AWS SAP-C02: Solutions Architect Professional Study Guide
The AWS Certified Solutions Architect - Professional (SAP-C02) validates advanced skills in designing cost-optimized, resilient, secure, and scalable solutions across complex multi-account AWS environments. It is intended for experienced architects who can evaluate trade-offs, plan migrations, and continuously improve existing workloads. The exam is 180 minutes, 75 questions (scored plus unscored), uses a scaled passing score of 750 out of 1000, and is heavy on long multi-service scenarios with multiple-response questions.
Domain 1: Design Solutions for Organizational Complexity
- Service Control Policies (SCPs) are guardrails that set the maximum available permissions for accounts in an OU or organization; they never grant permissions and do not apply to the management account or to service-linked roles.
- AWS IAM Identity Center (successor to AWS SSO) provides centralized workforce SSO and permission sets across all accounts, and integrates with external IdPs via SAML 2.0 and SCIM for automated user/group provisioning.
- Cross-account access is best done with IAM roles and sts:AssumeRole; for third-party access, require an ExternalId condition to prevent the confused-deputy problem.
- AWS Control Tower automates landing zone setup with a multi-account baseline, mandatory and elective guardrails (implemented via SCPs and AWS Config rules), and account provisioning through Account Factory.
- AWS Resource Access Manager (RAM) shares resources such as Transit Gateways, subnets, License Manager configurations, and Route 53 Resolver rules across accounts without resource policies or peering.
- Transit Gateway is the hub-and-spoke router for connecting many VPCs and on-premises networks; it supports route tables for segmentation and is the standard pattern for a centralized inspection/egress VPC.
- AWS PrivateLink (interface VPC endpoints powered by endpoint services and Network Load Balancers) exposes a service privately across VPCs/accounts without VPC peering, Transit Gateway, or internet exposure.
- An organization CloudTrail trail (created from the management or delegated admin account) logs events for all member accounts into a central S3 bucket and cannot be modified or deleted by member accounts.
- AWS Config aggregators collect configuration and compliance data from multiple accounts and Regions into a single account; conformance packs deploy collections of Config rules org-wide.
- AWS KMS multi-Region keys are replicas sharing the same key material and key ID across Regions, enabling encrypt in one Region and decrypt in another - useful for cross-Region DR and global tables.
- Route 53 Resolver inbound endpoints let on-premises resolve AWS private DNS; outbound endpoints plus forwarding rules let VPC resources resolve on-premises domains over Direct Connect or VPN.
- S3 Cross-Region Replication (CRR) requires versioning on source and destination buckets; replication is asynchronous and, by default, does not replicate existing objects, delete markers, or objects already replicated.
- An SCP using a Deny with aws:RequestedRegion (StringNotEquals to allowed Regions) enforces Region restrictions org-wide; pair with allow-listing global services like IAM, CloudFront, and Route 53.
- A delegated administrator account lets you run org-wide services (GuardDuty, Security Hub, Config, Firewall Manager) from a dedicated security/audit account instead of the management account, following least-privilege best practice.
Domain 2: Design for New Solutions
- Amazon SQS decouples producers from consumers so each scales independently; standard queues offer at-least-once delivery and best-effort ordering, while FIFO queues guarantee exactly-once processing and strict ordering within a message group.
- SQS FIFO uses MessageGroupId to preserve ordering per group (e.g., per customer) while allowing parallel processing across groups; ContentBasedDeduplication or a MessageDeduplicationId enforces exactly-once over a 5-minute window.
- SNS fan-out publishes one message to a topic that delivers to multiple subscribers (SQS queues, Lambda, HTTP); pairing SNS with SQS gives durable, decoupled parallel processing.
- Amazon Aurora Global Database replicates to up to five secondary Regions with typical sub-second lag, supports cross-Region disaster recovery with promotion in under a minute, and enables low-latency global reads.
- Multi-AZ RDS provides synchronous standby replication and automatic failover for high availability (not read scaling); read replicas provide asynchronous read scaling and can be promoted for DR.
- DynamoDB on-demand (PAY_PER_REQUEST) automatically scales for unpredictable traffic with no capacity planning; provisioned mode with auto scaling is cheaper for steady, predictable workloads. DAX provides microsecond read caching.
- API Gateway plus Lambda plus DynamoDB is the canonical serverless REST pattern; use Lambda provisioned concurrency to eliminate cold starts for latency-sensitive functions.
- AWS Fargate runs containers (ECS or EKS) without managing EC2 hosts; ECS tasks using Fargate must use awsvpc network mode and specify cpu and memory at the task level.
- CloudFront caches content at edge locations to reduce latency and origin load; cache behaviors with cache policies and TTLs control what is cached, and origin access control (OAC) secures S3 origins.
- AWS WAF protects against common web exploits (SQL injection, XSS) and supports rate-based rules; attach it to CloudFront, ALB, API Gateway, or AppSync. AWS Shield Advanced adds enhanced DDoS protection.
- Store session state in a shared store such as ElastiCache for Redis so any instance behind a load balancer can serve any request, keeping the application tier stateless and horizontally scalable.
- Enforce encryption in transit on S3 with a bucket policy that denies requests where aws:SecureTransport is false; enforce TLS and least-privilege at the boundary by default.
- EventBridge routes events using rules with content-based filtering patterns and supports scheduled rules, cross-account event buses, and many native targets - the preferred service for event-driven and SaaS integration.
- Gateway VPC endpoints for S3 and DynamoDB are free and route traffic over the AWS network without a NAT gateway; interface endpoints (PrivateLink) for other services incur hourly and data charges.
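The three guardrail policies described in Domains 1 and 2 (the Region-restriction SCP on aws:RequestedRegion, the cross-account trust policy requiring an ExternalId, and the bucket policy denying requests where aws:SecureTransport is false) are easy to get subtly wrong, so here is an added example, not code from the study guide, that embeds constructed versions of all three and checks requests against them with a deliberately simplified evaluator (Action/NotAction globbing plus StringEquals, StringNotEquals and Bool; Principal and Resource matching are ignored). The account id, ExternalId, bucket name and Region list are placeholders.

```python
# Added example, not from the study guide: a small IAM policy evaluator for
# unit-testing guardrail policies offline. Simplified on purpose: Action/NotAction
# globbing and three condition operators; Principal and Resource are ignored.
import fnmatch

def _cond_met(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            wants = [str(w) for w in (want if isinstance(want, list) else [want])]
            have = ctx.get(key)
            if op == "StringEquals" and have not in wants:
                return False
            if op == "StringNotEquals" and have in wants:  # a missing key counts as "not equal"
                return False
            if op == "Bool" and (have is None or str(have).lower() != wants[0].lower()):
                return False
    return True

def _action_matches(stmt, action):
    acts = stmt.get("Action", stmt.get("NotAction"))
    acts = acts if isinstance(acts, list) else [acts]
    hit = any(fnmatch.fnmatchcase(action, a) for a in acts)
    return hit if "Action" in stmt else not hit  # NotAction inverts the match

def evaluate(policy, action, ctx):
    """Returns 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny always wins."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _action_matches(stmt, action) and _cond_met(stmt.get("Condition", {}), ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

# Region-restriction SCP: the default FullAWSAccess allow plus a Deny outside the
# approved Regions, with global services (IAM, CloudFront, Route 53) carved out via NotAction.
REGION_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "NotAction": ["iam:*", "cloudfront:*", "route53:*"], "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}

# Cross-account role trust policy; the account id and ExternalId are constructed placeholders.
TRUST_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": "partner-12345"}}}]}

# S3 bucket policy that denies any request not made over TLS (constructed bucket name).
TLS_BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
```

The bucket policy example carries no Allow of its own (that normally comes from the caller's identity policy), so a TLS request evaluates to ImplicitDeny rather than Allow; the point is only that the explicit Deny no longer fires.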
Domain 3: Continuous Improvement for Existing Solutions
- Compute Savings Plans offer the most flexible discount across EC2, Fargate, and Lambda regardless of instance family or Region in exchange for a 1- or 3-year hourly spend commitment; EC2 Instance Savings Plans give deeper discounts but lock you to an instance family in one Region.
- Spot Instances provide up to about 90 percent savings for fault-tolerant, interruptible workloads; design for the 2-minute interruption notice with checkpointing and use Spot via EC2 Fleet or Auto Scaling mixed-instances policies.
- S3 lifecycle rules transition objects across tiers (Standard to Standard-IA, then Glacier Instant/Flexible Retrieval, then Glacier Deep Archive) and expire them; S3 Intelligent-Tiering moves objects automatically based on access with no retrieval fees.
- Add a caching layer to cut read load and latency: ElastiCache (Redis/Memcached) for general caching and DynamoDB Accelerator (DAX) for DynamoDB; for read-heavy relational workloads, add RDS read replicas.
- The four DR strategies in order of increasing cost and decreasing RTO/RPO are Backup and Restore, Pilot Light, Warm Standby, and Multi-Site Active/Active; warm standby keeps a scaled-down but always-running stack ready to scale up.
- AWS Config rules with automatic SSM Automation remediation enforce compliance, and conformance packs deploy rule collections across an organization for continuous governance.
- Use EventBridge rules or CloudWatch alarms to trigger Lambda functions or SSM Automation documents for automated remediation, patching, and operational responses.
- Auto Scaling target tracking adjusts capacity to keep a metric (e.g., average CPU at 50 percent) at target; predictive scaling provisions ahead of forecasted load for cyclical traffic.
- DynamoDB point-in-time recovery (PITR) enables continuous backups with restore to any second in the last 35 days; enable per table to protect against accidental writes/deletes.
- AWS Cost Explorer (ce get-cost-and-usage) and AWS Budgets analyze and alert on spend; Compute Optimizer and Trusted Advisor recommend rightsizing and surface idle or underutilized resources.
- CloudWatch covers metrics, logs, and alarms while AWS X-Ray provides distributed tracing across services; enable both for observability of microservice and serverless applications.
- Tune CloudFront cache behaviors and policies to raise cache-hit ratio so cacheable responses are served from the edge instead of repeatedly hitting and scaling the origin.
- Deploy across multiple Availability Zones behind an Elastic Load Balancer for high availability; for multi-Region failover use Route 53 health checks with failover or latency-based routing.
- Aurora Serverless v2 scales database capacity in fine-grained increments for variable workloads, and Aurora Auto Scaling adds read replicas based on load to optimize cost and performance.
Domain 4: Accelerate Workload Migration and Modernization
- The 7 Rs migration strategies are Retire, Retain, Rehost (lift-and-shift), Relocate (e.g., VMware Cloud on AWS), Repurchase (move to SaaS/buy new), Replatform (lift-tinker-shift), and Refactor/Re-architect (redesign cloud-native).
- AWS Application Migration Service (MGN) is the primary rehosting tool: a lightweight agent does continuous block-level replication to a staging area, then performs test launches and a short orchestrated cutover with minimal downtime.
- AWS Database Migration Service (DMS) migrates databases with minimal downtime; the full-load-and-cdc task type does a full copy then keeps changes synchronized via change data capture until cutover.
- AWS Schema Conversion Tool (SCT) converts schema and procedural code for heterogeneous migrations (e.g., Oracle/SQL Server to Aurora PostgreSQL); homogeneous migrations need only DMS.
- Refactoring a commercial database to Amazon Aurora PostgreSQL or MySQL with DMS plus SCT is the standard way to escape expensive commercial licensing while gaining managed scalability.
- AWS Application Discovery Service collects on-premises server inventory, performance, and network dependencies, feeding AWS Migration Hub for centralized discovery, dependency mapping, and migration tracking.
- AWS DataSync efficiently transfers large file and object datasets over network or Direct Connect to S3, EFS, or FSx, with built-in encryption, scheduling, and integrity verification.
- AWS Snowball Edge and the Snow Family move very large datasets offline when network bandwidth is insufficient; Snowball Edge is the right choice for petabyte-scale transfers under tight deadlines (e.g., 600 TB in two weeks).
- AWS DataSync is for ongoing/network-based file transfer, while Snow devices are for one-time bulk offline transfer; choose based on data volume, available bandwidth, and timeline.
- Modernize by containerizing on ECS with Fargate for simpler services or EKS with Fargate for Kubernetes-native workloads, and break monoliths into microservices or Lambda functions when refactoring.
- The AWS Well-Architected Framework's six pillars are Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability - used to evaluate and improve designs.
- AWS Migration Hub Refactor Spaces helps incrementally refactor monoliths to microservices using the strangler-fig pattern by routing portions of traffic to new services behind a managed application proxy.
- AWS Transfer Family provides managed SFTP/FTPS/FTP endpoints backed by S3 or EFS for migrating partner file-exchange workflows without running file-transfer servers.
- For VMware estates, MGN agentless replication or VMware Cloud on AWS (Relocate) preserves operations during transition; choose rehost for speed and refactor later for cloud-native benefits.
AWS SAP-C02 exam tips
- Read the last sentence of each scenario first - it states the actual requirement (lowest cost, least operational overhead, highest availability, minimal downtime) that distinguishes the one best answer from several technically valid options.
- Watch for multiple-response questions that ask you to choose two or three answers; partial credit is not given, so each selected item must independently be correct.
- Eliminate answers that violate AWS best practices: using the management account for workloads, hardcoding credentials, opening security groups to 0.0.0.0/0, or solutions with unnecessary operational overhead.
- Map keywords to services: decouple to SQS, fan-out to SNS, event-driven to EventBridge, minimal-downtime server migration to MGN, heterogeneous database migration to DMS plus SCT, and offline bulk transfer to Snow Family.
- With 75 questions in 180 minutes you have roughly 2.4 minutes each; flag long multi-part scenarios, answer the quick ones first, and budget time to revisit flagged questions.
Study guide FAQ
What score do I need to pass the SAP-C02 exam?
You need a scaled score of 750 on a scale from 100 to 1000. The exam is scored as a whole using compensatory scoring, so you do not have to pass each domain individually - a strong performance in some domains can offset weaker ones.
How is the exam structured and how long is it?
You have 180 minutes to answer 75 questions, a mix of multiple-choice (one correct answer) and multiple-response (two or more correct answers). Some questions are unscored pilot items that do not affect your result, but you cannot tell which ones, so answer every question.
Do I need the Associate certification first, and how much experience is recommended?
AWS no longer requires a prerequisite certification, but it recommends two or more years of hands-on experience designing and managing solutions on AWS. Holding the SAA-C03 first is a common and helpful path.
What is the biggest difference between the Professional and Associate exams?
The Professional exam features long, multi-paragraph scenarios that span many services and require you to weigh trade-offs across cost, resilience, security, and operational overhead - especially around multi-account organizations and migrations - rather than testing isolated service facts.