AWS SAP-C02 Exam Questions 2025

A. A standard CloudTrail trail created in the management account will only log API calls for that single account, not for all member accounts in the organization.

B. Creating and managing a separate CloudTrail trail and S3 bucket in each member account creates maximum operational overhead, directly contradicting a key requirement of the question.

D. This option introduces unnecessary complexity with Amazon SNS and an external system. S3 Versioning is a simpler, built-in mechanism to track changes, resulting in lower operational overhead.

1. AWS CloudTrail User Guide, "Creating a trail for an organization": This document states, "You can create a trail in the management account that logs events for all AWS accounts in that organization. This is sometimes called an organization trail." This supports creating a single trail in the management account for minimal overhead.

2. AWS Organizations User Guide, "Enabling AWS CloudTrail in your organization": "When you create an organization trail, a trail with the name that you choose is created in every AWS account that belongs to your organization. This trail logs the activity from each account and delivers the log files to the Amazon S3 bucket that you specify." This confirms the centralized management and logging for all accounts.

3. Amazon S3 User Guide, "Using versioning in S3 buckets": "Versioning is a means of keeping multiple variants of an object in the same bucket. You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets." This directly addresses the requirement to track changes.

4. Amazon S3 User Guide, "Configuring MFA delete": "To provide an additional layer of security, you can configure a bucket to require multi-factor authentication (MFA) for any request to permanently delete an object version or change the versioning state of the bucket." This supports the security requirement.

A. This option introduces unnecessary complexity and operational overhead by requiring a multi-step process (NFS -> S3 -> EFS) and custom logic (Lambda function) instead of a single, managed service.

B. AWS Storage Gateway (File Gateway) primarily provides on-premises applications with file-based access to Amazon S3. It does not directly replicate data to EFS, making it an indirect and inefficient solution for this use case.

C. While this option uses DataSync, it directs the data to S3 first, requiring a second step with a Lambda function to move it to EFS. A direct DataSync transfer to EFS is far more operationally efficient.

1. AWS DataSync User Guide, "What is AWS DataSync?": This document explicitly states that DataSync is an online data transfer service that automates moving data between on-premises storage systems (like NFS) and AWS Storage services (like Amazon EFS). It highlights features like end-to-end security and data integrity, which contribute to operational efficiency.

Source: AWS Documentation, https://docs.aws.amazon.com/datasync/latest/userguide/what-is-datasync.html, Section: "What is AWS DataSync?".

2. AWS DataSync User Guide, "Creating a location for Amazon EFS": This guide provides instructions for configuring an Amazon EFS file system as a destination location for a DataSync task, confirming the direct transfer capability from a source like NFS.

Source: AWS Documentation, https://docs.aws.amazon.com/datasync/latest/userguide/create-efs-location.html, Introduction section.

3. AWS DataSync User Guide, "Using AWS DataSync with AWS Direct Connect": This section details how to use DataSync over a Direct Connect connection. It recommends using a private virtual interface (VIF) and VPC endpoints for private, secure data transfer, which aligns with the most efficient and secure architecture.

Source: AWS Documentation, https://docs.aws.amazon.com/datasync/latest/userguide/datasync-direct-connect.html, Introduction section.

4. AWS Storage Blog, "Migrating storage with AWS DataSync": This official blog post describes common migration patterns and explicitly mentions the capability of DataSync to copy data between NFS shares and Amazon EFS file systems as a primary use case, reinforcing its suitability and efficiency for this scenario.

Source: AWS Blogs, https://aws.amazon.com/blogs/storage/migrating-storage-with-aws-datasync/, Paragraph 2.

B: Lambda reserved concurrency is a feature for guaranteeing execution environments and preventing throttling; it is not a cost-saving mechanism and does not provide a discount on usage.

C: Compute Savings Plans do not apply to Amazon MemoryDB for Redis. MemoryDB has its own pricing model using reserved nodes for discounts, separate from the Savings Plans for compute services.

D: This option is incorrect for two reasons: Compute Savings Plans do not cover MemoryDB cache nodes, and Lambda reserved concurrency is not a cost-saving feature.

1. AWS Documentation - Savings Plans User Guide: "Savings Plans offer a flexible pricing model that provides savings on AWS usage. You can save up to 72 percent on your AWS compute workloads... EC2 Instance Savings Plans provide the lowest prices, offering savings up to 72 percent in exchange for commitment to a specific instance family in a specific Region... Compute Savings Plans provide flexibility and help to reduce your costs by up to 66 percent... This automatically applies to EC2 instance usage regardless of instance family, size, AZ, Region, OS or tenancy, and also applies to Fargate or Lambda usage." This confirms EC2 Instance SP for highest EC2 savings and Compute SP for Lambda.

2. AWS Documentation - Amazon MemoryDB for Redis Pricing: The official pricing page states, "With MemoryDB reserved nodes, you can save up to 55 percent over On-Demand node prices in exchange for a commitment to a one- or three-year term." This identifies reserved nodes as the correct cost-saving model for MemoryDB.

3. AWS Documentation - Lambda Developer Guide, "Configuring reserved concurrency": "Reserved concurrency creates a pool of requests that only a specific function can use... Reserving concurrency has the following effects... It is not a cost-saving feature." This explicitly states that reserved concurrency is for performance and availability, not for reducing costs.

A. Creating new dashboards per region and aggregating in QuickSight is redundant and adds unnecessary operational overhead, as the default S3 Storage Lens dashboard already aggregates data across all regions.

B. This custom solution using Lambda, S3, and Athena requires significant development, deployment, and maintenance effort, which is the opposite of "least operational overhead" compared to a managed service.

D. An event-driven approach with CloudTrail, EventBridge, and Lambda is complex to set up and maintain. It primarily tracks new events, making it less suitable for a comprehensive, periodic overview of all existing objects.

1. AWS Documentation: Amazon S3 User Guide - Amazon S3 Storage Lens.

Section: "What is Amazon S3 Storage Lens?" states, "S3 Storage Lens aggregates your metrics and displays the information in the Dashboards section of the Amazon S3 console."

Section: "S3 Storage Lens dashboards" explains, "S3 Storage Lens provides a default dashboard that is named default-account-dashboard. This dashboard is preconfigured by S3 to help you visualize summarized storage usage and activity trends across your entire account." This confirms it is multi-region by default.

2. AWS Documentation: Amazon S3 User Guide - S3 Storage Lens metrics glossary.

Section: "Data protection metrics" lists UnencryptedObjectCount and TotalObjectCount, which are used to calculate the percentage of unencrypted objects displayed on the dashboard.

Section: "Storage summary metrics" lists BucketCount, confirming this metric is available.

3. AWS Documentation: Amazon S3 User Guide - Using the S3 Storage Lens default dashboard.

This section details that the default dashboard is available at no additional cost and is updated daily, reinforcing the low operational overhead. It states, "The default dashboard is automatically created for you when you first visit the S3 Storage Lens dashboards page in the Amazon S3 console."

B: Amazon FSx for Lustre is a high-performance file system designed for workloads like HPC and machine learning, not for general-purpose NFS applications. EFS is the more appropriate service.

C: This option uses the Amazon EC2 launch type for ECS, which violates the requirement to not provision or manage underlying infrastructure. The user is responsible for the EC2 container instances.

D: This uses the EC2 launch type, which is not serverless. Additionally, EBS Multi-Attach provides shared block storage, not a file system like NFS, and requires a cluster-aware file system to manage access.

1. AWS Fargate Documentation, "What is AWS Fargate?": "AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. AWS Fargate is compatible with both Amazon Elastic Container Service (ECS) and Amazon Elastic Kubernetes Service (EKS)." This supports the serverless compute requirement.

2. Amazon ECS Developer Guide, "Amazon EFS volumes": "With Amazon EFS, the storage capacity is elastic... Your Amazon ECS tasks running on both Fargate and Amazon EC2 instances can use EFS. ... To use Amazon EFS volumes with your containers, you must define the volume and mount point in your task definition." This confirms the integration method described in option A.

3. Amazon Elastic File System User Guide, "What is Amazon Elastic File System?": "Amazon Elastic File System (Amazon EFS) provides a simple, serverless, set-and-forget, elastic file system... It is built to scale on demand to petabytes without disrupting applications... It supports the Network File System version 4 (NFSv4.1 and NFSv4.0) protocol." This confirms EFS as the correct NFS-compatible storage solution.

