SAP-C02 Amazon Web Services AWS Certified Solutions Architect - Professional Free Practice Exam Questions (2026 Updated)

https://aws.amazon.com/about-aws/whats-new/2022/02/amazon-cloudfront-managed-prefix-list/

The correct answer is A, C, and F. The company wants to host a private DNS namespace, myvpc.example.com, inside AWS and allow on-premises devices to resolve records in that namespace. A Route 53 private hosted zone is the correct hosted zone type because the domain is intended for private VPC resolution, not public internet DNS. To allow DNS queries from the on-premises network into AWS, Route 53 Resolver inbound endpoints are required. The on-premises DNS resolvers then need conditional forwarding rules that forward queries for myvpc.example.com to the IP addresses of the inbound Resolver endpoint. An outbound endpoint is used when AWS resources need to resolve DNS names hosted on premises. That is not the stated requirement here. A public hosted zone would expose records publicly and is not appropriate for private VPC DNS.

===============

The performance symptom is classic Lambda cold-start variability. The API is used sporadically, so Lambda execution environments may be recycled between requests. The first request takes longer because Lambda must initialize an execution environment; subsequent identical requests are faster because the environment is already warm. Provisioned concurrency keeps execution environments initialized and ready to respond, producing more consistent latency. AWS Application Auto Scaling can manage provisioned concurrency with target tracking, which helps align provisioned capacity with usage patterns. DynamoDB on-demand mode already scales automatically for table throughput, and DAX would mainly help read-heavy caching scenarios, not Lambda initialization delay. CloudFront may reduce network latency for cacheable content, but it does not remove Lambda cold starts for dynamic API calls. (AWS Documentation)

===============

This option allows the solutions architect to use Aurora global database to replicate data across multiple AWS Regions with low latency and high availability1. By launching the solution in the target Region, the solutions architect can ensure that the API Gateway, Lambda functions, and other resources are ready to serve traffic in case of a disaster in the source Region. By configuring the two Regional solutions to work in an active-passive configuration, the solutions architect can minimize costs and avoid data conflicts by having only one primary Region that accepts write operations and one secondary Region that serves as a standby2. The RTO and RPO requirements can be met by using Aurora global database, which supports sub-second failover times and near real-time replication1.

Working with Amazon Aurora global database

Active-passive failover

The company should use AWS IoT Greengrass to deploy the ML model to the local server and provide local feedback to the factory workers. AWS IoT Greengrass is a service that extends AWS cloud capabilities to local devices, allowing them to collect and analyze data closer to the source of information,react autonomously to local events, and communicate securely with each other on local networks1. AWS IoT Greengrass also supports MLinference at the edge, enabling devices to run ML models locally without requiring internet connectivity2.

The other options are not correct because:

Setting up an Amazon Kinesis video stream from each IP camera to AWS would not work if the factory’s internet connectivity is down. It would also incur unnecessary costs and latency to stream video data to the cloud and back.

Ordering an AWS Snowball device would not be a scalable or cost-effective solution for deploying the ML model. AWS Snowball is a service that provides physical devices for data transfer and edge computing, but it is not designed for continuous operation or frequent updates3.

Deploying Amazon Monitron devices on each IP camera would not work because Amazon Monitron is a service that monitors the condition and performance of industrial equipment using sensors and machine learning, not cameras4.

This solution requires the least amount of effort as it only requires to update the API endpoint to private in API Gateway and create an interface VPC endpoint. Then create a resource policy and attach it to the API. This will make the API only accessible from the VPC and still keep the authentication mechanism intact. Reference:

https://aws.amazon.com/premiumsupport/knowledge-center/private-api-gateway-vpc-endpoint/

https://aws.amazon.com/api-gateway/features/

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

This option will meet the requirements of preventing any new or existing EC2 instances in the OU’s accounts from gaining a public IP address. An SCP is a policy that you can attach to an OU or an account in AWS Organizations to define the maximum permissions for the entities in that OU or account. By creating an SCP that denies the ec2:RunInstances and ec2:AssociateAddress actions when the value of the aws:RequestTag/aws:PublicIp condition key is true, you can prevent any user or role in the OU from launching instances that have a public IP address or attaching a public IP address to existing instances. This will effectively enforce a security best practice and reduce the risk of unauthorized access to your EC2 instances.

The company needs centralized traffic inspection and centralized internet access for multiple workload VPCs connected by a transit gateway. The standard AWS hub-and-spoke pattern for centralized inspection is to use an inspection VPC that hosts network virtual appliances behind a Gateway Load Balancer, and to steer traffic from spoke VPCs through the transit gateway to the inspection VPC. Gateway Load Balancer endpoints are used to privately connect VPCs to the GWLB, allowing traffic to be transparently redirected to the appliances for inspection without changing application configurations.

