AWS Certified Solutions Architect – Associate (SAA-C03) Exam Course

1. Exam Overview

What the exam is testing

The AWS Certified Solutions Architect – Associate (SAA-C03) exam tests whether you can design secure, resilient, high-performing, and cost-optimized architectures on AWS. It is not mainly a memorization exam. Most questions describe a business scenario, constraints, and several plausible AWS services. Your job is to choose the design that best satisfies the requirement with the least operational burden and the most appropriate tradeoff.

The exam commonly tests your ability to:

• Translate business requirements into AWS architecture choices.
• Select the right managed service instead of overengineering.
• Apply security controls without breaking application access.
• Design for Availability Zone or Regional failure where required.
• Improve performance with caching, scaling, partitioning, and service selection.
• Reduce cost without sacrificing stated requirements.
• Eliminate distractors that are technically possible but not the best architecture.

How to think like the exam

Read every scenario in this order:

1. Requirement: What must the architecture achieve? Security, resiliency, performance, cost, migration, or operations?
2. Constraint: Least operational effort, no code change, low latency, private connectivity, multi-account governance, compliance, or cost reduction?
3. Data pattern: Object, block, file, relational, key-value, streaming, queue, analytics, or archive?
4. Traffic pattern: Steady, unpredictable, spiky, global, read-heavy, write-heavy, or batch?
5. Failure scope: Instance, Availability Zone, Region, account, or user mistake?
6. Best AWS-native answer: Prefer managed, scalable, secure-by-default services unless the question explicitly requires custom control.

How to use this course

Use this file as a compressed revision guide. First read the domain sections to understand the exam logic. Then use the service-selection tables to learn how to choose between confusing AWS services. Finally, use the exam traps, memory rules, and exam-day checklist to revise quickly before the test.

This course is synthesized from the SAA-C03 blueprint and from repeated patterns in the generated practice question bank. It does not reproduce raw questions or dumps.

2. Exam Domains

Priority notes

Security has the largest weighting, so expect many questions where the obvious service is not enough unless access control, encryption, logging, or network isolation is handled correctly. Resiliency and performance questions often look similar, but resiliency focuses on surviving failures while performance focuses on latency, throughput, and scalability. Cost questions often contain traps where the cheapest option violates availability, durability, or performance requirements.

What matters most

The most repeated high-value services and concepts are:

• Amazon S3: storage classes, lifecycle policies, encryption, bucket policies, access points, versioning, replication, Object Lock, VPC endpoints.
• Amazon EC2: Auto Scaling, purchase options, placement groups, AMIs, EBS, instance families, load balancing.
• VPC networking: public/private subnets, NAT gateway, internet gateway, route tables, security groups, NACLs, VPC endpoints, peering, Transit Gateway, VPN, Direct Connect.
• IAM and Organizations: least privilege, roles, resource policies, SCPs, identity federation, permission boundaries.
• Databases: RDS/Aurora, DynamoDB, ElastiCache, Redshift, OpenSearch, read replicas, Multi-AZ, global tables.
• Resiliency services: ELB, Auto Scaling, Route 53 failover, AWS Backup, SQS, SNS, EventBridge, multi-AZ databases.
• Monitoring and governance: CloudWatch, CloudTrail, AWS Config, GuardDuty, Security Hub, WAF, Shield, Systems Manager.

3. Start-to-Finish Study Path

Foundation

Learn the core AWS building blocks before memorizing edge cases:

• AWS global infrastructure: Regions, Availability Zones, edge locations.
• Shared responsibility model.
• IAM users, groups, roles, policies, and resource-based policies.
• VPC basics: CIDR, subnets, route tables, gateways, security groups, NACLs.
• Storage basics: S3, EBS, EFS, FSx.
• Compute basics: EC2, Auto Scaling, ELB, Lambda, ECS/Fargate.
• Database basics: RDS, Aurora, DynamoDB, ElastiCache, Redshift.

Intermediate

Build service-selection instincts:

• Choose S3 vs EBS vs EFS vs FSx.
• Choose RDS/Aurora vs DynamoDB vs Redshift vs OpenSearch.
• Choose ALB vs NLB vs Gateway Load Balancer.
• Choose CloudFront vs Global Accelerator vs Route 53 latency routing.
• Choose SQS vs SNS vs EventBridge vs Step Functions.
• Choose VPN vs Direct Connect vs Transit Gateway vs VPC peering.
• Choose KMS key policy vs IAM policy vs bucket policy vs SCP.

Advanced

Practice tradeoff questions:

• Multi-AZ vs multi-Region.
• Read replica vs Multi-AZ standby.
• NAT gateway vs VPC endpoint.
• S3 Standard-IA vs One Zone-IA vs Glacier Instant Retrieval vs Flexible Retrieval vs Deep Archive.
• Reserved Instances vs Savings Plans vs Spot Instances.
• CloudFront caching vs ElastiCache vs DynamoDB DAX.
• S3 replication vs AWS Backup vs versioning.
• RTO/RPO-driven disaster recovery patterns.

Final review

Use the last stage to improve elimination speed:

• Mark the keyword that decides the answer: private, managed, least operational overhead, global low latency, compliance, multi-account, unpredictable traffic, archive, read-heavy, asynchronous, event-driven.
• Remove any answer that violates the explicit requirement.
• Prefer fully managed services when the question asks for reduced operational overhead.
• Prefer serverless when traffic is unpredictable and the workload fits the service limits.
• Prefer multi-AZ for high availability inside a Region; prefer multi-Region only when the question requires Regional disaster recovery or global users.

4. Core Concepts by Domain

Domain 1: Design Secure Architectures

Concepts

Security questions test whether you can design access control, network isolation, encryption, auditability, and governance together. The exam often gives a design that works functionally but misses a security control.

Key concepts:

• Least privilege: Grant only required actions on required resources.
• IAM roles over long-term keys: Use roles for EC2, Lambda, ECS tasks, and cross-account access.
• Resource policies: Use S3 bucket policies, KMS key policies, SQS queue policies, SNS topic policies, and Lambda resource policies when access is controlled from the resource side.
• SCPs: Use AWS Organizations service control policies to set account-level guardrails. SCPs do not grant permissions; they only limit maximum permissions.
• Encryption at rest: Use KMS-managed keys when audit, rotation, key policy control, or cross-account access matters.
• Encryption in transit: Use TLS/HTTPS, ACM certificates, ALB listeners, CloudFront viewer policies.
• Private access: Use VPC endpoints for private access to AWS services without internet or NAT.
• Secrets: Use AWS Secrets Manager for automatic rotation and AWS Systems Manager Parameter Store for configuration/secrets with simpler requirements.
• Monitoring and audit: Use CloudTrail for API activity, CloudWatch for metrics/logs/alarms, AWS Config for configuration history/compliance.
• Threat detection: GuardDuty detects suspicious activity; Inspector scans vulnerabilities; Macie discovers sensitive data in S3; Security Hub aggregates findings.

Services

• IAM, IAM Identity Center, STS, AWS Organizations, SCPs.
• Amazon VPC, security groups, NACLs, VPC endpoints, PrivateLink.
• AWS KMS, CloudHSM, ACM, Secrets Manager, Parameter Store.
• S3 bucket policies, S3 Block Public Access, Object Lock, versioning, access points.
• CloudTrail, CloudWatch Logs, AWS Config, GuardDuty, Security Hub, Inspector, Macie.
• AWS WAF and AWS Shield for application and DDoS protection.

Patterns

Traps

• Using IAM users/access keys for applications when an IAM role is available.
• Confusing SCPs with IAM policies: SCPs restrict; they do not grant.
• Forgetting KMS permissions: Access to an encrypted S3 object requires S3 permission and KMS key permission.
• Choosing NAT gateway for private S3 access when a gateway VPC endpoint is more secure and cheaper.
• Using security groups as deny rules: Security groups allow only; NACLs can allow and deny.
• Assuming CloudTrail prevents attacks: CloudTrail records API events; it does not block by itself.

Domain 2: Design Resilient Architectures

Concepts

Resiliency questions test how systems continue operating during failures. The exam usually asks for the simplest architecture that satisfies availability, durability, RTO, and RPO requirements.

Key concepts:

• High availability: Survive component or Availability Zone failures.
• Fault tolerance: Continue operating even when components fail.
• Durability: Avoid data loss.
• RTO: Maximum acceptable downtime.
• RPO: Maximum acceptable data loss.
• Stateless compute: Store session state outside instances, such as in ElastiCache, DynamoDB, or cookies.
• Decoupling: Use SQS, SNS, EventBridge, or Kinesis to absorb failure and spikes.
• Backups and replication: Use AWS Backup, snapshots, database backups, S3 versioning, and cross-Region replication as appropriate.

Services

• Elastic Load Balancing, Auto Scaling groups, Route 53 health checks/failover.
• RDS Multi-AZ, Aurora Multi-AZ, read replicas, Aurora Global Database.
• DynamoDB global tables, point-in-time recovery, on-demand backups.
• S3 versioning, replication, Object Lock, lifecycle rules.
• AWS Backup, Elastic Disaster Recovery, EBS snapshots, AMIs.
• SQS, SNS, EventBridge, Step Functions.

Patterns

Traps

• Read replica vs Multi-AZ: Read replicas improve read scalability; Multi-AZ improves availability and failover.
• Backups are not high availability: Backups help recovery but do not automatically keep apps online.
• Multi-Region is not always required: It adds cost and complexity. Use it only if the question requires Regional resilience or global DR.
• EBS is AZ-scoped: To recover in another AZ, use snapshots or AMIs.
• EFS is Regional and multi-AZ by design: Useful for shared Linux file storage across AZs.
• SQS standard queues are at-least-once: Applications must handle duplicate messages.

Domain 3: Design High-Performing Architectures

Concepts

Performance questions test latency, throughput, scalability, and service fit. The best answer often uses caching, distribution, parallelism, read scaling, or a more suitable managed service.

Key concepts:

• Elasticity: Automatically add/remove capacity based on demand.
• Caching: Move repeated reads closer to users or applications.
• Partitioning: Scale data access through partition keys and sharding.
• Asynchronous processing: Use queues/events to avoid blocking user requests.
• Global acceleration: Use edge services for global users.
• Right storage performance: Choose the storage system that matches access pattern and throughput.

Services

• CloudFront, Global Accelerator, Route 53 latency/geolocation routing.
• ALB, NLB, Auto Scaling, EC2 placement groups.
• Lambda, ECS, EKS, Fargate.
• S3 Transfer Acceleration, multipart upload, S3 request rate scaling.
• EBS gp3/io2, EFS performance modes, FSx for Lustre/Windows/NetApp/OpenZFS.
• RDS read replicas, Aurora replicas, DynamoDB on-demand/provisioned capacity, DAX.
• ElastiCache for Redis/Memcached.
• Kinesis, MSK, SQS, EventBridge.

Patterns

Traps

• CloudFront vs Global Accelerator: CloudFront caches HTTP content; Global Accelerator improves TCP/UDP traffic using AWS global network without caching.
• ElastiCache vs read replica: Cache repeated queries/session data with ElastiCache; use read replicas for SQL read scaling.
• DAX vs ElastiCache: DAX is DynamoDB-specific cache; ElastiCache is general application caching.
• Provisioned IOPS vs gp3: Use io2/io2 Block Express for very high IOPS/critical workloads; gp3 is often cost-effective for general purpose.
• Lambda is not always best: Long-running or specialized runtime workloads may fit ECS, EKS, or EC2 better.