What changes between Associate and Professional

The AWS Certified Solutions Architect – Associate (SAA-C03) proves you can select the right AWS services for a given scenario. It does not prove you can design a governance structure for a 50-account AWS Organisation, define a disaster recovery architecture with a 15-minute RTO across two regions, or plan a large-scale database migration from on-premises Oracle to Aurora PostgreSQL with minimal downtime. Those are Professional-level problems.

SAP-C02 questions present real production constraints (a regulatory requirement, a latency budget, an existing Direct Connect circuit, a $40,000/month cost ceiling) and require you to satisfy all of them simultaneously with the selected architecture. There are very few “which service handles X?” questions; the exam assumes you already know that. Every scenario is a multi-constraint trade-off, and the correct answer is the one that satisfies all stated requirements at the lowest operational overhead. The exam costs $300 USD, is delivered at Pearson VUE test centres and via online proctoring, and is offered in English, Japanese, Korean and Simplified Chinese (check the current exam guide, as the language list changes over time).

The Professional mindset shift

At the Associate level, you identify the right service. At the Professional level, you design the right architecture under constraints. When you read a SAP-C02 scenario, resist the urge to answer “which service?” and instead ask: “which combination of services and configurations satisfies all stated constraints — RTO, cost, compliance, and operational burden — simultaneously?” That architectural reasoning under constraint is what the exam actually measures.

The four exam domains

AWS publishes the full exam guide at aws.amazon.com/certification. The four domains and their weightings are:

Domain 1 — Design Solutions for Organisational Complexity (26%)

The second-heaviest domain by weighting and the one most underestimated by candidates arriving from the Associate exam. Know AWS Organizations end-to-end: root, organisational units (OUs), member accounts, and the management account. Service control policies (SCPs) are the core governance mechanism: they cap the permissions an identity in a member account can use, regardless of what its IAM policies grant, and they never grant permissions themselves. For a request to be allowed in a member account, some SCP at every level from the root down through each OU to the account must allow it and none may deny it; only then do the IAM policies decide. Know the two SCP strategies: deny-list (the default FullAWSAccess SCP stays attached everywhere and explicit Deny statements carve out what is forbidden) and allow-list (FullAWSAccess is replaced by explicit Allow statements, so nothing is permitted unless listed; common in regulated workloads). Know that SCPs do not affect the management account, do not affect service-linked roles, and do not affect principals from outside the organisation that reach your resources through resource-based policies.
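
The evaluation order in the paragraph above is easier to remember once you have stepped through it. The following is an added example written for this page, not AWS code and not a reproduction of the real IAM policy engine: it models only Allow/Deny statements with wildcard actions on Resource "*" (no conditions, resource-based policies, permission boundaries or session policies), and all the policies in it are constructed. It demonstrates the three behaviours the exam tests: an SCP deny beats an IAM allow, an SCP allow grants nothing on its own, and the management account is exempt.

```python
"""Toy evaluator for how SCPs combine with IAM identity policies.

Added example for this page, not AWS code. It models Allow/Deny statements with
wildcard actions on Resource "*" only: no conditions, resource-based policies,
permission boundaries or session policies. What it demonstrates is the exam
point: SCPs set a ceiling, IAM grants within that ceiling, and the management
account is exempt from SCPs entirely.
"""
from fnmatch import fnmatchcase

# Constructed policies. FullAWSAccess is the SCP AWS attaches by default.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Deny-list strategy: everything is permitted except these explicit denials.
DENY_LIST_SCP = {"Statement": [{
    "Effect": "Deny",
    "Action": ["organizations:LeaveOrganization",
               "guardduty:DeleteDetector",
               "cloudtrail:StopLogging"],
    "Resource": "*",
}]}

# Allow-list strategy: replaces FullAWSAccess at its level, so only these are permitted.
ALLOW_LIST_SCP = {"Statement": [{
    "Effect": "Allow",
    "Action": ["s3:*", "ec2:Describe*", "cloudwatch:*"],
    "Resource": "*",
}]}

ADMIN_IAM_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_IAM_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*",
}]}


def _decision(policy, action):
    """'Deny' if any statement denies the action, else 'Allow' if one allows it, else None."""
    result = None
    for stmt in policy["Statement"]:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result


def is_allowed(action, iam_policies, scp_levels, management_account=False):
    """scp_levels lists the SCPs attached at each level from the root down to the
    account. A member-account request must be allowed by some SCP at EVERY level
    and denied by none; only then do the IAM policies decide. SCPs never grant:
    an SCP Allow with no matching IAM Allow is still a deny."""
    if not management_account:                 # the management account ignores SCPs
        for level in scp_levels:
            decisions = [_decision(p, action) for p in level]
            if "Deny" in decisions or "Allow" not in decisions:
                return False
    decisions = [_decision(p, action) for p in iam_policies]
    return "Deny" not in decisions and "Allow" in decisions


# Root carries the deny-list; a regulated OU swaps FullAWSAccess for the allow-list.
STANDARD_PATH = [[FULL_AWS_ACCESS, DENY_LIST_SCP], [FULL_AWS_ACCESS], [FULL_AWS_ACCESS]]
REGULATED_PATH = [[FULL_AWS_ACCESS, DENY_LIST_SCP], [ALLOW_LIST_SCP], [FULL_AWS_ACCESS]]


def demo():
    """Each entry: (action, IAM policy, OU path) -> allowed?"""
    return {
        "admin / s3:PutObject / standard OU":
            is_allowed("s3:PutObject", [ADMIN_IAM_POLICY], STANDARD_PATH),
        "admin / cloudtrail:StopLogging / standard OU":
            is_allowed("cloudtrail:StopLogging", [ADMIN_IAM_POLICY], STANDARD_PATH),
        "admin / cloudtrail:StopLogging / management account":
            is_allowed("cloudtrail:StopLogging", [ADMIN_IAM_POLICY], STANDARD_PATH,
                       management_account=True),
        "admin / ec2:RunInstances / allow-list OU":
            is_allowed("ec2:RunInstances", [ADMIN_IAM_POLICY], REGULATED_PATH),
        "read-only / s3:PutObject / allow-list OU":
            is_allowed("s3:PutObject", [READ_ONLY_IAM_POLICY], REGULATED_PATH),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{result!s:>5}  {check}")
```

Note the last two cases: an IAM administrator in the allow-list OU cannot launch an instance because no SCP at that level allows ec2:RunInstances, and a read-only role cannot write to S3 even though the SCP allows s3:* in full. If you are ever unsure which side is blocking a request in a real account, the IAM policy simulator and the "explicit deny in a service control policy" wording in the AccessDenied message are the two places to look.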

AWS Control Tower automates landing zone setup. It is launched from the existing management account (it does not create one) and creates two shared accounts, Log Archive and Audit, deploys Account Factory for standardised account vending, and applies mandatory and strongly recommended controls (called guardrails in older material). Preventive controls are implemented as SCPs; detective controls as AWS Config rules; proactive controls as CloudFormation hooks that block non-compliant resources before they are provisioned. Delegated administrator: a member account designated to manage a specific AWS service (GuardDuty, Security Hub, Inspector, Firewall Manager) across the organisation, so that day-to-day operations never require management account credentials and the management account can stay reserved for billing and organisation administration.

Cross-account networking: AWS Resource Access Manager (RAM) for sharing VPC subnets across accounts within the same organisation; AWS Transit Gateway for hub-and-spoke topologies connecting multiple VPCs and on-premises networks via a single attachment point; AWS Network Firewall in a centralised inspection VPC for egress filtering and east-west traffic inspection. AWS IAM Identity Center (formerly SSO) for workforce access across all accounts: permission sets are IAM roles deployed to member accounts, configurable per account-group assignment. SAML 2.0 integration with corporate identity providers (Okta, Azure AD, Active Directory via AD Connector or AWS Managed Microsoft AD) and SCIM for automatic user provisioning and de-provisioning.

Domain 2 — Design for New Solutions (29%)

The largest domain. Know the four disaster recovery strategies and when each is appropriate. Backup and Restore: lowest cost, highest RTO/RPO (hours), suitable for non-critical workloads with flexible recovery windows. Pilot Light: minimal replicated core infrastructure always running (database replicated, application servers stopped), warm-up required, RTO in tens of minutes. Warm Standby: scaled-down but fully functional copy running in the target region, scaled up at failover, RTO in minutes. Multi-Site Active-Active: full production capacity in multiple regions simultaneously, traffic distributed by Route 53 or Global Accelerator, near-zero RTO and RPO, highest cost. Know which AWS services enable each tier: Aurora Global Database (typically sub-second cross-region replication lag, so an RPO measured in seconds, and an RTO of under a minute with managed cross-region failover; an unplanned outage means promoting a secondary cluster), DynamoDB Global Tables (multi-region active-active with last-writer-wins conflict resolution), and Route 53 health checks with failover routing policies.
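
"Last-writer-wins" is the phrase candidates memorise and the behaviour they least often think through. The following is an added example written for this page, not AWS code: two replicas stand in for a global table in two Regions, replication is modelled as asynchronous delivery of queued writes, conflicts are resolved in favour of the higher timestamp (a stand-in for DynamoDB's internal per-item replication timestamp), and exact ties are broken on the Region name, which is this model's assumption rather than documented behaviour. It shows that a conditional write is evaluated against the local Region's copy only, so two Regions can both pass the same condition and one update is then silently discarded; pinning each item's writes to a single home Region restores the guarantee.

```python
"""What last-writer-wins means for DynamoDB Global Tables.

Added example for this page, not AWS code. Each Replica is the table in one
Region; replication is asynchronous delivery of queued writes; a conflict is
resolved in favour of the higher timestamp, standing in for DynamoDB's internal
per-item replication timestamp. Breaking exact ties on Region name is this
model's assumption, not documented behaviour.
"""
from dataclasses import dataclass
from zlib import crc32


class ConditionFailed(Exception):
    """Stands in for DynamoDB's ConditionalCheckFailedException."""


@dataclass(frozen=True)
class Version:
    value: str
    ts: float        # write time in seconds
    region: str      # Region that accepted the write


class Replica:
    def __init__(self, region):
        self.region = region
        self.items = {}
        self.outbox = []          # writes not yet delivered to the other Regions

    def put(self, key, value, now, expect=None):
        """Local write. expect= models a ConditionExpression on the current
        value; it is evaluated against THIS Region's copy only."""
        current = self.items.get(key)
        if expect is not None and (current is None or current.value != expect):
            raise ConditionFailed(f"{self.region}: {key} is not {expect!r}")
        version = Version(value, now, self.region)
        self.items[key] = version
        self.outbox.append((key, version))

    def receive(self, key, incoming):
        """Apply a replicated write with last-writer-wins. Returns the version
        that was overwritten by a write from a different Region, if any."""
        current = self.items.get(key)
        if current is None or current == incoming:
            self.items[key] = incoming
            return None
        winner, loser = sorted((current, incoming), key=lambda v: (v.ts, v.region))[::-1]
        self.items[key] = winner
        return loser if loser.region != winner.region else None


def replicate(replicas):
    """Deliver every queued write to every other Region; return the set of
    writes that lost to a write from another Region."""
    lost = set()
    for src in replicas:
        pending, src.outbox = src.outbox, []
        for key, version in pending:
            for dst in replicas:
                if dst is not src:
                    loser = dst.receive(key, version)
                    if loser is not None:
                        lost.add(loser)
    return lost


def concurrent_update_scenario():
    """Two Regions update one item inside the replication lag window. Both
    conditional writes succeed locally, then one silently disappears."""
    us, eu = Replica("us-east-1"), Replica("eu-west-1")
    us.put("order#1", "PAID", now=100.000)
    replicate([us, eu])
    us.put("order#1", "SHIPPED", now=200.000, expect="PAID")
    eu.put("order#1", "CANCELLED", now=200.050, expect="PAID")   # eu still sees PAID
    lost = replicate([us, eu])
    return us.items["order#1"].value, eu.items["order#1"].value, sorted(v.value for v in lost)


def home_region(key, regions):
    """Pin all writes for a key to one Region so its conditional writes are meaningful."""
    regions = sorted(regions)
    return regions[crc32(key.encode()) % len(regions)]


def single_writer_scenario():
    """Same two updates, both routed to the item's home Region: the second
    conditional write is rejected instead of winning on timestamp."""
    replicas = {r: Replica(r) for r in ("us-east-1", "eu-west-1")}
    home = replicas[home_region("order#1", replicas)]
    home.put("order#1", "PAID", now=100.000)
    replicate(list(replicas.values()))
    home.put("order#1", "SHIPPED", now=200.000, expect="PAID")
    try:
        home.put("order#1", "CANCELLED", now=200.050, expect="PAID")
        rejected = False
    except ConditionFailed:
        rejected = True
    replicate(list(replicas.values()))
    values = {r.items["order#1"].value for r in replicas.values()}
    return sorted(values), rejected
```

In the first scenario both Regions converge on CANCELLED and the SHIPPED update is gone without any error being raised anywhere, which is exactly what "near-zero RPO" does not protect you from. On the exam, when a scenario needs cross-Region writes with strict consistency or conflict detection, Global Tables alone is the distractor; the answer involves routing writes for a given key to one Region, or a store with synchronous semantics.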

Compute selection at the Professional level means knowing not just which service but when a managed service’s operational advantage outweighs its cost premium. EC2 for stateful workloads, GPU/HPC processing, or long-running jobs requiring specific instance families. Lambda for event-driven stateless processing up to 15 minutes with 10 GB memory. Fargate for containerised workloads without cluster management overhead (per-task billing favours variable or bursty load). ECS or EKS on EC2 with reserved capacity for sustained high-throughput containerised workloads. Step Functions for orchestrating multi-step workflows with error handling, retries, and parallel branches — Express Workflows for high-volume, short-duration flows; Standard Workflows for long-running, auditable flows.

Data tier selection: DynamoDB for single-digit millisecond key-value and document access with predictable patterns; DynamoDB Streams with Lambda for change data capture and event-driven downstream processing. Aurora Serverless v2 scales in 0.5 ACU increments down to 0.5 ACU minimum — suited for variable-load relational workloads where a provisioned instance would be over-provisioned during off-peak hours. Redshift with RA3 nodes (managed storage on S3, compute and storage scaled independently) for analytical workloads; AQUA (Advanced Query Accelerator) for hardware-accelerated query processing. ElastiCache for Redis for real-time leaderboards, session caching, and pub/sub; OpenSearch Service for full-text search, log analytics, and vector similarity search for RAG architectures.

Domain 3 — Continuous Improvement for Existing Solutions (25%)

The Well-Architected Framework review is the exam’s primary frame for this domain. Know all six pillars: Operational Excellence (runbooks, automation, feedback loops), Security (identity, detection, protection, data security), Reliability (foundations, workload architecture, change management, failure management), Performance Efficiency (selection, review, monitoring, trade-offs), Cost Optimisation (cloud financial management, expenditure awareness, cost-effective resources, demand management), and Sustainability (region selection, workload optimisation, hardware utilisation, data management). The exam presents a production scenario with a stated problem (latency spikes, rising costs, security audit findings) and asks which pillar improvement action to apply and why.

Observability stack: CloudWatch metrics, Metric Math for derived metrics (error rate = errors / total invocations), Composite Alarms for reducing alarm noise, Logs Insights for querying structured log data at scale. AWS X-Ray for distributed tracing: trace IDs propagated via HTTP headers across Lambda, ECS, EC2, and API Gateway; subsegments for downstream calls; service map for dependency visualisation and latency heatmaps. Amazon DevOps Guru uses machine learning to detect operational anomalies and surface insights before they become customer-impacting failures.

Configuration governance: AWS Config rules (managed rules for common checks, custom Lambda rules for organisation-specific requirements), conformance packs for grouped compliance requirements, and a Config aggregator for organisation-wide compliance dashboards across all accounts and regions. Systems Manager Automation for operational runbooks; Patch Manager for automated patching with patch baselines, patch groups, and maintenance windows; Run Command for fleet-wide command execution without bastion host access. Trusted Advisor for guidance across six categories (cost optimisation, performance, security, fault tolerance, service limits, and operational excellence); Business and Enterprise Support plans unlock the full set of checks and API access for programmatic review.
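
A custom Config rule is the piece of this list that candidates have usually read about but never written. The following is an added example for this page, not one of AWS's managed rules: a change-triggered Lambda rule that marks a security group NON_COMPLIANT when any port outside an allow-list is open to 0.0.0.0/0 or ::/0. The event shape (invokingEvent, ruleParameters, resultToken) and the evaluation fields follow the Config custom-rule contract; the security group configuration item, its resource ID and the rule parameter name allowedPublicPorts are constructed for the example, and the ipPermissions layout (ipRanges / ipv4Ranges / ipv6Ranges) is what Config records for AWS::EC2::SecurityGroup at the time of writing.

```python
"""Custom AWS Config rule: no world-open ports except an allow-list.

Added example for this page, not an AWS managed rule. Evaluates a single
AWS::EC2::SecurityGroup configuration item on change. The sample event and the
rule parameter name 'allowedPublicPorts' are constructed for this example.
"""
import json

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"


def _world_open_cidrs(perm):
    """Every CIDR in the permission that means 'anyone on the internet'."""
    cidrs = list(perm.get("ipRanges", []))                          # older CI layout
    cidrs += [r.get("cidrIp") for r in perm.get("ipv4Ranges", [])]   # current layout
    cidrs += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", [])]
    return [c for c in cidrs if c in (ANY_V4, ANY_V6)]


def _ports(perm):
    """Port range the permission covers; protocol -1 means all traffic.
    ICMP type/code are treated as ports here, which errs towards flagging."""
    if str(perm.get("ipProtocol")) == "-1":
        return 0, 65535
    return perm.get("fromPort", 0), perm.get("toPort", 65535)


def evaluate_compliance(configuration_item, allowed_public_ports):
    """Return (ComplianceType, Annotation) for one configuration item."""
    if configuration_item["resourceType"] != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    findings = []
    for perm in configuration_item["configuration"].get("ipPermissions", []):
        if not _world_open_cidrs(perm):
            continue                                  # private source, not our concern
        lo, hi = _ports(perm)
        if any(p not in allowed_public_ports for p in range(lo, hi + 1)):
            findings.append(f"{perm.get('ipProtocol')} {lo}-{hi} open to the world")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)[:256]   # Annotation max 256 chars
    return "COMPLIANT", "no world-open ports outside the allow list"


def lambda_handler(event, context=None, config_client=None):
    """Config invokes this with the changed item; a deployed rule reports back
    through put_evaluations (pass a boto3 'config' client to enable that)."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed = {int(p) for p in params.get("allowedPublicPorts", "443").split(",")}
    compliance, annotation = evaluate_compliance(item, allowed)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation],
                                      ResultToken=event["resultToken"])
    return evaluation


# Constructed sample: SSH and HTTPS open to the world, Postgres only to 10/8.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
                 "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}]},
                {"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
                 "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}]},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"allowedPublicPorts": "443"}),
    "resultToken": "constructed-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

Deployed as a rule with a conformance pack, this is the kind of organisation-specific check the exam contrasts with managed rules: the port allow-list is a rule parameter, so the same Lambda serves a web OU (443) and a bastion OU (22 from a fixed CIDR is never world-open, so it passes) without redeploying code.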

Domain 4 — Accelerate Workload Migration and Modernisation (20%)

The six Rs of migration are fundamental exam vocabulary. Retire: decommission (no cloud equivalent needed). Retain: keep on-premises (compliance, latency, or dependency reasons). Rehost: lift-and-shift to EC2 with AWS Application Migration Service (MGN) — continuous block-level replication to a staging area in AWS, then cutover with minimal downtime. Replatform: minimal code changes to use a managed service — on-premises MySQL to Amazon RDS, self-managed Tomcat to Elastic Beanstalk, Kafka cluster to Amazon MSK. Refactor: re-architect to cloud-native patterns — monolith to Lambda microservices, stateful application to DynamoDB-backed serverless. Repurchase: replace with SaaS — on-premises CRM to Salesforce, on-premises ERP to SAP on AWS.

AWS Database Migration Service (DMS): source and target endpoint configuration, replication instances (standard vs high-availability with Multi-AZ standby), and task types. Full Load copies all existing data; Full Load + CDC replicates existing data and then continuously applies ongoing changes; CDC Only for when the initial load is handled separately. The Schema Conversion Tool (SCT) handles heterogeneous migrations (Oracle to Aurora PostgreSQL, SQL Server to Aurora MySQL): it converts schema objects, stored procedures, views, and functions and flags items requiring manual review. DMS Validation runs a row-level comparison between source and target to confirm data fidelity.
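
The reason Full Load + CDC exists is that a bulk copy of a live database is never a point-in-time snapshot. The following is an added example for this page, not DMS code: a dict-backed source table with an ordered change log stands in for the database and its transaction log, the copy is deliberately non-atomic so that writes committing mid-copy are visible, and a row-level comparison plays the part of DMS data validation. The sample rows and the mid-copy workload are constructed. It shows why the CDC start position is recorded before the first row is copied, why replaying a change the copy already reflects must be harmless (idempotent upsert and delete), and what validation reports when CDC is skipped.

```python
"""Full Load + CDC versus Full Load only, with a DMS-style row-level validation.

Added example for this page, not DMS code. The source is a dict keyed by primary
key plus an ordered change log (the stand-in for the transaction log DMS reads);
the target starts empty. The copy is deliberately non-atomic so that changes
landing mid-copy show why the CDC start position is taken BEFORE the bulk copy
and why replaying changes must be idempotent.
"""


class Source:
    def __init__(self):
        self.rows = {}
        self.log = []        # (lsn, op, key, row) in commit order
        self.lsn = 0

    def apply(self, op, key, row=None):
        self.lsn += 1
        if op == "DELETE":
            self.rows.pop(key, None)
        else:                # INSERT or UPDATE
            self.rows[key] = dict(row)
        self.log.append((self.lsn, op, key, None if row is None else dict(row)))


def bulk_copy(source, mid_copy_changes):
    """Copy rows in key order; mid_copy_changes(source) runs after the first half
    to model writes that commit while the load is still running."""
    start_lsn = source.lsn                    # CDC position captured BEFORE copying
    target = {}
    keys = sorted(source.rows)
    half = len(keys) // 2
    for k in keys[:half]:
        target[k] = dict(source.rows[k])
    mid_copy_changes(source)
    for k in keys[half:]:
        if k in source.rows:                  # rows deleted mid-copy are simply skipped
            target[k] = dict(source.rows[k])
    return target, start_lsn


def replay_cdc(source, target, start_lsn):
    """Apply every logged change after start_lsn as an idempotent upsert/delete.
    Replaying a change the copy already reflects leaves the target unchanged."""
    for lsn, op, key, row in source.log:
        if lsn <= start_lsn:
            continue
        if op == "DELETE":
            target.pop(key, None)
        else:
            target[key] = dict(row)
    return target


def validate(source_rows, target_rows):
    """Row-level comparison in the spirit of DMS data validation: every key
    present on either side must carry identical column values on both."""
    return [(k, source_rows.get(k), target_rows.get(k))
            for k in sorted(set(source_rows) | set(target_rows))
            if source_rows.get(k) != target_rows.get(k)]


def _seed():
    src = Source()
    for i in range(1, 7):
        src.apply("INSERT", i, {"id": i, "status": "new"})
    return src


def _mid_copy_changes(src):
    # Constructed workload that commits while the bulk copy is in flight.
    src.apply("UPDATE", 1, {"id": 1, "status": "paid"})   # key 1 already copied: stale in target
    src.apply("DELETE", 6)                                  # key 6 not copied yet: skipped by copy
    src.apply("INSERT", 7, {"id": 7, "status": "new"})     # new key: absent from the copy's key list


def full_load_only():
    """Returns the validation mismatches left behind by a copy with no CDC."""
    src = _seed()
    target, _ = bulk_copy(src, _mid_copy_changes)
    return validate(src.rows, target)


def full_load_plus_cdc():
    """Returns the validation mismatches after the copy plus CDC replay."""
    src = _seed()
    target, start_lsn = bulk_copy(src, _mid_copy_changes)
    replay_cdc(src, target, start_lsn)
    return validate(src.rows, target)


if __name__ == "__main__":
    print("full load only     :", full_load_only())
    print("full load + CDC    :", full_load_plus_cdc())
```

Without CDC the validation reports the stale row 1 and the missing row 7; with CDC it reports nothing, and the replayed DELETE of row 6 is a no-op because the copy never saw it. Two practical corollaries the exam leans on: DMS data validation needs a primary key or unique index on the table to do this kind of row matching, and the source must retain its transaction log (binlog, WAL, redo) from the CDC start position for as long as the full load takes.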

Hybrid connectivity: Site-to-Site VPN (IPsec over the public internet, quick to set up, variable latency, 1.25 Gbps per tunnel) for temporary migration connectivity, low-bandwidth hybrid patterns, or as a backup path for Direct Connect. AWS Direct Connect (dedicated 1, 10 or 100 Gbps connections, or lower-speed hosted connections through a partner; predictable latency and throughput that do not depend on internet conditions) for sustained high-volume migration traffic and production hybrid workloads. Direct Connect Gateway for connecting a single Direct Connect connection to VPCs across multiple AWS regions. Transit Gateway Connect for integrating SD-WAN virtual appliances using GRE tunnels, with higher throughput than VPN attachments. AWS Outposts for workloads that cannot leave the premises because of data residency or ultra-low latency requirements: an AWS-managed rack running a subset of AWS services and APIs (EBS, ECS, RDS on Outposts) physically installed at the customer site.

The most common SAP-C02 failure mode is applying Associate-level thinking to Professional-level questions. At the Associate level, you pick the right service. At the Professional level, the “right service” depends entirely on constraints stated in the scenario — cost budget, RTO/RPO target, compliance requirement, existing infrastructure. Read every scenario question twice: once to understand the technical problem, once to catalogue the constraints. The answer that is technically correct but violates a stated constraint is wrong. Practice on AWS Skill Builder’s official SAP-C02 sample questions and focus on understanding why the correct answer satisfies all constraints, not just why the other answers are worse.

Where SAP-C02 leads on the cert map

SAP-C02 is the gateway to the AWS professional-level credential tier. From here, the natural progressions are AWS Certified DevOps Engineer – Professional (DOP-C02), which shares significant overlap with SAP-C02’s operational excellence and continuous improvement domains, and AWS Certified Advanced Networking – Specialty (ANS-C01), which deepens the Transit Gateway, Direct Connect, and hybrid connectivity patterns that Domain 4 introduces. On the AWS Partner Network, SAP-C02 is required for the Solutions Architect Technical Validation credential, which distinguishes AWS Partners delivering complex enterprise architecture engagements.

Some US government and defense-contractor job postings accept the SAP-C02 for DoD 8570 IAT Level II and IAM Level II roles; verify this against the current DoD 8140 qualification matrix, which has replaced 8570, before relying on it for a cleared position. Salary data from Dice, LinkedIn Salary, and Glassdoor consistently places AWS-certified professionals holding the SAP-C02 at $160,000–$200,000+ for senior architect roles in major US markets, with the Professional credential commanding a 20–30% premium over Associate-only holders for equivalent titles. The typical preparation timeline for a candidate with the SAA-C03 and two years of hands-on AWS experience is 6–10 weeks of dedicated study, with the final two weeks focused on full-length practice exams and scenario analysis.

Why it matters for cert candidates

SAP-C02 is the credential that signals you can own cloud architecture decisions for enterprise workloads — not just implement them. It is the single exam that proves AWS knowledge at the design level: governance structures, multi-account patterns, disaster recovery architecture, migration strategy, and cost optimisation at scale. Preparation requires hands-on experience with AWS Organizations, multi-region deployments, and database migration tools. Use the official AWS SAP-C02 exam guide, Jon Bonso’s TutorialsDojo practice exams (the most representative available), and AWS Skill Builder labs. Build at least one multi-account environment from scratch using AWS Control Tower — the domain questions on SCP behaviour and account factory configuration are much harder to answer from documentation alone than from memory of a working setup.

Not yet at the Professional level? Reinforce the AWS foundations every SAP-C02 candidate needs with Solutions Architect Associate practice questions.

Start AWS SAA-C03 Practice Questions →