Practice SAP-C02 Design Solutions for Organizational Complexity questions with full explanations on every answer.
Start practicing
Design Solutions for Organizational Complexity — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?
2A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?
3A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?
4A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?
5A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?
6A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?
7A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?
8Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?
9Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?
10A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?
11A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)
12A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?
13A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?
14A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?
15A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?
16A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?
17A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?
18A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?
19A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?
20A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)
21A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?
22A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?
23A large enterprise has a multi-account AWS environment managed through AWS Organizations. The central networking team uses a transit gateway in a shared services VPC to connect all VPCs. The security team requires that all traffic between VPCs be inspected by a third-party firewall appliance that is deployed in an auto-scaling group in the shared services VPC. The firewall appliance is configured as a Gateway Load Balancer (GWLB) endpoint. The transit gateway has a route table that sends all inter-VPC traffic to the GWLB endpoint. Recently, the operations team noticed that some applications are experiencing high latency and packet loss when communicating across VPCs. Upon investigation, they found that the firewall appliance is not scaling properly. Which solution should be implemented to ensure that the firewall can handle the traffic load and maintain low latency?
24A company has a centralized logging solution using Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) in a central logging account. Application logs from hundreds of EC2 instances across multiple accounts are shipped to the OpenSearch cluster via Amazon Kinesis Data Firehose. The security team requires that all log data be encrypted at rest and in transit. The logging account has a KMS key used to encrypt the OpenSearch cluster and the Firehose delivery stream. Recently, the security team noticed that some log deliveries are failing with 'AccessDenied' errors. The CloudWatch Logs delivery to Firehose is configured correctly. What is the most likely cause of the failure?
25A global e-commerce company is migrating its on-premises application to AWS. The application uses Active Directory for authentication and requires integration with AWS Managed Microsoft AD. The company has a multi-account strategy using AWS Organizations. Which TWO steps should the solutions architect take to ensure seamless authentication across the organization?
26A financial services company is migrating its trading platform to AWS. The platform consists of hundreds of microservices deployed in containers using Amazon ECS with Fargate launch type. Each service has its own IAM role for fine-grained permissions. The security team requires that all ECS tasks use a specific VPC (vpc-12345) and cannot run in any other VPC. During a recent audit, it was discovered that some tasks are running in a different VPC (vpc-67890). The solutions architect must implement a preventive control to ensure that ECS tasks only run in the approved VPC. The company uses AWS Organizations and has Service Control Policies (SCPs) in place. What should the solutions architect do?
27Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.
28Drag and drop the steps to restore an Amazon RDS DB instance from a snapshot in the correct order.
29Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.
30Match each AWS service to its primary use case.
31Match each AWS migration service to its function.
32Match each AWS disaster recovery strategy to its description.
33A company wants to implement a multi-account strategy using AWS Organizations. The security team requires that all new accounts added to the organization automatically inherit a baseline set of security controls, such as AWS CloudTrail and AWS Config rules. Which approach should the company use?
34A company uses AWS Organizations with multiple OUs. The security team wants to prevent all accounts in the 'Production' OU from using non-compliant EC2 instance types, but allow exceptions for specific accounts. Which combination of controls should be used?
35A company has a central IT team that manages networking resources for multiple application teams. Each application team needs to manage its own EC2 instances and RDS databases. Which AWS architecture best supports this separation of duties?
36A company has multiple AWS accounts and wants to centralize logging from all accounts to a single S3 bucket in a logging account. The logs must be encrypted with a KMS key managed by the logging account. What is the MOST secure way to allow cross-account S3 server access logs?
37A company uses AWS Organizations and wants to delegate administration of a specific service to a member account. The service must be able to perform actions across all accounts in the organization. Which steps should the company take?
38A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts. The company has an existing identity source in an on-premises Active Directory. Which integration method should the company use?
39A company uses a centralized logging account with an S3 bucket that receives VPC Flow Logs from multiple accounts. The logs must be encrypted at rest using a KMS key in the logging account. Which configuration is required to allow cross-account delivery of VPC Flow Logs?
40A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances launched in any account must have a specific tag key 'CostCenter'. Which approach should be used?
41A company wants to allow developers to manage their own resources in individual AWS accounts while the central IT team manages networking and security. Which AWS service can help enforce that developers cannot modify networking resources?
42A company is implementing a multi-account strategy using AWS Organizations. They want to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which TWO steps are required to achieve this? (Choose two.)
43A company has a production AWS account that contains sensitive data. The security team wants to ensure that no one can disable AWS CloudTrail or delete the CloudTrail S3 bucket. Which THREE actions should be taken to protect these resources? (Choose three.)
44A company wants to implement AWS Organizations with multiple OUs to isolate development, testing, and production workloads. The company needs to ensure that production workloads are not impacted by changes in other OUs. Which TWO practices should the company follow? (Choose two.)
45An administrator attached the above IAM policy to a group of developers. A developer tries to launch a t3.medium EC2 instance and receives an 'AccessDenied' error. What is the MOST likely reason?
46A company uses a cross-account IAM role 'LogDelivery' in account 111122223333 to write logs to an S3 bucket 'my-company-logs' in a logging account. The bucket policy is shown above. Logs are not being delivered. What is the MOST likely issue?
47An administrator runs the above command and sees that the 'Prod' account is suspended. What is the MOST likely cause?
48A company has multiple AWS accounts managed under AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account are automatically tagged with a 'CostCenter' tag. Which solution is the MOST operationally efficient?
49A company is designing a multi-account strategy for its development, testing, and production environments. The security team requires that all accounts share a centralized logging solution. Which approach meets this requirement with the LEAST administrative overhead?
50A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?
51A company is implementing a data lake on Amazon S3. The data lake must be accessible from multiple accounts within the same AWS Organization. Objects must be encrypted at rest, and the company wants to use a single AWS KMS key for simplicity. Which solution meets these requirements?
52A company has a management account in AWS Organizations. It wants to delegate administration of AWS IAM Identity Center to a member account for user management. What is the correct way to achieve this?
53A company has a multi-account environment with over 500 accounts. They need to enforce that all EC2 instances are launched only in approved instance families (e.g., t3, m5, c5). Which combination of AWS services provides the MOST scalable and effective enforcement?
54A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs across different accounts that need to authenticate against the same directory. What is the MOST scalable and secure way to provide this access?
55A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by department. Each department has its own AWS account. Which feature should be used to map costs to departments?
