A W S C E R T I F I C A T I O N
SAP C02 Solutions Architect Professional Practice Exam
Exam Number: 1203 | Last updated April 24, 2026 | 700+ questions across 4 vendor-aligned objectives
The AWS Certified Solutions Architect Professional (SAP-C02) is the senior architect credential for professionals who design and evolve complex, multi-account, multi-Region environments on AWS. Candidates typically have two or more years of hands-on architecture experience and are expected to recommend solutions that balance cost, performance, security, reliability, and operational excellence under realistic enterprise constraints. The exam runs three hours and contains lengthy scenarios with subtle correct answers.
Continuous Improvement for Existing Solutions and Design Solutions for Organizational Complexity dominate the blueprint. Continuous Improvement for Existing Solutions (29%) is the largest domain and covers cost optimization, performance tuning, modernization patterns, and operational improvements across compute, storage, and database tiers. Design Solutions for Organizational Complexity (26%) focuses on AWS Organizations, AWS Control Tower, multi-account governance, hybrid connectivity through AWS Direct Connect and AWS Transit Gateway, and federated identity using AWS IAM Identity Center.
The remaining domains test depth across the architectural lifecycle. Design for New Solutions (29%) covers greenfield architecture across compute (Amazon EC2, AWS Lambda, AWS Fargate), data (Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon Aurora), and integration (Amazon SQS, Amazon SNS, Amazon EventBridge). Accelerate Workload Migration and Modernization (16%) covers AWS Migration Hub, AWS Database Migration Service, AWS Application Migration Service, and the 7 Rs migration strategies framework.
Every answer links to the source. Each explanation below includes a hyperlink to the exact AWS documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
318
practice exam users
97.8%
satisfied users
93%
passed the exam
4.2/5
quality rating
Test your aws-solutions-architect-professional knowledge
10 of 700+ questions
Question #1 - Design for New Solutions
A global SaaS company needs a multi-Region active-active architecture for a low-latency API with strict eventual consistency requirements for user profile data.
Which database choice best meets these requirements with the least operational overhead?
A) Amazon RDS Multi-AZ in one Region with read replicas in others
B) Amazon DynamoDB Global Tables
C) Self-managed Cassandra on EC2 across Regions
D) Amazon Aurora single-Region with cross-Region snapshots
Show solution
Correct answers: B – Explanation:
DynamoDB Global Tables provide multi-Region, multi-active replication with last-writer-wins conflict resolution and managed operations. RDS Multi-AZ is single-Region; self-managed Cassandra has high ops overhead; single-Region Aurora is not active-active. Source: [DynamoDB Global Tables](https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GlobalTables.html)
Question #2 - Continuous Improvement
An EC2-based microservice has stable baseline traffic plus large unpredictable bursts. The team wants to minimize cost without risking capacity during bursts.
Which purchase strategy is most appropriate?
A) 100% Spot Instances
B) All On-Demand
C) Reserved Instances at burst peak capacity
D) Compute Savings Plan covering baseline; On-Demand or Spot for bursts
Show solution
Correct answers: D – Explanation:
A Savings Plan sized to the steady baseline locks in the largest discount; bursts use On-Demand (or Spot for fault-tolerant work) so you don’t overcommit. 100% Spot risks interruption; RIs at peak waste money; pure On-Demand misses available discounts. Source: [Savings Plans best practices](https://docs.aws.amazon.com/savingsplans/latest/userguide/sp-applying.html)
Question #3 - Migration Planning
A company is migrating 200 VMs from a VMware data center to AWS with minimal application changes and a tight timeline.
Which migration tool is best suited?
A) AWS Database Migration Service
B) AWS Snowball Edge for VM images
C) AWS Application Migration Service (MGN)
D) Manual rebuild on EC2
Show solution
Correct answers: C – Explanation:
AWS Application Migration Service (MGN) lift-and-shifts servers at scale by continuously replicating block storage to AWS, enabling fast cutover with minimal app change. DMS is for databases; Snowball is for offline data transfer; manual rebuild is slow. Source: [AWS Application Migration Service](https://docs.aws.amazon.com/mgn/latest/ug/what-is-application-migration-service.html)
Question #4 - Design for New Solutions
A regulated workload requires that all data at rest be encrypted with keys whose material was generated in a FIPS 140-2 Level 3 hardware security module that the customer controls.
Which key management option satisfies this?
A) AWS-owned KMS keys
B) AWS KMS custom key store backed by AWS CloudHSM
C) AWS-managed KMS keys
D) Client-side encryption with a static password
Show solution
Correct answers: B – Explanation:
A KMS custom key store backed by CloudHSM (FIPS 140-2 L3) gives the customer dedicated, single-tenant HSMs while integrating with KMS-aware services. AWS-owned and AWS-managed keys do not meet the customer-control requirement; static passwords are not HSM-backed. Source: [KMS custom key stores](https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html)
Question #5 - Organizational Complexity
A large enterprise has 80 AWS accounts and wants to enforce a service control policy that prevents anyone, including account admins, from disabling CloudTrail.
Where should this control be applied?
A) IAM policy on each account’s admin role
B) An SCP at the AWS Organizations OU level
C) A bucket policy on the CloudTrail S3 bucket
D) A tag policy on CloudTrail resources
Show solution
Correct answers: B – Explanation:
SCPs in AWS Organizations set the maximum permissions for accounts and override account-level admin permissions. IAM policies can be modified by account admins; bucket policies don’t stop StopLogging; tag policies don’t restrict actions. Source: [Service Control Policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html)
Question #6 - Design for New Solutions
A media company streams live video to a global audience and needs sub-second latency end-to-end with minimal infrastructure management.
Which combination is most appropriate?
A) Amazon IVS (Interactive Video Service)
B) S3 CloudFront with default TTL
C) MediaLive MediaStore CloudFront
D) EC2-hosted Wowza streaming server
Show solution
Correct answers: A – Explanation:
Amazon IVS is purpose-built for low-latency (<3s) live streaming as a fully managed service. S3 CloudFront has minute-scale latency for VOD; MediaLive MediaStore CloudFront works but with higher latency and more components; EC2 Wowza is high-ops. Source: [Amazon IVS](https://docs.aws.amazon.com/ivs/latest/userguide/what-is.html)
Question #7 - Continuous Improvement
A workload’s RDS for PostgreSQL DB instance shows high CPU and slow queries during business hours. The team wants automated, AWS-native query and performance recommendations.
Which feature should they enable?
A) RDS Enhanced Monitoring only
B) AWS Config rules
C) VPC Flow Logs
D) Amazon RDS Performance Insights with DevOps Guru for RDS
Show solution
Correct answers: D – Explanation:
Performance Insights surfaces top SQL and wait events; DevOps Guru for RDS adds ML-based anomaly detection and recommendations. Enhanced Monitoring is OS metrics only; Flow Logs are network; Config tracks configuration. Source: [Performance Insights](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.html)
Question #8 - Design for New Solutions
An architect needs to expose hundreds of REST APIs to internal corporate users only, with mTLS authentication and a private endpoint reachable from on-premises via Direct Connect.
Which design fits best?
A) Private API Gateway REST APIs accessed via interface VPC endpoints
B) Public API Gateway REST APIs with WAF
C) Application Load Balancer with HTTP listeners
D) CloudFront distributions in front of Lambda URLs
Show solution
Correct answers: A – Explanation:
Private REST APIs in API Gateway are reachable only through interface VPC endpoints (PrivateLink), so they integrate with on-prem via Direct Connect/VPN; mTLS is supported on REST APIs. Public APIs traverse the internet; ALB lacks API-gateway features; Lambda URLs are public. Source: [Private API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-apis.html)
Question #9 - Migration Planning
A company must move 800 TB of cold archival data from on-prem to AWS within 30 days; their internet circuit is 200 Mbps.
Which transfer method meets the timeline most cost-effectively?
A) AWS DataSync over the internet
B) AWS Snowmobile
C) AWS Snowball Edge devices
D) S3 multipart upload over public endpoints
Show solution
Correct answers: C – Explanation:
200 Mbps would take well over a year for 800 TB; Snowball Edge ships physical devices and meets the timeline cost-effectively. Snowmobile is for exabyte-scale and overkill; DataSync and S3 multipart both depend on the slow link. Source: [AWS Snowball Edge](https://docs.aws.amazon.com/snowball/latest/developer-guide/whatisedge.html)
Question #10 - Design for New Solutions
A high-throughput event-driven system fans out 1 million messages per second to 10 different downstream consumers, each with independent processing speeds.
Which messaging pattern best fits?
A) Single SQS queue read by all consumers
B) EventBridge with a single default bus and direct Lambda invocations
C) Amazon Kinesis Data Streams with a single shard
D) Amazon SNS topic with one SQS queue per consumer (fanout)
Show solution
Correct answers: D – Explanation:
SNS-to-SQS fanout decouples producers from consumers; each consumer reads from its own queue at its own pace, with retries and DLQs per consumer. A single SQS queue can’t deliver to 10 independent consumers; one Kinesis shard caps throughput; direct EventBridge→Lambda lacks per-consumer buffering. Source: [SNS Fanout to SQS](https://docs.aws.amazon.com/sns/latest/dg/sns-common-scenarios.html)
Get 700+ more questions with source-linked explanations
Every answer traces to the exact AWS documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated April 24, 2026
Learn more...
What the aws-solutions-architect-professional exam measures
- Design Solutions for Organizational Complexity (26%) — Architect network connectivity and security across multi-account environments using AWS Organizations, AWS Control Tower, and AWS IAM Identity Center.
- Design for New Solutions (29%) — Design solutions that meet business requirements for performance, reliability, security, cost, and operational excellence across compute, storage, database, and integration services.
- Continuous Improvement for Existing Solutions (29%) — Identify and remediate operational issues, modernize legacy workloads, optimize cost and performance, and improve security posture for live environments.
- Accelerate Workload Migration and Modernization (16%) — Apply the 7 Rs framework, select migration tools (AWS Migration Hub, AWS Database Migration Service, AWS Application Migration Service), and design refactoring strategies.
How to prepare for this exam
- Review the official AWS exam guide and confirm the latest domain weights and content scope before scheduling.
- Complete the matching learning plan on AWS Skill Builder, including the digital courses and exam prep modules.
- Build hands-on muscle memory in an AWS Free Tier account by deploying the services that appear in the Continuous Improvement for Existing Solutions domain.
- Apply your skills to a real-world project — workplace assignments, volunteer work, or open-source contributions where AWS services solve a concrete problem.
- Master one objective at a time, beginning with the highest-weighted domain so the score impact of each study session is maximized.
- Run PowerKram in Learn mode to read the explanations and follow every sourced documentation link until you can predict the right answer before reading the choices.
- Switch to PowerKram Exam mode across all objectives once your accuracy in Learn mode passes 85%, simulating the timed exam experience.
Career paths and salary outlook
This is one of the highest-leverage AWS credentials for senior individual contributors:
- Senior Cloud Architect — $160,000 to $230,000. Levels.fyi: Solutions Architect Compensation
- Principal Solutions Architect — $190,000 to $290,000 base, with significant equity at top firms. Glassdoor: Principal Solutions Architect Salaries
- Cloud Migration Lead — $150,000 to $215,000. BLS: Computer Network Architects Outlook
Official resources
Combine AWS-authored deep dives with PowerKram repetition for the long scenarios: