AWS SAP-C02: Solutions Architect Professional Practice Exam

Validates advanced skills designing complex, cost-optimized, resilient multi-account AWS architectures and migrations.

Practice 300 exam-style AWS SAP-C02 questions with full answer explanations, then take timed mock exams that score like the real thing.

Practice questions: 300
Questions on the real exam: 75
Passing score: 750
Exam length: 180 min

What the AWS SAP-C02 exam covers

Free AWS SAP-C02 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 300.

  1. Question 1: Design Solutions for Organizational Complexity

    Which AWS service lets you centrally govern many accounts and apply guardrails that RESTRICT the maximum permissions in member accounts?

    • A. Amazon Inspector
    • B. IAM groups in a single account
    • C. Security groups
    • D. AWS Organizations with Service Control Policies (SCPs) (Correct)
    ✓ Correct answer: D

    Option D is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. Amazon Inspector is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • B. IAM groups in a single account is incorrect because it lacks the scalability or resilience required for production workloads.
    • C. Security groups is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  2. Question 2: Design Solutions for Organizational Complexity (Select all that apply)

    Which TWO are appropriate for org-wide guardrails and resource sharing? (Choose TWO)

    • A. AWS Resource Access Manager (RAM) (Correct)
    • B. Disabling Organizations
    • C. Service Control Policies (SCPs) (Correct)
    • D. Hard-coding IAM users per account
    ✓ Correct answer: A, C

    Options A and C are the correct choices because together they address the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • B. Disabling Organizations is incorrect because it removes or negates critical functionality required for the scenario.
    • D. Hard-coding IAM users per account is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  3. Question 3: Design Solutions for Organizational Complexity

    An SCP attached to an OU denies the s3:DeleteBucket action. An IAM administrator in a member account has an identity policy that explicitly allows s3:DeleteBucket. What is the effective result?

    • A. The action is denied because an SCP explicit Deny cannot be overridden by any identity-based Allow (Correct)
    • B. The action is allowed only if the user is in the management account
    • C. The action is allowed because SCPs do not apply to administrators
    • D. The action is allowed because an explicit Allow in an identity policy overrides an SCP Deny
    ✓ Correct answer: A

    Option A is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • B. "The action is allowed only if the user is in the management account" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • C. "The action is allowed because SCPs do not apply to administrators" is incorrect because it removes or negates critical functionality required for the scenario.
    • D. "The action is allowed because an explicit Allow in an identity policy overrides an SCP Deny" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  4. Question 4: Design Solutions for Organizational Complexity

    A central security account must automatically receive and aggregate GuardDuty, Inspector, and other findings from all member accounts and provide a single prioritized view, configured org-wide with minimal manual onboarding. Which approach is correct?

    • A. Have each account email its findings to the security team
    • B. Use Amazon Athena to query each account's logs individually
    • C. Designate a delegated administrator account and enable AWS Security Hub with organization-wide aggregation and auto-enable for new accounts (Correct)
    • D. Enable Security Hub only in the management account
    ✓ Correct answer: C

    Option C is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. "Have each account email its findings to the security team" is incorrect because it lacks automation and scalability for multi-account or production environments.
    • B. "Use Amazon Athena to query each account's logs individually" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • D. "Enable Security Hub only in the management account" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  5. Question 5: Design for New Solutions

    You need to create an SQS FIFO queue with content-based deduplication enabled using the CLI. Which command is correct?

    • A. aws sqs create-queue --queue-name orders --type fifo --dedup content
    • B. aws sqs create-queue --queue-name orders.fifo --attributes FifoQueue=true,ContentBasedDeduplication=true (Correct)
    • C. aws sqs create-queue --queue-name orders.fifo --fifo true --dedup true
    • D. aws sqs create-fifo-queue --queue-name orders --content-dedup true
    ✓ Correct answer: B

    Option B is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. "aws sqs create-queue --queue-name orders --type fifo --dedup content" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • C. "aws sqs create-queue --queue-name orders.fifo --fifo true --dedup true" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • D. "aws sqs create-fifo-queue --queue-name orders --content-dedup true" is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  6. Question 6: Design for New Solutions

    A team needs a shared, POSIX-compliant file system that many EC2 instances and containers across multiple Availability Zones can mount concurrently with automatic scaling and high availability. Which storage service is appropriate?

