Security Posture Assessment And Improvement — AWS Solutions Architect Pro (SAP-C02)

4% of exam questions (8 of 200)

Config Detects Drift; Security Hub Aggregates Findings

Ongoing drift detection with a configuration history is a different problem from a consolidated security posture view, and the exam keeps the two apart. AWS Config continuously evaluates resource configurations against rules and records every configuration change as a timeline, so it answers 'was this resource compliant six months ago?' Security Hub ingests findings from Config, GuardDuty, Inspector, IAM Access Analyzer, Macie and third-party products, normalizes them into the AWS Security Finding Format (ASFF) and aggregates them across every account in the organization, so it answers 'what is the current security posture across accounts?' Config conformance packs deploy a common set of rules (optionally with remediation actions) to every account; Security Hub rolls the resulting compliance status up into a single view and ranks findings by severity. SAP-C02 questions test whether you can match each evidence or visibility requirement to the service that actually produces it.

What This Pattern Tests

The exam describes a security assessment need and tests tool selection. Security Hub provides a compliance score against security standards (CIS AWS Foundations Benchmark, PCI DSS, AWS Foundational Security Best Practices). Inspector scans EC2 instances, ECR container images and Lambda functions for known CVEs and for unintended network reachability. IAM Access Analyzer identifies resources (S3 buckets, KMS keys, IAM roles and the like) shared with principals outside your zone of trust and validates policies for overly broad grants. Trusted Advisor checks service quotas, cost optimization, fault tolerance and a basic set of security items (unrestricted security group ports, MFA on the root user); the full check set requires a Business or Enterprise support plan. The trap is picking Security Hub to find CVEs (that is Inspector) or Inspector to assess IAM policies (that is Access Analyzer).

Decision Axis

Assessment scope determines the tool: compliance posture = Security Hub, vulnerability scanning = Inspector, permission analysis = Access Analyzer, operational best practices = Trusted Advisor.

Associated Traps

Decision Rules

Whether layering Security Hub aggregation (with a delegated administrator account) over Config conformance pack rules, and routing each finding through EventBridge to a Systems Manager Automation runbook, meets a 15-minute automated-remediation SLA. The alternative, Config rules with SNS alerting, surfaces drift accurately but hands it to human operators, so remediation latency is indeterminate and cannot reliably meet the SLA at 40-account scale. (Config rule remediation can also invoke Systems Manager Automation directly, but it acts per rule and per account, without cross-account severity ranking or a consolidated view.)

Services: AWS Config, AWS Security Hub, AWS Systems Manager

Whether enabling Security Hub as the cross-account normalized-finding layer above the existing Config rules and Config aggregator, with EventBridge-triggered Systems Manager Automation for remediation, satisfies both the 15-minute SLA and the requirement for a severity-ranked single pane. Retaining the Config aggregator alone does not: the aggregator is read-only, collecting compliance snapshots across accounts, but it neither normalizes findings by severity nor emits per-finding events of its own, so coordinating sub-15-minute automated remediation from the central account would have to be rebuilt in every member account.

Services: AWS Config, AWS Security Hub, AWS Systems Manager
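Both decision rules above turn on the same mechanism: a Security Hub finding arrives as an EventBridge event that already carries a normalized severity and workflow state, while a raw Config compliance change does not. The Python below is an added example, not code from the page or from AWS; it simulates the two EventBridge event patterns locally, routes two constructed sample events through them, and shows why only the Security Hub path yields a severity-ranked, per-finding remediation hook. The `matches` function implements EventBridge's documented exact-value matching (arrays match if any element matches); the runbook names, the SNS topic ARN and the account IDs are hypothetical.

```python
"""Added example (not from the page or AWS): simulate the two EventBridge rules
implied by the decision rules above. Event payloads are constructed samples;
runbook names and the SNS topic are hypothetical."""
from typing import Any, Iterator

# Rule 1: Security Hub findings, filtered to actionable severity and state.
SECURITY_HUB_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]},
                            "Compliance": {"Status": ["FAILED"]},
                            "Workflow": {"Status": ["NEW"]}}},
}
# Rule 2: raw Config compliance changes; the payload has no severity field at all.
CONFIG_PATTERN = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {"messageType": ["ComplianceChangeNotification"],
               "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]}},
}
# Hypothetical control-id -> SSM Automation document names (not real AWS documents).
RUNBOOKS = {"EC2.2": "Example-RemoveDefaultSgRules", "S3.2": "Example-BlockPublicRead"}
DRIFT_TOPIC = "arn:aws:sns:us-east-1:222222222222:config-drift-alerts"  # hypothetical


def _leaves(node: Any, path: tuple = ()) -> Iterator[tuple]:
    """Flatten JSON to (path, scalar) pairs. Array elements share the parent path,
    mirroring EventBridge's 'any element may match' treatment of arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (key,))
    elif isinstance(node, list):
        for value in node:
            yield from _leaves(value, path)
    else:
        yield path, node


def matches(pattern: dict, event: dict) -> bool:
    """EventBridge exact-value matching: every pattern path must exist in the event
    and share at least one value with the pattern's allowed values for that path."""
    seen: dict = {}
    for path, value in _leaves(event):
        seen.setdefault(path, set()).add(value)
    allowed: dict = {}
    for path, value in _leaves(pattern):
        allowed.setdefault(path, set()).add(value)
    return all(path in seen and seen[path] & values for path, values in allowed.items())


def route(event: dict) -> list:
    """Return the targets the two rules would invoke for one event."""
    actions = []
    if matches(SECURITY_HUB_PATTERN, event):
        # One event can carry several findings and the flattened match only proves
        # that *some* element satisfied each path, so re-check each finding.
        per_finding = SECURITY_HUB_PATTERN["detail"]["findings"]
        for finding in event["detail"]["findings"]:
            if matches(per_finding, finding):
                control_id = finding["GeneratorId"].rsplit("/", 1)[-1]
                actions.append({"target": "ssm-automation",
                                "document": RUNBOOKS.get(control_id, "Example-ManualTriage"),
                                "severity": finding["Severity"]["Label"],
                                "account": finding["AwsAccountId"],
                                "resource": finding["Resources"][0]["Id"]})
    elif matches(CONFIG_PATTERN, event):
        # Config says *what* drifted but not how urgent it is: no normalized severity,
        # so this rule can only hand the event to a human-facing topic.
        d = event["detail"]
        actions.append({"target": "sns", "topic": DRIFT_TOPIC, "severity": None,
                        "account": event["account"],
                        "resource": f'{d["resourceType"]}/{d["resourceId"]}'})
    return actions


# Constructed sample: one Security Hub import event carrying two ASFF findings.
SECURITY_HUB_EVENT = {
    "source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
    "account": "111111111111",
    "detail": {"findings": [
        {"AwsAccountId": "111111111111",
         "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/EC2.2",
         "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
         "Workflow": {"Status": "NEW"},
         "Resources": [{"Type": "AwsEc2SecurityGroup",
                        "Id": "arn:aws:ec2:us-east-1:111111111111:security-group/sg-0123456789abcdef0"}]},
        {"AwsAccountId": "111111111111",
         "GeneratorId": "aws-foundational-security-best-practices/v/1.0.0/S3.2",
         "Severity": {"Label": "LOW"}, "Compliance": {"Status": "PASSED"},
         "Workflow": {"Status": "RESOLVED"},
         "Resources": [{"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket"}]},
    ]},
}
# Constructed sample: a Config compliance-change event for a managed rule.
CONFIG_EVENT = {
    "source": "aws.config", "detail-type": "Config Rules Compliance Change",
    "account": "222222222222",
    "detail": {"messageType": "ComplianceChangeNotification",
               "configRuleName": "restricted-ssh",
               "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0fedcba9876543210",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
               "oldEvaluationResult": {"complianceType": "COMPLIANT"}},
}

if __name__ == "__main__":
    for name, event in (("security-hub", SECURITY_HUB_EVENT), ("config", CONFIG_EVENT)):
        print(name, route(event))
```

Running it shows the Security Hub event producing exactly one `ssm-automation` action (the HIGH/FAILED/NEW finding; the LOW/PASSED/RESOLVED finding in the same batch is dropped by the per-finding check), while the Config event produces only an `sns` action with `severity` set to `None`. The per-finding re-check is the practical caveat: because EventBridge flattens arrays, an event-level match does not guarantee that every finding in the batch met the severity and state filters, so the Automation target must filter again before it remediates.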

Domain Coverage

Continuous Improvement for Existing Solutions

Difficulty Breakdown

Medium: 4, Hard: 4