Exam Overview
Exam Code
SAA-C03
Duration
130 Minutes
Questions
65 Questions
Passing Score
720 / 1000
Exam Fee
$150 USD
Validity
3 Years
The AWS Certified Solutions Architect – Associate (SAA-C03) is the most popular AWS certification globally. It validates your ability to design secure, resilient, high-performing, and cost-optimized architectures on AWS. Recommended for developers, sysops engineers, and cloud architects with at least 1 year of hands-on AWS experience.
New to AWS? Start with Cloud Practitioner first
CLF-C02 is the recommended prerequisite before SAA-C03.
Exam Domains & Weightage
Domain 1 — Design Secure Architectures
30%
IAM, encryption, VPC security, compliance, and protecting data at rest and in transit.
Domain 2 — Design Resilient Architectures
26%
High availability, fault tolerance, disaster recovery, decoupling, and multi-AZ/multi-region design.
Domain 3 — Design High-Performing Architectures
24%
Scalable compute, storage, databases, networking, and caching for performance at scale.
Domain 4 — Design Cost-Optimized Architectures
20%
Right-sizing, pricing models, storage tiers, serverless, and eliminating waste.
AWS Global Infrastructure
Regions
33+ geographic regions worldwide. Each region is fully independent — no data replication across regions by default. Choose based on latency, compliance, data residency, and service availability.
Availability Zones (AZs)
105+ AZs globally. Each AZ = one or more discrete data centers with redundant power, networking, and connectivity. AZs within a region are connected via low-latency private fiber. Deploy across ≥2 AZs for high availability.
Edge Locations / Points of Presence
400+ edge locations used by CloudFront (CDN) and Route 53. Cache content closer to end users for lower latency. Also used by AWS Global Accelerator.
Local Zones
Extensions of AWS Regions placed closer to large population centers. Run latency-sensitive workloads (gaming, media, ML inference) closer to users. Not all services available.
AWS Outposts
Fully managed AWS infrastructure delivered to your on-premises data center. Run AWS services locally. Ideal for low-latency requirements, data residency, and local data processing.
AWS Wavelength
AWS infrastructure embedded within telecom 5G networks. Ultra-low latency for mobile and connected devices. Use for real-time gaming, AR/VR, connected vehicles.
Domain 1 — Design Secure Architectures (30%)
IAM Advanced Concepts
IAM Policies — Identity vs Resource
Identity-based policies attach to users/roles/groups. Resource-based policies attach to resources (S3 bucket policy, KMS key policy). Both must allow for cross-account access.
IAM Permission Boundaries
Set the maximum permissions an IAM entity can have. Even if a policy grants more, the boundary limits it. Used to delegate permission management safely.
AWS STS — Security Token Service
Issues temporary, limited-privilege credentials. Used by IAM roles, federated users, and cross-account access. Tokens expire automatically.
IAM Roles for EC2
Attach a role to an EC2 instance instead of storing access keys. The instance retrieves temporary credentials via the Instance Metadata Service (IMDS). Best practice for all EC2 workloads.
AWS Organizations SCPs
Service Control Policies set the maximum permissions for member accounts. They do NOT grant permissions — they restrict what can be granted, even to the root user.
Attribute-Based Access Control (ABAC)
Use tags on resources and IAM principals to control access. Scale permissions without updating policies — just match tags. More scalable than RBAC for large environments.
VPC Security Design
VPC Design Best Practices
Use multiple AZs for high availability. Separate public (internet-facing) and private (internal) subnets. Place databases and app servers in private subnets. Use NAT Gateway for outbound internet from private subnets.
Security Groups vs NACLs
Security Groups: stateful, instance-level, allow-only rules, evaluated as a whole. NACLs: stateless, subnet-level, allow and deny rules, evaluated in order by rule number. Use both for defense in depth.
VPC Endpoints
Connect to AWS services (S3, DynamoDB) privately without internet gateway, NAT, or VPN. Gateway Endpoints (S3, DynamoDB — free). Interface Endpoints (most other services — powered by PrivateLink, hourly cost).
AWS PrivateLink
Expose services to other VPCs or accounts privately without VPC peering or internet. Traffic stays on AWS network. Used for SaaS services and internal microservices.
VPC Peering
Direct network connection between two VPCs. Not transitive — if A peers B and B peers C, A cannot reach C. Works across accounts and regions.
AWS Transit Gateway
Hub-and-spoke model connecting thousands of VPCs and on-premises networks. Supports transitive routing. Replaces complex VPC peering meshes.
Bastion Host
A hardened EC2 instance in a public subnet used to SSH/RDP into instances in private subnets. Use Systems Manager Session Manager as a more secure, keyless alternative.
NAT Gateway vs NAT Instance
| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Management | Fully managed by AWS | Self-managed EC2 instance |
| Availability | Highly available within AZ | Single point of failure (unless scripted) |
| Bandwidth | Up to 100 Gbps | Depends on instance type |
| Security Groups | Cannot attach | Can attach security groups |
| Cost | Hourly + data processing fee | EC2 instance cost |
| Recommendation | Always prefer NAT Gateway | Legacy — avoid for new architectures |
Hybrid Connectivity
AWS Direct Connect
Dedicated private physical connection from on-premises to AWS. Consistent bandwidth, lower latency than internet. Takes weeks to provision. Use for large data transfers, compliance, or latency-sensitive workloads. Does NOT encrypt by default — add VPN over Direct Connect for encryption.
Site-to-Site VPN
Encrypted IPSec tunnel over the public internet between on-premises and AWS VPC. Quick to set up (minutes). Subject to internet variability. Use as backup for Direct Connect or for smaller offices.
Direct Connect + VPN
Run VPN over Direct Connect for encrypted, dedicated connectivity. Best of both worlds: private network + encryption. Used for compliance requirements.
AWS VPN CloudHub
Connect multiple on-premises sites to a single Virtual Private Gateway. Sites can communicate with each other through AWS. Hub-and-spoke model for branch offices.
AWS Storage Gateway
Hybrid storage bridge between on-premises and AWS. File Gateway (NFS/SMB → S3), Volume Gateway (iSCSI → EBS snapshots), Tape Gateway (virtual tape library → S3 Glacier). Use for backup, archiving, and tiered storage.
AWS DataSync
Online data transfer service. Migrate data from on-premises NFS/SMB/HDFS to S3, EFS, or FSx. Up to 10x faster than open-source tools. Automated scheduling, encryption, and integrity verification.
Encryption & Data Protection
AWS KMS
Key Management Service — create, manage, and rotate encryption keys. Integrates with S3, EBS, RDS, Lambda, and more. CMKs (Customer Managed Keys) give full control. AWS Managed Keys are free but less flexible.
S3 Encryption Options
SSE-S3 (AES-256, AWS manages keys), SSE-KMS (KMS keys, audit trail via CloudTrail), SSE-C (customer-provided keys), Client-Side Encryption (encrypt before upload). Default encryption can be enforced via bucket policy.
EBS Encryption
Encrypts data at rest, in transit between instance and volume, snapshots, and volumes created from snapshots. Uses KMS. Enable by default at account level. No performance impact.
RDS Encryption
Enable at creation time — cannot encrypt an existing unencrypted DB. Encrypts storage, automated backups, read replicas, and snapshots. Uses KMS. To encrypt existing DB: snapshot → copy with encryption → restore.
ACM — AWS Certificate Manager
Provision, manage, and deploy SSL/TLS certificates for HTTPS. Free for public certificates. Integrates with CloudFront, ALB, API Gateway. Certificates auto-renew.
AWS Secrets Manager
Store, rotate, and retrieve secrets (DB passwords, API keys). Automatic rotation via Lambda. Integrates with RDS, Redshift, DocumentDB. Charges per secret per month.
