CertPrepNow
AWS SAP-C02 (updated 2026-05-27)

SAP-C02 Study Guide

Everything you need to pass the AWS Certified Solutions Architect – Professional exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The SAP-C02 is one of the hardest AWS exams, but it can be passed without expensive prep courses:

  • AWS official exam guide and sample questions (free)
  • AWS Well-Architected Framework whitepapers (free)
  • AWS re:Invent session recordings on YouTube (free)
  • 500+ free practice questions on this site

Professional-level exams benefit greatly from real-world AWS experience. Hands-on practice with AWS services is highly recommended.

Choose Your Study Path

You hold the Solutions Architect Associate and want to advance to Professional level.

Week 1–2: Multi-account strategies: AWS Organizations, Control Tower, SCPs, cross-account access patterns, centralized logging
Week 3–4: Advanced networking: Transit Gateway, Direct Connect with VPN backup, PrivateLink, hybrid DNS, multi-Region VPC design
Week 5–6: Migration strategies (6 Rs), AWS Migration Hub, DMS, SCT, Application Discovery Service, large-scale data transfer
Week 7–8: Advanced HA/DR: multi-Region active-active, RPO/RTO optimization, disaster recovery automation with CloudFormation/CDK
Week 9–10: Cost optimization at scale, Reserved Instance management across accounts, Compute Optimizer, rightsizing strategies
Week 11–12: Mock exams (target 75%+), review complex multi-service scenarios, practice elimination technique for 3-4 plausible answers

Exam Overview

Format

75 questions, 180 minutes. Multiple choice (4 options, 1 correct) and multiple response (5–6 options, 2–3 correct).

Scoring

Scaled score 100–1000. Passing: 750. No penalty for wrong answers — always guess if unsure.

Domains & Weights

  • Design Solutions for Organizational Complexity: 26%
  • Design for New Solutions: 29%
  • Continuous Improvement for Existing Solutions: 25%
  • Accelerate Workload Migration and Modernization: 20%

Registration

$300 USD. Available at Pearson VUE testing centers or online proctored from home.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): Deeply tested across all domains. You need to understand architecture patterns, not just what the services do.
Tier 2 (Should Know): Important for specific scenarios. Expect 2-4 questions involving each.
Tier 3 (Recognize Only): Specialty services appearing in 1-2 questions. Know the use case and when to choose them.

Domain 1 (26% of exam)

Design Solutions for Organizational Complexity

Tests your ability to design multi-account architectures, cross-account access patterns, and network connectivity for complex organizations. This is the domain that most distinguishes Professional from Associate — it's about enterprise-scale governance, not individual service knowledge.

Key Topics

AWS Organizations, Control Tower, SCPs, Transit Gateway, Direct Connect, RAM, IAM Identity Center, Service Catalog, CloudFormation StackSets

Must-Know Concepts

  • Multi-account strategy: separate accounts by environment, workload, team, or compliance boundary
  • SCP design: deny-list vs allow-list approach, inheritance through OUs, interaction with IAM policies
  • Cross-account access: IAM roles with trust policies, resource-based policies, RAM for resource sharing
  • Network topology: Transit Gateway hub-and-spoke, shared VPC (RAM), network segmentation via TGW route tables
  • Hybrid DNS: Route 53 Resolver (inbound/outbound endpoints), forwarding rules, private hosted zone associations
  • Centralized logging and security: CloudTrail org trail, Config Aggregator, Security Hub delegated admin, GuardDuty org

Common Exam Traps

An SCP applied to an OU affects all accounts in that OU AND all child OUs — inheritance cascades down
The management account is NOT affected by SCPs — never run workloads in the management account
RAM shared subnets allow resources from different accounts to be in the same subnet but each account still controls its own resources
Transit Gateway route table segmentation can isolate VPCs — not all attachments need to reach all other attachments
Quick Check: Design Solutions for Organizational Complexity

Question 1 of 3

A company with 200 AWS accounts needs to prevent any account from launching EC2 instances outside of approved Regions (us-east-1 and eu-west-1). Some accounts in the Security OU need global service access (IAM, CloudFront, Route 53). What is the MOST effective solution?

Domain 2 (29% of exam)

Design for New Solutions

The heaviest domain at 29%. Tests your ability to design new architectures that meet complex business requirements — multi-Region, high availability, security, and performance at scale. Think of this as SAA on hard mode: longer scenarios, more constraints, and multiple valid-looking answers where you must pick the BEST.

Key Topics

Aurora Global Database, DynamoDB Global Tables, API Gateway, Lambda, ECS/EKS, CloudFront, Route 53, Step Functions, EventBridge, Kinesis

Must-Know Concepts

  • Multi-Region active-active: DynamoDB Global Tables, Aurora Global Database, Route 53 latency routing, CloudFront
  • Event-driven architecture: EventBridge for cross-account events, Step Functions for orchestration, SQS for buffering
  • Microservices patterns: API Gateway + Lambda, ECS/EKS with service mesh, async communication via SQS/SNS
  • Data lake architecture: S3 + Glue + Athena + Lake Formation for governance, Redshift for analytics
  • Serverless at scale: Lambda concurrency management, API Gateway throttling, SQS as buffer for spiky workloads
  • Security by design: encryption everywhere, least privilege, network isolation, secrets rotation

Common Exam Traps

DynamoDB Global Tables provide multi-Region active-active with last-writer-wins conflict resolution in their default mode, so concurrent writes to the same item in two Regions silently lose one update. A newer opt-in multi-Region strong consistency mode exists, but exam scenarios that mention Global Tables generally assume the default eventually consistent behaviour; for strict consistency on the exam, look for a single writer Region or conditional writes.
API Gateway limits: 10,000 requests/second account-level default with a 5,000-request burst (a soft limit, can be raised); the integration timeout defaults to 29 seconds. Since 2024 it can be raised above 29 seconds for Regional and private REST APIs, but a Lambda that needs longer than that is usually a sign the work belongs in an asynchronous flow (SQS, Step Functions).
Step Functions Standard vs Express: Standard for long-running (up to a year), exactly-once execution. Express for high-volume, at-least-once (asynchronous) execution under 5 minutes.
Aurora Serverless v2 scales in 0.5 ACU increments, so it suits variable workloads. It bills the configured minimum ACUs even when idle unless you enable the newer automatic pause to 0 ACUs (available since late 2024), which trades a resume delay for zero idle cost.
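To make the last-writer-wins trap concrete, here is an added example (not part of the original guide, and a toy model rather than the DynamoDB API). Two Regions each increment a counter after reading the same value; last-writer-wins replication converges but drops one increment. The second function shows the alternative the exam expects for strict consistency: route writes to one Region and use a conditional write with an optimistic-locking retry. Region names, keys and values are constructed for illustration.

```python
"""Last-writer-wins replication (the DynamoDB Global Tables default) loses
concurrent updates; a conditional write against a single writer Region does not.
Added example, not from the guide: the replica is a toy model, not the DynamoDB
API, and the Region names, keys and values are constructed."""
import itertools

_clock = itertools.count(1)  # deterministic stand-in for the write timestamps LWW compares


class Replica:
    """One Region's copy of a table; every item carries (timestamp, value)."""

    def __init__(self, region):
        self.region = region
        self.items = {}

    def get(self, key):
        return self.items[key][1] if key in self.items else None

    def put(self, key, value):
        self.items[key] = (next(_clock), value)

    def replicate_from(self, peer):
        """Apply the peer's items with last-writer-wins: a newer timestamp overwrites."""
        for key, (ts, value) in peer.items.items():
            if key not in self.items or ts > self.items[key][0]:
                self.items[key] = (ts, value)

    def conditional_increment(self, key, expected):
        """Optimistic concurrency: succeed only if the value is still the one the
        caller read (a ConditionExpression-style write). Returns True on success."""
        if self.get(key) != expected:
            return False
        self.put(key, expected + 1)
        return True


def lww_lost_update():
    """Two Regions each increment a counter after reading the same value; after
    replication both agree on 11 although two increments happened."""
    us, eu = Replica("us-east-1"), Replica("eu-west-1")
    us.put("orders", 10)
    eu.replicate_from(us)
    us.put("orders", us.get("orders") + 1)   # reads 10, writes 11
    eu.put("orders", eu.get("orders") + 1)   # also reads 10, also writes 11 (newer timestamp)
    us.replicate_from(eu)
    eu.replicate_from(us)
    return us.get("orders"), eu.get("orders")   # converged, but one update is gone


def single_writer_conditional():
    """Route all writes to one Region and use a conditional write; the second writer's
    stale precondition fails and it retries after re-reading, so no increment is lost."""
    us = Replica("us-east-1")
    us.put("orders", 10)
    seen_by_a = us.get("orders")
    seen_by_b = us.get("orders")
    a_ok = us.conditional_increment("orders", seen_by_a)            # 10 -> 11
    b_first_try = us.conditional_increment("orders", seen_by_b)     # fails: value is 11, not 10
    b_retry = us.conditional_increment("orders", us.get("orders"))  # re-read 11 -> 12
    return us.get("orders"), a_ok, b_first_try, b_retry


if __name__ == "__main__":
    print("LWW global table:", lww_lost_update())
    print("single writer   :", single_writer_conditional())
```

The point of the contrast is that both replicas in the first function end up equal, so nothing in the data itself reveals the lost update; only the write pattern (single writer plus conditional write, or a strongly consistent store) prevents it.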
Quick Check: Design for New Solutions

Question 1 of 3

A global SaaS company needs to serve API requests from users worldwide with <100ms latency. The backend processes orders that require strong consistency. Data must be replicated across 3 Regions for DR. Which architecture meets ALL requirements?

Domain 3 (25% of exam)

Continuous Improvement for Existing Solutions

Tests your ability to improve existing architectures for performance, cost, reliability, and operational efficiency. Key theme: you're given a working-but-suboptimal architecture and must identify the best improvement. This domain rewards real-world experience with optimization.

Key Topics

CloudWatch, X-Ray, Compute Optimizer, Cost Explorer, Trusted Advisor, Auto Scaling, ElastiCache, CloudFront, Config, Systems Manager

Must-Know Concepts

  • Performance optimization: identify bottlenecks (CloudWatch, X-Ray), add caching (ElastiCache, CloudFront, DAX), right-size resources
  • Cost optimization: Compute Optimizer recommendations, RI/Savings Plan coverage, S3 lifecycle policies, idle resource detection
  • Operational improvement: Systems Manager for patching/automation, CloudFormation drift detection, Config compliance
  • Reliability improvement: add Multi-AZ, implement health checks, convert to stateless design, add circuit breakers
  • Modernization patterns: strangler fig (incremental migration), decompose monolith to microservices, containerize for portability
  • Monitoring and observability: CloudWatch dashboards, composite alarms, X-Ray for distributed tracing, Contributor Insights

Common Exam Traps

Auto Scaling cooldown period prevents rapid scale-in/out. If scaling is too slow, check cooldown and warm-up settings first
CloudWatch metric resolution: EC2 basic monitoring = 5 min, EC2 detailed monitoring = 1 min, high-resolution custom metrics = down to 1 sec. Alarms can only react as fast as the metric they watch, so match the resolution to the required reaction time.
ElastiCache write-through vs lazy-loading: write-through keeps cache fresh (higher write latency), lazy-loading may serve stale data
Cost Explorer shows past spend. Compute Optimizer and Trusted Advisor recommend changes. Budgets alert on thresholds. Different tools, different purposes.
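The write-through vs lazy-loading trap is easiest to see with the stale-read window made explicit. The following is an added example, not code from the guide: an in-memory dict stands in for RDS, a TTL dict for ElastiCache, and time is a manual counter so the expiry is deterministic. It also includes the cheap middle option the exam likes (lazy loading with invalidation on write); the key names, prices and 60-second TTL are constructed.

```python
"""Lazy-loading vs write-through caching in front of a database, with the stale-read
window made visible. Added example, not from the guide: the database and cache are
in-memory dicts standing in for RDS and ElastiCache, and time is a manual counter
so the TTL behaviour is deterministic."""


class FakeClock:
    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class Database:
    def __init__(self):
        self.rows = {}
        self.reads = 0   # counts database round-trips, the cost a cache is meant to cut

    def read(self, key):
        self.reads += 1
        return self.rows.get(key)

    def write(self, key, value):
        self.rows[key] = value


class Cache:
    """TTL cache: an entry expires `ttl` seconds after it was set."""

    def __init__(self, clock, ttl):
        self.clock, self.ttl, self.entries = clock, ttl, {}

    def get(self, key):
        entry = self.entries.get(key)
        if entry is None or entry[0] <= self.clock.now:
            return None
        return entry[1]

    def set(self, key, value):
        self.entries[key] = (self.clock.now + self.ttl, value)

    def delete(self, key):
        self.entries.pop(key, None)


class LazyLoading:
    """Read: cache first; on a miss read the database and populate the cache.
    Write: database only, so the cached copy is stale until its TTL expires."""

    def __init__(self, db, cache):
        self.db, self.cache = db, cache

    def get(self, key):
        value = self.cache.get(key)
        if value is None:
            value = self.db.read(key)
            if value is not None:
                self.cache.set(key, value)
        return value

    def update(self, key, value):
        self.db.write(key, value)


class LazyLoadingWithInvalidation(LazyLoading):
    """Cheapest fix for the stale window: evict the key on write; the next read reloads it."""

    def update(self, key, value):
        self.db.write(key, value)
        self.cache.delete(key)


class WriteThrough(LazyLoading):
    """Write: database and cache together; readers never see a stale value, at the
    cost of extra write latency and cache churn for keys nobody reads."""

    def update(self, key, value):
        self.db.write(key, value)
        self.cache.set(key, value)


def run(strategy, ttl=60):
    """Returns (first read, read right after an update, read after TTL expiry, DB reads)."""
    clock, db = FakeClock(), Database()
    svc = strategy(db, Cache(clock, ttl))
    db.write("price:sku-42", 100)
    first = svc.get("price:sku-42")          # miss: loads from DB, populates cache
    svc.update("price:sku-42", 80)           # price change
    after_update = svc.get("price:sku-42")   # plain lazy loading still serves 100 here
    clock.advance(ttl)                       # TTL elapses
    after_ttl = svc.get("price:sku-42")
    return first, after_update, after_ttl, db.reads


if __name__ == "__main__":
    for strategy in (LazyLoading, LazyLoadingWithInvalidation, WriteThrough):
        print(f"{strategy.__name__:28}", run(strategy))
```

Read the four-tuple left to right: plain lazy loading returns the old price immediately after the update and only recovers when the TTL runs out; invalidation and write-through both return the new price, invalidation paying with one extra database read and write-through with the extra cache write on every update.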
Quick Check: Continuous Improvement for Existing Solutions

Question 1 of 3

A company's web application has response times that spike to 5 seconds during peak hours. The architecture is: ALB → EC2 Auto Scaling Group → RDS MySQL. CloudWatch shows EC2 CPU at 40% during spikes, but RDS CPU at 95%. What is the MOST effective improvement?

Domain 4 (20% of exam)

Accelerate Workload Migration and Modernization

Tests your ability to plan and execute migrations of on-premises workloads to AWS. Key themes: the 6 Rs migration strategies, database migration (DMS/SCT), large-scale data transfer, and post-migration optimization. You must know which tools and strategies fit which scenario.

Key Topics

Migration Hub, Application Discovery Service, DMS, SCT, MGN (Application Migration Service), DataSync, Snow Family, Transfer Family, VMware Cloud on AWS

Must-Know Concepts

  • 6 Rs: Rehost (lift-shift), Replatform (lift-tinker-shift), Repurchase (re-buy SaaS), Refactor (re-architect), Retire (decommission), Retain (keep on-prem)
  • Migration phases: Assess (Discovery Service) → Mobilize (plan, pilot) → Migrate (bulk) → Optimize (right-size, modernize)
  • Database migration: DMS for live replication, SCT for schema conversion, both together for heterogeneous migrations
  • Large data transfer decision tree: <10TB = internet/Direct Connect. 10-80TB = Snowball Edge. 80TB+ = multiple Snowball Edge devices in parallel (Snowmobile, the truck-sized option older material still lists, has been discontinued). The thresholds are rules of thumb; the real test is whether the network can finish before the deadline
  • Application Migration Service (MGN): automated rehost for VMs. Continuous replication + cutover with minimal downtime
  • Hybrid patterns during migration: Direct Connect + VPN, Storage Gateway for hybrid storage, Route 53 for gradual DNS cutover
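The decision tree above only works if you actually compute the network transfer time, which is the calculation most migration questions hinge on. Here is an added example (not from the guide) that does the arithmetic and applies the tree: the per-device usable capacity, the device round-trip time and the share of the link available for migration are assumptions for illustration, so check the current Snow Family specs and measure your own link before relying on the numbers.

```python
"""Transfer-time calculator behind the 'network vs Snow device' decision.
Added example, not from the guide. It follows the guide's rough decision tree; the
usable capacity per device, the device round-trip time and the link utilisation
are assumptions for illustration."""
import math

BITS_PER_TB = 8 * 10**12             # decimal TB, as AWS sizes storage
SECONDS_PER_DAY = 86_400
SNOWBALL_EDGE_USABLE_TB = 80         # assumption: usable capacity per storage-optimised device
SNOW_ROUND_TRIP_DAYS = 7             # assumption: order, ship, load, return, ingest


def network_transfer_days(data_tb, link_mbps, utilization=0.8):
    """Days to move data_tb over a link_mbps link when only `utilization` of it is
    available for the migration (the rest keeps carrying production traffic)."""
    if data_tb < 0 or link_mbps <= 0 or not 0 < utilization <= 1:
        raise ValueError("need data_tb >= 0, link_mbps > 0 and 0 < utilization <= 1")
    seconds = data_tb * BITS_PER_TB / (link_mbps * 10**6 * utilization)
    return seconds / SECONDS_PER_DAY


def choose_transfer(data_tb, link_mbps, deadline_days, utilization=0.8):
    """Use the network if it meets the deadline; otherwise ship enough Snowball Edge
    devices in parallel, if the device round trip itself fits the deadline.
    Returns a dict so the numbers behind the decision stay visible."""
    days = network_transfer_days(data_tb, link_mbps, utilization)
    if days <= deadline_days:
        method, devices = "network", 0
    elif SNOW_ROUND_TRIP_DAYS <= deadline_days:
        method, devices = "snowball-edge", math.ceil(data_tb / SNOWBALL_EDGE_USABLE_TB)
    else:
        method, devices = "no single option meets the deadline", 0
    return {"method": method, "network_days": round(days, 2), "devices": devices}


if __name__ == "__main__":
    # Constructed scenarios: (data in TB, link in Mbps, deadline in days)
    for data_tb, link_mbps, deadline in [(50, 1000, 14), (50, 100, 14), (500, 1000, 14), (500, 1000, 3)]:
        print(f"{data_tb:4} TB over {link_mbps:5} Mbps, {deadline:2} days ->",
              choose_transfer(data_tb, link_mbps, deadline))
```

The same 50 TB takes under six days on a 1 Gbps link at 80% utilisation but nearly two months on 100 Mbps, which is exactly the difference between "use Direct Connect" and "ship a device" in an exam scenario; the last case shows that a Snow device is not a free pass either, since its shipping round trip has to fit the deadline too.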

Common Exam Traps

MGN (Application Migration Service) replaced Server Migration Service (SMS). If you see SMS in an answer, it's likely outdated/wrong
DMS ongoing replication keeps source and target in sync — enables near-zero downtime cutover by switching DNS after sync
Snowball Edge has compute capability (EC2, Lambda) — can preprocess data before shipping to reduce transfer volume
Application Discovery Service has two modes: agentless (VMware only, basic info) and agent-based (detailed dependencies and performance)
Quick Check: Accelerate Workload Migration and Modernization

Question 1 of 3

A company needs to migrate a 50TB Oracle database to Aurora PostgreSQL with less than 1 hour of downtime. The database has complex stored procedures and triggers. Which combination of AWS services should they use?

Confusing AWS Services Compared

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Transit Gateway vs VPC Peering

Use Transit Gateway when…

You have 10+ VPCs to connect, need centralized routing, or need to connect VPNs and Direct Connect to multiple VPCs through a single hub.

Use VPC Peering when…

You have 2-3 VPCs to connect with simple, low-cost point-to-point connectivity. No transitive routing needed.

Exam trap

VPC Peering is NOT transitive and doesn't scale. Transit Gateway supports transitive routing, route tables for segmentation, and thousands of attachments. SAP questions almost always favor Transit Gateway for enterprise scenarios.

Direct Connect Gateway vs Transit Gateway + Direct Connect

Use Direct Connect Gateway when…

You need to connect on-premises to VPCs in multiple Regions via a single Direct Connect. Simple hub-spoke, no VPC-to-VPC traffic through DC.

Use Transit Gateway + Direct Connect when…

You need full any-to-any connectivity: on-premises to VPCs, VPC to VPC via on-premises, and centralized routing with segmentation.

Exam trap

Direct Connect Gateway alone does NOT allow VPC-to-VPC traffic through the connection. For that, attach Direct Connect to Transit Gateway.

Aurora Global Database vs RDS Cross-Region Read Replica

Use Aurora Global Database when…

You need multi-Region DR with <1 second replication lag and <1 minute RTO. Supports up to 5 secondary Regions with fast promote.

Use RDS Cross-Region Read Replica when…

You need cross-Region read scaling or DR for non-Aurora engines (MySQL, PostgreSQL, MariaDB). Asynchronous replication, manual promotion.

Exam trap

Aurora Global DB has purpose-built storage-level replication (<1s lag). RDS cross-Region replicas use standard async replication (seconds to minutes lag). For strict RPO requirements, choose Aurora Global.

AWS PrivateLink vs VPC Peering

Use AWS PrivateLink when…

You need to expose a specific service (API, NLB) to another VPC or account without exposing the entire network. One-directional, service-level.

Use VPC Peering when…

You need full network-level bidirectional connectivity between two VPCs — any resource can talk to any other resource.

Exam trap

PrivateLink works even when the two VPCs have overlapping CIDRs and exposes only the endpoint service, so the attack surface is minimal. VPC Peering requires non-overlapping CIDRs and exposes the whole network, constrained only by route tables, security groups and NACLs.

SCPs (Service Control Policies) vs IAM Permission Boundaries

Use SCPs (Service Control Policies) when…

You want to set maximum permissions at the ACCOUNT or OU level across an entire organization. Applied by management account.

Use IAM Permission Boundaries when…

You want to set maximum permissions for a specific IAM USER or ROLE. Typically used for delegated admin scenarios.

Exam trap

SCPs = organization-level guardrails (applied to accounts). Permission Boundaries = entity-level caps (applied to users/roles). Both restrict but don't grant. They stack: effective permissions = IAM policy ∩ Permission Boundary ∩ SCP.
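The intersection rule above, together with the Region-restriction SCP pattern from Domain 1 (the "approved Regions, but global services must keep working" scenario), is worth seeing executed rather than memorised. The block below is an added example, not code from the guide: a deny-list SCP modelled on the AWS-documented Region-restriction pattern, plus a deliberately simplified evaluator that applies SCPs, a permission boundary and an identity policy in IAM's order (any applicable explicit Deny wins, then every layer must Allow). It models only the policy elements these constructed policies use and ignores Resource, resource-based and session policies; the account ID, role names and the list of global services are assumptions.

```python
"""Policy layering model: effective permissions = SCP ∩ permission boundary ∩ identity policy.

Added example, not the guide's own code. It implements only the elements the
constructed policies below use (Effect, Action/NotAction, StringEquals,
StringNotEquals, ArnNotLike) and ignores Resource, resource-based policies and
session policies. Account IDs, role names and the global-service list are assumptions.
"""
import fnmatch

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]

# Deny-list SCP: block everything outside the approved Regions, except global
# services (STS has regional endpoints, so sts:AssumeRole can carry any Region)
# and a break-glass role identified by its ARN.
REGION_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                      "route53:*", "support:*", "budgets:*", "ce:*"],  # assumed list
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/OrgBreakGlass"]},
        },
    }],
}
# Organizations attaches this Allow-all SCP by default; SCPs never grant, but
# without an Allow in the SCP layer nothing is permitted at all.
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Permission boundary on a delegated developer role: caps it at EC2, S3 and STS.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "sts:*"],
                                     "Resource": "*"}]}
# Identity policy on the same role: deliberately broader than the boundary.
DEVELOPER_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow",
                                   "Action": ["ec2:*", "s3:*", "sts:*", "iam:CreateRole"],
                                   "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(conditions, ctx):
    """Negated operators (StringNotEquals, ArnNotLike) are true when the key is absent,
    as in IAM; positive operators require the key to be present."""
    for op, pairs in conditions.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual is None or actual not in _as_list(values):
                    return False
            elif op == "StringNotEquals":
                if actual in _as_list(values):
                    return False
            elif op == "ArnNotLike":
                if actual is not None and _matches_any(values, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {op} is not modelled")
    return True


def _applies(stmt, action, ctx):
    if "Action" in stmt and not _matches_any(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _matches_any(stmt["NotAction"], action):
        return False
    return _conditions_hold(stmt.get("Condition", {}), ctx)


def evaluate(action, ctx, scps, boundary, identity_policy):
    """Return 'Allow' or 'Deny'. An applicable explicit Deny in any layer wins; otherwise
    every layer (all SCPs together, the boundary, the identity policy) must contain an
    applicable Allow. The layers intersect; none of them grants on its own."""
    layers = [list(scps), [identity_policy]]
    if boundary is not None:
        layers.insert(1, [boundary])
    statements = [s for layer in layers for pol in layer for s in pol["Statement"]]
    if any(s["Effect"] == "Deny" and _applies(s, action, ctx) for s in statements):
        return "Deny"
    for layer in layers:
        if not any(s["Effect"] == "Allow" and _applies(s, action, ctx)
                   for pol in layer for s in pol["Statement"]):
            return "Deny"
    return "Allow"


def developer_can(action, region, principal="arn:aws:iam::111122223333:role/Developer"):
    """Evaluate one call from the developer role (or, to show the SCP exemption, another
    principal carrying the same policies) in the given Region."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal}
    return evaluate(action, ctx, [FULL_AWS_ACCESS_SCP, REGION_RESTRICTION_SCP],
                    DEVELOPER_BOUNDARY, DEVELOPER_POLICY)


if __name__ == "__main__":
    for action, region in [("ec2:RunInstances", "us-east-1"), ("ec2:RunInstances", "us-west-2"),
                           ("sts:AssumeRole", "ap-southeast-1"), ("iam:CreateRole", "us-east-1")]:
        print(f"{action:20} {region:15} {developer_can(action, region)}")
    print("break-glass role in us-west-2:",
          developer_can("ec2:RunInstances", "us-west-2",
                        "arn:aws:iam::111122223333:role/OrgBreakGlass"))
```

Two things the run makes visible that the prose only states: iam:CreateRole is denied even though the identity policy allows it and the SCP does not mention it, because the boundary layer has no matching Allow; and sts:AssumeRole in an unapproved Region is allowed only because the SCP uses NotAction to carve out global services, which is the detail the Domain 1 scenario is really testing.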

Pilot Light vs Warm Standby

Use Pilot Light when…

Minimal cost DR: only database and critical data replication runs in DR Region. Compute is stopped/nonexistent. RTO: tens of minutes.

Use Warm Standby when…

Scaled-down but fully running copy in DR Region. Can serve traffic immediately (at reduced capacity), then scale out. RTO: minutes.

Exam trap

Pilot Light = data live, compute off. Warm Standby = everything running at small scale. Cost: Pilot Light < Warm Standby. RTO: Pilot Light > Warm Standby. SAP-C02 often asks for the CHEAPEST that meets a specific RTO.

AWS DMS vs AWS DataSync

Use AWS DMS when…

You're migrating DATABASES with ongoing replication (CDC). Handles heterogeneous migrations (Oracle → Aurora PostgreSQL) when paired with SCT, or the built-in DMS Schema Conversion feature, for the schema and code objects; DMS itself moves the data.

Use AWS DataSync when…

You're migrating FILE DATA (NFS, SMB, HDFS, S3, EFS, FSx). High-speed transfer with scheduling and integrity verification.

Exam trap

DMS = database migration and replication. DataSync = file/object storage migration. Never use DMS for file transfers or DataSync for database migration.

CloudFormation StackSets vs AWS Control Tower

Use CloudFormation StackSets when…

You need to deploy specific infrastructure (CloudFormation templates) across multiple accounts and Regions. Targeted deployments.

Use AWS Control Tower when…

You need to SET UP and GOVERN a multi-account environment with account factory, guardrails, and landing zone best practices.

Exam trap

Control Tower uses StackSets internally for guardrails. But Control Tower is for governance/setup, StackSets is for specific resource deployment. They complement, not compete.

Top Mistakes to Avoid

Choosing VPC Peering when Transit Gateway is needed — VPC Peering doesn't scale and isn't transitive
Forgetting that SCPs don't affect the management account — never run workloads in the management account
Confusing Direct Connect Gateway (multi-Region VPC access) with Transit Gateway (transitive routing hub)
Selecting DMS for file/object migration — DMS is for databases only, use DataSync for files
Picking Snowball when the network can handle the transfer in time — always calculate transfer time first
Choosing Multi-AZ when the question asks for multi-Region DR — they are completely different scopes
Using IAM users and access keys for cross-account access — always use IAM roles with trust policies
Confusing Aurora Global Database (storage-level replication) with RDS cross-Region Read Replicas (async logical replication)
Overcomplicating answers with custom solutions when managed services (Control Tower, MGN, Step Functions) exist
Missing the distinction between preventive controls (SCPs block actions) and detective controls (Config rules detect drift)

Exam-Ready Checklist

Can design a multi-account architecture with Organizations, SCPs, and Control Tower guardrails
Know Transit Gateway routing tables, segmentation, and hybrid connectivity patterns
Can select the correct migration strategy (6 Rs) for any given workload scenario
Understand DMS + SCT for heterogeneous database migrations with minimal downtime
Can design multi-Region active-active and active-passive DR architectures with specific RPO/RTO targets
Know the difference between all networking connectivity options (Peering, TGW, PrivateLink, DC, VPN)
Can optimize existing architectures for cost, performance, and reliability
Understand serverless orchestration patterns with Step Functions and EventBridge
Scored 75%+ on at least two full mock exams. The real pass mark is a scaled 750/1000, which is not the same as 75% raw and AWS does not publish the mapping, so treat 75% on mocks as the floor, not the target
Can manage time: 2.4 minutes per question for 75 questions in 180 minutes

Recommended Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
