While preparing for the AWS SAP-C02, many candidates get confused by cross-account resource sharing and migration. In the real world, this is fundamentally a decision about balancing downtime minimization with operational complexity and cost control. Let’s drill into a simulated scenario.
The Scenario
A mid-sized retailer, Acme Retail, operates a mission-critical inventory tracking application deployed in their AWS account named “LegacyAccount.” This application uses AWS Lambda to process real-time events and stores inventory metadata in an Amazon Aurora PostgreSQL cluster. The Lambda functions are deployed as ZIP archives packaged outside the AWS Console. The Aurora cluster is configured with automated backups and daily snapshots.
Acme Retail is restructuring and needs to migrate the entire application stack — both Lambda functions and the Aurora database — into a newly created AWS account called “NewAccount.” The application handles sensitive inventory records, so minimizing downtime during the migration is paramount to keep store operations seamless.
Key Requirements
- Migrate both the Lambda functions and Aurora cluster from LegacyAccount to NewAccount with minimal downtime.
- Maintain strict security controls; only authorized accounts should access database snapshots or clone clusters.
- Use AWS best practices to reduce operational overhead and avoid costly prolonged outages.
- Consider the options carefully with regard to cross-account sharing capabilities and the ability to clone or copy database snapshots.
The Options
- A) Download the Lambda deployment package from LegacyAccount and create new Lambda functions manually in NewAccount. Share the Aurora cluster’s automated snapshots with NewAccount and restore from snapshot to create the Aurora cluster there.
- B) Download the Lambda deployment package from LegacyAccount and create new Lambda functions in NewAccount. Use AWS Resource Access Manager (AWS RAM) to share the Aurora cluster with NewAccount, granting it permissions to clone the Aurora cluster directly.
- C) Use AWS RAM to share both the Lambda functions and Aurora cluster with NewAccount, granting permissions for NewAccount to clone the Aurora cluster.
- D) Use AWS RAM to share Lambda functions with NewAccount and share the Aurora cluster’s automated snapshots with NewAccount for restoration there.
Correct Answer
Option B.
Step-by-Step Winning Logic
Option B strikes the best balance between minimal downtime, security, and operational efficiency. Using AWS Resource Access Manager (RAM) to share the Aurora cluster allows the target account to clone the database cluster natively. Cluster cloning is significantly faster than restoring from snapshots and incurs less downtime — a critical factor for a mission-critical inventory system.
Downloading the Lambda function deployment package and manually re-creating the function in the target account offers full control over code and versioning without introducing unsupported sharing mechanisms. AWS RAM does not support sharing Lambda functions directly, so attempts to share the function via RAM (Options C and D) are not feasible.
Sharing only snapshots (Option A) forces a snapshot restore method that can take longer and result in longer outage windows. Moreover, snapshot sharing requires careful IAM and KMS setup to ensure secure access. Option B streamlines this by allowing cloning with proper cross-account permissions granted via RAM.
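The database half of Option B as boto3 calls, added here as an example (not code from the original page): LegacyAccount shares the cluster with a single principal, and NewAccount accepts only the matching invitation before cloning. Account IDs, ARNs, names and the instance class are constructed placeholders, and the three function names are hypothetical.

```python
"""Option B's database path as boto3 calls (added example, not the page's code).

Account IDs, ARNs and names are constructed placeholders. ram_src is a boto3
"ram" client in LegacyAccount; ram_dst / rds_dst are "ram" / "rds" clients in
NewAccount. Pagination of invitations is omitted.
"""
SRC_ACCOUNT = "111111111111"  # LegacyAccount (placeholder)
DST_ACCOUNT = "222222222222"  # NewAccount (placeholder)
CLUSTER_ARN = f"arn:aws:rds:us-east-1:{SRC_ACCOUNT}:cluster:inventory-aurora"


def share_cluster(ram_src, cluster_arn, dst_account, name="inventory-aurora"):
    """LegacyAccount: share the cluster with exactly one principal."""
    resp = ram_src.create_resource_share(
        name=name, resourceArns=[cluster_arn], principals=[dst_account])
    return resp["resourceShare"]["resourceShareArn"]


def accept_share(ram_dst, share_arn, src_account):
    """NewAccount: accept only the pending invitation for the expected share
    from the expected sender; every other invitation is left untouched."""
    resp = ram_dst.get_resource_share_invitations()
    for inv in resp["resourceShareInvitations"]:
        if (inv["status"] == "PENDING"
                and inv["resourceShareArn"] == share_arn
                and inv["senderAccountId"] == src_account):
            ram_dst.accept_resource_share_invitation(
                resourceShareInvitationArn=inv["resourceShareInvitationArn"])
            return True
    return False  # nothing matched (or no invitation was needed)


def clone_cluster(rds_dst, cluster_arn, clone_id, instance_class, kms_key_id=None):
    """NewAccount: copy-on-write clone of the shared cluster, plus one instance."""
    params = {
        "DBClusterIdentifier": clone_id,
        "SourceDBClusterIdentifier": cluster_arn,  # ARN, since the source is cross-account
        "RestoreType": "copy-on-write",            # clone rather than full restore
        "UseLatestRestorableTime": True,
    }
    if kms_key_id:  # KMS key for the clone when the source cluster is encrypted
        params["KmsKeyId"] = kms_key_id
    rds_dst.restore_db_cluster_to_point_in_time(**params)
    rds_dst.create_db_instance(  # a restored cluster has no instances yet
        DBInstanceIdentifier=f"{clone_id}-1",
        DBClusterIdentifier=clone_id,
        DBInstanceClass=instance_class,
        Engine="aurora-postgresql",
    )
    return clone_id
```

With real clients, build `ram_src` from a LegacyAccount session and `ram_dst` / `rds_dst` from a NewAccount session, then call the three functions in order.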
💎 Professional-Level Analysis
This section breaks down the scenario from a professional exam perspective, focusing on constraints, trade-offs, and the decision signals used to eliminate incorrect options.
🔐 Expert Deep Dive: Why Options Fail
This walkthrough explains how the exam expects you to reason through the scenario step by step, highlighting the constraints and trade-offs that invalidate each incorrect option.
🔐 The Traps (Distractor Analysis)
This section explains why each incorrect option looks reasonable at first glance, and the specific assumptions or constraints that ultimately make it fail.
The difference between the correct answer and the distractors comes down to one decision assumption most candidates overlook.
- Why not A?
  Snapshot share-and-restore can be slow, increasing downtime. It also requires careful key policy and snapshot permission management. Downtime risk is higher.
- Why not C?
  Lambda functions cannot be shared through AWS RAM, so this option is invalid. The database sharing is also unnecessary here since Option B covers it efficiently.
- Why not D?
  Attempts to share Lambda via AWS RAM are not supported. Sharing snapshots only (without cluster clone permissions) means longer recovery and downtime.
🔐 The Solution Blueprint
This blueprint visualizes the expected solution, showing how services interact and which architectural pattern the exam is testing.
Seeing the full solution end to end often makes the trade-offs—and the failure points of simpler options—immediately clear.
graph TD
LegacyAccount_Lambda[Legacy Account: Download Lambda deployment package] --> NewAccount_Lambda[Create Lambda function in New Account]
LegacyAccount_DB[Aurora cluster in Legacy Account] --- AWS_RAM[Share Aurora cluster via AWS RAM]
AWS_RAM --> NewAccount_DB[New Account clones Aurora cluster from shared source]
NewAccount_Lambda --> NewAccount_App[Application in New Account]
NewAccount_DB --> NewAccount_App
Diagram Note: This diagram shows manually migrating Lambda via deployment package and using AWS RAM to share and clone the Aurora cluster with minimal downtime.
🔐 Real-World Practitioner Insight
This section connects the exam scenario to real production environments, highlighting how similar decisions are made—and often misjudged—in practice.
This is the kind of decision that frequently looks correct on paper, but creates long-term friction once deployed in production.
Exam Rule
For the AWS SAP-C02 exam, always prefer AWS RAM Aurora cluster sharing and cloning when migrating cross-account to minimize downtime and operational complexity.
Real World
In real enterprise settings, teams might combine this native cloning with a blue-green deployment strategy for Lambdas, or introduce incremental data replication for zero downtime migrations. Other constraints like compliance, network architecture, or data residency may influence migration designs beyond the exam’s scope.