The AWS Solutions Architect Associate (SAA-C03) is the most popular cloud certification in the world. It validates your ability to design distributed systems on AWS — and it's a legitimate career accelerator. Engineers with the SA Associate consistently report $10-30K salary increases.
But the exam is genuinely difficult. It covers a vast surface area of AWS services, and the questions are scenario-based, not simple recall. You need to understand when and why to use each service, not just what it does.
This guide covers every domain, the key services you must master, architecture patterns the exam tests, and a practical study plan.
Exam Structure
| Detail | Value |
|---|---|
| Exam code | SAA-C03 |
| Duration | 130 minutes |
| Questions | 65 (multiple choice and multi-select) |
| Passing score | 720/1000 |
| Cost | $150 USD |
| Validity | 3 years |
| Prerequisite | None (but 1+ year AWS experience recommended) |
Domain Breakdown
| Domain | Weight | Focus Areas |
|---|---|---|
| 1. Secure Architectures | 30% | IAM, encryption, network security |
| 2. Resilient Architectures | 26% | HA, fault tolerance, disaster recovery |
| 3. High-Performing Architectures | 24% | Compute, storage, networking optimization |
| 4. Cost-Optimized Architectures | 20% | Cost management, right-sizing, pricing models |
Domain 1: Secure Architectures (30%)
This is the largest domain. AWS is obsessed with security, and so is this exam.
IAM Deep Dive
You need to understand IAM at a detailed level:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/8"
}
}
}
]
}
Key IAM concepts:
- Least privilege — Default deny. Grant minimum permissions needed.
- Roles vs. users — Use roles for services (EC2, Lambda), users for humans.
- Policy evaluation — Explicit deny > explicit allow > implicit deny.
- Cross-account access — Use IAM roles with trust policies, not shared credentials.
- Service control policies (SCPs) — Organization-level guardrails that override account policies.
- Permission boundaries — Maximum permissions an IAM entity can have.
Encryption Patterns
| Scenario | Service | Key Type |
|---|---|---|
| S3 data at rest | SSE-S3, SSE-KMS, SSE-C | AWS managed / Customer managed |
| EBS volumes | EBS encryption | KMS |
| RDS databases | RDS encryption | KMS |
| Data in transit | TLS/SSL | ACM certificates |
| Application secrets | Secrets Manager / SSM Parameter Store | KMS |
Exam tip: When a question mentions "regulatory compliance" or "customer-managed keys," the answer is almost always SSE-KMS with a customer-managed CMK.
Network Security
VPC Security Layers:
1. NACLs (Network ACLs)
- Stateless (must define inbound AND outbound rules)
- Applied at subnet level
- Rules processed in order (lowest number first)
- Default NACL allows all traffic
2. Security Groups
- Stateful (return traffic automatically allowed)
- Applied at ENI/instance level
- Can reference other security groups
- Default: allow all outbound, deny all inbound
3. VPC Flow Logs
- Capture traffic metadata (not content)
- Stored in CloudWatch Logs or S3
- Can be enabled at VPC, subnet, or ENI level
Domain 2: Resilient Architectures (26%)
Design for failure. Everything fails eventually.
High Availability Patterns
Multi-AZ deployments:
Region: us-east-1
├── AZ: us-east-1a
│ ├── EC2 instance (primary)
│ ├── RDS primary
│ └── ElastiCache node
├── AZ: us-east-1b
│ ├── EC2 instance (standby)
│ ├── RDS standby (synchronous replication)
│ └── ElastiCache node
└── AZ: us-east-1c
├── EC2 instance (standby)
└── ElastiCache node
Load Balancer distributes across all AZs
Auto Scaling maintains desired capacity per AZ
Disaster Recovery Strategies
| Strategy | RTO | RPO | Cost | Use Case |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours | Low | Non-critical |
| Pilot Light | Minutes | Minutes | Medium | Databases, core services |
| Warm Standby | Seconds-Minutes | Seconds | High | Business-critical |
| Multi-Region Active-Active | Near-zero | Near-zero | Highest | Mission-critical |
Exam tip: Match the DR strategy to the RTO/RPO requirements in the question. If the question says "minimize cost" with "acceptable RTO of 4 hours," the answer is Backup & Restore.
Key Services for Resilience
Auto Scaling patterns:
- Target tracking — Maintain CPU at 70%. Simplest, works for most cases.
- Step scaling — Add 2 instances when CPU > 80%, add 4 when > 90%.
- Predictive scaling — ML-based, scales before demand spikes. Good for predictable patterns.
Decoupling with SQS:
Web Tier → SQS Queue → Worker Tier → Database
Benefits:
- Web tier doesn't wait for processing
- Workers process at their own pace
- Queue absorbs traffic spikes
- Failed messages go to Dead Letter Queue
- Workers can scale independently
Domain 3: High-Performing Architectures (24%)
Storage Selection Guide
| Storage | Use Case | Performance | Cost |
|---|---|---|---|
| S3 Standard | Frequently accessed data | High throughput | $$$ |
| S3 IA | Infrequent access, immediate retrieval | Same as Standard | $$ |
| S3 Glacier Instant | Archive, millisecond retrieval | Fast retrieval | $ |
| S3 Glacier Flexible | Archive, minutes-hours retrieval | Slow retrieval | $ |
| S3 Glacier Deep | Long-term archive, hours retrieval | Slowest | ¢ |
| EBS gp3 | General purpose, EC2 boot volumes | 3000 IOPS baseline | $$ |
| EBS io2 | High IOPS databases | Up to 64,000 IOPS | $$$$ |
| EFS | Shared file system, multiple EC2 | Scalable throughput | $$$ |
| FSx for Lustre | HPC, ML training | Massive throughput | $$$$ |
Exam tip: S3 Lifecycle policies are heavily tested. Know how to transition objects: Standard → IA → Glacier Instant → Glacier Flexible → Deep Archive.
Database Selection
| Requirement | Service | Key Feature |
|---|---|---|
| Relational, ACID | RDS (Aurora) | Multi-AZ, read replicas |
| Key-value, < 10ms | DynamoDB | Serverless, global tables |
| In-memory cache | ElastiCache (Redis) | Sub-millisecond reads |
| Document (JSON) | DocumentDB | MongoDB compatible |
| Graph relationships | Neptune | Social networks, fraud |
| Time-series | Timestream | IoT, metrics |
| Ledger (immutable) | QLDB | Financial, audit |
| Data warehouse | Redshift | Petabyte-scale analytics |
Exam tip: When a question mentions "serverless" + "database" + "auto-scaling," the answer is usually DynamoDB on-demand or Aurora Serverless.
Caching Strategies
CloudFront (CDN) → API Gateway Cache → ElastiCache → Database
Question: "Reduce load on the database for read-heavy workload"
Answer: ElastiCache (Redis or Memcached)
Question: "Reduce latency for global users accessing static content"
Answer: CloudFront
Question: "Cache API responses"
Answer: API Gateway caching or ElastiCache
Domain 4: Cost-Optimized Architectures (20%)
EC2 Pricing Models
| Model | Discount | Commitment | Use Case |
|---|---|---|---|
| On-Demand | 0% | None | Unpredictable, short-term |
| Reserved (1yr) | ~40% | 1 year | Steady-state, known baseline |
| Reserved (3yr) | ~60% | 3 years | Long-term, predictable |
| Savings Plans | ~40-60% | 1-3 years | Flexible across instance types |
| Spot | Up to 90% | None (can be interrupted) | Fault-tolerant, batch, CI/CD |
| Dedicated Hosts | Varies | Required for licensing | Compliance, BYOL |
Exam tip: When the question says "most cost-effective" for a workload that can handle interruptions (batch processing, data analysis, CI/CD), the answer is Spot Instances.
Cost Optimization Checklist
- Right-size instances — Use AWS Compute Optimizer recommendations
- Use Savings Plans — Cover baseline with 1-year compute savings plans
- S3 Lifecycle policies — Transition infrequently accessed data to cheaper tiers
- Delete unused resources — Unattached EBS volumes, idle load balancers, stopped instances
- Use serverless where possible — Lambda, Fargate, DynamoDB on-demand
- Reserved capacity for databases — RDS Reserved Instances for production databases
- Data transfer optimization — Use VPC endpoints, CloudFront, minimize cross-region transfer
8-Week Study Plan
| Week | Focus | Study Hours |
|---|---|---|
| 1 | IAM, security fundamentals, VPC basics | 10 |
| 2 | EC2, EBS, ELB, Auto Scaling | 10 |
| 3 | S3, storage services, databases (RDS, DynamoDB) | 10 |
| 4 | Serverless (Lambda, API Gateway, SQS, SNS) | 10 |
| 5 | Networking (VPC advanced, Route 53, CloudFront) | 8 |
| 6 | Monitoring (CloudWatch, CloudTrail), DR patterns | 8 |
| 7 | Practice exams — analyze every wrong answer | 12 |
| 8 | Weak areas review, final practice exams | 12 |
Study Resources Hierarchy
- AWS documentation (free) — Definitive reference, especially FAQs
- Hands-on labs — Build real architectures in a free-tier account
- Practice exams — At least 3 full practice exams before the real test
- Structured study guides — Organized by domain for efficient review
- Cheat sheets — Quick reference for exam day review
Practice Questions
Q1: A company needs to store 100TB of log data. The data is queried infrequently (once per quarter) but must be available within minutes. What's the most cost-effective storage solution?
Answer: S3 Glacier Instant Retrieval. Infrequent access + minutes retrieval + cost optimization = Glacier Instant. S3 IA would work but is more expensive for this access pattern.
Q2: An application has a multi-tier architecture with a web tier, application tier, and database tier. The application tier needs to process requests asynchronously and handle traffic spikes. What should you add?
Answer: SQS queue between the web tier and application tier, with Auto Scaling on the application tier based on queue depth. This decouples the tiers and handles spikes.
Q3: A company is migrating an on-premises Oracle database to AWS. The database uses Oracle-specific features (stored procedures, packages). They want minimal refactoring. Which service should they use?
Answer: Amazon RDS for Oracle. The question specifies "minimal refactoring" and "Oracle-specific features," which rules out Aurora (PostgreSQL/MySQL only) and DynamoDB (NoSQL).
Exam Day Tips
- Flag and skip — Don't spend more than 2 minutes on any question. Flag it and come back.
- Eliminate obviously wrong answers — Usually 2 of 4 answers are clearly wrong.
- Look for keywords — "cost-effective," "most resilient," "least operational overhead" — these narrow the answer.
- When in doubt, choose serverless — AWS loves serverless answers when the question allows it.
- Read the whole question — The last sentence often contains the key constraint.
Structured Study Materials for AWS SA
If you want organized, domain-by-domain study materials, the AWS SA Associate Study Guide from Certification Prep Pro gives you comprehensive coverage of all exam domains with architecture diagrams, practice scenarios, and cheat sheets designed for efficient exam prep.
The full Certification Prep Pro collection covers 11 certifications: AWS, Azure, Kubernetes (CKA/CKAD), Terraform, Docker, GCP, Databricks, and CompTIA Security+ — all with structured study guides and lab exercises.
Use code LAUNCH40 for 40% off, or STUDENT for 50% off.
Top comments (0)