Level: intermediate · Exam: SAA-C03 · Prep time: 8–10 weeks · 8 min read

SAA-C03: AWS Solutions Architect Associate — Study Guide

Complete study guide for the AWS SAA-C03 Solutions Architect Associate exam — the most popular AWS certification. Covers EC2, VPC, S3, RDS, HA architecture, IAM, and cost optimisation.

Tags: aws, saa-c03, solutions-architect, intermediate, amazon, ec2, vpc, s3, rds, high-availability

Domains: 9 · Key concepts: 16 · Study time: 8–10 weeks

Exam Overview

| Detail | Info |
|---|---|
| Exam code | SAA-C03 |
| Duration | 130 minutes |
| Questions | 65 (scenario-based multiple choice, multiple response) |
| Passing score | 720 / 1000 |
| Cost | $150 USD |
| Validity | 3 years |
| Audience | Cloud architects, engineers designing AWS solutions |

Domain Weightings

| Domain | Weight |
|---|---|
| Design Resilient Architectures | 26% |
| Design High-Performing Architectures | 24% |
| Design Secure Applications and Architectures | 30% |
| Design Cost-Optimised Architectures | 20% |

Domain 1: Resilient Architectures (26%)

High Availability with EC2

  • Availability Zones — deploy across ≥2 AZs for HA.
  • Auto Scaling Groups (ASG) — maintain desired capacity; replace unhealthy instances; scale in/out based on policies.
  • Elastic Load Balancers — distribute traffic across healthy instances.

| ELB type | Layer | Use case |
|---|---|---|
| ALB (Application) | Layer 7 | HTTP/HTTPS, path/host routing, WebSockets |
| NLB (Network) | Layer 4 | Ultra-low latency, TCP/UDP, static IP |
| GWLB (Gateway) | Layer 3 | Virtual appliances (firewalls, IDS) |

Database resilience

  • RDS Multi-AZ — synchronous standby replica; automatic failover in ~1 minute; for HA (not read scaling).
  • RDS Read Replicas — asynchronous copies; for read scaling; can be in different regions.
  • Aurora — up to 6 copies across 3 AZs, auto-repair; up to 15 read replicas; Global Database for cross-region.
  • DynamoDB — serverless NoSQL; multi-AZ by default; Global Tables for active-active multi-region.

Decoupling with messaging

  • SQS (Simple Queue Service) — message queue; decouple producers and consumers; at-least-once delivery. Standard (unordered) vs FIFO (ordered, exactly-once).
  • SNS (Simple Notification Service) — pub/sub fan-out; sends to multiple subscribers (SQS, Lambda, email, HTTP).
  • EventBridge — event bus; route events from AWS services to targets.

Disaster recovery strategies

| Strategy | RTO | RPO | Cost |
|---|---|---|---|
| Backup & Restore | Hours | Hours | Lowest |
| Pilot Light | ~10 min | Minutes | Low |
| Warm Standby | Minutes | Seconds | Medium |
| Multi-Site Active/Active | Near zero | Near zero | Highest |

Domain 2: High-Performing Architectures (24%)

Caching

  • ElastiCache (Redis/Memcached) — in-memory cache for database query results, session store.
  • CloudFront — CDN; cache static and dynamic content at edge locations globally; TTL-based invalidation.
  • DynamoDB Accelerator (DAX) — in-memory cache specifically for DynamoDB; microsecond latency.

Storage performance

| Storage | IOPS | Use case |
|---|---|---|
| EBS gp3 | Up to 16,000 | General purpose, recommended default |
| EBS io2 | Up to 64,000 | High-performance databases |
| EBS st1 | Throughput-optimised | Big data, data warehouses |
| Instance Store | Very high | Ephemeral, temporary data, caching |
| EFS | Scales automatically | Shared file system across EC2 instances |
| FSx for Lustre | Millions of IOPS | HPC, ML training |

Serverless and event-driven

  • Lambda — run code without servers; up to 15 minutes; triggers: API Gateway, S3, DynamoDB Streams, SQS, SNS.
  • Fargate — serverless containers; no cluster management.
  • API Gateway — managed API endpoint; integrate with Lambda, HTTP backends, AWS services.

Domain 3: Secure Architectures (30%)

IAM deep dive

  • Policies — identity-based (attached to user/role), resource-based (attached to resource like S3 bucket), session policies.
  • Evaluation logic: explicit Deny > explicit Allow > implicit Deny.
  • Cross-account access — role in Account B; Account A assumes it via STS AssumeRole.
  • Service roles — IAM roles assumed by AWS services (EC2 instance profile, Lambda execution role).
  • Permission boundaries — set max permissions; even if policy grants more, boundary caps it.
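The evaluation order in the bullets above (explicit Deny beats explicit Allow, which beats implicit Deny, with a permission boundary capping identity-based grants) is easier to remember once you have stepped through it. The following is an added example, not code from the study guide or an AWS library: a deliberately simplified same-account evaluator that only understands Effect, Action, Resource and Principal (no Condition, NotAction, SCPs or session policies). The account id, role name and bucket names are constructed.

```python
# Added example (not from the study guide): a simplified model of the IAM
# evaluation order for same-account requests. Real IAM also handles Condition,
# NotAction/NotResource, SCPs and session policies; this toy keeps only
# Effect/Action/Resource/Principal so the ordering itself is visible.
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats * and ? as wildcards in Action and Resource elements.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    # Identity-based policies carry no Principal element; resource-based ones do.
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    return principal_arn in _as_list(principal.get("AWS", []))


def policy_decision(policy, action, resource, principal_arn):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document.

    Inside a single policy an explicit Deny wins over any Allow.
    """
    decision = None
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate(action, resource, principal_arn,
             identity_policies=(), resource_policies=(), boundary=None):
    """Explicit Deny > explicit Allow > implicit Deny, with a permission
    boundary capping what identity-based policies may grant."""
    identity = [policy_decision(p, action, resource, principal_arn) for p in identity_policies]
    resource_based = [policy_decision(p, action, resource, principal_arn) for p in resource_policies]
    boundary_decision = policy_decision(boundary, action, resource, principal_arn) if boundary else None

    # 1. Any explicit Deny (identity, resource-based or boundary policy) is final.
    if "Deny" in identity or "Deny" in resource_based or boundary_decision == "Deny":
        return "Deny (explicit)"
    # 2. A same-account resource-based Allow is sufficient on its own.
    if "Allow" in resource_based:
        return "Allow (resource-based policy)"
    # 3. An identity-based Allow must also fall inside the boundary, if one is set.
    if "Allow" in identity:
        if boundary and boundary_decision != "Allow":
            return "Deny (implicit: outside permission boundary)"
        return "Allow (identity-based policy)"
    # 4. Nothing granted the action: the default implicit Deny.
    return "Deny (implicit)"


# Constructed sample policies (hypothetical account id, role and bucket names).
DEV_ROLE = "arn:aws:iam::111122223333:role/dev-role"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
]}
SHARED_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_ROLE}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::shared-bucket/*"},
]}


def demo(action, resource):
    """Evaluate one request for dev-role against the sample policies."""
    return evaluate(action, resource, DEV_ROLE,
                    identity_policies=[IDENTITY_POLICY],
                    resource_policies=[SHARED_BUCKET_POLICY],
                    boundary=BOUNDARY)


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:PutObjectAcl", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::shared-bucket/data.json"),
        ("ec2:StartInstances", "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc"),
    ]:
        print(f"{action:20} {resource:60} -> {demo(action, resource)}")
```

The `s3:PutObjectAcl` case is the one to remember for the exam: the identity policy's `s3:*` grants it, nothing denies it explicitly, yet the boundary does not list it, so the result is an implicit Deny.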

Network security

  • Security Groups — stateful, instance-level, allow-only rules.
  • NACLs — stateless, subnet-level, allow + deny rules; rule number evaluated in order.
  • VPC Flow Logs — capture IP traffic for audit and troubleshooting.
  • AWS WAF — Layer 7 web application firewall (ALB, CloudFront, API Gateway).
  • AWS Shield — DDoS protection. Standard (free) + Advanced.
  • AWS Network Firewall — stateful, managed firewall for VPC perimeter.
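The Security Group vs NACL bullets above (and the same contrast in the Common Exam Traps section) come down to two different evaluation models: a NACL walks numbered rules in ascending order with no memory of connections, while a Security Group only has allow rules but tracks flows so replies get back in. The block below is an added example, not code from the study guide or from AWS: a toy packet filter that implements both models and runs a constructed scenario (an instance at 10.0.1.25 calling an external HTTPS endpoint at 203.0.113.10) through each. It shows why the NACL needs an inbound rule for the ephemeral port range while the Security Group does not.

```python
# Added example (not from the study guide): toy models of the two filter
# styles. NACL = stateless, numbered rules, first match wins, trailing "*" deny.
# Security Group = stateful, allow-only rules plus connection tracking.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", seen from the subnet/instance being protected
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    proto: str
    cidr: str
    ports: range   # destination port range, e.g. range(443, 444)
    action: str    # "allow" or "deny"


def _peer(pkt):
    # The address a rule's CIDR is checked against: the remote side of the packet.
    return pkt.src if pkt.direction == "in" else pkt.dst


def nacl_decision(rules, pkt):
    """Stateless NACL: lowest rule number first, first match wins,
    otherwise the implicit '*' deny. Returns (action, rule_number)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != pkt.direction or rule.proto != pkt.proto:
            continue
        if ipaddress.ip_address(_peer(pkt)) not in ipaddress.ip_network(rule.cidr):
            continue
        if pkt.dport not in rule.ports:
            continue
        return rule.action, rule.number
    return "deny", "*"


class SecurityGroup:
    """Stateful, allow-only filter with connection tracking."""

    def __init__(self, inbound, outbound):
        # Each rule is (proto, cidr, port_range); there are no deny rules.
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()  # (proto, peer_ip, peer_port, local_port) allowed so far

    def decision(self, pkt):
        if pkt.direction == "out":
            key, rules = (pkt.proto, pkt.dst, pkt.dport, pkt.sport), self.outbound
        else:
            key, rules = (pkt.proto, pkt.src, pkt.sport, pkt.dport), self.inbound
        if key in self._flows:
            return "allow (tracked reply)"   # reply to a flow we already allowed
        for proto, cidr, ports in rules:
            if (proto == pkt.proto
                    and ipaddress.ip_address(_peer(pkt)) in ipaddress.ip_network(cidr)
                    and pkt.dport in ports):
                self._flows.add(key)         # remember the flow so its reply is accepted
                return "allow (rule)"
        return "deny (no matching allow rule)"


# Constructed scenario: instance 10.0.1.25 opens HTTPS to 203.0.113.10 from an
# ephemeral source port; later an unsolicited SSH attempt arrives from elsewhere.
REQUEST = Packet("out", "tcp", "10.0.1.25", 50123, "203.0.113.10", 443)
REPLY = Packet("in", "tcp", "203.0.113.10", 443, "10.0.1.25", 50123)
UNSOLICITED_SSH = Packet("in", "tcp", "198.51.100.7", 41000, "10.0.1.25", 22)

NACL_OUT_ONLY = [NaclRule(100, "out", "tcp", "0.0.0.0/0", range(443, 444), "allow")]
NACL_WITH_EPHEMERAL = NACL_OUT_ONLY + [
    NaclRule(100, "in", "tcp", "0.0.0.0/0", range(1024, 65536), "allow"),
]


def nacl_walkthrough():
    return {
        "request (out rule only)": nacl_decision(NACL_OUT_ONLY, REQUEST),
        "reply (out rule only)": nacl_decision(NACL_OUT_ONLY, REPLY),
        "reply (with ephemeral rule)": nacl_decision(NACL_WITH_EPHEMERAL, REPLY),
        "ssh (with ephemeral rule)": nacl_decision(NACL_WITH_EPHEMERAL, UNSOLICITED_SSH),
    }


def sg_walkthrough():
    sg = SecurityGroup(inbound=[], outbound=[("tcp", "0.0.0.0/0", range(443, 444))])
    return {"request": sg.decision(REQUEST),
            "reply": sg.decision(REPLY),
            "ssh": sg.decision(UNSOLICITED_SSH)}


if __name__ == "__main__":
    for name, result in {**nacl_walkthrough(), **sg_walkthrough()}.items():
        print(f"{name:30} -> {result}")
```

With only the outbound 443 rule, the NACL drops the HTTPS reply at the implicit `*` rule; adding inbound rule 100 for 1024-65535 lets it through, while SSH on port 22 still falls to the deny. The Security Group with no inbound rules at all accepts the same reply because it tracked the outbound request.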

Encryption

  • KMS — managed key service; CMKs for fine-grained control.
  • S3 encryption — SSE-S3 (AWS manages), SSE-KMS (CMK), SSE-C (customer key), client-side.
  • EBS encryption — encrypt at rest with KMS; encrypted snapshots; cannot convert an unencrypted volume to encrypted in-place (snapshot → copy the snapshot with encryption → create a new volume).
  • RDS encryption — enable at creation; cannot encrypt existing unencrypted DB (snapshot → copy encrypted → restore).

S3 security

  • Block Public Access — account- or bucket-level guardrail that overrides any permissive bucket policy/ACL.
  • Bucket policies — resource-based JSON policies; apply to any principal.
  • VPC endpoints — S3 gateway endpoint keeps traffic within AWS network.
  • MFA Delete — can only be enabled by the bucket owner (root); requires an MFA code to permanently delete versioned objects or change the bucket's versioning state.

Domain 4: Cost-Optimised Architectures (20%)

EC2 pricing models

| Model | Best for | Savings vs On-Demand |
|---|---|---|
| On-Demand | Unpredictable, short-term | Baseline |
| Reserved 1yr | Steady-state workloads | ~40% |
| Reserved 3yr | Very stable long-term | ~60% |
| Savings Plans | Flexible committed spend | ~66% |
| Spot | Fault-tolerant, batch, flexible timing | ~90% |

Storage cost optimisation

  • S3 Intelligent-Tiering — auto-tier based on access patterns; no retrieval fee; monitoring fee per object.
  • S3 Lifecycle policies — automate tier transitions.
  • EBS — use gp3 over gp2 (same performance, 20% cheaper); delete unattached volumes.
  • Snapshots — incremental; use Data Lifecycle Manager for automated rotation.

Architecture cost patterns

  • Lambda + API Gateway vs EC2 — Lambda can be cheaper for irregular traffic; EC2 better for constant load.
  • NAT Gateway — charged per GB; for very high egress, consider NAT Instance.
  • Data transfer — egress to internet charged; within same AZ free; between AZs charged.
  • Reserved Capacity — commit to RDS, ElastiCache, Redshift instances for 1–3 years.

Must-Know Services for SAA-C03

Route 53 routing policies

| Policy | Use case |
|---|---|
| Simple | Single resource |
| Weighted | A/B testing, traffic split |
| Latency | Route to lowest-latency region |
| Failover | Primary/secondary with health checks |
| Geolocation | Route by country/continent |
| Geoproximity | Route by distance (with bias) |
| Multi-Value | Up to 8 healthy random records |

S3 essentials

  • Versioning — preserve all object versions; MFA delete for extra protection.
  • Replication — CRR (cross-region) and SRR (same-region); requires versioning on both buckets.
  • Pre-signed URLs — time-limited access without making bucket public.
  • Transfer Acceleration — uses CloudFront edge locations to accelerate uploads.

VPC essentials

  • Subnets: public (route to IGW) vs private (route to NAT Gateway).
  • VPC Peering: connect two VPCs (no transitive routing).
  • VPC Endpoints: gateway (S3, DynamoDB — free) and interface (all others — charged).
  • Transit Gateway: hub-and-spoke; connect many VPCs and on-premises.

Study Plan (8–10 Weeks)

| Weeks | Focus |
|---|---|
| 1–2 | EC2, IAM, VPC fundamentals |
| 3 | S3, EBS, EFS, storage options |
| 4 | RDS, Aurora, DynamoDB, ElastiCache |
| 5 | Load balancers, Auto Scaling, Route 53 |
| 6 | CloudFront, Lambda, API Gateway, SQS/SNS |
| 7 | Security: KMS, WAF, Shield, IAM policies |
| 8 | Cost optimisation, Savings Plans, Reserved |
| 9–10 | Full practice exams + weak areas |

Key Resources

| Resource | Notes |
|---|---|
| Stephane Maarek (Udemy) | Most popular SAA-C03 course; very comprehensive |
| Adrian Cantrill | Deeper architecture focus; excellent labs |
| Tutorials Dojo | Best practice exams; closest to real exam style |
| AWS Well-Architected Framework | Read all 6 pillars |
| AWS Skill Builder | Free official practice questions |

Common Exam Traps

  • Multi-AZ vs Read Replica — Multi-AZ = HA/failover (synchronous). Read Replica = read scaling (asynchronous). Multi-AZ does NOT help with read performance.
  • S3 encryption — SSE-S3 = AWS managed, SSE-KMS = you manage the CMK, SSE-C = you provide the key.
  • Spot Instance interruption — 2-minute warning. Design for interruptions (checkpointing, SQS queue).
  • SQS vs SNS — SQS = one consumer per message (pull). SNS = fan-out to multiple subscribers (push).
  • NACL vs Security Group — NACLs are stateless (must allow return traffic explicitly). SGs are stateful.
  • RDS encryption — cannot enable encryption on an existing unencrypted RDS instance. Must snapshot → copy (encrypt) → restore.