Amazon Web Services · Free Practice Questions · Last reviewed May 2026
24 real exam-style questions organised by domain, each with the correct answer marked and a plain-English explanation of why it is right and why the others are wrong.
Domain: Design Solutions for Organizational Complexity

Question: A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts use a specific password policy and have MFA enabled. Which combination of actions should the company take to enforce these requirements?
A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users. [correct]
   Why: SCPs can block the API calls that modify the password policy or deactivate MFA devices, and AWS Config rules can detect users who remain non-compliant.
D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger automatic remediation.
Question: A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?
A. Use a VPN connection from each application VPC to the shared VPC.
B. Use AWS Resource Access Manager to share the Transit Gateway with the application accounts. [correct]
   Why: AWS RAM shares the Transit Gateway with the application accounts, and the networking team retains control by accepting or rejecting each attachment request.
C. Use VPC peering between the shared VPC and each application VPC.
D. Create IAM roles in each application account that allow the networking team to create VPC attachments.
Question: A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?
A. Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.
B. Create an AWS Config rule in each account to enable CloudTrail if it is disabled.
C. Use an SCP to require CloudTrail to be enabled in each account.
D. Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization. [correct]
   Why: Control Tower automatically creates a CloudTrail trail in the management account that records activity from every account in the organization and delivers the logs centrally.
Question: A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket, but still cannot access the logs. What is the MOST likely cause?
A. The S3 bucket has a lifecycle policy that deletes logs after a short period.
B. The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
C. The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users. [correct]
   Why: The bucket policy most likely limits access to the logging account's own principals, so direct access from the analyst's IAM user is denied even though the user's IAM permissions allow it.
D. The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.
Question: A company uses AWS Organizations with multiple OUs. The finance team needs read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?
A. An SCP that allows only read-only billing actions.
B. An SCP that denies all billing-related actions except read-only.
C. An IAM policy attached to the root OU that denies billing modifications.
D. An SCP that denies the actions that modify billing preferences. [correct]
   Why: An SCP can deny actions such as 'aws-portal:ModifyAccount' and 'aws-portal:ModifyBilling', so no principal in the organization can change billing preferences.
Question: A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?
A. Create an SCP that denies the ec2:RunInstances action for specific instance types. [correct]
   Why: SCPs can deny ec2:RunInstances based on the ec2:InstanceType condition key, so prohibited instance types cannot be launched in any member account.
B. Use AWS Config rules to detect non-compliant instance types and automatically terminate them using AWS Systems Manager Automation. [correct]
   Why: AWS Config can detect non-compliant instance types and auto-remediate by terminating them through Systems Manager Automation.
C. Use AWS CloudTrail to monitor launches of prohibited instance types and automatically terminate them.
D. Use Service Quotas to restrict the number of instances of specific types.
E. Create an IAM policy in each account that denies the specified instance types.
Domain: Design for New Solutions

Question: A company wants to migrate a monolithic application to AWS and redesign it using microservices. The application uses a MySQL database. The company wants to minimize operational overhead and enable each microservice to have its own database. Which AWS service should the company use to implement the database layer?
A. Amazon DynamoDB
B. Amazon RDS for MySQL [correct]
   Why: Amazon RDS is a managed relational database service that supports MySQL, so the existing database engine can be kept while operational overhead is reduced.
C. Amazon Redshift
D. Amazon Aurora
Question: A company is designing a serverless application using AWS Lambda functions. The application processes events from an Amazon SQS queue. The company wants to ensure that the Lambda function can scale to handle a sudden increase in messages without losing any messages. The Lambda function must process each message at least once. Which configuration should the company use?
A. Configure the SQS queue as a Lambda event source with a reserved concurrency of 1000 for the Lambda function. [correct]
   Why: Reserved concurrency guarantees capacity for the function to scale, and the SQS event source mapping provides at-least-once processing.
B. Configure the SQS queue to invoke the Lambda function asynchronously and set the Lambda function timeout to 5 minutes.
C. Set the SQS queue visibility timeout to 30 seconds and the Lambda batch size to 100. Configure a dead-letter queue for failed messages.
D. Use an SQS FIFO queue with a Lambda function that has a reserved concurrency of 1.
Question: A company is designing a multi-account AWS environment using AWS Organizations. The company has several business units that each require their own VPC in shared accounts managed centrally. The company wants to enable VPC sharing to allow business units to create resources in shared subnets while maintaining network isolation. Which combination of steps should the company take to achieve this? (Choose TWO.)
A. Create a resource share in AWS Resource Access Manager (RAM) for the shared VPC subnets. [correct]
   Why: AWS RAM shares the subnets of the shared VPC with other accounts in the organization, so business units can launch resources into them.
B. Attach a transit gateway to the shared VPC and to each business unit's VPC. [correct]
   Why: A transit gateway provides transitive routing between VPCs while keeping each business unit's network isolated.
C. Configure VPC endpoints in each business unit VPC to access the shared VPC.
D. Create VPC peering connections between the shared VPC and each business unit's VPC.
E. Use AWS PrivateLink to connect the business unit VPCs to the shared VPC.
Question: A company is designing a disaster recovery solution for a critical application that runs on Amazon EC2 instances in a single AWS Region. The application uses an Amazon RDS for MySQL database. The recovery time objective (RTO) is 1 hour and the recovery point objective (RPO) is 15 minutes. Which combination of steps should the company take to meet these requirements? (Choose THREE.)
A. Use Amazon Route 53 health checks to monitor the primary application and configure DNS failover to the secondary Region. [correct]
   Why: Route 53 health checks and failover routing send traffic to the secondary Region when the primary fails.
B. Configure a Multi-AZ deployment for the RDS database in the primary Region.
C. Deploy the application on Amazon Aurora Global Database.
D. Create an Amazon Machine Image (AMI) of the EC2 instances and copy it to the secondary Region. Use an Auto Scaling group to launch instances from the AMI. [correct]
   Why: Copying AMIs to another Region allows the EC2 instances to be recovered there within the RTO.
E. Create a cross-Region read replica of the RDS MySQL database in the secondary Region. [correct]
   Why: Cross-Region read replicas provide asynchronous replication with a low RPO and can be promoted during failover.
Question: A company is designing a serverless data processing pipeline using AWS Step Functions, AWS Lambda, and Amazon DynamoDB. The pipeline must process incoming JSON records from an Amazon Kinesis Data Stream. Each record must be processed exactly once and in order. The company expects a throughput of up to 1,000 records per second. Which combination of services and configurations should the company use to meet these requirements? (Choose TWO.)
A. Use DynamoDB Streams to trigger the Lambda function for each record.
B. Use an Amazon SQS FIFO queue as the event source for the Lambda function to maintain order.
C. Configure the Kinesis Data Stream with 10 shards. [correct]
   Why: 10 shards provide sufficient throughput, and each shard preserves record order.
D. Use AWS Step Functions to coordinate processing of records and ensure exactly-once delivery.
E. Configure the Lambda function to process records from each shard sequentially by setting the batch size to 1. [correct]
   Why: Processing one record at a time ensures exactly-once processing and preserves order.
Question: A company is designing a new application that will be deployed on Amazon ECS with the Fargate launch type. The application needs to store configuration data, including database connection strings, that must be encrypted at rest. The company wants to follow best practices for managing secrets. Which solution should the company use?
A. Store the secrets in AWS Secrets Manager and reference them in the ECS task definition. [correct]
   Why: Secrets Manager provides encryption at rest, automatic rotation, and native ECS integration.
B. Store the configuration data in an S3 bucket with server-side encryption (SSE-S3) and download it at container startup.
C. Store the secrets in AWS Systems Manager Parameter Store (SecureString) and reference them in the ECS task definition.
D. Store the configuration data in environment variables in the ECS task definition.
Domain: Continuous Improvement for Existing Solutions

Question: A company is running a web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes that cause increased latency. The company wants to implement a solution that automatically adjusts capacity in anticipation of traffic changes. What should a solutions architect do?
A. Configure a simple scaling policy based on CPU utilization.
B. Configure a scheduled scaling policy to add instances during known peak hours.
C. Configure a target tracking scaling policy based on average CPU utilization.
D. Configure a predictive scaling policy using historical traffic patterns. [correct]
   Why: Predictive scaling uses machine learning on historical traffic to forecast demand and scale proactively.
Question: A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?
A. Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint. [correct]
   Why: Read replicas offload read traffic, and the reader endpoint distributes reads across them with only a connection-string change.
B. Migrate the application to use Amazon DynamoDB with global tables.
C. Use Amazon RDS Multi-AZ with a standby instance for read traffic.
D. Implement Amazon ElastiCache in front of the database to cache read queries.
Question: A company is using AWS CloudFormation to deploy infrastructure. The security team requires that all Amazon S3 buckets created by CloudFormation must be encrypted at rest. What should a solutions architect do to enforce this requirement?
A. Enable default encryption on each bucket using SSE-S3.
B. Add an S3 bucket policy that denies s3:PutObject without the x-amz-server-side-encryption header. [correct]
   Why: The bucket policy rejects any PutObject request that does not carry the server-side-encryption header, so unencrypted uploads fail.
C. Require that all buckets use AWS KMS managed keys for encryption.
D. Use a CloudFormation stack policy to prevent modification of bucket encryption settings.
Question: A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?
A. Define an IAM task role with S3 access policies and reference it in the ECS task definition. [correct]
   Why: The task role grants permissions to the container application itself, scoped to just the S3 access it needs.
B. Attach an IAM role to the underlying EC2 instance.
C. Assign an IAM role to the ECS service using the ECS service-linked role.
D. Store AWS credentials in the container environment variables.
Question: A company has an AWS Lambda function that processes messages from an Amazon SQS queue. The function is invoked with a batch size of 10. Some messages are failing repeatedly, causing the function to retry them up to the maximum retry count, after which they are sent to a dead-letter queue (DLQ). The company wants to improve the resilience of the application by handling partial batch failures more efficiently. What should a solutions architect do?
A. Move the messages to a DLQ immediately after the first failure.
B. Implement reportBatchItemFailures in the Lambda function and enable partial batch response for the SQS event source mapping. [correct]
   Why: With partial batch responses, the function reports the individual message IDs that failed, so only those messages return to the queue for retry while the rest of the batch is treated as successful.
C. Decrease the batch size to 1 so that each invocation processes a single message.
D. Increase the batch size to 100 to process more messages per invocation.
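The handler shape behind the correct answer, as an added example that is not part of the original question set: an SQS-triggered Lambda that returns the messageId of each failed record in batchItemFailures, so the event source mapping (with ReportBatchItemFailures enabled) retries only those records. The process_message logic and the sample batch are constructed for illustration.

```python
import json


def process_message(body: str) -> None:
    """Constructed business logic: a record must be JSON with an 'order_id'.
    Anything else raises, simulating a poison message."""
    data = json.loads(body)
    if "order_id" not in data:
        raise ValueError("missing order_id")


def lambda_handler(event: dict, context=None) -> dict:
    """SQS event-source handler with partial batch response.

    Lambda deletes every message in the batch except those whose messageId
    is listed in batchItemFailures; those become visible on the queue again
    and are retried, and the queue's redrive policy eventually moves
    persistent failures to the DLQ. Exceptions are caught per record on
    purpose: an unhandled exception would fail the whole batch and cause
    the good messages to be reprocessed too.
    """
    failures = []
    for record in event.get("Records", []):
        try:
            process_message(record["body"])
        except Exception:
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}


# Constructed sample batch: two valid records and one poison message.
SAMPLE_EVENT = {
    "Records": [
        {"messageId": "msg-1", "body": json.dumps({"order_id": 1})},
        {"messageId": "msg-2", "body": "not json"},
        {"messageId": "msg-3", "body": json.dumps({"order_id": 3})},
    ]
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

An empty batchItemFailures list means the whole batch succeeded; returning nothing (or an unparseable response) makes Lambda treat the batch as fully successful, so the return statement must always execute.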
Question: A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all Amazon S3 buckets across the organization are encrypted at rest. Which TWO steps should the security team take to enforce this requirement?
A. Create an AWS Config rule that checks for S3 bucket default encryption and auto-remediates using SSM Automation. [correct]
   Why: Config rules can detect buckets without default encryption and remediate them automatically.
B. Create a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present. [correct]
   Why: SCPs can deny actions whose request does not satisfy a condition, in this case the encryption header.
C. Use Amazon GuardDuty to monitor S3 data access patterns.
D. Create an IAM role with permissions to encrypt S3 buckets and assign it to all users.
E. Enable AWS CloudTrail to log all S3 API calls.
Domain: Accelerate Workload Migration and Modernization

Question: A company wants to migrate a legacy monolithic application to AWS with minimal changes. The application currently runs on a single on-premises server with a Microsoft SQL Server database. The company wants to use AWS managed services to reduce operational overhead. Which combination of services should the company use to meet these requirements?
A. AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon DynamoDB
B. AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server [correct]
   Why: MGN minimizes changes for the server migration, and DMS migrates the database to managed RDS for SQL Server.
C. AWS Server Migration Service (SMS) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server
D. AWS CloudFormation to provision EC2 instances, and AWS DMS to Amazon RDS for SQL Server
Question: A company is migrating a large-scale, stateful application to AWS. The application maintains session state in memory on the current on-premises servers. The company needs a solution that preserves session state during migration and minimizes latency for users worldwide. Which strategy should the company use?
A. Use AWS Global Accelerator to gradually shift traffic, and use Amazon ElastiCache for Redis to centralize session state [correct]
   Why: Global Accelerator provides anycast IP addresses and controlled traffic shifting; ElastiCache provides low-latency shared session state.
B. Use Amazon Route 53 weighted routing to shift traffic to new EC2 instances, and store session state in Amazon S3
C. Use Amazon CloudFront to cache static content, and use Amazon DynamoDB for session state
D. Use AWS Global Accelerator to shift traffic, and deploy AWS WAF to protect the application
Question: A company plans to modernize an existing .NET Framework 4.7 application running on Windows Server 2012 R2. The company wants to move to a containerized architecture on AWS with minimal code changes. Which service should the company use to meet these requirements?
A. AWS App2Container (A2C) [correct]
   Why: A2C analyzes and containerizes .NET applications with minimal code changes.
B. AWS Serverless Application Model (SAM)
C. AWS Copilot
D. AWS Migration Hub
Question: A company is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. The database is business-critical and must have minimal downtime. The company has set up AWS DMS with ongoing replication from the source. During the migration, the company notices that DMS is failing with an error indicating insufficient memory. What should the company do to resolve this issue and complete the migration?
A. Increase the memory on the source Oracle database
B. Increase the instance class of the DMS replication instance [correct]
   Why: The DMS replication instance has insufficient memory; moving it to a larger instance class resolves the error.
C. Change the DMS task to use change data capture (CDC) only and skip the full load
D. Split the migration into multiple smaller tasks
Question: A company is using AWS Migration Hub to track a large-scale migration to AWS. The company wants to automate the replatforming of multiple Windows web servers to Amazon EC2 instances running Amazon Linux 2. The migration must be repeatable and minimize manual intervention. Which AWS service should the company use to achieve this?
A. AWS Application Migration Service (MGN) [correct]
   Why: MGN automates server migration and supports replatforming to a different operating system.
B. AWS OpsWorks for Chef Automate
C. AWS Server Migration Service (SMS)
D. AWS CloudFormation templates to provision new EC2 instances and migrate data manually
Question: A company is migrating a multi-tier application to AWS and wants to modernize by using containers and serverless technologies. The application consists of a Node.js frontend, a Java backend, and a PostgreSQL database. The company wants to reduce operational overhead and improve scalability. Which TWO strategies should the company use? (Choose TWO.)
A. Refactor the Node.js frontend to run on AWS Lambda with Amazon API Gateway
B. Migrate the database to Amazon RDS for PostgreSQL [correct]
   Why: RDS reduces operational overhead compared to managing PostgreSQL on EC2.
C. Migrate the database to Amazon DynamoDB
D. Deploy the Java backend on Amazon ECS with AWS Fargate [correct]
   Why: Fargate eliminates server management for containers.
E. Deploy the Java backend on Amazon EC2 with Auto Scaling
About the exam: The SAP-C02 exam has 75 questions and must be completed in 170 minutes. The passing score is 750/1000.
The exam covers four domains: Design Solutions for Organizational Complexity, Design for New Solutions, Continuous Improvement for Existing Solutions, and Accelerate Workload Migration and Modernization. Questions are weighted by domain, so higher-weight domains appear more often on the actual exam.
These are original exam-style practice questions written by Courseiva against the official Amazon Web Services SAP-C02 exam objectives; they are not copied from the real exam.