Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Amazon Web Services · Free Practice Questions · Last reviewed May 2026

SAP-C02 Exam Questions and Answers

24 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right, and why the others are wrong.

75 exam questions
170 min time limit
Pass: 750/1000
4 exam domains

Domain 1: Design Solutions for Organizational Complexity

Q1
Difficulty: hard

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A

Use an SCP to enforce a specific password policy and require MFA across all accounts.

B

Use AWS Config rules to automatically set the password policy and enable MFA for all users.

C

Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.

SCPs can block actions that modify the password policy or deactivate MFA, and AWS Config can detect non-compliant users.

D

Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.

Why: Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), allowing the security team to trigger remediation or alerts. SCPs alone cannot enforce a specific password policy or enable MFA; they only block actions, so Config rules are needed for detection and enforcement.
Q2
Difficulty: medium

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A

Use a VPN connection from each application VPC to the shared VPC.

B

Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.

RAM allows sharing the Transit Gateway, and the networking team can accept or reject attachments via RAM.

C

Use VPC peering between the shared VPC and each application VPC.

D

Create IAM roles in each application account that allow the networking team to create VPC attachments.

Why: AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource-based policies to grant access only to designated accounts, and scalable because it avoids the administrative overhead of managing individual VPNs or VPC peering connections as the number of application VPCs grows.
Q3
Difficulty: easy

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

A

Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.

B

Create an AWS Config rule in each account to enable CloudTrail if it is disabled.

C

Use an SCP to require CloudTrail to be enabled in each account.

D

Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization.

Control Tower automatically sets up a CloudTrail trail in the management account that logs all accounts.

Why: AWS Control Tower provides an integrated CloudTrail setup that automatically creates and manages a central trail for all accounts in the organization. This trail is deployed using AWS CloudFormation StackSets and delivers logs to a centralized S3 bucket, ensuring compliance without manual intervention or custom automation. This is the best approach because it is native, fully managed, and aligns with Control Tower's governance model.
Q4
Difficulty: hard

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

A

The S3 bucket has a lifecycle policy that deletes logs after a short period.

B

The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.

C

The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.

The bucket policy likely restricts access to the logging account's role, so the analyst's direct access is denied.

D

The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.

Why: Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.
Q5
Difficulty: medium

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

A

An SCP that allows only read-only billing actions.

B

An SCP that denies all billing-related actions except read-only.

C

An IAM policy attached to the root OU that denies billing modifications.

D

An SCP that denies the effect of actions that modify billing preferences.

An SCP can deny actions like 'aws-portal:ModifyAccount' and 'aws-portal:ModifyBilling'.

Why: Option D is correct because a Service Control Policy (SCP) attached to the root OU can deny the effect of actions that modify billing preferences across all accounts in the organization. SCPs are the only mechanism that can restrict permissions for all principals (including the root user) in member accounts, and by using a Deny effect on specific billing modification actions, the security team ensures no IAM user or role can alter billing settings. This approach does not require enumerating every allowed read-only action, which avoids the risk of missing future read-only actions.
Q6
Difficulty: hard

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

A

Create an SCP that denies the ec2:RunInstances action for specific instance types.

SCPs can deny actions based on condition keys like ec2:InstanceType.

B

Use AWS Config rules to detect non-compliant instance types and automatically terminate them using AWS Systems Manager Automation.

AWS Config can detect and auto-remediate.

C

Use AWS CloudTrail to monitor launches of prohibited instance types and automatically terminate them.

D

Use Service Quotas to restrict the number of instances of specific types.

E

Create an IAM policy in each account that denies the specified instance types.

Why: Option A is correct because Service Control Policies (SCPs) in AWS Organizations allow you to centrally restrict permissions across all accounts in the organization. By creating an SCP that denies the ec2:RunInstances action with a condition key like ec2:InstanceType matching specific prohibited instance types, you can enforce this restriction at the organization, OU, or account level, preventing any user or role from launching those instance types regardless of their IAM permissions.


Domain 2: Design for New Solutions

Q1
Difficulty: easy

A company wants to migrate a monolithic application to AWS and redesign it using microservices. The application uses a MySQL database. The company wants to minimize operational overhead and enable each microservice to have its own database. Which AWS service should the company use to implement the database layer?

A

Amazon DynamoDB

B

Amazon RDS for MySQL

Amazon RDS is a managed relational database service that supports MySQL, reducing operational overhead.

C

Amazon Redshift

D

Amazon Aurora

Why: Amazon RDS for MySQL is the correct choice because it provides a managed MySQL database service that minimizes operational overhead through automated backups, patching, and scaling. Each microservice can have its own RDS instance, enabling database-per-service isolation while offloading administrative tasks like replication and failover to AWS.
Q2
Difficulty: medium

A company is designing a serverless application using AWS Lambda functions. The application processes events from an Amazon SQS queue. The company wants to ensure that the Lambda function can scale to handle a sudden increase in messages without losing any messages. The Lambda function must process each message at least once. Which configuration should the company use?

A

Configure the SQS queue as a Lambda event source with a reserved concurrency of 1000 for the Lambda function.

Reserved concurrency ensures the function can scale, and SQS event source mapping provides at-least-once processing.

B

Configure the SQS queue to invoke the Lambda function asynchronously and set the Lambda function timeout to 5 minutes.

C

Set the SQS queue visibility timeout to 30 seconds and the Lambda batch size to 100. Configure a dead-letter queue for failed messages.

D

Use an SQS FIFO queue with a Lambda function that has a reserved concurrency of 1.

Why: Option A is correct because configuring the SQS queue as a Lambda event source with a reserved concurrency of 1000 ensures that Lambda can scale up to 1000 concurrent executions to handle a sudden burst of messages. The SQS event source uses long polling and synchronously invokes Lambda, which processes messages in batches and automatically deletes them from the queue only upon successful completion, guaranteeing at-least-once processing. Reserved concurrency prevents throttling and ensures that the function has sufficient capacity to scale without losing messages.
Q3
Difficulty: hard

A company is designing a multi-account AWS environment using AWS Organizations. The company has several business units that each require their own VPC in shared accounts managed centrally. The company wants to enable VPC sharing to allow business units to create resources in shared subnets while maintaining network isolation. Which combination of steps should the company take to achieve this? (Choose TWO.)

A

Create a resource share in AWS Resource Access Manager (RAM) for the shared VPC subnets.

AWS RAM allows sharing subnets with other accounts in the organization.

B

Attach a transit gateway to the shared VPC and to each business unit's VPC.

A transit gateway enables transitive routing between VPCs while maintaining isolation.

C

Configure VPC endpoints in each business unit VPC to access the shared VPC.

D

Create VPC peering connections between the shared VPC and each business unit's VPC.

E

Use AWS PrivateLink to connect the business unit VPCs to the shared VPC.

Why: Option A is correct because AWS Resource Access Manager (RAM) allows you to share subnets from a centrally owned VPC with other AWS accounts within your AWS Organization. This enables business units to launch resources directly into the shared subnets while the VPC and its networking configuration remain managed centrally, ensuring network isolation through separate security groups and network ACLs.
Q4
Difficulty: medium

A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application uses an Amazon RDS for MySQL database. The recovery time objective (RTO) is 1 hour and the recovery point objective (RPO) is 15 minutes. Which combination of steps should the company take to meet these requirements? (Choose THREE.)

A

Use Amazon Route 53 health checks to monitor the primary application and configure DNS failover to the secondary Region.

Route 53 health checks and failover route traffic to the secondary Region when the primary fails.

B

Configure a Multi-AZ deployment for the RDS database in the primary Region.

C

Deploy the application on Amazon Aurora Global Database.

D

Create an Amazon Machine Image (AMI) of the EC2 instances and copy it to the secondary Region. Use an Auto Scaling group to launch instances from the AMI.

Copying AMIs to another Region allows recovery of EC2 instances.

E

Create a cross-Region read replica of the RDS MySQL database in the secondary Region.

Cross-Region read replicas provide asynchronous replication with low RPO.

Why: Option A is correct because Route 53 health checks can monitor the primary application's endpoint, and DNS failover to a secondary Region enables automatic traffic redirection within minutes, aligning with the 1-hour RTO. This approach provides a simple, stateless failover mechanism without requiring complex routing changes.
Q5
Difficulty: hard

A company is designing a serverless data processing pipeline using AWS Step Functions, AWS Lambda, and Amazon DynamoDB. The pipeline must process incoming JSON records from an Amazon Kinesis Data Stream. Each record must be processed exactly once and in order. The company expects a throughput of up to 1,000 records per second. Which combination of services and configurations should the company use to meet these requirements? (Choose TWO.)

A

Use DynamoDB Streams to trigger the Lambda function for each record.

B

Use an Amazon SQS FIFO queue as the event source for the Lambda function to maintain order.

C

Configure the Kinesis Data Stream with 10 shards.

10 shards provide sufficient throughput and each shard maintains record order.

D

Use AWS Step Functions to coordinate processing of records and ensure exactly-once delivery.

E

Configure the Lambda function to process records from each shard sequentially by setting the batch size to 1.

Processing one record at a time ensures exactly-once processing and order.

Why: Option C is correct because with a throughput of 1,000 records per second, a Kinesis Data Stream with 10 shards provides the necessary capacity (each shard supports up to 1,000 records/second for ingestion and 2 MB/s for reads). This shard count ensures the stream can handle the peak load without throttling, while maintaining the ordering guarantee within each shard.
Q6
Difficulty: medium

A company is designing a new application that will be deployed on Amazon ECS with Fargate launch type. The application needs to store configuration data, including database connection strings, that must be encrypted at rest. The company wants to follow best practices for managing secrets. Which solution should the company use?

A

Store the secrets in AWS Secrets Manager and reference them in the ECS task definition.

Secrets Manager provides encryption, rotation, and ECS integration.

B

Store the configuration data in an S3 bucket with server-side encryption (SSE-S3) and download it at container startup.

C

Store the secrets in AWS Systems Manager Parameter Store (SecureString) and reference them in the ECS task definition.

D

Store the configuration data in environment variables in the ECS task definition.

Why: AWS Secrets Manager is the recommended service for storing sensitive configuration data like database connection strings because it provides built-in encryption at rest using AWS KMS, automatic secret rotation, and fine-grained access control. ECS task definitions can reference Secrets Manager secrets directly using the 'secrets' parameter, which injects the secret value into the container at runtime without exposing it in plaintext. This approach follows AWS best practices for managing secrets by avoiding hard-coded values and leveraging a dedicated secrets management service.


Domain 3: Continuous Improvement for Existing Solutions

Q1
Difficulty: medium

A company is running a web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes that cause increased latency. The company wants to implement a solution to automatically adjust capacity in anticipation of traffic changes. What should a solutions architect do?

A

Configure a simple scaling policy based on CPU utilization.

B

Configure a scheduled scaling policy to add instances during known peak hours.

C

Configure a target tracking scaling policy based on average CPU utilization.

D

Configure a predictive scaling policy using historical traffic patterns.

Predictive scaling uses machine learning to forecast traffic and proactively scale.

Why: Predictive scaling uses historical traffic patterns to forecast future demand and proactively adjust capacity before traffic spikes occur, which directly addresses the requirement to anticipate changes. This approach reduces latency by ensuring sufficient resources are available ahead of time, unlike reactive policies that only respond after utilization increases.
Q2
Difficulty: hard

A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?

A

Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint.

Read replicas offload read traffic and the reader endpoint distributes reads.

B

Migrate the application to use Amazon DynamoDB with global tables.

C

Use Amazon RDS Multi-AZ with a standby instance for read traffic.

D

Implement Amazon ElastiCache in front of the database to cache read queries.

Why: Creating a read replica of the RDS for MySQL DB instance and modifying the application connection string to use the reader endpoint offloads read traffic from the primary instance with minimal application changes. The reader endpoint automatically distributes connections across all read replicas, reducing the load on the primary instance without requiring code changes beyond updating the connection string.
Q3
Difficulty: easy

A company is using AWS CloudFormation to deploy infrastructure. The security team requires that all Amazon S3 buckets created by CloudFormation must be encrypted at rest. What should a solutions architect do to enforce this requirement?

A

Enable default encryption on each bucket using SSE-S3.

B

Add an S3 bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header.

The bucket policy rejects unencrypted uploads.

C

Require that all buckets use AWS KMS managed keys for encryption.

D

Use a CloudFormation stack policy to prevent modification of bucket encryption settings.

Why: Option B is correct because an S3 bucket policy that denies s3:PutObject unless the request includes the x-amz-server-side-encryption header enforces encryption at rest for all objects uploaded to the bucket. This policy condition works regardless of how the bucket is created, including via CloudFormation, and ensures that any PutObject operation without the required encryption header is rejected, meeting the security team's requirement.
Q4
Difficulty: hard

A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?

A

Define an IAM task role with S3 access policies and reference it in the ECS task definition.

The task role grants permissions to the container application.

B

Attach an IAM role to the underlying EC2 instance.

