Amazon Web Services SAP-C02 Study & Exam Dumps 2025

AWS Certified Solutions Architect - Professional Questions and Answers

Question 1

A company has multiple AWS accounts and manages these accounts with AWS Organizations. A developer was given IAM user credentials to access AWS resources. The developer should have read-only access to all Amazon S3 buckets in the account. However, when the developer tries to access the S3 buckets from the console, they receive an access denied error message with no buckets listed.

A solutions architect reviews the permissions and finds that the developer's IAM user is listed as having read-only access to all S3 buckets in the account.

Which additional steps should the solutions architect take to troubleshoot the issue? (Select TWO.)

Options:

Check the bucket policies for all S3 buckets.

Check the ACLs for all S3 buckets.

Check the SCPs set at the organizational units (OUs).

Check for the permissions boundaries set for the IAM user.

Check if an appropriate IAM role is attached to the IAM user.

Buy Now

Answer:

C, D

Explanation:

When an IAM user appears to have the correct permissions but still receives Access Denied errors, especially in an AWS Organizations environment, the effective permissions must be evaluated across all permission layers. In AWS, permissions are the intersection of all applicable controls, and an explicit deny at any layer overrides any allow.

First, because the company uses AWS Organizations, service control policies (SCPs) must be evaluated. SCPs define the maximum permissions that accounts or organizational units can have. Even if an IAM user or IAM policy allows an action, an SCP attached to the account or OU can explicitly or implicitly deny that action. If an SCP does not allow s3:ListAllMyBuckets or related S3 read actions, the IAM user will not be able to list buckets in the S3 console and will see no buckets at all. Therefore, checking the SCPs applied to the OU or account is a required troubleshooting step.

Second, IAM permissions boundaries can further restrict the effective permissions of an IAM user. A permissions boundary defines the maximum permissions that an IAM user can exercise, regardless of what their attached policies allow. If the permissions boundary does not include the required Amazon S3 read-only permissions (such as s3:ListAllMyBuckets or s3:GetBucketLocation), the user will receive access denied errors even though the user’s IAM policy appears to allow read-only access. Reviewing whether a permissions boundary is attached, and whether it allows the necessary S3 actions, is essential.

Option A (checking bucket policies) can be relevant for access to specific buckets or objects, but a user seeing no buckets at all in the S3 console is more commonly caused by missing or denied account-level list permissions rather than individual bucket policies. Bucket policies generally do not control the ability to list all buckets in an account unless they contain explicit denies, which is less common as a first troubleshooting step in an Organizations setup.

Option B (checking ACLs) is less relevant because ACLs primarily control object-level and bucket-level access and are not typically used to manage console-level visibility of all buckets in an account. ACLs also do not commonly block the ListAllMyBuckets action.

Option E is incorrect because IAM users do not require IAM roles to access AWS services. Roles are assumed by users or services, but the presence or absence of a role attached to an IAM user does not affect the user’s direct permissions.

Therefore, the most appropriate troubleshooting steps are to check the SCPs applied through AWS Organizations and to verify whether an IAM permissions boundary is restricting the user’s effective permissions.

[References:AWS documentation on AWS Organizations service control policies and how SCPs define the maximum available permissions for accounts and OUs.AWS documentation on IAM permissions boundaries and how they limit the effective permissions of IAM users and roles, regardless of attached IAM policies., , ]

Question 2

A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN The company Is hosting Internal applications with VPCs in multiple AWS accounts Currently the applications are accessible from the company's on-premises office network through an AWS Site-to-Site VPN connection The VPC in the company's main AWS account has peering connections established with VPCs in other AWS accounts.

A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home

What is the MOST cost-effective solution that meets these requirements?

Options:

Create a Client VPN endpoint in each AWS account Configure required routing that allows access to internal applications

Create a Client VPN endpoint in the mam AWS account Configure required routing that allows access to internal applications

Create a Client VPN endpoint in the main AWS account Provision a transit gateway that is connected to each AWS account Configure required routing that allows access to internal applications

Create a Client VPN endpoint in the mam AWS account Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN

Question 3

A company has AWS accounts that are in an organization in AWS rganizations. The company wants to track Amazon EC2 usage as a metric.

The company's architecture team must receive a daily alert if the EC2 usage is more than 10% higher than the average EC2 usage from the last 30 days.

Which solution will meet these requirements?

Options:

Configure AWS Budgets in the organization's management account. Specify a usage type of EC2 running hours. Specify a daily period. Set the budget amount to be 10% more than the reported average usage for the last 30 days from AWS Cost Explorer.

Configure an alert to notify the architecture team if the usage threshold is met. Configure AWS Cost Anomaly Detection in the organization's management account. Configure a monitor type of AWS Service. Apply a filter of Amazon EC2. Configure an alert subscription to notify the architecture team if the usage is 10% more than the average usage for the last 30 days.

Enable AWS Trusted Advisor in the organization's management account. Configure a cost optimization advisory alert to notify the architecture team if the EC2 usage is 10% more than the reported average usage for the last 30 days.

Configure Amazon Detective in the organization's management account. Configure an EC2 usage anomaly alert to notify the architecture team if Detective identifies a usage anomaly of more than 10%.

Answer:

Explanation:

The correct answer is B.

B. This solution meets the requirements because it uses AWS Cost Anomaly Detection, which is a feature of AWS Cost Management that uses machine learning to identify and alert on anomalous spend and usage patterns. By configuring a monitor type of AWS Service and applying a filter of Amazon EC2, the solution can track the EC2 usage as a metric across the organization’s accounts.By configuring an alert subscription with a threshold of 10%, the solution can notify the architecture team via email or AmazonSNS if the EC2 usage is more than 10% higher than the average usage for the last 30 days12

A. This solution is incorrect because it uses AWS Budgets, which is a feature of AWS Cost Management that helps to plan and track costs and usage. However, AWS Budgets does not support usage type of EC2 running hours as a budget type. The only supported usage types are Amazon S3 storage, Amazon EC2 RI utilization, and Amazon EC2 RI coverage. Moreover, AWS Budgets does not support setting the budget amount based on the reported average usage from AWS Cost Explorer.The budget amount has to be a fixed or variable value34

C. This solution is incorrect because it uses AWS Trusted Advisor, which is a feature of AWS Premium Support that provides recommendations to follow best practices for cost optimization, security, performance, and fault tolerance. However, AWS Trusted Advisor does not support configuring custom alerts based on EC2 usage or average usage for the last 30 days.The only supported alerts are based on predefined checks and thresholds that are applied to all services and resources in the account56

D. This solution is incorrect because it uses Amazon Detective, which is a service that helps to analyze and visualize security data to investigate potential security issues. However, Amazon Detective does not support configuring EC2 usage anomaly alerts basedon average usage for the last 30 days.The only supported alerts are based on GuardDuty findings and other security-related events that are detected by machine learning models78

[References:, 1:AWS Cost Anomaly Detection - Amazon Web Services2:Getting started with AWS Cost Anomaly Detection3:Set Custom Cost and Usage Budgets – AWS Budgets – Amazon Web Services4:Creating a budget - AWS Cost Management5:AWS Trusted Advisor6:AWS Trusted Advisor - AWS Support7:Security Investigation Visualization - Amazon Detective - AWS8:What is Amazon Detective? - Amazon Detective, , , , , ]

Get Free SAP-C02 Questions and Answers

Spring Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

SAP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified Solutions Architect - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce