AWS Certified Solutions Architect — Professional (SAP-C02)
Complete Study Guide

Master enterprise-scale AWS architecture: multi-account strategies, complex migrations, advanced networking, and cost-optimized designs. The most challenging general AWS certification.

Exam format: 75 questions · 180 minutes · 750 passing score · 4 domains

Domain Breakdown

The SAP-C02 exam is one of the hardest AWS certifications, requiring 2+ years of hands-on experience. It tests your ability to design complex, multi-account, multi-region enterprise solutions — not just recall facts.

| Domain | Topic | Weight | Key Themes |
|---|---|---|---|
| 1 | Design Solutions for Organizational Complexity | 26% | Multi-account, Control Tower, RAM, SCPs, networking at scale |
| 2 | Design for New Solutions | 24% | Well-Architected, serverless, event-driven, security by design |
| 3 | Continuous Improvement for Existing Solutions | 26% | Migration, modernization, 7Rs, database migration, DR |
| 4 | Accelerate Workload Migration and Modernization | 24% | Cost optimization, performance, hybrid, advanced networking |
⚠️ Pro-Level Mindset
How SAP-C02 Differs From Associate Exams
SAP-C02 questions are scenario-heavy with no obviously wrong answers. You must choose between multiple plausible options based on trade-offs: cost vs. resilience, simplicity vs. flexibility, security vs. performance. Every question has enterprise-scale context. Master the Well-Architected Framework's 6 pillars — they underpin most correct answers.

Design Solutions for Organizational Complexity

The largest domain. Master multi-account architecture, AWS Organizations, Control Tower, and cross-account networking. These patterns form the backbone of enterprise AWS.

01 · Organizational Complexity · 26% of exam

AWS Organizations · Control Tower · RAM · Transit Gateway · IAM Identity Center · SCPs

AWS Organizations

  • Hierarchical: Root → OUs → Accounts
  • SCPs: max permissions for OUs/accounts (deny by default)
  • SCPs do NOT apply to management account
  • Tag Policies: enforce consistent tagging
  • Backup Policies: enforce backup plans org-wide
  • Delegated Admin: assign non-management accounts to manage services
  • CloudTrail org trail: central logging to one S3

AWS Control Tower

  • Landing zone: pre-configured multi-account setup
  • Guardrails: preventive (SCPs) and detective (Config rules)
  • Account Factory: automate new account provisioning
  • Account Factory for Terraform (AFT): IaC-based vending
  • Enroll existing accounts into Control Tower
  • Log Archive account + Audit account created automatically
  • Dashboard: drift detection, compliance overview

Resource Access Manager (RAM)

  • Share AWS resources across accounts/OUs
  • Shareable: Subnets, TGW, Route 53 Resolver, License Manager
  • VPC subnets via RAM: shared across accounts, centrally managed
  • No data transfer charges within same AZ (use AZ ID, not AZ name)
  • Better than VPC peering for many-to-one patterns

IAM Identity Center (SSO)

  • Central identity: connect to existing IdP (AD, Okta)
  • Permission Sets: define IAM permissions per account
  • ABAC: attribute-based access control with tags
  • Multi-account access with single sign-on
  • Recommended for new deployments over IAM users/roles

Transit Gateway (TGW)

  • Hub-and-spoke: connect thousands of VPCs + on-prem
  • Transitive routing — unlike VPC Peering
  • TGW Route Tables: segment traffic, isolate VPCs
  • Share TGW across accounts via RAM
  • Supports VPN + Direct Connect attachments
  • Inter-region peering: connect TGWs across regions
  • Multicast support for streaming workloads

Cross-Account Patterns

  • Assume role: both identity + resource policy must allow
  • External ID: prevent confused deputy attack
  • Resource-based policies: S3, KMS, Lambda (no role switch)
  • S3 bucket policy + IAM: both must allow for cross-account
  • KMS cross-region keys: replicate key material
  • Service Control Policy (SCP) can block access even with allow
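The evaluation rules in the list above, worked through in code. This is an added example, not code from the page or from AWS: a deliberately simplified policy evaluator (only Effect/Action/Resource and a StringEquals condition are modelled) with constructed sample policies and a placeholder account ID. It shows the three things the exam expects you to know: a missing or wrong sts:ExternalId fails the trust policy, an SCP explicit deny wins even when identity and resource policies both allow, and a cross-account S3 request needs both the identity policy and the bucket policy to allow.

```python
import fnmatch

# Constructed sample policies for the three layers the page describes:
# an SCP (organization boundary), an identity policy (calling principal),
# and resource policies (a role trust policy and an S3 bucket policy).
ROLE_ARN = "arn:aws:iam::222222222222:role/PartnerAccess"  # placeholder account id
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "s3:GetObject", "s3:DeleteBucket"],
     "Resource": "*"}]}
TRUST_POLICY = {"Statement": [  # trust policy: no Resource element, the role is implicit
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "partner-42"}}}]}
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::shared-bucket", "arn:aws:s3:::shared-bucket/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(stmt, context):
    # Only StringEquals is modelled. A key missing from the request context fails
    # the condition, which is how a missing sts:ExternalId defeats a confused deputy.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != want:
            return False
    return True


def _applies(stmt, action, resource, context):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
            and _conditions_hold(stmt, context))


def evaluate(policy, action, resource, context):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (no match)."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins within the document
            decision = "Allow"
    return decision


def cross_account_allowed(scp, identity_policy, resource_policy, action, resource, context=None):
    """Page rule: an explicit deny anywhere wins, the SCP must allow, and for a
    cross-account request BOTH the identity policy and the resource policy must allow."""
    results = [evaluate(p, action, resource, context or {})
               for p in (scp, identity_policy, resource_policy)]
    return "Deny" not in results and all(r == "Allow" for r in results)
```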
🔑 Key Pattern
Centralized vs. Distributed Networking
Centralized (Hub VPC): Shared VPC subnets via RAM → workload accounts launch into shared subnets. Centralized egress via NAT GW in hub. Security appliances in hub VPC via GWLB.

Distributed (Per-Account VPCs): Each account has own VPC → connect via TGW. More isolation but more complex routing. Use TGW Route Tables to segment prod/dev/shared services.
| Service | Purpose | Key Exam Point |
|---|---|---|
| AWS Organizations | Account hierarchy & billing | SCPs don't apply to management account |
| Control Tower | Landing zone automation | Guardrails = SCPs (preventive) + Config (detective) |
| RAM | Share resources cross-account | Share subnets to centralize networking |
| IAM Identity Center | Multi-account SSO | Replaces cross-account IAM roles for humans |
| TGW | Multi-VPC/on-prem routing hub | Transitive; share via RAM cross-account |
💡 Exam Pattern: When a question asks how to share a VPC or subnet across accounts without VPC peering, the answer is RAM (Resource Access Manager) with shared subnets. When asked about centralized network egress, think TGW + centralized NAT GW.

Design for New Solutions

Apply the Well-Architected Framework to design secure, resilient, high-performing, cost-optimized architectures. Master serverless patterns, event-driven design, and advanced data stores.

02 · New Solutions Design · 24% of exam

Well-Architected · Serverless · Event-Driven · Advanced Databases · Security Design · DR Strategies

Well-Architected Framework — 6 Pillars

  • Operational Excellence: IaC, small reversible changes, operations as code
  • Security: defense in depth, least privilege, encryption everywhere
  • Reliability: auto-recover, test DR, horizontal scaling
  • Performance Efficiency: right sizing, serverless, global distribution
  • Cost Optimization: right-size, reserved capacity, eliminate waste
  • Sustainability: maximize utilization, use managed services

Serverless Architecture

  • Lambda: 15-min max, up to 10GB memory, 6MB sync payload
  • Lambda@Edge: CloudFront-triggered, us-east-1 only for deployment
  • API Gateway: REST / HTTP / WebSocket; Lambda proxy or HTTP integrations
  • Step Functions: Standard (1yr, exactly-once) vs Express (5min, at-least-once)
  • EventBridge: event bus, routing rules, schema registry
  • SQS: decouple; SQS FIFO: ordering + exactly-once
  • SNS + SQS fan-out: pub/sub to multiple queues

Advanced Database Selection

  • DynamoDB: key-value/document, single-digit ms, global tables
  • Aurora: MySQL/PostgreSQL compatible, auto-storage, Global DB
  • Aurora Serverless v2: per-ACU billing, scale in 0.5 ACU increments
  • ElastiCache Redis: sub-ms latency, pub/sub, sorted sets
  • Redshift: OLAP columnar; Redshift Spectrum: query S3 in-place
  • Neptune: graph database (social, fraud detection)
  • QLDB: immutable ledger with cryptographic verification
  • Timestream: time-series IoT/metrics data

DR Strategies

  • Backup & Restore: RTO/RPO hours, cheapest
  • Pilot Light: core DB replicating; scale on failover
  • Warm Standby: scaled-down full copy; scale up on fail
  • Multi-Site Active/Active: ~0 RTO/RPO, most expensive
  • Route 53 health checks: failover routing between regions
  • Aurora Global DB failover: <1 min RPO, ~1 min RTO
  • S3 CRR: async cross-region object replication

Security Design Patterns

  • VPC Endpoints: private connectivity, no internet
  • PrivateLink: expose services to other VPCs privately
  • Macie: PII detection in S3
  • GuardDuty: threat detection (VPC Flow + CloudTrail + DNS)
  • Security Hub: aggregate findings + Config compliance
  • Detective: graph-based investigation of findings
  • Secrets Manager: auto-rotate DB passwords
  • KMS: envelope encryption for large data

Caching & Performance

  • CloudFront: CDN for static & dynamic content, global edge
  • ElastiCache Redis: app-level caching, session store
  • DAX: DynamoDB-specific in-memory cache (sub-ms reads)
  • Global Accelerator: static anycast IPs, TCP/UDP acceleration
  • S3 Transfer Acceleration: upload over CloudFront edge
  • EFS: shared NFS; use EFS Infrequent Access for cost
  • FSx: Lustre (HPC), Windows (SMB/NTFS), NetApp ONTAP
📐 Architecture Pattern
Event-Driven Decoupling
SNS → SQS (Fan-out): One event to multiple consumers. SNS publishes, each SQS queue processes independently. Resilient: if one consumer fails, others continue.

EventBridge: Route events by pattern. Ideal for SaaS integrations, cross-account event routing. EventBridge Pipes: point-to-point with filtering and enrichment.

Kinesis Data Streams: Real-time, ordered, replay-capable. 1MB/s per shard. Enhanced fan-out: 2MB/s per consumer per shard via push model.
💡 Exam Pattern: "Highly available, decoupled, durable" → SQS. "Fan-out to multiple consumers" → SNS + SQS. "Real-time ordered stream with replay" → Kinesis Data Streams. "Cross-account events" → EventBridge.

Continuous Improvement for Existing Solutions

Master the 7 Rs migration strategies, AWS migration tools, database migration, and how to modernize existing on-premises workloads incrementally with minimal disruption.

03 · Migration & Modernization · 26% of exam

7 Rs · Application Migration Service · DMS · Snow Family · DataSync · Storage Gateway

| Strategy | Name | Description | Use When |
|---|---|---|---|
| Retire | Decommission | Shut down apps that are no longer needed | Redundant or unused workloads |
| Retain | Keep on-prem | Leave as-is (too complex/costly to migrate) | Recently upgraded or compliance-bound |
| Rehost | Lift & Shift | Move VMs as-is to EC2 (no code changes) | Quick migration, large fleet |
| Relocate | Hypervisor-level | Move VMware to VMware Cloud on AWS | VMware workloads, zero downtime |
| Repurchase | Drop & Shop | Switch to SaaS product (e.g., Salesforce) | COTS application with SaaS equivalent |
| Replatform | Lift, Tinker & Shift | Minor optimizations (e.g., RDS instead of EC2 DB) | Some benefit without full refactor |
| Refactor | Re-architect | Redesign for cloud-native (microservices, serverless) | New capabilities needed; long-term agility |

Application Migration Service (MGN)

  • Rehost (lift & shift) automation — replaces SMS
  • Agent-based: continuous block-level replication
  • Cutover window: minimal downtime (seconds to minutes)
  • Supports physical, VMware, Hyper-V, cloud
  • Test instances before cutover

Database Migration Service (DMS)

  • Migrate databases to AWS with minimal downtime
  • Schema Conversion Tool (SCT): convert Oracle→Aurora, etc.
  • Homogeneous: same engine (MySQL→RDS MySQL) — no SCT
  • Heterogeneous: different engine — requires SCT first
  • CDC (Change Data Capture): keep source in sync during migration
  • DMS Serverless: auto-scales migration capacity

Snow Family — Large Data Transfer

  • Snowcone: 8TB usable, smallest, edge compute
  • Snowball Edge Storage: 80TB usable, S3-compatible
  • Snowball Edge Compute: GPU for edge ML, IoT
  • Snowmobile: exabyte-scale (100PB per truck)
  • Rule of thumb: >10TB or poor network → prefer Snow over internet transfer
  • OpsHub: GUI management for Snow devices

DataSync & Transfer Family

  • DataSync: online, scheduled; NFS/SMB/S3/EFS/FSx
  • DataSync: auto-bandwidth scheduling, data integrity checks
  • Storage Gateway: File (S3 backend), Volume (iSCSI), Tape
  • Transfer Family: SFTP/FTPS/FTP to S3 or EFS
  • DataSync vs Snow: DataSync = ongoing/online; Snow = one-time large

Modernization Services

  • ECS / EKS: containerize monolith → microservices
  • App2Container: analyze & containerize Java/.NET apps
  • Migration Hub Refactor Spaces: incremental strangler-fig pattern
  • Migration Evaluator: TCO analysis pre-migration
  • CloudEndure Disaster Recovery → now AWS Elastic Disaster Recovery

VMware Cloud on AWS

  • Run VMware SDDC on dedicated AWS hardware
  • Relocate strategy: zero-code-change migration
  • Native AWS services via VPC connectivity
  • HCX: live migration of VMs without downtime
  • Same vCenter/vSphere tools — no retraining
💡 Exam Pattern: "Migrate Oracle to Aurora" → DMS + SCT (heterogeneous). "Migrate 50TB on 10Mbps link" → Snowball Edge. "Minimal downtime server migration" → AWS MGN. "Incremental traffic shift from monolith to microservices" → Migration Hub Refactor Spaces (strangler-fig).

Cost Optimization & High Performance

At the professional level, you must balance cost, performance, and reliability simultaneously. Master purchasing strategies, networking for performance, and advanced compute optimization patterns.

04 · Cost & Performance · 24% of exam

Purchasing Options · Compute Optimizer · Cost Explorer · Network Performance · Advanced Storage

EC2 Purchasing Strategies

  • On-Demand: no commitment, highest unit cost
  • Reserved (1/3yr): up to 72% off; Standard or Convertible
  • Savings Plans: Compute (any instance family/region) or EC2
  • Spot: 90% off; 2-min interruption; fault-tolerant only
  • Dedicated Host: BYOL, physical server control
  • Dedicated Instances: hardware not shared, per-instance charge
  • Convertible RIs: cannot sell on Marketplace (Standard can)

Auto Scaling Cost Optimization

  • Mixed Instances Policy: combine On-Demand + Spot in ASG
  • Capacity Rebalancing: proactively replace Spot at-risk instances
  • Scheduled Scaling: pre-scale for known demand patterns
  • Predictive Scaling: ML-based, launch before demand
  • Spot Instance Pools: diversify across instance types/AZs

Cost Management Tools

  • Cost Explorer: 12-month history, forecast, tag filters
  • AWS Budgets: alert on cost/usage/RI/Savings Plans threshold
  • CUR: most granular data → S3 → Athena/QuickSight
  • Compute Optimizer: ML right-sizing (needs 30 days CW data)
  • Trusted Advisor: 5 categories; Business/Enterprise = all checks
  • Cost Allocation Tags: activate in Billing console

Storage Cost Optimization

  • S3 Intelligent-Tiering: auto-move, no retrieval fee
  • S3 Lifecycle: transition to IA/Glacier on schedule
  • EBS gp3: 20% cheaper than gp2; independent IOPS
  • EBS Snapshots: incremental; Recycle Bin retains deleted snapshots for recovery
  • EFS Lifecycle: move to IA after 30/60/90 days
  • S3 Object Lock: WORM compliance (Governance/Compliance modes)

Network Performance

  • Placement Groups: Cluster (low latency HPC), Spread (max availability), Partition (Hadoop/Kafka)
  • Enhanced Networking (ENA): up to 100Gbps, lower CPU
  • EFA: Elastic Fabric Adapter for HPC/MPI workloads
  • Global Accelerator: anycast, TCP/UDP, static IPs, non-HTTP
  • CloudFront: HTTP/S only, CDN edge caching
  • Direct Connect: consistent latency, dedicated circuit

Hybrid & Edge Patterns

  • Outposts: AWS hardware on-premises; same APIs
  • Local Zones: extend AWS region to metro areas; low latency
  • Wavelength: embed AWS compute in telecom 5G networks
  • Snowball Edge: compute at the edge without connectivity
  • Direct Connect + VPN backup: resilient hybrid connectivity
  • DX Gateway: connect multiple VPCs/regions from one DX
💰 Cost Pattern
Reserved + Spot + On-Demand Strategy
Baseline load: Reserved Instances or Savings Plans (commit 1–3yr, save up to 72%).
Variable but predictable: Compute Savings Plans (flexible) or Convertible RIs.
Spiky/fault-tolerant: Spot Instances with Mixed Instances Policy in ASG.
Truly unpredictable or small: On-Demand for the remaining delta.

This layered approach minimizes cost while maintaining availability.
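The layering described above, worked through as a cost model. This is an added example, not from the page or from AWS pricing tools: the hourly demand curve and the on-demand rate are constructed, and the discounts are the page's own "up to 72%" (Reserved/Savings Plans) and "90% off" (Spot) figures. It also goes one step beyond the text by searching for the baseline level at which committing one more reserved instance stops paying for itself.

```python
# Constructed hourly demand (instances needed each hour) over a 12-hour window.
DEMAND = [4, 4, 4, 6, 8, 10, 8, 6, 4, 4, 4, 4]
ON_DEMAND_RATE = 0.10   # assumed $ per instance-hour (constructed)
RI_DISCOUNT = 0.72      # "save up to 72%" on the committed baseline (page figure)
SPOT_DISCOUNT = 0.90    # "Spot: 90% off" (page figure)


def layered_cost(demand, reserved, spot_fraction, od_rate=ON_DEMAND_RATE,
                 ri_discount=RI_DISCOUNT, spot_discount=SPOT_DISCOUNT):
    """Cost of the page's layered strategy. `reserved` instances are paid every hour
    whether used or not (that is the commitment); demand above the baseline is split
    into a Spot share (fault-tolerant work) and On-Demand for the remaining delta."""
    reserved_cost = reserved * len(demand) * od_rate * (1 - ri_discount)
    burst_hours = sum(max(0, d - reserved) for d in demand)
    spot_cost = burst_hours * spot_fraction * od_rate * (1 - spot_discount)
    on_demand_cost = burst_hours * (1 - spot_fraction) * od_rate
    return {"reserved": round(reserved_cost, 4), "spot": round(spot_cost, 4),
            "on_demand": round(on_demand_cost, 4),
            "total": round(reserved_cost + spot_cost + on_demand_cost, 4)}


def all_on_demand_cost(demand, od_rate=ON_DEMAND_RATE):
    """The naive alternative: every instance-hour at the On-Demand rate."""
    return round(sum(demand) * od_rate, 4)


def best_reserved_level(demand, spot_fraction):
    """Try every possible baseline and return the cheapest. Over-committing means
    paying the RI rate for idle capacity, so the optimum is not simply max(demand);
    the more burst work can run on Spot, the less baseline is worth committing."""
    return min(range(0, max(demand) + 1),
               key=lambda r: layered_cost(demand, r, spot_fraction)["total"])
```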
💡 Exam Pattern: "Lowest latency between EC2 instances" → Cluster Placement Group. "Consistent latency to on-premises" → Direct Connect. "Non-HTTP global acceleration with static IPs" → Global Accelerator. "HPC with tight coupling between nodes" → EFA (Elastic Fabric Adapter).
📋 Quick Reference
Global Accelerator vs CloudFront
CloudFront: HTTP/HTTPS only. Caches content at edge. Best for static assets, APIs, streaming. Improves cache-hit latency.

Global Accelerator: TCP/UDP any protocol. No caching. Routes traffic via AWS backbone to nearest healthy endpoint. Best for gaming, IoT, VoIP, non-HTTP, or when you need static IPs.

Key differentiator: need static Anycast IPs → always Global Accelerator.

Know These Cold — SAP-C02

| Concept | Domain | Key Rule |
|---|---|---|
| SCPs | D1 | Max permissions — do NOT grant access; skip management account |
| Control Tower Guardrails | D1 | Preventive = SCPs; Detective = Config rules |
| RAM Shared Subnets | D1 | Centralize networking; workloads in shared subnets, pay no cross-AZ if using AZ ID |
| TGW vs VPC Peering | D1 | TGW = transitive hub; Peering = non-transitive, no overlapping CIDRs |
| IAM Identity Center | D1 | Recommended for multi-account human access (replaces cross-account role juggling) |
| DMS + SCT | D3 | Heterogeneous DB migration (e.g., Oracle→Aurora) — SCT converts schema first |
| AWS MGN | D3 | Rehost automation; replaces SMS; minimal downtime cutover |
| Snowball Edge vs DataSync | D3 | Snowball = offline, large one-time; DataSync = online, ongoing |
| 7Rs: Refactor | D3 | Most expensive/complex — redesign cloud-native; highest long-term benefit |
| Savings Plans | D4 | Compute Savings Plans = most flexible (any instance, region, OS) |
| Spot Interruption | D4 | 2-min warning; use with fault-tolerant, stateless workloads only |
| Global Accelerator vs CF | D4 | GA = TCP/UDP + static IPs; CF = HTTP/S + caching |
| Aurora Global DB | D2 | <1s RPO, ~1min RTO cross-region failover |
| Step Functions Express | D2 | 5-min max, at-least-once, for high-volume short workflows |
| Kinesis vs SQS | D2 | Kinesis = ordered, replay; SQS = decoupled, at-least-once delivery |

SAP-C02 Mock Exam — 100 Questions

Professional-level scenario questions. Each question has an optional explanation to deepen your understanding.
