AWS Certified Solutions Architect Professional (SAP-C02) — Questions 1726 to 1746

1746 questions total · 24 pages · All types, answers revealed

Page 24 of 24

1726
MCQ (medium)

A company is designing a data lake solution on Amazon S3. Data is ingested from multiple sources and stored in a raw bucket. The data must be processed and transformed before being moved to a curated bucket. The processing logic is complex and includes conditional transformations. Which service should be used to orchestrate the transformation pipeline?

A. AWS Data Pipeline
B. AWS Step Functions
C. AWS Lambda functions
D. AWS Glue ETL jobs
Answer: B

Step Functions can orchestrate complex workflows with conditional branching.

Why this answer

AWS Step Functions is the correct choice because it is designed to orchestrate complex, multi-step workflows with conditional branching, retries, and error handling. It can coordinate AWS Lambda functions, AWS Glue jobs, and other services to process and transform data from a raw S3 bucket to a curated bucket, making it ideal for a transformation pipeline with complex logic.

Exam trap

The trap here is that candidates often confuse AWS Glue ETL jobs as an orchestration tool because it can transform data, but Glue is a processing engine, not a workflow orchestrator; Step Functions is the correct service for coordinating complex, conditional pipelines.

How to eliminate wrong answers

Option A is wrong because AWS Data Pipeline is a legacy service for moving data between sources and destinations, but it lacks native support for complex conditional transformations and is not as flexible as Step Functions for orchestrating custom processing logic. Option C is wrong because AWS Lambda functions are stateless and have a maximum execution timeout of 15 minutes, making them unsuitable for orchestrating long-running or multi-step transformation pipelines; they are better suited for individual processing tasks within the workflow. Option D is wrong because AWS Glue ETL jobs are designed for batch data transformation using Apache Spark, but they are not an orchestration service; they would be a component orchestrated by Step Functions, not the orchestrator itself.

1727
MCQ (hard)

A company has a multi-account architecture with a central networking account that hosts a Transit Gateway. Each workload account has VPCs attached to the Transit Gateway. The company wants to centrally manage DNS resolution across all VPCs using Route 53 Resolver. They create a Route 53 Resolver outbound endpoint in the networking account and associate it with the workload VPCs via RAM. However, workload accounts cannot resolve on-premises hostnames. What is the missing configuration?

A. Establish VPC peering between the workload VPCs and the networking account VPC.
B. Create a Route 53 private hosted zone in the networking account and associate it with the workload VPCs.
C. Create a Route 53 Resolver inbound endpoint in the networking account.
D. Create a Route 53 Resolver rule in each workload account that forwards queries for the on-premises domain to the outbound endpoint.
Answer: D

Resolver rules determine how DNS queries are forwarded.

Why this answer

Option D is correct because the workload VPCs need a Resolver rule that forwards DNS queries for the on-premises domain to the outbound endpoint. Option C is wrong because an inbound endpoint is for on-premises resolvers to resolve AWS resources, not the other way around. Option B is wrong because a private hosted zone is not directly related to forwarding queries on-premises.

Option A is wrong because VPC peering is not required when using Transit Gateway.

1728
Multi-Select (hard)

A company has a multi-account AWS environment and wants to enforce that all IAM roles in member accounts must include a specific tag (e.g., CostCenter). Which THREE steps should be taken to enforce this policy using AWS Organizations?

Select 3 answers
A. Create an IAM policy in each account that requires tags on role creation
B. Set up AWS Budgets to alert on untagged roles
C. Attach the SCP to the root organizational unit to apply it to all accounts
D. Create a service control policy (SCP) that denies iam:CreateRole if the request does not include the required tag
E. Use AWS Config rules to detect roles missing the tag and trigger automatic remediation
Answers: C, D, E

Attaching to root ensures all accounts are covered.

Why this answer

Option C is correct because AWS Organizations allows you to attach a service control policy (SCP) to the root organizational unit (OU), which applies the policy to all member accounts in the organization. This ensures that the tag enforcement is centrally managed and cannot be bypassed by individual account administrators, as SCPs set permission boundaries that override IAM policies.

Exam trap

The trap here is that candidates often confuse AWS Budgets (a cost alerting tool) with a governance enforcement mechanism, or think that per-account IAM policies are sufficient for centralized control, missing the fact that SCPs are the only way to enforce organization-wide guardrails that cannot be overridden by account administrators.

1729
MCQ (hard)

A company is migrating a legacy on-premises web application to AWS. The application consists of a stateless web tier and a stateful application tier that stores session data in memory. The company wants to achieve high availability and elasticity. The migration must minimize code changes. The solutions architect proposes using an Application Load Balancer (ALB) with sticky sessions and an Auto Scaling group for the web tier. For the application tier, they plan to use an ALB with sticky sessions and an Auto Scaling group. During testing, users report that they are unexpectedly logged out and lose session data. The application logs show that requests from the same user are being sent to different instances. Which change should the solutions architect make to resolve this issue?

A. Disable sticky sessions and use a Network Load Balancer instead.
B. Migrate session state to Amazon ElastiCache for Redis.
C. Verify that the ALB stickiness configuration is enabled and the cookie duration is appropriate.
D. Disable cross-zone load balancing on the ALB.
Answer: C

Ensures sticky sessions work correctly.

Why this answer

Sticky sessions rely on the ALB cookie. If the cookie is not set or is not being sent back, the load balancer cannot maintain session affinity. Checking the ALB stickiness configuration ensures that the duration and cookie settings are correct.

Option B is wrong because moving sessions to ElastiCache requires code changes, which the company wants to minimize. Option D is wrong because cross-zone load balancing distributes traffic evenly across Availability Zones but does not affect stickiness. Option A is wrong because disabling stickiness would worsen the problem.

1730
MCQ (easy)

A company is planning to migrate a web application to AWS. The application currently runs on a single on-premises server with a few thousand users. The company wants to use a managed container service and minimize operational overhead. Which AWS service should the company use to run the application?

A. Amazon EKS
B. AWS Lambda
C. Amazon EC2
D. Amazon ECS with AWS Fargate
Answer: D

Fargate is serverless and reduces operational overhead.

Why this answer

Option D is correct because Amazon ECS with Fargate is serverless and fully managed. Option C is wrong because EC2 requires manual management of the instances. Option A is wrong because EKS is Kubernetes-based and more complex to operate.

Option B is wrong because Lambda is for short-running functions.

1731
MCQ (hard)

A company is migrating a 10 TB Oracle database to Amazon Aurora PostgreSQL. The database is business-critical and must have minimal downtime. The company has set up AWS DMS with ongoing replication from the source. During the migration, the company notices that DMS is failing with an error indicating insufficient memory. What should the company do to resolve this issue and complete the migration?

A. Increase the memory on the source Oracle database
B. Increase the instance class of the DMS replication instance
C. Change the DMS task to use change data capture (CDC) only and skip the full load
D. Split the migration into multiple smaller tasks
Answer: B

DMS replication instance memory is insufficient; upgrading the instance class resolves the issue.

Why this answer

AWS DMS replication instances have finite memory allocated to cache changes during ongoing replication (CDC). When the volume of cached changes exceeds the instance's memory, DMS fails with an insufficient memory error. Increasing the instance class of the DMS replication instance (Option B) provides more memory to handle the cache, resolving the error without disrupting the migration.

Exam trap

The trap here is that candidates may think the error is on the source database (Option A) or that splitting tasks (Option D) solves memory issues, but DMS's memory error is specific to the replication instance's capacity, not the source or task granularity.

How to eliminate wrong answers

Option A is wrong because the source Oracle database's memory is unrelated to DMS's internal caching; DMS runs on its own replication instance, not on the source. Option C is wrong because skipping the full load would leave the target database empty, defeating the purpose of migration; CDC alone cannot populate the initial schema and data. Option D is wrong because splitting into multiple tasks does not increase the memory available to any single task; each task still runs on the same replication instance and would encounter the same memory limit.

1732
MCQ (hard)

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

A. Use AWS Service Catalog to provide a password policy product and require account owners to launch it.
B. Use an SCP to deny the iam:UpdateAccountPasswordPolicy action and deploy a password policy using CloudFormation StackSets.
C. Use an SCP to deny the iam:CreateUser action unless the request includes a condition that the password policy meets the requirement.
D. Use AWS Config rules to detect accounts without the required password policy and auto-remediate with a Lambda function.
Answer: B

Prevents changes to the policy and enforces a compliant policy.

Why this answer

Option B is correct because an SCP can deny the iam:UpdateAccountPasswordPolicy action, preventing member accounts from altering the password policy, while CloudFormation StackSets can deploy a compliant password policy across all member accounts automatically. This combination provides a preventive control that enforces the minimum 14-character requirement without relying on user action or reactive detection.

Exam trap

The trap here is that candidates often choose a detective/reactive solution (like AWS Config with auto-remediation) because it seems automated, but the question explicitly asks for a preventive control that is enforced automatically, which requires blocking the ability to change the policy (SCP) and proactively applying the correct policy (StackSets).

How to eliminate wrong answers

Option A is wrong because AWS Service Catalog requires account owners to manually launch the product, which is not automatic and does not prevent non-compliance if they skip it. Option C is wrong because SCPs cannot conditionally deny iam:CreateUser based on password policy requirements; password policy is an account-level setting, not a per-user request parameter, and the iam:CreateUser action does not support such a condition key. Option D is wrong because AWS Config rules are detective and reactive, not preventive; they detect non-compliance after the fact and auto-remediation via Lambda is still a corrective action, not an automatic preventive enforcement.

1733
MCQ (hard)

Refer to the exhibit. A company attached the above SCP to an OU in AWS Organizations. The SCP is intended to allow only t3.micro and t3.small EC2 instances. However, users in accounts within that OU are still able to launch other instance types. What is the most likely reason?

A. The SCP syntax is invalid because it uses StringNotEquals
B. The SCP must also allow the allowed instance types in a separate statement
C. The SCP does not include an Allow statement for the allowed instance types
D. The SCP is not attached to the correct OU or root
Answer: D

If the SCP is not attached to the OU containing the accounts, it will not take effect.

Why this answer

The SCP denies RunInstances only when the instance type is not t3.micro or t3.small, and the statement applies only to the instance resource (arn:aws:ec2:*:*:instance/*). RunInstances also requires permissions on other resources such as images and network interfaces, so if the SCP does not cover those resources the condition may not be evaluated as intended and the action might not be denied.

Alternatively, the SCP might not be attached to the correct OU, or an allow SCP might be overriding it. The most common issue, and the correct answer here (Option D), is that the SCP is not attached to the OU or root that contains the accounts. Option B is wrong because SCPs do not need to allow actions explicitly; they are deny-only.

Option A is wrong because the syntax is correct. Option C is wrong because SCPs do not require an Allow statement to work.

1734
MCQ (medium)

A company uses AWS Control Tower to manage a multi-account environment. They need to deploy a custom CloudFormation template to all accounts in a specific organizational unit (OU) whenever a new account is added. What should they use?

A. Use AWS Service Catalog portfolio to share templates.
B. Use AWS Lambda with lifecycle hooks in AWS CloudFormation.
C. Use AWS CloudFormation StackSets and manually trigger them for new accounts.
D. Use AWS Control Tower Account Factory Customization (AFC).
Answer: D

AFC automatically deploys custom templates to new accounts.

Why this answer

Option D is correct because Account Factory Customization (AFC) in Control Tower allows automatic deployment of custom templates when new accounts are provisioned. Option C is wrong because manually triggered StackSets require manual invocation for each new account. Option A is wrong because Service Catalog does not automate deployment.

Option B is wrong because lifecycle hooks are not part of Control Tower.

1735
MCQ (hard)

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The architecture must handle sudden spikes in traffic without losing events. Which configuration ensures the highest reliability?

A. Increase the SQS visibility timeout to 30 minutes.
B. Use DynamoDB on-demand capacity mode.
C. Configure an SQS dead-letter queue for failed messages.
D. Set Lambda reserved concurrency to a low value to control costs.
Answer: C

DLQ captures messages that cannot be processed, ensuring no data loss.

Why this answer

Option C is correct because enabling a dead-letter queue (DLQ) on SQS captures messages that fail processing, preventing loss. Option D is wrong because a low reserved concurrency limits throughput during spikes.

