue Data Catalog table partitioned by account/region/date to query the logs with SQL.

38 / 60

Question 39 of 60

A company's Lambda function needs to access a database in a private subnet. The function is not deployed in a VPC. What must the architect configure to allow the Lambda function to reach the database? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Add an internet-facing ALB in front of the database and configure the Lambda function to call the ALB's public DNS name. B Create a VPC endpoint for Lambda in the private subnet so that the Lambda function can route to the private subnet without being in the VPC. C Configure a site-to-site VPN between AWS Lambda's service VPC and the company's application VPC to provide private network access to the database. D Configure the Lambda function to run inside the VPC by attaching VPC configuration (VPC ID, subnet IDs, security group) to the function; ensure the private subnet has a route to the database and the Lambda security group allows the database port.

39 / 60

Question 40 of 60

An enterprise migrating to AWS wants to maintain a single source of truth for DNS while using AWS-hosted services. The company uses an on-premises DNS server for all corporate domain resolution. AWS resources (EC2, RDS) should be resolvable from on-premises using the same corporate domain namespace. Which AWS feature enables this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Amazon Route 53 public hosted zones for the corporate domain and update on-premises DNS servers to forward all corporate domain queries to Route 53 public resolvers. B Create a Route 53 public hosted zone for the corporate domain and configure AWS-to-on-premises forwarding rules; DNS resolution works bidirectionally over the public internet. C Deploy EC2 instances running BIND DNS servers in the VPC; configure on-premises DNS to forward corporate domain queries to the BIND servers, which resolve AWS-hosted resources. D Create a Route 53 private hosted zone associated with the VPC; configure Route 53 Resolver inbound endpoints in the VPC and configure on-premises DNS servers to forward queries for the corporate domain to the inbound endpoint IP addresses.

40 / 60

Question 41 of 60

A company's application writes to Amazon DynamoDB and reads much more frequently than it writes. The team is seeing high read capacity consumption. What is the most effective way to reduce DynamoDB read costs without changing the application's data model? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Switch the DynamoDB table from provisioned capacity mode to on-demand capacity mode, which automatically reduces read costs for variable access patterns. B Create a Global Secondary Index (GSI) on the most frequently queried attributes so that reads are distributed across the GSI and the base table, reducing per-query cost. C Enable DynamoDB Streams and use a Lambda function to pre-compute and cache common read results in S3, serving reads from S3 instead of DynamoDB. D Enable DynamoDB Accelerator (DAX), a fully managed in-memory caching layer that serves read requests from cache with sub-millisecond latency, dramatically reducing the number of read requests reaching DynamoDB.

41 / 60

Question 42 of 60

A company uses AWS Config to track configuration changes across all AWS accounts in their organization. They want to view compliance status and configuration history for all accounts from a single dashboard. Which AWS Config feature provides this aggregated view? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS Config in each account and use Amazon QuickSight with the Config data in S3 to build a custom compliance dashboard. B Enable AWS Config cross-account delivery by configuring all member accounts to send Config data to a central S3 bucket; use Athena to query the aggregated configuration history. C Use AWS Security Hub with Config integration to view all Config rule findings across accounts in a single Security Hub dashboard. D Create an AWS Config Aggregator in the management account that sources configuration and compliance data from all member accounts; the aggregator provides an organization-wide compliance dashboard and configuration history across all accounts.

42 / 60

Question 43 of 60

A company needs to run a containerized application that requires 2 vCPUs and 4 GB RAM. The application should start within 30 seconds, run for approximately 1 hour, then stop. The company wants no server management and wants to pay only for the duration the container runs. Which AWS service fits this requirement? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Amazon EC2 with a t3.medium instance, launched from a pre-built AMI for fast startup; terminate the instance after the 1-hour job completes. B AWS Lambda with a 15-minute timeout, splitting the 1-hour job into four 15-minute segments orchestrated by Step Functions. C Amazon EKS with Fargate profiles; define a pod with 2 vCPU and 4 GB RAM; schedule the pod and it runs to completion with no server management. D Amazon ECS with Fargate launch type; define a task with 2 vCPU and 4 GB memory; run the task using ECS RunTask API; Fargate provisions compute automatically and charges only for the task's runtime.

43 / 60

Question 44 of 60

A company's architecture uses an Amazon API Gateway REST API fronting Lambda functions. The Lambda functions take 3â€“5 seconds to complete. Clients are reporting timeout errors during peak load. The API Gateway integration timeout is set to 29 seconds (the maximum). What is the most likely root cause? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A API Gateway's default throttle limit of 10,000 requests/second is being exceeded; throttled requests receive 429 errors that clients interpret as timeouts. B The CloudFront distribution in front of API Gateway is caching Lambda responses, causing stale cached responses to time out for clients expecting fresh data. C Lambda's maximum execution timeout is set to 3 seconds; increase the Lambda timeout to 30 seconds to accommodate the full execution time. D Lambda cold starts combined with peak concurrency are causing some invocations to exceed 29 seconds; the API Gateway integration timeout is reached before Lambda completes its response.

44 / 60

Question 45 of 60

A company stores all application logs in Amazon CloudWatch Logs. They need to analyze these logs for specific error patterns and generate a daily summary report. The report should be stored in S3 and sent via email. Which AWS-native approach accomplishes this with the least custom code? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon CloudWatch Logs Insights to run queries manually each day and export results to S3 using the Export to Amazon S3 button in the console. B Create an Amazon Kinesis Data Firehose delivery stream subscribed to the CloudWatch Logs group; use Firehose's built-in data transformation Lambda to analyze error patterns and deliver reports to S3. C Use Amazon Athena to query CloudWatch Logs directly via CloudWatch Logs to Athena federation; schedule the query using EventBridge and store results in S3. D Create an EventBridge Scheduler rule that triggers a Lambda function daily; the Lambda function runs a CloudWatch Logs Insights query for error patterns using the StartQuery/GetQueryResults API, writes the summary to S3, and sends it via Amazon SES or SNS.

45 / 60

Question 46 of 60

A company uses AWS Organizations with separate accounts for development, staging, and production. They want to ensure that resources created in development accounts are never accessible from production accounts and that developers cannot accidentally create cross-account access. Which control enforces this isolation? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure VPC peering between development and production VPCs but restrict route tables to allow only approved traffic flows. B Apply an SCP to the development OU that denies iam:CreateRole and iam:AttachRolePolicy with a Condition that allows assuming roles in production account ARNs, preventing trust relationships pointing to production. C Configure AWS Config rules in development accounts to detect cross-account IAM policies and trigger automatic deletion of non-compliant policies. D Use AWS Security Hub with cross-account findings aggregation to detect and alert on any cross-account resource access from development to production.

46 / 60

Question 47 of 60

A company plans to use AWS for running sensitive government workloads that require FedRAMP High authorization. Which AWS offering provides the controls necessary for FedRAMP High compliance? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS GovCloud (US) with AWS Nitro System-based EC2 instances running custom kernel modules with FedRAMP-compliant security configurations. B AWS GovCloud (US) regions (us-gov-west-1 and us-gov-east-1), which are purpose-built for US government data, operated by US citizens, and hold FedRAMP High authorization for numerous services. C AWS Dedicated Hosts in commercial regions with AWS Artifact-provided FedRAMP documentation used to complete the customer's own FedRAMP authorization package. D Standard AWS commercial regions with AWS Config conformance packs implementing NIST SP 800-53 High baseline controls.

47 / 60

Question 48 of 60

A company has an existing application that uses LDAP for user authentication. The team wants to migrate authentication to AWS Cognito while maintaining LDAP as the identity source during a transition period. Which Cognito feature supports federated authentication with an on-premises LDAP directory? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Amazon Cognito with an LDAP connector plugin that queries the on-premises LDAP server directly for credential validation. B Use Amazon Cognito User Pools with a SAML 2.0 federation configuration pointing to an AD FS (or compatible SAML IdP) that authenticates against the LDAP directory; Cognito acts as the SP and LDAP/AD FS acts as the IdP. C Use Amazon Cognito Identity Pools to federate with the LDAP server using an LDAP-to-JWT translation Lambda function. D Enable Amazon Cognito's built-in LDAP integration mode, which connects to any LDAP v3 server for user authentication.

48 / 60

Question 49 of 60

A company's microservices architecture on Amazon EKS has a requirement that all inter-service communication be encrypted in transit and mutually authenticated. The services use gRPC. Which approach provides encryption and mutual authentication with the least application code changes? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure TLS on each gRPC service individually by adding TLS certificates to the gRPC server code and requiring client certificate presentation in the gRPC client code. B Deploy a service mesh (AWS App Mesh or Istio) with Envoy sidecars injected alongside each service; the sidecar intercepts all gRPC traffic and handles mTLS automatically using certificates from ACM Private CA, requiring no application code changes. C Deploy an AWS Network Load Balancer with TLS termination in front of each EKS service; NLB provides mutual TLS (mTLS) authentication between services. D Use AWS Certificate Manager (ACM) to issue certificates for each service and mount them as Kubernetes Secrets; configure gRPC server and client code to use the ACM certificates for mTLS.

49 / 60

Question 50 of 60

A company uses Amazon EBS gp2 volumes for its database workloads. Performance benchmarks show inconsistent IOPSâ€”sometimes meeting the 3,000 IOPS baseline but frequently dropping to 1,500 IOPS. What is the recommended storage change to ensure consistent high performance? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Increase the gp2 volume size to 3 TB, which provides 9,000 IOPS (3 IOPS/GB Ã— 3,000 GB), ensuring consistent performance. B Migrate to io2 Block Express volumes, which provide consistent provisioned IOPS (up to 256,000 IOPS per volume) independent of volume size, with 99.999% volume durability. C Enable Multi-Attach on the gp2 volume and attach it to two EC2 instances to distribute IOPS across multiple consumers. D Add more gp2 volumes in a RAID 0 configuration to aggregate IOPS across multiple volumes.

50 / 60

Question 51 of 60

A company is designing a web application that processes payment transactions. PCI DSS compliance requires that cardholder data (CHD) be isolated from other application components and that all access to CHD be logged. Which AWS architecture approach best achieves this isolation? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Store cardholder data in an encrypted Amazon S3 bucket with server-side encryption; use bucket policies to restrict access to payment processing Lambda functions only. B Place cardholder data processing components in a separate AWS account (CDE account) with strict SCPs; use VPC with no internet gateway for CHD workloads; enable CloudTrail, VPC Flow Logs, and Config in the CDE account; use AWS PrivateLink for controlled access from other application components. C Deploy a dedicated EC2 instance for payment processing with an EBS-encrypted volume; restrict access using security groups and enable CloudTrail for API logging. D Use Amazon DynamoDB with encryption at rest and VPC endpoints to store cardholder data; audit access using DynamoDB Streams and Lambda.

51 / 60

Question 52 of 60

A company's application uses an ALB and EC2 Auto Scaling. During a traffic surge, new EC2 instances are launched and registered with the ALB. However, the first few requests to each new instance return errors because the application hasn't finished initializing. What configuration prevents this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the ALB to use round-robin load balancing instead of least outstanding requests to distribute traffic more evenly during scale-out. B Configure the ALB target group's health check to require a successful response (HTTP 200) on the /health endpoint before marking the instance healthy and routing traffic to it; set an appropriate health check grace period in the Auto Scaling group. C Increase the EC2 instance type to a larger size so that application initialization completes faster, reducing the window of time when the instance serves errors. D Configure the Auto Scaling group's instance warmup period so that new instances are not counted toward the group's metrics during initialization.

52 / 60

Question 53 of 60

A company stores research data in Amazon S3 and provides access to external research partners via pre-signed URLs. The pre-signed URLs currently have no expiry, which is a security concern. The security team wants URLs to expire after 24 hours and wants to audit who generated each URL. Which changes address both requirements? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 Intelligent-Tiering on the bucket; intelligent-tiering automatically expires pre-signed URLs after 24 hours and logs URL generation to CloudTrail. B Generate pre-signed URLs with an expiry duration of 86,400 seconds (24 hours) using the IAM role that has S3 read access; enable CloudTrail data events on the S3 bucket to log GetObject API calls and identify the IAM role that generated each URL. C Generate pre-signed URLs using short-lived STS credentials with a maximum duration of 24 hours; store URL generation metadata (URL, recipient, expiry) in a DynamoDB audit table. D Use S3 presigned URL notifications in CloudWatch to expire URLs after 24 hours and trigger an SNS alert when a URL is generated.

53 / 60

Question 54 of 60

A company's network team needs to monitor all traffic between their on-premises network and AWS to detect anomalies and compliance violations. The traffic flows over AWS Direct Connect. Which AWS tool provides visibility into network traffic patterns for Direct Connect? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS CloudTrail with data events for Direct Connect to capture all network-layer traffic metadata flowing between on-premises and AWS. B Enable VPC Flow Logs on the VPC attached to the Direct Connect Virtual Private Gateway; Flow Logs capture traffic metadata (source/destination IP, port, bytes, packets) for all network flows in the VPC, including Direct Connect traffic. C Deploy AWS Network Firewall in the VPC connected to Direct Connect; Network Firewall provides deep packet inspection and traffic flow logs. D Use AWS Transit Gateway Network Manager to monitor Direct Connect traffic with topology views and global route analytics.

54 / 60

Question 55 of 60

An architect is designing a solution where application code deployed on Lambda must securely access a third-party API using an API key. The key must be stored securely, not visible in the Lambda environment variables in plaintext, and must be retrievable by authorized Lambda functions only. Which approach is correct? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Embed the API key in the Lambda deployment package as a constant in the source code; the key is protected by Lambda's code encryption at rest. B Store the API key as an encrypted SecureString in AWS Systems Manager Parameter Store using a KMS CMK; grant the Lambda execution role ssm:GetParameter and kms:Decrypt permissions; retrieve the key in the Lambda function code at runtime. C Use Amazon Cognito to issue an OAuth 2.0 token for the Lambda function; exchange the token for the third-party API key at each Lambda invocation. D Store the API key in an S3 object with SSE-KMS encryption; the Lambda function downloads the key file from S3 at startup using the execution role's S3 permissions.

55 / 60

Question 56 of 60

A company wants to validate that their AWS architecture complies with the AWS Well-Architected Framework. They have 50 workloads and want a systematic, self-service evaluation process. Which AWS tool provides this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Trusted Advisor, which runs automated checks against AWS best practices and provides recommendations for all 50 workloads. B AWS Well-Architected Tool, which provides a questionnaire-based framework review for each workload and generates a report with identified risks and improvement recommendations across all five pillars. C AWS Security Hub, which evaluates all 50 workloads against NIST CSF, PCI DSS, and CIS benchmark controls. D AWS Config with the Well-Architected conformance pack, which deploys managed Config rules aligned with Well-Architected pillars.

56 / 60

Question 57 of 60

A company uses Amazon ECS on EC2 with Auto Scaling. After deploying a new task definition version, some tasks continue running the old version. The team wants to force all tasks to update to the new version immediately during the next deployment. What deployment configuration achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Set the ECS service's deployment minimum healthy percent to 100% and maximum percent to 100%, which replaces all tasks simultaneously without maintaining availability. B Configure an ECS service rolling update with minimum healthy percent set to 0% and maximum percent set to 100%; ECS can terminate all old tasks first, then launch new tasks with the updated task definition, ensuring all tasks run the new version. C Use AWS CodeDeploy blue/green deployment with an instant traffic shift (AllAtOnce deployment configuration) to replace all running ECS tasks simultaneously. D Enable ECS Service Auto Scaling with a scale-in policy that terminates old task instances; the scale-out policy then launches new tasks using the updated task definition.

57 / 60

Question 58 of 60

A company's application architecture has multiple independent microservices that need to react to a common business event (e.g., 'order placed'). Each microservice has different processing speeds and must handle the event independently without being coupled to other services. Which AWS messaging pattern decouples the event producer from all consumers? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A The producer writes events to a shared Amazon SQS Standard queue; all consumer microservices poll the same queue, and each consumer processes one unique message. B The producer publishes the event to an Amazon SNS topic; each consumer microservice has a dedicated SQS queue subscribed to the SNS topic; each consumer processes events independently from its own queue. C The producer calls each consumer microservice's REST API endpoint synchronously, waiting for all consumers to acknowledge before completing the 'order placed' flow. D The producer writes events to an Amazon Kinesis Data Stream; all consumer microservices use the same consumer group to read from the stream, sharing the processing load.

58 / 60

Question 59 of 60

A company's multi-tier application runs on EC2 instances across three AZs. The web tier is public-facing; the app tier and database tier are private. The team discovers that traffic from one AZ's app tier is crossing to another AZ's database, incurring inter-AZ data transfer costs. How should the architect redesign the routing to minimize inter-AZ traffic? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable ALB Cross-Zone Load Balancing, which ensures traffic is distributed evenly across all AZs, indirectly reducing per-AZ cross-AZ traffic by balancing loads. B Create AZ-local subnets for each tier and configure application routing (or ALB routing with zone-aware load balancing disabled) to prefer database connections to instances in the same AZ, using AZ affinity in the application or service mesh configuration. C Use AWS Transit Gateway with AZ-specific route tables to force inter-tier traffic within the same AZ without crossing AZ boundaries. D Deploy a separate VPC in each AZ and use VPC peering to connect the web, app, and database tiers, keeping traffic within each AZ's VPC.

59 / 60

Question 60 of 60

A company is planning to move their disaster recovery strategy to AWS. They currently have an on-premises warm standby site. The team wants to replicate the warm standby approach on AWS: maintain a minimal footprint in a secondary region that can be scaled up in 30 minutes during a disaster. What describes a warm standby DR strategy on AWS? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Fully mirrored deployment in the DR region running at full production capacity 24/7, with Route 53 failover routing providing near-instant failover. B A scaled-down version of the production environment running in the DR region (e.g., minimal EC2 ASG with 1 instance, RDS read replica); during a disaster event, scale the ASG to full capacity, promote the RDS replica, and update Route 53 to direct traffic to the DR region. C No pre-deployed resources in the DR region; restore from S3 backups and CloudFormation templates to provision the entire environment in the DR region when disaster is declared. D Manual snapshots of EBS volumes taken weekly and stored in S3; in a disaster, restore the snapshots to EC2 instances in the DR region using a runbook.

60 / 60