A critical analysis of SCP inheritance and policy evaluation logic in AWS Organizations, focusing on the explicit deny requirement to override default FullAWSAccess permissions.
A foundational analysis of ALB redirect rules vs. alternative approaches to enforce HTTPS traffic, examining why native load balancer features trump complex network-layer solutions for this common security requirement.
How do you enforce centralized procurement controls across a multi-account AWS Organization while maintaining least-privilege access? This drill explores SCP design patterns, role naming protection, and the critical difference between account-level and organization-level governance.
Comparing streaming ingestion (Kinesis) vs. batch processing (EMR) for 30 TB of daily clickstream data, focusing on latency, cost, and operational simplicity.
How do you automate VPC connectivity across dozens of AWS accounts while minimizing operational overhead? This drill explores the critical decision between centralized Transit Gateway sharing via AWS RAM versus distributed deployment patterns, and why CloudFormation StackSets are essential for scale.
A healthcare analytics startup needs to run mission-critical containerized workloads with minimal infrastructure overhead. This drill explores the spectrum from self-managed Docker to fully serverless ECS/Fargate, analyzing the infrastructure abstraction continuum.
When compliance tooling spans multiple AWS accounts, accurate cost allocation requires activated cost allocation tags at the management account level, combined with CUR tag-based filtering—not Trusted Advisor or member-account-only activation.
A social media platform needs automated image moderation with minimal development effort. This drill compares AWS AI services (Rekognition, Comprehend, SageMaker) and analyzes the classic ‘build vs. buy’ decision for content safety systems.
A digital marketing firm must build an efficient, scalable domain redirection service with multiple domain names, minimizing ops overhead while supporting HTTP and HTTPS. This drill clarifies the best design pattern and FinOps considerations.
A critical analysis of API Gateway custom domain configuration, focusing on the regional vs. edge-optimized endpoint decision and the often-overlooked ACM certificate region requirement that trips up SAA candidates.