Amazon Web Services SAP-C02 Free Certification Exam Questions Answer Apr 2026 update

Question # 106

An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client's allow list.

The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.

How should a solutions architect ensure that the web application can continue to call the third-parly API after the migration?

Associate a block of customer-owned public IP addresses to the VPC. Enable public IP addressing for public subnets in the VPC.

Register a block of customer-owned public IP addresses in the AWS account. Create Elastic IP addresses from the address block and assign them lo the NAT gateways in the VPC.

Create Elastic IP addresses from the block of customer-owned IP addresses. Assign the static Elastic IP addresses to the ALB.

Register a block of customer-owned public IP addresses in the AWS account. Set up AWS Global Accelerator to use Elastic IP addresses from the address block. Set the ALB as the accelerator endpoint.

Question # 107

A company uses AWS Organizations to manage its AWS accounts. The company needs a list of all its Amazon EC2 instances that have underutilized CPU or memory usage. The company also needs recommendations for how to downsize these underutilized instances.

Which solution will meet these requirements with the LEAST effort?

Install a CPU and memory monitoring tool from AWS Marketplace on all the EC2 Instances. Store the findings in Amazon S3. Implement a Python script to identify underutilized instances. Reference EC2 instance pricing information for recommendations about downsizing options.

Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems Manager. Retrieve the resource op! nization recommendations from AWS Cost Explorer in the organization's management account. Use the recommendations to downsize underutilized instances in all accounts of the organization.

Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems Manager. Retrieve the resource optimization recommendations from AWS Cost Explorer in each account of the organization. Use the recommendations to downsize underutilized instances in all accounts of the organization.

Install the Amazon CloudWatch agent on all the EC2 instances by using AWS Systems Manager Create an AWS Lambda function to extract CPU and memory usage from all the EC2 instances. Store the findings as files in Amazon S3. Use Amazon Athena to find underutilized instances. Reference EC2 instance pricing information for recommendations about downsizing options.

Question # 108

A company has an on-premises website application that provides real estate information for potential renters and buyers. The website uses a Java backend and a NOSQL MongoDB database to store subscriber data.

The company needs to migrate the entire application to AWS with a similar structure. The application must be deployed for high availability, and the company cannot make changes to the application

Which solution will meet these requirements?

use an Amazon Aurora DB cluster as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

Use MongoDB on Amazon EC2 instances as the database for the subscriber data. Deploy EC2 instances in an Auto Scaling group in a single Availability Zone for the Java backend application.

Configure Amazon DocumentD3 (with MongoDB compatibility) with appropriately sized instances in multiple Availability Zones as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

Configure Amazon DocumentDB (with MongoDB compatibility) in on-demand capacity mode in multiple Availability Zones as the database for the subscriber data. Deploy Amazon EC2 instances in an Auto Scaling group across multiple Availability Zones for the Java backend application.

Question # 109

A company has 50 AWS accounts that are members of an organization in AWS Organizations Each account contains multiple VPCs The company wants to use AWS Transit Gateway to establishconnectivity between the VPCs in each member account Each time a new member account is created, the company wants to automate the process of creating a new VPC and a transit gateway attachment.

Which combination of steps will meet these requirements? (Select TWO)

From the management account, share the transit gateway with member accounts by using AWS Resource Access Manager

Prom the management account, share the transit gateway with member accounts by using an AWS Organizations SCP

Launch an AWS CloudFormation stack set from the management account that automatical^/ creates a new VPC and a VPC transit gateway attachment in a member account. Associate the attachment with the transit gateway in the management account by using the transit gateway ID.

Launch an AWS CloudFormation stack set from the management account that automatical^ creates a new VPC and a peering transit gateway attachment in a member account. Share the attachment with the transit gateway in the management account by using a transit gateway service-linked role.

From the management account, share the transit gateway with member accounts by using AWS Service Catalog

Question # 110

A company is planning a migration from an on-premises data center to the AWS cloud. The company plans to use multiple AWS accounts that are managed in an organization in AWS organizations. The company will cost a small number of accounts initially and will add accounts as needed. A solution architect must design a solution that turns on AWS accounts.

What is the MOST operationally efficient solution that meets these requirements.

Create an AWS Lambda function that creates a new cloudTrail trail in all AWS account in the organization. Invoke the Lambda function dally by using a scheduled action in Amazon EventBridge.

Create a new CloudTrail trail in the organizations management account. Configure the trail to log all events for all AYYS accounts in the organization.

Create a new CloudTrail trail in all AWS accounts in the organization. Create new trails whenever a new account is created.

Create an AWS systems Manager Automaton runbook that creates a cloud trail in all AWS accounts in the organization. Invoke the automation by using Systems Manager State Manager.

Question # 111

A company uses an AWS CloudFormation template to deploy an Amazon ECS service into a production environment. The template includes an Amazon S3 bucket that is named by using a common prefix with the CloudFormation stack name.

The company uses the same template to create temporary environments for development and continuous integration. Developers can create environments successfully, but they receive errors from CloudFormation when they attempt to delete the environments. The developers often need to delete and recreate stacks with the same names as part of the development and testing process.

Which combination of steps should a solutions architect take to modify the solution to resolve this issue? (Select TWO.)

Associate an AWS Lambda function with a CloudFormation custom resource to delete all keys that are present in a given S3 bucket. Implement this custom resource as part of the application's CloudFormation template.

Modify the S3 bucket resource in the CloudFormation template by specifying Delete for the DeletionPolicy attribute. Specify the CAPABILITY_DELETE_NONEMPTY capability to process CloudFormation delete operations.

Modify the S3 bucket resource in the CloudFormation template by specifying Retain for the DeletionPolicy attribute. Configure an AWS Config custom rule to run every 24 hours to identify, empty, and delete buckets that are no longer owned by a CloudFormation stack.

Ensure that CloudFormation operations are being invoked by a role that has s3:DeleteObject permissions on all objects in the bucket.

Modify the S3 bucket resource in the CloudFormation template to configure a bucket policy that grants s3:DeleteObject permissions on all objects in the bucket.

Explanation:

CloudFormation cannot delete an S3 bucket that contains objects. When the developers attempt to delete temporary stacks, the delete operation fails if the associated S3 bucket still has objects. Because the bucket name is derived from the stack name, failed deletions can also prevent re-creation of stacks with the same names until the bucket is manually emptied and deleted. This causes friction for development and continuous integration workflows.

To resolve this, the solution must ensure that, during stack deletion, all objects are removed from the S3 bucket so that CloudFormation can delete the bucket successfully. CloudFormation does not natively support automatic deletion of bucket contents. However, CloudFormation custom resources can be used to perform custom actions during stack lifecycle events.

Option A proposes associating a Lambda function with a CloudFormation custom resource. The custom resource can be invoked during stack deletion to list and delete all objects (and object versions if versioning is enabled) in the specified bucket. Once the bucket is emptied by the Lambda function, the standard CloudFormation deletion process can successfully delete the bucket resource.

In addition to emptying the bucket, the IAM role used by CloudFormation must have permissions to delete objects in the bucket. If CloudFormation uses an execution role that lacks s3:DeleteObject (and potentially s3:ListBucket) permissions, the bucket-cleanup Lambda function or CloudFormation itself would not be able to remove objects. Option D ensures that CloudFormation operations are invoked by a role that has s3:DeleteObject permissions on bucket objects, enabling the custom resource to perform the deletions.

Option B is incorrect because, although DeletionPolicy can be set to Delete, there is no such capability as CAPABILITY_DELETE_NONEMPTY in CloudFormation, and DeletionPolicy alone does not override the S3 service requirement that buckets must be empty before deletion.

Option C’s Retain DeletionPolicy leaves the bucket behind when the stack is deleted. While an external AWS Config rule could clean up stale buckets, it complicates the design and does not directly solve the problem of re-creating stacks with the same bucket name in a predictable, immediate way.

Option E configures a bucket policy to grant s3:DeleteObject permissions, but this is not sufficient alone. CloudFormation still must assume a role with the appropriate permissions. Bucket policy and IAM role permissions must both be considered, but the key action to resolve the deletion failure is to explicitly empty the bucket through a custom resource, as in option A, and ensure the execution role has delete permissions, as in option D.

