Sample questions
AWS Certified Solutions Architect Professional SAP-C02 practice questions
Match each AWS compute service to its use case.
- Serverless compute for event-driven applications
- Run Docker containers without managing servers
- Managed Kubernetes for container orchestration
- Serverless compute for containers
- Virtual servers for full control over the environment
A company is designing a new microservices architecture on AWS. They need a solution for service discovery that allows services to register themselves and discover other services dynamically. The solution must be highly available and integrated with AWS-native services. Which AWS service should they use?
- A. Amazon ECS Service Discovery
  Why wrong: ECS Service Discovery is built on AWS Cloud Map; Cloud Map is the recommended service for this use case.
- B. Application Load Balancer (ALB)
  Why wrong: ALB distributes traffic but does not provide service discovery for multiple service types.
- C. AWS Cloud Map
  Correct: Cloud Map is a service discovery service that allows resources to register and discover each other, with health checks.
- D. Amazon Route 53 private hosted zones
  Why wrong: Route 53 private hosted zones provide DNS resolution but not automatic service registration or health-based deregistration.
A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?
- A. Convert the logs to Parquet format using AWS Glue and store them in the same bucket.
  Why wrong: Parquet is good but partitioning is more impactful for recent data.
- B. Use S3 lifecycle policies to transition logs to S3 Glacier after 7 days and query with Athena.
  Why wrong: Glacier is not directly queryable by Athena.
- C. Partition the S3 bucket by date (e.g., year/month/day) and use Athena partition projection.
  Correct: Partitioning reduces data scanned.
- D. Use Athena with federated query to scan logs directly from the application accounts.
  Why wrong: Cross-account queries add complexity and latency.
A company is implementing AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts in the organization follow the principle of least privilege for IAM roles. Which TWO actions should the team take?
- A. Apply service control policies (SCPs) to deny the creation of IAM roles with overly broad permissions, such as 'Action: *' and 'Resource: *'.
  Correct: SCPs enforce preventive controls at the organization level.
- B. Use AWS CloudTrail to monitor IAM role creation and alert when roles with broad permissions are created.
  Why wrong: This is detective, not preventive.
- C. Enable IAM Access Analyzer to review and identify IAM roles that grant permissions to external principals or have unused permissions.
  Correct: Access Analyzer helps identify overly permissive roles.
- D. Use AWS IAM Roles Anywhere to manage temporary credentials for workloads outside AWS.
  Why wrong: This is for external workloads, not least privilege.
- E. Enable AWS Resource Access Manager to share resources only with trusted accounts.
  Why wrong: RAM is for resource sharing, not IAM roles.
A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?
- A. Use AWS PrivateLink to connect each VPC to the security VPC via interface endpoints.
  Why wrong: PrivateLink is for services, not for routing all traffic.
- B. Set up AWS Direct Connect gateway and route all traffic through the security account.
  Why wrong: Direct Connect is for on-premises, not inter-VPC.
- C. Create VPC peering connections between each VPC and the security VPC, then configure route tables to route traffic through the firewall.
  Why wrong: Complex and scales poorly.
- D. Use AWS Transit Gateway with a central appliance VPC, and configure route tables to send traffic to the firewall for inspection.
  Correct: Centrally managed and scales well.
A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?
- A. The management account must have an IAM role (StackSetsAdminRole) with permissions to create stack instances in member accounts.
  Correct: This is the admin role that assumes the execution role in member accounts.
- B. The management account must have an AWS Organizations SCP that allows CloudFormation StackSets operations.
  Why wrong: SCPs are not required for StackSets; the necessary permissions are handled by IAM.
- C. The execution role in member accounts must have permissions to create the resources defined in the CloudFormation template (e.g., VPC, subnets).
  Correct: The execution role needs permissions to actually create the resources.
- D. Each member account must have a self-managed IAM role named 'AWSCloudFormationStackSetExecutionRole' with a trust policy allowing the management account to assume it.
  Why wrong: Self-managed roles are not required; StackSets can use service-managed permissions with automatic role creation.
- E. The management account must have permission to assume the execution role in member accounts (via IAM trust policy).
  Correct: The admin role must be trusted by the execution role.
A company is designing a new microservices architecture on AWS. Each microservice must be independently deployable and scalable. The company expects unpredictable traffic patterns with sudden spikes. Which combination of AWS services should be used to build a decoupled, resilient system?
- A. Use Amazon API Gateway, AWS Lambda, Amazon SQS, Amazon DynamoDB, and Amazon CloudWatch.
  Correct: This option provides serverless, decoupled, and scalable components ideal for unpredictable spikes.
- B. Use Application Load Balancer, Amazon EC2 Auto Scaling, Amazon SQS, and Amazon RDS.
  Why wrong: EC2 Auto Scaling has slower response to sudden spikes compared to serverless options.
- C. Use Amazon API Gateway, AWS Lambda, Amazon Kinesis Data Streams, and Amazon DynamoDB.
  Why wrong: Kinesis is for streaming, not request-response; it adds unnecessary complexity.
- D. Use Application Load Balancer, Amazon ECS with Fargate, Amazon SQS, and Amazon RDS with read replicas.
  Why wrong: RDS may become a bottleneck under unpredictable spikes; DynamoDB is more suitable.
A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The company wants to reduce operational overhead and achieve high availability. Which database strategy should the company adopt for the microservices?
- A. Use Amazon RDS Proxy with a single database
  Why wrong: RDS Proxy does not address the shared database coupling.
- B. Use a separate Amazon RDS instance for each microservice
  Correct: Database-per-service pattern ensures loose coupling.
- C. Use Amazon DynamoDB for all microservices
  Why wrong: DynamoDB may not support complex relational queries.
- D. Use a single Amazon RDS instance shared across all microservices
  Why wrong: Shared database creates tight coupling and scaling issues.
A company is designing a microservices architecture on Amazon ECS with AWS Fargate. The services need to communicate with each other using HTTP APIs. The company wants to minimize operational overhead and enable canary deployments. Which solution should the company use for service discovery and traffic routing?
- A. Use Amazon API Gateway with VPC Link
  Why wrong: API Gateway is for external APIs, not internal service-to-service communication.
- B. Use an Application Load Balancer with target groups per service
  Why wrong: ALB does not natively support canary deployments between services.
- C. Use Amazon Route 53 with weighted routing policies
  Why wrong: Route 53 is DNS-level, not suitable for fine-grained traffic splitting.
- D. Use AWS App Mesh with Envoy sidecars
  Correct: App Mesh provides traffic splitting and observability for canary deployments.
A company is designing a new application that will process sensitive financial data. They need to ensure encryption at rest and in transit. Which of the following should they use? (Select TWO.)
- A. TLS for all data in transit
  Correct: TLS encrypts data in transit.
- B. AWS Certificate Manager (ACM) for all encryption
  Why wrong: ACM provides certificates, not encryption at rest.
- C. SSL certificates for all connections
  Why wrong: TLS is the modern standard; SSL is deprecated.
- D. AWS Key Management Service (KMS) for encryption at rest
  Correct: KMS manages encryption keys for at-rest encryption.
- E. AWS Identity and Access Management (IAM) for data encryption
  Why wrong: IAM controls access, not encryption.
A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?
- A. Create a read replica of the RDS instance and modify the application connection string to use the reader endpoint.
  Correct: Read replicas offload read traffic and the reader endpoint distributes reads.
- B. Migrate the application to use Amazon DynamoDB with global tables.
  Why wrong: This requires significant application changes.
- C. Use Amazon RDS Multi-AZ with a standby instance for read traffic.
  Why wrong: Multi-AZ standby is not used for read traffic.
- D. Implement Amazon ElastiCache in front of the database to cache read queries.
  Why wrong: ElastiCache requires application changes to implement caching logic.
A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all Amazon S3 buckets across the organization are encrypted at rest. Which TWO steps should the security team take to enforce this requirement?
- A. Create an AWS Config rule that checks for S3 bucket default encryption and auto-remediates using SSM Automation.
  Correct: Config rules can enforce and remediate non-compliant resources.
- B. Create a service control policy (SCP) that denies s3:PutObject unless the x-amz-server-side-encryption header is present.
  Correct: SCPs can deny actions that do not meet conditions.
- C. Use Amazon GuardDuty to monitor S3 data access patterns.
  Why wrong: GuardDuty is for threat detection, not encryption enforcement.
- D. Create an IAM role with permissions to encrypt S3 buckets and assign it to all users.
  Why wrong: This does not enforce encryption; users can still choose not to use the role.
- E. Enable AWS CloudTrail to log all S3 API calls.
  Why wrong: Logging does not enforce encryption.
A company is using an AWS Lambda function to process records from an Amazon Kinesis stream. The function stores results in an Amazon DynamoDB table. The team notices that the Lambda function sometimes fails due to throttling from DynamoDB. Which TWO actions should the team take to improve the continuous processing of records? (Choose TWO.)
- A. Increase the number of shards in the Kinesis stream to reduce data per Lambda invocation.
  Why wrong: This does not address DynamoDB throttling.
- B. Configure reserved concurrency for the Lambda function to limit its maximum concurrency.
  Why wrong: Reserved concurrency limits Lambda, not DynamoDB throttling.
- C. Increase the concurrency limit for the Lambda function to allow more parallel executions.
  Why wrong: More concurrency may increase throttling.
- D. Switch the DynamoDB table to on-demand capacity mode.
  Correct: On-demand mode eliminates throttling by scaling automatically.
- E. Enable DynamoDB auto scaling for the table to adjust read/write capacity automatically.
  Correct: Auto scaling adjusts capacity to handle load, reducing throttling.
A company is migrating a multi-tier application to AWS and wants to modernize by using containers and serverless technologies. The application consists of a Node.js frontend, a Java backend, and a PostgreSQL database. The company wants to reduce operational overhead and improve scalability. Which TWO strategies should the company use? (Choose two.)
- A. Refactor the Node.js frontend to run on AWS Lambda with Amazon API Gateway
  Why wrong: Lambda is suitable for Node.js, but the question asks for TWO strategies; the Java backend and database are better candidates for modernization.
- B. Migrate the database to Amazon RDS for PostgreSQL
  Correct: RDS reduces operational overhead compared to managing PostgreSQL on EC2.
- C. Migrate the database to Amazon DynamoDB
  Why wrong: DynamoDB is NoSQL and would require application changes.
- D. Deploy the Java backend on Amazon ECS with AWS Fargate
  Correct: Fargate eliminates server management for containers.
- E. Deploy the Java backend on Amazon EC2 with Auto Scaling
  Why wrong: EC2 requires managing servers; not as modernized as Fargate.
A company is migrating a monolithic .NET application to AWS. The application uses a SQL Server database with complex stored procedures and tightly coupled components. The migration team wants to minimize refactoring and reduce licensing costs. Which migration strategy should the team use?
- A. Refactor the application to .NET Core and use Amazon RDS for MySQL to eliminate Windows licensing.
  Why wrong: Refactoring is significant and MySQL may not support all stored procedures.
- B. Rehost the application on Amazon EC2 and the database on EC2 with SQL Server using Bring Your Own License (BYOL).
  Correct: This minimizes changes and leverages existing licenses.
- C. Rearchitect the application to microservices and use Amazon DynamoDB for the database.
  Why wrong: Rearchitecting is too disruptive for minimizing refactoring.
- D. Replatform the database to Amazon Aurora with PostgreSQL compatibility to reduce licensing costs.
  Why wrong: Aurora PostgreSQL would require rewriting stored procedures and may not be compatible.
A company is migrating a critical application to AWS and wants to ensure business continuity during the cutover. The migration plan includes a pilot light strategy. Which of the following BEST describes the pilot light pattern?
- A. Take regular backups and restore them in AWS during cutover.
  Why wrong: This is backup and restore, not pilot light.
- B. Run a scaled-down but fully functional version of the environment in AWS at all times.
  Why wrong: This describes warm standby.
- C. Replicate data to AWS and run a minimal version of the application that can be scaled up during cutover.
  Correct: This is the definition of pilot light.
- D. Run the application simultaneously in both environments and route traffic to both.
  Why wrong: This describes multi-site active-active.
A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?
- A. The S3 bucket has a lifecycle policy that deletes logs after a short period.
  Why wrong: Lifecycle policies do not affect access permissions.
- B. The S3 bucket has a bucket policy that requires the analyst to assume a role in the logging account.
  Why wrong: The analyst already has read-only access; assuming a role may not be necessary.
- C. The S3 bucket policy includes a condition that only allows access from the logging account's AWS service principals, not from individual IAM users.
  Correct: The bucket policy likely restricts access to the logging account's role, so the analyst's direct access is denied.
- D. The S3 bucket is encrypted with an AWS KMS key, and the analyst does not have permissions to decrypt.
  Why wrong: The question does not mention encryption; this is not the most likely cause.
A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?
- A. Use a VPN connection from each application VPC to the shared VPC.
  Why wrong: VPN is more complex and has bandwidth limitations.
- B. Use AWS Resource Access Manager to share the Transit Gateway with the application accounts.
  Correct: RAM allows sharing the Transit Gateway, and the networking team can accept or reject attachments via RAM.
- C. Use VPC peering between the shared VPC and each application VPC.
  Why wrong: VPC peering is not transitive and does not scale to many VPCs.
- D. Create IAM roles in each application account that allow the networking team to create VPC attachments.
  Why wrong: This would give the networking team excessive privileges and is not scalable.
A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?
- A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
  Why wrong: SCPs cannot enforce a password policy or require MFA; they only deny or allow actions.
- B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
  Why wrong: AWS Config rules can detect but not remediate automatically unless combined with custom automation.
- C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users.
  Correct: SCPs can block actions that modify the password policy or deactivate MFA, and AWS Config can detect non-compliant users.
- D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.
  Why wrong: CloudTrail logs but does not enforce or remediate.
A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?
- A. Create an SCP that denies the ec2:RunInstances action for specific instance types.
  Correct: SCPs can deny actions based on condition keys like ec2:InstanceType.
- B. Use AWS Config rules to detect non-compliant instance types and automatically terminate them using AWS Systems Manager Automation.
  Correct: AWS Config can detect and auto-remediate.
- C. Use AWS CloudTrail to monitor launches of prohibited instance types and automatically terminate them.
  Why wrong: CloudTrail logs but does not enforce.
- D. Use Service Quotas to restrict the number of instances of specific types.
  Why wrong: Service Quotas limit the count, not the type.
- E. Create an IAM policy in each account that denies the specified instance types.
  Why wrong: IAM policies are not automatically inherited; this would require per-account setup.
A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?
- A. Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.
  Why wrong: Lambda is possible but not the best practice; Control Tower already provides this.
- B. Create an AWS Config rule in each account to enable CloudTrail if it is disabled.
  Why wrong: Config rules can detect but not automatically enable; custom remediation is needed.
- C. Use an SCP to require CloudTrail to be enabled in each account.
  Why wrong: SCPs can only deny or allow actions, not enable services.
- D. Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization.
  Correct: Control Tower automatically sets up a CloudTrail trail in the management account that logs all accounts.
Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?
Exhibit:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

- A. The condition uses 'BoolIfExists' instead of 'Bool', which causes the policy to fail when the key is present.
  Why wrong: BoolIfExists works correctly; it returns true if the key exists and is true.
- B. The role requires MFA, but the user's MFA device is not configured correctly.
  Why wrong: The question states MFA is enabled and the token is passed.
- C. The user is not passing the MFA serial number and token code in the assume-role API call.
  Correct: Even if MFA is enabled, the user must provide the serial number and token code in the STS AssumeRole call.
- D. The principal is set to the root account, which does not allow IAM users to assume the role.
  Why wrong: The root account principal allows any IAM user from that account.
A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?
- A. An SCP that allows only read-only billing actions.
  Why wrong: SCPs cannot allow actions; they only deny or allow by default.
- B. An SCP that denies all billing-related actions except read-only.
  Why wrong: This would deny read access as well.
- C. An IAM policy attached to the root OU that denies billing modifications.
  Why wrong: IAM policies cannot be attached to OUs; they are attached to users/groups/roles.
- D. An SCP that denies the effect of actions that modify billing preferences.
  Correct: An SCP can deny actions like 'aws-portal:ModifyAccount' and 'aws-portal:ModifyBilling'.
A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?
- A. Use AWS CloudFormation StackSets with a stack that includes an AWS::GuardDuty::Detector resource, and apply it to the organization root OU.
  Correct: StackSets automate deployment across accounts; the resource creates the detector.
- B. Use AWS Service Catalog to publish a GuardDuty product and require account owners to launch it.
  Why wrong: Requires manual action per account.
- C. Use an SCP that denies guardduty:DeleteDetector and guardduty:UpdateDetector actions, then have each account administrator manually enable GuardDuty.
  Why wrong: The manual step is not automated.
- D. Use AWS Config rules to detect accounts without GuardDuty enabled and trigger a Lambda function to enable it.
  Why wrong: Reactive, not proactive.