AWS Certified Solutions Architect - Professional cheat sheet
Amazon Web Services
Free to share. Examworthy is not affiliated with or endorsed by Amazon Web Services; SAP-C02 and related marks belong to their respective owners.
At a glance
Format: Multiple choice and multiple response
Domain weight map
Heaviest first - spend your time here
How this exam thinks
SAP-C02 is a pick-the-best-architecture exam at estate scale: long multi-constraint scenarios where three options work and the right one is the managed, requirement-fit design that satisfies every stated limit (cost, resilience scope, operational overhead, no application change, RTO and RPO, compliance) at once.
Spot the trap
Tempting wrong answers, and why they fail
Tempting but wrong
CloudFormation rollback triggers on CloudWatch alarms give you a preview of an update's impact before it runs.
Why it fails
Rollback triggers act only after the update has already started executing, by which point a resource may already have been replaced. They revert a stack after a fault, they do not preview planned actions. To see resource actions and replacements before anything runs, use a change set.
Design for New Solutions
Tempting but wrong
A full mesh of VPC peering connections is a clean way to give hundreds of VPCs any-to-any reachability.
Why it fails
VPC peering is non-transitive, so a mesh needs a link between every pair, and the link count grows roughly with the square of the VPC count. That becomes unmanageable well before 200 VPCs. AWS Transit Gateway provides transitive routing through one hub instead.
Design Solutions for Organizational Complexity
Tempting but wrong
A CloudWatch alarm on a custom memory metric that emails the on-call rota through Amazon SNS removes the manual reboot.
Why it fails
Paging an engineer only shortens the response, it does not remove it. A human still has to log in and reboot the instance, so the recovery stays manual. A CloudWatch alarm with a native EC2 reboot action remediates automatically with no person in the loop.
Continuous Improvement for Existing Solutions
Tempting but wrong
A closed packaged ERP suite should be classified as refactor, and lifting a SQL Server estate into AWS unchanged is relocate.
Why it fails
Refactor means re-architecting an application you control, which a closed packaged ERP suite does not allow. Relocate is the VMware Cloud on AWS hypervisor move, not a database engine change, so both labels are mismatched.
Accelerate Workload Migration and Modernization
Tempting but wrong
CloudFormation drift detection plus termination protection will show which resources an update is about to replace or delete.
Why it fails
Termination protection only blocks stack deletion, and drift detection compares already-deployed resources to the template after the fact. Neither previews a pending update or reveals planned replacements before execution. A change set is what computes planned actions ahead of time.
Design for New Solutions
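The change-set workflow behind the two CloudFormation traps above (rollback triggers, drift detection and termination protection all act after the fact; only a change set computes planned actions first), as an added example that is not part of the original cheat sheet. It assumes the AWS CLI is installed and credentials are configured for the commented commands; the stack and change-set names are placeholders, and the `describe-change-set` output below is a constructed sample trimmed to the fields the check uses.

```python
"""Preview a CloudFormation update with a change set and refuse to execute it
while any resource would be replaced or removed."""

# The three CLI calls this check sits between (stack and template names are placeholders):
#   aws cloudformation create-change-set --stack-name my-stack \
#       --change-set-name preview --template-body file://template.yaml
#   aws cloudformation describe-change-set --stack-name my-stack --change-set-name preview
#   aws cloudformation execute-change-set --stack-name my-stack --change-set-name preview
# Nothing is executed until the describe output has been inspected.

# Constructed sample of a describe-change-set response (not captured from a real account).
SAMPLE_CHANGE_SET = {
    "Status": "CREATE_COMPLETE",
    "Changes": [
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "WebInstance",
            "ResourceType": "AWS::EC2::Instance", "Replacement": "True"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Modify", "LogicalResourceId": "AppSecurityGroup",
            "ResourceType": "AWS::EC2::SecurityGroup", "Replacement": "False"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Remove", "LogicalResourceId": "LegacyQueue",
            "ResourceType": "AWS::SQS::Queue"}},
        {"Type": "Resource", "ResourceChange": {
            "Action": "Add", "LogicalResourceId": "AuditBucket",
            "ResourceType": "AWS::S3::Bucket"}},
    ],
}


def disruptive_changes(change_set):
    """Return (logical id, resource type, reason) for every planned change that
    would replace or delete an existing resource.

    Replacement is reported as the strings "True", "False" or "Conditional";
    "Conditional" is treated as disruptive because it may replace the resource."""
    found = []
    for change in change_set.get("Changes", []):
        if change.get("Type") != "Resource":
            continue
        rc = change["ResourceChange"]
        action = rc.get("Action")
        replacement = rc.get("Replacement", "False")
        if action == "Remove":
            found.append((rc["LogicalResourceId"], rc["ResourceType"], "removed"))
        elif action == "Modify" and replacement in ("True", "Conditional"):
            found.append((rc["LogicalResourceId"], rc["ResourceType"],
                          "replaced" if replacement == "True" else "possibly replaced"))
    return found


def safe_to_execute(change_set):
    """Execute only a fully computed change set with no replacement or removal."""
    if change_set.get("Status") != "CREATE_COMPLETE":
        return False
    return not disruptive_changes(change_set)


if __name__ == "__main__":
    for logical_id, rtype, reason in disruptive_changes(SAMPLE_CHANGE_SET):
        print(f"{logical_id} ({rtype}) would be {reason}")
    print("safe to execute:", safe_to_execute(SAMPLE_CHANGE_SET))
```

The check is deliberately conservative: a `Conditional` replacement depends on property values CloudFormation cannot resolve until execution, so it is treated like a definite replacement rather than waved through.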
Tempting but wrong
AWS PrivateLink interface endpoints can build general any-to-any connectivity between many product VPCs.
Why it fails
PrivateLink exposes single services rather than whole VPCs, so it cannot deliver the general transitive routing a large estate needs between every VPC. It is ideal for publishing one shared service, but AWS Transit Gateway is the tool for broad VPC-to-VPC routing.
Design Solutions for Organizational Complexity
Tempting but wrong
An EC2 Auto Scaling group with a target tracking policy on average CPU will replace instances disabled by a memory leak.
Why it fails
Target tracking scales for load, not for unhealthy hosts. A leaking instance that still burns CPU would not be replaced, so the fault persists. A CloudWatch alarm with a native EC2 recovery action targets the actual status-check failure instead.
Continuous Improvement for Existing Solutions
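The native EC2 alarm actions referred to in the two "unhealthy instance" traps above, as an added example that is not from the original cheat sheet. The `arn:aws:automate:<region>:ec2:reboot` and `:ec2:recover` action ARNs and the `StatusCheckFailed_Instance` / `StatusCheckFailed_System` metrics are the documented CloudWatch and EC2 names; the instance id, region and alarm names are placeholders, and the function only builds the `put_metric_alarm` parameters so it runs offline (the boto3 call is shown in a comment).

```python
"""Build a CloudWatch alarm that remediates an EC2 status-check failure with a
native EC2 action, so no human is in the loop for the reboot or recovery."""

# Which metric each native action is meant for:
#   reboot  -> StatusCheckFailed_Instance (the guest OS or process is wedged, e.g. a memory leak)
#   recover -> StatusCheckFailed_System   (the underlying host failed; recover migrates the instance)
ACTION_FOR_METRIC = {
    "StatusCheckFailed_Instance": "reboot",
    "StatusCheckFailed_System": "recover",
}


def ec2_status_alarm(instance_id, region, action, alarm_name=None, failing_periods=3):
    """Return the keyword arguments for cloudwatch.put_metric_alarm().

    Raises ValueError if the requested action does not match the metric it must
    be paired with, which is the mistake that leaves an alarm firing without fixing anything."""
    metric = next((m for m, a in ACTION_FOR_METRIC.items() if a == action), None)
    if metric is None:
        raise ValueError(f"unsupported native action {action!r}; use 'reboot' or 'recover'")
    return {
        "AlarmName": alarm_name or f"{instance_id}-{action}-on-status-check",
        "Namespace": "AWS/EC2",
        "MetricName": metric,
        "Dimensions": [{"Name": "InstanceId", "Value": instance_id}],
        "Statistic": "Maximum",
        "Period": 60,                         # one-minute status checks
        "EvaluationPeriods": failing_periods, # consecutive failed minutes before acting
        "Threshold": 0,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "missing",
        # The native EC2 action: no SNS topic, no on-call engineer, no manual reboot.
        "AlarmActions": [f"arn:aws:automate:{region}:ec2:{action}"],
    }


def matches_metric(alarm):
    """True if the alarm's native action is paired with the metric it is designed for."""
    action = alarm["AlarmActions"][0].rsplit(":", 1)[-1]
    return ACTION_FOR_METRIC.get(alarm["MetricName"]) == action


if __name__ == "__main__":
    # Placeholder instance id and region (assumptions, not values from the cheat sheet).
    params = ec2_status_alarm("i-0123456789abcdef0", "us-east-1", "reboot")
    print(params["AlarmName"], "->", params["AlarmActions"][0])
    # To create it for real (requires boto3 and credentials):
    #   import boto3
    #   boto3.client("cloudwatch", region_name="us-east-1").put_metric_alarm(**params)
```

Pairing matters: a recover action watches the system status check because recovery moves the instance to new hardware, which does nothing for a leaking process, while a reboot action watches the instance status check because rebooting clears a wedged guest but cannot fix a failed host.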
Tempting but wrong
A per-server licensed ERP suite is a rehost, and migrating SQL Server data to a managed engine counts as retire.
Why it fails
Rehost ignores that the ERP is licensed per server and that the stated intent is a move to SaaS. Retire means switching an application off for good, not migrating its data to a managed engine, so both classifications misread the 7Rs.
Accelerate Workload Migration and Modernization
Key terms
Exam-day rules
- Read the long stem for its binding constraint before judging any option. Professional scenarios name several limits at once (cost, RTO and RPO, operational overhead, no application change, a compliance control); the one that breaks the tie is what picks the answer, and the rest is noise.
- When two designs both work, default to the managed, lowest-overhead one. AWS prefers managed and native services, so Transit Gateway over EC2 routers, change sets over rollback triggers, MGN over manual image export; reach for the manual option only when the scenario names a reason such as an engine to preserve or a provider with no managed rotation.
- Treat a service control policy as the answer for any control that must hold against an account administrator. An SCP is evaluated above IAM, so it binds every principal preventatively; a permission boundary, a Config rule or a Security Hub finding cannot, and offering one of those is the trap.
- On multiple-response questions, both halves must be right or you score nothing. These often pair a network-layer control with a service-layer control, or a remediation action with a preventative guardrail; pick the complementary pair, not two answers that do the same job.
- Match the migration tooling to what is moving. AWS Application Migration Service replicates whole servers for low-downtime rehosting, AWS Database Migration Service moves database rows with full-load-plus-change-data-capture for near-zero downtime, and the 7Rs label (repurchase, replatform, rehost) classifies the workload before any move.
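The SCP rule in the list above ("an SCP is evaluated above IAM, so it binds every principal preventatively") is easiest to see by walking the evaluation order. This is an added illustration, not part of the cheat sheet: a deliberately simplified model of AWS policy evaluation for a same-account IAM principal that considers only Action matching (no Resource, Condition, permission boundary, session or resource-based policy). The `organizations:LeaveOrganization` deny is the standard documented SCP example and `FullAWSAccess` is the default SCP; the account-administrator IAM policy is constructed.

```python
"""Simplified model of why an SCP deny binds even an account administrator.

Evaluation order modelled here (a subset of the real AWS logic):
  1. An explicit Deny in any SCP wins, whatever IAM says.
  2. No SCP Allow matching the action -> implicit deny.
  3. An explicit Deny in an IAM policy wins.
  4. An IAM Allow is required; otherwise implicit deny.
"""
from fnmatch import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(statement, action):
    """True if the statement's Action list covers the action (wildcards allowed)."""
    return any(fnmatch(action, pattern) for pattern in _as_list(statement.get("Action", [])))


def _effects(policies, action):
    """Collect the Effect of every statement in the given policies that matches the action."""
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"]) if _matches(s, action)}


def is_allowed(action, scps, iam_policies):
    """Return True only if the SCPs allow the action and no applicable policy denies it."""
    scp_effects = _effects(scps, action)
    if "Deny" in scp_effects:       # preventative guardrail above IAM
        return False
    if "Allow" not in scp_effects:  # SCPs must grant before IAM is even consulted
        return False
    iam_effects = _effects(iam_policies, action)
    if "Deny" in iam_effects:
        return False
    return "Allow" in iam_effects


# Default SCP that AWS attaches to every root, OU and account.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Documented SCP example: stop member accounts from leaving the organization.
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny",
                                 "Action": "organizations:LeaveOrganization"}]}

# Constructed IAM policy for an account administrator: full rights inside the account.
ACCOUNT_ADMIN = [{"Statement": [{"Effect": "Allow", "Action": "*"}]}]

# Constructed IAM policy for a read-only analyst.
READ_ONLY = [{"Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*"]}]}]

if __name__ == "__main__":
    org_scps = [FULL_AWS_ACCESS, DENY_LEAVE_ORG]
    for action in ("ec2:RunInstances", "organizations:LeaveOrganization"):
        print(f"admin {action}: {is_allowed(action, org_scps, ACCOUNT_ADMIN)}")
    print("analyst ec2:RunInstances:", is_allowed("ec2:RunInstances", org_scps, READ_ONLY))
```

The point the exam rule makes falls out of step 1: the administrator's `*` allow never gets a vote on `organizations:LeaveOrganization`, whereas a permission boundary or a Config rule lives inside the account and can be edited or ignored by the same administrator.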
Revision schedule
- Day 1: Map the four domains and book a date
- Week 1: Build the estate-scale decision trees
- Weeks 1 to 2: Go deep on organisational complexity (Domain 1)
- Weeks 2 to 3: Master new-solution design (Domain 2)
- Weeks 3 to 4: Lock continuous improvement and migration (Domains 3 and 4)