AWS Certified Solutions Architect - Professional Advanced Practice Exam: Hard Questions 2025

A multinational enterprise runs workloads in 30 AWS accounts across 4 OUs in AWS Organizations. A central security team must enforce encryption at rest for all EBS volumes and prevent any principal from disabling CloudTrail logging in member accounts. Some teams use AWS Control Tower, others do not. The security team also needs near-real-time visibility of noncompliant resources across all accounts without deploying agents. Which solution best meets these requirements with the LEAST operational overhead?

A company has a hub-and-spoke network with a central AWS Transit Gateway (TGW) in a shared networking account. Multiple application accounts attach VPCs in three Regions. The company must ensure that only the shared inspection VPC (containing third-party firewalls) can egress to the internet, and all east-west traffic between spoke VPCs must pass through the inspection VPC. Teams frequently create new VPCs and attachments. Which design provides the MOST scalable and least error-prone way to enforce these routing requirements?

A financial services company uses Amazon S3 for a data lake across multiple accounts. Data producers write objects to an S3 bucket in their own accounts. A central analytics account must read objects from all producer buckets. Requirements: enforce least privilege, prevent data exfiltration, ensure objects are encrypted with KMS keys controlled by each producer, and allow producers to revoke analytics access quickly without changing IAM policies in the analytics account. Which approach best meets these requirements?

A new customer-facing application requires a global active-active architecture with single-digit millisecond read latency and the ability to perform multi-Region writes with automatic conflict resolution. The application stores user profiles and session state and must remain available even if an entire Region becomes unavailable. Which data layer design best fits these requirements?

A company is building an event-driven ingestion platform where producers publish events to an API endpoint. The system must validate and transform events, ensure at-least-once delivery to downstream consumers, and handle burst traffic up to 200,000 requests per second. Downstream systems include Lambda and an on-premises Kafka cluster over AWS Direct Connect. The company needs minimal operational overhead and must isolate failures so a slow consumer does not impact ingestion. Which architecture best meets these requirements?

A SaaS provider runs hundreds of microservices on Amazon EKS across multiple accounts and Regions. The company must implement zero-trust service-to-service connectivity with mutual TLS, fine-grained authorization (per service and per method), and consistent policy enforcement across clusters. The solution must minimize application code changes and support progressive delivery. Which approach best meets these requirements?

An existing three-tier application uses EC2 Auto Scaling groups behind an ALB and stores session state in an in-memory cache on each instance. During scaling events, users experience intermittent logouts and inconsistent cart contents. The company wants to improve availability and scaling behavior with minimal code changes and minimal operational burden. Which change is the BEST next step?

A production workload uses Amazon Aurora PostgreSQL with multiple read replicas. The team enabled RDS Performance Insights and observes periodic spikes in CPU and DB load correlated with a reporting job. The reporting queries are complex and cause lock contention that impacts OLTP latency. The company must keep the reporting capability but eliminate user-facing impact. Which solution is MOST appropriate?

A company runs a containerized batch processing pipeline on Amazon ECS with tasks that write intermediate artifacts to an S3 bucket. Failures occasionally leave partially written artifacts, causing downstream tasks to consume corrupted data. The company wants to improve reliability and traceability. Requirements: idempotent processing, ability to replay from a point in time, and clear lineage per batch run. Which design change best meets these requirements?

A company is migrating a legacy on-premises Oracle database (tens of TB) to AWS. The application cannot tolerate more than a few minutes of downtime during cutover. Some schema features are not supported by the target engine if converted. The company wants to modernize to a managed service to reduce operational effort, but must ensure functional correctness. Which migration approach best balances modernization with minimal downtime and manageable risk?