SAP-C02 Amazon Web Services AWS Certified Solutions Architect - Professional Free Practice Exam Questions (2026 Updated)

The requirements call for an event-driven redesign that uses serverless services and provides near real-time analytics updates. The current architecture relies on weekly ETL jobs, which is incompatible with near real-time analytics.

A serverless, event-driven architecture on AWS typically uses a managed event bus for decoupling producers and consumers and enabling routing/filtering to multiple targets. The analytics requirement suggests that events (orders, returns, updates) should be streamed to an analytics store continuously rather than copied on a weekly schedule.

Option C aligns with these goals. It modernizes the application components into microservices on a serverless compute substrate (AWS Fargate) and modernizes the databases to managed serverless offerings where possible. Aurora Serverless for MySQL provides an on-demand relational database option that reduces operational overhead for the transactional store. Redshift Serverless provides a managed data warehousing service suitable for analytics without provisioning clusters. Using Amazon EventBridge provides a serverless event routing layer that can deliver events from multiple sources to multiple targets, which supports near real-time propagation of business events from the applications into analytics ingestion and processing.

Option A is not fully aligned: it retains the transactional MySQL database on EC2 (not serverless/managed for the database layer) and moves analytics to Amazon Neptune, which is a graph database, not the typical replacement for an OLAP analytics database. SQS is a queue suited for point-to-point message processing, not a flexible event bus for fan-out to multiple analytics consumers and routing based on event patterns.

Option B is not serverless because it uses EC2 Auto Scaling groups for application compute. Although SNS can distribute messages, this option keeps compute server-based and does not directly provide a near real-time analytics warehouse pattern; it also uses Aurora MySQL for analytics, which is not a typical OLAP warehouse replacement compared to Redshift.

Option D is not appropriate: Amazon AppStream 2.0 is a service for streaming desktop applications to users, not for hosting microservices. AWS IoT Core is optimized for IoT device messaging and telemetry and is not the standard integration backbone for business application event routing across microservices and analytics.

Therefore, option C best satisfies the requirement for an event-driven, serverless architecture with near real-time analytics.

" The AWS WAF API supports security automation such as blacklisting IP addresses thatexceed request limits, which can be useful for mitigating HTTP flood attacks. " > https://aws.amazon.com/blogs/security/how-to-protect-dynamic-web-applications-against-ddos-attacks-by-using-amazon-cloudfront-and-amazon-route-53/

The company wants three things: minimize client-to-broker latency within the same Availability Zone, increase available bandwidth, and increase the scaling speed of the MSK cluster. The current brokers are Standard brokers (two per AZ). Clients use default settings, which means they are not explicitly configured for rack awareness or AZ affinity.

A common way to reduce latency in multi-AZ Kafka deployments is to enable rack awareness on clients and brokers so clients prefer brokers in the same “rack,” which can map to an Availability Zone. In Kafka, the client.rack setting allows the client to include rack information so the broker can return metadata that helps the client select replicas that are closest, reducing cross-AZ traffic and improving latency.

To increase bandwidth and improve scaling speed, the most direct approach in the choices is to move from Standard brokers to Express brokers. Express brokers are designed to provide higher throughput and faster scaling characteristics compared to standard broker types. Since the question explicitly calls out increasing available bandwidth and scaling speed, the broker type change is the key lever, and it can be combined with client.rack configuration to minimize cross-AZ latency.

Option C matches these requirements: it replaces Standard brokers with Express brokers (to improve throughput/bandwidth and scaling speed) and sets client.rack to the Availability Zone identifier (az_id) to improve locality and reduce latency between clients and brokers in the same AZ.

Option A is not appropriate because MSK does not use EC2 Auto Scaling predictive scaling in that manner, and Kafka clients/brokers are not “associated” with an EC2 placement group as a primary latency solution in MSK. Placement groups are for EC2 instance placement; MSK broker placement is managed by the service.

Option B introduces a proxy layer and MSK Connect in a way that increases complexity and does not directly guarantee lower latency or higher bandwidth. MSK Connect is for Kafka Connect workloads, not as a general-purpose low-latency routing proxy for Kafka clients. Cruise Control is used for partition rebalancing and cluster optimization, but it does not replace the benefits of higher-throughput broker types and client rack awareness for AZ locality.

Option D increases broker size and introduces PrivateLink endpoints. PrivateLink is about private connectivity from VPCs to services and does not inherently ensure AZ-local broker selection or reduce latency between clients and brokers in the same AZ. Also, resizing to xlarge increases capacity but does not address scaling speed and locality as directly as express brokers plus rack configuration.

Therefore, option C best meets all requirements.

Configuring the Aurora MySQL DB cluster to publish slow query and error logs to AmazonCloudWatch Logs will allow the solutions architect to monitor and troubleshoot the database performance by identifying slow or problematic queries1. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Implementing the AWS X-Ray SDK to trace incoming HTTP requests on the EC2 instances and implement tracing of SQL queries with the X-Ray SDK for Java will allow the solutions architect to measure and map the end-to-end latency and performance of the web application3. X-Ray traces show how requests travel through the application components, such as web servers, load balancers, microservices, and databases4. X-Ray also provides features such as service maps, annotations, histograms, and error rates to analyze and optimize the application performance.

Installing and configuring an Amazon CloudWatch Logs agent on the EC2 instances to send the Apache logs to CloudWatch Logs will allow the solutions architect to monitor and troubleshoot the web server performance by collecting and storing the Apache access and error logs. CloudWatch Logs also provides features such as metric filters, alarms, and dashboards to analyze and visualize the log data2.

Publishing Aurora MySQL logs to Amazon CloudWatch Logs

Working with log data in CloudWatch Logs

Instrumenting your application with the X-Ray SDK for Java

Tracing requests with AWS X-Ray

[Analyzing application performance with AWS X-Ray]

[Using CloudWatch Logs with your Apache web server]

Amazon Kinesis Data Streams is a service that enables real-time data ingestion and processing. Amazon DynamoDB is a NoSQL database that does not require fixed schemas for storage. By using Kinesis Data Streams and DynamoDB, the company can send the JSON data to a database that can handle schemaless data in real time. References:

https://docs.aws.amazon.com/streams/latest/dev/introduction.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server toannounce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.

https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

For an EC2 instance to appear as a managed instance in AWS Systems Manager, several prerequisites must be met. Two of the most fundamental requirements are that the Systems Manager Agent (SSM Agent) is installed and running on the instance, and that the instance has an IAM role attached that grants the necessary permissions for Systems Manager to communicate with the service.

When importing a VM from an on-premises environment, the resulting AMI might not include the SSM Agent by default, or the agent might not be enabled to start automatically. If the agent is missing or not running, the instance cannot register with Systems Manager, and it will not appear in the Systems Manager console as a managed instance. Therefore, verifying that the SSM Agent is installed and running is a primary troubleshooting step.

Additionally, the EC2 instance must have an IAM instance profile (role) attached that includes the permissions required by Systems Manager. Typically, this is achieved by attaching a role that includes the AmazonSSMManagedInstanceCore managed policy. Without the appropriate IAM role, even a correctly installed and running agent will not be able to register the instance or perform Systems Manager operations.

Option C (VPC endpoint existence) is not required in this scenario because the instance is in a public subnet and has a public IP address. In this case, the instance can communicate with the Systems Manager endpoints over the internet. VPC endpoints are required when instances do not have internet access (for example, in private subnets without NAT or public IPs), which is not the case here.

Option D (Application Discovery Agent) is unrelated. The AWS Application Discovery Agent is used for migration assessment and discovery of on-premises workloads, not for Systems Manager managed instance registration.

Option E (service-linked roles) is generally not a common cause for a single instance failing to appear as managed, especially when other Systems Manager functionality is working in the account. Service-linked roles for Systems Manager are usually created automatically when needed and do not typically prevent an individual instance from registering if the agent and instance role are correctly configured.