56A company has a centralized logging solution where all VPC Flow Logs from member accounts are delivered to a central S3 bucket in the logging account. The logs contain sensitive IP addresses that must be redacted before analysis. What is the MOST scalable approach?
57A company is designing a cross-account backup strategy using AWS Backup. The backup policy must be centrally managed from the management account. Which TWO steps are required to implement this?
58A company has a multi-account architecture with a shared services account that hosts a central Amazon RDS instance. Member accounts need to access this database. Which TWO actions should the company take to enable secure access?
59A company uses AWS Organizations and wants to implement a least-privilege model for IAM roles. The security team needs to ensure that no IAM role can be created without an approval workflow. Which THREE steps should the company take?
60A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?
61Refer to the exhibit. This bucket policy is applied to a central logging bucket in account 111111111111. Account 222222222222 wants to deliver CloudTrail logs to this bucket. However, log delivery fails. What is the MOST likely cause?
62Refer to the exhibit. A company has the above AWS Organization with a management account (111111111111) and a production account (222222222222). The security administrator in the management account creates an SCP that denies s3:DeleteBucket. The SCP is attached to the root. The production account's administrator tries to delete an S3 bucket and fails. What is the MOST likely reason?
63A company is implementing a multi-account strategy using AWS Organizations. They need to centralize logging of all API calls across accounts. Which solution meets this requirement with the least operational overhead?
64A company has multiple business units, each with its own AWS account. They want to enforce that all EC2 instances launched across accounts use only approved AMIs. The AMIs are stored in a central account. What is the MOST scalable and secure way to enforce this?
65A company has a centralized IT team that manages AWS accounts for multiple departments. They need to grant the team permissions to create and manage IAM roles in all accounts, but without giving them full administrator access. What should they use?
66A company uses AWS Organizations with multiple accounts. They want to centralize VPC flow logs for all VPCs across accounts. The logs should be stored in a central S3 bucket in the management account. What is the MOST efficient way to achieve this?
67A company is using AWS Organizations with hundreds of accounts. They need to ensure that no account can modify the VPC default security group. Which SCP should they apply to the root OU?
68A company wants to allow developers to launch EC2 instances only if they include a specific tag 'CostCenter'. The tag must be provided at launch. Which IAM policy should be used?
69A company has multiple AWS accounts and wants to use AWS CloudFormation StackSets to deploy a common set of resources across all accounts. The StackSet should be managed from the management account. What permissions are required?
70A company uses AWS Organizations with a policy that denies access to services unless they are explicitly allowed. The security team wants to allow only approved services. What type of policy should they use?
71A company wants to centralize management of AWS resources across multiple accounts using AWS Control Tower. What is a prerequisite for setting up Control Tower?
72A company is using AWS Organizations and wants to delegate administration of Amazon GuardDuty to a member account. Which of the following are required? (Choose TWO.)
73A company wants to use AWS Resource Access Manager (RAM) to share a subnet in a VPC with other accounts in the organization. Which of the following are required? (Choose THREE.)
74A company wants to centrally manage IAM users across multiple AWS accounts using AWS IAM Identity Center (successor to AWS Single Sign-On). Which of the following are true? (Choose TWO.)
75A company is using AWS Organizations to manage multiple accounts. The security team requires that all newly created member accounts automatically have an AWS Config rule enabled that checks whether S3 buckets have default encryption enabled. Which solution should be used?
76A company has multiple AWS accounts and wants to centralize CloudTrail logs in a single S3 bucket in the security account. Which policy should be applied to the S3 bucket to allow cross-account delivery from all member accounts?
77A company uses AWS Organizations with a hierarchical OU structure. The security OU has an SCP that denies all actions except those explicitly allowed. The development OU has an SCP that allows all actions. A developer account in the development OU tries to launch an EC2 instance but receives an access denied error. The IAM user in the developer account has full administrator permissions. What is the most likely cause?
78A company is using AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have a specific AWS Config rule enabled and that any drift is automatically remediated. Which approach should be used?
79A company has a centralized logging account and multiple application accounts. Each application account sends CloudWatch Logs to a cross-account log group in the logging account. The security team wants to ensure that logs are encrypted at rest using a KMS key that only the logging account can manage. Which configuration is required?
80A company is using AWS Organizations and wants to allow certain member accounts to create VPCs with specific CIDR ranges. Which mechanism should be used to enforce this restriction?
81A company has a multi-account environment with a centralized network account that hosts a transit gateway. Application accounts need to connect to the transit gateway. The network team wants to ensure that only authorized accounts can create attachments. Which method should be used?
82A company uses AWS SSO with an external identity provider. The security team needs to enforce that users in the finance department can only access the finance OU accounts. Which configuration is required?
83A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by project, but projects span multiple accounts. Which approach should be used to tag resources consistently across accounts?
84A company is designing a multi-account strategy using AWS Organizations. The security team requires that all API calls to create or modify IAM roles are logged and alerted. Which TWO steps should be taken to meet this requirement?
85A company has a centralized logging account and multiple member accounts. The member accounts generate VPC Flow Logs that need to be sent to a central S3 bucket in the logging account. Which TWO steps must be taken to enable this cross-account delivery?
86A company is using AWS Organizations with multiple OUs. The security team wants to ensure that no account can delete CloudTrail trails or S3 bucket policies. Which THREE SCP strategies should be combined?
87Refer to the exhibit. A company applies this S3 bucket policy to a central logging bucket. CloudTrail trails in multiple accounts are configured to deliver logs to this bucket. Recently, logs stopped being delivered. What is the most likely cause?
88Refer to the exhibit. A company runs this CLI command and sees the output. Which account is the management account?
89Refer to the exhibit. A company attaches this SCP to the root of an AWS Organization. What is the effect?
90A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all new member accounts automatically have AWS Config enabled with a specific set of rules. Which solution is the MOST efficient?
91A global company is using AWS Organizations with hundreds of accounts. The IT team needs to centrally manage DNS records for all accounts using Amazon Route 53 private hosted zones. The solution must be highly available and support cross-account DNS resolution. What should the team do?
92A company wants to implement a centralized logging solution for all AWS accounts in AWS Organizations. The logs include CloudTrail, VPC Flow Logs, and AWS Config configuration items. Which approach provides the MOST scalable and cost-effective solution?
93A company uses AWS Organizations with a multi-account strategy. The security team wants to restrict the use of specific instance types across all accounts. What is the MOST effective way to enforce this policy?
