
I still remember walking out of the AWS Certified Solutions Architect – Professional (SAP-C02) exam knowing one thing for certain: this was not an easy certification. The questions were long, the scenarios were realistic, and every option looked almost correct. I believe I passed with a score of 873, but only because I spent the final days before the exam revising the right things — not everything.
This blog series comes directly from those last-minute revision notes. They are the notes I reviewed repeatedly in the days leading up to the exam, focusing on how AWS services behave in real architectures, not just how they are described in documentation. Writing them down helped me clarify my own thinking, and publishing them now is a way to help others do the same.
These posts are not beginner tutorials. They assume you already understand core AWS services such as VPC, EC2, S3, IAM, and RDS. The goal here is different: to highlight the key architectural decisions, service limitations, and trade-offs that appear again and again in the Solutions Architect – Professional exam. If your concepts are clear, you can use these notes to quickly skim and reinforce your understanding just before exam day.
Think of this series as a calm review, written by someone who has recently sat the exam and learned — sometimes the hard way — what AWS expects you to know at a professional level.
The Iron Fist of Governance (AWS Organizations)
In the multi-account world, you are the security guardian.
- Lesson: Segregation and Auditing are King.
- The Rule: Keep all application resources out of the Management Account; run every workload in member accounts.
- The Exception: The one resource that legitimately lives in the Management Account is the organization trail: an AWS CloudTrail trail created from the Management Account (or a delegated administrator account) that records events from every account in the Organization. Deliver it to an S3 bucket in a dedicated log-archive member account rather than into the Management Account itself. It's your security audit of last resort.
- Lesson: SCPs are Filters, not Grants.
- The Mechanism: Service Control Policies (SCPs) never grant permissions; they set the ceiling of permissions available to every IAM user and role in the account. The effective permission is the intersection of the SCPs at every level of the OU path with the identity's own IAM policies. An explicit Deny in an SCP cannot be overridden by any IAM policy in the member account.
- The Blind Spot: SCPs have no effect on the Management Account at all, neither its root user nor any user or role in it, which is exactly why workloads belong in member accounts. They also do not apply to service-linked roles. They do apply to the root user of member accounts, so a root-level action is still blocked there.
- Lesson: Onboarding Invited Accounts.
- The Gotcha: When you invite an existing AWS account into your Organization, the Management Account does not automatically gain administrative access to it. Only accounts that Organizations creates come with that access pre-wired.
- The Fix: The invited account's owner must create the OrganizationAccountAccessRole IAM role by hand: a trust policy that allows the Management Account to call sts:AssumeRole, with the AdministratorAccess managed policy attached. Only then can administrators in the Management Account switch into the invited account.
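An added example (not from the original post) that models the two lessons above: a small offline evaluator showing that an SCP Allow grants nothing and an SCP Deny blocks everything except in the Management Account, plus the trust policy and attached policy the owner of an invited account must create for OrganizationAccountAccessRole. The policies and the account ID are constructed, and the evaluator is a simplification: it ignores resource policies, permission boundaries and session policies, and treats all attached SCPs as one flat list rather than intersecting them per OU level.

```python
"""Offline model of 'SCPs filter, IAM grants', plus the role an invited
account must create. Added example, not from the original post.

Simplifications (real AWS evaluation does more): no resource policies,
permission boundaries or session policies, and all attached SCPs are
treated as one flat list. In AWS every level of the OU path must allow
the action; the flat list is enough to show the exam rule.
"""
import fnmatch
import json

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _action_matches(pattern, action):
    # IAM action patterns are case-insensitive globs, e.g. "ec2:Describe*".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _policy_decision(policy, action):
    """'Deny', 'Allow' or 'Implicit' for one policy document and one action."""
    decision = "Implicit"
    for statement in policy["Statement"]:
        actions = statement.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit Deny cannot be overridden by an Allow
        decision = "Allow"
    return decision


def is_allowed(action, iam_policies, scps, in_management_account=False):
    """True if the principal may perform `action`.

    Order mirrors AWS: explicit Deny anywhere wins; SCPs set the ceiling but
    never grant; the identity still needs an IAM Allow; SCPs are ignored for
    principals in the management account.
    """
    iam = [_policy_decision(p, action) for p in iam_policies]
    if "Deny" in iam:
        return False
    if not in_management_account:
        scp = [_policy_decision(p, action) for p in scps]
        if "Deny" in scp or "Allow" not in scp:
            return False
    return "Allow" in iam


def organization_account_access_role(management_account_id):
    """What the owner of an *invited* account has to create by hand.

    Accounts created by Organizations get this role automatically; invited
    accounts do not. Keeping the default name matters because the console's
    'switch role' flow and most runbooks assume it.
    """
    trust = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }
    return {
        "RoleName": "OrganizationAccountAccessRole",
        "AssumeRolePolicyDocument": json.dumps(trust),
        "AttachedPolicyArn": ADMIN_POLICY_ARN,
    }


# Constructed sample policies (the SCP keeps FullAWSAccess and adds guardrails).
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["organizations:LeaveOrganization", "cloudtrail:StopLogging"],
         "Resource": "*"},
    ],
}
ADMIN_IAM = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_IAM = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

if __name__ == "__main__":
    for who, pol, mgmt in (("member admin", ADMIN_IAM, False),
                           ("member read-only", READONLY_IAM, False),
                           ("management admin", ADMIN_IAM, True)):
        for act in ("cloudtrail:StopLogging", "ec2:RunInstances"):
            print(f"{who:18} {act:28} {is_allowed(act, [pol], [GUARDRAIL_SCP], mgmt)}")
    print(json.dumps(organization_account_access_role("111122223333"), indent=2))
```

The read-only case is the one that trips people up in the exam: the SCP allows ec2:RunInstances, yet the call is denied, because an SCP Allow is a ceiling and only the IAM policy can actually grant.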
The Architect’s Network Blueprint
Networking issues are often the most time-consuming to resolve. Know these connectivity rules.
- Lesson: NAT Gateways
- The Truth: A NAT Gateway does not translate IPv6-to-IPv6 traffic. For outbound-only IPv6 from a private subnet, use an Egress-Only Internet Gateway, the IPv6 counterpart of a NAT Gateway: instances can initiate connections out, inbound connections are refused. The one IPv6 job a NAT Gateway does do is NAT64, letting IPv6-only workloads reach IPv4-only destinations when paired with DNS64.
- The Availability: A NAT Gateway is resilient only within the Availability Zone it is deployed in. For zone-level resilience, deploy one NAT Gateway per AZ and point each private subnet's route table at the NAT Gateway in its own AZ, so an AZ outage does not strand the surviving subnets and you avoid cross-AZ data charges.
- Lesson: Direct Connect’s Split Personality.
- Private VIFs: Connect to private IP addresses inside a VPC (EC2 instances, internal ALBs, RDS), terminating on a Virtual Private Gateway or a Direct Connect gateway.
- Public VIFs: Required to reach AWS public endpoints (such as S3 or DynamoDB) over Direct Connect from your on-premises data center. The alternative for S3 is an interface VPC endpoint reached over a private VIF, which keeps the traffic off public IP space entirely.
- Transit VIFs: Terminate on a Direct Connect gateway that is associated with one or more AWS Transit Gateways, so a single VIF reaches every VPC attached to those transit gateways, including VPCs in other regions.
- Lesson: Cross-Account Private DNS (Route 53).
- The Limitation: You cannot use the Route 53 console to authorize or complete a VPC association for a private hosted zone across different AWS accounts.
- The Procedure: Use the AWS CLI, SDK, or API. The zone owner runs create-vpc-association-authorization for each VPC (one authorization per VPC; there is no wildcard), the VPC owner then runs associate-vpc-with-hosted-zone from their own account, and the zone owner finally runs delete-vpc-association-authorization so the standing authorization cannot be reused later.
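The two-account sequence from the lesson above, as an added example that is not part of the original post. The hosted zone lives in one account and the VPCs in another; the account IDs, hosted zone ID and VPC IDs are placeholders, and the live run assumes boto3 clients built from each account's credentials (the named CLI profile is an assumption). The planner itself runs offline, which is also how you would review the change before executing it.

```python
"""Cross-account private hosted zone association as an ordered two-account
plan. Added example, not from the original post. Account IDs, zone ID and
VPC IDs are placeholders; the live run assumes boto3 clients built from
each account's credentials.
"""


def plan_cross_account_association(zone_id, zone_account, vpcs):
    """Return the ordered Route 53 API calls as (account, api, params).

    vpcs: iterable of (vpc_account_id, region, vpc_id). There is no wildcard
    authorization, so every VPC gets its own create/associate/delete triple.
    """
    steps = []
    for vpc_account, region, vpc_id in vpcs:
        vpc = {"VPCRegion": region, "VPCId": vpc_id}
        # 1. Zone owner authorizes exactly this VPC (the console cannot do this).
        steps.append((zone_account, "create_vpc_association_authorization",
                      {"HostedZoneId": zone_id, "VPC": vpc}))
        # 2. VPC owner completes the association from its own account.
        steps.append((vpc_account, "associate_vpc_with_hosted_zone",
                      {"HostedZoneId": zone_id, "VPC": vpc}))
        # 3. Zone owner revokes the standing authorization; the association
        #    survives, but the other account can no longer re-associate.
        steps.append((zone_account, "delete_vpc_association_authorization",
                      {"HostedZoneId": zone_id, "VPC": vpc}))
    return steps


def run_plan(steps, clients):
    """Execute the plan. `clients` maps account id -> a Route 53 client
    (boto3 or any object with the same method names) for that account."""
    results = []
    for account, api, params in steps:
        results.append(getattr(clients[account], api)(**params))
    return results


if __name__ == "__main__":
    import boto3  # only needed for the live run

    zone_account, vpc_account = "111122223333", "444455556666"
    steps = plan_cross_account_association(
        "Z0123456789EXAMPLE", zone_account,
        [(vpc_account, "us-east-1", "vpc-0abc1234def567890")])
    clients = {
        zone_account: boto3.client("route53"),  # default credentials: zone owner
        # Assumption: a named CLI profile holds the VPC-owner credentials.
        vpc_account: boto3.Session(profile_name="vpc-owner").client("route53"),
    }
    for (account, api, _), response in zip(steps, run_plan(steps, clients)):
        print(account, api, response.get("ChangeInfo", {}).get("Status", "done"))
```

Route 53 is a global service, so the region on the client does not matter; the region that does matter is the one inside the VPC parameter, which must be where the VPC actually lives.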
The Storage & Data Optimisation Strategy
Choosing the right file format and security configuration is key to cost and performance.
- Lesson: Apache Parquet is Your Analytics Ally.
- The Edge: When processing large volumes of data (like VPC flow logs) for analytical queries in services like Amazon S3/Athena, the columnar storage format of Apache Parquet is superior.
- The Benefit: Because values are stored by column with per-row-group statistics, a query engine reads only the columns it projects and skips whole row groups whose min/max statistics rule out the predicate. Fewer bytes are read from S3, which is both faster and cheaper, since Athena bills on data scanned.
- Lesson: Hardening S3 Encryption (The Policy Enforcer).
- The Goal: To prevent the upload of unencrypted objects.
- The Solution: Implement a Bucket Policy that denies s3:PutObject unless the request carries the x-amz-server-side-encryption HTTP header with an acceptable value (AES256 or aws:kms). In policy terms that is two Deny statements: one on the Null condition for a missing header, and one with StringNotEquals for a header with the wrong value, because StringNotEquals alone does not match when the key is absent.
- Lesson: S3 Object Lock is a Creation-Time Feature.
- The Restriction: For regulatory compliance, if you need Object Lock (WORM, Write Once Read Many) on an S3 bucket, the exam expects you to enable it when the bucket is created rather than retrofit it. Object Lock requires S3 Versioning, and once enabled on a bucket it cannot be disabled; retention periods and legal holds are then applied per object version.
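An added example (not from the original post) that generates the bucket policy from the Hardening S3 Encryption lesson and replays its two conditions against constructed PutObject request headers; the bucket name is a placeholder.

```python
"""Bucket policy that refuses unencrypted uploads, and a local replay of
its conditions. Added example, not from the original post; bucket name
is a placeholder."""
import json

ALLOWED_SSE = ("AES256", "aws:kms")
SSE_KEY = "s3:x-amz-server-side-encryption"   # condition key S3 derives from the header


def require_sse_bucket_policy(bucket, allowed=ALLOWED_SSE):
    """Two Deny statements: a missing header (Null) and a wrong value
    (StringNotEquals). StringNotEquals alone never fires when the key is
    absent, which is why the Null statement is needed."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyMissingSSEHeader",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"Null": {SSE_KEY: "true"}},
            },
            {
                "Sid": "DenyWrongSSEAlgorithm",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": objects,
                "Condition": {"StringNotEquals": {SSE_KEY: list(allowed)}},
            },
        ],
    }


def put_object_decision(request_headers, policy):
    """Replay the policy's Deny conditions against one request's headers.

    Returns the Sid of the statement that denies the upload, or None when
    the request passes (an IAM or bucket Allow is still required separately).
    """
    headers = {k.lower(): v for k, v in request_headers.items()}
    value = headers.get("x-amz-server-side-encryption")
    for statement in policy["Statement"]:
        condition = statement["Condition"]
        if "Null" in condition and value is None:
            return statement["Sid"]
        if "StringNotEquals" in condition and value is not None \
                and value not in condition["StringNotEquals"][SSE_KEY]:
            return statement["Sid"]
    return None


if __name__ == "__main__":
    policy = require_sse_bucket_policy("example-flow-log-archive")
    print(json.dumps(policy, indent=2))
    # Constructed requests: the AWS CLI sends the header only when --sse is passed.
    for headers in ({}, {"x-amz-server-side-encryption": "AES256"},
                    {"x-amz-server-side-encryption": "aws:kms"},
                    {"x-amz-server-side-encryption": "bogus"}):
        print(headers, "->", put_object_decision(headers, policy) or "allowed by this policy")
```

Since January 2023 S3 applies SSE-S3 to every new object by default, so the practical use of this policy today is forcing SSE-KMS: pass allowed=("aws:kms",) and, if a particular key must be used, add a second condition on s3:x-amz-server-side-encryption-aws-kms-key-id.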
Lessons from the Limits: Security and Networking
When I was revising, I realised that the exam loves to test where AWS stops you, not just where it lets you go. Security and networking are full of little traps:
• Security groups vs NACLs – Security groups do not filter Amazon DNS (the VPC resolver), DHCP, the instance metadata service (169.254.169.254), Amazon Time Sync (169.254.169.123), or Windows license activation traffic; you cannot block those with a security group rule. NACLs, on the other hand, are subnet-level and stateless and cannot be attached to an ENI, so they give no per-instance control.
• Route 53 health checks – HTTPS health checks do not validate the SSL/TLS certificate, so an expired or mismatched certificate will not fail the check. If certificate validity must drive failover, run your own probe and feed it into a CloudWatch-alarm-based health check.
• Lambda networking – A Lambda function has no static IP, so allow-listing it by address in a security group is impractical; if a downstream needs a fixed source address, attach the function to a VPC and route its egress through a NAT Gateway with an Elastic IP. Also, Lambda functions cannot be shared via AWS RAM, unlike some other resources; cross-account access is granted with the function's resource-based policy instead.
• Private vs Public VIF – A private virtual interface brings your on-premises network into a VPC using private IPs. A public virtual interface never enters a VPC: it reaches AWS public service endpoints using public IPs, which on the on-premises side usually means NAT to an address you own or one AWS assigns. Understanding this distinction is key for exam scenarios.
Managed Services: Know What You Can’t Change
Professional-level questions often focus on AWS defaults and limitations. It’s not about theory; it’s about knowing the facts:
• Aurora logging – Error logs are produced automatically, but slow query logs (and the general log) need parameter changes such as slow_query_log=1 in the DB parameter group, and shipping any of them to CloudWatch Logs is a separate log-export setting on the cluster.
• Redshift audit logging – Delivery to S3 supports only SSE-S3 encryption (AES-256) on the target bucket.
• S3 Replication Time Control (RTC) – Backed by an SLA that 99.99% of objects replicate within 15 minutes. Replication is always asynchronous; never assume it is instant.
• RDS snapshots – Manual snapshots can be shared with up to 20 accounts; automated snapshots cannot, so copy an automated snapshot to a manual one first. A snapshot encrypted with the default aws/rds key cannot be shared either; use a customer managed KMS key and grant the other account access to it.
• AWS Glue, Athena, and S3 – Athena ships its own JDBC/ODBC drivers and a Power BI connector. Glacier Select works only on uncompressed CSV objects. Macie scans S3 buckets you own, not the storage behind AWS-managed services such as CodeCommit.
Resilience and Scaling: AWS Works for You, If You Know How
AWS often does the heavy lifting — if you understand the rules:
• EC2 Auto Scaling – During AZ rebalancing, replacement instances launch before the old ones terminate, so capacity never dips; to make that possible the group may temporarily exceed its maximum capacity by 10 percent (or one instance, whichever is greater).
• ECS and Spot Instances – With Spot instance draining enabled on the container agent (ECS_ENABLE_SPOT_INSTANCE_DRAINING=true), ECS reacts to the two-minute interruption notice by putting the instance into DRAINING, deregistering its tasks from their load balancer target groups and rescheduling them elsewhere.
• Replication strategies – Multi-AZ uses synchronous replication to a standby (an availability and RTO decision); read replicas are asynchronous (a read-scaling decision whose RPO is the replication lag). Choose on RPO and RTO, not preference.
• Topology spread constraints – Spreading pods across Availability Zones with a topologySpreadConstraints rule on topology.kubernetes.io/zone in an EKS cluster caps how many replicas one AZ failure can take out; it protects the workload rather than the nodes, a subtle but exam-relevant detail.
Deployment Patterns: The Right Tool, Not the Fancy Tool
Even deployment questions test your knowledge of AWS realities:
- OpsWorks – Supports blue/green, not canary deployments (OpsWorks Stacks reached end of life in May 2024, so treat this as exam trivia rather than a design choice).
- Elastic Beanstalk – Supports blue/green by cloning the environment, deploying to the clone, then swapping the environment CNAMEs.
- Aurora Blue/Green – For database updates, RDS and Aurora have a built-in Blue/Green Deployments feature that stages a replicated green copy and switches over to it.
- SAM and CodeDeploy – CodeDeploy provides the traffic shifting: canary, linear or all-at-once for Lambda (declared in SAM as a DeploymentPreference) and blue/green for ECS.
Knowing what AWS actually supports vs. what is theoretically possible is often the difference between a correct answer and a trap.
Observability and Logging: Details Matter
Logging is another favourite exam trap — AWS gives you tools, but they come with boundaries:
• VPC Flow Logs – Only OSI Layer 3/4 metadata: the 5-tuple, packet and byte counts, and ACCEPT/REJECT. Payload is never captured, and custom formats only add more metadata fields (tcp-flags, pkt-srcaddr and so on). Can be published to CloudWatch Logs, S3, or Kinesis Data Firehose.
• AWS WAF – Logs go to CloudWatch Logs, S3, or Kinesis Data Firehose, and the destination name must begin with aws-waf-logs-; WAF inspects HTTP/S requests for CloudFront, API Gateway, ALB, AppSync, Cognito user pools and App Runner.
• SES and TLS – The SMTP interface offers STARTTLS (ports 25, 587, 2587) and TLS Wrapper, i.e. SMTPS (ports 465, 2465). Onward delivery from SES to recipient mail servers is opportunistic TLS by default; set the configuration set's TLS policy to Require if unencrypted delivery must be refused. TLS Wrapper is the better fit for legacy clients that cannot negotiate STARTTLS.
• Compute Optimizer – Exports go to S3 as a CSV of recommendations plus a JSON metadata file. Covers EC2 instances, Auto Scaling groups, EBS volumes, Lambda functions and ECS services on Fargate.
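An added example (not from the original post) that puts the VPC Flow Logs bullet to work: a parser for the default format and a port-scan heuristic run over a handful of constructed records. Because the records hold only Layer 3/4 metadata, the detection can reason purely about addresses, ports, protocol and ACCEPT/REJECT; the account and ENI IDs in the sample are made up.

```python
"""Port-scan heuristic over VPC Flow Log records. Added example, not from
the original post; the records below are constructed in the default
(version 2) format with the account and ENI IDs made up."""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA number: 6 = TCP, 17 = UDP
    action: str     # ACCEPT or REJECT


def parse_flow_log(text):
    """Parse default-format lines. NODATA/SKIPDATA records carry '-' in the
    tuple fields and say nothing about traffic, so they are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"],
                                  int(rec["srcport"]), int(rec["dstport"]),
                                  int(rec["protocol"]), rec["action"]))
    return records


def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed TCP flows hit at least `min_ports` distinct
    destination ports. Without payload, the only scan signal available is
    many different ports bouncing off a security group or NACL."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.protocol == 6:
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one external host probing six ports, normal internal
# traffic, one stray reject, and a NODATA record for an idle interval.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40003 80 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40004 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40005 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40006 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.15 10.0.1.20 51515 443 6 12 4820 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.20 55000 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    for src, hit_ports in find_port_scans(parse_flow_log(SAMPLE)).items():
        print(f"possible scan from {src}: rejected on ports {hit_ports}")
```

The same records written as Parquet and queried in Athena would let you run this aggregation as a GROUP BY over a much larger window; the heuristic stays the same because the data available to it does not change.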
Final Thoughts
The AWS Certified Solutions Architect – Professional exam rewards clear thinking, not guesswork. It tests whether you understand why one architectural choice is better than another under pressure — cost, scale, security, or failure. That’s why surface-level knowledge is not enough, and why rushed revision usually backfires.
The notes in this series are meant to slow you down and sharpen your judgement. If you already have hands-on experience and solid fundamentals, revisiting these distinctions can help you approach exam questions with confidence instead of doubt. That was their purpose for me, and that is exactly how they should be used.
In the next post, I’ll start breaking down the first set of high-impact architectural concepts that repeatedly appear in the exam — the ones that are easy to misunderstand and costly to get wrong. Take a breather, let this sink in, and come back for the next lesson.
