Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SAP-C02 Design Solutions for Organizational Complexity • Complete Question Bank

SAP-C02 Design Solutions for Organizational Complexity — All Questions With Answers

Complete SAP-C02 Design Solutions for Organizational Complexity question bank — all 0 questions with answers and detailed explanations.

455 questions · Free · No signup
Question 1 (hard, multiple choice)

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

Question 2 (medium, multiple choice)

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

Question 3 (easy, multiple choice)

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

Question 4 (hard, multiple choice)

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

Question 5 (medium, multiple choice)

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

Question 6 (hard, multi select)

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

Question 7 (easy, multi select)

A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?

Question 8 (medium, multiple choice)

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
Question 9 (easy, multiple choice)

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

Exhibit (CLI output)
$ aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].[Id…]' --output table
| ListAccounts |
(remaining table rows were not captured on this page)
Question 10 (medium, multiple choice)

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

Question 11 (hard, multi select)

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Question 12 (easy, multiple choice)

A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?

Question 13 (medium, multiple choice)

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

Question 14 (easy, multiple choice)

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?

Question 15 (hard, multiple choice)

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

Question 16 (medium, multiple choice)

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

Question 17 (medium, multiple choice)

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

Question 18 (easy, multiple choice)

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

Question 19 (hard, multiple choice)

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

Question 20 (easy, multiple choice)

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

Question 21 (medium, multi select)

A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?

Question 22 (medium, multi select)

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

Question 23 (hard, multiple choice)

A large enterprise has a multi-account AWS environment managed through AWS Organizations. The central networking team uses a transit gateway in a shared services VPC to connect all VPCs. The security team requires that all traffic between VPCs be inspected by a third-party firewall appliance that is deployed in an auto-scaling group in the shared services VPC. The firewall appliance is configured as a Gateway Load Balancer (GWLB) endpoint. The transit gateway has a route table that sends all inter-VPC traffic to the GWLB endpoint. Recently, the operations team noticed that some applications are experiencing high latency and packet loss when communicating across VPCs. Upon investigation, they found that the firewall appliance is not scaling properly. Which solution should be implemented to ensure that the firewall can handle the traffic load and maintain low latency?

Question 24 (medium, multiple choice)

A company has a centralized logging solution using Amazon OpenSearch Service (successor to Amazon Elasticsearch Service) in a central logging account. Application logs from hundreds of EC2 instances across multiple accounts are shipped to the OpenSearch cluster via Amazon Kinesis Data Firehose. The security team requires that all log data be encrypted at rest and in transit. The logging account has a KMS key used to encrypt the OpenSearch cluster and the Firehose delivery stream. Recently, the security team noticed that some log deliveries are failing with 'AccessDenied' errors. The CloudWatch Logs delivery to Firehose is configured correctly. What is the most likely cause of the failure?

Question 25 (easy, multi select)

A global e-commerce company is migrating its on-premises application to AWS. The application uses Active Directory for authentication and requires integration with AWS Managed Microsoft AD. The company has a multi-account strategy using AWS Organizations. Which TWO steps should the solutions architect take to ensure seamless authentication across the organization?

Question 26 (medium, multiple choice)

A financial services company is migrating its trading platform to AWS. The platform consists of hundreds of microservices deployed in containers using Amazon ECS with Fargate launch type. Each service has its own IAM role for fine-grained permissions. The security team requires that all ECS tasks use a specific VPC (vpc-12345) and cannot run in any other VPC. During a recent audit, it was discovered that some tasks are running in a different VPC (vpc-67890). The solutions architect must implement a preventive control to ensure that ECS tasks only run in the approved VPC. The company uses AWS Organizations and has Service Control Policies (SCPs) in place. What should the solutions architect do?

Question 27 (medium, drag order)

Drag and drop the steps to set up a Direct Connect private virtual interface in the correct order.

Question 28 (medium, drag order)

Drag and drop the steps to restore an Amazon RDS DB instance from a snapshot in the correct order.

Question 29 (medium, drag order)

Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.

Question 30 (medium, matching)

Match each AWS service to its primary use case.

Descriptions to match
Centrally manage multiple AWS accounts
Connect VPCs and on-premises networks
Dedicated private network connection to AWS
Secure connection over the internet to AWS
Privately access services across VPCs

Question 31 (medium, matching)

Match each AWS migration service to its function.

Descriptions to match
Track migration progress across multiple tools
Automate migration of on-premises servers to AWS
Migrate databases to AWS with minimal downtime
Rehost applications from physical or virtual servers
Simplify, automate, and accelerate moving data to AWS

Question 32 (medium, matching)

Match each AWS disaster recovery strategy to its description.

Descriptions to match
Lowest cost, RPO in hours, RTO in hours to days
Core services run in standby, ready to scale
Scaled-down production environment, ready to scale up
Both sites serve traffic, failover is immediate
One site active, other on standby

Question 33 (medium, multiple choice)

A company wants to implement a multi-account strategy using AWS Organizations. The security team requires that all new accounts added to the organization automatically inherit a baseline set of security controls, such as AWS CloudTrail and AWS Config rules. Which approach should the company use?

Question 34 (hard, multiple choice)

A company uses AWS Organizations with multiple OUs. The security team wants to prevent all accounts in the 'Production' OU from using non-compliant EC2 instance types, but allow exceptions for specific accounts. Which combination of controls should be used?

Question 35 (easy, multiple choice)

A company has a central IT team that manages networking resources for multiple application teams. Each application team needs to manage its own EC2 instances and RDS databases. Which AWS architecture best supports this separation of duties?

Question 36 (medium, multiple choice)

A company has multiple AWS accounts and wants to centralize logging from all accounts to a single S3 bucket in a logging account. The logs must be encrypted with a KMS key managed by the logging account. What is the MOST secure way to allow cross-account S3 server access logs?

Question 37 (hard, multiple choice)

A company uses AWS Organizations and wants to delegate administration of a specific service to a member account. The service must be able to perform actions across all accounts in the organization. Which steps should the company take?

Question 38 (easy, multiple choice)

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts. The company has an existing identity source in an on-premises Active Directory. Which integration method should the company use?

Question 39 (medium, multiple choice)

A company uses a centralized logging account with an S3 bucket that receives VPC Flow Logs from multiple accounts. The logs must be encrypted at rest using a KMS key in the logging account. Which configuration is required to allow cross-account delivery of VPC Flow Logs?

Question 40 (hard, multiple choice)

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances launched in any account must have a specific tag key 'CostCenter'. Which approach should be used?

Question 41 (easy, multiple choice)

A company wants to allow developers to manage their own resources in individual AWS accounts while the central IT team manages networking and security. Which AWS service can help enforce that developers cannot modify networking resources?

Question 42 (medium, multi select)

A company is implementing a multi-account strategy using AWS Organizations. They want to centralize CloudTrail logs from all accounts into a single S3 bucket in the management account. Which TWO steps are required to achieve this? (Choose two.)

Question 43 (hard, multi select)

A company has a production AWS account that contains sensitive data. The security team wants to ensure that no one can disable AWS CloudTrail or delete the CloudTrail S3 bucket. Which THREE actions should be taken to protect these resources? (Choose three.)

Question 44 (medium, multi select)

A company wants to implement AWS Organizations with multiple OUs to isolate development, testing, and production workloads. The company needs to ensure that production workloads are not impacted by changes in other OUs. Which TWO practices should the company follow? (Choose two.)

Question 45 (medium, multiple choice)

An administrator attached the above IAM policy to a group of developers. A developer tries to launch a t3.medium EC2 instance and receives an 'AccessDenied' error. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small"]
        }
      }
    }
  ]
}
Question 46 (hard, multiple choice)

A company uses a cross-account IAM role 'LogDelivery' in account 111122223333 to write logs to an S3 bucket 'my-company-logs' in a logging account. The bucket policy is shown above. Logs are not being delivered. What is the MOST likely issue?

Exhibit (CLI output)
$ aws s3api get-bucket-policy --bucket my-company-logs --output json
{
    "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::111122223333:role/LogDelivery\"},\"Action\":[\"s3:PutObject\"],\"Resource\":\"arn:aws:s3:::my-company-logs/AWSLogs/111122223333/*\"}]}"
}
Question 47 (medium, multiple choice)

An administrator runs the above command and sees that the 'Prod' account is suspended. What is the MOST likely cause?

Exhibit (CLI output)
$ aws organizations list-accounts --output json
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/111111111111",
            "Email": "admin@example.com",
            "Name": "Management",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/222222222222",
            "Email": "dev@example.com",
            "Name": "Dev",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2023-01-02T00:00:00Z"
        },
        {
            "Id": "333333333333",
            "Arn": "arn:aws:organizations::111111111111:account/o-exampleorgid/333333333333",
            "Email": "prod@example.com",
            "Name": "Prod",
            "Status": "SUSPENDED",
            "JoinedTimestamp": "2023-01-03T00:00:00Z"
        }
    ]
}
Question 48 (medium, multiple choice)

A company has multiple AWS accounts managed under AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account are automatically tagged with a 'CostCenter' tag. Which solution is the MOST operationally efficient?

Question 49 (easy, multiple choice)

A company is designing a multi-account strategy for its development, testing, and production environments. The security team requires that all accounts share a centralized logging solution. Which approach meets this requirement with the LEAST administrative overhead?

Question 50 (hard, multiple choice)

A global company uses AWS Organizations with hundreds of accounts. The networking team needs to allow VPCs in different accounts to communicate privately using AWS Transit Gateway. The company wants to centralize management while allowing individual account owners to create and attach VPCs. Which solution meets these requirements?

Question 51 (medium, multiple choice)

A company is implementing a data lake on Amazon S3. The data lake must be accessible from multiple accounts within the same AWS Organization. Objects must be encrypted at rest, and the company wants to use a single AWS KMS key for simplicity. Which solution meets these requirements?

Question 52 (easy, multiple choice)

A company has a management account in AWS Organizations. It wants to delegate administration of AWS IAM Identity Center to a member account for user management. What is the correct way to achieve this?

Question 53 (hard, multiple choice)

A company has a multi-account environment with over 500 accounts. They need to enforce that all EC2 instances are launched only in approved instance families (e.g., t3, m5, c5). Which combination of AWS services provides the MOST scalable and effective enforcement?

Question 54 (medium, multiple choice)

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs across different accounts that need to authenticate against the same directory. What is the MOST scalable and secure way to provide this access?

Question 55 (easy, multiple choice)

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by department. Each department has its own AWS account. Which feature should be used to map costs to departments?

Question 56 (hard, multiple choice)

A company has a centralized logging solution where all VPC Flow Logs from member accounts are delivered to a central S3 bucket in the logging account. The logs contain sensitive IP addresses that must be redacted before analysis. What is the MOST scalable approach?

Question 57 (medium, multi select)

A company is designing a cross-account backup strategy using AWS Backup. The backup policy must be centrally managed from the management account. Which TWO steps are required to implement this?

Question 58 (hard, multi select)

A company has a multi-account architecture with a shared services account that hosts a central Amazon RDS instance. Member accounts need to access this database. Which TWO actions should the company take to enable secure access?

Question 59 (medium, multi select)

A company uses AWS Organizations and wants to implement a least-privilege model for IAM roles. The security team needs to ensure that no IAM role can be created without an approval workflow. Which THREE steps should the company take?

Question 60 (hard, multi select)

A company is migrating to a multi-account structure and needs to manage DNS resolution across accounts. The company uses Amazon Route 53 private hosted zones. They want a central resolver in the shared services VPC. Which THREE components are required?

Question 61 (medium, multiple choice)

Refer to the exhibit. This bucket policy is applied to a central logging bucket in account 111111111111. Account 222222222222 wants to deliver CloudTrail logs to this bucket. However, log delivery fails. What is the MOST likely cause?

Exhibit

Refer to the exhibit.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-logging-bucket/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Question 62 (hard, multiple choice)

Refer to the exhibit. A company has the above AWS Organization with a management account (111111111111) and a production account (222222222222). The security administrator in the management account creates an SCP that denies s3:DeleteBucket. The SCP is attached to the root. The production account's administrator tries to delete an S3 bucket and fails. What is the MOST likely reason?

Exhibit

Refer to the exhibit.
$ aws organizations list-accounts
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::123456789012:account/o-exampleorgid/111111111111",
            "Email": "admin@example.com",
            "Name": "Management",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::123456789012:account/o-exampleorgid/222222222222",
            "Email": "prod@example.com",
            "Name": "Production",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        }
    ]
}
Question 63 (medium, multiple choice)

A company is implementing a multi-account strategy using AWS Organizations. They need to centralize logging of all API calls across accounts. Which solution meets this requirement with the least operational overhead?

Question 64 (hard, multiple choice)

A company has multiple business units, each with its own AWS account. They want to enforce that all EC2 instances launched across accounts use only approved AMIs. The AMIs are stored in a central account. What is the MOST scalable and secure way to enforce this?

Question 65 (easy, multiple choice)

A company has a centralized IT team that manages AWS accounts for multiple departments. They need to grant the team permissions to create and manage IAM roles in all accounts, but without giving them full administrator access. What should they use?

Question 66 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. They want to centralize VPC flow logs for all VPCs across accounts. The logs should be stored in a central S3 bucket in the management account. What is the MOST efficient way to achieve this?

Question 67 (hard, multiple choice)

A company is using AWS Organizations with hundreds of accounts. They need to ensure that no account can modify the VPC default security group. Which SCP should they apply to the root OU?

Question 68 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to allow developers to launch EC2 instances only if they include a specific tag 'CostCenter'. The tag must be provided at launch. Which IAM policy should be used?

Question 69 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has multiple AWS accounts and wants to use AWS CloudFormation StackSets to deploy a common set of resources across all accounts. The StackSet should be managed from the management account. What permissions are required?

Question 70 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with a policy that denies access to services unless they are explicitly allowed. The security team wants to allow only approved services. What type of policy should they use?

