SAP-C02 · topic practice

Design Solutions for Organizational Complexity practice questions

Practise AWS Certified Solutions Architect Professional SAP-C02 Design Solutions for Organizational Complexity practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Design Solutions for Organizational Complexity

What the exam tests

What to know about Design Solutions for Organizational Complexity

Design Solutions for Organizational Complexity questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Design Solutions for Organizational Complexity exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Design Solutions for Organizational Complexity questions

20 questions · select your answer, then reveal the explanation

Question 1hardmultiple choice
Read the full NAT/PAT explanation →

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

A company has multiple AWS accounts managed via AWS Organizations. The security team wants to restrict the use of specific instance types across all accounts. Which TWO methods can be used to enforce this restriction?

A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

Refer to the exhibit. A company runs the AWS CLI command to list accounts in AWS Organizations. The company wants to remove the account '444444444444' from the organization. What must the company do first before it can remove this account?

Network Topology
$ aws organizations list-accountsquery 'Accounts[?Status==`ACTIVE`].[Idoutput table+Refer to the exhibit.| ListAccounts |
Question 10mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

Question 11hardmulti select
Read the full NAT/PAT explanation →

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

A company uses AWS Organizations with a multi-account strategy. The DevOps team wants to allow developers to launch EC2 instances only in specific Regions and only with approved AMIs. Which AWS service should be used to enforce these controls across all accounts?

Question 13mediummultiple choice
Review the full routing breakdown →

A company is designing a cross-account network architecture. The security team requires that all traffic between VPCs in different accounts must be inspected by a centralized firewall appliance in the security account. The network team wants to minimize complexity and avoid route table manipulation. Which solution meets these requirements?

A company is using AWS Organizations with consolidated billing. The finance team wants to track costs by business unit. Each business unit has its own AWS account. The team needs a solution that allows them to generate cost reports filtered by business unit without additional overhead. Which action should be taken?

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

Question 17mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

A financial services company is designing a multi-account strategy using AWS Control Tower. The company has strict data residency requirements: customer data must remain in the country of origin. The company operates in three countries: US, UK, and Germany. Each country has a set of accounts for production, development, and testing. The company needs to ensure that IAM roles in UK accounts cannot access resources in German accounts, and vice versa. Which architecture should be used?

Question 20easymultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Design Solutions for Organizational Complexity sessions

Start a Design Solutions for Organizational Complexity only practice session

Every question in these sessions is drawn from the Design Solutions for Organizational Complexity domain — nothing else.

Related practice questions

Related SAP-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SAP-C02 exam test about Design Solutions for Organizational Complexity?
Design Solutions for Organizational Complexity questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Design Solutions for Organizational Complexity questions in a focused session?
Yes — the session launcher on this page draws every question from the Design Solutions for Organizational Complexity domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.