Exam Guides 🇺🇸 · 9 min read

SAP-C02 Deep Dive: Organizational Complexity and New Solution Design (Domains 1 & 2)

Master 55% of the SAP-C02 exam with this deep dive into Domains 1 and 2. Covers multi-account architecture, Transit Gateway, DR strategies, database selection, event-driven patterns, and new AWS services.

Domains 1 and 2 of the AWS Solutions Architect Professional (SAP-C02) exam represent 55% of your total score. Domain 1 (Organizational Complexity) carries 26% and Domain 2 (New Solutions) carries 29%. If you master these two domains, you only need to survive Domains 3 and 4 to pass.

This deep dive covers the architecture patterns, service comparisons, and decision frameworks that the SAP-C02 tests most heavily. We include CLI examples, architecture patterns in text, and the comparison tables you need to memorize before exam day.

Domain 1: Design Solutions for Organizational Complexity (26%)

This domain tests your ability to design architectures that span multiple AWS accounts, regions, and hybrid environments. The key word is "organizational" -- think enterprise-scale with governance, compliance, and cross-account access patterns.

Multi-Account Architecture

AWS Organizations is the foundation of multi-account architecture. Every SAP-C02 candidate must understand these concepts deeply:

Service Control Policies (SCPs): SCPs are the most-tested topic in Domain 1. Key rules:

  • SCPs define the maximum permissions available to accounts in an OU or the entire organization
  • An SCP Deny cannot be overridden -- not by IAM policies, not by resource policies, not even by the account root user (for member accounts)
  • SCPs do NOT grant permissions. They only restrict what identity policies can grant
  • SCPs do not affect the management account -- only member accounts
  • Effective permissions are the intersection of what the SCPs, the identity policy, and the resource policy each allow; an explicit Deny in any one of them wins

Exam Tip: If a question mentions "prevent anyone in the account from performing action X, regardless of their IAM permissions," the answer is an SCP Deny. No other mechanism provides this level of guardrail in a multi-account setup.
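
The evaluation rules above are easy to state and easy to get wrong in practice, so here is a small offline model of them. This is an added example written for this guide, not code from the original article or from AWS: it implements only the rules stated in the list (Deny wins, every level of the OU path must allow, SCPs never grant, the management account is out of scope) and leaves out conditions, NotAction, permission boundaries and session policies. The policy documents are constructed samples; the DenyLeaveOrg SCP mirrors the CLI example that follows.

```python
"""Simplified model of how AWS evaluates a request under SCPs, an identity
policy and a resource policy. Added illustration for this guide, not code from
the article or from AWS. Rules modelled: explicit Deny anywhere wins; each level
of the OU path (root -> OU -> account) must contain an SCP that allows the
action and none that denies it; SCPs never grant by themselves; the management
account is not subject to SCPs. Conditions, NotAction, permission boundaries
and session policies are deliberately omitted."""
import fnmatch

# Constructed sample policies.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_LEAVE_ORG = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
ADMIN_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_READ_ONLY_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::audit-logs/*"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _verdict(policy, action, resource):
    """'Deny', 'Allow' or None (implicit deny) for one policy document.
    Actions match case-insensitively, resources case-sensitively, using
    IAM's '*' and '?' wildcards."""
    effects = set()
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def is_allowed(action, resource, identity_policy, scp_path=(), resource_policy=None,
               is_management_account=False):
    """scp_path: one list of attached SCPs per level, root first, down to the
    account. Every level must allow the action and no level may deny it."""
    if not is_management_account:          # SCPs never apply to the management account
        for level in scp_path:
            verdicts = [_verdict(p, action, resource) for p in level]
            if "Deny" in verdicts or "Allow" not in verdicts:
                return False
    ident = _verdict(identity_policy, action, resource)
    res = _verdict(resource_policy, action, resource) if resource_policy else None
    if "Deny" in (ident, res):             # explicit Deny always wins
        return False
    return "Allow" in (ident, res)         # an SCP Allow alone is never a grant

# Constructed OU path: FullAWSAccess plus DenyLeaveOrg at the root, FullAWSAccess on the OU.
ORG_PATH = [[FULL_AWS_ACCESS, DENY_LEAVE_ORG], [FULL_AWS_ACCESS]]

if __name__ == "__main__":
    # An admin in a member account still cannot leave the organization ...
    print(is_allowed("organizations:LeaveOrganization", "*", ADMIN_IDENTITY_POLICY, ORG_PATH))
    # ... while the same call in the management account is untouched by the SCP.
    print(is_allowed("organizations:LeaveOrganization", "*", ADMIN_IDENTITY_POLICY, ORG_PATH,
                     is_management_account=True))
    # SCPs do not grant: a read-only identity policy cannot write even under FullAWSAccess.
    print(is_allowed("s3:PutObject", "arn:aws:s3:::audit-logs/x", S3_READ_ONLY_IDENTITY_POLICY, ORG_PATH))
```

The `scp_path` argument is a list of levels rather than a flat list because that is how inheritance actually behaves: an OU whose only attached SCP is a Deny-only policy (with FullAWSAccess detached) blocks everything below it, which the model reproduces.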

AWS Control Tower: Builds on Organizations to provide automated account provisioning with guardrails (preventive via SCPs, detective via Config rules). Know that Control Tower uses a landing zone with shared accounts: Management, Log Archive, and Audit.

IAM Identity Center (formerly SSO): Centralized access management across all accounts in the organization. Users authenticate once and can access any account they have permission sets for. Key for the exam: Identity Center integrates with external IdPs (Active Directory, Okta, etc.) via SAML 2.0.

AWS Resource Access Manager (RAM): Share resources across accounts without creating duplicates. Common shared resources on the exam: Transit Gateway, subnets, Route 53 Resolver rules, License Manager configurations, and Aurora DB clusters.

CLI Example -- Create an SCP that denies leaving the organization (creating the policy does nothing on its own; it takes effect only once attached to the root or an OU with aws organizations attach-policy):

aws organizations create-policy \
  --name "DenyLeaveOrg" \
  --type SERVICE_CONTROL_POLICY \
  --description "Prevent member accounts from leaving the organization" \
  --content '{
    "Version": "2012-10-17",
    "Statement": [{
      "Sid": "DenyLeaveOrg",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }]
  }'

Advanced Networking: Transit Gateway, Direct Connect, Hybrid DNS

Transit Gateway (TGW) is the hub-and-spoke networking service for connecting VPCs, VPNs, and Direct Connect. Architecture pattern:

                      +-------------------+
                      |  Transit Gateway  |
                      +-------------------+
                     /    |    |    |    \
                    /     |    |    |     \
              VPC-A   VPC-B  VPC-C  VPN   Direct Connect
              (Dev)  (Stg)  (Prod) (On-prem) (On-prem DC)

Route Table Associations:
  - Dev RT: VPC-A can reach VPC-B, but NOT VPC-C (prod isolation)
  - Prod RT: VPC-C can reach On-prem via VPN and DX
  - Shared RT: All VPCs can reach shared-services VPC

Key TGW facts for the exam:

  • TGW supports cross-region peering (inter-region TGW peering)
  • TGW route tables control which attachments can communicate
  • TGW can be shared across accounts via RAM
  • Each TGW attachment (VPC, VPN, DX) is associated with exactly one route table
  • TGW supports ECMP (Equal-Cost Multi-Path) for VPN, allowing you to aggregate bandwidth from multiple VPN connections
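
The route-table layout in the diagram above is the part candidates most often get wrong: isolation is a property of two tables, not one. The following model is an added example for this guide (not code from the article or from AWS) that reproduces the Dev / Prod / Shared layout with constructed attachment names and CIDRs, treats propagation as explicit routes, and checks reachability in both directions the way the TGW data plane does. Direct Connect is left out of the sample topology for brevity.

```python
"""Model of Transit Gateway route-table isolation, an added illustration for
this guide (not code from the article or from AWS). A TGW forwards a packet
using the route table associated with the attachment it arrived on, and every
attachment is associated with exactly one table. Two attachments can talk only
if each side's table holds a route to the other, so isolating Prod from Dev
means keeping Prod out of the Dev table and Dev out of the Prod table. Names
and CIDRs are constructed samples; route propagation is modelled explicitly."""
import ipaddress

class TransitGateway:
    def __init__(self):
        self.attachments = {}    # attachment name -> IPv4Network behind it
        self.associations = {}   # attachment name -> associated route table
        self.route_tables = {}   # route table -> {IPv4Network: attachment name}

    def add_attachment(self, name, cidr, route_table):
        self.attachments[name] = ipaddress.ip_network(cidr)
        self.associations[name] = route_table
        self.route_tables.setdefault(route_table, {})

    def propagate(self, attachment, route_table):
        """Propagation installs the attachment's CIDR as a route in a table."""
        table = self.route_tables.setdefault(route_table, {})
        table[self.attachments[attachment]] = attachment

    def withdraw(self, attachment, route_table):
        """Remove a propagated route (the effect of disabling propagation)."""
        self.route_tables[route_table].pop(self.attachments[attachment], None)

    def next_hop(self, ingress_attachment, dst_ip):
        """Longest-prefix match in the table associated with the ingress attachment."""
        table = self.route_tables[self.associations[ingress_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        hits = [(net.prefixlen, att) for net, att in table.items() if ip in net]
        return max(hits)[1] if hits else None

    def can_communicate(self, a, b):
        """True only when traffic is routable in both directions."""
        ip_a, ip_b = self.attachments[a][1], self.attachments[b][1]
        return self.next_hop(a, str(ip_b)) == b and self.next_hop(b, str(ip_a)) == a

def build_sample_topology():
    """The Dev / Prod / Shared route-table layout from the diagram above."""
    tgw = TransitGateway()
    tgw.add_attachment("VPC-A", "10.1.0.0/16", "Dev-RT")      # Dev
    tgw.add_attachment("VPC-B", "10.2.0.0/16", "Dev-RT")      # Staging
    tgw.add_attachment("VPC-C", "10.3.0.0/16", "Prod-RT")     # Prod
    tgw.add_attachment("VPN", "192.168.0.0/16", "Prod-RT")    # On-prem over VPN
    tgw.add_attachment("Shared", "10.0.0.0/16", "Shared-RT")  # Shared services
    for att in ("VPC-A", "VPC-B", "Shared"):        # Dev table: no route to Prod
        tgw.propagate(att, "Dev-RT")
    for att in ("VPC-C", "VPN", "Shared"):          # Prod table: Prod, on-prem, shared
        tgw.propagate(att, "Prod-RT")
    for att in ("VPC-A", "VPC-B", "VPC-C", "VPN"):  # return routes for shared services
        tgw.propagate(att, "Shared-RT")
    return tgw

if __name__ == "__main__":
    tgw = build_sample_topology()
    for pair in (("VPC-A", "VPC-B"), ("VPC-A", "VPC-C"), ("VPC-C", "VPN"), ("VPC-A", "Shared")):
        print(pair, tgw.can_communicate(*pair))
```

Withdrawing the VPC-A route from Shared-RT leaves `next_hop("VPC-A", ...)` pointing at the shared-services VPC while `can_communicate` turns false: packets arrive but replies have nowhere to go, which is the asymmetric-routing failure the TGW route-table design has to avoid.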

Direct Connect + VPN failover: Direct Connect provides dedicated, private connectivity to AWS. For resilience, pair it with a Site-to-Site VPN as a failover path. The VPN connection goes over the public internet but is encrypted. Use BGP to fail over automatically from DX to VPN when the DX connection is down. For the exam, know that DX provides consistent latency and bandwidth, while VPN provides encrypted failover but with variable latency.

Hybrid DNS with Route 53 Resolver: To resolve on-premises DNS names from AWS (and vice versa), use Route 53 Resolver endpoints:

  • Inbound endpoint: On-premises DNS servers forward queries to this endpoint to resolve AWS private hosted zones
  • Outbound endpoint: AWS resources use this endpoint to forward queries to on-premises DNS servers
  • Resolver rules can be shared across accounts via RAM

AWS PrivateLink: Expose a service in one VPC to consumers in other VPCs (same or different accounts) without traversing the public internet, VPC peering, or Transit Gateway. The provider creates a Network Load Balancer and a VPC endpoint service. The consumer creates an interface VPC endpoint. Traffic stays on the AWS private network.

Disaster Recovery Strategies

This is one of the most-tested topics on SAP-C02. You must know all four strategies and their RTO/RPO characteristics.

| Strategy | RTO | RPO | Cost | Description |
| --- | --- | --- | --- | --- |
| Backup & Restore | Hours | Hours | $ | Back up data to S3/Glacier; restore from backup when disaster occurs. Slowest recovery, lowest cost. |
| Pilot Light | Tens of minutes | Minutes | $$ | Core infrastructure (DB replicas) always running in DR region. Compute scaled up on failover. |
| Warm Standby | Minutes | Seconds to minutes | $$$ | Scaled-down but fully functional copy running in DR region. Scale up on failover. |
| Multi-Site Active-Active | Near-zero | Near-zero | $$$$ | Full production in both regions, traffic split via Route 53. Most expensive, fastest recovery. |

Exam Tip: When a question says "minimize cost" with an acceptable RTO of "several hours," the answer is Backup & Restore. When it says "RTO under 15 minutes," you need at least Pilot Light. When it says "near-zero downtime," you need Multi-Site Active-Active. The exam always includes a cost or RTO constraint -- use it to eliminate strategies.

Centralized Security Logging

Enterprise-scale security requires centralized logging across all accounts. The SAP-C02 pattern:

  • CloudTrail organization trail: A single trail in the management account that logs API calls from ALL member accounts. Logs are delivered to a centralized S3 bucket in the Log Archive account.
  • VPC Flow Logs: Send to a centralized S3 bucket or CloudWatch Logs in the security account. Use for network forensics and anomaly detection.
  • AWS Config aggregator: Aggregates Config compliance data from all accounts and regions into a single view.
  • GuardDuty with delegated administrator: Enable GuardDuty across all accounts in the organization with a delegated admin account for centralized threat detection.
  • Security Hub: Aggregates findings from GuardDuty, Inspector, Macie, Config, and third-party tools into a single dashboard.
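
The point of an organization trail is that one consumer can apply org-wide detection rules to a single stream that carries every member account's events. The script below is an added example for this guide (not code from the article or from AWS): it reads a constructed batch of CloudTrail-shaped records from several accounts and flags two things a centralized security team always wants to know about, root-user API activity and attempts to stop or alter logging. The account IDs, ARNs and timestamps are made up.

```python
"""Detection pass over records from a CloudTrail organization trail, an added
illustration for this guide (not code from the article or from AWS). The
records are constructed samples following the CloudTrail record layout
(recipientAccountId identifies the member account). Rules: root-user API
calls, and CloudTrail API calls that disable or reshape logging."""
import json
from collections import defaultdict

# Constructed sample log batch, trimmed to the fields the rules use.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/ops"}},
    {"eventTime": "2024-01-01T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "recipientAccountId": "333333333333",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::333333333333:root"}},
    {"eventTime": "2024-01-01T10:09:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev"}},
]})

# CloudTrail API calls that reduce or alter logging coverage.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def root_activity(record):
    """Any API call made with root credentials."""
    return record.get("userIdentity", {}).get("type") == "Root"

def logging_tamper(record):
    """CloudTrail configuration changes that weaken the audit trail."""
    return (record.get("eventSource") == "cloudtrail.amazonaws.com"
            and record.get("eventName") in LOGGING_TAMPER_EVENTS)

RULES = {"root-api-call": root_activity, "cloudtrail-tamper": logging_tamper}

def scan(log_text):
    """Return {account_id: [(rule, eventName, principal arn), ...]} per matching record."""
    findings = defaultdict(list)
    for rec in json.loads(log_text)["Records"]:
        for name, rule in RULES.items():
            if rule(rec):
                findings[rec["recipientAccountId"]].append(
                    (name, rec["eventName"], rec["userIdentity"].get("arn")))
    return dict(findings)

if __name__ == "__main__":
    for account, hits in scan(SAMPLE_LOG).items():
        for rule, event, arn in hits:
            print(f"{account}: {rule} ({event}) by {arn}")
```

Grouping by `recipientAccountId` is what makes the organization trail useful: the same two rules would need to be deployed and maintained separately in every member account if each kept its own trail.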

Domain 2: Design for New Solutions (29%)

This is the largest domain on the exam. It tests your ability to design greenfield architectures that meet complex requirements using the right AWS services.

Elastic Disaster Recovery and New Services

AWS Elastic Disaster Recovery (DRS): Provides continuous block-level replication of on-premises or cloud servers to AWS. When you initiate failover, DRS launches fully provisioned servers in AWS within minutes. Key differentiator from Backup & Restore: DRS uses continuous replication (RPO measured in seconds) rather than periodic snapshots (RPO measured in hours).

New services frequently tested on SAP-C02:

| Service | What It Does | When to Choose It |
| --- | --- | --- |
| App Runner | Deploy web apps from source or container image | Simple web services, team without container expertise |
| Managed Grafana | Managed dashboards for operational monitoring | Teams already using Grafana, multi-source visualization |
| Managed Prometheus | Managed metrics collection compatible with Prometheus | Kubernetes workloads, teams using PromQL |
| Amazon Proton | Platform team manages templates, devs self-service deploy | Large orgs standardizing deployment patterns |
| ECS Anywhere | Run ECS tasks on on-premises servers | Hybrid container workloads managed from AWS |
| EKS Anywhere | Run EKS on on-premises infrastructure | Kubernetes on-prem with AWS tooling and support |
| MemoryDB for Redis | Durable, Redis-compatible in-memory database | Primary database with microsecond reads AND durability |

MemoryDB vs ElastiCache -- critical distinction: ElastiCache is a cache -- it stores temporary copies of data for fast access. If ElastiCache loses data, the application reads from the primary database. MemoryDB is a database -- it stores data durably with transaction logging. If you need Redis-compatible microsecond reads AND data durability (as a primary data store), the answer is MemoryDB. If you need Redis as a caching layer in front of another database, the answer is ElastiCache.

Database Selection Matrix

| Requirement | Best Service | Why |
| --- | --- | --- |
| Relational, MySQL/PostgreSQL compatible, auto-scaling | Aurora | 5x MySQL performance, auto-scaling storage, up to 15 replicas |
| Key-value, single-digit ms latency, limitless scale | DynamoDB | Serverless, auto-scaling, global tables for multi-region |
| Graph database, relationship queries | Neptune | Optimized for connected data (social networks, fraud detection) |
| Time-series data (IoT, metrics) | Timestream | Built-in time-series functions, auto data tiering |
| Immutable, cryptographically verifiable ledger | QLDB | Transparent, immutable journal with cryptographic hash chain |
| In-memory cache for read-heavy workloads | ElastiCache | Microsecond reads, Redis or Memcached engines |
| In-memory primary database with durability | MemoryDB | Redis-compatible with transaction log for durability |
| Document database, MongoDB compatible | DocumentDB | Managed, MongoDB-compatible, auto-scaling storage |

Event-Driven Patterns: EventBridge vs SNS vs SQS

The SAP-C02 loves questions about choosing the right messaging service. Here is the decision framework:

| Pattern | Best Service | Key Details |
| --- | --- | --- |
| Route events based on content/rules | EventBridge | Content-based filtering, schema registry, 300+ event sources, cross-account delivery |
| Fan-out: one message to many subscribers | SNS | Push-based, supports SQS, Lambda, HTTP, email, SMS subscribers. Filter policies for selective delivery. |
| Decouple producer/consumer, buffering | SQS | Pull-based, at-least-once (standard) or exactly-once (FIFO). Dead-letter queue for failed messages. |
| Fan-out with buffering | SNS + SQS | SNS fans out to multiple SQS queues. Each consumer processes at its own pace. |
| Ordered processing with deduplication | SQS FIFO | 300 msg/s (3,000 with batching). Exactly-once. Message group IDs for ordering. |
| Cross-account event routing | EventBridge | Event buses can receive events from other accounts. Ideal for org-wide event architecture. |

Dead Letter Queues (DLQ): Both SQS and SNS support DLQs. An SQS DLQ captures messages that exceed the maximum receive count. An SNS DLQ captures messages that fail delivery to a subscriber. For the exam, when a question mentions "messages that fail processing should be retained for investigation," the answer involves a DLQ.

CLI Example -- Create an EventBridge rule for cross-account event routing (the rule and target live in the source account; the target account's event bus also needs a resource policy, set with aws events put-permission, that allows the source account to call PutEvents on it):

# In the source account: create a rule that forwards to the target account's event bus
aws events put-rule \
  --name "ForwardSecurityFindings" \
  --event-bus-name "default" \
  --event-pattern '{
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
      "findings": {
        "Severity": {
          "Label": ["CRITICAL", "HIGH"]
        }
      }
    }
  }'

aws events put-targets \
  --rule "ForwardSecurityFindings" \
  --targets '[{
    "Id": "SecurityAccountBus",
    "Arn": "arn:aws:events:us-east-1:SECURITY_ACCOUNT_ID:event-bus/default",
    "RoleArn": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/EventBridgeCrossAccountRole"
  }]'
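
Before deploying a rule like the one above, it is worth checking the event pattern offline against the shape of the events it is meant to catch, because Security Hub delivers findings as an array under `detail.findings`. The matcher below is an added example for this guide (not code from the article or from AWS): it implements the subset of EventBridge pattern semantics the CLI example relies on (every pattern key must exist in the event, a list at a leaf is an OR of exact values, nested objects recurse, and an array in the event matches when any element matches) and runs the same pattern against constructed sample findings. Content filters such as prefix, numeric or anything-but are not modelled.

```python
"""Offline matcher for the EventBridge event pattern used in the CLI example,
an added illustration for this guide (not code from the article or from AWS).
Semantics modelled: pattern keys must exist in the event; a list at a leaf is an
OR over exact values; nested objects recurse; an array in the event matches if
any element matches. The sample events are constructed, not real Security Hub
output."""
import json

# Same pattern as in the put-rule call above.
SECURITY_FINDINGS_PATTERN = json.loads('''{
  "source": ["aws.securityhub"],
  "detail-type": ["Security Hub Findings - Imported"],
  "detail": {"findings": {"Severity": {"Label": ["CRITICAL", "HIGH"]}}}
}''')

def matches(pattern, event):
    """True if `event` satisfies `pattern` under the EventBridge subset above."""
    if isinstance(event, list):                   # array in the event: any element may match
        return any(matches(pattern, item) for item in event)
    if isinstance(pattern, list):                 # leaf: OR over exact values
        return event in pattern
    if not isinstance(pattern, dict) or not isinstance(event, dict):
        return False
    return all(key in event and matches(sub, event[key]) for key, sub in pattern.items())

def make_finding_event(labels, source="aws.securityhub"):
    """Constructed Security Hub-shaped event carrying one finding per label."""
    return {
        "source": source,
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{"Id": f"finding-{i}", "Severity": {"Label": label}}
                                for i, label in enumerate(labels)]},
    }

def forwarded(events):
    """The subset of events the rule would send to the security account's bus."""
    return [e for e in events if matches(SECURITY_FINDINGS_PATTERN, e)]

if __name__ == "__main__":
    batch = [make_finding_event(["HIGH"]),
             make_finding_event(["LOW", "MEDIUM"]),
             make_finding_event(["LOW", "CRITICAL"]),
             make_finding_event(["HIGH"], source="aws.guardduty")]
    for e in batch:
        labels = [f["Severity"]["Label"] for f in e["detail"]["findings"]]
        print(e["source"], labels, "->", matches(SECURITY_FINDINGS_PATTERN, e))
```

Note what the third sample shows: an event whose findings array mixes a LOW and a CRITICAL finding is forwarded as a whole, so the consumer in the security account still has to filter individual findings rather than assume every element is CRITICAL or HIGH.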

Practice These Domains: CertLand's 380 SAP-C02 practice questions include deep-dive scenarios for Domains 1 and 2. Filter by domain to focus on organizational complexity and new solution design. Every question includes multi-constraint scenarios with full explanations.

Mastering Domains 1 and 2 gives you control over 55% of the SAP-C02 exam. Focus on the decision frameworks: when to use which DR strategy, which database for which access pattern, and which messaging service for which event pattern. These frameworks will carry you through the toughest questions.

Ready to practice at professional level? Try CertLand's SAP-C02 practice exams today.
