
Security & Governance at Scale | AWS SAP-C02

Author: Jeff Taakey
21+ Year Enterprise Architect | Multi-Cloud Architect & Strategist.

Architecture patterns are where individual decisions become complete systems.

While pillars explain how to make specific decisions and topics organize what decisions you’ll face, patterns show how everything fits together in production-ready architectures.

These aren’t theoretical patterns. They’re the recurring enterprise architectures that AWS Solutions Architects design repeatedly—and that SAP-C02 tests repeatedly.

For enterprise architects, security is not a perimeter—it is a pervasive framework. The Security & Governance at Scale pattern focuses on building a “Landing Zone” that enforces compliance, automates guardrails, and centralizes identity across thousands of resources. In SAP-C02, you must think like a CISO, balancing strict Service Control Policies (SCPs) with operational efficiency.

🏗️ Core Architectural Patterns

SAP-C02 focuses on the “Invariants” of cloud governance: Isolation, Identity, and Inspection.

1. Multi-Account Strategy & Guardrails

  • AWS Organizations: The root of trust. Use Service Control Policies (SCPs) to set the maximum available permissions for every principal in a member account, including that account's root user (SCPs never restrict the management account itself).
  • AWS Control Tower: Automates the setup of a baseline environment (Landing Zone) with pre-configured detective and preventive guardrails.
  • AWS Resource Access Manager (RAM): Securely shares resources (such as a Transit Gateway or subnets) across accounts without duplicating them.

2. Centralized Identity & Access

  • AWS IAM Identity Center (SSO): The modern way to manage access. It decouples the identity provider (Okta, AD, Azure AD) from the AWS accounts.
  • ABAC (Attribute-Based Access Control): Using tags on principals and resources to scale permissions, so one policy serves many teams instead of managing thousands of individual IAM policies.
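The two controls above, SCPs as a permission ceiling (section 1) and tag-matched ABAC (section 2), are easiest to reason about with a small evaluator. The following is an added illustration, not AWS's policy-evaluation engine and not code from this site: it models only Action matching and the StringEquals / StringNotEquals operators, ignores Resource ARNs, permission boundaries, resource and session policies, and uses constructed sample policies (the SCP protecting GuardDuty and Config and the region allow-list are examples, not a recommended baseline).

```python
"""Toy model of an SCP that caps what any principal in a member account can
do, and an ABAC identity policy that grants access by matching a principal
tag to a resource tag. Added illustration only, not AWS's evaluation engine."""
from fnmatch import fnmatchcase

# --- Constructed sample policies (not taken from any real account) ----------

# SCP attached at the organization root: allow everything, then deny
# tampering with the security tooling and any API call outside approved regions.
SCP_BASELINE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["guardduty:DeleteDetector", "config:StopConfigurationRecorder"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringNotEquals": {
             "aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}},
    ],
}

# A member account's root user behaves like an allow-all identity policy.
ROOT_USER_POLICY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# ABAC: one policy serves every team, because the team name comes from tags.
ABAC_TEAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resolve(value, ctx):
    """Expand a policy variable such as ${aws:PrincipalTag/team} from the request context."""
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [_resolve(v, ctx) for v in _as_list(expected)]
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators match when the key is absent from the request.
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate_policy(policy, action, ctx):
    """Return 'Allow', 'Deny', or None (implicit deny) for one policy document."""
    decision = None
    for statement in policy["Statement"]:
        if not any(fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(statement["Action"])):
            continue
        if not _condition_holds(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(action, ctx, scps, identity_policies):
    """Decision for a principal in a member account.

    SCPs set the ceiling: the request must be allowed by the SCPs at every
    level (root, OU, account), so a member account's root user is capped too.
    The management account is not restricted by SCPs and is not modelled here.
    Within the ceiling, an identity policy must still grant the call.
    """
    if any(evaluate_policy(scp, action, ctx) != "Allow" for scp in scps):
        return False
    decisions = [evaluate_policy(p, action, ctx) for p in identity_policies]
    return "Deny" not in decisions and "Allow" in decisions
```

The request context dict stands in for what IAM populates at evaluation time (`aws:RequestedRegion`, `aws:PrincipalTag/...`, `aws:ResourceTag/...`). Note the asymmetry the model preserves: a Deny in an SCP overrides even a root user's implicit full access, while an SCP Allow grants nothing on its own.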

3. Continuous Compliance & Inspection

  • AWS Config & Aggregators: Tracking resource changes and compliance status across the entire organization.
  • AWS Security Hub & Amazon GuardDuty: Centralizing threat detection and security alerts into a single “Security Account” for the SOC team.
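To make the inspection layer concrete, the following added example (not code from this site, and not the AWS Config SDK or rule runtime) shows the kind of logic a custom Config rule applies to a configuration item, a change-triggered re-evaluation, and the per-account roll-up a Config aggregator gives the security account. The configuration items, account IDs and rule names are constructed, and the item layout is simplified rather than the exact AWS Config item schema.

```python
"""Toy model of continuous compliance: rule logic over configuration items,
change-triggered re-evaluation, and an aggregator-style roll-up by account.
Added illustration only; item fields are simplified, not the AWS Config schema."""

# Constructed configuration items from two member accounts (placeholder IDs).
CONFIG_ITEMS = [
    {"accountId": "111111111111", "awsRegion": "eu-west-1",
     "resourceType": "AWS::S3::Bucket", "resourceId": "payments-data",
     "configuration": {"defaultEncryption": "aws:kms"}},
    {"accountId": "222222222222", "awsRegion": "us-east-1",
     "resourceType": "AWS::S3::Bucket", "resourceId": "legacy-logs",
     "configuration": {"defaultEncryption": None}},
    {"accountId": "111111111111", "awsRegion": "eu-west-1",
     "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0internal",
     "configuration": {"ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipv4Ranges": ["10.0.0.0/8"]}]}},
    {"accountId": "222222222222", "awsRegion": "us-east-1",
     "resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0bastion",
     "configuration": {"ipPermissions": [
         {"fromPort": 22, "toPort": 22, "ipv4Ranges": ["0.0.0.0/0"]}]}},
]


def rule_s3_default_encryption(item):
    """Bucket must have default server-side encryption configured."""
    enc = item["configuration"].get("defaultEncryption")
    return "COMPLIANT" if enc in ("AES256", "aws:kms") else "NON_COMPLIANT"


def rule_sg_no_open_ssh(item):
    """No ingress rule may expose TCP/22 to the whole internet."""
    for perm in item["configuration"].get("ipPermissions", []):
        if perm["fromPort"] <= 22 <= perm["toPort"] and "0.0.0.0/0" in perm["ipv4Ranges"]:
            return "NON_COMPLIANT"
    return "COMPLIANT"


# Which rules apply to which resource type (rule names are constructed).
RULES = {
    "AWS::S3::Bucket": [("s3-default-encryption", rule_s3_default_encryption)],
    "AWS::EC2::SecurityGroup": [("sg-no-open-ssh", rule_sg_no_open_ssh)],
}


def evaluate(items):
    """Run every applicable rule over every item; one result per (item, rule)."""
    results = []
    for item in items:
        for rule_name, rule in RULES.get(item["resourceType"], []):
            results.append({
                "accountId": item["accountId"], "awsRegion": item["awsRegion"],
                "resourceId": item["resourceId"], "rule": rule_name,
                "compliance": rule(item)})
    return results


def changed_items(previous, current):
    """Change-triggered evaluation: only items whose configuration differs
    from the last recorded snapshot need to be re-evaluated."""
    key = lambda i: (i["accountId"], i["awsRegion"], i["resourceId"])
    prev = {key(i): i["configuration"] for i in previous}
    return [i for i in current if prev.get(key(i)) != i["configuration"]]


def aggregate_by_account(results):
    """The organization-wide view an aggregator gives the security account."""
    summary = {}
    for r in results:
        counts = summary.setdefault(r["accountId"], {"COMPLIANT": 0, "NON_COMPLIANT": 0})
        counts[r["compliance"]] += 1
    return summary


def noncompliant_resources(results):
    """Sorted (account, region, resource, rule) tuples needing remediation."""
    return sorted((r["accountId"], r["awsRegion"], r["resourceId"], r["rule"])
                  for r in results if r["compliance"] == "NON_COMPLIANT")
```

In a real landing zone the rule functions run inside the Config rule's Lambda, the aggregator is created in the security account with the organization as its source, and the `NON_COMPLIANT` list is what feeds Security Hub findings and remediation automation.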

📚 Key Decision Pillars (Deep Dives)

These pillars provide the technical depth required for the most difficult Governance scenarios:
