Cloud/ AWS / AWS Certified Solutions Architect โ€” Professional (SAP-C02) / SAP-C02 Cost & Governance: Enterprise FinOps and Exam Strategy

AWS Amazon Web Services Professional Step 5 of 5 106 guides ยท updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 5 โ€” Cost & Governance

Hereโ€™s a question worth sitting with before you open the exam guide: who in your organization actually knows what a single feature costs, once its compute spans four accounts, three Regions, and a shared RDS cluster billed to a fifth account entirely? At small scale, cost tracking is a spreadsheet. At the scale this exam assumes โ€” dozens to hundreds of linked accounts โ€” cost visibility has to be engineered as deliberately as the workload itself. This closing step covers that engineering, plus a candid look at how the exam itself is structured so your last few days of prep go toward the right things.


Cost Allocation That Survives an Org of 200 Accounts

Tags are the raw material of cost attribution, but tags alone donโ€™t answer โ€œhow much did the Payments product line cost us last quarterโ€ when Payments spans twelve accounts and shares a networking bill with four other product lines. AWS Organizations gives you three tools that build on each other rather than compete:

ToolQuestion It AnswersGranularity
Cost Allocation TagsWhat did this specific resource cost?Per resource
Cost CategoriesWhat did this business dimension cost, aggregated across accounts, tags, and services?Custom-defined rules, org-wide
AWS Budgets + Anomaly DetectionAre we about to exceed a threshold, or does spend look statistically unusual?Account, tag, category, or service level

Cost Categories is the one Associate-level material never covers and Professional-level scenarios lean on constantly. It lets you define rules โ€” โ€œany account in the Payments OU, or any resource tagged product:payments, belongs to the Payments categoryโ€ โ€” and then Cost Explorer and Cost and Usage Reports can group by that category regardless of which account or which tag actually produced the spend. This solves the shared-cost problem: a shared Transit Gateway or a shared RDS cluster can be split by a percentage rule across categories, so โ€œwhat did Payments really cost including its share of shared infrastructureโ€ has an actual answer instead of a shrug.

Anomaly Detection matters at this scale because a human staring at a dashboard cannot catch a 40,000/monthspendspikeburiedinsidea40,000/month spend spike buried inside a 2 million/month total bill. It builds a spend baseline per service/account/category and alerts when actual spend deviates from the expected pattern โ€” this is the tested contrast against a static AWS Budget, which only tells you when youโ€™ve crossed a fixed number you chose in advance. A scenario describing โ€œcatch unexpected spend increases before they show up on the monthly bill, without setting a fixed thresholdโ€ is describing Anomaly Detection specifically, not Budgets.


Savings Plans and Reserved Instance Portfolio Management

At Associate level, Reserved Instances and Savings Plans are things you buy for a workload. At Professional level, theyโ€™re a portfolio you manage across an entire Organization, and the central lever is consolidated billing combined with Savings Plans/RI sharing.

Management Account (purchases Compute Savings Plan)
โ”‚
โ”‚ discount automatically applies across the whole Organization
โ”‚
โ”Œโ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ โ”‚ โ”‚ โ”‚
Account A Account B Account C Account D
(EC2) (Fargate) (Lambda) (unused EC2 capacity
still gets the discount
applied to on-demand usage)

Because commitment-based discounts apply at the Organization payer level by default, a Compute Savings Plan purchased once in the management account discounts eligible usage anywhere in the Org โ€” you donโ€™t buy a separate plan per account. This is the mechanism behind portfolio-level cost governance: a central FinOps function purchases commitments based on aggregate historical usage across the whole estate, rather than every team independently guessing at their own future usage and under- or over-committing.

The decision between Savings Plans and Reserved Instances comes down to flexibility versus specificity:

FactorReserved InstancesCompute Savings Plans
Applies across instance familiesNo (Standard RIs are family-locked; Convertible RIs allow exchange)Yes, automatically
Applies across compute types (EC2/Fargate/Lambda)NoYes
Marketplace resale if unusedYes, for Standard RIsNo
Best fitStable, unchanging workload footprint youโ€™re certain aboutEstate with evolving instance types, mixed compute across EC2/Fargate/Lambda

A mature portfolio typically ladders commitment terms โ€” some 1-year, some 3-year, staggered rather than purchased all at once โ€” so the organization isnโ€™t fully locked in at a single point in time and can adjust as workload patterns shift. Exam scenarios describing โ€œusage patterns are still evolvingโ€ or โ€œworkloads span EC2, Fargate, and Lambdaโ€ point toward Compute Savings Plans; scenarios describing โ€œstable workload, want to resell excess capacity if requirements changeโ€ point toward Standard Reserved Instances specifically, because that resale option doesnโ€™t exist for Savings Plans.


Enforcing Tagging at Scale

A tagging strategy that exists only as a wiki page gets ignored within a quarter. The tested enforcement mechanisms build in layers:

Layer 1 โ€” Prevent untagged resources from being created at all
SCP: deny ec2:RunInstances unless request includes tag "cost-center"
Layer 2 โ€” Detect resources that slipped through anyway
AWS Config rule: required-tags, flags non-compliant resources
Layer 3 โ€” Standardize the tag vocabulary itself
Tag Policies (Organizations): defines allowed keys/values,
prevents "Cost-Center" vs "costcenter" vs "CostCtr" drift

Tag Policies solve a subtler problem than the SCP layer does โ€” even with a hard requirement to tag everything, without a Tag Policy you end up with a dozen inconsistent spellings of the same conceptual tag, each of which Cost Explorer treats as a separate value. The exam sometimes frames this as โ€œcost reports show fragmented, inconsistent categories despite mandatory taggingโ€ โ€” thatโ€™s the signature of missing Tag Policies, not missing SCPs. You need both: the SCP forces a tag to exist, the Tag Policy forces it to be spelled consistently.


SAP-C02 Exam Domains and Realistic Weighting

The exam blueprint groups questions into four domains. Treat these percentages as directional, not exact โ€” AWS updates them periodically, but the relative emphasis has held roughly steady across recent exam versions:

DomainApprox. WeightCore Territory
Design for Organizational Complexity~12%Multi-account strategy, Organizations, Control Tower, governance
Design for New Solutions~30%Greenfield architecture across compute, data, networking, and application design
Continuous Improvement for Existing Solutions~26%Well-Architected reviews, cost/performance/operational optimization, modernization
Migration Planning~20%The 7 Rs, migration tooling, hybrid connectivity

Notice cost and governance arenโ€™t a standalone domain โ€” theyโ€™re woven through all four, which is exactly why this step exists as a synthesis rather than an isolated topic. A migration question can just as easily be graded on whether your answer accounts for Reserved Instance implications as on whether you picked the right migration tool.


Study Tips and Common Traps at This Level

The single biggest adjustment coming from Associate-level prep: stop looking for the โ€œcorrectโ€ service and start looking for the โ€œbest fit given every stated constraint,โ€ because Professional-level questions are deliberately written so that two or three answer choices are technically valid AWS architectures โ€” the wrong ones just violate a constraint buried in the second sentence of the scenario (a compliance requirement, a stated budget ceiling, an existing tooling investment, a stated RTO/RPO).

A few traps worth naming directly because they recur across practice exams and real sittings:

Budget your final study days toward scenario practice over flashcard memorization โ€” this exam rewards pattern recognition across long scenario paragraphs far more than recall of individual service facts, and that skill only builds by working through full-length scenarios under time pressure, not by re-reading service documentation one more time.


Exam Focus: What Questions Test From This Step