Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsSAP-C02DomainsDesign Solutions for Organizational Complexity
SAP-C02Free — No Signup

Design Solutions for Organizational Complexity

Practice SAP-C02 Design Solutions for Organizational Complexity questions with full explanations on every answer.

455questions

Start practicing

Design Solutions for Organizational Complexity — choose a session length

10 questions~10 min20 questions~20 min30 questions~30 min50 questions~50 min

Free · No account required

SAP-C02 Domains

Design Solutions for Organizational ComplexityDesign for New SolutionsContinuous Improvement for Existing SolutionsAccelerate Workload Migration and Modernization

Practice Design Solutions for Organizational Complexity questions

10Q20Q30Q50Q

SAP-C02 Design Solutions for Organizational Complexity questions (showing 300 of 455)

Start session

Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

2

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

3

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

4

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

5

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

6

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

7

A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?

8

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

9

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

10

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

11

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

12

A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?

13

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

14

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?

15

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

16

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

17

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

18

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

19

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

20

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

21

A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?

22

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

23

A large enterprise has a multi-account AWS environment managed through AWS Organizations. The central networking team uses a transit gateway in a shared services VPC to connect all VPCs. The security team requires that all traffic between VPCs be inspected by a third-party firewall appliance that is deployed in an auto-scaling group in the shared services VPC. The firewall appliance is configured as a Gateway Load Balancer (GWLB) endpoint. The transit gateway has a route table that sends all inter-VPC traffic to the GWLB endpoint. Recently, the operations team noticed that some applications are experiencing high latency and packet loss when communicating across VPCs. Upon investigation, they found that the firewall appliance is not scaling properly. Which solution should be implemented to ensure that the firewall can handle the traffic load and maintain low latency?

24

A company has a centralized logging solution using Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) in a central logging account. Application logs from hundreds of EC2 instances across multiple accounts are shipped to the OpenSearch cluster via Amazon Kinesis Data Firehose. The security team requires that all log data be encrypted at rest and in transit. The logging account has a KMS key used to encrypt the OpenSearch cluster and the Firehose delivery stream. Recently, the security team noticed that some log deliveries are failing with 'AccessDenied' errors. The CloudWatch Logs delivery to Firehose is configured correctly. What is the most likely cause of the failure?

25

A global e-commerce company is migrating its on-premises application to AWS. The application uses Active Directory for authentication and requires integration with AWS Managed Microsoft AD. The company has a multi-account strategy using AWS Organizations. Which TWO steps should the solutions architect take to ensure seamless authentication across the organization?

26

A financial services company is migrating its trading platform to AWS. The platform consists of hundreds of microservices deployed in containers using Amazon ECS with Fargate launch type. Each service has its own IAM role for fine-grained permissions. The security team requires that all ECS tasks use a specific VPC (vpc-12345) and cannot run in any other VPC. During a recent audit, it was discovered that some tasks are running in a different VPC (vpc-67890). The solutions architect must implement a preventive control to ensure that ECS tasks only run in the approved VPC. The company uses AWS Organizations and has Service Control Policies (SCPs) in place. What should the solutions architect do?

27

Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.

28

Drag and drop the steps to restore an Amazon RDS DB instance from a snapshot in the correct order.

29

Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.

30

Match each AWS service to its primary use case.

31

Match each AWS migration service to its function.

32

Match each AWS disaster recovery strategy to its description.

33

A company wants to implement a multi-account strategy using AWS Organizations. The security team requires that all new accounts added to the organization automatically inherit a baseline set of security controls, such as AWS CloudTrail and AWS Config rules. Which approach should the company use?

34

A company uses AWS Organizations with multiple OUs. The security team wants to prevent all accounts in the 'Production' OU from using non-compliant EC2 instance types, but allow exceptions for specific accounts. Which combination of controls should be used?

35

A company has a central IT team that manages networking resources for multiple application teams. Each application team needs to manage its own EC2 instances and RDS databases. Which AWS architecture best supports this separation of duties?

36

A company has multiple AWS accounts and wants to centralize logging from all accounts to a single S3 bucket in a logging account. The logs must be encrypted with a KMS key managed by the logging account. What is the MOST secure way to allow cross-account S3 server access logs?

37

A company uses AWS Organizations and wants to delegate administration of a specific service to a member account. The service must be able to perform actions across all accounts in the organization. Which steps should the company take?

38

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts. The company has an existing identity source in an on-premises Active Directory. Which integration method should the company use?

39

A company uses a centralized logging account with an S3 bucket that receives VPC Flow Logs from multiple accounts. The logs must be encrypted at rest using a KMS key in the logging account. Which configuration is required to allow cross-account delivery of VPC Flow Logs?

40

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances launched in any account must have a specific tag key 'CostCenter'. Which approach should be used?

41

A company wants to allow developers to manage their own resources in individual AWS accounts while the central IT team manages networking and security. Which AWS service can help enforce that developers cannot modify networking resources?

42

A company is implementing a multi-account strategy using AWS Organizations. They want to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which TWO steps are required to achieve this? (Choose two.)

43

A company has a production AWS account that contains sensitive data. The security team wants to ensure that no one can disable AWS CloudTrail or delete the CloudTrail S3 bucket. Which THREE actions should be taken to protect these resources? (Choose three.)

44

A company wants to implement AWS Organizations with multiple OUs to isolate development, testing, and production workloads. The company needs to ensure that production workloads are not impacted by changes in other OUs. Which TWO practices should the company follow? (Choose two.)

45

An administrator attached the above IAM policy to a group of developers. A developer tries to launch a t3.medium EC2 instance and receives an 'AccessDenied' error. What is the MOST likely reason?

46

A company uses a cross-account IAM role 'LogDelivery' in account 111122223333 to write logs to an S3 bucket 'my-company-logs' in a logging account. The bucket policy is shown above. Logs are not being delivered. What is the MOST likely issue?

47

An administrator runs the above command and sees that the 'Prod' account is suspended. What is the MOST likely cause?

48

A company has multiple AWS accounts managed under AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account are automatically tagged with a 'CostCenter' tag. Which solution is the MOST operationally efficient?

49

A company is designing a multi-account strategy for its development, testing, and production environments. The security team requires that all accounts share a centralized logging solution. Which approach meets this requirement with the LEAST administrative overhead?

50

A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?

51

A company is implementing a data lake on Amazon S3. The data lake must be accessible from multiple accounts within the same AWS Organization. Objects must be encrypted at rest, and the company wants to use a single AWS KMS key for simplicity. Which solution meets these requirements?

52

A company has a management account in AWS Organizations. It wants to delegate administration of AWS IAM Identity Center to a member account for user management. What is the correct way to achieve this?

