SAP-C02 - AWS Certified Solutions Architect - Professional Cheat Sheet

🎯Take a practice test on this topic14 practice tests · 484 questions→

This sheet covers the AWS Certified Solutions Architect - Professional exam (exam code SAP-C02, the version in force since November 2022). The exam validates advanced skills in designing distributed systems on AWS: it weighs four domains, Design Solutions for Organizational Complexity (26%), Design for New Solutions (29%), Continuous Improvement for Existing Solutions (25%), and Accelerate Workload Migration and Modernization (20%). Because the same themes (networking, security, reliability, performance, cost, and migration) recur across all four domains, this sheet is organized by cohesive architecture theme rather than by domain, so each concept lives in exactly one place. The single most reliable way to pass is to learn AWS's own preferred service for each scenario, because the exam rewards the AWS-recommended design, not merely a design that would technically work.

What This Cheat Sheet Covers

This topic spans 42 focused tables and 371 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: VPC Segmentation, Routing and Traffic FilteringTable 2: Multi-VPC and Transitive ConnectivityTable 3: Hybrid Connectivity (Direct Connect and VPN)Table 4: Hybrid DNS and Route 53 ResolverTable 5: VPC Endpoints and Private Service IntegrationTable 6: Network Traffic Monitoring and TroubleshootingTable 7: AWS Global Infrastructure, Regions and Availability ZonesTable 8: IAM Identities, Policies and Least PrivilegeTable 9: Cross-Account Access and Identity FederationTable 10: Encryption, Key Management and SecretsTable 11: Logging, Audit Trail and Compliance MonitoringTable 12: Threat Detection and Security Posture ManagementTable 13: Edge Protection and Attack MitigationTable 14: Patch Management and Automated Security RemediationTable 15: RTO, RPO and Disaster Recovery Strategy SelectionTable 16: DR Implementation, Replication and TestingTable 17: Backup, Restore and Data DurabilityTable 18: High Availability and Removing Single Points of FailureTable 19: Auto Scaling and ElasticityTable 20: Decoupling and Application IntegrationTable 21: Route 53 DNS Routing PoliciesTable 22: Service Quotas and LimitsTable 23: EC2 Compute Selection, Instance Families and RightsizingTable 24: Storage Services and Performance SelectionTable 25: Caching, Buffering and Read ReplicasTable 26: Purpose-Built Databases SelectionTable 27: Global Performance and Edge AccelerationTable 28: Performance Monitoring and Bottleneck AnalysisTable 29: Pricing Models and Purchase OptionsTable 30: Cost Monitoring, Governance and ReportingTable 31: Storage Tiering and Data Transfer Cost OptimizationTable 32: Infrastructure as Code with CloudFormationTable 33: CI/CD Pipelines and Deployment StrategiesTable 34: Configuration Management and Operations AutomationTable 35: Operational Monitoring, Alerting and Auto-RemediationTable 36: Migration Assessment and Portfolio PlanningTable 37: The 7 Rs Migration StrategiesTable 38: Application and Server Migration ExecutionTable 39: Data Migration and Transfer ServicesTable 40: Database Migration (DMS and SCT)Table 41: Governance at Scale and Multi-Account ManagementTable 42: Compute Platform Modernization (Containers and Serverless)

Table 1: VPC Segmentation, Routing and Traffic Filtering

SAP-C02 Domain 1 (Design Solutions for Organizational Complexity) Task 1.1 network connectivity and Domain 2 Task 2.3 security controls: how to segment a VPC with subnets and CIDR planning, steer traffic with route tables, and filter packets with stateful security groups and stateless network ACLs.

Concept	Example	Description
CIDR Planning (Non-Overlapping)	VPC `10.0.0.0/16` split into `10.0.0.0/24` and `10.0.1.0/24` (subnet CIDRs must not overlap)	• Subnet CIDR is a subset of the VPC CIDR; subnets in a VPC cannot overlap • Overlapping CIDRs block VPC peering and on-premises connectivity, so plan address space before you build
Subnet Reserved IP Addresses	A `/24` (256 addresses) yields 251 usable; AWS reserves the first 4 and the last 1	• Allowed IPv4 subnet size is `/28` to `/16` • Reserved: `.0` network, `.1` router, `.2` DNS, `.3` future, last address broadcast. Not to be confused with assuming all 256 are usable
Route Table and Local Route	Every route table has `VPC CIDR → local` (cannot be deleted) plus e.g. `0.0.0.0/0 → igw-id` for a public subnet	• A route maps a destination (CIDR or prefix list) to a target (IGW, NAT, peering, VPN, endpoint) • The local route enables intra-VPC communication and is always present
Longest-Prefix-Match Routing	With `0.0.0.0/0 → nat` and `10.25.0.0/16 → pcx`, traffic to `10.25.x.x` takes the peering route	• The most specific (longest prefix) matching route always wins • On a tie, static routes beat propagated routes. This is how more specific endpoint or peering routes override a default route
Security Group (Stateful)	Allow inbound `TCP 443` from `0.0.0.0/0`; no return rule needed, the response is auto-allowed	• Operates at the instance/ENI level and is stateful: return traffic for an allowed flow is automatically permitted • AWS's primary, preferred mechanism for controlling instance access

Table 1: VPC Segmentation, Routing and Traffic Filtering

Concept	Example	Description
CIDR Planning (Non-Overlapping)	VPC `10.0.0.0/16` split into `10.0.0.0/24` and `10.0.1.0/24` (subnet CIDRs must not overlap)	• Subnet CIDR is a subset of the VPC CIDR; subnets in a VPC cannot overlap • Overlapping CIDRs block VPC peering and on-premises connectivity, so plan address space before you build
Subnet Reserved IP Addresses	A `/24` (256 addresses) yields 251 usable; AWS reserves the first 4 and the last 1	• Allowed IPv4 subnet size is `/28` to `/16` • Reserved: `.0` network, `.1` router, `.2` DNS, `.3` future, last address broadcast. Not to be confused with assuming all 256 are usable
Route Table and Local Route	Every route table has `VPC CIDR → local` (cannot be deleted) plus e.g. `0.0.0.0/0 → igw-id` for a public subnet	• A route maps a destination (CIDR or prefix list) to a target (IGW, NAT, peering, VPN, endpoint) • The local route enables intra-VPC communication and is always present
Longest-Prefix-Match Routing	With `0.0.0.0/0 → nat` and `10.25.0.0/16 → pcx`, traffic to `10.25.x.x` takes the peering route	• The most specific (longest prefix) matching route always wins • On a tie, static routes beat propagated routes. This is how more specific endpoint or peering routes override a default route
Security Group (Stateful)	Allow inbound `TCP 443` from `0.0.0.0/0`; no return rule needed, the response is auto-allowed	• Operates at the instance/ENI level and is stateful: return traffic for an allowed flow is automatically permitted • AWS's primary, preferred mechanism for controlling instance access