
AWS Solutions Architect Associate (SAA‑C03) Exam Prep Blueprint
A focused, scenario-driven prep course for the AWS Certified Solutions Architect – Associate (SAA‑C03) exam, aligned with the latest AWS exam guide and domains. You’ll build practical skills in designing secure, resilient, high‑performing, and cost‑optimized architectures that match real exam scenarios.
Course Content
9 modules · 2h 15m total
Your SAA‑C03 Roadmap: Exam Structure, Domains, and Mindset
Step into the architect’s seat and see how AWS expects you to think: not like a button-clicker, but like a designer of secure, resilient, high‑performing, and cost‑optimized systems. This module reveals the SAA‑C03 blueprint, scoring, and the mental models that separate pass from fail.
AWS Foundations and the Well-Architected Lens
Before tackling complex scenarios, anchor your thinking in how AWS itself structures the cloud: Regions, AZs, core services, and the Well‑Architected Framework that quietly drives many exam answers. This module connects the moving parts so exam questions start to feel predictable instead of random.
Designing Secure Architectures: Identities, Access, and Data Protection
When every question seems to say “secure” in a different way, how do you know which AWS security tool to reach for? This module turns IAM policies, encryption options, and network controls into a clear decision tree you can apply under time pressure.
Designing Resilient Architectures: High Availability, Backup, and Disaster Recovery
Systems fail in all the creative ways the exam writers can imagine—your job is to keep the lights on. This module demystifies multi‑AZ vs multi‑Region, RTO/RPO, and backup strategies so you can instantly match each scenario to the right resiliency pattern.
High-Performing Compute: EC2, Autoscaling, and Serverless Choices
From legacy lift‑and‑shift to modern serverless, the exam loves to ask which compute option is “best” for a particular workload. This module walks through the tradeoffs between EC2, Auto Scaling, containers, and Lambda so the right answer jumps out at you.
High-Performing Storage and Databases: S3, EBS, RDS, and DynamoDB
Storage and database questions often hide performance bottlenecks in the fine print—throughput limits, access patterns, or consistency needs. This module trains you to spot those clues and choose the right mix of S3, EBS, RDS, DynamoDB, and caching.
Networking and Content Delivery: VPC Design, Connectivity, and Latency
Many of the trickiest exam questions live inside the VPC: overlapping CIDR blocks, hybrid connectivity, and cross‑account access. This module unpacks VPC design, VPN/Direct Connect, and CloudFront so network diagrams become opportunities, not traps.
Cost-Optimized Architectures: Pricing Models, Right-Sizing, and Cost Tools
The exam doesn’t just want you to build great systems—it wants them to be affordable. This module shows how to read between the lines for cost signals, then apply AWS pricing models, right‑sizing, and cost management tools to land the most economical design.
Bringing It All Together: Solving Full SAA‑C03 Scenarios
Now it’s time to think like the exam: complex customer stories, competing requirements, and multiple “good” answers. This capstone module walks through end‑to‑end scenarios that force you to balance security, resilience, performance, and cost the way AWS expects.
Read the Textbook
Read every chapter for free, right here in your browser.
The AWS Certified Solutions Architect – Associate exam (code SAA‑C03) is AWS's current associate-level architect certification as of 2026. It validates that you can design secure, resilient, high-performing, and cost-optimized architectures on AWS.
Key facts based on the latest AWS exam guide (SAA‑C03 replaced the older SAA‑C02 in 2022 and remains current today):
- Level: Associate
- Duration: 130 minutes (just over 2 hours)
- Question count: 65 questions total
  - Scored questions: 50
  - Unscored (experimental) questions: 15 (you cannot tell which are which)
- Question types:
  - Multiple choice: 1 correct answer + 3 distractors
  - Multiple response: 2 or more correct answers from 5+ options
- Delivery: Testing center or online proctored
- Closed book (no notes, no console)
Why this matters for your roadmap
Study Flashcards
Key concepts from this course as flashcard pairs.
Your SAA‑C03 Roadmap: Exam Structure, Domains, and Mindset
SAA‑C03: Number of questions and duration
65 questions in 130 minutes. About 50 are scored and 15 are unscored experimental items.
SAA‑C03: Passing score and scale
Scaled score from 100 to 1000. Passing score is 720.
Highest-weighted domain in SAA‑C03
Design Secure Architectures at about 30% of the exam weight.
Four domains of SAA‑C03 (names only)
Design Secure Architectures; Design Resilient Architectures; Design High-Performing Architectures; Design Cost-Optimized Architectures.
Architect mindset vs button-clicker mindset
Architects start from requirements and tradeoffs, think in patterns, and design for failure. Button-clickers focus on steps and isolated services.
First step when reading a scenario question
Identify the non-negotiable requirements (e.g., security, availability, compliance) before considering services or cost.
AWS Foundations and the Well-Architected Lens
Region vs Availability Zone (AZ)
A Region is a geographic area (for example, `us-east-1`). An AZ is one or more data centers within a Region. Use **multiple AZs** for high availability; use **multiple Regions** for disaster recovery or compliance.
Edge location
A site used by services like CloudFront and Route 53 to cache and serve content closer to users. Key for **low latency** content delivery and DNS.
Amazon EC2
Virtual servers in the cloud. You manage OS and runtime. Use Auto Scaling and load balancers across AZs for **reliability**, **performance**, and **cost optimization**.
Amazon S3
Highly durable object storage across multiple AZs in a Region. Common for backups, logs, and static assets. Supports lifecycle policies and multiple storage classes for **cost optimization**.
Amazon RDS
Managed relational database service with Multi-AZ and read replicas. Use when you need SQL, joins, and transactions. Strong for **reliability** and **operational excellence**.
Amazon DynamoDB
Fully managed NoSQL key-value/document database with single-digit millisecond latency and automatic scaling. Ideal for high-scale, low-latency workloads.
Designing Secure Architectures: Identities, Access, and Data Protection
IAM Role vs IAM User
IAM user has long-lived credentials, usually for people. IAM role has temporary credentials and is assumed by principals (apps, users, services). Prefer roles for applications and cross-account access.
Security Group
Stateful, instance-level virtual firewall. Supports allow rules only. Automatically allows return traffic. Used to control traffic to EC2, RDS, and other ENI-attached resources.
Network ACL (NACL)
Stateless, subnet-level control list. Supports allow and deny rules. Must explicitly allow both inbound and outbound traffic. Good for coarse subnet filtering.
VPC Endpoint
Enables private connectivity to AWS services without using the internet. Gateway endpoints for S3 and DynamoDB; interface endpoints (PrivateLink) for many other services.
SSE-S3 vs SSE-KMS
SSE-S3: AWS manages keys, simple default. SSE-KMS: uses KMS keys, supports fine-grained access control, key rotation, and detailed audit via CloudTrail.
KMS Key Policy
Resource-based policy attached to a KMS key that defines who can use or manage the key. If the key policy does not allow a principal, IAM policies alone are not enough.
Designing Resilient Architectures: High Availability, Backup, and Disaster Recovery
High availability (HA)
Designing systems to remain operational for a very high percentage of time, often using redundancy within a Region (for example, multi-AZ, load balancing, health checks).
Fault tolerance (FT)
The ability of a system to continue operating without interruption when one or more components fail, often via N+1 redundancy and self-healing designs.
Disaster recovery (DR)
Processes and architectures that allow a system to be restored after a major event such as a Region outage or large-scale data loss, guided by RTO and RPO.
Recovery Time Objective (RTO)
The maximum acceptable amount of time that an application can be unavailable after a disruption before it must be fully restored.
Recovery Point Objective (RPO)
The maximum acceptable amount of data loss measured in time, indicating how far back in time you may need to recover data.
Multi-AZ
Deploying resources across multiple Availability Zones in a single Region to improve high availability and fault tolerance against AZ failures.
High-Performing Compute: EC2, Autoscaling, and Serverless Choices
When to choose General Purpose EC2 (M/T/A)?
When the workload has balanced CPU, memory, and networking needs, such as standard web/app servers and small databases, and no special optimization requirement is mentioned.
Key clue for Memory Optimized EC2 (R/X)?
Keywords like "in-memory", "large cache", "big analytics datasets in RAM", or very memory-heavy databases.
Best pricing model for steady 24/7 production workloads?
Reserved Instances or Savings Plans (often Compute Savings Plans for flexibility), because they trade long-term commitment for significant discounts.
When are Spot Instances appropriate?
For fault-tolerant, stateless, or batch workloads that can handle interruptions and flexible start/end times, such as offline processing or background jobs.
Target tracking scaling vs scheduled scaling?
Target tracking keeps a metric (e.g., CPU) near a target for unpredictable traffic. Scheduled scaling adjusts capacity based on known time-based patterns (e.g., business hours).
ALB vs NLB – exam keywords?
ALB: HTTP/HTTPS, path/host routing, microservices, WebSockets. NLB: TCP/UDP, static IPs, extremely high performance or low latency, non-HTTP protocols.
High-Performing Storage and Databases: S3, EBS, RDS, and DynamoDB
S3 (Simple Storage Service)
AWS object storage service. Stores objects in buckets, accessed by key over HTTP/S. Great for large files, backups, logs, and data lakes with high durability and scalability.
EBS (Elastic Block Store)
Block storage volumes for a single EC2 instance. Low-latency random I/O, ideal for databases and OS disks. Performance depends on volume type, size, and provisioned IOPS.
EFS (Elastic File System)
Managed NFS file system for Linux instances. Shared, elastic, and scalable file storage with POSIX semantics, mounted by many instances at once.
FSx
Family of managed high-performance file systems (e.g., Lustre, NetApp ONTAP, Windows File Server, OpenZFS) for specialized workloads and shared storage.
RDS (Relational Database Service)
Managed relational database service supporting engines like MySQL and PostgreSQL. Handles backups, patching, and provides Multi-AZ and read replicas.
Aurora
AWS-built high-performance relational database compatible with MySQL and PostgreSQL. Uses distributed storage, supports many replicas, and offers strong performance and resilience.
Networking and Content Delivery: VPC Design, Connectivity, and Latency
Public subnet
A subnet whose route table has a route to an Internet Gateway. Instances with public IPs in this subnet can receive inbound internet traffic.
Private subnet
A subnet with no direct route to an Internet Gateway. Instances typically reach the internet via a NAT Gateway or do not have internet access at all.
NAT Gateway
A managed, AZ‑specific service that allows instances in a private subnet to initiate outbound internet connections while blocking unsolicited inbound connections.
VPC endpoint (gateway)
A VPC endpoint type that uses route tables to provide private access to S3 or DynamoDB without traversing the public internet.
VPC endpoint (interface)
An elastic network interface powered by PrivateLink that provides private access to many AWS services and SaaS services over the AWS network.
Site‑to‑Site VPN
An IPsec VPN connection between your on‑premises network and AWS over the public internet. Quick to set up but with internet‑level latency and jitter.
Cost-Optimized Architectures: Pricing Models, Right-Sizing, and Cost Tools
Right-sizing
Adjusting resource types and sizes (compute, storage, databases) so they closely match actual usage, reducing waste while still meeting performance and availability requirements.
Savings Plans
A flexible discount model where you commit to a consistent $/hour of compute usage for 1 or 3 years in exchange for lower prices on EC2, Fargate, and Lambda (Compute) or specific EC2 families (EC2 Instance).
Spot Instances
EC2 capacity offered at deep discounts using spare AWS capacity. Instances can be interrupted, so they are best for fault-tolerant, flexible workloads like batch jobs and stateless processing.
AWS Cost Explorer
A tool to visualize and analyze AWS spending over time, break down costs by service, account, region, and tags, and forecast future spending.
AWS Budgets
A service that lets you set custom cost or usage budgets and receive alerts when your actual or forecasted usage exceeds thresholds.
Cost Anomaly Detection
An AWS service that uses machine learning to automatically detect unusual cost spikes and send alerts, helping you catch unexpected spending quickly.
Bringing It All Together: Solving Full SAA‑C03 Scenarios
Signal: On‑prem app must keep using NFS, no code changes, move storage to AWS.
Use AWS Storage Gateway **file gateway** with NFS shares backed by S3. Add S3 lifecycle for cost optimization when access becomes infrequent.
Signal: Global users, slow static content, want better performance and offload EC2.
Use **Amazon CloudFront** with ALB or S3 as origin. Cache static content at edge locations to reduce latency and server load.
Signal: Read‑heavy RDS workload, slow reads, minimal app changes, tight budget.
Consider **RDS read replicas** and/or **ElastiCache** for read scaling. Also consider right‑sizing RDS before more complex changes.
Optimization word: "Most secure" or "meet compliance requirements".
Favor private subnets, least‑privilege IAM, encryption with KMS, VPC endpoints, and blocking direct public access even if cost or complexity increases.
Optimization word: "Highest availability" or "minimize downtime".
Use **Multi‑AZ** architectures (and sometimes Multi‑Region). Avoid single EC2 instances, single‑AZ RDS, or single NAT instances.
Optimization word: "Least operational overhead".
Prefer **managed services** (RDS, DynamoDB, CloudWatch, Systems Manager, AWS Backup) over self‑managed EC2 solutions.