53

A company has a multi-account environment with over 500 accounts. They need to enforce that all EC2 instances are launched only in approved instance families (e.g., t3, m5, c5). Which combination of AWS services provides the MOST scalable and effective enforcement?

54

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs across different accounts that need to authenticate against the same directory. What is the MOST scalable and secure way to provide this access?

55

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by department. Each department has its own AWS account. Which feature should be used to map costs to departments?

56

A company has a centralized logging solution where all VPC Flow Logs from member accounts are delivered to a central S3 bucket in the logging account. The logs contain sensitive IP addresses that must be redacted before analysis. What is the MOST scalable approach?

57

A company is designing a cross-account backup strategy using AWS Backup. The backup policy must be centrally managed from the management account. Which TWO steps are required to implement this?

58

A company has a multi-account architecture with a shared services account that hosts a central Amazon RDS instance. Member accounts need to access this database. Which TWO actions should the company take to enable secure access?

59

A company uses AWS Organizations and wants to implement a least-privilege model for IAM roles. The security team needs to ensure that no IAM role can be created without an approval workflow. Which THREE steps should the company take?

60

A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?

61

Refer to the exhibit. This bucket policy is applied to a central logging bucket in account 111111111111. Account 222222222222 wants to deliver CloudTrail logs to this bucket. However, log delivery fails. What is the MOST likely cause?

62

Refer to the exhibit. A company has the above AWS Organization with a management account (111111111111) and a production account (222222222222). The security administrator in the management account creates an SCP that denies s3:DeleteBucket. The SCP is attached to the root. The production account's administrator tries to delete an S3 bucket and fails. What is the MOST likely reason?

63

A company is implementing a multi-account strategy using AWS Organizations. They need to centralize logging of all API calls across accounts. Which solution meets this requirement with the least operational overhead?

64

A company has multiple business units, each with its own AWS account. They want to enforce that all EC2 instances launched across accounts use only approved AMIs. The AMIs are stored in a central account. What is the MOST scalable and secure way to enforce this?

65

A company has a centralized IT team that manages AWS accounts for multiple departments. They need to grant the team permissions to create and manage IAM roles in all accounts, but without giving them full administrator access. What should they use?

66

A company uses AWS Organizations with multiple accounts. They want to centralize VPC flow logs for all VPCs across accounts. The logs should be stored in a central S3 bucket in the management account. What is the MOST efficient way to achieve this?

67

A company is using AWS Organizations with hundreds of accounts. They need to ensure that no account can modify the VPC default security group. Which SCP should they apply to the root OU?

68

A company wants to allow developers to launch EC2 instances only if they include a specific tag 'CostCenter'. The tag must be provided at launch. Which IAM policy should be used?

69

A company has multiple AWS accounts and wants to use AWS CloudFormation StackSets to deploy a common set of resources across all accounts. The StackSet should be managed from the management account. What permissions are required?

70

A company uses AWS Organizations with a policy that denies access to services unless they are explicitly allowed. The security team wants to allow only approved services. What type of policy should they use?

71

A company wants to centralize management of AWS resources across multiple accounts using AWS Control Tower. What is a prerequisite for setting up Control Tower?

72

A company is using AWS Organizations and wants to delegate administration of Amazon GuardDuty to a member account. Which of the following are required? (Choose TWO.)

73

A company wants to use AWS Resource Access Manager (RAM) to share a subnet in a VPC with other accounts in the organization. Which of the following are required? (Choose THREE.)

74

A company wants to centrally manage IAM users across multiple AWS accounts using AWS IAM Identity Center (successor to AWS Single Sign-On). Which of the following are true? (Choose TWO.)

75

A company is using AWS Organizations to manage multiple accounts. The security team requires that all newly created member accounts automatically have an AWS Config rule enabled that checks whether S3 buckets have default encryption enabled. Which solution should be used?

76

A company has multiple AWS accounts and wants to centralize CloudTrail logs in a single S3 bucket in the security account. Which policy should be applied to the S3 bucket to allow cross-account delivery from all member accounts?

77

A company uses AWS Organizations with a hierarchical OU structure. The security OU has an SCP that denies all actions except those explicitly allowed. The development OU has an SCP that allows all actions. A developer account in the development OU tries to launch an EC2 instance but receives an access denied error. The IAM user in the developer account has full administrator permissions. What is the most likely cause?

78

A company is using AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have a specific AWS Config rule enabled and that any drift is automatically remediated. Which approach should be used?

79

A company has a centralized logging account and multiple application accounts. Each application account sends CloudWatch Logs to a cross-account log group in the logging account. The security team wants to ensure that logs are encrypted at rest using a KMS key that only the logging account can manage. Which configuration is required?

80

A company is using AWS Organizations and wants to allow certain member accounts to create VPCs with specific CIDR ranges. Which mechanism should be used to enforce this restriction?

81

A company has a multi-account environment with a centralized network account that hosts a transit gateway. Application accounts need to connect to the transit gateway. The network team wants to ensure that only authorized accounts can create attachments. Which method should be used?

82

A company uses AWS SSO with an external identity provider. The security team needs to enforce that users in the finance department can only access the finance OU accounts. Which configuration is required?

83

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by project, but projects span multiple accounts. Which approach should be used to tag resources consistently across accounts?

84

A company is designing a multi-account strategy using AWS Organizations. The security team requires that all API calls to create or modify IAM roles are logged and alerted. Which TWO steps should be taken to meet this requirement?

85

A company has a centralized logging account and multiple member accounts. The member accounts generate VPC Flow Logs that need to be sent to a central S3 bucket in the logging account. Which TWO steps must be taken to enable this cross-account delivery?

86

A company is using AWS Organizations with multiple OUs. The security team wants to ensure that no account can delete CloudTrail trails or S3 bucket policies. Which THREE SCP strategies should be combined?

87

Refer to the exhibit. A company applies this S3 bucket policy to a central logging bucket. CloudTrail trails in multiple accounts are configured to deliver logs to this bucket. Recently, logs stopped being delivered. What is the most likely cause?

88

Refer to the exhibit. A company runs this CLI command and sees the output. Which account is the management account?

89

Refer to the exhibit. A company attaches this SCP to the root of an AWS Organization. What is the effect?

90

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all new member accounts automatically have AWS Config enabled with a specific set of rules. Which solution is the MOST efficient?

91

A global company is using AWS Organizations with hundreds of accounts. The IT team needs to centrally manage DNS records for all accounts using Amazon Route 53 private hosted zones. The solution must be highly available and support cross-account DNS resolution. What should the team do?

92

A company wants to implement a centralized logging solution for all AWS accounts in AWS Organizations. The logs include CloudTrail, VPC Flow Logs, and AWS Config configuration items. Which approach provides the MOST scalable and cost-effective solution?

93

A company uses AWS Organizations with a multi-account strategy. The security team wants to restrict the use of specific instance types across all accounts. What is the MOST effective way to enforce this policy?

94

A company has a production AWS account that is part of an AWS Organization. The account has a VPC with a NAT gateway for internet access. The security team wants to ensure that all outbound traffic to the internet flows through a centralized inspection VPC in the security account for traffic inspection. Which architecture should be used?

95

A company is migrating to AWS and plans to use a multi-account strategy. The management account will be used solely for administrative purposes. Which best practice should be followed when setting up AWS Organizations?

96

A company has multiple AWS accounts and wants to share a centrally managed Amazon VPC subnet for workloads that require low latency. The VPC is in the networking account. Which solution meets these requirements with the LEAST operational overhead?

97

A company uses AWS Organizations and wants to implement a policy that prevents any account from disabling AWS CloudTrail or deleting CloudTrail log files. The solution must be enforceable across all accounts. Which combination of actions should be taken?

98

A company is using AWS Organizations with a multi-account strategy. The finance team wants to centrally manage and enforce cost allocation tags across all accounts. Which solution is MOST effective?

99

A company is setting up a new AWS Organization and wants to implement a data perimeter to ensure that data can only be accessed from approved network locations. Which TWO actions should the company take?

100

A company has a multi-account AWS environment with a central security account for AWS GuardDuty, AWS Security Hub, and AWS IAM Access Analyzer. The security team wants to aggregate findings from all member accounts into the security account. Which THREE steps should be taken?

101

A company is using AWS Organizations with multiple accounts. The IT team wants to centrally manage AWS Systems Manager Patch Manager to patch EC2 instances across all accounts. Which TWO actions are required?

102

A company attaches the above SCP to the root organizational unit. The development team in a member account wants to launch an EC2 instance in the ap-southeast-1 region. What will happen?

103

A company uses AWS Organizations and has shared a subnet from the VPC shown in the exhibit using AWS Resource Access Manager (RAM). A workload account launches an EC2 instance in the shared subnet. The instance needs to communicate with an RDS database in a different private subnet within the same VPC. What additional configuration is required?

104

A company has a central S3 bucket for logs (central-logs-bucket) in account 123456789012. The bucket policy is shown in the exhibit. A developer in account 111111111111 tries to access an object in the bucket using the AWS CLI without the --no-sign-request option. The request fails. What is the MOST likely cause?

105

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts have server-side encryption with AWS KMS (SSE-KMS) enabled, and any new bucket that does not comply must be automatically remediated. Which design should be used?

106

A company uses AWS Organizations with 50 accounts. The central IT team wants to deploy a CloudFormation stack set to create a VPC with a CIDR of 10.0.0.0/16 in each account, but the VPC CIDR must not overlap with existing VPCs in each account. What is the most scalable and automated approach?

107

A company has a centralized logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all member accounts in AWS Organizations. The logs are stored in an S3 bucket in the logging account. Security analysts need to query these logs using Amazon Athena. What is the MOST efficient way to set up the table partitions?

108

A company is using AWS Organizations with a single OU for all production accounts. The security team wants to restrict the use of specific instance types across all accounts in the OU. They create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the allowed list. However, some accounts still launch disallowed instance types. What is the most likely cause?

109

A company has a multi-account architecture with a central networking account that hosts a Transit Gateway. Each workload account has VPCs attached to the Transit Gateway. The company wants to centrally manage DNS resolution across all VPCs using Route 53 Resolver. They create a Route 53 Resolver outbound endpoint in the networking account and associate it with the workload VPCs via RAM. However, workload accounts cannot resolve on-premises hostnames. What is the missing configuration?

110

A company has an AWS Organization with a management account and several member accounts. The management account hosts a central S3 bucket that stores CloudTrail logs from all accounts. The company wants to ensure that only the management account can delete objects from this bucket. Which policy should be applied to the bucket?

111

A company has a multi-account AWS environment with a central logging account. All VPC Flow Logs are published to a central S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena, but they want to minimize costs by reducing the amount of data scanned. Which partitioning strategy is MOST effective?

112

A company uses AWS Organizations with 100 accounts. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if MFA is not present. However, some users report that they cannot access the console even with MFA. What is the most likely reason?

113

A company has an AWS Organization with multiple accounts. The central IT team wants to deploy a common set of AWS Config rules across all accounts in the production OU. Which approach is the MOST scalable and maintainable?

114

A company is using AWS Organizations with a centralized logging account. They want to collect VPC Flow Logs from all member accounts into a single S3 bucket in the logging account. Which TWO steps are required to achieve this?

115

A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?

116

A company uses AWS Organizations to manage multiple accounts. The central team wants to deploy a CloudFormation template that creates an S3 bucket with default encryption in every member account. Which THREE steps are required to accomplish this?

117

A security engineer attaches this SCP to the root organizational unit. What is the result?

118

A solutions architect sees this output from the AWS CLI. The management account (111111111111) has a service control policy (SCP) attached that denies all actions unless the request originates from a specific IP range. Which account(s) are affected by this SCP?

119

An SCP is attached to a production OU. An IAM user in a member account under that OU attempts to launch an m5.large EC2 instance. What happens?

120

A multinational corporation is deploying a multi-account AWS environment using AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with a specific AWS KMS key managed by the security account. Which solution should the company implement to enforce this policy across the organization?

121

A company has a centralized logging solution using Amazon OpenSearch Service (Elasticsearch) and wants to ensure logs from all AWS accounts are shipped to a central account. Which AWS service can be used to collect and forward logs from multiple accounts to a single destination?

122

A company uses AWS Organizations with 50 accounts. The network team wants to centrally manage VPC flow logs for all accounts, storing them in a central S3 bucket in the security account. The flow logs must be encrypted with a KMS key managed by the security account. What is the MOST efficient way to configure this?

123

A company is implementing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS and that access must be logged. The data lake has millions of objects, and the security team wants to detect any changes to bucket policies or encryption settings. Which combination of services should be used?

124

A company has a multi-account AWS environment with a centralized security account. The security team wants to ensure that any IAM role created in any account with a trust policy allowing access from another AWS account must be approved by the security team. Which approach should be used?

125

A company wants to centralize management of Amazon EC2 instances across multiple accounts using AWS Systems Manager. The company uses AWS Organizations. What is the simplest way to enable Systems Manager to manage instances in all accounts?

126

A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?

127

A company uses AWS Organizations with 200 accounts. The security team wants to enforce that all EC2 instances launched in any account must use a specific Amazon Machine Image (AMI) ID that is approved by the security team. Which approach should be used?

