AWS · SAP-C02

Compliance And Audit Architecture — AWS Solutions Architect Pro (SAP-C02)

3% of exam questions (5 of 200)

CloudTrail Records Actions; Config Records Configuration State

A regulator asking 'who deleted this S3 bucket and when' needs CloudTrail: it records API calls with principal identity, source IP, and timestamp. An auditor asking 'was encryption enabled on this bucket consistently over the past six months' needs AWS Config: it records resource configuration history and evaluates compliance against rules over time. CloudTrail has no configuration history; Config has no identity attribution for individual actions. Most compliance frameworks require both, but SAP-C02 questions often isolate a single evidence request and expect you to identify which service produces that specific evidence rather than which service is generally useful for compliance posture.
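To make the evidence split concrete, here is an added example (not from this page or from AWS): constructed CloudTrail records and a constructed Config configuration history for the same bucket, each queried for the question only it can answer. The placement of the encryption block under `supplementaryConfiguration["ServerSideEncryptionConfiguration"]` is an assumption about the configuration-item shape.

```python
import json

# Constructed CloudTrail records in CloudTrail log shape; all values are made up.
CLOUDTRAIL_RECORDS = [
    {"eventTime": "2024-03-02T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-reports"}},
    {"eventTime": "2024-03-02T10:16:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": None},
]

# Constructed Config history for one bucket. Assumption: the encryption block sits under
# supplementaryConfiguration["ServerSideEncryptionConfiguration"]; None models no default SSE.
SSE_AES = {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "AES256"}}]}
SSE_KMS = {"rules": [{"applyServerSideEncryptionByDefault": {"sseAlgorithm": "aws:kms"}}]}
CONFIG_HISTORY = [
    {"configurationItemCaptureTime": "2023-09-01T00:00:00Z",
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": SSE_AES}},
    {"configurationItemCaptureTime": "2023-11-14T09:05:00Z",  # JSON-encoded variant
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": json.dumps(SSE_KMS)}},
    {"configurationItemCaptureTime": "2023-11-14T08:30:00Z",  # out of order on purpose
     "supplementaryConfiguration": {"ServerSideEncryptionConfiguration": None}},
]

def who_deleted_bucket(records, bucket):
    """CloudTrail evidence: principal, source IP and time of the DeleteBucket call.
    Only the action is recorded here; there is no configuration state to read."""
    for rec in records:
        params = rec.get("requestParameters") or {}
        if (rec["eventSource"] == "s3.amazonaws.com" and rec["eventName"] == "DeleteBucket"
                and params.get("bucketName") == bucket):
            return {"principal": rec["userIdentity"]["arn"],
                    "source_ip": rec["sourceIPAddress"], "time": rec["eventTime"]}
    return None

def _default_encryption_enabled(item):
    sse = item.get("supplementaryConfiguration", {}).get("ServerSideEncryptionConfiguration")
    if isinstance(sse, str):  # some Config fields arrive JSON-encoded; accept both forms
        sse = json.loads(sse)
    return bool(sse and sse.get("rules"))

def encryption_gaps(history):
    """Config evidence: capture times of snapshots with default encryption off, oldest first.
    Empty list means every recorded state was encrypted; who turned it off is a CloudTrail question."""
    ordered = sorted(history, key=lambda item: item["configurationItemCaptureTime"])
    return [i["configurationItemCaptureTime"] for i in ordered if not _default_encryption_enabled(i)]
```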

What This Pattern Tests

The exam describes a compliance requirement and tests which service serves which function. AWS Config evaluates resource configurations against rules (is encryption enabled? is public access blocked?). CloudTrail records every API call for audit trails (who created this bucket? when was the policy changed?). GuardDuty analyzes CloudTrail, VPC Flow Logs, and DNS logs for threat detection (cryptocurrency mining, compromised credentials). Security Hub aggregates findings from Config, GuardDuty, Inspector, and third-party tools into a compliance score. The trap is using GuardDuty for configuration compliance (that is Config) or CloudTrail for threat detection (that is GuardDuty).

Decision Axis

Compliance function determines the service: configuration compliance = Config, audit trail = CloudTrail, threat detection = GuardDuty, posture aggregation = Security Hub.

Decision Rules

Whether to produce continuous PCI-DSS resource-configuration compliance evidence with managed evaluation controls (Config conformance packs delegated via Organizations, the Security Hub PCI-DSS standard, and Audit Manager automated evidence mapping) or to build a custom compliance pipeline on top of CloudTrail log aggregation with ad-hoc queries and Lambda orchestration.

AWS Config · AWS Security Hub · AWS Audit Manager

Domain Coverage

Design for New Solutions

Difficulty Breakdown

Hard: 5