Hard SAP-C02 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 43 hard questions available — no sign-up, always free.
A company is migrating a 40 TB self-managed MySQL 8.0 database from an on-premises data center to Amazon Aurora MySQL-Compatible Edition. The data center has a 500 Mbps internet connection that is shared with production traffic, and the business requires that ongoing changes be captured and applied so that final cutover downtime is under 15 minutes. The migration team wants to minimize impact on the shared network link during the initial bulk load while still meeting the low-downtime requirement. Which approach best meets these requirements?
A financial services company runs a customer-facing API on Amazon ECS behind an Application Load Balancer. The API calls a downstream third-party payment provider that occasionally becomes slow or unresponsive during peak periods. When the payment provider degrades, threads in the API tier become blocked waiting for responses, cascading failures consume all available connections, and the entire API becomes unavailable — even for endpoints that do not depend on payments. The architecture team must improve resilience so that a slow downstream dependency cannot take down the whole service. Which approach BEST addresses this requirement?
A financial services company must implement a centralized backup strategy across dozens of AWS accounts for EBS volumes, RDS databases, and DynamoDB tables. Regulatory auditors require that backups be immutable and cannot be deleted or have their retention shortened by anyone — including account administrators and the root user — for a mandatory 7-year retention period. The solution must minimize custom operational tooling and enforce this centrally. Which approach best meets these requirements?
A retail company runs a self-managed Apache Cassandra cluster on 12 EC2 instances backing its product catalog service. Operations staff spend significant time patching nodes, managing repairs, and scaling the ring during seasonal peaks. Leadership wants to eliminate this operational burden while keeping the existing CQL-based application code changes to an absolute minimum, and they require the migration cutover to complete with less than 5 minutes of write downtime. Which approach best meets these requirements?
A large enterprise runs 120 AWS accounts under AWS Organizations with all features enabled and consolidated billing. The finance team needs to: allocate costs to individual business units (each mapped to a set of accounts), enforce a hard organization-wide spending ceiling that automatically prevents new resource creation when exceeded, and receive proactive alerts before any single account crosses its monthly forecast. The team also wants to maximize Reserved Instance and Savings Plans discount sharing across the organization. Which combination of actions BEST meets these requirements?
A company runs a multi-account AWS Organizations environment with dozens of VPCs connected through a central AWS Transit Gateway. An on-premises data center is connected via AWS Direct Connect. The company needs bidirectional DNS resolution: EC2 instances in any VPC must resolve on-premises private hostnames, and on-premises servers must resolve private Route 53 hosted zone records used across the organization. The solution must be centrally managed in a shared networking account and minimize the number of resolver endpoints deployed. Which approach meets these requirements?
A SaaS company runs a high-traffic order-processing service on ECS Fargate. The operations team wants per-customer and per-API-endpoint latency and error metrics so they can build dashboards and alarms broken down by both dimensions. There are roughly 8,000 active customers and 40 API endpoints. The team initially implemented this by calling the CloudWatch PutMetricData API from the application on every request with custom dimensions, but the monthly CloudWatch bill has grown dramatically and the API is being throttled during peak load. Which approach improves cost and reliability while preserving the ability to query metrics by customer and endpoint?
A financial services company deploys infrastructure to 40 accounts using AWS CloudFormation StackSets triggered from a central AWS CodePipeline. Recently, engineers have been manually modifying deployed resources in the console during incidents, causing configuration drift that later breaks automated deployments. The platform team wants to continuously detect drift, automatically alert the owning team, and block the pipeline from promoting new changes to any account currently in a drifted state — without manually inspecting each account. Which approach best meets these requirements with the least operational overhead?
A large enterprise recently acquired a smaller company. The acquired company operates 12 standalone AWS accounts that were each created independently with separate root credentials and their own consolidated billing was never enabled. The enterprise already runs a mature AWS Organizations setup managed by AWS Control Tower with several OUs and SCPs. The security team wants these 12 accounts brought under the enterprise Organization so that governance guardrails and centralized billing apply, while minimizing disruption to running production workloads. What is the correct approach to bring these existing accounts under central management?
A large enterprise deployed AWS Control Tower to establish its multi-account landing zone. A platform engineering team, wanting to add a custom deny policy, manually attached a new Service Control Policy directly to a Control Tower-managed Organizational Unit using the AWS Organizations console. Weeks later, the Control Tower dashboard reports the OU and its accounts as 'Not compliant' / drifted, and the team is concerned that a future landing zone update could break their custom guardrail. What is the recommended approach to maintain the custom SCP while keeping Control Tower governance intact?
A company runs a data analytics platform in a dedicated 'analytics' account in the us-east-1 Region. A newly acquired subsidiary operates a customer-facing application in a separate 'subsidiary' account in the eu-west-1 Region. Both accounts belong to the same AWS Organization. The analytics team needs the subsidiary application to send periodic batch uploads (a few gigabytes daily) to an internal service running behind an internal Network Load Balancer in the analytics VPC. Both VPCs use overlapping CIDR ranges (10.0.0.0/16). The solution must be private (no traffic over the public internet), minimize ongoing operational overhead, and avoid re-addressing either VPC. Which approach best meets these requirements?
A logistics company is migrating a 90 TB on-premises PostgreSQL database to Amazon RDS for PostgreSQL. The company's WAN link to AWS is a 500 Mbps connection that is also used for production traffic during business hours, leaving only about 200 Mbps of usable bandwidth for migration. Business rules require the application to remain read-write until a hard 6-hour cutover window on a weekend, during which only minimal downtime is acceptable. The solutions architect must move the bulk data and then apply ongoing changes so the cutover fits within the window. Which approach best meets these requirements?