4. Amazon FSx for Lustre User Guide, "What is Amazon FSx for Lustre?": "Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance, scalable storage for compute workloads. ... The high-performance file system is optimized for workloads such as machine learning, high performance computing (HPC)..." This distinguishes its use case from the general-purpose need in the question.

A. AWS DataSync is a data transfer service, not the native S3 replication feature already in use. Introducing it would be an unnecessary architectural change and is not the intended tool for this specific use case.

B. Replication rules are configured on the source bucket. Creating a new destination bucket does not simplify or solve the problem of monitoring a subset of objects from the single source bucket.

C. Amazon S3 Transfer Acceleration speeds up object uploads to an S3 bucket from clients over the public internet, not the replication process between S3 buckets within the AWS network.

1. Amazon S3 Developer Guide - Replicating objects using S3 Replication Time Control (S3 RTC): "S3 Replication Time Control (S3 RTC) helps you meet compliance or business requirements for data replication by providing a predictable replication time. S3 RTC replicates 99.99 percent of new objects stored in Amazon S3 within 15 minutes of upload." This document also details how to enable S3 RTC in a replication rule.

2. Amazon S3 Developer Guide - Replication configuration: This section explains how to create replication rules and specifies that a rule can apply to all objects or a subset. "To select a subset of objects, you can specify a key name prefix, one or more object tags, or both in the rule." This supports the use of a prefix-based filter.

3. Amazon S3 Developer Guide - Monitoring replication with Amazon S3 event notifications: "You can use Amazon S3 event notifications to receive notifications for S3 Replication Time Control (S3 RTC) events... For example, you can set up an event notification for the s3:Replication:OperationMissedThreshold event to be notified when an object eligible for S3 RTC replication doesn't replicate in 15 minutes." This confirms the monitoring and alerting capability via EventBridge.

4. Amazon S3 Developer Guide - Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration: "Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket." This clarifies that its purpose is for client-to-bucket transfers, not inter-bucket replication.

B. VM Import/Export is an offline process. It requires exporting the entire 500 TB VM image and then uploading it, which would cause extensive downtime, violating the core requirement.

C. An AWS Snowball device is for offline data transfer. While suitable for large data volumes, it is not the optimal choice for minimizing downtime when a high-bandwidth (10 Gbps) network connection is available for online, incremental replication.

E. AWS Database Migration Service (DMS) migrates the database data, not the entire server VM. This would involve re-platforming to a service like Amazon RDS, which adds complexity and risk compared to a direct lift-and-shift of the existing server using SMS.

1. AWS Server Migration Service (SMS) User Guide: "AWS Server Migration Service (AWS SMS) is an agentless service which makes it easier and faster for you to migrate thousands of on-premises workloads to AWS. AWS SMS allows you to automate, schedule, and track incremental replications of live server volumes, making it easier for you to coordinate large-scale server migrations." (Source: AWS Server Migration Service User Guide, "What Is AWS Server Migration Service?")

2. AWS Server Migration Service (SMS) User Guide, "How AWS Server Migration Service Works": "AWS SMS incrementally replicates your server VMs as Amazon Machine Images (AMIs)... The incremental replication transfers only the delta changes to AWS, which results in faster replication times and minimum network bandwidth consumption." This directly supports the minimal downtime requirement.

3. AWS Documentation, "VM Import/Export, What Is VM Import/Export?": "VM Import/Export enables you to easily import virtual machine (VM) images from your existing virtualization environment to Amazon EC2..." The process described is a one-time import of a static image, not a continuous replication of a live server, making it unsuitable for minimal downtime scenarios.

4. AWS Database Migration Service (DMS) User Guide, "What is AWS Database Migration Service?": "AWS Database Migration Service (AWS DMS) helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime..." While DMS minimizes downtime for the database data, it does not migrate the server OS or configuration, making SMS a better fit for a complete server lift-and-shift.

D. Moving backups to a cold tier is a cost and lifecycle management strategy; it does not provide protection against deletion commands from a privileged user.

E. AWS Backup natively uses backup vaults for storage. While these vaults use Amazon S3, you don't configure Backup to write directly to a user-managed S3 bucket with Object Lock; you use the integrated AWS Backup Vault Lock feature.

F. Implementing least privilege for the backup role is a standard security best practice but is insufficient protection against an already compromised privileged user who can alter IAM roles and policies.

1. AWS Backup Developer Guide, "Security in AWS Backup": The section "Resilience" outlines best practices against ransomware, stating: "To protect your backups from inadvertent or malicious activity... we recommend that you copy your backups to accounts that are isolated from your production accounts... You can also use AWS Backup Vault Lock to make your backups immutable." This supports options A and C.

2. AWS Backup Developer Guide, "Protecting backups from manual deletion": This section details AWS Backup Vault Lock. It specifies, "In compliance mode, a vault lock can't be disabled or deleted by any user or by AWS. The retention period can't be shortened." This confirms the immutability provided by option C.

3. AWS Organizations User Guide, "Service control policies (SCPs)": The guide explains, "SCPs are a type of organization policy that you can use to manage permissions in your organization... SCPs offer central control over the maximum available permissions for all accounts in your organization," including restricting privileged users. This supports using an SCP (Option B) as a guardrail.

4. AWS Security Blog, "How to help protect your backups from ransomware with AWS Backup": This article explicitly recommends a three-pronged strategy: "1. Centralize and segregate your backups into a dedicated backup account. 2. Make your backups immutable by using Backup Vault Lock. 3. Secure your backup account with preventative controls [such as SCPs]." This directly validates the combination of A, B, and C.

A. Managing IAM roles and policies individually across hundreds of accounts is not scalable and lacks the strong, centralized enforcement provided by SCPs.

B. Attaching policies to individual IAM users across hundreds of accounts is operationally complex and does not scale effectively for an organization-wide requirement.

D. AWS Security Hub is a detective control service used for monitoring compliance and aggregating security findings; it does not prevent or deny actions.

1. AWS Organizations User Guide, "Service control policies (SCPs)": "SCPs are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization... SCPs are powerful because they affect all users, including the root user, for an account." This document also provides an example SCP to "Deny access to AWS based on the requested AWS Region".

2. AWS Control Tower User Guide, "How guardrails work": "Preventive guardrails are enforced using service control policies (SCPs)... A preventive guardrail ensures that your accounts maintain compliance, because it disallows actions that lead to policy violations. For example, the guardrail Disallow changes to AWS Config rules set up by AWS Control Tower prevents any IAM user or role from making changes to the AWS Config rules that are created by AWS Control Tower." This demonstrates the preventative nature of controls implemented via SCPs.

3. AWS Identity and Access Management User Guide, "AWS global condition context keys": The documentation for the aws:RequestedRegion key states, "Use this key to compare the Region that is specified in the request with the Region that is specified in the policy." This is the specific key used in an SCP to enforce regional restrictions.

4. AWS Security Hub User Guide, "What is AWS Security Hub?": "AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation." This confirms its role as a monitoring and detection service, not a preventative one.

A. Using AWS Fargate requires pulling the entire image, including the massive base layer, from Amazon ECR for every new task, which will result in very long startup times.

B. AWS App Runner is a fully managed service, often built on Fargate, and would face the same performance bottleneck of pulling the large image from the registry at startup.

D. This option is technically invalid. AWS Fargate is a serverless compute option where AWS manages the underlying infrastructure; you cannot specify a custom AMI for Fargate nodes.

1. AWS Compute Blog, "Speeding up container-based application launches with image pre-caching on Amazon ECS": This article discusses strategies for reducing container launch times. It explicitly states, "For EC2 launch type, you can create a custom AMI with container images pre-pulled on the instance. This is the most effective way to reduce image pull latency..." This directly validates the approach in option C.

2. AWS Documentation, "Amazon ECS-optimized AMIs": This documentation, while focusing on the standard AMIs, provides the basis for customization. It notes, "You can also create your own custom AMI that meets the Amazon ECS AMI specification." This confirms that creating a custom AMI with pre-loaded software (like a container base image) is a standard and supported practice for ECS on EC2.

3. AWS Documentation, "AWS Fargate": The official documentation describes Fargate as a technology that "removes the need to provision and manage servers." This serverless model means users do not have access to the underlying instances to customize the AMI, which invalidates option D and highlights the performance issue in options A and B.

4. AWS Documentation, "Amazon EKS on AWS Fargate": In the considerations section, the documentation states, "You don't need to... update AMIs." This confirms that for EKS on Fargate, custom AMIs are not a feature, making the solution proposed in option D impossible to implement.