Study SAP-C02 Security Improvements: key concepts, common traps, and exam decision cues.

Security-improvement questions are about strengthening a live environment without breaking it. SAP-C02 expects you to improve credential hygiene, traceability, patching, backup practice, and automated response in ways that actually reduce risk.

| Need | Strongest first fit | Why |
|---|---|---|
| secrets scattered in code or hosts | Secrets Manager or Parameter Store | centralized credential handling |
| overly broad permissions | least-privilege review and policy tightening | identity risk reduction |
| poor visibility into changes and actions | CloudTrail and related traceability controls | auditability |
| missing patch discipline | Systems Manager patch automation | repeatable update process |
| weak backup hygiene | consistent backup process and validation | recoverability is part of security |
| slow response to findings | automated Config or security-driven remediation | faster risk reduction |

| Trap | Better rule |
|---|---|
| improving detection without improving response | visibility matters most when it leads to action |
| treating secrets and config as identical | both matter, but secret risk is higher and needs tighter handling |
| tightening permissions without traceability | auditability helps prove and maintain least privilege |
| forgetting that backup process is a security control too | recoverability matters after ransomware, deletion, or corruption events |

Security-improvement questions usually start with the operational weakness, not a full redesign. If secrets are in code, move them to managed secret storage. If traceability is weak, use CloudTrail. If patching is inconsistent, lean on Systems Manager automation. SAP-C02 prefers the direct operational fix that reduces the actual security gap today.