AWS SAP-C02 Intermediate - Free Practice Quiz

Question 1 of 60

A company is designing a multi-account AWS landing zone. New accounts should receive a baseline configuration including a CloudTrail organization trail, AWS Config, Security Hub enrollment, and a standard VPC layoutâ€”automatically, without manual intervention. Which AWS service orchestrates this automated account baseline? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS CloudFormation StackSets deployed from the management account, targeted at the organization root OU. B An AWS Lambda function triggered by the CreateManagedAccount CloudTrail event in the management account. C AWS Service Catalog with a portfolio containing the baseline CloudFormation product, triggered by an Account Factory enrollment workflow. D AWS Control Tower Account Factory, which automatically applies a pre-configured account baseline (including CloudTrail organization trail, Config, Security Hub, and VPC) when vending a new account.

1 / 60

Question 2 of 60

A company has an AWS Transit Gateway connecting 15 spoke VPCs and on-premises networks via Direct Connect. The network team discovers that spoke VPCs can communicate with each other directly (east-west traffic) and wants to restrict this so spokes only communicate with the shared services VPC and on-premises. What Transit Gateway configuration enforces this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Transit Gateway route table propagation from all attachments to a single shared route table, then delete spoke-to-spoke route entries manually. B Configure security groups on all EC2 instances in each spoke VPC to deny inbound traffic from other spoke VPCs' CIDR ranges. C Enable VPC peering between the shared services VPC and each spoke VPC; remove Transit Gateway spoke-to-spoke peering to enforce isolation. D Create separate route tables on the Transit Gateway: a 'spoke' route table with routes to the shared services VPC and on-premises only, and a 'services' route table with routes to all spokes; associate spoke VPC attachments with the spoke route table and shared services/on-premises with the services route table.

2 / 60

Question 3 of 60

An organization runs workloads in both AWS and a private on-premises data center. They want to monitor all logs (AWS CloudTrail, VPC Flow Logs, on-premises syslog) in a centralized SIEM. The SIEM solution is hosted on-premises. How should they route AWS logs to the on-premises SIEM efficiently? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Security Hub to aggregate all findings and export them to the on-premises SIEM using the Security Hub findings export API on a 15-minute poll interval. B Enable CloudTrail and VPC Flow Logs to publish to Amazon CloudWatch Logs; use a CloudWatch Logs subscription filter to stream events to Amazon Kinesis Data Firehose; configure Firehose to deliver to an HTTP endpoint on the on-premises SIEM. C Configure all AWS accounts to ship CloudTrail events directly to the on-premises SIEM using the CloudTrail CloudWatch integration and a cross-premises firewall rule. D Deliver CloudTrail and VPC Flow Logs to an Amazon S3 bucket; configure an S3 Event Notification to trigger a Lambda function that reads the log objects and forwards them to the on-premises SIEM via Direct Connect using the SIEM's syslog API.

3 / 60

Question 4 of 60

A company uses AWS Lambda extensively. A security review finds that several Lambda functions share the same IAM execution role, which has broad S3 and DynamoDB permissions. The security team wants to apply least privilege per function without disrupting operations. What is the correct approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Attach IAM permission boundaries to the shared execution role that restrict the effective permissions to the minimum needed by any single function. B Create an SCP that denies broad S3 and DynamoDB actions for Lambda functions in the development OU. C Enable Lambda resource-based policies on S3 buckets and DynamoDB tables to restrict which Lambda functions can access which resources. D Create individual IAM execution roles for each Lambda function with permissions scoped to only the specific resources and actions that function requires; update each function's execution role configuration.

4 / 60

Question 5 of 60

A company is running a critical application on a fleet of EC2 instances. They need to implement a blue/green deployment strategy where the new version (green) is launched and tested before traffic is shifted from the old version (blue). Traffic shifting must happen gradually (10% per hour) with automatic rollback on elevated error rates. Which AWS solution implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create two separate Auto Scaling groups (blue and green); manually adjust Route 53 weighted routing records to shift traffic 10% per hour; monitor CloudWatch alarms and manually rollback if needed. B Use AWS Elastic Beanstalk with a rolling update deployment policy; Beanstalk updates instances in batches of 10% per hour and monitors application health metrics. C Use AWS CloudFormation with a separate stack for the green environment; use Route 53 weighted routing with a custom Lambda function that adjusts weights 10% per hour and monitors for errors. D Use AWS CodeDeploy with an EC2/On-Premises deployment group in a blue/green configuration; configure a linear traffic shifting deployment configuration (e.g., CodeDeployDefault.Linear10PercentEvery1Hour) with a CloudWatch alarm-based automatic rollback trigger.

5 / 60

Question 6 of 60

A company's solution architect is designing a data lake on Amazon S3. Raw data lands in a 'raw' prefix, is transformed by AWS Glue ETL jobs, and lands in a 'processed' prefix. The data science team needs access to 'processed' data only, while the data engineering team needs access to both. Which IAM strategy enforces this using AWS Lake Formation? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create separate S3 bucket policies for the raw and processed prefixes, granting the data science IAM group access to the processed prefix bucket policy and the data engineering group access to both. B Create two IAM roles with inline policies using S3 condition keys (s3:prefix) to restrict data science access to the processed prefix and allow data engineering access to all prefixes. C Configure two S3 access points on the bucket: one exposing only the processed prefix for the data science team and one exposing both prefixes for data engineering. D Use AWS Lake Formation to register the S3 data lake locations; create two Lake Formation data permissions: grant the data science team SELECT on the 'processed' Glue database only, and grant the data engineering team SELECT on both 'raw' and 'processed' Glue databases.

6 / 60

Question 7 of 60

A financial services firm uses AWS and must ensure that no data leaves the cloud environment. All S3 API calls must go through VPC endpoints, and any call that routes through the public internet must be blocked. Additionally, the bucket policy must only allow access from the specific VPC endpoint. How is this enforced? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure a network ACL on the VPC subnet to block outbound traffic to S3 public IP ranges, forcing all S3 traffic through the VPC gateway endpoint. B Configure an S3 interface endpoint (AWS PrivateLink) and a bucket policy with a Deny on s3:* unless the aws:VpcSourceIp condition matches the endpoint's private IP. C Enable S3 Block Public Access on the bucket and configure a VPC endpoint policy to allow only the specific bucket ARN, preventing public internet access. D Create an S3 VPC gateway endpoint in the VPC and add a bucket policy with a Deny on s3:* unless the aws:sourceVpce condition key matches the endpoint ID; configure route tables to direct S3 traffic through the endpoint.

