100% Free Amazon SAP-C02 Practice Test Questions

Question 1

A large company has multiple AWS accounts with multiple IAM Users that launch different types of Amazon EC2 instances and EBS volumes every day. As a result, most accounts quickly hit the service limit and IAM users can no longer create any new instances. When cleaning up the AWS accounts, the solutions architect noticed that the majority of the instances and volumes are untagged. Therefore, it is difficult to pinpoint the owner of these resources and verify if they are safe to terminate. Because of this, the management had issued a new protocol that requires adding a predefined set of tags before anyone can launch their EC2 instances.

Which of the following options is the simplest way to enforce this new requirement?

A : Configure AWS Organizations to group different accounts into separate Organizational Units (OU) depending on the business function. Create a rule in AWS Config requiring users to tag specific resources and raise an alert whenever the rule is violated. The Config Rule should allow a user to launch EC2 instances only if the user adds all the tags defined in the rule. If the user applies any other tag then the action is denied

B : Configure AWS Organizations to group different accounts into separate Organizational Units (OU) depending on the business function. Create a rule using AWS Systems Manager requiring users to tag specific resources and raise an alert whenever the rule is violated. This will allow a user to launch EC2 instances only if certain tags were defined. If the user applies any other tag then the action is denied.

C : Apply an IAM policy to the individual member accounts of the OU that includes a Condition element in the policy containing the ForAllValues qualifier and the aws:TagKeys condition. This policy will require its principals to attach specific tags to their resources during creation.

D : Configure AWS Organizations to group different accounts into separate Organizational Units (OU) depending on the business function. Create a Service Control Policy that restricts launching any AWS resources without a tag by including the Condition element in the policy which uses the ForAllValues qualifier and the aws:TagKeys condition. This policy will require its principals to tag resources during creation. Apply the SCP to the OU which will automatically cascade the policy to individual member accounts.

Answer: D

Question 2

A leading commercial bank has multiple AWS accounts that are consolidated using AWS Organizations. They are building an online portal for foreclosed real estate properties that they own. The online portal is designed to use SSL for better security. The bank would like to implement a separation of responsibilities between the DevOps team and their cybersecurity team. The DevOps team is entitled to manage and log in to the EC2 instances while the cybersecurity team has exclusive access to the application's X.509 certificate, which contains the private key and is stored in AWS Certificate Manager (ACM).

Which of the following options would satisfy the company requirements?

A : Configure an IAM policy that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB

B : Upload the X.509 certificate to an S3 bucket owned by the cybersecurity team and accessible only by the IAM role of the EC2 instances. Use the Systems Manager Session Manager as the HTTPS session manager for the application.

C : Set up a Service Control Policy (SCP) that authorizes access to the certificate store only for the cybersecurity team and then add a configuration to terminate the SSL on the ELB.

D : Use the AWS Config service to configure the EC2 instances to retrieve the X.509 certificate upon boot from a CloudHSM that is managed by the cybersecurity team

Answer: A

Question 3

A leading fast-food chain has recently adopted a hybrid cloud infrastructure that extends its data centers into AWS Cloud. The solutions architect has been tasked to allow on-premises users, who are already signed in using their corporate accounts, to manage AWS resources without creating separate IAM users for each of them. This is to avoid having two separate login accounts and memorizing multiple credentials.

Which of the following is the best way to handle user authentication in this hybrid architecture?

A : Authenticate using your on-premises SAML 2.0-compliant identity provider (IDP), retrieve temporary credentials using STS, and grant federated access to the AWS console via the AWS single sign-on (SSO) endpoint using a browser.

B : Retrieve AWS temporary security credentials with Web Identity Federation using STS and AssumeRoleWithWebIdentity to enable users to log in to the AWS console.

C : Authenticate through your on-premises SAML 2.0-compliant identity provider (IDP) using STS and AssumeRoleWithWebIdentity to retrieve temporary security credentials, which enables your users to log in to the AWS console using a browser.

D : Integrate the company’s authentication process with Amazon AppFlow and allow Amazon STS to retrieve temporary AWS credentials using OAuth 2.0 to enable your members to log in to the AWS Console.

Answer: A

Question 4

A finance company hosts an online banking portal in AWS. The application is recently deployed in an Auto Scaling group of Amazon EC2 instances inside a VPC. However, after several days, the solutions architect found out that there is an unusually high amount of inbound HTTP traffic coming from a set of 15 specific IP addresses from a certain country where your company has absolutely no customers. The EC2 instances are flooded with incoming requests that the system administrators cannot even establish an SSH connection to the instances.

What should the Solutions Architect do to address this security vulnerability in the MOST cost-effective way?

A : Use AWS WAF to protect your VPC against web attacks. Place the online banking portal behind a CloudFront RTMP distribution.

B : Set up deny rules on your inbound Network Access control list associated with the web application tier subnet to block access to the group of attacking IP addresses.

C : Use AWS Shield Advanced to protect your VPC from common, most frequently occurring network and transport layer DDoS attacks.

D : Create inbound rules in the Security Group of your EC2 instances to block the attacking IP addresses.

Answer: B

Question 5

A company recently adopted a modern design for its legacy application. The new application is now suitable for native cloud deployments so the CI/CD pipelines need to be updated as well. The following deployment requirements are needed to support the new application:

- The pipeline should support deployments of new versions several times every hour.

- The pipeline should be able to quickly rollback to the previous application version if any problems are encountered on the new version.

Which of the following options is the recommended solution to meet the company requirements?

A : Package the newer application version on AMIs including the needed configurations. Update the Launch Template of the Auto Scaling group and trigger a scale-out to use this new AMI. Ensure that the configured termination policy is to delete the old instances using the previous AMI

B : Use Amazon Lightsail to handle the deployment of new Amazon EC2 instances and the needed load balancers. Add an Amazon EC2 user data script to download the latest application artifact from an Amazon S3 bucket. Use a weighted routing policy on Amazon Route 53 to slowly shift traffic to the newer version.

C : Reconfigure the pipeline to create a Staging environment on AWS Elastic Beanstalk. Deploy the newer version on the Staging environment. Swap the Staging and Production environment URLs to shift traffic to the newer version.

D : Package the newer application version on AMIs including the needed configurations. Reconfigure the CI/CD pipeline to deploy this AMI by replacing the current Amazon EC2 instances.

Answer: C

Free Practice Amazon SAP-C02 Exam Questions 2025