AWS Certified Solutions Architect - Professional (SAP-C02): Complete Study Guide 2026
Complete 2026 study guide for AWS Certified Solutions Architect - Professional (SAP-C02). Covers all domains, sample questions, free resources, and next certification recommendations.
The AWS Certified Solutions Architect – Professional (SAP-C02) is the hardest architect-track certification AWS offers — and one of the most respected credentials in cloud computing. It validates that you can design complex, multi-account AWS environments, lead migration programs, and make cost-performance trade-offs across an enterprise portfolio. If you hold the Associate-level SAA-C03, this is the natural next step. If you're sitting for it cold, expect a steep climb.
This guide gives you a direct path through all four domains in four weeks or less. No padding, no fluff — just what you need to pass on the first attempt.
Exam At a Glance
- Exam code: SAP-C02
- Questions: 75 (multiple choice and multiple response)
- Duration: 180 minutes
- Passing score: 750 / 1000
- Prerequisite: Recommended 5+ years hands-on AWS experience; SAA-C03 strongly advised first
- Cost: $300 USD
- Validity: 3 years
The exam is scenario-heavy. Almost every question drops you into a real business situation — a retail company facing peak-season traffic, a healthcare org with strict compliance mandates, a startup migrating a legacy monolith — and asks you to choose the most operationally excellent or most cost-effective solution. "Most" is the key word. Multiple answers will technically work; only one fits all the constraints in the scenario.
Domain 1: Design Solutions for Organizational Complexity (26%)
This is the exam's heaviest domain by weight, and it tests the skills that separate a senior architect from a mid-level one: operating at enterprise scale across dozens of accounts, business units, and regulatory regimes.
Key subtopics
- Multi-account strategies: AWS Organizations, Service Control Policies (SCPs), delegated administrator accounts, and account vending via AWS Control Tower and Account Factory for Terraform (AFT). Know how SCPs layer with IAM policies — an SCP cannot grant permissions, only restrict them.
- Network connectivity at scale: AWS Transit Gateway (TGW) topologies — hub-and-spoke vs. full mesh, TGW route tables, route propagation, and TGW peering across regions. AWS PrivateLink for service exposure without VPC peering. AWS Direct Connect + Site-to-Site VPN as redundant hybrid paths.
- Centralized security controls: AWS Security Hub with aggregated findings, Amazon GuardDuty with Organization-level enablement, AWS Config with conformance packs deployed via Organizations. Understand the difference between detective (GuardDuty, Security Hub) and preventive (SCPs, Permission Boundaries) controls.
- Cost visibility: AWS Cost Explorer, AWS Budgets, Cost Allocation Tags, and Savings Plans vs. Reserved Instances trade-offs across a large fleet. Compute Optimizer recommendations for right-sizing.
Study tip: Draw a Transit Gateway topology on paper. Include 3 spoke VPCs, a shared-services VPC, and a Direct Connect gateway. Walk through which route tables allow which traffic. Exam questions on this topic reward candidates who have internalized the routing model, not just the service names.
Domain 2: Design for New Solutions (29%)
The largest domain. You'll design greenfield architectures from requirements — performance targets, RTO/RPO, compliance constraints, budget ceilings — and justify every choice. This domain is where SAP-C02 earns its "Professional" label.
Key subtopics
- Deployment strategies: Blue/green deployments with Route 53 weighted routing or ALB target group swaps. Canary and linear deployments via AWS CodeDeploy. Feature flags with AWS AppConfig. Know when to use each and what the rollback story is.
- Business continuity: Multi-region active-passive vs. active-active trade-offs. Route 53 Application Recovery Controller (ARC) for zonal shift. AWS Resilience Hub for RTO/RPO modeling. Pilot light vs. warm standby vs. multi-site active patterns — and their cost implications.
- Security for new workloads: Encryption at rest with AWS KMS CMKs vs. AWS-managed keys. Secrets Manager rotation strategies. VPC endpoint policies. Amazon Macie for S3 data classification. IAM Access Analyzer to validate resource policies before deployment.
- Performance and reliability: Amazon ElastiCache (Redis vs. Memcached) for read-heavy workloads. DynamoDB capacity modes — on-demand vs. provisioned with auto-scaling. Global Tables for multi-region writes. SQS vs. SNS vs. EventBridge for decoupled architectures.
- Cost optimization for new builds: Spot Instances with Spot Fleet / EC2 Auto Scaling mixed instances policy. Graviton3 processor families for compute-intensive workloads. S3 Intelligent-Tiering for unpredictable access patterns. Lambda Power Tuning for serverless cost profiling.
Domain 3: Continuous Improvement for Existing Solutions (25%)
This domain tests your ability to walk into someone else's architecture and make it better — more reliable, more secure, more efficient — without tearing it down. Expect questions with legacy constraints ("the application cannot be modified") that force creative architectural solutions.
Key subtopics
- Operational excellence improvements: AWS Systems Manager — Patch Manager, Session Manager (eliminating bastion hosts), OpsCenter for incident tracking, and Automation runbooks. CloudWatch Contributor Insights for high-cardinality log analysis. AWS Trusted Advisor checks for operational hygiene.
- Security posture improvements: Remediating findings from Security Hub with EventBridge + Lambda auto-remediation pipelines. Using AWS Config rules with auto-remediation. Rotating long-lived IAM access keys to short-lived STS credentials via IAM roles.
- Performance optimization: Amazon CloudFront with Lambda@Edge vs. CloudFront Functions — know the latency/capability trade-off. RDS Performance Insights for query-level database bottlenecks. EBS volume type migrations (gp2 → gp3) for IOPS/throughput improvements at lower cost.
- Reliability improvements: Converting single-AZ deployments to multi-AZ without downtime. Implementing health checks and automated failover. Adding SQS dead-letter queues to catch processing failures. AWS Fault Injection Simulator (FIS) for chaos engineering validation.
- Cost optimization for existing workloads: S3 Lifecycle policies, S3 Storage Lens for usage analysis, RDS Reserved Instance coverage analysis, and identifying idle or underutilized resources with AWS Cost Explorer and Compute Optimizer.
Domain 4: Accelerate Workload Migration and Modernization (20%)
Migration questions are scenario-rich and test process as much as technology. AWS has a well-defined migration methodology — the 7 Rs — and the exam expects you to know which strategy applies to which business constraint.
Key subtopics
- The 7 Rs framework: Retire, Retain, Rehost (lift-and-shift), Relocate (VMware on AWS), Repurchase (move to SaaS), Replatform (lift-and-optimize), and Refactor/Re-architect. The exam frequently tests the boundary between Replatform and Refactor — know the cost and risk profile of each.
- Migration tooling: AWS Application Migration Service (MGN) for server replication and cutover. AWS Database Migration Service (DMS) with Schema Conversion Tool (SCT) for heterogeneous database migrations (Oracle → Aurora PostgreSQL). AWS DataSync for large-scale file migrations. AWS Snow family (Snowball Edge, Snowmobile) for offline bulk data transfer.
- Modernization patterns: Decomposing monoliths into microservices using Amazon ECS or EKS. Replacing synchronous API calls with asynchronous event-driven patterns (SNS/SQS/EventBridge). Migrating batch workloads to AWS Batch or Step Functions. Moving session state from application servers to ElastiCache.
- Selecting workloads for migration: Migration Evaluator (formerly TSO Logic) for business case modeling. AWS Migration Hub for tracking migration status across accounts. Portfolio assessment using the six business drivers: cost, agility, security, compliance, performance, and operational resilience.
Sample Questions
Question 1 — Easy
A company uses a single AWS account. The security team needs to ensure that no IAM user in any team can disable AWS CloudTrail logging across the organization. The company recently enrolled in AWS Organizations. What is the MOST operationally efficient solution?
- A) Create an IAM policy denying
cloudtrail:StopLoggingand attach it to every IAM user. - B) Enable AWS Config with a rule that detects when CloudTrail is disabled and triggers a Lambda to re-enable it.
- C) Create a Service Control Policy (SCP) denying
cloudtrail:StopLoggingand attach it to the root of the organization. - D) Use AWS Control Tower to deploy a mandatory guardrail that prevents CloudTrail from being disabled.
Correct answer: C
Explanation: An SCP attached to the organization root applies to every account and every principal (including root users) in the organization, with no per-user maintenance. Option A requires updating every IAM user — operationally expensive and incomplete (it misses future users). Option B is detective and reactive, not preventive. Option D is valid if Control Tower is already deployed, but deploying Control Tower just for this control is disproportionate and slower than an SCP. SCPs are the lightest-weight, broadest-reach preventive control in a multi-account organization.
Question 2 — Medium
A financial services company runs a trading platform on EC2 instances behind an Application Load Balancer. Latency spikes occur every day at market open (9:30 AM). Auto Scaling takes 4–6 minutes to launch and warm new instances, which is too slow. The company cannot change the application code. What should the solutions architect recommend?
- A) Switch from an ALB to a Network Load Balancer for lower latency.
- B) Configure a scheduled scaling action to pre-warm capacity before 9:30 AM.
- C) Enable dynamic scaling with a target tracking policy based on ALB request count.
- D) Use AWS Lambda behind the ALB to handle the burst traffic at market open.
Correct answer: B
Explanation: The problem is predictable — market open is the same time every day. Scheduled scaling launches instances in advance, so capacity is ready before the spike hits. Dynamic scaling (Option C) is reactive by definition — it fires after CloudWatch detects elevated metrics, which still takes several minutes. Switching to NLB (Option A) reduces connection latency by milliseconds but does nothing for compute capacity. Lambda (Option D) would require application code changes, which the constraint forbids. When the demand pattern is predictable, scheduled scaling is always preferable to reactive scaling.
Question 3 — Hard
A global e-commerce company operates in us-east-1 and eu-west-1. They use DynamoDB Global Tables for the product catalog and Aurora PostgreSQL for order processing in us-east-1 only. RTO is 15 minutes and RPO is 1 minute for the order database. A major incident takes down us-east-1 entirely. Which combination of actions meets the recovery objectives at the LOWEST cost? (Select TWO)
- A) Promote an Aurora read replica in eu-west-1 to a standalone cluster.
- B) Restore Aurora from an automated backup stored in an S3 cross-region copy in eu-west-1.
- C) Use Aurora Global Database with a managed planned/unplanned failover to eu-west-1.
- D) Deploy a full active Aurora cluster in eu-west-1 and use synchronous multi-master replication.
- E) Configure Route 53 health checks to automatically reroute order traffic to eu-west-1 after failover.
Correct answers: C and E
Explanation: Aurora Global Database replicates with typical lag under 1 second, satisfying the 1-minute RPO. Managed failover to the secondary region completes in under 1 minute for the database layer, well within the 15-minute RTO. Option A (cross-region read replica promotion) takes 15–20 minutes and has higher replication lag — it risks violating both objectives. Option B (restore from backup) takes 30–60 minutes minimum — far outside the RTO. Option D meets RPO but Aurora multi-master does not span regions; this is a distractor conflating multi-AZ with multi-region. Route 53 health checks (Option E) are required to redirect application traffic after the database failover completes — without them, the application still sends requests to the failed region. Together, C and E form the complete, lowest-cost solution: Global Database is cheaper than running a full active-active cluster (Option D) while still meeting both RTO and RPO.
Free Resources from AWS
- Official exam guide: The SAP-C02 exam guide PDF lists every domain, task statement, and in-scope AWS service. Print it and use it as your study checklist.
- AWS Skill Builder — Exam Prep Official Course: Free with an AWS account. Covers all four domains with practice question sets.
- AWS Well-Architected Framework whitepapers: The six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability) are foundational to how the exam evaluates every answer. Read the framework overview and the Reliability and Cost Optimization pillar whitepapers in full.
- AWS Architecture Blog: Real-world architecture case studies. Pay particular attention to multi-account, hybrid networking, and migration posts from the past 18 months.
- AWS re:Invent sessions on YouTube: Search "re:Invent 2023 Transit Gateway," "re:Invent 2024 multi-account strategies," and "re:Invent 2024 migration." These 400-level sessions go deeper than any prep course.
4-Week Study Plan
| Week | Focus | Activities |
|---|---|---|
| Week 1 | Domains 1 & 4 | Transit Gateway labs, multi-account Organizations setup, MGN migration walkthrough |
| Week 2 | Domain 2 | Design 3 greenfield architectures from scratch using Well-Architected pillars as criteria |
| Week 3 | Domain 3 + gaps | Review existing architecture case studies, Systems Manager labs, Cost Explorer analysis |
| Week 4 | Practice exams | Full timed practice exams, review every wrong answer against the official exam guide task statements |
Recommended Next Certifications
Passing SAP-C02 puts you in rare company. Here's where to go next depending on your career direction:
- AWS Certified Security – Specialty (SCS-C02): Deepens the security controls you applied at a high level in SAP-C02. Covers KMS key policies, Detective, Macie, and compliance automation in far greater depth. Ideal if your role touches compliance or you want to move into cloud security architecture.
- AWS Certified Advanced Networking – Specialty (ANS-C01): Extends the Transit Gateway and Direct Connect knowledge from Domain 1 into BGP routing, DNS resolution patterns, and high-availability VPN architectures. Essential for architects owning hybrid connectivity.
- HashiCorp Terraform Associate / Professional: SAP-C02 assumes you can design infrastructure; Terraform certifications prove you can codify it. Infrastructure-as-code skills are non-negotiable at the enterprise level where SAP-C02 lives.
- Google Cloud Professional Cloud Architect or Microsoft AZ-305: Multi-cloud fluency is increasingly expected at the staff architect level. If your organization uses a second cloud, certification in that platform compounds the value of your AWS credentials significantly.
Final Advice
SAP-C02 rewards architects who have made real decisions under real constraints. If you can, spend time in the AWS console building the topologies you're studying — a two-hour Transit Gateway lab will do more for your recall than four hours of flashcards. When you practice questions, don't just identify the right answer; articulate in one sentence why each wrong answer is wrong. That habit is exactly what the exam is testing.
Good luck — and when you pass, the SAP-C02 badge is one worth displaying.
🎯 Free readiness check
Are you ready for AWS Certified Solutions Architect Professional - SAP-C02?
Free diagnostic scores your weak domains and builds a personalized study plan.
📝 Practice exam
AWS Certified Solutions Architect Professional - SAP-C02
questions · Hard
Comments
No comments yet. Be the first!
Comments are reviewed before publication.