Design Solutions for Organizational Complexity
Drill 20 practice questions focused entirely on Design Solutions for Organizational Complexity for the AWS SAP-C02 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A large enterprise runs 120 AWS accounts under AWS Organizations with all features enabled and consolidated billing. The finance team needs to: allocate costs to individual business units (each mapped to a set of accounts), enforce a hard organization-wide spending ceiling that automatically prevents new resource creation when exceeded, and receive proactive alerts before any single account crosses its monthly forecast. The team also wants to maximize Reserved Instance and Savings Plans discount sharing across the organization. Which combination of actions BEST meets these requirements?
A large enterprise runs 40 AWS accounts under AWS Organizations. The security team wants employees to authenticate using the company's existing Microsoft Entra ID (Azure AD) as the identity provider and access assigned accounts through a single portal. Access to specific accounts must be governed by the employee's group membership in Entra ID, and permissions must be defined once and reused across many accounts. Which approach meets these requirements with the least ongoing operational overhead?
A company runs a multi-account AWS Organizations environment with dozens of VPCs connected through a central AWS Transit Gateway. An on-premises data center is connected via AWS Direct Connect. The company needs bidirectional DNS resolution: EC2 instances in any VPC must resolve on-premises private hostnames, and on-premises servers must resolve private Route 53 hosted zone records used across the organization. The solution must be centrally managed in a shared networking account and minimize the number of resolver endpoints deployed. Which approach meets these requirements?
A large enterprise recently acquired a smaller company. The acquired company operates 12 standalone AWS accounts that were each created independently with separate root credentials and their own consolidated billing was never enabled. The enterprise already runs a mature AWS Organizations setup managed by AWS Control Tower with several OUs and SCPs. The security team wants these 12 accounts brought under the enterprise Organization so that governance guardrails and centralized billing apply, while minimizing disruption to running production workloads. What is the correct approach to bring these existing accounts under central management?
A large enterprise is scaling from 15 to over 200 AWS accounts. They currently provision new accounts manually, which leads to inconsistent guardrails, missing centralized logging, and non-standard VPC configurations. The cloud platform team wants a repeatable, governed process that automatically applies preventive and detective controls, enrolls new accounts into the correct organizational units, and configures a standardized network baseline — while allowing application teams to request accounts through a self-service workflow. Which approach best meets these requirements with the least ongoing operational overhead?
A large enterprise deployed AWS Control Tower to establish its multi-account landing zone. A platform engineering team, wanting to add a custom deny policy, manually attached a new Service Control Policy directly to a Control Tower-managed Organizational Unit using the AWS Organizations console. Weeks later, the Control Tower dashboard reports the OU and its accounts as 'Not compliant' / drifted, and the team is concerned that a future landing zone update could break their custom guardrail. What is the recommended approach to maintain the custom SCP while keeping Control Tower governance intact?
A company runs a data analytics platform in a dedicated 'analytics' account in the us-east-1 Region. A newly acquired subsidiary operates a customer-facing application in a separate 'subsidiary' account in the eu-west-1 Region. Both accounts belong to the same AWS Organization. The analytics team needs the subsidiary application to send periodic batch uploads (a few gigabytes daily) to an internal service running behind an internal Network Load Balancer in the analytics VPC. Both VPCs use overlapping CIDR ranges (10.0.0.0/16). The solution must be private (no traffic over the public internet), minimize ongoing operational overhead, and avoid re-addressing either VPC. Which approach best meets these requirements?
A company runs a centralized fraud-detection microservice in a shared-services AWS account. Dozens of application accounts across multiple VPCs (some with overlapping CIDR ranges) need to consume this service over private connectivity. The security team requires that only the specific service be reachable — not the entire shared-services VPC — and that consumers cannot initiate connections back into the provider VPC. Which approach best meets these requirements with the least ongoing operational overhead?
A company runs a centralized CI/CD pipeline in a dedicated Tools account within its AWS Organization. The pipeline must deploy CloudFormation stacks into more than 50 workload accounts spread across multiple OUs. Security requires that the pipeline never use long-lived credentials, that each workload account explicitly control which principal can deploy, and that the solution scale as new accounts are added by the Account Factory without manual credential distribution. Which approach best meets these requirements?
A media company runs 12 AWS accounts, each with its own VPC in us-east-1. Currently every VPC is connected to every other VPC using VPC peering, creating a full-mesh topology that has become difficult to manage as new accounts are added. The networking team wants to reduce operational overhead, enable centralized route management, and allow new accounts to connect to all existing VPCs without creating dozens of new individual connections. The solution must keep all traffic on the AWS backbone and support transitive routing between VPCs. Which approach best meets these requirements?
A company operates a centralized networking account within AWS Organizations. The network team owns and manages a large VPC with carefully allocated subnets, NAT gateways, and route tables. Multiple application teams, each in their own AWS account, need to launch EC2 instances and RDS databases directly into these existing subnets so the network team can retain full control over IP addressing, routing, and network appliances. The solution must avoid duplicate networking infrastructure per account and must not require the application accounts to manage their own subnets or route tables. Which approach best meets these requirements?
A financial services company runs a multi-account AWS Organization with over 80 member accounts. The central security team currently operates entirely from the management (payer) account, where they manage GuardDuty, Security Hub, and IAM Access Analyzer findings for the whole organization. During an audit, the company is told that using the management account for daily operational tasks violates AWS security best practices and increases blast radius. The security team must retain organization-wide visibility and continue enrolling new accounts automatically, while minimizing the privileged actions performed from the management account. What should the solutions architect recommend?
A large enterprise uses AWS IAM Identity Center federated with an external corporate identity provider. The company has 300 AWS accounts organized by business unit and project. As teams grow, the security team is overwhelmed by creating and maintaining separate permission sets for every combination of business unit and project. They want engineers to only access resources tagged with their own business unit, without creating hundreds of unique permission sets. Which approach best meets this requirement with the least ongoing administrative overhead?
A financial services company uses AWS IAM Identity Center integrated with an external SAML identity provider. Auditors from a third-party firm require read-only console access to only the two AWS accounts in the 'Production-Regulated' OU during a 90-day engagement. Company policy mandates that no long-lived credentials be created, access must expire automatically at the end of the engagement, and auditors must never be able to reach any other account in the organization. Which approach best meets these requirements with the least ongoing administrative effort?
A global enterprise uses AWS IAM Identity Center federated with an external corporate SAML identity provider. The finance team wants to allocate costs of engineer-driven activity in a shared workload account by cost center. Each engineer's IdP profile already contains a 'costCenter' attribute. The security team requires that AWS API calls made through federated sessions carry the engineer's cost center so it can be used both in IAM policy conditions and reflected in AWS CloudTrail for later cost analysis, without creating separate permission sets per cost center. What is the MOST appropriate way to achieve this?
A large enterprise has adopted AWS Organizations with IAM Identity Center for workforce access across 40 member accounts. The company's HR system is the source of truth for employees and uses Okta as its corporate identity provider. Security requires that when an employee changes departments or leaves the company, their AWS access is automatically updated or revoked without any manual action by cloud administrators. Group memberships defined in Okta must drive which permission sets users receive. Which approach meets these requirements with the least ongoing operational overhead?
A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with permission sets to give engineers console access across 40 accounts in AWS Organizations. A DevOps team now needs programmatic access from an on-premises Jenkins server to deploy into several member accounts. The security team mandates that no long-lived IAM access keys be stored on the Jenkins server, and that all access must be centrally auditable and time-bounded. Which approach best meets these requirements?
A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML identity provider to grant developers access across 40 accounts in AWS Organizations. Each developer receives a permission set that grants broad access to build resources, including full IAM privileges within their assigned workload accounts. A security audit discovers that developers can create new IAM roles and attach the AdministratorAccess policy, effectively escalating their own privileges beyond what the permission set intended. The security team wants to cap the maximum permissions any IAM entity created by developers can ever have, without removing developers' ability to create roles for their applications. Which approach best addresses this requirement?
A company uses AWS IAM Identity Center (federated to an external corporate IdP) to manage access across 60 accounts in AWS Organizations. Security requires a documented "break-glass" procedure that grants a small group of on-call engineers full administrative access to any account during a Sev-1 incident, even if the corporate IdP is unavailable. Normal daily access must continue to flow through the IdP. The solution must minimize the standing privileged footprint and provide a clear audit trail of when break-glass access is used. Which approach BEST meets these requirements?
A financial services company uses AWS IAM Identity Center (successor to AWS SSO) with an external SAML identity provider to grant workforce access across 40 accounts in AWS Organizations. The security team defines permission sets that reference AWS managed policies. Developers report that when they attempt to attach a large custom inline policy plus several AWS managed policies to a single permission set, provisioning to member accounts fails. The team also needs the ability to constrain the maximum permissions any assigned user can ever receive through a permission set, regardless of the policies attached. Which combination of actions correctly addresses both the provisioning failure and the permission-ceiling requirement?
More SAP-C02 practice
Keep going with the other AWS Certified Solutions Architect - Professional domains, or take a full timed mock exam.
← Back to SAP-C02 overview