SAA-C03 — AWS Certified Solutions Architect – Associate Quick Reference

Last revised: June 29, 2026

Compact AWS SAA-C03 reference for service selection, architecture patterns, security, networking, storage, databases, resilience, and cost tradeoffs.

This Quick Reference is independent study support for candidates preparing for the AWS Certified Solutions Architect – Associate (SAA-C03). Use it to make fast architecture decisions: which AWS service fits, which pattern is more resilient, which security control applies, and which exam traps to avoid.

High-Yield SAA-C03 Decision Model

If the scenario emphasizes…	Prefer…	Watch for traps
Lowest operational overhead	Managed services: Lambda, Fargate, S3, DynamoDB, Aurora, API Gateway, EventBridge	Do not choose EC2 when the requirement says “no servers to manage” unless control/customization is required.
Multi-AZ resilience	ALB/NLB across AZs, Auto Scaling group, RDS Multi-AZ, EFS, S3, DynamoDB	Read replicas improve read scale; they are not the same as automatic Multi-AZ failover.
Global low-latency web delivery	CloudFront, Route 53 latency/geolocation routing, Global Accelerator	CloudFront caches HTTP(S) content; Global Accelerator improves global routing for TCP/UDP without caching.
Decoupling components	SQS, SNS, EventBridge, Step Functions	SQS is pull queueing; SNS is push pub/sub; EventBridge is event routing and SaaS integration.
Object storage	Amazon S3	Do not choose EBS or EFS for internet-scale object storage.
Shared POSIX file system	Amazon EFS for Linux, FSx for Windows File Server for SMB, FSx for Lustre for high-performance compute	EBS attaches to one AZ and is block storage, not shared file storage by default.
Relational transactions	Amazon RDS or Aurora	DynamoDB is not relational and does not support joins like an RDBMS.
Massive key-value scale	DynamoDB	DAX is for read caching; Global Tables are for multi-Region active-active.
Private access to AWS services	VPC endpoints	Gateway endpoints are for S3/DynamoDB; interface endpoints use AWS PrivateLink.
Centralized multi-account governance	AWS Organizations, SCPs, Control Tower, IAM Identity Center	SCPs set maximum permissions; they do not grant permissions by themselves.
Audit API activity	AWS CloudTrail	CloudWatch monitors metrics/logs; AWS Config tracks resource configuration and compliance.
Threat detection	GuardDuty, Inspector, Macie, Security Hub	GuardDuty detects threats; Inspector assesses vulnerabilities; Macie discovers sensitive data in S3.
Backup and restore	AWS Backup, service snapshots, lifecycle policies, cross-Region copies where needed	Snapshots are not a substitute for application-level DR design when strict RTO/RPO is required.

Service Selection Matrix

Compute and Application Hosting

Service / feature	Best fit	Avoid / consider alternative	Exam cues
EC2	Full OS control, custom agents, legacy apps, specialized networking/storage	If “serverless,” “no infrastructure management,” or event-driven	AMIs, instance families, user data, Auto Scaling, placement groups
Auto Scaling group	Horizontal scaling and self-healing EC2 fleets	Not for scaling RDS directly	Use across multiple AZs; combine with ELB health checks
Elastic Load Balancing	Distribute traffic and improve availability	Not a database failover mechanism	Choose ALB, NLB, GWLB based on protocol and use case
Lambda	Event-driven, short-running, stateless functions	Long-running processes, persistent local state, specialized OS control	Integrates with API Gateway, S3, SQS, EventBridge, Step Functions
ECS on EC2	Containers with EC2 control	If you want no host management, use Fargate	Good for containerized apps needing cluster-level control
ECS on Fargate	Serverless containers	If custom host configuration is required	Task-level sizing, no EC2 host management
EKS	Kubernetes workloads	If Kubernetes is not required, ECS is usually simpler	Managed control plane; worker nodes can be EC2 or Fargate
Elastic Beanstalk	Simple PaaS deployment for web apps	If you need fine-grained architecture control	Provisions underlying resources such as EC2, ELB, Auto Scaling
App Runner	Simple container/web app deployment from source or image	Complex networking or custom orchestration needs	Low-ops web service hosting
AWS Batch	Batch jobs, queues, compute environments	Interactive request/response workloads	Good for scheduled or queued compute-heavy jobs
Lightsail	Simple VPS-style workloads	Enterprise-scale, complex VPC, advanced AWS architecture	Usually not the SAA answer for scalable production designs

Load Balancer Selection

Load balancer	Layer / protocols	Choose when	Common trap
Application Load Balancer	Layer 7 HTTP/HTTPS/gRPC	Path-based routing, host-based routing, HTTP headers, containers, WebSockets	Not for static IP requirement by itself
Network Load Balancer	Layer 4 TCP/UDP/TLS	Extreme performance, static IP support, preserve source IP, non-HTTP protocols	Does not perform advanced HTTP routing
Gateway Load Balancer	Layer 3 transparent appliance insertion	Deploy firewalls, IDS/IPS, network appliances	Not a general web app load balancer
Classic Load Balancer	Legacy	Existing older architectures	Prefer ALB or NLB for new designs

EC2 Purchasing and Capacity

Option	Use when	Key point
On-Demand	Unpredictable, short-term, no commitment	Highest flexibility
Savings Plans	Steady compute usage	Flexible discount model based on committed spend
Reserved Instances	Predictable instance usage	Capacity/discount characteristics vary by type
Spot Instances	Fault-tolerant, interruptible workloads	Design for interruption; use mixed instance policies
Dedicated Hosts	License-bound workloads, host-level visibility	Useful for compliance or software licensing constraints
Dedicated Instances	Physical isolation at instance level	Less host-level control than Dedicated Hosts
Capacity Reservations	Need capacity assurance in an AZ	Capacity assurance does not automatically reduce cost

Storage Reference

Storage Service Selection

Requirement	Choose	Why
Durable object storage, static assets, data lake	S3	Object storage, lifecycle policies, replication, event notifications
Block storage for EC2	EBS	Persistent block volumes in an AZ
Temporary high-performance local disk	Instance store	Ephemeral storage tied to instance lifecycle
Shared Linux file system	EFS	Managed NFS, multi-AZ regional file system
Windows SMB file shares	FSx for Windows File Server	Managed Windows-native file storage
High-performance file system for HPC/ML	FSx for Lustre	High-throughput file processing, integrates with S3
NetApp ONTAP-compatible features	FSx for NetApp ONTAP	Enterprise file workloads, snapshots, multiprotocol access
Long-term archival object storage	S3 Glacier storage classes	Archive cost optimization with retrieval tradeoffs
On-premises file gateway to cloud-backed storage	AWS Storage Gateway	Hybrid access to AWS-backed storage

Amazon S3 Quick Decisions

Feature	Use for	Notes
Versioning	Protect against overwrite/delete	Often paired with lifecycle and replication
Lifecycle policies	Move/expire objects by age or prefix/tag	Common cost-optimization answer
S3 Intelligent-Tiering	Unknown or changing access patterns	Optimizes tiering without manual class selection
S3 Standard-IA	Infrequently accessed but rapid retrieval needed	Has retrieval cost considerations
S3 One Zone-IA	Re-creatable infrequently accessed data	Lower resilience than multi-AZ storage classes
S3 Glacier Instant Retrieval	Archive data needing immediate access	Higher access speed than deeper archive classes
S3 Glacier Flexible Retrieval / Deep Archive	Long-term archive	Retrieval time and access frequency matter
Cross-Region Replication	Region-level resilience, compliance, lower-latency reads	Requires versioning; plan KMS permissions if encrypted
Same-Region Replication	Same-Region copies, log aggregation, account separation	Not a Region-level DR solution
S3 Object Lock	WORM retention and legal hold patterns	Requires careful bucket/versioning design
S3 Transfer Acceleration	Faster long-distance uploads to S3	Uses AWS edge network
S3 presigned URLs	Temporary object access	Access limited by signing credentials and expiration
S3 access points	Manage access at scale for shared buckets	Useful for different apps/teams needing distinct policies

EBS, EFS, and Instance Store

Choice	Persistence	Scope	Best for	Trap
EBS	Persistent	AZ	EC2 boot/data volumes, databases on EC2	Volume is AZ-scoped; snapshots support restore/copy workflows
EFS	Persistent	Regional, multi-AZ	Shared Linux file storage	Not block storage; use NFS-compatible clients
Instance store	Ephemeral	Instance hardware	Caches, scratch data, temporary buffers	Data lost on stop/terminate or hardware failure events
FSx	Persistent	Service-dependent	Specialized file workloads	Choose the FSx family based on protocol/application

