AWS Certified Solutions Architect - Professional

AWS Certified Solutions Architect - Professional Cheat Sheet

AWS SAP-C02: Architect at Scale — Trade-offs at Every Layer

The professional exam expects you to design complex, multi-account, hybrid architectures — not just select individual services. Integration patterns and migration strategies dominate.

Among the harder certs
Avg: Approximately 60–65%
Pass: 750 / 1000
Most candidates understand AWS Certified Solutions Architect - Professional concepts — and still fail. This exam tests how you apply knowledge under pressure.

SAP-C02 Architecture Decision Framework

SAP-C02 requires synthesis across multiple AWS domains simultaneously. Every question presents a complex scenario with multiple valid options — the correct answer is the one that best balances all specified constraints including cost, operational complexity, resilience, and security.

  1. Design for complexity — Multi-account, multi-region, hybrid architectures
  2. Optimize continuously — Cost, performance, resilience in conflict at scale
  3. Accelerate migration — 7 Rs of migration: Retire, Retain, Rehost, Replatform, Repurchase, Refactor, Relocate
  4. Improve reliability — RTO/RPO-driven DR strategies
  5. Secure everything — Cross-account IAM, SCPs, Organizations policies

Wrong instinct vs correct approach

A company needs to migrate 100 on-premises servers to AWS with minimal disruption
✕ Wrong instinct

Rehost all servers using lift-and-shift to minimize risk

✓ Correct approach

Assess each workload against the 7 Rs — some servers may be candidates for retirement, replatforming, or refactoring that deliver better outcomes than a blanket lift-and-shift approach

A global application needs RTO of 1 minute and RPO of near-zero
✕ Wrong instinct

Use Warm Standby since it's cost-effective and provides fast recovery

✓ Correct approach

RTO of 1 minute requires Multi-Site Active/Active or Multi-Region Active-Active — Warm Standby typically achieves minutes-to-tens-of-minutes RTO, which doesn't meet the requirement

Multiple business units need isolated environments but centralized networking
✕ Wrong instinct

Create separate VPCs and peer them all

✓ Correct approach

Use AWS Transit Gateway for hub-and-spoke networking at scale; VPC peering doesn't scale to many accounts and requires N*(N-1)/2 connections

Know these cold

  • Multi-account = AWS Organizations + SCPs + consolidated billing
  • 7 Rs: Retire, Retain, Rehost, Replatform, Repurchase, Refactor, Relocate — know when each applies
  • DR hierarchy — Backup/Restore → Pilot Light → Warm Standby → Multi-Site Active/Active (RTO order)
  • Transit Gateway for multi-VPC/multi-account networking; VPC peering doesn't scale
  • SCPs restrict maximum permissions — IAM grants within those limits
  • AWS Control Tower automates multi-account governance with landing zones
  • Network Firewall for deep packet inspection; WAF for web application protection

Can you answer these without checking your notes?

In this scenario: "A company needs to migrate 100 on-premises servers to AWS with minimal disruption" — what should you do first?
Assess each workload against the 7 Rs — some servers may be candidates for retirement, replatforming, or refactoring that deliver better outcomes than a blanket lift-and-shift approach
In this scenario: "A global application needs RTO of 1 minute and RPO of near-zero" — what should you do first?
RTO of 1 minute requires Multi-Site Active/Active or Multi-Region Active-Active — Warm Standby typically achieves minutes-to-tens-of-minutes RTO, which doesn't meet the requirement
In this scenario: "Multiple business units need isolated environments but centralized networking" — what should you do first?
Use AWS Transit Gateway for hub-and-spoke networking at scale; VPC peering doesn't scale to many accounts and requires N*(N-1)/2 connections

Common Exam Mistakes — What candidates get wrong

Designing single-account architectures when multi-account is required

Enterprise architectures on AWS use AWS Organizations with multiple accounts for security isolation, billing separation, and compliance. Candidates who design everything in one account miss the organizational architecture layer.

Confusing the 7 Rs migration strategies

Rehosting (lift-and-shift) is fast but misses cloud benefits. Replatforming makes targeted changes (e.g., switch to RDS). Refactoring redesigns for cloud-native. Selecting the wrong migration strategy for the business context is a common error.

Misapplying DR strategies to RTO/RPO requirements

Backup & Restore has the longest RTO/RPO. Pilot Light maintains core services warm. Warm Standby maintains a scaled-down full environment. Multi-Site Active/Active has near-zero RTO/RPO. Matching the wrong strategy to the RPO requirement is a fundamental error.

Overcomplicating architectures when simpler solutions meet the requirements

SAP-C02 rewards architecturally sound simplicity. Candidates who design highly complex solutions when a simpler managed service approach meets the stated requirements score lower than those who identify the elegantly simple answer.

Ignoring AWS Organizations and Service Control Policies

At enterprise scale, SCPs restrict what accounts can do regardless of IAM policies. Candidates who don't account for SCP restrictions when designing cross-account access patterns produce incorrect security designs.
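
The interaction described above, as an added example that is not part of the original cheat sheet: a simplified Python model of how SCPs at every level of the organization cap what an IAM policy can grant. The policy contents and all names are constructed for illustration, and conditions, resources, permission boundaries and resource-based policies are not modelled.

```python
from fnmatch import fnmatchcase

def matches(statement, action):
    """True if any action pattern in the statement matches (IAM-style '*' wildcard)."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in statement["Action"])

def decide(statements, action):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one set of statements."""
    hits = [s["Effect"] for s in statements if matches(s, action)]
    if "Deny" in hits:                      # an explicit deny always wins
        return "Deny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

def scp_permits(scp_levels, action):
    """Every level (root, each OU, the account) must allow; a deny at any level wins."""
    return all(decide(level, action) == "Allow" for level in scp_levels)

def effective(scp_levels, iam_statements, action, management_account=False):
    """SCPs cap permissions, IAM grants within the cap. Returns (allowed, reason)."""
    # SCPs do not apply to principals in the organization's management account.
    if not management_account and not scp_permits(scp_levels, action):
        return False, "blocked by SCP"
    verdict = decide(iam_statements, action)
    if verdict != "Allow":                  # an SCP allow grants nothing by itself
        return False, f"IAM {verdict}"
    return True, "allowed"

# Constructed sample policies (hypothetical organization layout).
FULL_ACCESS = [{"Effect": "Allow", "Action": ["*"]}]
ROOT = FULL_ACCESS
WORKLOADS_OU = FULL_ACCESS + [
    {"Effect": "Deny",
     "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"]},
]
ACCOUNT = [{"Effect": "Allow", "Action": ["s3:*", "ec2:*", "sts:AssumeRole"]}]
LEVELS = [ROOT, WORKLOADS_OU, ACCOUNT]

ADMIN_ROLE = [{"Effect": "Allow", "Action": ["*"]}]       # IAM "administrator"
READ_ROLE = [{"Effect": "Allow", "Action": ["s3:Get*"]}]  # narrow IAM role

if __name__ == "__main__":
    for role, action in [(ADMIN_ROLE, "s3:GetObject"),
                         (ADMIN_ROLE, "cloudtrail:StopLogging"),
                         (ADMIN_ROLE, "rds:CreateDBInstance"),
                         (READ_ROLE, "ec2:RunInstances")]:
        print(action, effective(LEVELS, role, action))
```

An IAM administrator in the member account is still stopped by the OU-level deny and by the account-level allow-list, while the narrow role is refused by IAM even though the SCPs would permit the action.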

Professional-level AWS tests synthesis and trade-offs, not individual service knowledge. Test whether you can architect at enterprise scale.