What are the four domains of the SAA-C03 exam?
The SAA-C03 domains are: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%). Security Groups are stateful and apply at the instance level — return traffic is automatically allowed. Network ACLs are stateless and apply at the subnet level — both inbound and outbound rules must explicitly allow traffic.
The AWS Certified Solutions Architect - Associate (SAA-C03) is the most widely held AWS certification and one of the most recognized cloud credentials in the industry. It validates the ability to design cost-effective, resilient, and performant solutions using AWS services. The exam is scenario-heavy — most questions present an architecture problem and ask you to choose the best solution from four plausible options.
Passing SAA-C03 requires more than knowing service names. You need to understand when to use each service, how services integrate, and how trade-offs between cost, complexity, and availability affect design decisions.
Exam Overview
The SAA-C03 exam contains 65 questions (50 scored, 15 unscored) with a 130-minute time limit. The passing score is 720 out of 1000. Questions are multiple choice and multiple response. Multiple response questions specify how many answers to select; there is no partial credit.
Domain Weights
| Domain | Weight |
|---|---|
| Domain 1: Design Secure Architectures | 30% |
| Domain 2: Design Resilient Architectures | 26% |
| Domain 3: Design High-Performing Architectures | 24% |
| Domain 4: Design Cost-Optimized Architectures | 20% |
Domain 1: Design Secure Architectures (30%)
Security is the highest-weighted domain. Questions focus on IAM, network security, data protection, and service-level security controls.
IAM Design Patterns
Roles over access keys: Assign IAM roles to EC2 instances and Lambda functions rather than embedding credentials
Permission boundaries: Limit the maximum permissions a role or user can have, used in delegation scenarios
Service Control Policies (SCPs): Applied at the AWS Organizations level to restrict what accounts can do regardless of local IAM policies
Resource-based policies: Attached to resources like S3 buckets; allow cross-account access without role assumption
Cross-account access is a frequent scenario. The correct pattern is to create a role in the target account and have the source account assume it. Direct access via access keys is wrong for this scenario.
VPC Security
Understanding VPC security layers is critical for this domain.
| Layer | Component | Scope |
|---|---|---|
| Subnet boundary | Network ACL (NACL) | Stateless, applies to all traffic in/out of subnet |
| Instance boundary | Security Group | Stateful, applies per instance |
| Network monitoring | VPC Flow Logs | Records accepted and rejected traffic |
NACLs are stateless — return traffic must be explicitly allowed in the outbound rules. Security groups are stateful — if inbound traffic is allowed, the return traffic is automatically permitted.
Data Protection
Encryption at rest: S3 server-side encryption (SSE-S3, SSE-KMS, SSE-C), EBS encryption with KMS
Encryption in transit: TLS/SSL enforced via bucket policies, HTTPS-only endpoints
AWS KMS: Central key management; CMKs can be AWS-managed or customer-managed
AWS Secrets Manager: Stores and rotates credentials, RDS passwords, API keys
AWS Systems Manager Parameter Store: Lightweight alternative to Secrets Manager for non-rotating config values
Domain 2: Design Resilient Architectures (26%)
Resilience questions focus on high availability, fault tolerance, disaster recovery, and decoupled architectures.
Availability Zones and Regions
Designing for high availability means spreading resources across at least two Availability Zones. Key patterns:
Multi-AZ RDS: Synchronous replication to standby in another AZ; automatic failover on failure
Multi-AZ deployments for EC2: Use Auto Scaling Groups with subnets in multiple AZs, behind a load balancer
S3: Automatically stores data across multiple AZs within a region; 99.999999999% durability
Decoupling with SQS and SNS
Tight coupling creates fragile architectures. The exam tests decoupling patterns heavily.
Amazon SQS: Message queue; producers write messages, consumers poll. Standard queues offer at-least-once delivery; FIFO queues guarantee exactly-once ordering
Amazon SNS: Pub/sub; a single message fans out to multiple subscribers (SQS, Lambda, HTTP endpoints, email)
Fan-out pattern: SNS topic writes to multiple SQS queues for parallel independent processing
Disaster Recovery Tiers
The SAA-C03 expects you to know the four DR strategies and their trade-offs:
| Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup and Restore | Hours | Hours | Lowest |
| Pilot Light | Tens of minutes | Minutes | Low |
| Warm Standby | Minutes | Seconds to minutes | Medium |
| Multi-Site Active/Active | Near zero | Near zero | Highest |
RTO (Recovery Time Objective) is how quickly you recover. RPO (Recovery Point Objective) is how much data you can afford to lose. Questions often state a business requirement and ask you to identify the appropriate DR strategy.