    • A. Instance store volumes
    • B. Amazon S3 mounted as a block device
    • C. Amazon EFS (Elastic File System) (Correct)
    • D. Amazon EBS attached to a single instance
    ✓ Correct answer: C

    Option C is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. Instance store volumes is incorrect because the storage is not persistent and will be lost when the instance terminates.
    • B. Amazon S3 mounted as a block device is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • D. Amazon EBS attached to a single instance is incorrect because it lacks the scalability or resilience required for production workloads.
  7. Question 7: Design for New Solutions

    A serverless order-processing system must guarantee that each message is processed exactly once and in the order it was sent per customer. Which integration choice is correct?

    • A. Amazon Kinesis Data Firehose delivery stream
    • B. Amazon SNS standard topic with multiple subscribers
    • C. Amazon SQS FIFO queue using the customer ID as the MessageGroupId (Correct)
    • D. Amazon SQS standard queue with long polling
    ✓ Correct answer: C

    Option C is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. Amazon Kinesis Data Firehose delivery stream is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • B. Amazon SNS standard topic with multiple subscribers is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • D. Amazon SQS standard queue with long polling is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  8. Question 8: Continuous Improvement for Existing Solutions

    Which DR strategy has the lowest cost but the longest recovery time?

    • A. Warm standby
    • B. Multi-site active-active
    • C. Pilot light
    • D. Backup and restore (Correct)
    ✓ Correct answer: D

    Option D is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • A. Warm standby is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • B. Multi-site active-active is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • C. Pilot light is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
  9. Question 9: Continuous Improvement for Existing Solutions

    A company runs a steady, year-round mix of EC2, Fargate, and Lambda compute and wants maximum savings with flexibility to change instance families and Regions. Which commitment offers the best tradeoff?

    • A. Compute Savings Plans covering EC2, Fargate, and Lambda usage (Correct)
    • B. Standard Reserved Instances locked to one instance family and Region
    • C. Spot Instances for all steady production capacity
    • D. On-Demand pricing with no commitment
    ✓ Correct answer: A

    Option A is the correct choice because it directly addresses the scenario. This service or feature provides the required functionality and aligns with AWS best practices. Understanding when to use this service versus alternatives is essential for architectural decisions. The implementation and configuration follow AWS recommended patterns for this use case.

    Why the other options are wrong
    • B. Standard Reserved Instances locked to one instance family and Region is incorrect because it lacks the scalability or resilience required for production workloads.
    • C. Spot Instances for all steady production capacity is incorrect because it does not provide the required functionality or proper architectural pattern for the scenario.
    • D. On-Demand pricing with no commitment is incorrect because it removes or negates critical functionality required for the scenario.
  10. Question 10: Continuous Improvement for Existing Solutions (Select all that apply)

    You need to retain different log data for different periods to balance compliance and cost. Which TWO actions are appropriate for CloudWatch Logs cost/retention management? (Choose TWO)

    • A. Disable logging entirely to eliminate storage cost
    • B. Set a retention period on each log group so old events expire automatically (Correct)
    • C. Keep every log group at the default 'Never expire' to be safe
    • D. Export or stream older logs to S3 (and on to Glacier tiers) for cheaper long-term storage (Correct)
    ✓ Correct answer: B, D

    Option B is correct because setting a retention period on log groups ensures old log events automatically expire and are deleted, preventing unbounded storage growth and costs. Option D is correct because exporting logs to S3 and transitioning to cheaper Glacier tiers enables long-term retention at minimal cost. Together these strategies balance compliance retention needs with cost optimization.

    Why the other options are wrong
    • A. "Disable logging entirely to eliminate storage cost" is incorrect because disabling logging entirely eliminates observability and audit trails, violating compliance and operational visibility requirements.
    • C. "Keep every log group at the default 'Never expire' to be safe" is incorrect because keeping every log group at the default 'Never expire' setting causes unbounded storage growth and continuously rising costs.

AWS SAP-C02 practice exam FAQ

How many questions are in the AWS SAP-C02 practice exam on CertGrid?

CertGrid has 300 practice questions for AWS SAP-C02: Solutions Architect Professional, covering 4 exam domains. The real AWS SAP-C02 exam has about 75 questions.

What is the passing score for AWS SAP-C02?

The AWS SAP-C02 exam passing score is 750, and you have about 180 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official AWS SAP-C02 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AWS SAP-C02: Solutions Architect Professional, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice AWS SAP-C02 for free?

Yes. You can start practicing AWS SAP-C02: Solutions Architect Professional for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.