Question 71 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to centralize management of AWS resources across multiple accounts using AWS Control Tower. What is a prerequisite for setting up Control Tower?

Question 72 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations and wants to delegate administration of Amazon GuardDuty to a member account. Which of the following are required? (Choose TWO.)

Question 73 (hard, multi select)
Review the full subnetting walkthrough →

A company wants to use AWS Resource Access Manager (RAM) to share a subnet in a VPC with other accounts in the organization. Which of the following are required? (Choose THREE.)

Question 74 (easy, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to centrally manage IAM users across multiple AWS accounts using AWS IAM Identity Center (successor to AWS Single Sign-On). Which of the following are true? (Choose TWO.)

Question 75 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations to manage multiple accounts. The security team requires that all newly created member accounts automatically have an AWS Config rule enabled that checks whether S3 buckets have default encryption enabled. Which solution should be used?

Question 76 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has multiple AWS accounts and wants to centralize CloudTrail logs in a single S3 bucket in the security account. Which policy should be applied to the S3 bucket to allow cross-account delivery from all member accounts?

Question 77 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with a hierarchical OU structure. The security OU has an SCP that denies all actions except those explicitly allowed. The development OU has an SCP that allows all actions. A developer account in the development OU tries to launch an EC2 instance but receives an access denied error. The IAM user in the developer account has full administrator permissions. What is the most likely cause?

Question 78 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have a specific AWS Config rule enabled and that any drift is automatically remediated. Which approach should be used?

Question 79 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a centralized logging account and multiple application accounts. Each application account sends CloudWatch Logs to a cross-account log group in the logging account. The security team wants to ensure that logs are encrypted at rest using a KMS key that only the logging account can manage. Which configuration is required?

Question 80 (easy, multiple choice)
Review the full subnetting walkthrough →

A company is using AWS Organizations and wants to allow certain member accounts to create VPCs with specific CIDR ranges. Which mechanism should be used to enforce this restriction?

Question 81 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account environment with a centralized network account that hosts a transit gateway. Application accounts need to connect to the transit gateway. The network team wants to ensure that only authorized accounts can create attachments. Which method should be used?

Question 82 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS SSO with an external identity provider. The security team needs to enforce that users in the finance department can only access the finance OU accounts. Which configuration is required?

Question 83 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by project, but projects span multiple accounts. Which approach should be used to tag resources consistently across accounts?

Question 84 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is designing a multi-account strategy using AWS Organizations. The security team requires that all API calls to create or modify IAM roles are logged and alerted. Which TWO steps should be taken to meet this requirement?

Question 85 (hard, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a centralized logging account and multiple member accounts. The member accounts generate VPC Flow Logs that need to be sent to a central S3 bucket in the logging account. Which TWO steps must be taken to enable this cross-account delivery?

Question 86 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations with multiple OUs. The security team wants to ensure that no account can delete CloudTrail trails or S3 bucket policies. Which THREE SCP strategies should be combined?

Question 87 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company applies this S3 bucket policy to a central logging bucket. CloudTrail trails in multiple accounts are configured to deliver logs to this bucket. Recently, logs stopped being delivered. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudtrail.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-company-logs/AWSLogs/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-company-logs/AWSLogs/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": "bucket-owner-full-control"
        }
      }
    }
  ]
}
Question 88 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company runs this CLI command and sees the output. Which account is the management account?

Exhibit

Refer to the exhibit.

$ aws organizations list-accounts
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::222222222222:account/o-example1/111111111111",
            "Email": "admin@example.com",
            "Name": "ManagementAccount",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        },
        {
            "Id": "333333333333",
            "Arn": "arn:aws:organizations::222222222222:account/o-example1/333333333333",
            "Email": "dev@example.com",
            "Name": "DevAccount",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2023-01-02T00:00:00Z"
        }
    ]
}
Question 89 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company attaches this SCP to the root of an AWS Organization. What is the effect?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "aws:PrincipalOrgID": "o-exampleorgid"
                }
            }
        }
    ]
}
Question 90 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all new member accounts automatically have AWS Config enabled with a specific set of rules. Which solution is the MOST efficient?

Question 91 (hard, multiple choice)
Read the full DNS explanation →

A global company is using AWS Organizations with hundreds of accounts. The IT team needs to centrally manage DNS records for all accounts using Amazon Route 53 private hosted zones. The solution must be highly available and support cross-account DNS resolution. What should the team do?

Question 92 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to implement a centralized logging solution for all AWS accounts in AWS Organizations. The logs include CloudTrail, VPC Flow Logs, and AWS Config configuration items. Which approach provides the MOST scalable and cost-effective solution?

Question 93 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with a multi-account strategy. The security team wants to restrict the use of specific instance types across all accounts. What is the MOST effective way to enforce this policy?

Question 94 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company has a production AWS account that is part of an AWS Organization. The account has a VPC with a NAT gateway for internet access. The security team wants to ensure that all outbound traffic to the internet flows through a centralized inspection VPC in the security account for traffic inspection. Which architecture should be used?

Question 95 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is migrating to AWS and plans to use a multi-account strategy. The management account will be used solely for administrative purposes. Which best practice should be followed when setting up AWS Organizations?

Question 96 (medium, multiple choice)
Review the full subnetting walkthrough →

A company has multiple AWS accounts and wants to share a centrally managed Amazon VPC subnet for workloads that require low latency. The VPC is in the networking account. Which solution meets these requirements with the LEAST operational overhead?

Question 97 (hard, multiple choice)
Read the full NAT/PAT explanation →

A company uses AWS Organizations and wants to implement a policy that prevents any account from disabling AWS CloudTrail or deleting CloudTrail log files. The solution must be enforceable across all accounts. Which combination of actions should be taken?

Question 98 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations with a multi-account strategy. The finance team wants to centrally manage and enforce cost allocation tags across all accounts. Which solution is MOST effective?

Question 99 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is setting up a new AWS Organization and wants to implement a data perimeter to ensure that data can only be accessed from approved network locations. Which TWO actions should the company take?

Question 100 (hard, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account AWS environment with a central security account for AWS GuardDuty, AWS Security Hub, and AWS IAM Access Analyzer. The security team wants to aggregate findings from all member accounts into the security account. Which THREE steps should be taken?

Question 101 (easy, multi select)
Read the full NAT/PAT explanation →

A company is using AWS Organizations with multiple accounts. The IT team wants to centrally manage AWS Systems Manager Patch Manager to patch EC2 instances across all accounts. Which TWO actions are required?

Question 102 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company attaches the above SCP to the root organizational unit. The development team in a member account wants to launch an EC2 instance in the ap-southeast-1 region. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
        }
      }
    }
  ]
}
Question 103 (hard, multiple choice)
Review the full subnetting walkthrough →

A company uses AWS Organizations and has shared a subnet from the VPC shown in the exhibit using AWS Resource Access Manager (RAM). A workload account launches an EC2 instance in the shared subnet. The instance needs to communicate with an RDS database in a different private subnet within the same VPC. What additional configuration is required?

Exhibit

Refer to the exhibit.

$ aws ec2 describe-vpcs --vpc-ids vpc-12345678 --region us-east-1
{
    "Vpcs": [
        {
            "VpcId": "vpc-12345678",
            "InstanceTenancy": "default",
            "Tags": [
                {
                    "Key": "Name",
                    "Value": "SharedVPC"
                }
            ],
            "CidrBlockAssociationSet": [
                {
                    "CidrBlock": "10.0.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": false
        }
    ]
}
Question 104 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a central S3 bucket for logs (central-logs-bucket) in account 123456789012. The bucket policy is shown in the exhibit. A developer in account 111111111111 tries to access an object in the bucket using the AWS CLI without the --no-sign-request option. The request fails. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::central-logs-bucket/*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    }
  ]
}
Question 105 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all S3 buckets across all accounts have server-side encryption with AWS KMS (SSE-KMS) enabled, and any new bucket that does not comply must be automatically remediated. Which design should be used?

Question 106 (hard, multiple choice)
Review the full subnetting walkthrough →

A company uses AWS Organizations with 50 accounts. The central IT team wants to deploy a CloudFormation stack set to create a VPC with a CIDR of 10.0.0.0/16 in each account, but the VPC CIDR must not overlap with existing VPCs in each account. What is the most scalable and automated approach?

Question 107 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a centralized logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all member accounts in AWS Organizations. The logs are stored in an S3 bucket in the logging account. Security analysts need to query these logs using Amazon Athena. What is the MOST efficient way to set up the table partitions?

Question 108 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations with a single OU for all production accounts. The security team wants to restrict the use of specific instance types across all accounts in the OU. They create a Service Control Policy (SCP) that denies ec2:RunInstances if the instance type is not in the allowed list. However, some accounts still launch disallowed instance types. What is the most likely cause?

Question 109 (hard, multiple choice)
Read the full DNS explanation →

A company has a multi-account architecture with a central networking account that hosts a Transit Gateway. Each workload account has VPCs attached to the Transit Gateway. The company wants to centrally manage DNS resolution across all VPCs using Route 53 Resolver. They create a Route 53 Resolver outbound endpoint in the networking account and associate it with the workload VPCs via RAM. However, workload accounts cannot resolve on-premises hostnames. What is the missing configuration?

Question 110 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has an AWS Organization with a management account and several member accounts. The management account hosts a central S3 bucket that stores CloudTrail logs from all accounts. The company wants to ensure that only the management account can delete objects from this bucket. Which policy should be applied to the bucket?

Question 111 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account AWS environment with a central logging account. All VPC Flow Logs are published to a central S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena, but they want to minimize costs by reducing the amount of data scanned. Which partitioning strategy is MOST effective?

Question 112 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with 100 accounts. The security team wants to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. They create an SCP that denies all actions if MFA is not present. However, some users report that they cannot access the console even with MFA. What is the most likely reason?

Question 113 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has an AWS Organization with multiple accounts. The central IT team wants to deploy a common set of AWS Config rules across all accounts in the production OU. Which approach is the MOST scalable and maintainable?

Question 114 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is using AWS Organizations with a centralized logging account. They want to collect VPC Flow Logs from all member accounts into a single S3 bucket in the logging account. Which TWO steps are required to achieve this?

Question 115 (hard, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account AWS environment. The security team wants to enforce that all IAM roles in the production accounts can only be assumed from a specific IP range (the corporate network). Which TWO approaches can achieve this?

Question 116 (easy, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations to manage multiple accounts. The central team wants to deploy a CloudFormation template that creates an S3 bucket with default encryption in every member account. Which THREE steps are required to accomplish this?

Question 117 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A security engineer attaches this SCP to the root organizational unit. What is the result?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
Question 118 (medium, multiple choice)
Read the full NAT/PAT explanation →

A solutions architect sees this output from the AWS CLI. The management account (111111111111) has a service control policy (SCP) attached that denies all actions unless the request originates from a specific IP range. Which account(s) are affected by this SCP?

Exhibit

Refer to the exhibit.

$ aws organizations list-accounts --output json
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::123456789012:account/o-exampleorgid/111111111111",
            "Email": "admin@company.com",
            "Name": "ManagementAccount",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::123456789012:account/o-exampleorgid/222222222222",
            "Email": "prod@company.com",
            "Name": "ProductionAccount",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2023-01-02T00:00:00Z"
        }
    ]
}
Question 119 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

An SCP is attached to a production OU. An IAM user in a member account under that OU attempts to launch an m5.large EC2 instance. What happens?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:StartInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": "t3.micro"
        }
      }
    }
  ]
}
Question 120 (medium, multiple choice)
Read the full NAT/PAT explanation →

A multinational corporation is deploying a multi-account AWS environment using AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with a specific AWS KMS key managed by the security account. Which solution should the company implement to enforce this policy across the organization?

Question 121 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company has a centralized logging solution using Amazon OpenSearch Service (Elasticsearch) and wants to ensure logs from all AWS accounts are shipped to a central account. Which AWS service can be used to collect and forward logs from multiple accounts to a single destination?

Question 122 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with 50 accounts. The network team wants to centrally manage VPC flow logs for all accounts, storing them in a central S3 bucket in the security account. The flow logs must be encrypted with a KMS key managed by the security account. What is the MOST efficient way to configure this?

Question 123 (medium, multiple choice)
Read the full NAT/PAT explanation →

A company is implementing a data lake on Amazon S3. The security policy requires that all data be encrypted at rest using AWS KMS and that access must be logged. The data lake has millions of objects, and the security team wants to detect any changes to bucket policies or encryption settings. Which combination of services should be used?

Question 124 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account AWS environment with a centralized security account. The security team wants to ensure that any IAM role created in any account with a trust policy allowing access from another AWS account must be approved by the security team. Which approach should be used?

Question 125 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to centralize management of Amazon EC2 instances across multiple accounts using AWS Systems Manager. The company uses AWS Organizations. What is the simplest way to enable Systems Manager to manage instances in all accounts?

Question 126 (medium, multiple choice)
Read the full DNS explanation →

A company has a centralized AWS account for managing Amazon Route 53 DNS. The company has 100 VPCs across multiple accounts, and each VPC needs to resolve private hosted zones in the central account. What is the most scalable solution to enable DNS resolution across accounts?

Question 127 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations with 200 accounts. The security team wants to enforce that all EC2 instances launched in any account must use a specific Amazon Machine Image (AMI) ID that is approved by the security team. Which approach should be used?

Question 128 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to provide its developers with access to a shared development environment in AWS. The developers are in different AWS accounts, and they need to assume an IAM role in the development account. What is the secure way to allow cross-account access?

Question 129 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all accounts use AWS CloudTrail with logs delivered to a central S3 bucket. Which TWO actions should be taken to enforce this?

Question 130 (hard, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a multi-account AWS environment with a central security account. The security team wants to implement a solution that allows them to centrally manage and audit IAM permissions across all accounts. Which THREE services should be combined to achieve this?

Question 131 (easy, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to use AWS Single Sign-On (SSO) to manage access to multiple AWS accounts and business applications. Which TWO components are required for this setup?

Question 132 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company attached the above SCP to an OU in AWS Organizations. The SCP is intended to allow only t3.micro and t3.small EC2 instances. However, users in accounts within that OU are still able to launch other instance types. What is the most likely reason?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small"
          ]
        }
      }
    }
  ]
}
Question 133 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company has a trust policy on an IAM role in account 222222222222. The trust policy allows the root user of account 111111111111 to assume the role. However, a user in account 111111111111 is unable to assume the role. What is the most likely cause?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Question 134 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

Refer to the exhibit. A company has created a CloudTrail trail named 'my-trail' in the management account of AWS Organizations. The trail is configured to deliver logs to a central S3 bucket. The security team wants to capture all management events from all accounts in the organization. Based on the exhibit, what is the most likely issue?

Exhibit

Refer to the exhibit.

$ aws cloudtrail describe-trails --trail-name-list my-trail
{
    "trailList": [
        {
            "Name": "my-trail",
            "S3BucketName": "central-logs-bucket",
            "IncludeGlobalServiceEvents": true,
            "IsMultiRegionTrail": false,
            "HomeRegion": "us-east-1",
            "TrailARN": "arn:aws:cloudtrail:us-east-1:123456789012:trail/my-trail",
            "LogFileValidationEnabled": true,
            "IsOrganizationTrail": false
        }
    ]
}
Question 135 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company wants to centralize access control for multiple AWS accounts using AWS Organizations. They need to allow developers in a specific account to launch EC2 instances only in certain regions. What is the most scalable solution?

Question 136 (hard, multiple choice)
Read the full NAT/PAT explanation →

A multinational corporation uses AWS Organizations with hundreds of accounts. The security team requires that all Amazon S3 buckets across the organization be encrypted with a specific AWS KMS key from the security account. Which combination of controls should be implemented to enforce this requirement?

Question 137 (easy, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is migrating to AWS and wants to use AWS CloudFormation to manage infrastructure as code. The DevOps team needs to ensure that stack updates are reviewed and approved before execution. Which feature should they use?

Question 138 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

An organization uses AWS Organizations with multiple accounts. The security team wants to ensure that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. What is the most efficient way to enforce this?

Question 139 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company is designing a multi-account AWS environment for different business units. They need to share a central Amazon RDS database with read replicas in each account for disaster recovery. What architecture minimizes cross-region data transfer costs while maintaining high availability?

Question 140 (hard, multiple choice)
Review the full subnetting walkthrough →

A company uses AWS Organizations with a large number of accounts. The networking team wants to centrally manage VPCs and subnets using AWS Resource Access Manager (RAM) and share subnets to member accounts. What must be done in the member accounts to use shared subnets?

Question 141 (easy, multiple choice)
Read the full NAT/PAT explanation →

A company wants to use AWS Systems Manager to automate patching of EC2 instances across multiple AWS accounts. What is the most efficient way to manage this centrally?

Question 142 (hard, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs to ensure that all accounts use a specific set of IAM roles for cross-account access. What is the most scalable way to enforce this?

Question 143 (medium, multiple choice)
Read the full Design Solutions for Organizational Complexity explanation →

A company uses AWS Organizations and wants to enable cost allocation across business units using tags. They require that all resources are tagged with a 'CostCenter' tag. What is the most effective way to enforce this?

Question 144 (medium, multi select)
Read the full Design Solutions for Organizational Complexity explanation →

A company is designing a multi-account AWS environment with a centralized logging account. Which TWO services should be used to aggregate logs from all accounts?

Question 145 (hard, multi-select)

A company wants to implement a data lake strategy using Amazon S3 across multiple AWS accounts. They need to ensure that data is encrypted at rest using a centralized AWS KMS key from a security account. Which THREE steps should they take?

Question 146 (medium, multi-select)

A company uses AWS Organizations and wants to centrally manage VPC flow logs for all VPCs across all accounts. Which TWO steps are required to achieve this?

Question 147 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts be encrypted with AWS KMS and that bucket policies enforce HTTPS. What is the MOST efficient way to enforce these policies across all accounts?

Question 148 (hard, multiple choice)

A company is migrating a legacy monolithic application to a microservices architecture on AWS. The application has strict latency requirements and must be deployed across multiple Availability Zones. Which design strategy BEST meets these requirements while minimizing operational overhead?

Question 149 (easy, multiple choice)

A solutions architect needs to design a network architecture for a multi-account AWS environment using AWS Transit Gateway. The company requires that all traffic between VPCs be inspected by a central security appliance. What is the MOST efficient way to achieve this?

Question 150 (medium, multiple choice)

A company uses AWS Organizations with several OUs. The security team wants to restrict the use of specific instance types (e.g., all instances except t2.micro) across all accounts. Which SCP should be applied?

Question 151 (hard, multiple choice)

A global company has a multi-region AWS deployment. They need to share a single Amazon RDS for MySQL database across multiple AWS Regions for disaster recovery. The database must have minimal data loss and RTO of less than 1 minute. Which solution meets these requirements?

Question 152 (easy, multiple choice)

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail. They want to ensure that logs are immutable and cannot be deleted or modified by any user, including the root user. Which S3 feature should be enabled?

Question 153 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The finance team needs to track costs by department, where each department uses resources across several accounts. What is the BEST way to allocate costs accurately?

Question 154 (hard, multiple choice)

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The architecture must handle sudden spikes in traffic without losing events. Which configuration ensures the highest reliability?

Question 155 (easy, multiple choice)

A company wants to allow developers to assume a role in a production account from their development account using AWS IAM. What is needed for this cross-account access?

Question 156 (medium, multi-select)

Which TWO actions improve the security of an S3 bucket that stores sensitive data?

Question 157 (hard, multi-select)

Which THREE design patterns are recommended for decoupling components in a microservices architecture on AWS?

Question 158 (medium, multi-select)

Which TWO AWS services can be used to implement a centralized logging solution across multiple AWS accounts?

Question 159 (medium, multiple choice)

A multinational company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization block public access. What is the MOST efficient way to enforce this requirement?

Question 160 (hard, multiple choice)

A company has multiple AWS accounts managed through AWS Organizations. The central IT team wants to allow developers to launch EC2 instances only in specific Regions, but allow full access to all other services. What is the BEST approach?

Question 161 (easy, multiple choice)

A company uses AWS Organizations with a single OU for all accounts. The security team wants to prevent any account from leaving the organization without approval. What should they do?

Question 162 (hard, multiple choice)

A company has a multi-account AWS environment. The security team wants to centrally manage VPC flow logs for all accounts. They already have a centralized logging account. What is the MOST scalable solution?

Question 163 (medium, multiple choice)

A company uses AWS Organizations with multiple OUs. The finance team needs visibility into costs across all accounts. They want to tag resources with a 'CostCenter' tag. What is the BEST way to enforce tag propagation?

Question 164 (easy, multiple choice)

A company wants to allow developers to launch EC2 instances only in the us-east-1 Region. They have a single AWS account. What is the simplest way to enforce this?

Question 165 (hard, multiple choice)

A company uses AWS Organizations with 500 accounts. They want to enforce that all accounts use a specific set of allowed AMIs for EC2. What is the MOST scalable solution?

Question 166 (medium, multiple choice)

A company has a centralized security account and wants to enable AWS Config in all accounts. They want to centrally manage Config rules and view compliance. What should they do?

Question 167 (easy, multiple choice)

A company needs to share a VPC subnet with multiple accounts in the same AWS Organization. What is the MOST secure way to achieve this?

Question 168 (medium, multi-select)

Which TWO actions should a company take to implement a least-privilege access model across multiple AWS accounts? (Choose TWO.)

Question 169 (hard, multi-select)

Which THREE components are required to set up a centralized logging solution for multiple AWS accounts using Amazon S3? (Choose THREE.)

Question 170 (easy, multi-select)

Which TWO AWS services can be used to automate the enforcement of compliance policies across multiple AWS accounts? (Choose TWO.)

Question 171 (medium, multiple choice)

A company applied the SCP shown in the exhibit to an OU. A developer in an account under that OU tries to launch a t2.medium EC2 instance. What will happen?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t2.micro", "t2.small"]
        }
      }
    }
  ]
}

Question 172 (hard, multiple choice)

A company ran the command shown in the exhibit. The management account (111111111111) has an SCP attached that denies all actions. The DevAccount (222222222222) has no SCP. What can the root user of the DevAccount do?

Exhibit

Refer to the exhibit.

$ aws organizations list-accounts
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::123456789012:account/o-example/111111111111",
            "Email": "admin@example.com",
            "Name": "ManagementAccount",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2024-01-01T00:00:00Z"
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::123456789012:account/o-example/222222222222",
            "Email": "dev@example.com",
            "Name": "DevAccount",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2024-01-02T00:00:00Z"
        }
    ]
}

Question 173 (medium, multiple choice)

A security engineer created the bucket policy shown in the exhibit on the central-logging-bucket in account 111111111111. They want account 222222222222 to deliver CloudTrail logs to this bucket. What is missing?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/CrossAccountRole"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::central-logging-bucket/AWSLogs/111111111111/*"
    }
  ]
}

Question 174 (medium, multiple choice)

A multinational company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled. The company wants to enforce this policy centrally without modifying each bucket individually. Which solution is MOST effective?

Question 175 (easy, multiple choice)

A company uses AWS Organizations with multiple accounts. The central IT team wants to restrict the use of specific EC2 instance types across all accounts to control costs. Which approach should the team use?

Question 176 (hard, multiple choice)

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles that grant cross-account access to a central security account. The solution must scale as new accounts are added. What should the team do?

Question 177 (medium, multiple choice)

A company uses AWS Organizations with consolidated billing. The finance team needs to track costs by department, which are tagged with 'department' tags. However, some resources are not tagged. The team wants to ensure that all new resources are tagged, and existing untagged resources are identified. What should they do?

Question 178 (hard, multiple choice)

A company is migrating to AWS and wants to set up a multi-account structure using AWS Organizations. The security team requires that all accounts be part of an organization and that any attempt to leave the organization be blocked. Additionally, the company wants to prevent the use of the root user in member accounts for daily operations. What should they do?

Question 179 (easy, multiple choice)

A company has a central IT team that manages multiple AWS accounts. The team wants to allow developers to create resources in their own accounts but wants to restrict the use of certain expensive services like Amazon Redshift. The developers should not be able to launch Redshift clusters in any account. What is the MOST efficient way to achieve this?

Question 180 (medium, multiple choice)

A company has multiple AWS accounts and wants to centrally manage VPC flow logs for all accounts. The flow logs should be sent to a central S3 bucket in the logging account. The solution must be automated for new accounts added to the organization. What should the team do?

Question 181 (hard, multiple choice)

A company with multiple AWS accounts wants to centralize CloudTrail logging. They create a CloudTrail trail in the management account that logs all events across all accounts and regions. However, the security team notices that some management events from member accounts are not being logged. What is the most likely cause?

Question 182 (easy, multiple choice)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that no IAM users are created in member accounts. All access must be through federated roles. Which approach should they use?

Question 183 (medium, multi-select)

A company has a multi-account environment with AWS Organizations. The security team wants to enforce that all EC2 instances must use a specific AMI ID that is approved by the security team. Which two actions should the team take to achieve this? (Choose two.)

Question 184 (hard, multi-select)

A company is using AWS Organizations with hundreds of accounts. The central IT team needs to deploy a common set of AWS resources (e.g., VPCs, subnets, security groups) to all accounts in a specific organizational unit (OU). The solution must be automated and ensure that new accounts added to the OU automatically receive the resources. Which three steps should the team take? (Choose three.)

Question 185 (easy, multi-select)

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally manage CloudWatch Logs from all accounts. The logs should be sent to a central S3 bucket in the management account. Which two actions should the team take? (Choose two.)

Question 186 (medium, multiple choice)

Refer to the exhibit. An IAM policy is attached to a user in the management account of AWS Organizations. The user wants to assume the OrganizationAccountAccessRole in a member account. However, the user receives an access denied error. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
    }
  ]
}

Question 187 (hard, multiple choice)

Refer to the exhibit. A company has an SCP named 'DenyOutsideRegions' attached to the root OU. The SCP is intended to deny all actions outside us-east-1 and eu-west-1. However, users in a member account are still able to launch EC2 instances in ap-southeast-1. What is the most likely reason?

Exhibit

Refer to the exhibit.

$ aws organizations list-policies --filter SERVICE_CONTROL_POLICY --output json
{
    "Policies": [
        {
            "Id": "p-abc123",
            "Arn": "arn:aws:organizations::123456789012:policy/o-abc123/service_control_policy/p-abc123",
            "Name": "DenyOutsideRegions",
            "Type": "SERVICE_CONTROL_POLICY",
            "AwsManaged": false
        }
    ]
}

Question 188 (medium, multiple choice)

Refer to the exhibit. A company applies this SCP to an OU. However, users in the OU are still able to upload objects to S3 without encryption. What is the most likely reason?

Exhibit

Refer to the exhibit.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyNonEncryptedS3",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

Question 189 (medium, multiple choice)

A company manages multiple AWS accounts using AWS Organizations. The security team needs to enforce that all newly created accounts automatically have a specific set of security controls, including AWS Config rules and an AWS CloudTrail trail. Which solution meets these requirements with the LEAST operational overhead?

Question 190 (hard, multiple choice)

A global company uses AWS Organizations with multiple organizational units (OUs) for different business units. The networking team wants to ensure that all VPCs across all accounts can communicate through a central transit gateway. However, the security team requires that specific accounts cannot access each other's resources. Which combination of actions should the company take to meet these requirements?

Question 191 (easy, multiple choice)

A company uses AWS Organizations with a single member account for its development environment. The IT team wants to allow developers to launch EC2 instances only if they use a specific AMI ID. Which policy type should the company use to enforce this requirement?

Question 192 (medium, multiple choice)

A company has a multi-account AWS environment with hundreds of accounts. The central IT team needs to audit all API calls made in the organization. The solution must be cost-effective and capture events from all regions and accounts, including future accounts. Which solution should the company use?

Question 193 (hard, multiple choice)

A company uses AWS Organizations with several OUs. The security team wants to enforce that EC2 instances in production accounts cannot have public IP addresses. The solution must be preventive and should not rely on developers remembering to follow guidelines. What should the security team do?

Question 194 (easy, multiple choice)

A company has multiple AWS accounts for different departments. The finance team wants to centrally manage and optimize EC2 Reserved Instance purchases across all accounts. Which solution should the company implement?

Question 195 (medium, multiple choice)

A company uses AWS Organizations with multiple OUs. The DevOps team wants to allow developers in a specific OU to create and manage their own VPCs but restrict them from deleting VPCs created by the central networking team. How can this be achieved?

Question 196 (hard, multiple choice)

A multinational corporation uses AWS Organizations to manage multiple accounts across different geographic regions. The company needs to ensure that all data residing in AWS accounts for a specific country remains within that country's boundaries. Which combination of AWS services and features should the company use to enforce this data residency requirement?

Question 197 (easy, multiple choice)

A company uses AWS Organizations with a management account and several member accounts. The security team needs to centrally manage IAM users and roles across all accounts. Which AWS service should the company use?

Question 198 (medium, multi-select)

A company has a multi-account AWS environment using AWS Organizations. The security team wants to enforce that all S3 buckets in the organization are encrypted at rest. Which TWO approaches can the company use to achieve this? (Choose TWO.)

Question 199 (hard, multi-select)

A company uses AWS Organizations with hundreds of accounts. The central IT team needs to ensure that all accounts use a standard set of network configurations, including VPC CIDR blocks and subnets. Which THREE steps should the team take to enforce this standard? (Choose THREE.)

Question 200 (medium, multi-select)

A company uses AWS Organizations to manage multiple accounts. The security team wants to ensure that all root user activities are monitored and alerted. Which TWO actions should the team take? (Choose TWO.)

Question 201 (medium, multiple choice)

A company has a multi-account AWS environment using AWS Organizations with 50 accounts. The accounts are organized into OUs based on environment: Production, Staging, and Development. The central IT team uses AWS CloudFormation StackSets to deploy a baseline network configuration (VPC, subnets, security groups) to all accounts. Recently, the network team updated the stack set to add a new subnet to the VPC. After the update, they noticed that the stack set operation failed for 10 accounts. The error message indicates that the stack set cannot update because a resource already exists. What is the MOST LIKELY cause of this failure?

Question 202 (hard, multiple choice)

A large enterprise uses AWS Organizations with 200 accounts. The central security team has implemented a service control policy (SCP) that denies all actions unless the request comes from a specific set of allowed AWS services. The SCP is attached to the root OU. Recently, the DevOps team reported that they cannot launch Amazon EC2 instances in any account, even though they have full administrator access via IAM roles. The security team verifies that the SCP is correctly configured and that allowed services include EC2. However, the error message states 'Action 'ec2:RunInstances' is not authorized.' The DevOps team is using the AWS Management Console. What is the MOST LIKELY cause?

Question 203 (medium, multiple choice)

A multinational company operates a multi-account AWS environment using AWS Organizations. The security team needs to enforce that all Amazon S3 buckets are encrypted at rest using AWS KMS customer managed keys (CMKs) and that no bucket policies allow anonymous access. What is the MOST efficient way to achieve this across all accounts?

Question 204 (hard, multiple choice)

A company uses AWS Organizations with hundreds of accounts. The central IT team wants to manage IP address ranges for VPCs across all accounts using a custom AWS Resource Access Manager (RAM) resource share. They have created a resource share containing the IP address CIDR blocks (as managed prefix lists) and shared it with the organization. However, some accounts cannot see the shared prefix lists. What is the MOST likely cause?

Question 205 (easy, multiple choice)

A company has a multi-account AWS environment with a centralized logging account. They want to collect VPC Flow Logs from all accounts and store them in a centralized S3 bucket in the logging account. What is the MOST scalable and cost-effective solution?

Question 206 (hard, multiple choice)

Refer to the exhibit. A solutions architect applies this IAM policy to a user. The user tries to upload an object to my-bucket using an unencrypted HTTP connection with SSE-S3 encryption. Will the upload succeed?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {"aws:SecureTransport": "false"}
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {"s3:x-amz-server-side-encryption": "AES256"}
      }
    }
  ]
}

Question 207 (medium, multiple choice)

A company is using AWS Organizations with a hierarchical OU structure. The security team wants to enforce that any new account created in the organization automatically inherits a baseline set of AWS Config rules and a VPC with a default CIDR block. What is the MOST efficient way to achieve this?

Question 208 (hard, multiple choice)

A company has a central IT team that manages AWS resources for multiple business units using AWS Organizations. Each business unit has its own OU. The central team needs to allow each OU's administrators to manage their own IAM roles and policies, but prevent them from modifying the OU structure or creating new accounts. Which IAM policy should be attached to the administrators in the management account?

Question 209 (easy, multiple choice)

A company wants to implement a centralized logging solution for its multi-account AWS environment. The solution must be resilient to AWS Regional failures and provide near real-time log delivery. Which combination of services should the company use?

Question 210 (medium, multiple choice)

A company uses AWS Organizations with multiple OUs. The security team needs to ensure that no EC2 instances are launched without an approved Amazon Machine Image (AMI) ID from a central list. The list changes frequently. What is the MOST scalable way to enforce this?

Question 211 (hard, multiple choice)

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The directory will be used for authentication across multiple VPCs in different accounts. The company needs to ensure that resources in all VPCs can resolve DNS names from the directory. What is the MOST scalable and secure solution?

Question 212 (medium, multi-select)

A company is implementing a new multi-account strategy using AWS Organizations. The central IT team wants to delegate management of certain AWS services to individual account administrators while maintaining centralized governance. Which TWO actions should the team take? (Choose TWO.)

Question 213 (hard, multi-select)

A company has a multi-account AWS environment with a centralized logging account. The security team needs to analyze VPC Flow Logs from all accounts using Amazon Athena. Which THREE steps are required to enable this analysis? (Choose THREE.)

Question 214 (easy, multi-select)

A company is designing a multi-account strategy for development, testing, and production environments. They want to ensure that developers can deploy resources in development and testing accounts but not in production. Which TWO methods should the company use to achieve this? (Choose TWO.)

Question 215 (hard, multiple choice)

A large enterprise has a multi-account AWS environment with over 200 accounts organized under AWS Organizations. The central platform team uses AWS CloudFormation StackSets to deploy a standard VPC with a CIDR of 10.0.0.0/16 into each account. Recently, a business unit created a new account that was not included in the StackSet deployment, and the team manually deployed the VPC using a CloudFormation template. Now, the central team wants to ensure that all accounts have exactly the same VPC configuration and that any drift is automatically corrected. The team also wants to prevent unauthorized changes to the VPC configuration. What is the MOST efficient and secure solution?

Question 216 (medium, multiple choice)

A company is centralizing its logging across multiple AWS accounts using a central logging account. Each application account delivers its CloudTrail logs and VPC Flow Logs to an S3 bucket in the logging account. The security team needs to query these logs using Amazon Athena. The logs are currently in separate S3 prefixes per account. The team wants to create a single Athena table that can query logs from all accounts without having to modify the table definition every time a new account is added. The logs are in CSV format for VPC Flow Logs and JSON format for CloudTrail. What is the MOST efficient solution?

Question 217 (easy, multiple choice)

A startup is launching a new multi-account AWS environment using AWS Organizations. They want to ensure that only the central security team has access to the root user of each member account. Additionally, they want to enable multi-factor authentication (MFA) for the root user of each account. The security team has access to the management account. What is the MOST secure and efficient way to meet these requirements?

Question 218 (medium, multiple choice)

A multinational company wants to implement a multi-account AWS environment using AWS Organizations. The security team requires that all new accounts automatically have AWS CloudTrail and AWS Config enabled with specific rules. Which solution should the company use to enforce these settings across all accounts?

Question 219 (hard, multiple choice)

A company plans to migrate on-premises workloads to AWS. They have 500 VMs and need to ensure consistent network segmentation and security group rules across multiple VPCs in different AWS accounts. The network team uses a centralized hub-and-spoke model with AWS Transit Gateway. Which approach minimizes operational overhead while maintaining security compliance?

Question 220 (easy, multiple choice)

A startup is using a single AWS account for development, testing, and production. They want to isolate environments and improve security. Which approach best aligns with AWS best practices?

Question 221 (medium, multiple choice)

A company uses AWS Control Tower to manage a multi-account environment. They need to deploy a custom CloudFormation template to all accounts in a specific organizational unit (OU) whenever a new account is added. What should they use?

Question 222 (hard, multiple choice)

A large enterprise has 200 AWS accounts organized under AWS Organizations. The central security team needs to audit all IAM role trust policies across accounts to ensure no cross-account roles allow external principals. Which approach is most efficient and scalable?

Question 223 (easy, multiple choice)

A company uses AWS Organizations with consolidated billing. The finance team needs to allocate costs to different departments based on resource tags. However, some resources are not tagged. What is the most effective solution?

Question 224 (medium, multiple choice)

A company is designing a cross-account backup strategy using AWS Backup. They have a central backup account that needs to manage backups for multiple member accounts. What is the minimal set of permissions required?

Question 225 (hard, multiple choice)

A company runs a global application on AWS spanning multiple regions. They need to enforce that IAM users in specific accounts can only launch EC2 instances in approved regions. The company uses AWS Organizations. What is the most effective way to enforce this?

Question 226 (easy, multiple choice)

A company needs to share a central Amazon S3 bucket containing common data files with multiple accounts in AWS Organizations. Which approach is most secure and scalable?

Question 227 (medium, multi select)

A company is designing a multi-account strategy using AWS Organizations. They want to enforce that no one can disable AWS CloudTrail in any account. Which TWO methods can achieve this?

Question 228 (hard, multi select)

A company has multiple AWS accounts and wants to centralize logging of all API calls. Which TWO services should be used together to achieve this?

Question 229 (medium, multi select)

A company uses AWS Organizations with 50 accounts. They need to manage EC2 instance inventory across all accounts. Which THREE steps are necessary to achieve this?

Question 230 (hard, multiple choice)

A financial services company uses AWS Organizations with a multi-account structure: a central security account, a shared services account, and multiple workload accounts. The security team needs to centrally manage and audit all changes to security groups across all accounts. They have implemented AWS Config with an aggregator in the security account. However, they notice that changes to security groups in workload accounts are not appearing in the aggregator. The workload accounts have AWS Config enabled and are recording security group changes. The security account has the necessary cross-account permissions. What is the most likely cause and solution?

Question 231 (medium, multiple choice)

A company has a production AWS account and a development AWS account under AWS Organizations. The development team wants to deploy a CloudFormation stack that creates an S3 bucket with a bucket policy that grants access to the production account's IAM roles. The development account has an SCP that denies all s3:PutBucketPolicy actions. The development team has full administrator access in their account. When they try to create the stack, it fails. What is the most likely reason and how should they proceed?

Question 232 (easy, multiple choice)

A company has a single AWS account that hosts multiple applications for different business units. Each business unit wants to have its own set of IAM users and permissions. The company wants to minimize administrative overhead while maintaining separation. They are considering using AWS Organizations with multiple accounts. However, the CFO is concerned about increased costs due to separate accounts. What is the best solution to address the business units' needs while managing costs?

Question 233 (easy, multi select)

A company is using AWS Organizations with multiple accounts. The security team requires that all S3 buckets across all accounts must have server-side encryption enabled and block public access. Which TWO actions should be taken to enforce these requirements centrally?

Question 234 (medium, multi select)

A company has a multi-account AWS environment with 50 accounts. They need to implement a centralized logging solution for VPC Flow Logs, CloudTrail, and AWS Config logs. The logs must be stored in a central S3 bucket and encrypted with a customer-managed KMS key. Which THREE steps should be taken to meet these requirements?

Question 235 (hard, multi select)

A company manages 200 AWS accounts using AWS Organizations. The security team wants to prevent developers from creating resources outside of a set of approved AWS Regions. Additionally, they want to restrict the creation of resources that are not tagged with a cost center tag. Which THREE actions should be taken to enforce these requirements?

Question 236 (medium, multiple choice)

A company has an AWS Organizations setup with 100 accounts. The security team requires that all IAM users across all accounts must have multi-factor authentication (MFA) enabled. Currently, there is no central enforcement. The company wants to implement a solution that automatically detects IAM users without MFA and disables their access keys. The solution must be centrally managed from the management account. Which solution meets these requirements?

Question 237 (hard, multiple choice)

A company has a multi-account AWS environment with a central logging account and multiple workload accounts. The security team requires that all VPC Flow Logs be delivered to a central S3 bucket in the logging account. The VPC Flow Logs are encrypted with a customer-managed KMS key in the logging account. The workload accounts have created VPC Flow Logs, but the logs are not appearing in the central S3 bucket. The IAM role used by VPC Flow Logs in the workload accounts has the necessary permissions to deliver logs to the central S3 bucket. What is the most likely cause of the issue?

Question 238 (easy, multiple choice)

A company uses AWS Organizations with a management account and multiple member accounts. The management account has a trail in AWS CloudTrail that logs all management events for all accounts. The security team wants to also log data events for S3 buckets across all accounts. They create a new trail in the management account with data events enabled for all S3 buckets in all accounts. However, data events from member accounts are not appearing in the CloudTrail logs. What is the most likely cause?

Question 239 (medium, multiple choice)

A company has a multi-account AWS environment with 50 accounts. They use AWS Organizations and want to centrally manage EC2 instances across all accounts. The operations team needs to run a script on all EC2 instances that are tagged with Environment=Production. The script must be executed once immediately and requires access to a shared S3 bucket in the management account. Which solution meets these requirements with the least operational overhead?

Question 240 (hard, multiple choice)

A company has a centralized AWS account for security tools and multiple member accounts. They want to use AWS GuardDuty to detect threats across all accounts. They have enabled GuardDuty in the management account and invited all member accounts. GuardDuty is set to send findings to a central S3 bucket in the security account. However, findings from member accounts are not appearing in the central S3 bucket. The security account has a bucket policy that allows the GuardDuty service principal to write findings. What is the most likely cause?

Question 241 (easy, multiple choice)

A company uses AWS Organizations and wants to centrally manage backups for EC2 instances across multiple accounts. They want to create a backup plan that backs up all EC2 instances tagged with Backup=Weekly. The backup must be stored in a central backup vault in the management account. Which solution meets these requirements?

Question 242 (medium, multiple choice)

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to share a VPC subnet in the network account with the workload accounts so that they can launch EC2 instances directly into the shared subnet. The network team has created a VPC with a subnet and shared it using AWS Resource Access Manager (RAM) with the workload accounts. However, the workload accounts cannot see the shared subnet when launching EC2 instances. What is the most likely cause?

Question 243 (hard, multiple choice)

A company uses AWS Organizations and has deployed a multi-account strategy. The security team wants to enforce that all S3 buckets have versioning enabled. They create an SCP that denies the PutBucketVersioning action if versioning is not enabled. However, they find that the SCP is not preventing users in member accounts from disabling versioning on existing buckets. What is the most likely reason?

Question 244 (easy, multiple choice)

A company has a multi-account AWS environment. They want to use AWS CloudTrail to log all API calls across all accounts and deliver the logs to a central S3 bucket in the logging account. They have configured a trail in the management account that logs management events for all accounts. However, they notice that the logs from member accounts are not being delivered to the central S3 bucket. What is the most likely cause?

Question 245 (medium, multiple choice)

A company uses AWS Organizations and has a central security account. They want to use AWS Security Hub to aggregate findings from all member accounts. They have enabled Security Hub in the security account and invited all member accounts. However, findings from member accounts are not appearing in the Security Hub console of the security account. What is the most likely cause?

Question 246 (hard, multiple choice)

A company has a multi-account AWS environment with a central network account and multiple workload accounts. They want to use AWS Transit Gateway to connect VPCs across accounts. The network team has created a Transit Gateway in the network account and shared it using AWS Resource Access Manager (RAM) with the workload accounts. The workload accounts have created VPC attachments to the Transit Gateway. However, traffic is not flowing between the VPCs. The route tables in the workload VPCs have routes pointing to the Transit Gateway. What is the most likely cause?

Question 247 (medium, multiple choice)

A company uses AWS Organizations and wants to centrally manage AWS Config rules across all member accounts. They have enabled AWS Config in the management account and used AWS Config aggregator to view compliance status across accounts. However, they want to enforce a specific Config rule in all accounts automatically. Which solution should they use?

Question 248 (hard, multi select)

A multinational corporation is migrating its on-premises Active Directory to AWS. The company requires a solution that supports multi-region authentication for thousands of users and integrates with existing on-premises Active Directory for seamless SSO. The solution must be highly available and provide low-latency authentication. Which TWO AWS services should be combined to meet these requirements? (Choose two.)

Question 249 (easy, multiple choice)

A startup is deploying a multi-account AWS environment using AWS Organizations. They have a central logging account where all VPC Flow Logs and CloudTrail logs are stored in an S3 bucket. The security team requires that all accounts in the organization, including future accounts, automatically send logs to this central bucket. They also want to prevent any account from disabling logging. Which solution meets these requirements?

Question 250 (medium, multiple choice)

A large enterprise with multiple business units (BUs) uses AWS Organizations with a shared services account and BU-specific accounts. Each BU account has a VPC with multiple subnets. The shared services account hosts a central NAT gateway that provides outbound internet access to all BU private subnets via VPC peering. Recently, the network team noticed that traffic from one BU's private subnet is being blocked by the security group in the shared services account. They verified that the route tables are correctly configured. What is the most likely cause and solution?

Question 251 (hard, multiple choice)

A global e-commerce company uses AWS Organizations with over 500 accounts. They have a central security account that aggregates CloudTrail logs and VPC Flow Logs from all accounts. The security team needs to analyze these logs using Amazon Athena and visualize the results in Amazon QuickSight. The logs are stored in an S3 bucket in the security account, and each member account writes its own prefix. The current setup uses a bucket policy to allow member accounts to write logs. Recently, the security team has been unable to query logs for the past week. They suspect the issue is related to a new SCP that was applied to the root. The SCP denies s3:PutObject unless the request includes a specific tag. Which action should the security team take to restore log delivery without compromising security?

Question 252 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Organizations. The security team requires that all S3 buckets across all accounts must block public access. How can this be enforced centrally with minimal operational overhead?

Question 253 (hard, multiple choice)

A global company uses a multi-account AWS Organizations structure with hundreds of accounts. The network team wants to centrally manage VPC flow logs for all accounts and send them to a centralized S3 bucket in the security account. Which solution is MOST scalable and operationally efficient?

Question 254 (easy, multiple choice)

A company's IT team uses AWS CloudFormation to deploy infrastructure. They want to enforce tagging standards across all stacks. Which approach should they use?

Question 255 (medium, multiple choice)

A company is migrating its on-premises Active Directory to AWS Managed Microsoft AD. They need to ensure that users can authenticate to AWS resources using their existing corporate credentials. What is the MOST secure and scalable solution?

Question 256 (hard, multiple choice)

An organization uses AWS Organizations with a multi-account strategy. The security team needs to ensure that all accounts must use AWS CloudTrail with logs delivered to a centralized S3 bucket. They also want to receive notifications if any account disables CloudTrail. What is the MOST efficient solution?

Question 257 (easy, multiple choice)

A company uses a central IT team to manage multiple AWS accounts. The team wants to provide developers with the ability to launch EC2 instances but restrict them to using only specific instance types. How should this be enforced?

Question 258 (medium, multiple choice)

A company has a centralized logging account that receives VPC flow logs from all accounts. The logs are stored in an S3 bucket. The security team needs to analyze these logs to detect anomalous traffic patterns. Which solution provides the most cost-effective and scalable analysis?

Question 259 (hard, multiple choice)

A company uses AWS Organizations with a multi-account strategy. They want to allow a centralized DevOps team to manage EC2 instances across all accounts using AWS Systems Manager. The DevOps team should not have direct IAM access to the target accounts. How can this be achieved?

Question 260 (easy, multiple choice)

A company wants to implement a data lake on AWS with data from multiple sources. They need to store data in its raw format and allow multiple teams to query it using different tools. Which service should be used as the central storage layer?

Question 261 (medium, multi select)

A company is designing a multi-account AWS Organizations architecture. Which TWO considerations should be taken into account when designing the organizational structure?

Question 262 (hard, multi select)

A company uses AWS Organizations with a multi-account setup. The security team needs to ensure that all users in all accounts use multi-factor authentication (MFA) to access the AWS Management Console. Which THREE steps should be taken to enforce this?

Question 263 (medium, multi select)

A company wants to implement a cost allocation strategy using tags across multiple accounts in AWS Organizations. Which TWO practices should be followed?

Question 264 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to centrally enforce that all S3 buckets across all accounts have server-side encryption enabled. Which solution should be used?

Question 265 (hard, multiple choice)

A multinational corporation is using AWS Organizations with hundreds of accounts. The finance team needs to track costs by cost center, which is stored as a tag on each resource. However, some resources are missing the tag. What is the most efficient way to ensure that all resources are tagged correctly going forward?

Question 266 (easy, multiple choice)

A company uses AWS Organizations and wants to allow a development account to assume a role in the production account for deployment purposes. Which component is necessary for this cross-account access?

Question 267 (hard, multiple choice)

A company has a centralized logging account and wants all VPC Flow Logs from all accounts to be delivered to a central S3 bucket in the logging account. Each account has a VPC Flow Log configured to deliver to a bucket in the same account. What is the most efficient way to centralize these logs?

Question 268 (medium, multiple choice)

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a specific member account. What must be done?

Question 269 (easy, multiple choice)

A company wants to ensure that no IAM user in any account can create access keys. The company uses AWS Organizations. Which approach should be used?

Question 270 (hard, multiple choice)

A company has a multi-account AWS environment with a shared services account that hosts Active Directory for authentication. Developers need to launch EC2 instances in development accounts and join them to the domain. What is the most secure way to allow this?

Question 271 (medium, multiple choice)

A company uses AWS Organizations and wants to allow certain accounts to use AWS Service Catalog for self-service provisioning. The IT team needs to control which products are available. Where should the product portfolio be shared?

Question 272 (hard, multiple choice)

A company has a data lake in AWS using S3 and Glue. The security team requires that all data in the data lake be encrypted at rest using a customer-managed KMS key. However, some users are able to upload data without encryption. What is the most effective way to enforce encryption?

Question 273 (medium, multiple choice)

A company runs a multi-account AWS environment using AWS Organizations. The security team wants to ensure that all new member accounts automatically have a specific AWS Config rule enabled. Which solution should be used?

Question 274 (easy, multiple choice)

A company uses AWS Organizations with a single OU for all production accounts. The central security team wants to prevent any user from disabling Amazon GuardDuty in any production account. What is the MOST effective way to enforce this?

Question 275 (hard, multiple choice)

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and AWS Config logs from all accounts in the organization. The logs are stored in S3 buckets. The security team wants to analyze these logs using Amazon Athena. What is the MOST cost-effective way to ensure that the Athena queries only scan the necessary data?

Question 276 (medium, multiple choice)

A company has a centralized network account that hosts a transit gateway with attachments to multiple VPCs in different accounts. The security team needs to ensure that all traffic between VPCs is inspected by a centralized NGFW appliance in the network account. What is the MOST efficient solution?

Question 277 (easy, multiple choice)

A company uses AWS Organizations with a single OU. The management account has a service control policy (SCP) that denies all actions on EC2 instances with a specific tag. However, users in a member account can still terminate tagged instances. What is the most likely cause?

Question 278 (hard, multiple choice)

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

Question 279 (medium, multiple choice)

A company uses AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required to set this up?

Question 280 (easy, multiple choice)

A company has a single AWS account and wants to implement a multi-account strategy for better isolation. Which AWS service is designed to help centrally manage multiple accounts?

Question 281 (medium, multiple choice)

A company uses AWS Organizations and has a member account that needs to access a shared S3 bucket in another member account. The bucket policy allows access from the account's root user. What is the simplest way to grant an IAM user in the member account access?

Question 282 (hard, multi select)

A company has a multi-account AWS environment with hundreds of accounts. They need to enforce that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. Which TWO actions should be taken to ensure compliance across the organization?

Question 283 (medium, multi select)

A company is designing a centralized logging solution for multiple AWS accounts. The solution must meet compliance requirements that logs be immutable and stored for 7 years. Which THREE services should be combined to achieve this?

Question 284 (medium, multi select)

A company uses AWS Organizations and wants to centralize Amazon VPC IP Address Manager (IPAM) across multiple accounts. Which TWO steps are required to enable cross-account IPAM?

Question 285 (easy, multiple choice)

A company has multiple AWS accounts managed through AWS Organizations. The security team requires that all VPC flow logs be enabled in every account and region. What is the MOST efficient way to enforce this requirement?

Question 286 (medium, multiple choice)

A global company is using a multi-account AWS Organizations setup with a centralized logging account. They want to aggregate CloudTrail logs from all accounts into a single S3 bucket in the logging account. Which combination of steps will meet this requirement?

Question 287 (hard, multiple choice)

A company uses AWS Organizations with hundreds of accounts. The security team needs to ensure that no IAM user in any account can create a new IAM user or access key. What is the most scalable way to enforce this?

Question 288 (medium, multi select)

A company is managing multiple AWS accounts using AWS Organizations. They want to centralize the management of EC2 instances and enforce tagging standards across all accounts. Which TWO approaches should they use?

Question 289 (hard, multi select)

A company uses AWS Organizations with a central security account. They need to ensure that any S3 bucket created in any account is configured with encryption and versioning enabled. Which THREE steps should they take?

Question 290 (medium, multi select)

A company wants to centrally manage IAM permissions across multiple AWS accounts using AWS Organizations. They need to allow developers to launch EC2 instances but restrict the instance types to approved families (e.g., t3 and m5). Which TWO solutions meet this requirement?

Question 291 (easy, multiple choice)

A company uses AWS Organizations with a management account and several member accounts. The security team wants to ensure that all member accounts have AWS CloudTrail enabled and that logs are delivered to a centralized S3 bucket in the management account. What should they do?

Question 292 (medium, multiple choice)

A company's AWS environment includes multiple VPCs across several accounts that are connected via a transit gateway. The network team wants to monitor all network traffic between VPCs for security analysis. Which solution is the most scalable and cost-effective?

Question 293 (hard, multiple choice)

A company manages multiple AWS accounts using AWS Organizations. They want to enforce that any EC2 instance launched with a public IP address must have a specific security group attached. What is the MOST effective way to enforce this?

Question 294 (hard, multi select)

A company uses AWS Organizations with a dedicated security account. They want to centralize the management of AWS Config rules and ensure that all accounts are compliant with the same set of rules. Which THREE steps should they take?

Question 295 (easy, multiple choice)

A company has a management account and several member accounts in AWS Organizations. They want to allow a developer in a member account to create an organization trail. What should they do?

Question 296 (medium, multiple choice)

A company uses AWS Organizations with multiple accounts. The security team requires that all S3 buckets across the organization have server-side encryption enabled. Which is the MOST efficient way to enforce this policy?

Question 297 (hard, multiple choice)

A company has a multi-account AWS environment with centralized logging. The security team wants to ensure that all VPC Flow Logs are published to a central S3 bucket in the logging account. Which combination of steps should be taken to achieve this?

Question 298 (easy, multiple choice)

A company has a production AWS account and a development AWS account. The development team needs to assume an IAM role in the production account to deploy resources. What is the correct way to set up this cross-account access?

Question 299 (hard, multiple choice)

A company uses AWS Config to evaluate resource compliance across multiple accounts. The security team wants to automatically remediate non-compliant resources using AWS Systems Manager Automation documents. Which solution is MOST scalable and secure?

Question 300 (medium, multiple choice)

A company manages multiple AWS accounts and wants to centralize billing and cost tracking. They have enabled AWS Organizations and consolidated billing. Which additional step should they take to gain granular visibility into costs per department?

Question 301 (easy, multiple choice)

A company uses AWS Organizations and wants to delegate administrative tasks for specific AWS services to a member account. Which AWS feature should be used?

Question 302 (medium, multiple choice)

A company has a multi-account AWS environment and wants to enforce that all EC2 instances are launched with a specific AMI ID. The AMI ID is maintained by the security team in a central account. What is the MOST effective way to enforce this across all accounts?

Question 303 (hard, multiple choice)

A company has multiple VPCs across different AWS accounts and wants to establish private connectivity between them. They also need to centrally manage network traffic for security inspection. Which architecture should they use?

Question 304 (easy, multiple choice)

A company wants to centralize AWS CloudTrail logs from all accounts in AWS Organizations into a single S3 bucket. Which configuration is required?

Question 305 (medium, multi select)

A company has a multi-account AWS environment and wants to implement a secure, scalable cross-account network architecture using AWS Transit Gateway. Which TWO steps should be taken?

Question 306 (hard, multi select)

A company has a multi-account AWS environment and wants to enforce that all IAM roles in member accounts must include a specific tag (e.g., CostCenter). Which THREE steps should be taken to enforce this policy using AWS Organizations?

Question 307 (medium, multi select)

A company uses AWS Organizations and wants to centrally manage Amazon GuardDuty across all accounts. Which TWO steps are required to enable GuardDuty in all accounts from a single management account?

Question 308 (medium, multiple choice)

Refer to the exhibit. A solutions architect is reviewing an IAM trust policy for a Lambda function's execution role. The function needs to access an S3 bucket in the same account. The trust policy is as shown. What is missing for the Lambda function to successfully assume the role?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Question 309 (hard, multiple choice)

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

Exhibit

$ aws ec2 describe-vpcs --region us-east-1 --query 'Vpcs[0].VpcId'
"vpc-0abcd1234"
$ aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-0abcd1234
{
    "Subnets": [
        {
            "SubnetId": "subnet-11111111",
            "CidrBlock": "10.0.1.0/24",
            "MapPublicIpOnLaunch": false
        },
        {
            "SubnetId": "subnet-22222222",
            "CidrBlock": "10.0.2.0/24",

Question 310 (hard, multiple choice)

Refer to the exhibit. A CloudFormation template is used to create an IAM role for EC2. The stack creation fails with the error: "Resource creation cancelled". The IAM role is not created. What is the MOST likely reason?

Exhibit

Resource: AWS::IAM::Role
Properties:
  RoleName: MyRole
  AssumeRolePolicyDocument:
    Version: 2012-10-17
    Statement:
      - Effect: Allow
        Principal:
          Service: ec2.amazonaws.com
        Action: sts:AssumeRole
  Policies:
    - PolicyName: S3Access
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Action: s3:GetObject
            Resource: arn:aws:s3:::my-bucket/*
  Tags:
    - Key: Environment
      Value: Production

Question 311 (medium, multiple choice)

A multinational company is adopting AWS Organizations to manage multiple accounts across business units. The security team requires that specific IAM roles be automatically deployed to all existing and future member accounts. Which solution should the company use?

Question 312 (hard, multiple choice)

A company uses AWS Organizations with a multi-account strategy. The central IT team needs to enforce that all Amazon S3 buckets across the organization are encrypted with AWS KMS using a specific customer managed key. The security policy must be applied without modifying individual bucket policies. Which approach meets these requirements?

Question 313 (easy, multiple choice)

A company is designing a centralized logging solution for multiple AWS accounts. They need to aggregate VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts into a single S3 bucket. Which AWS service should be used to centralize the log collection?

Question 314 (medium, multiple choice)

A company operates multiple AWS accounts using AWS Organizations. They want to centrally manage Amazon EC2 Auto Scaling groups across all accounts. The operations team needs to view and modify scaling policies from a single pane of glass. Which solution should they implement?

Question 315 (hard, multiple choice)

A company uses AWS Organizations with hundreds of accounts. The security team wants to ensure that no account can disable AWS CloudTrail or delete CloudTrail log files. Which preventive control should be implemented?

Question 316 (easy, multiple choice)

A company is designing a network architecture for a multi-account AWS environment. They need to establish a central inspection VPC through which all traffic between VPCs in different accounts must pass. Which AWS service should be used to route traffic between VPCs through the inspection VPC?

Question 317 (medium, multiple choice)

A company has a management account in AWS Organizations and wants to share a central Amazon VPC subnet with multiple member accounts for a shared services VPC. Which AWS service should be used to share the subnet?

Question 318 (hard, multiple choice)

A company uses AWS Organizations and wants to implement a data perimeter across all accounts to ensure that data can only be accessed from approved networks. Which combination of controls should be used to enforce this perimeter?

Question 319 (easy, multiple choice)

A company wants to centrally manage backups for Amazon EBS volumes across multiple AWS accounts. They need a solution that can automatically back up volumes based on tags, retain backups according to a policy, and send notifications on failures. Which AWS service should they use?

Question 320 (hard, multi select)

A company is designing a multi-account strategy using AWS Organizations. They need to enforce that all IAM users in member accounts must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO approaches should they combine to enforce this requirement?

Question 321 (medium, multi select)

A company is implementing a hybrid network architecture with multiple VPCs in different AWS accounts. They need to ensure private connectivity between the VPCs and their on-premises data center. Which TWO services should they use together to meet this requirement?

Question 322 (medium, multi select)

A company uses AWS Organizations and wants to establish a central logging solution. They need to collect CloudTrail logs from all accounts and store them in a central S3 bucket in the management account. Which THREE steps are required to achieve this?

Question 323 (hard, multiple choice)

Refer to the exhibit. A company applies this SCP to all accounts in an AWS Organization. What is the effect of this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": [
            "t3.micro",
            "t3.small"
          ]
        }
      }
    }
  ]
}

Question 324 (medium, multiple choice)

Refer to the exhibit. An administrator runs this command and sees the output. Which statement about the accounts is correct?

Exhibit

$ aws organizations list-accounts
{
    "Accounts": [
        {
            "Id": "111111111111",
            "Arn": "arn:aws:organizations::123456789012:account/o-xxxxxxxxxx/111111111111",
            "Email": "admin@company.com",
            "Name": "Management",
            "Status": "ACTIVE",
            "JoinedMethod": "INVITED",
            "JoinedTimestamp": "2023-01-01T00:00:00Z"
        },
        {
            "Id": "222222222222",
            "Arn": "arn:aws:organizations::123456789012:account/o-xxxxxxxxxx/222222222222",
            "Email": "prod@company.com",
            "Name": "Production",
            "Status": "ACTIVE",
            "JoinedMethod": "CREATED",
            "JoinedTimestamp": "2023-01-02T00:00:00Z"
        },
        {
            "Id": "333333333333",
            "Arn": "arn:aws:organizations::123456789012:account/o-xxxxxxxxxx/333333333333",
            "Email": "suspended@company.com",
            "Name": "Suspended",
            "Status": "SUSPENDED",
            "JoinedTimestamp": "2023-01-03T00:00:00Z"
        }
    ]
}

Question 325 (hard, multiple choice)

Refer to the exhibit. A trust policy is attached to an IAM role named AuditRole in account 111111111111. The IAM role Admin in account 222222222222 attempts to assume AuditRole. The session is launched with source identity 'admin'. Will the assumption succeed?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::222222222222:role/Admin"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceIdentity": "central-admin"
        }
      }
    }
  ]
}

Question 326 (medium, multiple choice)

A company has multiple AWS accounts managed using AWS Organizations. The security team wants to enforce that all new accounts automatically have a specific AWS Config rule enabled to prohibit public S3 bucket access. Which solution requires the least operational overhead?

Question 327 (hard, multiple choice)

A multinational corporation is migrating to AWS and needs to manage permissions across multiple accounts using AWS IAM Identity Center (successor to AWS SSO). The company has a central identity source in Microsoft Active Directory. They need to grant different levels of access to users based on their job function. Which combination of AWS services will provide the most scalable and maintainable solution?

Question 328 (easy, multiple choice)

A company is using AWS Organizations to manage multiple accounts. The security team wants to ensure that no one can disable AWS CloudTrail or delete CloudTrail log files across any account. What is the most effective way to enforce this?

Question 329 (medium, multiple choice)

A company has a centralized logging solution using Amazon S3 and AWS CloudTrail across multiple accounts. The logs are delivered to a central S3 bucket. The security team needs to ensure that logs are encrypted at rest and access is limited to only authorized security personnel. Which combination of actions should be taken?

Question 330 (hard, multiple choice)

A company has a complex AWS environment with hundreds of accounts. They want to implement a tagging strategy that allows them to track costs by department and project. The tags must be propagated from resources to cost reports automatically. Which approach meets these requirements with minimal ongoing maintenance?

Question 331 (medium, multiple choice)

A company is using AWS Organizations and wants to allow only specific AWS services to be used in member accounts. The security team needs to block the use of Amazon EC2 and Amazon RDS, but allow all other services. Which SCP configuration should be used?

Question 332 (easy, multiple choice)

A company wants to centralize logging from multiple AWS accounts into a single Amazon S3 bucket. The logging accounts are part of an AWS Organization. Which approach should be used to allow CloudTrail to deliver logs from all accounts to the central bucket?

Question 333 (medium, multiple choice)

A company has a multi-account AWS environment. They want to ensure that any new account created in the organization automatically gets a specific set of IAM roles and AWS Config rules deployed. Which solution requires the least manual effort?

Question 334 (hard, multiple choice)

A company uses AWS Organizations with a centralized networking account that hosts a VPC with a transit gateway. Other accounts need to connect to this transit gateway. The company wants to ensure that only approved VPCs can attach to the transit gateway, and that the attachments are automatically approved when a VPC is created in a member account. Which solution meets these requirements?

Question 335 (medium, multi select)

A company has multiple AWS accounts. They want to enforce that all IAM users must use multi-factor authentication (MFA) to access the AWS Management Console. Which TWO steps should be taken to enforce this across all accounts?

Question 336 (hard, multi select)

A company is migrating to a multi-account AWS environment. They want to centralize DNS management using Amazon Route 53 private hosted zones. The private zones must be accessible from all VPCs in the organization. Which THREE steps are required to achieve this?

Question 337 (medium, multi select)

A company wants to use AWS IAM Identity Center (successor to AWS SSO) to provide single sign-on access to multiple AWS accounts. They have an existing Microsoft Active Directory and want to synchronize users and groups. Which TWO actions should be taken to set this up?

Question 338 (medium, multiple choice)

Refer to the exhibit. A security engineer is reviewing this S3 bucket policy. The bucket is used to store sensitive logs from multiple accounts in an AWS Organization. What is the primary purpose of the condition element in this policy?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceOrgID": "o-xxxxxxxxxx"
        }
      }
    }
  ]
}

Question 339 (hard, multiple choice)

Refer to the exhibit. A security engineer ran this AWS CLI command to investigate who created a CloudTrail trail in January 2024. The command returned no results. However, the security team knows that a trail was created during that period. What is the most likely reason for the empty result?

Exhibit

aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName --start-time 2024-01-01T00:00:00Z --end-time 2024-01-31T23:59:59Z --output json

Question 340 (easy, multiple choice)

Refer to the exhibit. A solutions architect is reviewing this SCP. What is the effect of this SCP when attached to an organizational unit (OU)?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

Question 341 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Organizations. The security team needs to enforce that all newly created S3 buckets in any account have server-side encryption (SSE-S3 or SSE-KMS) enabled. Which solution should the team implement?

Question 342 (hard, multiple choice)

A global company with a centralized IT team manages AWS resources across 50 accounts using AWS Control Tower. The team wants to deploy a new VPC with a specific CIDR block in each account in the same AWS Region. The VPC must have identical configuration across accounts. Which approach is the MOST efficient and meets the requirement?

Question 343 (easy, multiple choice)

A company uses a single AWS account for development and production workloads. To improve security and cost allocation, the company decides to separate environments into multiple accounts. What is the PRIMARY benefit of using multiple accounts?

Question 344 (medium, multi select)

A company is designing a multi-account strategy using AWS Organizations. Which TWO benefits does this approach provide? (Choose TWO.)

Question 345 (hard, multi select)

A company has a multi-account AWS environment with a centralized logging account. The security team needs to collect all Amazon S3 access logs and AWS CloudTrail logs from all accounts into a centralized Amazon S3 bucket in the logging account. Which THREE steps are required to meet this requirement? (Choose THREE.)

Question 346 (medium, multi select)

A company uses AWS Organizations with consolidated billing. The company wants to share a centrally managed Amazon VPC subnet across multiple accounts using AWS Resource Access Manager (RAM). Which THREE resources can be shared via RAM? (Choose THREE.)

Question 347 (medium, multiple choice)

A company has a multi-account AWS environment with a centralized security account. The security team needs to have read-only access to all Amazon S3 buckets across all accounts for auditing purposes. Which solution is the MOST secure and scalable?

Question 348 (hard, multiple choice)

A company uses AWS Organizations with a single OU for all member accounts. The company wants to restrict the use of specific Amazon EC2 instance types across all member accounts. However, the management account should not be restricted. Which solution meets this requirement?

Question 349 (easy, multiple choice)

A company has a multi-account AWS environment with a centralized network account that hosts a transit gateway. The company wants to share the transit gateway with multiple member accounts. Which AWS service should be used to share the transit gateway?

Question 350 (medium, multiple choice)

A company is using AWS Organizations with consolidated billing. The company has a production account and a development account. The security team needs to ensure that developers cannot create IAM users in the development account. Which option is the MOST effective?

Question 351 (hard, multi select)

A company has multiple AWS accounts in an organization. The security team needs to centrally manage Amazon GuardDuty findings from all accounts. Which THREE steps should the team take to meet this requirement? (Choose THREE.)

Question 352 (medium, multiple choice)

A company has a multi-account AWS environment. The central IT team manages IAM roles in each account using AWS CloudFormation StackSets. The team needs to ensure that a specific IAM role exists in all member accounts. Which solution is the MOST efficient?

Question 353 (medium, multiple choice)

A company with multiple AWS accounts wants to centrally manage network security policies. The security team needs to inspect all traffic between VPCs in different accounts and block malicious traffic. Which solution is MOST operationally efficient?

Question 354 (hard, multiple choice)

A global company uses AWS Organizations with hundreds of accounts. The security team requires that all S3 buckets across the organization block public access. They want to enforce this policy without modifying existing bucket policies. Which solution should they use?

Question 355 (easy, multiple choice)

A company uses AWS Organizations with consolidated billing. The finance team wants to track costs by project, where each project may use resources across multiple accounts. What is the MOST scalable way to allocate costs?

Question 356 (medium, multiple choice)

A company has a multi-account AWS environment. The security team needs to centrally manage and audit IAM roles that allow cross-account access. Which solution meets these requirements?

Question 357 (hard, multiple choice)

A company has a central logging account that receives VPC Flow Logs, CloudTrail logs, and DNS logs from all accounts in AWS Organizations. The logs are stored in Amazon S3. The security team needs to query these logs for specific IP addresses and time ranges. Which solution is MOST cost-effective and scalable?

Question 358 (easy, multiple choice)

A company is using AWS Organizations and wants to delegate administration of AWS IAM Identity Center (successor to AWS SSO) to a member account. Which step is required?

Question 359 (medium, multiple choice)

A company uses AWS Organizations with 50 accounts. The networking team wants to deploy a shared VPC in the network account and share subnets with other accounts. The shared subnets will host EC2 instances from the consuming accounts. What is the MOST secure way to ensure that only authorized accounts can create resources in the shared subnets?

Question 360 (hard, multiple choice)

A company wants to implement a least-privilege permission model across all AWS accounts. The security team needs to ensure that no IAM user has full administrator access. However, the operations team occasionally needs emergency access. Which solution meets these requirements?

Question 361 (easy, multiple choice)

A company uses AWS Organizations and wants to ensure that all member accounts have AWS CloudTrail enabled and logs are delivered to a central S3 bucket in the management account. Which approach is MOST efficient?

Question 362 (medium, multi select)

A company has 100 AWS accounts in AWS Organizations. The security team wants to enforce that all Amazon S3 buckets have encryption enabled. Which TWO actions should the team take to meet this requirement? (Choose TWO.)

Question 363 (hard, multi select)

A company is designing a multi-account strategy for its development teams. Each team needs to have its own isolated environment with VPCs, subnets, and security groups. The company wants to centralize network administration and ensure that all VPCs use a common set of security rules. Which THREE steps should the company take? (Choose THREE.)

Question 364 (easy, multi select)

A company wants to implement a data perimeter across all AWS accounts to prevent data exfiltration. Which TWO strategies should the company use? (Choose TWO.)

Question 365 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with AWS KMS keys managed by the security team. What is the MOST scalable and maintainable solution?

Question 366 (hard, multiple choice)

A global company uses AWS Organizations with many OUs and accounts. The finance team needs to track costs by cost center, which is tagged on each resource. However, some resources are not tagged. Which solution will provide the MOST accurate cost allocation?

Question 367 (easy, multiple choice)

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. The security team needs to allow a third-party SIEM tool to read these logs from the S3 bucket, but only from a specific VPCE (VPC Endpoint). Which policy should be applied to the S3 bucket?

Question 368 (medium, multiple choice)

A company uses AWS Control Tower to manage a multi-account environment. They want to ensure that all accounts are enrolled in AWS Shield Advanced for DDoS protection. What is the MOST efficient way to achieve this?

Question 369 (hard, multiple choice)

A company has a central networking account that hosts a transit gateway (TGW). Multiple VPCs from various accounts are attached to the TGW. The security team wants to ensure that only specific VPCs can communicate with each other, but all VPCs need access to a shared services VPC. Which configuration should be used?

Question 370 (easy, multiple choice)

A company has a decentralized IT structure where each business unit manages its own AWS account. The central security team needs visibility into all IAM user activities across accounts. What is the MOST scalable solution to aggregate CloudTrail logs?

Question 371 (medium, multi select)

A company uses AWS Organizations with a large number of accounts. The security team needs to enforce that only approved AMIs from a central account can be used to launch EC2 instances in all accounts. Which combination of actions should be taken? (Choose TWO.)

Question 372 (hard, multiple choice)

A company has a multi-account strategy with a dedicated audit account. The audit account needs to have read-only access to all resources in all other accounts. The security team wants to use IAM roles. What is the MOST scalable way to set up this cross-account access?

Question 373 (easy, multiple choice)

A company wants to centralize management of Amazon EC2 instances across multiple AWS accounts. They need to be able to run commands on instances in any account from a central management account. Which service should be used?

Question 374 (medium, multi select)

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no account in the 'Production' OU can disable AWS CloudTrail or delete CloudTrail log files. Which two steps should be taken? (Choose TWO.)

Question 375 (hard, multiple choice)

Refer to the exhibit. An SCP is attached to an OU. A developer in an account under this OU tries to launch a t3.large EC2 instance. What will happen?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "ec2:InstanceType": ["t3.micro", "t3.small", "t3.medium"]
        }
      }
    }
  ]
}

Question 376 (medium, multiple choice)

A company has a multi-account environment with a central security account. They want to use AWS Security Hub to aggregate findings from all accounts. What is the correct setup?

Question 377 (easy, multi select)

A company wants to allow developers to launch EC2 instances, but only with specific instance types and only if the instance has a tag 'CostCenter'. Which IAM policy statement should be applied to the developers' IAM group? (Choose TWO.)

Question 378 (hard, multi select)

A company has a central IT account that manages DNS using Amazon Route 53 Private Hosted Zones. Multiple VPCs from different accounts are associated with the same private hosted zone. The company wants to ensure that only authorized VPCs can resolve records in the zone. Which three steps should be taken? (Choose THREE.)

Question 379 (medium, multiple choice)

Refer to the exhibit. This S3 bucket policy is attached to a bucket in the security account (111111111111). The policy grants access to account 123456789012. A service in account 123456789012 tries to write a log file to s3://my-log-bucket/AWSLogs/123456789012/logfile.txt. What will happen?

Exhibit

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-log-bucket/AWSLogs/*"
    }
  ]
}

Question 380 (medium, multiple choice)

A company wants to centrally manage access to multiple AWS accounts using AWS Organizations. The security team requires that all IAM users and roles be created in a single master account and assume roles in member accounts. Which configuration ensures that cross-account role assumptions are auditable and enforced?

Question 381 (hard, multiple choice)

A multinational corporation is migrating its on-premises Active Directory to AWS Managed Microsoft AD. The company has multiple VPCs in different AWS Regions, and all VPCs must be able to authenticate against the same directory. The directory must be highly available and support automatic failover. What is the MOST operationally efficient solution?

Question 382 (easy, multiple choice)

A company uses AWS Organizations with multiple OUs. The security team wants to enforce that no resources can be created outside of approved AWS Regions. Which policy should be used, and how should it be attached?

Question 383 (medium, multiple choice)

A company has multiple AWS accounts managed via AWS Control Tower. The DevOps team wants to deploy a shared CI/CD pipeline that can deploy applications across all accounts. The pipeline must use the same source repository and artifact store. What is the MOST secure and scalable approach?

Question 384 (hard, multiple choice)

A company is using AWS Organizations with a set of member accounts that need to access a shared Amazon S3 bucket in the master account. The bucket policy allows access only from the member accounts' root user. However, developers in member accounts are unable to access the bucket even when they assume an IAM role. What is the most likely cause?

Question 385 (easy, multiple choice)

A company wants to automate the creation of new AWS accounts and apply baseline security configurations. Which combination of services should be used to achieve this?

Question 386 (hard, multiple choice)

A company has a multi-account strategy with a centralized logging account. All VPC Flow Logs and CloudTrail logs are sent to an S3 bucket in the logging account. The security team needs to analyze these logs using Amazon Athena. Which configuration provides the MOST cost-effective and secure access?

Question 387 (medium, multiple choice)

A company uses AWS Organizations with multiple OUs. The security team wants to ensure that no IAM role in any member account can be assumed by a user from outside the organization. Which policy should be used?

Question 388 (easy, multiple choice)

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts. The company has an existing identity provider (IdP) that supports SAML 2.0. Which AWS service should be used to integrate with the IdP?

Question 389 (medium, multi select)

A company is designing a multi-account architecture using AWS Organizations. The company wants to enforce that all Amazon S3 buckets across all accounts must have server-side encryption (SSE) enabled. Which TWO actions should be taken to enforce this requirement?

Question 390 (hard, multi select)

A company is using AWS Organizations with a centralized networking account that hosts a transit gateway. The company wants to ensure that all traffic between VPCs in different accounts flows through the transit gateway. Which THREE steps are required to implement this architecture?

Question 391 (medium, multi select)

A company is using AWS Control Tower to manage multiple accounts. The security team wants to enforce that all accounts use a specific AWS Region for data storage. Which TWO steps should be taken to enforce this requirement?

Question 392 (easy, multiple choice)

A company has multiple AWS accounts managed through AWS Organizations. The security team wants to enforce that all S3 buckets across all accounts are encrypted with a specific KMS key. What is the MOST efficient way to achieve this?

Question 393 (medium, multiple choice)

A global company uses AWS Organizations with multiple business units. Each business unit has its own OU and VPCs that need to communicate with a central shared services VPC. The network team wants to minimize latency and maximize throughput. Which design should they use?

Question 394 (hard, multiple choice)

A company has a multi-account AWS environment with hundreds of accounts. The security team needs to centrally manage IAM roles for cross-account access. They want to ensure that when a role is created in a member account, it automatically adheres to the principle of least privilege and is auditable. What solution should they implement?

Question 395 (easy, multiple choice)

A company is using AWS Organizations with consolidated billing. They want to track costs by department, where each department has its own AWS account. Which service should they use to tag resources with department IDs and view cost breakdowns?

Question 396 (medium, multiple choice)

A company has multiple AWS accounts and wants to centralize CloudTrail logs from all accounts into a single S3 bucket in the audit account. Which configuration is required?

Question 397 (hard, multiple choice)

A company has a multi-account AWS environment with a central logging account. They want to ensure that all VPC Flow Logs are enabled for every VPC in every account and that the logs are sent to a central S3 bucket. What combination of services should they use to automatically enforce this?

Question 398 (easy, multiple choice)

A company uses AWS Organizations with several OUs for different environments (dev, test, prod). They want to restrict the use of specific EC2 instance types in the prod OU only. Which approach should they use?

Question 399 (medium, multiple choice)

A company has a central IT team that manages AWS Organizations. The development team needs to create and manage their own AWS accounts for new projects. What is the BEST way to automate account creation while maintaining governance?

Question 400 (hard, multiple choice)

A company uses AWS Organizations with hundreds of accounts. They want to centrally manage VPC security group rules to ensure that only approved CIDR ranges are allowed for SSH access. Which solution is MOST scalable and auditable?

Question 401 (medium, multi select)

A company is designing a multi-account strategy for its AWS environment. Which TWO considerations are important when using AWS Organizations?

Question 402 (medium, multi select)

A company wants to implement a least-privilege security model across multiple AWS accounts. Which TWO services can help enforce this?

Question 403 (hard, multi select)

A company has multiple AWS accounts and wants to ensure that all resources are tagged with a cost center tag. Which THREE steps should they take to enforce this?

Question 404 (hard, multiple choice)

Refer to the exhibit. A security engineer applied this bucket policy to an S3 bucket. A developer tries to upload an object using the AWS CLI without specifying any encryption. What is the outcome?

Exhibit

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:123456789012:key/abc123"
                }
            }
        }
    ]
}

Question 405 (medium, multiple choice)

A company has a multi-account AWS environment with over 500 accounts. The security team uses AWS Config to evaluate resource compliance across all accounts. They have set up an AWS Config aggregator in the security account to collect configuration snapshots from all member accounts. Recently, the team noticed that some member accounts are not showing up in the aggregator. The accounts are active and have AWS Config enabled. What should the security team do to troubleshoot this issue?

Question 406 (hard, multiple choice)

A company uses AWS Organizations with a multi-account setup. The central IT team manages a shared services VPC in the network account, which hosts a NAT gateway, a VPN connection to the on-premises network, and a transit gateway. Several application accounts have VPCs attached to the transit gateway. Recently, the application teams report that they cannot reach the on-premises network through the VPN. The network team confirms that the VPN is up and routes are propagated in the transit gateway route tables. However, the application VPCs are not receiving the routes. What is the MOST likely cause?

Question 407 (hard, multiple choice)

A multinational company is implementing a multi-account strategy using AWS Organizations. The security team needs to ensure that all newly created accounts automatically have a specific baseline CloudTrail trail and a set of AWS Config rules applied. The company also wants to enforce that no account can disable these controls. Which solution should be used?

Question 408 (medium, multiple choice)

A company has a centralized logging account and multiple member accounts. The security team wants to enable VPC Flow Logs for all VPCs across all accounts and centralize the logs in the logging account. The solution must be automated and ensure that new VPCs are automatically included. Which approach should be taken?

Question 409 (hard, multiple choice)

A large enterprise is migrating to AWS and wants to implement a multi-account strategy with centralized network connectivity. The company has multiple VPCs in various accounts that need to communicate with each other and with on-premises resources. The solution must be scalable and minimize operational overhead. Which design should be used?

Question 410 (medium, multiple choice)

A company is using AWS Organizations with multiple accounts. The central IT team wants to enforce that all EC2 instances are launched with specific tags (e.g., CostCenter and Environment). The solution should prevent any untagged instances from being created. Which approach should be taken?

Question 411 (easy, multiple choice)

A company wants to centralize management of IAM users and groups across multiple AWS accounts. The solution should allow users to access resources in any account without needing separate credentials. Which AWS service should be used?

Question 412 (hard, multiple choice)

A company is using a multi-account strategy with AWS Organizations. The security team discovers that an SCP intended to block access to non-compliant AWS regions is not working. The SCP is attached to the root OU. When a user in a member account attempts to launch an EC2 instance in a blocked region, the request succeeds. What is the most likely cause?

Question 413 (easy, multiple choice)

A company wants to implement a single sign-on (SSO) solution for its employees to access multiple AWS accounts and business applications. The company uses Microsoft Active Directory on-premises. Which AWS service should be used to integrate with the existing directory?

Question 414 (medium, multiple choice)

A company has multiple AWS accounts and wants to centralize operational data such as cost reports, security findings, and resource inventory. The solution should provide a single pane of glass for the operations team. Which AWS service should be used?

Question 415 (hard, multiple choice)

A company is using AWS Organizations and wants to restrict the use of specific instance types across all accounts. The company wants to allow only T3 and M5 instances. Which SCP should be applied?

Question 416 (medium, multi select)

A company is planning to migrate its on-premises workload to AWS. The workload consists of a stateful web application that requires a static IP address for whitelisting by third-party services. The company will use a multi-AZ deployment. Which TWO services should be used together to meet these requirements?

Question 417 (hard, multi select)

A company is using AWS Organizations with multiple accounts. The security team wants to enforce encryption at rest for all Amazon S3 buckets across the organization. The solution must be automated and should not prevent existing compliant buckets from being used. Which TWO services should be combined to achieve this?

Question 418 (hard, multi select)

A company is implementing a data lake on AWS using Amazon S3 as the storage layer. The data lake must support multiple consumer accounts within the organization. The security team requires that data is encrypted at rest using AWS KMS with customer-managed keys (CMKs) and that access to the keys is strictly controlled. Which THREE steps should be taken to meet these requirements?

Question 419 (hard, multiple choice)

A large e-commerce company uses a multi-account AWS Organizations setup with a central logging account. The company has enabled AWS CloudTrail in all accounts and configured it to deliver logs to a centralized Amazon S3 bucket in the logging account. Recently, the security team noticed that some log files are missing for a period of 2 hours. The CloudTrail console shows that trails are still enabled and delivering to the bucket, but no new log files were created during that time. The team verified that there were API calls made during that period. Which action is most likely to resolve the issue and prevent recurrence?

Question 420 (medium, multiple choice)

A company is migrating a legacy application to AWS. The application requires a static IP address that can be used for whitelisting by third-party partners. The application will be deployed in multiple Availability Zones for high availability. The company wants to use a load balancer to distribute traffic. The solution must provide a single static IP address that does not change even if the underlying instances are replaced. Which combination of services should the company use?

Question 421 (easy, multiple choice)

A company has multiple AWS accounts and wants to centralize the management of security policies. The security team needs to enforce that all IAM users in all accounts must use multi-factor authentication (MFA) to access the AWS Management Console. The solution must be centrally managed and automatically applied to new accounts as they are added. Which approach should be taken?

Question 422 (medium, multiple choice)

A company has multiple AWS accounts managed under AWS Organizations. The security team wants to enforce that all new S3 buckets created in any account are automatically tagged with the cost center and environment (e.g., dev, prod). Which solution should the team implement?

Question 423 (hard, multiple choice)

A global company with 50 AWS accounts uses AWS Organizations and wants to centralize CloudTrail logs. The security team requires that all accounts send their CloudTrail logs to a central S3 bucket in the audit account. Which combination of steps will ensure this?

Question 424 (easy, multiple choice)

A company uses AWS Organizations with multiple OUs. The DevOps team needs to allow developers to launch EC2 instances only of type t3.micro in the dev OU. Which action should the team take?

Question 425 (medium, multiple choice)

A company uses AWS Organizations and has a central IT team that manages VPCs. The team wants to ensure that only authorized accounts can create VPCs, and that all VPCs must have a specific tag. Which solution enforces this?

Question 426 (hard, multiple choice)

A company has a multi-account setup with AWS Organizations. The security team wants to enforce that all IAM users must have MFA enabled. Which approach is most effective?

Question 427 (easy, multiple choice)

A company uses AWS Organizations and wants to centrally manage backups of EC2 instances across multiple accounts. Which service should they use?

Question 428 (medium, multiple choice)

A company uses AWS Organizations with a central logging account. They want to ensure that all VPC Flow Logs from member accounts are published to a central S3 bucket in the logging account. Which steps are required?

Question 429 (hard, multiple choice)

A company has a multi-account AWS environment and uses AWS Organizations. The security team wants to automatically remediate non-compliant resources, such as S3 buckets that are publicly accessible. Which design should they implement?

Question 430 (easy, multiple choice)

A company has multiple AWS accounts and wants to centrally manage CloudWatch dashboards. Which solution should they use?

Question 431 (medium, multi select)

A company uses AWS Organizations with 100 accounts. They want to restrict which AWS services can be used in the development OU. Which TWO steps should they take?

Question 432 (hard, multi select)

A company has a multi-account environment and wants to centralize logging for all AWS API calls. Which TWO services should they use together to achieve this?

Question 433 (medium, multi select)

A company wants to implement a data perimeter to ensure that only authorized accounts can access their S3 buckets. Which TWO steps should they take?

Question 434 (hard, multiple choice)

A company has a multi-account AWS environment with over 500 accounts managed through AWS Organizations. The accounts are organized into OUs by business unit. The security team wants to enforce a policy that all S3 buckets must have server-side encryption enabled (SSE-S3 or SSE-KMS). They also want to automatically remediate any existing non-compliant buckets and prevent creation of new non-compliant buckets. Currently, there is no centralized logging or monitoring. The team has tried using AWS Config rules with auto-remediation, but they found that Config rules are not triggered for buckets created before the rule was enabled, and some teams are creating buckets via AWS CloudFormation that bypass the Config rule evaluation. The team needs a solution that covers all buckets, regardless of creation method or time. What should the team do?

Question 435 (medium, multiple choice)

A company has a multi-account AWS environment with a central security account. They want to enable Amazon GuardDuty in all accounts and centrally view findings. The security team has already enabled GuardDuty in the security account and invited all member accounts. However, the security account is not receiving findings from all member accounts. Upon investigation, some member accounts show that GuardDuty is not enabled, and some show that they have not accepted the invitation. The team needs a scalable solution to enable GuardDuty across all accounts and ensure findings are sent to the security account. What should the team do?

Question 436 (easy, multiple choice)

A company has a multi-account AWS environment with a central networking account that hosts all VPCs and a shared services account that hosts common resources like directory services. The company wants to allow all accounts to use the same VPC for their workloads instead of creating separate VPCs. The security team requires that traffic between accounts is encrypted in transit and that accounts cannot directly access each other's resources without going through the central networking account. The network team proposes using AWS Transit Gateway with inter-region peering and VPC attachments. However, the security team is concerned about compliance with encryption requirements. What should the network team do to meet the requirements?

Question 437 (easy, multi select)

A company is using AWS Organizations with multiple accounts. The security team wants to enforce that all newly created S3 buckets have encryption enabled. Which TWO approaches can achieve this? (Choose TWO.)

Question 438 (medium, multi select)

A company has a consolidated billing setup with AWS Organizations. The finance team needs to track costs at the department level. Each department has its own AWS account. Which THREE steps should be taken to achieve detailed cost allocation? (Choose THREE.)

Question 439 (hard, multi select)

A company uses AWS Organizations with a hierarchical structure of organizational units (OUs). The security team needs to restrict the use of specific AWS services in the development OU. However, the SCP applied at the root level allows all services. Which TWO SCP strategies can restrict services for the development OU without affecting other OUs? (Choose TWO.)

Question 440 (easy, multiple choice)

A company has a decentralized IT structure where each business unit manages its own AWS accounts. The central IT team wants to enforce security policies across all accounts but allow business units to retain administrative control. Which solution should the central IT team implement?

Question 441 (easy, multiple choice)

A company has multiple AWS accounts that are centrally managed using AWS Organizations. The security team requires that all API activity be logged and retained for 7 years. The logs must be stored in a central Amazon S3 bucket that is in the management account. Which solution meets these requirements with the least operational overhead?

Question 442 (hard, multiple choice)

A large enterprise uses AWS Organizations with hundreds of accounts. The central security team needs to enforce that no IAM users are created in any account; instead, all access must be through IAM roles federated with the corporate identity provider. The security team wants to detect any IAM user creation and automatically remediate it by deleting the user and notifying the security team. Which solution should be implemented?

Question 443 (hard, multiple choice)

A company has a multi-account AWS environment with a centralized logging account. The security team wants to ensure that all VPC Flow Logs from all accounts are delivered to a central Amazon S3 bucket in the logging account. The logs must be encrypted at rest using AWS KMS. The company currently uses AWS Organizations. Which solution meets these requirements with the least operational overhead?

Question 444 (medium, multiple choice)

A company has a complex AWS environment with multiple VPCs connected via a transit gateway. The company wants to centrally manage DNS resolution across all VPCs. Currently, each VPC has its own Amazon Route 53 private hosted zone. The company needs a solution that allows resources in any VPC to resolve DNS names from any other VPC's private hosted zone. Which solution should be implemented?

Question 445 (medium, multiple choice)

A company is using AWS Organizations and wants to centralize the management of Amazon EC2 instance security groups. The security team needs to enforce that certain ports are not open to the internet across all accounts. The company currently uses AWS Firewall Manager. Which approach should the security team use to enforce this policy?

Question 446 (hard, multiple choice)

A company has a global AWS environment with multiple VPCs in different regions. The company uses AWS Transit Gateway to connect VPCs in the same region, but they need to interconnect VPCs across regions. The network team wants a solution that provides transitive routing across regions with minimal latency and operational overhead. Which solution should be implemented?

Question 447 (easy, multiple choice)

A company uses AWS Organizations and has a requirement that all Amazon S3 buckets must have versioning enabled. The company wants to automatically enable versioning on any bucket that is created without it. Which solution should be implemented?

Question 448 (medium, multiple choice)

A company has a multi-account AWS environment and wants to centralize the management of IAM roles. The security team needs to ensure that all IAM roles across all accounts trust the same identity provider (IdP) for federated access. The company uses AWS IAM Identity Center (successor to AWS SSO) for user management. Which solution should be implemented?

Question 449 (medium, multiple choice)

A company wants to implement a centralized logging solution for all VPCs in their AWS Organization. They need to capture VPC Flow Logs, AWS CloudTrail logs, and DNS logs, and store them in a central Amazon S3 bucket. The logs must be encrypted with a customer-managed KMS key. Which solution meets these requirements with the least operational overhead?

Question 450 (hard, multiple choice)

A company uses AWS Organizations and has a requirement that all API calls to AWS services must be logged and monitored. The security team wants to create a central CloudWatch dashboard that shows API activity across all accounts. Which solution should be implemented with the least operational overhead?

Question 451 (hard, multiple choice)

A company has a complex AWS environment with multiple accounts and VPCs. The company wants to ensure that all outbound traffic from VPCs goes through a centralized inspection VPC for security monitoring. The company uses AWS Transit Gateway. Which solution should be implemented?

Question 452 (hard, multi select)

A multinational corporation is using AWS Organizations with multiple accounts. The security team needs to enforce that all S3 buckets in the organization have server-side encryption enabled, and any new bucket created without encryption must be automatically remediated. Which TWO steps should the team take to achieve this? (Choose two.)

Question 453 (hard, multiple choice)

A large financial services company uses AWS Organizations with over 200 accounts. The security team has implemented a Service Control Policy (SCP) that denies access to all services except a whitelist that includes Amazon S3, Amazon DynamoDB, AWS Lambda, and Amazon CloudWatch. Recently, the DevOps team reported that they cannot create new EC2 instances in their development account, even though the administrator explicitly attached an IAM policy allowing ec2:RunInstances. The SCP does not explicitly deny EC2. What is the most likely cause of this issue?

Question 454 (medium, multiple choice)

A company has a multi-account AWS environment with a centralized logging account. The security team wants to ensure that all CloudTrail logs from all accounts are delivered to a single S3 bucket in the logging account. The logging account's S3 bucket policy allows CloudTrail to write logs from other accounts. The CloudTrail trail in each account is configured to deliver to the centralized bucket. However, logs from some accounts are not appearing. The security team has verified that the IAM permissions for CloudTrail are correct. What is the most likely reason for the missing logs?

Question 455 (easy, multiple choice)

A company uses AWS Organizations with multiple accounts. The network team wants to centrally manage Amazon VPC IP addresses using Amazon VPC IP Address Manager (IPAM). They have enabled IPAM in the management account and delegated an administrator account. However, the delegated administrator account cannot create IPAM pools. What is the most likely cause?
