Amazon Web Services SAP-C02 Study & Exam Dumps 2025

AWS Certified Solutions Architect - Professional Questions and Answers

Question 1

A company has multiple AWS accounts and manages these accounts with AWS Organizations. A developer was given IAM user credentials to access AWS resources. The developer should have read-only access to all Amazon S3 buckets in the account. However, when the developer tries to access the S3 buckets from the console, they receive an access denied error message with no buckets listed.

A solutions architect reviews the permissions and finds that the developer ' s IAM user is listed as having read-only access to all S3 buckets in the account.

Which additional steps should the solutions architect take to troubleshoot the issue? (Select TWO.)

Options:

Check the bucket policies for all S3 buckets.

Check the ACLs for all S3 buckets.

Check the SCPs set at the organizational units (OUs).

Check for the permissions boundaries set for the IAM user.

Check if an appropriate IAM role is attached to the IAM user.

Buy Now

Answer:

C, D

Explanation:

When an IAM user appears to have the correct permissions but still receives Access Denied errors, especially in an AWS Organizations environment, the effective permissions must be evaluated across all permission layers. In AWS, permissions are the intersection of all applicable controls, and an explicit deny at any layer overrides any allow.

First, because the company uses AWS Organizations, service control policies (SCPs) must be evaluated. SCPs define the maximum permissions that accounts or organizational units can have. Even if an IAM user or IAM policy allows an action, an SCP attached to the account or OU can explicitly or implicitly deny that action. If an SCP does not allow s3:ListAllMyBuckets or related S3 read actions, the IAM user will not be able to list buckets in the S3 console and will see no buckets at all. Therefore, checking the SCPs applied to the OU or account is a required troubleshooting step.

Second, IAM permissions boundaries can further restrict the effective permissions of an IAM user. A permissions boundary defines the maximum permissions that an IAM user can exercise, regardless of what their attached policies allow. If the permissions boundary does not include the required Amazon S3 read-only permissions (such as s3:ListAllMyBuckets or s3:GetBucketLocation), the user will receive access denied errors even though the user’s IAM policy appears to allow read-only access. Reviewing whether a permissions boundary is attached, and whether it allows the necessary S3 actions, is essential.

Option A (checking bucket policies) can be relevant for access to specific buckets or objects, but a user seeing no buckets at all in the S3 console is more commonly caused by missing or denied account-level list permissions rather than individual bucket policies. Bucket policies generally do not control the ability to list all buckets in an account unless they contain explicit denies, which is less common as a first troubleshooting step in an Organizations setup.

Option B (checking ACLs) is less relevant because ACLs primarily control object-level and bucket-level access and are not typically used to manage console-level visibility of all buckets in an account. ACLs also do not commonly block the ListAllMyBuckets action.

Option E is incorrect because IAM users do not require IAM roles to access AWS services. Roles are assumed by users or services, but the presence or absence of a role attached to an IAM user does not affect the user’s direct permissions.

Therefore, the most appropriate troubleshooting steps are to check the SCPs applied through AWS Organizations and to verify whether an IAM permissions boundary is restricting the user’s effective permissions.

[References:AWS documentation on AWS Organizations service control policies and how SCPs define the maximum available permissions for accounts and OUs.AWS documentation on IAM permissions boundaries and how they limit the effective permissions of IAM users and roles, regardless of attached IAM policies., , , , ]

Question 2

A company is using Amazon OpenSearch Service to analyze data. The company loads data into an OpenSearch Service cluster with 10 data nodes from an Amazon S3 bucket that uses S3 Standard storage. The data resides in the cluster for 1 month for read-only analysis. After 1 month, the company deletes the index that contains the data from the cluster. For compliance purposes, the company must retain a copy of all input data.

The company is concerned about ongoing costs and asks a solutions architect to recommend a new solution.

Which solution will meet these requirements MOST cost-effectively?

Options:

Replace all the data nodes with UltraWarm nodes to handle the expected capacity. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.

Reduce the number of data nodes in the cluster to 2 Add UltraWarm nodes to handle the expected capacity. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the data. Transition the input data to S3 Glacier Deep Archive after 1 month by using an S3 Lifecycle policy.

Reduce the number of data nodes in the cluster to 2. Add UltraWarm nodes to handle the expected capacity. Configure the indexes to transition to UltraWarm when OpenSearch Service ingests the data. Add cold storage nodes to the cluster Transition the indexes from UltraWarm to cold storage. Delete the input data from the S3 bucket after 1 month by using an S3 Lifecycle policy.

Reduce the number of data nodes in the cluster to 2. Add instance-backed data nodes to handle the expected capacity. Transition the input data from S3 Standard to S3 Glacier Deep Archive when the company loads the data into the cluster.

Question 3

A company runs a new application as a static website in Amazon S3. The company has deployed the application to a production AWS account and uses Amazon CloudFront to deliver the website. The website calls an Amazon API Gateway REST API. An AWS Lambda function backs each API method.

The company wants to create a CSV report every 2 weeks to show each API Lambda function’s recommended configured memory, recommended cost, and the price difference between current configurations and the recommendations. The company will store the reports in an S3 bucket.

Which solution will meet these requirements with the LEAST development time?

Options:

Create a Lambda function that extracts metrics data for each API Lambda function from Amazon CloudWatch Logs for the 2-week penod_ Collate the data into tabular format. Store the data as a _csvfile in an S3 bucket. Create an Amazon Eventaridge rule to schedulethe Lambda function to run every 2 weeks.

Opt in to AWS Compute Optimizer. Create a Lambda function that calls the ExportLambdaFunctionRecommendatlons operation. Export the _csv file to an S3 bucket. Create an Amazon Eventaridge rule to schedule the Lambda function to run every 2 weeks.

Opt in to AWS Compute Optimizer. Set up enhanced infrastructure metrics. Within the Compute Optimizer console, schedule a job to export the Lambda recommendations to a _csvfile_ Store the file in an S3 bucket every 2 weeks.

Purchase the AWS Business Support plan for the production account. Opt in to AWS Compute Optimizer for AWS Trusted Advisor checks. In the Trusted Advisor console, schedule a job to export the cost optimization checks to a _csvfile_ Store the file in an S3 bucket every 2 weeks.

Get Free SAP-C02 Questions and Answers

Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

SAP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified Solutions Architect - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

CompTIA

Fortinet

Microsoft

Salesforce