Amazon SAP-C02 Online Practice
Questions and Exam Preparation
SAP-C02 Exam Details
Exam Code
:SAP-C02
Exam Name
:AWS Certified Solutions Architect - Professional (SAP-C02)
Certification
:Amazon Certifications
Vendor
:Amazon
Total Questions
:874 Q&As
Last Updated
:Jul 12, 2026
Amazon SAP-C02 Online Questions &
Answers
Question 851:
A retail company has structured its AWS accounts to be part of an organization in AWS Organizations. The company has set up consolidated billing and has mapped its departments to the following OUs: Finance, Sales, Human Resources (HR), Marketing, and Operations. Each OU has multiple AWS accounts, one for each environment within a department. These environments are development, test, pre-production, and production.
The HR department is releasing a new system that will launch in 3 months. In preparation, the HR department has purchased several Reserved Instances (RIs) in its production AWS account. The HR department will install the new application on this account. The HR department wants to make sure that other departments cannot share the RI discounts.
Which solution will meet these requirements?
A. In the AWS Billing and Cost Management console for the HR department's production account turn off Rl sharing. B. Remove the HR department's production AWS account from the organization. Add the account 10 the consolidating billing configuration only. C. In the AWS Billing and Cost Management console, use the organization's management account 10 turn off Rl Sharing for the HR departments production AWS account. D. Create an SCP in the organization to restrict access to the RIs. Apply the SCP to the OUs of the other departments.
C. In the AWS Billing and Cost Management console, use the organization's management account 10 turn off Rl Sharing for the HR departments production AWS account.
Explanation
This solution will meet the HR department's requirements because it allows the company to turn off RI sharing for the specific production account of the HR department through the organization's management account. This will prevent the reserved instances from being shared across the organization, and other departments will not be able to access or use the RIs. This approach allows the organization to manage the sharing of RIs at a central level, which could be useful if there are multiple departments or accounts that need to be managed in this way.
Question 852:
A global healthcare analytics company runs a regulated workload on AWS across dozens of AWS accounts. The company uses an organization in AWS Organizations to manage the accounts. The company must regularly provide external auditors with evidence that specific security controls are implemented and continuously enforced. The security controls include encryption requirements for storage services, centralized logging configurations, and restrictions on public network access. The company wants an automated solution that continuously collects evidence that shows that the controls are implemented across accounts. The solution must preserve historical evidence for specified time periods.
The solution must also generate reports for the auditors that are mapped to specific regulatory frameworks. The company does not want to build custom evidence collection pipelines.
Which solution will meet these requirements with the LEAST operational overhead?
A. Enable AWS CloudTrail organization trails across all accounts and deliver the logs to a centralized Amazon S3 bucket in an audit account. Use Amazon Athena to query the centralized logs and build scheduled reports that auditors can review for evidence of the required security controls. B. Enable AWS Security Hub across all accounts. Designate a delegated administrator account to aggregate security findings across the organization. Export Security Hub findings and compliance check results to Amazon S3. Generate periodic compliance reports for auditors. C. Enable AWS Config rules in each account to evaluate the required security controls. Deliver configuration snapshots to a centralized Amazon S3 bucket. Use AWS Lambda functions in an audit account to periodically analyze the snapshots and generate compliance evidence reports for auditors. D. Enable AWS Config rules across all accounts to evaluate the required security controls. Use an AWS Config aggregator in an audit account to centralize configuration data. Deploy AWS Config conformance packs that are aligned to the required regulatory frameworks. Use AWS Audit Manager to collect evidence and generate audit reports.
D. Enable AWS Config rules across all accounts to evaluate the required security controls. Use an AWS Config aggregator in an audit account to centralize configuration data. Deploy AWS Config conformance packs that are aligned to the required regulatory frameworks. Use AWS Audit Manager to collect evidence and generate audit reports.
Explanation
AWS Audit Manager is the managed service built for continuous audit evidence collection and audit-ready reporting. It can automatically collect evidence from AWS accounts and services, map evidence to controls and frameworks, and help generate reports for auditors. AWS Config provides the technical compliance signal for resource configuration, and conformance packs package managed or custom AWS Config rules into repeatable compliance templates. An AWS Config aggregator centralizes visibility across accounts.
Option D therefore combines control evaluation, centralized aggregation, framework alignment, historical evidence, and audit reporting without custom pipelines. CloudTrail plus Athena or Config snapshots plus Lambda would require custom report generation. Security Hub is useful for security posture aggregation, but the question specifically requires evidence collection and auditor-ready reports mapped to regulatory frameworks.
Question 853:
An ecommerce website running on AWS uses an Amazon RDS for MySQL DB instance with General Purpose SSD storage. The developers chose an appropriate instance type based on demand, and configured 100 GB of storage with a sufficient amount of free space.
The website was running smoothly for a few weeks until a marketing campaign launched. On the second day of the campaign, users reported long wait times and time outs. Amazon CloudWatch metrics indicated that both reads and writes to the DB instance were experiencing long response times. The CloudWatch metrics show 40% to 50% CPU and memory utilization, and sufficient free storage space is still available.
The application server logs show no evidence of database connectivity issues.
What could be the root cause of the issue with the marketing campaign?
A. It exhausted the I/O credit balance due to provisioning low disk storage during the setup phase. B. It caused the data in the tables to change frequently, requiring indexes to be rebuilt to optimize queries. C. It exhausted the maximum number of allowed connections to the database instance. D. It exhausted the network bandwidth available to the RDS for MySQL DB instance.
A. It exhausted the I/O credit balance due to provisioning low disk storage during the setup phase.
Explanation
"When using General Purpose SSD storage, your DB instance receives an initial I/O credit balance of 5.4 million I/O credits. This initial credit balance is enough to sustain a burst performance of 3,000 IOPS for 30 minutes."
A company's AWS architecture currently uses access keys and secret access keys stored on each instance to access AWS services. Database credentials are hard-coded on each instance. SSH keys for command-tine remote access are stored in a secured Amazon S3 bucket. The company has asked its solutions architect to improve the security posture of the architecture without adding operational complexity.
Which combination of steps should the solutions architect take to accomplish this? (Select THREE.)
A. Use Amazon EC2 instance profiles with an IAM role. B. Use AWS Secrets Manager to store access keys and secret access keys. C. Use AWS Systems Manager Parameter Store to store database credentials. D. Use a secure fleet of Amazon EC2 bastion hosts (or remote access. E. Use AWS KMS to store database credentials. F. Use AWS Systems Manager Session Manager tor remote access
A. Use Amazon EC2 instance profiles with an IAM role. C. Use AWS Systems Manager Parameter Store to store database credentials. F. Use AWS Systems Manager Session Manager tor remote access
Explanation
Option A - roles and instance profiles attached to an instance defining who and what access is a best practice
Option B - not required if your using SSM session manager so you would not need access keys for instances
Option C - parameter store can be used to store secrets so we are green better option would be secrets manager which password rotation D - not wrong but why would you when you can use session manager?
A company is migrating a legacy application from an on-premises data center to AWS. The application uses MangeDB as a key-value database According to the company's technical guidelines, all Amazon EC2 instances must be hosted in a private subnet without an internet connection In addition, all connectivity between applications and databases must be encrypted. The database must be able to scale based on demand.
Which solution will meet these requirements?
A. Create new Amazon DocumentDB (with MangeDB compatibility) tables for the application with Provisioned IOPS volumes Use the instance endpoint to connect to Amazon DocumentDB B. Create new Amazon DynamoDB tables for the application with on-demand capacity Use a gateway VPC endpoint for DynamoDB to connect lo the DynamoDB tables C. Create new Amazon DynamoDB tables for the application with on-demand capacity Use an interface VPC endpoint for DynamoDB to connect to the DynamoDB tables D. Create new Amazon DocumentDB (with MangeDB compatibility) tables for the application with Provisioned IOPS volumes Use the cluster endpoint to connect to Amazon DocumentDB
B. Create new Amazon DynamoDB tables for the application with on-demand capacity Use a gateway VPC endpoint for DynamoDB to connect lo the DynamoDB tables
Question 856:
A company is modernizing a legacy.NET Framework application backed by SQL Server.
Requirements:
Containerize into microservices.
Control OS patches and storage.
Add load balancing.
Ensure high availability.
Which solution meets all of these with minimal refactoring?
A. Use App2Container to deploy on ECS EC2 with ALB and RDS for SQL Server. B. Use App2Container on ECS EC2 with NLB and Aurora MySQL. C. Use Porting Assistant and EKS with Fargate and Aurora MySQL. D. Use Porting Assistant and EKS with Fargate and RDS SQL Server.
A. Use App2Container to deploy on ECS EC2 with ALB and RDS for SQL Server.
Explanation
A is correct because: App2Container supports packaging .NET Framework apps into containers without porting to .NET Core.
ECS with EC2 gives full control over the OS and patching.
ALB handles micro service-level load balancing.
RDS for SQL Server with Multi-AZ ensures high availability. Options B, Option C, and Option D involve Aurora MySQL (incompatible with SQL Server features) or require .NET Core, which involves more significant application changes.
References:
App2Container Overview
ECS EC2 vs Fargate
Question 857:
A company has a website that runs on Amazon EC2 instances behind an Application Load Balancer (ALB).
The instances are in an Auto Scaling group. The ALB is associated with an AWS WAF web ACL.
The website often encounters attacks in the application layer. The attacks produce sudden and significant increases in traffic on the application server. The access logs show that each attack originates from different IP addresses. A solutions architect needs to implement a solution to mitigate these attacks.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an Amazon CloudWatch alarm that monitors server access. Set a threshold based on access by IP address. Configure an alarm action that adds the IP address to the web ACL's deny list. B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource. C. Create an Amazon CloudWatch alarm that monitors user IP addresses. Set a threshold based on access by IP address. Configure the alarm to invoke an AWS Lambda function to add a deny rule in the application server's subnet route table for any IP addresses that activate the alarm. D. Inspect access logs to find a pattern of IP addresses that launched the attacks. Use an Amazon Route 53 geolocation routing policy to deny traffic from the countries that host those IP addresses.
B. Deploy AWS Shield Advanced in addition to AWS WAF. Add the ALB as a protected resource.
Explanation
AWS Shield Advanced is focused on protecting against DDoS attacks, while AWS WAF is focused on protecting against web exploits. However, both services can be used together to provide comprehensive protection for your applications.
Question 858:
A company that has multiple AWS accounts is using AWS Organizations. The company's AWS accounts host VPCs, Amazon EC2 instances, and containers.
The company's compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team.
The company has tagged all the compliance-related resources with a key of "costCenter" and a value or "compliance".
The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team's AWS account. The cost calculation must be as accurate as possible.
What should a solutions architect do to meet these requirements?
A. In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources. B. In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources. C. In the member accounts of the organization activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources. D. Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team's AWS account.
A. In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.
A company has an Amazon VPC that is divided into a public subnet and a pnvate subnet. A web application runs in Amazon VPC. and each subnet has its own NACL.
The public subnet has a CIDR of 10.0.0 0/24 An Application Load Balancer is deployed to the public subnet.
The private subnet has a CIDR of 10.0.1.0/24. Amazon EC2 instances that run a web server on port 80 are launched into the private subnet Onty network traffic that is required for the Application Load Balancer to access the web application can be allowed to travel between the public and private subnets.
What collection of rules should be written to ensure that the private subnet's NACL meets the requirement? (Select TWO.)
A. An inbound rule for port 80 from source 0.0 0.0/0 B. An inbound rule for port 80 from source 10.0 0 0/24 C. An outbound rule for port 80 to destination 0.0.0.0/0 D. An outbound rule for port 80 to destination 10.0.0.0/24 E. An outbound rule for ports 1024 through 65535 to destination 10.0.0.0/24
B. An inbound rule for port 80 from source 10.0 0 0/24 E. An outbound rule for ports 1024 through 65535 to destination 10.0.0.0/24
Explanation
Ephemeral ports are not covered in the syllabus so be careful that you don't confuse day to day best practise with what is required for the exam. Link to an on Ephemeral ports here.
A company hosts a Git repository in an on-premises data center. The company uses webhooks to invoke functionality that runs in the AWS Cloud. The company hosts the webhook logic on a set of Amazon EC2 instances in an Auto Scaling group that the company set as a target for an Application Load Balancer (ALB). The Git server calls the ALB for the configured webhooks. The company wants to move the solution to a serverless architecture.
Which solution will meet these requirements with the LEAST operational overhead?
A. For each webhook, create and configure an AWS Lambda function URL. Update the Git servers to call the individual Lambda function URLs. B. Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate AWS Lambda function. Update the Git servers to call the API Gateway endpoint. C. Deploy the webhook logic to AWS App Runner. Create an ALB, and set App Runner as the target. Update the Git servers to call the ALB endpoint. D. Containerize the webhook logic. Create an Amazon Elastic Container Service (Amazon ECS) cluster, and run the webhook logic in AWS Fargate. Create an Amazon API Gateway REST API, and set Fargate as the target. Update the Git servers to call the API Gateway endpoint.
B. Create an Amazon API Gateway HTTP API. Implement each webhook logic in a separate AWS Lambda function. Update the Git servers to call the API Gateway endpoint.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Amazon exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your SAP-C02 exam preparations
and Amazon certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.