Therefore, implementing a Lambda-backed custom resource to empty the S3 bucket during stack deletion (option A) and ensuring the CloudFormation execution role has s3:DeleteObject permissions (option D) resolves the deletion errors and allows developers to delete and recreate stacks freely.

[References:AWS documentation on CloudFormation behavior with S3 bucket deletion and the requirement that buckets must be empty before deletion.AWS documentation on CloudFormation custom resources and Lambda-backed custom resources for performing custom actions during stack operations.]

Question # 112

A company runs an loT application in the AWS Cloud. The company has millions of sensors that collect data from houses in the United States. The sensors use the MOTT protocol to connect and send data to a custom MQTT broker. The MQTT broker stores the data on a single Amazon EC2 instance. The sensors connect to the broker through the domain named iot.example.com. The company uses Amazon Route 53 as its DNS service. The company stores the data in Amazon DynamoDB.

On several occasions, the amount of data has overloaded the MOTT broker and has resulted in lost sensor data. The company must improve the reliability of the solution.

Which solution will meet these requirements?

Create an Application Load Balancer (ALB) and an Auto Scaling group for the MOTT broker. Use the Auto Scaling group as the target for the ALB. Update the DNS record in Route 53 to an alias record. Point the alias record to the ALB. Use the MQTT broker to store the data.

Set up AWS loT Core to receive the sensor data. Create and configure a custom domain to connect to AWS loT Core. Update the DNS record in Route 53 to point to the AWS loT Core Data-ATS endpoint. Configure an AWS loT rule to store the data.

Create a Network Load Balancer (NLB). Set the MQTT broker as the target. Create an AWS Global Accelerator accelerator. Set the NLB as the endpoint for the accelerator. Update the DNS record in Route 53 to a multivalue answer record. Set the Global Accelerator IP addresses as values. Use the MQTT broker to store the data.

Set up AWS loT Greengrass to receive the sensor data. Update the DNS record in Route 53 to point to the AWS loT Greengrass endpoint. Configure an AWS loT rule to invoke an AWS Lambda function to store the data.

Question # 113

A company is building a hybrid environment that includes servers in an on-premises data center and in the AWS Cloud. The company has deployed Amazon EC2 instances in three VPCs. Each VPC is in a different AWS Region. The company has established an AWS Direct Connect connection to the data center from the Region that is closest to the data center.

The company needs the servers in the on-premises data center to have access to the EC2 instances in all three VPCs. The servers in the on-premises data center also must have access to AWS public services.

Which combination of steps will meet these requirements with the LEAST cost? (Select TWO.)

Create a Direct Connect gateway in the Region that is closest to the data center. Attach the Direct Connect connection to the Direct Connect gateway. Use the

Direct Connect gateway to connect the VPCs in the other two Regions.

Set up additional Direct Connect connections from the on-premises data center to the other two Regions.

Create a private VIE.Establish an AWS Site-to-Site VPN connection over the private VIF to the VPCs in the other two Regions.

Create a public VIF. Establish an AWS Site-to-Site VPN connection over the public VIF to the VPCs in the other two Regions.

Use VPC peering to establish a connection between the VPCs across the Regions. Create a private VIF with the existing Direct Connect connection to connect to the peered VPCs.

Question # 114

A company wants to migrate an application to Amazon EC2 from VMware Infrastructure that runs in an on-premises data center. A solutions architect must preserve the software and configuration settings during the migration.

What should the solutions architect do to meet these requirements?

Configure the AWS DataSync agent to start replicating the data store to Amazon FSx for Windows File Server Use the SMB share to host the VMware data store. Use VM Import/Export to move the VMs to Amazon EC2.

Use the VMware vSphere client to export the application as an image in Open Virealization Format (OVF) format Create an Amazon S3 bucket to store the image in the destination AWS Region. Create and apply an IAM role for VM Import Use the AWS CLI to run the EC2 import command.

. Configure AWS Storage Gateway for files service to export a Common Internet File System(CIFSJ share. Create a backup copy to the shared folder. Sign in to the AWS Management Console and create an AMI from the backup copy Launch an EC2 instance that is based on the AMI.

Create a managed-instance activation for a hybrid environment in AWS Systems Manager. Download and install Systems Manager Agent on the on-premises VM Register the VM with Systems Manager to be a managed instance Use AWS Backup to create a snapshot of the VM and create an AMI. Launch an EC2 instance that is based on the AMI

Question # 115

A company that provisions job boards for a seasonal workforce is seeing an increase in traffic and usage. The backend services run on a pair of Amazon EC2 instances behind an Application Load Balancer with Amazon DynamoDB as the datastore. Application read and write traffic is slow during peak seasons.

Which option provides a scalable application architecture to handle peak seasons with the LEAST development effort?

Migrate the backend services to AWS Lambda. Increase the read and write capacity of DynamoDB.

Migrate the backend services to AWS Lambda. Configure DynamoDB to use global tables.

Use Auto Scaling groups for the backend services. Use DynamoDB auto scaling.

Use Auto Scaling groups for the backend services. Use Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB.

Explanation:

Option C is correct because using Auto Scaling groups for the backend services allows the company to scale up or down the number of EC2 instances based on the demand and traffic. This way, the backend services can handle more requests during peak seasons without compromising performance or availability. Using DynamoDB auto scaling allows the company to adjust the provisioned read and write capacity of the table or index automatically based on the actual traffic patterns. This way, the table or index can handle sudden increases or decreases in workload without throttling or overprovisioning1.

Option A is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, increasing the read and write capacity of DynamoDB manually may not be efficient or cost-effective, as it does not account for the variability of the workload. The company may end up paying for unused capacity or experiencing throttling if the workload exceeds the provisioned capacity1.

Option B is incorrect because migrating the backend services to AWS Lambda may require significant development effort to rewrite the code and test the functionality. Moreover, configuring DynamoDB to use global tables may not be necessary or beneficial for the company, as global tables are mainly used for replicating data across multiple AWS Regions for fast local access and disaster recovery. Global tables do not automatically scale the provisioned capacity of each replica table; they still require manual or auto scaling settings2.

Option D is incorrect because using Amazon Simple Queue Service (Amazon SQS) and an AWS Lambda function to write to DynamoDB may introduce additional complexity and latency to the application architecture. Amazon SQS is a message queue service that decouples and coordinates the components of a distributed system. AWS Lambda is a serverless compute service that runs code in response to events. Using these services may require significant development effort to integrate them with the backend services and DynamoDB. Moreover, they may not improve the read performance of DynamoDB, which may also be affected by high traffic3.

Auto Scaling groups

DynamoDB auto scaling

AWS Lambda

DynamoDB global tables

AWS Lambda vs EC2: Comparison of AWS Compute Resources - Simform

Managing throughput capacity automatically with DynamoDB auto scaling - Amazon DynamoDB

AWS Aurora Global Database vs. DynamoDB Global Tables

Amazon Simple Queue Service (SQS)

Question # 116

A company hosts a blog post application on AWS using Amazon API Gateway, Amazon DynamoDB, and AWS Lambda. The application currently does not use

API keys to authorize requests. The API model is as follows:

GET/posts/[postid] to get post details

GET/users[userid] to get user details

GET/comments/[commentid] to get comments details

The company has noticed users are actively discussing topics in the comments section, and the company wants to increase user engagement by marking the comments appears in real time.

Which design should be used to reduce comment latency and improve user experience?

Use edge-optimized API with Amazon CloudFront to cache API responses.

Modify the blog application code to request GET comment[commented] every 10 seconds.

Use AWS AppSync and leverage WebSockets to deliver comments.

Change the concurrency limit of the Lambda functions to lower the API response time.

Question # 117

A research company conducts mathematical simulations in the AWS Cloud. The simulations run on several hundred Amazon EC2 Linux instances. If a simulation encounters an issue, an engineer establishes an SSH connection to the affected EC2 instance.

Company policy requires that each EC2 instance session is established with a unique SSH key and that all SSH connections are logged in AWS CloudTrail. CloudTrail is enabled for the company’s account and the AWS Regions that the company uses.

Which solution will meet these requirements?

The Answer Is:

Answer:

Launch new EC2 instances. Generate an individual SSH key for each new EC2 instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.

Answer:

Launch new EC2 instances without setting up any SSH key for the new EC2 instances. Set up EC2 Instance Connect on each new EC2 instance. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the EC2 instances by using Instance Connect from the AWS CLI.

Answer:

Set up AWS Secrets Manager to store the EC2 SSH key. Create an AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function to automatically rotate the SSH key once daily. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

Comprehensive and Detailed Explanation From Exact Extract:

C is correct because EC2 Instance Connect is designed to provide per-connection, short-lived SSH access without long-lived shared private keys, and it integrates with IAM so access is controlled and auditable. With EC2 Instance Connect, engineers push a public key for a short time window to the target instance using the SendSSHPublicKey API action. This meets the “unique SSH key per session” intent because the key can be generated per session and injected temporarily instead of being a persistent static key. Additionally, the key injection is performed through an AWS API call, which is recorded in AWS CloudTrail, satisfying the logging requirement for SSH access activity.

Why the other options are incorrect:

Answer:

B: Running a Systems Manager document to set keys creates operational overhead and still does not inherently ensure CloudTrail logs of each SSH connection (the SSM Run Command API calls are logged, but the subsequent SSH login over the network is not an AWS API event). It also risks key persistence beyond a single session.

Answer:

D: Daily rotation is not “unique per session,” and it is complex/operationally heavy. Like A, the SSH login itself is not automatically a CloudTrail event; CloudTrail would capture Secrets Manager and SSM API calls, not the network SSH authentication event.

Want to know why?

Question # 118

A company is developing a new on-demand video application that is based on microservices. The application will have 5 million users at launch and will have 30 million users after 6 months. The company has deployed the application on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate. The company developed the application by using ECS services that use the HTTPS protocol.

A solutions architect needs to implement updates to the application by using blue/green deployments. The solution must distribute traffic to each ECS service through a load balancer. The application must automatically adjust the number of tasks in response to an Amazon CloudWatch alarm.

Which solution will meet these requirements?

Configure the ECS services to use the blue/green deployment type and a Network Load Balancer. Request increases to the service quota for tasks per service to meet the demand.

Configure the ECS services to use the blue/green deployment type and a Network Load Balancer. Implement an Auto Scaling group for each ECS service by using the Cluster Autoscaler.

Configure the ECS services to use the blue/green deployment type and an Application Load Balancer. Implement an Auto Seating group for each ECS service by using the Cluster Autoscaler.

Configure the ECS services to use the blue/green deployment type and an Application Load Balancer. Implement Service Auto Scaling for each ECS service.

Question # 119

A media storage application uploads user photos to Amazon S3 for processing by AWS Lambda functions. Application state is stored in Amazon DynamoOB tables. Users are reporting that some uploaded photos are not being processed properly. The application developers trace the logs and find that Lambda is experiencing photo processing issues when thousands of users upload photos simultaneously. The issues are the result of Lambda concurrency limits and the performance of DynamoDB when data is saved.

Which combination of actions should a solutions architect take to increase the performance and reliability of the application? (Select TWO.)

Evaluate and adjust the RCUs for the DynamoDB tables.

Evaluate and adjust the WCUs for the DynamoDB tables.

Add an Amazon ElastiCache layer to increase the performance of Lambda functions.

Add an Amazon Simple Queue Service (Amazon SQS) queue and reprocessing logic between Amazon S3 and the Lambda functions.

Use S3 Transfer Acceleration to provide lower latency to users.

Question # 120

A company has many AWS accounts in an organization in AWS Organizations. The accounts contain many Amazon EC2 instances that run different types of workloads. The workloads have different usage patterns.

The company needs recommendations for how to rightsize the EC2 instances based on CPU and memory usage during the last 90 days.

Which combination of steps will provide these recommendations? (Select THREE.)

Opt in to AWS Compute Optimizer and enable trusted access for Compute Optimizer for the organization.

Configure a delegated administrator account for AWS Systems Manager for the organization.

Use an AWS CloudFormation stack set to enable detailed monitoring for all the EC2 instances.

Install and configure the Amazon CloudWatch agent on all the EC2 instances to send memory utilization metrics to CloudWatch.

Activate enhanced metrics in AWS Compute Optimizer.

Configure AWS Systems Manager to pass metrics to AWS Trusted Advisor.

Spring Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: sntaclus

Free Practice Questions for Amazon Web Services SAP-C02 Exam

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is: