SAA-C03 — AWS Certified Solutions Architect – Associate Exam Blueprint

Last revised: June 29, 2026

A practical SAA-C03 exam blueprint for AWS Certified Solutions Architect – Associate candidates reviewing architecture, security, resiliency, cost, and operations.

How to Use This Exam Blueprint

Use this independent Exam Blueprint as a practical study map for the AWS Certified Solutions Architect – Associate (SAA-C03) exam. It is designed to help you turn broad exam areas into specific readiness checks: what you should recognize, compare, design, troubleshoot, and eliminate in scenario questions.

Do not treat this as a list of exact exam weights or guaranteed question coverage. Instead, use it to find weak areas before final review.

For each section:

  • Mark items as ready, needs review, or uncertain.
  • For every uncertain item, write one sentence explaining when to use it and one sentence explaining when not to use it.
  • Practice mixed scenarios where security, availability, performance, cost, and operations compete.
  • Avoid memorizing service names without understanding the architecture tradeoff.

SAA-C03 Readiness Area Map

Readiness areaWhat you should be able to decideAWS services, features, or artifacts to reviewReady signal
Secure access designWho should access what, from where, and under which conditionsIAM users, groups, roles, policies, resource policies, STS, Organizations, SCPs, KMS, Secrets ManagerYou can choose role-based access over static credentials and explain policy evaluation at a high level
Network architectureHow traffic enters, leaves, and stays private inside AWSVPC, subnets, route tables, internet gateway, NAT gateway, security groups, network ACLs, VPC endpoints, peering, Transit Gateway, VPN, Direct ConnectYou can trace packet flow from client to workload and identify the control that allows or blocks traffic
Compute selectionWhich compute model fits the workload and operating responsibilityEC2, Auto Scaling, AMIs, launch templates, Lambda, ECS, EKS, Fargate, Elastic Beanstalk, BatchYou can choose between server-based, container-based, and serverless designs from scenario cues
Load balancing and scalingHow to distribute traffic and scale safelyALB, NLB, Gateway Load Balancer, Auto Scaling groups, target groups, health checks, CloudFront, Route 53You can match the load balancer and scaling pattern to protocol, latency, and availability needs
Storage architectureWhich storage service fits access pattern, durability, sharing, and lifecycle needsS3, EBS, EFS, FSx, S3 lifecycle, S3 replication, S3 Object Lock, Storage Gateway, DataSyncYou can distinguish object, block, and file storage quickly
Database and data servicesWhich data platform fits consistency, access pattern, scale, and operationsRDS, Aurora, DynamoDB, ElastiCache, Redshift, OpenSearch Service, Neptune, DMSYou can explain why a scenario needs relational, key-value, cache, search, warehouse, or graph capabilities
Resiliency and disaster recoveryHow to recover from component, AZ, Region, or data failureMulti-AZ, backups, snapshots, replication, Route 53 routing, CloudFront, S3 versioning, cross-Region patternsYou can align designs to RTO/RPO language without overengineering
Application integrationHow to decouple, buffer, fan out, orchestrate, and streamSQS, SNS, EventBridge, Step Functions, Kinesis, Amazon MQ, API GatewayYou can choose queue vs notification vs event bus vs workflow vs stream
Monitoring and operationsHow to detect, audit, automate, and respondCloudWatch, CloudTrail, AWS Config, Systems Manager, X-Ray, EventBridge, AWS Health, Trusted AdvisorYou can separate metrics, logs, traces, audit events, configuration history, and operational automation
Cost optimizationHow to reduce waste while preserving requirementsCost Explorer, Budgets, Trusted Advisor, Savings Plans, Reserved Instances, Spot, S3 storage classes, lifecycle policiesYou can select cost levers that do not violate availability, durability, or performance needs
Governance and account strategyHow to organize accounts, apply guardrails, and centralize controlAWS Organizations, SCPs, IAM Identity Center, Control Tower concepts, tagging, Config, CloudTrailYou can distinguish guardrails from permissions and monitoring
Hybrid and migrationHow to connect or move workloads and dataSite-to-Site VPN, Direct Connect, Transit Gateway, Storage Gateway, DataSync, DMS, Snow Family, Transfer FamilyYou can choose migration tools based on data type, downtime tolerance, and connectivity

High-Value “Can You Do This?” Checklist

Before you sit for SAA-C03, you should be able to do the following without relying on notes.

