AWS · SAP-C02

Landing Zone And Guardrail Design — AWS Solutions Architect Pro (SAP-C02)

3% of exam questions (5 of 200)

SCPs Block Before Actions Complete; Config Detects Drift After

Service Control Policies are preventive controls: they deny prohibited actions before they complete, regardless of what IAM policies permit inside the account. AWS Config rules are detective controls: they evaluate resource configuration state after changes occur and flag noncompliance. A scenario requiring 'no account may ever disable CloudTrail' requires an SCP, because the prohibition must be enforced at the action level. A scenario focused on 'continuous visibility into configuration drift without restricting developer velocity' requires Config rules. Questions that name a single specific requirement expect you to identify the correct control type, not apply both when only one satisfies the stated objective.

What This Pattern Tests

The exam describes multi-account setup and tests guardrail implementation. AWS Control Tower automates landing zone creation with a management account, log archive account, and audit account. Preventive guardrails (SCPs) block actions before they happen — "deny creating resources outside approved regions." Detective guardrails (Config rules) detect violations after they happen — "flag S3 buckets without encryption." The trap is using detective controls when prevention is required (an SCP blocks the action; a Config rule only reports it after the fact) or preventive controls for audit requirements (SCPs cannot generate compliance reports).
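The distinction the two passages above draw (an SCP denies the action before it completes, a Config rule reports on recorded state afterwards) is easiest to see side by side. The following is an added illustration, not code from the page or from AWS: the SCP document uses real CloudTrail action names but is written for this example; `is_action_permitted` is a deliberately simplified model of policy evaluation (one SCP level, no resource ARNs or conditions); and `SAMPLE_TRAIL_RECORDS` are constructed configuration items standing in for what the managed `CLOUD_TRAIL_ENABLED` rule would read.

```python
from fnmatch import fnmatch

# Preventive guardrail: an SCP attached to an OU. A Deny here cannot be
# overridden by any IAM policy inside the member accounts. The action names
# are real CloudTrail API actions; the policy itself is written for this example.
DENY_CLOUDTRAIL_TAMPERING_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyDisablingCloudTrail",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "cloudtrail:PutEventSelectors",
        ],
        "Resource": "*",
    }],
}

# The default FullAWSAccess SCP that Organizations attaches to every root and OU.
FULL_AWS_ACCESS_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# An over-broad IAM policy an account administrator might hold (same document shape).
ADMIN_IAM_POLICY = FULL_AWS_ACCESS_SCP


def _statement_matches(statement, action):
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names match case-insensitively, with * and ? wildcards.
    return any(fnmatch(action.lower(), p.lower()) for p in patterns)


def _policy_effect(policy, action):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    effect = None
    for st in policy["Statement"]:
        if _statement_matches(st, action):
            if st["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def is_action_permitted(action, scps, iam_policies):
    """Simplified model (an assumption of this example) of evaluation for a
    principal in a member account: all SCPs are treated as one hierarchy level,
    so the action must be allowed by at least one SCP and denied by none before
    the principal's IAM policies are consulted at all. Resources and conditions
    are ignored."""
    scp_effects = [_policy_effect(p, action) for p in scps]
    if "Deny" in scp_effects or "Allow" not in scp_effects:
        return False  # blocked by the guardrail; the API call never completes
    iam_effects = [_policy_effect(p, action) for p in iam_policies]
    return "Deny" not in iam_effects and "Allow" in iam_effects


# Detective guardrail: a model of what a Config rule such as the managed
# CLOUD_TRAIL_ENABLED rule does. It runs over recorded configuration state
# after the change has already happened; it reports, it does not block.
def evaluate_cloudtrail_enabled(trail_records):
    """Map each account id to COMPLIANT / NON_COMPLIANT. An account is
    compliant when at least one of its recorded trails is logging."""
    logging_by_account = {}
    for rec in trail_records:
        acct = rec["account_id"]
        logging_by_account[acct] = logging_by_account.get(acct, False) or rec["is_logging"]
    return {acct: "COMPLIANT" if ok else "NON_COMPLIANT"
            for acct, ok in logging_by_account.items()}


# Constructed sample state: three member accounts after logging was stopped in the second.
SAMPLE_TRAIL_RECORDS = [
    {"account_id": "111111111111", "trail": "org-trail", "is_logging": True},
    {"account_id": "222222222222", "trail": "org-trail", "is_logging": False},
    {"account_id": "333333333333", "trail": "dev-trail", "is_logging": True},
    {"account_id": "333333333333", "trail": "legacy-trail", "is_logging": False},
]

if __name__ == "__main__":
    guardrails = [FULL_AWS_ACCESS_SCP, DENY_CLOUDTRAIL_TAMPERING_SCP]
    for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents"):
        verdict = "permitted" if is_action_permitted(action, guardrails, [ADMIN_IAM_POLICY]) else "blocked"
        print(f"{action}: {verdict}")
    print(evaluate_cloudtrail_enabled(SAMPLE_TRAIL_RECORDS))
```

Run as a script, the first loop shows that `cloudtrail:StopLogging` is blocked even for a principal whose IAM policy allows `*`, while a read-only call such as `cloudtrail:LookupEvents` goes through; the compliance map then flags the account whose trail is already stopped, which is all a detective control can do once the change has landed.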

Decision Axis

Preventive guardrails (SCPs, block actions) vs. detective guardrails (Config rules, detect drift). Prevention is stronger but less flexible.


Decision Rules

Choose between AWS Control Tower's managed landing zone with Account Factory versus a manually assembled AWS Organizations plus SCP plus AWS Config conformance pack stack, where the deciding constraint is minimizing ongoing operational overhead for guardrail maintenance, drift detection, and per-account baselining as the account estate grows over 18 months.

AWS Control Tower · AWS Organizations · AWS IAM Identity Center

Domain Coverage

Design Solutions for Organizational Complexity

Difficulty Breakdown

Hard: 5