
AWS Solutions Architect Associate (SAA-C03): Complete Exam-Ready Masterclass
A deep, exam-focused journey through the AWS Solutions Architect – Associate (SAA-C03) blueprint, built around the AWS Well-Architected Framework and real-world design scenarios. You will design secure, resilient, high-performing, and cost-optimized architectures that match the expectations of the actual certification exam.
Course Content
26 modules · 11h 42m total
Orientation: SAA-C03 Exam Blueprint, Strategy, and Mindset
Step into the exam with clarity: see how the SAA-C03 is structured, what the four domains really test, and how to build a study plan that mirrors the official blueprint instead of random service trivia.
AWS Global Infrastructure, Availability Zones, and Core Building Blocks
Before you design anything, you need to know where it runs: dive into Regions, Availability Zones, and the core services that almost every exam scenario builds upon.
AWS Well-Architected Framework and Pillars in Practice
See how real exam questions are anchored in the AWS Well-Architected Framework by walking through its pillars and the tradeoffs they force you to recognize under time pressure.
Shared Responsibility Model and Foundational Security Concepts
Misunderstanding who secures what in AWS is a fast path to wrong answers; dissect the shared responsibility model and see how it shapes every security decision on the exam.
Identity and Access Management Deep Dive: IAM Users, Groups, Roles, and Policies
Access design drives many SAA-C03 questions; walk through real-world IAM patterns so you can instantly recognize the right combination of users, groups, roles, and policies under exam pressure.
Network Security Fundamentals: Amazon VPC, Subnets, and Security Groups
Most secure architectures on AWS start with the VPC: build an intuitive picture of subnets, routing, and security groups so you can safely expose what you must and lock down everything else.
Securing Workloads and Applications: ELB, CloudFront, and Edge Security
See how traffic flows from the internet to your workloads through Elastic Load Balancing and CloudFront, and how to enforce security controls at every hop.
Data Protection at Rest: S3, EBS, RDS, and AWS KMS
Encryption questions often hinge on small details; compare how S3, EBS, and RDS use AWS KMS so you can choose the right key strategy without second-guessing.
Data Protection in Transit and Secure Connectivity
From simple HTTPS to hybrid VPN and Direct Connect, learn how to protect data in motion and pick the right connectivity option for each scenario.
Designing for Resilience: High Availability, Fault Tolerance, and the Reliability Pillar
When the question mentions SLAs, RTO, or RPO, you are in resilience territory; practice mapping these requirements to concrete AWS design patterns.
Scalable and Loosely Coupled Architectures on AWS
Move beyond single-tier stacks and design decoupled systems that scale gracefully under unpredictable load using native AWS services.
Resilient Compute Architectures with Amazon EC2 and AWS Auto Scaling
Turn raw compute into resilient fleets by combining EC2, Auto Scaling, and load balancing to survive failures and traffic spikes automatically.
Resilient Data Architectures: Amazon S3, Amazon RDS, and Backup Strategies
Data is often the most critical asset; design S3 and RDS configurations that survive failures, protect against corruption, and meet strict availability targets.
Global Resilience and Routing with Amazon Route 53 and Multi-Region Designs
When a single Region is not enough, Route 53 becomes your traffic director; learn how to route users intelligently and keep services reachable during failures.
High-Performing Storage Solutions with Amazon S3 and Block/File Storage
Storage choices can make or break performance; compare S3 storage classes, EBS volume types, and file services so you can tune for throughput, IOPS, and latency.
High-Performing and Elastic Compute: EC2 Instance Types and AWS Auto Scaling
Not all EC2 instances are created equal; master instance families, purchasing options, and Auto Scaling policies to hit performance targets without overprovisioning.
High-Performing Databases: Amazon RDS and Related Options
Database performance questions often hide in details like read patterns and bursty workloads; learn how to tune RDS and choose complementary services to keep queries fast.
High-Performing Network Architectures: VPC, Load Balancing, and CloudFront
Network bottlenecks can derail even the best compute and storage plans; design VPC layouts, load balancers, and CloudFront distributions that keep latency low and throughput high.
High-Performing Data Ingestion and Transformation Pipelines
Modern architectures often hinge on moving and transforming data in near real time; examine patterns that keep ingestion pipelines reliable and fast without overengineering.
Cost Optimization Foundations and the Cost Optimization Pillar
Cost questions are about more than picking the cheapest option; connect the cost optimization pillar to concrete patterns that keep bills low without sacrificing business outcomes.
Cost-Optimized Storage Architectures with Amazon S3 and Related Services
Storage can quietly dominate your bill; learn how to mix S3 storage classes, lifecycle policies, and access patterns to control cost without surprising performance drops.
Cost-Optimized Compute: EC2 Instance Types, Purchasing Options, and Auto Scaling
Compute is often the most visible line item; combine the right EC2 instance types, pricing models, and Auto Scaling strategies to keep workloads efficient and affordable.
Cost-Optimized Databases: Amazon RDS and Related Patterns
Database choices can quietly multiply costs; analyze RDS instance classes, storage types, and deployment models to avoid overpaying for capacity you do not need.
Sustainability and Operational Excellence Considerations in AWS Architectures
Beyond passing the exam, modern designs must consider sustainability and operations; see how these ideas intersect with cost, performance, and resilience in realistic scenarios.
Integrated Design Scenarios: Secure, Resilient, High-Performing, and Cost-Optimized
Bring everything together by walking through end-to-end architectures that force you to trade off security, resilience, performance, and cost the way the real exam does.
Final Review, Exam Tactics, and Practice Question Walkthroughs
Close your preparation by dissecting full-length practice questions, refining your timing, and building a checklist of last-week review actions to walk into the exam with confidence.
Read the Textbook
In this module you will align your mental model with how the AWS Solutions Architect – Associate (SAA-C03) exam is actually built. This is your orientation: format, scoring, domains, and how to study like a solution architect instead of a service flashcard machine.
Exam format at a glance
Question types: multiple choice (one correct answer, three distractors) and multiple response (two or more correct answers from five or more options).
Number of questions: 65 in total, of which 50 are scored and 15 are unscored items that AWS uses to evaluate future questions. You cannot tell which are which, so treat every question as scored.
Time limit: 130 minutes, which works out to roughly 2 minutes per question.
Delivery: computer-based, one question on screen at a time, with the ability to flag questions for review.
Scoring model
Results are reported as a scaled score from 100 to 1,000, and the minimum passing score is 720. Scores are scaled statistically so that results are comparable across exam forms of slightly different difficulty, and the model is compensatory: you need to pass the exam as a whole, not each domain separately. You do not need to know the exact math, but this has two practical consequences: you can miss a fair number of questions and still pass, and you should not panic if you see an unfamiliar service; focus on maximizing correct answers overall.
Study Flashcards
Key concepts from this course as flashcard pairs.
Orientation: SAA-C03 Exam Blueprint, Strategy, and Mindset
AWS Well-Architected Framework (definition)
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
List the six AWS Well-Architected Framework pillars in order.
Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability.
Security pillar (definition)
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Reliability pillar (definition)
The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Performance efficiency pillar (definition)
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
Cost optimization pillar (definition)
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
AWS Global Infrastructure, Availability Zones, and Core Building Blocks
AWS Region
A physically separate geographic area that contains multiple Availability Zones. Regions are isolated from each other for fault tolerance, security, compliance, and latency considerations.
Availability Zone (AZ)
One or more discrete data centers in a Region with independent power, cooling, and networking, connected to other AZs in the Region with high-speed, low-latency links. The basic unit for high availability designs.
Edge location
A site used by services like Amazon CloudFront to cache content and terminate connections closer to users, reducing latency. Part of AWS’s global edge network.
Amazon CloudFront
AWS’s content delivery network (CDN) that uses edge locations to cache and deliver content from origins such as S3, EC2, on-prem servers, or load balancers, improving global performance.
Amazon EC2
Amazon Elastic Compute Cloud (EC2) provides resizable virtual servers in the cloud, with different instance types, pricing models, and placement options across subnets and Availability Zones.
Amazon S3
Amazon Simple Storage Service (S3) is object storage that stores data as objects in buckets, with high durability and availability by replicating data across multiple Availability Zones in a Region.
Shared Responsibility Model and Foundational Security Concepts
Canonical definition: shared responsibility model
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
Security of the cloud – one concrete example
Physical security of AWS data centers, including guards, access controls, and secure destruction of storage media.
Security in the cloud – one concrete example
Configuring IAM roles and policies so that only authorized users and services can access an S3 bucket.
Who patches the OS on an EC2 instance?
The customer. OS-level patching and hardening are part of security in the cloud.
Who manages database engine patching for Amazon RDS?
AWS. RDS is a managed database service where AWS patches and maintains the database engine.
Who controls public vs private access to an S3 bucket?
The customer, via bucket policies, ACLs, and Block Public Access settings.
Identity and Access Management Deep Dive: IAM Users, Groups, Roles, and Policies
IAM user
An identity in AWS that represents a person or application needing long-term credentials in a single account. Can have a console password and/or access keys, and receives permissions via identity-based policies.
IAM group
A collection of IAM users. You attach policies to the group, and all members inherit them. Groups cannot be logged into and do not have their own credentials.
IAM role
An AWS identity with permissions but no long-term credentials. Assumed by users, AWS services, or federated identities to obtain temporary STS credentials.
Identity-based policy
A JSON policy attached to a user, group, or role that specifies what actions are allowed or denied on which resources, optionally under certain conditions.
Resource-based policy
A policy attached directly to a resource like an S3 bucket or KMS key. Specifies which principals can access the resource and what actions they can perform.
Explicit Deny
A policy statement with Effect set to Deny. If it matches a request, it overrides any Allow in other policies, causing the request to be denied.
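The decision logic these cards describe (identity-based plus resource-based Allows, with an explicit Deny overriding both) is easy to state and easy to get wrong when several policies apply. The evaluator below is an added example, not code from the course or from AWS; the account id, role and bucket names are constructed placeholders, and `evaluate`, `decide` and the helper names are this example's own. It covers same-account requests only and refuses statements with a Condition block rather than guessing at them.

```python
"""Added example, not part of the course page: a small evaluator for the
same-account IAM decision logic the flashcards above describe.

Rules implemented, in order: an explicit Deny in any matching statement
wins; otherwise an Allow in either an identity-based or a resource-based
policy grants the request (within one account they are a union); otherwise
the request is implicitly denied. Condition blocks are refused rather than
guessed at; permission boundaries, SCPs, session policies and cross-account
rules are out of scope. The account id, role and bucket names are
constructed placeholders.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Most IAM fields accept a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value, fold_case=False):
    """IAM wildcard match ('*' and '?'); actions are case-insensitive, ARNs are not."""
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def _principal_matches(spec, principal):
    if isinstance(spec, str):
        return spec in ("*", principal)
    entries = [v for vals in spec.values() for v in _as_list(vals)]
    return any(e in ("*", principal) for e in entries)


def _applies(stmt, action, resource, principal):
    """Does the statement match the request? Effect is decided by the caller."""
    if "Condition" in stmt:
        raise NotImplementedError("Condition keys are not evaluated by this example")
    if "Action" in stmt:
        if not _any_match(_as_list(stmt["Action"]), action, fold_case=True):
            return False
    elif _any_match(_as_list(stmt.get("NotAction", [])), action, fold_case=True):
        return False
    if "Resource" in stmt:
        if not _any_match(_as_list(stmt["Resource"]), resource):
            return False
    elif _any_match(_as_list(stmt.get("NotResource", [])), resource):
        return False
    # Principal exists only in resource-based policies; an identity policy
    # applies to whichever identity it is attached to.
    if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal):
        return False
    return True


def evaluate(action, resource, principal, identity_policies=(), resource_policies=()):
    """Return (decision, reason) for one request."""
    allowed = False
    for doc in (*identity_policies, *resource_policies):
        for stmt in _as_list(doc["Statement"]):
            if not _applies(stmt, action, resource, principal):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", "explicit deny"   # overrides every Allow
            allowed = True
    return ("Allow", "explicit allow") if allowed else ("Deny", "implicit deny")


# Constructed sample: one role, its identity policy, and a bucket policy.
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"

IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"]},
    # Explicit Deny carves the secrets prefix out of the broader Allow.
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-data/secrets/*"},
]}

LOG_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # Resource-based Allow on a bucket the identity policy never mentions.
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-logs/*"},
]}


def decide(action, resource, principal=APP_ROLE):
    return evaluate(action, resource, principal,
                    identity_policies=[IDENTITY_POLICY],
                    resource_policies=[LOG_BUCKET_POLICY])


if __name__ == "__main__":
    for req in [("s3:GetObject", "arn:aws:s3:::app-data/public/index.html"),
                ("s3:GetObject", "arn:aws:s3:::app-data/secrets/db.pem"),
                ("s3:GetObject", "arn:aws:s3:::shared-logs/2024/app.log"),
                ("s3:PutObject", "arn:aws:s3:::app-data/public/index.html")]:
        print(req, "->", decide(*req))
```

The four sample requests exercise each rule: the public object is allowed by the identity policy, the secrets object hits the explicit Deny even though an Allow also matches, the log object is allowed purely by the bucket policy, and the PutObject falls through to the implicit deny. Raising on Condition is deliberate: a condition can flip any of these answers, and an evaluator that silently ignores it would report Allow for requests the real service rejects.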
Network Security Fundamentals: Amazon VPC, Subnets, and Security Groups
Amazon VPC
A logically isolated virtual network in an AWS Region where you define IP ranges, subnets, routing, and network security controls for your resources.
Public subnet (practical definition)
A subnet whose route table has a route to an Internet Gateway and that contains resources with public or Elastic IPs, making them directly reachable from the internet (subject to security controls).
Private subnet
A subnet without a direct route to an Internet Gateway. Resources typically access the internet through a NAT gateway or VPC endpoints and are not directly reachable from the internet.
Internet Gateway (IGW)
A horizontally scaled, redundant VPC component that allows communication between resources in your VPC and the internet.
NAT gateway
A managed service in a public subnet that allows instances in private subnets to initiate outbound internet connections while preventing unsolicited inbound connections.
Security group
A stateful virtual firewall attached at the network-interface level (in practice, to instances and other resources such as load balancers) that controls inbound and outbound traffic using allow rules only. Return traffic for an allowed connection is permitted automatically, and there is no way to write a deny rule; anything not explicitly allowed is dropped.
Securing Workloads and Applications: ELB, CloudFront, and Edge Security
Application Load Balancer (ALB)
A Layer 7 load balancer that supports HTTP/HTTPS, host and path-based routing, WebSocket, security groups, AWS WAF integration, and TLS termination with ACM certificates. Ideal for web apps and APIs.
Network Load Balancer (NLB)
A Layer 4 load balancer for TCP/UDP/TLS with very high performance and a static IP per Availability Zone. It has no AWS WAF integration. Security groups on NLBs were introduced in 2023 and can only be attached when the load balancer is created; older NLBs, and most exam material, assume none, in which case you secure the targets and their security groups must admit the client or NLB source addresses.
Origin Access Control (OAC)
A mechanism for CloudFront to securely access S3 buckets so that the bucket can block public access and only trust requests coming from the CloudFront distribution.
AWS WAF
A web application firewall that lets you monitor and control HTTP(S) requests based on rules, protecting against common web exploits like SQL injection and cross-site scripting.
AWS Shield Standard
Automatic, always-on DDoS protection for AWS services such as CloudFront, Route 53, and Elastic Load Balancing, included at no extra cost.
End-to-end TLS
A pattern where traffic is encrypted with TLS from the client through intermediate components (CloudFront, ALB) all the way to the backend targets, ensuring encryption in transit at every hop.
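The shared-responsibility card says the customer decides public versus private access through bucket policies and Block Public Access, and the OAC card says the bucket can stay non-public while CloudFront reads it. What makes a statement "public" is the part people get wrong. The checker below is an added example, not course or AWS code: it applies the Block Public Access rule in simplified form (an Allow to any principal is public unless a Condition pins the caller), using a subset of the restricting condition keys, and builds the OAC policy shape that passes the check. Bucket names, account ids and the distribution ARN are constructed placeholders.

```python
"""Added example, not part of the course page: a check for bucket-policy
statements that make an S3 bucket public, plus the Origin Access Control
(OAC) policy shape that lets Block Public Access stay on.

The public test follows the Block Public Access semantics in simplified
form: an Allow to principal "*" (or {"AWS": "*"}) is public unless a
Condition pins the caller with a restricting key. RESTRICTING_KEYS is a
subset of the keys AWS recognises (an assumption of this example), and
the account ids, bucket names and ARNs are constructed placeholders.
"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Subset of condition keys that turn an any-principal grant into a non-public one.
RESTRICTING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceaccount",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}
NEGATIVE_OPERATOR_PREFIXES = ("stringnot", "arnnot", "notipaddress")


def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _pinning_keys(stmt):
    """Condition keys (lower-cased) under positive operators only; a
    StringNotEquals on aws:SourceVpce widens access rather than pinning it."""
    keys = set()
    for operator, kv in (stmt.get("Condition") or {}).items():
        if operator.lower().startswith(NEGATIVE_OPERATOR_PREFIXES):
            continue
        keys.update(k.lower() for k in kv)
    return keys


def find_public_statements(policy):
    """Return [(Sid, reason)] for every Allow that exposes the bucket too widely."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append((sid, "Allow with NotPrincipal grants everyone not listed"))
            continue
        principal = stmt.get("Principal")
        pins = _pinning_keys(stmt)
        if _is_anonymous(principal) and not (pins & RESTRICTING_KEYS):
            findings.append((sid, "any principal, no restricting condition"))
        elif isinstance(principal, dict) and "Service" in principal \
                and not pins & {"aws:sourcearn", "aws:sourceaccount"}:
            # Unpinned service principal: any CloudFront distribution in any
            # account could use this bucket as an origin (confused deputy).
            findings.append((sid, "service principal not pinned with aws:SourceArn/SourceAccount"))
    return findings


def oac_bucket_policy(bucket, distribution_arn):
    """Policy CloudFront generates for OAC: only the CloudFront service
    principal, acting for this one distribution, may read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


# Constructed sample policies.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]}

VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "FromOurEndpoint", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

ANY_DISTRIBUTION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyCloudFront", "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site/*"}]}

DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE"

if __name__ == "__main__":
    for name, pol in [("PUBLIC_READ", PUBLIC_READ), ("VPCE_ONLY", VPCE_ONLY),
                      ("ANY_DISTRIBUTION", ANY_DISTRIBUTION),
                      ("OAC", oac_bucket_policy("example-site", DIST_ARN))]:
        print(name, find_public_statements(pol))
```

Two results are worth noticing. `VPCE_ONLY` uses Principal "*" but is not public, because the `aws:SourceVpce` condition confines callers to one VPC endpoint; that is exactly why Block Public Access does not break it. `ANY_DISTRIBUTION` has no wildcard anywhere and still gets flagged: without `AWS:SourceArn`, the CloudFront service principal acts for every distribution in every account, which is the confused-deputy hole the generated OAC policy closes.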
Data Protection at Rest: S3, EBS, RDS, and AWS KMS
AWS KMS key (formerly CMK)
A logical key resource in AWS KMS whose plaintext key material never leaves KMS. Used for cryptographic operations like generating and protecting data keys for S3, EBS, and RDS encryption.
AWS managed key (for example, aws/s3)
A KMS key created and fully managed by AWS for a specific service. Limited customization, automatic rotation, and no detailed key policy control by the customer.
Customer managed key
A KMS key that you create and manage. You control key policies, grants, aliases, tags, optional automatic rotation (yearly by default), and deletion scheduling. Preferred when you need fine-grained access control, cross-account use, or auditable per-key authorization for compliance.
Envelope encryption
A pattern where KMS keys protect data keys, and the data keys encrypt the actual data. The encrypted data key is stored with the data, while the KMS key stays inside KMS.
SSE-S3 vs SSE-KMS
SSE-S3 uses S3-managed keys without KMS calls. SSE-KMS uses KMS keys (AWS or customer managed), incurs KMS API charges, and allows key-level access control and auditing.
EBS encryption behavior
EBS volumes use a data key from KMS to encrypt data at rest. You cannot change the KMS key of an existing volume directly; you must snapshot and restore with a new key.
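The envelope-encryption and SSE-KMS cards above describe three properties that are easier to see in code than in prose: the KMS key never leaves KMS, every use of it is an authorization decision that is audited, and the wrapped data key travels with the data. The block below is an added example, not course or AWS code, against a simulated KMS (`FakeKms`, this example's own name). Because the Python standard library has no AES-GCM, the symmetric cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag; it is a stand-in so the example runs offline, and the envelope structure, not the cipher, is the point. Principal ARNs and key ids are constructed placeholders.

```python
"""Added example, not part of the course page: envelope encryption against a
simulated KMS, showing what the SSE-KMS and EBS flashcards describe.

FakeKms stands in for the KMS control plane: the key encryption key (KEK)
never leaves the object, every call is checked against a per-key policy and
written to an audit log. The symmetric cipher is built from the standard
library (HMAC-SHA256 counter-mode keystream plus HMAC tag) because stdlib
Python has no AES-GCM; it is a stand-in, the envelope structure is the point.
Principal ARNs and key ids are constructed placeholders.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (_prf(enc_key, nonce + struct.pack(">I", i)) for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _seal(key, nonce, plaintext):
    """Encrypt-then-MAC with separate keys derived from one 32-byte key."""
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct, _prf(mac_key, nonce + ct)


def _open(key, nonce, ct, tag):
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + ct)):
        raise ValueError("authentication failed: ciphertext or tag modified")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Holds KEKs, enforces a key policy, audits; never exposes key material."""

    def __init__(self):
        self._keys = {}   # key_id -> (KEK bytes, principals allowed to use it)
        self.audit = []   # (api, key_id, principal, outcome), like CloudTrail events

    def create_key(self, key_id, allowed_principals):
        self._keys[key_id] = (os.urandom(32), set(allowed_principals))

    def _authorize(self, api, key_id, principal):
        kek, allowed = self._keys[key_id]
        outcome = "Success" if principal in allowed else "AccessDenied"
        self.audit.append((api, key_id, principal, outcome))
        if outcome != "Success":
            raise PermissionError(f"{principal} is not allowed kms:{api} on {key_id}")
        return kek

    def generate_data_key(self, key_id, principal):
        """Return (plaintext data key, wrapped data key). The wrapped blob records
        the key id, as real KMS ciphertext does, so the reader need not know it."""
        kek = self._authorize("GenerateDataKey", key_id, principal)
        dek, nonce = os.urandom(32), os.urandom(NONCE_LEN)
        ct, tag = _seal(kek, nonce, dek)
        kid = key_id.encode()
        return dek, struct.pack(">B", len(kid)) + kid + nonce + tag + ct

    def decrypt(self, wrapped, principal):
        n = wrapped[0]
        key_id, rest = wrapped[1:1 + n].decode(), wrapped[1 + n:]
        nonce, tag, ct = rest[:NONCE_LEN], rest[NONCE_LEN:NONCE_LEN + TAG_LEN], rest[NONCE_LEN + TAG_LEN:]
        kek = self._authorize("Decrypt", key_id, principal)   # key-level access control
        return _open(kek, nonce, ct, tag)


def encrypt_object(kms, key_id, principal, plaintext):
    """One KMS call per object; the bulk data never goes to KMS."""
    dek, wrapped = kms.generate_data_key(key_id, principal)
    nonce = os.urandom(NONCE_LEN)
    ct, tag = _seal(dek, nonce, plaintext)
    del dek  # drop the plaintext data key as soon as the object is sealed
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": ct, "tag": tag}


def decrypt_object(kms, principal, env):
    dek = kms.decrypt(env["wrapped_key"], principal)  # authorization and audit happen here
    return _open(dek, env["nonce"], env["ciphertext"], env["tag"])


if __name__ == "__main__":
    APP = "arn:aws:iam::111122223333:role/app-role"
    ANALYST = "arn:aws:iam::111122223333:role/analyst"
    kms = FakeKms()
    kms.create_key("app-key", [APP])
    env = encrypt_object(kms, "app-key", APP, b"customer record 42")
    print(decrypt_object(kms, APP, env))
    try:
        decrypt_object(kms, ANALYST, env)
    except PermissionError as exc:
        print("denied:", exc)
    print(kms.audit)
```

The shape maps directly onto the cards: `generate_data_key` is the one KMS round trip per object, the returned blob is what S3 stores in object metadata or EBS stores with the volume, and a principal who can read the ciphertext but lacks kms:Decrypt on that key gets nothing and leaves an AccessDenied event in the audit log. Re-keying a volume is also visible here: changing the key means unwrapping with the old KEK and wrapping with the new one, which is why EBS asks you to snapshot and copy rather than edit the key in place.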
Data Protection in Transit and Secure Connectivity
Data in transit
Data that is actively moving from one location to another, such as across the internet, within a VPC, or between on‑premises and AWS.
TLS/SSL
A cryptographic protocol that provides confidentiality, integrity, and authentication for data in transit. Modern implementations use TLS; SSL is the older term still seen in labels.
VPC peering
A networking connection between two VPCs that enables private routing of traffic using IPv4 or IPv6 addresses. It is non‑transitive and provides broad VPC‑level connectivity.
AWS PrivateLink
A technology that provides private connectivity between VPCs, AWS services, and on‑premises networks by exposing specific services via interface endpoints using private IPs.
Site‑to‑Site VPN
An IPsec VPN connection between your on‑premises network and your AWS VPC (via a virtual private gateway or Transit Gateway) over the public internet.
AWS Direct Connect
A dedicated network connection from your premises to AWS that bypasses the public internet, offering more consistent performance. It does not encrypt traffic by itself: MACsec is available on dedicated 10 Gbps and faster connections, and otherwise you run a Site-to-Site VPN over the Direct Connect link when encryption is required.
Designing for Resilience: High Availability, Fault Tolerance, and the Reliability Pillar
High availability (HA)
Design approach that keeps a system operational for the maximum possible time, usually via redundancy and automated failover. Brief outages may occur during failover, but recovery is fast.
Fault tolerance (FT)
Ability of a system to continue operating without interruption when one or more components fail. Failures are masked from users through real-time redundancy and no single point of failure.
Durability
Likelihood that data remains intact and correct over time despite failures. Often expressed with many "nines" (for example, S3 Standard durability of 99.999999999%). It is about not losing data, not about availability.
RTO (Recovery Time Objective)
Maximum acceptable time that a system can be unavailable after a failure before it must be restored to operation.
RPO (Recovery Point Objective)
Maximum acceptable amount of data loss measured in time. It defines how far back in time data may be lost due to a failure.
Multi-AZ architecture
An AWS design that distributes resources (for example, EC2 instances, RDS) across multiple Availability Zones within a Region to protect against AZ-level failures.
Scalable and Loosely Coupled Architectures on AWS
Stateless application tier
An application layer where no user-specific or request-specific state is stored on individual instances between requests. State such as sessions, files, and queues is externalized to shared services like ElastiCache, DynamoDB, or S3, enabling safe horizontal scaling.
Loose coupling
A design approach where components minimize direct dependencies on each other, often by communicating via queues, topics, or events. Each component can evolve, scale, or fail independently without bringing down the whole system.
Amazon SQS Standard vs FIFO queues
Standard queues offer high throughput with at-least-once delivery and best-effort ordering. FIFO queues preserve strict first-in-first-out ordering with exactly-once processing semantics and support message groups, but with lower throughput.
Amazon SNS
A fully managed publish/subscribe messaging service where publishers send messages to a topic and SNS fans them out to multiple subscribers such as SQS queues, Lambda functions, HTTP endpoints, email, or SMS.
Amazon EventBridge
An event bus service that receives events from AWS services, SaaS partners, and custom applications, and uses rules to route events to targets like Lambda, SQS, SNS, Step Functions, and Kinesis based on event patterns.
Horizontal scaling
Increasing capacity by adding more instances of a resource, such as additional EC2 instances in an Auto Scaling group or more Lambda invocations, rather than increasing the size of a single instance.
Resilient Compute Architectures with Amazon EC2 and AWS Auto Scaling
Auto Scaling group (ASG)
A service that manages a fleet of EC2 instances, maintaining a specified minimum, desired, and maximum capacity, and optionally scaling capacity automatically based on policies and health checks.
Multi-AZ EC2 architecture
An EC2 deployment pattern where instances are distributed across at least two Availability Zones in a Region to improve availability and fault tolerance.
Application Load Balancer (ALB)
A Layer 7 load balancer that distributes HTTP/HTTPS and gRPC traffic, supports advanced routing (host/path-based), and integrates with target groups and health checks.
Target tracking scaling policy
An Auto Scaling policy type where you define a target value for a metric (such as CPU utilization), and the ASG automatically adjusts capacity to keep the metric near that value.
Scheduled scaling
An Auto Scaling feature that changes the minimum, maximum, or desired capacity of an Auto Scaling group at specific times based on a schedule.
Stateless application server
An EC2-based application component that does not store user session or critical data locally, allowing instances to be freely terminated and replaced without data loss.
Resilient Data Architectures: Amazon S3, Amazon RDS, and Backup Strategies
Durability (in the context of S3)
The probability that data is not lost over time. S3 Standard provides 99.999999999% (11 9s) durability by redundantly storing objects across multiple devices in multiple AZs.
Availability (in the context of S3)
The percentage of time that data is accessible on demand. S3 Standard provides 99.99% availability in a given year.
RDS Multi-AZ deployment
An RDS configuration where AWS maintains a synchronous standby in another AZ for high availability and automatic failover. In a Multi-AZ DB instance deployment the standby cannot serve reads, so it is not a read-scaling feature; Multi-AZ DB cluster deployments, with two readable standbys, are the exception.
RDS read replica
An asynchronously replicated copy of an RDS database used for read scaling and as a building block for disaster recovery. Failover to it is not automatic in the same way as Multi-AZ.
Point-in-time recovery (RDS)
The ability to restore a new RDS instance to an exact time within the automated backup retention window using snapshots and transaction logs.
Backup and restore DR pattern
A low-cost DR strategy where only backups are stored in the DR Region. Infrastructure is recreated and data restored after a disaster, leading to high RPO and RTO.
Global Resilience and Routing with Amazon Route 53 and Multi-Region Designs
Hosted zone
A container for DNS records for a specific domain, such as example.com. Public hosted zones are visible on the internet; private hosted zones are visible only within one or more VPCs.
Alias record
An AWS-specific record type that lets you map a DNS name to certain AWS resources (like ALBs, CloudFront, S3 websites) and can be used at the zone apex. Alias targets automatically track IP changes and incur no extra DNS query charge.
Failover routing policy
A Route 53 routing policy that uses primary and secondary records. Combined with health checks, it routes traffic to the secondary when the primary becomes unhealthy, enabling active-passive architectures.
Latency-based routing (LBR)
A routing policy that directs users to the AWS Region with the lowest network latency, based on Route 53 measurements. Commonly used for active-active multi-Region architectures.
Geolocation routing
A routing policy that directs traffic based on the geographic location of the user’s DNS resolver IP (continent, country, or state). Useful for data residency, compliance, and localization.
Active-active multi-Region
An architecture where multiple Regions actively serve production traffic at the same time, often using latency-based or weighted routing. Improves global performance and resilience but increases cost and complexity.
High-Performing Storage Solutions with Amazon S3 and Block/File Storage
Performance efficiency pillar (definition)
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
Best S3 class for frequently accessed, latency-sensitive data
S3 Standard – optimized for frequent access with low latency and high throughput across multiple Availability Zones.
Best EBS type for critical OLTP databases needing very high IOPS
Provisioned IOPS SSD (io2) – offers high, consistent IOPS and low latency suitable for mission-critical transactional databases.
Best EBS type for big, sequential analytics workloads
Throughput Optimized HDD (st1) – designed for large, sequential I/O with high throughput at lower cost than SSD.
Service: Managed NFS file system for Linux with elastic scaling
Amazon EFS – a managed, elastic NFS file system that can be mounted concurrently by many Linux-based clients in the same Region.
Service: High-performance file system for HPC and ML, integrated with S3
Amazon FSx for Lustre – provides very high throughput and low latency for compute-intensive workloads and can import/export data to S3.
High-Performing and Elastic Compute: EC2 Instance Types and AWS Auto Scaling
General purpose instances (A, T, M)
EC2 families that provide a balance of compute, memory, and networking resources. Suitable for a wide range of workloads including web servers, application servers, and small databases.
Compute optimized instances (C)
EC2 families with a high ratio of CPU to memory, ideal for compute-bound applications like high-performance web servers, batch processing, and scientific modeling.
Memory optimized instances (R, X)
EC2 families designed to deliver fast performance for workloads that process large data sets in memory, such as in-memory databases and real-time big data analytics.
Storage optimized instances (I, D, H)
EC2 families optimized for workloads that require high, sequential read and write access to very large data sets on local storage, such as NoSQL databases and data warehousing.
Accelerated computing instances (P, G, Trn, Inf, F)
EC2 families that use hardware accelerators like GPUs, FPGAs, or custom ASICs for tasks such as machine learning, graphics rendering, and high-performance computing.
Right-sizing
The process of matching EC2 instance types and sizes to workload performance and utilization characteristics, aiming to use the smallest instance that still meets requirements.
High-Performing Databases: Amazon RDS and Related Options
Amazon RDS
A managed relational database service that handles provisioning, patching, backups, and basic monitoring for engines like MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Amazon Aurora.
Read replica
A read-only copy of a database instance that uses asynchronous replication from the primary to offload read traffic and improve read scalability.
Multi-AZ deployment (standard RDS engines)
A high-availability configuration where data is synchronously replicated to a standby instance in another Availability Zone. It improves availability and durability but does not increase read capacity.
Amazon Aurora reader endpoint
A cluster endpoint in Aurora that automatically load-balances read-only connections across available reader instances to scale read throughput.
RDS Proxy
A fully managed database proxy for RDS and Aurora that pools and shares database connections, improving scalability, resilience, and performance for applications with many short-lived connections.
Amazon ElastiCache
A managed in-memory data store service compatible with Redis and Memcached, commonly used as a caching layer to reduce database load and improve latency.
High-Performing Network Architectures: VPC, Load Balancing, and CloudFront
Performance efficiency pillar
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
Public subnet
A subnet associated with a route table that has a route to an internet gateway, allowing resources in the subnet to communicate directly with the internet.
Private subnet
A subnet that does not have a direct route to an internet gateway. Instances typically reach the internet via a NAT gateway or NAT instance in a public subnet.
VPC gateway endpoint
A VPC endpoint type that uses route table entries to provide private connectivity to S3 or DynamoDB without requiring an internet gateway or NAT gateway.
VPC interface endpoint (PrivateLink)
A VPC endpoint type that creates elastic network interfaces with private IPs in your subnets to privately connect to supported AWS or SaaS services.
Application Load Balancer (ALB)
A Layer 7 load balancer optimized for HTTP/HTTPS and gRPC that supports advanced routing, TLS termination, and features like WebSockets and WAF integration.
High-Performing Data Ingestion and Transformation Pipelines
Batch ingestion
A data ingestion approach where data is collected over a period of time (minutes, hours, days) and processed together, typically using services like AWS Glue, EMR, or scheduled jobs over S3 data.
Streaming ingestion
A continuous data ingestion approach where events are processed with low latency (seconds or less), commonly using Kinesis Data Streams, Kinesis Data Firehose, or Amazon MSK.
Kinesis Data Streams
A scalable, real-time streaming service that uses shards to provide ordered, replayable streams and supports multiple custom consumer applications.
Kinesis Data Firehose
A fully managed service that reliably loads streaming data into destinations such as Amazon S3, Amazon Redshift, and Amazon OpenSearch Service, handling buffering, scaling, and retries for you.
AWS Glue
A serverless data integration service based on Apache Spark that simplifies discovering, preparing, and combining data for analytics, machine learning, and application development.
AWS DMS (Database Migration Service)
A managed service that helps migrate and replicate databases to AWS with minimal downtime, including ongoing change data capture from source databases.
Cost Optimization Foundations and the Cost Optimization Pillar
Cost optimization pillar (definition)
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
AWS Well-Architected Framework (definition)
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Main AWS cost drivers
Compute (instance hours, vCPU/memory), storage (GB-months, storage class), requests and I/O, data transfer (especially out to the internet and cross-Region), and managed service features (e.g., RDS replicas, DynamoDB capacity).
AWS Cost Explorer
A tool that provides visualizations and reports of your AWS costs and usage, allowing you to break down spend by service, account, Region, tag, and more.
AWS Budgets
A service that lets you set custom cost and usage budgets and receive alerts via email or SNS when your usage approaches or exceeds those thresholds.
Cost allocation tags
User-defined tags (for example, Project, Environment, CostCenter) that you activate for cost allocation so you can attribute AWS costs to specific projects, teams, or applications.
Cost-Optimized Storage Architectures with Amazon S3 and Related Services
Durability vs Availability in S3
Durability is the probability that data is not lost (S3 commonly offers 11 9s). Availability is the percentage of time data is accessible. Cheaper S3 classes usually trade availability or retrieval characteristics, not durability.
S3 Standard-IA
A multi-AZ storage class with lower storage cost but higher retrieval cost and a minimum storage duration. Used for infrequently accessed data that still requires rapid access when needed.
S3 One Zone-IA
A single-AZ infrequent access class with lower cost than Standard-IA. Suitable for re-creatable or non-critical data where loss of an AZ is acceptable.
S3 Intelligent-Tiering
A storage class that automatically moves objects between access tiers based on access patterns, for a small monitoring fee, to optimize cost when access patterns are unpredictable.
S3 Glacier Instant Retrieval
Archive storage with millisecond retrieval but higher per-GB retrieval cost and minimum storage duration. Used for rarely accessed data that must still be retrieved immediately.
S3 Glacier Flexible Retrieval
Low-cost archive storage with retrieval in minutes to hours using retrieval jobs. Suitable for data accessed a few times per year where some delay is acceptable.
Cost-Optimized Compute: EC2 Instance Types, Purchasing Options, and Auto Scaling
Cost optimization pillar
"The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs."
Steady-state workload
A workload with relatively constant, predictable resource usage over time (for example, an always-on production API). Best served by discounted capacity such as Savings Plans or Reserved Instances.
Spiky workload
A workload with low or moderate baseline usage and occasional large peaks (for example, retail during holidays). Typically uses a combination of discounted baseline capacity and Auto Scaling for bursts.
Spot Instance
An EC2 instance that uses spare AWS capacity at a steep discount but can be interrupted by AWS with a 2-minute warning. Best for fault-tolerant, flexible workloads.
Target tracking scaling policy
An Auto Scaling policy type that automatically adjusts the number of instances to keep a specified metric (such as average CPU utilization) near a target value.
Right-sizing
The process of selecting the most appropriate instance family and size based on actual utilization metrics so that resources are neither significantly underused nor overloaded.
Cost-Optimized Databases: Amazon RDS and Related Patterns
Cost optimization pillar
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Burstable RDS instance class (T family)
An RDS instance type that uses a CPU credit model, offering low baseline performance with the ability to burst. Ideal for dev/test and low-average-load workloads at low cost, but can throttle under sustained high CPU.
General Purpose SSD (gp3) for RDS
The current general-purpose SSD storage type where you provision storage size, IOPS, and throughput separately. Suitable for most workloads, with a good balance of price and performance.
Provisioned IOPS SSD (io1/io2) for RDS
High-performance SSD storage where you provision both capacity and a fixed IOPS level. Designed for I/O-intensive, latency-sensitive workloads, but more expensive and must be sized carefully.
Multi-AZ RDS deployment
An RDS configuration that maintains a synchronous standby in a different Availability Zone and can fail over automatically, roughly doubling instance and storage cost but improving availability.
RDS read replica
An asynchronously replicated copy of an RDS database used to offload read traffic or support cross-Region reads and DR. Each replica incurs its own instance and storage costs.
Sustainability and Operational Excellence Considerations in AWS Architectures
AWS Well-Architected Framework pillars (list all six in order)
Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability
Sustainability pillar (canonical definition)
The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads by maximizing utilization and minimizing the resources required, and by reducing the energy required to deliver business value.
Cost optimization pillar (canonical definition)
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Performance efficiency pillar (canonical definition)
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
How does Auto Scaling support sustainability?
Auto Scaling adjusts capacity to match demand, reducing idle resources and increasing utilization. This lowers cost and energy use while maintaining performance.
Example of an operational practice that improves sustainability
Using Infrastructure as Code and scheduled automation to spin up dev/test environments during work hours and tear them down afterward, avoiding long-lived idle resources.
Integrated Design Scenarios: Secure, Resilient, High-Performing, and Cost-Optimized
AWS Well-Architected Framework
The AWS Well-Architected Framework provides a consistent set of best practices for customers and partners to evaluate architectures, and a set of questions you can use to evaluate how well an architecture is aligned to AWS best practices.
Security pillar
The security pillar describes how to take advantage of cloud technologies to protect data, systems, and assets in a way that can improve your security posture.
Reliability pillar
The reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle.
Performance efficiency pillar
The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements and maintain that efficiency as demand changes and technologies evolve.
Cost optimization pillar
The cost optimization pillar includes the continual process of refinement and improvement of a system over its entire lifecycle to build and operate cost-aware systems that achieve business outcomes and minimize costs.
Sustainability pillar
The sustainability pillar focuses on minimizing the environmental impacts of running cloud workloads by maximizing utilization and minimizing the resources required, and by reducing the energy required to deliver business value.
Final Review, Exam Tactics, and Practice Question Walkthroughs
6-step question dissection: what is the first thing you read?
Read the last sentence (the stem) first to identify the explicit ask, such as "lowest cost", "most secure", or "most operationally efficient".
What is the shared responsibility model?
The AWS shared responsibility model describes how AWS is responsible for security of the cloud, while customers are responsible for security in the cloud, including the configuration of their services and data.
List the 6 pillars of the AWS Well-Architected Framework in order.
Operational excellence, Security, Reliability, Performance efficiency, Cost optimization, Sustainability.
What is a key sign that an answer is overengineered?
It uses many services, custom scripts, or multi-region complexity when the question asks for the simplest, lowest-cost, or most operationally efficient solution for a relatively simple requirement.
How should you handle a question where you are still stuck after ~90 seconds?
Use elimination to remove clearly wrong options, make your best guess from the remaining choices, mark the question, and move on to protect your overall pacing.
What is the purpose of a first pass versus a second pass through the exam?
First pass: bank easy and medium points quickly, guessing and marking hard questions. Second pass: return to marked questions and spend more time on the trickiest items if time allows.