Therefore, the correct troubleshooting steps are to verify the presence and operation of the Systems Manager Agent and to ensure the EC2 instance has the correct IAM role attached.

The company’s goal is to modernize the application while minimizing operational overhead. The current architecture relies heavily on self-managed EC2 instances for web serving, APIs, search, and relational data storage. This increases operational burden related to patching, scaling, availability, and troubleshooting.

Option B replaces self-managed components with fully managed AWS services that are purpose-built for each workload type. Hosting the static web application on Amazon S3 with Amazon CloudFront removes the need to manage web servers such as NGINX and provides global content delivery with built-in scalability and high availability. Migrating the search data to Amazon OpenSearch Service eliminates the need to manage an EC2-based OpenSearch node, providing a managed search service with built-in scaling, patching, and monitoring. Migrating PostgreSQL to Amazon Aurora PostgreSQL removes the operational overhead of managing database instances on EC2 and provides managed backups, high availability, and performance optimizations. Running APIs on AWS App Runner further reduces operational effort by abstracting infrastructure management, scaling, and deployment, allowing the team to focus on application code.

Option A still requires running and operating containerized databases and search engines, which is not recommended and does not significantly reduce operational overhead compared to EC2-based deployments. Databases and OpenSearch are better consumed as managed services rather than as containers.

Option C introduces Amazon EKS, which adds significant operational complexity. Even with managed node groups, Kubernetes requires cluster management, networking configuration, upgrades, and ongoing operational expertise. This contradicts the requirement for the least operational overhead.

Option D attempts to run databases and OpenSearch on AWS App Runner. App Runner is designed for stateless web services and APIs, not for stateful services such as databases or search engines. This architecture is not aligned with AWS best practices and would introduce reliability and operational challenges.

Therefore, using managed services such as Amazon CloudFront, Amazon S3, Amazon OpenSearch Service, Amazon Aurora PostgreSQL, and AWS App Runner provides the most modern architecture with the least operational overhead.

Option A is correct because using an Elastic Load Balancer and an Auto Scaling group with a minimum capacity of two instances can improve the availability and scalability of the EC2 instances that host the application. The load balancer can distribute traffic across multiple instances and the Auto Scaling group can replace any unhealthy instances automatically1

Option D is correct because modifying the DB instance to create a Multi-AZ deployment that extends across two Availability Zones can improve the availability and durability of the RDS for MariaDB database. Multi-AZ deployments provide enhanceddata protection and minimize downtime by automatically failing over to astandby replica in another Availability Zone in case of a planned or unplanned outage4

Option F is correct because creating a replication group for the ElastiCache for Redis cluster and enabling Multi-AZ on the cluster can improve the availability and fault tolerance of the in-memory data store. A replication group consists of a primary node and up to five read-only replica nodes that are synchronized with the primary node using asynchronous replication. Multi-AZ allows automatic failover to one of the replicas if the primary node fails or becomes unreachable6

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-manage-auto-deployment.html

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/placement-groups.html#placement- groups-cluster

This option allows the company to use a single VPC to host multiple test environments that are isolated from each other by using different subnets and security groups1. By including a transit gateway attachment and related routing configurations, the company can enable the test environmentsto communicate with the central server in the on-premises data center through a VPN connection2. By using AWS CloudFormation to deploy all test environments into the VPC, the company can automate the creation and deletion of test environments without any manual intervention3. This option also minimizes the operational overhead by reducing the number of VPCs, accounts, and resources that need to be managed.

Working with VPCs and subnets

Working with transit gateways

Working with AWS CloudFormation stacks

This solution will meet the requirements with the least operational overhead because it allows the company to modify the existing environment ' s capacity configuration, so it becomes a load-balanced environment type. By selecting all availability zones, the company can ensure that the application is running in multiple availability zones, which can help to improve the availability and scalability of the application. The company can also add a scale-out rule that will run if the average CPU utilization is over 85% for 5 minutes, which can help to mitigate the performance issues. This solution does not require creating new Elastic Beanstalk environments or rebuilding the existing one, which reduces the operational overhead.

You can refer to the AWS Elastic Beanstalk documentation for more information on how to use this service:https://aws.amazon.com/elasticbeanstalk/You can refer to the AWS documentation for more information on how to use autoscaling:https://aws.amazon.com/autoscaling/

On-demand capacity mode is the function of Dynamodb.https://aws.amazon.com/blogs/news/running-spiky-workloads-and-optimizing-costs-by-more-than-90-using-amazon-dynamodb-on-demand-capacity-mode/

Amazon DocumentDB Elastic Clustershttps://aws.amazon.com/blogs/news/announcing-amazon-documentdb-elastic-clusters/

Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application. This will provide high availability and scalability, while allowing the company to retain the same database structure as the original application.

Deploying the application on Amazon EKS with managed node groups simplifies the operational overhead of managing the Kubernetes cluster. Running the web servers and application as Kubernetes deployments ensures that the desired number of pods are always running and can scale up or down as needed. Storing the frontend web server session data in an Amazon DynamoDB table provides a fast, scalable, and durable storage option that can be accessed across multiple Availability Zones. Creating an Amazon EFS volume that all applications will mount at the time of deployment allows the application to share data that is frequently accessed between the web and application tiers. References:

https://docs.aws.amazon.com/eks/latest/userguide/managed-node-groups.html

https://docs.aws.amazon.com/eks/latest/userguide/deployments.html

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

https://docs.aws.amazon.com/efs/latest/ug/mounting-fs.html

https://docs.aws.amazon.com/firehose/latest/dev/creating-the-stream-to-splunk.html

A is correct:Quota request templates must be created in us-east-1, the only region that supports them. You specify the desired quotain the correct target Region(ap-southeast-2) for SageMaker training and endpoint usage. This enablesautomatic quota increasesfor newly created accounts in the org.

B, C, and D misconfigure either region or quota type.

The best solution is to upload files from the mobile software directly to Amazon S3, use S3 event notifications to create a message in an Amazon Simple Queue Service (Amazon SQS) standard queue, and invoke an AWS Lambda function to perform image processing when a message is available in the queue. This solution will ensure that image processing can scale to handle the load, as Amazon S3 can store any amount of data and handle concurrent uploads, Amazon SQS can buffer the messages and deliver them reliably, and AWS Lambda can run code without provisioning or managing servers and scale automatically based on the demand. This solution will also notify the user when processing is complete by sending a push notification to the mobile app using Amazon Simple Notification Service (Amazon SNS), which is a web service that enables applications to send and receive notifications from the cloud. This solution is more cost-effective than using Amazon MQ, which is a managed message broker service for Apache ActiveMQ that requires a dedicated broker instance, or S3 Batch Operations, which is a feature that allows users to perform bulk actions on S3 objects, such as copying or tagging, but does not support custom code execution. This solution is also more suitable than using Amazon Simple Email Service (Amazon SES), which is a web service that enables applications to send and receive email messages, but does not support push notifications for mobile devices. References: Amazon S3 Documentation, Amazon SQS Documentation, AWS Lambda Documentation, Amazon SNS Documentation

B is correct because the requirement is to allocate shared EC2 infrastructure costs (ECS on EC2, shared cluster) down to the business groups with the least operational effort. With shared compute, the EC2 line-item charges are not naturally per “task,” so you need a cost allocation feature that can split shared costs using workload metadata. Split cost allocation data combined with the AWS Cost and Usage Report (CUR) and resource tags provides the standard AWS mechanism to distribute (“split”) shared resource costs across consumers for chargeback/showback reporting. This avoids operationally heavy changes (like redesigning clusters) and supports automated reporting.

Why the other options are incorrect:

A: Tagging the Auto Scaling group can only attribute costs at the ASG level, not split costs between multiple business groups sharing the same cluster capacity. It does not solve per-business-group allocation when capacity is shared.

C: Separate clusters per group would work but is higher operational overhead (more clusters to manage, scaling policies, capacity planning, governance), which violates the “least operational overhead” requirement.

D: Cost Categories are useful for mapping and organizing costs, but by themselves they do not solve the underlying need to split shared EC2 costs among multiple consumers unless you already have an accurate split basis. Option B directly targets split allocation of shared costs with tagging and CUR.

Comprehensive and Detailed Explanation:

Option C is the most comprehensive and aligns with AWS best practices for cost optimization without compromising availability or performance:

AWS Compute Optimizer provides recommendations to rightsize EC2 instances, EBS volumes, and Lambda functions based on utilization metrics. By opting in, the company can receive tailored suggestions for optimizing resource configurations.

AWS Trusted Advisor offers cost optimization checks, including identifying idle or underutilized resources, which can be rightsized or terminated to reduce costs.

Implementing recommendations from Compute Optimizer and Trusted Advisor ensures that resources are appropriately sized, leading to cost savings without affecting performance.

Auto Scaling groups help maintain application availability and allow automatic scaling of EC2 instances based on demand, ensuring that compute capacity aligns with workload requirements.

Compute Savings Plans provide flexible pricing for EC2, AWS Lambda, and AWS Fargate usage, offering significant savings over On-Demand pricing in exchange for a commitment to a consistent amount of usage.

This approach ensures cost optimization while maintaining the necessary compute capacity and availability for production workloads.

The most effortless way to ensure that all new Amazon Elastic Block Store (EBS) volumes are encrypted at rest is to enable EBS encryption by default in all AWS Regions. This setting automatically encrypts all new EBS volumes and snapshots created in the account, thereby ensuring compliance with encryption policies without the need for manual intervention or additional monitoring.

AWS Documentation on Amazon EBS encryption provides guidance on enabling EBS encryption by default. This approach aligns with AWS best practices for data protection and compliance, ensuring that all new EBS volumes adhere to encryption requirements with minimal operational effort.

Deploy DataSync Agent:

Install the AWS DataSync agent as a VM in your Hyper-V environment. This agent facilitates the data transfer between your on-premises storage and AWS.

Configure Source and Destination:

Set up the source location to point to your on-premises NFS server where the image batches are stored.

Configure the destination location to be an Amazon S3 bucket with the Glacier Deep Archive storage class. This storage class is cost-effective for long-term storage with retrieval times of up to 12 hours.

Create DataSync Tasks:

Create and configure DataSync tasks to manage the data transfer. Schedule these tasks to run during non-business hours to minimize bandwidth usage during peak times. The tasks will handle the copying of data batches from the NFS server to the S3 bucket.

Set Bandwidth Limits:

In the DataSync configuration, set bandwidth limits to control the amount of data being transferred at any given time. This ensures that your network ' s performance is not adversely affected during business hours.

Delete On-Premises Data:

After successfully copying the data to S3 Glacier Deep Archive, configure the DataSync task to delete the data from your on-premises NFS server. This helps manage storage capacity on-premises and ensures data is securely archived on AWS.

This approach leverages AWS DataSync for efficient, secure, and automated data transfer, and S3 Glacier Deep Archive for cost-effective long-term storage.

References

AWS DataSync Overview【41】.

AWS Storage Blog on DataSync Migration【40】.

Amazon S3 Transfer Acceleration Documentation【42】.

IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment.https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html

By reducing the number of data nodes in the cluster to 2 and adding UltraWarm nodes to handle the expected capacity, the company can reduce the cost of running the cluster. Additionally, configuring the indexes to transition to UltraWarm when OpenSearch Service ingests the data will ensure that the data is stored in the most cost-effective manner. Finally, transitioning the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy will ensure that the data is retained for compliance purposes, while also reducing the ongoing costs.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual