
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise AWS Certified Solutions Architect Professional SAP-C02 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

Scenario questions: 15
Exam code: SAP-C02
Vendor: Amazon Web Services

Scenario guide

How to approach refer-to-the-exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (medium, multiple choice)

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```

Question 2 (medium, multiple choice)

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

Question 3 (hard, multiple choice)

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    }
  ]
}
```

Question 4 (easy, multiple choice)

A solutions architect runs the command shown in the exhibit. Which statement is true about the output?

Network Topology
Refer to the exhibit.

```
$ aws ec2 describe-instances --filters Name=tag:Environment --query 'Reservations[].Instances[?State.Name==`running`].[InstanceId --output table
Output:
| DescribeInstances |
```

Question 5 (hard, multiple choice)

Refer to the exhibit. A company uses this IAM policy to allow an automation script to manage Amazon EBS snapshots. The script runs on an EC2 instance with this attached IAM role. The script is failing when trying to create a snapshot from a volume and tag it. The error message indicates an authorization failure. What is the root cause?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:us-west-2::snapshot/*"
    }
  ]
}
```

Question 6 (easy, multiple choice)

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

Network Topology
Refer to the exhibit.

```
$ aws organizations list-accounts --query 'Accounts[?Status==`ACTIVE`].[Id --output table
| ListAccounts |
```

Question 7 (hard, multiple choice)

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

Network Topology
Refer to the exhibit.

```
$ aws ec2 describe-vpcs --region us-east-1 --query 'Vpcs[0].VpcId'
"vpc-0abcd1234"
$ aws ec2 describe-subnets --filters Name=vpc-id
"Subnets": [
"SubnetId": "subnet-11111111",
"CidrBlock": "10.0.1.0/24",
"MapPublicIpOnLaunch": false
},
"SubnetId": "subnet-22222222",
"CidrBlock": "10.0.2.0/24",
```

Question 8 (easy, multiple choice)

Refer to the exhibit. A solutions architect is reviewing this SCP. What is the effect of this SCP when attached to an organizational unit (OU)?

Exhibit

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Question 9 (medium, multiple choice)

A Solutions Architect runs the AWS CLI command shown in the exhibit. Which statement accurately describes the output?

Network Topology
Refer to the exhibit.

```
aws ec2 describe-instances --query "Reservations[*].Instances[*].[InstanceId --output table
| DescribeInstances |
| i-0123456789abcdef0 | running |
| i-023456789abcdef01 | stopped |
| i-03456789abcdef012 | terminated |
```

Question 10 (easy, multiple choice)

A Solutions Architect is reviewing the CloudFormation template snippet shown in the exhibit. What will happen when this template is deployed?

Exhibit

Refer to the exhibit.

```
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "MyBucket": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "my-unique-bucket-name-12345",
        "VersioningConfiguration": {
          "Status": "Enabled"
        }
      }
    }
  }
}
```

Question 11 (medium, multiple choice)

Refer to the exhibit. A CloudFormation stack has been deployed with the VPCId and SubnetIds outputs. A developer wants to use these outputs as parameters in another CloudFormation stack. Which AWS service can be used to pass these values to the new stack?

Network Topology
Refer to the exhibit.

```
aws cloudformation describe-stacks --stack-name my-stack --query "Stacks[0].Outputs"
"OutputKey": "VPCId",
"OutputValue": "vpc-12345678"
},
"OutputKey": "SubnetIds",
"OutputValue": "subnet-11111111,subnet-22222222"
```

Question 12 (easy, multiple choice)

Refer to the exhibit. An IAM policy allows ec2:Describe* actions on all resources. A developer wants to also allow describing RDS instances. Which action must be added to the policy?

Exhibit

Refer to the exhibit.

```
# IAM policy snippet
{
    "Effect": "Allow",
    "Action": "ec2:Describe*",
    "Resource": "*"
}
```

Question 13 (medium, multiple choice)

A solutions architect is troubleshooting an EC2 instance that is not sending metrics to CloudWatch. The instance is running and has internet connectivity. Based on the exhibit, what is the MOST likely reason?

Network Topology
Refer to the exhibit.

```
$ aws ec2 describe-instances --instance-ids i-1234567890abcdef0
# AWS CLI command output
"Reservations": [
"Groups": [],
"Instances": [
"InstanceId": "i-1234567890abcdef0",
"InstanceType": "t2.micro",
"State": {"Name": "running"},
"Monitoring": {
"State": "disabled"
"NetworkInterfaces": [
"Association": {
"IpOwnerId": "amazon",
"PublicIp": "54.123.45.67"
"Attachment": {
"DeviceIndex": 0,
"Status": "attached"
],
"Tags": [
"Key": "Name",
"Value": "WebServer"
```

Question 14 (hard, multiple choice)

Refer to the exhibit. A company has an S3 bucket policy that requires server-side encryption with AES256 for all objects uploaded. However, users can still upload objects without encryption. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:x-amz-server-side-encryption": "AES256"
        }
      }
    }
  ]
}
```

Question 15 (hard, multiple choice)

Refer to the exhibit. A CloudFormation template creates an S3 bucket with versioning and a public bucket policy. After deployment, users can access objects in the bucket via the internet. However, the security team requires that all access be logged. What is missing from this configuration?

Exhibit

Refer to the exhibit.

```
Resources:
  MyBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-mybucket"
      VersioningConfiguration:
        Status: Enabled
  MyBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref MyBucket
      PolicyDocument:
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: "s3:GetObject"
            Resource: !Sub "${MyBucket.Arn}/*"
```

These SAP-C02 practice questions are part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style SAP-C02 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.