C

Assign an IAM role to the ECS service using the ECS service-linked role.

D

Store AWS credentials in the container environment variables.

Why: Option A is correct because an IAM task role is the recommended mechanism for granting least-privilege permissions to ECS tasks using the Fargate launch type. The task role is defined in the ECS task definition and assumed by the container runtime, allowing the application to securely access the S3 bucket without embedding credentials. This approach follows AWS best practices by scoping permissions to the specific task rather than the underlying infrastructure.
Q5
Difficulty: medium

A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is invoked with a batch size of 10. Some messages are failing repeatedly, causing the function to retry them up to the maximum retry count and then they are sent to a dead-letter queue (DLQ). The company wants to improve the resilience of the application by handling partial batch failures more efficiently. What should a solutions architect do?

A

Move the messages to a DLQ immediately after the first failure.

B

Implement reportBatchItemFailures in the Lambda function and enable partial batch response for the SQS event source mapping.

This allows Lambda to report individual failures so only those messages are retried.

C

Decrease the batch size to 1 so that each invocation processes a single message.

D

Increase the batch size to 100 to process more messages per invocation.

Why: Option B is correct because implementing reportBatchItemFailures in the Lambda function and enabling partial batch response for the SQS event source mapping allows the function to signal which specific messages within a batch failed. This prevents the entire batch from being retried or sent to the DLQ, and only the failed messages are retried individually, improving resilience and efficiency.
Q6
Difficulty: easy

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all Amazon S3 buckets across the organization are encrypted at rest. Which TWO steps should the security team take to enforce this requirement?

A

Create an AWS Config rule that checks for S3 bucket default encryption and auto-remediates using SSM Automation.

Config rules can enforce and remediate non-compliant resources.

B

Create a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present.

SCPs can deny actions that do not meet conditions.

C

Use Amazon GuardDuty to monitor S3 data access patterns.

D

Create an IAM role with permissions to encrypt S3 buckets and assign it to all users.

E

Enable AWS CloudTrail to log all S3 API calls.

Why: Option A is correct because AWS Config can be configured with a managed rule (e.g., s3-bucket-server-side-encryption-enabled) to detect buckets without default encryption, and an automatic remediation action using AWS Systems Manager (SSM) Automation can enforce encryption by applying the bucket's default encryption settings. Option B is correct because a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present ensures that any object uploaded to S3 must include encryption headers, effectively enforcing encryption at the API level across all accounts in the organization.


Domain 4: Accelerate Workload Migration and Modernization

Q1
Difficulty: medium

A company wants to migrate a legacy monolithic application to AWS with minimal changes. The application currently runs on a single on-premises server with a Microsoft SQL Server database. The company wants to use AWS managed services to reduce operational overhead. Which combination of services should the company use to meet these requirements?

A

AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon DynamoDB

B

AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server

MGN minimizes changes for server migration, DMS migrates the database to managed RDS.

C

AWS Server Migration Service (SMS) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server

D

AWS CloudFormation to provision EC2 instances, and AWS DMS to Amazon RDS for SQL Server

Why: Option B is correct because AWS Application Migration Service (MGN) enables lift-and-shift migration of the on-premises server to Amazon EC2 with minimal changes, while AWS DMS can migrate the Microsoft SQL Server database to Amazon RDS for SQL Server, a fully managed service that reduces operational overhead. This combination meets the requirement of minimal application changes and leverages AWS managed services for the database.
Q2
Difficulty: hard

A company is migrating a large-scale, stateful application to AWS. The application maintains session state in memory on the current on-premises servers. The company needs a solution that preserves session state during migration and minimizes latency for users worldwide. Which strategy should the company use?

A

Use AWS Global Accelerator to gradually shift traffic, and use Amazon ElastiCache for Redis to centralize session state

Global Accelerator provides anycast IP and traffic shifting; ElastiCache provides low-latency state sharing.

B

Use Amazon Route 53 weighted routing to shift traffic to new EC2 instances, and store session state in Amazon S3

C

Use AWS CloudFront to cache static content, and use Amazon DynamoDB for session state

D

Use AWS Global Accelerator to shift traffic, and deploy AWS WAF to protect the application

Why: Option A is correct because AWS Global Accelerator allows you to gradually shift traffic from on-premises to AWS using endpoint weights, minimizing disruption during migration. Amazon ElastiCache for Redis provides a centralized, in-memory session store that preserves session state across the migration, ensuring low-latency access for users worldwide by leveraging Global Accelerator's anycast IP and AWS edge locations.
Q3
Difficulty: easy

A company plans to modernize an existing .NET Framework 4.7 application running on Windows Server 2012 R2. The company wants to move to a containerized architecture on AWS with minimal code changes. Which service should the company use to meet these requirements?

A

AWS App2Container (A2C)

A2C analyzes and containerizes .NET applications with minimal code changes.

B

AWS Serverless Application Model (SAM)

C

AWS Copilot

D

AWS Migration Hub

Why: AWS App2Container (A2C) is specifically designed to containerize existing .NET Framework applications running on Windows Server with minimal code changes. It analyzes the application, generates Docker images, and produces CloudFormation templates for deployment on Amazon ECS or EKS, directly meeting the requirement to modernize a .NET Framework 4.7 application to a containerized architecture without significant refactoring.
Q4
Difficulty: hard

A company is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. The database is business-critical and must have minimal downtime. The company has set up AWS DMS with ongoing replication from the source. During the migration, the company notices that DMS is failing with an error indicating insufficient memory. What should the company do to resolve this issue and complete the migration?

A

Increase the memory on the source Oracle database

B

Increase the instance class of the DMS replication instance

DMS replication instance memory is insufficient; upgrading the instance class resolves the issue.

C

Change the DMS task to use change data capture (CDC) only and skip the full load

D

Split the migration into multiple smaller tasks

Why: AWS DMS replication instances have finite memory allocated to cache changes during ongoing replication (CDC). When the volume of cached changes exceeds the instance's memory, DMS fails with an insufficient memory error. Increasing the instance class of the DMS replication instance (Option B) provides more memory to handle the cache, resolving the error without disrupting the migration.
Q5
Difficulty: medium

A company is using AWS Migration Hub to track a large-scale migration to AWS. The company wants to automate the replatforming of multiple Windows web servers to Amazon EC2 instances running Amazon Linux 2. The migration must be repeatable and minimize manual intervention. Which AWS service should the company use to achieve this?

A

AWS Application Migration Service (MGN)

MGN automates server migration and supports replatforming to different OS.

B

AWS OpsWorks for Chef Automate

C

AWS Server Migration Service (SMS)

D

AWS CloudFormation templates to provision new EC2 instances and migrate data manually

Why: AWS Application Migration Service (MGN) is the correct choice because it automates the replatforming of Windows web servers to Amazon Linux 2 by continuously replicating source servers, performing automated conversion of the OS and applications, and enabling cutover to target EC2 instances with minimal manual intervention. It supports heterogeneous OS migrations (e.g., Windows to Linux) and provides a repeatable, automated workflow that aligns with the company's requirement for a large-scale, repeatable migration.
Q6
Difficulty: medium

A company is migrating a multi-tier application to AWS and wants to modernize by using containers and serverless technologies. The application consists of a Node.js frontend, a Java backend, and a PostgreSQL database. The company wants to reduce operational overhead and improve scalability. Which TWO strategies should the company use? (Choose two.)

A

Refactor the Node.js frontend to run on AWS Lambda with Amazon API Gateway

B

Migrate the database to Amazon RDS for PostgreSQL

RDS reduces operational overhead compared to managing PostgreSQL on EC2.

C

Migrate the database to Amazon DynamoDB

D

Deploy the Java backend on Amazon ECS with AWS Fargate

Fargate eliminates server management for containers.

E

Deploy the Java backend on Amazon EC2 with Auto Scaling

Why: Option B is correct because Amazon RDS for PostgreSQL reduces operational overhead by managing backups, patching, and replication, while providing scalability through read replicas and storage auto-scaling. This aligns with the goal of modernizing the database layer without changing the database engine, avoiding the need to refactor the application to use a NoSQL database like DynamoDB.


Frequently asked questions

How many questions are on the SAP-C02 exam?

The SAP-C02 exam has 75 questions and must be completed in 170 minutes. The passing score is 750/1000.

What types of questions appear on the SAP-C02 exam?

Scenario-based questions covering exam objectives with detailed answer explanations.

How are SAP-C02 questions organised by domain?

The exam covers 4 domains: Design Solutions for Organizational Complexity, Design for New Solutions, Continuous Improvement for Existing Solutions, Accelerate Workload Migration and Modernization. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SAP-C02 exam questions?

No. These are original exam-style practice questions written against the official Amazon Web Services SAP-C02 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