Database and Analytics Selection

Database Decision Table

Requirement	Choose	Why	Watch for
Managed relational database	RDS	MySQL, PostgreSQL, MariaDB, Oracle, SQL Server options	You still choose instance/storage/scaling patterns
Higher-performance managed relational, cloud-native	Aurora	Compatible with MySQL/PostgreSQL, managed replication/storage	Aurora Replicas help read scale and availability
Serverless relational scaling	Aurora Serverless	Variable or intermittent relational workloads	Confirm relational requirement; otherwise DynamoDB may fit
Multi-AZ relational failover	RDS Multi-AZ or Aurora HA design	Availability and automatic failover	Not primarily for read scaling
Read-heavy relational workload	Read replicas	Offload reads	Replication lag can occur; not synchronous failover by default
Key-value or document access at massive scale	DynamoDB	Serverless NoSQL, predictable access patterns	Model access patterns first; avoid relational joins
Microsecond read cache for DynamoDB	DAX	Read-heavy DynamoDB workloads	DAX is not a general cache for RDS
In-memory cache/session store	ElastiCache	Redis OSS or Memcached-compatible caching	Cache invalidation and persistence differ by engine
Data warehouse / BI analytics	Redshift	Columnar analytics and SQL over large datasets	Not for OLTP transactional workloads
Search and log analytics	OpenSearch Service	Full-text search, observability analytics	Not a primary relational database
Graph relationships	Neptune	Highly connected data	Choose only when graph queries are central
Time-series data	Timestream	Metrics, IoT, time-series workloads	Not a general-purpose OLTP database
MongoDB-compatible managed database	DocumentDB	Document workloads needing MongoDB compatibility	Check compatibility requirements conceptually
Ledger / immutable journal	QLDB	Verifiable transaction log	Not a general blockchain network

RDS and Aurora Exam Traps

Concept	Correct distinction
Multi-AZ	High availability/failover across AZs; standby is not normally used for application reads in traditional RDS Multi-AZ designs.
Read replica	Read scaling and some DR patterns; asynchronous replication; can be promoted.
Automated backups	Point-in-time restore capability within configured retention; separate from manual snapshots.
Manual snapshot	User-managed backup artifact; persists until deleted.
Storage autoscaling	Handles storage growth; does not replace compute scaling decisions.
Aurora cluster endpoint	Writer endpoint for primary instance.
Aurora reader endpoint	Load-balances read connections across replicas.
Aurora Global Database	Cross-Region read scaling and DR pattern for Aurora workloads.

DynamoDB Quick Reference

Feature	Use when	Notes
Partition key	Direct key-value lookups	Good key design prevents hot partitions
Sort key	Range queries and item collections	Enables composite primary key patterns
Global secondary index	Query by alternative partition/sort key	Separate throughput/capacity considerations depending on mode
Local secondary index	Alternate sort key with same partition key	Defined at table creation
On-demand capacity	Unpredictable or spiky traffic	Simpler capacity management
Provisioned capacity	Predictable traffic	Can use auto scaling
DynamoDB Streams	React to item-level changes	Often paired with Lambda
TTL	Expire items automatically	Expiration is not guaranteed to be immediate
Global Tables	Multi-Region active-active table replication	Conflict handling and application design matter
Transactions	ACID operations across items	Useful when multi-item consistency is required
DAX	Read-through cache	Best for read-heavy, eventually consistent access patterns

Networking and Connectivity

VPC Building Blocks

Component	Purpose	Exam notes
VPC	Isolated virtual network	CIDR planning matters; avoid overlap for peering/VPN/TGW
Public subnet	Subnet with route to internet gateway	Public IP plus route enables inbound internet path
Private subnet	No direct route to internet gateway	Outbound internet usually through NAT for IPv4
Internet gateway	VPC internet connectivity	Horizontally scaled AWS-managed gateway
NAT gateway	Outbound IPv4 internet from private subnets	Place per-AZ for AZ resilience; route private subnets appropriately
Egress-only internet gateway	Outbound-only IPv6	IPv6 does not use NAT in the same way
Route table	Determines traffic path	Most specific route wins
Security group	Stateful instance/ENI firewall	Allows only; return traffic automatically allowed
Network ACL	Stateless subnet firewall	Allow and deny; inbound and outbound rules evaluated separately
VPC Flow Logs	Network metadata logs	Useful for traffic troubleshooting, not packet payload capture

