Study SAP-C02 Multi-Account AWS Environment: key concepts, common traps, and exam decision cues.

Multi-account questions are where SAP-C02 becomes unmistakably professional-level. AWS is testing whether you can design an environment that stays governable across many teams, many workloads, and many controls without collapsing into one oversized account.

| Need | Strongest first fit | Why |
|---|---|---|
| organization-wide account and OU structure | AWS Organizations | base control plane for multi-account design |
| faster standardized landing zone | Control Tower | opinionated setup for guardrails and account vending |
| central logging and audit accounts | dedicated log archive and audit/security accounts | reduces blast radius and improves traceability |
| central management for supported services | delegated administrator model | keeps day-to-day service administration out of the management account |
| cross-account resource sharing | AWS RAM | share specific resources without flattening everything |

| Scenario clue | Strongest first reasoning move |
|---|---|
| “many business units with separate controls” | think OU structure and account boundaries first |
| “centralized security and immutable logs” | log archive and audit account pattern |
| “need fast landing zone with baseline guardrails” | Control Tower is often the low-ops answer |
| “shared subnets, resolver rules, or TGW attachments” | AWS RAM is often part of the design |

| Trap | Better rule |
|---|---|
| keeping too many workloads in one account because it feels simpler | SAP-C02 usually rewards clearer blast-radius and ownership boundaries |
| using the management account for normal workloads | keep it clean and minimize operational sprawl there |
| treating central logging as optional | enterprise designs usually centralize CloudTrail and related events |
| ignoring delegated admin models | service administration does not always belong in the management account |

Landing-zone questions usually test whether you can separate account structure from resource sharing. If the requirement is baseline multi-account setup with guardrails, think Control Tower. If the requirement is central durable audit records, think log archive account. If the requirement is selective resource sharing without removing account isolation, think AWS RAM. SAP-C02 generally rewards preserving account boundaries while centralizing governance.
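The OU-structure and guardrail rows above rest on one mechanism worth seeing in motion: service control policies (SCPs), which Organizations inherits down the tree and which Control Tower uses for its preventive controls. The script below is an added example, not part of this study page or any AWS code. The organization layout, account IDs and policy names are constructed, and the evaluator is a deliberately simplified model that honours only Effect and Action (Resource, Condition and NotAction are ignored). It shows three exam-relevant behaviours: a Deny at any level of the path wins, detaching FullAWSAccess from an OU turns that OU into an allow-list, and the management account is exempt from SCPs entirely, which is the reason to keep workloads out of it.

```python
"""Simulate service control policy (SCP) inheritance in an AWS Organizations
tree. Added illustration, not AWS code: the org layout, account IDs and policy
names are constructed, and the evaluator only considers Effect and Action."""
import fnmatch

MANAGEMENT_ACCOUNT = "999999999999"  # hypothetical management account ID

# Constructed organization: each node names its parent and the SCPs attached
# directly to it. An account inherits every SCP on the path root -> OU -> account.
ORG = {
    "r-root":           {"parent": None,           "scps": ["FullAWSAccess", "ProtectCloudTrail"]},
    "ou-security":      {"parent": "r-root",       "scps": ["FullAWSAccess"]},
    "ou-workloads":     {"parent": "r-root",       "scps": ["FullAWSAccess", "DenyLeaveOrganization"]},
    "ou-sandbox":       {"parent": "ou-workloads", "scps": ["AllowOnlyCoreServices"]},  # FullAWSAccess detached
    MANAGEMENT_ACCOUNT: {"parent": "r-root",       "scps": ["FullAWSAccess"]},
    "111111111111":     {"parent": "ou-security",  "scps": ["FullAWSAccess"]},  # log archive account
    "222222222222":     {"parent": "ou-workloads", "scps": ["FullAWSAccess"]},  # production workload
    "333333333333":     {"parent": "ou-sandbox",   "scps": ["FullAWSAccess"]},  # developer sandbox
}

# SCP documents trimmed to the fields this model evaluates.
SCPS = {
    "FullAWSAccess": {"Statement": [{"Effect": "Allow", "Action": "*"}]},
    "ProtectCloudTrail": {"Statement": [{"Effect": "Deny", "Action": [
        "cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]}]},
    "DenyLeaveOrganization": {"Statement": [{"Effect": "Deny",
        "Action": "organizations:LeaveOrganization"}]},
    "AllowOnlyCoreServices": {"Statement": [{"Effect": "Allow", "Action": [
        "ec2:*", "s3:*", "cloudwatch:*", "logs:*"]}]},
}


def _matches(action, patterns):
    """Case-insensitive IAM-style wildcard match of one action against a pattern list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def node_permits(node, action):
    """One level of the tree: an explicit Deny in any attached SCP wins; otherwise
    some attached SCP must Allow the action (SCPs have no implicit allow)."""
    allowed = denied = False
    for name in ORG[node]["scps"]:
        for stmt in SCPS[name]["Statement"]:
            if _matches(action, stmt["Action"]):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def path_to_root(account_id):
    """Nodes from the root down to the account, in inheritance order."""
    path, node = [], account_id
    while node is not None:
        path.append(node)
        node = ORG[node]["parent"]
    return path[::-1]


def blocking_node(account_id, action):
    """First node on the root->account path whose SCPs block the action, or None
    if every level permits it. The management account is exempt from SCPs."""
    if account_id == MANAGEMENT_ACCOUNT:
        return None
    for node in path_to_root(account_id):
        if not node_permits(node, action):
            return node
    return None


def scp_permits(account_id, action):
    """True when no level of the inheritance path blocks the action."""
    return blocking_node(account_id, action) is None


if __name__ == "__main__":
    for acct, action in [("111111111111", "cloudtrail:StopLogging"),
                         (MANAGEMENT_ACCOUNT, "cloudtrail:StopLogging"),
                         ("333333333333", "lambda:CreateFunction"),
                         ("333333333333", "ec2:RunInstances")]:
        print(acct, action, "->", blocking_node(acct, action) or "permitted")
```

Read the results against the traps table: the CloudTrail protection attached at the root reaches the log archive account, yet the same action is still permitted in the management account because SCPs never constrain it; and the sandbox OU, with FullAWSAccess detached, silently blocks any service its allow-list does not name, which is the kind of guardrail a landing zone applies per OU rather than per account.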