Architecture judgment

  • Convert business requirements into architecture qualities: security, reliability, performance, cost, and operational simplicity.
  • Identify the managed AWS service that reduces operational burden compared with self-managed infrastructure.
  • Decide when a workload should be stateless, stateful, event-driven, batch-oriented, or streaming.
  • Separate high availability, disaster recovery, backup, replication, and scaling.
  • Recognize when “lowest cost” conflicts with “highest availability” or “lowest latency.”
  • Explain why a design should use multiple Availability Zones.
  • Explain when a multi-Region design is justified and when it is unnecessary.
  • Choose an edge service when users are globally distributed or static content must be cached close to users.
  • Identify single points of failure in compute, networking, storage, and database designs.
  • Choose the simplest architecture that satisfies the stated requirements.

AWS service selection

  • Choose between EC2, Lambda, containers, and managed platforms.
  • Choose between S3, EBS, EFS, and FSx.
  • Choose between RDS/Aurora, DynamoDB, ElastiCache, Redshift, OpenSearch Service, and Neptune.
  • Choose between ALB, NLB, Gateway Load Balancer, CloudFront, and Route 53.
  • Choose between SQS, SNS, EventBridge, Step Functions, and Kinesis.
  • Choose between NAT gateway, internet gateway, VPC endpoint, VPN, Direct Connect, VPC peering, and Transit Gateway.
  • Choose between CloudWatch, CloudTrail, AWS Config, X-Ray, and Systems Manager for an operational scenario.
  • Choose between KMS, Secrets Manager, Systems Manager Parameter Store, IAM policies, and resource policies.

Scenario elimination

  • Eliminate answers that expose private resources directly to the internet.
  • Eliminate answers that use long-term credentials where roles or temporary credentials are more appropriate.
  • Eliminate answers that scale only vertically when horizontal scaling is required.
  • Eliminate answers that use a database read replica as a substitute for Multi-AZ availability.
  • Eliminate answers that solve asynchronous decoupling with synchronous service calls.
  • Eliminate answers that require excessive custom operations when a managed AWS service fits.
  • Eliminate answers that improve cost by breaking a stated durability, security, or availability requirement.
  • Eliminate answers that use public connectivity when private connectivity is explicitly required.

Core Architecture Decision Points

Scenario cueAsk yourselfStrong candidate response
“Highly available web application”Are compute, database, and load balancer spread across failure boundaries?Use multiple AZs, load balancing, Auto Scaling, and managed database availability features
“Unpredictable traffic”Can capacity scale automatically and safely?Use Auto Scaling, serverless options, queues, or managed scaling depending on workload type
“Global users with static assets”Is edge caching appropriate?Use CloudFront with an appropriate origin such as S3 or an application load balancer
“Private application instances need software updates”Do they need inbound internet access?Use private subnets with controlled outbound access or private endpoints where possible
“Loose coupling between services”Is the caller waiting for the callee?Use SQS, SNS, EventBridge, or Step Functions based on queueing, fanout, event routing, or orchestration needs
“Strict audit requirements”Are management events, configuration changes, and access attempts visible?Use CloudTrail, AWS Config, CloudWatch, and centralized logging patterns
“Minimize operational overhead”Is there a managed service that handles scaling, patching, backups, or failover?Prefer managed AWS services where they meet the requirement
“Large data migration”What is the data source, transfer path, and downtime tolerance?Consider DataSync, DMS, Storage Gateway, Snow Family, or network connectivity choices
“Cost must be reduced”Which cost lever preserves the stated requirement?Use right sizing, lifecycle policies, purchase options, Spot for interruptible work, and managed scaling

Secure Architecture Checklist

IAM and access control

TopicReview focusReady check
IAM identitiesUsers, groups, roles, and temporary credentialsYou know why applications should usually use roles instead of embedded access keys
IAM policiesAllow, deny, action, resource, principal, conditionYou can interpret a policy fragment and identify what is allowed or denied
Resource policiesBucket policies, key policies, queue policies, trust policiesYou can tell when access is controlled by the resource rather than only by identity policy
Role assumptionTrust policy, permissions policy, STSYou can explain cross-account access at a high level
Least privilegeNarrow actions, resources, and conditionsYou can identify overly broad permissions in a scenario
AWS OrganizationsAccounts, organizational units, SCPsYou know SCPs set guardrails but do not grant permissions by themselves
FederationExternal identity provider and temporary accessYou can choose federation over creating many long-term IAM users
Permission boundariesMaximum permissions for a principalYou can recognize when boundaries limit delegated administration

Can you do these?

  • Explain the difference between an IAM identity policy and an S3 bucket policy.
  • Explain why an explicit deny overrides an allow.
  • Identify the purpose of a role trust policy.
  • Choose IAM roles for EC2, Lambda, ECS tasks, and cross-account access.
  • Identify when to use temporary credentials.
  • Recognize that SCPs restrict maximum permissions for accounts or organizational units.
  • Use conditions conceptually, such as source VPC endpoint, MFA, encryption, or organization membership.
  • Avoid using root credentials for routine administrative work.

Example policy-reading readiness:

{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "o-example"
    }
  }
}

You should be able to say: this allows object reads from a bucket only when the principal meets the organization condition, assuming no other policy blocks the request.

Network security

ControlWhat it doesCommon exam trap
Security groupStateful instance or ENI-level traffic controlConfusing it with a network ACL
Network ACLStateless subnet-level traffic controlForgetting return traffic must be allowed
Route tableDetermines where traffic is sentAssuming a subnet is public without a route to an internet gateway
Internet gatewayEnables internet routing for public subnetsPlacing private resources in a public subnet unnecessarily
NAT gatewayAllows private subnet resources to initiate outbound internet accessAssuming it supports inbound internet access to private instances
VPC endpointPrivate access to supported AWS servicesChoosing NAT when the scenario asks to avoid internet traversal
WAFWeb-layer protection for HTTP/S trafficUsing it for non-web network filtering
ShieldDDoS protection contextConfusing it with application authorization
KMSKey management and encryption integrationAssuming encryption and access authorization are the same thing

Checklist:

  • Design public and private subnets correctly.
  • Place load balancers, NAT gateways, and application instances in appropriate subnet types.
  • Keep databases private unless the scenario explicitly requires otherwise.
  • Use security groups for instance-level allow rules.
  • Use network ACLs when subnet-level stateless filtering is required.
  • Use VPC endpoints to keep supported service traffic private.
  • Choose AWS WAF for web request filtering.
  • Choose AWS KMS where encryption key control or auditability is required.
  • Use Secrets Manager or Parameter Store instead of hardcoded secrets.
  • Recognize when CloudTrail is required for API audit visibility.

Encryption, secrets, and auditability

NeedLikely AWS capability to reviewReady signal
Encrypt data at restKMS-integrated encryption, service-managed or customer-managed keysYou can distinguish encryption from access permission
Encrypt data in transitTLS, HTTPS listeners, certificatesYou know where TLS is terminated in common architectures
Rotate database credentialsSecrets ManagerYou can choose managed secret storage over application config files
Store application parametersSystems Manager Parameter Store or Secrets ManagerYou can choose based on sensitivity and rotation needs
Audit API activityCloudTrailYou know CloudTrail is for account/API activity, not application performance metrics
Track resource configurationAWS ConfigYou can use Config for compliance and configuration history
Detect threatsGuardDuty and related security servicesYou can recognize threat detection versus preventive access control
Inspect vulnerabilitiesInspectorYou can distinguish vulnerability assessment from logging
Discover sensitive dataMacieYou can connect Macie with sensitive data discovery in S3

Network and Connectivity Readiness

VPC fundamentals

ConceptYou should know
VPCLogical network boundary for AWS resources
SubnetAZ-scoped segment inside a VPC
Public subnetHas route path to the internet through an internet gateway and resources with appropriate public addressing
Private subnetNo direct inbound internet route
Route tableControls traffic destination
Security groupStateful allow rules associated with resources
Network ACLStateless subnet boundary rules
NAT gatewayOutbound internet path for private resources
VPC endpointPrivate path to supported AWS services
PeeringDirect private connectivity between VPCs with routing considerations
Transit GatewayHub-style connectivity for multiple networks
VPNEncrypted connectivity over the internet
Direct ConnectDedicated network connectivity pattern
Route 53DNS, routing policies, and health-check-aware patterns

Can you trace this?

  • A user reaches a public ALB.
  • The ALB sends traffic to private application instances.
  • Application instances connect to a private database.
  • Application instances retrieve objects from S3 without public internet exposure when required.
  • Operations teams access instances without opening broad inbound SSH/RDP access.
  • Logs and metrics are sent to monitoring services.
  • Failed instances are replaced automatically.

Connectivity decision table

RequirementConsider firstWatch for
Private access from VPC to supported AWS serviceVPC endpointGateway vs interface endpoint fit
Many VPCs and on-premises networks need hub connectivityTransit GatewayRouting, segmentation, and governance
Two VPCs need direct private connectivityVPC peeringNon-transitive routing considerations
Encrypted on-premises connectivity over internetSite-to-Site VPNBandwidth and resilience expectations in the scenario
Dedicated private connectivityDirect ConnectOften paired with resilient design choices
Private resources need outbound updatesNAT gateway or endpointsDo not confuse outbound access with inbound exposure
Global DNS routing or failoverRoute 53 routing policiesMatch routing policy to latency, failover, weighted, or geolocation needs
Global acceleration for application endpointsGlobal Accelerator or CloudFront depending on use caseDo not use CDN-only thinking for all global routing needs

