AWS Solutions Architect — Professional Practice Exam Questions

Are you ready to take the AWS Solutions Architect — Professional Certification? Test yourself with the following free questions!

Gonzalo Fernandez Plaza
10 min read · Aug 6, 2024

The AWS Certified Solutions Architect Professional certification (SAP-C02) is a highly regarded credential that demonstrates advanced knowledge and expertise in designing complex solutions on Amazon Web Services (AWS).

The SAP-C02 exam has 65 questions in total and a 180-minute time limit; questions are either multiple-choice or multiple-response. To help you pass this certification, let’s practice with these free questions!

AWS Certified Solutions Architect — Professional Certification — Free Practice Questions

Remember that you can find 120 AWS Solutions Architect — Professional practice questions, and cheat sheets at FullCertified.

PRACTICE QUESTIONS:

An online e-commerce business is running an application on AWS. The application consists of three tiers within a single Region. The application tiers use Amazon EC2 instances and are stateless. The data tier consists of a 30 TB Amazon Aurora database. A Solutions Architect is designing a disaster recovery strategy that includes an RTO of 30 minutes and an RPO of 5 minutes for the data tier.

Which combination of steps satisfies the RTO and RPO requirements while optimizing costs? (Select TWO.)

A) Deploy a hot standby of the application tiers to another Region.

B) Create daily snapshots of the EC2 instances and replicate them to another Region.

C) Create a cross-Region Aurora MySQL Replica of the database.

D) Use AWS DMS to replicate the Aurora DB to an RDS database in another Region.

E) Create snapshots of the Aurora database every 5 minutes.

Solution: A, C. As part of disaster recovery planning, you need to define an RTO and RPO for each application based on impact analysis and risk assessment.

The recovery time objective (RTO) is the maximum acceptable delay between an application’s interruption and the restoration of its service. Think about how long it takes to bring the service back. In this example, an RTO of 30 minutes means the service must be running again within 30 minutes of the interruption.

The recovery point objective (RPO) is the maximum acceptable gap between the data in the disaster recovery site and the latest data stored in the application when the disaster strikes. Think about the amount of data you are willing to lose because of a disaster. In this example, an RPO of 5 minutes means that no more than 5 minutes of data can be lost.

Together, options A and C give a fast cross-Region failover. A cross-Region Aurora replica is kept continuously in sync, so the data lost on failover is limited to the replication lag, which is normally well within the 5-minute RPO, and the replica can be promoted to a standalone DB cluster in minutes. Restoring a 30 TB snapshot into another Region would not fit a 30-minute RTO, and taking snapshots every 5 minutes (option E) is neither practical nor a substitute for replication. AWS DMS (option D) adds another service to operate and does not improve on native Aurora replication. Keeping the stateless application tiers deployed in the second Region (option A) turns failover into a traffic switch rather than a rebuild; in the warm standby variant the stack runs at reduced capacity, handles traffic at reduced levels immediately, and is scaled out afterwards, which keeps the cost below a full-size hot standby. Daily EC2 snapshots (option B) add nothing for stateless tiers that can be redeployed from an AMI.

In the following image, you can check the different recovery strategies along with their RTO and RPO:

RTO and RPO from different recovery strategies in AWS.

A Solutions Architect developed a web application that includes an Amazon API Gateway Regional endpoint and an AWS Lambda function that queries an Amazon Aurora MySQL database. The web app users are close to the AWS Region where the application is deployed. The database is configured with three read replicas.

During periods of high demand, the application does not meet performance requirements. Under high load, the application opens many database connections, causing a degradation in the application’s performance.

Which actions should the solutions architect take to improve the performance? (Select TWO.)

A) Connect an RDS Proxy connection pool to the reader endpoint of the Aurora database.

B) Configure the application to use the cluster endpoint of the Aurora database.

C) Configure an Amazon Aurora serverless database cluster and use automatic scaling.

D) Move Lambda function code for opening the database connection outside of the event handler.

E) Create a Classic Load Balancer to distribute connections across the three Aurora Read Replicas.

Solution: A, D. The performance degradation is caused by the number of database connections opened under load: every concurrent Lambda execution environment opens its own connection, and Aurora has a finite connection limit, so the fix is to open fewer connections and reuse them.

RDS Proxy sits between the function and the database and pools the connections it keeps open to the database, so many Lambda invocations share a small number of database connections instead of each opening their own. Pointing the proxy’s read-only endpoint at the Aurora reader endpoint (option A) spreads the read traffic across the three replicas, whereas the cluster endpoint (option B) would send every read to the writer. For most applications, enabling RDS Proxy needs no code changes beyond swapping the database host name for the proxy endpoint. Two security details worth knowing: the proxy fetches the database credentials from AWS Secrets Manager, and if you enable IAM authentication on the proxy, the function’s role needs rds-db:connect on the proxy and the connection must use TLS, so no database password has to reach the function at all.

RDS Proxy for AWS Lambda.

It is also a good idea to move the code that opens the database connection outside the event handler. Code at module scope runs only once, when Lambda initialises the execution environment (a cold start); subsequent invocations processed by the same environment reuse whatever that code created, including the connection. The following Node.js handler does that (it is an ES module, so the top-level await requires a .mjs file or "type": "module" in package.json):

import mysql from 'mysql2/promise';

// Connection configuration. Point at the RDS Proxy endpoint and read the
// secrets from the environment (or Secrets Manager); never hard-code them.
const connectionConfig = {
  host: process.env.DB_HOST,
  user: process.env.DB_USER,
  password: process.env.DB_PASSWORD,
  database: process.env.DB_NAME,
  ssl: { rejectUnauthorized: true }, // verify the server certificate
};

// Created once, at module scope, so warm invocations of the same execution
// environment reuse it. mysql2/promise opens the socket here; there is no
// separate connect() call to make inside the handler.
const conn = await mysql.createConnection(connectionConfig);

export const handler = async (event) => {
  // Execute your queries on the shared connection.
  const [rows] = await conn.query('SELECT NOW() AS now');
  return rows;
};
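The same pattern in Python, as an added example that is not code from the original article: the connection is cached at module scope and reused by warm invocations, a connect that fails is not cached, and a connection that has gone stale (proxy idle timeout, Aurora failover) is replaced once before the query is retried. A constructed in-memory FakeConnection stands in for a real driver such as pymysql so the code runs offline; the initialisation pattern is identical with the real driver call.

```python
"""Connection reuse across warm AWS Lambda invocations (added example).

A constructed in-memory FakeConnection stands in for a real driver such as
pymysql.connect() against the RDS Proxy endpoint, so the module runs offline.
The initialisation pattern is the point, not the driver.
"""


class FakeConnection:
    """Constructed stand-in for a DB connection; counts how many were opened."""
    opened = 0

    def __init__(self):
        FakeConnection.opened += 1
        self.alive = True

    def query(self, sql):
        if not self.alive:
            raise RuntimeError("connection lost")
        return [("result-of", sql)]

    def close(self):
        self.alive = False


def real_connect():
    """Stand-in for pymysql.connect(host=PROXY_ENDPOINT, ...) (assumed driver call)."""
    return FakeConnection()


def failing_connect():
    """Stand-in for a connect() that raises, e.g. the proxy is unreachable."""
    raise ConnectionError("simulated connect failure")


# --- Module scope: runs once per execution environment (cold start) ------------
# Whatever is cached here is shared by every warm invocation that environment
# serves afterwards. The connection is opened lazily, so a failed connect() can
# never leave a broken object in the cache.
_conn = None


def reset_cache():
    """Forget the cached connection (simulates a fresh execution environment)."""
    global _conn
    _conn = None


def get_connection(connect=real_connect):
    """Return the cached connection, opening a new one only if none is alive."""
    global _conn
    if _conn is None or not _conn.alive:
        _conn = None          # if connect() raises, nothing stale stays cached
        _conn = connect()
    return _conn


def handler(event, context=None, connect=real_connect):
    """Lambda entry point: reuses the connection, reconnecting once if it is stale."""
    sql = event["sql"]
    conn = get_connection(connect)
    try:
        rows = conn.query(sql)
    except RuntimeError:
        # Stale connection (proxy idle timeout, Aurora failover): drop it, retry once.
        conn.close()
        conn = get_connection(connect)
        rows = conn.query(sql)
    return {"statusCode": 200, "rows": rows}


def simulate_warm_invocations(n):
    """Run n invocations in one environment; return how many connections were opened."""
    FakeConnection.opened = 0
    reset_cache()
    for i in range(n):
        handler({"sql": f"SELECT {i}"})
    return FakeConnection.opened


def simulate_stale_connection():
    """Open, kill the cached connection, invoke again; return (connections opened, rows)."""
    FakeConnection.opened = 0
    reset_cache()
    handler({"sql": "SELECT 1"})
    get_connection().close()           # e.g. the proxy closed an idle socket
    result = handler({"sql": "SELECT 2"})
    return FakeConnection.opened, result["rows"]


def simulate_failed_then_recovered_connect():
    """First connect fails; return whether the next one succeeds (cache not poisoned)."""
    reset_cache()
    try:
        get_connection(failing_connect)
    except ConnectionError:
        pass
    return get_connection() is not None
```

Fifty warm invocations open exactly one connection; a connection the proxy has closed is replaced on the next invocation without an error reaching the caller; and because the cache is only written after connect() returns, a cold start that cannot reach the proxy does not leave a broken object behind for later invocations.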

A company runs a customer service center that accepts calls and automatically sends all customers a managed, interactive, two-way experience survey by text message. The applications that support the customer service center run on machines that the company hosts in an on-premises data center. The hardware that the company uses is old, and the company is experiencing downtime with the system. The company wants to migrate the system to AWS to improve reliability. Which solution will meet these requirements with the LEAST ongoing operational overhead?

A) Use Amazon Pinpoint to replace the old call center hardware and to send text message surveys to customers.

B) Develop a custom call center software solution from scratch using AWS Lambda functions for serverless compute and Amazon DynamoDB for data storage. Use Amazon Simple Notification Service (Amazon SNS) to send text message surveys to customers.

C) Use Amazon Connect to replace the old call center hardware. Use Amazon Pinpoint to send text message surveys to customers.

D) Use Amazon Connect to replace the old call center hardware. Use Amazon Simple Notification Service (Amazon SNS) to send text message surveys to customers.

Solution: C. Amazon Pinpoint is a scalable two-way communications service that you can use to engage with your customers across multiple messaging channels, including push notifications, in-app notifications, email, text messages (SMS), voice messages, and more. Amazon SNS (options B and D) can send SMS, but only as one-way notifications; it has no concept of a managed, interactive survey.

By integrating Amazon Pinpoint with Amazon Connect, a cloud-based virtual contact center, you can address the company’s requirements with the least ongoing operational overhead.

An application stores data in multiple Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data publicly accessible through a simple and cost-effective API over HTTPS. The solution must scale automatically in response to demand. Which solution meets these requirements?

A) Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.

B) Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.

C) Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.

D) Create an Amazon API Gateway REST API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.

Solution: A. HTTP APIs are designed for lightweight, HTTP-based APIs with simplicity and cost in mind: they are cheaper per request than REST APIs, have lower latency, and still cover the basics (Lambda and HTTP integrations, custom domain names, CORS, and native JWT authorizers).

REST APIs offer more advanced features, including API keys and usage plans, request validation, request/response mapping templates, response caching, resource policies, private endpoints, and AWS WAF integration. This makes them the choice for complex API scenarios and, because WAF and resource policies are REST-only, for public APIs that need edge filtering.

In this question the requirement is an API that is simple and cost-effective, which is exactly the HTTP API use case.

Amazon API Gateway REST APIs can integrate directly with DynamoDB through the AWS integration type. HTTP APIs do not offer a DynamoDB integration (their AWS service integrations cover a short list of services such as SQS, EventBridge and Step Functions), so with an HTTP API you return the data through AWS Lambda functions, and the function’s execution role should be limited to the read actions it needs on those tables.

You can see the main differences between HTTP and REST APIs in the following image:

HTTP vs REST API in Amazon API Gateway.
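As an added example that is not from the original article, here is the Lambda side of option A in Python: a handler for the HTTP API payload format 2.0 that answers GET /products/{id} with a point lookup. The table is a constructed in-memory dict so the code runs offline; with boto3 the lookup would be table.get_item, and the function’s execution role should allow only dynamodb:GetItem on that table’s ARN. The route name, the key format and the sample products are assumptions for the example. The handler validates the path parameter before it reaches the data store and never falls back to a Scan, which matters when the endpoint is public and billed per request.

```python
"""HTTP API (payload format 2.0) -> Lambda -> DynamoDB point lookup (added example).

The table is a constructed in-memory dict so this runs offline. With boto3 the
lookup would be `table.get_item(Key={"product_id": key}).get("Item")`, and the
function's role should allow only dynamodb:GetItem on that table's ARN.
"""
import json
import re

# Constructed sample data standing in for a DynamoDB table keyed on "product_id".
PRODUCTS = {
    "p-1001": {"product_id": "p-1001", "name": "Widget", "price_cents": 1999},
    "p-1002": {"product_id": "p-1002", "name": "Gadget", "price_cents": 4999},
}

# Only keys in the format the table actually uses reach the data store. Anything
# else is rejected up front; there is no Scan and no filter built from user input.
# fullmatch() is used rather than match() with `$`, so a trailing newline fails too.
PRODUCT_ID = re.compile(r"p-\d{1,10}")


def get_item(table, key):
    """Point lookup by partition key (boto3: table.get_item(...).get('Item'))."""
    return table.get(key)


def _response(status, body):
    """Dict shape that API Gateway HTTP APIs map straight to the HTTP response."""
    return {
        "statusCode": status,
        "headers": {"content-type": "application/json"},
        "body": json.dumps(body),
    }


def handler(event, context=None, table=PRODUCTS):
    """Entry point for the route GET /products/{id} on an HTTP API."""
    if event.get("version") != "2.0":
        # HTTP APIs send payload format 2.0; anything else means a misconfigured integration.
        return _response(500, {"error": "expected HTTP API payload format 2.0"})
    if event.get("routeKey") != "GET /products/{id}":
        return _response(404, {"error": "unknown route"})

    product_id = (event.get("pathParameters") or {}).get("id", "")
    if not PRODUCT_ID.fullmatch(product_id):
        return _response(400, {"error": "invalid product id"})

    item = get_item(table, product_id)
    if item is None:
        return _response(404, {"error": "not found"})
    return _response(200, item)


def make_event(product_id):
    """Constructed minimal HTTP API v2 event for the route above."""
    return {
        "version": "2.0",
        "routeKey": "GET /products/{id}",
        "rawPath": f"/products/{product_id}",
        "pathParameters": {"id": product_id},
        "requestContext": {"http": {"method": "GET", "path": f"/products/{product_id}"}},
    }


def body_of(response):
    """Parse the JSON body of a handler response."""
    return json.loads(response["body"])
```

A valid id returns the item with a 200; an unknown id returns 404; anything that does not look like a key (an injection attempt, a path traversal string, an id with a trailing newline) is rejected with 400 before any table call is made; and an event in payload format 1.0 is reported as a configuration error rather than silently misread.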

A company with a management account and several accounts in an AWS Organization wishes to restrict access to a specific set of AWS services in the existing member accounts.

What is the most efficient method to fulfill this requirement?

A) Utilize AWS Organizations’ tagging feature to tag the specific set of services in the member accounts, then configure IAM policies based on these tags to enforce access restrictions.

B) Create a custom AWS Config rule that monitors and enforces compliance with access restrictions for the specified set of services across all member accounts.

C) Create a service control policy (SCP) that denies access to the specific set of services and apply the policy to the root of the organization.

D) Add the member accounts to a single organizational unit (OU). Create a service control policy (SCP) that denies access to the specific set of services and attach it to the OU.

Solution: D. Adding the member accounts to a single organizational unit (OU) lets you apply one consistent set of policies to all of them, and to any account moved into the OU later.

Service control policies (SCPs) are the tool for implementing control and governance across an AWS Organization. An SCP never grants permissions; it sets the maximum permissions available to the IAM users and roles in the accounts it applies to, so a Deny in an SCP cannot be overridden by any identity policy in a member account, and it applies to the account’s root user as well. Attaching the deny SCP to the OU (option D) scopes it to exactly those accounts; attaching it at the organization root (option C) would cover every member account, including any that must keep using the services. Two caveats: SCPs never affect the management account, so the restriction only works for member accounts, and the default FullAWSAccess SCP (or an equivalent Allow) must stay attached alongside a deny-list SCP, otherwise nothing is allowed at all.

For example, the following SCP denies all Amazon S3 actions for every account in the OU it is attached to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}

A retail company runs a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF. Due to new requirements, external companies need to connect to the web application. The retail company must provide IP addresses to all external companies.

Which solution will meet these requirements with the LEAST operational overhead?

A) Set up a VPN connection between the customer’s network and the VPC. Provide the customer’s network administrator with the private IP addresses of the EC2 instances behind the ALB.

B) Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic IP address to the NLB.

C) Create an AWS Global Accelerator standard accelerator. Specify the ALB as the accelerator’s endpoint. Provide the accelerator’s IP addresses to the customer.

D) Create a Route 53 public hosted zone. Create an A record pointing to the ALB’s DNS name. Provide the hosted zone’s IP address to the customer.

Solution: C. AWS Global Accelerator provides two static anycast IP addresses that the external companies can allow-list and use to connect to the web application.

Putting Global Accelerator in front of the existing Application Load Balancer (ALB) leaves the current setup, including AWS WAF on the ALB, in place. The other options fall short: an ALB has no static IP addresses, so there is no address to put in a Route 53 A record or to hand to the companies (option D); replacing the ALB with a Network Load Balancer (option B) does give Elastic IPs but loses AWS WAF, which does not support NLBs; and a VPN per external company (option A) is the most operational work of all.

In the following image, you can see the primary targets for AWS Global Accelerator:

AWS Global Accelerator targets.

A new employee has just joined a new team. The employee initially requires access to manage Amazon S3, Amazon RDS, and Amazon EC2. All the other team members belong to an IAM group, which provides additional permissions to manage all other AWS services. The team manager initially wants to restrict the new employee’s permissions until the employee assumes additional responsibilities. As the employee’s role evolves, the manager needs to be able to easily expand their access, eventually providing the same permissions as the rest of the team.

How can the manager limit the permissions assigned to the new user account while minimizing complexity?

A) Create an IAM account for the new employee. Create a new IAM group for the employee and add a permissions policy that grants access to manage Amazon S3, Amazon RDS, and Amazon EC2. When the employee takes on new management responsibilities, add the additional services to the IAM policy.

B) Create an IAM account for the new employee and add the account to the security team IAM group. Set a permissions boundary that grants access to manage Amazon S3, Amazon RDS, and Amazon EC2. When the employee takes on new management responsibilities, add the additional services to the permissions boundary IAM policy.

C) Create an IAM account for the new employee and add the account to the security team IAM group. Use a Service Control Policy (SCP) to limit the maximum available permissions to Amazon S3, Amazon RDS, and Amazon EC2. When the employee takes on new management responsibilities, remove the SCP.

D) Create an IAM account for the new employee in a dedicated account. Use cross-account access to manage resources. Limit the permissions on the cross-account access role to only allow management of Amazon S3, Amazon RDS, and Amazon EC2. When the employee takes on new management responsibilities, add permissions to the cross-account access IAM role.

Solution: B. A permissions boundary is a managed policy that sets the maximum permissions an IAM user or role can have. It grants nothing by itself: the effective permissions are the intersection of the identity-based policies (here, the team group’s policy) and the boundary. Adding the new employee to the team group and attaching a boundary that allows only Amazon S3, Amazon RDS and Amazon EC2 therefore yields exactly those three services, and the manager expands access later by adding services to the boundary policy and finally removing the boundary, without touching the group policy the rest of the team depends on. An SCP (option C) is an organization-level control that applies to whole accounts, not to one user, and a separate account with cross-account roles (option D) adds far more complexity than a boundary.

Here is an example of a permissions boundary policy that can be attached to a user or role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:*",
        "ec2:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
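For both the SCP question above and this permissions-boundary question, the following added Python example (not from the article, and not AWS’s real evaluation engine) implements the subset of IAM policy evaluation the two answers depend on: an explicit Deny in any applicable policy wins; SCPs and permissions boundaries only cap what identity-based policies grant and never grant anything themselves; and SCPs never restrict the management account. The four policies are constructed to mirror the two questions (the article’s deny-S3 SCP, the default FullAWSAccess SCP, a broad team group policy and the boundary shown above). Resource ARNs, conditions, resource-based policies and session policies are deliberately left out.

```python
"""Simplified IAM evaluation: SCP, identity policy and permissions boundary (added example).

Not AWS's evaluation engine. Only the rules the two questions rely on are modelled:
an explicit Deny in any applicable policy wins; an SCP and a permissions boundary
never grant anything by themselves; the action is allowed only if every applicable
policy type allows it. Resource ARNs, conditions, resource-based and session
policies are omitted, and SCPs are skipped for the management account, as AWS does.
"""
import fnmatch


def _matches(pattern, action):
    """IAM wildcard match (`*` and `?`); action names are case-insensitive."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy, action):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy."""
    decision = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(a, action) for a in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny is final
            decision = "Allow"
    return decision


def evaluate_policies(policies, action):
    """Combine policies of one type: any Deny wins, otherwise any Allow, else None."""
    decisions = [evaluate_policy(p, action) for p in policies]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else None


def is_allowed(action, identity_policies, scps=(), boundary=None,
               management_account=False):
    """Final decision for `action`: every applicable policy type must allow it."""
    # 1. SCPs cap the whole account (never the management account).
    if scps and not management_account:
        if evaluate_policies(scps, action) != "Allow":
            return False
    # 2. A permissions boundary caps the principal and grants nothing by itself.
    if boundary is not None and evaluate_policies([boundary], action) != "Allow":
        return False
    # 3. Identity-based policies are the only source of a grant modelled here.
    return evaluate_policies(identity_policies, action) == "Allow"


# --- Constructed policies mirroring the two questions ---------------------------
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}        # default SCP on every OU

DENY_S3_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}      # the SCP from the article

TEAM_GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}        # broad team group policy

NEW_HIRE_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["rds:*", "ec2:*", "s3:*"], "Resource": "*"}]}


def member_account_can(action):
    """Full-access principal in a member account inside the OU carrying DENY_S3_SCP."""
    return is_allowed(action, [TEAM_GROUP_POLICY], scps=[FULL_AWS_ACCESS, DENY_S3_SCP])


def management_account_can(action):
    """Same policies, but SCPs do not apply to the management account."""
    return is_allowed(action, [TEAM_GROUP_POLICY], scps=[FULL_AWS_ACCESS, DENY_S3_SCP],
                      management_account=True)


def new_hire_can(action):
    """Member of the team group, capped by the boundary (option B of the last question)."""
    return is_allowed(action, [TEAM_GROUP_POLICY], boundary=NEW_HIRE_BOUNDARY)


def boundary_only_can(action):
    """A boundary with no identity policy: shows that the boundary grants nothing."""
    return is_allowed(action, [], boundary=NEW_HIRE_BOUNDARY)


def deny_list_without_allow_can(action):
    """Deny SCP attached without FullAWSAccess: nothing is allowed, not even EC2."""
    return is_allowed(action, [TEAM_GROUP_POLICY], scps=[DENY_S3_SCP])
```

Running the four helpers shows each claim from the explanations: the member account keeps EC2 but loses S3 even with a full-access identity policy, the management account keeps S3, the new hire gets S3, RDS and EC2 but not IAM despite being in the full-access group, the boundary alone allows nothing, and a deny-list SCP attached without the default FullAWSAccess SCP blocks everything.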

More Questions?

That’s all for now! Do you want more questions? FullCertified is the perfect resource for you if you want more practice!

  • You can find more than 700 AWS practice exam questions, including detailed explanations.
  • Access a real exam simulator to prepare thoroughly for the exam.
  • You can download all of them as PDF.
  • Download the ultimate cheat sheet for the AWS SysOps Administrator — Associate exam!

Visit FullCertified today and get the most out of your certification preparation!


Gonzalo Fernandez Plaza

Computer Science Engineer & Tech Lead 🖥️. Publishing AWS & Snowflake ❄️ courses & exams. https://www.fullcertified.com