Domain 3 of 4

Continuous Improvement for Existing Solutions

Domain · 25% of the SAP-C02 exam

You cannot improve what you cannot measure

Assuming you know the AWS services that already run a workload, by the end of this domain you will be able to improve one in production through a measure-find-act loop (measure, let AWS's engines find the waste and risk, act with automated remediation, re-measure) and the four principles below are that loop's stages. Every later stage depends on the signal, so establish it first: Amazon CloudWatch metrics, alarms, and dashboards for the "what", AWS X-Ray traces and service maps for the "where" when latency crosses service boundaries, and Amazon RDS Performance Insights for the database tier. Only with that baseline can you tell over-provisioning from genuine demand, or a bad release from a capacity ceiling: improving a running system without measurement is guessing.

Let AWS’s recommendation engines find the opportunities

On an existing fleet you should not hunt for waste and risk by hand; AWS ships purpose-built engines that mine your own telemetry. AWS Compute Optimizer rightsizes EC2, Auto Scaling groups, EBS, Lambda, ECS-on-Fargate, and Aurora/RDS from 14 days of CloudWatch history (93 days with enhanced metrics); AWS Cost Explorer surfaces rightsizing and spend trends over up to 13 months; AWS Trusted Advisor spans cost, performance, security, fault tolerance, service limits, and operational excellence; Amazon DevOps Guru applies ML to flag anomalies with no static thresholds; AWS Security Hub aggregates security findings against FSBP/CIS; and AWS Resilience Hub scores an application against its RTO/RPO targets. Note the Trusted Advisor full check set and API require a Business, Enterprise, or Unified Operations support plan: Basic/Developer get only the Service Limits checks plus selected Security and Fault Tolerance checks.

Close the loop with automated remediation, not manual toil

A recommendation you act on once is a fix; one you act on automatically is an improvement. Turn findings into self-healing: AWS Config rules evaluate resource compliance and attach an SSM Automation document (managed or custom) to remediate non-compliant resources manually or automatically; AWS Systems Manager Automation runbooks execute the multi-step remediation or maintenance workflow; and Amazon EventBridge routes the triggering event (a finding, a state change, a schedule) to that runbook so the loop runs without a human. The same pattern applies to cost and reliability: schedule a quota-headroom alarm via Service Quotas + CloudWatch and re-converge drift instead of paging an engineer at 3 a.m.

Make Well-Architected reviews the cadence that re-runs the loop

The five subtopics here map one-to-one onto the AWS Well-Architected Framework pillars: operational excellence, security, reliability, performance efficiency, and cost optimization (sustainability is the sixth pillar). A periodic AWS Well-Architected Tool review re-runs the measure-find-act loop on a cadence: it surfaces high-risk issues (HRIs) and tracks their remediation as milestones over time, so improvement is a repeatable point-in-time review rather than a one-off. Validate reliability claims empirically with AWS Fault Injection Service experiments and AWS Backup restore testing (proving the restore meets RTO), and convert the cleaned-up steady-state baseline into commitment discounts via Savings Plans or a move to Graviton (up to 20% lower cost and up to 60% less energy): improving a running system means re-architecting in place, not redesigning from scratch.

The five improvement pillars and their primary AWS engines (SAP-C02)

Pillar (subtopic)Question it answersPrimary AWS discovery engine(s)Closing-the-loop / remediation tool
Operational excellence (improve-operational-excellence)Can I see, respond to, and predict operational issues?CloudWatch, X-Ray, DevOps Guru, Well-Architected ToolEventBridge → SSM Automation runbook; Config remediation
Security (improve-security)Where are my misconfigurations and exposed findings?Security Hub, GuardDuty, IAM Access Analyzer, Trusted Advisor (Security)Config rules + SSM Automation; Firewall Manager org-wide policy
Performance (improve-performance)Where is the bottleneck and is anything under-provisioned?Compute Optimizer, Performance Insights, CloudWatch, X-RayRightsize / change instance family; DynamoDB auto scaling or on-demand
Reliability (improve-reliability)Does the workload meet its RTO/RPO and survive failures?Resilience Hub, AWS Health, Trusted Advisor (Fault tolerance)FIS experiments; AWS Backup restore testing; ARC routing controls
Cost (improve-cost)Where is the waste and where can I commit on the baseline?Cost Explorer, Compute Optimizer, Trusted Advisor (Cost), Cost Anomaly DetectionRightsize/schedule first, then Savings Plans / Graviton on steady-state

Subtopics in this domain