Amazon Web Services SAP-C02 Study & Exam Dumps 2025

AWS Certified Solutions Architect - Professional Questions and Answers

Question 1

A large company is migrating ils entire IT portfolio to AWS. Each business unit in the company has a standalone AWS account that supports both development and test environments. New accounts to support production workloads will be needed soon.

The finance department requires a centralized method for payment but must maintain visibility into each group ' s spending to allocate costs.

The security team requires a centralized mechanism to control 1AM usage in all the company ' s accounts.

What combination of the following options meet the company ' s needs with the LEAST effort? (Select TWO.)

Options:

Use a collection of parameterized AWS CloudFormation templates defining common 1AM permissions that are launched into each account. Require all new and existing accounts to launch the appropriate stacks to enforce the least privilege model.

Use AWS Organizations to create a new organization from a chosen payer account and define an organizational unit hierarchy. Invite the existing accounts to join the organization and create new accounts using Organizations.

Require each business unit to use its own AWS accounts. Tag each AWS account appropriately and enable Cost Explorer to administer chargebacks.

Enable all features of AWS Organizations and establish appropriate service control policies that filter 1AM permissions for sub-accounts.

Consolidate all of the company ' s AWS accounts into a single AWS account. Use tags for billing purposes and the lAM ' s Access Advisor feature to enforce the least privilege model.

Buy Now

Answer:

B, D

Explanation:

Option B is correct because AWS Organizations allows a company to create a new organization from a chosen payer account and define an organizational unit hierarchy. This way, the finance department can have a centralized method for payment but also maintain visibility into each group’s spending to allocate costs. The company can also invite the existing accounts to join the organization and create new accounts using Organizations, which simplifies the account management process.

Option D is correct because enabling all features of AWS Organizations and establishing appropriate service control policies (SCPs) that filter IAM permissions for sub-accounts allows the security team to have a centralized mechanism to control IAM usage in all the company’s accounts. SCPs are policies that specify the maximum permissions for an organization or organizational unit (OU), and they can be used to restrict access to certain services or actions across all accounts in an organization.

Option A is incorrect because using a collection of parameterized AWS CloudFormation templates defining common IAM permissions that are launched into each account requires more effort than using SCPs. Moreover, it does not provide a centralized mechanism to control IAM usage, as each account would have to launch the appropriate stacks to enforce the least privilege model.

Option C is incorrect because requiring each business unit to use its own AWS accounts does not provide a centralized method for payment or a centralized mechanism to control IAM usage. Tagging each AWS account appropriately and enabling Cost Explorer to administer chargebacks may help with cost allocation, but it is not as efficient as using AWS Organizations.

Option E is incorrect because consolidating all of the company’s AWS accounts into a single AWS account does not provide visibility into each group’s spending or a way to control IAM usage for different business units. Using tags for billing purposes and the IAM’s Access Advisor feature to enforce the least privilege model may help with cost optimization and security, but it is not as scalable or flexible as using AWS Organizations.

AWS Organizations

Service Control Policies

AWS CloudFormation

Cost Explorer

IAM Access Advisor

Question 2

A research company conducts mathematical simulations in the AWS Cloud. The simulations run on several hundred Amazon EC2 Linux instances. If a simulation encounters an issue, an engineer establishes an SSH connection to the affected EC2 instance.

Company policy requires that each EC2 instance session is established with a unique SSH key and that all SSH connections are logged in AWS CloudTrail. CloudTrail is enabled for the company’s account and the AWS Regions that the company uses.

Which solution will meet these requirements?

Options:

Answer:

Launch new EC2 instances. Generate an individual SSH key for each new EC2 instance. Store the SSH key in AWS Secrets Manager. Create a new IAM policy. Attach the IAM policy to the engineers ' IAM role with an Allow statement for the GetSecretValue action. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

Create an AWS Systems Manager document to run commands on EC2 instances to set a new unique SSH key. Create a new IAM policy. Attach the IAM policy to the engineers ' IAM role with an Allow statement to run Systems Manager documents. Instruct the engineers to run the document to set an SSH key and to connect through any SSH client.

Answer:

Launch new EC2 instances without setting up any SSH key for the new EC2 instances. Set up EC2 Instance Connect on each new EC2 instance. Create a new IAM policy. Attach the IAM policy to the engineers ' IAM role with an Allow statement for the SendSSHPublicKey action. Instruct the engineers to connect to the EC2 instances by using Instance Connect from the AWS CLI.

Answer:

Set up AWS Secrets Manager to store the EC2 SSH key. Create an AWS Lambda function to create a new SSH key and to call AWS Systems Manager Session Manager to set the SSH key on the EC2 instance. Configure Secrets Manager to use the Lambda function to automatically rotate the SSH key once daily. Instruct the engineers to retrieve the SSH key from Secrets Manager when the engineers connect through any SSH client.

Answer:

C is correct because EC2 Instance Connect pushes a temporary SSH public key to the instance for a short connection window instead of relying on long-lived shared key pairs. This satisfies the requirement that each SSH session use a unique key. AWS documentation states that the SendSSHPublicKey API pushes an SSH public key to the specified instance and that the key remains for 60 seconds. EC2 API calls, including SendSSHPublicKey, are recorded in CloudTrail, which gives the company auditable connection records. Secrets Manager key storage does not inherently log actual SSH connection attempts and still leaves operational complexity around key retrieval and rotation. Systems Manager documents also do not provide the clean session-specific SSH key behavior that EC2 Instance Connect provides.

Question 3

A company migrated to AWS and uses AWS Business Support. The company wants to monitor thecost-effectiveness of Amazon EC2 instances. The EC2 instances have tags for department, business unit, and environment. Development EC2 instances have high cost but low utilization.

The company needs to detect and stop any underutilized development EC2 instances. Instances are underutilized if they had 10% or less average CPU utilization and 5 MB or less network I/O for at least 4 of the past 14 days.

Which solution will meet these requirements with the LEAST operational overhead?

Options:

Configure Amazon CloudWatch dashboards to monitor EC2 instance utilization based on tags for department, business unit, and environment. Create an Amazon EventBridge rule that invokes an AWS Lambda function to stop underutilized development EC2 instances.

Configure AWS Systems Manager to track EC2 instance utilization and report underutilized instances to Amazon CloudWatch. Filter the CloudWatch data by tags for department, business unit, and environment. Create an Amazon EventBridge rule that invokes an AWS Lambda function to stop underutilized EC2 instances.

Create an Amazon EventBridge rule to detect low utilization of EC2 instances reported by AWS Trusted Advisor. Configure the rule to invoke a Lambda function that filters the data by tags for department, business unit, and environment and stops underutilized development EC2 instances.

Create an AWS Lambda function to run daily to retrieve utilization data for all EC2 instances. Save the data to an Amazon DynamoDB table. Create a QuickSight dashboard that uses the DynamoDB table as a data source to identify and stop underutilized development EC2 instances.

Get Free SAP-C02 Questions and Answers

Summer Certification Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Amazon Web Services SAP-C02 Exam With Confidence Using Practice Dumps

SAP-C02: AWS Certified Professional Exam 2025 Study Guide Pdf and Test Engine

Related Amazon Web Services Exams

AWS Certified Solutions Architect - Professional Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Options:

Answer:

CompTIA

Fortinet

Microsoft

Salesforce