Reinforce SAP-C02 concepts with active-recall study cards covering all 4 blueprint domains. Each card shows the question on the front and the correct answer with a full explanation on the back.
Flashcards work through active recall — the process of retrieving information from memory rather than passively re-reading it. Research consistently shows that active recall produces stronger, longer-lasting memory than re-reading study guides. For SAP-C02 preparation, this means flashcards are one of the highest-return study tools available.
Attempt recall first
Read the SAP-C02 question on each card, pause, and attempt to formulate the answer in your own words before revealing. This retrieval attempt — even if wrong — dramatically strengthens memory compared to immediately reading the answer.
Review wrong cards again
When you get a card wrong, note it and add it back to your review pile. Spaced repetition — seeing difficult cards more frequently — is the mechanism that makes flashcard study far more efficient than linear reading.
Study by domain
Group your SAP-C02 flashcard sessions by domain for the first 3–4 weeks. Master one domain before moving to the next. In the final week, shuffle all cards together to test cross-domain recall — which is what the real SAP-C02 exam requires.
Short sessions beat marathon reviews
20–30 flashcard cards per session, done daily, produces better retention than a single 200-card marathon session. Five short daily sessions per week over 4 weeks gives you over 400 total card reviews — enough to reliably pass SAP-C02.
Sample cards from the SAP-C02 flashcard bank. Read the question, think of the answer, then read the explanation below.
A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?
Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), allowing the security team to trigger remediation or alerts. SCPs alone cannot enforce a specific password policy or enable MFA; they only block actions, so Config rules are needed for detection and enforcement.
A company wants to migrate a monolithic application to AWS and redesign it using microservices. The application uses a MySQL database. The company wants to minimize operational overhead and enable each microservice to have its own database. Which AWS service should the company use to implement the database layer?
Amazon RDS for MySQL
Amazon RDS for MySQL is the correct choice because it provides a managed MySQL database service that minimizes operational overhead through automated backups, patching, and scaling. Each microservice can have its own RDS instance, enabling database-per-service isolation while offloading administrative tasks like replication and failover to AWS.
A company is running a web application on AWS using an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances. The application experiences periodic traffic spikes that cause increased latency. The company wants to implement a solution to automatically adjust capacity in anticipation of traffic changes. What should a solutions architect do?
Configure a predictive scaling policy using historical traffic patterns.
Predictive scaling uses historical traffic patterns to forecast future demand and proactively adjust capacity before traffic spikes occur, which directly addresses the requirement to anticipate changes. This approach reduces latency by ensuring sufficient resources are available ahead of time, unlike reactive policies that only respond after utilization increases.
A company wants to migrate a legacy monolithic application to AWS with minimal changes. The application currently runs on a single on-premises server with a Microsoft SQL Server database. The company wants to use AWS managed services to reduce operational overhead. Which combination of services should the company use to meet these requirements?
AWS Application Migration Service (MGN) to Amazon EC2, and AWS DMS to Amazon RDS for SQL Server
Option B is correct because AWS Application Migration Service (MGN) enables lift-and-shift migration of the on-premises server to Amazon EC2 with minimal changes, while AWS DMS can migrate the Microsoft SQL Server database to Amazon RDS for SQL Server, a fully managed service that reduces operational overhead. This combination meets the requirement of minimal application changes and leverages AWS managed services for the database.
A company wants to automate the migration of on-premises servers to AWS. The migration plan includes discovery, assessment, and automated replication. Which AWS service should the company use?
AWS Migration Hub
Option B (AWS Migration Hub) is correct because it provides a centralized location to track the progress of migrations across multiple AWS and partner tools, including discovery, assessment, and replication. It integrates with AWS Application Discovery Service for discovery and assessment, and with AWS Server Migration Service (SMS) or AWS Application Migration Service (MGN) for automated replication. Option A (AWS CloudEndure Migration) is now part of AWS Application Migration Service (MGN) and focuses on replication, not end-to-end tracking. Option C (AWS Schema Conversion Tool) is used for converting database schemas, not for server migration. Option D (AWS Database Migration Service) is specifically for database migrations, not for general server migration management.
A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?
Create AWS Organizations service control policies (SCPs) that deny PutBucketPolicy with anonymous effects and PutObject without encryption.
AWS Organizations Service Control Policies (SCPs) can centrally enforce restrictions across all accounts in the organization without requiring per-account configuration. By creating SCPs that deny `s3:PutBucketPolicy` actions with an anonymous effect (using a condition key like `aws:SourceAccount` or inspecting the policy content) and deny `s3:PutObject` without the `x-amz-server-side-encryption-aws:kms` header, the security team ensures that no bucket can be made publicly accessible and no object can be uploaded without KMS encryption. This approach is the most efficient because it applies globally and proactively prevents non-compliant actions rather than detecting them after the fact.
Refer to the exhibit. A solutions architect runs this CLI command but receives an error: 'Unknown options: --query'. What is the most likely cause?