A company is migrating a 12 TB on-premises PostgreSQL database to Amazon Aurora PostgreSQL using AWS DMS. The source contains several very large tables with columns storing multi-megabyte binary documents (BYTEA / LOB data). The initial full-load task is running extremely slowly and occasionally fails, and the team observes that the LOB-heavy tables are the primary bottleneck. Downtime must be minimized, and the migration must complete reliably. Which approach BEST improves full-load performance and reliability for this workload?
A payments company is building a new order-settlement platform. Each account's transactions must be processed in strict chronological order, and duplicate transaction submissions from retrying upstream systems must not be double-processed. Throughput is expected to reach roughly 2,000 transactions per second at peak, spread across hundreds of thousands of distinct account IDs. Multiple independent downstream services (fraud scoring, ledger update, notification) must each receive every transaction. Which architecture best meets ordering, deduplication, and fan-out requirements while scaling elastically?
A gaming company is launching a new mobile leaderboard service expected to reach 50 million users across North America, Europe, and Asia. Player scores must be readable with single-digit millisecond latency from any region, and score writes made in one region should become visible in other regions within a couple of seconds. The workload is highly spiky, with traffic surging 20x during tournaments. The team wants a fully managed solution that minimizes operational overhead and scales automatically without pre-provisioning capacity for peak. Which design best meets these requirements?
A retail company runs a self-managed Elasticsearch cluster on EC2 that indexes product catalog data. They are migrating to Amazon OpenSearch Service. The catalog is updated continuously by an application that writes to a relational database, and downstream search queries must never return stale results for more than a few minutes during the migration. The migration team wants the lowest-risk cutover with the ability to roll back if the new domain underperforms. Which approach best meets these requirements?
A retail company runs a monolithic Java order-management application on 40 on-premises VMs. Leadership wants to reduce total cost of ownership over the next 3 years and improve deployment agility, but only has a small team with limited AWS experience and a hard 6-month deadline to exit the data center. The application has tightly coupled modules and a large Oracle database. Which migration approach best balances the deadline, team capacity, and long-term modernization goals?
A media company is designing a new content-processing platform. Every night at 2 AM, a scheduled job must trigger the processing of up to 50,000 newly uploaded articles. Each article requires an independent enrichment task that calls a third-party API with strict rate limits, and processing may take anywhere from 30 seconds to 8 minutes per article. The solution must gracefully handle third-party throttling, automatically retry failed tasks, and be fully managed with minimal operational overhead. The company wants to avoid maintaining any always-on compute. Which architecture best meets these requirements?
A gaming company is launching a new mobile title expected to reach millions of concurrent players globally. The backend must record a continuous stream of player score updates and serve near-real-time leaderboard rankings. Write volume is extremely spiky and unpredictable, spiking 20x during tournaments. The team wants a fully managed data store that scales writes seamlessly without capacity planning, delivers single-digit millisecond latency, and minimizes operational overhead. Sorted top-N leaderboard reads must remain fast even at peak. Which design best meets these requirements?
A healthcare SaaS company is building a new patient-records platform on AWS. Regulatory requirements mandate that Protected Health Information (PHI) fields such as Social Security Numbers must be encrypted, but the application must still be able to perform exact-match lookups on these values (for example, to find a patient by SSN) without decrypting the entire dataset. The team wants to minimize the exposure of raw PHI in the primary application database, which runs on Amazon Aurora PostgreSQL. Which design best meets these requirements?
A large enterprise uses AWS IAM Identity Center federated with an external corporate identity provider. The company has 300 AWS accounts organized by business unit and project. As teams grow, the security team is overwhelmed by creating and maintaining separate permission sets for every combination of business unit and project. They want engineers to only access resources tagged with their own business unit, without creating hundreds of unique permission sets. Which approach best meets this requirement with the least ongoing administrative overhead?
A global enterprise uses AWS IAM Identity Center federated with an external corporate SAML identity provider. The finance team wants to allocate costs of engineer-driven activity in a shared workload account by cost center. Each engineer's IdP profile already contains a 'costCenter' attribute. The security team requires that AWS API calls made through federated sessions carry the engineer's cost center so it can be used both in IAM policy conditions and reflected in AWS CloudTrail for later cost analysis, without creating separate permission sets per cost center. What is the MOST appropriate way to achieve this?
A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with permission sets to give engineers console access across 40 accounts in AWS Organizations. A DevOps team now needs programmatic access from an on-premises Jenkins server to deploy into several member accounts. The security team mandates that no long-lived IAM access keys be stored on the Jenkins server, and that all access must be centrally auditable and time-bounded. Which approach best meets these requirements?
A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML identity provider to grant developers access across 40 accounts in AWS Organizations. Each developer receives a permission set that grants broad access to build resources, including full IAM privileges within their assigned workload accounts. A security audit discovers that developers can create new IAM roles and attach the AdministratorAccess policy, effectively escalating their own privileges beyond what the permission set intended. The security team wants to cap the maximum permissions any IAM entity created by developers can ever have, without removing developers' ability to create roles for their applications. Which approach best addresses this requirement?
A company uses AWS IAM Identity Center (federated to an external corporate IdP) to manage access across 60 accounts in AWS Organizations. Security requires a documented "break-glass" procedure that grants a small group of on-call engineers full administrative access to any account during a Sev-1 incident, even if the corporate IdP is unavailable. Normal daily access must continue to flow through the IdP. The solution must minimize the standing privileged footprint and provide a clear audit trail of when break-glass access is used. Which approach BEST meets these requirements?