Domain 3: Design High-Performing Architectures (24%)
Performance questions focus on caching, compute scaling, database performance, and network acceleration.
Caching Strategies
Amazon CloudFront: CDN for static content, API responses, and dynamic content. Use with S3 origins for static sites
Amazon ElastiCache (Redis): In-memory cache for database query results, session data
Amazon ElastiCache (Memcached): Simple caching for multithreaded applications
DAX (DynamoDB Accelerator): Microsecond read latency for DynamoDB; fully managed, no application code changes required
A common question pattern: "An application experiences slow database reads at peak times." The answer involves ElastiCache or DAX depending on whether the database is relational or DynamoDB.
Compute Scaling
Auto Scaling Groups: Scale EC2 capacity based on CloudWatch metrics, schedules, or predictive scaling
Target tracking scaling: The simplest policy; maintain a metric at a target value (e.g., 50% CPU)
Step scaling: Scale in steps based on metric thresholds
Lambda: Scales automatically; no capacity planning required
Storage Performance
EBS volume types: gp3 for general purpose, io2/io2 Block Express for high IOPS databases, st1 for sequential throughput (log processing), sc1 for cold archives
Instance store: Ephemeral storage physically attached to the host; highest performance but data is lost when the instance stops
S3 Transfer Acceleration: Uses CloudFront edge locations to accelerate uploads to S3
Domain 4: Design Cost-Optimized Architectures (20%)
Cost optimization questions ask you to identify the right pricing model, right-sizing opportunity, or architectural change that reduces spend.
Compute Cost Optimization
Spot Instances: Up to 90% discount; appropriate for fault-tolerant batch processing, stateless web servers
Reserved Instances: 1- or 3-year commitment; best for predictable baseline workloads
Savings Plans: More flexible than RIs; cover EC2, Lambda, and Fargate usage
On-Demand: Use only when workload duration is unknown or very short
Storage Cost Optimization
S3 lifecycle policies are a key exam topic. Transition objects between storage classes based on age:
| Class | Use Case | Retrieval |
|---|---|---|
| S3 Standard | Frequently accessed | Milliseconds |
| S3 Standard-IA | Infrequent access, retrieval fee | Milliseconds |
| S3 One Zone-IA | Non-critical, single AZ | Milliseconds |
| S3 Glacier Instant | Rarely accessed archives | Milliseconds |
| S3 Glacier Flexible | Archives, minutes to hours | Minutes to hours |
| S3 Glacier Deep Archive | Long-term archives | Up to 12 hours |
Common Cost Mistakes
Running oversized EC2 instances: use AWS Compute Optimizer for right-sizing recommendations
Storing all data in S3 Standard when access patterns allow tiering
Running NAT Gateway when all traffic could route through an internet gateway with proper subnet design
Not using VPC endpoints for S3 or DynamoDB access from EC2 (avoid NAT Gateway data charges)
Key Services to Know Cold
Beyond the services mentioned in each domain, these services appear frequently in scenario questions:
AWS Lambda: Event-driven compute; know triggers (S3, DynamoDB Streams, SQS, API Gateway, EventBridge)
Amazon API Gateway: Managed REST and WebSocket APIs; integrates with Lambda, EC2, HTTP backends
Amazon ECS and EKS: Container orchestration; understand Fargate vs. EC2 launch types
Amazon Aurora: MySQL/PostgreSQL-compatible, higher throughput than RDS; Aurora Serverless v2 scales automatically
AWS Step Functions: Orchestrates multi-step workflows; replaces complex Lambda chaining with state machines
"The SAA-C03 is fundamentally a trade-off exam. Almost every question has four plausible answers. Passing requires knowing not just what a service does but when it is the right choice over a cheaper or simpler alternative — and being able to reason through that in 90 seconds." — Adrian Cantrill, AWS instructor and author of the SAA-C03 course used by over 150,000 candidates
What to Skip
Do not spend time on:
Specific CLI syntax or SDK code
Deep CloudFormation template structure
Fine-grained DynamoDB capacity calculation formulas
Detailed VPC peering routing table entries
The exam tests architectural judgment, not implementation specifics.
Study Timeline
Recommended: 6-8 weeks for someone with 1+ years of AWS experience; 10-12 weeks for those starting from scratch.
| Week | Focus |
|---|---|
| 1-2 | VPC, EC2, IAM, S3, and core security services |
| 3-4 | Databases (RDS, Aurora, DynamoDB), messaging (SQS, SNS) |
| 5-6 | High availability patterns, Auto Scaling, CloudFront, caching |
| 7 | Cost optimization, billing, storage classes, serverless patterns |
| 8 | Practice exams, review all wrong answers against official docs |
Take a minimum of three full-length practice exams. The official AWS practice exam is worth purchasing as it uses the same question style as the real exam.
See also: AWS Solutions Architect Professional (SAP-C02) Study Guide: Advanced Architecture Patterns
SAA-C03 career positioning and salary impact
The AWS Solutions Architect Associate is the most broadly valued AWS credential in the market. It is priced at $150 with a 130-minute duration and 65 questions. First-time pass rates range from 60-70% for candidates with relevant AWS experience.
| Role | Seniority | US salary range (2024-2025) [1] | SAA-C03 impact |
|---|---|---|---|
| Cloud Engineer | Entry-Mid | $85,000-$130,000 | $8,000-$15,000 uplift |
| Senior Cloud Engineer | Senior | $135,000-$190,000 | $10,000-$18,000 uplift |
| Solutions Architect | Mid | $120,000-$170,000 | Strong market signal |
| Senior Solutions Architect | Senior | $155,000-$215,000 | Near-required credential |
| Cloud Consultant | Mid-Senior | $130,000-$190,000 | Partner program requirement |
| Pre-sales Solutions Consultant | Senior | $140,000-$200,000 | Required at many AWS Partners |
AWS certification portfolio strategy
| Certification | Current exam code | Fee | Position in portfolio |
|---|---|---|---|
| AWS Cloud Practitioner | CLF-C02 | $100 | Optional foundation |
| AWS SAA-C03 | SAA-C03 | $150 | The core mid-tier cert |
| AWS Developer Associate | DVA-C02 | $150 | Developer-track complement |
| AWS SysOps Administrator | SOA-C02 | $150 | Ops-track complement |
| AWS SAP-C02 | SAP-C02 | $300 | Senior upgrade path |
| AWS DOP-C02 | DOP-C02 | $300 | DevOps Professional path |
| AWS Security Specialty | SCS-C02 | $300 | Security specialty |
| AWS Advanced Networking | ANS-C01 | $300 | Networking specialty |
Candidates following the associate-to-professional path typically progress SAA -> SAP within 12-18 months, with the SAA serving as the foundation for deeper scenario-based learning.
"The SAA-C03 is where most engineers start feeling genuinely comfortable discussing AWS architecture at a professional level. It is not the deepest cert, but it is the one that defines whether you can think architecturally about AWS - which is the single most marketable cloud skill in the 2024-2025 hiring market." - Adrian Cantrill, AWS instructor to over 150,000 students [2].
Service decision tables for exam-day speed
The SAA-C03 rewards quick pattern matching. Memorize these decision tables for the most common service selection scenarios.
Storage selection
| Requirement | Correct choice |
|---|---|
| Shared file system across Linux EC2 | EFS |
| Shared file system across Windows EC2 | FSx for Windows |
| High-throughput HPC file system | FSx for Lustre |
| Object storage with 11 nines durability | S3 Standard |
| Infrequently accessed objects | S3 Standard-IA or Glacier Instant |
| Archive with flexible retrieval | S3 Glacier Flexible |
| Long-term archive (7+ years) | S3 Glacier Deep Archive |
| Block storage attached to one EC2 | EBS |
| Hybrid cloud storage gateway | Storage Gateway |
Database selection
| Requirement | Correct choice |
|---|---|
| Relational database with AWS-specific performance | Aurora |
| Relational database with broad engine support | RDS |
| NoSQL key-value at massive scale | DynamoDB |
| In-memory caching | ElastiCache |
| Data warehouse for analytics | Redshift |
| Graph database | Neptune |
| Time-series data | Timestream |
| Ledger / immutable records | QLDB |
| Document-oriented (MongoDB-compatible) | DocumentDB |
Messaging selection
| Requirement | Correct choice |
|---|---|
| Point-to-point message queue | SQS |
| Pub/sub fanout | SNS |
| Event bus with routing rules | EventBridge |
| Streaming data ingestion | Kinesis Data Streams |
| Managed Kafka | MSK |
| Long-running workflow orchestration | Step Functions |
Scenario-question patterns on SAA-C03
The exam is dominated by scenarios that ask "what is the MOST cost-effective / MOST resilient / BEST performing / LEAST operational overhead" solution. Candidates must recognize the optimization dimension and choose accordingly.
Cost-optimization scenarios - typically lead to S3 Intelligent-Tiering, Spot Instances, Savings Plans, Reserved Instances, or VPC Endpoints to avoid NAT charges.
High-availability scenarios - Multi-AZ RDS, Aurora Multi-Master, Auto Scaling Groups across AZs, Route 53 health checks with failover.
Performance scenarios - ElastiCache for read-heavy workloads, DynamoDB Accelerator (DAX), CloudFront for static assets, Aurora Read Replicas.
Resilience scenarios - Cross-region backup (AWS Backup), S3 Cross-Region Replication, DynamoDB Global Tables, Route 53 DNS failover.
Operational simplicity scenarios - managed services (Aurora Serverless, Lambda, Fargate), AWS Backup, AWS Config for drift detection.
Security scenarios - IAM roles (not users) for application access, KMS encryption, VPC endpoints to avoid internet, S3 Block Public Access.
References
[1] Robert Half. (2024). 2024 Technology Salary Guide. https://www.roberthalf.com/us/en/insights/salary-guide/technology
[2] Cantrill, Adrian. "AWS Certified Solutions Architect - Associate (SAA-C03)." Adrian Cantrill Training, 2024.
AWS. "AWS Certified Solutions Architect - Associate Exam Guide (SAA-C03)." https://d1.awsstatic.com/training-and-certification/docs-sa-assoc/AWS-Certified-Solutions-Architect-Associate_Exam-Guide.pdf
AWS. "AWS Well-Architected Framework." https://docs.aws.amazon.com/wellarchitected/latest/framework/welcome.html
AWS. "Amazon VPC Documentation." https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
Payscale. (2024). AWS Certified Solutions Architect Associate Salary Data. https://www.payscale.com/research/US/Certification=AWS_Certified_Solutions_Architect_-_Associate
Tutorials Dojo. (2024). AWS Certified Solutions Architect Associate Practice Exams Methodology. https://tutorialsdojo.com/aws-certified-solutions-architect-associate-saa-c03/
Maarek, Stephane. (2024). Ultimate AWS Certified Solutions Architect Associate SAA-C03. Udemy published course supplementary material.
Amazon Web Services. (2024). AWS Architecture Center: Reference Architectures. https://aws.amazon.com/architecture/
Roberts, Mark and Mclean, Biff. "AWS Certified Solutions Architect Study Guide: Associate SAA-C03 Exam." Sybex, 3rd edition, 2022.
AWS. "Disaster Recovery of Workloads on AWS: Recovery in the Cloud." AWS Whitepaper. https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-workloads-on-aws.html
AWS. "Security Best Practices in AWS IAM." https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
AWS. "Amazon S3 Storage Classes." https://aws.amazon.com/s3/storage-classes/
Frequently Asked Questions
What are the four domains of the SAA-C03 exam?
The SAA-C03 domains are: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%).
What is the difference between Security Groups and Network ACLs in AWS?
Security Groups are stateful and apply at the instance level — return traffic is automatically allowed. Network ACLs are stateless and apply at the subnet level — both inbound and outbound rules must explicitly allow traffic.
What are the four disaster recovery strategies tested on SAA-C03?
Backup and Restore (lowest cost, highest RTO/RPO), Pilot Light (minimal resources running), Warm Standby (scaled-down full environment), and Multi-Site Active/Active (lowest RTO/RPO, highest cost).
How long should I study for the AWS Solutions Architect Associate exam?
Candidates with 1+ years of AWS experience typically need 6-8 weeks. Those starting with minimal cloud experience should plan for 10-12 weeks, including hands-on lab work.
What is the difference between SQS Standard and FIFO queues?
SQS Standard queues offer at-least-once delivery with best-effort ordering, supporting higher throughput. FIFO queues guarantee exactly-once processing and strict message ordering, with a limit of 300 transactions per second.