94A company has a production AWS account that is part of an AWS Organization. The account has a VPC with a NAT gateway for internet access. The security team wants to ensure that all outbound traffic to the internet flows through a centralized inspection VPC in the security account for traffic inspection. Which architecture should be used?
95A company is migrating to AWS and plans to use a multi-account strategy. The management account will be used solely for administrative purposes. Which best practice should be followed when setting up AWS Organizations?
96A company has multiple AWS accounts and wants to share a centrally managed Amazon VPC subnet for workloads that require low latency. The VPC is in the networking account. Which solution meets these requirements with the LEAST operational overhead?
97A company uses AWS Organizations and wants to implement a policy that prevents any account from disabling AWS CloudTrail or deleting CloudTrail log files. The solution must be enforceable across all accounts. Which combination of actions should be taken?
98A company is using AWS Organizations with a multi-account strategy. The finance team wants to centrally manage and enforce cost allocation tags across all accounts. Which solution is MOST effective?
99A company is setting up a new AWS Organization and wants to implement a data perimeter to ensure that data can only be accessed from approved network locations. Which TWO actions should the company take?
100A company has a multi-account AWS environment with a central security account for AWS GuardDuty, AWS Security Hub, and AWS IAM Access Analyzer. The security team wants to aggregate findings from all member accounts into the security account. Which THREE steps should be taken?
101A company is using AWS Organizations with multiple accounts. The IT team wants to centrally manage AWS Systems Manager Patch Manager to patch EC2 instances across all accounts. Which TWO actions are required?
102A company attaches the above SCP to the root organizational unit. The development team in a member account wants to launch an EC2 instance in the ap-southeast-1 region. What will happen?
103A company uses AWS Organizations and has shared a subnet from the VPC shown in the exhibit using AWS Resource Access Manager (RAM). A workload account launches an EC2 instance in the shared subnet. The instance needs to communicate with an RDS database in a different private subnet within the same VPC. What additional configuration is required?
104A company has a central S3 bucket for logs (central-logs-bucket) in account 123456789012. The bucket policy is shown in the exhibit. A developer in account 111111111111 tries to access an object in the bucket using the AWS CLI without the --no-sign-request option. The request fails. What is the MOST likely cause?
105A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts have server-side encryption with AWS KMS (SSE-KMS) enabled, and any new bucket that does not comply must be automatically remediated. Which design should be used?
106A company uses AWS Organizations with 50 accounts. The central IT team wants to deploy a CloudFormation stack set to create a VPC with a CIDR of 10.0.0.0/16 in each account, but the VPC CIDR must not overlap with existing VPCs in each account. What is the most scalable and automated approach?
107A company has a centralized logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all member accounts in AWS Organizations. The logs are stored in an S3 bucket in the logging account. Security analysts need to query these logs using Amazon Athena. What is the MOST efficient way to set up the table partitions?
108A company is using AWS Organizations with a single OU for all production accounts. The security team wants to restrict the use of specific instance types across all accounts in the OU. They create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the allowed list. However, some accounts still launch disallowed instance types. What is the most likely cause?
109A company has a multi-account architecture with a central networking account that hosts a Transit Gateway. Each workload account has VPCs attached to the Transit Gateway. The company wants to centrally manage DNS resolution across all VPCs using Route 53 Resolver. They create a Route 53 Resolver outbound endpoint in the networking account and associate it with the workload VPCs via RAM. However, workload accounts cannot resolve on-premises hostnames. What is the missing configuration?
110A company has an AWS Organization with a management account and several member accounts. The management account hosts a central S3 bucket that stores CloudTrail logs from all accounts. The company wants to ensure that only the management account can delete objects from this bucket. Which policy should be applied to the bucket?
111A company has a multi-account AWS environment with a central logging account. All VPC Flow Logs are published to a central S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena, but they want to minimize costs by reducing the amount of data scanned. Which partitioning strategy is MOST effective?
112A company uses AWS Organizations with 100 accounts. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if MFA is not present. However, some users report that they cannot access the console even with MFA. What is the most likely reason?
113A company has an AWS Organization with multiple accounts. The central IT team wants to deploy a common set of AWS Config rules across all accounts in the production OU. Which approach is the MOST scalable and maintainable?
114A company is using AWS Organizations with a centralized logging account. They want to collect VPC Flow Logs from all member accounts into a single S3 bucket in the logging account. Which TWO steps are required to achieve this?
115A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?
116A company uses AWS Organizations to manage multiple accounts. The central team wants to deploy a CloudFormation template that creates an S3 bucket with default encryption in every member account. Which THREE steps are required to accomplish this?
117A security engineer attaches this SCP to the root organizational unit. What is the result?
118A solutions architect sees this output from the AWS CLI. The management account (111111111111) has a service control policy (SCP) attached that denies all actions unless the request originates from a specific IP range. Which account(s) are affected by this SCP?
119An SCP is attached to a production OU. An IAM user in a member account under that OU attempts to launch an m5.large EC2 instance. What happens?
120A multinational corporation is deploying a multi-account AWS environment using AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with a specific AWS KMS key managed by the security account. Which solution should the company implement to enforce this policy across the organization?
121A company has a centralized logging solution using Amazon OpenSearch Service (Elasticsearch) and wants to ensure logs from all AWS accounts are shipped to a central account. Which AWS service can be used to collect and forward logs from multiple accounts to a single destination?
122A company uses AWS Organizations with 50 accounts. The network team wants to centrally manage VPC flow logs for all accounts, storing them in a central S3 bucket in the security account. The flow logs must be encrypted with a KMS key managed by the security account. What is the MOST efficient way to configure this?
123A company is implementing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS and that access must be logged. The data lake has millions of objects, and the security team wants to detect any changes to bucket policies or encryption settings. Which combination of services should be used?
124A company has a multi-account AWS environment with a centralized security account. The security team wants to ensure that any IAM role created in any account with a trust policy allowing access from another AWS account must be approved by the security team. Which approach should be used?
125A company wants to centralize management of Amazon EC2 instances across multiple accounts using AWS Systems Manager. The company uses AWS Organizations. What is the simplest way to enable Systems Manager to manage instances in all accounts?
126A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?
127A company uses AWS Organizations with 200 accounts. The security team wants to enforce that all EC2 instances launched in any account must use a specific Amazon Machine Image (AMI) ID that is approved by the security team. Which approach should be used?
128A company wants to provide its developers with access to a shared development environment in AWS. The developers are in different AWS accounts, and they need to assume an IAM role in the development account. What is the secure way to allow cross-account access?