128

A company wants to provide its developers with access to a shared development environment in AWS. The developers are in different AWS accounts, and they need to assume an IAM role in the development account. What is the secure way to allow cross-account access?

129

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts use AWS CloudTrail with logs delivered to a central S3 bucket. Which TWO actions should be taken to enforce this?

130

A company has a multi-account AWS environment with a central security account. The security team wants to implement a solution that allows them to centrally manage and audit IAM permissions across all accounts. Which THREE services should be combined to achieve this?

131

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts and business applications. Which TWO components are required for this setup?

132

Refer to the exhibit. A company attached the above SCP to an OU in AWS Organizations. The SCP is intended to allow only t3.micro and t3.small EC2 instances. However, users in accounts within that OU are still able to launch other instance types. What is the most likely reason?

133

Refer to the exhibit. A company has a trust policy on an IAM role in account 222222222222. The trust policy allows the root user of account 111111111111 to assume the role. However, a user in account 111111111111 is unable to assume the role. What is the most likely cause?

134

Refer to the exhibit. A company has created a CloudTrail trail named 'my-trail' in the management account of AWS Organizations. The trail is configured to deliver logs to a central S3 bucket. The security team wants to capture all management events from all accounts in the organization. Based on the exhibit, what is the most likely issue?

135

A company wants to centralize access control for multiple AWS accounts using AWS Organizations. They need to allow developers in a specific account to launch EC2 instances only in certain regions. What is the most scalable solution?

136

A multinational corporation uses AWS Organizations with hundreds of accounts. The security team requires that all Amazon S3 buckets across the organization be encrypted with a specific AWS KMS key from the security account. Which combination of controls should be implemented to enforce this requirement?

137

A company is migrating to AWS and wants to use AWS CloudFormation to manage infrastructure as code. The DevOps team needs to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

138

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. What is the most efficient way to enforce this?

139

A company is designing a multi-account AWS environment for different business units. They need to share a central Amazon RDS database with read replicas in each account for disaster recovery. What architecture minimizes cross-region data transfer costs while maintaining high availability?

140

A company uses AWS Organizations with a large number of accounts. The networking team wants to centrally manage VPCs and subnets using AWS Resource Access Manager (RAM) and share subnets to member accounts. What must be done in the member accounts to use shared subnets?

141

A company wants to use AWS Systems Manager to automate patching of EC2 instances across multiple AWS accounts. What is the most efficient way to manage this centrally?

142

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs to ensure that all accounts use a specific set of IAM roles for cross-account access. What is the most scalable way to enforce this?

143

A company uses AWS Organizations and wants to enable cost allocation across business units using tags. They require that all resources are tagged with a 'CostCenter' tag. What is the most effective way to enforce this?

144

A company is designing a multi-account AWS environment with a centralized logging account. Which TWO services should be used to aggregate logs from all accounts?

145

A company wants to implement a data lake strategy using Amazon S3 across multiple AWS accounts. They need to ensure that data is encrypted at rest using a centralized AWS KMS key from a security account. Which THREE steps should they take?

146

A company uses AWS Organizations and wants to centrally manage VPC flow logs for all VPCs across all accounts. Which TWO steps are required to achieve this?

147

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with AWS KMS and that bucket policies enforce HTTPS. What is the MOST efficient way to enforce these policies across all accounts?

148

A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has strict latency requirements and must be deployed across multiple Availability Zones. Which design strategy BEST meets these requirements while minimizing operational overhead?

149

A solutions architect needs to design a network architecture for a multi-account AWS environment using AWS Transit Gateway. The company requires that all traffic between VPCs be inspected by a central security appliance. What is the MOST efficient way to achieve this?

150

A company uses AWS Organizations with several OUs. The security team wants to restrict the use of specific instance types (e.g., all instances except t2.micro) across all accounts. Which SCP should be applied?

151

A global company has a multi-region AWS deployment. They need to share a single Amazon RDS for MySQL database across multiple AWS Regions for disaster recovery. The database must have minimal data loss and RTO of less than 1 minute. Which solution meets these requirements?

152

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail. They want to ensure that logs are immutable and cannot be deleted or modified by any user, including the root user. Which S3 feature should be enabled?

153

A company uses AWS Organizations with multiple accounts. The finance team needs to track costs by department, where each department uses resources across several accounts. What is the BEST way to allocate costs accurately?

154

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The architecture must handle sudden spikes in traffic without losing events. Which configuration ensures the highest reliability?

155

A company wants to allow developers to assume a role in a production account from their development account using AWS IAM. What is needed for this cross-account access?

156

Which TWO actions improve the security of an S3 bucket that stores sensitive data?

157

Which THREE design patterns are recommended for decoupling components in a microservices architecture on AWS?

158

Which TWO AWS services can be used to implement a centralized logging solution across multiple AWS accounts?

159

A multinational company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization block public access. What is the MOST efficient way to enforce this requirement?

160

A company has multiple AWS accounts managed through AWS Organizations. The central IT team wants to allow developers to launch EC2 instances only in specific Regions, but allow full access to all other services. What is the BEST approach?

161

A company uses AWS Organizations with a single OU for all accounts. The security team wants to prevent any account from leaving the organization without approval. What should they do?

162

A company has a multi-account AWS environment. The security team wants to centrally manage VPC flow logs for all accounts. They already have a centralized logging account. What is the MOST scalable solution?

163

A company uses AWS Organizations with multiple OUs. The finance team needs visibility into costs across all accounts. They want to tag resources with a 'CostCenter' tag. What is the BEST way to enforce tag propagation?

164

A company wants to allow developers to launch EC2 instances only in the us-east-1 Region. They have a single AWS account. What is the simplest way to enforce this?

165

A company uses AWS Organizations with 500 accounts. They want to enforce that all accounts use a specific set of allowed AMIs for EC2. What is the MOST scalable solution?

166

A company has a centralized security account and wants to enable AWS Config in all accounts. They want to centrally manage Config rules and view compliance. What should they do?

167

A company needs to share a VPC subnet with multiple accounts in the same AWS Organization. What is the MOST secure way to achieve this?

168

Which TWO actions should a company take to implement a least-privilege access model across multiple AWS accounts? (Choose TWO.)

169

Which THREE components are required to set up a centralized logging solution for multiple AWS accounts using Amazon S3? (Choose THREE.)

170

Which TWO AWS services can be used to automate the enforcement of compliance policies across multiple AWS accounts? (Choose TWO.)

171

A company applied the above SCP to an OU. A developer in an account under that OU tries to launch a t2.medium EC2 instance. What will happen?

172

A company ran the command above. The management account (111111111111) has an SCP attached that denies all actions. The DevAccount (222222222222) has no SCP. What can the root user of the DevAccount do?

173

A security engineer created the above bucket policy on the central-logging-bucket in account 111111111111. They want account 222222222222 to deliver CloudTrail logs to this bucket. What is missing?

174

A multinational company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled. The company wants to enforce this policy centrally without modifying each bucket individually. Which solution is MOST effective?

175

A company uses AWS Organizations with multiple accounts. The central IT team wants to restrict the use of specific EC2 instance types across all accounts to control costs. Which approach should the team use?

176

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles that grant cross-account access to a central security account. The solution must scale as new accounts are added. What should the team do?

177

A company uses AWS Organizations with consolidated billing. The finance team needs to track costs by department, which are tagged with 'department' tags. However, some resources are not tagged. The team wants to ensure that all new resources are tagged, and existing untagged resources are identified. What should they do?

178

A company is migrating to AWS and wants to set up a multi-account structure using AWS Organizations. The security team requires that all accounts be part of an organization and that any attempt to leave the organization be blocked. Additionally, the company wants to prevent the use of the root user in member accounts for daily operations. What should they do?

179

A company has a central IT team that manages multiple AWS accounts. The team wants to allow developers to create resources in their own accounts but wants to restrict the use of certain expensive services like Amazon Redshift. The developers should not be able to launch Redshift clusters in any account. What is the MOST efficient way to achieve this?

180

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for all accounts. The flow logs should be sent to a central S3 bucket in the logging account. The solution must be automated for new accounts added to the organization. What should the team do?

181

A company with multiple AWS accounts wants to centralize CloudTrail logging. They create a CloudTrail trail in the management account that logs all events across all accounts and regions. However, the security team notices that some management events from member accounts are not being logged. What is the most likely cause?

182

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users are created in member accounts. All access must be through federated roles. Which approach should they use?

183

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances must use a specific AMI ID that is approved by the security team. Which two actions should the team take to achieve this? (Choose two.)

184

A company is using AWS Organizations with hundreds of accounts. The central IT team needs to deploy a common set of AWS resources (e.g., VPCs, subnets, security groups) to all accounts in a specific organizational unit (OU). The solution must be automated and ensure that new accounts added to the OU automatically receive the resources. Which three steps should the team take? (Choose three.)

185

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally manage CloudWatch Logs from all accounts. The logs should be sent to a central S3 bucket in the management account. Which two actions should the team take? (Choose two.)

186

Refer to the exhibit. An IAM policy is attached to a user in the management account of AWS Organizations. The user wants to assume the OrganizationAccountAccessRole in a member account. However, the user receives an access denied error. What is the most likely reason?

187

Refer to the exhibit. A company has an SCP named 'DenyOutsideRegions' attached to the root OU. The SCP is intended to deny all actions outside us-east-1 and eu-west-1. However, users in a member account are still able to launch EC2 instances in ap-southeast-1. What is the most likely reason?

188

Refer to the exhibit. A company applies this SCP to an OU. However, users in the OU are still able to upload objects to S3 without encryption. What is the most likely reason?

189

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce that all newly created accounts automatically have a specific set of security controls, including AWS Config rules and an AWS CloudTrail trail. Which solution meets these requirements with the LEAST operational overhead?

190

A global company uses AWS Organizations with multiple organizational units (OUs) for different business units. The networking team wants to ensure that all VPCs across all accounts can communicate through a central transit gateway. However, the security team requires that specific accounts cannot access each other's resources. Which combination of actions should the company take to meet these requirements?

191

A company uses AWS Organizations with a single member account for its development environment. The IT team wants to allow developers to launch EC2 instances only if they use a specific AMI ID. Which policy type should the company use to enforce this requirement?

192

A company has a multi-account AWS environment with hundreds of accounts. The central IT team needs to audit all API calls made in the organization. The solution must be cost-effective and capture events from all regions and accounts, including future accounts. Which solution should the company use?

193

A company uses AWS Organizations with several OUs. The security team wants to enforce that EC2 instances in production accounts cannot have public IP addresses. The solution must be preventive and should not rely on developers remembering to follow guidelines. What should the security team do?

194

A company has multiple AWS accounts for different departments. The finance team wants to centrally manage and optimize EC2 Reserved Instance purchases across all accounts. Which solution should the company implement?

195

A company uses AWS Organizations with multiple OUs. The DevOps team wants to allow developers in a specific OU to create and manage their own VPCs but restrict them from deleting VPCs created by the central networking team. How can this be achieved?

196

A multinational corporation uses AWS Organizations to manage multiple accounts across different geographic regions. The company needs to ensure that all data residing in AWS accounts for a specific country remains within that country's boundaries. Which combination of AWS services and features should the company use to enforce this data residency requirement?

197

A company uses AWS Organizations with a management account and several member accounts. The security team needs to centrally manage IAM users and roles across all accounts. Which AWS service should the company use?

198

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in the organization are encrypted at rest. Which TWO approaches can the company use to achieve this? (Choose TWO.)

199

A company uses AWS Organizations with hundreds of accounts. The central IT team needs to ensure that all accounts use a standard set of network configurations, including VPC CIDR blocks and subnets. Which THREE steps should the team take to enforce this standard? (Choose THREE.)

200

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all root user activities are monitored and alerted. Which TWO actions should the team take? (Choose TWO.)

201

A company has a multi-account AWS environment using AWS Organizations with 50 accounts. The accounts are organized into OUs based on environment: Production, Staging, and Development. The central IT team uses AWS CloudFormation StackSets to deploy a baseline network configuration (VPC, subnets, security groups) to all accounts. Recently, the network team updated the stack set to add a new subnet to the VPC. After the update, they noticed that the stack set operation failed for 10 accounts. The error message indicates that the stack set cannot update because a resource already exists. What is the MOST LIKELY cause of this failure?

202

A large enterprise uses AWS Organizations with 200 accounts. The central security team has implemented a service control policy (SCP) that denies all actions unless the request comes from a specific set of allowed AWS services. The SCP is attached to the root OU. Recently, the DevOps team reported that they cannot launch Amazon EC2 instances in any account, even though they have full administrator access via IAM roles. The security team verifies that the SCP is correctly configured and that allowed services include EC2. However, the error message states 'Action 'ec2:RunInstances' is not authorized.' The DevOps team is using the AWS Management Console. What is the MOST LIKELY cause?

203

A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?

204

A company uses AWS Organizations with hundreds of accounts. The central IT team wants to manage IP address ranges for VPCs across all accounts using a custom AWS Resource Access Manager (RAM) resource share. They have created a resource share containing the IP address CIDR blocks (as managed prefix lists) and shared it with the organization. However, some accounts cannot see the shared prefix lists. What is the MOST likely cause?

205

A company has a multi-account AWS environment with a centralized logging account. They want to collect VPC Flow Logs from all accounts and store them in a centralized S3 bucket in the logging account. What is the MOST scalable and cost-effective solution?

206

Refer to the exhibit. A solutions architect applies this IAM policy to a user. The user tries to upload an object to my-bucket using an unencrypted HTTP connection with SSE-S3 encryption. Will the upload succeed?

207

A company is using AWS Organizations with a hierarchical OU structure. The security team wants to enforce that any new account created in the organization automatically inherits a baseline set of AWS Config rules and a VPC with a default CIDR block. What is the MOST efficient way to achieve this?

208

A company has a central IT team that manages AWS resources for multiple business units using AWS Organizations. Each business unit has its own OU. The central team needs to allow each OU's administrators to manage their own IAM roles and policies, but prevent them from modifying the OU structure or creating new accounts. Which IAM policy should be attached to the administrators in the management account?

209

A company wants to implement a centralized logging solution for its multi-account AWS environment. The solution must be resilient to AWS Regional failures and provide near real-time log delivery. Which combination of services should the company use?

210

A company uses AWS Organizations with multiple OUs. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID from a central list. The list changes frequently. What is the MOST scalable way to enforce this?

211

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The directory will be used for authentication across multiple VPCs in different accounts. The company needs to ensure that resources in all VPCs can resolve DNS names from the directory. What is the MOST scalable and secure solution?

212

A company is implementing a new multi-account strategy using AWS Organizations. The central IT team wants to delegate management of certain AWS services to individual account administrators while maintaining centralized governance. Which TWO actions should the team take? (Choose TWO.)

213

A company has a multi-account AWS environment with a centralized logging account. The security team needs to analyze VPC Flow Logs from all accounts using Amazon Athena. Which THREE steps are required to enable this analysis? (Choose THREE.)

214

A company is designing a multi-account strategy for development, testing, and production environments. They want to ensure that developers can deploy resources in development and testing accounts but not in production. Which TWO methods should the company use to achieve this? (Choose TWO.)

215

A large enterprise has a multi-account AWS environment with over 200 accounts organized under AWS Organizations. The central platform team uses AWS CloudFormation StackSets to deploy a standard VPC with a CIDR of 10.0.0.0/16 into each account. Recently, a business unit created a new account that was not included in the StackSet deployment, and the team manually deployed the VPC using a CloudFormation template. Now, the central team wants to ensure that all accounts have exactly the same VPC configuration and that any drift is automatically corrected. The team also wants to prevent unauthorized changes to the VPC configuration. What is the MOST efficient and secure solution?

216

A company is centralizing its logging across multiple AWS accounts using a central logging account. Each application account delivers its CloudTrail logs and VPC Flow Logs to an S3 bucket in the logging account. The security team needs to query these logs using Amazon Athena. The logs are currently in separate S3 prefixes per account. The team wants to create a single Athena table that can query logs from all accounts without having to modify the table definition every time a new account is added. The logs are in CSV format for VPC Flow Logs and JSON format for CloudTrail. What is the MOST efficient solution?

217

A startup is launching a new multi-account AWS environment using AWS Organizations. They want to ensure that only the central security team has access to the root user of each member account. Additionally, they want to enable multi-factor authentication (MFA) for the root user of each account. The security team has access to the management account. What is the MOST secure and efficient way to meet these requirements?

218

A multinational company wants to implement a multi-account AWS environment using AWS Organizations. The security team requires that all new accounts automatically have AWS CloudTrail and AWS Config enabled with specific rules. Which solution should the company use to enforce these settings across all accounts?

219

A company plans to migrate on-premises workloads to AWS. They have 500 VMs and need to ensure consistent network segmentation and security group rules across multiple VPCs in different AWS accounts. The network team uses a centralized hub-and-spoke model with AWS Transit Gateway. Which approach minimizes operational overhead while maintaining security compliance?

220

A startup is using a single AWS account for development, testing, and production. They want to isolate environments and improve security. What is the most aligned AWS best practice?

221

A company uses AWS Control Tower to manage a multi-account environment. They need to deploy a custom CloudFormation template to all accounts in a specific organizational unit (OU) whenever a new account is added. What should they use?

222

A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?

223

A company uses AWS Organizations with consolidated billing. The finance team needs to allocate costs to different departments based on resource tags. However, some resources are not tagged. What is the most effective solution?

224

A company is designing a cross-account backup strategy using AWS Backup. They have a central backup account that needs to manage backups for multiple member accounts. What is the minimal set of permissions required?

225

A company runs a global application on AWS spanning multiple regions. They need to enforce that IAM users in specific accounts can only launch EC2 instances in approved regions. The company uses AWS Organizations. What is the most effective way to enforce this?

226

A company needs to share a central Amazon S3 bucket containing common data files with multiple accounts in AWS Organizations. Which approach is most secure and scalable?

227

A company is designing a multi-account strategy using AWS Organizations. They want to enforce that no one can disable AWS CloudTrail in any account. Which TWO methods can achieve this?

228

A company has multiple AWS accounts and wants to centralize logging of all API calls. Which TWO services should be used together to achieve this?

229

A company uses AWS Organizations with 50 accounts. They need to manage EC2 instance inventory across all accounts. Which THREE steps are necessary to achieve this?

230

A financial services company uses AWS Organizations with a multi-account structure: a central security account, a shared services account, and multiple workload accounts. The security team needs to centrally manage and audit all changes to security groups across all accounts. They have implemented AWS Config with an aggregator in the security account. However, they notice that changes to security groups in workload accounts are not appearing in the aggregator. The workload accounts have AWS Config enabled and are recording security group changes. The security account has the necessary cross-account permissions. What is the most likely cause and solution?

231

A company has a production AWS account and a development AWS account under AWS Organizations. The development team wants to deploy a CloudFormation stack that creates an S3 bucket with a bucket policy that grants access to the production account's IAM roles. The development account has an SCP that denies all s3:PutBucketPolicy actions. The development team has full administrator access in their account. When they try to create the stack, it fails. What is the most likely reason and how should they proceed?

232

A company has a single AWS account that hosts multiple applications for different business units. Each business unit wants to have its own set of IAM users and permissions. The company wants to minimize administrative overhead while maintaining separation. They are considering using AWS Organizations with multiple accounts. However, the CFO is concerned about increased costs due to separate accounts. What is the best solution to address the business units' needs while managing costs?

233

A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?

234

A company has a multi-account AWS environment with 50 accounts. They need to implement a centralized logging solution for VPC Flow Logs, CloudTrail, and AWS Config logs. The logs must be stored in a central S3 bucket and encrypted with a customer-managed KMS key. Which THREE steps should be taken to meet these requirements?

235

A company manages 200 AWS accounts using AWS Organizations. The security team wants to prevent developers from creating resources outside of a set of approved AWS Regions. Additionally, they want to restrict the creation of resources that are not tagged with a cost center tag. Which THREE actions should be taken to enforce these requirements?

236

A company has a AWS Organizations setup with 100 accounts. The security team requires that all IAM users across all accounts must have multi-factor authentication (MFA) enabled. Currently, there is no central enforcement. The company wants to implement a solution that automatically detects IAM users without MFA and disables their access keys. The solution must be centrally managed from the management account. Which solution meets these requirements?

237

A company has a multi-account AWS environment with a central logging account and multiple workload accounts. The security team requires that all VPC Flow Logs be delivered to a central S3 bucket in the logging account. The VPC Flow Logs are encrypted with a customer-managed KMS key in the logging account. The workload accounts have created VPC Flow Logs, but the logs are not appearing in the central S3 bucket. The IAM role used by VPC Flow Logs in the workload accounts has the necessary permissions to deliver logs to the central S3 bucket. What is the most likely cause of the issue?

238

A company uses AWS Organizations with a management account and multiple member accounts. The management account has a trail in AWS CloudTrail that logs all management events for all accounts. The security team wants to also log data events for S3 buckets across all accounts. They create a new trail in the management account with data events enabled for all S3 buckets in all accounts. However, data events from member accounts are not appearing in the CloudTrail logs. What is the most likely cause?

239

A company has a multi-account AWS environment with 50 accounts. They use AWS Organizations and want to centrally manage EC2 instances across all accounts. The operations team needs to run a script on all EC2 instances that are tagged with Environment=Production. The script must be executed once immediately and requires access to a shared S3 bucket in the management account. Which solution meets these requirements with the least operational overhead?

240

A company has a centralized AWS account for security tools and multiple member accounts. They want to use AWS GuardDuty to detect threats across all accounts. They have enabled GuardDuty in the management account and invited all member accounts. GuardDuty is set to send findings to a central S3 bucket in the security account. However, findings from member accounts are not appearing in the central S3 bucket. The security account has a bucket policy that allows the GuardDuty service principal to write findings. What is the most likely cause?

241

A company uses AWS Organizations and wants to centrally manage backups for EC2 instances across multiple accounts. They want to create a backup plan that backs up all EC2 instances tagged with Backup=Weekly. The backup must be stored in a central backup vault in the management account. Which solution meets these requirements?

242

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to share a VPC subnet in the network account with the workload accounts so that they can launch EC2 instances directly into the shared subnet. The network team has created a VPC with a subnet and shared it using AWS Resource Access Manager (RAM) with the workload accounts. However, the workload accounts cannot see the shared subnet when launching EC2 instances. What is the most likely cause?

243

A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?

244

A company has a multi-account AWS environment. They want to use AWS CloudTrail to log all API calls across all accounts and deliver the logs to a central S3 bucket in the logging account. They have configured a trail in the management account that logs management events for all accounts. However, they notice that the logs from member accounts are not being delivered to the central S3 bucket. What is the most likely cause?

245

A company uses AWS Organizations and has a central security account. They want to use AWS Security Hub to aggregate findings from all member accounts. They have enabled Security Hub in the security account and invited all member accounts. However, findings from member accounts are not appearing in the Security Hub console of the security account. What is the most likely cause?

246

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to use AWS Transit Gateway to connect VPCs across accounts. The network team has created a Transit Gateway in the network account and shared it using AWS Resource Access Manager (RAM) with the workload accounts. The workload accounts have created VPC attachments to the Transit Gateway. However, traffic is not flowing between the VPCs. The route tables in the workload VPCs have routes pointing to the Transit Gateway. What is the most likely cause?

247

A company uses AWS Organizations and wants to centrally manage AWS Config rules across all member accounts. They have enabled AWS Config in the management account and used AWS Config aggregator to view compliance status across accounts. However, they want to enforce a specific Config rule in all accounts automatically. Which solution should they use?

248

A multinational corporation is migrating its on-premises Active Directory to AWS. The company requires a solution that supports multi-region authentication for thousands of users and integrates with existing on-premises Active Directory for seamless SSO. The solution must be highly available and provide low-latency authentication. Which TWO AWS services should be combined to meet these requirements? (Choose two.)

249

A startup is deploying a multi-account AWS environment using AWS Organizations. They have a central logging account where all VPC Flow Logs and CloudTrail logs are stored in an S3 bucket. The security team requires that all accounts in the organization, including future accounts, automatically send logs to this central bucket. They also want to prevent any account from disabling logging. Which solution meets these requirements?

250

A large enterprise with multiple business units (BUs) uses AWS Organizations with a shared services account and BU-specific accounts. Each BU account has a VPC with multiple subnets. The shared services account hosts a central NAT gateway that provides outbound internet access to all BU private subnets via VPC peering. Recently, the network team noticed that traffic from one BU's private subnet is being blocked by the security group in the shared services account. They verified that the route tables are correctly configured. What is the most likely cause and solution?

251

A global e-commerce company uses AWS Organizations with over 500 accounts. They have a central security account that aggregates CloudTrail logs and VPC Flow Logs from all accounts. The security team needs to analyze these logs using Amazon Athena and visualize the results in Amazon QuickSight. The logs are stored in an S3 bucket in the security account, and each member account writes its own prefix. The current setup uses a bucket policy to allow member accounts to write logs. Recently, the security team has been unable to query logs for the past week. They suspect the issue is related to a new SCP that was applied to the root. The SCP denies s3:PutObject unless the request includes a specific tag. Which action should the security team take to restore log delivery without compromising security?

252

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must block public access. How can this be enforced centrally with minimal operational overhead?

253

A global company uses a multi-account AWS Organizations structure with hundreds of accounts. The network team wants to centrally manage VPC flow logs for all accounts and send them to a centralized S3 bucket in the security account. Which solution is MOST scalable and operationally efficient?

254

A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?

255

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. They need to ensure that users can authenticate to AWS resources using their existing corporate credentials. What is the MOST secure and scalable solution?

256

An organization uses AWS Organizations with a multi-account strategy. The security team needs to ensure that all accounts must use AWS CloudTrail with logs delivered to a centralized S3 bucket. They also want to receive notifications if any account disables CloudTrail. What is the MOST efficient solution?

257

A company uses a central IT team to manage multiple AWS accounts. The team wants to provide developers with the ability to launch EC2 instances but restrict them to using only specific instance types. How should this be enforced?

258

A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?

259

A company uses AWS Organizations with a multi-account strategy. They want to allow a centralized DevOps team to manage EC2 instances across all accounts using AWS Systems Manager. The DevOps team should not have direct IAM access to the target accounts. How can this be achieved?

260

A company wants to implement a data lake on AWS with data from multiple sources. They need to store data in its raw format and allow multiple teams to query it using different tools. Which service should be used as the central storage layer?

261

A company is designing a multi-account AWS Organizations architecture. Which TWO considerations should be taken into account when designing the organizational structure?

262

A company uses AWS Organizations with a multi-account setup. The security team needs to ensure that all users in all accounts use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should be taken to enforce this?

263

A company wants to implement a cost allocation strategy using tags across multiple accounts in AWS Organizations. Which TWO practices should be followed?

264

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to centrally enforce that all S3 buckets across all accounts have server-side encryption enabled. Which solution should be used?

265

A multinational corporation is using AWS Organizations with hundreds of accounts. The finance team needs to track costs by cost center, which is stored as a tag on each resource. However, some resources are missing the tag. What is the most efficient way to ensure that all resources are tagged correctly going forward?

266

A company uses AWS Organizations and wants to allow a development account to assume a role in the production account for deployment purposes. Which component is necessary for this cross-account access?

267

A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?

268

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a specific member account. What must be done?

269

A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?

270

A company has a multi-account AWS environment with a shared services account that hosts Active Directory for authentication. Developers need to launch EC2 instances in development accounts and join them to the domain. What is the most secure way to allow this?

271

A company uses AWS Organizations and wants to allow certain accounts to use AWS Service Catalog for self-service provisioning. The IT team needs to control which products are available. Where should the product portfolio be shared?

272

A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?

273

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all new member accounts automatically have a specific AWS Config rule enabled. Which solution should be used?

274

A company uses AWS Organizations with a single OU for all production accounts. The central security team wants to prevent any user from disabling Amazon GuardDuty in any production account. What is the MOST effective way to enforce this?

275

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?

276

A company has a centralized network account that hosts a transit gateway with attachments to multiple VPCs in different accounts. The security team needs to ensure that all traffic between VPCs is inspected by a centralized NGFW appliance in the network account. What is the MOST efficient solution?

277

A company uses AWS Organizations with a single OU. The management account has a service control policy (SCP) that denies all actions on EC2 instances with a specific tag. However, users in a member account can still terminate tagged instances. What is the most likely cause?

278

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

279

A company uses AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required to set this up?

280

A company has a single AWS account and wants to implement a multi-account strategy for better isolation. Which AWS service is designed to help centrally manage multiple accounts?

281

A company uses AWS Organizations and has a member account that needs to access a shared S3 bucket in another member account. The bucket policy allows access from the account's root user. What is the simplest way to grant an IAM user in the member account access?

282

A company has a multi-account AWS environment with hundreds of accounts. They need to enforce that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. Which TWO actions should be taken to ensure compliance across the organization?

283

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet compliance requirements that logs be immutable and stored for 7 years. Which THREE services should be combined to achieve this?

284

A company uses AWS Organizations and wants to centralize Amazon VPC IP Address Manager (IPAM) across multiple accounts. Which TWO steps are required to enable cross-account IPAM?

285

A company has multiple AWS accounts managed through AWS Organizations. The security team requires that all VPC flow logs be enabled in every account and region. What is the MOST efficient way to enforce this requirement?

286

A global company is using a multi-account AWS Organizations setup with a centralized logging account. They want to aggregate CloudTrail logs from all accounts into a single S3 bucket in the logging account. Which combination of steps will meet this requirement?

287

A company uses AWS Organizations with hundreds of accounts. The security team needs to ensure that no IAM user in any account can create a new IAM user or access key. What is the most scalable way to enforce this?

288

A company is managing multiple AWS accounts using AWS Organizations. They want to centralize the management of EC2 instances and enforce tagging standards across all accounts. Which TWO approaches should they use?

289

A company uses AWS Organizations with a central security account. They need to ensure that any S3 bucket created in any account is configured with encryption and versioning enabled. Which THREE steps should they take?

290

A company wants to centrally manage IAM permissions across multiple AWS accounts using AWS Organizations. They need to allow developers to launch EC2 instances but restrict the instance types to approved families (e.g., t3 and m5). Which TWO solutions meet this requirement?

291

A company uses AWS Organizations with a management account and several member accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. What should they do?

292

A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?

293

A company manages multiple AWS accounts using AWS Organizations. They want to enforce that any EC2 instance launched with a public IP address must have a specific security group attached. What is the MOST effective way to enforce this?

294

A company uses AWS Organizations with a dedicated security account. They want to centralize the management of AWS Config rules and ensure that all accounts are compliant with the same set of rules. Which THREE steps should they take?

295

A company has a management account and several member accounts in AWS Organizations. They want to allow a developer in a member account to create an organization trail. What should they do?

296

A company uses AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization have server-side encryption enabled. Which is the MOST efficient way to enforce this policy?

297

A company has a multi-account AWS environment with centralized logging. The security team wants to ensure that all VPC Flow Logs are published to a central S3 bucket in the logging account. Which combination of steps should be taken to achieve this?

298

A company has a production AWS account and a development AWS account. The development team needs to assume an IAM role in the production account to deploy resources. What is the correct way to set up this cross-account access?

299

A company uses AWS Config to evaluate resource compliance across multiple accounts. The security team wants to automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Which solution is MOST scalable and secure?

300

A company manages multiple AWS accounts and wants to centralize billing and cost tracking. They have enabled AWS Organizations and consolidated billing. Which additional step should they take to gain granular visibility into costs per department?

Practice all 300 Design Solutions for Organizational Complexity questions

Other SAP-C02 exam domains

Design for New SolutionsContinuous Improvement for Existing SolutionsAccelerate Workload Migration and Modernization

Frequently asked questions

What does the Design Solutions for Organizational Complexity domain cover on the SAP-C02 exam?

The Design Solutions for Organizational Complexity domain covers the key concepts tested in this area of the SAP-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SAP-C02 domains — no account required.

How many Design Solutions for Organizational Complexity questions are in the SAP-C02 question bank?

The Courseiva SAP-C02 question bank contains 300 questions in the Design Solutions for Organizational Complexity domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Design Solutions for Organizational Complexity for SAP-C02?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Design Solutions for Organizational Complexity questions for SAP-C02?

Yes — the session launcher on this page draws questions exclusively from the Design Solutions for Organizational Complexity domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.

Free forever · No credit card required

Track your SAP-C02 domain progress

Save your results, see per-domain analytics, and get readiness scores — free, for every certification.

Sign Up Free

Free forever · Every certification included

Practice Session

10 questions20 questions30 questions50 questions

Study Resources

All DomainsPractice TestMock ExamFlashcardsStudy Guide

Related Exams

SAA-C03DOP-C02