Back to AWS Certified Solutions Architect - Professional (SAP-C02)

Design Solutions for Organizational Complexity

Architect network connectivity, prescribe security controls, design resilient architectures, multi-account environments, and cost optimization strategies (~26% of exam).

Covers architecting network connectivity strategies including AWS Global Infrastructure, VPC connectivity, Direct Connect, VPN, transitive routing, hybrid DNS with Route 53 Resolver, network segmentation, subnetting, IP addressing, and network traffic monitoring. Also covers prescribing security controls including IAM, IAM Identity Center, route tables, security groups, network ACLs, encryption keys, certificate management with KMS and ACM, and AWS security tools like CloudTrail, IAM Access Analyzer, Security Hub, and Inspector. Additionally covers designing reliable and resilient architectures with RTO/RPO requirements, disaster recovery strategies (Elastic Disaster Recovery, pilot light, warm standby, multi-site), backup and restoration, auto-recovery, and scale-up/scale-out options. Also covers multi-account AWS environment design with AWS Organizations, Control Tower, cross-account event notifications, and resource sharing. Finally covers cost optimization including AWS cost monitoring tools (Trusted Advisor, Pricing Calculator, Cost Explorer, Budgets), purchasing options (Reserved Instances, Savings Plans, Spot Instances), and rightsizing tools (Compute Optimizer, S3 Storage Lens).
5 minutes 5 Questions

Design Solutions for Organizational Complexity in AWS focuses on architecting systems that accommodate multi-account strategies, cross-account access, and enterprise-scale governance requirements. **Multi-Account Strategies:** AWS Organizations enables centralized management of multiple AWS accoun…

Concepts covered: AWS Global Infrastructure, Amazon VPC networking concepts, AWS Direct Connect, AWS Site-to-Site VPN, Transitive routing in AWS, AWS Transit Gateway, VPC peering connections, AWS container networking services, Hybrid DNS with Route 53 Resolver, On-premises DNS integration, Network segmentation and subnetting, IP addressing and CIDR blocks, Connectivity among multiple VPCs, Network traffic monitoring, VPC Flow Logs, AWS Network Firewall, Evaluating VPC connectivity options, On-premises to cloud integration, Co-location connectivity, AWS Region and Availability Zone selection, Network latency requirements, Troubleshooting traffic flows, VPC endpoints for service integrations, AWS PrivateLink, AWS IAM Identity Center, IAM users, groups, and roles, IAM policies and permissions, Route tables for security, Security groups, Network ACLs, AWS Key Management Service (KMS), KMS key policies and grants, AWS Certificate Manager (ACM), Certificate management best practices, AWS CloudTrail, IAM Access Analyzer, AWS Security Hub, Amazon Inspector, Cross-account access management, Third-party identity provider integration, Encryption strategies for data at rest, Encryption strategies for data in transit, Centralized security event notifications, Security auditing strategies, Recovery Time Objectives (RTO), Recovery Point Objectives (RPO), AWS Elastic Disaster Recovery, Pilot light disaster recovery, Warm standby disaster recovery, Multi-site disaster recovery, Data backup strategies, AWS Backup service, Designing DR solutions for RTO/RPO requirements, Automatic failure recovery architectures, Scale-up vs scale-out architectures, Effective backup and restoration strategies, AWS Organizations, AWS Control Tower, Service Control Policies (SCPs), Multi-account event notifications, AWS Resource Access Manager (RAM), Cross-account resource sharing, Account structure for organizational requirements, Centralized logging strategies, Multi-account governance models, Landing zone design, AWS Trusted Advisor, AWS Pricing Calculator, AWS Cost Explorer, AWS Budgets, Reserved Instances, AWS Savings Plans, Spot Instances, AWS Compute Optimizer, Amazon S3 Storage Lens, Monitoring cost and usage, Cost allocation tagging strategies, Purchasing options impact on cost and performance

Test mode:
Start practice test
SAP-C02 - Design Solutions for Organizational Complexity Example Questions

Test your knowledge of Design Solutions for Organizational Complexity

Question 1

A financial services company operates a trading platform across 4 AWS accounts with an Enterprise Support plan. Their infrastructure includes 156 EC2 instances, 32 RDS databases, and multiple NAT Gateways. The cloud operations team has been tasked with building an automated governance framework that responds to Trusted Advisor check status changes in real-time. When a check transitions from green to yellow or red status, the framework must automatically create a ServiceNow incident ticket, update a centralized DynamoDB tracking table, and send notifications to the appropriate engineering team based on the check category. The team has already configured an SNS topic for notifications but needs to determine how to trigger these automated responses when Trusted Advisor check statuses change. The senior engineer suggests polling the Support API every 5 minutes, while a junior engineer proposes using a native event-driven approach. The operations director requires a solution that minimizes latency between status changes and automated responses while reducing operational overhead. Which AWS service integration should the solutions architect configure to enable event-driven automation that triggers Lambda functions when AWS Trusted Advisor check statuses change?

Correct Answer: Configure Amazon EventBridge rules to capture Trusted Advisor check status change events from the AWS Health service and route them to Lambda functions for processing the automated governance workflows

The correct solution is to configure Amazon EventBridge rules to capture Trusted Advisor check status change events from the AWS Health service and route them to Lambda functions.

AWS Trusted Advisor integrates with AWS Health, which publishes events to Amazon EventBridge when Trusted Advisor check statuses change. This is the native event-driven approach that the junior engineer suggested. When a Trusted Advisor check transitions between states (green to yellow, yellow to red, etc.), AWS Health automatically generates events that can be captured by EventBridge rules.

This approach provides several key benefits:

  1. Real-time event-driven architecture: Events are published immediately when status changes occur, minimizing latency between the change and the automated response - directly addressing the operations director's requirement.

  2. No polling required: Unlike the senior engineer's suggestion of polling the Support API every 5 minutes, EventBridge eliminates the need for scheduled polling, reducing operational overhead and ensuring immediate notification of changes.

  3. Native AWS integration: EventBridge rules can directly invoke Lambda functions, which can then create ServiceNow tickets, update DynamoDB tables, and publish to SNS topics for team notifications based on check categories.

  4. Enterprise Support plan requirement: The company has an Enterprise Support plan, which is required for programmatic access to Trusted Advisor through AWS Health events.

The CloudTrail option is incorrect because CloudTrail monitors API calls, not the actual status change events from Trusted Advisor checks. It would only capture when someone refreshes or queries Trusted Advisor, not when the underlying check status changes.

The CloudWatch Events option mentioning metric threshold breaches is incorrect because Trusted Advisor doesn't publish check status changes as CloudWatch metrics that can be monitored for threshold breaches. Additionally, while CloudWatch Events and EventBridge share similar functionality, the specific integration with Trusted Advisor status changes comes through AWS Health events.

The AWS Config option is incorrect because AWS Config evaluates resource configurations against rules you define - it doesn't natively integrate with Trusted Advisor check results. Trusted Advisor checks are separate from AWS Config compliance evaluations.

Question 2

A global e-commerce company operates a distributed order management system across three VPCs in the same AWS Region: VPC-Orders (10.10.0.0/16) for order processing, VPC-Inventory (10.20.0.0/16) for inventory management, and VPC-Payments (10.30.0.0/16) for payment processing. All three VPCs are interconnected through a transit gateway with appropriate route table configurations. The order processing instances (SG-Orders) must communicate with inventory instances (SG-Inventory) on TCP port 8500 and with payment instances (SG-Payments) on TCP port 9500. The inventory instances must also communicate with payment instances on TCP port 9600 for reconciliation. Network ACLs in all VPCs allow all traffic. After deployment, the operations team reports the following symptoms: order-to-inventory communication on port 8500 works correctly, order-to-payment communication on port 9500 times out, and inventory-to-payment communication on port 9600 also times out. The team has verified that all services are running, DNS resolution works, and transit gateway attachments are active. SG-Orders has outbound rules for TCP 8500 to 10.20.0.0/16 and TCP 9500 to 10.30.0.0/16. SG-Inventory has an inbound rule for TCP 8500 from 10.10.0.0/16 and an outbound rule for TCP 9600 to 10.30.0.0/16. SG-Payments has an inbound rule for TCP 9500 from SG-Orders. What explains the selective connectivity failures?

Correct Answer: SG-Payments references SG-Orders as the source, but cross-VPC traffic cannot use security group references; the rule must specify the CIDR 10.10.0.0/16 for the order processing VPC, and an additional inbound rule for TCP 9600 from 10.20.0.0/16 is needed for inventory access

The correct answer identifies the fundamental limitation of AWS security groups: security group references only work within the same VPC. When SG-Payments has an inbound rule that references SG-Orders as the source, this rule cannot match traffic coming from instances in a different VPC, even when connected via a transit gateway.

Here's the detailed analysis:

  1. Why order-to-inventory works (port 8500): SG-Inventory has an inbound rule for TCP 8500 from 10.10.0.0/16 (CIDR-based), which correctly matches cross-VPC traffic from VPC-Orders.

  2. Why order-to-payment fails (port 9500): SG-Payments has an inbound rule for TCP 9500 from SG-Orders (security group reference). Since SG-Orders is in a different VPC (VPC-Orders), this reference doesn't work across VPCs. The rule needs to specify CIDR 10.10.0.0/16 instead.

  3. Why inventory-to-payment fails (port 9600): SG-Payments has no inbound rule for TCP 9600 at all. It needs an inbound rule for TCP 9600 from 10.20.0.0/16 to allow inventory instances to connect.

The other answers are incorrect for the following reasons:

  • The transit gateway route propagation explanation is invalid because the problem statement confirms transit gateway attachments are active and order-to-inventory communication works, proving routes exist for cross-VPC communication.

  • The suggestion about security group sharing on transit gateway is incorrect because AWS Transit Gateway does not have a "security group sharing" feature. Security groups are VPC-level constructs and cannot be shared across VPCs.

  • Transit gateway attachments do not have security group associations. Transit gateway attachments are network-level constructs that route traffic between VPCs; security groups are applied to ENIs on instances, not on transit gateway attachments.

Question 3

A multinational insurance company operates 94 AWS accounts organized into OUs for Claims-Processing, Underwriting, Customer-Portal, Actuarial-Services, and Corporate-IT. The organization has been using AWS Organizations for three years with all features enabled. The enterprise architecture team recently designed a complex SCP inheritance strategy where the root has an SCP allowing all services, the Claims-Processing OU has an SCP explicitly allowing only EC2, S3, RDS, and Lambda, and a child OU called Claims-Automation under Claims-Processing has an additional SCP that explicitly allows Step Functions and EventBridge. An account called automation-prod exists within the Claims-Automation OU. A developer in automation-prod with full IAM AdministratorAccess attempts to create an AWS Step Functions state machine but receives an access denied error. The developer also cannot access Amazon SNS, which they need for notification workflows. The cloud governance team needs to understand why the Step Functions access is being denied despite the Claims-Automation OU SCP explicitly allowing it. What explains the effective permissions issue preventing Step Functions access in the automation-prod account?

Correct Answer: The parent Claims-Processing OU SCP does not include Step Functions in its allow list, and SCPs at each level must permit an action for it to be allowed, creating an intersection of permissions across the hierarchy.

The correct answer explains the fundamental principle of how Service Control Policies (SCPs) work in AWS Organizations: SCPs use an intersection model across the organizational hierarchy.

In this scenario, the permission chain works as follows:

  1. Root OU: Allows all services (FullAWSAccess)
  2. Claims-Processing OU: Explicitly allows only EC2, S3, RDS, and Lambda
  3. Claims-Automation OU (child of Claims-Processing): Explicitly allows Step Functions and EventBridge

The critical concept here is that SCPs create a permission boundary through INTERSECTION, not UNION. For any action to be permitted, it must be allowed at EVERY level in the hierarchy from the root down to the account. Even though the Claims-Automation OU explicitly allows Step Functions, the parent Claims-Processing OU does NOT include Step Functions in its allow list.

Since the Claims-Processing OU only allows EC2, S3, RDS, and Lambda, Step Functions is effectively blocked at that level. The child OU's SCP allowing Step Functions cannot grant permissions that the parent OU's SCP has already excluded. The effective permissions are the intersection of all SCPs from root to the account, meaning Step Functions must be allowed at ALL levels.

The second answer is incorrect because SCPs work with both allow and deny statements, and child OUs cannot override parent restrictions regardless of whether they use deny or allow statements.

The third answer is incorrect because SCPs ARE inherited from OUs to accounts. You don't need to attach SCPs at the account level for them to apply - OU-level SCPs automatically apply to all accounts within that OU.

The fourth answer incorrectly describes how SCP conflicts work. The root-level SCP allowing all services doesn't create a conflict - it simply provides the broadest permission set. The Claims-Processing OU then restricts this further. There's no 'highest level takes precedence' rule; instead, it's an intersection of all applicable SCPs.

More Design Solutions for Organizational Complexity questions
2337 questions (total)
Start 100 question test