SAP-C02 Cheatsheet — Deep Architecture Patterns, Decision Tables & Diagrams

High-signal, professional-level SAP-C02 reference: multi-account governance (Organizations/Control Tower/SCPs), hybrid + multi-VPC networking (TGW/Cloud WAN/DX/PrivateLink), security controls (IAM/KMS/logging), DR strategy selection, migration/modernization, performance trade-offs, and cost visibility.

On this page

Keep this page open while drilling SAP‑C02 questions. Prioritize constraints → trade-offs → simplest compliant architecture.

Quick facts (SAP-C02)

Item	Value
Questions	75 (multiple-choice + multiple-response)
Time	180 minutes
Passing score	750 (scaled 100–1000)
Cost	300 USD
Delivery	Pearson VUE test center or online proctored
Domains	D1 26% • D2 29% • D3 25% • D4 20%

SAP-C02 “professional level” mental model

SAP-C02 is rarely about knowing a single service. It’s about designing under constraints:

Organization + governance first (accounts, guardrails, identity)
Connectivity strategy (hybrid, multi-VPC, DNS, inspection)
Security controls (preventive + detective + response)
Resilience plan (multi-AZ, multi-Region DR, dependencies)
Delivery + operations (IaC, CI/CD, observability, automation)
Cost and performance trade-offs (TCO, data transfer, purchase options)

If an answer “works” but ignores governance, operations, or recoverability, it’s usually not the best answer.

1) Multi-account governance (Organizations + Control Tower)

A practical multi-account layout (common SAP-C02 pattern)

    flowchart TB
	  Root[Organizations Root] --> SecOU[Security OU]
	  Root --> InfraOU[Infrastructure OU]
	  Root --> WorkloadsOU[Workloads OU]
	  Root --> SandboxOU[Sandbox / Experiments]
	
	  SecOU --> LogArchive[Log Archive]
	  SecOU --> Audit[Security / Audit Tooling]
	
	  InfraOU --> Net[Networking]
	  InfraOU --> Shared[Shared Services]
	  InfraOU --> CI[CI/CD Tooling]
	
	  WorkloadsOU --> Prod[Prod Accounts]
	  WorkloadsOU --> NonProd[Non-Prod Accounts]

Why this pattern wins: it limits blast radius, supports centralized logging/security, and aligns with “organizational complexity” scenarios.

Landing zone checklist (what SAP-C02 expects you to think about)

Account / capability	Purpose	Typical services
Management account	Owns the org; keep it “clean”	Organizations billing/guardrails (minimize workloads)
Log archive	Central, tamper-resistant logging	CloudTrail org trail, S3 log buckets, lifecycle/Object Lock
Security/Audit	Central security visibility and response	GuardDuty, Security Hub, Inspector, Macie, Detective, IAM Access Analyzer
Networking	Shared connectivity and inspection	TGW/Cloud WAN, shared subnets (RAM), Network Firewall, GWLB
Shared services	Org-wide platform services	IAM Identity Center integration, DNS, directory, tooling
Workload accounts	Apps/data split by env/team	VPCs, compute, data services, app pipelines

Baseline checklist

Define an OU structure that matches isolation boundaries (prod/non-prod, regulated, sandbox).
Implement preventive guardrails (SCPs) and enforce tagging (tag policies + “tag-on-create” controls).
Centralize identity (IdP → IAM Identity Center) and establish break-glass access procedures.
Centralize logging (org CloudTrail + Config) and define retention/immutability requirements.
Turn on detective controls org-wide (GuardDuty/Security Hub) with delegated admin and aggregation.
Decide shared networking: TGW/Cloud WAN, shared services VPC, centralized inspection, and egress controls.
Set up cost visibility early (cost categories, budgets, CUR) so the organization can do chargeback/showback.

Guardrails: SCP vs IAM vs resource policy vs key policy

High-yield rule: SCP is a boundary (it can only restrict). Even if IAM allows, an SCP deny still blocks the action.

Control	Applies to	Use it for	Common gotcha
SCP (Organizations)	Accounts/OUs	Org-wide guardrails (region allow/deny, disallow leaving org, block risky services)	Impacts everyone, including admins; global services/regions can surprise you
IAM identity policy	Users/roles	Least-privilege permissions for principals	Too-broad wildcards and missing conditions
Resource-based policy	S3/SQS/KMS/etc	Cross-account access without needing IAM users	Must align with trust/identity policies; can be blocked by SCP
Permission boundary	IAM roles/users	Max permissions a role can ever get (delegation)	Doesn’t grant permissions; it only bounds them
KMS key policy	KMS keys	Who can administer/use the key	If key policy doesn’t allow use/admin, IAM alone won’t save you

Exam cue: If you see “prevent anyone in an account from doing X,” think SCP. If you see “allow this other account/service to access Y,” think resource policy + role (and confirm SCPs don’t block it).

Control Tower (landing zone) basics

Control Tower is often the “least operational overhead” answer when you need:

Fast creation of a landing zone with guardrails
Account factory / vending
Centralized audit/log archive foundations

Use custom landing zones only when the question explicitly calls for it or constraints require non-standard behavior.

Cross-account access patterns (humans vs workloads)

Access type	Best-fit pattern	Notes
Human workforce access	IAM Identity Center + permission sets	Centralize identities; avoid long-lived IAM users
App-to-app (service)	AssumeRole cross-account	Tight trust policy + least privilege
Shared resources	AWS RAM (resource sharing)	Useful for sharing subnets, TGW, Route 53 Resolver rules, etc.

Rule of thumb: Humans get federated, short-lived access; workloads assume roles.

2) Networking & connectivity (multi-VPC, hybrid, DNS, inspection)

Inter-VPC connectivity: choose the right primitive

Option	Best for	Strengths	Trade-offs / gotchas
VPC Peering	Few VPCs, simple routing	Simple, low latency	No transitive routing; becomes a mesh at scale
Transit Gateway (TGW)	Many VPCs + on-prem, shared routing	Transitive routing, scalable hub-and-spoke	Data processing cost; route table design matters
Cloud WAN	Global networks with policy-based connectivity	Central network policy + segmentation	Newer; still a “choose for global scale” answer
PrivateLink (Interface endpoints)	Private service exposure across VPCs/accounts	No routing overlap issues; strong isolation	Per-AZ endpoint cost; not a general routing solution

Exam cue: If you see “dozens/hundreds of VPCs, shared services, on-prem connectivity,” think TGW (or Cloud WAN for global policy-driven networks).

Transit Gateway (TGW) design patterns (route tables + segmentation)

TGW questions are rarely “what is TGW?” They’re usually about segmentation, routing intent, and operational scale.

High-yield TGW concepts

TGW enables transitive routing (solves the peering-mesh problem).
Use multiple TGW route tables to enforce segmentation (prod vs non-prod vs shared vs inspection).
Prefer “hub-and-spoke”: spokes attach to TGW; shared services and egress/inspection live in dedicated VPCs/accounts.
For centralized inspection, design for symmetric flows (appliance mode / routing patterns) so return traffic goes through the inspection layer.

Common TGW route table layout

TGW route table	Associate with	Propagate from	Typical intent
Spoke RT	Workload VPC attachments	Shared services + egress + on-prem	Spokes can reach shared/egress/on-prem
Shared services RT	Shared services attachment	Spokes	Shared services can reach spokes (selectively)
Inspection/Egress RT	Inspection + egress attachments	Spokes + on-prem	Force internet/on-prem flows through inspection
On-prem RT	DX/VPN attachment	Spokes + shared services	Control which VPCs are reachable from on-prem

Exam cue: If the scenario says “separate business units and prevent lateral movement,” the best answer often includes separate accounts/VPCs + TGW segmentation (not one giant flat network).