Security Group vs NACL

Feature	Security group	Network ACL
Scope	ENI/instance level	Subnet level
State	Stateful	Stateless
Rules	Allow rules only	Allow and deny rules
Return traffic	Automatically allowed	Must be explicitly allowed
Evaluation	All rules considered	Ordered by rule number
Common use	Application access control	Broad subnet guardrails or explicit deny patterns

VPC Endpoint Selection

Endpoint type	Supports	Choose when
Gateway endpoint	S3, DynamoDB	Private access from VPC without internet/NAT for these services
Interface endpoint	Many AWS services and partner/private services	PrivateLink-powered ENI with private IPs
Gateway Load Balancer endpoint	Network appliances	Transparent traffic inspection through GWLB
Endpoint policy	Access control at endpoint	Restrict which principals/actions/resources can use endpoint

Hybrid and Multi-VPC Connectivity

Requirement	Choose	Notes
Simple private connection between two VPCs	VPC peering	Non-transitive; CIDRs cannot overlap
Many VPCs/accounts needing hub-and-spoke routing	Transit Gateway	Centralized routing at scale
Private service exposure without VPC peering	AWS PrivateLink	Provider exposes endpoint service; consumer uses interface endpoint
Encrypted connection over internet to on-premises	Site-to-Site VPN	Faster to deploy than dedicated private connectivity
Dedicated private connectivity	AWS Direct Connect	Often paired with VPN for encryption/backup patterns
Client remote access to VPC	AWS Client VPN	User-to-VPC VPN access
Central DNS resolution hybrid	Route 53 Resolver endpoints	Inbound/outbound DNS between VPC and on-premises

Edge and DNS

Service / feature	Choose for	Key distinction
Route 53 simple routing	Single target	No advanced routing logic
Route 53 weighted routing	Controlled traffic split	Blue/green, canary, gradual migrations
Route 53 latency routing	Lowest-latency Region	Based on user location and latency measurements
Route 53 failover routing	Active-passive DNS failover	Uses health checks
Route 53 geolocation routing	Route by user geography	Compliance/localization patterns
Route 53 geoproximity routing	Route based on location with bias	Requires traffic flow concepts
CloudFront	Cache HTTP(S), edge delivery, TLS, WAF integration	Content distribution and origin protection
Global Accelerator	Static anycast IPs, global routing for TCP/UDP	No content caching
AWS WAF	Layer 7 web filtering	Attach to CloudFront, ALB, API Gateway, AppSync where supported
AWS Shield	DDoS protection	Standard protection is automatic; advanced protection is for higher-level needs

Application Integration and Messaging

Service	Pattern	Choose when	Trap
SQS Standard	Queue, at-least-once delivery	Decouple producers/consumers, maximize throughput	Order is best-effort; duplicates possible
SQS FIFO	Ordered queue	Strict ordering and deduplication are required	Throughput and design differ from Standard
SQS dead-letter queue	Failure isolation	Capture messages after repeated processing failures	DLQ does not fix root cause; monitor it
SNS	Pub/sub push notifications	Fanout to many subscribers	Subscribers receive pushed messages; not a pull queue
EventBridge	Event bus/routing	SaaS/AWS/app events, rules, event-driven architectures	More routing semantics than SNS
Step Functions	Workflow orchestration	Multi-step processes, retries, branching, human/task integration	Better than custom retry-state code in Lambda
Kinesis Data Streams	Real-time streaming ingestion	Custom consumers, ordered shard processing	Consumer app manages stream processing
Kinesis Data Firehose	Delivery stream	Load streaming data to S3, Redshift, OpenSearch, third-party targets	Less custom consumer control than Data Streams
Amazon MQ	Managed message broker	Need ActiveMQ/RabbitMQ compatibility	Prefer SQS/SNS for cloud-native decoupling
API Gateway	Managed API front door	Auth, throttling, usage plans, Lambda/private integrations	ALB may be simpler for HTTP routing to containers/EC2
AppSync	GraphQL APIs	Real-time/mobile GraphQL patterns	Not a generic REST API gateway