To ensure symmetric routing for stateful inspection (so that return traffic traverses the same appliance path), appliance mode is enabled on the transit gateway attachment that connects to the inspection VPC. Appliance mode is specifically used with transit gateways and third-party appliances to preserve flow symmetry and avoid asymmetric routing issues.

Option D matches the centralized model: it creates a dedicated inspection VPC that contains the GWLB, endpoints, and the inspection appliance. It updates workload VPC routes to send traffic to the transit gateway and configures the transit gateway route tables to forward relevant traffic to the GWLB endpoints in the inspection VPC. Enabling appliance mode on the transit gateway is the key operational setting to maintain symmetric routing through the appliance fleet for inspected traffic.

Option A is incorrect because it places the inspection components inside an existing workload VPC rather than using a centralized inspection VPC. This increases coupling, makes the architecture harder to manage, and does not match the typical centralized inspection pattern. It also references enabling appliance mode on the GWLB, whereas appliance mode is a transit gateway attachment feature used for routing symmetry with appliances, not a setting “on the GWLB” itself.

Option B is incorrect because it splits the GWLB and endpoints/appliances across different workload VPCs, which complicates the design and is not the intended GWLB pattern. GWLB endpoints are created in VPCs that need to send traffic to the GWLB service; the appliances sit behind the GWLB in the provider/inspection VPC. The option also refers to enabling appliance mode on endpoints, but the appliance mode setting is associated with the transit gateway attachment.

Option C is incorrect because VPC flow logs are for logging and visibility; flow logs do not route traffic. Also, separating “inspection VPC” and “internet access VPC” with the appliances in the internet VPC does not align with the standard GWLB centralized inspection architecture and introduces unnecessary complexity.

Therefore, creating a dedicated inspection VPC with GWLB and endpoints and enabling appliance mode on the transit gateway attachment is the correct centralized approach.

Amazon AppStream 2.0 offers a streamlined solution for rehosting a Windows-based desktop application on AWS with minimal development effort. By creating an AppStream 2.0image that includes the application and using an On-Demand fleet for streaming, the application becomes accessible from any device, including Linux machines. AppStream 2.0 user pools can be used for authentication, simplifying access management without the need for extensive changes to the application or infrastructure.

AWS Documentation on Amazon AppStream 2.0 provides insights into setting up application streaming solutions. This approach is recommended for delivering desktop applications to diverse operating systems without the complexity of managing virtual desktops or extensive application refactoring.

A is the correct answer because it uses Amazon DocumentDB (with MongoDB compatibility) as a key-value database that can scale based on demand and supports encryption in transit and at rest. Amazon DocumentDB is a fully managed document database service that is designed to be compatible with the MongoDB API. It is a NoSQL database that is optimized for storing, indexing, and querying JSON data. Amazon DocumentDB supports encryption in transit using TLS and encryption at rest using AWS Key Management Service (AWS KMS). Amazon DocumentDB also supports provisioned IOPS volumes that can scale up to 64 TiB of storage and 256,000 IOPS per cluster. To connect to Amazon DocumentDB, you can use the instance endpoint, which connects to a specific instance in the cluster, or the cluster endpoint, which connects to the primary instance or one of the replicas in the cluster. Using the cluster endpoint is recommended for high availability and load balancing purposes. References:

https://docs.aws.amazon.com/documentdb/latest/developerguide/what-is.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/security.encryption.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/limits.html

https://docs.aws.amazon.com/documentdb/latest/developerguide/connecting.html

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

Automating the process of increasing service quotas for Amazon EC2 instances in new AWS accounts with minimal operational overhead can be effectively achieved by using Amazon EventBridge, Amazon SNS, and AWS Lambda. An EventBridge rule can detect the creation of a new account and trigger an SNS topic, which in turn invokes a Lambda function. This function can then programmatically request a service quota increase for EC2 instances using the AWS Service Quotas API. This approach streamlines the process, reduces manual intervention, and ensures that new accounts are automatically configured with the desired service quotas.

Amazon EventBridge Documentation: Provides guidance on setting up event rules for detecting AWS account creation.

AWS Lambda Documentation: Details how to create and configure Lambda functions to perform automated tasks, such as requesting service quota increases.

AWS Service Quotas Documentation: Offers information on managing and requesting increases for AWS service quotas programmatically.

The key requirements are: OpenSearch Service must be deployed within a VPC (VPC-only access), and developers must access OpenSearch from their local machines across multiple locations, including home networks. The most suitable low-overhead approach is to provide remote users with secure client-based connectivity into the VPC so they can reach private endpoints.

