AWS (Amazon Web Services) Certification
124 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The AWS (Amazon Web Services) AWS Certified Solutions Architect – Professional (SAP-C02) certification validates professional expertise in AWS (Amazon Web Services) technologies. This study guide covers all 124 practice questions from our SAP-C02 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
A company is designing a multi-region disaster recovery solution for a mission-critical application. They need RPO of 1 hour and RTO of 15 minutes. Which combination of services best meets these requirements?
Aurora Global Database provides sub-second replication for RPO and automatic failover achieving the 15-minute RTO requirement, making it ideal for mission-critical applications with strict recovery requirements.
An organization needs to implement a tagging strategy for cost allocation across 50+ AWS accounts in an AWS Organization. What is the most scalable approach?
Tag policies in AWS Organizations provide centralized enforcement of tagging standards across all accounts, while Cost Allocation Tags enable billing and cost center tracking at scale without manual intervention.
A financial services company must maintain strict data residency requirements for customer PII. Which architectural approach best ensures compliance?
This multi-layered approach combines data classification, S3 bucket policies for data residency control, and Service Control Policies (SCPs) to enforce regional restrictions at the AWS account level, providing the strongest compliance assurance.
A company is experiencing unpredictable traffic spikes to their web application hosted on EC2 instances behind an Application Load Balancer. Which strategy minimizes costs while maintaining performance?
Combining Spot instances (for cost savings) with On-Demand instances and Auto Scaling with target tracking policies provides flexibility, cost optimization, and automatic scaling to handle unpredictable spikes.
You are designing a hybrid cloud solution where on-premises systems must access AWS resources with minimal latency. Which AWS service provides the lowest latency connection?
AWS Direct Connect provides a dedicated physical connection between your on-premises infrastructure and AWS, eliminating internet variability and offering the lowest and most consistent latency.
A startup is building a serverless microservices architecture with Lambda functions that must process 100,000 events per second during peak load. What is the primary architectural concern?
AWS Lambda has default concurrent execution limits (1,000 per account/region), and processing 100,000 events/second would require a significantly higher limit via AWS Support quota increase, making this the primary architectural concern.
Your organization uses AWS Organizations with multiple member accounts. You need to implement a centralized logging solution that captures CloudTrail, VPC Flow Logs, and application logs. What is the most efficient approach?
CloudTrail's native cross-account, cross-region S3 bucket logging capability is the most efficient for centralized logging at organization scale, requiring minimal configuration compared to other solutions.
A company has a legacy monolithic application that processes large XML files and generates reports. The application runs on EC2 and has unpredictable compute requirements. Which refactoring approach provides the best cost optimization?
Breaking the monolith into Lambda functions triggered by S3 events (serverless, event-driven) with Step Functions for orchestration provides automatic scaling, pay-per-invocation pricing, and eliminates idle compute costs for unpredictable workloads.
You are designing a solution for a healthcare organization that must encrypt patient data both at rest and in transit, and maintain audit trails. Which combination of services is most appropriate?
RDS with KMS encryption provides encryption at rest with customer-managed keys, SSL/TLS ensures encrypted transport, CloudTrail tracks API calls, and enhanced monitoring/database activity monitoring provides detailed audit trails for compliance.
A distributed application processes IoT sensor data from millions of devices worldwide. Latency must be minimized for each regional deployment. What architectural pattern is most suitable?
Deploying regional microservices (ECS) in multiple AWS regions with Route 53 latency-based routing ensures requests are served from the geographically nearest region, minimizing latency while keeping data processing local.
An enterprise must implement a compliance solution where all data modifications to critical databases are tracked and immutable. Which AWS service should be the primary component?
Amazon QLDB provides a cryptographically verifiable, immutable ledger with complete history of all transactions, making it ideal for compliance requirements where data modification tracking and immutability are mandatory.
A company wants to implement automated remediation for non-compliant resources detected by AWS Config. What is the most efficient approach?
AWS Config's native remediation actions feature allows automatic, immediate remediation using Systems Manager (SSM) documents when violations are detected, eliminating manual intervention and reducing compliance risk.
You are designing a database solution for a SaaS application serving multiple tenants with data isolation requirements. Which approach best balances isolation, performance, and operational overhead?
A single Aurora cluster with separate schemas per tenant and row-level security (RLS) provides strong data isolation, better resource utilization, simplified operations, and cost efficiency compared to dedicated instances per tenant.
A company's application experiences variable traffic with peak loads requiring 10x normal capacity. Which instance purchasing strategy minimizes overall costs?
This tiered approach optimizes cost by using cheaper Reserved Instances for predictable baseline (30%), Spot instances for the majority of variable load (cost-effective), and On-Demand for the remaining guaranteed capacity, minimizing overall expenditure.
You need to implement a solution where on-premises applications can securely access secrets stored in AWS Secrets Manager. What is the most appropriate method?
Using AWS Direct Connect provides a dedicated, secure network connection to Secrets Manager, and IAM roles with resource-based policies enforce principle of least privilege without requiring long-term credentials on-premises.
A global company must ensure that customer data never leaves specific geographic regions due to regulatory requirements. Which service combination enforces this at the architecture level?
Combining S3 bucket policies that deny cross-region operations with AWS Service Control Policies (SCPs) that restrict regional service usage provides enforcement at both the resource and account levels for regulatory compliance.
