AWS Certified Solutions Architect - Professional Practice Exam 2025: Latest Questions

A company uses AWS Organizations with multiple accounts. The security team needs to ensure that no account (including newly created accounts) can disable or delete AWS CloudTrail trails, and that CloudTrail logs are centrally collected in a dedicated security account. Which solution meets these requirements with the LEAST ongoing operational overhead?

A company is designing a new serverless ingestion API. Requests must be authenticated, throttled per client, and validated before being processed asynchronously. The company wants minimal infrastructure management. Which architecture best meets these requirements?

A company wants to migrate a large MySQL database from an on-premises data center to AWS with minimal downtime. The company needs to continuously replicate changes until cutover. Which approach should a solutions architect recommend?

A company wants to improve the resilience of an existing application running on Amazon EC2 in an Auto Scaling group behind an Application Load Balancer. The company wants to ensure the application can survive an Availability Zone failure with minimal changes. Which action is MOST appropriate?

A company has multiple AWS accounts and wants to standardize VPC architecture. The network team requires centralized control of egress and inspection while allowing application teams to deploy workloads in their own accounts and VPCs. Which design best meets these goals?

A company is building a new event-driven architecture. Producers and consumers are in different AWS accounts. The company needs a central event bus with fine-grained permissions for who can publish and who can subscribe, and it must support event filtering and multiple targets. Which solution should be used?

An existing workload uses Amazon S3 to store customer documents. A recent audit found that some objects are being uploaded without server-side encryption and without required object tags. The company needs to enforce these requirements for all future uploads while minimizing application changes. Which solution meets these requirements?

A company is migrating hundreds of virtual machines from VMware to AWS. The company wants an automated lift-and-shift approach that preserves VM configurations and minimizes manual steps. Which AWS service should the company use?

A global company runs a multi-Region active-active application. The application writes to a single logical data store and requires low-latency reads and writes from multiple Regions. Data conflicts must be handled with a predictable resolution model, and the solution must remain highly available during a Regional outage. Which design best meets these requirements?

A company has a centralized logging account and receives logs from 200+ AWS accounts. Some application teams must be able to search their own logs but must not see other teams’ logs. The company also needs to detect suspicious activity across all accounts and retain raw logs immutably. Which solution best satisfies these requirements?

A company operates 20 AWS accounts in an AWS Organizations structure. The security team wants to prevent any account from disabling AWS CloudTrail or modifying the central S3 bucket used for organization trail logs. The solution must be enforceable even if an account administrator has full IAM permissions. Which approach meets these requirements?

A SaaS provider hosts an application in multiple AWS accounts. The provider needs to share a VPC interface endpoint for an internal service (AWS PrivateLink endpoint service) with consumer accounts, but only specific AWS accounts should be allowed to create endpoints. What should the provider do?

A company uses AWS Control Tower and wants to enforce that all new accounts must deploy mandatory security tooling (an IAM role, AWS Config recorder, and a set of CloudWatch alarms) immediately after account creation. The security tooling must be version-controlled and automatically applied to all accounts in an organizational unit (OU). Which solution is most appropriate?

A media company needs to process large video files uploaded by users. Uploads must be durable and immediately trigger a multi-step workflow: validate file type, extract metadata, transcode into multiple formats, and update a database. The workflow must handle retries, parallel steps, and visual monitoring of state transitions. Which architecture best meets these requirements?

A financial services application stores sensitive documents in Amazon S3. The company must enforce that documents are encrypted with customer managed keys and that access is only permitted through a specific VPC endpoint. The company also needs to prevent any user from uploading unencrypted objects. Which solution meets these requirements?

A company runs a microservices application on Amazon EKS across three Availability Zones. A sudden spike in traffic causes frequent pod evictions and node pressure. The company wants to improve resiliency and ensure critical services remain available during cluster scaling events. Which set of changes is MOST appropriate?

A company uses Amazon RDS for PostgreSQL with a Multi-AZ deployment. During a recent incident, the database failed over successfully, but the application experienced elevated error rates for several minutes due to stale DNS caching. The company wants to reduce failover impact without redesigning the database layer. Which action is recommended?

A company is migrating a legacy application to AWS. The application currently uses on-premises NFS shared storage with low latency requirements and POSIX semantics. The application will run on Linux EC2 instances in a single VPC and must scale to thousands of concurrent connections. Which storage service should a solutions architect recommend?

A company is migrating hundreds of VMware VMs to AWS. The migration tool must support agentless replication, orchestrated cutovers, testing before cutover, and minimal downtime. The company also wants centralized progress tracking. Which solution best fits these requirements?

A global enterprise runs a multi-account AWS environment with centralized security monitoring. The company wants to automatically quarantine EC2 instances that show signs of credential compromise (for example, anomalous API calls from the instance role). The quarantine must remove the instance from production traffic, block outbound internet access, and preserve forensic access for the security team. Which design is MOST appropriate?

A large enterprise is adopting AWS Organizations with a Control Tower landing zone. Multiple application teams want to deploy resources, but the security team requires that no resources can be created outside approved regions and that all data at rest in Amazon S3 must be encrypted. Teams must still be able to provision new accounts quickly with minimal manual review. Which approach best meets these requirements?

A company runs a containerized web application on Amazon ECS with AWS Fargate in two Regions. The application uses Amazon Aurora PostgreSQL. The company needs a disaster recovery design that provides an RTO of minutes and an RPO of near zero across Regions, while minimizing application changes. Which solution best meets these requirements?

A company has a single VPC with multiple private subnets across three Availability Zones. Instances in private subnets intermittently fail to pull container images from Amazon ECR and to access AWS Systems Manager (SSM). The VPC uses a single NAT gateway in one Availability Zone. The failures correlate with increased traffic and an Availability Zone impairment event. What is the BEST architectural change to improve resiliency and reduce these failures?

A company is migrating a legacy on-premises application to AWS. The application uses a single NFS file share that must be accessed concurrently by hundreds of Linux instances. The company will keep a portion of the workload on premises for several months and needs low-latency access from both on premises and AWS during the transition. Which solution should a solutions architect recommend?

A SaaS provider runs workloads in multiple AWS accounts under AWS Organizations. Each workload account contains VPC endpoints and private hosted zones for internal services. The provider must enable a centralized security account to query and correlate VPC Flow Logs and DNS query logs across all accounts in near real time, while ensuring workload teams cannot modify the centralized log archive. Which architecture BEST meets these requirements?