129A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts use AWS CloudTrail with logs delivered to a central S3 bucket. Which TWO actions should be taken to enforce this?
130A company has a multi-account AWS environment with a central security account. The security team wants to implement a solution that allows them to centrally manage and audit IAM permissions across all accounts. Which THREE services should be combined to achieve this?
131A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts and business applications. Which TWO components are required for this setup?
132Refer to the exhibit. A company attached the above SCP to an OU in AWS Organizations. The SCP is intended to allow only t3.micro and t3.small EC2 instances. However, users in accounts within that OU are still able to launch other instance types. What is the most likely reason?
133Refer to the exhibit. A company has a trust policy on an IAM role in account 222222222222. The trust policy allows the root user of account 111111111111 to assume the role. However, a user in account 111111111111 is unable to assume the role. What is the most likely cause?
134Refer to the exhibit. A company has created a CloudTrail trail named 'my-trail' in the management account of AWS Organizations. The trail is configured to deliver logs to a central S3 bucket. The security team wants to capture all management events from all accounts in the organization. Based on the exhibit, what is the most likely issue?
135A company wants to centralize access control for multiple AWS accounts using AWS Organizations. They need to allow developers in a specific account to launch EC2 instances only in certain regions. What is the most scalable solution?
136A multinational corporation uses AWS Organizations with hundreds of accounts. The security team requires that all Amazon S3 buckets across the organization be encrypted with a specific AWS KMS key from the security account. Which combination of controls should be implemented to enforce this requirement?
137A company is migrating to AWS and wants to use AWS CloudFormation to manage infrastructure as code. The DevOps team needs to ensure that stack updates are reviewed and approved before execution. Which feature should they use?
138An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. What is the most efficient way to enforce this?
139A company is designing a multi-account AWS environment for different business units. They need to share a central Amazon RDS database with read replicas in each account for disaster recovery. What architecture minimizes cross-region data transfer costs while maintaining high availability?
140A company uses AWS Organizations with a large number of accounts. The networking team wants to centrally manage VPCs and subnets using AWS Resource Access Manager (RAM) and share subnets to member accounts. What must be done in the member accounts to use shared subnets?
141A company wants to use AWS Systems Manager to automate patching of EC2 instances across multiple AWS accounts. What is the most efficient way to manage this centrally?
142A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs to ensure that all accounts use a specific set of IAM roles for cross-account access. What is the most scalable way to enforce this?
143A company uses AWS Organizations and wants to enable cost allocation across business units using tags. They require that all resources are tagged with a 'CostCenter' tag. What is the most effective way to enforce this?
144A company is designing a multi-account AWS environment with a centralized logging account. Which TWO services should be used to aggregate logs from all accounts?
145A company wants to implement a data lake strategy using Amazon S3 across multiple AWS accounts. They need to ensure that data is encrypted at rest using a centralized AWS KMS key from a security account. Which THREE steps should they take?
146A company uses AWS Organizations and wants to centrally manage VPC flow logs for all VPCs across all accounts. Which TWO steps are required to achieve this?
147A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with AWS KMS and that bucket policies enforce HTTPS. What is the MOST efficient way to enforce these policies across all accounts?
148A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has strict latency requirements and must be deployed across multiple Availability Zones. Which design strategy BEST meets these requirements while minimizing operational overhead?
149A solutions architect needs to design a network architecture for a multi-account AWS environment using AWS Transit Gateway. The company requires that all traffic between VPCs be inspected by a central security appliance. What is the MOST efficient way to achieve this?
150A company uses AWS Organizations with several OUs. The security team wants to restrict the use of specific instance types (e.g., all instances except t2.micro) across all accounts. Which SCP should be applied?
151A global company has a multi-region AWS deployment. They need to share a single Amazon RDS for MySQL database across multiple AWS Regions for disaster recovery. The database must have minimal data loss and RTO of less than 1 minute. Which solution meets these requirements?
152A company has a centralized logging solution using Amazon S3 and AWS CloudTrail. They want to ensure that logs are immutable and cannot be deleted or modified by any user, including the root user. Which S3 feature should be enabled?
153A company uses AWS Organizations with multiple accounts. The finance team needs to track costs by department, where each department uses resources across several accounts. What is the BEST way to allocate costs accurately?
154A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The architecture must handle sudden spikes in traffic without losing events. Which configuration ensures the highest reliability?
155A company wants to allow developers to assume a role in a production account from their development account using AWS IAM. What is needed for this cross-account access?
156Which TWO actions improve the security of an S3 bucket that stores sensitive data?
157Which THREE design patterns are recommended for decoupling components in a microservices architecture on AWS?
158Which TWO AWS services can be used to implement a centralized logging solution across multiple AWS accounts?
159A multinational company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization block public access. What is the MOST efficient way to enforce this requirement?
160A company has multiple AWS accounts managed through AWS Organizations. The central IT team wants to allow developers to launch EC2 instances only in specific Regions, but allow full access to all other services. What is the BEST approach?
161A company uses AWS Organizations with a single OU for all accounts. The security team wants to prevent any account from leaving the organization without approval. What should they do?
162A company has a multi-account AWS environment. The security team wants to centrally manage VPC flow logs for all accounts. They already have a centralized logging account. What is the MOST scalable solution?
163A company uses AWS Organizations with multiple OUs. The finance team needs visibility into costs across all accounts. They want to tag resources with a 'CostCenter' tag. What is the BEST way to enforce tag propagation?
164A company wants to allow developers to launch EC2 instances only in the us-east-1 Region. They have a single AWS account. What is the simplest way to enforce this?
165A company uses AWS Organizations with 500 accounts. They want to enforce that all accounts use a specific set of allowed AMIs for EC2. What is the MOST scalable solution?
166A company has a centralized security account and wants to enable AWS Config in all accounts. They want to centrally manage Config rules and view compliance. What should they do?
167A company needs to share a VPC subnet with multiple accounts in the same AWS Organization. What is the MOST secure way to achieve this?
168Which TWO actions should a company take to implement a least-privilege access model across multiple AWS accounts? (Choose TWO.)
169Which THREE components are required to set up a centralized logging solution for multiple AWS accounts using Amazon S3? (Choose THREE.)
170Which TWO AWS services can be used to automate the enforcement of compliance policies across multiple AWS accounts? (Choose TWO.)
171A company applied the above SCP to an OU. A developer in an account under that OU tries to launch a t2.medium EC2 instance. What will happen?
172A company ran the command above. The management account (111111111111) has an SCP attached that denies all actions. The DevAccount (222222222222) has no SCP. What can the root user of the DevAccount do?
173A security engineer created the above bucket policy on the central-logging-bucket in account 111111111111. They want account 222222222222 to deliver CloudTrail logs to this bucket. What is missing?
174A multinational company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled. The company wants to enforce this policy centrally without modifying each bucket individually. Which solution is MOST effective?
175A company uses AWS Organizations with multiple accounts. The central IT team wants to restrict the use of specific EC2 instance types across all accounts to control costs. Which approach should the team use?
176A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles that grant cross-account access to a central security account. The solution must scale as new accounts are added. What should the team do?
177A company uses AWS Organizations with consolidated billing. The finance team needs to track costs by department, which are tagged with 'department' tags. However, some resources are not tagged. The team wants to ensure that all new resources are tagged, and existing untagged resources are identified. What should they do?
178A company is migrating to AWS and wants to set up a multi-account structure using AWS Organizations. The security team requires that all accounts be part of an organization and that any attempt to leave the organization be blocked. Additionally, the company wants to prevent the use of the root user in member accounts for daily operations. What should they do?
179A company has a central IT team that manages multiple AWS accounts. The team wants to allow developers to create resources in their own accounts but wants to restrict the use of certain expensive services like Amazon Redshift. The developers should not be able to launch Redshift clusters in any account. What is the MOST efficient way to achieve this?
180A company has multiple AWS accounts and wants to centrally manage VPC flow logs for all accounts. The flow logs should be sent to a central S3 bucket in the logging account. The solution must be automated for new accounts added to the organization. What should the team do?
181A company with multiple AWS accounts wants to centralize CloudTrail logging. They create a CloudTrail trail in the management account that logs all events across all accounts and regions. However, the security team notices that some management events from member accounts are not being logged. What is the most likely cause?
182A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users are created in member accounts. All access must be through federated roles. Which approach should they use?
183A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances must use a specific AMI ID that is approved by the security team. Which two actions should the team take to achieve this? (Choose two.)
184A company is using AWS Organizations with hundreds of accounts. The central IT team needs to deploy a common set of AWS resources (e.g., VPCs, subnets, security groups) to all accounts in a specific organizational unit (OU). The solution must be automated and ensure that new accounts added to the OU automatically receive the resources. Which three steps should the team take? (Choose three.)
185A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally manage CloudWatch Logs from all accounts. The logs should be sent to a central S3 bucket in the management account. Which two actions should the team take? (Choose two.)
186Refer to the exhibit. An IAM policy is attached to a user in the management account of AWS Organizations. The user wants to assume the OrganizationAccountAccessRole in a member account. However, the user receives an access denied error. What is the most likely reason?
187Refer to the exhibit. A company has an SCP named 'DenyOutsideRegions' attached to the root OU. The SCP is intended to deny all actions outside us-east-1 and eu-west-1. However, users in a member account are still able to launch EC2 instances in ap-southeast-1. What is the most likely reason?
188Refer to the exhibit. A company applies this SCP to an OU. However, users in the OU are still able to upload objects to S3 without encryption. What is the most likely reason?
189A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce that all newly created accounts automatically have a specific set of security controls, including AWS Config rules and an AWS CloudTrail trail. Which solution meets these requirements with the LEAST operational overhead?
190A global company uses AWS Organizations with multiple organizational units (OUs) for different business units. The networking team wants to ensure that all VPCs across all accounts can communicate through a central transit gateway. However, the security team requires that specific accounts cannot access each other's resources. Which combination of actions should the company take to meet these requirements?
191A company uses AWS Organizations with a single member account for its development environment. The IT team wants to allow developers to launch EC2 instances only if they use a specific AMI ID. Which policy type should the company use to enforce this requirement?
192A company has a multi-account AWS environment with hundreds of accounts. The central IT team needs to audit all API calls made in the organization. The solution must be cost-effective and capture events from all regions and accounts, including future accounts. Which solution should the company use?
193A company uses AWS Organizations with several OUs. The security team wants to enforce that EC2 instances in production accounts cannot have public IP addresses. The solution must be preventive and should not rely on developers remembering to follow guidelines. What should the security team do?
194A company has multiple AWS accounts for different departments. The finance team wants to centrally manage and optimize EC2 Reserved Instance purchases across all accounts. Which solution should the company implement?
195A company uses AWS Organizations with multiple OUs. The DevOps team wants to allow developers in a specific OU to create and manage their own VPCs but restrict them from deleting VPCs created by the central networking team. How can this be achieved?
196A multinational corporation uses AWS Organizations to manage multiple accounts across different geographic regions. The company needs to ensure that all data residing in AWS accounts for a specific country remains within that country's boundaries. Which combination of AWS services and features should the company use to enforce this data residency requirement?
197A company uses AWS Organizations with a management account and several member accounts. The security team needs to centrally manage IAM users and roles across all accounts. Which AWS service should the company use?
198A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in the organization are encrypted at rest. Which TWO approaches can the company use to achieve this? (Choose TWO.)
199A company uses AWS Organizations with hundreds of accounts. The central IT team needs to ensure that all accounts use a standard set of network configurations, including VPC CIDR blocks and subnets. Which THREE steps should the team take to enforce this standard? (Choose THREE.)
200A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all root user activities are monitored and alerted. Which TWO actions should the team take? (Choose TWO.)
201A company has a multi-account AWS environment using AWS Organizations with 50 accounts. The accounts are organized into OUs based on environment: Production, Staging, and Development. The central IT team uses AWS CloudFormation StackSets to deploy a baseline network configuration (VPC, subnets, security groups) to all accounts. Recently, the network team updated the stack set to add a new subnet to the VPC. After the update, they noticed that the stack set operation failed for 10 accounts. The error message indicates that the stack set cannot update because a resource already exists. What is the MOST LIKELY cause of this failure?
202A large enterprise uses AWS Organizations with 200 accounts. The central security team has implemented a service control policy (SCP) that denies all actions unless the request comes from a specific set of allowed AWS services. The SCP is attached to the root OU. Recently, the DevOps team reported that they cannot launch Amazon EC2 instances in any account, even though they have full administrator access via IAM roles. The security team verifies that the SCP is correctly configured and that allowed services include EC2. However, the error message states 'Action 'ec2:RunInstances' is not authorized.' The DevOps team is using the AWS Management Console. What is the MOST LIKELY cause?
203A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?
204A company uses AWS Organizations with hundreds of accounts. The central IT team wants to manage IP address ranges for VPCs across all accounts using a custom AWS Resource Access Manager (RAM) resource share. They have created a resource share containing the IP address CIDR blocks (as managed prefix lists) and shared it with the organization. However, some accounts cannot see the shared prefix lists. What is the MOST likely cause?
205A company has a multi-account AWS environment with a centralized logging account. They want to collect VPC Flow Logs from all accounts and store them in a centralized S3 bucket in the logging account. What is the MOST scalable and cost-effective solution?
206Refer to the exhibit. A solutions architect applies this IAM policy to a user. The user tries to upload an object to my-bucket using an unencrypted HTTP connection with SSE-S3 encryption. Will the upload succeed?
207A company is using AWS Organizations with a hierarchical OU structure. The security team wants to enforce that any new account created in the organization automatically inherits a baseline set of AWS Config rules and a VPC with a default CIDR block. What is the MOST efficient way to achieve this?
208A company has a central IT team that manages AWS resources for multiple business units using AWS Organizations. Each business unit has its own OU. The central team needs to allow each OU's administrators to manage their own IAM roles and policies, but prevent them from modifying the OU structure or creating new accounts. Which IAM policy should be attached to the administrators in the management account?
209A company wants to implement a centralized logging solution for its multi-account AWS environment. The solution must be resilient to AWS Regional failures and provide near real-time log delivery. Which combination of services should the company use?
210A company uses AWS Organizations with multiple OUs. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID from a central list. The list changes frequently. What is the MOST scalable way to enforce this?
211A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The directory will be used for authentication across multiple VPCs in different accounts. The company needs to ensure that resources in all VPCs can resolve DNS names from the directory. What is the MOST scalable and secure solution?
212A company is implementing a new multi-account strategy using AWS Organizations. The central IT team wants to delegate management of certain AWS services to individual account administrators while maintaining centralized governance. Which TWO actions should the team take? (Choose TWO.)
213A company has a multi-account AWS environment with a centralized logging account. The security team needs to analyze VPC Flow Logs from all accounts using Amazon Athena. Which THREE steps are required to enable this analysis? (Choose THREE.)
214A company is designing a multi-account strategy for development, testing, and production environments. They want to ensure that developers can deploy resources in development and testing accounts but not in production. Which TWO methods should the company use to achieve this? (Choose TWO.)
215A large enterprise has a multi-account AWS environment with over 200 accounts organized under AWS Organizations. The central platform team uses AWS CloudFormation StackSets to deploy a standard VPC with a CIDR of 10.0.0.0/16 into each account. Recently, a business unit created a new account that was not included in the StackSet deployment, and the team manually deployed the VPC using a CloudFormation template. Now, the central team wants to ensure that all accounts have exactly the same VPC configuration and that any drift is automatically corrected. The team also wants to prevent unauthorized changes to the VPC configuration. What is the MOST efficient and secure solution?
216A company is centralizing its logging across multiple AWS accounts using a central logging account. Each application account delivers its CloudTrail logs and VPC Flow Logs to an S3 bucket in the logging account. The security team needs to query these logs using Amazon Athena. The logs are currently in separate S3 prefixes per account. The team wants to create a single Athena table that can query logs from all accounts without having to modify the table definition every time a new account is added. The logs are in CSV format for VPC Flow Logs and JSON format for CloudTrail. What is the MOST efficient solution?
217A startup is launching a new multi-account AWS environment using AWS Organizations. They want to ensure that only the central security team has access to the root user of each member account. Additionally, they want to enable multi-factor authentication (MFA) for the root user of each account. The security team has access to the management account. What is the MOST secure and efficient way to meet these requirements?
218A multinational company wants to implement a multi-account AWS environment using AWS Organizations. The security team requires that all new accounts automatically have AWS CloudTrail and AWS Config enabled with specific rules. Which solution should the company use to enforce these settings across all accounts?
219A company plans to migrate on-premises workloads to AWS. They have 500 VMs and need to ensure consistent network segmentation and security group rules across multiple VPCs in different AWS accounts. The network team uses a centralized hub-and-spoke model with AWS Transit Gateway. Which approach minimizes operational overhead while maintaining security compliance?
220A startup is using a single AWS account for development, testing, and production. They want to isolate environments and improve security. What is the most aligned AWS best practice?
221A company uses AWS Control Tower to manage a multi-account environment. They need to deploy a custom CloudFormation template to all accounts in a specific organizational unit (OU) whenever a new account is added. What should they use?
222A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?
223A company uses AWS Organizations with consolidated billing. The finance team needs to allocate costs to different departments based on resource tags. However, some resources are not tagged. What is the most effective solution?
224A company is designing a cross-account backup strategy using AWS Backup. They have a central backup account that needs to manage backups for multiple member accounts. What is the minimal set of permissions required?
225A company runs a global application on AWS spanning multiple regions. They need to enforce that IAM users in specific accounts can only launch EC2 instances in approved regions. The company uses AWS Organizations. What is the most effective way to enforce this?
226A company needs to share a central Amazon S3 bucket containing common data files with multiple accounts in AWS Organizations. Which approach is most secure and scalable?
227A company is designing a multi-account strategy using AWS Organizations. They want to enforce that no one can disable AWS CloudTrail in any account. Which TWO methods can achieve this?
228A company has multiple AWS accounts and wants to centralize logging of all API calls. Which TWO services should be used together to achieve this?
229A company uses AWS Organizations with 50 accounts. They need to manage EC2 instance inventory across all accounts. Which THREE steps are necessary to achieve this?
230A financial services company uses AWS Organizations with a multi-account structure: a central security account, a shared services account, and multiple workload accounts. The security team needs to centrally manage and audit all changes to security groups across all accounts. They have implemented AWS Config with an aggregator in the security account. However, they notice that changes to security groups in workload accounts are not appearing in the aggregator. The workload accounts have AWS Config enabled and are recording security group changes. The security account has the necessary cross-account permissions. What is the most likely cause and solution?
231A company has a production AWS account and a development AWS account under AWS Organizations. The development team wants to deploy a CloudFormation stack that creates an S3 bucket with a bucket policy that grants access to the production account's IAM roles. The development account has an SCP that denies all s3:PutBucketPolicy actions. The development team has full administrator access in their account. When they try to create the stack, it fails. What is the most likely reason and how should they proceed?
232A company has a single AWS account that hosts multiple applications for different business units. Each business unit wants to have its own set of IAM users and permissions. The company wants to minimize administrative overhead while maintaining separation. They are considering using AWS Organizations with multiple accounts. However, the CFO is concerned about increased costs due to separate accounts. What is the best solution to address the business units' needs while managing costs?
233A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?
234A company has a multi-account AWS environment with 50 accounts. They need to implement a centralized logging solution for VPC Flow Logs, CloudTrail, and AWS Config logs. The logs must be stored in a central S3 bucket and encrypted with a customer-managed KMS key. Which THREE steps should be taken to meet these requirements?
235A company manages 200 AWS accounts using AWS Organizations. The security team wants to prevent developers from creating resources outside of a set of approved AWS Regions. Additionally, they want to restrict the creation of resources that are not tagged with a cost center tag. Which THREE actions should be taken to enforce these requirements?
236A company has a AWS Organizations setup with 100 accounts. The security team requires that all IAM users across all accounts must have multi-factor authentication (MFA) enabled. Currently, there is no central enforcement. The company wants to implement a solution that automatically detects IAM users without MFA and disables their access keys. The solution must be centrally managed from the management account. Which solution meets these requirements?
237A company has a multi-account AWS environment with a central logging account and multiple workload accounts. The security team requires that all VPC Flow Logs be delivered to a central S3 bucket in the logging account. The VPC Flow Logs are encrypted with a customer-managed KMS key in the logging account. The workload accounts have created VPC Flow Logs, but the logs are not appearing in the central S3 bucket. The IAM role used by VPC Flow Logs in the workload accounts has the necessary permissions to deliver logs to the central S3 bucket. What is the most likely cause of the issue?
238A company uses AWS Organizations with a management account and multiple member accounts. The management account has a trail in AWS CloudTrail that logs all management events for all accounts. The security team wants to also log data events for S3 buckets across all accounts. They create a new trail in the management account with data events enabled for all S3 buckets in all accounts. However, data events from member accounts are not appearing in the CloudTrail logs. What is the most likely cause?
239A company has a multi-account AWS environment with 50 accounts. They use AWS Organizations and want to centrally manage EC2 instances across all accounts. The operations team needs to run a script on all EC2 instances that are tagged with Environment=Production. The script must be executed once immediately and requires access to a shared S3 bucket in the management account. Which solution meets these requirements with the least operational overhead?
240A company has a centralized AWS account for security tools and multiple member accounts. They want to use AWS GuardDuty to detect threats across all accounts. They have enabled GuardDuty in the management account and invited all member accounts. GuardDuty is set to send findings to a central S3 bucket in the security account. However, findings from member accounts are not appearing in the central S3 bucket. The security account has a bucket policy that allows the GuardDuty service principal to write findings. What is the most likely cause?
241A company uses AWS Organizations and wants to centrally manage backups for EC2 instances across multiple accounts. They want to create a backup plan that backs up all EC2 instances tagged with Backup=Weekly. The backup must be stored in a central backup vault in the management account. Which solution meets these requirements?
242A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to share a VPC subnet in the network account with the workload accounts so that they can launch EC2 instances directly into the shared subnet. The network team has created a VPC with a subnet and shared it using AWS Resource Access Manager (RAM) with the workload accounts. However, the workload accounts cannot see the shared subnet when launching EC2 instances. What is the most likely cause?
243A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?
244A company has a multi-account AWS environment. They want to use AWS CloudTrail to log all API calls across all accounts and deliver the logs to a central S3 bucket in the logging account. They have configured a trail in the management account that logs management events for all accounts. However, they notice that the logs from member accounts are not being delivered to the central S3 bucket. What is the most likely cause?
245A company uses AWS Organizations and has a central security account. They want to use AWS Security Hub to aggregate findings from all member accounts. They have enabled Security Hub in the security account and invited all member accounts. However, findings from member accounts are not appearing in the Security Hub console of the security account. What is the most likely cause?
246A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to use AWS Transit Gateway to connect VPCs across accounts. The network team has created a Transit Gateway in the network account and shared it using AWS Resource Access Manager (RAM) with the workload accounts. The workload accounts have created VPC attachments to the Transit Gateway. However, traffic is not flowing between the VPCs. The route tables in the workload VPCs have routes pointing to the Transit Gateway. What is the most likely cause?
247A company uses AWS Organizations and wants to centrally manage AWS Config rules across all member accounts. They have enabled AWS Config in the management account and used AWS Config aggregator to view compliance status across accounts. However, they want to enforce a specific Config rule in all accounts automatically. Which solution should they use?
248A multinational corporation is migrating its on-premises Active Directory to AWS. The company requires a solution that supports multi-region authentication for thousands of users and integrates with existing on-premises Active Directory for seamless SSO. The solution must be highly available and provide low-latency authentication. Which TWO AWS services should be combined to meet these requirements? (Choose two.)
249A startup is deploying a multi-account AWS environment using AWS Organizations. They have a central logging account where all VPC Flow Logs and CloudTrail logs are stored in an S3 bucket. The security team requires that all accounts in the organization, including future accounts, automatically send logs to this central bucket. They also want to prevent any account from disabling logging. Which solution meets these requirements?
250A large enterprise with multiple business units (BUs) uses AWS Organizations with a shared services account and BU-specific accounts. Each BU account has a VPC with multiple subnets. The shared services account hosts a central NAT gateway that provides outbound internet access to all BU private subnets via VPC peering. Recently, the network team noticed that traffic from one BU's private subnet is being blocked by the security group in the shared services account. They verified that the route tables are correctly configured. What is the most likely cause and solution?
251A global e-commerce company uses AWS Organizations with over 500 accounts. They have a central security account that aggregates CloudTrail logs and VPC Flow Logs from all accounts. The security team needs to analyze these logs using Amazon Athena and visualize the results in Amazon QuickSight. The logs are stored in an S3 bucket in the security account, and each member account writes its own prefix. The current setup uses a bucket policy to allow member accounts to write logs. Recently, the security team has been unable to query logs for the past week. They suspect the issue is related to a new SCP that was applied to the root. The SCP denies s3:PutObject unless the request includes a specific tag. Which action should the security team take to restore log delivery without compromising security?
252A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must block public access. How can this be enforced centrally with minimal operational overhead?
253A global company uses a multi-account AWS Organizations structure with hundreds of accounts. The network team wants to centrally manage VPC flow logs for all accounts and send them to a centralized S3 bucket in the security account. Which solution is MOST scalable and operationally efficient?
254A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?
