SAP-C02 · topic practice

S3 Lifecycle Policy practice questions

Practise AWS Certified Solutions Architect Professional SAP-C02 S3 Lifecycle Policy practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: S3 Lifecycle Policy

What the exam tests

What to know about S3 Lifecycle Policy

S3 Lifecycle Policy questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common S3 Lifecycle Policy exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

S3 Lifecycle Policy questions

20 questions · select your answer, then reveal the explanation

A company has a centralized logging account and multiple application accounts. All VPC Flow Logs are sent to a central S3 bucket in the logging account. The security team needs to analyze the logs using Amazon Athena. The team must ensure queries are cost-effective and return results quickly for recent logs. Which configuration should be used?

A company is using AWS Organizations with multiple accounts. The central IT team wants to deploy a set of common VPCs in each account using AWS CloudFormation StackSets. The StackSets must be managed from the management account. Which THREE permissions are required for the StackSets to successfully deploy stacks into member accounts?

A company is using AWS Organizations with multiple accounts. The security team wants to ensure that all Amazon S3 buckets across the organization are encrypted at rest. Which TWO steps should the security team take to enforce this requirement?

A company has a centralized logging account that receives VPC Flow Logs from all accounts in the organization. The logs are stored in an S3 bucket. A security analyst needs to query the logs to identify traffic to a specific IP address. The analyst has been granted read-only access to the S3 bucket. However, the analyst cannot access the logs. What is the MOST likely cause?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

A multinational company is implementing AWS Organizations to manage multiple accounts across business units. The security team requires that all IAM users in member accounts must use a specific password policy and must have MFA enabled. Which combination of actions should the company take to enforce these requirements?

A company uses AWS Control Tower to manage a multi-account environment. The security team needs to ensure that all accounts have AWS CloudTrail enabled and that logs are delivered to a central S3 bucket. What is the BEST way to achieve this?

Refer to the exhibit. An IAM role trust policy is shown. A user from account 123456789012 tries to assume this role but receives an 'AccessDenied' error. The user has MFA enabled and is passing the MFA token. What is the MOST likely reason for the failure?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}

A company uses AWS Organizations with multiple OUs. The finance team needs to have read-only access to billing data across all accounts. The security team wants to ensure that no IAM user can modify billing preferences. Which policy should be attached to the root OU to achieve this?

Question 9mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is implementing a multi-account AWS strategy using AWS Organizations. The security team requires that all newly created accounts in the organization automatically have an Amazon GuardDuty detector enabled in all enabled Regions. Which solution meets this requirement with the LEAST operational overhead?

A company is migrating to a multi-account AWS environment using AWS Control Tower. The security team must ensure that all accounts have AWS Config enabled and that logs are delivered to a central S3 bucket. Which THREE steps should the security team take?

Question 11mediummultiple choice
Read the full NAT/PAT explanation →

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

A company has a management account in AWS Organizations and several member accounts. The security team wants to ensure that any IAM user created in any member account must have a password policy that enforces a minimum length of 14 characters. The team wants a preventive control that is enforced automatically. Which approach should be used?

Question 13easymultiple choice
Read the full NAT/PAT explanation →

A company uses AWS Organizations and has a requirement that all root user activities in member accounts must be immediately reported to the security team. Which combination of actions should be taken to meet this requirement? (Choose the best answer.)

A company is using AWS Organizations with multiple organizational units (OUs). The security team needs to enforce that all newly created S3 buckets in the production OU have versioning enabled and are encrypted with AWS KMS. Which solution meets these requirements with minimal operational overhead?

Drag and drop the steps to set up AWS CloudTrail for logging API activity in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

A company is designing a data lake on Amazon S3 for analytics. The data is ingested from multiple sources and must be encrypted at rest. The company requires the ability to audit access to the data lake and enforce fine-grained access control based on tags. Which solution should the company choose?

A company is running a critical application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The application needs to process a large batch job that runs once per month and takes 2 hours. The company wants to optimize costs while ensuring the batch job has sufficient capacity. Which THREE steps should a solutions architect recommend?

A solutions architect is designing a new serverless application using AWS Lambda to process orders from an API Gateway endpoint and store them in DynamoDB. The architect creates the IAM role shown in the exhibit. When testing, the Lambda function fails to write to DynamoDB with an AccessDeniedException. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    }
  ]
}

A company is using AWS CloudFormation to deploy infrastructure. The security team requires that all Amazon S3 buckets created by CloudFormation must be encrypted at rest. What should a solutions architect do to enforce this requirement?

A company runs a containerized application on Amazon ECS with Fargate. The application needs to securely access an Amazon S3 bucket. The company wants to follow the principle of least privilege. What should a solutions architect recommend?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused S3 Lifecycle Policy sessions

Start a S3 Lifecycle Policy only practice session

Every question in these sessions is drawn from the S3 Lifecycle Policy domain — nothing else.

Related practice questions

Related SAP-C02 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SAP-C02 exam test about S3 Lifecycle Policy?
S3 Lifecycle Policy questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just S3 Lifecycle Policy questions in a focused session?
Yes — the session launcher on this page draws every question from the S3 Lifecycle Policy domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.