Compute, Scaling, and Load Balancing Checklist

Compute selection

Workload cueBetter-fit option to considerWhy
Full OS control, custom agents, legacy softwareEC2Maximum control over instance environment
Predictable fleet of web/app serversEC2 Auto ScalingHorizontal scaling and replacement
Event-driven short tasksLambdaServerless execution with reduced infrastructure management
Containerized applicationECS, EKS, or FargateContainer orchestration and deployment flexibility
Containers without managing serversFargateReduced host management
Simple managed application deploymentElastic BeanstalkPlatform abstraction while retaining AWS resource visibility
Batch jobsAWS BatchManaged batch scheduling pattern
Interruptible, flexible computeSpot-capable designsCost optimization when interruption is acceptable

Checklist:

  • Choose EC2 when the workload requires server-level control.
  • Choose Auto Scaling groups for elastic fleets and self-healing instance replacement.
  • Choose Lambda for event-driven workloads when execution model fits.
  • Choose containers when packaging, portability, or microservice deployment matters.
  • Choose Fargate when the scenario emphasizes avoiding server management.
  • Choose Spot only for workloads that tolerate interruption.
  • Use launch templates or reusable configuration patterns for repeatable EC2 deployments.
  • Store state outside ephemeral compute when instances may be replaced.
  • Recognize when a queue protects compute from traffic spikes.

Load balancer selection

ServiceBest-fit scenario cuesAvoid confusing with
Application Load BalancerHTTP/HTTPS, path-based or host-based routing, web applicationsNetwork-level ultra-low-latency TCP routing
Network Load BalancerTCP/UDP/TLS, static IP-style needs, high-performance network trafficLayer 7 web routing
Gateway Load BalancerThird-party virtual appliances, traffic inspectionStandard web application load balancing
CloudFrontGlobal content delivery, edge caching, TLS at edgeRegional load balancing only
Route 53DNS routing and failover patternsReplacing application-level health and scaling design

Ready checks:

  • Match ALB to HTTP/S application routing.
  • Match NLB to transport-level traffic.
  • Match CloudFront to edge caching and global delivery.
  • Use health checks to remove unhealthy targets.
  • Design target groups and scaling together.
  • Know that load balancing does not replace application or database resiliency.

Storage Architecture Checklist

Storage service selection

RequirementService to considerWhy
Object storage, static content, backups, data lake storageS3Durable object storage with lifecycle and policy controls
Block storage for EC2 instanceEBSAttached block volume for instance workloads
Shared Linux file systemEFSManaged elastic file storage for multiple clients
Windows file shares or specialized file systemsFSx familyManaged file systems for specific workload needs
Hybrid file access to cloud-backed storageStorage GatewayIntegrates on-premises environments with AWS storage
Data transfer between locations or servicesDataSyncManaged data movement
Long-term archive or infrequent access patternS3 storage classes and lifecycleCost optimization through access-pattern alignment

Checklist:

  • Distinguish object, block, and file storage.
  • Choose S3 for object storage, static websites, backups, logs, and data lakes.
  • Choose EBS for EC2-attached block storage.
  • Choose EFS when multiple compute resources need shared file access.
  • Choose FSx when the scenario names Windows file shares or a specific file system requirement.
  • Use S3 lifecycle policies to transition or expire objects based on access and retention needs.
  • Use S3 versioning when accidental overwrite or deletion protection is needed.
  • Use replication when data must be copied across buckets or Regions for a stated purpose.
  • Use Object Lock only when write-once-read-many or retention enforcement is required.
  • Use S3 event notifications or EventBridge when object changes should trigger processing.

S3 access and protection readiness

TopicReady if you can explain
Bucket policyResource-based access control for bucket and objects
IAM policyIdentity-based permissions for principals
Block Public AccessGuardrail against unintended public exposure
VersioningRetains multiple versions of objects
LifecycleAutomates transition or expiration
ReplicationCopies objects to another bucket based on configured rules
EncryptionProtects data at rest using appropriate key management
Pre-signed URLTime-limited delegated object access pattern
Static website hostingPublic website pattern with routing and access considerations
CloudFront origin accessEdge distribution pattern that can reduce direct S3 exposure

Common S3 traps:

  • Assuming encryption automatically grants access.
  • Assuming public access is required for CloudFront-backed delivery.
  • Confusing lifecycle transition with replication.
  • Confusing versioning with backup strategy.
  • Forgetting that object storage is not block storage for an EC2 boot volume.
  • Choosing EFS or EBS when the scenario clearly describes object storage.

Database and Data Platform Checklist

Database service selection

Scenario cueService to considerReadiness point
Managed relational databaseRDSSQL engine, backups, patching, Multi-AZ patterns
High-performance managed relational architectureAuroraManaged relational option with AWS-specific architecture
Key-value or document access at scaleDynamoDBPartition key design, indexes, capacity model concepts, global tables concepts
Microsecond-style cache layer or session cacheElastiCacheRedis or Memcached fit, cache-aside patterns
Data warehouse and analytics queriesRedshiftAnalytical workloads, not OLTP replacement
Search and log analyticsOpenSearch ServiceSearch indexing and analysis
Graph relationshipsNeptuneHighly connected graph data
Database migrationDMSHomogeneous or heterogeneous migration patterns
Schema conversionSchema Conversion Tool conceptsUsed when database engines differ

Checklist:

  • Choose RDS/Aurora for relational requirements and SQL transactions.
  • Choose DynamoDB for key-value access patterns and serverless-style NoSQL needs.
  • Identify partition key and access pattern importance for DynamoDB.
  • Choose read replicas for read scaling where appropriate.
  • Choose Multi-AZ patterns for availability and failover.
  • Choose ElastiCache to reduce repeated database reads or handle session/cache needs.
  • Choose Redshift for analytical queries over large datasets.
  • Choose OpenSearch Service for search use cases.
  • Choose DMS when migrating databases with minimal disruption requirements.
  • Use backups, snapshots, point-in-time concepts, and restore testing as part of resilience planning.

Database decision traps

TrapCorrect reasoning
“Read replica means high availability”Read replicas primarily address read scaling and can support some recovery patterns; Multi-AZ is the common availability cue
“DynamoDB works without data modeling”Access patterns and key design are central
“Cache fixes all database problems”Cache helps repeated reads but does not replace correct database design
“Redshift is for transactional app writes”Redshift is a data warehouse pattern
“Backups equal zero downtime”Backups help recovery; they do not automatically provide continuous availability
“Multi-Region is always better”It adds complexity and cost; use it when requirements justify it
“Encryption handles authorization”Encryption protects data; IAM, resource policies, and application controls authorize access

Application Integration and Event-Driven Design

Service selection

RequirementService to considerKey distinction
Decouple producers and consumers with bufferingSQSQueue-based asynchronous processing
Fan out messages to multiple subscribersSNSPub/sub notification pattern
Route events from many sources to targetsEventBridgeEvent bus and rule-based routing
Coordinate multi-step workflowsStep FunctionsState machine orchestration
Process high-volume ordered event streamsKinesisStreaming data ingestion and processing
Managed message broker compatibilityAmazon MQBroker-based migration or protocol compatibility
Build managed APIsAPI GatewayFront door for APIs, often with Lambda or private integrations

Can you do this?

  • Choose SQS when work should wait in a queue until a consumer processes it.
  • Choose SNS when one message should notify multiple subscribers.
  • Choose EventBridge when events need routing, filtering, or SaaS/service integration patterns.
  • Choose Step Functions when business logic requires explicit workflow states and retries.
  • Choose Kinesis when the scenario describes streaming data records.
  • Choose DLQs for failed asynchronous processing paths.
  • Add idempotency when retries may cause duplicate processing.
  • Use queues to absorb traffic spikes and protect downstream services.
  • Avoid tightly coupling synchronous services when the scenario asks for resiliency.

Event pattern cues

Cue in questionThink
“Order processing has multiple steps and compensation logic”Step Functions
“Image uploads trigger thumbnail generation”S3 event notification/EventBridge plus Lambda or queue
“Payment service must not be overwhelmed”SQS buffer and controlled consumers
“Multiple systems need the same update”SNS fanout or EventBridge routing
“Clickstream or telemetry ingestion”Kinesis-style streaming
“Legacy application uses standard broker protocols”Amazon MQ

Resilient Architecture Checklist

Availability and recovery design

Requirement languageArchitecture thinking
“Highly available”Remove single points of failure; use multiple AZs and managed failover where suitable
“Fault tolerant”Continue operating despite component failure
“Disaster recovery”Define recovery strategy for larger failures, including Region-level events when required
“Backup and restore”Recovery depends on backup frequency, restore process, and validation
“Low RTO”Favor warm, active, or automated failover patterns over manual rebuilds
“Low RPO”Favor frequent replication or continuous data protection patterns
“Stateless web tier”Store session/data outside replaceable instances
“Self-healing”Use health checks, Auto Scaling, managed services, and automation

Checklist:

  • Design web/application tiers across multiple AZs.
  • Use load balancer health checks and Auto Scaling replacement.
  • Keep application state out of individual instances.
  • Use managed database availability features where requirements call for them.
  • Use backups and snapshots for recoverability.
  • Use S3 versioning and replication when object recovery or geographic copy is required.
  • Use Route 53 routing policies for DNS-level failover or routing scenarios.
  • Use CloudFront to improve availability and performance for cacheable global content.
  • Test whether a design has a single NAT, single instance, single database, or single network dependency.
  • Match DR pattern complexity to stated business requirements.

Resiliency scenario checks

ScenarioPoor answer patternBetter direction
EC2-hosted web app fails when one instance diesSingle instanceALB plus Auto Scaling across AZs
Database outage causes application outageSingle database instanceManaged Multi-AZ or replicated architecture depending on service
Users lose session on instance replacementLocal session storageExternal session store or stateless design
Queue consumers fail during spikeDirect synchronous calls onlySQS buffering and scalable consumers
Accidental object deletionNo object protectionVersioning, retention controls, backups, or replication as required
Region-level recovery requiredSingle-Region onlyCross-Region backup, replication, or active patterns as requirements justify

High-Performing Architecture Checklist

Performance selection areas

AreaReviewReady signal
Compute performanceInstance families conceptually, Auto Scaling, serverless concurrency conceptsYou choose scaling pattern before tuning individual servers
Storage performanceS3 request patterns, EBS fit, EFS fit, cachingYou select storage based on workload access pattern
Database performanceRead replicas, caching, partitioning, indexes, query patternYou know when the bottleneck is read load, write design, or query model
Network performancePlacement, edge caching, Direct Connect, Global Accelerator, CloudFrontYou reduce latency using the correct network or edge service
Application performanceDecoupling, async processing, batching, cachingYou reduce synchronous bottlenecks
Analytics performanceRedshift, Athena, OpenSearch Service, data lake patternsYou avoid using OLTP stores for heavy analytics when inappropriate

Checklist:

  • Add caching when repeated reads are slowing the system and freshness requirements allow it.
  • Use CloudFront for cacheable content close to users.
  • Use read replicas or caching for read-heavy relational workloads when appropriate.
  • Use DynamoDB access-pattern design rather than relational thinking for key-value workloads.
  • Use SQS to smooth bursts and prevent overload.
  • Use asynchronous processing when users do not need to wait for background work.
  • Choose the right storage class and storage type for latency and throughput needs.
  • Avoid assuming bigger instances are always the best performance answer.
  • Recognize when a managed service automatically handles scaling dimensions that would otherwise be operational work.

Cost-Optimized Architecture Checklist

Cost levers to know

Cost leverUse whenBe careful not to
Right sizingCompute or database is overprovisionedUndersize and violate performance requirements
Auto ScalingDemand variesTreat scaling as only a performance feature
Savings Plans or Reserved Instances conceptsUsage is predictableApply to workloads that may disappear or change significantly
SpotWorkload is fault-tolerant and interruptibleUse for critical non-interruptible stateful work
S3 lifecycleAccess frequency changes over timeMove data to a class that violates retrieval needs
Managed servicesOperations cost and complexity matterIgnore feature fit or workload constraints
CachingRepeated expensive readsCache stale data when freshness is critical
ServerlessEvent-driven or variable demandForce-fit serverless where workload model does not fit
Budgets and Cost ExplorerVisibility and cost monitoringTreat monitoring as optimization by itself
TaggingAllocation and governanceAssume tags reduce cost without policy or action

Checklist:

  • Choose Spot only for workloads designed for interruption.
  • Use lifecycle policies for storage cost optimization.
  • Use managed scaling to avoid paying for idle fixed capacity.
  • Choose serverless for spiky event-driven workloads when requirements fit.
  • Use purchase options conceptually for steady-state workloads.
  • Identify NAT, data transfer, idle resources, and overprovisioned compute as cost-review areas.
  • Use budgets and cost tools for visibility, not as substitutes for architecture changes.
  • Avoid selecting the cheapest answer if it violates durability, availability, or security.

Monitoring, Logging, and Operations Checklist

Observability and governance services

NeedAWS service or feature to reviewReady distinction
Infrastructure metrics and alarmsCloudWatch metrics and alarmsPerformance/health signals
Application and system logsCloudWatch LogsLog collection and search
Distributed tracingX-RayRequest path and latency analysis
API activity auditCloudTrailWho did what through AWS APIs
Configuration history/complianceAWS ConfigWhat changed in resource configuration
Automated operational tasksSystems ManagerPatch, run command, inventory, session access concepts
Event-driven operationsEventBridgeReact to service events or scheduled rules
Service health visibilityAWS HealthAWS service event awareness
Cost and best-practice checksTrusted Advisor conceptsRecommendations, not enforcement by itself
Security findings aggregationSecurity HubCentralized security posture findings

Checklist:

  • Choose CloudWatch for metrics, logs, and alarms.
  • Choose CloudTrail for API audit trails.
  • Choose AWS Config for configuration history and compliance rules.
  • Choose X-Ray when tracing application requests is required.
  • Choose Systems Manager for operational management without opening broad inbound access.
  • Use EventBridge to react to operational events.
  • Centralize logs for multi-account or compliance scenarios.
  • Alarm on symptoms that affect users, not only infrastructure internals.
  • Know the difference between detection, alerting, audit, and remediation.

Migration and Hybrid Architecture Checklist

RequirementService or pattern to considerReady check
Move files or objects efficientlyDataSyncYou know it is for managed data transfer workflows
Connect on-premises applications to AWS storageStorage GatewayYou can match file, volume, or tape-style concepts at a high level
Migrate databasesDMSYou can identify database migration and replication scenarios
Transfer data when network is constrainedSnow FamilyYou recognize offline or edge data movement patterns
Secure managed file transferTransfer FamilyYou can identify SFTP/FTPS/FTP-style managed transfer needs
Hybrid private connectivityVPN or Direct ConnectYou can choose based on dedicated connectivity and encryption requirements
Many networks need centralized routingTransit GatewayYou understand hub-style routing
Migrate DNS or route usersRoute 53You can apply routing policies conceptually
Rehost, replatform, refactor discussionMigration strategy conceptsYou can identify operational tradeoffs without overcomplicating

Can you do this?

  • Choose DMS for database migration rather than general file transfer.
  • Choose DataSync for file/object transfer rather than application messaging.
  • Choose Storage Gateway for hybrid storage access patterns.
  • Choose VPN for encrypted internet-based connectivity.
  • Choose Direct Connect when dedicated connectivity is the key requirement.
  • Choose Transit Gateway when many VPCs and networks need centralized connectivity.
  • Identify migration answers that minimize downtime when the scenario requires it.
  • Avoid choosing a complex migration tool when a managed service import/export or replication feature directly fits.

Service Selection Quick Reference

Compute and application front end

If the scenario says…Think first
“HTTP path-based routing”ALB
“TCP/UDP high-performance traffic”NLB
“Third-party firewall appliance insertion”Gateway Load Balancer
“Global static content delivery”CloudFront
“DNS failover or weighted routing”Route 53
“No server management for events”Lambda
“Container orchestration”ECS or EKS
“Containers without managing hosts”Fargate
“Self-healing fleet of instances”Auto Scaling group
“Custom OS dependencies”EC2

Data and storage

If the scenario says…Think first
“Object storage”S3
“Shared file system for Linux workloads”EFS
“Block volume attached to EC2”EBS
“Windows file share”FSx for Windows File Server
“Relational database”RDS or Aurora
“Key-value at scale”DynamoDB
“Read-heavy relational workload”Read replicas or cache, depending on context
“Session store or repeated reads”ElastiCache or DynamoDB, depending on access pattern
“Analytics warehouse”Redshift
“Search”OpenSearch Service
“Graph relationships”Neptune

Integration

If the scenario says…Think first
“Buffer work”SQS
“Fan out to subscribers”SNS
“Route events by rules”EventBridge
“Orchestrate steps”Step Functions
“Streaming records”Kinesis
“Legacy broker compatibility”Amazon MQ
“Dead-letter handling”DLQ with SQS/SNS-supported patterns

Common Weak Areas and Exam Traps

Weak areaWhy candidates miss itHow to fix it
Security group vs network ACLBoth filter network trafficMemorize stateful resource-level vs stateless subnet-level behavior
Public vs private subnetCandidates focus on subnet name instead of route pathDetermine whether there is a route to an internet gateway and appropriate addressing
NAT gateway vs internet gatewayBoth relate to internet accessNAT supports outbound from private resources; internet gateway enables internet routing for public resources
VPC endpoint vs NATBoth can reach AWS servicesEndpoint keeps supported service traffic private without general internet traversal
IAM role vs IAM userStatic credentials feel simplerPrefer roles and temporary credentials for AWS services and cross-account access
SCP vs IAM policyBoth mention permissionsSCPs set guardrails; IAM/resource policies grant or deny access
KMS vs Secrets ManagerBoth appear in security scenariosKMS manages encryption keys; Secrets Manager stores and can rotate secrets
CloudTrail vs CloudWatchBoth are monitoring-relatedCloudTrail audits API activity; CloudWatch handles metrics, logs, and alarms
AWS Config vs CloudTrailBoth track changesConfig records resource configuration state; CloudTrail records API calls
Multi-AZ vs read replicaBoth improve database architectureMulti-AZ is availability-focused; read replicas are read-scaling-focused
Backup vs replicationBoth protect dataBackup supports restore; replication keeps another copy synchronized according to configuration
SQS vs SNSBoth are messaging servicesSQS queues work; SNS publishes notifications to subscribers
EventBridge vs SNSBoth distribute eventsEventBridge adds event bus routing and filtering patterns
Step Functions vs Lambda chainBoth can coordinate tasksStep Functions makes workflow state, retries, and branching explicit
DynamoDB vs RDSBoth store application dataDynamoDB requires key/access-pattern design; RDS supports relational SQL patterns
EBS vs EFS vs S3All are storageEBS is block, EFS is file, S3 is object
CloudFront vs Route 53Both affect user trafficCloudFront caches/delivers content; Route 53 resolves and routes DNS
Cost-first answersLowest cost may violate requirementsRe-check security, durability, availability, and performance constraints before choosing
OverengineeringCandidates choose the most advanced servicePrefer the simplest managed design that satisfies all stated requirements

Scenario Practice Prompts

Use these prompts to test whether you can reason like a solutions architect instead of recalling isolated facts.

Secure design prompts

  • A Lambda function needs to read from an S3 bucket. What identity should it use, and where are permissions defined?
  • An application in a private subnet needs to call AWS APIs without traversing the public internet. What network pattern should you consider?
  • A company needs to prevent accounts in an organization from using disallowed services. Is this an IAM policy or an SCP use case?
  • A database password is currently stored in application code. Which service pattern improves this?
  • Auditors ask who changed a security group. Which logging or audit service is most relevant?

Resilient design prompts

  • A web tier runs on one EC2 instance and must survive instance failure. What changes are required?
  • A relational database must remain available during an AZ issue. Which managed availability pattern applies?
  • A queue consumer occasionally fails after receiving a message. What retry and failure-handling pattern should you review?
  • Users in different parts of the world report slow static content downloads. Which edge service should you consider?
  • An accidental S3 object delete must be recoverable. Which S3 features should you review?

Performance and cost prompts

  • A read-heavy application is overloading its database. Should you consider cache, read replica, data model change, or all of these depending on the scenario?
  • A nightly batch job can be restarted if interrupted. Which compute purchase or capacity pattern might reduce cost?
  • A workload has unpredictable traffic and spends much of the day idle. Which serverless or scaling options fit?
  • Old S3 data is rarely accessed but must be retained. Which lifecycle decision is likely?
  • An application performs long synchronous tasks during user checkout. How can decoupling improve performance and reliability?

Final-Week Review Checklist

TimeframeFocusActions
7 days outIdentify weak domainsTake a mixed practice set, tag every miss by topic, and list the top five recurring causes
6 days outSecurity and IAMRework IAM, KMS, S3 access, VPC security, CloudTrail, and Config scenarios
5 days outNetworkingDraw VPC flows, route tables, subnet types, NAT, endpoints, peering, Transit Gateway, VPN, and Direct Connect decisions
4 days outCompute and scalingReview EC2, Auto Scaling, load balancers, Lambda, containers, and event-driven scaling
3 days outStorage and databasesCompare S3/EBS/EFS/FSx and RDS/Aurora/DynamoDB/ElastiCache/Redshift/OpenSearch
2 days outResiliency and costReview Multi-AZ, backup, replication, DR cues, Spot, lifecycle, right sizing, and managed scaling
1 day outMixed scenario judgmentDo light review only; focus on eliminating bad answers and explaining why the best answer satisfies all requirements

Final checks:

  • I can explain the difference between security, reliability, performance, cost, and operations requirements in a scenario.
  • I can choose a service because of a requirement, not because it sounds familiar.
  • I can identify when AWS managed services reduce operational overhead.
  • I can read policy, network, and architecture descriptions carefully before answering.
  • I can eliminate answers that violate private networking, least privilege, or high availability requirements.
  • I can explain why the correct answer is better than the second-best answer.
  • I have practiced mixed questions, not only single-service flashcards.

Practical Next Step

Turn every unchecked item into a targeted practice task. For each weak topic, review the AWS service decision points, then answer several scenario-based questions that force you to choose between similar services. Focus especially on IAM, VPC networking, storage selection, database availability, decoupling, monitoring, and cost tradeoffs, because these areas often separate memorization from architect-level readiness for SAA-C03.

Study Plan
Scenario Guide
Browse Certification Practice Tests by Exam Family