AWS Client VPN is a managed client-based VPN service that allows individual users to establish secure TLS VPN connections from their devices into a VPC. By associating a Client VPN endpoint with a subnet in the VPC and configuring authorization rules and routes, developers can access private resources (including VPC-only Amazon OpenSearch Service endpoints) as if they were on the corporate network. Client VPN is designed for distributed workforces and supports users connecting from anywhere without requiring each remote location to have dedicated network appliances.

Option A matches the need for remote developer access from home and multiple offices with the least operational overhead because it is a managed service for user-based VPN access and does not require running and maintaining bastion fleets or building site-to-site networks for each location.

Option B is not correct because AWS Site-to-Site VPN is designed to connect networks (for example, an office network or data center) to AWS, not to provide individual developers remote access from arbitrary home networks. Also, instructing developers to use an OpenVPN client does not align with how Site-to-Site VPN is typically used; Site-to-Site VPN terminates on a customer gateway device, not on individual laptops.

Option C is not correct because Direct Connect is designed for dedicated private connectivity between on-premises networks and AWS. It is not a solution for individual developers connecting from home. Additionally, using a public VIF is for reaching public AWS endpoints, whereas the requirement is to keep access within a VPC. A public VIF does not provide private VPC access to VPC-only service endpoints.

Option D is not the best choice because a bastion host provides SSH access to instances, not direct, secure network-level access to VPC-only managed service endpoints from developer tools. It also increases operational overhead (patching, hardening, monitoring, scaling) and introduces additional security considerations. Developers also typically need browser-based or tool-based access to OpenSearch Dashboards, which is better served by VPN access into the VPC than SSH tunneling through a bastion host as a primary access mechanism.

Therefore, configuring AWS Client VPN to provide developers with secure connectivity into the VPC is the correct solution.

Reference architecture -https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-saas.html

Note from documentation that Interface Endpoint is at client side

C is correct because:

AWS WAF integrates natively with API Gateway and protects against common web exploits (e.g., SQL injection, XSS).

Amazon Inspector can scan the legacy EC2 instance for known vulnerabilities.

Amazon GuardDuty is a continuous security monitoring service that detects threats butdoes not blocktraffic (B and D are incorrect because GuardDuty doesn’t block).

https://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-eventbridge.html " Activating an AWS Step Functions state machine " https://docs.aws.amazon.com/step-functions/latest/dg/tutorial-creating-lambda-state-machine.html

The correct answer is A because the control must prevent creation of new EC2 instances and EBS volumes unless the required Project tag is supplied in the launch request. The relevant API action is ec2:RunInstances, not ec2:StartInstances. AWS supports enforcing tags at resource creation by using request tag condition keys such as aws:RequestTag/Project. A deny statement with the Null condition set to true blocks the request when the tag is missing. aws:CostAllocationTag is not the correct condition key for authorization at launch time; cost allocation tags are for billing categorization after tags exist. AWS tagging guidance specifically shows deny policies for ec2:RunInstances when a required cost allocation-style tag is not present in the request. (AWS Documentation)

===============

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

The application is business-critical with an SLA requirement of 99.95% uptime and is currently limited by an on-premises data center. The architecture includes a PostgreSQL database and separate business logic and presentation layers. Remote users experience high latency when accessing the application, which is latency-sensitive.

To meet or exceed a 99.95% SLA for the database while minimizing operational burden, a managed database service with built-in high availability is preferred. Amazon Aurora PostgreSQL-compatible editions provide high availability and durability by automatically replicating data across multiple Availability Zones in a Region. Aurora can offer higher availability and faster failover compared to self-managed databases on EC2, and offloads patching, backups, and maintenance.

For the application and presentation layers, running them on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer preserves the basic architecture (stateless application servers behind a load balancer) while moving to a managed, highly available environment that can scale out and in automatically based on demand. This results in minimal changes to the application components and provides improved resilience compared to on-premises VMs.

Remote users experience slow load times because their desktop clients connect over higher-latency networks to the on-premises servers. By using Amazon AppStream 2.0, the application can be streamed from AWS to end users. AppStream 2.0 runs the desktop application close to the backend database and application servers within AWS, and streams only the display and input over the network. This significantly reduces the effect of latency between the user and the application backend, improving user experience, especially for latency-sensitive desktop applications, without requiring major changes to the application itself.

Option A uses a PostgreSQL database on EC2, which requires the customer to manage availability, backups, patching, and failover. This does not provide the same managed high-availability guarantees as Aurora or RDS Multi-AZ. It also suggests allocating a full Amazon WorkSpaces desktop per user, which can be more expensive and more complex than streaming only the application via AppStream 2.0.

