AWS Solutions Architect Professional (SAP-C02): Practice Questions
Original concept-check questions for the AWS Solutions Architect Professional, spanning the exam domains. Each answer is explained, including why the others are wrong. These are concept checks, not real exam questions.
- AWS Organizations is used to:
Correct answer: D. Organizations centrally manages multiple AWS accounts (consolidated billing, policies). Storing objects is S3, running containers is ECS/EKS, and monitoring metrics is CloudWatch.
- A Service Control Policy (SCP) in AWS Organizations:
Correct answer: C. SCPs cap the maximum permissions in member accounts; they do not grant access by themselves.
- AWS Control Tower is used to:
Correct answer: C. Control Tower sets up and governs a secure multi-account landing zone. Building a CDN is CloudFront, running serverless code is Lambda, and managing DNS is Route 53.
- To connect many VPCs and on-premises networks through a single hub you use:
Correct answer: B. Transit Gateway is the hub-and-spoke connector for many VPCs and on-premises networks. A security group is an instance firewall, a NAT gateway gives outbound internet to private subnets, and an Internet gateway connects a VPC to the public internet.
- A dedicated, private physical network connection from on-premises to AWS is:
Correct answer: B. Direct Connect is a dedicated private link; a VPN runs over the public internet.
- Cross-account access in AWS is best granted by:
Correct answer: A. Assuming a cross-account IAM role from the other account is the secure pattern. A public S3 bucket exposes data, a NAT gateway is for outbound internet, and sharing root credentials is highly insecure.
- Consolidated billing in AWS Organizations:
Correct answer: D. Consolidated billing combines billing across accounts and can share volume discounts. It does not double fees, hide costs, or disable monitoring.
- To centralise logs from many accounts you typically:
Correct answer: C. The standard multi-account pattern aggregates logs to a central logging account (e.g., via CloudWatch or S3). Disabling logging, deleting logs, or keeping them only on each instance all lose visibility.
- To survive the failure of an entire Availability Zone, you should design for:
Correct answer: B. Spanning multiple Availability Zones with load balancing and Auto Scaling survives a single-AZ failure. A single large instance, one AZ only, or no redundancy each leave a single point of failure.
- The most cost-effective storage for rarely accessed, long-term archival data is:
Correct answer: C. S3 Glacier and Glacier Deep Archive minimise cost for rarely accessed archival data. Instance store is ephemeral, and EBS and S3 Standard cost more for cold data.
- To decouple a fast producer from a slower consumer you use:
Correct answer: A. An SQS queue buffers messages so producer and consumer scale independently. A direct call couples them tightly, a security group is a firewall, and a NAT gateway is for outbound internet.
- For a managed, low-latency NoSQL key-value store at scale you choose:
Correct answer: B. DynamoDB (with DAX for caching) is managed, low-latency NoSQL at scale. Redshift is a data warehouse, RDS is relational, and EBS is block storage.
- To run code without provisioning servers you use:
Correct answer: B. Lambda runs code serverlessly with no instances to manage. EC2 requires you to manage instances, while EBS is block storage and Direct Connect is a private network link.
- The Well-Architected pillar focused on running and monitoring systems and continuously improving operations is:
Correct answer: C. Operational Excellence covers running, monitoring and continuously improving workloads. Cost Optimization, Sustainability and Security are separate Well-Architected pillars.
- To reduce read load on a relational database you can add:
Correct answer: D. Read replicas or an ElastiCache caching layer offload read traffic from the primary database. More NAT gateways serve outbound internet, an SCP is a permissions guardrail, and a larger logo is irrelevant.
- To grant an application access following least privilege you:
Correct answer: A. Least privilege grants only the specific permissions the application needs. Administrator rights, the root account, or disabling IAM all over-grant access and are insecure.
- To get account-wide recommendations on cost, security and performance you use:
Correct answer: D. Trusted Advisor inspects the account and recommends improvements on cost, security and performance. CloudFront is a CDN, Route 53 is DNS, and SQS is a message queue.
- To improve the reliability of a single-instance web app you:
Correct answer: C. Adding Auto Scaling and a load balancer across multiple AZs removes the single point of failure. A bigger logo, leaving it as one instance, or removing backups do not improve reliability.
- To detect when resources drift from their desired configuration or compliance rules you use:
Correct answer: D. AWS Config tracks configuration and compliance over time and flags drift. Direct Connect is a network link, SQS is a queue, and CloudFront is a CDN.
- For managed threat detection across accounts you use:
Correct answer: C. GuardDuty analyses activity across accounts for threats. EBS is block storage, CloudFront is a CDN, and Route 53 is DNS.
- To find over-provisioned instances to right-size you use:
Correct answer: B. Compute Optimizer and Cost Explorer surface over-provisioned instances and right-sizing opportunities. A NAT gateway, an ingress, and an SCP do not analyse instance utilisation.
- The disaster-recovery strategy with the lowest RTO/RPO (and highest cost) is:
Correct answer: A. Active/active multi-site recovers almost instantly at the highest cost. Backup/restore and pilot light are cheaper but slower.
- 'Rehost' (lift and shift) in a migration means:
Correct answer: D. Rehost moves the workload as-is without changes. Rewriting the application is refactor, repurchasing a SaaS product is repurchase, and retiring it is retire.
- 'Replatform' in a migration means:
Correct answer: A. Replatform makes a few optimisations (e.g., moving to a managed database) without rewriting. A full rewrite is refactor, keeping it on-premises is retain, and deleting the app is retire.
- To migrate a database to AWS with minimal downtime you use:
Correct answer: A. Database Migration Service (DMS) replicates databases to AWS with minimal downtime. CloudFront is a CDN, Route 53 is DNS, and S3 Glacier is archival storage.
- To move very large data sets to AWS when network bandwidth is limited you use:
Correct answer: B. The Snow family (e.g., Snowball) ships data physically when network transfer is impractical. A NAT gateway gives private subnets outbound internet, an SCP is a permissions guardrail, and EventBridge is an event bus.
- To lift-and-shift many on-premises servers to AWS you use:
Correct answer: B. Application Migration Service rehosts many on-premises servers to AWS. Route 53 is DNS, CloudFront is a CDN, and Trusted Advisor gives account recommendations.
- Modernising a monolith toward managed and serverless services might involve:
Correct answer: A. Modernisation moves components to containers (Fargate) or Lambda to cut operational overhead. Disabling monitoring, keeping it unchanged on EC2, or deleting data are not modernisation.
- The migration '7 Rs' include rehost, replatform, repurchase, refactor, retire, retain and:
Correct answer: A. The seventh R is relocate (e.g., moving VMware workloads to the cloud). Reroute, rename and reboot are not migration strategies.
- Centralised, org-wide governance of security and billing across many accounts is an example of designing for:
Correct answer: D. Multi-account governance of security and billing is the organisational-complexity domain. A single workload, lower latency only, or no governance do not describe org-wide governance.
Practice questions FAQ
- Are these real SAP-C02 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.