Cloud Governance & Organization Scenarios #
Category Overview #
Governance scenarios represent approximately 15-20% of SAP-C02 exam content, appearing across multiple domains including security, cost optimization, and operational excellence. These questions test your ability to design and implement enterprise-scale governance architectures that balance centralized control with operational flexibility.
The exam assumes you are architecting for organizations with dozens to hundreds of AWS accounts, multiple business units, varying compliance requirements, and complex organizational structures. Single-account thinking will lead to incorrect answers—SAP-C02 governance questions require multi-account architectural reasoning.
Core Decision Pillars #
These governance scenarios are primarily tested through the following architectural decision pillars:
- AWS Organizations & SCP Governance
  → When SAP-C02 requires preventive, organization-wide control
  👉 /aws/sap/governance-multi-account-scp-logic/
- Control Tower & Landing Zone Automation
  → When rapid, standardized governance is required
  👉 /aws/sap/governance-control-tower-automation/
Why Governance Dominates SAP-C02 #
AWS Solutions Architect Professional certification validates enterprise architecture skills. In enterprise environments, governance is not optional—it is foundational. Organizations without effective governance face security incidents, compliance failures, cost overruns, and operational chaos.
The exam tests governance because:
Scale creates complexity. Managing permissions, compliance, and cost across hundreds of accounts requires architectural patterns that do not exist in single-account environments. SCPs, Control Tower, and organizational design become essential tools.
Compliance is non-negotiable. Regulated industries require demonstrable controls that auditors can verify. The exam tests whether you understand which AWS mechanisms provide auditable, enforceable governance versus those that rely on trust or manual processes.
Mergers and acquisitions are common. Enterprise architects frequently face scenarios where governance must be rapidly extended to newly acquired AWS environments. The exam tests patterns for establishing immediate control without disrupting existing workloads.
Delegation requires boundaries. Large organizations delegate AWS administration to multiple teams while maintaining central oversight. The exam tests your understanding of how to enable delegation without sacrificing governance.
Core Governance Services #
AWS Organizations #
AWS Organizations provides the foundation for multi-account governance. Every governance scenario in SAP-C02 assumes Organizations is in place. Key architectural concepts include:
Organizational Units (OUs) provide hierarchical grouping for accounts. OU design determines how policies are inherited and applied. Poor OU design leads to complex, hard-to-maintain governance policies.
Service Control Policies (SCPs) establish permission boundaries that cannot be exceeded by any principal in affected accounts. SCPs are preventive controls—they stop actions before they occur.
Consolidated billing aggregates costs across all accounts, enabling volume discounts and centralized cost management. Governance scenarios often combine security requirements with cost optimization.
Delegated administrator allows specific member accounts to manage organization-wide services without requiring management account access. This pattern appears in scenarios involving security team responsibilities.
AWS Control Tower #
Control Tower provides managed governance for multi-account environments. SAP-C02 tests when Control Tower is appropriate versus custom governance implementations:
Landing zones establish pre-configured multi-account environments with baseline governance. Use Control Tower when standard patterns meet requirements and rapid deployment is prioritized.
Guardrails implement preventive controls (via SCPs) and detective controls (via Config rules). Control Tower distinguishes between mandatory, strongly recommended, and elective guardrails.
Account Factory provisions new accounts with consistent baseline configurations. Scenarios involving standardized account provisioning often point toward Control Tower solutions.
Customizations for Control Tower (CfCT) extends Control Tower with organization-specific requirements. Use when Control Tower’s baseline is appropriate but additional customization is needed.
AWS Config #
Config provides detective controls and compliance monitoring. While SCPs prevent actions, Config detects non-compliant states and can trigger remediation:
Config rules evaluate resource configurations against desired states. Rules can be AWS-managed or custom.
Conformance packs bundle related rules for specific compliance frameworks. Use when implementing standard compliance requirements like PCI-DSS or HIPAA.
Aggregators collect Config data across accounts and regions. Essential for organization-wide compliance visibility.
Remediation actions automatically correct non-compliant configurations. Combines with SCPs for comprehensive governance—SCPs prevent, Config detects and remediates.
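The detective side of "SCPs prevent, Config detects and remediates" is easiest to see in a custom Config rule. The following is an added example, not AWS-provided code or the page's own: it has the shape of a Lambda-backed custom rule (Config invokes the handler with an `invokingEvent` JSON string carrying the configuration item) and flags CloudTrail trails that are single-region or lack log file validation, but it returns the evaluation instead of calling `PutEvaluations` so it runs offline. The configuration items are constructed, and the camelCase field names (`isMultiRegionTrail`, `logFileValidationEnabled`, `kmsKeyId`) are an assumption about what Config records for `AWS::CloudTrail::Trail` that should be checked against a real item.

```python
"""Detective control as a custom AWS Config rule (added example, not AWS code).

Mirrors a Lambda-backed custom rule: Config passes an `invokingEvent` JSON string
holding the configurationItem; the rule classifies it and would normally report the
result with PutEvaluations. Here the evaluation is returned so the logic runs offline.
Configuration items are constructed; camelCase field names are assumed.
"""
import json

DELETED_STATES = ("ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded")


def evaluate_trail(item, params):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::CloudTrail::Trail":
        return "NOT_APPLICABLE", "rule scoped to CloudTrail trails"
    if item.get("configurationItemStatus") in DELETED_STATES:
        return "NOT_APPLICABLE", "resource no longer recorded"
    cfg = item.get("configuration") or {}
    findings = []
    if not cfg.get("isMultiRegionTrail"):
        findings.append("trail is single-region")
    if not cfg.get("logFileValidationEnabled"):
        findings.append("log file validation disabled")
    # Optional rule parameter (assumed name): require SSE-KMS on the trail's log files.
    if str(params.get("requireKmsKey", "false")).lower() == "true" and not cfg.get("kmsKeyId"):
        findings.append("trail logs are not KMS-encrypted")
    if findings:
        return "NON_COMPLIANT", "; ".join(findings)
    return "COMPLIANT", "trail meets logging baseline"


def lambda_handler(event, context=None):
    """Entry point in the form Config calls; returns the evaluation it would report."""
    invoking = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    item = invoking["configurationItem"]
    compliance, annotation = evaluate_trail(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    # In a deployed rule this goes back to Config with
    #   boto3.client("config").put_evaluations(Evaluations=[evaluation],
    #                                          ResultToken=event["resultToken"])
    # and an automatic remediation action is attached to NON_COMPLIANT results.
    return evaluation


def make_event(resource_id, configuration, params=None):
    """Build a constructed Config invocation event for local runs."""
    item = {
        "resourceType": "AWS::CloudTrail::Trail", "resourceId": resource_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "configuration": configuration,
    }
    invoking = {"configurationItem": item, "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(invoking),
            "ruleParameters": json.dumps(params or {}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    good = make_event("org-trail", {"isMultiRegionTrail": True, "logFileValidationEnabled": True,
                                    "kmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/placeholder"})
    bad = make_event("legacy-trail", {"isMultiRegionTrail": False, "logFileValidationEnabled": False},
                     {"requireKmsKey": "true"})
    print(lambda_handler(good)["ComplianceType"])  # COMPLIANT
    print(lambda_handler(bad)["Annotation"])       # three findings joined with "; "
```

Keeping `evaluate_trail` free of any AWS client call is deliberate: the classification logic can be unit-tested with constructed items, and only the thin `lambda_handler` wrapper touches Config's `PutEvaluations` and the remediation hook.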
AWS Service Catalog #
Service Catalog enables governed self-service provisioning. Scenarios involving developer enablement while maintaining governance often include Service Catalog:
Portfolios group related products and control access. Different teams can have access to different portfolios based on their requirements.
Products are CloudFormation templates that provision approved architectures. Developers can deploy without direct CloudFormation access.
Constraints limit how products can be configured. Launch constraints specify the IAM role used for provisioning, enabling least-privilege deployment.
TagOptions enforce consistent tagging during provisioning. Combines with SCP-based tag enforcement for comprehensive tagging governance.
Governance Decision Patterns #
Preventive vs Detective Controls #
SAP-C02 frequently tests the distinction between preventive and detective controls:
Preventive controls stop non-compliant actions before they occur. SCPs are the primary preventive mechanism at the organization level. IAM policies and permission boundaries provide preventive controls at the account level.
Detective controls identify non-compliant states after they occur. Config rules, CloudTrail analysis, and Security Hub findings are detective mechanisms.
The architectural principle: Use preventive controls for actions that must never occur. Use detective controls for configurations that should be compliant but may drift. Most governance architectures combine both.
Centralized vs Federated Governance #
Scenarios often present tension between central control and team autonomy:
Centralized governance provides consistency and simplifies compliance but can create bottlenecks and reduce agility. Appropriate for security-critical controls and organization-wide policies.
Federated governance enables team autonomy and faster iteration but requires trust and can lead to inconsistency. Appropriate for team-specific configurations within established boundaries.
The architectural pattern: Establish centralized boundaries (via SCPs) within which federated governance operates (via delegated IAM administration). This provides both control and flexibility.
Compliance Framework Mapping #
Enterprise scenarios often reference specific compliance frameworks:
PCI-DSS requires strict access controls, encryption, and audit logging. Scenarios may involve isolating cardholder data environments in dedicated accounts with restrictive SCPs.
HIPAA requires protected health information safeguards. Scenarios may involve region restrictions, encryption requirements, and access logging.
SOC 2 requires demonstrable controls for security, availability, and confidentiality. Scenarios may involve Control Tower guardrails and Config conformance packs.
GDPR requires data protection and privacy controls. Scenarios may involve region restrictions for EU data and data lifecycle management.
The exam tests whether you can map compliance requirements to appropriate AWS governance mechanisms.
Common Scenario Patterns #
Pattern: Rapid Governance for Acquired Accounts #
Scenario: Company acquires another organization with existing AWS accounts. Security team must establish governance immediately without disrupting workloads.
Solution approach: Invite acquired accounts to AWS Organizations. Apply SCPs at the organizational root or dedicated OU to establish immediate boundaries. Use Config rules to assess current compliance state. Remediate over time without blocking existing operations.
Key insight: SCPs provide immediate preventive control without requiring changes to existing IAM policies. This enables “day one governance” for acquisitions.
Pattern: Developer Enablement with Guardrails #
Scenario: Development teams need autonomy to experiment and iterate quickly. Security team must ensure experiments cannot affect production or violate compliance requirements.
Solution approach: Create sandbox OU with permissive SCPs but strict boundaries (region restrictions, service limitations, spending limits). Use Service Catalog for production deployments with approved architectures. Implement Config rules for detective monitoring.
Key insight: Governance should enable rather than block. Sandbox environments with appropriate boundaries allow experimentation without risk.
Pattern: Multi-Business-Unit Compliance #
Scenario: Organization has multiple business units with different compliance requirements. Some units handle regulated data, others do not.
Solution approach: Design OU hierarchy based on compliance requirements. Apply restrictive SCPs to regulated OUs, permissive SCPs to non-regulated OUs. Use Config conformance packs appropriate to each unit’s requirements.
Key insight: OU design should reflect governance requirements, not organizational charts. Accounts should be placed based on their compliance needs.
Pattern: Security Service Protection #
Scenario: Security team must ensure CloudTrail, GuardDuty, and Config cannot be disabled by account administrators.
Solution approach: Apply SCPs that deny actions like cloudtrail:StopLogging, guardduty:DeleteDetector, and config:StopConfigurationRecorder. Apply them at the root or a high-level OU to affect all accounts. Place the security team's account in an OU that is not covered by these restrictions if that team needs to manage the services.
Key insight: SCPs protect security services from insider threats and compromised credentials. This is a common pattern in regulated environments.
Pattern: Cost Governance #
Scenario: Organization must prevent unexpected costs from expensive services or unapproved regions.
Solution approach: Apply SCPs that deny expensive services (large EC2 instance types, certain database configurations) in non-production OUs. Implement region restrictions to prevent resource creation in unapproved regions. Use AWS Budgets with actions for reactive cost control.
Key insight: Cost governance combines preventive controls (SCPs) with detective controls (Budgets, Cost Explorer) and reactive controls (Budget actions).
Exam Preparation Focus Areas #
OU Hierarchy Design #
Expect scenarios that present organizational structures and ask about appropriate OU design. Practice identifying whether OUs should be organized by:
- Environment type (production, development, sandbox)
- Business unit or team
- Compliance requirement
- Geographic region
- Application or workload
The correct answer depends on the governance requirements presented in the scenario.
SCP Inheritance and Effective Permissions #
Expect scenarios that present OU hierarchies with multiple SCPs and ask about effective permissions. Practice tracing SCP inheritance from root to account and identifying the intersection of all applicable policies.
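The tracing described here, together with the Security Service Protection, Cost Governance (region restriction) and Developer Enablement (sandbox limits) patterns above, can be worked through with a small evaluator. The following is an added example, not AWS tooling or the page's own code: it encodes the rule that a request passes only if, at every level from the root down to the account, some attached SCP allows it and no attached SCP denies it, and it reports which level blocked the request. The account IDs, OU names and policy documents are constructed; the evaluator supports only `Action`/`NotAction`, `Resource` globs and the `String(Not)Equals`/`String(Not)Like` condition operators used here.

```python
"""SCP inheritance tracer (added example, not AWS tooling). Models the rule that a
request passes only if, at EVERY level from root to account, an attached SCP allows
it and none denies it. Account IDs, OU names and policy documents are constructed."""
import fnmatch

# AWS-managed default SCP; attached everywhere so only explicit Deny statements narrow access.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# "Security Service Protection": attached to the Workloads OU only, so the sibling
# Security OU keeps the ability to manage these services.
PROTECT_SECURITY_SERVICES = {"Statement": [{
    "Sid": "DenyDisablingSecurityTooling", "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "guardduty:DeleteDetector", "config:StopConfigurationRecorder"]}]}

# "Cost Governance": region restriction at the root; NotAction exempts global services.
RESTRICT_REGIONS = {"Statement": [{
    "Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "budgets:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

# "Developer Enablement": the Sandbox OU may only launch small instance types.
LIMIT_INSTANCE_TYPES = {"Statement": [{
    "Sid": "DenyLargeInstancesInSandbox", "Effect": "Deny", "Resource": "*",
    "Action": "ec2:RunInstances",
    "Condition": {"StringNotLike": {"ec2:InstanceType": ["t3.*", "t4g.*"]}}}]}

# Constructed hierarchy: Root -> {Security, Workloads -> {Prod, Sandbox}} -> accounts.
PARENT = {"Security": "Root", "Workloads": "Root", "Prod": "Workloads", "Sandbox": "Workloads",
          "111111111111": "Security", "222222222222": "Prod", "333333333333": "Sandbox"}
ATTACHED = {
    "Root": [FULL_AWS_ACCESS, RESTRICT_REGIONS], "Security": [FULL_AWS_ACCESS],
    "Workloads": [FULL_AWS_ACCESS, PROTECT_SECURITY_SERVICES], "Prod": [FULL_AWS_ACCESS],
    "Sandbox": [FULL_AWS_ACCESS, LIMIT_INSTANCE_TYPES], "111111111111": [FULL_AWS_ACCESS],
    "222222222222": [FULL_AWS_ACCESS], "333333333333": [FULL_AWS_ACCESS],
}


def path_from_root(account):
    """Inheritance path, e.g. ['Root', 'Workloads', 'Sandbox', '333333333333']."""
    path = [account]
    while path[-1] in PARENT:
        path.append(PARENT[path[-1]])
    return path[::-1]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    # IAM action names are case-insensitive; wildcards follow shell-style globbing.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """String(Not)Equals / String(Not)Like over a flat request-context dict."""
    for operator, pairs in condition.items():
        negated, like = "Not" in operator, operator.endswith("Like")
        for key, patterns in pairs.items():
            value, pats = ctx.get(key), _as_list(patterns)
            if value is None:
                hit = negated  # negated operators are satisfied when the key is absent
            else:
                matched = any(fnmatch.fnmatchcase(value, p) for p in pats) if like else value in pats
                hit = matched != negated
            if not hit:
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "Action" in stmt:
        action_ok = _glob_any(action, stmt["Action"])
    else:
        action_ok = not _glob_any(action, stmt["NotAction"])  # NotAction: everything except these
    return (action_ok and _glob_any(resource, stmt.get("Resource", "*"))
            and _condition_holds(stmt.get("Condition", {}), ctx))


def _level_allows(scps, action, resource, ctx):
    """One hierarchy level: needs a matching Allow and no matching Deny."""
    allowed = denied = False
    for scp in scps:
        for stmt in scp["Statement"]:
            if _statement_applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    denied = True
                else:
                    allowed = True
    return allowed and not denied


def is_permitted(account, action, resource="*", ctx=None):
    """Return (permitted, blocking_level); blocking_level names the first level that rejects."""
    ctx = ctx or {}
    for level in path_from_root(account):
        if not _level_allows(ATTACHED[level], action, resource, ctx):
            return False, level
    return True, None


if __name__ == "__main__":
    ue1 = {"aws:RequestedRegion": "us-east-1"}
    print(is_permitted("222222222222", "cloudtrail:StopLogging", ctx=ue1))  # (False, 'Workloads')
    print(is_permitted("111111111111", "cloudtrail:StopLogging", ctx=ue1))  # (True, None)
    print(is_permitted("222222222222", "iam:CreateRole", ctx={"aws:RequestedRegion": "ap-southeast-2"}))  # (True, None)
```

Two exam-relevant behaviours fall out of the model: the Prod account is blocked by the Workloads OU's SCP even though the account itself carries only FullAWSAccess, while the Security account, sitting in a sibling OU, is not; and the `NotAction` exemption is what keeps global services such as IAM usable under a region-restriction SCP. Note that SCPs never grant permissions, so a `(True, None)` result still requires an IAM policy in the account to allow the action.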
Control Tower vs Custom Governance #
Expect scenarios that present governance requirements and ask whether Control Tower or custom implementation is appropriate. Control Tower is appropriate when:
- Standard governance patterns meet requirements
- Rapid deployment is prioritized
- Organization can adopt Control Tower’s landing zone design
Custom implementation is appropriate when:
- Requirements exceed Control Tower’s capabilities
- Existing organizational structure cannot accommodate Control Tower
- Highly specific compliance requirements exist
Integration Patterns #
Expect scenarios that require combining multiple governance services. Practice identifying when to use:
- SCPs + Config rules (preventive + detective)
- Control Tower + CfCT (managed + customized)
- Service Catalog + SCPs (governed provisioning + boundaries)
- Organizations + RAM (multi-account + resource sharing)
Related Pillar Articles #
This category connects to detailed pillar articles covering specific governance topics:
- AWS Organizations & SCP Governance - Deep dive into SCP decision logic, inheritance patterns, and common exam traps
- Control Tower Architecture Patterns - When to use Control Tower, customization approaches, and landing zone design
- Config Rules and Compliance Automation - Detective controls, conformance packs, and remediation patterns
- Multi-Account Cost Governance - Cost allocation, budgets, and financial governance patterns
Category Summary #
Governance scenarios in SAP-C02 test enterprise-scale architectural thinking. Success requires understanding:
- SCPs establish boundaries that cannot be exceeded regardless of IAM policies
- OU design determines governance scope and should reflect compliance requirements
- Preventive and detective controls are complementary and most architectures need both
- Control Tower provides managed governance appropriate for standard requirements
- Governance should enable, not just restrict, by providing safe paths for teams to operate
Approach governance questions by first identifying the core requirement (preventive vs detective, centralized vs federated, compliance-driven vs operational), then selecting the mechanism that addresses that requirement with appropriate scope and minimal operational friction.