AWS SAA-C03: Solutions Architect Associate Study Guide
The AWS Certified Solutions Architect - Associate (SAA-C03) validates your ability to design secure, resilient, high-performing, and cost-optimized distributed systems on AWS. It is aimed at people with hands-on experience designing AWS solutions who can translate business requirements into architectures using AWS compute, storage, database, networking, and security services. The exam is 130 minutes, scenario-heavy, scored 100-1000 with a passing score of 720, and uses multiple-choice and multiple-response questions.
Domain 1: Design Secure Architectures
- IAM roles deliver temporary credentials via the EC2 instance profile and should always be used for EC2/Lambda/ECS instead of embedding long-term access keys; follow least privilege by granting only specific actions on specific resource ARNs.
- Service Control Policies (SCPs) in AWS Organizations set the maximum permissions for member accounts but never grant permissions themselves; an explicit Deny in an SCP cannot be overridden by any account-level IAM policy.
- SSE-KMS with a customer managed key (CMK) gives you control over the key policy, automatic annual key rotation, and CloudTrail audit logging of every key use; SSE-S3 and AWS managed keys (aws/s3) do not let you control rotation or the key policy.
- Cross-account access is done with an IAM role: create the role in the target account with the needed permissions and a trust policy naming the source account/role, and have the source principal call sts:AssumeRole - never share access keys across accounts.
- A NAT gateway lives in a public subnet and provides outbound-only internet access for private subnets; the private subnet route table sends 0.0.0.0/0 to the NAT gateway, while the public subnet routes to an internet gateway.
- Security groups are stateful (return traffic is automatically allowed) and support allow rules only; reference one security group as the source in another (for example, allow DB SG inbound 3306 only from the app-tier SG) instead of using IP ranges.
- Network ACLs are stateless, evaluated by numbered rule order, support both allow and deny, and require explicit rules for return traffic on ephemeral ports.
- A gateway VPC endpoint (S3 and DynamoDB only) keeps traffic on the AWS network and is free; restrict bucket access to it with a bucket policy condition on aws:sourceVpce. Interface endpoints (PrivateLink) use ENIs and are billed hourly plus per-GB.
- AWS Secrets Manager natively rotates database credentials on a schedule via Lambda; SSM Parameter Store SecureString stores secrets but has no built-in rotation.
- CloudFront Origin Access Control (OAC) plus a restrictive S3 bucket policy ensures objects are reachable only through CloudFront, not by direct S3 URL; OAC is the current replacement for the legacy Origin Access Identity (OAI).
- Amazon Cognito identity pools issue temporary, scoped AWS credentials to authenticated/guest users (for example, to upload to one S3 prefix), while Cognito user pools handle sign-up/sign-in and can act as an API Gateway authorizer.
- Enforce MFA in IAM policies with a condition of aws:MultiFactorAuthPresent set to true; combine an organization-wide CloudTrail trail with an SCP denying cloudtrail:StopLogging and cloudtrail:DeleteTrail to make audit logs tamper-resistant.
- Enable EBS encryption by default at the account/Region level and set a default KMS key so all new volumes and snapshots are encrypted automatically; existing unencrypted volumes must be encrypted via a snapshot copy.
- Encrypt traffic end to end by using an HTTPS listener and an HTTPS target group on an ALB; AWS Certificate Manager (ACM) provisions and auto-renews public TLS certificates for ALB, CloudFront, and API Gateway at no charge.
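The SCP and MFA rules above, as an added example that is not from this guide: a deliberately simplified Python model of how an identity-based policy and an SCP combine (resource policies, permissions boundaries and session policies are left out), using constructed sample policies.

```python
# Added example, not from the study guide: a deliberately simplified model of how
# AWS combines an identity-based policy with an SCP. It shows the three Domain 1
# rules: an explicit Deny anywhere wins, an SCP alone never grants, and
# aws:MultiFactorAuthPresent can gate sensitive actions. Resource policies,
# permissions boundaries and session policies are intentionally left out.
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else value

def _matches(st, action, resource, context):
    """Statement applies if its Action/Resource patterns match and Bool conditions hold."""
    if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
        return False
    for key, want in st.get("Condition", {}).get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(want).lower():
            return False
    return True

def _decision(policy, action, resource, context):
    """'Deny', 'Allow' or None for one policy document; an explicit Deny is final."""
    result = None
    for st in policy["Statement"]:
        if _matches(st, action, resource, context):
            if st["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(identity_policy, scp, action, resource, context=None):
    """Any explicit Deny wins; otherwise both the SCP and the identity policy must allow."""
    results = (_decision(scp, action, resource, context or {}),
               _decision(identity_policy, action, resource, context or {}))
    return "Deny" not in results and all(r == "Allow" for r in results)

# Constructed sample policies. The SCP permits everything except stopping or deleting
# CloudTrail (the tamper-resistant audit pattern above); the identity policy grants
# S3 reads on one bucket unconditionally and CloudTrail administration only with MFA.
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "cloudtrail:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
```

Calling is_allowed with these policies shows that the SCP's Allow on everything grants nothing by itself, that its Deny on cloudtrail:StopLogging holds even for an MFA-authenticated principal whose own policy allows it, and that cloudtrail:StartLogging succeeds only when the MFA context key is true.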
Domain 2: Design Resilient Architectures
- RDS Multi-AZ provides a synchronous standby in a second AZ for high availability with automatic failover (typically 60-120 seconds); it is not a read scaling feature - use read replicas (asynchronous) for read scaling.
- Aurora replicates six copies of data across three AZs, automatically promotes a reader to writer on failure (failover usually under 30 seconds), and exposes a cluster (writer) endpoint and a reader endpoint for load-balanced reads.
- Aurora Global Database replicates to a secondary Region with typical lag under one second, supports promotion for cross-Region DR in under a minute, and is the preferred choice for low-RPO/RTO global resilience.
- Decouple producers from consumers with Amazon SQS so traffic spikes are buffered; set the visibility timeout to be at least as long as the consumer's processing time to prevent duplicate processing.
- An S3 event notification can push directly to SQS, SNS, Lambda, or EventBridge so uploads trigger downstream processing without polling the bucket.
- Multi-AZ Auto Scaling groups behind an ALB are the standard pattern for instance-level resilience; to survive one AZ failure, provision enough instances so the surviving AZs still meet required capacity (for example, 3 AZs x 3 = 9 instances to keep 6 running).
- Store HTTP session state in Amazon ElastiCache for Redis (or DynamoDB) so the application tier is stateless and any instance can serve any user, enabling clean scaling and instance replacement.
- Route 53 failover routing with health checks supports active-passive DR by routing to the secondary record when the primary endpoint becomes unhealthy; lowering the record TTL makes clients pick up DNS changes faster during failover.
- S3 is designed for 11 nines of durability; S3 Cross-Region Replication (CRR) asynchronously copies new objects to a bucket in another Region (requires versioning on both buckets) for DR and lower-latency regional access.
- DynamoDB on-demand capacity mode auto-scales to traffic with no capacity planning; use DynamoDB TTL to auto-expire old items and DynamoDB Streams plus Lambda to archive items to S3 before deletion.
- Disaster recovery strategies trade cost against RTO/RPO: Backup and Restore (cheapest, slowest), Pilot Light, Warm Standby, and Multi-Site Active-Active (most expensive, near-zero RTO/RPO).
- AWS Backup centralizes scheduled backups and retention across RDS, EBS, DynamoDB, EFS, and more through backup plans; AWS DMS migrates databases and its data validation feature compares source and target to confirm completeness.
- ECS on AWS Fargate runs containers without managing EC2 hosts and self-heals failed tasks across AZs, providing resilient serverless container compute.
- SNS fan-out (SNS topic to multiple SQS queues) delivers each message to many independent consumers, and SQS dead-letter queues capture messages that repeatedly fail processing for later inspection.
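The visibility-timeout rule from the SQS bullet above, as an added example that is not from this guide: a small Python simulation of one message on a standard queue with two polling consumers, using constructed timings, so the duplicate processing caused by a too-short timeout can be observed directly.

```python
# Added example, not from the study guide: a small event-driven model of an SQS
# standard queue showing why the visibility timeout must be at least as long as the
# consumer's processing time (Domain 2). Two pollers share one queue holding one
# message; if the timeout expires before the first consumer deletes the message, it
# becomes visible again and is processed twice. All timings are constructed.
import heapq

def simulate(visibility_timeout, processing_time, consumers=2, poll_interval=5):
    """Return how many times the single message gets processed.

    Simplified SQS semantics: ReceiveMessage hides the message for
    `visibility_timeout` seconds, DeleteMessage after processing removes it, and
    if the timeout elapses first the message is visible to the next poller again.
    """
    hidden_until = 0         # message is visible once now >= hidden_until
    deleted = False
    processed = 0
    # (time, event, consumer); consumers start polling at staggered times
    events = [(c * poll_interval, "poll", c) for c in range(consumers)]
    heapq.heapify(events)
    while events:
        now, kind, c = heapq.heappop(events)
        if kind == "poll":
            if deleted:
                continue                              # queue is empty, stop polling
            if now >= hidden_until:                   # ReceiveMessage returns the message
                hidden_until = now + visibility_timeout
                heapq.heappush(events, (now + processing_time, "done", c))
            else:                                     # empty receive, poll again later
                heapq.heappush(events, (now + poll_interval, "poll", c))
        else:                                         # consumer finished its work
            processed += 1                            # the side effects already happened
            deleted = True                            # DeleteMessage
    return processed

if __name__ == "__main__":
    # 45 s of work with a 30 s timeout: the message is redelivered and handled twice
    print(simulate(visibility_timeout=30, processing_time=45))   # 2
    # timeout >= processing time: handled exactly once
    print(simulate(visibility_timeout=60, processing_time=45))   # 1
```

Standard queues are at-least-once delivery regardless, so consumers should still be idempotent; a correct visibility timeout only removes the self-inflicted duplicates.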
Domain 3: Design High-Performing Architectures
- Amazon CloudFront caches content at global edge locations to cut latency for distant users; it serves static and dynamic content over the AWS backbone and can use S3, ALB, or any HTTP origin as its origin.
- ElastiCache for Redis offloads read-heavy databases via a cache-aside pattern and supports advanced data structures (for example, Sorted Sets for real-time leaderboards); Memcached is simpler and multi-threaded but lacks persistence and replication.
- DynamoDB Accelerator (DAX) is an in-memory cache for DynamoDB that delivers microsecond read latency for read-heavy, eventually-consistent workloads with no application cache-management code.
- RDS read replicas (up to 15 for Aurora, 5 for RDS) offload read traffic from the primary; they are asynchronous and can be promoted to standalone databases.
- Amazon Kinesis Data Streams ingests high-volume real-time data by shards (each shard accepts 1 MB/s or 1,000 records/s of writes); Kinesis Data Firehose batches and delivers to S3/Redshift/OpenSearch, and Managed Service for Apache Flink (formerly Kinesis Data Analytics) does real-time analytics.
- Amazon Athena runs serverless SQL directly against data in S3 and is far cheaper and faster when data is partitioned and stored in columnar formats like Parquet, which reduce data scanned.
- Amazon FSx for Lustre provides a high-throughput, low-latency parallel file system for HPC and ML and can link to an S3 bucket to lazy-load data; FSx for Windows File Server provides SMB shares.
- For tightly coupled HPC/ML, use a cluster placement group (instances packed in one AZ for low latency, high bandwidth) with Elastic Fabric Adapter (EFA) and network-optimized instances such as c5n.
- API Gateway plus Lambda gives a fully serverless, auto-scaling REST/HTTP backend; API Gateway response caching serves repeated requests without invoking Lambda, improving latency and lowering cost.
- S3 scales to very high request rates per prefix (about 5,500 GET/3,500 PUT per second per prefix), so spreading objects across prefixes increases throughput; S3 Transfer Acceleration speeds long-distance uploads via edge locations.
- AWS Snowball Edge physically ships large datasets (tens of TB to PB) when transferring over the network would take too long; AWS DataSync handles ongoing online transfers to S3, EFS, or FSx.
- AWS Global Accelerator provides static anycast IPs and routes user traffic over the AWS backbone to the nearest healthy regional endpoint, improving performance and failover for TCP/UDP workloads, including non-HTTP ones.
- AWS Transit Gateway is a hub-and-spoke router that connects many VPCs and on-premises networks at scale, replacing complex VPC peering meshes.
- EBS volume types match performance needs: gp3 (general purpose, independently provisioned IOPS/throughput), io1/io2 (high, provisioned IOPS for critical databases), st1 (throughput-optimized HDD for big data), and sc1 (cold HDD for infrequent access).
Domain 4: Design Cost-Optimized Architectures
- EC2 Spot Instances offer up to 90 percent off On-Demand for interruptible, restartable workloads; diversify across instance types and AZs and use checkpointing to handle the two-minute interruption notice gracefully.
- Savings Plans and Reserved Instances reduce cost for steady workloads: Compute Savings Plans are most flexible, EC2 Instance Savings Plans give deeper discounts tied to a family/Region, and 3-year All Upfront RIs deliver the maximum discount (up to ~72 percent).
- S3 lifecycle policies transition objects across tiers to cut storage cost: Standard, then Standard-IA, then Glacier Instant Retrieval, Glacier Flexible Retrieval, and Glacier Deep Archive for long-term cold archival.
- S3 Intelligent-Tiering automatically moves objects between access tiers based on usage with no retrieval fees, ideal when access patterns are unknown or unpredictable.
- Right-size oversized resources: if an RDS instance shows low CPU and memory utilization, move to a smaller instance class (for example db.r5.2xlarge to db.r5.large) while keeping Multi-AZ to cut cost roughly in half.
- AWS Instance Scheduler starts and stops EC2 and RDS instances on a defined schedule to eliminate cost for dev/test resources outside business hours.
- Lambda cost is memory x duration x invocations; raising memory can increase allocated CPU, shorten runtime, and lower total cost even at a higher per-millisecond rate, so tune memory for the cost-optimal point.
- Replace always-on EC2 with event-driven Lambda (for example, triggered by S3 events) or scale Auto Scaling groups to zero to remove idle compute cost; Aurora Serverless v2 auto-scales capacity and bills only for what is used.
- Cost allocation tags plus AWS Cost Explorer let you attribute spend by project, team, or environment; activate user-defined tags in the Billing console and require teams to tag all resources for chargeback and visibility.
- AWS Trusted Advisor and Cost Explorer surface idle/underutilized resources, unattached EBS volumes, idle RDS, and Savings Plans/RI purchase recommendations.
- For EMR, run On-Demand or Reserved master and core nodes for stability and use Spot task nodes for interruptible work; pause an Amazon Redshift cluster during non-business hours to stop compute charges while retaining storage.
- AWS Budgets sends alerts (and can take actions) when actual or forecasted spend crosses thresholds, while Cost Anomaly Detection flags unexpected spikes using machine learning.
- Data transfer costs matter: inbound to AWS is free, data out to the internet is billed, traffic between AZs is charged, and using VPC gateway endpoints for S3/DynamoDB avoids NAT gateway data-processing charges.
- Consolidated billing in AWS Organizations aggregates usage so volume discounts apply across the org, and Reserved Instance/Savings Plans benefits are shared across linked accounts by default.
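The Lambda memory-tuning point above (memory x duration x invocations), as an added example that is not from this guide: Python that prices a function at several memory settings and picks the cheapest. The unit prices are assumed x86 us-east-1 list prices and the per-setting durations are constructed; verify both against your own measurements and the current pricing page.

```python
# Added example, not from the study guide: cost of a Lambda function at several
# memory settings, to locate the cost-optimal point described in Domain 4. The
# prices are assumed x86 us-east-1 list prices at the time of writing (check the
# current pricing page); the duration figures are constructed and mimic a CPU-bound
# handler whose runtime falls as memory, and with it allocated CPU, grows.
import math

PRICE_PER_GB_SECOND = 0.0000166667     # assumed; per GB-second of billed duration
PRICE_PER_REQUEST = 0.20 / 1_000_000   # assumed; flat charge per invocation

def invocation_cost(memory_mb, duration_ms):
    """Cost of one invocation; Lambda bills duration rounded up to the next 1 ms."""
    billed_seconds = math.ceil(duration_ms) / 1000
    gb_seconds = (memory_mb / 1024) * billed_seconds
    return gb_seconds * PRICE_PER_GB_SECOND + PRICE_PER_REQUEST

def monthly_cost(memory_mb, duration_ms, invocations):
    """The guide's formula, memory x duration x invocations, plus the request charge."""
    return invocation_cost(memory_mb, duration_ms) * invocations

def cheapest_setting(measurements, invocations):
    """Return (memory_mb, cost) for the cheapest of the measured settings.
    `measurements` maps memory_mb -> observed average duration in ms."""
    costs = {mem: monthly_cost(mem, dur, invocations) for mem, dur in measurements.items()}
    best = min(costs, key=costs.get)
    return best, costs[best]

# Constructed measurements: doubling memory roughly halves runtime until 1,769 MB
# (one full vCPU); beyond that the function is no faster but costs more per ms.
MEASURED_MS = {128: 2000.0, 256: 900.0, 512: 400.0, 1024: 190.0, 1769: 120.0, 3008: 118.0}

if __name__ == "__main__":
    for mem, dur in MEASURED_MS.items():
        print(f"{mem:>5} MB  {dur:>7.0f} ms  ${monthly_cost(mem, dur, 10_000_000):8.2f}")
    print("cheapest:", cheapest_setting(MEASURED_MS, 10_000_000))   # (1024, ~33.67)
```

With these figures the 128 MB setting has the lowest per-millisecond rate yet costs the most, and 1024 MB is the optimum; past one vCPU the extra memory only adds cost.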
AWS SAA-C03 exam tips
- Read the qualifiers in every scenario - words like 'most cost-effective', 'least operational overhead', 'highest availability', or 'lowest latency' usually eliminate two or three technically valid options and point to the one intended answer.
- Default to managed and serverless services (Fargate, Lambda, Aurora, SQS, S3) when a question stresses reducing operational overhead, since AWS favors removing undifferentiated heavy lifting.
- Map availability requirements to AZ and Region scope: single-AZ is not resilient, Multi-AZ survives an AZ failure, and Multi-Region survives a Region failure - match the chosen pattern to the stated RTO/RPO.
- Watch the time budget: about 130 minutes for roughly 65 questions is about two minutes each, so flag long scenarios, answer the quick ones first, and return to flagged items rather than stalling.
- Memorize the decision triggers: SQS for decoupling/buffering, CloudFront/ElastiCache/DAX for latency, Spot for interruptible batch, IAM roles over access keys, and KMS CMK when you need control over rotation and audit.
Study guide FAQ
How many questions are on the SAA-C03 exam and what score do I need to pass?
The exam has about 65 questions (multiple-choice and multiple-response) to be answered in 130 minutes. Scores range from 100 to 1000, and you need 720 to pass. The score is scaled, so you do not need to get a fixed percentage of questions right; roughly 70-75 percent correct is a safe target.
Which domain carries the most weight, and how should I prioritize studying?
Design Secure Architectures is the largest domain (about 30 percent in the official blueprint), followed by Design Resilient Architectures (about 26 percent), Design High-Performing Architectures (about 24 percent), and Design Cost-Optimized Architectures (about 20 percent). Prioritize security and resiliency patterns, but do not neglect cost optimization, since it appears in many scenarios.
Do I need deep hands-on experience or hard coding skills to pass?
You do not need to write application code, but AWS recommends about one year of hands-on experience designing solutions on AWS. The exam is scenario-based and tests whether you can choose the right service and architecture for a requirement, so practicing in the console and building sample architectures matters far more than memorizing CLI syntax.
How current is the exam content and what services should I focus on?
SAA-C03 emphasizes core, widely used services rather than niche or brand-new ones. Focus on EC2, Auto Scaling, ELB/ALB, S3, EBS, EFS, RDS, Aurora, DynamoDB, VPC and networking, IAM, KMS, CloudFront, Route 53, SQS, SNS, Lambda, ECS/Fargate, ElastiCache, CloudWatch, CloudTrail, AWS Organizations, and the cost tools (Cost Explorer, Budgets, Trusted Advisor). Knowing when to use each service over its alternatives is the heart of the exam.