7 / 60

Question 8 of 60

A company has 500 GB of data in Amazon DynamoDB that must be queried by a data analytics team using SQL. The team is familiar with SQL but not DynamoDB's API. What is the least-effort solution to enable SQL analytics on DynamoDB data? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable DynamoDB Streams and use a Lambda function to replicate all changes to Amazon Redshift in near-real time; the analytics team queries Redshift using SQL. B Use AWS Glue to crawl the DynamoDB table, create a Glue Data Catalog table, and query with Amazon Athena using DynamoDB connector SQL. C Export the DynamoDB table to Amazon S3 using DynamoDB's point-in-time export feature; import the data into Amazon RDS PostgreSQL for SQL querying. D Use the Amazon Athena DynamoDB connector, which enables Athena to directly query DynamoDB tables using SQL without data movement.

8 / 60

Question 9 of 60

A company uses AWS Organizations and has strict requirements that production accounts must never have public S3 buckets. Development accounts may have public buckets for static website hosting. How can the architect enforce this selectively across OUs? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 Block Public Access in all accounts via AWS Config auto-remediation, then exclude development accounts using a Config rule scope filter. B Apply an SCP to the management account that denies s3:PutBucketPublicAccessBlock for all accounts except those in the development OU. C Configure S3 Block Public Access at the bucket level manually in all production accounts and document a policy requiring developers to follow the same process. D Organize accounts into a Production OU and a Development OU; apply an SCP to the Production OU only that denies s3:PutBucketPublicAccessBlock with a False value and s3:PutPublicAccessBlock; also enable account-level S3 Block Public Access via an SCP condition that prevents disabling it in production accounts.

9 / 60

Question 10 of 60

A company's application runs in three AWS regions (us-east-1, eu-west-1, ap-southeast-1) for global availability. Each region has its own Amazon RDS Aurora PostgreSQL cluster. The application needs to read and write locally to minimize latency. When a regional failure occurs, traffic must automatically shift to a healthy region within 1 minute. Which architecture achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon Route 53 with weighted routing records (equal weights across three regions) and CloudWatch health checks; configure S3 replication to sync user data across regions on a 5-minute schedule. B Deploy each Aurora cluster in Multi-AZ mode within its region; use Route 53 geolocation routing to pin each geographic area to its nearest region; manually update DNS during a regional failure. C Create cross-region read replicas for each Aurora cluster and configure application connection pooling to failover across replica endpoints when the primary region fails. D Deploy Aurora Global Database spanning all three regions; Route 53 latency-based routing directs read/write traffic to the nearest region; CloudWatch health checks trigger Route 53 failover records to reroute traffic within 60 seconds when a regional endpoint becomes unhealthy.

10 / 60

Question 11 of 60

A company uses AWS CloudFormation and has a large monolithic template with 500+ resources. Stack updates take 45 minutes and any failure requires a full rollback. The architect wants to reduce update time and blast radius. What is the recommended refactoring approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable CloudFormation drift detection before each update to identify out-of-drift resources and skip updating them, reducing the number of resources processed per update. B Enable CloudFormation stack notifications via SNS and configure automatic remediation to retry failed resources, reducing rollback frequency. C Use CloudFormation StackSets to deploy the monolithic template across multiple accounts and regions in parallel, reducing per-region update time. D Decompose the monolithic template into nested stacks organized by functional tier (network, compute, data); each nested stack can update independently, reducing the scope of changes per update and enabling targeted rollback.

11 / 60

Question 12 of 60

A company needs to analyze S3 access logs to identify which IAM principals accessed sensitive buckets in the last 90 days. The log data is stored as JSON in S3 partitioned by date. What is the most efficient approach to query this data? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Write an AWS Lambda function that downloads all S3 access log files for the past 90 days, parses them in memory, and generates a report saved to S3. B Use Amazon EMR with a Spark job to process all 90 days of S3 log files, filter by sensitive bucket names and IAM principal, and output the results to S3. C Enable Amazon Macie on the S3 log bucket; Macie automatically identifies IAM principal access patterns for sensitive buckets and generates a 90-day access report. D Create an AWS Glue Data Catalog table pointing to the S3 log prefix with date-based partitions; run an Amazon Athena query filtering on the date partition and sensitive bucket columns to identify IAM principals, returning results in seconds.

12 / 60

Question 13 of 60

A company is implementing AWS Config in all accounts across their organization. They want a single view of compliance across all accounts and automatic remediation of non-compliant resources. Which AWS Config feature enables organization-wide deployment and aggregated compliance view? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an AWS Config Aggregator in the management account to collect compliance data from all member accounts; use Config rules in each account for evaluation. B Use AWS Security Hub with Config integration to view all Config compliance findings in a single Security Hub dashboard aggregated by organization. C Deploy AWS Config rules in each account using CloudFormation StackSets; collect compliance data using a custom Lambda aggregation function. D Use AWS Config Conformance Packs deployed as an organization-level pack from the management account; this deploys the pack to all accounts in the organization and enables aggregated compliance reporting via a Config aggregator.

13 / 60

Question 14 of 60

A company's event-driven pipeline uses Amazon EventBridge to route events from multiple SaaS applications to different downstream processors. One processor (Lambda function) fails 30% of the time due to a bug. Failed events must not be lost and must be retried automatically up to 3 times before being moved to a dead-letter destination. Which EventBridge feature handles this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the EventBridge rule's target to use an SQS queue as an intermediary with a maxReceiveCount of 3 and a DLQ for the Lambda function. B Add a Lambda DLQ configuration in the Lambda function's event source mapping to capture failed invocations after 3 retry attempts. C Configure EventBridge to invoke the Lambda function synchronously; if Lambda returns an error, EventBridge retries 3 times using the synchronous retry built into EventBridge. D Configure the EventBridge rule target with retry policy: set MaximumRetryAttempts to 3 and DlqArn pointing to an SQS queue or SNS topic as a dead-letter destination; EventBridge retries failed Lambda invocations up to 3 times then routes to the DLQ.

14 / 60

Question 15 of 60

A company's hybrid architecture connects an on-premises data center to AWS via AWS Direct Connect. The link fails intermittently due to carrier issues. The company requires the connection to fail over to a VPN within 60 seconds. How should the architect design this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Transit Gateway with both Direct Connect and VPN attachments; configure TGW route tables with Direct Connect as the primary route and VPN as the backup; TGW automatically fails over within 60 seconds. B Set up a second Direct Connect connection from a different carrier as primary failover; configure BGP to prefer the second Direct Connect over VPN. C Configure an AWS Site-to-Site VPN connection and set it as the primary connection; use Direct Connect as a backup with higher BGP MED values. D Configure an AWS Site-to-Site VPN using the same Virtual Private Gateway (VGW) as the Direct Connect private VIF; configure BGP so that Direct Connect advertises lower MED (preferred) and the VPN advertises higher MED (backup); BGP failover occurs automatically when the Direct Connect path becomes unreachable.

