How to Pass the AWS Solutions Architect Professional Certification Like a Real Pro

Imagine this: after months of studying, practice exams, and a few moments of doubt, you finally hit that submit button. Then the screen flashes with the words you’ve been waiting for:

“Congratulations, you have passed the AWS Certified Solutions Architect – Professional.” 🎉

That was me not long ago, and let me tell you, the feeling was just like finishing a big meal after hours in the kitchen. Full of relief, pride, and maybe even a little exhaustion.

This certification is no small feat. It’s all about mastering:

🌐 Designing complex architectures on AWS
🔒 Security, compliance & governance at scale
⚙️ Cost, performance & resilience optimization
🛠️ Migration & modernization of workloads
📊 Balancing trade-offs for real business needs

But here’s the thing: passing the exam isn’t just about memorizing questions. It’s about really understanding how AWS works at scale. And for me, two topics stood out more than anything else:

✅ Service Control Policies (SCPs) – the guardrails that keep your AWS accounts safe and consistent.
✅ Migrations – the strategies that help move workloads to AWS without breaking the business.

In this article, I’ll share my insights on these two areas. I’ll keep it simple, using real-world analogies and examples that you can actually apply, because I know many of you are learning AWS as a second language, or maybe just getting started in the cloud. And if you’re already an expert, consider this a refreshing walk-through with a new perspective.

Service Control Policies (SCPs) – The Technical Part

Alright, let’s break down what AWS documentation says about Service Control Policies (SCPs) in a way that’s easier to digest:

Part of AWS Organizations

  • SCPs live inside AWS Organizations, which is the service you use to manage multiple AWS accounts in one place.
  • Important: SCPs only work if you enable “all features”. If you only have consolidated billing, SCPs won’t be available.

SCPs Do Not Grant Permissions

  • This is the most important thing: SCPs don’t give access. A principal with no IAM permissions still has no permissions, no matter how permissive the SCP is.
  • They define the maximum permissions available to any principal in the account; IAM (an identity policy or a resource policy) still has to grant the permission inside that boundary.
  • Example: if IAM says “yes” but SCP says “no,” the result is no. If SCP says “yes” but IAM says nothing, the result is still no.

Hierarchy and Inheritance

  • SCPs can be attached at the root, to Organizational Units (OUs), or to individual accounts.
  • Rules flow downward: a root SCP impacts everything; OU SCPs impact all accounts inside that OU, including nested OUs.
  • Effective permissions are the intersection of the SCPs at every level on the path (root, each OU, the account) and the IAM policies. For an action to work it must be allowed by an SCP at every level, not explicitly denied at any level, and then granted by IAM.

Allow List vs Deny List

  • Allow List (deny by default): You remove the FullAWSAccess policy and attach SCPs that explicitly allow only the services and actions you want. Everything else is implicitly denied. Very strict, lots of overhead: every new service means a policy change.
  • Deny List (allow by default): You keep FullAWSAccess and add SCPs with explicit Deny statements for what you want to block. Easier to manage and the most common pattern.

Impact on Permissions

  • SCPs affect IAM users and roles in member accounts, including the root user.
  • They do not affect the management account or service-linked roles.

Centralized Control

  • SCPs help organizations keep accounts under control by:

    • Blocking specific services
    • Enforcing regional restrictions
    • Ensuring compliance

Best Practices

  • Don’t start at the root. Test in an OU first to avoid blocking critical services.
  • Use IAM last accessed data or CloudTrail to check usage before applying restrictions.

🏠 The Family House Analogy (Root, OUs, SCPs)

  • Root = the parents’ house.
  • Each OU = a different child’s bedroom.
  • Each account = the kid who lives in that bedroom.

Scenario 1: Root Deny (no exceptions possible)

  • Parents put a lock on the fridge: “Nobody can eat ice cream.”
  • Even if one kid’s rules say they can, the house rule applies → no ice cream for anyone.
  • That’s what happens if you deny at root: nothing attached lower down (an OU SCP, an account SCP or an IAM policy) can override an explicit Deny, because SCP evaluation is an intersection and a Deny at any level wins.
  • So reserve root-level denies for the handful of rules that genuinely must hold in every account (for example, preventing member accounts from leaving the organization); everything else belongs in an OU.

Scenario 2: Root Full Access + OU Deny (best practice)

  • Parents say: “Everyone can eat anything.” (the default FullAWSAccess SCP, which AWS attaches to the root, every OU and every account when you enable SCPs).
  • Each bedroom (OU) adds its own rules:

    • Kid #1 → No ice cream.
    • Kid #2 → No candy.
    • Kid #3 → Full access.
  • If Kid #1 suddenly needs ice cream for a school project, just move them into Kid #3’s room. In AWS terms: move the account to the other OU; no policy needs editing.

  • That’s OU-level deny: flexible and easier to manage.

Scenario 3: Allow List at Root (too strict)

  • Parents put a giant whiteboard: “Only pizza and apples allowed.”
  • Every new food = update the board. Too much work.
  • That’s an allow list at root → high overhead.

In plain English:

  • Root deny = fridge locked for all, no exceptions.
  • OU deny = bedroom rules, exceptions possible.
  • Allow list = whiteboard nightmare.

👉 The winning strategy: Root = leave FullAWSAccess. OU = apply deny lists. Exceptions = move accounts.
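To make the intersection rule and the three house scenarios concrete, the evaluator below is an added example (not code from the original post and not an AWS tool). It models only the slice of the policy language the rules above depend on: Effect, Action/NotAction with wildcards, and a StringEquals/StringNotEquals condition on aws:RequestedRegion. The organization layout, the region-restriction SCP, the NotAction exemption list and the IAM policies are all constructed for the illustration. Each check in scenarios() maps to a bullet above: an OU deny beats an admin IAM policy, moving the account to another OU changes the answer, a root deny cannot be lifted, an allow-list OU implicitly denies anything unlisted, the management account ignores SCPs, and SCPs alone never grant.

```python
"""Toy evaluator for the SCP + IAM decision rules described above.

Added illustration, not AWS code. It models only the parts of the policy
language these rules depend on: Effect, Action / NotAction with wildcards,
and a StringEquals / StringNotEquals condition on aws:RequestedRegion.
Every policy document and the org layout below are constructed for the example.
"""
from fnmatch import fnmatchcase

# Default policy AWS attaches at every level when SCPs are enabled.
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}

# Deny-list SCP: block every non-global action outside two EU Regions.
# NotAction exempts services whose API calls are not Region-scoped (assumed list).
DENY_OUTSIDE_EU = {"Statement": [{
    "Effect": "Deny",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
}]}

# A root-level non-negotiable: no member account may leave the organization.
DENY_LEAVE_ORG = {"Statement": [{
    "Effect": "Deny", "Action": "organizations:LeaveOrganization"}]}

# Allow-list SCP: attached *instead of* FullAWSAccess at its level.
ALLOW_LIST_S3_ONLY = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "iam:*"]}]}


def _patterns(stmt):
    pats = stmt["Action"] if "Action" in stmt else stmt["NotAction"]
    return [pats] if isinstance(pats, str) else list(pats)


def _applies(stmt, action, region):
    """True if this statement matches the request (action + condition)."""
    hit = any(fnmatchcase(action, p) for p in _patterns(stmt))
    if "NotAction" in stmt:          # NotAction: statement covers everything *except* the list
        hit = not hit
    cond = stmt.get("Condition", {})
    must_be_in = cond.get("StringEquals", {}).get("aws:RequestedRegion")
    unless_in = cond.get("StringNotEquals", {}).get("aws:RequestedRegion")
    if must_be_in is not None and region not in must_be_in:
        return False
    if unless_in is not None and region in unless_in:
        return False
    return hit


def decision(policies, action, region):
    """'deny' if any statement explicitly denies; 'allow' if any allows; else 'implicit_deny'."""
    result = "implicit_deny"
    for doc in policies:
        for stmt in doc["Statement"]:
            if _applies(stmt, action, region):
                if stmt["Effect"] == "Deny":
                    return "deny"        # an explicit deny always wins
                result = "allow"
    return result


def scp_allows(levels, action, region):
    """levels = [root SCPs, OU SCPs..., account SCPs]. Intersection: every level must allow."""
    return all(decision(scps, action, region) == "allow" for scps in levels)


def is_allowed(levels, iam_policies, action, region):
    """SCPs only bound the account; IAM still has to grant the permission."""
    return scp_allows(levels, action, region) and decision(iam_policies, action, region) == "allow"


def scenarios():
    """The house analogy with real policy documents; returns one bool per check."""
    iam_admin = [{"Statement": [{"Effect": "Allow", "Action": "*"}]}]
    iam_readonly = [{"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}]
    root = [FULL_AWS_ACCESS, DENY_LEAVE_ORG]          # FullAWSAccess + one non-negotiable
    ou_eu_only = [FULL_AWS_ACCESS, DENY_OUTSIDE_EU]   # Kid #1's bedroom rule (deny list)
    ou_open = [FULL_AWS_ACCESS]                       # Kid #3: full access
    ou_allow_list = [ALLOW_LIST_S3_ONLY]              # FullAWSAccess removed (allow list)
    account = [FULL_AWS_ACCESS]
    return {
        # OU deny is a hard boundary: an admin IAM policy does not help outside the EU.
        "eu_ou_ec2_in_us": is_allowed([root, ou_eu_only, account], iam_admin, "ec2:RunInstances", "us-east-1"),
        "eu_ou_ec2_in_eu": is_allowed([root, ou_eu_only, account], iam_admin, "ec2:RunInstances", "eu-west-1"),
        # Global services exempted through NotAction keep working from any Region.
        "eu_ou_iam_in_us": is_allowed([root, ou_eu_only, account], iam_admin, "iam:CreateUser", "us-east-1"),
        # "Move the kid to another bedroom": same account, different OU, different answer.
        "open_ou_ec2_in_us": is_allowed([root, ou_open, account], iam_admin, "ec2:RunInstances", "us-east-1"),
        # A root deny cannot be lifted by any OU, account SCP or IAM policy.
        "open_ou_leave_org": is_allowed([root, ou_open, account], iam_admin, "organizations:LeaveOrganization", "us-east-1"),
        # Allow list: anything not listed at that level is implicitly denied.
        "allow_list_s3": is_allowed([root, ou_allow_list, account], iam_admin, "s3:GetObject", "eu-west-1"),
        "allow_list_ec2": is_allowed([root, ou_allow_list, account], iam_admin, "ec2:RunInstances", "eu-west-1"),
        # SCPs allow everything, but IAM grants only reads: SCPs never grant.
        "readonly_put": is_allowed([root, ou_open, account], iam_readonly, "s3:PutObject", "eu-west-1"),
        # Management account: no SCP levels apply at all, only IAM.
        "mgmt_ec2_anywhere": is_allowed([], iam_admin, "ec2:RunInstances", "ap-southeast-1"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} {'ALLOW' if ok else 'DENY'}")
```

Two details of the model are worth keeping in mind when you compare it with the real service: action matching is done case-sensitively here for simplicity (IAM matches action names case-insensitively), and the NotAction exemption list is an assumption for the example, not an authoritative list of global services; in production, build that list from the AWS documentation for the services your accounts actually use.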

Migrations: What You Need to Know for the AWS SAP Exam

Migration Planning

When AWS talks about migrations, they don’t just mean “move everything to the cloud and hope it works.” They want you to plan like a pro:

  • Discover what you have (servers, databases, apps).
  • Group things logically (applications, dependencies).
  • Choose the right migration strategy (the famous 6 R’s).

This planning stage is like preparing for a big family move. You don’t just grab boxes randomly: you make a list, decide what goes, what stays, and what needs upgrading.

AWS Application Discovery Service (ADS)

This tool is your inventory manager before moving day. It collects details about your on-premises servers, VMs, databases and the network connections between them, and stores them in Migration Hub.

It has three main ways to discover data:

  • Agentless Collector:

    • Deployed as a virtual appliance in your VMware vCenter; nothing is installed on the individual VMs.
    • Collects inventory and utilization: hostname, IP, CPU, RAM, disk usage.
    • Limitation: it cannot see running processes or server-to-server network dependencies.
  • Agent-based Discovery Agent:

    • Installed directly on each server (Windows or Linux).
    • Provides deep insights: processes, network connections, performance data.
    • Best if you need to understand how servers talk to each other before grouping them into applications.
  • File-based Import:

    • For when you already have an inventory from another system (a CMDB, a spreadsheet).
    • Fill in the Migration Hub import CSV template and upload it; the data lands in Migration Hub just like agent data.

📊 What happens after discovery?

  • Data is sent to your Migration Hub Home Region.
  • You can group servers into applications.
  • Export the data to S3 and query it with Athena (or visualize it in QuickSight) for dependency and cost analysis.
  • Use the info to right size EC2 instances and plan costs more accurately.
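As an added example of the “group servers into applications” step (not from the original post and not an AWS tool), the script below takes connection records shaped like the source/destination/port pairs the Discovery Agent reports, constructed here for the illustration, strips connections on shared-infrastructure ports (an assumed list for this example: DNS, Kerberos, NTP, LDAP, LDAPS), and proposes move groups from the connected components that remain. The shared-port filter is the part worth noticing: without it every server talks to the same DNS and AD hosts, so the whole estate collapses into a single group and the dependency data becomes useless for wave planning.

```python
"""Propose migration move groups from Discovery Agent style network flows.

Added example, not an AWS tool. The flow records are constructed to mirror the
server-to-server connections the agent reports (source, destination, port).
Connections on shared-infrastructure ports are dropped before grouping,
otherwise every server "depends" on DNS and AD and collapses into one group.
"""

# Ports whose connections say nothing about application boundaries
# (assumed list for this example: DNS, Kerberos, NTP, LDAP, LDAPS).
SHARED_SERVICE_PORTS = {53, 88, 123, 389, 636}

# Constructed sample flows: (source_server, destination_server, destination_port)
FLOWS = [
    ("web-01", "app-01", 8080),
    ("web-02", "app-01", 8080),
    ("app-01", "db-01", 1521),
    ("crm-web", "crm-db", 1433),
    ("web-01", "dns-01", 53),
    ("crm-web", "dns-01", 53),
    ("app-01", "ad-01", 389),
    ("crm-db", "ad-01", 389),
    ("legacy-01", "dns-01", 53),   # talks only to DNS: nothing depends on it
]


def build_graph(flows, shared_ports=SHARED_SERVICE_PORTS):
    """Undirected adjacency over application-level flows.

    Returns (graph, shared): every server appears in graph (possibly with no
    neighbours); shared holds hosts seen only as shared-service targets.
    """
    graph = {}
    shared_targets, app_nodes = set(), set()
    for src, dst, port in flows:
        graph.setdefault(src, set())
        graph.setdefault(dst, set())
        if port in shared_ports:
            shared_targets.add(dst)
            continue
        graph[src].add(dst)
        graph[dst].add(src)
        app_nodes.update((src, dst))
    # A host is "shared infrastructure" only if it has no application-level flows at all.
    return graph, shared_targets - app_nodes


def move_groups(flows, shared_ports=SHARED_SERVICE_PORTS):
    """Connected components = servers that should move in the same wave."""
    graph, shared = build_graph(flows, shared_ports)
    seen, groups = set(shared), []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(graph[node] - seen)
        groups.append(sorted(component))
    groups.sort(key=lambda g: (-len(g), g))   # biggest (riskiest) group first
    return groups, sorted(shared)


def wave_plan(flows, shared_ports=SHARED_SERVICE_PORTS):
    """Simple ordered plan: isolated hosts first, then small groups, then large
    ones; shared infrastructure is kept reachable until the last wave."""
    groups, shared = move_groups(flows, shared_ports)
    plan = []
    for group in sorted(groups, key=len):
        if len(group) == 1:
            label = "retire or rehost candidate (no app dependencies)"
        else:
            label = "rehost together"
        plan.append((group, label))
    plan.append((shared, "retain on-prem / extend with hybrid connectivity until the last wave"))
    return plan


if __name__ == "__main__":
    for group, label in wave_plan(FLOWS):
        print(f"{', '.join(group):32s} -> {label}")
```

Run it once with the default port filter and once with `shared_ports=set()` to see the difference: the filtered run yields three clean groups plus two shared hosts, the unfiltered run yields one nine-server blob. In a real engagement the filter list comes from the agent data itself (look for destinations that nearly every server connects to), and the resulting groups become the applications you define in Migration Hub before choosing an R for each.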

Migration Services: Moving from VMware or On-Prem to AWS

Once planning is done, it’s time to move the boxes. For SAP exam purposes, you need to know the main AWS services:

  • AWS Application Migration Service (MGN)

    • Think of this as the lift-and-shift champion.
    • A lightweight replication agent on each source server continuously replicates its disks (block level) into a staging area in your AWS account; from there MGN launches test instances and, at cutover, the final EC2 instances.
    • Great for minimizing downtime: replication keeps running until you cut over, so the final sync is small.
    • Works with Migration Hub so you can track progress.
    • Rehosting first gets workloads into AWS quickly; replatforming or refactoring can follow once they are running there.
  • AWS Database Migration Service (DMS)

    • Specifically for migrating databases.
    • Supports homogeneous migrations (Oracle → Oracle) and heterogeneous ones (SQL Server → Aurora). For heterogeneous migrations DMS moves the data; pair it with the AWS Schema Conversion Tool (SCT) to convert the schema and stored code first.
    • Can run continuous replication (change data capture) after the initial full load, so the source stays live until cutover.
    • Also integrates with DMS Fleet Advisor to discover and plan DB migrations.
  • AWS Migration Hub

    • The central dashboard for all migration projects.
    • Shows the status of servers and applications, regardless of which tool you use.
    • Think of it like the moving company coordinator that tracks every truck and box.

Migration Strategies (The 6 R’s)

You’ll definitely see these on the exam:

  • Rehost (Lift & Shift): Move as-is. Example: VM → EC2 (typically with MGN).
  • Replatform: Small changes, no new architecture. Example: App → Elastic Beanstalk, self-managed DB → RDS.
  • Refactor (Re-architect): Big changes. Example: Monolith → microservices with Lambda.
  • Repurchase: Replace with SaaS. Example: On-prem CRM → Salesforce.
  • Retire: Decommission unused apps (discovery data often reveals more of these than you expect).
  • Retain: Keep it on-prem for now.

AWS’s current migration guidance lists 7 Rs: the six above plus Relocate, which moves VMware VMs to VMware Cloud on AWS (or moves resources between accounts or Regions) without changing the guest OS or the application. Know both lists so the wording on the exam doesn’t throw you.

Conclusions

  • Service Control Policies (SCPs): They are the guardrails of AWS Organizations. SCPs don’t give access but define the maximum boundaries of permissions. The best approach is to leave FullAWSAccess at the root and apply deny lists at the OU level for flexibility and safer management.

  • Migrations: A successful migration is not just lifting and shifting servers. It requires planning, discovering your environment with ADS, moving workloads with MGN or DMS, tracking with Migration Hub, and finally applying the right strategy from the 6 R’s. With the right approach, migrations become predictable and cost-efficient.

That’s a wrap! 🎬 You’ve now seen two of the heaviest topics for the AWS SAP exam: SCPs and Migrations. Both are critical to not just passing the exam, but also working as a real Solutions Architect in the field.

If this article helped you, here’s what you can do next:

  • Follow me on X and YouTube for more AWS, DevOps, and Terraform content that’s beginner-friendly but also exam-ready.
  • Leave a comment with your thoughts, your own AWS SAP journey, or questions you’d like me to cover next.
  • Coming soon, a GitHub repo where I’ll be sharing supporting resources and examples to practice with.

Good luck with your AWS SAP journey, and remember: preparation + practice = passing like a pro!
