Scenario-based practice

Hard Difficulty Questions

Practise with original exam-style AWS Certified Solutions Architect Professional (SAP-C02) scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions. Exam code: SAP-C02. Vendor: Amazon Web Services.

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard-difficulty questions test whether you can apply the concept in context, not just recognise a definition. Each scenario shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (hard, multiple choice)

A company is migrating a monolithic application to a microservices architecture on AWS. The application uses a relational database with complex queries. The company wants to reduce operational overhead and achieve high availability. Which database strategy should the company adopt for the microservices?

Question 2 (hard, multiple choice)

A company has a monolithic application running on a single Amazon RDS for MySQL DB instance. The application is experiencing performance issues due to heavy read traffic. The company wants to implement a solution that offloads read traffic with minimal application changes. What should a solutions architect do?

Question 3 (hard, multiple choice)

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

Question 4 (hard, multiple choice)

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

Question 5 (hard, multi-select)

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

Question 6 (hard, multiple choice)

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

Question 7 (hard, multiple choice)

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

Question 8 (hard, multiple choice)

A company is migrating a monolithic application to microservices on Amazon ECS with Fargate. The application has variable traffic patterns, with high traffic during business hours and low traffic at night. The company wants to optimize costs while maintaining performance. Which scaling strategy should the company implement?

Question 9 (hard, multi-select)

A company is designing a serverless data processing pipeline using AWS Step Functions, AWS Lambda, and Amazon DynamoDB. The pipeline must process incoming JSON records from an Amazon Kinesis Data Stream. Each record must be processed exactly once and in order. The company expects a throughput of up to 1,000 records per second. Which combination of services and configurations should the company use to meet these requirements? (Choose TWO.)

Question 10 (hard, multi-select)

A company is designing a new containerized application on Amazon EKS. The application must be able to access secrets (e.g., database credentials) securely. The company requires that secrets be automatically rotated and audited. Which THREE actions should the company take to meet these requirements?

Question 11 (hard, multiple choice)

A company wants to design a highly available, stateless web application using Amazon ECS with Fargate. The company needs to distribute traffic across multiple AWS Regions for low latency. Which approach should the company use?

Question 12 (hard, multi-select)

A company is deploying a microservices architecture on Amazon ECS with Fargate. The company needs to enable service-to-service communication with mutual TLS (mTLS) and service discovery. Which combination of services should the company use? (Select THREE.)

Question 13 (hard, multiple choice)

A company is designing a serverless event-driven architecture using AWS Lambda, Amazon SQS, and Amazon DynamoDB. The Lambda function processes messages from an SQS queue and writes to DynamoDB. The company expects unpredictable traffic spikes and must ensure that messages are not lost. Which configuration should the company use to meet these requirements?

Question 14 (hard, multiple choice)

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    }
  ]
}

Question 15 (hard, multiple choice)

A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?

Question 16 (hard, multiple choice)

A company is running a stateful web application on EC2 instances in an Auto Scaling group behind an ALB. The application stores session data locally on the instance. The company notices that users are frequently logged out and lose session data during scaling events. What is the MOST operationally efficient way to preserve session state?

Question 17 (hard, multiple choice)

A company has a legacy application that runs on a single EC2 instance. The application writes logs to a local file. The company wants to centralize log management without modifying the application code. Which solution is MOST operationally efficient?

Question 18 (hard, multi-select)

A company is deploying a new application on AWS and wants to implement a least-privilege IAM policy for an EC2 instance that needs to read from an S3 bucket (my-bucket) and write logs to CloudWatch Logs. Which THREE statements should be included in the IAM policy? (Choose three.)

Question 19 (hard, multiple choice)

A company uses AWS CodePipeline to automate deployments of a microservices application to Amazon ECS. The pipeline builds a Docker image, pushes it to Amazon ECR, and updates the ECS service. Recently, deployments have failed because insufficient IAM permissions cause the pipeline to fail when updating the ECS service. The development team wants to implement least privilege permissions. Which IAM policy statement should be added to the CodePipeline service role to allow it to update the ECS service?

Question 20 (hard, multiple choice)

An IAM policy is attached to a group. A user in the group tries to terminate an EC2 instance in us-east-1 using the AWS CLI. What will happen?

Exhibit

Refer to the exhibit.

iam-policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"
    }
  ]
}

These SAP-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SAP-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.