15 / 60

Question 16 of 60

A company is deploying a containerized microservices application on Amazon EKS. The DevOps team wants to ensure that no Docker images with known critical CVEs are ever deployed to the production cluster. What is the most preventative control? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Amazon Inspector V2 enhanced scanning for ECR; configure an EventBridge rule to send an SNS notification to the security team when a critical CVE is detected. B Use Amazon ECR with Inspector V2 enhanced scanning enabled; configure a Kubernetes admission webhook (using OPA Gatekeeper or Kyverno) that queries ECR image scan results and denies pod admission if the image has unresolved critical findings. C Configure a Kubernetes admission controller (OPA/Gatekeeper or Kyverno) policy that denies pod creation if the image was pushed more than 24 hours ago, ensuring only recently scanned images are deployed. D Implement a CI/CD pipeline stage that runs Trivy image scanning before pushing to ECR; fail the pipeline if any critical CVE is found, preventing vulnerable images from reaching ECR.

16 / 60

Question 17 of 60

A company's AWS environment spans 20 accounts. The security team needs a centralized place to view all security findings (GuardDuty, Inspector, Macie, IAM Access Analyzer) across all accounts, prioritized by severity, with automated remediation for common findings. What AWS service provides this aggregation and automation capability? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Amazon GuardDuty with an administrator account; GuardDuty aggregates threat findings from all 20 accounts and provides a centralized threat severity dashboard. B AWS Security Hub with an administrator account enrolled with all 20 member accounts; Security Hub aggregates findings from GuardDuty, Inspector, Macie, and IAM Access Analyzer; configure automated response using Security Hub custom actions or EventBridge rules that trigger Lambda-based remediation. C Amazon Detective with an administrator account; Detective aggregates security findings and provides graph-based investigation of all events across 20 accounts. D AWS Config with an organization aggregator; Config collects compliance findings from all accounts and provides a unified compliance dashboard.

17 / 60

Question 18 of 60

A company runs a microservices application using Amazon API Gateway HTTP API and AWS Lambda. One Lambda function calls a downstream service that occasionally takes 20â€“25 seconds to respond. The API Gateway HTTP API's integration timeout is 30 seconds. Clients time out waiting for a response and retry, causing duplicate calls to the downstream service. What redesign resolves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Switch from HTTP API to REST API in API Gateway, which has a configurable integration timeout up to 29 seconds, providing better handling of slow integrations. B Implement an asynchronous API pattern: the initial API call returns a 202 Accepted with a job ID; a Lambda function processes the downstream call asynchronously; clients poll a status endpoint (or receive a webhook callback) for the result, eliminating the timeout problem. C Enable API Gateway caching to serve cached responses for repeated requests during the 20â€“25 second wait, preventing duplicate downstream calls. D Increase the Lambda function's reserved concurrency to handle the increased load from client retries, and configure the downstream service with a 30-second timeout to match API Gateway.

18 / 60

Question 19 of 60

A company uses AWS Secrets Manager to store database credentials. The rotation Lambda function has been failing for 3 days. The on-call team needs to immediately understand which applications are affected by the stale credentials and which Lambda invocations failed. What combination of AWS observability tools provides this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Check AWS Config for recent configuration changes to the Secrets Manager secret and IAM roles associated with the rotation Lambda. B Check Amazon CloudWatch Logs for the rotation Lambda function's log group to find error messages; review CloudWatch Metrics for Lambda errors (Errors metric) and Secrets Manager rotation events; use AWS CloudTrail to identify which applications' GetSecretValue calls succeeded or failed during the rotation window. C Review VPC Flow Logs to identify network connections from Lambda to the database that failed during the rotation window. D Enable Amazon X-Ray tracing on the rotation Lambda to trace all invocations; query the X-Ray service map to identify downstream services affected by rotation failure.

19 / 60

Question 20 of 60

A company is building a SaaS platform where each customer tenant has their own isolated Aurora PostgreSQL database cluster. With 200 tenants and growing, the DBA team is overwhelmed managing individual clusters. What AWS service reduces the operational overhead of managing 200+ Aurora clusters? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Consolidate all tenants into a single Aurora cluster with a separate schema per tenant; use database-level access controls to enforce isolation. B Use Amazon Aurora Serverless v2 for each tenant cluster; serverless v2 auto-scales capacity and pauses when idle, reducing the operational overhead of provisioning and managing 200+ clusters. C Use Amazon RDS Custom with an automated golden AMI pipeline to standardize instance management; deploy one RDS Custom instance per tenant from the golden AMI. D Migrate all tenants to Amazon DynamoDB using a single-table design with tenant_id as the partition key; eliminate database cluster management entirely.

20 / 60

Question 21 of 60

A company needs to implement a solution where users upload large video files (up to 5 GB) directly to Amazon S3 without routing through the application backend. The upload must be authenticated and authorized but the backend should not handle the actual file bytes. Which approach achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure an API Gateway binary payload proxy integration that streams the video upload directly through API Gateway to S3, avoiding backend processing of the file bytes. B Generate an S3 pre-signed POST URL (or pre-signed PUT URL) in the application backend using the AWS SDK with the user's scoped IAM role credentials; the client uploads directly to S3 using the pre-signed URL without routing through the backend. C Deploy a presigned URL Lambda function that generates a temporary IAM user for each upload, providing the temporary user's credentials to the client for direct S3 PutObject. D Use Amazon CloudFront with S3 as the origin and configure PUT request passthrough; users upload to the CloudFront distribution URL, which forwards the PUT directly to S3.

21 / 60

Question 22 of 60

A company runs Amazon Elastic MapReduce (EMR) clusters for batch analytics on data stored in Amazon S3. The clusters run 8 hours per day and the data is never persisted on HDFS beyond the EMR job. Cluster startup takes 12 minutes. The team wants to minimize cost without changing the Spark job code. What is the optimal EMR configuration? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use EMR Reserved Instances for the master and core nodes with Spot Instances for task nodes; this balances stability with Spot cost savings. B Use EMR on EC2 transient clusters with instance fleets combining Spot and On-Demand instances; configure the cluster to store all data in S3 (not HDFS); terminate the cluster after each job; use EMR managed scaling to right-size the fleet. C Use EMR on EC2 with a persistent cluster running 24/7 to eliminate the 12-minute startup overhead; instance costs are offset by eliminating startup delays. D Migrate the Spark jobs to AWS Glue, which provides a serverless Spark environment; Glue eliminates cluster management and charges per DPU-second.

22 / 60

Question 23 of 60

A company has a strict requirement that all Amazon EC2 instances must communicate with the internet through a centralized inspection VPC that runs third-party firewall appliances. All 30 VPCs must route outbound internet traffic through the inspection VPC. Which network topology achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create VPC peering between each spoke VPC and the inspection VPC; configure spoke VPC route tables with a default route (0.0.0.0/0) pointing to the peering connection to the inspection VPC. B Use AWS Transit Gateway to connect all spoke VPCs and the inspection VPC; configure the Transit Gateway with an appliance mode route table for the inspection VPC attachment; spoke route tables send the default route (0.0.0.0/0) to the TGW; the TGW routes traffic to the inspection VPC's firewall appliances before it exits to the internet. C Deploy AWS Network Firewall in each spoke VPC and configure centralized logging to the inspection VPC's S3 bucket. D Attach all spoke VPCs to an Application Load Balancer in the inspection VPC using VPC endpoints; route all outbound traffic through the ALB to the firewall appliances.

23 / 60

Question 24 of 60

A company uses AWS CodePipeline for CI/CD. A recent deployment introduced a bug that wasn't caught by unit tests. The team wants to add automated integration tests that run against a staging environment before any production deployment, with the ability to automatically roll back if tests fail. Which CodePipeline configuration implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Add a CodeBuild stage after the Deploy-to-Production stage that runs integration tests; configure an EventBridge rule to detect test failures and trigger a Lambda rollback function. B Add an integration test stage using AWS CodeBuild between the staging deploy stage and the production deploy stage; configure the CodeBuild project to fail the pipeline (non-zero exit code) if any integration test fails, preventing promotion to production; use CodeDeploy with automatic rollback enabled for the production deployment. C Enable CodePipeline parallel stages so that integration tests run simultaneously with production deployment; if tests fail, a manual approval action allows the team to decide whether to rollback. D Use AWS Lambda invoke actions in CodePipeline to run integration tests against the staging environment; configure the Lambda to update an S3 flag file; a subsequent CodePipeline stage reads the flag and conditionally deploys to production.

24 / 60

Question 25 of 60

A company processes financial transactions in Amazon SQS. Each transaction must be processed exactly once. The current implementation uses SQS Standard queues and occasionally processes the same transaction twice due to at-least-once delivery. The application cannot implement deduplication logic. What SQS configuration change eliminates duplicate processing? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable SQS message retention to 1 minute; messages that are delivered twice would be expired before the second delivery occurs. B Migrate to SQS FIFO queues with content-based deduplication enabled; FIFO queues provide exactly-once processing within a 5-minute deduplication window using a SHA-256 hash of the message body. C Add a Dead-Letter Queue to the SQS Standard queue with maxReceiveCount of 1; this ensures each message is delivered only once before being moved to the DLQ. D Configure the SQS visibility timeout to 24 hours; this prevents the message from becoming visible to a second consumer while the first consumer is processing it.

25 / 60

Question 26 of 60

A company stores 10 PB of archival genomics data in Amazon S3 Glacier Deep Archive. Regulatory requirements mandate that data can be retrieved within 12 hours on demand, but retrievals happen very infrequently (once every 2 years on average). How should the architect configure retrieval to ensure compliance with the 12-hour SLA? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use S3 Glacier Flexible Retrieval Standard tier (3â€“5 hours), which provides retrieval well within 12 hours at lower cost than Expedited retrieval. B Use S3 Glacier Deep Archive Standard retrieval, which provides data within 12 hours; configure an AWS Step Functions workflow to initiate retrieval automatically when a retrieval request is submitted, monitoring for completion within the SLA. C Pre-emptively restore all 10 PB from Glacier Deep Archive to S3 Standard-IA every year to ensure data is available within 12 hours when needed. D Use S3 Intelligent-Tiering for archival data, which automatically moves to the Deep Archive Access Tier; Intelligent-Tiering Expedited retrieval provides data within 1â€“5 minutes.

26 / 60

Question 27 of 60

A company wants to enable developers to self-service deploy applications to Amazon ECS using a standardized template without granting direct IAM permissions to create ECS services, task definitions, or IAM roles. Which AWS service enables governed self-service deployment? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create a shared IAM role with ECS permissions and allow developers to assume it via the AWS console to deploy their applications. B Publish the ECS deployment template as an AWS Service Catalog product in a developer portfolio; grant developers the sc:ProvisionProduct permission only; Service Catalog uses a launch constraint role (with ECS/IAM permissions) to provision resources on behalf of developers without exposing those permissions directly. C Publish a CloudFormation template in an internal wiki; developers clone the template and deploy it using the AWS CLI with their personal IAM credentials. D Use AWS CodePipeline with a developer-facing approval stage; developers trigger the pipeline, which uses a service account to deploy to ECS.

27 / 60

Question 28 of 60

A company's application tier consists of EC2 instances in an Auto Scaling group behind an ALB. During scale-in events, some in-flight requests are dropped when instances are terminated before request processing completes. What configuration prevents request drops during scale-in? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Increase the EC2 instance termination wait time by configuring a longer health check grace period in the ALB target group. B Enable ALB connection draining (deregistration delay) with a sufficient timeout (e.g., 300 seconds) on the target group; configure an Auto Scaling lifecycle hook on the EC2_INSTANCE_TERMINATING transition that pauses termination until the deregistration delay completes. C Configure the Auto Scaling group's default cooldown period to 600 seconds to prevent rapid scale-in events from terminating instances while requests are in-flight. D Enable instance protection on the Auto Scaling group to prevent EC2 instances from being terminated while they are serving requests above a threshold CPU utilization.

28 / 60

Question 29 of 60

A company's security team requires that all API calls to AWS are made over private network paths onlyâ€”no public internet. This includes CLI, SDK calls, and console API calls from within the corporate network connected via Direct Connect. Which AWS service and configuration achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 and DynamoDB gateway endpoints in the VPC; configure on-premises DNS to resolve all AWS API endpoints to the gateway endpoint virtual IP addresses. B Create AWS PrivateLink interface endpoints for each AWS service (ec2, s3, sts, etc.) in the VPC connected to Direct Connect; configure on-premises DNS to resolve aws.amazonaws.com service endpoints to the interface endpoint private IPs; all API calls route over Direct Connect to the interface endpoints. C Use AWS PrivateLink with a Transit Gateway attachment to forward on-premises API calls through the Transit Gateway to AWS service endpoints without using the public internet. D Configure a SOCKS proxy on an EC2 instance in the VPC; route all corporate network API calls through the SOCKS proxy, which proxies requests to AWS services over the VPC's internet gateway.

29 / 60

Question 30 of 60

A company's architecture uses multiple Lambda functions that all write logs to the same CloudWatch Log Group. During a security incident, the IR team needs to search logs for a specific string across all Lambda invocations in the last 6 hours. Which tool enables this in minutes? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Download all CloudWatch Logs to S3 using an export task and use Amazon Athena to search the exported logs. B Use CloudWatch Logs Insights to run a query with a filter command (e.g., filter @message like /specific string/) against the Log Group, scoped to the last 6 hours, returning matching events in seconds. C Use the CloudWatch Logs console Filter and Pattern Syntax to search the Log Group using a filter expression and the 6-hour time range. D Enable CloudWatch Logs subscription to Amazon OpenSearch Service; use the OpenSearch Dashboards full-text search to find the specific string.

