Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SAP-C02 Design Solutions for Organizational Complexity Practice Questions

20+ practice questions focused on Design Solutions for Organizational Complexity — one of the most tested topics on the AWS Certified Solutions Architect Professional SAP-C02 exam. Each question includes a detailed explanation so you learn why the right answer is correct.

Sample Design Solutions for Organizational Complexity Questions

1. A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.

Explanation: Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), allowing the security team to trigger remediation or alerts. SCPs alone cannot enforce a specific password policy or enable MFA; they only block actions, so Config rules are needed for detection and enforcement.
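
A sketch of the SCP half of option C, added here as an illustration and not taken from Courseiva or from AWS documentation: it denies account password policy changes and MFA deactivation in member accounts. The exempted role name `EXAMPLE-SecurityBaselineRole` is a placeholder assumption for whatever automation sets the approved password policy in the first place.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyPasswordPolicyChanges",
      "Effect": "Deny",
      "Action": [
        "iam:UpdateAccountPasswordPolicy",
        "iam:DeleteAccountPasswordPolicy"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/EXAMPLE-SecurityBaselineRole"
        }
      }
    },
    {
      "Sid": "DenyMfaDeactivation",
      "Effect": "Deny",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/EXAMPLE-SecurityBaselineRole"
        }
      }
    }
  ]
}
```

The detection half maps to the AWS Config managed rules `iam-password-policy` and `iam-user-mfa-enabled`. SCPs do not apply to the organization's management account, so that account needs its own controls.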

2. A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A. Use a VPN connection from each application VPC to the shared VPC.
B. Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.
C. Use VPC peering between the shared VPC and each application VPC.
D. Create IAM roles in each application account that allow the networking team to create VPC attachments.

Explanation: AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource-based policies to grant access only to designated accounts, and scalable because it avoids the administrative overhead of managing individual VPNs or VPC peering connections as the number of application VPCs grows.

3. A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

A. Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.
B. Create an AWS Config rule in each account to enable CloudTrail if it is disabled.
C. Use an SCP to require CloudTrail to be enabled in each account.
D. Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization.

Explanation: AWS Control Tower provides an integrated CloudTrail setup that automatically creates and manages a central trail for all accounts in the organization. This trail is deployed using AWS CloudFormation StackSets and delivers logs to a centralized S3 bucket, ensuring compliance without manual intervention or custom automation. This is the best approach because it is native, fully managed, and aligns with Control Tower's governance model.

4. A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

A. The S3 bucket has a lifecycle policy that deletes logs after a short period.
B. The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
C. The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
D. The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.

Explanation: Option C is correct because the S3 bucket policy likely includes a condition that restricts access to only AWS service principals (e.g., the logging account's own services) rather than individual IAM users or roles from other accounts. Even with read-only access granted to the analyst's IAM user or role, the bucket policy's explicit deny for non-service principals overrides any allow, preventing the analyst from accessing the logs. This is a common cross-account access issue where bucket policies must explicitly allow principals from other accounts.

5. A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

A. An SCP that allows only read-only billing actions.
B. An SCP that denies all billing-related actions except read-only.
C. An IAM policy attached to the root OU that denies billing modifications.
D. An SCP that denies the effect of actions that modify billing preferences.

Explanation: Option D is correct because a Service Control Policy (SCP) attached to the root OU can deny the effect of actions that modify billing preferences across all accounts in the organization. SCPs are the only mechanism that can restrict permissions for all principals (including the root user) in member accounts, and by using a Deny effect on specific billing modification actions, the security team ensures no IAM user or role can alter billing settings. This approach does not require enumerating every allowed read-only action, which avoids the risk of missing future read-only actions.

How to master Design Solutions for Organizational Complexity for SAP-C02

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Design Solutions for Organizational Complexity. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Design Solutions for Organizational Complexity questions on the SAP-C02 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SAP-C02 Design Solutions for Organizational Complexity questions are on the real exam?

The exact number varies per candidate. Design Solutions for Organizational Complexity is tested as part of the AWS Certified Solutions Architect Professional SAP-C02 blueprint. Practicing with targeted Design Solutions for Organizational Complexity questions ensures you can handle any format or difficulty that appears.

Are these SAP-C02 Design Solutions for Organizational Complexity practice questions free?

Yes. Courseiva provides free SAP-C02 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Design Solutions for Organizational Complexity one of the harder SAP-C02 topics?

Difficulty is subjective, but Design Solutions for Organizational Complexity is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

Topic Info

Topic: Design Solutions for Organizational Complexity
Exam: SAP-C02
Questions available: 20+