The --query parameter is used without specifying --output.
The '--query' parameter in AWS CLI requires the '--output' parameter to be explicitly specified because the CLI needs to know the output format to parse the query filter. Without '--output', the CLI returns an 'Unknown options: --query' error. This is a common syntax requirement in AWS CLI.
A company is migrating a monolithic application to AWS. The application currently runs on a single on-premises server with a MySQL database. The company wants to reduce operational overhead and improve scalability. Which combination of AWS services should the company use?
Use AWS Elastic Beanstalk to deploy the application and Amazon RDS for MySQL as the database.
Option D is correct because AWS Elastic Beanstalk automates application deployment, capacity provisioning, load balancing, and scaling, reducing operational overhead. Amazon RDS for MySQL manages the database, providing scalability and reducing administrative tasks. Option A is incorrect because while ECS with Fargate and Aurora Serverless can reduce overhead, containerizing a monolithic application requires refactoring and may not be straightforward; Elastic Beanstalk is more suitable for a lift-and-shift migration of a monolithic app. Option B is incorrect because DynamoDB is a NoSQL database and not compatible with the existing MySQL database without significant schema changes, and AWS Lambda is event-driven and not ideal for a monolithic application. Option C is incorrect because running the application on EC2 instances still requires manual management of operating system patches, scaling, and availability, which does not reduce operational overhead as much as Elastic Beanstalk.
A company is designing a new microservices architecture on AWS. They need a solution for service discovery that allows services to register themselves and discover other services dynamically. The solution must be highly available and integrated with AWS-native services. Which AWS service should they use?
AWS Cloud Map
AWS Cloud Map is the correct choice because it is a fully managed service discovery service that allows microservices to register themselves dynamically and discover other services via DNS or HTTP API calls. It integrates natively with AWS services like Amazon ECS, Amazon EKS, and AWS Lambda, and provides high availability through automatic health checking and resource synchronization across AWS Regions.
A company is designing a new system that will ingest and process real-time streaming data from thousands of IoT devices. Each device sends data every second. The data must be processed with low latency (under 1 second) and then stored in Amazon S3 for long-term analytics. The company also needs to be able to reprocess data in case of processing errors. Which solution should the architect recommend?
Use Amazon Kinesis Data Streams to ingest data, AWS Lambda to process, and store in S3
Amazon Kinesis Data Streams provides sub-second ingestion latency, which meets the under-1-second processing requirement. AWS Lambda can process each record with low latency and store the results directly in Amazon S3. Kinesis Data Streams also supports data replay for up to 365 days (default 24 hours), enabling reprocessing in case of errors.
A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?
Partition the S3 bucket by date (e.g., year/month/day) and use Athena partition projection.
Option C is correct because partitioning the S3 bucket by date (e.g., year/month/day) and using Athena partition projection allows Athena to automatically discover and prune partitions without manual metadata management. This reduces the amount of data scanned per query, lowering costs and improving query speed for recent logs. Partition projection is serverless and eliminates the need for Glue crawlers or Hive-style partition loading, making it ideal for time-series data like VPC Flow Logs.
A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?
Use AWS Transit Gateway with a central appliance VPC, and configure route tables to send traffic to the firewall for inspection.
Option D is correct because AWS Transit Gateway (TGW) allows you to centralize network traffic through a security appliance VPC. By attaching all VPCs to a single TGW and configuring route tables to route inter-VPC traffic to the firewall appliance in the security VPC, you meet the inspection requirement without manual route table manipulation in each spoke VPC. This design minimizes complexity by using a hub-and-spoke topology with centralized routing control.
A company is designing a new microservices architecture on AWS. Each microservice must be independently deployable and scalable. The company expects unpredictable traffic patterns with sudden spikes. Which combination of AWS services should be used to build a decoupled, resilient system?
Use Amazon API Gateway, AWS Lambda, Amazon SQS, Amazon DynamoDB, and Amazon CloudWatch.
Option A is correct because it combines API Gateway as a managed entry point, Lambda for stateless compute, SQS for decoupling and buffering sudden traffic spikes, DynamoDB for serverless NoSQL storage, and CloudWatch for observability. This serverless stack ensures each microservice is independently deployable and scales automatically without provisioning, handling unpredictable spikes via SQS queue depth and Lambda concurrency limits.
A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The company wants to reduce operational overhead and achieve high availability. Which database strategy should the company adopt for the microservices?
Use a separate Amazon RDS instance for each microservice
Option B is correct because a microservices architecture requires database isolation to ensure loose coupling, independent scaling, and fault isolation. Using a separate Amazon RDS instance for each microservice allows each team to manage its own schema, optimize queries independently, and avoid a single point of failure, which aligns with the goal of reducing operational overhead and achieving high availability.
A company is designing a microservices architecture on Amazon ECS with AWS Fargate. The services need to communicate with each other using HTTP APIs. The company wants to minimize operational overhead and enable canary deployments. Which solution should the company use for service discovery and traffic routing?
Use AWS App Mesh with Envoy sidecars
AWS App Mesh with Envoy sidecars provides a service mesh that handles service discovery, traffic routing, and canary deployments at the application layer. It integrates natively with ECS Fargate, offloading operational overhead by managing traffic splitting, retries, and observability without modifying application code. This makes it ideal for microservices requiring fine-grained control over HTTP traffic routing.
A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?
Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint.
Creating a read replica of the RDS for MySQL DB instance and modifying the application connection string to use the reader endpoint offloads read traffic from the primary instance with minimal application changes. The reader endpoint automatically distributes connections across all read replicas, reducing the load on the primary instance without requiring code changes beyond updating the connection string.
A company is migrating a monolithic .NET application to AWS. The application uses a SQL Server database with complex stored procedures and tightly coupled components. The migration team wants to minimize refactoring and reduce licensing costs. Which migration strategy should the team use?
Rehost the application on Amazon EC2 and the database on EC2 with SQL Server using Bring Your Own License (BYOL).
Option B is correct because rehosting (lift-and-shift) the monolithic .NET application on Amazon EC2 and the SQL Server database on EC2 with BYOL minimizes refactoring effort and reduces licensing costs by leveraging existing SQL Server licenses. This strategy avoids the complexity of rewriting stored procedures or decoupling tightly coupled components, which is critical for a migration focused on speed and cost reduction.
A company is migrating a critical application to AWS and wants to ensure business continuity during the cutover. The migration plan includes a pilot light strategy. Which of the following BEST describes the pilot light pattern?
Replicate data to AWS and run a minimal version of the application that can be scaled up during cutover.
The pilot light pattern is a disaster recovery strategy where core data is continuously replicated to AWS, and a minimal version of the application (e.g., a small EC2 instance running the application stack) is kept running. During cutover, this minimal environment is rapidly scaled up to full production capacity. This matches option C, as it describes replicating data and running a minimal version that can be scaled up.
A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?
The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.
A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?
Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.
AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource-based policies to grant access only to designated accounts, and scalable because it avoids the administrative overhead of managing individual VPNs or VPC peering connections as the number of application VPCs grows.
A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?
Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), allowing the security team to trigger remediation or alerts. SCPs alone cannot enforce a specific password policy or enable MFA; they only block actions, so Config rules are needed for detection and enforcement.
A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?
Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization.
AWS Control Tower provides an integrated CloudTrail setup that automatically creates and manages a central trail for all accounts in the organization. This trail is deployed using AWS CloudFormation StackSets and delivers logs to a centralized S3 bucket, ensuring compliance without manual intervention or custom automation. This is the best approach because it is native, fully managed, and aligns with Control Tower's governance model.
The SAP-C02 flashcard bank covers all 4 official blueprint domains published by Amazon Web Services. Cards are distributed proportionally, so domains with higher exam weight have more cards.
Domain Coverage
Design Solutions for Organizational Complexity
Design for New Solutions
Continuous Improvement for Existing Solutions
Accelerate Workload Migration and Modernization
Both flashcards and practice questions are evidence-based study tools. The difference is in what they train:
Flashcards — concept retention
Best for memorising definitions, acronyms, protocol behaviours, command syntax, and conceptual distinctions. Use flashcards to build the foundational vocabulary that SAP-C02 questions assume you know.
Best in: weeks 1–3
Practice tests — application
Best for applying concepts to realistic scenarios, eliminating distractors, and building exam stamina.SAP-C02 questions test scenario reasoning — not just recall — so practice tests are essential.
Best in: weeks 3–6
The most effective SAP-C02 study plan combines both: use flashcards for the first 2–3 weeks to build conceptual foundations, then shift to practice tests and mock exams in the final 2–3 weeks to apply and benchmark that knowledge. Most candidates who pass on their first attempt use both tools.
Yes. Courseiva provides free SAP-C02 flashcards across all official exam domains. Every card includes the correct answer and a full explanation of why it is right and why the distractors are wrong. The platform also includes topic-based practice, mock exams, and readiness tracking — no account required.
Courseiva has 1746+ original SAP-C02 flashcards across all 4 exam blueprint domains. New cards are added regularly as the question bank grows. All cards are written by certified engineers against the official Amazon Web Services exam objectives.
Courseiva flashcards are purpose-built for IT certification exams. Unlike generic flashcard platforms where content quality varies, every Courseiva card is mapped to the official SAP-C02 exam blueprint, written by engineers who hold the certification, and includes a full explanation of the correct answer and why the distractors are wrong. This explanation quality is what separates genuine learning from rote memorisation.
Courseiva is a web platform — an internet connection is required. For offline study, we recommend creating free Courseiva account, using the platform in your browser, and using your device's offline capabilities if your browser supports offline web apps.
Save your results, see which domains need more work, and get spaced repetition recommendations — all free.
Sign Up FreeFree forever · Every certification included