AWS SAP-C02 Sample Questions with Explanations

AWS SAP-C02 sample questions with explanations, traps, topic labels, and IT Mastery route links.

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for AWS Certified Solutions Architect - Professional (SAP-C02) topics such as multi-account governance, hybrid connectivity, disaster recovery, migration strategy, modernization, security boundaries, cost visibility, and enterprise-scale operations. The prompts emphasize architectural trade-offs rather than single-service recall.

Where these questions fit in the SAP-C02 guide

The sample set below is part of the AWS SAP-C02 guide path:

SAP-C02 professional architecture sample questions

Work through each prompt before opening the explanation. SAP-C02 questions usually reward answers that satisfy the enterprise constraint with the least operational drag and the strongest governance posture.


Question 1

Topic: Multi-account governance

A company is moving from several independently managed AWS accounts to a governed multi-account model. Security wants centralized logging, preventive guardrails, account vending, and separation between production, non-production, shared services, and security tooling. Which design is strongest?

  • A. Keep all workloads in one account and use IAM groups to separate teams.
  • B. Give every team a standalone account outside the organization so they cannot affect each other.
  • C. Use AWS Organizations with an OU strategy, Control Tower or landing-zone automation, centralized log archive and security accounts, SCP guardrails, and account factory workflows.
  • D. Use only tags for governance and avoid account boundaries.

Best answer: C

Explanation: SAP-C02 organization-scale questions reward account boundaries, OU design, centralized logging, guardrails, and repeatable account provisioning. Accounts are the hard isolation boundary in AWS, and SCPs attached to an OU cap the permissions available inside every member account below it, so a guardrail holds even against an account administrator. This pattern reduces blast radius and gives central teams control without collapsing every workload into one account.

Why the other choices are weaker:

  • A overloads IAM as the only boundary and weakens isolation.
  • B loses centralized governance and visibility.
  • D relies on tags alone; tags are useful for cost allocation and for policy conditions, but they do not replace account and OU boundaries.

What this tests: AWS Organizations, Control Tower, OUs, SCPs, logging accounts, and landing-zone governance.

Related topics: Organizations; Control Tower; SCPs; Landing zone
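As an added illustration (not part of the original question set), the following Terraform fragment shows what the "SCP guardrails" in answer C look like in practice: one policy with three preventive statements attached to a workloads OU. The OU ID, policy name and approved Regions are placeholders chosen for this example.

```hcl
# Added example, not from the page: preventive SCP guardrails for a workloads OU.
# The OU ID and the approved Region list are placeholders.
variable "workloads_ou_id" {
  type    = string
  default = "ou-abcd-12345678"   # placeholder OU ID
}

resource "aws_organizations_policy" "guardrails" {
  name        = "workload-ou-guardrails"
  description = "Preventive guardrails for workload accounts"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # A member account that leaves the organization escapes every other
        # guardrail and drops out of central logging, so block that first.
        Sid      = "DenyLeaveOrganization"
        Effect   = "Deny"
        Action   = "organizations:LeaveOrganization"
        Resource = "*"
      },
      {
        # Protect the organization trail that feeds the log archive account.
        # Trail changes are made from the management account, which SCPs
        # never apply to, so no exemption is needed here.
        Sid    = "DenyCloudTrailTampering"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
          "cloudtrail:PutEventSelectors",
        ]
        Resource = "*"
      },
      {
        # Keep workloads in the approved Regions. Global services are listed
        # under NotAction because their API calls are attributed to us-east-1.
        Sid    = "DenyUnapprovedRegions"
        Effect = "Deny"
        NotAction = [
          "iam:*", "organizations:*", "sts:*", "support:*",
          "cloudfront:*", "route53:*", "health:*", "budgets:*",
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = ["eu-west-1", "eu-central-1"]
          }
        }
      },
    ]
  })
}

# Attaching to the OU (not to individual accounts) means every account the
# account factory vends into this OU inherits the guardrails automatically.
resource "aws_organizations_policy_attachment" "workloads" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = var.workloads_ou_id
}
```

Two caveats a practitioner should remember: an SCP never grants permissions, it only limits what IAM policies in the member accounts can allow, and it has no effect on the management account, which is one reason the management account should carry no workloads.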


Question 2

Topic: Disaster recovery pattern selection

A business-critical application must recover in another Region with a low recovery time objective and low recovery point objective. Cost matters, but the company cannot wait hours to provision all infrastructure from backups. Which DR pattern is strongest?

  • A. Backup and restore only, because it is always the lowest-cost professional architecture answer.
  • B. Store architecture diagrams in a wiki so engineers can rebuild manually after an outage.
  • C. Warm standby with scaled-down infrastructure running in the recovery Region, continuous data replication, tested failover, and automation to scale up during an event.
  • D. Use one Availability Zone in the primary Region and increase instance size.

Best answer: C

Explanation: Low RTO and RPO generally require more than backup-and-restore. Warm standby keeps a reduced but functional copy of the environment running in the recovery Region with data replicated continuously, so failover becomes a scale-up plus a traffic switch rather than a rebuild. It costs more than pilot light or backup-and-restore but far less than a full multi-site active/active deployment, which is the only pattern that recovers faster.

Why the other choices are weaker:

  • A is cheapest, but restoring data and rebuilding infrastructure after an event normally takes hours, which exceeds a low RTO, and its RPO is bounded by the backup interval.
  • B is documentation, not a tested recovery architecture.
  • D stays inside a single Availability Zone of one Region, so it adds neither Regional recovery nor failure-domain coverage; a bigger instance is scaling, not DR.

What this tests: RTO, RPO, warm standby, multi-Region readiness, data replication, and failover testing.

Related topics: Disaster recovery; RTO; RPO; Warm standby
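The following Terraform skeleton is an added example, not part of the original question set, of the three pieces answer C names: continuous data replication (an Aurora Global Database), scaled-down compute waiting in the recovery Region (an Auto Scaling group with one instance), and a traffic switch (Route 53 failover records driven by a health check). Region names, subnet IDs, the launch template ID, hostnames and the hosted zone ID are placeholders.

```hcl
# Added example, not from the page: warm-standby skeleton in Terraform.
# Region names, subnet IDs, launch template ID, hostnames and the hosted
# zone ID are placeholders.
provider "aws" {
  region = "us-east-1"   # primary Region
}

provider "aws" {
  alias  = "dr"
  region = "us-west-2"   # recovery Region
}

# Aurora Global Database replicates at the storage layer to the secondary
# Region continuously (lag is typically around one second), which sets the RPO.
resource "aws_rds_global_cluster" "orders" {
  global_cluster_identifier = "orders-global"
  engine                    = "aurora-postgresql"
  engine_version            = "15.4"
}

resource "aws_rds_cluster" "primary" {
  cluster_identifier          = "orders-primary"
  engine                      = aws_rds_global_cluster.orders.engine
  engine_version              = aws_rds_global_cluster.orders.engine_version
  global_cluster_identifier   = aws_rds_global_cluster.orders.id
  database_name               = "orders"
  master_username             = "orders_admin"
  manage_master_user_password = true   # credential lives in Secrets Manager
  db_subnet_group_name        = "orders-primary-subnets"
  skip_final_snapshot         = true
}

resource "aws_rds_cluster_instance" "primary" {
  cluster_identifier = aws_rds_cluster.primary.id
  engine             = aws_rds_cluster.primary.engine
  engine_version     = aws_rds_cluster.primary.engine_version
  instance_class     = "db.r6g.large"
}

# The secondary cluster is created without a database name or credentials:
# it is populated by replication, and is promoted during a failover.
resource "aws_rds_cluster" "secondary" {
  provider                  = aws.dr
  cluster_identifier        = "orders-secondary"
  engine                    = aws_rds_global_cluster.orders.engine
  engine_version            = aws_rds_global_cluster.orders.engine_version
  global_cluster_identifier = aws_rds_global_cluster.orders.id
  db_subnet_group_name      = "orders-dr-subnets"
  skip_final_snapshot       = true
  depends_on                = [aws_rds_cluster_instance.primary]
}

resource "aws_rds_cluster_instance" "secondary" {
  provider           = aws.dr
  cluster_identifier = aws_rds_cluster.secondary.id
  engine             = aws_rds_cluster.secondary.engine
  engine_version     = aws_rds_cluster.secondary.engine_version
  instance_class     = "db.r6g.large"
}

# Scaled-down application tier: one running instance proves the AMI, config
# and connectivity continuously. The failover runbook raises desired_capacity
# to the primary's size; max_size is set so that is possible without a change.
resource "aws_autoscaling_group" "dr_app" {
  provider            = aws.dr
  name                = "orders-app-dr"
  min_size            = 1
  desired_capacity    = 1
  max_size            = 12
  vpc_zone_identifier = ["subnet-0dr0000000000000a", "subnet-0dr0000000000000b"]

  launch_template {
    id      = "lt-0123456789abcdef0"   # placeholder
    version = "$Latest"
  }
}

# Route 53 failover: the primary record answers while its health check passes;
# otherwise the recovery Region's endpoint is returned. Keep the TTL short.
resource "aws_route53_health_check" "primary" {
  fqdn              = "orders-primary-alb.example.com"
  type              = "HTTPS"
  port              = 443
  resource_path     = "/healthz"
  failure_threshold = 3
  request_interval  = 10
}

resource "aws_route53_record" "primary" {
  zone_id         = "Z0123456789ABCDEFGHIJ"
  name            = "orders.example.com"
  type            = "CNAME"
  ttl             = 60
  records         = ["orders-primary-alb.example.com"]
  set_identifier  = "primary"
  health_check_id = aws_route53_health_check.primary.id
  failover_routing_policy {
    type = "PRIMARY"
  }
}

resource "aws_route53_record" "secondary" {
  zone_id        = "Z0123456789ABCDEFGHIJ"
  name           = "orders.example.com"
  type           = "CNAME"
  ttl            = 60
  records        = ["orders-dr-alb.example.com"]
  set_identifier = "secondary"
  failover_routing_policy {
    type = "SECONDARY"
  }
}
```

Note what this does and does not automate: the health check only moves DNS. Promoting the secondary Aurora cluster and raising desired_capacity on the recovery Auto Scaling group are the runbook (or automation) steps the question calls "tested failover", and the pattern is only warm standby if those steps are rehearsed on a schedule rather than first attempted during an outage.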


Question 3

Topic: Private cross-account service consumption

A shared-services team runs an internal API that many workload accounts must consume. The API should not be exposed publicly, consumer VPC CIDR ranges may overlap, and the provider team wants to avoid opening broad routing between all VPCs. Which architecture is strongest?

  • A. VPC peering from every consumer VPC to the provider VPC, even with overlapping CIDR ranges.
  • B. A public internet-facing load balancer with IP allow lists for every consumer account.
  • C. A single shared NAT gateway in the provider account for all consumers.
  • D. AWS PrivateLink so consumers access the provider service through interface endpoints without broad network routing between VPCs.

Best answer: D

Explanation: PrivateLink is a strong fit for private cross-account service consumption, especially when consumers should not receive general network reachability to the provider VPC and CIDR overlap is a concern. Each consumer gets only an interface endpoint (an ENI with an address from its own subnet) that forwards to a Network Load Balancer in the provider VPC; no routes are exchanged, so overlapping address ranges never collide. The provider allow-lists the consumer principals, can require acceptance of every endpoint connection, and the traffic is one-directional TCP from consumer to provider, which is exactly the minimal reachability the provider team wants.

Why the other choices are weaker:

  • A fails with overlapping CIDRs and creates broad routing relationships.
  • B exposes the service publicly and shifts security to allow-list maintenance.
  • C is an internet-egress pattern; a NAT gateway gives consumer VPCs no path into the provider service and is not a cross-account consumption model at all.

What this tests: PrivateLink, cross-account service architecture, overlapping CIDR constraints, and private connectivity.

Related topics: PrivateLink; Shared services; Cross-account; Networking
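As an added example that is not part of the original question set, the Terraform below wires up answer D end to end: the provider account publishes an internal Network Load Balancer as an endpoint service and allow-lists two consumer accounts; a consumer account then creates an interface endpoint and a security group for it. Account IDs, VPC and subnet IDs, the CLI profile name and the consumer CIDR are placeholders, and the NLB listener and target group are assumed to exist.

```hcl
# Added example, not from the page: PrivateLink provider and consumer sides.
# Account IDs, VPC/subnet IDs, profile name and CIDR are placeholders.

# ---- provider (shared-services) account -----------------------------------
resource "aws_lb" "api" {
  name               = "internal-api-nlb"
  internal           = true       # never reachable from the internet
  load_balancer_type = "network"
  subnets            = ["subnet-0prov000000000001", "subnet-0prov000000000002"]
}

resource "aws_vpc_endpoint_service" "api" {
  network_load_balancer_arns = [aws_lb.api.arn]
  acceptance_required        = true   # provider approves each consumer endpoint
  supported_ip_address_types = ["ipv4"]
}

# Only these consumer accounts may create endpoints to the service. Nothing
# in the provider VPC's route tables changes: consumers see one ENI, not a VPC.
resource "aws_vpc_endpoint_service_allowed_principal" "consumers" {
  for_each                = toset(["111122223333", "444455556666"])
  vpc_endpoint_service_id = aws_vpc_endpoint_service.api.id
  principal_arn           = "arn:aws:iam::${each.key}:root"
}

# ---- consumer (workload) account: its CIDR may overlap the provider's ------
provider "aws" {
  alias   = "consumer"
  region  = "eu-west-1"
  profile = "workload-account"   # placeholder CLI profile
}

resource "aws_security_group" "api_endpoint" {
  provider    = aws.consumer
  name        = "internal-api-endpoint"
  description = "App subnets to the internal API interface endpoint"
  vpc_id      = "vpc-0consumer00000001"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"]   # consumer's own range; invisible to provider
  }
}

resource "aws_vpc_endpoint" "api" {
  provider            = aws.consumer
  vpc_id              = "vpc-0consumer00000001"
  service_name        = aws_vpc_endpoint_service.api.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-0cons000000000001", "subnet-0cons000000000002"]
  security_group_ids  = [aws_security_group.api_endpoint.id]
  private_dns_enabled = false   # true requires a verified private_dns_name on the service
}
```

Because acceptance_required is true, the consumer's endpoint sits in pendingAcceptance until the provider approves it (manually, or with an aws_vpc_endpoint_connection_accepter resource), which gives the provider team a per-consumer approval gate on top of the principal allow list. The consumer can further restrict what its own principals may call through the endpoint with the endpoint's policy attribute.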


Question 4

Topic: Migration strategy trade-off

A legacy application must move to AWS within six months. The application is business-critical, has limited test coverage, and will be modernized later. Leadership wants the lowest migration risk now while preserving a path to reduce operational overhead after cutover. Which strategy is strongest?

  • A. Use a phased migration such as rehost or targeted replatform for the first cutover, add observability and automation, then modernize components after the workload is stable on AWS.
  • B. Rewrite the entire application into microservices before any migration starts.
  • C. Move the application by copying production files manually during a long outage window and skip rollback planning.
  • D. Retire the application immediately because all legacy systems should be removed before cloud adoption.

Best answer: A

Explanation: SAP-C02 migration questions often test sequencing. When time and risk are tight, a lower-risk migration path with automation, observability, and later modernization is stronger than a high-risk rewrite before cutover. Rehost (for example with AWS Application Migration Service) or a targeted replatform keeps the application's behaviour intact, which matters when test coverage is limited, and the observability added after cutover shows which components are worth modernizing first.

Why the other choices are weaker:

  • B may be a future modernization goal, but it increases near-term delivery and testing risk.
  • C lacks automation, rollback, and controlled migration planning.
  • D ignores the business-critical requirement.

What this tests: Migration waves, rehost versus replatform, modernization timing, operational risk, and rollback planning.

Related topics: Migration; Modernization; Rehost; Risk control

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by Amazon Web Services, AWS, or any certification body.

Revised on Sunday, May 10, 2026