Operations Automation And Runbook Design — AWS Solutions Architect Pro (SAP-C02)

5% of exam questions (10 of 200)

Lambda Runs Steps; SSM Automation Runs the Process

'Human approval before proceeding,' 'auditable change record,' and 'sequential remediation steps with rollback' all point to AWS Systems Manager Automation, not Lambda. Lambda handles stateless, event-driven compute and works for simple automated remediation: stop a resource, update a tag, send a notification. SSM Automation documents support multi-step workflows with manual approval tasks, conditional branching, and Change Manager integration for change control compliance. Lambda can execute individual steps inside an SSM Automation document, but it is not a substitute for the operational process structure that SSM Automation provides at the workflow level.

What This Pattern Tests

The exam describes an operational scenario and tests automation design. Systems Manager Automation runbooks execute predefined remediation steps (restart instance, update security group, rotate credentials). EventBridge rules trigger automation based on events (CloudTrail API call, Config compliance change, GuardDuty finding). Lambda handles custom remediation logic. The key decision is automatic vs. manual approval — critical changes (modifying production security groups, rotating database credentials) may require SNS notification and human approval before execution.

Decision Axis

Remediation urgency and risk determine automation level: low-risk = fully automatic, high-risk = automatic detection with human approval gate.
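
The runbook below is an added example, not from the original page. It branches on a hypothetical RiskLevel parameter so that high-risk changes stop at an aws:approve step, and it re-adds the revoked rule if the change record cannot be written. The parameter names, step names, tag key and the port 22 rule are assumptions for illustration.

```yaml
schemaVersion: '0.3'
description: Revoke an SSH ingress rule; high-risk targets wait for approval.
assumeRole: '{{ AutomationAssumeRole }}'
parameters:                       # all parameter names are illustrative assumptions
  AutomationAssumeRole: { type: String }
  GroupId: { type: String }
  Cidr: { type: String }
  RiskLevel: { type: String, allowedValues: [low, high] }
  ApproverArns: { type: StringList }
  ApprovalTopicArn: { type: String }
mainSteps:
  - name: chooseGate              # conditional branching: low risk skips the gate
    action: aws:branch
    inputs:
      Choices:
        - NextStep: requestApproval
          Variable: '{{ RiskLevel }}'
          StringEquals: high
      Default: revokeRule
  - name: requestApproval         # manual approval task, announced through SNS
    action: aws:approve
    onFailure: Abort              # rejection or timeout stops the run before any change
    inputs:
      NotificationArn: '{{ ApprovalTopicArn }}'
      Message: 'Approve revoking {{ Cidr }} SSH ingress on {{ GroupId }}'
      MinRequiredApprovals: 1
      Approvers: '{{ ApproverArns }}'
  - name: revokeRule              # the remediation itself; a failure here aborts (default)
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: RevokeSecurityGroupIngress
      GroupId: '{{ GroupId }}'
      IpPermissions: [{ IpProtocol: tcp, FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '{{ Cidr }}' }] }]
  - name: recordChange            # tag the group with the execution ID for the audit trail
    action: aws:executeAwsApi
    onFailure: step:rollbackRestoreRule
    isEnd: true                   # success ends here, so the rollback step is not run
    inputs:
      Service: ec2
      Api: CreateTags
      Resources: ['{{ GroupId }}']
      Tags: [{ Key: remediated-by, Value: '{{ automation:EXECUTION_ID }}' }]
  - name: rollbackRestoreRule     # reached only through onFailure: undo the unrecorded change
    action: aws:executeAwsApi
    inputs:
      Service: ec2
      Api: AuthorizeSecurityGroupIngress
      GroupId: '{{ GroupId }}'
      IpPermissions: [{ IpProtocol: tcp, FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: '{{ Cidr }}' }] }]
```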

Decision Rules

Whether a stateful, approval-aware orchestration pipeline (EventBridge → Step Functions → Systems Manager Automation) satisfies change-management-compliance and runbook-idempotency constraints better than a lightweight event-notification pipeline (CloudWatch Alarm → SNS → Lambda) when approval gates, structured queryable audit trails, and automatic rollback are all explicitly required.

AWS Systems Manager, Amazon EventBridge, AWS Step Functions

Whether stateful, approval-gated orchestration (Step Functions waitForTaskToken + SSM Automation) is required instead of a lightweight event-notification pipeline (EventBridge → SNS → Lambda) or a single-service automation tool (SSM Automation alone) when the scenario explicitly mandates approval gates, automatic rollback on failure, and a durable consolidated audit trail.

AWS Systems Manager, Amazon EventBridge, AWS Step Functions

Domain Coverage

Continuous Improvement for Existing Solutions

Difficulty Breakdown

Medium: 5, Hard: 5