SAP-C02 Domain 1: Design Solutions for Organizational Complexity: Deep Dive Study Guide 2026
Deep dive on Domain 1: Design Solutions for Organizational Complexity for the SAP-C02 exam. Covers every subtopic, sample questions, and common traps.
Domain 1 carries 25% of the SAP-C02 exam — the single heaviest domain. It tests whether you can design AWS architectures that work across multiple accounts, multiple teams, multiple compliance regimes, and multiple network boundaries at the same time. If your experience is mostly single-account workloads, this domain is where the exam will expose you. This guide goes deep on every subtopic so you walk into the exam knowing exactly how AWS expects an architect to think at enterprise scale.
What This Domain Actually Covers
The official blueprint breaks Domain 1 into three task statements:
- 1.1 — Architect network connectivity strategies
- 1.2 — Prescribe security controls
- 1.3 — Design reliable and resilient architectures
In practice, these three areas bleed into each other constantly. A Transit Gateway question is also a security question. An AWS Organizations question is also a reliability question. Don't study them in isolation.
1.1 Network Connectivity Strategies at Scale
AWS Transit Gateway — the hub you must master
At enterprise scale, VPC peering falls apart. You cannot peer 50 VPCs in a full mesh — the operational overhead is unmanageable and peering is non-transitive by design. Transit Gateway (TGW) solves this by acting as a regional, managed hub. Know these specifics cold:
- TGW supports route tables per attachment. You can isolate spoke VPCs so they can only reach shared services, not each other — this is the "hub-and-spoke with segmentation" pattern the exam loves.
- TGW peering extends the hub across regions. It is static routing only — no BGP between TGW peers.
- AWS Resource Access Manager (RAM) is how you share a TGW across Organization accounts. Questions will test whether you know RAM is required — you cannot attach a TGW from account A to a VPC in account B without RAM.
- For on-premises connectivity, TGW integrates with Site-to-Site VPN (ECMP across multiple tunnels for up to 50 Gbps aggregate) and with Direct Connect via a Direct Connect Gateway.
Direct Connect — when bandwidth and latency are non-negotiable
The exam will describe a scenario with consistent sub-millisecond latency requirements or multi-gigabit throughput to on-premises. The answer is Direct Connect, not VPN. Know the difference between a hosted connection (provisioned by an APN partner, speeds from 50 Mbps to 10 Gbps) and a dedicated connection (1 Gbps or 10 Gbps directly from AWS). For resilience, the blueprint expects you to recommend two Direct Connect connections from separate locations — and a Site-to-Site VPN as a cold backup.
AWS PrivateLink and endpoint strategies
When a shared-services account needs to expose an internal service to hundreds of spoke accounts without routing their entire VPCs together, PrivateLink is the answer. An interface VPC endpoint creates an ENI in the consumer VPC — traffic never crosses the public internet and never requires VPC peering. Know that PrivateLink works for your own services (via Network Load Balancer) and for AWS services alike.
1.2 Prescribing Security Controls Across Accounts
AWS Organizations and Service Control Policies
SCPs are the architectural guardrail that distinguishes a professionally designed multi-account environment from an ad-hoc one. Key exam points:
- SCPs are permission boundaries for the account, not grants. An SCP that allows
s3:*does not give any IAM principal S3 access — it only sets the ceiling. The actual IAM policy must still grant it. - SCPs apply to every principal in the account except the management account itself. Exam scenarios will try to trick you into thinking an SCP will protect the management account — it will not.
- The deny-list strategy (allow
*at root, deny specific actions in child OUs) versus the allow-list strategy (deny*at root, allow specific services in child OUs) is a real architectural decision. The exam will give you a scenario and ask which is appropriate. Allow-list is safer but more operationally intensive.
AWS Control Tower
Control Tower automates the setup of a well-architected multi-account environment. The exam tests conceptual understanding, not console steps. Know that Control Tower uses guardrails (which are either SCPs or AWS Config rules), that it provisions accounts via Account Factory, and that it creates a Log Archive account and an Audit account by default. If a question asks how to enforce a new compliance rule across all existing Control Tower accounts simultaneously, the answer involves updating the guardrail — not manually applying Config rules account by account.
Cross-account IAM roles and trust policies
The professional exam expects you to design least-privilege cross-account access precisely. Know that sts:AssumeRole with an external ID prevents the confused deputy problem when a third party assumes a role in your account. Know that permission boundaries on IAM roles cap what a role can do even if its policy grants more — useful when you delegate role creation to developers.
1.3 Reliable and Resilient Architectures for Complex Organizations
Multi-account patterns for resilience
Account-level isolation is a resilience pattern, not just a security one. Service quota limits, API throttling, and blast radius all improve when workloads are separated into dedicated accounts. The exam will present a company whose production environment is being throttled by a runaway batch workload — the correct long-term answer is account separation, not just IAM restrictions.
Route 53 for cross-account DNS
In a multi-account setup, centralized DNS is usually hosted in a shared-services account. A spoke account that needs to resolve private hosted zone records from the central account must use Route 53 Resolver with inbound and outbound endpoints, and the private hosted zone must be associated with the spoke VPC via a cross-account association (using RAM or CLI commands). This is an operational detail the exam tests at the professional level.
Data residency and compliance boundaries
The exam will describe a multinational company with data residency requirements in specific countries. Architectural answers should include: SCPs that deny any action creating resources outside approved regions (aws:RequestedRegion condition key), separate OUs per regulatory boundary, and CloudTrail organization trails that log to a centralized, immutable S3 bucket in the security account.
Sample Questions
Question 1
A company has 80 AWS accounts managed under AWS Organizations. The security team requires that no account — including those owned by senior engineers — can disable AWS CloudTrail logging in any account. The management account must be excluded from this control. What is the MOST operationally efficient solution?
- A) Create an IAM permission boundary in every account that denies
cloudtrail:StopLogging - B) Apply an SCP to the Root OU that denies
cloudtrail:StopLogging, and move all non-management accounts under this OU - C) Enable AWS Config in all accounts with a rule that reverts CloudTrail changes
- D) Use AWS Control Tower to apply a guardrail that denies
cloudtrail:StopLoggingon the root OU
Correct answer: B. An SCP at the Root OU (excluding the management account, which SCPs cannot govern) is the most operationally efficient preventative control. Option D is plausible but Control Tower guardrails are applied per-OU from within the Control Tower console and are not equivalent to a manually crafted SCP at root — and Control Tower was not mentioned as the existing framework. Option C is detective, not preventative. Option A requires per-account operations at scale.
Question 2
A company uses a single Transit Gateway in a hub-and-spoke model across 40 VPCs. The security team requires that production VPCs can reach the shared-services VPC but cannot communicate with development VPCs. What is the correct TGW configuration?
- A) Use VPC peering between production and shared-services only; remove all TGW attachments for dev VPCs
- B) Create separate TGW route tables for production and development; associate each with the correct attachments; propagate only shared-services routes into both tables
- C) Apply NACLs on all development VPC subnets to deny traffic from production CIDR ranges
- D) Create a second Transit Gateway for development VPCs and peer it to the production TGW without route propagation
Correct answer: B. TGW route table segmentation is precisely designed for this pattern. Option A abandons the scalable hub model. Option C requires maintaining CIDR-based NACLs at scale — fragile and operationally heavy. Option D adds cost and complexity without solving the routing problem cleanly.
What the Exam Actually Tests — Common Traps
- SCPs don't protect the management account. Any scenario asking you to restrict what the management account can do requires a different control (IAM policies on the root user, or simply not using the management account for workloads).
- VPC peering is never the right answer at scale. If the scenario has more than ~5 VPCs and mentions growth, TGW is expected.
- RAM is required for cross-account TGW sharing. Forgetting RAM is the single most common wrong answer in network connectivity questions.
- PrivateLink vs. VPC peering. If the consuming VPCs should not have routed access to the provider VPC's full address space, PrivateLink is the answer. Peering exposes everything.
- Detective vs. preventative controls. AWS Config rules detect and can remediate, but they are not preventative. SCPs and IAM are preventative. The exam will ask for one or the other — read carefully.
- Direct Connect resilience requires two separate physical locations. Two connections to the same DX location is not sufficient for high availability against a facility outage.
Study Recommendations for Domain 1
Build a multi-account lab in AWS Organizations with at least three accounts — management, shared-services, and workload. Manually create a TGW, share it via RAM, attach VPCs from different accounts, and configure isolated route tables. There is no substitute for having seen the console and the routing behavior firsthand. For SCPs, write a deny policy, apply it, and then test it by attempting the denied action — the experience of seeing the explicit deny in action is what makes it stick.
Complement lab work with the AWS whitepaper Organizing Your AWS Environment Using Multiple Accounts and the AWS Transit Gateway Network Manager documentation. For Control Tower, the AWS Control Tower User Guide section on guardrails is required reading.
Practice full-length SAP-C02 exams on CertLand to see how Domain 1 questions are woven into multi-domain scenarios — the exam regularly combines a network connectivity constraint with a cost optimization or reliability requirement in the same question stem.
Comments
No comments yet. Be the first!
Comments are reviewed before publication.