255A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. They need to ensure that users can authenticate to AWS resources using their existing corporate credentials. What is the MOST secure and scalable solution?
256An organization uses AWS Organizations with a multi-account strategy. The security team needs to ensure that all accounts must use AWS CloudTrail with logs delivered to a centralized S3 bucket. They also want to receive notifications if any account disables CloudTrail. What is the MOST efficient solution?
257A company uses a central IT team to manage multiple AWS accounts. The team wants to provide developers with the ability to launch EC2 instances but restrict them to using only specific instance types. How should this be enforced?
258A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?
259A company uses AWS Organizations with a multi-account strategy. They want to allow a centralized DevOps team to manage EC2 instances across all accounts using AWS Systems Manager. The DevOps team should not have direct IAM access to the target accounts. How can this be achieved?
260A company wants to implement a data lake on AWS with data from multiple sources. They need to store data in its raw format and allow multiple teams to query it using different tools. Which service should be used as the central storage layer?
261A company is designing a multi-account AWS Organizations architecture. Which TWO considerations should be taken into account when designing the organizational structure?
262A company uses AWS Organizations with a multi-account setup. The security team needs to ensure that all users in all accounts use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should be taken to enforce this?
263A company wants to implement a cost allocation strategy using tags across multiple accounts in AWS Organizations. Which TWO practices should be followed?
264A company has multiple AWS accounts managed via AWS Organizations. The security team wants to centrally enforce that all S3 buckets across all accounts have server-side encryption enabled. Which solution should be used?
265A multinational corporation is using AWS Organizations with hundreds of accounts. The finance team needs to track costs by cost center, which is stored as a tag on each resource. However, some resources are missing the tag. What is the most efficient way to ensure that all resources are tagged correctly going forward?
266A company uses AWS Organizations and wants to allow a development account to assume a role in the production account for deployment purposes. Which component is necessary for this cross-account access?
267A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?
268A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a specific member account. What must be done?
269A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?
270A company has a multi-account AWS environment with a shared services account that hosts Active Directory for authentication. Developers need to launch EC2 instances in development accounts and join them to the domain. What is the most secure way to allow this?
271A company uses AWS Organizations and wants to allow certain accounts to use AWS Service Catalog for self-service provisioning. The IT team needs to control which products are available. Where should the product portfolio be shared?
272A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?
273A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all new member accounts automatically have a specific AWS Config rule enabled. Which solution should be used?
274A company uses AWS Organizations with a single OU for all production accounts. The central security team wants to prevent any user from disabling Amazon GuardDuty in any production account. What is the MOST effective way to enforce this?
275A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?
276A company has a centralized network account that hosts a transit gateway with attachments to multiple VPCs in different accounts. The security team needs to ensure that all traffic between VPCs is inspected by a centralized NGFW appliance in the network account. What is the MOST efficient solution?
277A company uses AWS Organizations with a single OU. The management account has a service control policy (SCP) that denies all actions on EC2 instances with a specific tag. However, users in a member account can still terminate tagged instances. What is the most likely cause?
278A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?
279A company uses AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required to set this up?
280A company has a single AWS account and wants to implement a multi-account strategy for better isolation. Which AWS service is designed to help centrally manage multiple accounts?
281A company uses AWS Organizations and has a member account that needs to access a shared S3 bucket in another member account. The bucket policy allows access from the account's root user. What is the simplest way to grant an IAM user in the member account access?
282A company has a multi-account AWS environment with hundreds of accounts. They need to enforce that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. Which TWO actions should be taken to ensure compliance across the organization?
283A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet compliance requirements that logs be immutable and stored for 7 years. Which THREE services should be combined to achieve this?
284A company uses AWS Organizations and wants to centralize Amazon VPC IP Address Manager (IPAM) across multiple accounts. Which TWO steps are required to enable cross-account IPAM?
285A company has multiple AWS accounts managed through AWS Organizations. The security team requires that all VPC flow logs be enabled in every account and region. What is the MOST efficient way to enforce this requirement?
286A global company is using a multi-account AWS Organizations setup with a centralized logging account. They want to aggregate CloudTrail logs from all accounts into a single S3 bucket in the logging account. Which combination of steps will meet this requirement?
287A company uses AWS Organizations with hundreds of accounts. The security team needs to ensure that no IAM user in any account can create a new IAM user or access key. What is the most scalable way to enforce this?
288A company is managing multiple AWS accounts using AWS Organizations. They want to centralize the management of EC2 instances and enforce tagging standards across all accounts. Which TWO approaches should they use?
289A company uses AWS Organizations with a central security account. They need to ensure that any S3 bucket created in any account is configured with encryption and versioning enabled. Which THREE steps should they take?
290A company wants to centrally manage IAM permissions across multiple AWS accounts using AWS Organizations. They need to allow developers to launch EC2 instances but restrict the instance types to approved families (e.g., t3 and m5). Which TWO solutions meet this requirement?
291A company uses AWS Organizations with a management account and several member accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. What should they do?
292A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?
293A company manages multiple AWS accounts using AWS Organizations. They want to enforce that any EC2 instance launched with a public IP address must have a specific security group attached. What is the MOST effective way to enforce this?
294A company uses AWS Organizations with a dedicated security account. They want to centralize the management of AWS Config rules and ensure that all accounts are compliant with the same set of rules. Which THREE steps should they take?
295A company has a management account and several member accounts in AWS Organizations. They want to allow a developer in a member account to create an organization trail. What should they do?
296A company uses AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization have server-side encryption enabled. Which is the MOST efficient way to enforce this policy?
297A company has a multi-account AWS environment with centralized logging. The security team wants to ensure that all VPC Flow Logs are published to a central S3 bucket in the logging account. Which combination of steps should be taken to achieve this?
298A company has a production AWS account and a development AWS account. The development team needs to assume an IAM role in the production account to deploy resources. What is the correct way to set up this cross-account access?
299A company uses AWS Config to evaluate resource compliance across multiple accounts. The security team wants to automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Which solution is MOST scalable and secure?
300A company manages multiple AWS accounts and wants to centralize billing and cost tracking. They have enabled AWS Organizations and consolidated billing. Which additional step should they take to gain granular visibility into costs per department?
The Design Solutions for Organizational Complexity domain covers the key concepts tested in this area of the SAP-C02 exam blueprint published by Amazon Web Services. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SAP-C02 domains — no account required.
The Courseiva SAP-C02 question bank contains 300 questions in the Design Solutions for Organizational Complexity domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Design Solutions for Organizational Complexity domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included