
200+ Free AWS Solutions Architect Professional Practice Questions

Pass your AWS Certified Solutions Architect – Professional (SAP-C02) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~55% Pass Rate
200+ Questions
100% Free
2026 Statistics

Key Facts: AWS Solutions Architect Professional Exam

  • Estimated Pass Rate: ~55% (Industry estimate)
  • Passing Score: 750/1000 (AWS)
  • Study Time: 120-180 hrs (Recommended)
  • Avg SAP Salary: $180,000 (Global Knowledge)
  • AWS Experience: 2+ years (Recommended)
  • Exam Fee: $300 (AWS)

The AWS Solutions Architect Professional (SAP-C02) requires a scaled score of 750/1000 (approximately 75%) to pass. The exam has 75 questions (65 scored + 10 unscored) in 180 minutes. Domain 2 (Design for New Solutions) is the largest at 29%, followed by Domain 1 (Organizational Complexity) at 26%, Domain 3 (Improve Existing Solutions) at 25%, and Domain 4 (Migration) at 20%. AWS recommends 2+ years of AWS experience and the SAA Associate certification as a prerequisite. The exam fee is $300.

Sample AWS Solutions Architect Professional Practice Questions

Try these sample questions to test your AWS Solutions Architect Professional exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. A company has multiple AWS accounts and wants to centrally manage billing while retaining visibility into each account's usage. Which AWS feature should they use?
A. AWS Organizations with Consolidated Billing
B. AWS Cost Explorer with custom budgets
C. AWS Billing Conductor
D. AWS Budgets with alerts
Explanation: AWS Organizations with Consolidated Billing allows you to combine usage from all accounts to share volume pricing discounts and centrally manage billing. While Cost Explorer, Billing Conductor, and Budgets provide cost visibility and management, only Organizations with Consolidated Billing enables centralized billing across multiple accounts.
2. Which AWS service enables you to apply guardrails across multiple AWS accounts using Service Control Policies (SCPs)?
A. AWS IAM
B. AWS Organizations
C. AWS Config
D. AWS Control Tower
Explanation: AWS Organizations supports Service Control Policies (SCPs) that act as guardrails to enforce permissions boundaries across all accounts in an organization. While Control Tower uses SCPs, Organizations is the underlying service that directly enables SCPs. IAM manages permissions within accounts, and Config monitors compliance.
3. What is the primary purpose of AWS Control Tower?
A. To monitor application performance
B. To set up and govern a secure, compliant multi-account AWS environment
C. To manage DNS records
D. To provide cost optimization recommendations
Explanation: AWS Control Tower provides the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations, SSO, and guardrails. It does not monitor application performance (CloudWatch), manage DNS (Route 53), or provide cost optimization (Cost Explorer/Trusted Advisor).
4. Which AWS service provides a dedicated network connection from on-premises data centers to AWS?
A. AWS VPN
B. AWS Direct Connect
C. AWS Transit Gateway
D. AWS PrivateLink
Explanation: AWS Direct Connect provides a dedicated physical network connection from your on-premises data center to AWS, bypassing the public internet for improved security and performance. While VPN provides encrypted connections over the internet, Transit Gateway enables network transit between VPCs and on-premises, and PrivateLink provides private connectivity to AWS services.
5. A company needs to implement a multi-account strategy where development, staging, and production environments are completely isolated. Each environment should have its own VPC with overlapping IP address ranges. What is the MOST cost-effective solution?
A. Use separate AWS accounts with VPC peering between environments
B. Use separate AWS accounts with AWS Transit Gateway and NAT gateways
C. Use a single AWS account with multiple VPCs and VPC peering
D. Use separate AWS accounts with isolated VPCs and no connectivity between them
Explanation: When environments need to be completely isolated with overlapping IP ranges, separate AWS accounts with isolated VPCs (no connectivity) is the most cost-effective solution. VPC peering and Transit Gateway cannot connect VPCs with overlapping CIDRs. Complete isolation also provides the strongest security boundary and eliminates costs associated with connectivity (peering, Transit Gateway, NAT gateways).
6. An enterprise has deployed AWS Control Tower and wants to prevent any account from disabling CloudTrail logging. Which mechanism should they use?
A. AWS Config rule
B. Service Control Policy (SCP)
C. IAM policy on each account
D. AWS Lambda function triggered by CloudTrail events
Explanation: Service Control Policies (SCPs) are the correct mechanism because they establish guardrails that apply to all IAM entities in member accounts, including the root user. An SCP can explicitly deny the cloudtrail:StopLogging action, preventing anyone in the account from disabling CloudTrail. IAM policies can be bypassed by account administrators, Config rules only detect violations, and Lambda functions are reactive rather than preventive.
7. A company with 500 AWS accounts needs to enforce that all EC2 instances are tagged with CostCenter and Environment tags. They want to prevent instance launch if these tags are missing. What is the MOST scalable solution?
A. Use AWS Config rules to detect non-compliant instances and terminate them
B. Use AWS Lambda to periodically scan and stop untagged instances
C. Use Service Control Policies (SCPs) to require tags on EC2 instances
D. Use IAM policies in each account to enforce tagging on EC2 launch
Explanation: Service Control Policies (SCPs) provide the most scalable solution because they can be applied at the organization level to all 500 accounts simultaneously. SCPs can enforce that EC2 instances cannot be launched without required tags by using the aws:RequestTag condition key. IAM policies in each account would require management across 500 accounts. Config rules and Lambda are reactive and do not prevent launch.
8. A company needs to connect 50 VPCs across 10 AWS accounts to their on-premises data center. They require transitive routing between VPCs and on-premises, with centralized management. Which architecture meets these requirements with the LOWEST operational overhead?
A. Create VPN connections from each VPC to the on-premises data center
B. Use AWS Transit Gateway with attachments from each VPC and a VPN attachment to on-premises
C. Create VPC peering connections between all VPCs and use Direct Connect from one VPC
D. Use AWS PrivateLink endpoints in each VPC and route traffic through a central VPC
Explanation: AWS Transit Gateway is the correct solution because it provides transitive routing (allowing VPCs to communicate with each other and on-premises through a central hub) with centralized management. You attach each VPC to the Transit Gateway, and create a single VPN or Direct Connect attachment to on-premises. VPC peering does not support transitive routing (each VPC would need individual peering), and PrivateLink is for service connectivity, not network routing.
9. A company wants to implement federated access to AWS using their existing Active Directory. They need to provide SSO access to multiple AWS accounts and enforce MFA. Which solution should they use?
A. AWS IAM with cross-account roles and MFA
B. AWS Directory Service (AD Connector) with IAM users
C. AWS IAM Identity Center (AWS SSO) with Active Directory integration
D. Amazon Cognito with Active Directory as an identity provider
Explanation: AWS IAM Identity Center (formerly AWS SSO) is the correct solution because it provides centralized single sign-on access to multiple AWS accounts, integrates with Active Directory, and supports MFA enforcement. While IAM with cross-account roles works, it lacks centralized SSO. AD Connector alone does not provide SSO to the AWS Console. Cognito is for application authentication, not AWS Console/CLI access.
10. An organization needs to ensure that production accounts cannot be accessed from IP addresses outside their corporate network. Development accounts should remain accessible from anywhere. How can this be implemented?
A. Use NACLs in each VPC to restrict access by IP
B. Use Service Control Policies (SCPs) with aws:SourceIp condition on production OU
C. Configure security groups in all production VPCs to restrict by IP
D. Use AWS WAF to filter requests by IP address
Explanation: Service Control Policies (SCPs) with the aws:SourceIp condition can enforce IP-based restrictions at the organization level. By applying the SCP to the Production Organizational Unit (OU), you restrict access to production accounts while leaving development accounts unrestricted. NACLs and security groups protect resources within VPCs but do not control console/API access. WAF protects web applications, not AWS API access.
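
Questions 6, 7 and 10 all rest on Deny statements in an SCP. The following added example (not part of the original page, and not AWS's policy engine) writes those three guardrails as policy documents and checks them with a simplified evaluator that models only the Null, Bool and NotIpAddress operators. The CIDR range, the Sids, the `require_tag` and `denied_by` helpers and the use of `aws:ViaAWSService` are assumptions made for illustration.

```python
import fnmatch
import ipaddress

CORP_CIDRS = ["203.0.113.0/24"]  # constructed value (documentation range)
INSTANCE = "arn:aws:ec2:*:*:instance/*"

def require_tag(tag):
    # One Deny per tag: keys that share a condition operator are ANDed.
    return {"Sid": "Require" + tag, "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": INSTANCE, "Condition": {"Null": {"aws:RequestTag/" + tag: "true"}}}

# Weak form: denies only when BOTH tags are absent, so one tag is enough to launch.
WEAK_TAG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RequireTags", "Effect": "Deny", "Action": "ec2:RunInstances", "Resource": INSTANCE,
     "Condition": {"Null": {"aws:RequestTag/CostCenter": "true",
                            "aws:RequestTag/Environment": "true"}}}]}

# Attach at the organization root (questions 6 and 7).
ORG_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"},
    require_tag("CostCenter"), require_tag("Environment")]}

# Production OU only (question 10); ViaAWSService spares calls AWS services make for the caller.
PROD_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CorpNetworkOnly", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_CIDRS},
                   "Bool": {"aws:ViaAWSService": "false"}}}]}

def _matches(op, key, want, ctx):
    have = ctx.get(key)
    if op == "Null":
        return (have is None) == (want == "true")
    if op == "Bool":
        return have is not None and str(have).lower() == want
    if op == "NotIpAddress":  # negated operator: an absent key counts as a match
        return have is None or not any(
            ipaddress.ip_address(have) in ipaddress.ip_network(c) for c in want)
    raise ValueError("operator not modelled: " + op)

def denied_by(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement that applies, else None."""
    for s in policy["Statement"]:
        if (s["Effect"] == "Deny"
                and fnmatch.fnmatchcase(action.lower(), s["Action"].lower())
                and fnmatch.fnmatchcase(resource, s["Resource"])
                and all(_matches(op, k, v, ctx)
                        for op, kv in s.get("Condition", {}).items() for k, v in kv.items())):
            return s["Sid"]
    return None
```

Requests that arrive through a VPC endpoint carry no aws:SourceIp, so the negated test in `PROD_SCP` matches and they are denied unless the policy accounts for them separately. SCPs do not apply to the management account, so these guardrails cover member accounts only.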

About the AWS Solutions Architect Professional Exam

The AWS Certified Solutions Architect – Professional (SAP-C02) validates advanced technical skills and experience in designing distributed systems and applications on the AWS platform. This professional-level certification is designed for Solutions Architects with 2+ years of hands-on experience designing and deploying cloud architecture on AWS. The exam covers complex multi-account strategies, hybrid connectivity, migration planning, cost optimization, and designing solutions across large organizations.

  • Questions: 75 scored questions
  • Time Limit: 3 hours
  • Passing Score: 750/1000
  • Exam Fee: $300 (Amazon Web Services (AWS))

AWS Solutions Architect Professional Exam Content Outline

  • Design for Organizational Complexity (26%): Multi-account strategies, AWS Organizations, SCPs, hybrid networking, Transit Gateway, Direct Connect, security governance, compliance controls
  • Design for New Solutions (29%): Microservices, serverless patterns, event-driven architectures, multi-tier applications, data storage strategies, AI/ML integration
  • Continuously Improve Existing Solutions (25%): Workload optimization, cost optimization, performance tuning, reliability improvements, security enhancements, automation
  • Accelerate Migration and Modernization (20%): Migration strategies, database migration, containerization, application modernization, cutover strategies, rollback planning

How to Pass the AWS Solutions Architect Professional Exam

What You Need to Know

  • Passing score: 750/1000
  • Exam length: 75 questions
  • Time limit: 3 hours
  • Exam fee: $300

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

AWS Solutions Architect Professional Study Tips from Top Performers

1. Focus on Domain 2 (New Solutions, 29%) and Domain 1 (Organizational Complexity, 26%) — together they make up 55% of the exam
2. Master AWS Organizations concepts: OUs, SCPs, consolidated billing, cross-account roles, and the management account vs member accounts
3. Know hybrid networking deeply: Direct Connect (dedicated connections, LAG, Gateway), Transit Gateway (attachments, route tables, peering), VPN (site-to-site, client), and PrivateLink
4. Understand migration patterns: Rehost (lift-and-shift), Replatform (lift-and-optimize), Refactor (re-architect), and when to use each
5. Learn multi-account security: SCPs vs IAM policies vs resource policies, permission boundaries, and cross-account access patterns
6. Study cost optimization at scale: Savings Plans vs Reserved Instances, Spot Instances for workloads, S3 lifecycle policies, and Cost Explorer
7. Know container orchestration: ECS vs EKS vs Fargate, service mesh with App Mesh, and container migration strategies
8. Complete 200+ practice questions and score 80%+ consistently before scheduling the exam

Frequently Asked Questions

What is the AWS Solutions Architect Professional pass rate?

The AWS Solutions Architect Professional (SAP-C02) exam has an estimated pass rate of around 55%, which is lower than the Associate level (65%). AWS requires a scaled score of 750 out of 1000. The exam is significantly more difficult than the Associate level, with 75 questions in 180 minutes covering complex, real-world scenarios. Candidates typically have 2+ years of AWS experience and hold the SAA Associate certification before attempting the Professional exam.

How many questions are on the AWS Solutions Architect Professional exam?

The SAP-C02 exam has 75 total questions: 65 scored questions and 10 unscored pretest questions. You have 180 minutes (3 hours) to complete the exam. Questions are either multiple choice (one correct answer) or multiple response (two or more correct answers). Approximately 80% of questions are scenario-based, presenting complex, multi-service architecture challenges requiring deep knowledge of AWS services and best practices.

What are the four domains of the SAP-C02 exam?

The four exam domains are: Domain 1 – Design for Organizational Complexity (26%): Multi-account strategies with AWS Organizations, SCPs, hybrid networking with Transit Gateway and Direct Connect, security governance, and compliance controls; Domain 2 – Design for New Solutions (29%): Microservices architecture, serverless design patterns, event-driven architectures, data storage strategies, and AI/ML integration; Domain 3 – Continuously Improve Existing Solutions (25%): Workload optimization, cost optimization strategies, performance tuning, reliability improvements, and automation; Domain 4 – Accelerate Workload Migration and Modernization (20%): Migration strategies, database migration with DMS, containerization, application modernization, and cutover planning.

How long should I study for the AWS Solutions Architect Professional exam?

Most candidates study for 10-16 weeks, investing 120-180 hours total. AWS recommends 2+ years of hands-on experience designing and deploying AWS architectures. The Professional exam builds on Associate-level knowledge — most candidates hold the SAA certification before attempting SAP. Key study areas: 1) Deep understanding of AWS Organizations, SCPs, and multi-account strategies. 2) Hybrid connectivity (Direct Connect, Transit Gateway, VPN). 3) Migration patterns and strategies. 4) Cost optimization at enterprise scale. 5) Complete 200+ practice questions and score 80%+ before scheduling.

What is the difference between AWS Solutions Architect Associate and Professional?

The Associate (SAA-C03) validates ability to design solutions using AWS services with 65 questions in 130 minutes. The Professional (SAP-C02) validates ability to design complex, multi-service solutions across large organizations with 75 questions in 180 minutes. Professional scenarios are more complex, involving multiple accounts, hybrid connectivity, compliance requirements, and migration planning. Professional requires deeper knowledge of networking, security governance, and cost optimization at scale. Professional is designed for Solutions Architects with 2+ years of experience vs 1+ year for Associate.

What AWS services are most important for the SAP-C02 exam?

Core services tested heavily: Organizations & Governance (Organizations, SCPs, Control Tower, IAM Identity Center, Config); Networking (Transit Gateway, Direct Connect, PrivateLink, Cloud WAN, VPC peering); Migration (Application Migration Service, DMS, Snowball, Migration Hub); Containers (ECS, EKS, Fargate, App Mesh); Serverless (Lambda, Step Functions, EventBridge, API Gateway); Data & Analytics (Aurora Global Database, DynamoDB Global Tables, Kinesis, Glue); Security (KMS, Secrets Manager, WAF, Shield, GuardDuty, Security Hub).

How does AWS Organizations differ from AWS Control Tower?

AWS Organizations is the foundational service for multi-account management, providing consolidated billing, hierarchical grouping (OUs), and Service Control Policies (SCPs) for guardrails. AWS Control Tower is a higher-level service built on Organizations that automates the setup of a well-architected multi-account environment with pre-configured guardrails, landing zones, and account provisioning workflows. Organizations provides the primitives; Control Tower provides the opinionated implementation.