
Near-Right Architecture — AWS Solutions Architect Pro (SAP-C02)

Two options were architecturally valid — you picked the one that violates a constraint buried in the scenario. Read constraints before evaluating answers.

Multi-AZ RDS Fails When the Scenario Says 'Regional Outage'

RDS Multi-AZ gets picked for resilience, but it protects against AZ failure only. Both primary and standby replicas live in the same AWS region. A scenario that mentions 'survives a full regional outage,' a cross-region RPO, or geographic separation requirements rules out Multi-AZ as the sole resilience mechanism. Aurora Global Database adds a secondary region with sub-second replication; cross-region read replicas with a manual promotion procedure are the lighter alternative. The wording shift from 'availability' to 'regional failure' or 'DR region' is the signal that Multi-AZ alone cannot satisfy the stated requirement.

45% of exam questions affected (90 of 200)

The Scenario

A company needs a real-time analytics dashboard querying petabytes of log data. The question offers Athena with S3 and Redshift Serverless. Both query structured data at scale. But the scenario says "sub-second response times for repeated queries" — Athena scans S3 on every query (seconds to minutes), while Redshift caches results and returns sub-second on repeats. The constraint is latency on repeated queries, not raw query capability. You picked Athena because it is serverless and cheaper per query, but the access pattern eliminates it.

How to Spot It

  • When both answers use real AWS services that address the primary use case, re-read for the performance constraint. "Sub-second," "real-time," "single-digit millisecond" each eliminate different services. Athena is not sub-second. DynamoDB is not for complex joins. Aurora is not for petabyte-scale analytics.
  • Look for protocol-level constraints. If the scenario says TCP traffic with client IP preservation, that eliminates CloudFront (HTTP/HTTPS only) and points to Global Accelerator + NLB. If it says HTTP with caching, that eliminates Global Accelerator.
  • If you find yourself thinking "both could work," the exam is testing constraint reading. Check for: latency target, protocol, data volume, ordering requirement, or compliance region restriction.

Decision Rules

Whether the pipeline includes CodeDeploy as a deployment execution engine with native ALB health-check integration and automatic rollback capability, versus a CodePipeline + CodeBuild design that automates source-to-artifact promotion but lacks a deployment lifecycle layer and therefore cannot natively evaluate fleet health-check failure rates or trigger rollback without custom scripting.

AWS CodePipeline · AWS CodeBuild · AWS CodeDeploy

Whether to commit reserved or Savings Plans capacity at Q4 peak instance count—maximizing the per-unit discount rate but stranding committed spend during 42 off-peak weeks—or to commit Compute Savings Plans only at the Compute Optimizer-validated steady-state baseline and absorb seasonal burst with Spot, achieving the required 35% blended savings rate without idle-capacity lock-in.

Amazon EC2 · Savings Plans · AWS Compute Optimizer

When source and target database engines differ (heterogeneous migration), AWS SCT must precede AWS DMS to convert schema objects and stored procedures; DMS alone satisfies the minimal-downtime constraint via CDC but fails the engine-compatibility constraint, making SCT the deciding differentiator between the correct answer and the near-right distractor.

AWS Database Migration Service (AWS DMS) · AWS Schema Conversion Tool (AWS SCT) · AWS DataSync

Whether the workload's dominant access pattern—multi-table relational JOINs—maps to a managed relational engine (Aurora) or a purpose-built NoSQL engine (DynamoDB), where the JOIN requirement is a hard disqualifier for DynamoDB regardless of its operational, scalability, or modernization appeal.

Amazon Aurora · AWS Database Migration Service (AWS DMS)

Choose a CodeDeploy canary or linear Lambda deployment configuration with CloudWatch alarm-triggered automatic rollback over all-at-once or manual alias-flip strategies, because only canary/linear configurations support the pre/post traffic hook evaluation required for sub-60-second alarm-driven rollback without custom out-of-band orchestration.

AWS CodeDeploy · AWS Lambda · AWS CloudFormation

Determine whether warm standby (reduced-capacity standby compute with continuous replication and automated DNS failover) satisfies the stated 1-hour RPO and 15-minute RTO at materially lower cost than multi-site active-active, which runs full duplicate production capacity continuously and is unjustified by the recovery objectives.

AWS Elastic Disaster Recovery · Amazon Route 53 · Amazon Aurora

Whether to implement multi-attribute content-based event routing using EventBridge event pattern rules with centralized rule management and native archive-and-replay, or to approximate the same topology using SNS fan-out with per-subscription message filter policies or a custom Lambda dispatcher shim—evaluated under a governing constraint of minimal routing-layer operational overhead as consumer count and predicate complexity grow.

Amazon EventBridge · Amazon Simple Notification Service (Amazon SNS) · Amazon Simple Queue Service (Amazon SQS)

Whether to use Transit Gateway with a Direct Connect gateway (hub-and-spoke, transitive routing, fixed VIF count) versus flat VPC peering or per-VPC Direct Connect VIFs (non-transitive, O(N) operational surface)—the VPC fan-out count and private-traffic requirement disqualify all flat approaches.

AWS Direct Connect · AWS Transit Gateway · Amazon Virtual Private Cloud (Amazon VPC)

Whether to federate human identity at the organization level using IAM Identity Center permission sets (single control plane, unified audit trail, automatic propagation) or retain per-account SAML IAM role federation (distributed, operationally familiar, but ungovernable at 50-account scale when both centralized auditing and same-day policy propagation are explicit compliance constraints).

AWS IAM Identity Center · AWS Organizations · AWS Identity and Access Management (IAM)

Whether to apply rehost uniformly across all workloads for speed, or to differentiate R-strategy by workload characteristic—specifically selecting replatform to Aurora PostgreSQL for the Oracle database—because the Oracle license cost elimination constraint disqualifies any strategy that preserves Oracle licensing (EC2 rehost, RDS for Oracle BYOL) on the target platform.

AWS Application Discovery Service · AWS Migration Hub · AWS Schema Conversion Tool (AWS SCT)

Whether a stateful, approval-aware orchestration pipeline (EventBridge → Step Functions → Systems Manager Automation) satisfies change-management-compliance and runbook-idempotency constraints better than a lightweight event-notification pipeline (CloudWatch Alarm → SNS → Lambda) when approval gates, structured queryable audit trails, and automatic rollback are all explicitly required.

AWS Systems Manager · Amazon EventBridge · AWS Step Functions

Determine which network-layer acceleration service correctly handles non-HTTP UDP gaming traffic to resolve the geographic latency breach—distinguishing between CloudFront (HTTP/HTTPS edge cache operating at L7, wrong protocol layer) and Global Accelerator (anycast TCP/UDP routing over the AWS private backbone at L4, correct layer).

AWS Global Accelerator · Amazon CloudFront · Amazon CloudWatch

Whether layering Security Hub aggregation (delegated admin) over Config conformance pack rules, with EventBridge routing findings to SSM Automation runbooks, satisfies the 15-minute automated-remediation SLA — versus Config rules with SNS alerting, which surfaces drift accurately but routes to human operators, making remediation latency indeterminate and unable to reliably meet the SLA at 40-account scale.

AWS Config · AWS Security Hub · AWS Systems Manager

Whether enabling AWS Security Hub as the cross-account normalized-finding aggregation layer—above the existing Config rules and Config Aggregator—with EventBridge-triggered Systems Manager Automation for remediation satisfies the 15-minute SLA and severity-ranked single-pane requirement, versus retaining Config Aggregator alone, which collects compliance snapshots but neither normalizes findings by severity nor produces the event-driven, per-finding hooks required for sub-15-minute coordinated automated remediation across accounts.

AWS Config · AWS Security Hub · AWS Systems Manager

Whether SCT must precede DMS replication when the source and target database engines differ, making SCT a non-negotiable sequence step alongside MGN and DMS even when the cutover window constraint appears satisfied by replication continuity alone.

AWS Application Migration Service · AWS Database Migration Service (AWS DMS) · AWS Schema Conversion Tool (AWS SCT)

Whether AWS Application Migration Service alone satisfies both the application-server rehost and the Oracle-to-Aurora heterogeneous engine migration, or whether the Oracle tier requires a separate SCT-plus-DMS-CDC pathway alongside MGN for the application servers.

AWS Application Migration Service · AWS Database Migration Service (AWS DMS) · AWS Schema Conversion Tool (AWS SCT)

When the workload is stateless, short-duration, and variably loaded with long idle windows, Lambda + API Gateway + DynamoDB satisfies the minimize-operational-overhead and pay-per-use constraints decisively; Fargate is the near-right trap because it modernizes the monolith but imposes cluster sizing, minimum running task counts, and persistent idle cost that violate the stated constraints.

AWS Lambda · Amazon API Gateway · Amazon DynamoDB

Whether GuardDuty findings are centrally aggregated via Security Hub and automatically routed through EventBridge to trigger alerts (full pipeline satisfies the SLA), versus GuardDuty enabled org-wide with a delegated admin but no Security Hub aggregation or EventBridge notification rule (detection is real and multi-account but the alert SLA is unmet because no automated response stage exists).

Amazon GuardDuty · AWS Security Hub · Amazon EventBridge
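The two EventBridge decision rules above (multi-attribute content-based routing versus an SNS filter or Lambda dispatcher, and GuardDuty findings aggregated in Security Hub and routed through EventBridge to an alert target) both come down to the same mechanism: a rule is a declarative pattern that is AND'd across keys and OR'd within a key's value list, and adding a consumer means adding a rule, not editing dispatch code. The block below is an added example, not code from the page or from AWS; it re-implements a reduced subset of the EventBridge event-pattern semantics (exact-match lists, `prefix`, `numeric`, `anything-but`, `exists`) in plain Python so the routing decision can be run offline. The events, rule names and target names (`sns:oncall-pager`, `sqs:fraud-review`, `sqs:orders-archive`, `com.example.orders`) are constructed sample values.

```python
"""Simplified model of EventBridge content-based routing (added example, not
AWS code). Assumed: a reduced subset of the event pattern language (exact-match
lists, "prefix", "numeric", "anything-but", "exists") and constructed sample events."""

_NUMERIC_OPS = {">": lambda v, b: v > b, ">=": lambda v, b: v >= b,
                "<": lambda v, b: v < b, "<=": lambda v, b: v <= b, "=": lambda v, b: v == b}


def _match_value(value, conditions: list) -> bool:
    """A scalar matches if ANY entry in the condition list matches (OR)."""
    for cond in conditions:
        if not isinstance(cond, dict):
            if value == cond:
                return True
        elif "prefix" in cond:
            if isinstance(value, str) and value.startswith(cond["prefix"]):
                return True
        elif "numeric" in cond:  # e.g. [">=", 70] or [">", 0, "<=", 5]; pairs are AND'd
            ops = cond["numeric"]
            is_num = isinstance(value, (int, float)) and not isinstance(value, bool)
            if is_num and all(_NUMERIC_OPS[o](value, b) for o, b in zip(ops[0::2], ops[1::2])):
                return True
        elif "anything-but" in cond:
            ex = cond["anything-but"]
            if value not in (ex if isinstance(ex, list) else [ex]):
                return True
        elif cond.get("exists") is True:
            return True
    return False


def matches(pattern: dict, event: dict) -> bool:
    """Every pattern key must match (AND); nested dicts recurse; when the event
    value is a list (e.g. detail.findings), any element may satisfy the key."""
    for key, expected in pattern.items():
        value = event.get(key)
        candidates = value if isinstance(value, list) else [value]
        if isinstance(expected, dict):
            if not any(isinstance(c, dict) and matches(expected, c) for c in candidates):
                return False
        elif key not in event:  # only {"exists": false} accepts a missing field
            if not any(isinstance(c, dict) and c.get("exists") is False for c in expected):
                return False
        elif not any(_match_value(c, expected) for c in candidates):
            return False
    return True


# Rules are data: a new consumer is a new entry, not an edit to a dispatcher.
RULES = {
    # Page on-call only for active, high-severity GuardDuty findings seen via Security Hub
    "guardduty-high-to-oncall": {
        "pattern": {"source": ["aws.securityhub"],
                    "detail-type": ["Security Hub Findings - Imported"],
                    "detail": {"findings": {
                        "ProductName": ["GuardDuty"],
                        "Severity": {"Normalized": [{"numeric": [">=", 70]}]},
                        "Workflow": {"Status": [{"anything-but": ["SUPPRESSED", "RESOLVED"]}]}}}},
        "target": "sns:oncall-pager"},
    # Multi-attribute routing: large EU orders in EUR/GBP go to fraud review
    "eu-large-orders-to-fraud-review": {
        "pattern": {"source": ["com.example.orders"],
                    "detail": {"region": [{"prefix": "eu-"}],
                               "amount": [{"numeric": [">", 1000]}],
                               "currency": ["EUR", "GBP"]}},
        "target": "sqs:fraud-review"},
    # Fan-out: every order event is also archived
    "all-orders-to-archive": {"pattern": {"source": ["com.example.orders"]},
                              "target": "sqs:orders-archive"},
}


def route(event: dict) -> list[str]:
    """Return the sorted targets whose rule pattern matches the event."""
    return sorted(r["target"] for r in RULES.values() if matches(r["pattern"], event))


def finding(normalized: int, status: str = "NEW") -> dict:
    """Constructed Security Hub event carrying one GuardDuty finding (sample shape)."""
    return {"source": "aws.securityhub", "detail-type": "Security Hub Findings - Imported",
            "detail": {"findings": [{"ProductName": "GuardDuty",
                                     "Severity": {"Normalized": normalized},
                                     "Workflow": {"Status": status}}]}}


def order(region: str, amount: float, currency: str) -> dict:
    """Constructed custom order event (sample shape)."""
    return {"source": "com.example.orders", "detail-type": "OrderPlaced",
            "detail": {"region": region, "amount": amount, "currency": currency}}


if __name__ == "__main__":
    for label, ev in [("high finding", finding(80)), ("low finding", finding(30)),
                      ("resolved high", finding(85, "RESOLVED")),
                      ("eu order", order("eu-west-1", 2500, "EUR")),
                      ("us order", order("us-east-1", 2500, "USD"))]:
        print(f"{label:14s} -> {route(ev)}")
```

The point to take from the model: the high-severity GuardDuty finding reaches the pager target only because a rule exists that evaluates severity and workflow status per finding, which is the "automated response stage" the near-right answer omits. The fraud-review rule shows why predicate complexity favours EventBridge: a prefix test, a numeric threshold and a value list are combined in one rule, whereas an SNS filter policy or a hand-written dispatcher would need to grow with every new consumer or predicate.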

Select Transit Gateway over VPC peering mesh when the topology requires transitive, centralized routing at scale, because VPC peering is non-transitive and cannot support hub-and-spoke inspection without an O(n²) peering explosion that also breaks the no-re-architecture-on-new-VPC constraint.

Amazon Virtual Private Cloud (Amazon VPC) · AWS Transit Gateway · AWS PrivateLink

Whether to use AWS Transit Gateway (scalable, cross-account, private, but grants transitive network-level routing into the full provider VPC) or AWS PrivateLink (service-scoped private endpoint that satisfies least-privilege-network-access by exposing a service rather than a network) when the dominant constraint is endpoint-only structural isolation.

AWS PrivateLink · AWS Transit Gateway · Amazon Virtual Private Cloud (Amazon VPC)

Domain Coverage

Design Solutions for Organizational Complexity · Design for New Solutions · Continuous Improvement for Existing Solutions · Accelerate Workload Migration and Modernization

Difficulty Breakdown

Medium: 47 · Hard: 30 · Expert: 13