Option C uses Amazon RDS for PostgreSQL with Multi-AZ configuration, which provides high availability and is a valid managed option. However, it runs the application and presentation layers on Fargate containers behind a Network Load Balancer. NLB is typically used for TCP-level load balancing and is better suited for protocols that require low-level handling, whereas HTTP/HTTPS web applications are commonly placed behind an Application Load Balancer, which provides advanced HTTP routing features. Also, ElastiCache can reduce database load and improve response times but does not directly solve the end-user network latency issue in a desktop client scenario.

Option D is incorrect because Amazon Redshift is a data warehouse service, not an operational PostgreSQL-compatible database for transaction processing. It is not appropriate for hosting the application’s primary relational database. CloudFront accelerates delivery of static and cached web content, not interactive desktop client-server traffic.

Therefore, migrating the database to Aurora PostgreSQL, running the application and presentation layers on EC2 Auto Scaling behind an Application Load Balancer, and using Amazon AppStream 2.0 to deliver the application to remote users (option B) meets the availability requirements, improves user experience, requires relatively little change to the application architecture, and minimizes operational costs compared to more complex or less-managed alternatives.

B is correct because the problem is caused by inconsistent query-string casing leading to CloudFront cache misses, and the best place to normalize the request is at the CloudFront edge before cache-key evaluation. CloudFront Functions run at the edge with very low latency and are intended for lightweight request manipulations (for example, normalizing URLs, headers, and query strings) on viewer request events. By sorting query parameters and converting them to lowercase on the viewer request, CloudFront will treat semantically equivalent requests as the same cache key, increasing cache hit ratio and reducing the number of origin calls to API Gateway and downstream Lambda invocations. This directly reduces latency for global users.

Why the other options are less suitable:

A (Lambda@Edge on origin request): Lambda@Edge can also modify requests, but it is heavier-weight than CloudFront Functions for simple normalization logic. Also, doing this on origin request occurs after CloudFront has already decided whether there is a cache hit. If the cache key is still based on the original mixed-case query string at the viewer side, you won’t consistently prevent cache misses. Normalization must happen before cache lookup to maximize cache hits.

C (API Gateway mapping templates): This normalizes the request only after it has already missed in CloudFront and reached the origin. It does not fix CloudFront cache fragmentation, so it does not meet the “minimal latency” goal as effectively.

D (Lambda authorizer): Lambda authorizers are for authorization/authentication decisions. Using an authorizer for query normalization adds unnecessary overhead and still happens at API Gateway (origin), not at CloudFront before cache evaluation.

Migrating the containers that run the application to AWS Fargate for Amazon Elastic Container Service (Amazon ECS) will meet the requirement of not administering the Docker hosting environment. AWS Fargate is a serverless compute engine that runs containerswithout requiring any infrastructure management3. Creating an Amazon Elastic File System (Amazon EFS) file system and adding a volume to the Fargate task definition to point to the EFS file system will meet the requirement of low-latency storage that will automatically scale throughput to meet increased demand. Amazon EFS is a fully managed file system service that provides shared access to data from multiple containers, supports NFSv4 protocol, and offers consistent performance and high availability4. Amazon EFS also supports automatic scaling of throughput based on the amount of data stored in the file system5.

The awsvpc network mode provides each task with its own elastic network interface (ENI) and a primary private IP address1. By using this network mode, the solutions architect can isolate the tasks from each other and apply security groups to the tasks directly2. This way, the solutions architect can control the inbound and outbound traffic at the task level and enforce the least privilege principle3. IAM roles for tasks allow the solutions architect to assign permissions to each task separately, so that they can access other AWS resources that they need4. By using IAM roles for tasks, the solutions architect can avoid passing IAM credentials into the container at launch time, which is less secure and more prone to errors5.

awsvpc network mode

Task networking with the awsvpc network mode

Security groups for your VPC

IAM roles for tasks

Best practices for managing AWS access keys

A. High performance computing (HPC) workload cluster should be in a single AZ.

C. Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instances to accelerate High Performance Computing (HPC)

F. Amazon FSx for Lustre - Use it for workloads where speed matters, such as machine learning, high performance computing (HPC), video processing, and financial modeling.

Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of HPC applications.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html

https://docs.aws.amazon.com/codedeploy/latest/userguide/integrations-aws-auto-scaling.html

Option A is correct because SageMaker AI Notebook Instances support Git repositories as SageMaker resources, and private repository credentials can be stored in AWS Secrets Manager. This satisfies the requirement with the least operational overhead because the notebook instances can remain isolated from direct internet access while SageMaker manages repository association and authentication. Placing credentials inside a URL is insecure and does not properly solve credential management. NAT gateway options introduce internet egress into the VPC, which conflicts with the isolation requirement and adds operational and security complexity. Network ACLs are not suitable for controlling access to a specific Git URL because they operate at the subnet and IP/port level, not at an application URL level. (AWS Documentation)

===============