The AWS Certified Solutions Architect - Associate (SAA-C03) is the most widely held AWS certification and one of the most recognized cloud credentials in the industry. It validates the ability to design cost-effective, resilient, and performant solutions using AWS services. The exam is scenario-heavy — most questions present an architecture problem and ask you to choose the best solution from four plausible options.
Passing SAA-C03 requires more than knowing service names. You need to understand when to use each service, how services integrate, and how trade-offs between cost, complexity, and availability affect design decisions.
Exam Overview
The SAA-C03 exam contains 65 questions (50 scored, 15 unscored) with a 130-minute time limit. The passing score is 720 out of 1000. Questions are multiple choice and multiple response. Multiple response questions specify how many answers to select; there is no partial credit.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Design Secure Architectures | 30% |
| Domain 2: Design Resilient Architectures | 26% |
| Domain 3: Design High-Performing Architectures | 24% |
| Domain 4: Design Cost-Optimized Architectures | 20% |
Domain 1: Design Secure Architectures (30%)
Security is the highest-weighted domain. Questions focus on IAM, network security, data protection, and service-level security controls.
IAM Design Patterns
- Roles over access keys: Assign IAM roles to EC2 instances and Lambda functions rather than embedding credentials
- Permission boundaries: Limit the maximum permissions a role or user can have, used in delegation scenarios
- Service Control Policies (SCPs): Applied at the AWS Organizations level to restrict what accounts can do regardless of local IAM policies
- Resource-based policies: Attached to resources like S3 buckets; allow cross-account access without role assumption
Cross-account access is a frequent scenario. The correct pattern is to create a role in the target account and have the source account assume it. Direct access via access keys is wrong for this scenario.
VPC Security
Understanding VPC security layers is critical for this domain.
| Layer | Component | Scope |
|---|---|---|
| Subnet boundary | Network ACL (NACL) | Stateless, applies to all traffic in/out of subnet |
| Instance boundary | Security Group | Stateful, applies per instance |
| Network monitoring | VPC Flow Logs | Records accepted and rejected traffic |
NACLs are stateless — return traffic must be explicitly allowed in the outbound rules. Security groups are stateful — if inbound traffic is allowed, the return traffic is automatically permitted.
Data Protection
- Encryption at rest: S3 server-side encryption (SSE-S3, SSE-KMS, SSE-C), EBS encryption with KMS
- Encryption in transit: TLS/SSL enforced via bucket policies, HTTPS-only endpoints
- AWS KMS: Central key management; CMKs can be AWS-managed or customer-managed
- AWS Secrets Manager: Stores and rotates credentials, RDS passwords, API keys
- AWS Systems Manager Parameter Store: Lightweight alternative to Secrets Manager for non-rotating config values
Domain 2: Design Resilient Architectures (26%)
Resilience questions focus on high availability, fault tolerance, disaster recovery, and decoupled architectures.
Availability Zones and Regions
Designing for high availability means spreading resources across at least two Availability Zones. Key patterns:
- Multi-AZ RDS: Synchronous replication to standby in another AZ; automatic failover on failure
- Multi-AZ deployments for EC2: Use Auto Scaling Groups with subnets in multiple AZs, behind a load balancer
- S3: Automatically stores data across multiple AZs within a region; 99.999999999% durability
Decoupling with SQS and SNS
Tight coupling creates fragile architectures. The exam tests decoupling patterns heavily.
- Amazon SQS: Message queue; producers write messages, consumers poll. Standard queues offer at-least-once delivery; FIFO queues guarantee exactly-once ordering
- Amazon SNS: Pub/sub; a single message fans out to multiple subscribers (SQS, Lambda, HTTP endpoints, email)
- Fan-out pattern: SNS topic writes to multiple SQS queues for parallel independent processing
Disaster Recovery Tiers
The SAA-C03 expects you to know the four DR strategies and their trade-offs:
| Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup and Restore | Hours | Hours | Lowest |
| Pilot Light | Tens of minutes | Minutes | Low |
| Warm Standby | Minutes | Seconds to minutes | Medium |
| Multi-Site Active/Active | Near zero | Near zero | Highest |
RTO (Recovery Time Objective) is how quickly you recover. RPO (Recovery Point Objective) is how much data you can afford to lose. Questions often state a business requirement and ask you to identify the appropriate DR strategy.
Domain 3: Design High-Performing Architectures (24%)
Performance questions focus on caching, compute scaling, database performance, and network acceleration.
Caching Strategies
- Amazon CloudFront: CDN for static content, API responses, and dynamic content. Use with S3 origins for static sites
- Amazon ElastiCache (Redis): In-memory cache for database query results, session data
- Amazon ElastiCache (Memcached): Simple caching for multithreaded applications
- DAX (DynamoDB Accelerator): Microsecond read latency for DynamoDB; fully managed, no application code changes required
A common question pattern: "An application experiences slow database reads at peak times." The answer involves ElastiCache or DAX depending on whether the database is relational or DynamoDB.
Compute Scaling
- Auto Scaling Groups: Scale EC2 capacity based on CloudWatch metrics, schedules, or predictive scaling
- Target tracking scaling: The simplest policy; maintain a metric at a target value (e.g., 50% CPU)
- Step scaling: Scale in steps based on metric thresholds
- Lambda: Scales automatically; no capacity planning required
Storage Performance
- EBS volume types: gp3 for general purpose, io2/io2 Block Express for high IOPS databases, st1 for sequential throughput (log processing), sc1 for cold archives
- Instance store: Ephemeral storage physically attached to the host; highest performance but data is lost when the instance stops
- S3 Transfer Acceleration: Uses CloudFront edge locations to accelerate uploads to S3
Domain 4: Design Cost-Optimized Architectures (20%)
Cost optimization questions ask you to identify the right pricing model, right-sizing opportunity, or architectural change that reduces spend.
Compute Cost Optimization
- Spot Instances: Up to 90% discount; appropriate for fault-tolerant batch processing, stateless web servers
- Reserved Instances: 1- or 3-year commitment; best for predictable baseline workloads
- Savings Plans: More flexible than RIs; cover EC2, Lambda, and Fargate usage
- On-Demand: Use only when workload duration is unknown or very short
Storage Cost Optimization
S3 lifecycle policies are a key exam topic. Transition objects between storage classes based on age:
| Class | Use Case | Retrieval |
|---|---|---|
| S3 Standard | Frequently accessed | Milliseconds |
| S3 Standard-IA | Infrequent access, retrieval fee | Milliseconds |
| S3 One Zone-IA | Non-critical, single AZ | Milliseconds |
| S3 Glacier Instant | Rarely accessed archives | Milliseconds |
| S3 Glacier Flexible | Archives, minutes to hours | Minutes to hours |
| S3 Glacier Deep Archive | Long-term archives | Up to 12 hours |
Common Cost Mistakes
- Running oversized EC2 instances: use AWS Compute Optimizer for right-sizing recommendations
- Storing all data in S3 Standard when access patterns allow tiering
- Running NAT Gateway when all traffic could route through an internet gateway with proper subnet design
- Not using VPC endpoints for S3 or DynamoDB access from EC2 (avoid NAT Gateway data charges)
Key Services to Know Cold
Beyond the services mentioned in each domain, these services appear frequently in scenario questions:
- AWS Lambda: Event-driven compute; know triggers (S3, DynamoDB Streams, SQS, API Gateway, EventBridge)
- Amazon API Gateway: Managed REST and WebSocket APIs; integrates with Lambda, EC2, HTTP backends
- Amazon ECS and EKS: Container orchestration; understand Fargate vs. EC2 launch types
- Amazon Aurora: MySQL/PostgreSQL-compatible, higher throughput than RDS; Aurora Serverless v2 scales automatically
- AWS Step Functions: Orchestrates multi-step workflows; replaces complex Lambda chaining with state machines
"The SAA-C03 is fundamentally a trade-off exam. Almost every question has four plausible answers. Passing requires knowing not just what a service does but when it is the right choice over a cheaper or simpler alternative — and being able to reason through that in 90 seconds." — Adrian Cantrill, AWS instructor and author of the SAA-C03 course used by over 150,000 candidates
What to Skip
Do not spend time on:
- Specific CLI syntax or SDK code
- Deep CloudFormation template structure
- Fine-grained DynamoDB capacity calculation formulas
- Detailed VPC peering routing table entries
The exam tests architectural judgment, not implementation specifics.
Study Timeline
Recommended: 6-8 weeks for someone with 1+ years of AWS experience; 10-12 weeks for those starting from scratch.
| Week | Focus |
|---|---|
| 1-2 | VPC, EC2, IAM, S3, and core security services |
| 3-4 | Databases (RDS, Aurora, DynamoDB), messaging (SQS, SNS) |
| 5-6 | High availability patterns, Auto Scaling, CloudFront, caching |
| 7 | Cost optimization, billing, storage classes, serverless patterns |
| 8 | Practice exams, review all wrong answers against official docs |
Take a minimum of three full-length practice exams. The official AWS practice exam is worth purchasing as it uses the same question style as the real exam.
See also: AWS Solutions Architect Professional (SAP-C02) Study Guide: Advanced Architecture Patterns
References
- AWS. "AWS Certified Solutions Architect - Associate Exam Guide (SAA-C03)." https://d1.awsstatic.com/training-and-certification/docs-sa-assoc/AWS-Certified-Solutions-Architect-Associate_Exam-Guide.pdf
- AWS. "AWS Well-Architected Framework." https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
- AWS. "Amazon VPC Documentation." https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
- Cantrill, Adrian. "AWS Certified Solutions Architect - Associate (SAA-C03)." Adrian Cantrill Training, 2023.
- Roberts, Mark and Mclean, Biff. "AWS Certified Solutions Architect Study Guide: Associate SAA-C03 Exam." Sybex, 3rd edition, 2022.
- AWS. "Disaster Recovery of Workloads on AWS: Recovery in the Cloud." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-workloads-on-aws.html
- AWS. "Security Best Practices in AWS IAM." https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- AWS. "Amazon S3 Storage Classes." https://aws.amazon.com/s3/storage-classes/
Frequently Asked Questions
What are the four domains of the SAA-C03 exam?
The SAA-C03 domains are: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%).
What is the difference between Security Groups and Network ACLs in AWS?
Security Groups are stateful and apply at the instance level — return traffic is automatically allowed. Network ACLs are stateless and apply at the subnet level — both inbound and outbound rules must explicitly allow traffic.
What are the four disaster recovery strategies tested on SAA-C03?
Backup and Restore (lowest cost, highest RTO/RPO), Pilot Light (minimal resources running), Warm Standby (scaled-down full environment), and Multi-Site Active/Active (lowest RTO/RPO, highest cost).
How long should I study for the AWS Solutions Architect Associate exam?
Candidates with 1+ years of AWS experience typically need 6-8 weeks. Those starting with minimal cloud experience should plan for 10-12 weeks, including hands-on lab work.
What is the difference between SQS Standard and FIFO queues?
SQS Standard queues offer at-least-once delivery with best-effort ordering, supporting higher throughput. FIFO queues guarantee exactly-once processing and strict message ordering, with a limit of 300 transactions per second.