AWS Solutions Architect Professional (SAP-C02) Exam Questions 2025

Contains 700+ exam questions to pass the exam in first attempt. SkillCertPro offers real exam questions for practice for all major IT certifications. For a full set of 730 questions, go to https://skillcertpro.com/product/aws-solutions-architect-professional-exam-questions/

SkillCertPro offers detailed explanations to each question which helps to understand the concepts better. It is recommended to score above 85% in SkillCertPro exams before attempting a real exam. SkillCertPro updates exam questions every 2 weeks. You will get lifetime access and lifetime free updates. SkillCertPro assures 100% pass guarantee in first attempt.

Below are the free 10 sample questions.

Question 1: You currently have developers who have access to your production AWS account. There is a concern that the developers could potentially delete the production-based EC2 resources. Which of the below options could help alleviate this concern? Choose two options from the below:

A. Modify the IAM policy on the developers to require MFA before deleting EC2 instances and disable MFA access to the employee.
B. Tag the production instances with a production-identifying tag and add resource-level permissions to the developers with an explicit deny on the terminate API call to instances with the production tag.
C. Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.
D. Modify the IAM policy on the developers to require MFA before deleting EC2 instances.

Answer: B and C

Explanation: To stop the users from manipulating any AWS resources, you can either create the applicable (allow/deny) resource-level permissions and apply them to those users, or create an individual or group policy which explicitly denies the action on that resource and apply it to the individual user or the group.

Option B is CORRECT because it (a) identifies the instances with a proper tag, and (b) creates a resource-level permission that explicitly denies the user the terminate option.
Option C is CORRECT because it (a) identifies the instances with a proper tag, and (b) creates a policy with an explicit deny on terminating the instances and applies that policy to the group which contains the employees (who are not supposed to have access to terminate the instances).
Options A and D are incorrect because MFA is an additional layer of security given to the users for logging into AWS and accessing the resources. Enabling or disabling MFA by itself cannot prevent the users from performing resource-level actions.

More information on Tags: Tags enable you to categorize your AWS resources in different ways, for example by purpose, owner, or environment. This is useful when you have many resources of the same type: you can quickly identify a specific resource based on the tags you have assigned to it. Each tag consists of a key and an optional value, both of which you define.
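A worked illustration of the two correct options above, added here and not part of SkillCertPro's material or AWS's own code: the policy documents use real IAM syntax (ec2:TerminateInstances, the aws:ResourceTag condition key), while is_allowed is a deliberately tiny model of IAM's evaluation order (a matching explicit Deny beats any Allow; no matching Allow means implicit deny) that handles only what these policies use. The account id, region, instance ids and tag values are constructed.

```python
import fnmatch

# Constructed identifiers: the account id, region and instance ids are made up.
PROD_INSTANCE = ("arn:aws:ec2:us-east-1:123456789012:instance/i-0aaaaaaaaaaaaaaa1",
                 {"Environment": "production"})
DEV_INSTANCE = ("arn:aws:ec2:us-east-1:123456789012:instance/i-0bbbbbbbbbbbbbbb2",
                {"Environment": "dev"})

# Option B: developers keep broad EC2 access, but an explicit Deny on Terminate is
# scoped to instances carrying the production tag via the aws:ResourceTag condition key.
OPTION_B_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Deny",
                    "Action": "ec2:TerminateInstances",
                    "Resource": "arn:aws:ec2:*:*:instance/*",
                    "Condition": {"StringEquals":
                                  {"aws:ResourceTag/Environment": "production"}}}]},
]

# Option C: the group policy never grants Terminate at all, so it is implicitly denied.
OPTION_C_POLICIES = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Resource": "*",
                    "Action": ["ec2:DescribeInstances", "ec2:StartInstances",
                               "ec2:StopInstances", "ec2:RebootInstances"]}]},
]

def _matches(pattern, value):
    """IAM Action/Resource may be a string or a list; '*' is a wildcard."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, resource_tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled (all this page needs)."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            raise NotImplementedError(f"condition key not modelled: {key}")
        if resource_tags.get(key[len("aws:ResourceTag/"):]) != expected:
            return False
    return True

def is_allowed(policies, action, resource_arn, resource_tags):
    """Simplified IAM evaluation: a matching explicit Deny wins outright; otherwise a
    matching Allow is required; with neither, the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource_arn)
                    and _condition_holds(stmt.get("Condition", {}), resource_tags)):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":  # Option B: terminate is denied on prod, allowed on dev
    print(is_allowed(OPTION_B_POLICIES, "ec2:TerminateInstances", *PROD_INSTANCE),
          is_allowed(OPTION_B_POLICIES, "ec2:TerminateInstances", *DEV_INSTANCE))
```

Under Option B the same developers can still stop or reboot the production instance, which is the behaviour the question asks for; under Option C terminate is unavailable on every instance because nothing grants it.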
For more information on tagging AWS resources, please refer to the below URL: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html

The correct answers are: Tag the production instances with a production-identifying tag and add resource-level permissions to the developers with an explicit deny on the terminate API call to instances with the production tag; Tag the instance with a production-identifying tag and modify the employees group to allow only start, stop, and reboot API calls and not the terminate instance call.

Question 2: There is a requirement to host a database server. This server should not be able to connect to the internet except in the case of downloading the required database patches. Which of the following solutions would be the best to satisfy all the above requirements? Choose the correct answer from the below options.

A. Set up the database in a local data center and use a private gateway to connect the application to the database.
B. Set up the database in a private subnet with a security group which only allows outbound traffic.
C. Set up the database in a private subnet which connects to the Internet via a NAT instance.
D. Set up the database in a public subnet with a security group which only allows inbound traffic.

Answer: C

Explanation:
A. Set up the database in a local data center and use a private gateway to connect the application to the database. This option is not the best solution, as it adds unnecessary complexity and cost by hosting the database outside of AWS and requiring a private gateway connection. The requirement is to host the database server within AWS.
B. Set up the database in a private subnet with a security group which only allows outbound traffic. This is a valid option, but it does not fully meet the requirement of allowing the database server to download required patches from the internet.
The security group would need to allow outbound traffic, which could potentially expose the database to unintended internet access.
C. Set up the database in a private subnet which connects to the Internet via a NAT instance. This is the correct solution. By placing the database server in a private subnet and routing its outbound internet traffic through a NAT instance in the public subnet, you can allow the database to download patches while keeping it isolated from direct internet access. The NAT instance provides the necessary controlled internet connectivity.
D. Set up the database in a public subnet with a security group which only allows inbound traffic. This option is not correct, as it places the database server in a public subnet, which exposes it to potential internet-based attacks even with a restrictive security group. The requirement is to keep the database isolated from the internet, except for necessary patch downloads.

Question 3: A legacy application is being migrated to AWS. It works on the TCP protocol. There is a requirement to ensure scalability of the application and also ensure that records of the client IP using the application are kept. Which of the below-mentioned steps would you implement to fulfill the above requirement?

A. Use an ELB with a TCP Listener and Cross-Zone Load Balancing enabled, two application servers in different AZs.
B. Use Route 53 Alias Resource Record to distribute load on two application servers in different AZs.
C. Use an ELB with a TCP Listener and Proxy Protocol enabled to distribute load on two or more application servers in different AZs.
D. Use Route 53 with Latency Based Routing enabled to distribute load on two or more application servers in different AZs.

Answer: C

Explanation:
Scalability: An Elastic Load Balancer (ELB) with a TCP listener distributes incoming traffic across multiple application servers in different Availability Zones (AZs), enhancing scalability.
Client IP Recording: Proxy Protocol, when enabled on the ELB, allows the application server to access the original client IP address even behind the load balancer. This is crucial for recording client IPs.

Let's analyze why the other options fall short:
A. ELB with TCP Listener and Cross-Zone Load Balancing: While this provides scalability, it doesn't guarantee client IP capture without Proxy Protocol.
B. Route 53 Alias Record: Route 53 is a DNS service and doesn't handle load balancing or client IP capture.
D. Route 53 with Latency Based Routing: This focuses on routing based on latency but doesn't address load balancing or native client IP access within the application.

Proxy Protocol Consideration: Legacy applications might need modifications to interpret the Proxy Protocol information and extract the client IP.

Additional Considerations for a Solutions Architect Professional:
Security Groups: Configure appropriate security groups to restrict inbound traffic to the application servers only from the ELB.
Health Checks: Implement health checks on the ELB to ensure it routes traffic only to healthy application servers.
Auto Scaling: Consider integrating Auto Scaling with the ELB to automatically scale application servers based on traffic demands.

Question 4: A company has a requirement to host an application behind an AWS ELB. The application will be supporting multiple device platforms. Each device platform will need a separate SSL certificate assigned to it. Which of the below options is the best setup in AWS to fulfill the above requirement?

A. Set up one ELB for all device platforms to distribute load among multiple instances under it. Each EC2 instance will have a different SSL certificate assigned to it.
B. You just need to set up a single ELB. Since it supports multiple SSL certificates, it should be sufficient for the different device platforms.
C. Set up a hybrid architecture to handle multiple SSL certificates by using separate EC2 instance groups running web applications for different platform types running in a VPC.
D. Create multiple ELBs, one for each type of certificate for each device platform.

Answer: D

Explanation:
“One ELB, EC2 instances with different SSL certificates” ❌ SSL termination happens at the ELB, not at the instance. EC2 cannot independently handle multiple SSL certs behind a single ELB listener.
“Single ELB supports multiple SSL certificates” ❌ Only valid if using ALB with SNI, but the question implies that device platforms need completely separate certificates; the exam answer prefers separate ELBs.
“Hybrid architecture with separate EC2 groups for each platform” ❌ Overcomplicated and unnecessary; does not directly solve SSL handling.
“Create multiple ELBs, one for each certificate/platform” ✅ Correct: each ELB terminates SSL for one certificate, then routes to the backend. Simple, compatible with Classic ELB, and ensures platform-specific SSL handling.

Question 5: Which of the below components is used by AWS Data Pipeline to poll for tasks and then perform those tasks?

A. AWS OpsWorks
B. S3
C. Definition Syntax File
D. Task Runner

Answer: D

Explanation: Task Runner is a task agent application that polls AWS Data Pipeline for scheduled tasks and executes them on Amazon EC2 instances, Amazon EMR clusters, or other computational resources, reporting status as it does so.

For more information on Task Runner in AWS Data Pipeline, please refer to the below link: http://docs.aws.amazon.com/datapipeline/latest/DeveloperGuide/dp-using-task-runner.html

Question 6: An auditor has been called upon to carry out an audit of the configuration of your AWS accounts. The auditor has specified that they just want read-only access to the AWS resources on all accounts. Which of the below options would help the auditor get the required access?

A. Create a custom identity broker application that allows the auditor to use existing Amazon credentials to log into the AWS environments.
B. Create an IAM role with read-only permissions to all AWS services in each AWS account. Create one auditor IAM account and add a permissions policy that allows the auditor to assume the ARN role for each AWS account that has an assigned role.
C. Create an IAM user for each AWS account with read-only permission policies for the auditor, and disable each account when the audit is complete.
D. Configure an on-premise AD server and enable SAML and identity federation for single sign-on to each AWS account.

Answer: B

Explanation:
IAM Roles with Read-Only Permissions: Define roles in each AWS account with read-only access to specific services or all services, depending on the audit requirements.
Auditor IAM Account: Create a single IAM account for the auditor.
AssumeRole Policy: Attach a policy to the auditor's IAM account allowing it to assume the read-only roles in each AWS account using the AssumeRole action. This provides temporary access for the audit, enhancing security.

Let's explore why the other options are less suitable:
A. Custom Identity Broker: This is an overly complex solution for a simple audit scenario. It introduces additional security risks and management overhead.
C. IAM User per Account: Creates unnecessary user management overhead. Disabling accounts after the audit disrupts future access and isn't scalable.
D. On-Premise AD with SAML: While offering single sign-on, it's a complex setup for temporary audit access. It might require significant infrastructure changes and wouldn't be cost-effective for this specific scenario.

Question 7: There is a requirement to carry out the backup of an Oracle RAC cluster which is currently hosted on the AWS public cloud. How can this be achieved?

A. Create a script that runs snapshots against the EBS volumes to create backups and durability.
B. Enable automated backups on the RDS RAC cluster; enable auto snapshot copy to a backup region to reduce RPO and RTO.
C. Enable Multi-AZ failover on the RDS RAC cluster to reduce the RPO and RTO in the event of disaster or failure.
D. Create manual snapshots of the RDS backup and write a script that runs the manual snapshot.

Answer: A

Explanation: Currently, Oracle Real Application Cluster (RAC) is not supported as per the AWS documentation. However, you can deploy scalable RAC on Amazon EC2 using the recently published tutorial and Amazon Machine Images (AMI). So, in order to take the backups, you need to take them in the form of EBS volume snapshots of the EC2 instances deployed for RAC.

Options B, C, and D are all incorrect because RDS does not support Oracle RAC.
Option A is CORRECT because Oracle RAC is supported via deployment on Amazon EC2. Hence, for the data backup, you can create a script that takes snapshots of the EBS volumes.

For more information on Oracle RAC on AWS, please visit the below URLs:
https://aws.amazon.com/about-aws/whats-new/2015/11/self-managed-oracle-rac-on-ec2/
https://aws.amazon.com/articles/oracle-rac-on-amazon-ec2/
https://aws.amazon.com/blogs/database/amazon-aurora-as-an-alternative-to-oracle-rac/

Question 8: An internal auditor has been assigned to view your company's internal AWS services.
As an AWS administrator, what is the best solution to provide the auditor so that he can carry out the required auditing services? Choose the correct answer from the below options.

A. Create an IAM user with full VPC access but set a condition that will not allow him to modify anything if the request is from any IP other than his own.
B. Create an IAM user tied to an administrator role. Also, provide an additional level of security with MFA.
C. Create an IAM Role with read-only permissions to access the AWS VPC infrastructure and assign that role to the auditor.
D. Give the auditor root access to your AWS Infrastructure.

Answer: C

Explanation: Generally, you should refrain from giving high-level permissions and give only the required permissions. In this case, option C fits well by providing just the relevant access which is required.
Option A is incorrect because you should create an IAM Role with the needed permissions.
Option B is incorrect because you should not give the auditor full access to the VPC.
Option C is CORRECT because an IAM Role gives just the minimum required permissions (read-only) to audit the VPC infrastructure to the auditor.
Option D is incorrect because you should not give root access, as it will give the user full access to all AWS resources.

For more information on IAM, please see the below link: https://aws.amazon.com/iam/

Question 9: There is a requirement to have a read replica of a running MySQL RDS instance inside of AWS at an on-premise location. What is the most secure way of performing this replication? Choose the correct answer from the below options.

A. Configure the RDS instance as the master and enable replication over the open internet using a secure SSL endpoint to the on-premise server.
B. Create a Data Pipeline that exports the MySQL data each night and securely downloads the data from an S3 HTTPS endpoint.
C. Create an IPSec VPN connection using either OpenVPN or VPN/VGW through the Virtual Private Cloud service.
D. RDS cannot replicate to an on-premise database server. Instead, first configure the RDS instance to replicate to an EC2 instance with core MySQL, and then configure replication over a secure VPN/VPG connection.

Answer: D

Explanation:
Option A is incorrect because an SSL endpoint cannot be used here, as it is used for securely accessing the database.
Option B is incorrect because replicating via EC2 instances is very time consuming and very expensive cost-wise.
Option C is incorrect because Data Pipeline is for batch jobs and not suitable for this scenario.
Option D is CORRECT because it is feasible to set up a secure IPSec VPN connection between the on-premise server and the AWS VPC using the VPN gateways. See the image below:

For more information on VPN connections, please visit the below URL: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

Question 10: You created three S3 buckets: “mydomain.com”, “downloads.mydomain.com”, and “www.mydomain.com”. You uploaded your files, enabled static website hosting, specified both of the default documents under the ‘Enable static website hosting’ header, and set the ‘Make Public’ permission for the objects in each of the three buckets. All that is left for you to do is to create the Route 53 Aliases for the three buckets. You are going to have your end users test your websites by browsing to http://mydomain.com/error.html, http://downloads.mydomain.com/index.html, and http://www.mydomain.com. What problems will your testers encounter?

A. http://downloads.mydomain.com/index.html will not work because the “downloads” prefix is not a supported prefix for S3 websites using Route 53 aliases.
B. http://www.mydomain.com will not work because the URL does not include a file name at the end of it.
C. http://mydomain.com/error.html will not work because you did not set a value for the error.html file.
D. There will be no problems; all three sites should work.

Answer: D

Explanation: Previously, the only domain prefix allowed when creating AWS Route 53 aliases for AWS S3 static websites was “www”. However, this is no longer the case. You can now use other sub-domains.

For more information on S3 website hosting, please visit the below link: http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html