AWS Solutions Architect Professional (SAP-C02) Study Guide for 2026

Written by Bits Lovers on

The AWS Solutions Architect Professional (SAP-C02) is one of the harder certifications in the cloud space — not because of trick questions, but because the exam tests whether you can reason about trade-offs across dozens of services simultaneously. You are given a complex scenario and asked to pick the best design. Getting it right requires knowing not just what each service does, but when to prefer one over another and why.

This guide covers what the exam actually tests, the domain weights, the services you need to know deeply, a realistic study plan, and the failure patterns that cause people to retake.

What the SAP-C02 Exam Tests

The exam consists of 75 questions in multiple-choice or multiple-response format; 65 of them are scored and 10 are unscored items AWS uses to evaluate future questions (you cannot tell which is which, so treat every question as scored). You have 180 minutes, which averages to about 2.4 minutes per question. The passing score is 750 on a scaled range of 100 to 1000. The exam costs 300 USD.

There are no hard prerequisites. AWS recommends at least two years of hands-on experience designing and deploying cloud architecture on AWS. That recommendation is meaningful. Without real hands-on time, the scenario-based questions are genuinely difficult to reason through — you can memorize service names, but the questions ask you to apply judgment.

The questions I found hardest were in Domain 1’s networking scenarios, where you are given a diagram of a multi-account architecture and asked to identify why cross-account traffic is not flowing as expected. You need to hold the mental model of Transit Gateway, PrivateLink, VPC peering, route tables, and security groups all at once to answer correctly.

The Four Domains

Understanding the domain weights tells you where to invest study time.

Domain 1: Design Solutions for Organizational Complexity — 26%

Domain 2: Design for New Solutions — 29%

Domain 3: Continuous Improvement for Existing Solutions — 25%

Domain 4: Accelerate Workload Migration and Modernization — 20%

Domain 2 is the largest single domain and the one that covers the broadest range of services. Most people who fail do so because they underestimated how deeply Domain 2 expects you to know the trade-offs between service options.

Domain 1: Organizational Complexity

This domain tests multi-account strategy, hybrid networking, identity federation, and cost governance at scale.

Multi-account architecture means knowing AWS Organizations end to end. You need to understand how Service Control Policies (SCPs) work, what they can and cannot restrict, and how permission inheritance flows through an organizational unit hierarchy. AWS Control Tower is the managed guardrails layer on top of Organizations — you should understand what it automates (account vending, logging, security baselines) versus what you still configure manually.

Networking at scale is where this domain gets complex. The key concepts are:

  • Transit Gateway — a regional network hub that replaces mesh VPC peering at scale. Understand TGW route tables, the difference between associating an attachment with a route table (the table that attachment's traffic consults) and propagating an attachment's routes into a table, blackhole routes for isolating spokes, and how TGW peering connects hubs across regions (routes over a peering attachment are static, not propagated).
  • Direct Connect — a dedicated physical connection from on-premises to AWS. Know the difference between hosted connections (through partners) and dedicated connections (directly from AWS), and understand Direct Connect Gateway for multi-region or multi-VPC connectivity.
  • Site-to-Site VPN — encrypted tunnels over the public internet, faster to set up than Direct Connect but with variable latency and lower throughput. Know when to choose VPN over Direct Connect and when to use both together for redundancy.
  • PrivateLink — exposes a service in one VPC to consumers in other VPCs without requiring VPC peering or traffic traversal over the internet. Important for sharing services across accounts without opening broad network routes.
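The cross-account debugging the networking section describes comes down to resolving two route tables in sequence and then checking the return path. The following is an added illustration, not code from the original post or from AWS: the VPC CIDRs, attachment IDs and route tables are constructed for the example, and the lookup is the longest-prefix match that VPC and TGW route tables actually perform. The third flow deliberately has a working forward path and no return route, which is the classic "traffic flows one way" symptom.

```python
"""Trace a flow through VPC route tables and a Transit Gateway (added example).

The topology below is constructed for illustration. Each table is resolved
with longest-prefix match, as the real VPC and TGW route tables are.
"""
import ipaddress

# VPC route tables: destination CIDR -> target ("local", a TGW id, ...)
VPC_ROUTE_TABLES = {
    "vpc-shared": {"10.0.0.0/16": "local", "10.0.0.0/8": "tgw-1"},
    "vpc-app":    {"10.1.0.0/16": "local", "10.0.0.0/8": "tgw-1"},
    # vpc-data has no route back to the rest of 10.0.0.0/8: only "local".
    "vpc-data":   {"10.2.0.0/16": "local"},
}
# The attachment each VPC uses, and the TGW route table each attachment is
# *associated* with (the table consulted for traffic arriving from it).
VPC_ATTACHMENT = {"vpc-shared": "att-shared", "vpc-app": "att-app", "vpc-data": "att-data"}
ATTACHMENT_VPC = {att: vpc for vpc, att in VPC_ATTACHMENT.items()}
ASSOCIATION = {"att-shared": "tgw-rtb-hub", "att-app": "tgw-rtb-spoke", "att-data": "tgw-rtb-spoke"}
# TGW route tables: CIDR -> attachment id, or "blackhole".
TGW_ROUTE_TABLES = {
    # hub table: propagated routes to every spoke
    "tgw-rtb-hub":   {"10.1.0.0/16": "att-app", "10.2.0.0/16": "att-data"},
    # spoke table: spokes reach the shared VPC, everything else in 10/8 is dropped
    "tgw-rtb-spoke": {"10.0.0.0/16": "att-shared", "10.0.0.0/8": "blackhole"},
}


def longest_prefix_match(table, dst):
    """Return (cidr, target) for the most specific route covering dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def trace(src_vpc, dst_ip):
    """Hops from src_vpc toward dst_ip. The last hop is 'local', 'blackhole',
    'no-route', or the name of the VPC the packet is delivered to."""
    hops = [src_vpc]
    route = longest_prefix_match(VPC_ROUTE_TABLES[src_vpc], dst_ip)
    if route is None:
        return hops + ["no-route"]
    if route[1] == "local":
        return hops + ["local"]
    if not route[1].startswith("tgw-"):
        return hops + [route[1]]                      # e.g. an IGW or NAT target
    tgw_rtb = ASSOCIATION[VPC_ATTACHMENT[src_vpc]]    # table for our attachment
    hops.append(tgw_rtb)
    tgw_route = longest_prefix_match(TGW_ROUTE_TABLES[tgw_rtb], dst_ip)
    if tgw_route is None:
        return hops + ["no-route"]
    if tgw_route[1] == "blackhole":
        return hops + ["blackhole"]
    return hops + [ATTACHMENT_VPC[tgw_route[1]]]


def find_vpc(ip):
    """Which VPC owns ip, judged by the 'local' route of each table."""
    addr = ipaddress.ip_address(ip)
    for vpc, table in VPC_ROUTE_TABLES.items():
        for cidr, target in table.items():
            if target == "local" and addr in ipaddress.ip_network(cidr):
                return vpc
    raise ValueError(f"{ip} is not inside any VPC")


def check_flow(src_ip, dst_ip):
    """A flow works only if both directions deliver to the far VPC."""
    src_vpc, dst_vpc = find_vpc(src_ip), find_vpc(dst_ip)
    fwd, rev = trace(src_vpc, dst_ip), trace(dst_vpc, src_ip)
    return {"ok": fwd[-1] == dst_vpc and rev[-1] == src_vpc, "forward": fwd, "return": rev}


if __name__ == "__main__":
    for src, dst in [("10.1.0.10", "10.0.0.10"),   # app -> shared: works both ways
                     ("10.1.0.10", "10.2.0.10"),   # app -> data: blackholed by the spoke table
                     ("10.0.0.10", "10.2.0.10")]:  # shared -> data: forward ok, return missing
        print(f"{src} -> {dst}: {check_flow(src, dst)}")
```

The model stops at routing on purpose: after both route paths resolve, the next things to check in a real diagram are the security group and NACL on each side, and the model could be extended with those checks in the same way.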

Identity federation covers IAM Identity Center (formerly AWS SSO), SAML 2.0 federation, cross-account IAM roles, and the relationship between identity providers and AWS. You should understand the difference between web identity federation (for mobile/web apps using Cognito or OIDC) and enterprise SAML federation.

Cost governance at this level means knowing AWS Cost Explorer, Cost and Usage Reports, Savings Plans vs Reserved Instances, and how resource tagging strategies support chargeback models in multi-account environments.

Domain 2: Design for New Solutions

This is the widest domain. It covers the Well-Architected Framework, serverless patterns, container orchestration, and data analytics architectures.

The Well-Architected Framework’s six pillars — operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability — are referenced throughout the exam. You do not need to memorize the pillar documents verbatim, but you need to understand the design principles behind each one well enough to apply them. When a question describes a system that is not recovering correctly from failures, that is a reliability question. When a question asks how to reduce costs without changing functionality, that is a cost optimization question.

Serverless patterns means Lambda, API Gateway, SQS, SNS, EventBridge, and Step Functions, and knowing when to compose them. Lambda has an account-level concurrency quota (1,000 per Region by default in most Regions, raisable through Service Quotas). Reserved concurrency carves out a guaranteed share of that quota for one function and at the same time caps that function, at no extra charge; provisioned concurrency pre-initializes execution environments so invocations avoid cold starts, and is billed for as long as it is configured. API Gateway has two main flavors: REST API (more features, more cost) and HTTP API (faster, cheaper, fewer features).

Container orchestration means knowing ECS versus EKS. ECS is the AWS-managed option with lower operational overhead. EKS is Kubernetes, which gives you portability and the full Kubernetes ecosystem but requires more operational knowledge. On the exam, ECS with Fargate is usually the right answer when the scenario emphasizes managed infrastructure and reducing ops burden. EKS is the right answer when the scenario involves existing Kubernetes workloads, portability across clouds, or specific Kubernetes features.

Data analytics pipelines require knowing when to use Kinesis vs Amazon MSK (Kafka), and when to use Redshift vs Athena. Kinesis Data Streams is fully managed serverless streaming with AWS-native integration. MSK is managed Kafka, better when you need Kafka compatibility or have existing Kafka tooling. Redshift is a provisioned data warehouse for structured query workloads at scale. Athena is serverless SQL over S3, better when your data is already in S3 and you need ad-hoc queries without loading data into a warehouse.

Services You Must Know Deeply

Below is the practical list. For each service category, I’ve noted what the exam specifically tests.

Networking

  • VPC peering vs Transit Gateway vs PrivateLink — understand the routing limits and use cases for each
  • Direct Connect Gateway — connects a DX connection to multiple VPCs or Transit Gateways across regions
  • Route 53 routing policies — simple, weighted, latency-based, failover, geolocation, multivalue. Know when each policy applies.

Compute

  • EC2 Auto Scaling lifecycle hooks — let you pause instance launch or termination to run custom actions (install software, drain connections)
  • Spot Fleet strategies — lowest-price, diversified, capacity-optimized. Understand interruption handling.
  • Lambda concurrency limits and the difference between reserved and provisioned concurrency
  • ECS task placement constraints and strategies (binpack, spread, random)

Storage

  • S3 lifecycle policies — transitioning objects between storage classes (Standard → Standard-IA → Glacier) based on age or access patterns
  • S3 Object Lock — WORM (Write Once Read Many) retention for compliance. Know Compliance mode (an object version cannot be overwritten or deleted by any user, including the root user, until its retention period expires) vs Governance mode (users with the s3:BypassGovernanceRetention permission can override it), plus legal holds, which have no expiry and are removed explicitly.
  • EBS vs EFS vs FSx — EBS is block storage attached to one EC2 instance at a time (io1/io2 Multi-Attach is the exception). EFS is shared NFS file storage for Linux. FSx for Windows File Server is managed SMB/Windows file storage. FSx for Lustre is high-performance parallel file storage for compute workloads.

Database

  • RDS Multi-AZ vs Read Replicas — Multi-AZ is for high availability (synchronous replication, automatic failover, the standby takes no read traffic; the exception is a Multi-AZ DB cluster deployment, which has two readable standbys). Read Replicas are for read performance (asynchronous replication, can be promoted, can serve read traffic, can live in another region).
  • Aurora Serverless v2 — scales in fine-grained increments, better for unpredictable workloads than provisioned Aurora
  • DynamoDB capacity modes — on-demand vs provisioned. Global Secondary Indexes vs Local Secondary Indexes and their limitations.
  • ElastiCache eviction policies — know allkeys-lru vs volatile-lru and when each is appropriate

Security

  • KMS key rotation — AWS managed keys (the aws/service keys) rotate automatically every year and you cannot change that. Customer managed symmetric keys have automatic rotation off by default; when you enable it, KMS generates new backing material on a schedule (yearly by default, configurable) while the key ID and ARN stay the same, and the old material is kept so existing ciphertexts still decrypt without re-encryption. Asymmetric keys, HMAC keys, keys with imported material, and keys in custom key stores cannot be rotated automatically; you rotate them manually by creating a new key and repointing the alias.
  • CloudHSM vs KMS — KMS is a multi-tenant managed key service: AWS operates the HSMs and you control use through key policies and grants. CloudHSM is a single-tenant HSM cluster in your VPC where you hold the keys and AWS has no access to them; choose it when a compliance regime demands exclusive key custody or when an application needs a standard HSM interface (PKCS#11, JCE, CNG). KMS can also use a CloudHSM cluster as a custom key store when you want the KMS API on top of your own HSMs.
  • GuardDuty, Security Hub, Macie — GuardDuty is threat detection over CloudTrail management and data events, VPC Flow Logs and DNS logs (it reads them on the service side, so you do not have to enable or pay for those log deliveries yourself), with optional protections for EKS, RDS, Lambda and EBS malware scanning. Security Hub aggregates and normalizes findings from GuardDuty, Inspector, Macie, Config and partner tools, and scores accounts against standards such as CIS and AWS Foundational Security Best Practices. Macie discovers and classifies sensitive data in S3.
  • WAF rate limiting — know how to configure rate-based rules to block IPs exceeding request thresholds
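A rate-based rule is easiest to reason about as a per-source counter over a trailing window, and it helps to see the counting rule applied to traffic. The block below is an added example, not code from the original post or an AWS API: it emulates the rule over a constructed access log, blocking a client once its request count inside the window exceeds the limit. The window (5 minutes) and limit (100 requests) are assumed values for the illustration; the log lines, IPs and helper names are mine.

```python
"""Emulate a WAF rate-based rule over sample request logs (added example).

A rate-based rule counts requests per source IP inside a trailing window
and applies its action while the count is above the limit. The log lines,
limit and window below are constructed for this illustration.
"""
from collections import defaultdict, deque
import datetime as dt

# Constructed access-log lines: "<ISO timestamp> <client ip> <method> <path>"
SAMPLE_LOG = []
_t0 = dt.datetime(2026, 1, 1, 12, 0, 0, tzinfo=dt.timezone.utc)
for i in range(150):                         # 150 requests in 150 s from one client
    SAMPLE_LOG.append(f"{(_t0 + dt.timedelta(seconds=i)).isoformat()} 198.51.100.7 POST /login")
for i in range(20):                          # 20 requests in 190 s from a quiet client
    SAMPLE_LOG.append(f"{(_t0 + dt.timedelta(seconds=10 * i)).isoformat()} 203.0.113.9 GET /")
SAMPLE_LOG.sort()                            # ISO timestamps sort chronologically


def parse(line):
    """Split one log line into (timestamp, ip, method, path)."""
    ts, ip, method, path = line.split(" ", 3)
    return dt.datetime.fromisoformat(ts), ip, method, path


def evaluate(lines, limit=100, window_seconds=300):
    """Return {ip: {"first_blocked_index": i, "count_at_block": n}} for every
    client whose request count inside the trailing window exceeded `limit`.
    The index is the position in `lines` of the first request that would be
    blocked; requests before it were still allowed."""
    recent = defaultdict(deque)              # ip -> timestamps still inside the window
    result = {}
    window = dt.timedelta(seconds=window_seconds)
    for idx, line in enumerate(lines):
        ts, ip, _, _ = parse(line)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:            # expire timestamps that left the window
            q.popleft()
        if len(q) > limit and ip not in result:
            result[ip] = {"first_blocked_index": idx, "count_at_block": len(q)}
    return result


if __name__ == "__main__":
    for ip, info in evaluate(SAMPLE_LOG).items():
        print(f"{ip}: blocked from request #{info['first_blocked_index']} "
              f"({info['count_at_block']} requests in the window)")
```

Two differences from the managed service are worth remembering on the exam: AWS WAF re-evaluates the counts roughly every 30 seconds rather than on every request, so enforcement lags a little behind the threshold, and the rule can aggregate on keys other than the source IP (for example a forwarded-IP header when traffic arrives through a proxy), which is what you want when many clients share one egress address.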

Migration

  • AWS Database Migration Service (DMS) — migrates databases with minimal downtime. Supports homogeneous and heterogeneous migrations.
  • AWS Schema Conversion Tool (SCT) — converts database schemas from one engine to another (Oracle to PostgreSQL, SQL Server to Aurora). Used with DMS for heterogeneous migrations.
  • Snow family — Snowball Edge (storage or compute) for large data transfers and edge computing. Snowcone is the smallest device (8TB usable), suitable for IoT and edge scenarios with limited space.

Analytics

  • AWS Glue ETL — serverless ETL service. Glue crawlers discover schema and populate the Glue Data Catalog. Glue jobs transform data.
  • Athena partitioning — partitioning S3 data by date or other key dimensions dramatically reduces query cost and time
  • Redshift Spectrum — query data directly in S3 from Redshift without loading it into Redshift tables
  • EMR cluster options — transient clusters (terminate when their steps finish) vs long-running clusters; instance groups vs instance fleets (fleets can mix instance types and purchase options, which is how you lean on Spot safely); and the usual pattern of On-Demand for the primary and core nodes with Spot for task nodes, so an interruption costs compute but not HDFS data.

Three-Phase Study Strategy

Phase 1 (Weeks 1–3): Build Breadth

Use a structured video course that covers every exam domain. Stephane Maarek’s SAP-C02 course on Udemy and Adrian Cantrill’s course are both well-regarded. Do not just watch the videos passively. For each service covered, open the AWS console and build it. Create a Transit Gateway and connect two VPCs. Set up an SCP in Organizations that denies a specific action. Configure a DynamoDB table with a GSI and run queries against it. The free tier covers enough of this to be worthwhile.

Take notes on the services where you feel uncertain. These are your Phase 3 targets.

Phase 2 (Weeks 4–6): Practice Exams

Tutorials Dojo (Jon Bonso) has the best SAP-C02 practice exams available. The question quality closely mirrors the real exam in terms of scenario complexity. Work through the practice exams in timed mode. When you get a question wrong, do not just read the explanation — go find the AWS documentation page it references and read the relevant section.

Target 70% or higher consistently before booking the real exam. A score below 70% on Tutorials Dojo practice tests typically predicts a fail on the real exam.

Phase 3 (Days Before the Exam): Whitepaper Review

Focus your final review on the whitepapers covering your weak areas. The ones most referenced on the exam are:

  • AWS Well-Architected Framework whitepaper
  • Disaster Recovery of Workloads on AWS whitepaper (the four strategies: backup and restore, pilot light, warm standby, multi-site active/active)
  • AWS Security Best Practices whitepaper
  • Microservices on AWS whitepaper

You do not need to read all of them end to end. Use them to fill specific gaps you identified in Phase 2.

Common Failure Patterns

Confusing HA with DR. High availability means the system keeps running through component failures (Multi-AZ RDS, Auto Scaling across AZs). Disaster recovery means the system can recover after a regional outage or catastrophic failure. The exam tests both, and the correct service choices differ. Do not recommend Multi-AZ as a DR solution.

Getting Direct Connect vs VPN wrong. Direct Connect has predictable latency, higher bandwidth, and higher cost with weeks-long provisioning time. Site-to-Site VPN is fast to set up, uses the public internet, and has variable latency. The exam will give you scenarios where one is clearly preferable — know the decision criteria: latency sensitivity, bandwidth requirements, setup timeline, and cost constraints.

Confusing RDS Read Replicas with Multi-AZ. Read Replicas use asynchronous replication and are used for read performance and geographic distribution. Multi-AZ uses synchronous replication and is used for availability; in the classic single-standby deployment the standby cannot serve traffic (a Multi-AZ DB cluster, with two readable standbys, is the one exception). This distinction appears on nearly every practice exam.

Defaulting to Lambda for everything. Lambda is the right answer for event-driven, short-duration workloads with unpredictable traffic. It is not the right answer for long-running batch jobs (use Batch or ECS), persistent connections (use ECS or EC2), or workloads requiring more than 15 minutes of execution time. The exam will test whether you recognize these limits.

Misunderstanding SCP inheritance. An SCP applied to an organizational unit does not grant permissions; it restricts the maximum permissions that can be granted. An Allow in an SCP means "this action is not denied at the org level." Actual permissions still require an IAM policy grant. The effective result is an intersection: a principal can perform an action only if every SCP from the root down through each OU to the account allows it, no SCP on that path denies it, and an IAM policy grants it. SCPs do not apply to the management account or to service-linked roles.
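The inheritance rule in the SCP paragraph above, and the SCP discussion under Domain 1, are both easier to hold onto once you have seen the intersection computed. The following is an added example, not code from the original post or from AWS: it models a small organization with constructed OU names, SCPs and IAM policies, evaluates an action at every level from the account up to the root, and then intersects the result with the principal's IAM policy. Resources and conditions are deliberately left out, so the model shows only the action-level logic.

```python
"""Effective permissions under SCP inheritance (added example).

The OU tree, SCPs and IAM policies are constructed for illustration. Rules:
an action is permitted only if every SCP on the path root -> OU -> ... ->
account allows it, no SCP on that path denies it, and the IAM policy allows
it. SCPs never grant anything; they bound what IAM can grant. The management
account is exempt. Resource and Condition elements are ignored here.
"""
from fnmatch import fnmatchcase


def matches(patterns, action):
    """IAM action matching: wildcard patterns, case-insensitive."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def policy_verdict(policy, action):
    """'deny' if any Deny statement matches, else 'allow' if an Allow matches, else None."""
    verdict = None
    for stmt in policy.get("Statement", []):
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if matches(acts, action):
            if stmt["Effect"] == "Deny":
                return "deny"
            verdict = "allow"
    return verdict


# Constructed SCPs. FullAWSAccess is the default AWS attaches everywhere.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
DENY_LEAVE_ORG = {"Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}
DENY_GUARDDUTY_TAMPER = {"Statement": [{"Effect": "Deny", "Action": [
    "guardduty:DeleteDetector", "guardduty:DisassociateFromMasterAccount"]}]}
ALLOWLIST_S3_EC2 = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "ec2:*"]}]}

# Constructed organization: each node names its parent and its attached SCPs.
ORG = {
    "root":         {"parent": None,           "scps": [FULL_ACCESS, DENY_LEAVE_ORG]},
    "ou-workloads": {"parent": "root",         "scps": [FULL_ACCESS, DENY_GUARDDUTY_TAMPER]},
    "ou-sandbox":   {"parent": "root",         "scps": [ALLOWLIST_S3_EC2]},  # FullAWSAccess detached
    "acct-prod":    {"parent": "ou-workloads", "scps": [FULL_ACCESS]},
    "acct-sandbox": {"parent": "ou-sandbox",   "scps": [FULL_ACCESS]},
    "acct-mgmt":    {"parent": "root",         "scps": [FULL_ACCESS], "management": True},
}


def path_to_root(account):
    node, path = account, []
    while node is not None:
        path.append(node)
        node = ORG[node]["parent"]
    return path


def scp_allows(account, action):
    """SCP check alone: every level must allow the action and no level may deny it."""
    if ORG[account].get("management"):
        return True                                  # SCPs never apply to the management account
    for node in path_to_root(account):
        verdicts = [policy_verdict(p, action) for p in ORG[node]["scps"]]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


def effective(account, iam_policy, action):
    """Final decision for a principal in `account` whose identity policy is `iam_policy`."""
    return scp_allows(account, action) and policy_verdict(iam_policy, action) == "allow"


ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
READ_ONLY_S3 = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}

if __name__ == "__main__":
    checks = [
        ("acct-prod",    ADMIN,        "guardduty:DeleteDetector"),         # denied at the OU
        ("acct-prod",    ADMIN,        "organizations:LeaveOrganization"),  # denied at the root
        ("acct-prod",    ADMIN,        "s3:PutObject"),                     # allowed
        ("acct-sandbox", ADMIN,        "iam:CreateUser"),                   # not on the sandbox allowlist
        ("acct-sandbox", ADMIN,        "ec2:RunInstances"),                 # allowed
        ("acct-prod",    READ_ONLY_S3, "s3:PutObject"),                     # SCP allows, IAM does not
        ("acct-mgmt",    ADMIN,        "organizations:LeaveOrganization"),  # management account
    ]
    for acct, iam, action in checks:
        print(f"{acct:13} {action:36} {effective(acct, iam, action)}")
```

The sandbox OU shows the trap the exam likes: detaching FullAWSAccess and attaching an allowlist SCP silently removes every action the allowlist does not name, even though the account below still carries FullAWSAccess, because every level on the path has to allow the action.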

Scheduling and Logistics

You can reschedule your exam up to 24 hours before the appointment without penalty. If you cancel within 24 hours, you forfeit the fee.

Take the exam at a testing center rather than at home if you can. Proctored at-home exams have more technical friction (room setup, camera checks, software issues) that can eat into your mental preparation. Testing centers remove that variable.

If you fail, you must wait 14 days before retaking. Use that time to review your score report — it shows your performance by domain, which tells you exactly where to focus. Most people who fail and retake within 30 days pass the second attempt.

The exam is offered in English, Japanese, Korean, and Simplified Chinese. If English is not your first language and you take the exam in English, AWS offers a 30-minute extension (the "ESL +30" accommodation); request it in your certification account before you schedule, because it cannot be added to an existing appointment.

Once you have a consistent 70%+ on practice exams and you have reviewed your weak domains, book the exam. Waiting longer for more preparation tends to produce diminishing returns. The goal is to take the exam while the material is fresh, not to achieve certainty before sitting down.

Professional writer and blogger. Focus on Cloud Computing.