Complete Breakdown of AWS SAA-C03 Exam Topics
The AWS Certified Solutions Architect – Associate (SAA-C03) exam tests your understanding across four major architectural domains. Understanding what topics fall within each domain helps you study efficiently and ensures you’re prepared for every section of the exam.
Domain 1: Design Secure Architectures (30%)
This domain, accounting for 30% of your exam score, focuses on building AWS solutions that protect data, control access, and maintain compliance.
Identity and Access Management (IAM)
IAM is fundamental to secure architecture. You must understand:
IAM Entities and Structure
- Users, groups, and roles: When to use each type
- Service principals and cross-account access
- Temporary credentials from AWS STS
- IAM federation and external identity providers
- Root account protection and best practices
IAM Policies
- Identity-based policies attached to users, groups, and roles
- Resource-based policies for S3, SNS, SQS, and other services
- Permission boundaries to limit maximum permissions
- IAM policy evaluation logic and implicit denies
- Condition operators for attribute-based access control
Advanced IAM Concepts
- Roles for federation with identity providers
- Cross-account roles and external IDs
- Service-linked roles for AWS-managed services
- IAM Access Analyzer for finding unintended access
Network Security
Network security controls govern how traffic flows through your architecture.
VPC Architecture
- VPC design and CIDR block planning
- Public, private, and protected subnets
- VPC peering and Transit Gateway for inter-VPC communication
- VPC endpoints (Gateway and Interface) for private service access
- VPC Flow Logs for network monitoring
Network Access Control
- Network ACLs (stateless, ordered rules)
- Security groups (stateful, allow-based)
- Security group rules and cross-region access
- AWS WAF and web ACL configuration
- Network segmentation and microsegmentation
Data Protection
Data protection ensures information security throughout its lifecycle.
Encryption at Rest
- S3 encryption options: SSE-S3, SSE-KMS, client-side encryption
- EBS volume encryption
- RDS encryption
- DynamoDB encryption
- AWS KMS: key management and key rotation
Encryption in Transit
- TLS/SSL certificates and AWS Certificate Manager (ACM)
- HTTPS enforcement for ALBs and API Gateway
- VPN connections for site-to-site communication
- TLS for database connections
- Encryption for AWS service communications
Key Management
- AWS KMS key policies and grants
- Customer-managed vs. AWS-managed keys
- Key rotation strategies
- Envelope encryption principles
- Multi-region key replication
Compliance and Auditing
Maintaining compliance and audit trails ensures accountability and regulatory adherence.
Logging and Monitoring
- CloudTrail for API call logging
- VPC Flow Logs for network monitoring
- ALB and S3 access logs
- CloudWatch Logs for application logging
- AWS Config for resource compliance tracking
Secrets Management
- AWS Secrets Manager for database credentials and API keys
- Systems Manager Parameter Store for application configuration
- Rotation policies for regularly updated secrets
- Cross-region replication
Application Security
Protecting applications from attacks and unauthorized access.
Web Application Protection
- AWS WAF: web ACLs, rules, and rate-based rules
- Firewall Manager for centralized WAF management
- DDoS protection with AWS Shield Standard and Advanced
- API Gateway authorization and API keys
Additional Security Topics
- SSL/TLS certificate management
- Signed URLs and signed cookies for CloudFront and S3
- Multi-factor authentication (MFA)
- Security Hub for centralized security posture
Domain 2: Design Resilient Architectures (26%)
This domain, representing 26% of the exam, emphasizes high availability, fault tolerance, and disaster recovery.
High Availability Architecture
High availability means your application continues functioning despite failures.
Auto Scaling
- Auto Scaling group policies: target tracking, step scaling, simple scaling
- Launch templates and launch configurations
- Scaling based on CPU, custom metrics, or schedules
- EC2 instance lifecycle and lifecycle hooks
- Combining Auto Scaling with load balancers
Load Balancing
- Application Load Balancer (ALB): path-based and host-based routing
- Network Load Balancer (NLB): ultra-high performance, UDP support
- Classic Load Balancer (CLB): legacy but still tested
- Target groups and health checks
- Sticky sessions and connection draining
- Cross-zone load balancing
Multi-AZ and Multi-Region
- Multi-AZ deployments for RDS and DynamoDB
- Cross-region replication for disaster recovery
- Route 53 health checks and failover routing
- Cross-region read replicas
Fault Tolerance and Recovery
Building systems that survive component failures.
Database Resilience
- RDS Multi-AZ with automatic failover
- RDS read replicas for scaling and recovery
- RDS backups: automated and manual snapshots
- Point-in-time recovery (PITR)
- DynamoDB backup and restore
- Aurora for enhanced availability
Storage Resilience
- S3 versioning for accidental deletion recovery
- S3 cross-region replication (CRR)
- S3 lifecycle policies for archival
- EBS snapshots and cross-region snapshots
- S3 Glacier storage classes for long-term retention
Application Resilience
- Loose coupling with SQS and SNS
- Dead-letter queues for failed messages
- Circuit breaker patterns
- Lambda retry policies and DLQ
- SQS FIFO for ordered message processing
Disaster Recovery
Planning for and recovering from major failures.
RPO and RTO Concepts
- Recovery Point Objective (RPO): acceptable data loss
- Recovery Time Objective (RTO): acceptable downtime
- Backup strategies aligned with RPO/RTO requirements
- Testing recovery procedures regularly
Disaster Recovery Strategies
- Backup and restore: lowest cost, highest RTO
- Pilot light: minimal resources on standby
- Warm standby: scaled-down copies ready
- Multi-region active-active: zero downtime, highest cost
- Choosing strategy based on RPO/RTO and budget
Backup and Recovery
- AWS Backup for centralized backup management
- Cross-region backup replication
- Backup scheduling and retention policies
- Testing restores regularly
Domain 3: Design High-Performing Architectures (24%)
This domain, accounting for 24% of the exam, focuses on optimizing performance and responsiveness.
Performance Optimization
Building fast, responsive systems.
Caching Strategies
- ElastiCache for in-memory caching
- Memcached vs. Redis: use cases and differences
- CloudFront for edge caching
- API Gateway caching
- Database query caching
- Cache invalidation strategies
Database Performance
- RDS read replicas for scaling read-heavy workloads
- DynamoDB on-demand vs. provisioned capacity
- DynamoDB Global Secondary Indexes (GSI) and Local Secondary Indexes (LSI)
- Query optimization and scanning
- Database connection pooling
Content Delivery
- CloudFront distributions and behaviors
- Origin types: S3, HTTP endpoints, Application Load Balancer
- CloudFront caching policies and TTLs
- CloudFront security and signed URLs
Compute Optimization
Selecting and configuring compute resources for performance.
EC2 Instance Selection
- Instance families: general purpose, compute optimized, memory optimized, storage optimized
- Instance sizes and burstable performance
- Choosing instance types for workload requirements
- Placement groups for low latency
- Enhanced networking and instance attributes
Other Compute Services
- Lambda performance optimization
- Container optimization with ECS and EKS
- Batch processing with AWS Batch
Storage and Database Selection
Choosing the right storage and database technologies.
Storage Options
- S3 storage classes: Standard, Intelligent-Tiering, Standard-IA
- S3 Transfer Acceleration for faster uploads
- EBS volume types: gp3, io2, st1
- Instance store for temporary high-performance storage
Database Selection
- Relational: RDS, Aurora
- NoSQL: DynamoDB, DynamoDB Streams
- Cache: ElastiCache
- Search: OpenSearch
- Time series: Timestream
- Graph: Neptune
Domain 4: Design Cost-Optimized Architectures (20%)
This domain, representing 20% of the exam, emphasizes building cost-effective solutions.
Cost Analysis and Tools
Understanding and managing AWS spending.
AWS Pricing Models
- On-Demand Instances: pay per second
- Reserved Instances: 1-year or 3-year commitments
- Savings Plans: Compute Savings Plans, EC2 Instance Savings Plans
- Spot instances: up to 90% discounts with interruption risk
- Dedicated hosts and dedicated instances
Cost Management Tools
- AWS Pricing Calculator for estimating costs
- AWS Cost Explorer for analyzing spending trends
- AWS Budgets for cost alerts
- Trusted Advisor for cost optimization recommendations
- Cost allocation tags for tracking expenses
Resource Optimization
Optimizing resource usage to reduce costs.
Compute Cost Optimization
- Right-sizing instances for actual requirements
- Using Auto Scaling to match demand
- Spot instances for fault-tolerant workloads
- Scheduled scaling for predictable patterns
Storage Cost Optimization
- S3 storage class transitions
- Deleting unnecessary snapshots and backups
- Using EBS-optimized instances
- Data transfer cost minimization
Database Cost Optimization
- Choosing between provisioned and on-demand capacity
- Reserved capacity discounts
- Multi-AZ costs vs. benefits
- Read replica costs
Economic Considerations
Understanding the business value of architectural decisions.
Total Cost of Ownership (TCO)
- Comparing on-premises vs. AWS costs
- License considerations
- Personnel and operational costs
- Capital expenditure vs. operational expenditure
Reserved Instances and Savings Plans
- When to purchase Reserved Instances
- Instance family flexibility
- Savings Plans for multiple services
- Capacity reservations vs. Reserved Instances
Cross-Domain Architectural Patterns
The exam tests not just individual services but how they work together:
Web Application Architecture
- CloudFront for static content
- ALB for routing
- Auto Scaling for capacity
- RDS Multi-AZ for database
- ElastiCache for session caching
Microservices Architecture
- Loose coupling with SQS/SNS
- ECS or EKS for containers
- Service discovery
- API Gateway for routing
- CloudWatch for monitoring
Data Pipeline Architecture
- S3 for data storage
- Kinesis for streaming
- Lambda for processing
- DynamoDB or RDS for results
- Cost optimization through storage classes
Practice with Real Exam Questions
Understanding these topics is essential, but applying them to real scenario-based questions is where the exam challenge lies. The best preparation combines studying these domains with practicing on realistic exam questions.
Sailor.sh’s AWS Certified Solutions Architect Associate certification-ready mock exams cover all these domains with scenario-based questions that test your understanding of how services work together, not just individual service knowledge.
Frequently Asked Questions
Q: Which domain is most heavily tested? A: Design Secure Architectures (30%) is the heaviest, followed by Design Resilient Architectures (26%).
Q: Do I need to know every AWS service? A: No. Focus on the core services mentioned in this breakdown. You don’t need deep knowledge of specialized services.
Q: How deep should I understand each topic? A: Understand enough to make architectural decisions, not necessarily to configure every detail. The exam tests architectural thinking, not operational details.
Q: Are there new services added to the exam? A: Yes, occasionally. AWS updates the exam periodically. Stay current with AWS announcements and your study materials.
Q: Which topics appear most frequently on practice exams? A: Security (IAM, VPC, encryption), load balancing, Auto Scaling, RDS, and cost optimization are heavily featured.
Conclusion
Mastering these four domains provides comprehensive coverage of what the SAA-C03 exam tests. Study each domain systematically, understand how services interconnect, and practice with realistic scenario-based questions. This combination ensures you’re ready to pass and become an AWS Certified Solutions Architect Associate.