Interview Prep · Senior · Published June 2026

Top 10 AWS SAP-C02 interview questions and how to answer them in 2026

Published June 11, 2026 · ~8 min read · No AWS or training-vendor revenue
Exam fee: $300 · Pass score: 750/1000 · 75 Qs in 180 min · Senior architect base: $150–220k
TL;DR — the 30-second version

The SAP-C02 is the credential AWS hiring managers look for when filtering for senior and principal solutions architect roles. It costs $300, runs 75 long scenario questions in 180 minutes, and needs 750/1000 to pass. The cert proves you can name the right service. Answering these 10 questions correctly — with the operational caveat hiding in each one — proves you can pick the right architecture, and that’s what wins the offer band.

These questions came up most frequently in senior AWS architect interview loops reported by candidates through 2025–2026. They test design judgment across multi-account governance (Organizations, Control Tower, SCPs), enterprise networking (Transit Gateway, PrivateLink, Direct Connect), hybrid and migration (Outposts, DMS, MGN), resilience and DR, and FinOps — not memorized service descriptions.

The 10 questions

1. AWS Organizations, Control Tower, and the old Landing Zone — which goes where?

Organizations is the raw multi-account primitive: organizational units (OUs), service control policies (SCPs), and consolidated billing. Control Tower is the managed governance layer on top — it sets up Organizations, configures the management account, deploys mandatory guardrails (preventive SCPs and detective AWS Config rules), and provisions an account factory backed by Service Catalog. The legacy AWS Landing Zone solution was retired in favor of Control Tower for new builds in 2018. The senior-architect answer in 2026 is Control Tower for greenfield, Organizations directly when you need patterns Control Tower can’t express (custom OU layouts, partial-region rollouts), and Landing Zone only in maintenance for legacy customers. Candidates who say “just use Organizations and roll your own” lose the round to the candidate who understands why Control Tower exists.

2. Design a multi-account strategy for a 200-engineer enterprise. What does the OU layout look like?

Per the AWS Security Reference Architecture, group accounts by purpose into OUs: Security (log archive, security tooling), Infrastructure (shared networking, shared services), Workloads (Prod and Non-Prod sub-OUs by team), Sandbox (developer experimentation, budget-capped), Suspended (decommissioning). Give the log archive its own account (immutable CloudTrail and Config bucket with object lock) and a separate security tooling account that is the delegated administrator for GuardDuty, Security Hub, Detective, and Macie. Shared networking lives in its own account: Transit Gateway, Resolver, and centralized egress. Workload accounts live one-per-team-per-environment, provisioned through Control Tower Account Factory for Terraform. SSO via IAM Identity Center mapped to permission sets — never IAM users in workload accounts. SCPs at OU level enforce region restrictions, deny root usage, and block high-risk APIs.

3. SCP versus IAM policy versus permission boundary — when does each apply?

Order of evaluation matters: a request must pass every layer, and an explicit deny at any layer wins. SCPs are the maximum-permission ceiling at the AWS Organizations level — they can’t grant, only deny or allow-list (and they don’t apply to the management account, which is a frequent interview trap). Permission boundaries cap the effective permissions of the IAM role or user they are attached to; paired with a condition that forces every newly created role to carry the boundary, they let you safely delegate IAM administration to developers (“you can create roles, but only within this boundary”). IAM identity policies grant permissions to a principal. Resource policies grant access to a resource. Session policies trim a session further than the identity policy. The pattern hiring managers reward: SCPs for governance guardrails (no public S3, no IAM user creation, no Internet Gateway in regulated OUs), permission boundaries to enable developer self-service IAM, IAM policies for day-to-day permissions, and resource policies for cross-account access.
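The layering described in questions 2 and 3 is easiest to reason about by running it. The following is an added example written for this article, not AWS code or an AWS SDK call: a deliberately small model of the evaluation order over constructed sample policies (the OU-level SCP set, a developer role with a permissions boundary, the account’s root user, and an admin in the management account). Account IDs, ARNs and policy contents are made up; resource and session policies are left out of the model, and only the three condition operators the sample policies use are implemented.

```python
from fnmatch import fnmatch

# Constructed sample data, not taken from the article: the SCP set attached
# to a Workloads OU, one developer role with a permissions boundary, the
# account's root user, and an admin role in the management account.
MANAGEMENT_ACCOUNT = "999999999999"
BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/DeveloperBoundary"

SCPS = [
    # FullAWSAccess: SCPs only set a ceiling, so an Allow is still needed somewhere
    {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    # Region restriction; NotAction exempts global services that only answer in us-east-1
    {"Statement": [{"Effect": "Deny", "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
                    "Resource": "*",
                    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]},
    # Deny root usage in member accounts
    {"Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                    "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}}]},
    # Block IAM user creation (identities come from IAM Identity Center instead)
    {"Statement": [{"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"], "Resource": "*"}]},
]

DEVELOPER = {
    "arn": "arn:aws:iam::111111111111:role/developer", "account": "111111111111",
    "boundary": {"Statement": [{"Effect": "Allow", "Resource": "*",
                                "Action": ["s3:*", "ec2:*", "iam:CreateRole", "iam:PassRole"]}]},
    "policies": [{"Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "lambda:*"], "Resource": "*"},
        # Self-service IAM: roles may be created only if they carry the boundary
        {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
    ]}],
}
FULL_ACCESS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]
ROOT_USER = {"arn": "arn:aws:iam::111111111111:root", "account": "111111111111", "policies": FULL_ACCESS}
MGMT_ADMIN = {"arn": "arn:aws:iam::999999999999:role/OrgAdmin", "account": MANAGEMENT_ACCOUNT,
              "policies": FULL_ACCESS}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _action_matches(stmt, action):
    if "NotAction" in stmt:
        return not any(fnmatch(action, p) for p in _as_list(stmt["NotAction"]))
    return any(fnmatch(action, p) for p in _as_list(stmt["Action"]))


def _condition_holds(cond, ctx):
    """Only the operators the sample policies use. A missing context key fails
    StringEquals and ArnLike but satisfies StringNotEquals, as in IAM."""
    for operator, keys in cond.items():
        for key, wanted in keys.items():
            wanted, actual = _as_list(wanted), ctx.get(key)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringNotEquals":
                ok = actual not in wanted
            elif operator == "ArnLike":
                ok = actual is not None and any(fnmatch(actual, p) for p in wanted)
            else:
                raise ValueError(f"unsupported condition operator {operator}")
            if not ok:
                return False
    return True


def _decision(policies, action, ctx):
    """One layer: an explicit Deny wins over any Allow; no match is an implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_matches(stmt, action) and _condition_holds(stmt.get("Condition", {}), ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else None


def evaluate(principal, action, ctx):
    """Every applicable layer must return Allow. SCPs are skipped for the
    management account; the boundary layer exists only if one is attached."""
    ctx = {**ctx, "aws:PrincipalArn": principal["arn"]}
    layers = []
    if principal["account"] != MANAGEMENT_ACCOUNT:
        layers.append(("SCP", SCPS))
    if principal.get("boundary"):
        layers.append(("PermissionsBoundary", [principal["boundary"]]))
    layers.append(("IdentityPolicy", principal["policies"]))
    for name, policies in layers:
        if _decision(policies, action, ctx) != "Allow":
            return f"Deny ({name})"
    return "Allow"


if __name__ == "__main__":
    eu, us = {"aws:RequestedRegion": "eu-west-1"}, {"aws:RequestedRegion": "us-east-1"}
    print(evaluate(DEVELOPER, "s3:GetObject", eu))           # Allow
    print(evaluate(DEVELOPER, "s3:GetObject", us))           # Deny (SCP): region guardrail
    print(evaluate(DEVELOPER, "lambda:CreateFunction", eu))  # Deny (PermissionsBoundary)
    print(evaluate(DEVELOPER, "iam:CreateRole", {**eu, "iam:PermissionsBoundary": BOUNDARY_ARN}))  # Allow
    print(evaluate(ROOT_USER, "s3:ListAllMyBuckets", eu))    # Deny (SCP): root blocked in member accounts
    print(evaluate(MGMT_ADMIN, "iam:CreateUser", us))        # Allow: SCPs do not bind the management account
```

Two results are worth dwelling on. The developer’s identity policy grants `lambda:*`, yet the request is denied because the boundary never mentions Lambda: the boundary is a ceiling on the principal itself. And the same `iam:CreateUser` call that the OU-level SCP blocks in a member account sails through in the management account, which is exactly why the management account should hold no workloads.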

4. How do you wire up a hub-and-spoke VPC topology with Transit Gateway?

Deploy Transit Gateway in a dedicated networking account, share it via AWS Resource Access Manager (RAM) to every spoke VPC’s account, and attach the spokes. Use Transit Gateway route tables to segment traffic: one route table for production, another for non-production, a third for shared services. Centralize egress through a firewall VPC (AWS Network Firewall or a third-party NGFW behind a Gateway Load Balancer) so spokes have no NAT gateways. Use Transit Gateway peering for inter-region connectivity rather than full meshes of VPC peering — peered VPCs don’t support transitive routing, which is the failure mode every junior architect hits. For on-prem, terminate Direct Connect or Site-to-Site VPN on the Transit Gateway, not on individual VPCs. The interview tell-tale: candidates who reach for VPC peering at scale haven’t designed past five VPCs.
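To make the route-table segmentation concrete (and the non-transitive peering point in the FAQ below), here is an added example written for this article, not AWS code: a constructed five-VPC topology on one Transit Gateway, with associations, propagations and a default route to the firewall VPC, plus a longest-prefix-match lookup so you can ask where a packet from a given attachment goes. The CIDRs, attachment names and route-table names are made up.

```python
import ipaddress

# Constructed topology, not from the article: two production spokes, one
# non-production spoke, a shared-services VPC and a firewall/egress VPC,
# all attached to a single Transit Gateway.
ATTACHMENTS = {
    "prod-a": "10.1.0.0/16", "prod-b": "10.2.0.0/16", "nonprod": "10.100.0.0/16",
    "shared": "10.200.0.0/16", "egress": "10.250.0.0/16",
}
# Association: the route table an attachment's outbound traffic is looked up in
ASSOCIATIONS = {"prod-a": "rt-prod", "prod-b": "rt-prod", "nonprod": "rt-nonprod",
                "shared": "rt-shared", "egress": "rt-shared"}
# Propagation: which route tables learn each attachment's CIDR
PROPAGATIONS = {
    "prod-a": ["rt-prod", "rt-shared"], "prod-b": ["rt-prod", "rt-shared"],
    "nonprod": ["rt-nonprod", "rt-shared"],
    "shared": ["rt-prod", "rt-nonprod", "rt-shared"],
}
# Static routes: both environment tables send everything else to the firewall VPC
STATIC_ROUTES = {"rt-prod": [("0.0.0.0/0", "egress")], "rt-nonprod": [("0.0.0.0/0", "egress")]}


def build_route_tables():
    """Materialize each TGW route table as a list of (network, attachment)."""
    tables = {}
    for att, names in PROPAGATIONS.items():
        for name in names:
            tables.setdefault(name, []).append((ipaddress.ip_network(ATTACHMENTS[att]), att))
    for name, routes in STATIC_ROUTES.items():
        for cidr, att in routes:
            tables.setdefault(name, []).append((ipaddress.ip_network(cidr), att))
    return tables


def next_hop(tables, source, dest_ip):
    """Longest-prefix match in the table associated with the source attachment;
    None means the Transit Gateway blackholes the packet."""
    ip = ipaddress.ip_address(dest_ip)
    matches = [(net, att) for net, att in tables[ASSOCIATIONS[source]] if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def peering_reachable(peerings, src, dst):
    """VPC peering is point-to-point: only a directly peered pair can talk."""
    return (src, dst) in peerings or (dst, src) in peerings


if __name__ == "__main__":
    tables = build_route_tables()
    print(next_hop(tables, "prod-a", "10.2.3.4"))       # prod-b: same segment
    print(next_hop(tables, "prod-a", "10.200.1.1"))     # shared: reachable from every segment
    print(next_hop(tables, "prod-a", "10.100.1.1"))     # egress: nonprod is absent from rt-prod, the firewall sees it
    print(next_hop(tables, "shared", "93.184.216.34"))  # None: rt-shared carries no default route
    print(peering_reachable({("A", "B"), ("B", "C")}, "A", "C"))  # False: no transitive hop
```

The prod-to-nonprod case is the one to notice: because `nonprod` never propagates into `rt-prod`, the only matching route is the default to the firewall VPC, so cross-environment traffic is inspected (or dropped) rather than delivered; remove the default route and it blackholes instead. The last line is the peering failure mode in miniature: A↔B and B↔C give no A↔C.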

5. PrivateLink, VPC endpoints (Gateway and Interface), and Transit Gateway — when do you use which?

Gateway endpoints (S3, DynamoDB only) are free, sit on a route-table entry, and keep traffic on AWS’s private backbone — use these every time, no excuses. Interface endpoints (powered by PrivateLink) put an ENI in your VPC for ~150 AWS services and third-party SaaS — charged per hour and per GB, but they remove NAT-gateway data-processing charges and remove the need to traverse the Internet. PrivateLink for your own service: expose an NLB or GWLB through a VPC endpoint service so consumer VPCs can call you without VPC peering, route propagation, or overlapping CIDR concerns — this is the senior-architect pattern for SaaS-style internal platforms. Transit Gateway is for connecting your own networks; PrivateLink is for service-to-service access where the consumer doesn’t need to see the producer’s network at all. Mixing them up costs the offer.

6. Walk me through the four AWS disaster-recovery strategies.

Backup-and-restore: only data is replicated; infrastructure rebuilt on demand. RTO hours, RPO hours, cheapest. Pilot light: core resources (databases, key compute baseline) run idle in DR region; the rest spins up on failover. RTO tens of minutes, RPO minutes. Warm standby: a scaled-down full stack runs in DR; auto-scaling brings it to full capacity on failover. RTO minutes, RPO seconds. Multi-site active-active: full stacks running in both regions, traffic split via Route 53 or Global Accelerator. RTO seconds, RPO near-zero, most expensive. The senior-architect answer maps RTO and RPO to dollars-of-downtime-per-hour and picks the cheapest tier that meets the target — warm standby is roughly 30–50 percent of full active-active cost for 90 percent of the RTO benefit. Mention AWS Elastic Disaster Recovery (DRS) as the managed replication primitive for pilot light and warm standby, and the AWS Resilience Hub for measuring policy compliance.

7. A legacy on-prem datacenter needs to move 800 TB and 400 VMs to AWS over 6 months. What’s the migration plan?

Three streams in parallel. Discovery: AWS Application Discovery Service (or Migration Evaluator) to inventory dependencies, build the wave plan, and price the target state. Data: continuous replication for hot data via AWS DMS for databases and AWS DataSync for file shares; AWS Snowball or Snowmobile for the bulk one-shot transfer of cold data — bandwidth math first (over a 1 Gbps link, 800 TB takes ~74 days non-stop). Compute: AWS Application Migration Service (MGN) for lift-and-shift of the VMs in waves, with cutover windows scheduled by application dependency. Land in a Control-Tower-governed landing zone with the security baseline already in place — don’t migrate into accounts you’ll have to retrofit. AWS Migration Hub coordinates the streams; the AWS Migration Acceleration Program (MAP) funds the engagement. The candidate who proposes “rsync over the internet” for 800 TB is signaling they haven’t done a real migration.

8. The CFO wants to cut the AWS bill 20 percent in 90 days. What’s your move?

FinOps-flavored answers win this round. First, buy what you should have bought already: a 1-year Compute Savings Plan covering the steady-state baseline (typically 30–50 percent of spend) lands 27 percent savings overnight with zero engineering risk. Second, rightsize: AWS Compute Optimizer for EC2 and EBS recommendations, and S3 Storage Lens for objects — expect 15–25 percent of compute and 30–40 percent of S3 are oversized or unused. Third, kill zombies: unattached EBS volumes, orphaned snapshots, unused Elastic IPs, idle NAT gateways in dev accounts. Fourth, S3 Intelligent-Tiering on the data lake and Glacier Instant Retrieval on the cold archive. Fifth, attribute the bill: enable Cost Allocation Tags, push the report to each engineering team weekly, and gate new spend with AWS Budgets and CUR-driven alerts. Don’t lead with “move to Graviton” — the highest-leverage move in 90 days is contractual (Savings Plans), not architectural.
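“Covering the steady-state baseline” is a sizing decision, and a candidate who can show how the commitment level is chosen separates from one who only names Savings Plans. The block below is an added example written for this article, not an AWS tool or billing API: it sweeps hourly commitment levels over a constructed week of hourly on-demand compute spend and picks the one that maximizes net savings. The pricing model is a deliberate simplification (an assumption, not AWS’s exact billing logic): you pay the commitment every hour whether used or not, it covers on-demand value up to commit/(1 − discount), and anything above that is billed on demand. The 27 percent discount is the article’s figure; the spend series is made up.

```python
# Constructed hourly on-demand compute spend for one week (168 hours): a
# $40/h baseline plus a $35/h business-hours peak on weekdays. Not real data.
def constructed_hourly_spend():
    spend = []
    for hour in range(168):
        weekday = hour // 24 < 5
        business_hours = 8 <= hour % 24 < 18
        spend.append(40.0 + (35.0 if weekday and business_hours else 0.0))
    return spend


def cost_with_commitment(hourly_spend, commit, discount):
    """Simplified Savings Plan model (assumption, not AWS's exact billing):
    `commit` is paid every hour regardless of use; it covers on-demand value
    up to commit / (1 - discount); the remainder is charged on demand."""
    covered_capacity = commit / (1 - discount)
    total = 0.0
    for on_demand in hourly_spend:
        covered = min(on_demand, covered_capacity)
        total += commit + (on_demand - covered)
    return total


def best_commitment(hourly_spend, discount, step=1.0):
    """Sweep hourly commitments from 0 to the peak hour and return the
    (commit, total_savings) pair with the largest savings over the period."""
    baseline_cost = sum(hourly_spend)
    best = (0.0, 0.0)
    commit = 0.0
    while commit <= max(hourly_spend):
        savings = baseline_cost - cost_with_commitment(hourly_spend, commit, discount)
        if savings > best[1]:
            best = (commit, savings)
        commit += step
    return best


if __name__ == "__main__":
    spend = constructed_hourly_spend()
    commit, savings = best_commitment(spend, discount=0.27)
    print(f"on-demand week: ${sum(spend):,.0f}")
    print(f"best hourly commitment: ${commit:.0f}/h, saves ${savings:,.0f} ({savings / sum(spend):.1%})")
```

The sweep lands the commitment just under the point where it would cover the $40/h baseline and no more; every dollar committed above that is paid for during the 118 off-peak hours and only earns its discount during the 50 peak hours, so savings fall. That is the page’s advice in numbers: commit to the floor you run 24x7, not to the peak.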

9. Hybrid AWS: Outposts, Local Zones, Wavelength, and ECS Anywhere — what does each solve?

Outposts is an AWS-managed rack of physical hardware delivered to your datacenter, running EC2, EBS, S3 on Outposts, RDS, ECS, and EKS locally. Use for ultra-low-latency to on-prem systems (manufacturing, trading) or strict data-residency rules where data can’t leave the building. Local Zones are AWS-owned extensions of a region into a metro (Boston, Houston, etc.) that bring compute, storage, and GPU close to the user — use for sub-10ms latency to a metro, no on-prem hardware needed. Wavelength embeds AWS compute inside telco 5G networks — for sub-10ms to mobile devices, niche but real for AR/VR and live video. ECS Anywhere and EKS Anywhere run AWS’s container control plane against your on-prem hardware, giving a unified deployment plane without delivering AWS hardware on-site. Hiring managers test whether you reach for Outposts when Local Zones (or just regional latency) would have done.

10. How much do SAP-C02-anchored senior AWS architect roles pay in 2026?

$150,000–$220,000 base in US metros for senior cloud architect and principal solutions architect roles requiring SAP-C02 plus 5+ years of AWS operations. Total comp reaches $250,000–$320,000 at FAANG-adjacent employers with RSU grants and bonus. The official AWS SAP-C02 page lists the current exam guide and skills measured. The BLS reports a 2024 median wage of $130,390 for computer network architects; SAP-C02-anchored postings cluster at the 75th to 90th percentile of that distribution, with a clear premium when paired with hands-on Terraform, EKS, or Organizations design portfolio evidence.

What these questions test

Every question has a “cert-book answer” and a “design-judgment answer.” SAP-C02 interviews want the second — the version that names the trade-off, the cost lever, and the operational gotcha (Control Tower over rolling your own, permission boundaries for self-service IAM, Transit Gateway over peering meshes, Savings Plans before re-architecture, warm standby instead of full active-active when the budget can’t justify it). Passing SAP-C02 proves you can recognize the right service. Answering these correctly proves you’ve actually shipped an AWS landing zone with auditors, a CFO, and 200 engineers watching.

Practice SAP-C02 questions right now — no signup

CertQuests has engineer-written AWS SAP-C02 scenario questions with full explanations on every answer. Free, no account required.

Frequently asked questions

What’s the difference between AWS Organizations and Control Tower?

Organizations is the raw multi-account primitive (OUs, SCPs, consolidated billing). Control Tower is the managed governance layer on top — it sets up Organizations, applies a default set of preventive SCPs and detective Config rules, and gives you an Account Factory for provisioning new accounts. Use Control Tower for greenfield, Organizations directly when you need patterns Control Tower can’t express.

Why use Transit Gateway instead of VPC peering?

VPC peering doesn’t support transitive routing — peering A↔B and B↔C does not give A↔C. At more than five VPCs a peering mesh becomes ungovernable. Transit Gateway gives you a star topology with per-route-table segmentation, RAM sharing across accounts, and a single termination point for Direct Connect and VPN.

What’s the right starting point for DR?

Decide the RTO and RPO the business will actually pay for first — almost every team over-specifies. Map those numbers to backup-and-restore, pilot light, warm standby, or active-active, pick the cheapest tier that meets the target, and use AWS Elastic Disaster Recovery as the managed replication primitive for pilot light and warm standby tiers.

How much do SAP-C02 anchored senior AWS roles pay in 2026?

$150,000–$220,000 base in US metros for senior cloud architect and principal solutions architect roles with SAP-C02 plus 5+ years of AWS operations. Total comp $250,000–$320,000 at FAANG-adjacent. Clear premium when paired with hands-on Terraform, EKS, or Organizations design experience.

What is the SAP-C02 exam format?

75 questions in 180 minutes, all multiple choice or multiple response. 750/1000 (scaled) to pass. $300 USD. Questions are long, multi-paragraph scenarios spanning Organizations, networking, hybrid, migration, cost, and security at the same time — pure memorization fails.

Do I need SAA-C03 before SAP-C02?

Not officially required, but practically yes. SAP-C02 assumes you can navigate every AWS service the SAA covers without thinking about it — the professional exam tests composing those services into multi-account, hybrid, multi-region architectures. Candidates who skip SAA and jump straight to SAP fail on the long-scenario questions where the design depends on a service interaction they haven’t internalized.

How we wrote this

No AWS or training-vendor revenue. Questions were sourced from candidate reports on Reddit (r/AWSCertifications, r/cscareerquestions), the AWS re:Post community, principal-architect LinkedIn groups, and senior cloud hiring-manager interviews across 2025–2026, cross-referenced against the official AWS Certified Solutions Architect – Professional exam guide and the AWS Security Reference Architecture. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Levels.fyi as of Q2 2026. Tell us what you’d update.

Last reviewed: June 11, 2026.