Security Services
AWS WAF
Protects web apps from SQL injection, XSS, and other OWASP Top 10 attacks. Works with CloudFront, ALB, API Gateway. Define rules using IP sets, geo-match, rate limiting.
AWS Shield
DDoS protection. Standard (free, automatic for all). Advanced ($3,000/mo) adds 24/7 DRT support, cost protection, and advanced attack visibility.
Amazon GuardDuty
ML-based threat detection. Analyzes CloudTrail, VPC Flow Logs, DNS logs. Detects compromised instances, reconnaissance, and data exfiltration. Enable with one click.
AWS Inspector
Automated vulnerability scanning for EC2 and ECR container images. Checks for CVEs and network exposure. Integrates with Security Hub.
Amazon Macie
Uses ML to discover and protect sensitive data (PII, financial data) in S3. Generates findings for Security Hub.
AWS Security Hub
Centralized security findings from GuardDuty, Inspector, Macie, Firewall Manager, and third-party tools. Checks against CIS AWS Foundations Benchmark.
AWS CloudTrail
Records all API calls across your account. Enabled by default (90-day event history). Create a Trail to store logs in S3 indefinitely. Use for auditing, compliance, and forensics.
AWS Config
Tracks resource configuration changes over time. Evaluates compliance against Config Rules. Supports auto-remediation via SSM Automation.
Domain 2 — Design Resilient Architectures (26%)
High Availability & Fault Tolerance
Multi-AZ vs Multi-Region
Multi-AZ: protects against single data center failure within a region (HA). Multi-Region: protects against entire region failure (DR). Multi-AZ is cheaper and simpler; Multi-Region is for critical global apps.
RTO vs RPO
RTO (Recovery Time Objective): max acceptable downtime. RPO (Recovery Point Objective): max acceptable data loss. Lower RTO/RPO = more expensive solution. Drive architecture decisions.
Elastic Load Balancing
Distributes traffic across healthy targets in multiple AZs. ALB (Layer 7, HTTP/HTTPS, path/host routing), NLB (Layer 4, TCP/UDP, ultra-low latency, static IP), GWLB (Layer 3, virtual appliances).
Auto Scaling Groups
Maintain desired capacity, scale out on demand, replace unhealthy instances. Use with ALB for zero-downtime deployments. Scaling policies: Target Tracking, Step Scaling, Scheduled.
EC2 Health Checks
EC2 status checks (instance and system). ELB health checks (HTTP response). ASG replaces instances that fail health checks automatically.
Disaster Recovery Strategies
| Strategy | RTO | RPO | Cost | Description |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours | $ | Cheapest. Backup data to S3/Glacier. Restore from scratch on disaster. No standby infrastructure. |
| Pilot Light | 10–30 min | Minutes | $$ | Core services (DB) always running. Scale up app servers on disaster. Like a pilot light ready to ignite. |
| Warm Standby | Minutes | Seconds | $$$ | Scaled-down but fully functional copy always running. Scale up to full capacity on disaster. |
| Multi-Site Active/Active | Seconds | Near zero | $$$$ | Full capacity running in multiple regions simultaneously. Route 53 routes traffic to both. Most expensive. |
Decoupling & Async Architectures
Amazon SQS
Decouple producers and consumers. Standard queue (at-least-once, best-effort ordering). FIFO queue (exactly-once, strict ordering, 3,000 msg/sec with batching). Visibility timeout prevents duplicate processing.
SQS Dead Letter Queue (DLQ)
Messages that fail processing N times are moved to a DLQ. Use for debugging and isolating problematic messages. Set maxReceiveCount on the source queue.
Amazon SNS
Pub/sub — one message to many subscribers (SQS, Lambda, HTTP, email, SMS). Fan-out pattern: SNS → multiple SQS queues for parallel processing.
Amazon EventBridge
Serverless event bus. Route events from AWS services, SaaS apps, and custom apps to targets (Lambda, SQS, Step Functions). Supports event filtering and transformation.
