Amazon Web Services SAP-C02 Study & Exam Dumps 2025

AWS Certified Solutions Architect - Professional Questions and Answers

Question 1

A research company conducts mathematical simulations in the AWS Cloud. The simulations run on several hundred Amazon EC2 Linux instances. If a simulation encounters an issue, an engineer establishes an SSH connection to the affected EC2 instance.

Company policy requires that each EC2 instance session is established with a unique SSH key and that all SSH connections are logged in AWS CloudTrail. CloudTrail is enabled for the company’s account and the AWS Regions that the company uses.

Which solution will meet these requirements?

Options:

Buy Now

Answer:

Launch new EC2 instances. Generate an individual SSH key for each new EC2 instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.

Answer:

Launch new EC2 instances without setting up any SSH key for the new EC2 instances. Set up EC2 Instance Connect on each new EC2 instance. Create a new IAM policy. Attach the IAM policy to the engineers' IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the EC2 instances by using Instance Connect from the AWS CLI.

Answer:

Set up AWS Secrets Manager to store the EC2 SSH key. Create an AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function to automatically rotate the SSH key once daily. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

CC is correct because EC2 Instance Connect is designed to provide per-connection, short-lived SSH access without long-lived shared private keys, and it integrates with IAM so access is controlled and auditable. With EC2 Instance Connect, engineers push a public key for a short time window to the target instance using the SendSSHPublicKey API action. This meets the “unique SSH key per session” intent because the key can be generated per session and injected temporarily instead of being a persistent static key. Additionally, the key injection is performed through an AWS API call, which is recorded in AWS CloudTrail, satisfying the logging requirement for SSH access activity.Why the other options are incorrect:

Answer:

B: Running a Systems Manager document to set keys creates operational overhead and still does not inherently ensure CloudTrail logs of each SSH connection (the SSM Run Command API calls are logged, but the subsequent SSH login over the network is not an AWS API event). It also risks key persistence beyond a single session.

Answer:

D: Daily rotation is not “unique per session,” and it is complex/operationally heavy. Like A, the SSH login itself is not automatically a CloudTrail event; CloudTrail would capture Secrets Manager and SSM API calls, not the network SSH authentication event.

Explanation:

[References:, Amazon EC2 Instance Connect Documentation: SendSSHPublicKey workflow, temporary key injection, IAM-based access control, AWS CloudTrail Documentation: logging of AWS API calls (including EC2 Instance Connect API actions) across Regions, Amazon EC2 Documentation: Linux instance access patterns and key-based authentication options, AWS Certified Solutions Architect – Professional (SAP-C02) Exam Guide: centralized access control, auditability, and scalable operational patterns for large fleets, , , , ]

Question 2

A large company is migrating ils entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.

The finance department requires a centralized method for payment but must maintain visibility into each group ' s spending to allocate costs.

The security team requires a centralized mechanism to control 1AM usage in all the company ' s accounts.

What combination of the following options meet the company ' s needs with the LEAST effort? (Select TWO.)

Options:

Use a collection of parameterized AWS CloudFormation templates defining common 1AM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.

Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.

Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.

Enable all features of AWS Organizations and establish appropriate service control policies that filter 1AM permissions for sub-accounts.

Consolidate all of the company ' s AWS accounts into a single AWS account. Use tags for billing purposes and the lAM ' s Access Advisor feature to enforce the least privilege model.

Answer:

B, D

Explanation:

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

Question 3

A company is collecting a large amount of data from a fleet of loT devices Data is stored as Optimized Row Columnar (ORC) files in the Hadoop Distributed File System (HDFS) on a persistent Amazon EMR cluster. The company ' s data analytics team queries the data by using SQL in Apache Presto deployed on the same EMR cluster Queries scan large amounts of data, always run for less than 15 minutes, and run only between 5 PM and 10 PM.

The company is concerned about the high cost associated with the current solution A solutions architect must propose the most cost-effective solution that will allow SQL data queries

Which solution will meet these requirements?

Options:

Store data in Amazon S3 Use Amazon Redshift Spectrum to query data.

Store data in Amazon S3 Use the AWS Glue Data Catalog and Amazon Athena to query data

Store data in EMR File System (EMRFS) Use Presto in Amazon EMR to query data

Store data in Amazon Redshift. Use Amazon Redshift to query data.

Get Free SAP-C02 Questions and Answers

Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

SAP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified Solutions Architect - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce