Over 60% of first-time AWS Solutions Architect Associate candidates fail — not because the material is too hard, but because they study the wrong way. They memorize service names instead of learning when and why to choose each one, which is exactly what the scenario-based questions test.
The SAA-C03 is the most popular cloud certification in the world, and engineers who pass consistently report $10–30K salary increases. This guide covers every exam domain, the services you must master, architecture patterns the exam loves, and a week-by-week study plan.
Exam Structure
| Detail | Value |
|---|---|
| Exam code | SAA-C03 |
| Duration | 130 minutes |
| Questions | 65 (multiple choice and multi-select) |
| Passing score | 720/1000 |
| Cost | $150 USD |
| Validity | 3 years |
| Prerequisite | None (but 1+ year AWS experience recommended) |
Domain Breakdown
| Domain | Weight | Focus Areas |
|---|---|---|
| 1. Secure Architectures | 30% | IAM, encryption, network security |
| 2. Resilient Architectures | 26% | HA, fault tolerance, disaster recovery |
| 3. High-Performing Architectures | 24% | Compute, storage, networking optimization |
| 4. Cost-Optimized Architectures | 20% | Cost management, right-sizing, pricing models |
Domain 1: Secure Architectures (30%)
This is the largest domain. AWS is obsessed with security, and so is this exam.
IAM Deep Dive
You need to understand IAM at a granular level — policies, trust relationships, and evaluation logic:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadOnly",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "10.0.0.0/8"
}
}
}
]
}
Key IAM concepts:
- Least privilege — Default deny. Grant the minimum permissions needed.
- Roles vs. users — Use roles for services (EC2, Lambda), users for humans.
- Policy evaluation — Explicit deny > explicit allow > implicit deny.
- Cross-account access — Use IAM roles with trust policies, never shared credentials.
- Service control policies (SCPs) — Organization-level guardrails that override account-level policies.
- Permission boundaries — Cap on the maximum permissions an IAM entity can have.
Encryption Patterns
| Scenario | Service | Key Type |
|---|---|---|
| S3 data at rest | SSE-S3, SSE-KMS, SSE-C | AWS managed / Customer managed |
| EBS volumes | EBS encryption | KMS |
| RDS databases | RDS encryption | KMS |
| Data in transit | TLS/SSL | ACM certificates |
| Application secrets | Secrets Manager / SSM Parameter Store | KMS |
Exam tip: When a question mentions "regulatory compliance" or "customer-managed keys," the answer is almost always SSE-KMS with a customer-managed CMK.
Network Security
VPC Security Layers:
1. NACLs (Network ACLs)
- Stateless (must define inbound AND outbound rules)
- Applied at subnet level
- Rules processed in order (lowest number first)
- Default NACL allows all traffic
2. Security Groups
- Stateful (return traffic automatically allowed)
- Applied at ENI/instance level
- Can reference other security groups
- Default: allow all outbound, deny all inbound
3. VPC Flow Logs
- Capture traffic metadata (not content)
- Stored in CloudWatch Logs or S3
- Can be enabled at VPC, subnet, or ENI level
Domain 2: Resilient Architectures (26%)
Design for failure. Everything fails eventually — your architecture should survive it.
High Availability Patterns
Multi-AZ deployments:
Region: us-east-1
├── AZ: us-east-1a
│ ├── EC2 instance (primary)
│ ├── RDS primary
│ └── ElastiCache node
├── AZ: us-east-1b
│ ├── EC2 instance (standby)
│ ├── RDS standby (synchronous replication)
│ └── ElastiCache node
└── AZ: us-east-1c
├── EC2 instance (standby)
└── ElastiCache node
Load Balancer distributes across all AZs
Auto Scaling maintains desired capacity per AZ
Disaster Recovery Strategies
| Strategy | RTO | RPO | Cost | Use Case |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours | Low | Non-critical |
| Pilot Light | Minutes | Minutes | Medium | Databases, core services |
| Warm Standby | Seconds–Minutes | Seconds | High | Business-critical |
| Multi-Region Active-Active | Near-zero | Near-zero | Highest | Mission-critical |
Exam tip: Match the DR strategy to the RTO/RPO requirements in the question. If it says "minimize cost" with "acceptable RTO of 4 hours," the answer is Backup & Restore.
Key Services for Resilience
Auto Scaling patterns:
- Target tracking — Maintain CPU at 70%. Simplest approach, works for most cases.
- Step scaling — Add 2 instances when CPU > 80%, add 4 when > 90%.
- Predictive scaling — ML-based, scales proactively before demand spikes.
Decoupling with SQS:
Web Tier → SQS Queue → Worker Tier → Database
Benefits:
- Web tier doesn't wait for processing
- Workers process at their own pace
- Queue absorbs traffic spikes
- Failed messages go to Dead Letter Queue
- Workers can scale independently
Domain 3: High-Performing Architectures (24%)
Storage Selection Guide
| Storage | Use Case | Performance | Cost |
|---|---|---|---|
| S3 Standard | Frequently accessed data | High throughput | $$$ |
| S3 IA | Infrequent access, immediate retrieval | Same as Standard | $$ |
| S3 Glacier Instant | Archive, millisecond retrieval | Fast retrieval | $ |
| S3 Glacier Flexible | Archive, minutes–hours retrieval | Slow retrieval | $ |
| S3 Glacier Deep | Long-term archive, hours retrieval | Slowest | ¢ |
| EBS gp3 | General purpose, EC2 boot volumes | 3000 IOPS baseline | $$ |
| EBS io2 | High IOPS databases | Up to 64,000 IOPS | $$$$ |
| EFS | Shared file system, multiple EC2 | Scalable throughput | $$$ |
| FSx for Lustre | HPC, ML training | Massive throughput | $$$$ |
Exam tip: S3 Lifecycle policies are heavily tested. Know the transition path: Standard → IA → Glacier Instant → Glacier Flexible → Deep Archive.
Database Selection
| Requirement | Service | Key Feature |
|---|---|---|
| Relational, ACID | RDS (Aurora) | Multi-AZ, read replicas |
| Key-value, < 10ms | DynamoDB | Serverless, global tables |
| In-memory cache | ElastiCache (Redis) | Sub-millisecond reads |
| Document (JSON) | DocumentDB | MongoDB compatible |
| Graph relationships | Neptune | Social networks, fraud |
| Time-series | Timestream | IoT, metrics |
| Ledger (immutable) | QLDB | Financial, audit |
| Data warehouse | Redshift | Petabyte-scale analytics |
Exam tip: When a question mentions "serverless" + "database" + "auto-scaling," the answer is usually DynamoDB on-demand or Aurora Serverless.
Caching Strategies
CloudFront (CDN) → API Gateway Cache → ElastiCache → Database
Question: "Reduce load on the database for read-heavy workload"
Answer: ElastiCache (Redis or Memcached)
Question: "Reduce latency for global users accessing static content"
Answer: CloudFront
Question: "Cache API responses"
Answer: API Gateway caching or ElastiCache
Domain 4: Cost-Optimized Architectures (20%)
EC2 Pricing Models
| Model | Discount | Commitment | Use Case |
|---|---|---|---|
| On-Demand | 0% | None | Unpredictable, short-term |
| Reserved (1yr) | ~40% | 1 year | Steady-state, known baseline |
| Reserved (3yr) | ~60% | 3 years | Long-term, predictable |
| Savings Plans | ~40–60% | 1–3 years | Flexible across instance types |
| Spot | Up to 90% | None (can be interrupted) | Fault-tolerant, batch, CI/CD |
| Dedicated Hosts | Varies | Required for licensing | Compliance, BYOL |
Exam tip: When the question says "most cost-effective" for a workload that can handle interruptions (batch processing, data analysis, CI/CD), the answer is Spot Instances.
Cost Optimization Checklist
- Right-size instances — Use AWS Compute Optimizer recommendations.
- Use Savings Plans — Cover baseline with 1-year compute savings plans.
- S3 Lifecycle policies — Transition infrequently accessed data to cheaper tiers.
- Delete unused resources — Unattached EBS volumes, idle load balancers, stopped instances.
- Use serverless where possible — Lambda, Fargate, DynamoDB on-demand.
- Reserved capacity for databases — RDS Reserved Instances for production databases.
- Data transfer optimization — Use VPC endpoints, CloudFront, minimize cross-region transfer.
8-Week Study Plan
| Week | Focus | Study Hours |
|---|---|---|
| 1 | IAM, security fundamentals, VPC basics | 10 |
| 2 | EC2, EBS, ELB, Auto Scaling | 10 |
| 3 | S3, storage services, databases (RDS, DynamoDB) | 10 |
| 4 | Serverless (Lambda, API Gateway, SQS, SNS) | 10 |
| 5 | Networking (VPC advanced, Route 53, CloudFront) | 8 |
| 6 | Monitoring (CloudWatch, CloudTrail), DR patterns | 8 |
| 7 | Practice exams — analyze every wrong answer | 12 |
| 8 | Weak areas review, final practice exams | 12 |
Study Resources Hierarchy
- AWS documentation (free) — Definitive reference, especially the service FAQs.
- Hands-on labs — Build real architectures in a free-tier account.
- Practice exams — Take at least 3 full practice exams before the real test.
- Structured study guides — Organized by domain for efficient review.
- Cheat sheets — Quick reference for exam-day review.
Practice Questions
Q1: A company needs to store 100TB of log data. The data is queried infrequently (once per quarter) but must be available within minutes. What's the most cost-effective storage solution?
Answer: S3 Glacier Instant Retrieval. Infrequent access + minutes retrieval + cost optimization = Glacier Instant. S3 IA would work but costs more for this access pattern.
Q2: An application has a multi-tier architecture with a web tier, application tier, and database tier. The application tier needs to process requests asynchronously and handle traffic spikes. What should you add?
Answer: An SQS queue between the web tier and application tier, with Auto Scaling on the application tier based on queue depth. This decouples the tiers and absorbs spikes gracefully.
Q3: A company is migrating an on-premises Oracle database to AWS. The database uses Oracle-specific features (stored procedures, packages). They want minimal refactoring. Which service should they use?
Answer: Amazon RDS for Oracle. The question specifies "minimal refactoring" and "Oracle-specific features," which rules out Aurora (PostgreSQL/MySQL only) and DynamoDB (NoSQL).
Exam Day Tips
- Flag and skip — Don't spend more than 2 minutes on any question. Flag it and return later.
- Eliminate wrong answers — Usually 2 of 4 answers are clearly wrong.
- Watch for keywords — "cost-effective," "most resilient," "least operational overhead" — these narrow the answer.
- When in doubt, choose serverless — AWS favors serverless answers when the question allows it.
- Read the full question — The last sentence often contains the key constraint.
If you're looking for structured, domain-by-domain study materials to accelerate your certification prep, check out the resources at DataStack Pro.
Top comments (0)