Amazon SAP-C02 Exam (page: 4)
Amazon AWS Certified Solutions Architect - Professional SAP-C02
Updated on: 07-Feb-2026

Viewing Page 4 of 68

A security engineer determined that an existing application retrieves credentials for an Amazon RDS for MySQL database from an encrypted file in Amazon S3. For the next version of the application, the security engineer wants to implement the following application design changes to improve security:

- The database must use strong, randomly generated passwords stored in a secure AWS managed service.
- The application resources must be deployed through AWS CloudFormation.
- The application must rotate credentials for the database every 90 days.

A solutions architect will generate a CloudFormation template to deploy the application.

Which resources specified in the CloudFormation template will meet the security engineer’s requirements with the LEAST amount of operational overhead?

  1. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days.
  2. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Create an AWS Lambda function resource to rotate the database password. Specify a Parameter Store RotationSchedule resource to rotate the database password every 90 days.
  3. Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Create an Amazon EventBridge scheduled rule resource to trigger the Lambda function password rotation every 90 days.
  4. Generate the database password as a SecureString parameter type using AWS Systems Manager Parameter Store. Specify an AWS AppSync DataSource resource to automatically rotate the database password every 90 days.

Answer(s): A

Explanation:

A) Generate the database password as a secret resource using AWS Secrets Manager. Create an AWS Lambda function resource to rotate the database password. Specify a Secrets Manager RotationSchedule resource to rotate the database password every 90 days is the correct answer. Secrets Manager generates the password (GenerateSecretString on the AWS::SecretsManager::Secret resource), stores it encrypted with AWS KMS, and owns rotation: an AWS::SecretsManager::RotationSchedule resource with RotationRules.AutomaticallyAfterDays set to 90 invokes the rotation Lambda function on that cadence, and an AWS::SecretsManager::SecretTargetAttachment resource ties the secret to the RDS instance so the rotation function knows which database to update. The RDS resource reads the generated value through a dynamic reference ({{resolve:secretsmanager:...}}) rather than a stack parameter, so the password never appears in the template, in the stack's parameter history, or in a file in S3.

Option B is wrong because Parameter Store has no rotation feature and no RotationSchedule resource type; a SecureString parameter is only an encrypted value that something else has to rotate. Option C works, but the team then owns the schedule, the rotation state machine and the failure handling that Secrets Manager already provides, so it carries more operational overhead. Option D is wrong because an AWS AppSync DataSource is a GraphQL resolver target and has nothing to do with rotating credentials.

Two implementation points: the RotationSchedule can specify HostedRotationLambda (RotationType MySQLSingleUser) so that CloudFormation provisions the rotation function for you, and the application must fetch the secret at run time and re-read it when a database login fails, because a value cached at startup goes stale after each rotation.
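The following Python is an added illustration, not code from the exam page: it holds a constructed "before" template (password as a NoEcho stack parameter) next to the "after" template that answer A describes, both in CloudFormation's JSON form, and a small audit function that checks the design requirements. The resource types and property names are the documented CloudFormation ones; the logical IDs, instance sizing and the 90-day threshold are assumptions for the example, and the check only understands RotationRules.AutomaticallyAfterDays, not ScheduleExpression.

```python
import json

MAX_ROTATION_DAYS = 90

# Constructed "before" template: a NoEcho parameter means a human picks the
# password, it is recorded in the stack's parameters, and nothing rotates it.
WEAK_TEMPLATE = {
    "Parameters": {"DBPassword": {"Type": "String", "NoEcho": True}},
    "Resources": {
        "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
            "Engine": "mysql", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
            "MasterUsername": "admin", "MasterUserPassword": {"Ref": "DBPassword"}}},
    },
}

def _dyn(secret_logical_id, key):
    """Dynamic reference to one key of a Secrets Manager secret created in this stack."""
    return {"Fn::Join": ["", ["{{resolve:secretsmanager:", {"Ref": secret_logical_id},
                              ":SecretString:" + key + "}}"]]}

# Constructed "after" template matching answer A (logical IDs are made up).
SECURE_TEMPLATE = {"Resources": {
    "DBSecret": {"Type": "AWS::SecretsManager::Secret", "Properties": {
        "GenerateSecretString": {"SecretStringTemplate": json.dumps({"username": "admin"}),
                                 "GenerateStringKey": "password", "PasswordLength": 32,
                                 "ExcludeCharacters": "\"@/\\"}}},
    "AppDB": {"Type": "AWS::RDS::DBInstance", "Properties": {
        "Engine": "mysql", "DBInstanceClass": "db.t3.micro", "AllocatedStorage": "20",
        "MasterUsername": _dyn("DBSecret", "username"),
        "MasterUserPassword": _dyn("DBSecret", "password")}},
    # Adds host, port and engine to the secret so the rotation function can log in.
    "DBSecretAttachment": {"Type": "AWS::SecretsManager::SecretTargetAttachment", "Properties": {
        "SecretId": {"Ref": "DBSecret"}, "TargetId": {"Ref": "AppDB"},
        "TargetType": "AWS::RDS::DBInstance"}},
    # HostedRotationLambda makes CloudFormation provision the rotation function itself.
    "DBSecretRotation": {"Type": "AWS::SecretsManager::RotationSchedule",
        "DependsOn": "DBSecretAttachment", "Properties": {
        "SecretId": {"Ref": "DBSecret"},
        "HostedRotationLambda": {"RotationType": "MySQLSingleUser"},
        "RotationRules": {"AutomaticallyAfterDays": MAX_ROTATION_DAYS}}},
}}

def _secret_ref(value):
    """Logical ID of the secret a password value resolves through, or None if the
    value is not a {{resolve:secretsmanager:...}} dynamic reference."""
    parts = value.get("Fn::Join", [None, []])[1] if isinstance(value, dict) else []
    if any(isinstance(p, str) and p.startswith("{{resolve:secretsmanager:") for p in parts):
        for p in parts:
            if isinstance(p, dict) and "Ref" in p:
                return p["Ref"]
    return None

def audit(template):
    """Return a list of findings for every RDS instance in the template; an empty
    list means every master password is generated by Secrets Manager and rotated
    at least every MAX_ROTATION_DAYS days."""
    findings = []
    resources = template.get("Resources", {})
    params = template.get("Parameters", {})
    schedules = {}
    for res in resources.values():
        if res["Type"] == "AWS::SecretsManager::RotationSchedule":
            sid = res["Properties"].get("SecretId")
            if isinstance(sid, dict) and "Ref" in sid:
                schedules[sid["Ref"]] = res["Properties"]
    for name, res in resources.items():
        if res["Type"] != "AWS::RDS::DBInstance":
            continue
        pwd = res["Properties"].get("MasterUserPassword")
        if isinstance(pwd, str):
            findings.append(f"{name}: MasterUserPassword is a literal in the template")
            continue
        if isinstance(pwd, dict) and pwd.get("Ref") in params:
            findings.append(f"{name}: MasterUserPassword comes from stack parameter "
                            f"{pwd['Ref']}; nothing rotates it")
            continue
        secret = _secret_ref(pwd)
        if secret is None:
            findings.append(f"{name}: MasterUserPassword is not a Secrets Manager dynamic reference")
            continue
        sched = schedules.get(secret)
        if sched is None:
            findings.append(f"{name}: secret {secret} has no RotationSchedule")
        elif sched.get("RotationRules", {}).get("AutomaticallyAfterDays", 10**9) > MAX_ROTATION_DAYS:
            findings.append(f"{name}: secret {secret} rotates less often than every "
                            f"{MAX_ROTATION_DAYS} days")
    return findings

if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("secure", SECURE_TEMPLATE)):
        print(label, audit(template) or "OK")
```

The audit reads the template the way a pre-deployment pipeline check would: it refuses literal passwords and parameter-supplied passwords outright, and for dynamic references it follows the Ref back to a RotationSchedule and compares the cadence against the 90-day requirement.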



A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.

Which solutions meet these requirements? (Choose two.)

  1. Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
  2. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
  3. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
  4. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
  5. Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.

Answer(s): A,C

Explanation:

A) Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type and
C) Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables are the correct answers. Both are fully managed and serverless, scale with request volume, and terminate HTTPS on API Gateway.

With a REST API, the AWS integration type can call any AWS service API directly, so a method can invoke DynamoDB's GetItem or Query through a mapping template and an integration role with no Lambda function in the path. HTTP APIs support first-class integrations with only a short list of services (for example SQS, EventBridge, Kinesis Data Streams, Step Functions and AppConfig), and DynamoDB is not one of them, which rules out option B; an HTTP API therefore needs a Lambda function to read the tables, which is option C. Option D is wrong because AWS Global Accelerator fronts endpoints such as load balancers, EC2 instances and Elastic IPs and does not integrate with Lambda@Edge. Option E is wrong because a Network Load Balancer cannot use Lambda functions as targets (an Application Load Balancer can, but that is not among the options).

For option A the security work is in the mapping template and the integration role: scope the role to the specific tables and actions (dynamodb:GetItem and dynamodb:Query on the table ARNs rather than dynamodb:*), and build the DynamoDB request with $input.json() or $util.escapeJavaScript() instead of interpolating raw client input, since that template is all that stands between a public caller and the table.



A company has registered 10 new domain names. The company uses the domains for online marketing. The company needs a solution that will redirect online visitors to a specific URL for each domain. All domains and target URLs are defined in a JSON document. All DNS records are managed by Amazon Route 53.

A solutions architect must implement a redirect service that accepts HTTP and HTTPS requests.
Which combination of steps should the solutions architect take to meet these requirements with the LEAST amount of operational effort? (Choose three.)

  1. Create a dynamic webpage that runs on an Amazon EC2 instance. Configure the webpage to use the JSON document in combination with the event message to look up and respond with a redirect URL.
  2. Create an Application Load Balancer that includes HTTP and HTTPS listeners.
  3. Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL.
  4. Use an Amazon API Gateway API with a custom domain to publish an AWS Lambda function.
  5. Create an Amazon CloudFront distribution. Deploy a Lambda@Edge function.
  6. Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names.

Answer(s): B,C,F

Explanation:

B) Create an Application Load Balancer that includes HTTP and HTTPS listeners,
C) Create an AWS Lambda function that uses the JSON document in combination with the event message to look up and respond with a redirect URL, and
F) Create an SSL certificate by using AWS Certificate Manager (ACM). Include the domains as Subject Alternative Names are the correct answers because together they form a redirect service with almost nothing to operate.

An Application Load Balancer can use a Lambda function as a target, and its HTTP and HTTPS listeners accept traffic over both protocols; Route 53 alias records for the 10 domains point at the ALB. The Lambda function receives the request event, reads the Host header, looks the domain up in the JSON document and returns a 301 or 302 response whose Location header is that domain's target URL. The ACM certificate, with all 10 domains as Subject Alternative Names, is attached to the HTTPS listener; with DNS validation in Route 53 it is issued and renewed without manual steps.

Option A leaves a server to patch and scale. Option D needs an API Gateway custom domain name and mapping for each of the 10 domains. Option E adds a CloudFront distribution and a Lambda@Edge function, with its own deployment and replication constraints, for a job a single ALB already does.

One check on the Lambda code: the Location value must always come from the JSON document, never from the request, and unknown hosts should get a 404, so that the service is an allow-list redirector rather than an open redirect.
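The handler below is an added example, not code from the exam page: it implements the Lambda target for the ALB described in answers B, C and F. The event and response shapes are those the ALB uses for Lambda targets (request headers under "headers", response with statusCode, statusDescription, headers, body and isBase64Encoded); the domain map is a constructed stand-in for the company's JSON document, and the example assumes the ALB is configured for single-value headers (the multiValueHeaders form is not handled).

```python
import json
from urllib.parse import urlsplit

# Constructed stand-in for the JSON document of domain -> target URL. In a real
# deployment this is loaded once at cold start (from the package or S3), not per request.
REDIRECT_MAP_JSON = json.dumps({
    "spring-sale.example": "https://www.example.com/campaigns/spring",
    "summer-sale.example": "https://www.example.com/campaigns/summer",
})
REDIRECT_MAP = json.loads(REDIRECT_MAP_JSON)

def _normalize_host(host_header):
    """Drop a :port suffix, a trailing dot and case so lookups match the document."""
    return host_header.split(":", 1)[0].strip().lower().rstrip(".")

def build_redirect(event, redirect_map=REDIRECT_MAP):
    """Return an ALB-style response: 301 to the mapped URL for a known host,
    404 for anything else. The Location value only ever comes from the map,
    never from the request, so the service cannot act as an open redirect."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    host = _normalize_host(headers.get("host", ""))
    target = redirect_map.get(host)
    if target is None:
        return {"statusCode": 404, "statusDescription": "404 Not Found",
                "headers": {"content-type": "text/plain"},
                "isBase64Encoded": False, "body": "unknown host"}
    # The document is inside the trust boundary, so validate it too: refuse
    # anything that is not an absolute https URL rather than redirecting blindly.
    parts = urlsplit(target)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https redirect target for {host}: {target}")
    return {"statusCode": 301, "statusDescription": "301 Moved Permanently",
            "headers": {"location": target, "cache-control": "max-age=3600"},
            "isBase64Encoded": False, "body": ""}

def lambda_handler(event, context):
    """Entry point registered as the ALB target group's Lambda function."""
    return build_redirect(event)

if __name__ == "__main__":
    # Constructed ALB event carrying only the fields the handler reads.
    sample = {"httpMethod": "GET", "path": "/", "headers": {"host": "Spring-Sale.example"}}
    print(build_redirect(sample))
```

Because the same function sits behind both listeners, HTTP and HTTPS requests get the same answer; if plain-HTTP visitors should be upgraded first, an ALB redirect action on the HTTP listener does that without touching the function.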



A company that has multiple AWS accounts is using AWS Organizations. The company’s AWS accounts host VPCs, Amazon EC2 instances, and containers.

The company’s compliance team has deployed a security tool in each VPC where the company has deployments. The security tools run on EC2 instances and send information to the AWS account that is dedicated for the compliance team. The company has tagged all the compliance-related resources with a key of “costCenter” and a value of “compliance”.

The company wants to identify the cost of the security tools that are running on the EC2 instances so that the company can charge the compliance team’s AWS account. The cost calculation must be as accurate as possible.

What should a solutions architect do to meet these requirements?

  1. In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources.
  2. In the member accounts of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Schedule a monthly AWS Lambda function to retrieve the reports and calculate the total cost for the costCenter tagged resources.
  3. In the member accounts of the organization activate the costCenter user-defined tag. From the management account, schedule a monthly AWS Cost and Usage Report. Use the tag breakdown in the report to calculate the total cost for the costCenter tagged resources.
  4. Create a custom report in the organization view in AWS Trusted Advisor. Configure the report to generate a monthly billing summary for the costCenter tagged resources in the compliance team’s AWS account.

Answer(s): A

Explanation:

A) In the management account of the organization, activate the costCenter user-defined tag. Configure monthly AWS Cost and Usage Reports to save to an Amazon S3 bucket in the management account. Use the tag breakdown in the report to obtain the total cost for the costCenter tagged resources is the correct answer. In an organization, cost allocation tags are activated in the management (payer) account only; activating costCenter in the member accounts, as options B and C propose, has no effect on the consolidated bill. The AWS Cost and Usage Report (CUR) is the most granular billing data AWS provides, with line items per resource and per hour or day and, once activated, the user-defined tag as a resourceTags/user:costCenter column, so summing the tagged line items gives the most accurate figure to charge to the compliance account. Writing the report to an S3 bucket in the management account and using its tag breakdown also needs no custom Lambda code, unlike option B. Option D is wrong because Trusted Advisor has no billing report feature.

Two caveats: tag activation is not retroactive, so usage from before the tag was activated will not carry it in the report, and the tag value is case-sensitive, so every resource the tools depend on (instances, their EBS volumes, and so on) must be tagged exactly costCenter=compliance or its cost falls outside the total.



A company has 50 AWS accounts that are members of an organization in AWS Organizations. Each account contains multiple VPCs. The company wants to use AWS Transit Gateway to establish connectivity between the VPCs in each member account. Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.

Which combination of steps will meet these requirements? (Choose two.)

  1. From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager.
  2. From the management account, share the transit gateway with member accounts by using an AWS Organizations SCP.
  3. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.
  4. Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.
  5. From the management account, share the transit gateway with member accounts by using AWS Service Catalog.

Answer(s): A,C

Explanation:

A) From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager and
C) Launch an AWS CloudFormation stack set from the management account that automatically creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID are the correct answers.

A transit gateway is shared across accounts with AWS Resource Access Manager (RAM); sharing it with the organization or with an OU means a new member account can see the gateway as soon as it is created. SCPs (option B) only restrict permissions and cannot share a resource, and Service Catalog (option E) provisions products rather than sharing existing resources. Once the gateway is shared, a stack set deployed from the management account with service-managed permissions and automatic deployment to the OU creates the VPC and an AWS::EC2::TransitGatewayAttachment that references the shared transit gateway ID in each new account, so nothing is configured by hand. Option D is wrong because a peering attachment connects two transit gateways, not a VPC to a transit gateway, and there is no transit gateway service-linked role for sharing attachments.

One operational detail: unless the transit gateway was created with AutoAcceptSharedAttachments enabled, attachments created from other accounts wait in a pending state until the gateway owner accepts them, so either enable auto-accept or automate acceptance in the management account.



An enterprise company wants to allow its developers to purchase third-party software through AWS Marketplace. The company uses an AWS Organizations account structure with full features enabled, and has a shared services account in each organizational unit (OU) that will be used by procurement managers. The procurement team’s policy indicates that developers should be able to obtain third-party software from an approved list only and use Private Marketplace in AWS Marketplace to achieve this requirement. The procurement team wants administration of Private Marketplace to be restricted to a role named procurement-manager-role, which could be assumed by procurement managers. Other IAM users, groups, roles, and account administrators in the company should be denied Private Marketplace administrative access.

What is the MOST efficient way to design an architecture to meet these requirements?

  1. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the PowerUserAccess managed policy to the role. Apply an inline policy to all IAM users and roles in every AWS account to deny permissions on the AWSPrivateMarketplaceAdminFullAccess managed policy.
  2. Create an IAM role named procurement-manager-role in all AWS accounts in the organization. Add the AdministratorAccess managed policy to the role. Define a permissions boundary with the AWSPrivateMarketplaceAdminFullAccess managed policy and attach it to all the developer roles.
  3. Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization.
  4. Create an IAM role named procurement-manager-role in all AWS accounts that will be used by developers. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an SCP in Organizations to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Apply the SCP to all the shared services accounts in the organization.

Answer(s): C

Explanation:

C) Create an IAM role named procurement-manager-role in all the shared services accounts in the organization. Add the AWSPrivateMarketplaceAdminFullAccess managed policy to the role. Create an organization root-level SCP to deny permissions to administer Private Marketplace to everyone except the role named procurement-manager-role. Create another organization root-level SCP to deny permissions to create an IAM role named procurement-manager-role to everyone in the organization is the correct answer.

An SCP is the only control in the list that account administrators cannot remove: it applies to every principal in every member account, administrators and the root user included, and it is managed from the organization. The first root-level SCP denies the Private Marketplace administration actions with a condition such as ArnNotLike on aws:PrincipalARN for arn:aws:iam::*:role/procurement-manager-role, so only that role gets through; the second SCP denies iam:CreateRole for that role name, which stops anyone in a member account from creating a same-named role to slip through the exception. Creating the role only in the shared services accounts, with AWSPrivateMarketplaceAdminFullAccess attached, gives the procurement managers exactly the access they need and nobody else any.

Options A and B rely on inline policies and permissions boundaries inside each account, which that account's administrators can edit or detach, and they grant the role PowerUserAccess or AdministratorAccess instead of the Marketplace policy. Option D creates the administrative role in the developer accounts and applies the SCP only to the shared services accounts, the reverse of what is required.

Two caveats: SCPs never apply to the management account, and they do not grant anything, so the role still needs its identity policy and the SCPs are only the guardrail around it.



A company is in the process of implementing AWS Organizations to constrain its developers to use only Amazon EC2, Amazon S3, and Amazon DynamoDB. The developers account resides in a dedicated organizational unit (OU). The solutions architect has implemented the following SCP on the developers account:



When this policy is deployed, IAM users in the developers account are still able to use AWS services that are not listed in the policy.

What should the solutions architect do to eliminate the developers’ ability to use services outside the scope of this policy?

  1. Create an explicit deny statement for each AWS service that should be constrained.
  2. Remove the FullAWSAccess SCP from the developers account’s OU.
  3. Modify the FullAWSAccess SCP to explicitly deny all services.
  4. Add an explicit deny statement using a wildcard to the end of the SCP.

Answer(s): B

Explanation:

B) Remove the FullAWSAccess SCP from the developers account’s OU is the correct answer.

SCPs do not grant permissions; they set the ceiling on what identity policies in a member account can grant, and an action is permitted only if every level of the hierarchy (the root, each OU on the path, and the account) has an SCP that allows it and none that denies it. AWS Organizations attaches the AWS-managed FullAWSAccess SCP to the root, to every OU and to every account by default. The architect's allow-list SCP permits only EC2, S3 and DynamoDB, but at the developers OU it sits next to FullAWSAccess, and within one level the Allow statements of all attached SCPs are combined, so every service is still allowed there. Detaching FullAWSAccess from the OU leaves the allow-list as the only SCP at that level, and the intersection across levels then restricts developers to the three services.

Option A would work but means writing and maintaining a Deny for every other service, which is what the allow-list was meant to avoid. Option C is not possible: FullAWSAccess is an AWS-managed SCP and cannot be edited. Option D, a Deny with a wildcard action, would deny everything, the three permitted services included, because an explicit deny always wins.
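The Python below is an added example, not code from the exam page and not the AWS policy engine: it models the SCP part of the authorization decision (every level must allow, any deny wins) and replays the two designs on this page, the developers' allow-list with and without FullAWSAccess attached beside it, and the Private Marketplace deny-everyone-except-one-role SCP from the earlier question. It handles only Effect, Action, Resource and ArnLike/ArnNotLike conditions on aws:PrincipalARN, which is all these two designs use; the Marketplace action names, account IDs and principal ARNs are illustrative.

```python
import fnmatch

FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The allow-list the architect attached: only these three services.
DEVELOPER_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Resource": "*",
                                        "Action": ["ec2:*", "s3:*", "dynamodb:*"]}]}

PM_ROLE = "arn:aws:iam::*:role/procurement-manager-role"
PRIVATE_MARKETPLACE_SCP = {"Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["aws-marketplace:AssociateProductsWithPrivateMarketplace",
                "aws-marketplace:DisassociateProductsFromPrivateMarketplace",
                "aws-marketplace:CreatePrivateMarketplaceRequests"],   # illustrative names
     "Condition": {"ArnNotLike": {"aws:PrincipalARN": PM_ROLE}}},
    # The second SCP from answer C, folded in here: nobody may mint a look-alike role.
    {"Effect": "Deny", "Action": "iam:CreateRole", "Resource": PM_ROLE},
]}

def _aslist(v):
    return [v] if isinstance(v, str) else list(v or [])

def _applies(stmt, action, resource, principal_arn):
    """True if the statement's Action, Resource and Condition all match the request.
    Action names are case-insensitive; ARNs are matched with IAM-style * wildcards."""
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _aslist(stmt.get("Action"))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _aslist(stmt.get("Resource", "*"))):
        return False
    for op, kv in stmt.get("Condition", {}).items():
        if set(kv) != {"aws:PrincipalARN"} or op not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"unsupported condition {op} {list(kv)}")
        hit = any(fnmatch.fnmatchcase(principal_arn, p) for p in _aslist(kv["aws:PrincipalARN"]))
        if hit != (op == "ArnLike"):
            return False
    return True

def level_allows(scps, action, resource, principal_arn):
    """One node of the hierarchy (root, an OU, or the account): the request passes
    iff some attached SCP allows it and no attached SCP denies it."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _applies(stmt, action, resource, principal_arn):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied

def scp_permits(hierarchy, action, resource, principal_arn):
    """hierarchy: the SCP lists attached at the root, at each OU on the path, and at
    the account, in that order. Every level must allow, so the result is an
    intersection; an allow-list attached next to FullAWSAccess changes nothing."""
    return all(level_allows(scps, action, resource, principal_arn) for scps in hierarchy)

DEV = "arn:aws:iam::111111111111:user/dev"                        # constructed principal
MISCONFIGURED = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DEVELOPER_ALLOW_LIST], [FULL_AWS_ACCESS]]
FIXED = [[FULL_AWS_ACCESS], [DEVELOPER_ALLOW_LIST], [FULL_AWS_ACCESS]]  # option B applied

if __name__ == "__main__":
    print(scp_permits(MISCONFIGURED, "lambda:InvokeFunction", "*", DEV))  # True: still allowed
    print(scp_permits(FIXED, "lambda:InvokeFunction", "*", DEV))          # False
    print(scp_permits(FIXED, "dynamodb:PutItem", "*", DEV))               # True
```

The verdict is only the SCP half of the decision: a True result means the organization does not block the call, and the principal's own identity policy must still allow it. Running the Marketplace SCP through the same evaluator shows the exception working for procurement-manager-role, an administrator role in the same account being denied, and iam:CreateRole on the protected role name being denied for everyone, the procurement role included.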



A company is hosting a monolithic REST-based API for a mobile app on five Amazon EC2 instances in public subnets of a VPC. Mobile clients connect to the API by using a domain name that is hosted on Amazon Route 53. The company has created a Route 53 multivalue answer routing policy with the IP addresses of all the EC2 instances. Recently, the app has been overwhelmed by large and sudden increases to traffic. The app has not been able to keep up with the traffic.

A solutions architect needs to implement a solution so that the app can handle the new and varying load. Which solution will meet these requirements with the LEAST operational overhead?

  1. Separate the API into individual AWS Lambda functions. Configure an Amazon API Gateway REST API with Lambda integration for the backend. Update the Route 53 record to point to the API Gateway API.
  2. Containerize the API logic. Create an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. Run the containers in the cluster by using Amazon EC2. Create a Kubernetes ingress. Update the Route 53 record to point to the Kubernetes ingress.
  3. Create an Auto Scaling group. Place all the EC2 instances in the Auto Scaling group. Configure the Auto Scaling group to perform scaling actions that are based on CPU utilization. Create an AWS Lambda function that reacts to Auto Scaling group changes and updates the Route 53 record.
  4. Create an Application Load Balancer (ALB) in front of the API. Move the EC2 instances to private subnets in the VPC. Add the EC2 instances as targets for the ALB. Update the Route 53 record to point to the ALB.

Answer(s): D

Explanation:

D) Create an Application Load Balancer (ALB) in front of the API. Move the EC2 instances to private subnets in the VPC. Add the EC2 instances as targets for the ALB. Update the Route 53 record to point to the ALB is the correct answer. Route 53 multivalue answer routing is not a load balancer: it returns up to eight healthy records and relies on clients to spread themselves across them, so nothing reacts when the five instances are saturated. An ALB health-checks its targets, spreads every request across the healthy ones, absorbs bursts, and becomes the single stable endpoint for the Route 53 record (an alias record, so there is no Lambda function rewriting IP addresses as option C proposes). Moving the instances to private subnets means they are reachable only through the ALB, which shrinks the exposed surface of the API. Once the instances are ALB targets, putting them in an Auto Scaling group behind the same target group is the natural next step for the varying load, but even without it option D is the smallest change that meets the requirement. Option A rewrites the monolith as Lambda functions and option B introduces an EKS cluster to run, both far more work than the problem calls for.






Share your comments for Amazon SAP-C02 exam with other users:

Andrew (Anonymous), 8/23/2023 6:02:00 PM: very helpful

Mukesh (United Kingdom), 7/10/2023 4:14:00 PM: good questions