AWS SAP-C02 Advanced Quiz - Free Practice Quiz

Question 1 of 60

A company operates a globally distributed SaaS platform across 6 AWS regions. Each region runs an independent Aurora PostgreSQL cluster. A new requirement mandates that fraud decisions made in one region must be visible to all other regions within 500 ms to prevent cross-region account abuse. The current inter-region latency is 120â€“180 ms. Which architectural approach satisfies the 500 ms visibility requirement with the least complexity? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon DynamoDB Global Tables for fraud decisions only; DynamoDB Global Tables provides sub-second active-active multi-region replication. B Migrate all 6 regional clusters to Amazon Aurora Global Database; fraud decision records written to the primary region are replicated to all secondaries typically within 1 second (typically < 500 ms); secondaries serve local reads with minimal latency. C Implement an event-driven fan-out: fraud decisions are published to an SNS topic that triggers Lambda functions in all 6 regions to write the decision locally within 500 ms. D Deploy a dedicated Redis cluster (ElastiCache) in each region and use Pub/Sub to broadcast fraud decisions across all regions within the 500 ms window.

1 / 60

Question 2 of 60

A company's AWS landing zone uses Control Tower. The security team needs to enforce that all new accounts created through Account Factory automatically have GuardDuty enabled with the management account as the GuardDuty delegated administrator, and that GuardDuty findings are aggregated centrally. An Account Factory customization pipeline must apply this without manual steps per account. Which approach implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Organizations to enable GuardDuty auto-enable for all accounts from the GuardDuty delegated administrator account; new accounts created in the organization automatically have GuardDuty enabled and findings are aggregated to the administrator account. B Use an EventBridge rule in the management account to detect the CreateManagedAccount event; trigger a Lambda function that assumes a role in the new account and calls guardduty:CreateDetector and enrolls the account with the delegated administrator. C Configure a CfCT (Customization for Control Tower) pipeline with a CloudFormation StackSet that deploys a GuardDuty detector in the new account; the StackSet is associated with the root OU and deploys automatically on account creation. D Configure a Control Tower mandatory guardrail that enables GuardDuty in all regions for all member accounts; guardrails are applied automatically on account enrollment.

2 / 60

Question 3 of 60

A financial services company needs to enforce that all production data in Amazon RDS is never queried directly by application developers, even those with DBA-level IAM permissions. All production queries must go through a controlled API that logs the query, the requester's identity, and the result set for compliance. Developers access staging databases directly. What architecture enforces this query intermediary? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Build a secure data access API layer (AWS API Gateway + Lambda) as the only path to production RDS; the RDS security group allows inbound port 5432 only from the Lambda's VPC security group; developer IAM permissions deny rds-db:connect to production DB; all queries go through the API, which logs to CloudWatch and S3. B Deploy production RDS instances in a separate AWS account; apply SCPs preventing developers from assuming roles in the production account. C Apply IAM policies to all developer roles that deny rds:Connect to production DB instances; developers can only connect to staging DB instances. D Enable RDS IAM database authentication for production; developers must use IAM-issued tokens; all token generation is logged in CloudTrail; direct password-based access is disabled.

3 / 60

Question 4 of 60

A company's data platform uses Amazon EMR for ETL and Amazon Redshift for analytics. They want to implement a delta lake architecture where S3 acts as the storage layer, transactional ACID operations on S3 data are supported (insert, update, delete, time travel), and both EMR and Redshift can query the same data without copying. Which open table format and AWS integration achieves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Apache Iceberg tables on S3: EMR with Iceberg runtime supports ACID operations (merge, delete, time travel) on S3 data; Redshift Spectrum and Athena can query Iceberg tables registered in the Glue Data Catalog without copying data. B Use Apache Hudi tables on S3 with EMR; export data to Redshift using the COPY command for Redshift queries. C Use AWS Lake Formation governed tables (built on Apache Hudi), which support transactions and are queryable by both EMR (via Spark connector) and Redshift Spectrum. D Use Delta Lake format on S3 with EMR; use a Redshift federated query via PrivateLink to read Delta Lake files directly from S3.

4 / 60

Question 5 of 60

A company runs a multi-tenant application where each tenant's data is stored in a separate DynamoDB table (100 tenants = 100 tables). Read traffic is heavily skewed: 5 tenants generate 80% of all read requests. The team deploys DAX but notices that cache hits are low because requests are distributed across 100 table-specific caches within the same DAX cluster. What is the most effective caching strategy? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Deploy separate DAX clusters for the top 5 high-traffic tenants; point their application connections to dedicated DAX clusters with properly sized node types and cache capacities; all other tenants share a single DAX cluster. B Increase the DAX cluster's node size to r5.8xlarge to provide sufficient memory to cache all 100 tenants' hot data within a single cluster. C Implement application-level caching using Amazon ElastiCache for Redis with consistent hashing by tenant_id, ensuring hot tenant data is co-located in specific Redis nodes. D Enable DAX write-through caching and reduce the DAX item TTL to 60 seconds; this increases the cache hit rate by refreshing tenant data more aggressively.

5 / 60

Question 6 of 60

A company uses AWS CodePipeline with multiple stages across 10 development teams. Each team's pipeline deploys to their own isolated AWS account. The security team must approve all production deployments across all teams, but cannot access each team's CodePipeline console in their account. What architecture gives the security team a single approval point across all production pipelines? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure each team's CodePipeline to send an approval notification to an SNS topic in the security account; the security team approves via the SNS notification URL which invokes a cross-account Lambda that calls codepipeline:PutApprovalResult in the correct team account. B Consolidate all team pipelines into a single shared CodePipeline in the security account; the security team owns the approval action in the shared pipeline. C Use AWS Service Catalog to publish each team's pipeline as a product; the security team approves pipeline products via Service Catalog before they are provisioned. D Grant the security team cross-account IAM roles with codepipeline:PutApprovalResult permissions in all 10 team accounts; the security team switches roles to each account to approve.

6 / 60

Question 7 of 60

A company's architecture uses Amazon SQS FIFO queues to process financial transactions in order. The FIFO queue has a throughput of 300 TPS (transactions per second), which is the standard FIFO limit. A new business requirement increases expected throughput to 3,000 TPS. The application cannot move to Standard queues (ordering required). What is the correct architectural approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable SQS FIFO High Throughput Mode (available via the console/API as a FIFO configuration), which increases per-API-action throughput from 300 to 3,000 TPS for the queue. B Deploy 10 SQS FIFO queues in parallel; use a consistent hash of the transaction's account_id to route each transaction to a specific queue, maintaining per-account ordering across queues. C Enable high throughput mode on the SQS FIFO queue, which increases throughput to 3,000 TPS without changing message ordering guarantees. D Migrate to Amazon Kinesis Data Streams with 100 shards; use the transaction ID as the partition key to maintain per-transaction ordering within each shard.

7 / 60

Question 8 of 60

A company is migrating from on-premises Active Directory to cloud identity, but must maintain backward compatibility for legacy applications that use Kerberos authentication during the 2-year transition. The company wants to use AWS Managed Microsoft AD as the cloud identity source while maintaining trust with on-premises AD. What is the minimum required configuration? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Deploy AWS Managed Microsoft AD in a VPC connected to on-premises via Direct Connect or VPN; establish a two-way forest trust between AWS Managed AD and on-premises AD; legacy Kerberos applications authenticate via the trust relationship to the appropriate domain. B Deploy AWS Managed Microsoft AD in a new AWS account and migrate all AD objects using ADSIEdit; disable on-premises AD after migration. C Use AWS Directory Service Simple AD as a Kerberos-compatible directory; configure a one-way trust from Simple AD to on-premises AD for legacy application compatibility. D Deploy AWS AD Connector to proxy all Kerberos authentication requests from cloud resources to on-premises AD without creating a cloud-based AD forest.

8 / 60

Question 9 of 60

A company deploys AWS CloudFormation stacks across 15 accounts via StackSets. Some stacks occasionally drift due to manual console changes. The governance team wants to automatically detect drift weekly and generate a consolidated report showing all drifted resources across all accounts. What implements this with the least custom code? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an EventBridge Scheduler rule (weekly) in the management account that calls cloudformation:DetectStackSetDrift for each StackSet; poll cloudformation:DescribeStackSetOperations until complete; use CloudFormation StackSet drift results across all accounts to generate a report stored in S3. B Deploy an AWS Config conformance pack with a cloudformation-stack-drift-detection-check rule across all accounts; Config automatically detects stack drift weekly and aggregates findings in the Config Aggregator. C Enable AWS Config in all accounts and use the managed rule cloudformation-stack-drift-detection-check; aggregate Config findings using an organization aggregator; export to S3 weekly using EventBridge. D Use AWS Systems Manager Automation with the AWS-DetectCloudFormationDrift document run via multi-account targeting from the management account; store results in S3 with cross-account bucket access.

9 / 60

Question 10 of 60

A company has a strict compliance requirement that all API requests to AWS must use multi-factor authentication (MFA). Currently, developers use IAM user access keys without MFA. The company wants to enforce MFA-authenticated API access for all IAM users in all accounts without replacing IAM users. What IAM policy mechanism enforces MFA for API calls? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Attach a permission boundary to all IAM users that includes a global Deny with a BoolIfExists condition on aws:MultiFactorAuthPresent: false; users must authenticate with MFA (using GetSessionToken) before making API callsâ€”without MFA, all their permissions are denied by the boundary. B Configure IAM Identity Center with MFA enforcement; all developers log in via Identity Center with MFA and receive temporary credentialsâ€”eliminating the need for long-term IAM user access keys. C Enable AWS CloudTrail MFA delete on all IAM users; this requires MFA for delete operations but not all API calls. D Apply an SCP that denies all API actions unless the request was made using the AWS console (console.aws.amazon.com), which requires MFA for all users.

10 / 60

Question 11 of 60

A company uses Amazon EKS with Kubernetes Cluster Autoscaler to scale EC2 node groups. During aggressive scale-out events, Cluster Autoscaler provisions new nodes but pods remain in Pending state for 4â€“7 minutes while nodes register and become ready. The engineering team needs pod startup time under 2 minutes. What architectural change reduces node provisioning time? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Replace Cluster Autoscaler with Karpenter; Karpenter directly launches EC2 instances (bypassing managed node group ASG delays) using the EC2 Fleet API, typically provisioning nodes in under 60 seconds. B Pre-create a pool of 10 EC2 instances in the node group (minimum size 10) that are always running; over-provisioning ensures pods are scheduled immediately without waiting for new node provisioning. C Increase the Cluster Autoscaler scan interval from 10 seconds to 1 second so it detects pending pods faster and triggers scale-out sooner. D Enable EC2 Instance Warm Pools for the EKS node group's Auto Scaling group; Warm Pools maintain pre-initialized instances in a stopped state, reducing launch time by ~2 minutes.

11 / 60

Question 12 of 60

A company's application uses AWS Cognito User Pools for authentication and DynamoDB for storing user data. They experience a dramatic increase in fraudulent account signups. The security team wants to add risk-based adaptive authentication that challenges suspicious sign-ins (unusual location, device) without blocking legitimate users. Which Cognito feature provides this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Cognito User Pool Advanced Security Features (adaptive authentication); Cognito uses ML to assess risk scores for each sign-in based on device fingerprint, IP reputation, and location; configure Cognito to require MFA for high-risk sign-ins and block very high-risk sign-ins automatically. B Configure Cognito Pre-Authentication Lambda triggers that call Amazon Fraud Detector for risk scoring on every sign-in; block high-risk sign-ins by returning an error from the Lambda function. C Integrate AWS WAF with the Cognito user pool endpoint; configure a WAF rate-based rule to block IP addresses that attempt more than 10 sign-ins per minute. D Enable Amazon GuardDuty for Cognito with the CognitoUserPool threat detection feature; GuardDuty automatically blocks compromised accounts and challenges suspicious sign-ins.

12 / 60

Question 13 of 60

A company uses AWS Organizations and needs to implement a hub-and-spoke architecture where a single central Transit Gateway in the network account connects all spoke VPCs across 50 member accounts. The solution must automatically share the Transit Gateway with all existing and future accounts without manual RAM resource share updates. What configuration automates this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an AWS RAM resource share for the Transit Gateway with the sharing principal set to the AWS Organization root ARN; this automatically shares the Transit Gateway with all current and future member accounts in the organization without manual updates. B Use CloudFormation StackSets to deploy a RAM resource share in each member account that accepts the Transit Gateway sharing invitation from the network account. C Configure Transit Gateway attachments directly from the network account by assuming cross-account roles in each spoke VPC account. D Use AWS Control Tower to deploy a Transit Gateway in each member account and create a TGW peering connection to the central network account's Transit Gateway.

13 / 60

Question 14 of 60

A company's microservices architecture uses Amazon API Gateway with Lambda integration. A single API Gateway endpoint handles 10 million requests per day. The team observes that Lambda cold starts for infrequently called functions cause P99 latency spikes to 3â€“5 seconds. They want P99 latency under 500 ms for all functions. The most cost-effective solution eliminates cold starts only for functions that need it. What is the recommended approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Analyze CloudWatch Lambda metrics (InitDuration, Invocations, ConcurrencyUsage) to identify the specific functions causing P99 spikes; enable Provisioned Concurrency only for those functions; for rarely called functions with cold starts, evaluate converting to Lambda SnapStart (Java) or optimizing runtime initialization. B Use Application Auto Scaling to schedule Provisioned Concurrency for all functions based on a 24-hour traffic pattern; scale provisioned concurrency up during business hours and down overnight. C Convert all Lambda functions to use container images and store images in ECR; container images reduce cold start time from seconds to milliseconds for all functions. D Enable Lambda Provisioned Concurrency for all functions with a fixed value of 10 concurrent environments each; this eliminates cold starts across all functions at a predictable cost.

14 / 60

Question 15 of 60

A company stores 5 PB of scientific simulation data in Amazon S3. The data is accessed annually for large-scale parallel analysis using thousands of EC2 instances. Each analysis job reads 100 TB of specific files. Query latency from S3 to EC2 must be minimized. The instances are in the same AWS region as the S3 bucket. What architecture maximizes data access throughput? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon FSx for Lustre linked to the S3 bucket; FSx for Lustre provides a POSIX-compliant parallel file system that automatically loads data from S3 on first access, providing up to 1 TB/s of aggregate read throughput for the 100 TB analysis. B Store data in S3 Standard and use S3 Select on each object to push computation to S3; this reduces the data transferred to EC2 instances by filtering data at S3. C Use S3 Transfer Acceleration to accelerate data transfer from S3 to the EC2 instances in the same region, reducing retrieval latency. D Place all 5 PB in Amazon S3 Express One Zone; Express One Zone provides single-digit millisecond access latency and higher throughput than standard S3.

15 / 60

Question 16 of 60

A company runs a PCI DSS-compliant application on AWS. A QSA (Qualified Security Assessor) audit requires evidence that all production EC2 instance operating systems are patched with all critical CVEs remediated within 30 days of disclosure. The company has 500 production instances across 10 accounts. What combination of AWS services provides both enforcement and audit evidence? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon Inspector V2 to scan all EC2 instances for CVEs; Inspector findings over 30 days old with critical severity are exported to S3 monthly as audit evidence. B Use AWS Config with the ec2-managed-instance-patch-compliance-status-check rule; Config compliance history provides audit evidence of patching status over time. C Use AWS Security Hub with the PCI DSS standard enabled; Security Hub checks for unpatched instances and generates findings as audit evidence for the QSA. D Use AWS Systems Manager Patch Manager with a patch baseline requiring critical patches; run patching via maintenance windows within 30 days of patch release; use SSM Compliance reports as audit evidence; aggregate patch compliance across all 10 accounts via Systems Manager Explorer with Organizations integration.

16 / 60

Question 17 of 60

A company uses AWS Step Functions to orchestrate a complex order processing workflow with 20 states, including parallel processing branches, retries, and error handling. The workflow runs 10 million times per day. Step Functions Standard Workflows charge per state transition (10 million Ã— 20 states Ã— $0.000025 = $5,000/day). How can the architect reduce cost without changing workflow logic? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Reduce the number of states in the workflow from 20 to 10 by combining adjacent states into single Lambda functions, halving state transition charges. B Use Step Functions Synchronous Express Workflows with API Gateway integration to batch multiple order processing requests per invocation, reducing execution count. C Switch from Step Functions to Amazon SQS with parallel consumer Lambda functions to replicate the workflow logic; SQS is cheaper than Step Functions at high volume. D Migrate the workflow to Step Functions Express Workflows, which charge per execution duration (GB-seconds) rather than per state transition, and are designed for high-volume, short-duration workflows; at 10M/day the Express pricing model is significantly cheaper for workflows completing under 5 minutes.

17 / 60

Question 18 of 60

A company deploys machine learning inference on Amazon SageMaker. Models are retrained weekly but the current production endpoint runs continuous inference. During retraining, a new model version is validated; if it passes A/B testing (better performance than current), the endpoint must update to the new model with zero downtime. What SageMaker feature implements zero-downtime model updates with A/B testing? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create a new SageMaker endpoint for each model version; use Route 53 weighted routing to gradually shift traffic from the old endpoint to the new endpoint. B Use SageMaker Pipelines to automate model training, evaluation, and conditional deployment; the pipeline deploys to a staging endpoint and promotes to production after evaluation. C Enable SageMaker Model Monitor on the production endpoint; Model Monitor automatically swaps the model variant when it detects that the new model has better performance metrics. D Use SageMaker endpoint production variants: add the new model as a variant with initial weight 10%; monitor per-variant metrics in CloudWatch; use UpdateEndpointWeightsAndCapacities to gradually shift traffic to 100% new model; then use UpdateEndpoint to make the new variant the sole variant. The endpoint remains online throughout.

18 / 60

Question 19 of 60

A company runs a multi-tenant SaaS application on AWS where each tenant's workload runs in its own EKS namespace. A tenant's runaway pod consumed all node CPU, causing other tenants' pods to be throttled. The team needs to enforce resource isolation between tenant namespaces. Which Kubernetes mechanism prevents one tenant's pods from monopolizing cluster resources? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Kubernetes PodDisruptionBudgets (PDBs) for each tenant namespace to prevent runaway pods from being evicted and restarted, limiting resource consumption spikes. B Use Kubernetes node affinity rules to pin each tenant's pods to dedicated node groups; isolate tenant compute at the node level. C Use Kubernetes HorizontalPodAutoscaler (HPA) for each tenant's deployment to scale pods automatically; HPA prevents resource monopolization by distributing load across replicas. D Apply Kubernetes ResourceQuotas per tenant namespace limiting aggregate CPU and memory requests; configure LimitRanges to enforce default requests and limits on each pod; pods that exceed the namespace quota are rejected at admission.

19 / 60

Question 20 of 60

A company's AWS environment has 300 EC2 instances and the billing team notices that 40% are idle (CPU < 5% for 14 days). The CTO wants a monthly optimization report showing idle instances, oversized instances, and Reserved Instance coverage gaps, with estimated savings. Which AWS tools provide this automatically without custom development? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon CloudWatch to create dashboards showing CPU utilization for all 300 instances; manually identify idle instances monthly. B Enable AWS Cost Anomaly Detection to identify unusual spending patterns on EC2; monthly anomaly reports highlight idle and oversized instances. C Use AWS Config with required-instance-type config rules to detect non-conformant instance types; export Config findings to S3 for monthly review. D Use AWS Compute Optimizer for instance right-sizing recommendations (idle and oversized instances with projected savings); use AWS Cost Explorer's RI coverage report for RI gap analysis; schedule monthly Cost Explorer reports to S3; use AWS Trusted Advisor for idle EC2 instance detection.

20 / 60

Question 21 of 60

A company's architecture requires that a Lambda function must only be invokable from within the company's VPC (not from the internet or other AWS accounts). The Lambda function processes sensitive financial data. What combination of controls enforces this network-level restriction? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS PrivateLink to expose the Lambda function as a VPC endpoint service; restrict the service to the company's VPC using endpoint policies. B Configure the Lambda function with a Reserved Concurrency of 0 by default; use an EventBridge rule that sets Reserved Concurrency to the required value only when triggered by a trusted internal service. C Place the Lambda function inside the VPC; Lambda functions inside a VPC can only be invoked from within the VPC automatically. D Configure the Lambda function as a VPC-attached function in the company's private subnet; add a Lambda resource-based policy that explicitly allows invocations only from principals with the aws:SourceVpc condition matching the company's VPC ID; invoke the function only via a VPC endpoint for Lambda (com.amazonaws.region.lambda) from within the VPC.

21 / 60

Question 22 of 60

A company uses Amazon RDS PostgreSQL with a 10 TB database. The DBA team needs to perform a major PostgreSQL version upgrade (from 13 to 16). In-place major version upgrades on RDS risk data corruption and extended downtime. The company's RTO is 30 minutes. Which approach minimizes risk and downtime? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Initiate the RDS ModifyDBInstance API call with EngineVersion=16; RDS performs the in-place upgrade with minimal downtime (typically 5â€“10 minutes for the DB restart). B Create an RDS PostgreSQL 16 read replica; upgrade the replica's engine version; promote the replica; update the application connection string; verify functionality; complete within 30 minutes. C Create an RDS snapshot of the PostgreSQL 13 instance; restore the snapshot to a new RDS PostgreSQL 16 instance; test the upgraded instance; perform a DNS-level cutover within the RTO. D Use Aurora Blue/Green Deployments for RDS: create a Blue/Green pair where the green environment runs PostgreSQL 16; apply the major version upgrade on the green DB; run pre-cutover tests; initiate the managed switchover (< 1 minute) to complete within the 30-minute RTO.

22 / 60

Question 23 of 60

A company needs to implement network segmentation within a single VPC where the application tier, database tier, and management tier must have strict network isolation with all traffic logged. The security team requires that even traffic between EC2 instances in the same subnet but different tiers must be inspected. Which approach enforces intra-VPC traffic inspection at the subnet level? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure security groups on each EC2 instance with tier-specific allow rules; security groups operate at the instance level and enforce isolation between tiers in the same subnet. B Create separate VPCs for each tier and use VPC Peering to allow required inter-tier communication; peer VPCs provide strong isolation. C Use VPC Network ACLs on each subnet with explicit deny rules for cross-tier traffic; NACLs operate at the subnet boundary and block tier-crossing traffic. D Deploy AWS Network Firewall in a dedicated inspection subnet within the VPC; use VPC routing tables to route inter-subnet traffic through the Network Firewall endpoint for deep packet inspection, stateful rule evaluation, and logging.

23 / 60

Question 24 of 60

A company's data science team uses Amazon SageMaker Studio notebooks. Each data scientist has their own Studio domain. They frequently run heavy preprocessing jobs that take 4â€“6 hours and should not block notebook interaction. The company wants to offload these jobs to managed compute without the data scientist managing infrastructure. Which SageMaker feature addresses this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use SageMaker Training Jobs launched from Studio notebooks; Training Jobs run on managed EC2 instances asynchronously, allowing the data scientist to continue working in the notebook. B Export the preprocessing notebook as a Python script and run it on an EC2 instance using SSM Run Command from within Studio. C Use SageMaker Autopilot to automatically preprocess data and train models without data scientist intervention. D Use SageMaker Processing Jobs launched from Studio notebooks; Processing Jobs run preprocessing code on managed ml.m5 or ml.c5 instances asynchronously; the notebook can submit the job and continue interactive work while the job runs independently.

24 / 60

Question 25 of 60

A company is designing its AWS network architecture. They have 30 VPCs across 5 regions that need to communicate with each other and with an on-premises data center over Direct Connect. They want centralized egress to the internet through a single NAT/firewall appliance per region. What is the recommended scalable architecture? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Deploy a Transit VPC with Cisco CSR appliances in each region; all spoke VPCs connect to the Transit VPC via VPN; the CSR appliances provide NAT, inspection, and on-premises connectivity. B Use VPC peering to connect all 30 VPCs within each region; deploy a single NAT Gateway in the hub VPC per region; configure spoke VPC route tables to route internet traffic through the hub VPC's NAT Gateway via peering. C Deploy AWS Cloud WAN with a core network policy that defines network segments and routing; connect all 30 VPCs and on-premises via Cloud WAN attachments; use Cloud WAN's network segment-based routing for centralized inspection. D Deploy AWS Transit Gateway in each region; connect all regional VPCs to the regional TGW; deploy a centralized inspection VPC in each region with NAT Gateway and Network Firewall; configure TGW route tables to route all egress traffic through the inspection VPC; connect regional TGWs to each other via TGW peering for inter-region traffic; connect each regional TGW to on-premises via Direct Connect Transit VIF.

25 / 60

Question 26 of 60

A company's DevOps team runs Jenkins CI/CD on-premises. They want to migrate Jenkins to AWS while maintaining the same Jenkins configuration and jobs. Workers must scale out automatically for parallel builds. Which AWS deployment meets these requirements with the least effort? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Migrate Jenkins to AWS CodePipeline and CodeBuild; CodeBuild provides auto-scaling build workers. B Deploy Jenkins master on Amazon EC2; use Jenkins EC2 Plugin to dynamically provision EC2 worker instances for each build job; terminate workers after job completion. C Containerize Jenkins master and deploy on Amazon EKS; use Kubernetes Jenkins agent (jnlp pods) for auto-scaling build workers. D Deploy Jenkins master on an EC2 instance (or ECS Fargate) using an AMI with the existing Jenkins configuration; use the Jenkins Kubernetes Plugin with Amazon EKS for auto-scaling Kubernetes-based Jenkins agents; jobs scale automatically using pod templates.

26 / 60

Question 27 of 60

A company processes medical imaging data and uses Amazon S3 for storage. HIPAA compliance requires that all data at rest is encrypted, all access is logged, access is restricted to authorized personnel only, and data cannot be deleted for 7 years. Which S3 configuration satisfies all four requirements? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 SSE-S3 encryption; enable S3 server access logging; configure S3 bucket policies restricting access to authorized IAM roles; enable S3 versioning. B Enable S3 SSE-KMS with a customer managed KMS key; enable S3 server access logging to a separate audit bucket; configure bucket policies restricting access to authorized IAM roles; enable S3 Object Lock Compliance mode with 7-year retention; enable MFA Delete. C Enable client-side encryption using the AWS Encryption SDK; configure S3 bucket policies with resource-based policies allowing authorized IAM roles; enable AWS Config to audit access; configure S3 lifecycle rules to retain objects for 7 years. D Enable S3 SSE-KMS with a customer managed KMS key; enable CloudTrail data events and S3 server access logging; configure bucket policies with explicit Allow for authorized IAM roles and explicit Deny for all others; enable S3 Object Lock Compliance mode with a 7-year retention period.

27 / 60

Question 28 of 60

A company's SaaS application uses Amazon Cognito User Pools for authentication. When a new user registers, the application must verify they are a corporate employee by checking their email domain (e.g., @company.com) and looking up their employee ID in an on-premises LDAP directory. Invalid registrations should be blocked. What Cognito configuration implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Cognito to federate with the on-premises Active Directory via AD Connector; only AD users can register, automatically enforcing employee verification. B Use Cognito Groups to restrict access; after registration, an admin manually adds verified employees to the 'Employees' Cognito Group; unverified users cannot access the application. C Configure Cognito User Pool email verification; set the allowed email domains in the Cognito user pool configuration to restrict registration to @company.com addresses only. D Use a Cognito Pre-Signup Lambda trigger that validates the email domain and calls the on-premises LDAP directory (via a Lambda deployed in a VPC with Direct Connect connectivity) to verify the employee ID; if validation fails, the Lambda throws an error that blocks the registration.

28 / 60

Question 29 of 60

A company uses Amazon Redshift for data warehousing. Concurrent query loads from 200 analysts cause query queueing and long wait times. The analytics team has both short queries (< 1 second, exploratory) and long queries (10â€“30 minutes, reporting). Short queries are being queued behind long queries. What Redshift configuration resolves the queue contention? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create two Redshift clusters: one for short queries (dc2.large nodes) and one for long-running reports (ra3.xlplus nodes); route queries via application-level logic. B Enable Redshift Concurrency Scaling to add transient compute capacity during peak query load, providing additional WLM queues for overflow queries. C Use Redshift AQUA (Advanced Query Accelerator) to offload short query processing to distributed hardware, eliminating contention with long-running queries. D Configure Redshift WLM (Workload Management) with Short Query Acceleration (SQA) enabled to automatically detect and prioritize short queries (< 20 seconds) in a dedicated fast lane, and create a separate WLM queue for long-running reports with defined memory allocation and concurrency slots.

29 / 60

Question 30 of 60

A company needs to implement a strategy to automatically prevent cost overruns when any AWS account in their organization exceeds $10,000 of unbudgeted spending. When the threshold is crossed, all non-essential API actions should be blocked automatically until a cloud admin reviews and manually releases the restriction. Which AWS mechanism implements this auto-remediation? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure AWS Budgets with an SNS action that emails the cloud admin; the admin manually applies a restrictive SCP when they receive the email. B Use AWS Cost Anomaly Detection with an SNS subscription; a Lambda function triggered by the SNS notification calls the Organizations API to apply a Deny-All SCP to the offending account. C Configure AWS Budgets with a budget action that directly applies an IAM policy to the affected account's IAM group, restricting permissions when the threshold is crossed. D Configure an AWS Budgets budget action that applies a pre-defined restrictive SCP to the account when the $10,000 threshold is crossed; configure a second budget action to send an SNS notification to the admin; the admin manually removes the restrictive SCP after review using AWS Organizations.

30 / 60

Question 31 of 60

A company's microservices on Amazon EKS use Helm charts for deployments. After a recent upgrade, several services started exhibiting memory leaks. The team wants to implement automatic detection of memory usage exceeding 90% of the pod's memory limit and automatic pod restart. Which Kubernetes mechanism implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Kubernetes Vertical Pod Autoscaler (VPA) in 'Recreate' mode; VPA automatically adjusts pod memory limits and restarts pods when they exceed their resource limits. B Configure Amazon CloudWatch Container Insights with a CloudWatch Alarm on the pod memory metric; trigger a Lambda function that calls the Kubernetes API to delete the affected pod (Kubernetes automatically restarts it). C Configure Kubernetes liveness probes on each pod that call a custom health endpoint; the health endpoint returns failure if memory usage > 90% of the limit; Kubernetes restarts the pod when the liveness probe fails repeatedly. D Configure Kubernetes resource limits with a memory limit of 90% of node capacity; Kubernetes OOM killer automatically terminates pods that exceed their memory limit.

31 / 60

Question 32 of 60

A company runs batch ML training jobs using Amazon SageMaker Training Jobs. Jobs take 6â€“8 hours and run 3 times per week. The team wants to reduce training cost by using Spot Instances but needs to ensure jobs complete despite Spot interruptions. What SageMaker configuration handles Spot interruptions without losing training progress? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use On-Demand instances for the first 4 hours of training to ensure stability; switch to Spot instances for the remaining 2â€“4 hours using a Lambda function that modifies the running SageMaker Training Job. B Configure SageMaker Training Jobs with Spot Instances and set a WaitTime of 3 hours in the StoppingCondition; if Spot capacity is unavailable for 3 hours, SageMaker automatically switches to On-Demand instances. C Enable SageMaker Managed Spot Training; configure the training job with a checkpoint S3 URI; the training script saves model checkpoints to S3 periodically; SageMaker restarts the job on a new Spot instance and resumes from the latest checkpoint. D Use Amazon EC2 Spot Fleet with SageMaker bring-your-own-container (BYOC); configure the Spot Fleet to use multiple instance pools and a MaxInterruptionRate to minimize interruptions.

32 / 60

Question 33 of 60

A company's application on EC2 uses long-lived HTTPS connections (HTTP/2) to downstream microservices. During EC2 scale-in events, the ALB deregisters instances but the long-lived connections are abruptly terminated by the OS when the EC2 instance is stopped, causing client errors. How does the architect configure graceful connection draining? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Increase the ALB idle timeout to 3600 seconds to keep connections alive longer during scale-in events. B Enable connection draining on the EC2 instance's security group; security group connection draining keeps long-lived connections alive during scale-in. C Configure the ALB target group's deregistration delay to 300 seconds; this prevents the ALB from sending new requests to the deregistering instance while the deregistration delay countdown runs, giving existing HTTP/2 connections time to drain naturally; also configure an Auto Scaling lifecycle hook on EC2_INSTANCE_TERMINATING to pause instance termination until the deregistration delay completes. D Configure the EC2 instance's OS TCP keepalive settings to detect connection draining and gracefully close connections.

33 / 60

Question 34 of 60

A company's AWS environment uses multiple VPCs with overlapping CIDR ranges (10.0.0.0/16 in each VPC) from different business units. They now need these VPCs to communicate with each other and with on-premises. VPC Peering and Transit Gateway are not viable due to overlapping CIDRs. What architecture resolves communication with overlapping CIDRs? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Re-IP all VPCs to use non-overlapping CIDRs; this is the only way to enable direct VPC-to-VPC communication. B Deploy NAT instances in each VPC to perform source NAT translation, resolving CIDR conflicts before routing traffic between VPCs. C Use AWS PrivateLink to expose specific services from each VPC as interface VPC endpoint services; consumers in other VPCs connect to the endpoint service using interface endpointsâ€”PrivateLink supports overlapping CIDRs because connections are service-oriented, not routed at the network layer. D Use AWS Transit Gateway with NAT on the Transit Gateway; TGW can be configured to SNAT traffic between VPCs with overlapping CIDRs.

34 / 60

Question 35 of 60

A company's solution architect discovers that an IAM role used by a Lambda function has broad permissions (s3:*, dynamodb:*) that far exceed what the function actually needs. The architect needs to determine the minimum permissions actually used by the function over the past 90 days without breaking the function. Which AWS feature provides this data? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable AWS CloudTrail for the Lambda function's IAM role; review the last 90 days of CloudTrail events to manually compile a list of API actions performed by the role. B Use Amazon GuardDuty to detect anomalous IAM activity for the Lambda role; GuardDuty generates findings for actions that are unusual, implying those actions are actually used. C Use AWS IAM Access Analyzer policy generation: provide the IAM role ARN and a 90-day date range; Access Analyzer analyzes CloudTrail events from the specified period and generates a least-privilege policy based on actions actually performed. D Enable AWS Config's iam-policy-check rule on the Lambda execution role; Config identifies overly permissive policies and suggests replacements.

35 / 60

Question 36 of 60

A company stores 10 years of financial audit records in Amazon S3. The data must be retained for exactly 10 years from the date of each record's creation, after which it must be automatically and permanently deleted. Different objects were created at different times. How does the architect implement per-object, date-aware retention and automatic deletion? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Apply an S3 Lifecycle rule that deletes all objects after 3,650 days from the bucket creation date. B Create an EventBridge Scheduler rule that runs daily; the Lambda function lists all S3 objects, checks their LastModified date, and deletes objects older than 10 years. C Enable S3 Object Lock in Compliance mode with a per-object retention date calculated as the object's creation date + 10 years; the retention date is set via the x-amz-object-lock-retain-until-date header when each object is uploaded; S3 automatically prevents deletion until the retention date and the lifecycle rule deletes the object when eligible. D Apply S3 Intelligent-Tiering with a lifecycle rule to Deep Archive after 1 year and auto-delete after 10 years.

36 / 60

Question 37 of 60

A company uses Amazon Kinesis Data Streams for real-time event processing. The stream has 100 shards. A new ML inference Lambda consumer needs to process every event but with dedicated throughput so it doesn't compete with the 5 existing standard consumers. The ML consumer needs sub-70 ms per-event processing latency. What is the correct configuration? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Set the ML Lambda's polling interval to 50 ms in the event source mapping so it reads new records faster than existing consumers. B Increase the shard count from 100 to 600 (1 shard per consumer per 100 original shards) to provide each consumer dedicated shard capacity. C Register the ML Lambda as an Enhanced Fan-Out (EFO) consumer using SubscribeToShard; EFO provides 2 MB/s per shard dedicated throughput pushed via HTTP/2, ensuring sub-70 ms delivery latency independent of other consumers. D Use a Kinesis Data Firehose delivery stream to duplicate events from the main Kinesis stream to a separate S3 bucket; the ML Lambda reads from S3 with sub-70 ms latency.

37 / 60

Question 38 of 60

A company runs a global CDN using Amazon CloudFront. The legal team requires that user access logs (showing IP addresses, request URLs, timestamps) for all regions be retained for 5 years with immutable storage and be queryable using SQL for compliance investigations. What architecture implements this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable CloudFront standard logs delivery to an S3 bucket; configure AWS Glue crawler to catalog the logs; use Athena for SQL queries; set S3 versioning for retention. B Enable CloudFront real-time logs to Kinesis Data Firehose; deliver to Amazon OpenSearch Service for SQL querying; retain logs for 5 years in OpenSearch cold storage. C Enable CloudFront standard logs delivery to a central S3 bucket in the logging account; enable S3 Object Lock Compliance mode with 5-year retention for immutability; create an AWS Glue Data Catalog table over the log prefix; use Amazon Athena for SQL-based compliance investigations. D Enable CloudFront standard logs to S3; export to Amazon RDS PostgreSQL for 5-year retention and SQL querying.

38 / 60

Question 39 of 60

A company's AWS account was compromised and an unauthorized IAM user was created with administrator access. The security team has revoked the unauthorized user's credentials and deleted the user. They now need to assess the full blast radius: what resources were created, modified, or deleted by the unauthorized user over the past 2 weeks. Which AWS service provides this forensic trail? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Review Amazon GuardDuty findings for the unauthorized user's activity; GuardDuty provides a comprehensive inventory of all API calls made by the user. B Enable VPC Flow Logs retroactively for the past 2 weeks to capture all network traffic from resources created by the unauthorized user. C Query AWS CloudTrail Lake (or the CloudTrail S3 bucket) using Athena to filter all API events by the unauthorized IAM user's ARN over the past 2 weeks; CloudTrail records every create, modify, and delete API call with the caller's identity. D Review AWS Config configuration history for all resources in the account; Config shows configuration changes over the past 2 weeks without needing to filter by caller identity.

39 / 60

Question 40 of 60

A company's EKS cluster has persistent volumes backed by Amazon EBS. When a node fails, pods with stateful EBS volumes cannot be rescheduled to another node in a different AZ because EBS volumes are AZ-specific. RTO for stateful pods is 30 minutes. What architectural change reduces RTO to under 5 minutes? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the EKS cluster with single-AZ node groups in a single AZ so all pods and EBS volumes are always co-located. B Use Amazon EBS io2 Multi-Attach volumes that can be attached to nodes in different AZs simultaneously. C Replace EBS-backed persistent volumes with Amazon EFS-backed persistent volumes; EFS is a multi-AZ file system that can be mounted simultaneously from pods in any AZ, allowing immediate pod rescheduling across AZ boundaries. D Enable EBS volume auto-copying via a DaemonSet that continuously syncs EBS snapshots across AZs; the pod recovery process restores from the latest snapshot in the new AZ.

40 / 60

Question 41 of 60

A company is building a data mesh architecture. Domain teams own their data products in S3 and expose them via the AWS Glue Data Catalog. The central data platform team must approve all data product registrations before consumers can discover them. How does the architect implement this approval workflow without building a custom portal? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Amazon Macie to scan newly created Glue Data Catalog entries for sensitive data; only Macie-approved entries are visible to consumers in the catalog. B Use AWS Lake Formation data lake administrator permissions; when a domain team creates a new Glue database, a Lake Formation admin must manually grant permissions to each consumer before discovery is possible. C Use Amazon DataZone as the data governance platform; DataZone provides a data catalog portal with built-in approval workflows where data producers publish data assets, the central team approves them, and consumers discover and subscribe to approved assets. D Configure AWS EventBridge to detect Glue Data Catalog database creation events; trigger a Lambda function that places the registration in a review SQS queue; the central team reviews the queue and manually approves using a CLI command.

41 / 60

Question 42 of 60

A company runs an ECS Fargate application that processes video transcoding jobs. Each job takes 20â€“40 minutes. The team uses Fargate Spot to reduce costs but experiences frequent Spot interruptions because the required CPU/memory combination (16 vCPU, 32 GB RAM) is in short supply in the chosen AZ. How does the architect reduce interruption frequency while maintaining Spot savings? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Switch to ECS on EC2 with Spot Instances using an instance fleet with multiple instance families (m5, m5a, m5n, m5zn, r5) targeting 16 vCPU + 32 GB combinations; larger instance pools reduce interruption frequency. B Use EC2 Spot Fleet with a capacity-rebalancing strategy and target a Spot Instance pool with availability zone capacity optimization across 3 AZs for the Fargate task. C Modify the Fargate Spot task placement to span all 3 AZs using the Fargate platformVersion and awsvpcConfiguration with multiple subnets; Fargate automatically selects the AZ with the most available Spot capacity for each task launch. D Enable ECS Service Auto Scaling for the Fargate Spot tasks to maintain a larger number of smaller tasks (4 vCPU, 8 GB each) running in parallel, providing more Spot pool options.

42 / 60

Question 43 of 60

A company uses Amazon S3 as a data lake with multiple data pipelines reading and writing simultaneously. A data engineering team discovers that concurrent writes to the same S3 prefix from multiple Glue jobs occasionally result in inconsistent data: readers see partial updates because S3's eventual consistency for overwrites in the same prefix. What architectural change resolves this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 versioning on the data lake bucket; versioning ensures readers always see the latest committed version of each object. B Use Amazon SQS to serialize writes from all Glue jobs to the same prefix through a single consumer, ensuring sequential access. C Adopt Apache Iceberg table format for the data lake; Iceberg provides ACID transactions on S3 data, supporting concurrent reads and writes with snapshot isolationâ€”readers see a consistent snapshot while writers commit new data atomically. D Configure S3 Requester Pays and use S3 conditional writes with ETags to implement optimistic locking on shared prefixes.

43 / 60

Question 44 of 60

A company's application uses Amazon SQS for asynchronous job processing. The SQS consumer (Lambda) occasionally fails to complete processing within the SQS visibility timeout, causing messages to reappear and be processed multiple times by concurrent consumers. The job processing logic is not idempotent. What is the most architecturally sound fix? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable SQS message deduplication by setting the MessageDeduplicationId on all messages; this prevents SQS from delivering the same message twice. B Switch to SQS FIFO queues; FIFO queues guarantee exactly-once delivery within a 5-minute deduplication window. C Increase the SQS visibility timeout to exceed the maximum possible Lambda processing time; additionally, have the Lambda function call ChangeMessageVisibility to extend the timeout dynamically if processing takes longer than expected. D Implement idempotent processing by recording processed message IDs in a DynamoDB table with conditional writes; Lambda checks before processing.

44 / 60

Question 45 of 60

A company is implementing AWS Organizations and wants to ensure that no VPC in any member account can communicate directly with the internet (no internet gateways, no NAT gateways) except through the centralized egress inspection VPC in the networking account. Which combination of controls enforces this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure the default VPC route tables in all member accounts to point 0.0.0.0/0 to the Transit Gateway attachment for the centralized egress inspection VPC. B Use AWS Config conformance packs to detect internet gateways and NAT gateways in member accounts; auto-remediate by deleting them. C Apply an SCP to the organization that denies ec2:AttachInternetGateway and ec2:CreateNatGateway in all accounts except the networking account; this prevents member accounts from creating internet-facing resources. D Deploy AWS Firewall Manager with a VPC security group policy that denies any security group rule allowing inbound or outbound traffic from/to 0.0.0.0/0 in all member accounts.

45 / 60

Question 46 of 60

A company runs an Amazon Aurora MySQL cluster in a single region (us-east-1). The business requires an RPO of 5 minutes and an RTO of 15 minutes for a region-level disaster. The database is 500 GB. The company has never tested the DR scenario. Which DR solution meets the requirements, and what is the recommended DR testing approach? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Configure Point-In-Time Recovery (PITR) with a 5-minute backup frequency; test DR by restoring to a specific time and measuring the restore duration. B Enable Aurora Global Database with the primary in us-east-1 and secondary in us-west-2; typically < 1 second RPO and < 1 minute RTO for managed failover; test DR by performing a planned managed crossover (detaches secondary, promotes it to primary) without data loss. C Use AWS Backup to take daily Aurora snapshots to us-west-2; restore the snapshot to a new Aurora cluster in us-west-2 during DR; test by measuring snapshot restore time for the 500 GB database. D Create an Aurora cross-region read replica in us-west-2; when disaster occurs, promote the replica (typically 5-10 minutes); for DR testing, promote the replica periodically and reconnect the application.

46 / 60

Question 47 of 60

A company has 100 AWS accounts and wants to centralize cost management. Business units must have visibility into only their own accounts' costs while the finance team sees costs across all accounts. Budgets and alerts must be configurable per business unit. What AWS cost management configuration satisfies these requirements? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Grant all IAM users in all accounts access to the AWS Cost Explorer in the management account; filter by account ID within Cost Explorer per business unit. B In the management account, enable Cost Explorer and configure linked account access; each business unit's IAM role in their own accounts has ce:GetCostAndUsage permission scoped to their account IDs using resource-based conditions; AWS Budgets is created per account or per OU for alerts. C Create an AWS Organizations OU per business unit; enable cross-account Cost Explorer access from business unit accounts to their OU-member accounts only; use AWS Budgets in each account for per-account alerts. D Use AWS Cost Allocation Tags to assign costs to business units; deploy a custom QuickSight dashboard per business unit showing only their tagged costs.

47 / 60

Question 48 of 60

A company uses Amazon Cognito User Pools to authenticate mobile app users. The app stores sensitive documents in S3 with each user having their own prefix (users/{sub}/documents/). Currently, the app calls an API Gateway backend to get pre-signed URLs for S3 access. The backend is a bottleneck. The architect wants users to access S3 directly without routing through the backend, while maintaining per-user prefix isolation. What IAM/Cognito mechanism enables this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Generate S3 pre-signed URLs server-side with a 24-hour expiry and cache them in API Gateway's response cache; mobile apps use cached URLs to access S3 directly. B Use Cognito Identity Pools to exchange the Cognito User Pool JWT for temporary AWS credentials; define the authenticated role's IAM policy to allow s3:GetObject and s3:PutObject on arn:aws:s3:::bucket/users/${cognito-identity.amazonaws.com:sub}/*, ensuring users can only access their own prefix. C Configure S3 bucket policies with a StringEquals condition on aws:PrincipalTag/sub matching each user's Cognito sub; Cognito automatically adds the sub as a principal tag to all user sessions. D Use Cognito User Pool Lambda triggers (Pre-Token Generation) to embed the user's S3 prefix in the JWT; the mobile app presents this JWT to S3 for direct access.

48 / 60

Question 49 of 60

A company runs a multi-region active-active application using DynamoDB Global Tables. Data engineers occasionally run analytical queries on DynamoDB that read millions of items for reporting. These queries consume substantial RCUs and degrade OLTP performance for end users. What is the most cost-effective way to offload analytical queries from DynamoDB without duplicating data? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Export DynamoDB table data to S3 once daily using DynamoDB Table Export; run analytical queries on the exported S3 data using Amazon Athena. B Use DynamoDB on-demand capacity mode for the table; DynamoDB scales RCU capacity automatically to accommodate both OLTP and analytical queries without throttling. C Enable DynamoDB Streams and use a Lambda function to replicate all DynamoDB items to Amazon Redshift in near-real time; run analytical queries on Redshift. D Create a separate DynamoDB table with Global Secondary Indexes (GSIs) optimized for analytical query patterns; replicate items from the main table to the analytical table via DynamoDB Streams.

49 / 60

Question 50 of 60

A company's microservices on AWS generate distributed traces. The team wants to visualize end-to-end request latency, identify performance bottlenecks across service boundaries, and get automated analysis of which services are causing 95th percentile latency increases. Which AWS service provides this distributed tracing and analytics capability? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable VPC Flow Logs and use CloudWatch Contributor Insights to identify the top services by network latency contribution. B Use AWS X-Ray with sampling rules configured for all services; the X-Ray Analytics console provides trace analysis, percentile filtering, and root cause identification for latency spikes across service boundaries. C Deploy the OpenTelemetry Collector on all EC2 instances to send traces to CloudWatch Container Insights; Container Insights provides per-service latency percentiles. D Use Amazon CloudWatch ServiceLens, which combines CloudWatch metrics, logs, and X-Ray traces to provide a service map of all microservices with latency and error rate visualizations.

50 / 60

Question 51 of 60

A company has 50 AWS accounts and wants to implement a data perimeter ensuring S3 data can only be accessed from within the organization's AWS accounts or from the company's known on-premises IP ranges, never from the public internet or other AWS accounts. What combination of controls implements this data perimeter? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable S3 Block Public Access organization-wide and configure VPC endpoints for S3 in all VPCs; these two controls together prevent all external access to S3. B Apply organization-level SCPs denying s3:GetObject unless aws:PrincipalOrgID matches the organization ID; add S3 bucket policies on all sensitive buckets adding a Deny condition for requests not from the organization OR from the known on-premises IP ranges (aws:SourceIp condition); enforce S3 VPC endpoint policies allowing only organization principals. C Use Amazon Macie to detect all public S3 buckets and auto-remediate by applying Block Public Access; this prevents data exfiltration from public buckets. D Configure AWS Network Firewall egress rules blocking outbound traffic to S3 public IP ranges; on-premises systems use AWS Direct Connect to access S3 privately.

51 / 60

Question 52 of 60

A company's CTO wants to reduce AWS operational toil across 80 accounts by enabling teams to self-service common operational tasks (e.g., start/stop EC2 instances, take snapshots, run patching) through a governance-approved catalog without granting direct IAM permissions for these operations. What AWS service enables governed self-service operations? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Create an AWS Service Catalog portfolio with operational products (CloudFormation stacks that trigger SSM Automation for operational tasks); teams provision products without direct IAM permissions. B Use AWS Systems Manager Automation with shared automation documents published via AWS RAM; teams run pre-approved automation documents using execution roles with the required permissions; teams only need ssm:StartAutomationExecution and the automation documents provide the actual capabilities. C Grant all teams IAM roles with EC2 start/stop permissions and enforce governance through AWS Config rules that detect policy violations. D Use AWS Step Functions with IAM PassRole; teams trigger Step Functions executions with their own role; Step Functions assumes an operational role to perform the governed actions.

52 / 60

Question 53 of 60

A company's solution architect is asked to reduce the cost of Amazon Redshift for a mixed query workload: some queries complete in under 1 second (exploratory), while others run for 20â€“30 minutes (complex aggregations). The current Redshift cluster is ra3.4xlarge with 4 nodes. The team cannot modify query patterns. Which cost optimization strategy reduces Redshift cost for this specific workload? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable Redshift Concurrency Scaling; short queries overflow to temporary concurrency scaling clusters, and the main cluster handles long queries; Concurrency Scaling charges only for scaled capacity used. B Enable Redshift Serverless for the exploratory workload and keep the provisioned cluster for long-running queries; route queries based on estimated duration to the appropriate compute environment. C Switch to Redshift RA3 with Managed Storage (RA3.xlplus) and reduce the node count from 4 to 2; AQUA (Advanced Query Accelerator) compensates for the reduced compute. D Implement Redshift WLM with Short Query Acceleration (SQA) and separate queues for exploratory and long-running queries; SQA processes short queries in a dedicated fast lane and reduces their impact on provisioned cluster capacity.

53 / 60

Question 54 of 60

A company's multi-tier application has a database tier using Amazon Aurora PostgreSQL with a large number of simultaneous Lambda connections causing Aurora to hit its max_connections limit (approximately 5,000 for db.r5.4xlarge). Lambda functions are throttled waiting for connections. What is the recommended solution? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Increase the Aurora instance size to db.r5.16xlarge; the larger instance size supports higher max_connections limits proportional to available memory. B Deploy Amazon RDS Proxy for Aurora PostgreSQL; RDS Proxy maintains a persistent pool of database connections (multiplexing thousands of Lambda connections through a smaller pool of database connections) and handles connection scaling transparently. C Switch from Aurora PostgreSQL to Aurora MySQL; MySQL handles higher connection counts than PostgreSQL. D Implement connection pooling using PgBouncer on EC2; Lambda functions connect to PgBouncer which multiplexes connections to Aurora.

54 / 60

Question 55 of 60

A company needs to implement a federated data lake where business units contribute data independently but the central data team enforces data quality standards before data becomes discoverable. Each business unit uses different data formats (Parquet, ORC, JSON). What architecture provides governed ingestion with data quality enforcement? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Business units upload data directly to the central S3 data lake bucket; AWS Glue crawlers run hourly to discover and catalog new data; data quality is enforced through manual review by the central team. B Business units upload data to landing zone S3 buckets in their own accounts; AWS Glue DataBrew (or Glue Data Quality rules) validate data quality in an ingestion pipeline; data passing validation is moved to the curated zone in the central data lake via S3 replication and registered in Lake Formation; failing data is quarantined. C Business units write directly to the central DynamoDB table; DynamoDB Streams trigger a Lambda function that enforces data quality; valid items are exported to S3 for the data lake. D Use Amazon Kinesis Data Firehose with Lambda transformation to validate data quality; valid records are delivered to S3; invalid records are delivered to an S3 error prefix.

55 / 60

Question 56 of 60

A company runs Amazon ECS tasks that write results to an SQS queue. Results must be delivered to three downstream services: one for billing, one for analytics, and one for customer notifications. Each service processes at its own rate and must not lose messages if it falls behind. What messaging architecture supports this? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A The ECS task publishes results to a single SQS FIFO queue; all three downstream services share the queue, each consuming a different message group ID. B The ECS task publishes results to an Amazon SNS topic; three SQS queues (billing, analytics, notifications) subscribe to the SNS topic; each downstream service consumes from its own queue independently; SQS provides durable storage for messages while services catch up. C The ECS task writes results directly to three separate SQS queues using the SQS batch send API; downstream services consume from their dedicated queues. D The ECS task publishes results to an Amazon Kinesis Data Stream with three enhanced fan-out consumers (billing, analytics, notifications), each receiving records independently.

56 / 60

Question 57 of 60

A company has a hybrid cloud architecture where critical applications run on-premises and use AWS for DR. The disaster recovery failover must complete within 30 minutes with no more than 15 minutes of data loss (RPO=15 min, RTO=30 min). The on-premises application uses an Oracle database. What AWS DR architecture meets these requirements? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use Oracle Data Guard with a physical standby on an RDS Oracle instance in AWS; Data Guard provides near-real-time replication (< 15 min RPO); fail over by promoting the standby (< 30 min RTO). B Use AWS DMS with CDC replication from on-premises Oracle to Amazon RDS Oracle in AWS; replicate changes every 15 minutes; fail over by redirecting the application to RDS Oracle. C Take hourly Oracle RMAN backups to Amazon S3; in a disaster, restore the last backup to an RDS Oracle instance within 30 minutes. D Use AWS Application Migration Service (MGN) to continuously replicate the Oracle database server VM to EC2; fail over by launching the EC2 instance from the latest replica.

57 / 60

Question 58 of 60

A company's production environment experiences intermittent network latency spikes between microservices running on EC2 in the same VPC. The network team suspects packet loss on specific EC2-to-EC2 communication paths. Which AWS tool provides network path analysis to identify packet loss between specific EC2 instances? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Enable VPC Flow Logs between the source and destination instances and calculate packet loss as the difference between accepted and rejected packets. B Use Amazon CloudWatch Network Monitor to define monitoring probes between source and destination EC2 endpoints; it measures round-trip latency and packet loss at 30-second intervals. C Use AWS Transit Gateway Network Manager's route analyzer to trace the network path between source and destination instances and identify any packet loss on transit links. D Use Amazon VPC Reachability Analyzer to test the network path between the two EC2 instances; Reachability Analyzer identifies any configuration blocking connectivity (security groups, NACLs, route tables) but does not measure packet loss for operational analysis.

58 / 60

Question 59 of 60

A company uses Amazon EKS and wants to implement GitOps-based continuous delivery where Kubernetes manifests stored in a Git repository are automatically synchronized to the cluster. Changes pushed to the Git repo should be reflected in the cluster within 5 minutes without CI pipeline intervention. Which tool implements GitOps continuous delivery for EKS? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS CodePipeline with a CodeCommit source stage and a kubectl apply deploy stage; the pipeline runs on every Git push and applies manifests within 5 minutes. B Deploy Flux CD or ArgoCD as a GitOps controller on the EKS cluster; the controller continuously reconciles the cluster state with the Git repository, automatically applying changes within seconds of a push. C Use Amazon EventBridge with a CodeCommit push rule triggering a Lambda function that runs kubectl apply for every commit to the repository. D Use AWS CodeBuild with a GitHub webhook trigger; CodeBuild applies manifests using EKS API within 5 minutes of each push.

59 / 60

Question 60 of 60

A company's finance team performs complex cost allocation analysis monthly. They need to attribute AWS costs to specific projects and environments across 40 accounts, correlate AWS cost data with internal billing systems, and produce a detailed report in CSV format. AWS Cost Explorer's download is limited to 30 data points. What AWS service provides detailed, raw cost data for custom analysis? (AWS Certified Solutions Architect â€” Professional, SAP-C02)

A Use AWS Cost Explorer's 'Download CSV' feature to export the maximum available data; combine multiple exports to build the complete cost dataset. B Enable AWS Cost and Usage Reports (CUR) 2.0 delivery to an S3 bucket; CUR contains line-item level cost data for every resource in all accounts; query with Amazon Athena using SQL for project/environment-level attribution; export results to CSV. C Use the AWS Cost Explorer API with pagination to retrieve all cost data programmatically; load the API responses into a Python script for processing and CSV generation. D Use AWS Budgets API to retrieve monthly cost data per account; aggregate the per-account data programmatically for the complete cost allocation report.

60 / 60