An application requires real-time analytics on streaming data with complex windowing and aggregations. Which service is most appropriate?
Amazon Kinesis Data Analytics is purpose-built for real-time streaming analytics with native support for windowing, aggregations, and continuous SQL queries without infrastructure management.
You are designing a disaster recovery solution for a critical application with a 4-hour RTO and 1-hour RPO. The primary region has an RDS database with 500 GB of data. What is the most cost-effective approach?
Given the 4-hour RTO (not critical like minutes) and 1-hour RPO, RDS automated backups with periodic snapshots provides cost-effective DR that meets requirements without the premium of Global Database or DMS.
A company processes sensitive documents using an ML pipeline that requires GPU compute. How should they architect this for security and compliance?
Private subnets with VPC endpoints eliminate internet exposure, EBS encryption protects data at rest, instance store encryption secures temporary processing, and VPC Flow Logs provide audit trails for compliance requirements.
An organization wants to implement fine-grained access control for AWS resources across 100+ accounts. What is the most scalable solution?
AWS Identity Center (successor to AWS SSO) with permission sets provides centralized identity and access management across multiple accounts at scale without maintaining separate IAM configurations per account.
A financial services company needs to implement multi-factor authentication (MFA) for all AWS API calls while maintaining programmatic access for applications. Which approach is most secure?
Using AWS STS (Security Token Service) to generate temporary credentials with MFA validation allows both secure programmatic access (without requiring physical devices) and strong authentication for human users.
You are designing an architecture for a machine learning pipeline that must process 10 terabytes of training data monthly with auto-scaling. What service orchestrates this most efficiently?
Step Functions orchestrates the entire ML pipeline, integrating Glue for distributed data preprocessing and SageMaker for training with automatic resource scaling, providing the most managed and efficient approach.
A company must implement zero-trust security for accessing on-premises applications from AWS. Which architectural approach best implements this principle?
Systems Manager Session Manager enforces zero-trust by verifying identity through IAM, encrypting sessions, disabling direct SSH/RDP access, and logging all activity for audit compliance without network-level trust.
You need to design a solution where developers can deploy applications to production without direct AWS console access. What is the most secure approach?
Using AWS CodePipeline with CI/CD services removes need for direct console access, applies principle of least privilege through IAM roles, maintains audit trails, and enables approval gates for production deployments.
A startup wants to migrate a legacy on-premises application to AWS with minimal code changes. The application uses traditional file systems and requires POSIX compliance. Which storage solution is most appropriate?
Amazon EFS provides fully managed, POSIX-compliant shared file system that mounts to EC2 instances with NFS, supporting traditional file-based applications with minimal code changes required.
An organization processes confidential customer data and must ensure that data is deleted securely when requested (right to be forgotten). Which service combination best implements this?
RDS with encryption provides data protection, setting automated backup retention to 0 days ensures backups are immediately deleted, and encrypted snapshots can be deleted on request, fully supporting GDPR right-to-be-forgotten requirements.
A company has a monolithic application running on EC2 with weekly deployments causing 30 minutes of downtime. How should they architect for zero-downtime deployments?
ALB with Auto Scaling groups and CodeDeploy's blue-green deployment strategy enables zero-downtime deployments by gradually shifting traffic between old and new instances while monitoring health.
A company runs a multi-tier application across three AWS regions. They need to ensure that if one region fails completely, traffic automatically routes to another region within 60 seconds. Which combination of services would BEST support this requirement?
Route 53 health checks can detect region failures and redirect traffic within seconds, while Auto Scaling groups ensure capacity in standby regions. CloudFront is for content distribution, not application failover, and ALB/VPC peering don't provide automated regional failover.
Your organization needs to migrate a legacy on-premises database with strict compliance requirements to AWS. The database must remain encrypted at rest, support cross-region replication, and integrate with AWS Secrets Manager for credential rotation. Which RDS configuration meets all requirements?
Multi-AZ provides high availability, KMS encryption satisfies encryption requirements, and cross-region read replicas enable disaster recovery. Single-AZ lacks HA, Aurora requires specific licensing considerations, and DMS is a migration tool rather than an operational configuration.
A financial services company processes real-time streaming data that must be analyzed with sub-second latency. Data comes from multiple sources and must be deduplicated before analysis. Which architecture would be MOST suitable?
Kinesis Data Streams provides sub-second latency for streaming data, Kinesis Data Analytics enables real-time SQL processing, and Lambda can implement deduplication logic. SQS/SNS introduces latency, EventBridge is event-driven not streaming-optimized, and S3/Athena is for batch analysis.
An organization implements a hub-and-spoke VPC architecture with centralized security appliances in the hub. They need to ensure all traffic between spoke VPCs routes through the hub without manual route updates. What is the BEST approach?
AWS Transit Gateway automatically propagates routes and handles traffic between multiple VPCs without manual route management, while appliance routes ensure traffic flows through security controls. VPC peering requires manual route updates, static routes don't scale, and SSH tunneling is not a production network solution.
A company wants to implement a serverless solution for processing uploaded documents. Documents must be scanned for sensitive data before storage, and results must be queryable. Which combination of services provides this capability?
Macie automatically detects sensitive data in S3, Lambda processes the uploads, and Athena enables SQL queries on scan results. Rekognition handles image/video analysis, Textract is for document extraction, and Redshift is for data warehouse queries rather than serverless compliance scanning.
Your organization has strict requirements that all data must be encrypted with customer-managed keys and audit logging must be immutable. Which services combination would satisfy these compliance requirements?
KMS allows customer-managed keys with audit trails, and S3 Object Lock with CloudTrail ensures immutable audit logging for compliance. S3 default encryption doesn't use customer keys, CloudWatch Logs can be deleted, and other services don't provide immutable audit trails.
A startup experiences unpredictable traffic spikes and wants to minimize operational overhead while maintaining cost efficiency. Which auto-scaling strategy is BEST?
Target tracking automatically adjusts capacity based on real-time metrics, and Spot Instances provide cost savings. Scheduled scaling doesn't handle unpredictable spikes, manual scaling lacks automation, and step scaling is less efficient than target tracking for variable workloads.
A company needs to provide secure cross-account access to specific S3 buckets for a partner organization. The partner has their own AWS account and should have time-limited access. Which approach is MOST secure and scalable?
Cross-account roles with external ID and trust relationships provide secure, auditable access without sharing credentials. Creating IAM users in the partner account violates account separation, sharing credentials is insecure, and pre-signed URLs are for temporary access rather than account-level integration.
A global retail company wants to minimize latency for their API endpoints served across multiple regions. They need to route users to the nearest region and handle failover automatically. What is the RECOMMENDED solution?
Global Accelerator optimizes routing to nearby regions, provides automatic failover via health checks, and uses anycast for consistent routing. Route 53 geolocation is DNS-based with slower updates, CloudFront is primarily for content delivery, and Lambda-based solutions require manual failover logic.
An organization must implement a disaster recovery strategy for a critical application with an RTO of 15 minutes and RPO of 1 minute. The application uses a database and file storage. Which approach BEST meets these requirements?
RDS continuous replication achieves sub-minute RPO, warm standby compute enables 15-minute RTO activation, and combined S3 replication meets file storage requirements. Backups have longer RPO, DynamoDB applies only to NoSQL, and daily snapshots can't achieve 1-minute RPO.
A company processes sensitive customer data and must ensure that encryption keys never leave a hardware security module. Which AWS service provides this capability?
CloudHSM gives customers exclusive control over HSM hardware and keys that never leave the device. KMS Standard key store uses AWS-managed infrastructure, Secrets Manager manages credentials not cryptographic keys, and Certificate Manager manages certificates not HSM operations.
Your application requires a distributed cache with sub-millisecond latency and automatic failover. Which ElastiCache configuration is MOST appropriate?
Redis cluster mode provides sharding for scalability, automatic failover for HA, and sub-millisecond latency. Cluster mode disabled limits to single-shard failover, Memcached lacks automatic failover, and manual failover introduces unacceptable downtime.
A healthcare provider must implement HIPAA-compliant infrastructure with end-to-end encryption and detailed audit trails. Which architectural decision supports these requirements?
CloudHSM and KMS provide cryptographic controls, CloudTrail enables audit trails, and HIPAA-eligible services ensure compliance. Custom encryption introduces gaps, local logging violates cloud requirements, and S3 default encryption alone is insufficient for HIPAA.
A company wants to migrate a monolithic application to microservices and needs service discovery that automatically registers/deregisters instances. Which solution is BEST?
Cloud Map automatically registers/deregisters services based on health, integrates with ECS, and provides DNS and SRV record discovery. Route 53 requires manual updates, ALB doesn't provide service discovery, and Consul requires operational overhead.
A financial institution needs to implement a data governance solution that enforces column-level access control across multiple data lakes in different AWS accounts. Which approach is MOST suitable?
Lake Formation provides fine-grained column and row-level access control, supports cross-account access, and centralizes governance. S3 bucket policies don't support column-level control, Athena row-level security requires application logic, and IAM alone can't enforce column-level permissions.
An e-commerce platform experiences variable load and wants to optimize costs while maintaining performance. They already use EC2 instances with predictable baseline usage. Which strategy provides the BEST cost optimization?
Combining Reserved Instances for baseline (predictable) with Spot for variable load optimizes cost and maintains performance. Only Spot doesn't cover baseline needs, Savings Plans are less cost-effective than RI+Spot combo, and Dedicated Hosts are for licensing, not cost optimization.
A company must ensure all S3 buckets remain private and cannot be modified to become public, even by accident. Which solution provides this enforcement?
Service Control Policies (SCPs) at the organization level prevent any account from changing bucket public access settings. Block Public Access prevents access but allows policy changes, Object Lock is for data retention, and Config Rules only report non-compliance.
An organization wants to implement least-privilege access for temporary credentials used by applications running on EC2. Which approach is MOST secure?
Instance profiles automatically provide temporary STS credentials with defined expiration, removing the need for permanent credentials. Long-term keys are security risks, embedding credentials violates best practices, and security groups don't provide credential management.
A data engineering team needs to build a pipeline that processes petabyte-scale data with complex transformations and conditional logic. Which service provides the BEST balance of flexibility and managed infrastructure?
Glue provides managed infrastructure for petabyte-scale processing, PySpark for complex transformations, and Workflows for orchestration without managing clusters. EMR requires cluster management, Data Pipeline is legacy, and Lambda has memory/timeout limitations for big data.
A company operates a multi-region application and wants to ensure consistent application behavior across regions using infrastructure as code. Which tool set provides the BEST governance?
CloudFormation StackSets deploy consistent templates across regions, Config rules enforce compliance, and Systems Manager enables governance at scale. Terraform lacks native AWS governance, SAM is Lambda-focused, and CDK requires custom validation logic.
A machine learning team needs to train models on sensitive healthcare data without exposing raw data to data scientists. Which approach provides secure access?
SageMaker with VPC isolation prevents internet exposure, Secrets Manager manages credentials, and encryption protects data at rest. Public access violates healthcare compliance, VPN adds operational complexity, and QuickSight doesn't enable model training.
An organization needs to consolidate logs from multiple AWS accounts into a central account for analysis. Which solution provides centralized logging with minimal operational overhead?
CloudTrail's multi-account aggregation feature automatically consolidates API logs to a central bucket with minimal configuration. CloudWatch subscription filters require manual setup per log group, manual aggregation scales poorly, and Session Manager logs aren't comprehensive for audit trails.
A company runs containerized applications on ECS Fargate and needs persistent storage that supports simultaneous access from multiple tasks. Which storage option is MOST appropriate?
EFS provides shared persistent storage directly compatible with Fargate without requiring EC2 instances. Instance store is not persistent, S3 FUSE mounts have performance limitations, and FSx for Windows requires Windows-based tasks.
Your organization requires that all database backups be immutable and retained for 7 years for compliance. Which combination of services meets this requirement?
AWS Backup provides centralized backup management, Object Lock enforces immutability, and retention policies ensure 7-year retention across services. RDS backups to S3 requires manual copy management, versioning allows deletion, and DynamoDB recovery doesn't support long-term compliance retention.
A company uses multiple AWS accounts for different business units and needs to enforce consistent tagging across all resources. Which approach provides automated enforcement?
Service Control Policies can prevent resource creation without required tags across all accounts. Config rules only report non-compliance, CloudFormation applies only to stack resources, and manual audits lack enforcement. SCPs provide preventive controls at the organization level.
An application requires consistent sub-100ms latency globally for API requests. The application cannot tolerate cold starts. Which architecture is MOST appropriate?
Global Accelerator optimizes routing, EC2 instances eliminate cold starts, and ElastiCache provides sub-100ms latency. Lambda@Edge has cold start issues, regional endpoints lack global optimization, and Route 53 routing doesn't guarantee latency SLAs.
A company is running a multi-tier application across multiple AWS regions. They need to ensure that database writes are synchronized across regions while maintaining high availability. Which approach provides the lowest RPO and RTO?
Aurora Global Database provides RPO of typically <1 second and RTO measured in seconds, as it maintains fully synchronized read-only replicas across regions with automatic detection and failover capabilities built-in.
An organization wants to minimize data transfer costs when moving large datasets between an on-premises data center and AWS. Which solution provides the most cost-effective approach for recurring monthly transfers of 500 GB?
For 500 GB monthly transfers, AWS Direct Connect provides dedicated network connectivity that eliminates per-GB data transfer charges and offers consistent throughput, making it more cost-effective than internet-based transfer options.
A solutions architect is designing a system that requires strong consistency guarantees for financial transactions while also needing to scale to handle millions of requests per second. What is the primary trade-off consideration?
This reflects the CAP theorem principle: achieving strong consistency across distributed systems typically requires coordination that limits horizontal scalability. Financial systems often accept this limitation by using sharding strategies or accepting weaker consistency models for certain operations.
A company uses AWS Lambda functions to process images uploaded to S3. They observe that Lambda cold starts are causing unacceptable latency spikes during traffic surges. Which combination of strategies would best address this issue?
Provisioned Concurrency pre-initializes Lambda functions to eliminate cold starts, while increasing memory improves execution speed. CloudFront caching reduces origin requests. Lambda execution quota is managed automatically and doesn't prevent cold starts.
An organization is implementing a hub-and-spoke network architecture across AWS regions using AWS Transit Gateway. They want to enforce consistent security policies across all spokes. Which approach provides the most centralized control?
AWS Firewall Manager provides centralized policy management across organizations and regions, allowing you to define security policies once and automatically apply them to Transit Gateway and Network Firewall resources consistently.
A company migrates a legacy application that uses local file system operations to AWS. The application frequently performs small random read/write operations on large files. Which storage solution minimizes latency and cost?
For local file system operations with random I/O patterns, EBS gp3 volumes provide consistent sub-millisecond latency and configurable IOPS/throughput that exceeds S3 latency and is more cost-effective than FSx for this workload pattern.
A financial services company requires audit trails showing who accessed what data and when, with immutable records. They need to query audit logs efficiently across 5 years of historical data. Which AWS service combination best meets these requirements?
CloudTrail provides comprehensive API audit trails with S3 Object Lock ensuring immutability, while CloudTrail Lake enables SQL-based querying of audit data at scale, making it purpose-built for compliance audit requirements.
A development team wants to implement infrastructure as code for a complex multi-account AWS environment with dependencies across stacks. They need to manage cross-account resources. Which tool provides the best native support for this scenario?
CloudFormation StackSets specifically enables deploying and managing stacks across multiple AWS accounts and regions with a single template, including service-managed permissions that automatically handle cross-account access.
An organization experiences performance degradation when running analytical queries on their production RDS MySQL database. They need to isolate read traffic without modifying application code. What is the best architectural approach?
RDS Proxy can automatically route read queries to read replicas without application changes, while managing connection pooling and reducing latency. This requires no code modifications unlike Route 53 routing or connection string updates.
A company processes sensitive health data on AWS and must comply with HIPAA regulations. They need to ensure encryption in transit and at rest, with key management fully under their control. Which encryption strategy is most appropriate?
For HIPAA compliance requiring full key control, AWS KMS with CloudHSM provides customer-managed encryption keys stored in a hardware security module you control, meeting regulatory requirements for key custody and operational control.
Your organization requires that all data stored in Amazon S3 must be encrypted using customer-managed keys. You need to implement a solution that enforces this requirement across all S3 buckets in multiple AWS accounts. Which approach best meets this requirement?
Service Control Policies (SCPs) at the organization level can enforce encryption requirements across accounts by denying actions that don't meet the criteria. Combined with AWS Config for monitoring, this provides both preventive and detective controls for multi-account environments.
A company is designing a disaster recovery strategy for a critical application that requires an RTO of 15 minutes and RPO of 5 minutes. The application uses Amazon RDS Multi-AZ with synchronous replication. What additional capability should be implemented to meet the RPO requirement?
Aurora's synchronous replication across availability zones with binary logging provides near-continuous data protection with RPO measured in seconds. The read replicas can be promoted quickly to meet the 15-minute RTO requirement.
You are tasked with optimizing costs for a workload that runs batch processing jobs 8 hours per day, 5 days per week. The compute instances are currently On-Demand. Which combination of purchasing options would provide the most cost savings?
Compute Savings Plans provide flexibility across instance families and regions (approximately 30% discount), while Spot Instances offer up to 90% discount for interruptible workloads. Combining both optimizes cost for predictable baseline load with variable overflow.
An organization needs to implement cross-region disaster recovery for a multi-tier application. The primary region is us-east-1 and the DR region is us-west-2. What is the most appropriate solution for achieving sub-second replication latency for the database layer?
Aurora Global Database provides sub-100ms replication latency across regions with RPO near zero and enables fast failover (typically 1-2 minutes). This is purpose-built for multi-region disaster recovery with minimal replication lag.
A financial services company requires that sensitive data be encrypted both in transit and at rest, with encryption keys never leaving AWS regions. Which encryption approach violates these requirements?
Exporting encrypted data to external systems means encryption keys leave AWS regions, violating the requirement that keys never leave AWS regions. AWS KMS and CloudHSM both maintain keys within AWS infrastructure.
You are designing a solution for a SaaS application that needs to support multi-tenancy with strict data isolation. Each tenant's data must be isolated at the database level. Which architecture best achieves this requirement?
Database-level isolation with separate RDS instances per tenant provides the strongest isolation guarantee and prevents accidental cross-tenant data leakage. While more costly, this meets strict data isolation requirements in regulated industries.
A company is migrating a legacy application to AWS that requires consistent IP addresses for firewall rules. The application is deployed across multiple availability zones using Auto Scaling groups. What solution best addresses this requirement?
A Network Load Balancer can be assigned Elastic IPs that remain constant, and the instances behind it can be managed by Auto Scaling without needing individual IPs. The firewall rules reference the NLB's fixed IPs, not instance IPs.
An organization is implementing AWS Control Tower for multi-account management. A requirement exists to prevent users from deleting CloudTrail logs. Where should this preventive control be implemented?
Service Control Policies provide preventive controls that deny actions before they occur, making them ideal for compliance requirements. This prevents deletion at the source rather than detecting violations after the fact.
A solutions architect is designing a hybrid network architecture connecting on-premises data centers to AWS. The company has two on-premises locations that need to communicate through AWS. Which AWS service provides the most cost-effective and operationally simple solution?
AWS Transit Gateway acts as a central hub that simplifies multi-site connectivity. VPN attachments provide cost-effective connectivity compared to Direct Connect, while the Transit Gateway handles routing between all sites automatically.
You need to implement a solution that provides real-time insights into API usage patterns across a large microservices architecture. The solution must support complex analytics queries on billions of events. Which service combination is most appropriate?
OpenSearch provides powerful full-text and analytics capabilities for billions of events, while Kinesis Data Firehose handles real-time data ingestion and transformation at scale. This combination supports both real-time insights and complex analytics queries.
A company is deploying a containerized application on Amazon EKS that requires persistent storage shared across pods in multiple AZs. The storage must support concurrent read-write access. Which solution is most appropriate?
Amazon EFS provides NFS-based file sharing accessible from multiple pods across different AZs with native EKS integration through storage classes. It supports concurrent read-write access without the complexity of multi-attach or snapshot management.
An organization needs to implement automated remediation for non-compliant EC2 instances that lack required security group rules. The solution must scale to thousands of instances across multiple accounts. What is the most efficient approach?
AWS Config with aggregators allows you to create rules and remediation actions across multiple accounts and regions. Custom Lambda remediation functions can automatically correct security group configurations based on compliance rules.
A financial institution requires compliance with regulations that mandate encryption key rotation every 90 days. The institution uses AWS KMS for key management. How should automatic key rotation be configured?
KMS automatic key rotation (when enabled) rotates the key material annually by default and can be customized, but the key ID remains constant. This maintains backward compatibility while meeting rotation requirements. Note: KMS annual rotation may need to be supplemented with manual rotation for stricter 90-day requirements.
A company is designing a global application that serves customers in multiple regions. The application uses Amazon CloudFront with origin failover. What is the primary benefit of using origin failover in this architecture?
CloudFront origin failover automatically switches to a secondary origin group when health checks fail on the primary origin, ensuring high availability without manual intervention.
You are architecting a solution for processing streaming data from IoT devices. The data must be persisted, analyzed in real-time, and made available for batch processing. Which service combination best addresses all requirements with minimal operational overhead?
Kinesis Data Streams handles streaming ingestion, Kinesis Data Analytics provides real-time SQL analytics without infrastructure management, and automatic S3 export through Firehose enables batch processing. This minimizes operational complexity compared to managing Kafka or Lambda-based solutions.
A company operates a multi-region active-active application with databases in multiple regions. When a regional failure occurs, the application must automatically switch to the other region without data loss. Which database solution best supports this requirement?
DynamoDB Global Tables provide fully managed, active-active multi-region replication with automatic conflict resolution. All regions can handle reads and writes, eliminating the need for application-level failover logic and ensuring no data loss.
An organization is implementing AWS Organizations to manage multiple accounts. A specific organizational unit (OU) contains development accounts where developers need broad permissions. What is the recommended approach to grant these permissions safely?
Permission boundaries provide guardrails that prevent privilege escalation by limiting the maximum permissions a developer can grant themselves. This allows broad development permissions while protecting critical AWS infrastructure from accidental or malicious changes.
A company needs to implement a solution for automatically scaling an RDS database based on query performance metrics. The database occasionally experiences spikes in CPU utilization above 80%. What is the most appropriate AWS service to address this requirement?
Aurora Serverless automatically scales compute capacity based on actual workload without manual intervention. For traditional RDS, this would require application changes or manual scaling, but Aurora Serverless manages this automatically with predictable performance and cost.
An organization is designing a solution for real-time collaboration where users upload files that must be processed by a backend service and made immediately available to other users. Latency must be under 500ms. Which architecture best meets these requirements?
AppSync provides real-time subscriptions through WebSockets, enabling instant updates when files are uploaded. DynamoDB stores metadata with millisecond latency, S3 stores file content, and GraphQL subscriptions notify other users immediately of changes.
A solutions architect is designing a backup and recovery solution for a critical database workload. The solution must support point-in-time recovery (PITR) for 35 days. Which RDS configuration best meets this requirement?
RDS automated backups with retention set to 35 days combined with transaction logs automatically provide point-in-time recovery throughout the entire retention period. This is the native RDS feature designed for this purpose.
A company is migrating a monolithic application to microservices on Amazon ECS. Each microservice needs to communicate securely with other services and requires service discovery. What is the most appropriate AWS-native solution?
AWS App Mesh provides service mesh capabilities including automatic service discovery, traffic management, security policies, and observability across microservices without requiring application code changes or external tools.
An organization requires that all AWS API calls be logged and analyzed for compliance purposes. The logs must be immutable and queryable. Which service combination best addresses this requirement?
CloudTrail logs all AWS API calls, S3 with MFA delete prevents tampering (immutability requirement), and Athena enables complex SQL queries on the logs. This combination provides compliance-grade audit logging with strong integrity controls.
A startup is building a mobile application with occasional spikes in traffic. The backend processes user requests through a REST API. Which serverless architecture minimizes operational overhead and costs?
API Gateway and Lambda scale automatically to handle traffic spikes with pay-per-request pricing. DynamoDB on-demand mode eliminates capacity planning, and SQS decouples components. This combination minimizes operational overhead and optimizes costs for variable workloads.
An organization needs to implement cost allocation and chargeback across multiple business units using AWS. Each business unit operates in separate AWS accounts. What is the most effective approach?
Consolidated billing in AWS Organizations combined with consistent cost allocation tagging enables automated cost tracking and chargeback across accounts. This provides accurate cost attribution and enables detailed analysis through Cost Explorer.
A company is running a mission-critical application on Amazon EC2 instances across three Availability Zones. The application requires sub-millisecond latency for database operations. Which database solution would best meet these requirements while maintaining high availability?
DynamoDB with DAX provides sub-millisecond latency through in-memory caching while maintaining high availability across AZs. Global tables ensure replication without application complexity.
Your organization needs to migrate a large on-premises data warehouse to AWS while minimizing disruption. The warehouse contains 500 TB of data and receives constant updates. What approach should you recommend?
AWS Snowball efficiently handles 500 TB transfers, while AWS DMS provides continuous replication of updates, minimizing downtime and data loss during the migration.
An organization requires encryption at rest for all S3 objects, with the ability to manage keys centrally and audit key usage across the entire AWS account. Which encryption approach best satisfies these requirements?
AWS KMS with customer-managed keys provides centralized key management and enables full audit trails through CloudTrail, meeting both control and compliance requirements.
A startup is designing a multi-tenant SaaS application where each customer's data must be completely isolated. The application needs to scale to thousands of customers with minimal operational overhead. Which architecture should be recommended?
DynamoDB with partition key-based isolation provides automatic scaling, minimal operational overhead, and cost-effective isolation for thousands of tenants compared to per-customer infrastructure.
Your company has a Windows Server 2019 application that requires persistent state and runs on EC2 instances in an Auto Scaling group. How should you ensure data persistence across instance replacements?
Amazon FSx for Windows File Server provides persistent, highly available file storage optimized for Windows applications, automatically handling failover without manual reattachment of volumes.
An organization processes sensitive healthcare data and must comply with HIPAA. The company wants to establish a hybrid cloud architecture connecting on-premises servers to AWS. Which network solution provides the required encryption and compliance controls?
AWS Direct Connect with MACsec provides dedicated, encrypted connectivity meeting HIPAA's strict encryption and audit requirements better than internet-based VPN solutions.
A company runs a web application that experiences unpredictable traffic spikes. The application uses RDS MySQL, and database performance degrades significantly during peaks. What solution addresses the root cause?
ElastiCache caching layer reduces database queries by caching frequently accessed data, providing the most cost-effective solution for handling traffic spikes without overprovisioning the database.
An organization has established AWS Control Tower for multi-account governance. They need to enforce a policy requiring all EC2 instances to have monitoring enabled. What is the most scalable approach?
Control Tower controls provide automated, preventive enforcement across all accounts in the organization, preventing non-compliant resources from being created rather than detecting violations after the fact.
A media company streams video content globally and needs to optimize delivery while reducing bandwidth costs. The content is accessed from multiple geographic regions with varying popularity patterns. Which combination of services is most suitable?
CloudFront with S3 origin and origin access identity provides cost-effective global content delivery with caching benefits, while the origin access identity restricts direct S3 access.
A solutions architect is designing a disaster recovery strategy for a critical database. The RTO is 15 minutes and RPO is 1 minute. Current daily backup takes 4 hours. Which approach best meets these requirements?
RDS Multi-AZ with automated failover provides RTO of 1-2 minutes and RPO near zero through synchronous replication, easily meeting the 15-minute RTO and 1-minute RPO requirements.
A company uses AWS Lambda functions that process files from S3. During peak usage, Lambda functions frequently timeout. The processing logic cannot be modified, but execution time must be improved. What solution should be recommended?
Increasing Lambda memory proportionally increases CPU allocation, which directly improves execution performance without modifying the code, addressing the timeout issue.
An organization must implement cross-account access for developers to assume roles in sandbox accounts. The solution must support single sign-on and enforce multi-factor authentication. Which implementation best addresses these requirements?
AWS IAM Identity Center provides centralized single sign-on management with native MFA support and simplified cross-account role assumption for developers.
A solutions architect is designing an application that must achieve RPO of 5 seconds for a critical database. What technical limitation makes this difficult to achieve with traditional RDS?
RDS backup frequency is limited by automated backup intervals; achieving 5-second RPO requires continuous backup mechanisms like Aurora with backtrack or external replication solutions.
A company stores confidential documents in S3 and must ensure only specific corporate IP addresses can access the bucket. The company also needs to allow access from a partner company through their VPN. Which S3 bucket policy approach is most appropriate?
An S3 bucket policy with an IpAddress condition using an array of allowed IP CIDR blocks efficiently restricts access to both corporate and partner networks in a single policy statement.
An application requires a distributed cache with automatic failover and persistence. The application needs strong consistency guarantees and the ability to scale horizontally with multiple read replicas. Which ElastiCache engine is most suitable?
Redis cluster mode enabled provides horizontal scaling with automatic sharding, persistence, strong consistency, and built-in replication with failover capabilities that Memcached cannot match.
A company uses AWS Elastic Beanstalk to deploy a Java web application across multiple environments (dev, staging, production). They need to ensure configuration differences between environments are easily manageable. What is the recommended approach?
A single Elastic Beanstalk application with multiple environments allows configuration management through environment-specific .ebextensions files and environment properties, reducing duplication and maintenance overhead.
An organization implements AWS Config to monitor compliance across its AWS account. They want to receive notifications whenever a non-compliant resource is detected and automatically remediate it. Which service combination achieves this?
AWS Config supports automated remediation through Systems Manager documents, providing built-in compliance monitoring and automatic remediation without custom code.
A company migrates a legacy application to microservices on Amazon ECS. Different microservices require different resource allocations and scaling patterns. What is the most flexible and cost-effective architecture?
ECS with Fargate eliminates infrastructure management, allows fine-grained service auto scaling with custom metrics, and provides cost efficiency through per-task billing.
An organization needs to establish a network connectivity between AWS and on-premises data center for hybrid workloads. The connection must support failover and be highly available. Traffic includes both sensitive data and non-sensitive applications. Which design provides the best balance of redundancy and cost?
Two Direct Connect connections provide high-bandwidth redundancy for critical traffic, while VPN serves as a cost-effective failover option, ensuring business continuity with optimal cost management.
A developer accidentally deletes a critical DynamoDB table. The table contains real-time transaction data from the past 7 days. Which recovery option is most likely to succeed?
DynamoDB point-in-time recovery retains backups for up to 35 days, allowing recovery of the deleted table to any point in time within the past 7 days.
A company implements AWS Organizations with multiple member accounts and requires that all member accounts use specific VPC configurations. They want to enforce this requirement programmatically across new and existing accounts. Which solution is most appropriate?
CloudFormation StackSets with organization permissions automatically deploy and manage consistent VPC configurations across all accounts, scaling as new accounts are added.
A solutions architect is designing a highly available API that processes real-time stock market data. The API must serve requests with sub-second latency from global locations. Which architecture component is essential?
AWS Global Accelerator provides optimized routing paths and automatic failover for real-time applications, ensuring sub-second latency from global locations better than standard Route 53 geolocation routing.