Security, Identity, and Governance

IAM Policy Evaluation Essentials

Control	What it does	Exam distinction
Identity-based policy	Grants permissions to IAM users/groups/roles	Attached to identity
Resource-based policy	Grants access on a resource	Common for S3, KMS, SQS, SNS, Lambda
IAM role	Temporary credentials assumed by trusted principal	Best for EC2/Lambda/service access; avoid long-term keys
Trust policy	Defines who can assume a role	Does not define what the role can do after assumption
Permissions boundary	Maximum permissions for an identity	Does not grant permissions
SCP	Maximum permissions for accounts/OUs in AWS Organizations	Does not grant permissions; affects member accounts
Session policy	Limits temporary session permissions	Further restricts role session
Explicit deny	Overrides allows	Key policy evaluation rule
ABAC	Attribute/tag-based access control	Useful for scalable team/project access

Security Service Selection

Need	Choose	Why
API activity audit	CloudTrail	Management events, data events where enabled
Resource configuration history/compliance	AWS Config	Tracks configuration changes and rules
Threat detection	GuardDuty	Analyzes logs/signals for suspicious activity
Vulnerability assessment	Inspector	EC2, container image, and Lambda vulnerability findings where supported
Sensitive data discovery in S3	Macie	Identifies and classifies sensitive data
Security findings aggregation	Security Hub	Central view mapped to standards
Investigation and behavior analysis	Detective	Helps analyze relationships behind findings
Web request filtering	AWS WAF	SQL injection/XSS rules, IP sets, rate-based rules
DDoS protection	AWS Shield	Protects against DDoS; advanced tier for enhanced protections
Central firewall policy	Firewall Manager	Multi-account security policy management
Network firewalling	AWS Network Firewall	Managed network traffic filtering
Certificate provisioning	ACM	Public/private TLS certificates for supported integrations
Key management	KMS	Managed keys, envelope encryption, audit integration
Dedicated HSM control	CloudHSM	Single-tenant hardware security modules
Secrets rotation	Secrets Manager	Secrets storage with rotation support
Parameter/config storage	Systems Manager Parameter Store	Config values and simple secure strings
Workforce federation	IAM Identity Center	Centralized access to AWS accounts/apps
App user identity	Cognito	User pools and identity pools for applications

Encryption and Key Management

Scenario	Preferred pattern
Encrypt S3 with AWS-managed simplicity	SSE-S3
Need KMS audit/control/key policies	SSE-KMS
Client controls encryption before upload	Client-side encryption
Database encryption at rest	Enable service-native KMS integration
TLS for public endpoint	ACM certificate on ALB, CloudFront, API Gateway, etc.
Rotate database credentials	Secrets Manager rotation where supported
Cross-account KMS use	Key policy plus IAM permission; both sides must allow

Minimal Policy Pattern Examples

Deny non-TLS access to an S3 bucket:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:*",
  "Resource": [
    "arn:aws:s3:::example-bucket",
    "arn:aws:s3:::example-bucket/*"
  ],
  "Condition": {
    "Bool": {
      "aws:SecureTransport": "false"
    }
  }
}

Role trust policy concept for an AWS service assuming a role:

{
  "Effect": "Allow",
  "Principal": {
    "Service": "ec2.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}

Resilience, High Availability, and Disaster Recovery

Resilience Pattern Selection

Requirement	Architecture pattern
Survive instance failure	Auto Scaling group, ELB health checks, stateless app design
Survive AZ failure	Multi-AZ subnets, load balancer across AZs, replicated data tier
Survive Region failure	Multi-Region DR: backup/restore, pilot light, warm standby, or active-active
Stateless web tier	Store session state outside instances: DynamoDB, ElastiCache, external identity/session store
Relational HA	RDS Multi-AZ, Aurora replicas/cluster design
Global read performance	CloudFront, DynamoDB Global Tables, Aurora Global Database, multi-Region read replicas where appropriate
Async task resilience	SQS with DLQ, idempotent consumers, retries with backoff
Workflow resilience	Step Functions retries/catches/timeouts
Object durability and recovery	S3 versioning, replication, Object Lock, lifecycle policies

DR Strategy Comparison

Strategy	Cost	RTO/RPO posture	Use when
Backup and restore	Lowest	Slowest recovery	Non-critical workloads, cost-sensitive DR
Pilot light	Low to moderate	Faster than restore	Core infrastructure replicated; scale up during disaster
Warm standby	Moderate	Faster recovery	Scaled-down full environment always running
Active-active	Highest	Fastest failover	Mission-critical global workloads needing continuous service

Common Availability Traps

Trap	Correct reasoning
“Use one larger EC2 instance for reliability”	Use multiple instances across AZs behind a load balancer.
“Use read replica for automatic HA”	Use Multi-AZ for automatic relational failover; replicas are mainly for read scale and DR options.
“Put NAT gateway in one AZ for all private subnets”	Works, but creates cross-AZ dependency; prefer AZ-aligned NAT for resilient designs.
“Store sessions on EC2 local disk”	Breaks stateless scaling and replacement; externalize session state.
“Only snapshots meet strict DR”	Strict RTO/RPO may require warm standby or active-active design.

Monitoring, Logging, and Operations

Need	Choose	Notes
Metrics and alarms	CloudWatch Metrics and Alarms	CPU, latency, errors, custom metrics
Application/system logs	CloudWatch Logs	Central log storage, metric filters, insights queries
Event routing from AWS services	EventBridge	Former CloudWatch Events patterns now generally EventBridge
Distributed tracing	X-Ray	Trace requests across services
API audit	CloudTrail	Who did what, when, from where
Configuration compliance	AWS Config	Rules, conformance packs, change history
Network traffic metadata	VPC Flow Logs	ENI/subnet/VPC-level flow records
Load balancer request logs	ELB access logs	Request-level traffic analysis
S3 object-level access audit	CloudTrail data events, S3 server access logs where appropriate	Know difference from management events
Patch/config management	Systems Manager	Run Command, Patch Manager, Session Manager, Inventory
No-SSH instance access	Systems Manager Session Manager	Avoids opening inbound SSH when configured properly
Infrastructure as code	CloudFormation, CDK	Repeatable deployments and drift management

Migration and Hybrid Architecture

Requirement	Service / pattern	Notes
Database migration with minimal downtime	AWS DMS	Homogeneous or heterogeneous migrations; use SCT for schema conversion where needed
Schema conversion	AWS Schema Conversion Tool	Helps convert database schemas between engines
Online file/data transfer	DataSync	Moves data between on-premises, AWS storage services, and edge locations
Large offline/edge data movement	AWS Snow Family	Physical devices for migration, edge compute, disconnected environments
SFTP/FTPS/FTP managed transfer	AWS Transfer Family	Managed file transfer backed by S3 or EFS
Hybrid storage cache/gateway	Storage Gateway	File, volume, and tape gateway patterns
App discovery for migration	AWS Application Discovery Service	Inventory and dependency data
Migration tracking	AWS Migration Hub	Central migration progress visibility
VMware workloads in AWS	VMware Cloud on AWS	Rehost VMware-based environments
Mainframe modernization	AWS Mainframe Modernization	Specialized modernization use cases

Cost Optimization Reference

Area	High-yield choices
Compute purchasing	Match steady usage to Savings Plans/Reserved Instances; use Spot for fault-tolerant work; use On-Demand for flexibility.
EC2 sizing	Use Auto Scaling, Compute Optimizer, metrics, and right-sizing.
Storage	S3 lifecycle policies, Intelligent-Tiering for unknown access, delete unused EBS volumes/snapshots, choose correct EBS type.
Data transfer	Keep chatty components in same AZ when appropriate, use CloudFront for cacheable content, understand NAT/data processing implications conceptually.
Databases	Use read replicas/caching for read pressure, right-size instances, use Aurora/DynamoDB scaling features when suitable.
Serverless	Good for variable workloads; monitor duration, memory, requests, and downstream costs.
Governance	AWS Budgets, Cost Explorer, cost allocation tags, Organizations consolidated billing, CUR for detailed reporting.
Trusted Advisor	Cost, security, fault tolerance, performance, and service quota checks depending on support plan features.

Keyword Decoder for Exam Questions

Keywords in question	Likely answer direction
“Decouple,” “buffer,” “consumer unavailable”	SQS
“Fanout to multiple subscribers”	SNS, often SNS to SQS queues
“Route events from SaaS/AWS services”	EventBridge
“Coordinate multiple steps with retries”	Step Functions
“No servers,” “event-driven function”	Lambda
“Containers without managing instances”	ECS on Fargate
“Kubernetes”	EKS
“Shared file system for Linux EC2 instances”	EFS
“SMB file shares / Windows users”	FSx for Windows File Server
“Static website hosting”	S3 plus CloudFront if edge/cache/TLS/custom domain patterns apply
“Global content cache”	CloudFront
“Static anycast IPs, TCP/UDP acceleration”	Global Accelerator
“Private access to S3 without NAT”	S3 gateway endpoint
“Private access to AWS APIs in VPC”	Interface endpoint
“Central hub for many VPCs”	Transit Gateway
“Non-transitive VPC connection”	VPC peering
“Audit user/API actions”	CloudTrail
“Configuration drift/compliance”	AWS Config
“Detect compromised credentials or suspicious traffic”	GuardDuty
“Find sensitive data in S3”	Macie
“Managed Microsoft AD”	AWS Directory Service
“Temporary AWS credentials”	IAM role / STS
“Maximum permissions guardrail across accounts”	SCP
“Web SQL injection/XSS protection”	AWS WAF
“DDoS protection”	AWS Shield
“Encrypt and control keys”	KMS
“Rotate database password”	Secrets Manager

Common SAA-C03 Architecture Traps

Trap	Better exam answer
Choosing EC2 for every workload	Prefer managed/serverless when the requirement values low operations.
Confusing horizontal and vertical scaling	Horizontal adds instances/tasks; vertical changes instance size.
Assuming Multi-AZ means multi-Region	AZs are inside a Region; Region failure needs multi-Region design.
Using NACLs as primary app security	Security groups are usually primary workload firewalls; NACLs are subnet-level guardrails.
Opening SSH/RDP to the internet	Prefer Session Manager, bastion with restrictions, VPN, or private access patterns.
Storing credentials in code/user data	Use IAM roles, Secrets Manager, Parameter Store.
Using NAT gateway for private access to S3/DynamoDB	Gateway endpoints can avoid public internet/NAT for S3/DynamoDB access.
Using CloudTrail for performance metrics	Use CloudWatch for metrics/logs; CloudTrail for API audit.
Using Config for threat detection	Use GuardDuty for threat detection; Config for resource compliance/history.
Using S3 as a mounted POSIX file system	Use EFS/FSx for file semantics; S3 is object storage.
Using EBS for multi-instance shared storage	Use EFS/FSx unless the scenario specifically supports a clustered block design.
Treating SQS as synchronous messaging	SQS is asynchronous pull-based decoupling.
Ignoring idempotency	Retries and at-least-once delivery require idempotent processing.
Picking active-active DR for all systems	Match DR strategy to RTO/RPO and cost constraints.

Last-Minute Review Checklist

Can you choose between ALB, NLB, and GWLB from protocol and routing requirements?
Can you explain public vs private subnet routing, NAT gateway, internet gateway, and VPC endpoints?
Can you distinguish security groups from NACLs without hesitation?
Can you select S3, EBS, EFS, FSx, or instance store from storage semantics?
Can you distinguish RDS Multi-AZ, read replicas, Aurora replicas, and Aurora Global Database?
Can you choose DynamoDB, DAX, ElastiCache, Redshift, OpenSearch, and Neptune by workload type?
Can you pick SQS, SNS, EventBridge, Kinesis, and Step Functions by integration pattern?
Can you identify when IAM roles, resource policies, permission boundaries, and SCPs apply?
Can you map CloudWatch, CloudTrail, Config, GuardDuty, Inspector, Macie, and Security Hub to their jobs?
Can you select backup/restore, pilot light, warm standby, or active-active based on DR requirements?
Can you spot cost-optimization cues without sacrificing required availability or security?

Practical Next Step

Use this Quick Reference to drill scenario questions: for each practice item, identify the required quality attribute first, eliminate services that violate it, then choose the simplest managed AWS design that satisfies security, resilience, performance, and cost constraints for the AWS Certified Solutions Architect – Associate (SAA-C03).

Scenario Guide

Design Secure Architectures