AWS Certified Solutions Architect – Professional (SAP-C02) Exam Learning Path
- AWS Certified Solutions Architect – Professional (SAP-C02) exam is the upgraded pattern of the previous Solution Architect – Professional SAP-C01 exam and was released in Nov. 2022.
- SAP-C02 is quite similar to SAP-C01 but has included some new services.
AWS Certified Solutions Architect – Professional (SAP-C02) exam basically validates the ability to complete tasks within the scope of the AWS Well-Architected Framework
- Design for organizational complexity
- Design for new solutions
- Continuously improve existing solutions
- Accelerate workload migration and modernization
Refer to AWS Certified Solutions Architect – Professional Exam Guide

AWS Certified Solutions Architect – Professional (SAP-C02) Exam Resources
- Online Courses
- Stephane Maarek – Ultimate AWS Certified Solutions Architect Professional 2022
- DolfinEd AWS Certified Solutions Architect Professional (E-Study Guide & Lab Guides Included)
- Coursera – AWS Cloud Solutions Architect Professional Certificate
- Whizlabs – AWS Solutions Architect Professional Online Course
- Practice tests
AWS Certified Solutions Architect – Professional (SAP-C02) Exam Summary
- AWS Certified Solutions Architect – Professional (SAP-C02) exam has 75 questions to be solved in 170 minutes.
- AWS Certified Solutions Architect – Professional (SAP-C02) focuses a lot on concepts and services related to Architecture & Design, Scalability, High Availability, Disaster Recovery, Migration, Security, and Cost Control.
- Each question mainly touches multiple AWS services.
- Questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
- As always, mark the questions for review and move on and come back to them after you are done with all.
- As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.
AWS Certified Solutions Architect – Professional (SAP-C02) Exam Topics
Storage
- Simple Storage Service – S3
- S3 Permissions & S3 Data Protection
- S3 bucket policies to control access to VPC Endpoints and provide cross-account access.
- S3 Storage Classes & Lifecycle policies
- covers S3 Standard, Infrequent access, intelligent tier, and Glacier for archival and object transitions & deletions for cost management.
- S3 Performance
- S3 Transfer Acceleration can be used for fast, easy, and secure transfers of files over long distances between the client and an S3 bucket.
- S3 Multi-part upload can help improve upload performance and resiliency.
- S3 can be used for static website hosting and integrates with CloudFront to improve performance and latency.
- S3 Security
- S3 supports encryption using KMS
- S3 supports Object Lock and Glacier supports Vault lock to prevent the deletion of objects, especially required for compliance requirements.
- CORS allows client web applications loaded in one domain access to the restricted resources to be requested from another domain.
- S3 supports the same and cross-region replication for disaster recovery.
- supports S3 Select feature to query selective data from a single object.
- S3 Event Notification enables notifications to be triggered when certain events happen in the bucket and support SNS, SQS, and Lambda as the destination.
- S3 Permissions & S3 Data Protection
- Elastic Block Store
- EBS Backup using snapshots for HA and Disaster recovery
- Data Lifecycle Manager can be used to automate the creation, retention, and deletion of snapshots taken to back up the EBS volumes.
- Storage Gateway
- supports File Gateways and Volume Gateways
- File Gateways provides a file interface into S3 and allows storing and retrieving of objects in S3 using industry-standard file protocols such as NFS and SMB.
- Elastic File System – EFS
- provides fully managed, scalable, serverless, shared, and cost-optimized file storage for use with AWS and on-premises resources.
- supports cross-region replication for disaster recovery
- supports storage classes like S3
- supports only Linux-based AMIs
- AWS Transfer Family
- FSx for Lustre
- managed, cost-effective service to launch and run the HPC high-performance Lustre file system.
- Understand different use cases for S3 vs EBS vs EFS
Database
- DynamoDB
- provides a fully managed NoSQL database service with fast and predictable performance with seamless scalability.
- supports following capacity modes
- Provisioned – the maximum amount of capacity in terms of reads/writes per second that an application can consume from a table or index
- On-demand – serves thousands of requests per second without capacity planning.
- DynamoDB Auto Scaling can be used to handle peaks or bursts.
- DynamoDB Streams for tracking changes
- TTL to expire objects automatically and cost-effectively.
- Global tables for multi-master, active-active inter-region storage needs.
- Global tables do not support strong global consistency
- DynamoDB Accelerator – DAX for seamless caching to reduce the load on DynamoDB for read-heavy requirements.
- RDS
- supports cross-region read replicas ideal for disaster recovery with low RTO and RPO.
- provides RDS proxy for effective database connection polling
- RDS Multi-AZ vs Read Replicas
- Aurora
- fully managed, MySQL- and PostgreSQL-compatible, relational database engine
- Aurora Serverless provides on-demand, autoscaling configuration.
- Aurora Global Database consists of one primary AWS Region where the data is mastered, and up to five read-only, secondary AWS Regions.
- Understand DynamoDB Global Tables vs Aurora Global Databases
- DocumentDB as a replacement for MongoDB
- Keyspaces as a replacement for Cassandra
Data Migration & Transfer
- Cloud Migration Services
- Cloud Migration (hint: make sure you understand the difference between rehost, replatform, and rearchitect)
- Server Migration Service helps to migrate servers and applications.
- Database Migration Service
- enables quick and secure data migration with minimal to zero downtime
- supports Full and Change Data Capture – CDC migration to support continuous replication for zero downtime migration.
- homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations (using SCT) between different database platforms, such as Oracle or Microsoft SQL Server to Aurora.
- Snow Family
- Ideal for one-time huge data transfers usually for use cases with limited bandwidth from on-premises to AWS.
- Understand use cases for data transfer using VPN (quick, slow, uses the Internet), Direct Connect (time to set up, private, recurring transfers), Snow Family (moderate time, private, one-time huge data transfers)
- Application Discovery Service
- Agent ones can be used for hyper-v and physical services
- Agentless can be used for VMware but does not track processes
- AWS Migration Hub provides a central location to collect server and application inventory data for the assessment, planning, and tracking of migrations to AWS and also helps accelerate application modernization following migration.
Networking & Content Delivery
- VPC – Virtual Private Cloud
- Security Groups, NACLs
- NACLs are stateless and need to open ephemeral ports for response traffic.
- VPC Gateway Endpoints to provide access to S3 and DynamoDB
- VPC Interface Endpoints or PrivateLink provide access to a variety of services like SQS, Kinesis, or Private APIs exposed through NLB.
- VPC Peering to enable communication between VPCs within the same or different regions.
- VPC Peering does not support overlapping CIDRs while PrivateLink does as only the endpoint is exposed.
- VPC Flow Logs to track network traffic
- NAT Gateway provides managed NAT service that provides better availability, higher bandwidth, and requires less administrative effort.
- Security Groups, NACLs
- Route 53
- Routing Policies
- focus on Weighted, Latency, and failover routing policies
- failover routing provides active-passive configuration for disaster recovery while the others are active-active configurations.
- Route 53 Resolver
- Outbound endpoint for AWS -> On-premises DNS query resolution
- Inbound endpoint for On-premises DNS query resolution
- Routing Policies
- CloudFront
- fully managed, fast CDN service that speeds up the distribution of static, dynamic web or streaming content to end-users.
- supports Origin Groups for multiple origins providing failover capability with primary and secondary origins.
- does not support Auto Scaling as an origin
- supports Geo-restriction
- supports Lambda@Edge and Cloud Functions to execute code closer to the user.
- Lambda@Edge can be used for quick auth checks, and redirect users based on request data.
- Security can be enhanced by whitelisting CloudFront IPs or adding a custom header in CloudFront and verifying it in ALB.
- API Gateway
- supports throttling, caching and helps define usage plans with API keys to identify clients
- provides regional and edge-optimized endpoint types
- supports CORS for cross-domain calls.
- supports authentication mechanisms, such as AWS IAM policies, Lambda authorizer functions, and Amazon Cognito user pools.
- provide serverless architecture with Lambda.
- Load Balancer – ELB, ALB and NLB
- ELB with Auto Scaling to provide scalable and highly available applications
- Understand ALB vs NLB and their use cases.
- Global Accelerator
- optimizes the path to applications to keep packet loss, jitter, and latency consistently low.
- helps improve the performance of the applications by lowering first-byte latency
- provides 2 static IP addresses
- does not preserve the client’s IP address with NLB
- Transit Gateway or Transit VPC
- is a network transit hub that can be used to interconnect VPCs and on-premises networks via Direct Connect or VPN.
- Transit Gateway is regional and Transit Gateway Peering needs to be configured to peer regional Transit gateways.
