CertPrepNow (free)
AWS SAA-C03. Updated 2026-05-27

SAA-C03 Study Guide

Everything you need to pass the AWS Certified Solutions Architect – Associate exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The SAA-C03 exam is passable with free and low-cost resources if you study consistently for 4–8 weeks:

  • AWS official exam guide and sample questions (free)
  • AWS Skill Builder free digital training courses
  • AWS documentation and whitepapers (free)
  • 1000+ free practice questions on this site

A paid course such as Stephane Maarek's or Adrian Cantrill's can accelerate your learning, but free resources cover all exam topics.

Choose Your Study Path

This path assumes you hold AWS Cloud Practitioner or have basic AWS experience and still need to learn architectural thinking.

Week 1: Core networking and security. VPC design, subnets, security groups, NACLs, IAM roles and policies
Week 2: Compute and storage. EC2 instance types, EBS vs EFS vs S3, Auto Scaling, load balancers
Week 3: Databases and caching (RDS Multi-AZ, Aurora, DynamoDB, ElastiCache) and serverless (Lambda, API Gateway, SQS/SNS)
Week 4: High availability, DR strategies, cost optimization. Practice questions daily
Week 5: Mock exams, review weak areas, focus on scenario-based reasoning
Week 6: Final mock exams (target 80%+), review confusing service pairs, exam day prep

Exam Overview

Format

65 questions, 130 minutes. Multiple choice (4 options, 1 correct) and multiple response (5–6 options, 2–3 correct).

Scoring

Scaled score 100–1000. Passing: 720. No penalty for wrong answers — always guess if unsure.

Domains & Weights

  • Design Secure Architectures: 30%
  • Design Resilient Architectures: 26%
  • Design High-Performing Architectures: 24%
  • Design Cost-Optimized Architectures: 20%

Registration

$150 USD. Available at Pearson VUE testing centers or online proctored from home.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): Core services tested across all domains. Expect 5-15 questions involving each.
Tier 2 (Should Know): Important services that appear in specific scenarios. Expect 2-5 questions each.
Tier 3 (Recognize Only): Specialty services that appear in 1-2 specific scenarios. Know the use case.

Domain 1: 30% of exam

Design Secure Architectures

The largest domain at 30%. Tests your ability to design secure access, application tiers, and data protection strategies. Every architecture must be secure by default — expect security considerations woven into questions from other domains too.

Key Topics

IAM, KMS, VPC, Security Groups, NACLs, WAF, Shield, CloudTrail, Secrets Manager, ACM, Organizations, IAM Identity Center

Must-Know Concepts

  • IAM policy evaluation: an explicit Deny in any applicable policy always wins; otherwise an explicit Allow is required; with neither, the request falls to the implicit Deny. Know the difference between identity-based policies (attached to users, groups, roles) and resource-based policies (attached to the resource and naming a Principal).
  • Cross-account access patterns: IAM roles with trust policies, resource-based policies (S3, KMS, SNS)
  • VPC security layers: Security Groups (instance), NACLs (subnet), WAF (application, HTTP/HTTPS), Shield (DDoS)
  • Encryption at rest: SSE-KMS with a customer managed key when you need control and an audit trail (key policies, CloudTrail records of key use), SSE-S3 for simplicity, client-side encryption for maximum control
  • Encryption in transit: ACM issues free public TLS certificates for ALB, CloudFront and API Gateway; enforce HTTPS (for S3, a bucket policy condition on aws:SecureTransport)
  • Least privilege: prefer IAM roles over IAM users, scope permissions with conditions, use service-linked roles
  • VPC endpoints: Gateway endpoints (S3 and DynamoDB only; free) vs Interface endpoints (most other services via PrivateLink; billed per hour per AZ plus per GB)
  • AWS Organizations SCPs: set the maximum permissions for member accounts but never grant anything and do not affect the management account; attached to the root, OUs, or individual accounts

Common Exam Traps

IAM roles provide TEMPORARY credentials — they don't have long-term access keys like IAM users
S3 bucket policies, ACLs and IAM policies all affect access. An explicit Deny in any one of them overrides every Allow in the others
VPC endpoints keep traffic within AWS network — data never traverses the public internet
KMS key policies are the PRIMARY authorization mechanism for KMS keys — IAM policies alone are not sufficient without key policy allowing it
Security Groups cannot DENY traffic — they only ALLOW. Use NACLs when you need to block specific IPs
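The evaluation order in the concepts list above is the logic the exam keeps probing, so here is an added example, written for this page and not code from the site or from AWS, that models it in Python: an explicit Deny in any applicable policy wins, an Allow from either the identity-based or the resource-based policy is otherwise required, and an SCP is a ceiling that never grants. The bucket policy in the sample uses the aws:SourceVpce condition from the VPC-endpoint trap above. The model is a deliberate simplification (same-account principal only; no NotAction/NotResource, permission boundaries, session policies or cross-account rules; only StringEquals/StringNotEquals conditions), and every policy, ARN and endpoint ID in it is constructed.

```python
"""Added example, not from the original page: a simplified, same-account
model of IAM policy evaluation. All policies, ARNs and IDs are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource, context):
    """True when a statement's Action, Resource and Condition all match."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatchcase(action.lower(), p) for p in actions):
        return False  # action names are case-insensitive in IAM
    if not any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*"))):
        return False  # ARNs are case-sensitive
    condition = stmt.get("Condition", {})
    for key, wanted in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(wanted):
            return False
    for key, unwanted in condition.get("StringNotEquals", {}).items():
        # As in IAM, a negated operator matches when the key is absent, so a
        # request that did not come through any endpoint is caught by the Deny.
        if context.get(key) in _as_list(unwanted):
            return False
    return True


def _effect(policies, action, resource, context):
    """'Deny' if any applicable statement denies, 'Allow' if one allows, else None."""
    allowed = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit Deny wins; stop looking
            allowed = True
    return "Allow" if allowed else None


def evaluate(action, resource, identity_policies, resource_policies=(),
             scps=None, context=None):
    """Decide Allow/Deny for one request made by a same-account IAM principal."""
    context = context or {}
    if scps is not None:
        # SCPs cap what the account may do; a request the SCPs do not
        # explicitly Allow (or that they Deny) fails before anything else.
        if _effect(scps, action, resource, context) != "Allow":
            return "Deny"
    identity = _effect(identity_policies, action, resource, context)
    resource_based = _effect(resource_policies, action, resource, context)
    if "Deny" in (identity, resource_based):
        return "Deny"   # explicit Deny anywhere
    if "Allow" in (identity, resource_based):
        return "Allow"  # explicit Allow from either policy type
    return "Deny"       # implicit Deny: nothing matched


# Constructed sample policies (illustration only).
ENDPOINT_ID = "vpce-0123456789abcdef0"
DATA_OBJECTS = "arn:aws:s3:::example-data/*"
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": DATA_OBJECTS}]}
# Bucket policy: deny reads that did not arrive through the gateway endpoint.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": DATA_OBJECTS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": ENDPOINT_ID}}}]}
# SCP on the OU: member accounts may only read from S3, never write.
READ_ONLY_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}


def demo():
    """Run the scenarios from the guide and return the decisions."""
    obj = "arn:aws:s3:::example-data/report.csv"
    via_endpoint = {"aws:SourceVpce": ENDPOINT_ID}
    run = lambda action, res, **kw: evaluate(action, res, [ROLE_POLICY], [BUCKET_POLICY], **kw)
    return {
        "get_via_endpoint": run("s3:GetObject", obj, context=via_endpoint),
        "get_from_internet": run("s3:GetObject", obj),
        "delete_bucket_no_statement": run("s3:DeleteBucket", "arn:aws:s3:::example-data"),
        "put_blocked_by_scp": run("s3:PutObject", obj, scps=[READ_ONLY_SCP], context=via_endpoint),
        "get_allowed_under_scp": run("s3:GetObject", obj, scps=[READ_ONLY_SCP], context=via_endpoint),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

One caveat a practitioner should carry over from the KMS trap: this model lets an Allow from either policy type suffice, which is the S3 behaviour. For a KMS key the key policy is the authority, and an IAM identity policy only counts if the key policy delegates to IAM, so a KMS model would require the resource policy to permit the call rather than accept either.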
Quick Check: Design Secure Architectures

Question 1 of 3

A company has an application running on EC2 instances in a private subnet that needs to access an S3 bucket. Security policy requires that no data traverses the public internet. What is the most cost-effective solution?

Domain 2: 26% of exam

Design Resilient Architectures

Tests your ability to design highly available, fault-tolerant systems that can withstand component failures. Key themes: multi-AZ deployments, auto-scaling, loose coupling, disaster recovery strategies, and data backup/replication.

Key Topics

Auto Scaling, ELB, Route 53, RDS Multi-AZ, Aurora, S3 Replication, SQS, DynamoDB Global Tables, AWS Backup, CloudFormation

Must-Know Concepts

  • Multi-AZ vs Multi-Region: Multi-AZ for HA within a Region (automatic). Multi-Region for DR and global users (requires design).
  • Auto Scaling policies: target tracking (simplest), step scaling (granular), scheduled (predictable patterns)
  • DR strategies from lowest cost and longest RTO to highest cost and shortest RTO: Backup & Restore, Pilot Light, Warm Standby, Multi-site Active-Active
  • Loose coupling patterns: SQS between tiers, SNS for fan-out, EventBridge for event-driven
  • Stateless design: store session state in ElastiCache/DynamoDB, not on the instance
  • Database HA: RDS Multi-AZ (sync standby), Aurora (6 copies across 3 AZs), DynamoDB Global Tables (multi-Region)
  • S3 durability (11 nines) vs availability (4 nines for Standard). Cross-Region Replication for DR.

Common Exam Traps

An Auto Scaling Group across 2 AZs with min=2 means 1 instance per AZ — if one AZ fails, you have only 1 instance until ASG launches more
RDS Multi-AZ standby cannot serve read traffic — it's ONLY for failover. Use Read Replicas for read scaling
Aurora automatic failover promotes a read replica in <30 seconds. RDS Multi-AZ failover takes 60-120 seconds
SQS visibility timeout must exceed the time a consumer needs to process AND delete a message; otherwise the message becomes visible again and another consumer receives it (standard queues are at-least-once anyway, so make consumers idempotent)
Route 53 health checks evaluate endpoint health independently of the load balancer health checks
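An added simulation of the visibility-timeout trap in the list above, constructed for this page and not taken from the original guide or the SQS SDK: an in-memory queue with an integer clock in seconds, two consumers polling every five seconds, and one message whose processing takes longer than the timeout. The queue, message body and timings are constructed; `simulate()` returns how many times the single message was fully processed, so a value above 1 is the duplicate the trap describes.

```python
"""Added example, not from the original page: an in-memory model of an SQS
standard queue with a visibility timeout. Constructed simulation, not the SQS API."""
from dataclasses import dataclass, field


@dataclass
class Message:
    body: str
    receipt_handle: str
    invisible_until: int = 0  # receivable again once the clock reaches this
    receive_count: int = 0    # what SQS reports as ApproximateReceiveCount


@dataclass
class FakeQueue:
    visibility_timeout: int
    messages: list = field(default_factory=list)

    def send(self, body):
        self.messages.append(Message(body, f"rh-{len(self.messages) + 1}"))

    def receive(self, now):
        """Return the first visible message and hide it for visibility_timeout."""
        for msg in self.messages:
            if msg.invisible_until <= now:
                msg.invisible_until = now + self.visibility_timeout
                msg.receive_count += 1
                return msg
        return None

    def delete(self, receipt_handle):
        # Simplification: any receipt handle deletes the message. Real SQS
        # expects the most recent handle, which makes a slow consumer's late
        # delete less likely to succeed, not more.
        self.messages = [m for m in self.messages if m.receipt_handle != receipt_handle]


def simulate(visibility_timeout, processing_time, consumers=2, poll_interval=5, horizon=300):
    """Run `consumers` pollers against one message and return how many times
    it was fully processed; more than 1 means duplicate processing."""
    queue = FakeQueue(visibility_timeout)
    queue.send("order-1001")  # constructed sample message
    in_flight = {}            # consumer index -> (message, finish time)
    processed = 0
    for now in range(0, horizon, poll_interval):
        for consumer, (msg, done_at) in list(in_flight.items()):
            if done_at <= now:  # work finished: delete, count, free the consumer
                queue.delete(msg.receipt_handle)
                processed += 1
                del in_flight[consumer]
        for consumer in range(consumers):
            if consumer in in_flight:
                continue
            msg = queue.receive(now)
            if msg is not None:
                in_flight[consumer] = (msg, now + processing_time)
    return processed


if __name__ == "__main__":
    print("timeout 30s, work 45s:", simulate(30, 45), "processing(s)")  # 2
    print("timeout 60s, work 45s:", simulate(60, 45), "processing(s)")  # 1
```

With a 30-second timeout and 45 seconds of work, the second consumer receives the same message at t=30 and both finish it; raising the timeout above the processing time (or calling ChangeMessageVisibility from a long-running consumer) removes the duplicate in this model, while idempotent consumers remain the real defence because standard queues are at-least-once regardless.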
Quick Check: Design Resilient Architectures

Question 1 of 3

A company runs a stateful web application on EC2 instances behind an ALB. Users report losing their session data when instances are replaced during Auto Scaling events. How should a solutions architect fix this with MINIMAL code changes?

Domain 3: 24% of exam

Design High-Performing Architectures

Tests your ability to select the right compute, storage, database, and networking services for performance requirements. Key themes: caching strategies, database selection, storage performance, content delivery, and auto-scaling for performance.

Key Topics

CloudFront, ElastiCache, DynamoDB DAX, Aurora, EBS io2, EFS, S3 Transfer Acceleration, Global Accelerator, Kinesis, API Gateway

Must-Know Concepts

  • Caching layers: CloudFront (edge), ElastiCache (application), DAX (DynamoDB), API Gateway caching
  • EBS volume types: gp3 (general), io2 (high IOPS), st1 (throughput HDD), sc1 (cold HDD). Know IOPS limits.
  • Database performance: Aurora (5x MySQL), DynamoDB (single-digit ms), ElastiCache Redis (<1ms), Redshift (analytics)
  • EC2 placement groups: Cluster (low latency, same AZ), Spread (max HA, different racks), Partition (large distributed workloads)
  • S3 performance: multi-part upload for large files, S3 Transfer Acceleration for global uploads, byte-range fetches for parallel downloads
  • Read-heavy optimization: Read Replicas, ElastiCache, CloudFront, DAX — know when to use which
  • Serverless scaling: Lambda auto-scales per request, API Gateway handles throttling, DynamoDB on-demand scales instantly

Common Exam Traps

gp3 provides 3000 IOPS baseline regardless of volume size. gp2 scales IOPS with size (3 IOPS/GB)
CloudFront caches at edge locations; if content changes every few seconds, caching gives little benefit. Use a very short TTL (or TTL=0) and consider Origin Shield to reduce the load on the origin
ElastiCache Redis cluster mode enables sharding across nodes for >100GB data. Non-cluster mode limited to single node memory
DynamoDB auto-scaling has a delay (minutes) — use on-demand mode for truly unpredictable spiky workloads
S3 can handle 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix
Quick Check: Design High-Performing Architectures

Question 1 of 3

A social media application reads user profiles from an RDS MySQL database. The database is at 90% CPU due to repeated reads of popular profiles. The data changes infrequently. Which solution provides the BEST read performance improvement?

Domain 4: 20% of exam

Design Cost-Optimized Architectures

Tests your ability to design architectures that minimize cost while meeting requirements. Key themes: choosing the right pricing model, right-sizing resources, using serverless, storage tiering, and identifying waste.

Key Topics

EC2 Pricing Models, S3 Storage Classes, Lambda, Fargate, Savings Plans, Cost Explorer, Budgets, Compute Optimizer, Spot Fleet

Must-Know Concepts

  • EC2 pricing from most to least expensive: On-Demand, Reserved (Standard/Convertible), Savings Plans, Spot. Know when to use each.
  • S3 cost optimization: Lifecycle policies to transition data, Intelligent-Tiering for unknown patterns, delete incomplete multipart uploads
  • Serverless cost advantages: Lambda, Fargate, DynamoDB on-demand and Aurora Serverless bill per use rather than per provisioned server, so idle cost is near zero (Aurora Serverless v2 still bills for its configured minimum capacity)
  • Right-sizing: use AWS Compute Optimizer recommendations, downsize overprovisioned instances
  • Data transfer costs: same-AZ free, cross-AZ costs money, cross-Region costs more, internet egress most expensive
  • Spot best practices: use for stateless, fault-tolerant workloads. Diversify instance types. Use Spot Fleet for availability.
  • Reserved capacity: RDS Reserved Instances, ElastiCache Reserved Nodes, DynamoDB Reserved Capacity, Redshift Reserved Nodes

Common Exam Traps

Convertible Reserved Instances cost more than Standard but allow changing instance family/OS — choose based on flexibility need
Savings Plans (Compute) are more flexible than EC2 RIs — they apply across EC2, Fargate, and Lambda
Data transfer between AZs costs $0.01/GB each direction. Minimize cross-AZ traffic for cost-sensitive workloads
S3 Glacier retrieval costs money AND time (Glacier Instant Retrieval returns data in milliseconds but charges more for storage and per retrieval). Factor in retrieval costs when choosing an archival tier
NAT Gateway charges per hour ($0.045) AND per GB processed ($0.045). High-traffic scenarios get expensive
Quick Check: Design Cost-Optimized Architectures

Question 1 of 3

A company runs a predictable workload on 20 EC2 instances 24/7 in us-east-1. The instances are m5.xlarge running Linux. The company is committed to this capacity for 3 years. Which purchasing option provides the MAXIMUM cost savings?

Confusing AWS Services Compared

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

Multi-AZ RDS vs Read Replicas

Use Multi-AZ RDS when…

You need high availability with automatic failover. The standby is synchronously replicated and promoted on failure. No read traffic served from standby.

Use Read Replicas when…

You need to scale read-heavy workloads across multiple copies. Asynchronously replicated. Can be promoted manually but no auto-failover.

Exam trap

Multi-AZ = availability (failover). Read Replicas = scalability (read performance). If the question says 'minimize downtime during failure,' it's Multi-AZ. If it says 'improve read performance,' it's Read Replicas.

ALB (Application Load Balancer) vs NLB (Network Load Balancer)

Use ALB (Application Load Balancer) when…

You need Layer 7 routing: path-based, host-based, HTTP header routing. Supports WebSocket, gRPC, and sticky sessions.

Use NLB (Network Load Balancer) when…

You need Layer 4 (TCP/UDP), ultra-low latency, millions of requests/sec, or static IPs. Required for non-HTTP protocols.

Exam trap

If the question mentions 'static IP,' 'extreme performance,' 'TCP/UDP,' or 'non-HTTP protocol' → NLB. If it mentions 'path routing,' 'microservices,' or 'multiple domains' → ALB.

SQS vs SNS

Use SQS when…

You need to decouple a producer from a consumer, buffer messages, and process them asynchronously. Pull-based — consumers poll for messages.

Use SNS when…

You need to fan-out messages to multiple subscribers simultaneously (email, Lambda, SQS, HTTP). Push-based — SNS pushes to subscribers.

Exam trap

Use SNS + SQS together (fanout pattern) when you need one event to trigger multiple independent processing pipelines. This is a very common SAA pattern.

S3 Lifecycle Policies vs S3 Intelligent-Tiering

Use S3 Lifecycle Policies when…

You know the access pattern — e.g., 'after 30 days move to IA, after 90 days to Glacier.' Deterministic transitions based on age.

Use S3 Intelligent-Tiering when…

Access patterns are unpredictable. Intelligent-Tiering automatically moves objects between access tiers based on actual usage, with no retrieval fees but a small per-object monitoring fee.

Exam trap

If the question says 'unpredictable access patterns' or 'unknown access frequency' → Intelligent-Tiering. If it says 'data not accessed after X days' → Lifecycle Policy.

VPC Peering vs Transit Gateway

Use VPC Peering when…

You need to connect a small number of VPCs directly. Simple, no hourly charge (cross-AZ data transfer at $0.01/GB applies), no transitive routing.

Use Transit Gateway when…

You need to connect many VPCs (10+), on-premises networks via VPN/Direct Connect, or need centralized routing. Hub-and-spoke model.

Exam trap

VPC Peering is NOT transitive — if A peers with B and B peers with C, A cannot reach C through B. Transit Gateway solves this with centralized routing.

AWS VPN vs AWS Direct Connect

Use AWS VPN when…

You need encrypted connectivity to AWS quickly (minutes to set up). Traffic goes over public internet. Good for backup connectivity.

Use AWS Direct Connect when…

You need consistent, low-latency, high-bandwidth private connectivity. Takes weeks to provision. Does NOT encrypt by default.

Exam trap

Direct Connect + VPN gives you both private dedicated link AND encryption. Common pattern: use VPN immediately while Direct Connect is being provisioned.

Pilot Light DR vs Warm Standby DR

Use Pilot Light DR when…

Minimal cost DR: only critical core (database) runs in DR Region. Other resources are off/stopped. RTO: minutes to hours.

Use Warm Standby DR when…

A scaled-down but fully functional version runs in DR Region. Can serve traffic immediately, then scale up. RTO: minutes.

Exam trap

Cost order: Backup & Restore < Pilot Light < Warm Standby < Active-Active. The exam tests whether you can pick the cheapest DR that meets the RTO/RPO requirement.

Security Groups vs NACLs

Use Security Groups when…

Instance-level firewall, stateful (return traffic is automatically allowed), supports Allow rules only. All rules are evaluated together; any matching Allow admits the traffic.

Use NACLs when…

Subnet-level firewall, stateless (must define inbound AND outbound), supports Allow AND Deny. Rules evaluated in number order (first match wins).

Exam trap

Need to BLOCK a specific IP? → NACL (Security Groups can't deny). Need instance-level control with automatic return traffic? → Security Group.
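An added simulation, constructed for this page and not code from the original guide or any AWS API, of the comparison above and of the "Security Groups cannot deny" trap under Domain 1: `nacl_permits()` is a stateless evaluator with numbered rules, first-match semantics and an implicit final deny; `SecurityGroup` is stateful and allow-only, admitting return packets of a tracked flow without any outbound rule. Addresses, ports and rules are constructed, and the security group is built without the default outbound allow-all rule so that statefulness is visible.

```python
"""Added example, not from the original page: a toy model of the two VPC
firewall layers. Packets, addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order, lowest first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp" or "all"
    cidr: str
    port_range: tuple  # destination port range, e.g. (443, 443)


def _rule_hits(rule_protocol, cidr, port_range, peer_ip, packet):
    return (rule_protocol in ("all", packet.protocol)
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr)
            and port_range[0] <= packet.dst_port <= port_range[1])


def nacl_permits(rules, packet, direction):
    """Stateless check of one packet against one direction's NACL rules.
    Inbound rules match the source address, outbound rules the destination
    address; in both directions the port range is the packet's destination
    port, so outbound rules must cover ephemeral ports for replies."""
    peer_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if _rule_hits(rule.protocol, rule.cidr, rule.port_range, peer_ip, packet):
            return rule.action == "allow"  # first match wins
    return False                           # implicit final deny (the '*' rule)


@dataclass(frozen=True)
class SgRule:
    direction: str     # "inbound" or "outbound"; there are no deny rules
    protocol: str
    cidr: str
    port_range: tuple


class SecurityGroup:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port, protocol)

    def permits(self, packet, direction):
        """Stateful: return traffic of a tracked flow is admitted without a rule."""
        reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.protocol)
        if reverse in self.flows:
            return True
        peer_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
        for rule in self.rules:
            if rule.direction == direction and _rule_hits(
                    rule.protocol, rule.cidr, rule.port_range, peer_ip, packet):
                self.flows.add((packet.src_ip, packet.src_port,
                                packet.dst_ip, packet.dst_port, packet.protocol))
                return True
        return False


def demo():
    """Constructed scenarios from the comparison; returns a dict of verdicts."""
    request = Packet("198.51.100.7", 51234, "10.0.1.25", 443)  # client -> web server
    reply = Packet("10.0.1.25", 443, "198.51.100.7", 51234)    # web server -> client
    attacker = Packet("203.0.113.9", 40001, "10.0.1.25", 443)  # address to block

    nacl_in = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
    nacl_out_missing = []  # the common mistake: no outbound rule for replies
    nacl_out_fixed = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]
    block_first = [NaclRule(90, "deny", "tcp", "203.0.113.0/24", (0, 65535))] + nacl_in
    block_last = nacl_in + [NaclRule(110, "deny", "tcp", "203.0.113.0/24", (0, 65535))]

    # Built without the default outbound allow-all rule so statefulness shows.
    sg = SecurityGroup([SgRule("inbound", "tcp", "0.0.0.0/0", (443, 443))])
    return {
        "nacl_request_in": nacl_permits(nacl_in, request, "inbound"),
        "nacl_reply_out_without_ephemeral_rule": nacl_permits(nacl_out_missing, reply, "outbound"),
        "nacl_reply_out_with_ephemeral_rule": nacl_permits(nacl_out_fixed, reply, "outbound"),
        "nacl_block_ip_deny_numbered_first": nacl_permits(block_first, attacker, "inbound"),
        "nacl_block_ip_deny_numbered_after_allow": nacl_permits(block_last, attacker, "inbound"),
        "sg_request_in": sg.permits(request, "inbound"),
        "sg_reply_out_stateful": sg.permits(reply, "outbound"),
        "sg_unsolicited_out": sg.permits(Packet("10.0.1.25", 40000, "198.51.100.7", 80), "outbound"),
    }
```

Two of the verdicts are the exam traps: the reply is dropped by the NACL until an outbound rule covers the ephemeral port range, and the deny rule for 203.0.113.0/24 only works when its number is lower than the allow rule, because the first matching rule ends evaluation.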

Kinesis Data Streams vs Amazon Data Firehose

Use Kinesis Data Streams when…

You need custom consumers, sub-second processing, or replay (data is retained for up to 365 days). In provisioned mode you manage shard capacity yourself; on-demand mode scales it automatically.

Use Amazon Data Firehose when…

You want managed delivery to S3, Redshift, OpenSearch Service, or HTTP endpoints with automatic scaling. Near real-time with configurable buffering.

Exam trap

If the question says 'real-time analytics with custom processing' → Kinesis Data Streams. If it says 'deliver streaming data to S3' → Firehose.

Reserved Instances vs Spot Instances

Use Reserved Instances when…

Predictable, steady-state workloads running 24/7. Commit 1 or 3 years for up to 72% savings. Cannot be interrupted.

Use Spot Instances when…

Fault-tolerant, flexible workloads (batch processing, CI/CD, big data). Up to 90% savings but can be reclaimed with 2-min notice.

Exam trap

Spot + On-Demand + Reserved mixed fleet is the cost-optimal pattern for variable workloads. Spot is NEVER the answer for stateful or time-critical workloads.

Top Mistakes to Avoid

Confusing Multi-AZ (high availability, automatic failover) with Read Replicas (read scaling, manual promotion)
Choosing NAT Gateway when a VPC endpoint would work — VPC Gateway endpoints for S3/DynamoDB are free
Forgetting that Security Groups are stateful but NACLs are stateless — you need both inbound and outbound NACL rules
Selecting Glacier when the question requires immediate data access. Glacier Flexible Retrieval and Deep Archive take minutes to hours; only Glacier Instant Retrieval gives millisecond access
Picking CloudFront when the question is about TCP/UDP optimization — that's Global Accelerator
Using IAM users with access keys for EC2 applications — always use IAM roles for services
Confusing Kinesis Data Streams (custom consumers, manual shards) with Amazon Data Firehose (managed delivery to S3/Redshift/OpenSearch)
Overcomplicating answers: if S3 Transfer Acceleration or CloudFront solves the problem, don't pick Snowball or DataSync
Mixing up VPC Peering (non-transitive, simple) with Transit Gateway (transitive, complex, cost)
Forgetting that EBS is single-AZ — you cannot attach an EBS volume to an instance in a different AZ

Exam-Ready Checklist

Can design a secure, multi-tier VPC with public/private subnets, NAT, and security layers
Know all DR strategies (Backup/Restore, Pilot Light, Warm Standby, Active-Active) and their RTO/RPO trade-offs
Can select the right database (RDS, Aurora, DynamoDB, ElastiCache, Redshift) for any given scenario
Understand all EC2 pricing models and can recommend the cheapest option for a given workload pattern
Can design event-driven and serverless architectures with Lambda, API Gateway, SQS, SNS, and EventBridge
Know when to use caching (CloudFront, ElastiCache, DAX) and which layer to cache at
Understand S3 storage classes and can design lifecycle policies for cost optimization
Can design cross-Region DR and multi-Region active-active architectures
Scored 80%+ on at least two full mock exams consistently
Can eliminate wrong answers using the 'operational overhead' and 'most cost-effective' filters

Recommended Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.