An organization runs batch processing jobs on EC2 instances that consume large CSV files from S3. Job execution time varies from 30 minutes to 4 hours. The company wants to minimize costs while maintaining reasonable completion times. Which approach is most cost-effective?
AWS Batch with Spot instances automatically manages instance lifecycle and cost optimization for variable-duration workloads, while on-demand fallback ensures reliability.
A company uses Amazon Redshift for data warehousing and experiences slow query performance during peak business hours. The cluster is sized for average load and queries compete for resources. What architectural change best resolves this issue?
Increasing cluster nodes directly improves query throughput and resource availability, addressing peak load issues, though query optimization (option B) should also be pursued as a complementary measure.
An organization must prevent developers from launching expensive instance types in development accounts while allowing team leads full control. The solution must be dynamic and adjustable as business needs change. Which approach is most flexible?
SCPs applied to OUs or accounts prevent expensive instance launches at the API level regardless of IAM permissions, providing flexible enforcement that can be adjusted centrally without modifying multiple policies.
A startup is building a serverless application using Lambda, API Gateway, and DynamoDB. The application experiences database throttling errors during traffic spikes despite on-demand DynamoDB billing. What is the likely root cause?
DynamoDB on-demand mode provides unlimited throughput but with burst capacity limits based on account history; sustained high traffic exceeding burst capacity causes throttling.
A company implements AWS Secrets Manager to store database credentials for a production RDS instance. The database team needs read-only access to view secrets but cannot retrieve values. How should this be configured?
An IAM policy denying GetSecretValue while allowing DescribeSecret and ListSecrets allows viewing metadata and secret existence without exposing actual credential values.
A company is migrating a legacy monolithic application to AWS. The application currently uses a shared file system that stores documents accessed by multiple servers. Which solution provides the best scalability and fault tolerance while minimizing refactoring?
Amazon EFS is purpose-built for shared file access across multiple EC2 instances with automatic scaling, built-in redundancy across AZs, and minimal application changes required compared to S3 or RAID solutions.
An organization needs to implement cross-account access for a Lambda function in Account A to read objects from an S3 bucket in Account B. Which combination of configurations is required?
The Lambda execution role in Account A needs S3 permissions, and the S3 bucket policy in Account B must explicitly allow the principal (Lambda role ARN) from Account A to access the bucket resources.
A financial services company requires that all data at rest be encrypted with customer-managed keys and that encryption keys be rotated automatically every 90 days. Which AWS service combination best meets these requirements?
AWS KMS customer master keys support automatic annual key rotation, and while the company specifies 90 days, KMS is the primary AWS service for managing customer-controlled encryption keys with rotation policies for compliance requirements.
An enterprise application experiences variable traffic patterns with peak loads occurring during business hours. The application uses a Network Load Balancer (NLB) distributing traffic to Auto Scaling groups across three AZs. Network performance degrades during peak hours despite sufficient EC2 capacity. What is the most likely cause?
NLBs can experience performance degradation when clients reuse connections intensively, causing the connection tracking table to become a bottleneck even with sufficient EC2 capacity, as the NLB connection state must be maintained for each flow.
A healthcare organization must comply with HIPAA regulations and needs to ensure that PHI (Protected Health Information) stored in Amazon RDS is encrypted both in transit and at rest. Which configuration satisfies this requirement?
HIPAA compliance requires both encryption at rest (RDS KMS encryption) and encryption in transit (enforcing SSL/TLS via DB parameter groups and client certificate requirements), making this the comprehensive solution.
A SaaS provider deploys containerized microservices on Amazon ECS using Fargate. They require the ability to store sensitive credentials for database access that can be rotated without redeploying containers. What is the recommended approach?
AWS Secrets Manager is purpose-built for this use case, integrating with ECS task definitions through IAM roles, enabling automatic rotation without container redeployment, and providing audit logging for compliance.
An organization operates a multi-region disaster recovery strategy with a standby RDS database in a secondary region. The primary database experiences a catastrophic failure. Recovery time objective (RTO) is 15 minutes. Which approach provides the fastest recovery?
Promoting a cross-region read replica is the fastest recovery method, typically completing within minutes, which aligns with the 15-minute RTO, whereas restoring from backups adds significant overhead.
A company uses AWS CloudFormation to manage infrastructure as code. During a stack update, a critical parameter requires changing, but the change would force replacement of a database instance containing production data. How should the architect prevent accidental data loss?
The 'UpdateReplacePolicy' attribute (available in newer CloudFormation versions) automatically creates a snapshot before replacement, combined with change set review procedures that prevent accidental destructive updates.
A media streaming company processes large video files using a batch processing pipeline. Jobs are submitted to an SQS queue and processed by EC2 instances. During off-peak hours, no jobs run. Which optimization reduces costs without sacrificing service availability?
AWS Batch is purpose-built for batch processing workloads, automatically provisioning and scaling compute resources based on job demand, eliminating idle capacity during off-peak hours while maintaining high availability.
An architect is designing a solution for a global application requiring low-latency data access across multiple regions. The data is frequently read but infrequently updated. Current design uses multi-master RDS with high replication lag causing consistency issues. What is the recommended alternative?
Aurora Global Database provides the best balance for read-heavy, infrequently-updated data with automatic replication to read-only secondaries across regions and RPO of approximately 1 second, superior to DynamoDB for relational data patterns.
You've reviewed all 124 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free