Free · No account needed · No credit card

AWS Certified Solutions Architect Professional SAP-C02 Practice Test

1,746 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 170 min
Pass mark: 750%

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Design Solutions for Organizational Complexity · hard

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A. Use an SCP to enforce a specific password policy and require MFA across all accounts.
B. Use AWS Config rules to automatically set the password policy and enable MFA for all users.
C. Use an SCP to deny changes to the password policy and to deny deactivation of MFA devices. Use AWS Config rules to detect non-compliant users. (Correct)
D. Use AWS CloudTrail to monitor password policy changes and MFA status, and trigger an automatic remediation.

Option C is correct because SCPs can deny changes to the password policy and deny deactivation of MFA devices, preventing users from weakening security controls. AWS Config rules then detect non-compliant users (e.g., those without MFA or with a non-compliant password policy), al…

Q2 · Design Solutions for Organizational Complexity · medium

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A. Use a VPN connection from each application VPC to the shared VPC.
B. Use AWS Resource Access Manager to share the Transit Gateway with the application accounts. (Correct)
C. Use VPC peering between the shared VPC and each application VPC.
D. Create IAM roles in each application account that allow the networking team to create VPC attachments.

AWS Resource Access Manager (RAM) allows the centralized networking team to share the Transit Gateway with specific application accounts, enabling authorized VPCs to create attachments without exposing the resource to all accounts. This approach is secure because it uses resource…

Q3 · Design Solutions for Organizational Complexity · easy

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

A. Use an AWS Lambda function that runs periodically to enable CloudTrail in accounts where it is disabled.
B. Create an AWS Config rule in each account to enable CloudTrail if it is disabled.
C. Use an SCP to require CloudTrail to be enabled in each account.
D. Use the AWS CloudTrail setup provided by Control Tower, which automatically enables a trail for all accounts in the organization. (Correct)

AWS Control Tower provides an integrated CloudTrail setup that automatically creates and manages a central trail for all accounts in the organization. This trail is deployed using AWS CloudFormation StackSets and delivers logs to a centralized S3 bucket, ensuring compliance witho…

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