- Placement Groups
- Cluster placement group with Enhanced Networking for HPC
- Spread placement group for fault tolerance and high availability.
- Direct Connect & VPN
- provide on-premises to AWS connectivity
- Understand Direct Connect vs VPN
- VPN can provide a cost-effective, quick failover for Direct Connect.
- VPN over Direct Connect provides a secure dedicated connection and requires a public virtual interface.
- Direct Connect Gateway is a global network device that helps establish connectivity that spans VPCs spread across multiple AWS Regions with a single Direct Connect connection.
Security, Identity & Compliance
- AWS Identity and Access Management
- IAM Roles and use cases
- IAM Web Identity & Federation
- IAM Best Practices
- AWS Shield & Shield Advanced
- for DDoS protection and integrates with Route 53, CloudFront, ALB, and Global Accelerator.
- AWS WAF
- protects from common attack techniques like SQL injection and XSS, Conditions based include IP addresses, HTTP headers, HTTP body, and URI strings.
- integrates with CloudFront, ALB, and API Gateway.
- supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries as well.
- ACM – AWS Certificate Manager
- helps easily provision, manage, and deploy public and private SSL/TLS certificates
- is regional and you need to request certificates in all regions and associate individually in all regions.
- does not provide certificates for EC2 instances.
- AWS KMS – Key Management Service
- managed encryption service that allows the creation and control of encryption keys to enable data encryption.
- KMS Multi-region keys
- are AWS KMS keys in different AWS Regions that can be used interchangeably – as though having the same key in multiple Regions.
- are not global and each multi-region key needs to be replicated and managed independently.
- Secrets Manager
- helps protect secrets needed to access applications, services, and IT resources.
- Secrets Manager vs SSM Parameter Store.
- Secrets Manager supports random generation and automatic rotation of secrets, which is not provided by SSM Parameter Store.
- Costs more than SSM Parameter Store.
- Amazon Macie is a data security and data privacy service that uses ML and pattern matching to discover and protect sensitive data in S3.
- AWS Security Hub is a cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
Compute
- EC2
- Auto Scaling provides the ability to ensure a correct number of EC2 instances are always running to handle the load of the application
- Lambda
- offers Serverless computing
- Lambda running in VPC requires NAT Gateway to communicate with external public services
- Lambda CPU can be increased by increasing memory only.
- helps define reserved concurrency limits to reduce the impact
- Lambda Alias now supports canary deployments
- Lambda supports docker containers
- Reserved Concurrency guarantees the maximum number of concurrent instances for the function
- Provisioned Concurrency provides greater control over the performance of serverless applications and helps keep functions initialized and hyper-ready to respond in double-digit milliseconds.
- Lambda Best Practices esp. handling the database connection code.
- ECS – Elastic Container Service
- container management service that supports Docker containers
- supports two launch types
- EC2 and
- Fargate which provides the serverless capability
- For least privilege, the role should be assigned to the Task.
awsvpc
network mode gives ECS tasks the same networking properties as EC2 instances.
Disaster Recovery
- Disaster Recovery whitepaper, although outdated, make sure you understand the differences and implementation for each type esp. pilot light, warm standby w.r.t RTO, and RPO.
- Compute
- Make components available in an alternate region,
- Backup and Restore using either snapshots or AMIs that can be restored.
- Use minimal low-scale capacity running which can be scaled once the failover happens
- Use fully running compute in active-active confirmation with health checks.
- CloudFormation to create, and scale infra as needed
- Storage
- S3 and EFS support cross-region replication
- DynamoDB supports Global tables for multi-master, active-active inter-region storage needs.
- Aurora Global Database provides cross-region read replicas and failover capabilities.
- RDS supports cross-region read replicas which can be promoted to master in case of a disaster. This can be done using Route 53, CloudWatch, and lambda functions.
- Network
- Route 53 failover routing with health checks to failover across regions.
- CloudFront Origin Groups support primary and secondary endpoints with failover.
Management & Governance tools
- AWS Organizations
- Difference between Service Control Policies and IAM Policies
- SCP provides the maximum permission that a user can have, however, the user still needs to be explicitly given IAM policy.
- Systems Manager
- AWS Systems Manager and its various services like parameter store, patch manager
- Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management. Does not support secrets rotation. Use Secrets Manager instead
- Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys.
- Patch Manager helps automate the process of patching managed instances with both security-related and other types of updates.
- CloudWatch
- CloudWatch logs
- CloudWatch Subscription Filters and their integration with other services.
- CloudWatch Events or EventBridge
- CloudTrail
- for audit and governance
- With Organizations, the trail can be configured to log CloudTrail from all accounts to a central account.
- CloudFormation
- Handle disaster Recovery by automating the infra to replicate the environment across regions.
- Deletion Policy to prevent, retain, or backup RDS, EBS Volumes
- Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update. Stack Policy only applies for Stack updates and not stack deletion.
- StackSets helps to create, update, or delete stacks across multiple accounts and Regions with a single operation.
- Control Tower
- to setup, govern, and secure a multi-account environment
- strongly recommended guardrails cover EBS encryption
- Service Catalog
- allows organizations to create and manage catalogues of IT services that are approved for use on AWS with minimal permissions.
- Trusted Advisor
- helps with cost optimization and service limits in addition to security, performance and fault tolerance.
- Compute Optimizer recommends optimal AWS resources for the workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
- AWS Budgets to see usage-to-date and current estimated charges from AWS, set limits and provide alerts or notifications.
- Cost Allocation Tags can be used to organize AWS resources, and cost allocation tags to track the AWS costs on a detailed level.
- Cost Explorer helps visualize, understand, manage and forecast the AWS costs and usage over time.
- Amazon WorkSpaces provides a virtual workspace for varied worker types, especially hybrid and remote workers.
Integration Tools
- SQS in terms of loose coupling and scaling.
- Difference between SQS Standard and FIFO esp. with throughput and order
- SQS supports dead letter queues
- CloudWatch integration with SNS and Lambda for notifications.
Analytics
- Kinesis
- for real-time data ingestion and analytics.
- Difference between Kinesis Data Streams and Kinesis Firehose
- Kinesis Data Firehose integrates with S3, Redshift, and OpenSearch.
- OpenSearch (Elasticsearch) provides a managed search solution.
- Amazon Timestream is a fast, scalable, and serverless time-series database service that makes it easier to store and analyze trillions of events per day.
- Amazon Connect is an omnichannel cloud contact center.
- Amazon Pinpoint is a flexible, scalable marketing communications service that helps connects customers over email, SMS, push notifications or voice
- Amazon Rekognition offers pre-trained and customizable computer vision capabilities to extract information and insights from images and videos
- Amazon Transcribe to Voice to Text conversion
Architecture & Design Flows
- Disaster Recovery
- Multi-Region Compute and Security
- Multi-Region Storage and Data
- S3, EFS cross-region replication
- DynamoDB Global Tables – Multi-Master
- Aurora Global Database, RDS – Cross-region read replica
- WAF/AWS Shield -> CloudFront -> S3 with WAF-managed Amazon IP reputation rule group or country-specific rule
- Kinesis Data Streams -> Kinesis Data Firehose -> ES/S3/Redshift
- Kinesis Data Agent -> Kinesis Data Firehose -> ES/S3/Redshift
- CloudWatch Logs -> (Subscription Filter) -> Kinesis Data Streams
- Quota Monitor & Solution Definition
- Enhance Security with CloudFront + WAF
- S3 Event Notification -> SNS/SQS/Lambda
- Analysing SES data – SES Logs -> Kinesis Data Firehose -> S3 -> Athena
- Centralized Networking using Network Firewall
- Multi-Account Strategy
- Identity account for role and users
- Infosec account
- Logging account
- Direct Connect with VPN – Low latency, Secure Connectivity
- Detect/Remediate Security/Compliance Rules with AWS Config -> Systems Manager Automation/Lambda to remediate findings
- Real-time Leadership Dashboard with ElastiCache
- RDS/S3 -> Glue Crawler -> Glue Catalog -> Athena
- Lambda@Edge + CloudFront to dynamically route requests
- AppSync Mobile Architecture
- Centralized Logging
- Multi-region API Gateway with CloudFront
- Accessing VPC Endpoints from On-premises
- Migrate Oracle to Amazon Redshift
- Monitor IAM Root User Activity
- Migrate an Oracle database to Aurora MySQL using AWS DMS and SCT
- Archive DynamoDB data to S3 using TTL
- Encrypt Existing and New EBS Volumes
- Building Fault-Tolerant Applications on AWS