Hub-and-spoke with centralized inspection (classic SAP-C02)

    flowchart LR
	  OnPrem[On-Premises] --- DX[Direct Connect]
	  DX --- DXGW[DX Gateway]
	  DXGW --- TGW[Transit Gateway]
	  TGW --- Egress[Central Egress + Inspection]
	  TGW --- Shared[Shared Services VPC]
	  TGW --- App1[App VPC - Account A]
	  TGW --- App2[App VPC - Account B]
	  Egress --> IGW[Internet Gateway]

Inspection building blocks:

AWS Network Firewall for managed L3/L4 inspection
GWLB to insert third-party appliances transparently
Separate TGW route tables for segmentation (prod/non-prod, shared services, inspection)

Hybrid connectivity: DX vs VPN (and how to make it resilient)

Connectivity	Best for	HA guidance
Site-to-Site VPN	Quick setup, encryption, backup path	Use two tunnels; consider multiple VPNs across devices
Direct Connect	Predictable bandwidth/latency	Use two DX locations, redundant connections; often pair with VPN for encryption/backup
DX + VPN	Professional-level “best practice”	VPN can provide failover; encryption if required

Exam cue: If you see “must be encrypted” + “needs predictable performance,” choose DX + VPN (VPN for encryption/failover; DX for throughput).

DNS across hybrid and multi-account

High-yield components:

Route 53 Resolver inbound endpoint: on-prem → AWS name resolution
Route 53 Resolver outbound endpoint: AWS → on-prem DNS
Resolver rules shared across accounts with AWS RAM
Private hosted zones associated to VPCs (including shared VPC/subnet scenarios)

Common trap: Forgetting that DNS in large orgs needs a sharing model (RAM) and centralized governance.

Private access: endpoints beat NAT for security and cost

Default pattern: Private subnets use VPC endpoints wherever possible.

Endpoint type	Services	Why it matters
Gateway endpoint	S3, DynamoDB	Route-table based, no per-hour cost; big NAT cost saver
Interface endpoint (PrivateLink)	Many AWS services	Private access without internet; per-AZ hourly cost

Exam cue: “No internet egress allowed” + “private subnets need to call AWS service” → VPC endpoint.

Egress control patterns (centralize, distribute, or eliminate)

Pattern	Pros	Cons	Use when
Distributed egress (NAT per VPC/AZ)	Simple ownership, fewer shared dependencies	Higher NAT cost at scale; inconsistent controls	Smaller orgs or teams with autonomy
Centralized egress VPC (inspection + NAT)	Consistent inspection and policy; easy to audit	Potential cross-AZ data costs; design carefully to avoid bottlenecks	Enterprise orgs with compliance/inspection needs
No general internet egress (endpoints-first)	Strong data exfiltration control; cost savings	Not all services support endpoints; some workloads need internet	Regulated/locked-down workloads

High-yield guidance

For resilience, NAT is typically one per AZ (avoid a single NAT as a SPOF and avoid cross-AZ routing).
If the scenario emphasizes inspection, expect to see Network Firewall or GWLB patterns.
If the scenario emphasizes cost and AWS service access, push toward VPC endpoints over NAT.

3) Security controls as architecture (IAM, KMS, logging, detection)

Identity and access: a few rules that show up everywhere

Prefer roles + short-lived credentials (STS).
Use MFA for privileged actions; use “break-glass” only with strict monitoring.
In orgs: use Identity Center + permission sets, not IAM users in every account.
For cross-account: lock down the trust policy (who can assume) and the permissions policy (what they can do).

IAM policy types: trust vs permissions (common SAP-C02 confusion)

Policy	Answers “who can assume?”	Answers “what can they do?”	Typical mistake
Trust policy	Yes	No	Over-broad principals or missing `ExternalId`/conditions
Permissions policy	No	Yes	Too-broad actions/resources; missing conditions
Permission boundary	No	Bounds max permissions	Assuming it grants permissions
SCP	Org guardrail	Restricts	Forgetting SCP deny overrides everything

Exam cue: If the scenario says “a pipeline in Account A must deploy to Account B,” the answer usually includes AssumeRole with a tight trust policy in Account B.

S3 security patterns that show up in architecture questions

High-yield defaults

Turn on S3 Block Public Access at the account level (and keep it on).
Prefer private buckets + controlled access: bucket policy, access points, and VPC endpoints.
Enforce TLS (aws:SecureTransport) and require encryption (SSE-S3 or SSE-KMS) where needed.

Copy-ready snippets (adapt as needed)

Require TLS for all S3 requests:

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "DenyInsecureTransport",
 6      "Effect": "Deny",
 7      "Principal": "*",
 8      "Action": "s3:*",
 9      "Resource": [
10        "arn:aws:s3:::my-bucket",
11        "arn:aws:s3:::my-bucket/*"
12      ],
13      "Condition": {
14        "Bool": { "aws:SecureTransport": "false" }
15      }
16    }
17  ]
18}

Restrict access to principals in your AWS Organization:

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "DenyOutsideOrg",
 6      "Effect": "Deny",
 7      "Principal": "*",
 8      "Action": "s3:*",
 9      "Resource": [
10        "arn:aws:s3:::my-bucket",
11        "arn:aws:s3:::my-bucket/*"
12      ],
13      "Condition": {
14        "StringNotEquals": { "aws:PrincipalOrgID": "o-xxxxxxxxxx" }
15      }
16    }
17  ]
18}

CloudFront note: For public content, CloudFront should access S3 via Origin Access Control (OAC) (not a public bucket). The best answer often combines CloudFront + private S3 + controlled bucket policy.

Secrets and certificates (pick the right tool)

Need	Best fit	Why
Rotate database/API secrets	Secrets Manager	Native rotation workflows and secure retrieval
App configuration parameters	SSM Parameter Store	Simple config/parameters (advanced parameters when needed)
Public TLS certificates	ACM (public)	Managed issuance and renewal
Internal PKI	ACM Private CA	Managed private CA for enterprise environments

KMS “gotchas” (professional-level)

Mental model: To use a KMS key, permissions must line up across:

Key policy
IAM policy
(Sometimes) grants / service integration
Org guardrails (SCP can still block)

Copy-ready example: region restriction SCP (use with care)

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "DenyOutsideApprovedRegions",
 6      "Effect": "Deny",
 7      "Action": "*",
 8      "Resource": "*",
 9      "Condition": {
10        "StringNotEquals": {
11          "aws:RequestedRegion": ["us-east-1", "us-west-2"]
12        }
13      }
14    }
15  ]
16}

Exam note: Region-deny SCPs can unintentionally block global services or required Regions. The “best” answer often includes a well-defined approved Region list + documented exceptions.

KMS key policy patterns (admin vs usage, cross-account)

High-yield rules

Separate key administrators from key users (different principals).
If a service can’t use the key, the first place to look is often the key policy (not the IAM role).
For cross-account encryption/decryption, you must allow the external account principal to use the key (and ensure SCPs don’t block it).

Minimal example key policy pattern (illustrative):

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "KeyAdmins",
 6      "Effect": "Allow",
 7      "Principal": { "AWS": "arn:aws:iam::111122223333:role/SecOpsKmsAdmin" },
 8      "Action": "kms:*",
 9      "Resource": "*"
10    },
11    {
12      "Sid": "AllowUseFromAppRole",
13      "Effect": "Allow",
14      "Principal": { "AWS": "arn:aws:iam::444455556666:role/AppRole" },
15      "Action": [
16        "kms:Encrypt",
17        "kms:Decrypt",
18        "kms:GenerateDataKey*",
19        "kms:DescribeKey"
20      ],
21      "Resource": "*"
22    }
23  ]
24}

Exam cue: If the scenario mentions multi-Region DR with encrypted data, consider multi-Region keys (simplifies replicated encryption across Regions).

Logging and audit (centralize it)

High-yield pattern: Dedicated log archive account + org-wide CloudTrail + centralized S3 + lifecycle/immutability.

Core building blocks:

Organizations trail (CloudTrail across accounts)
CloudTrail Lake for queryable event storage and investigations
AWS Config for config history and compliance
Centralized aggregation for GuardDuty and Security Hub

Exam cue: “Need visibility across all accounts” → centralized security + logging accounts, delegated admin, org trail.

Detection and response: align to “least ops”

Common pro-level combinations:

GuardDuty (threat detection) + Security Hub (posture + findings aggregation)
EventBridge rules to trigger automation (SSM Automation / Lambda) for containment and response
Config rules / conformance packs for continuous compliance

4) Reliability, DR, and business continuity (RTO/RPO selection)

DR strategy selection table (memorize this)

Strategy	Typical RTO	Typical RPO	When it’s the best answer
Backup & restore	Hours–days	Hours	Lowest cost, “good enough” recovery
Pilot light	Tens of minutes–hours	Minutes–hours	Minimal core services running; faster recovery than restore
Warm standby	Minutes	Minutes	Scaled-down but running; quicker cutover
Multi-site active-active	Seconds–minutes	Near-zero	Strict RTO/RPO, global users, highest cost/complexity

Exam cue: If you see strict RTO/RPO and “business can’t tolerate downtime,” you’re in warm standby or active-active territory.

Multi-Region data options (high-yield)

Data layer	Multi-Region option	Notes
S3	CRR (Cross-Region Replication)	Pair with versioning; consider replication time control if needed
DynamoDB	Global tables	Multi-Region active-active; watch conflict resolution patterns
Aurora	Aurora Global Database	Very low replication lag; fast cross-region failover for reads
RDS (non-Aurora)	Cross-Region read replicas / snapshots	More manual; generally slower RTO
KMS	Multi-Region keys	Simplifies encryption across Regions for replicated data

Traffic failover: Route 53 vs Global Accelerator vs CloudFront

Service	Best for	Why it wins
Route 53	DNS-based failover and policy routing	Health checks + routing policies; simple and flexible
Global Accelerator	Fast failover for TCP/UDP apps	Anycast IPs, fast health-based routing
CloudFront	Global content delivery + origin failover	Edge caching + origin failover; strong for HTTP(S)

Rule of thumb: If you need static anycast IPs and fast failover, look at Global Accelerator. If you need caching and HTTP edge, look at CloudFront.

Route 53 routing policies (quick selection table)

Policy	Best for	Key detail
Failover	Active-passive DR	Health checks drive failover (DNS TTL still matters)
Weighted	Gradual migration / canary	Shift % of traffic between endpoints
Latency	Lowest latency routing	Routes to the region with best latency for the user
Geolocation	Compliance / content by country	Routes based on user location
Geoproximity	Route based on “distance” with bias	Uses Route 53 traffic flow / bias control
Multi-value	Simple multi-endpoint answers	Returns multiple healthy records (not full load balancing)
Simple	Single record	No routing logic

Exam cues

“Active-passive DR” → Failover routing with health checks.
“Gradually shift traffic / A/B testing” → Weighted routing.
“Optimize latency for global users” → Latency routing (or Global Accelerator for faster failover with anycast IPs).

DR readiness checklist (what good answers include)

Clear mapping from requirements to RTO/RPO and chosen DR strategy.
Automated backup with cross-account/cross-region protection where needed (AWS Backup, vault lock, lifecycle).
Explicit failover and failback plan (including DNS/traffic and data directionality).
Validation plan: game days, restore tests, and monitoring for replication lag and backup failures.
Awareness of dependencies (identity, DNS, certificates, secrets, third-party services).

DR architecture sketch (active-passive)

    flowchart LR
	  Users[Users] --> R53[Route 53 / GA]
	  R53 -->|Primary| RegionA[Region A]
	  R53 -->|Failover| RegionB[Region B]
	
	  subgraph Region A
	    ALBA[ALB] --> AppA[App Tier]
	    AppA --> DBA[(Primary DB)]
	  end
	
	  subgraph Region B
	    ALBB[ALB] --> AppB[Warm App Tier]
	    AppB --> DBB[(Replica/Global DB)]
	  end

5) Deployment strategy (CI/CD + IaC + multi-account)

A common “least operational overhead” pipeline design

    sequenceDiagram
	  participant Dev as Developer
	  participant Repo as Source Repo
	  participant Pipe as CI/CD (Tools Account)
	  participant Stg as Staging Account
	  participant Prod as Prod Account
	
	  Dev->>Repo: Commit / PR
	  Repo->>Pipe: Trigger build + tests
	  Pipe->>Stg: Assume deploy role\nDeploy IaC + app
	  Pipe->>Prod: Approval gate\nAssume deploy role\nDeploy
	  Prod-->>Pipe: Health checks + alarms

High-yield implementation pieces:

Pipeline in a tools account
Cross-account deployment via AssumeRole
IaC promotion (dev → stage → prod)
Automated rollback based on alarms/SLOs

Cross-account deployments: trust policy (example)

Target accounts typically expose a deployment role that the tools account can assume.

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "AllowToolsAccountToAssume",
 6      "Effect": "Allow",
 7      "Principal": { "AWS": "arn:aws:iam::111122223333:role/ToolsDeployRole" },
 8      "Action": "sts:AssumeRole"
 9    }
10  ]
11}

Exam cue: If the question mentions “many accounts” and “standard baselines,” consider CloudFormation StackSets (or Control Tower customizations) to deploy org-wide resources consistently.

Deployment patterns: pick based on risk and state

Pattern	Best for	What you must remember
Blue/green	Big risk releases, fast rollback	Requires parallel environment and cutover
Canary	Gradual traffic shifting	Automate rollback via alarms
Rolling	Simple updates with some risk	Not great for strict zero-downtime unless carefully designed
Immutable	Consistency and safe rollbacks	Rebuild instead of patch-in-place

Exam cue: If the question says “minimize downtime and risk” → blue/green or canary with automated rollback.

6) Performance design (end-to-end)

Load balancers: ALB vs NLB vs GWLB

Service	Best for	Notes
ALB	HTTP/HTTPS, L7 routing	Host/path routing, WAF integration
NLB	TCP/UDP, high throughput, low latency	Static IPs per AZ, good for non-HTTP
GWLB	Inline network appliance insertion	Pairs with centralized inspection patterns

Compute selection (EC2 vs containers vs serverless)

Option	Best for	Why it wins	Typical trade-off
EC2	Full control, special OS needs	Maximum flexibility	Highest ops burden
ECS (Fargate)	Containerized apps with low ops	No cluster management	Less control than EC2
EKS	Kubernetes standardization	Ecosystem + portability	More complexity/ops than ECS
Lambda	Event-driven + bursty workloads	Minimal ops, scales fast	Cold starts, runtime limits, cost under high steady load

Exam cue: If the scenario says “minimize operational overhead,” managed options (Fargate/Lambda/managed data stores) usually beat self-managed EC2.

Cache and edge: what improves “global performance” fastest

CloudFront: caching, TLS offload, origin failover for HTTP(S)
ElastiCache (Redis/Memcached): hot data, session caches, query caching
DynamoDB DAX: microsecond read cache for DynamoDB-heavy workloads

Exam cue: If latency is for global users and content is cacheable → CloudFront.

7) Cost optimization & visibility (FinOps patterns)

Cost visibility building blocks (multi-account)

Cost allocation tags + cost categories for showback/chargeback
CUR to S3 + Athena/QuickSight for deep analysis
Budgets + alerts + automated actions for guardrails
Savings Plans / Reserved Instances governance for predictable workloads
Compute Optimizer for rightsizing

Purchase options (fast table)

Option	Best for	Notes
Savings Plans	Compute spend across many services	Flexible; good default for predictable usage
Reserved Instances	Specific instance families (or RDS, etc.)	Strong discounts when you know the shape
Spot	Fault-tolerant, flexible workloads	Biggest savings; design for interruption

Exam cue: If the workload is fault-tolerant and batch/async, Spot is often the “most cost-effective” answer (paired with retries/checkpointing).

Data transfer cost quick wins (commonly tested)

Prefer same-AZ traffic paths when possible (avoid hidden cross-AZ transfer).
Replace NAT-heavy service access with VPC endpoints (especially S3/DynamoDB gateway endpoints).
Use CloudFront for cacheable global content to reduce origin egress.
Consider Direct Connect for large, steady hybrid data movement (and model the TCO).
Watch “per-GB processing” services in the middle of flows (TGW, GWLB) when cost is a key constraint.

High-yield cost “gotchas” in architectures

Cross-AZ data transfer: invisible until it’s huge; design for AZ-local paths when possible.
NAT Gateway costs: expensive at scale; prefer VPC endpoints.
Data processing costs: TGW, GWLB, and some managed services have per-GB processing fees.
Logging costs: high-volume logs with long retention can explode budgets; tune retention and sampling.

8) Operational excellence (improve what already exists)

Professional-level answers often include:

Standardized IaC + drift detection
Centralized observability (logs/metrics/traces) across accounts
Automated remediation (SSM Automation + EventBridge)
Runbooks + game days + postmortems

Centralized observability (one common enterprise pattern)

    flowchart LR
	  subgraph Workloads
	    A1[Workload Account A] --> CW1[CloudWatch]
	    A2[Workload Account B] --> CW2[CloudWatch]
	  end
	
	  CW1 --> Agg[Central Observability]
	  CW2 --> Agg
	  Agg --> S3[(Central Log Archive S3)]
	  Agg --> SO[Search/Analytics]
	  Agg --> IR[Incident Response Runbooks]

High-yield implementation ideas:

Centralize CloudTrail and Config in security/log archive accounts.
Use log subscriptions/aggregation for app logs (central store with defined retention).
Use dashboards + alarms tied to SLOs; wire alarms into incident workflows.

If the question is “how to improve,” the best answer is usually the one that is systematic and automatable (not a one-off manual fix).

9) Migration & modernization (portfolio → approach → target architecture)

The 6Rs (migration strategies)

Strategy	Meaning	When it’s best
Rehost	Lift-and-shift	Fastest path; minimal change
Replatform	Small optimizations	Some benefit with limited refactor
Refactor	Re-architect	Cloud-native goals (scale, resilience)
Repurchase	SaaS	Replace with managed SaaS
Retire	Turn it off	Reduce scope and cost
Retain	Keep as-is	Constraints prevent migration now

Modernization patterns (what “professional-level” answers look like)

Common patterns that show up in SAP-C02 scenarios:

Strangler fig: route a slice of traffic to new services while the monolith remains.
Parallel run: run old and new in parallel with validation, then cut over.
Event-driven decomposition: introduce events (EventBridge/SNS/SQS/Kinesis) to decouple domains.
Managed service adoption: move from self-managed to managed databases/queues/cache to reduce ops.

Strangler fig sketch:

    flowchart LR
	  Users --> Edge[Edge/Router]
	  Edge -->|Legacy paths| Mono[Monolith]
	  Edge -->|New paths| New[New Service]
	  New --> Data[(Managed Data)]

Exam cue: When the question says “modernize with minimal downtime and risk,” incremental patterns like strangler fig + canary/weighted routing often beat “big bang” rewrites.

Migration tooling map (high-yield)

Migration Hub: portfolio tracking and migration visibility
Application Migration Service (MGN): server replication + cutover for rehost
DMS + SCT: database migration with CDC and schema conversion
Snowball / Direct Connect: large data transfer depending on constraints

Migration waves (sequencing and risk control)

    flowchart LR
	  A[Discover + Assess] --> B[Plan Waves]
	  B --> C[Build Landing Zone]
	  C --> D[Pilot Wave]
	  D --> E[Scale Waves]
	  E --> F[Stabilize + Optimize]

10) High-yield scenario cues (fast picks)

Many VPCs across accounts + on-prem + transitive routing → Transit Gateway (or Cloud WAN for global policy control).
Private access to AWS services without internet/NAT → VPC endpoints (gateway for S3/DynamoDB; interface for others).
Need to expose a service privately across accounts without routing complexity → PrivateLink.
Org-wide guardrail (“nobody in this OU may do X”) → SCP.
“KMS access denied” in a cross-account setup → check key policy and grants (IAM alone isn’t enough).
Strict RTO/RPO and business can’t tolerate downtime → warm standby or active-active (Route 53 / GA + replicated data).
Need ultra-fast failover + static anycast IPs → Global Accelerator.
Need edge caching for global HTTP performance → CloudFront.
Improve an existing system long-term → Well-Architected review + automation + guardrails, not manual one-off fixes.
Hybrid name resolution requirement (on-prem ↔ AWS) → Route 53 Resolver inbound/outbound endpoints + shared resolver rules (RAM).
“Need a landing zone quickly with guardrails” → Control Tower (often least ops).
“Share network building blocks across accounts” → AWS RAM (shared subnets, resolver rules, TGW attachments where applicable).
“Centralize inspection for ingress/egress” → Network Firewall or GWLB + segmented TGW route tables.
“Keep S3 private and accessible from private subnets” → Gateway VPC endpoint + bucket policy/VPC endpoint policy.
“Make audit logs tamper-resistant” → dedicated log archive account + lifecycle/Object Lock controls.

Next steps

Work the blueprint: Syllabus →
Drill under time: Practice →
Confirm format and weights: Overview →

Syllabus

Practice

Browse Exams — Mock Exams & Practice Tests