AWS Solutions Architect Professional Practice Test

Answer choices

1. A. Migration strategy begins by deleting discovery data.
2. B. Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.
3. C. Modernization means every workload must become a single virtual machine.
4. D. Application dependencies never affect migration order.

Wrong-answer review

• A. Migration strategy begins by deleting discovery data.: This distractor describes the idea that Migration strategy begins by deleting discovery data. In "When practicing AWS Solutions Architect Professional, which option belongs under Migration and Modernization?", that misses the required action because the correct response is "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.". On the job, mixing up that distractor with "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations." can lead to the wrong migration and modernization action or troubleshooting path.
• C. Modernization means every workload must become a single virtual machine.: This distractor describes the idea that Modernization means every workload must become a single virtual machine. In "When practicing AWS Solutions Architect Professional, which option belongs under Migration and Modernization?", that misses the required action because the correct response is "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.". On the job, mixing up that distractor with "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations." can lead to the wrong migration and modernization action or troubleshooting path.

Answer choices

1. A. Storage tiering is unrelated to cost or access patterns.
2. B. Cost optimization removes monitoring and budgets.
3. C. Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.
4. D. Cost optimization always selects the most expensive service.

Wrong-answer review

• A. Storage tiering is unrelated to cost or access patterns.: This distractor describes the idea that Storage tiering is unrelated to cost or access patterns. In "When practicing AWS Solutions Architect Professional, which option belongs under Cost Optimization?", that misses the required action because the correct response is "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.". On the job, mixing up that distractor with "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility." can lead to the wrong cost optimization action or troubleshooting path.
• B. Cost optimization removes monitoring and budgets.: This distractor describes the idea that Cost optimization removes monitoring and budgets. In "When practicing AWS Solutions Architect Professional, which option belongs under Cost Optimization?", that misses the required action because the correct response is "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.". On the job, mixing up that distractor with "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility." can lead to the wrong cost optimization action or troubleshooting path.

Answer choices

1. A. Deploy an Internet Gateway in the VPC, assign elastic IPs to the database servers, and connect using basic SSL over the public internet.
2. B. Use AWS Client VPN to establish individual connections from each EC2 instance directly to the on-premises firewall.
3. C. Establish an AWS Direct Connect connection with a Private Virtual Interface (VIF) to the VPC. Configure AWS Site-to-Site VPN over Direct Connect (using public VIF or transit VIF) to encrypt the traffic using IPsec.
4. D. Build a VPC Peering connection between the AWS VPC and the on-premises network router using custom routing tables.

Wrong-answer review

• A. Deploy an Internet Gateway in the VPC, assign elastic IPs to the database servers, and connect using basic SSL over the public internet.: Using an Internet Gateway and public IPs exposes the database to the public internet, violates the privacy requirement, and is highly insecure.
• B. Use AWS Client VPN to establish individual connections from each EC2 instance directly to the on-premises firewall.: This distractor describes the idea that Use AWS Client VPN to establish individual connections from each EC2 instance directly to the on-premises firewall. In "An enterprise wants to establish a secure database connection from an application running in a private subnet on AWS VPC to a database running in their on-premises data center. All network traffic must be encrypted, must not traverse the public internet, and must support high bandwidth (up to 10 Gbps) with consistent network latency. Which solution meets these requirements?", that misses the required action because the correct response is "Establish an AWS Direct Connect connection with a Private Virtual Interface (VIF) to the VPC. Configure AWS Site-to-Site VPN over Direct Connect (using public VIF or transit VIF) to encrypt the traffic using IPsec.". On the job, mixing up that distractor with "Establish an AWS Direct Connect connection with a Private Virtual Interface (VIF) to the VPC. Configure AWS Site-to-Site VPN over Direct Connect (using public VIF or transit VIF) to encrypt the traffic using IPsec." can lead to the wrong security design action or troubleshooting path.
• D. Build a VPC Peering connection between the AWS VPC and the on-premises network router using custom routing tables.: This distractor describes the idea that Build a VPC Peering connection between the AWS VPC and the on-premises network router using custom routing tables. In "An enterprise wants to establish a secure database connection from an application running in a private subnet on AWS VPC to a database running in their on-premises data center. All network traffic must be encrypted, must not traverse the public internet, and must support high bandwidth (up to 10 Gbps) with consistent network latency. Which solution meets these requirements?", that misses the required action because the correct response is "Establish an AWS Direct Connect connection with a Private Virtual Interface (VIF) to the VPC. Configure AWS Site-to-Site VPN over Direct Connect (using public VIF or transit VIF) to encrypt the traffic using IPsec.". On the job, mixing up that distractor with "Establish an AWS Direct Connect connection with a Private Virtual Interface (VIF) to the VPC. Configure AWS Site-to-Site VPN over Direct Connect (using public VIF or transit VIF) to encrypt the traffic using IPsec." can lead to the wrong security design action or troubleshooting path.

Answer choices

1. A. Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments.
2. B. Hybrid connectivity is only a naming standard for S3 buckets.
3. C. VPN and Direct Connect decisions have no impact on architecture.
4. D. Transit Gateway stores database rows instead of routing traffic.

Wrong-answer review

• B. Hybrid connectivity is only a naming standard for S3 buckets.: This distractor describes the idea that Hybrid connectivity is only a naming standard for S3 buckets. In "A learner is reviewing SAP-C02-networking. What should they remember?", that misses the required action because the correct response is "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments.". On the job, mixing up that distractor with "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments." can lead to the wrong hybrid and network design action or troubleshooting path.
• C. VPN and Direct Connect decisions have no impact on architecture.: This distractor describes the idea that VPN and Direct Connect decisions have no impact on architecture. In "A learner is reviewing SAP-C02-networking. What should they remember?", that misses the required action because the correct response is "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments.". On the job, mixing up that distractor with "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments." can lead to the wrong hybrid and network design action or troubleshooting path.

Answer choices

1. A. Resilience is only a cost allocation tag.
2. B. Resilient architecture removes recovery objectives from design.
3. C. Resilient AWS architectures use failure isolation, backups, multi-AZ or multi-Region patterns, and tested recovery plans.
4. D. Resilient architecture stores every backup in the failed resource.

Wrong-answer review

• A. Resilience is only a cost allocation tag.: This distractor describes the idea that Resilience is only a cost allocation tag. In "When practicing AWS Solutions Architect Professional, which option belongs under Resilient Architectures?", that misses the required action because the correct response is "Resilient AWS architectures use failure isolation, backups, multi-AZ or multi-Region patterns, and tested recovery plans.". On the job, mixing up that distractor with "Resilient AWS architectures use failure isolation, backups, multi-AZ or multi-Region patterns, and tested recovery plans." can lead to the wrong resilient architectures action or troubleshooting path.
• B. Resilient architecture removes recovery objectives from design.: This distractor describes the idea that Resilient architecture removes recovery objectives from design. In "When practicing AWS Solutions Architect Professional, which option belongs under Resilient Architectures?", that misses the required action because the correct response is "Resilient AWS architectures use failure isolation, backups, multi-AZ or multi-Region patterns, and tested recovery plans.". On the job, mixing up that distractor with "Resilient AWS architectures use failure isolation, backups, multi-AZ or multi-Region patterns, and tested recovery plans." can lead to the wrong resilient architectures action or troubleshooting path.

Answer choices

1. A. Deploy a custom Python script using AWS SDK (Boto3) on an EC2 instance in a master account that polls all accounts, enables CloudTrail, and checks for compliance every 5 minutes.
2. B. Enable AWS Organizations and instruct each department head to manually create their AWS account, configure local IAM users, and enable CloudTrail logging to a local S3 bucket.
3. C. Create a single AWS account, utilize complex IAM policies and resource tags to isolate different workloads, and use IAM boundaries to prevent deletion of CloudTrail.
4. D. Use AWS Control Tower to set up a Landing Zone, which automatically configures AWS Organizations, AWS IAM Identity Center, centralized logging, and deploys mandatory preventive and detective guardrails (using SCPs and AWS Config rules).

Wrong-answer review

• A. Deploy a custom Python script using AWS SDK (Boto3) on an EC2 instance in a master account that polls all accounts, enables CloudTrail, and checks for compliance every 5 minutes.: This distractor describes the idea that Deploy a custom Python script using AWS SDK (Boto3) on an EC2 instance in a master account that polls all accounts, enables CloudTrail, and checks for compliance every 5 minutes. In "A multi-national enterprise wants to establish a secure multi-account environment on AWS. They require centralized governance, logging, and security guardrails across 100+ accounts. Additionally, they must ensure that no member account can disable CloudTrail logging or alter the security configurations deployed by the central security team. Which solution meets these requirements?", that misses the required action because the correct response is "Use AWS Control Tower to set up a Landing Zone, which automatically configures AWS Organizations, AWS IAM Identity Center, centralized logging, and deploys mandatory preventive and detective guardrails (using SCPs and AWS Config rules).". On the job, mixing up that distractor with "Use AWS Control Tower to set up a Landing Zone, which automatically configures AWS Organizations, AWS IAM Identity Center, centralized logging, and deploys mandatory preventive and detective guardrails (using SCPs and AWS Config rules)." can lead to the wrong organizational complexity action or troubleshooting path.
• B. Enable AWS Organizations and instruct each department head to manually create their AWS account, configure local IAM users, and enable CloudTrail logging to a local S3 bucket.: Instructing department heads to manually create accounts and configure logging introduces severe administrative overhead and lacks centralized enforcement, meaning local administrators can easily disable or delete CloudTrail logs.
• C. Create a single AWS account, utilize complex IAM policies and resource tags to isolate different workloads, and use IAM boundaries to prevent deletion of CloudTrail.: A single AWS account strategy with IAM tags does not scale for large enterprises, lacks strong resource isolation, and can quickly hit API rate limits and administrative boundaries compared to a multi-account organization.

Answer choices

1. A. Migration strategy begins by deleting discovery data.
2. B. Modernization means every workload must become a single virtual machine.
3. C. Application dependencies never affect migration order.
4. D. Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.

Wrong-answer review

• A. Migration strategy begins by deleting discovery data.: This distractor describes the idea that Migration strategy begins by deleting discovery data. In "Which answer is the best source-backed summary of Migration and Modernization for this AWS Certified Solutions Architect - Professional topic?", that misses the required action because the correct response is "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.". On the job, mixing up that distractor with "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations." can lead to the wrong migration and modernization action or troubleshooting path.
• B. Modernization means every workload must become a single virtual machine.: This distractor describes the idea that Modernization means every workload must become a single virtual machine. In "Which answer is the best source-backed summary of Migration and Modernization for this AWS Certified Solutions Architect - Professional topic?", that misses the required action because the correct response is "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.". On the job, mixing up that distractor with "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations." can lead to the wrong migration and modernization action or troubleshooting path.
• C. Application dependencies never affect migration order.: This distractor describes the idea that Application dependencies never affect migration order. In "Which answer is the best source-backed summary of Migration and Modernization for this AWS Certified Solutions Architect - Professional topic?", that misses the required action because the correct response is "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations.". On the job, mixing up that distractor with "Migration strategy should assess dependencies, data movement, downtime, refactoring needs, and target-state operations." can lead to the wrong migration and modernization action or troubleshooting path.

Answer choices

1. A. Cost optimization always selects the most expensive service.
2. B. Cost optimization removes monitoring and budgets.
3. C. Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.
4. D. Storage tiering is unrelated to cost or access patterns.

Wrong-answer review

• A. Cost optimization always selects the most expensive service.: This distractor describes the idea that Cost optimization always selects the most expensive service. In "What is the safest study takeaway for Cost Optimization?", that misses the required action because the correct response is "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.". On the job, mixing up that distractor with "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility." can lead to the wrong cost optimization action or troubleshooting path.
• B. Cost optimization removes monitoring and budgets.: This distractor describes the idea that Cost optimization removes monitoring and budgets. In "What is the safest study takeaway for Cost Optimization?", that misses the required action because the correct response is "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility.". On the job, mixing up that distractor with "Cost-optimized architecture balances service fit, purchasing models, scaling, storage tiers, and operational visibility." can lead to the wrong cost optimization action or troubleshooting path.

Answer choices

1. A. Security architecture starts by sharing root credentials.
2. B. Least privilege means every role has administrator access.
3. C. Security architecture applies least privilege, identity boundaries, network controls, encryption, detection, and governance.
4. D. Encryption and detection are unrelated to workload design.

Wrong-answer review

• A. Security architecture starts by sharing root credentials.: This distractor describes the idea that Security architecture starts by sharing root credentials. In "When practicing AWS Solutions Architect Professional, which option belongs under Security Design?", that misses the required action because the correct response is "Security architecture applies least privilege, identity boundaries, network controls, encryption, detection, and governance.". On the job, mixing up that distractor with "Security architecture applies least privilege, identity boundaries, network controls, encryption, detection, and governance." can lead to the wrong security design action or troubleshooting path.
• B. Least privilege means every role has administrator access.: This distractor describes the idea that Least privilege means every role has administrator access. In "When practicing AWS Solutions Architect Professional, which option belongs under Security Design?", that misses the required action because the correct response is "Security architecture applies least privilege, identity boundaries, network controls, encryption, detection, and governance.". On the job, mixing up that distractor with "Security architecture applies least privilege, identity boundaries, network controls, encryption, detection, and governance." can lead to the wrong security design action or troubleshooting path.

Answer choices

1. A. Hybrid connectivity is only a naming standard for S3 buckets.
2. B. Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments.
3. C. Transit Gateway stores database rows instead of routing traffic.
4. D. VPN and Direct Connect decisions have no impact on architecture.

Wrong-answer review

• A. Hybrid connectivity is only a naming standard for S3 buckets.: This distractor describes the idea that Hybrid connectivity is only a naming standard for S3 buckets. In "When practicing AWS Solutions Architect Professional, which option belongs under Hybrid and Network Design?", that misses the required action because the correct response is "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments.". On the job, mixing up that distractor with "Hybrid connectivity can use services such as AWS Direct Connect, VPN, Transit Gateway, and route design to connect environments." can lead to the wrong hybrid and network design action or troubleshooting path.