Increasing maxBatchingWindow only increases latency, and provisioned capacity may not handle spikes efficiently.

1736
MCQ (hard)

A global e-commerce company uses AWS Organizations with over 500 accounts. They have a central security account that aggregates CloudTrail logs and VPC Flow Logs from all accounts. The security team needs to analyze these logs using Amazon Athena and visualize the results in Amazon QuickSight. The logs are stored in an S3 bucket in the security account, and each member account writes its own prefix. The current setup uses a bucket policy to allow member accounts to write logs. Recently, the security team has been unable to query logs for the past week. They suspect the issue is related to a new SCP that was applied to the root. The SCP denies s3:PutObject unless the request includes a specific tag. Which action should the security team take to restore log delivery without compromising security?

A. Remove the SCP from the root.
B. Modify the bucket policy to allow s3:PutObject without tags.
C. Modify the SCP to allow s3:PutObject for the CloudTrail and VPC Flow Logs service principals without requiring the tag.
D. Create a new S3 bucket without the tag requirement and reconfigure logging to use that bucket.
Answer: C

This allows the logging services to write logs while still requiring tags for other PutObject calls.

Why this answer

The SCP denies s3:PutObject unless the request includes a specific tag. CloudTrail and VPC Flow Logs do not automatically include tags. The solution is to modify the SCP to allow the necessary services even without the tag.

Option C allows the services to bypass the tag requirement.

1737
MCQ (hard)

A company wants to implement a least-privilege permission model across all AWS accounts. The security team needs to ensure that no IAM user has full administrator access. However, the operations team occasionally needs emergency access. Which solution meets these requirements?

A. Configure AWS IAM Identity Center with permission sets that grant temporary elevated access, and require approval for emergency access.
B. Use an SCP that denies all IAM actions except those from a specific admin account.
C. Use an IAM password policy that requires multi-factor authentication for all users.
D. Create an IAM role in each account with full administrator access and use a break-glass process to assume it.
Answer: A

IAM Identity Center allows time-limited, auditable access elevation.

Why this answer

AWS IAM Identity Center (formerly AWS SSO) allows you to define permission sets that grant temporary, scoped access to AWS accounts. By requiring approval for emergency access, you enforce a least-privilege model while still providing a controlled break-glass mechanism. This avoids permanent admin rights and ensures all elevated access is auditable and time-limited.

Exam trap

The trap here is that candidates often confuse a static IAM role with a break-glass process (Option D) as sufficient for least privilege, but they overlook that without temporary credentials and approval workflows, the role grants persistent full admin access to anyone who can assume it, violating the least-privilege principle.

How to eliminate wrong answers

Option B is wrong because an SCP that denies all IAM actions except from a specific admin account would block the operations team from assuming any role or performing IAM operations, including the emergency access they need, and does not provide a temporary elevation mechanism. Option C is wrong because an IAM password policy requiring MFA only controls password-based authentication for IAM users; it does not prevent a user from having full administrator access or provide a way to grant temporary elevated permissions. Option D is wrong because creating an IAM role with full administrator access in each account and using a break-glass process to assume it does not enforce least privilege—it grants permanent full admin access to anyone who can assume the role, and the 'break-glass' process is not inherently controlled or audited without additional mechanisms like approval workflows.

1738
MCQ (easy)

A company uses AWS CloudFormation to manage infrastructure as code. They have a production stack that includes an EC2 instance, an RDS database, and an S3 bucket. Recently, an engineer manually terminated the EC2 instance from the console. The CloudFormation stack status shows UPDATE_ROLLBACK_FAILED. The company wants to recover the stack to a consistent state. What should they do?

A. Manually recreate the EC2 instance with the same configuration, then tell CloudFormation to continue the update rollback.
B. Create a change set to update the stack to ignore the EC2 instance.
C. Update the stack with a new template that removes the EC2 instance.
D. Delete the stack and recreate it using a new template.
Answer: A

Fixing the drift allows CloudFormation to continue the rollback and reach a consistent state.

Why this answer

Option A is correct. Manually terminating a resource causes drift. You can manually fix the drift (for example, recreate the instance) and then continue the update rollback.

Option D is wrong because deleting the stack loses all resources. Option B is wrong because creating a change set doesn't fix the rollback failure. Option C is wrong because updating the stack without fixing the drift may fail.

1739
Multi-Select (hard)

A company uses AWS Lambda to process messages from an Amazon SQS queue. The Lambda function is idempotent and processes each message in about 30 seconds. The SQS queue has a visibility timeout of 60 seconds. Recently, the team notices that the same messages are being processed multiple times. Which TWO actions should the team take to prevent duplicate processing?

Select 2 answers
A. Increase the SQS queue's visibility timeout to 6 minutes.
B. Set the Lambda function's reserved concurrency to 1.
C. Switch to a FIFO SQS queue and enable content-based deduplication.
D. Reduce the SQS batch size to 1.
E. Configure a dead-letter queue for the SQS queue.
Answers: A, C

Longer visibility timeout ensures messages are not reprocessed while being handled.

Why this answer

Options A and C are correct. Increasing the visibility timeout to 6 minutes prevents the message from becoming visible again before processing completes. Switching to a FIFO queue with content-based deduplication ensures exactly-once processing.

Option B is wrong because Lambda does not support reserved concurrency for SQS triggers in a way that prevents duplicates. Option E is wrong because a dead-letter queue handles failures, not duplicates. Option D is wrong because reducing the batch size does not prevent duplicates.

1740
Multi-Select (medium)

A company wants to implement a least-privilege security model across multiple AWS accounts. Which TWO services can help enforce this?

Select 2 answers
A. AWS Key Management Service (KMS)
B. AWS Organizations Service Control Policies (SCPs)
C. AWS Config
D. AWS Identity and Access Management (IAM) Access Analyzer
E. AWS CloudTrail
Answers: B, D

SCPs can restrict permissions at the account level, enforcing least privilege.

Why this answer

AWS Organizations Service Control Policies (SCPs) are correct because they allow you to centrally control the maximum available permissions for all accounts in your organization, enabling a least-privilege model by restricting actions at the account level. SCPs act as a guardrail that applies to all IAM users, roles, and root users within an account, ensuring that even if a principal has broad IAM policies, the SCP can deny specific high-risk actions across the entire organization.

Exam trap

The trap here is that candidates often confuse AWS Config (which detects compliance) with a service that enforces policies, or they think KMS or CloudTrail can restrict permissions, when in fact only SCPs and IAM Access Analyzer (for validating policies against least-privilege) directly support enforcing or validating a least-privilege model across multiple accounts.

1741
MCQ (medium)

A company is implementing a data lake on Amazon S3. The data lake must be accessible from multiple accounts within the same AWS Organization. Objects must be encrypted at rest, and the company wants to use a single AWS KMS key for simplicity. Which solution meets these requirements?

A. Use SSE-S3 encryption. Grant cross-account access via bucket policy.
B. Use SSE-C encryption. Provide the same customer key to all accounts.
C. Use a customer managed AWS KMS key with a key policy that allows access from all accounts in the organization.
D. Use SSE-KMS with a key per account and use S3 bucket policy to allow cross-account access.
Answer: C

Allows centralized key management and cross-account access via key policy.

Why this answer

Option C is correct because a single customer managed key can serve all accounts, and cross-account use of that key requires a key policy that grants access to the accounts in the organization. Option A is wrong because SSE-S3 does not allow cross-account access control over the key. Option B is wrong because SSE-C requires managing keys externally.

Option D is wrong because S3 bucket policies cannot grant access to KMS keys.

1742
Multi-Select (hard)

Which THREE components are required to set up a centralized logging solution for multiple AWS accounts using Amazon S3? (Choose THREE.)

Select 3 answers
A. Amazon CloudWatch Logs subscription filter in each account.
B. AWS CloudTrail in the central account only.
C. A central S3 bucket in the logging account.
D. A bucket policy on the central bucket that grants write access to the source accounts.
E. IAM roles in each source account with permissions to write to the central bucket.
Answers: C, D, E

The central bucket is the destination for logs.

Why this answer

A central S3 bucket (option C), a bucket policy that allows cross-account writes (option D), and IAM roles in each account to push logs (option E) are required. Option A is wrong because a subscription filter is one way to deliver logs but is not required when writing to S3; CloudWatch Logs itself is not required.

1743
MCQ (hard)

A company has a multi-region architecture using DynamoDB global tables. They notice that write conflicts are occurring frequently between regions. What is the MOST likely cause and how should they resolve it?

A. The application is using strongly consistent reads.
B. The DynamoDB write capacity is insufficient.
C. The application is updating the same item in multiple regions concurrently, and the last-writer-wins conflict resolution is causing data loss.
D. The DynamoDB global tables are not properly configured with conflict resolution.
Answer: C

Concurrent updates cause conflicts; LWW may overwrite data.

Why this answer

Option C is correct because DynamoDB global tables use last-writer-wins (LWW) conflict resolution, and if the same item is updated in multiple regions concurrently, conflicts occur and the losing write is discarded. Using conditional writes and application-level conflict resolution can help. Option A is wrong because strong consistency is not supported across regions for global tables.

Option B is wrong because write capacity and auto scaling do not affect conflicts. Option D is wrong because conflict resolution is automatic with LWW.

1744
Multi-Select (easy)

A company uses AWS Organizations to manage multiple accounts. The security team wants to centrally manage CloudWatch Logs from all accounts. The logs should be sent to a central S3 bucket in the management account. Which two actions should the team take? (Choose two.)

Select 2 answers
A. Create a subscription filter in each member account's log groups that sends logs to the central S3 bucket.
B. Configure the S3 bucket policy to allow the member accounts to write objects.
C. Create an IAM role in the management account that can read logs from member accounts.
D. Apply an SCP that requires all log groups to export logs to the central bucket.
E. Use AWS CloudTrail to deliver logs to the central bucket.
Answers: A, B

Subscription filters deliver logs to destinations like S3.

Why this answer

Options A and B are correct. A subscription filter must be created in each account's log groups (or via a cross-account subscription), and the S3 bucket policy must allow cross-account writes. Option D is wrong because SCPs cannot create log delivery.

Option C is wrong because IAM roles in the member accounts are needed for the subscription, not a read role in the management account for the bucket. Option E is wrong because CloudWatch Logs does not natively send to S3 without subscription filters.

1745
MCQ (hard)

A company is migrating a legacy on-premises application to AWS. The application requires a shared file system that can be mounted by multiple EC2 instances concurrently, with strong consistency and low-latency access. Which AWS storage solution should be used?

A. AWS Storage Gateway File Gateway
B. Amazon EFS
C. Amazon EBS with multi-attach enabled
D. Amazon S3
Answer: B

EFS provides a fully managed, scalable NFS file system that can be mounted by many instances with strong consistency.

Why this answer

Option B is correct because Amazon EFS provides a fully managed NFS file system that can be mounted by multiple EC2 instances concurrently with strong consistency. Option C is wrong because EBS volumes, even with multi-attach, are not a shared file system and are limited to a single Availability Zone and a small number of instances. Option D is wrong because S3 is object storage, not a file system.

Option A is wrong because Storage Gateway File Gateway provides file access to S3 but adds latency and consistency trade-offs.

1746
MCQ (medium)

Refer to the exhibit. A company has attached this IAM policy to an IAM role used by an application running on an EC2 instance in a VPC with CIDR 10.0.0.0/16. The application is unable to read objects from the S3 bucket. What is the most likely cause?

A. The EC2 instance does not have an IAM instance profile.
B. The policy does not allow the s3:ListBucket action.
C. The condition key aws:SourceIp uses the private IP of the instance, but S3 sees the public IP.
D. The S3 bucket policy denies access.
Answer: C

The condition fails because traffic to S3 originates from the public IP.

Why this answer

Option C is correct because the condition checks the source IP of the request, but EC2 instances reach S3 over their public IP (or a NAT gateway address) unless a VPC endpoint is used, so a condition on the private 10.0.0.0/16 range fails. Option B is wrong because the policy allows GetObject, which is what reading objects requires. Option A is wrong because S3 does not require a role for bucket access.

Option D is wrong because the bucket policy is not shown.