30 / 60

Question 31 of 60

A company runs Amazon Kinesis Data Streams with 50 shards ingesting clickstream data at 45,000 records/second. The data science team adds a new consumer application that must receive each record within 70 ms of ingestion. Currently all three consumer applications share read throughput (2 MB/s per shard shared across consumers). How can the architect ensure the new consumer meets its latency requirement? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Register the new consumer application as an Enhanced Fan-Out (EFO) consumer using the SubscribeToShard API; EFO provides dedicated 2 MB/s throughput per shard to this consumer, pushing records to it via HTTP/2 with sub-70 ms latency. B Increase the number of shards from 50 to 150 to triple the available throughput, providing each consumer dedicated shard capacity. C Configure the new consumer application to use the GetRecords API with the LATEST iterator and reduce the polling interval to 50 ms. D Use SQS as a buffer: publish all Kinesis records to SQS via a Kinesis Firehose delivery stream; the new consumer reads from SQS for dedicated throughput.

31 / 60

Question 32 of 60

A company has a microservices application on Amazon EKS. Service-to-service calls frequently fail with connection refused errors when a target service pod restarts. The application does not implement retry logic. Which Kubernetes/AWS feature resolves this transparently at the infrastructure layer? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Deploy AWS App Mesh with Envoy sidecar proxies configured with retry policies; App Mesh automatically retries failed service-to-service requests transparently without application code changes. B Increase the EKS pod readiness probe timeout so that pods are not marked ready until the service is fully initialized, preventing premature traffic. C Configure AWS ALB Ingress Controller with slow_start and connection draining to prevent connection refused errors during pod restarts. D Configure the Kubernetes Service resource with a sessionAffinity: ClientIP setting to ensure all requests from one client always go to the same pod, avoiding pods that are restarting.

32 / 60

Question 33 of 60

A company has a complex data pipeline with 15 AWS Glue ETL jobs that have dependencies on each other (Job B can only start after Job A completes). Managing job dependencies with EventBridge rules and Lambda functions has become unwieldy. Which AWS service provides visual workflow orchestration with dependency management for Glue jobs? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Step Functions with a state machine that chains Glue job invocations using GlueStartJobRun and GlueGetJobRun states; Step Functions natively integrates with Glue, manages dependencies, handles errors, and retries automatically. B Amazon Managed Workflows for Apache Airflow (MWAA), which provides a fully managed Airflow environment for complex Glue job DAGs with dependency management. C AWS CodePipeline with Glue job invoke actions in sequential pipeline stages; each stage depends on the success of the previous stage. D AWS Glue Workflows, which provide a dependency-aware orchestration layer natively within AWS Glue; create a workflow with triggers defining job dependencies and monitor execution from the Glue console.

33 / 60

Question 34 of 60

A company's web application uses Amazon ElastiCache for Redis to store session data. The Redis cluster is a single-node deployment. During the weekly maintenance window, ElastiCache applies updates and the Redis node is restarted, causing all user sessions to be lost. What architecture change prevents session loss during maintenance? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Migrate from a single-node Redis deployment to a Redis replication group with at least one read replica and Multi-AZ automatic failover; during maintenance, ElastiCache performs a failover to the replica before restarting the primary, maintaining session availability. B Enable Redis persistence (AOF) on the single-node cluster so that session data is written to disk and restored after the maintenance window restart. C Increase the ElastiCache node size to a larger instance type to reduce the restart duration and minimize session loss. D Enable ElastiCache snapshot backups before the maintenance window and restore the snapshot immediately after the restart to re-populate session data.

34 / 60

Question 35 of 60

A company runs a critical OLTP application on Amazon Aurora MySQL. The database has a 1 TB dataset that is queried intensively by both the application (transactional queries) and a BI team (complex analytical reports). Analytical queries are degrading OLTP performance. What architecture change isolates analytical workloads without data duplication? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Aurora MySQL zero-ETL integration with Amazon Redshift; transactional data is continuously replicated to Redshift without ETL code; the BI team queries Redshift for analytical workloads, completely offloading analytics from Aurora. B Enable Aurora Parallel Query on the writer instance; Parallel Query pushes analytical query processing to the storage layer, eliminating resource competition with OLTP queries on the writer. C Create Aurora read replicas and direct BI queries to a dedicated read replica; add more replicas during BI reporting peaks. D Export Aurora data to Amazon S3 on a nightly basis using S3 export; have the BI team query S3 data with Amazon Athena.

35 / 60

Question 36 of 60

A company is designing a zero-trust architecture for AWS. Every API call must be verified against a central policy engine before being executed, regardless of the caller's IAM identity. How can an architect implement attribute-based access control (ABAC) across all AWS services at the organizational level? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use IAM Identity Center with attribute-based access control: define permission sets that use session tags mapped from the IdP's user attributes; SCPs enforce tag-based conditions across the organization; IAM policies use aws:PrincipalTag conditions to scope permissions based on user attributes dynamically. B Deploy a custom Lambda authorizer for all API Gateway endpoints and use AWS Verified Permissions (Cedar policy engine) to evaluate each API call against the central policy. C Deploy Amazon Verified Access as the central policy engine; configure all AWS API calls to route through Verified Access for policy evaluation before execution. D Configure AWS CloudTrail with real-time EventBridge rules to evaluate all API calls and deny unauthorized calls by invoking a Lambda function that calls IAM to revoke the caller's credentials.

36 / 60

Question 37 of 60

A company's AWS environment has hundreds of EC2 instances across 20 accounts. The operations team needs to apply a software patch to all running EC2 instances within 4 hours, including instances in private subnets without internet access. Which AWS Systems Manager capability enables this at scale without SSH? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Systems Manager Run Command with the AWS-RunPatchBaseline document from the delegated Systems Manager administrator account, targeting all instances using the organization-wide resource data sync; instances communicate with SSM via interface VPC endpoints, eliminating internet access requirements. B Use AWS Systems Manager Patch Manager to define a patch baseline and manually trigger patching in each of the 20 accounts during the 4-hour window. C Deploy a custom Lambda function in each account that uses the SSM RunCommand API to trigger patch installation on all instances in that account; coordinate from the management account. D Use AWS Config with a managed rule that detects unpatched instances and triggers SSM Automation to apply the patch baseline, running across all 20 accounts simultaneously.

37 / 60

Question 38 of 60

A company uses Amazon SageMaker for ML model training and deployment. Models are trained weekly, and the best model is deployed to a SageMaker endpoint. The deployment team wants to ensure that the new model performs better than the current model in production before routing 100% of traffic to it. Which SageMaker feature enables gradual traffic shifting with comparison? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use SageMaker endpoint production variants; configure the endpoint with two variants (current and new) with a low initial weight for the new variant (e.g., 10%); monitor CloudWatch metrics per variant; adjust weights using UpdateEndpointWeightsAndCapacities as the new model proves itself. B Use SageMaker Model Monitor to compare incoming prediction distributions; automatically shift traffic when the new model's distribution matches the production model. C Deploy the new model to a separate SageMaker endpoint and use Amazon Route 53 weighted routing to gradually shift API calls from the old endpoint to the new endpoint. D Enable SageMaker automatic model tuning (hyperparameter optimization) to continuously compare model versions and deploy the best-performing model automatically.

38 / 60

Question 39 of 60

A company's AWS Organization has a strict SCP that denies iam:CreateUser across all member accounts (no IAM users allowed). A third-party SaaS tool requires AWS IAM user credentials (access key and secret) for integration. How can the company provide the SaaS tool with AWS access without violating the SCP? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Identity Federation with an OIDC or SAML IdP to generate temporary credentials via sts:AssumeRoleWithWebIdentity or sts:AssumeRoleWithSAML for the SaaS tool; if the SaaS tool supports OAuth/OIDC, use Workload Identity Federation; if it requires long-term credentials, request an SCP exception for a specific, isolated account. B Create an IAM user in the AWS Organizations management account (SCPs do not apply to the management account) and use those credentials for the SaaS tool. C Use AWS Secrets Manager to generate synthetic IAM access key material for the SaaS tool without actually creating an IAM user. D Create an IAM user in a sandboxed account not enrolled in the organization, maintaining the credentials outside the SCP-governed accounts.

39 / 60

Question 40 of 60

A company runs a high-traffic e-commerce application during holiday seasons. They use Amazon RDS Aurora MySQL with provisioned capacity. During peak Black Friday traffic, the database CPU hits 95% and response times degrade. The team has already added read replicas and offloaded reads. The bottleneck is write throughput to the Aurora writer. What architectural change addresses write throughput limitations? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Implement application-level write sharding: partition the dataset by a shard key (e.g., customer_id % N) across N independent Aurora clusters; each cluster handles 1/N of the write traffic. B Enable Aurora Multi-Master (available for Aurora MySQL 5.6 only) to distribute write traffic across multiple writer nodes. C Enable Aurora Parallel Query on the writer instance to distribute write operations across multiple storage nodes. D Upgrade the Aurora writer instance from db.r5.4xlarge to db.r5.16xlarge to provide more CPU and memory for handling higher write throughput.

40 / 60

Question 41 of 60

A company needs to grant a contractor temporary access to specific AWS resources for a 2-week project. The contractor uses their own AWS account. Access must expire automatically without any manual revocation. What IAM mechanism enables time-limited cross-account access? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an IAM role in the company's account with a trust policy condition using DateLessThan set to the end of the 2-week period; grant the contractor's account permission to assume the role; after the expiry date, the condition blocks all assume-role requests automatically. B Use AWS Secrets Manager to issue temporary AWS access keys for the contractor with a 14-day TTL; Secrets Manager automatically rotates and expires the keys after the TTL. C Create an IAM role and attach a permission boundary that includes a DenyAll policy starting on day 15; the boundary limits effective permissions to zero after the 2-week period. D Create an IAM user for the contractor in the company's account; set the user's password expiry to 14 days; configure an EventBridge-scheduled Lambda function to delete the user after 14 days.

41 / 60

Question 42 of 60

A company uses AWS CloudTrail for audit logging. The security team wants to ensure that CloudTrail log files stored in S3 have not been tampered with since they were written. Which CloudTrail feature detects tampering? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable CloudTrail log file integrity validation when configuring the trail; CloudTrail creates a signed digest file every hour containing SHA-256 hashes of the log files delivered during that hour; the aws cloudtrail validate-logs CLI command verifies the hashes to detect any tampering or deletion. B Enable CloudTrail event versioning, which creates a new version of each log file whenever it is modified, making tampering detectable through version history. C Configure S3 Object Lock Compliance mode on the CloudTrail bucket, which prevents modification or deletion and implicitly validates log integrity. D Enable S3 versioning on the CloudTrail bucket; compare current object ETags with original ETags stored in a separate DynamoDB table to detect modifications.

42 / 60

Question 43 of 60

A company's application has a complex authentication flow: users authenticate with the corporate IdP (SAML 2.0), which issues a SAML assertion. The application then needs temporary AWS credentials scoped to the specific user's department to access department-specific S3 prefixes. Which AWS mechanism maps IdP attributes to scoped AWS credentials? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS STS AssumeRoleWithSAML with the corporate IdP's SAML assertion; pass session tags from SAML attribute statements (e.g., department=finance); the IAM role's policy uses aws:PrincipalTag/department in a StringEquals condition on the S3 key prefix, scoping credentials to the user's department. B Configure a Lambda authorizer in API Gateway that validates the SAML assertion and issues pre-signed S3 URLs scoped to the user's department prefix. C Store the SAML assertion in DynamoDB keyed by user ID; a Lambda function reads the assertion and calls STS AssumeRoleWithWebIdentity to issue scoped credentials. D Use AWS IAM Identity Center with SAML federation; configure permission sets that reference the SAML attribute for department; users receive temporary credentials for the permission set matching their department.

43 / 60

Question 44 of 60

A company migrates a legacy Oracle database to Amazon Aurora PostgreSQL using AWS DMS. After migration, the team discovers that several stored procedures use Oracle-specific PL/SQL syntax that is incompatible with PostgreSQL's PL/pgSQL. What AWS tool helps identify and convert these incompatible objects? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Schema Conversion Tool (SCT), which analyzes the Oracle database schema and stored procedures, provides an action report with conversion complexity ratings, and attempts automatic conversion of compatible objects; complex PL/SQL that cannot be auto-converted is flagged for manual remediation. B Amazon CodeGuru Reviewer, which analyzes Oracle PL/SQL code and suggests PostgreSQL-compatible rewrites using ML-based code recommendations. C AWS DMS Schema Conversion, which automatically converts all Oracle PL/SQL stored procedures to equivalent PostgreSQL PL/pgSQL during the DMS migration task. D AWS Database Migration Assessment, which generates a compatibility report between Oracle and PostgreSQL and automatically rewrites all stored procedures without manual intervention.

44 / 60

Question 45 of 60

A company runs Amazon EKS and uses AWS Fargate profiles for serverless pod execution. The security team wants to enforce that no pod can be scheduled with privileged security context (privileged: true). What is the most Kubernetes-native approach to enforce this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Deploy OPA Gatekeeper with a ConstraintTemplate that defines a policy denying pod admission if any container in the pod spec has securityContext.privileged: true; the admission webhook enforces this at pod creation time. B Apply an AWS SCP that denies EKS API calls for creating privileged pods, preventing privileged pod specifications from reaching the Kubernetes API server. C Configure the EKS cluster's Kubernetes RBAC to deny ClusterRoles with permission to create privileged pods. D Configure AWS Fargate's managed node group to reject privileged containers using a Fargate profile selector that excludes pods with privileged security contexts.

45 / 60

Question 46 of 60

A company stores 50 TB of research data in Amazon S3. The data must be made available to an academic partner in Europe through a secure, governed data sharing mechanism without physically transferring data to the partner's infrastructure. The partner uses their own AWS account. Which AWS solution enables this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an S3 bucket in eu-west-1, replicate the data using S3 Cross-Region Replication from the source bucket, and share the eu-west-1 bucket ARN with the academic partner. B Generate pre-signed URLs for all 50 TB of S3 objects with 30-day expiry and share them securely via email with the academic partner. C Use AWS Lake Formation cross-account data sharing: register the S3 data lake in Lake Formation, create a data share granting the academic partner's AWS account access to specific Glue Data Catalog databases/tables; the partner queries the data via Athena in their account against the shared catalog, and the data never leaves the source S3 bucket. D Package the 50 TB dataset on an AWS Snowball Edge device and ship it to the academic partner's data center in Europe for analysis.

46 / 60

Question 47 of 60

A company's application uses AWS Lambda and must retry failed operations with exponential backoff. The Lambda function is triggered by Amazon SQS. When the function throws an exception, the message becomes visible again after the visibility timeout and is retried by SQS. The team wants a maximum of 5 retries before the message is moved to a DLQ. What configuration achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the SQS queue's visibility timeout to 5 minutes; after 5 visibility timeout expirations, SQS automatically moves the message to the DLQ. B Set the Lambda function's retry behavior in the Lambda console to 5 retries with exponential backoff; failed messages are automatically moved to DLQ after 5 failures. C Configure the SQS queue's maxReceiveCount in the Redrive Policy to 5 and specify the DLQ ARN; after the message is received 5 times without being deleted (indicating processing failure), SQS automatically moves it to the DLQ. D Enable Lambda Destinations with an OnFailure destination pointing to an SQS DLQ; configure the Lambda event source mapping to stop invoking after 5 consecutive failures.

47 / 60

Question 48 of 60

A company has a real-time fraud detection system that must evaluate each financial transaction within 200 ms. The system uses a custom ML model. The model is updated weekly. What AWS architecture supports real-time inference at low latency with weekly model updates? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Store the ML model in S3 and have a Lambda function load it at each invocation, running the inference inline within the 200 ms budget. B Package the ML model in a Docker container and run it as an Amazon ECS Fargate task; use API Gateway as the inference API and auto-scale the Fargate service for low latency. C Deploy the ML model to an Amazon SageMaker real-time inference endpoint using a GPU-optimized instance; update the endpoint to use the new model version each week using SageMaker endpoint production variants with a gradual traffic shift, achieving near-zero downtime updates. D Use Amazon Rekognition Custom Labels to train the fraud detection model; Rekognition provides real-time inference with sub-200 ms latency and automatic model updates.

48 / 60

Question 49 of 60

A company is migrating from an on-premises VMware vSphere environment to AWS. They have 200 VMs running various workloads and want to minimize application refactoring while reducing migration time. Which AWS service is designed for automated VM migration with near-continuous replication? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Server Migration Service (SMS), which replicates VMware VMs to AMIs on a scheduled basis (up to every 12 hours) and provides lifecycle management for the migration. B AWS DataSync, which synchronizes data between on-premises VMware datastore NFS mounts and Amazon EFS, reconstructing VMs from the synchronized files. C AWS Application Migration Service (MGN), which installs a lightweight agent on source VMs that continuously replicates block-level changes to AWS; test instances can be launched for validation, and the cutover creates production EC2 instances from the latest replicated data with minimal downtime. D AWS Database Migration Service (DMS), which performs block-level replication of VMware VMs to EC2 instances with near-zero downtime.

49 / 60

Question 50 of 60

A company needs a solution to run thousands of short-duration (1â€“5 minute) containerized jobs triggered by S3 file uploads. The jobs process the uploaded files and write results to DynamoDB. Each job requires 0.5 vCPU and 1 GB RAM. The team wants no cluster management and cost proportional to job execution time. Which service combination meets these requirements? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A S3 Event Notification â†’ SQS â†’ AWS Lambda with container image (10 GB max, 15-min timeout) â€” Lambda runs the container logic, scales automatically, and charges per ms of execution. B S3 Event Notification â†’ SQS â†’ Amazon ECS on EC2 with auto-scaling based on queue depth â€” ECS manages the container cluster but requires EC2 instance management. C S3 Event Notification â†’ Amazon EventBridge â†’ AWS Step Functions Express Workflow â†’ Amazon ECS RunTask with Fargate launch type â€” Fargate provides serverless container execution per task with CPU/memory allocation; charges are per vCPU-second and GB-second. D S3 Event Notification â†’ SQS â†’ Amazon EMR Serverless â€” EMR Serverless runs containerized Spark jobs per file upload with no cluster management.

50 / 60

Question 51 of 60

A company's architecture uses a mix of public and private hosted zones in Amazon Route 53. The company recently split their VPC into two separate VPCs and the private hosted zone is only associated with the original VPC. Resources in the new VPC cannot resolve private DNS names. What is the correct fix? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Route 53 Resolver endpoints in the new VPC that forward private DNS queries to the original VPC's Route 53 private hosted zone. B Create a VPC peering connection between the original and new VPCs; private hosted zone DNS resolution is automatically extended to peered VPCs. C Associate the Route 53 private hosted zone with the new VPC using the Route 53 console or CLI (associate-vpc-with-hosted-zone); once associated, resources in the new VPC can resolve all records in the private hosted zone. D Migrate all private hosted zone records to a public hosted zone so that the new VPC can resolve the DNS names using Route 53 public resolvers.

51 / 60

Question 52 of 60

A company runs Amazon EC2 instances and wants to reduce costs by identifying underutilized instances and purchasing Reserved Instances or Savings Plans for the right workloads. Which AWS tool provides recommendations for both Reserved Instances and Savings Plans based on historical usage? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A AWS Trusted Advisor Cost Optimization checks identify underutilized EC2 instances and suggest instance type downsizing but do not recommend Reserved Instances or Savings Plans. B AWS Compute Optimizer analyzes EC2 utilization and recommends optimal instance types but does not provide Reserved Instance or Savings Plans purchasing recommendations. C AWS Cost Explorer with RI and Savings Plans recommendations analyzes the last 7, 30, or 60 days of usage and recommends specific Reserved Instance types (EC2, RDS, ElastiCache) and Savings Plans (Compute, EC2 Instance, SageMaker) with estimated savings. D AWS Budgets with Savings Plans budget type tracks Savings Plans utilization but does not generate new recommendations for what to purchase.

52 / 60

Question 53 of 60

A company uses AWS CloudFormation with a monolithic template. The ops team reports that updating the VPC CIDR in the template results in the VPC being replaced (new resource), causing all dependent resources to be recreatedâ€”causing a multi-hour outage. How should the architect prevent this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use CloudFormation Change Sets to preview the VPC CIDR update before applying; if the change set shows a resource replacement, cancel it. B Configure the CloudFormation VPC resource with a DeletionPolicy of Retain; the old VPC is retained but a new VPC is still created and all dependent resources are still recreated. C Use a CloudFormation Stack Policy to explicitly Deny Updates with ReplaceAfterCreate behavior on the VPC resource; the update will fail rather than replace the VPC, preventing the outage. D Modularize the VPC into a separate nested stack with StackPolicy protecting the VPC resource; nested stacks update independently of the compute stack.

53 / 60

Question 54 of 60

A company's production ECS application is experiencing memory leaks. The containers use increasing amounts of RAM over time until they are OOM-killed and restarted. The team needs to monitor memory usage per container in real time. Amazon ECS Fargate does not expose container memory metrics by default in CloudWatch. What is the correct approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Install the CloudWatch agent as a sidecar container in the ECS task definition; the CloudWatch agent reports per-container memory metrics to CloudWatch. B Enable ECS container insights on the ECS cluster; Container Insights automatically collects task-level CPU and memory metrics at the task definition resource limits without per-container granularity. C Enable ECS Container Insights at the cluster level and use CloudWatch Container Insights metrics (MemoryUtilized, MemoryReserved per task); for per-container granularity, install the AWS FireLens log router with a custom plugin that reports container-level metrics. D Configure Prometheus scraping on the ECS task with the ECS-managed Prometheus metrics endpoint; send metrics to Amazon Managed Prometheus and visualize in Grafana.

54 / 60

Question 55 of 60

A company has 1,000 microservices deployed on Amazon EKS. The services expose REST APIs. The API team wants a unified, managed entry point for all external API consumers with features including authentication, rate limiting, request transformation, and API versioning. Which AWS service provides these API management capabilities? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon CloudFront with Lambda@Edge for authentication and rate limiting; create a CloudFront behavior per microservice endpoint for routing. B Deploy an AWS Application Load Balancer with listener rules for each microservice path; use Lambda@Edge for authentication and rate limiting at the edge. C Deploy AWS API Gateway REST API as a proxy for all EKS microservices; use API Gateway features for authentication (Cognito, Lambda authorizer), throttling, usage plans, request/response transformation, and stage-based versioning. D Deploy Kong or another open-source API gateway on EKS as a managed ingress controller; AWS Marketplace provides AMIs for API gateway appliances.

55 / 60

Question 56 of 60

A company's AWS CloudTrail is configured to log to a central S3 bucket in the logging account. A security analyst discovers that a threat actor accessed the logging account and deleted 2 weeks of CloudTrail logs. What architectural change prevents future log deletion, including by a compromised logging account administrator? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS Config in the logging account to detect S3 object deletion events and trigger a Lambda function to re-download logs from CloudTrail's internal storage. B Enable S3 Versioning and MFA Delete on the CloudTrail log bucket so that any delete operation requires multi-factor authentication, preventing unauthorized deletion. C Enable S3 Object Lock in Compliance mode with a 90-day retention period on the CloudTrail log bucket; also enable CloudTrail log file integrity validation. Even a compromised account administrator cannot delete Compliance-mode locked objects before the retention period expires. D Configure an SCP on the logging account's OU that denies s3:DeleteObject and s3:DeleteObjectVersion for the CloudTrail log bucket, preventing even the account root user from deleting logs.

56 / 60

Question 57 of 60

A company runs 3,000 EC2 instances across 15 AWS accounts. They need to track which instances have no business owner tag and automatically notify the owner (based on who launched the instance) to add the tag within 7 days, then terminate untagged instances after 7 days. What AWS-native automation achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Trusted Advisor to identify untagged instances; export the list to S3; use a Lambda function to email owners and set a DynamoDB expiry TTL for 7-day termination. B Deploy a custom Lambda function in each account that runs daily, queries EC2 for untagged instances, looks up the CloudTrail creator, sends SES emails, and terminates instances after 7 days. C Use AWS Config with the required-tags managed rule across all accounts via a conformance pack; configure remediation with an SSM Automation document that: (1) identifies the IAM principal that created the instance using CloudTrail, (2) sends an SNS notification, (3) after 7 days, if still untagged, terminates the instance using ec2:TerminateInstances. D Use AWS Service Catalog TagOptions to enforce tagging at instance launch; instances launched without required tags are automatically rejected by Service Catalog constraints.

57 / 60

Question 58 of 60

A company uses AWS Direct Connect for production traffic between on-premises and AWS. They want to test failover to a backup VPN connection without disrupting production traffic. What is the safest approach to test the VPN failover path? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Temporarily bring down the Direct Connect Virtual Interface from the on-premises router to trigger BGP failover to the VPN; monitor production traffic on the VPN path and restore Direct Connect after the test. B Use AWS Direct Connect connection testing by scheduling a maintenance window through the AWS console, which briefly disrupts the connection to test failover. C Create a new BGP community on the VPN connection with a lower MED than Direct Connect to make VPN the preferred path temporarily; validate production traffic flows correctly over VPN; revert the BGP community to restore Direct Connect preference. D Configure a test-only subnet in the VPC with a route table that prefers the VPN path; send test traffic from an EC2 instance in this subnet to validate VPN connectivity without affecting production routing.

58 / 60

Question 59 of 60

A company's application generates 500 MB of structured JSON data every hour. This data must be analyzed by data scientists using SQL within 1 hour of generation. The team does not want to manage any infrastructure. Which AWS serverless pipeline achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Kinesis Data Streams â†’ Lambda â†’ S3 â†’ manual Athena query; data scientists run ad-hoc Athena queries against S3 within 1 hour. B Lambda function â†’ Amazon RDS PostgreSQL (managed) â†’ Amazon QuickSight for SQL analytics; RDS provides SQL querying with no server management. C Application â†’ Amazon Kinesis Data Firehose â†’ S3 (Parquet format with inline transformation) â†’ AWS Glue Data Catalog (via Glue Crawler triggered on schedule) â†’ Amazon Athena; data is queryable within 1 hour of generation with no infrastructure to manage. D Amazon EventBridge scheduled rule â†’ Lambda â†’ S3 JSON â†’ AWS Glue Crawler â†’ Amazon Athena; Glue Crawler runs every hour to update the schema, and data scientists query via Athena.

59 / 60

Question 60 of 60

A company's multi-region application experiences split-brain scenarios when two regions lose connectivity but both think they're primary. The application uses Route 53 failover routing with health checks. What additional safeguard prevents both regions from simultaneously acting as primary? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Route 53 with geolocation routing instead of failover routing; geolocation routing ensures only one region serves each geographic area at any time. B Enable Route 53 DNSSEC to sign all DNS records; DNSSEC prevents DNS-level split-brain by ensuring only signed responses are accepted. C Implement a distributed consensus mechanism using Amazon DynamoDB Global Tables (strongly consistent reads) as a leader election store; each region checks and sets a 'primary' flag using conditional writes before accepting write traffic; a TTL-based heartbeat invalidates stale leadership without renewal. D Configure Route 53 health checks with a shorter evaluation period (10 seconds) and TTL (10 seconds) to ensure faster failover detection and DNS propagation.

60 / 60

AWS SAP-C02 Intermediate Quiz