AWS Step Functions
Orchestrate multi-step workflows as state machines. Standard (long-running, exactly-once) and Express (high-volume, at-least-once). Visual workflow editor. Handles retries and error handling.
Amazon Kinesis Data Streams
Real-time data streaming. Shards determine throughput (1 MB/s in, 2 MB/s out per shard). Data retained 24 hrs (up to 365 days). Use for real-time analytics, log ingestion.
S3 Resilience & Replication
S3 Durability & Availability
11 nines (99.999999999%) durability — data replicated across minimum 3 AZs. 99.99% availability for S3 Standard. One Zone-IA stores in single AZ (cheaper, less resilient).
S3 Cross-Region Replication (CRR)
Asynchronously replicate objects to a bucket in a different region. Requires versioning on both buckets. Use for compliance, lower latency, or DR. Does not replicate existing objects retroactively.
S3 Versioning
Keeps all versions of an object. Protects against accidental deletes (delete marker) and overwrites. Required for CRR and SRR. MFA Delete adds extra protection.
S3 Object Lock
WORM (Write Once Read Many) protection. Compliance mode: no one can delete, even root. Governance mode: users with special permissions can override. Used for regulatory compliance.
Domain 3 — Design High-Performing Architectures (24%)
⚡ Compute for Performance
EC2 Instance Types for Performance
Compute Optimized (C-series): CPU-intensive workloads, batch processing, HPC. Memory Optimized (R/X-series): in-memory databases, real-time big data. Storage Optimized (I/D-series): high IOPS, NoSQL databases. GPU (P/G-series): ML training, video rendering.
EC2 Placement Groups
Cluster: instances in same AZ, low latency, high throughput (HPC, big data). Spread: instances on different hardware, max 7 per AZ (critical apps). Partition: groups of instances on separate racks (Hadoop, Kafka, Cassandra).
AWS Lambda Performance
Allocate more memory (128MB–10GB) to get proportionally more CPU. Provisioned Concurrency eliminates cold starts for latency-sensitive apps. Lambda@Edge runs code at CloudFront edge locations.
AWS Fargate
Serverless containers — no EC2 management. Right-size CPU and memory per task. Scales instantly. Use for unpredictable or spiky container workloads.
Amazon ECS vs EKS
ECS: AWS-native container orchestration, simpler, tighter AWS integration. EKS: managed Kubernetes, more complex, portable across clouds, better for existing K8s workloads.
🗄️ Storage Performance
EBS Volume Types
gp3 (General Purpose SSD): baseline 3,000 IOPS, up to 16,000 IOPS — best default choice. io2 Block Express: up to 256,000 IOPS — for critical databases. st1 (Throughput HDD): big data, log processing. sc1 (Cold HDD): lowest cost, infrequent access.
EBS vs Instance Store
EBS: persistent, survives stop/terminate (if configured), network-attached. Instance Store: ephemeral, physically attached to host, highest IOPS, lost on stop/terminate. Use Instance Store for temp data, buffers, caches.
Amazon EFS Performance Modes
General Purpose (default, low latency). Max I/O (higher throughput, slightly higher latency — for big data). Throughput modes: Bursting (scales with storage size) or Provisioned (fixed throughput regardless of size).
S3 Performance
Prefix-based parallelism: 3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix. Use multiple prefixes for high-throughput workloads. S3 Transfer Acceleration uses CloudFront edge for faster uploads.
Amazon FSx for Lustre
High-performance parallel file system for HPC, ML, and big data. Sub-millisecond latency, hundreds of GB/s throughput. Can be linked to S3 for seamless data processing.
🗃️ Database Performance
RDS Read Replicas
Offload read traffic from the primary DB. Up to 15 read replicas for Aurora, 5 for RDS. Async replication — slight lag. Can be promoted to standalone DB. Cross-region read replicas for global read performance.
Amazon Aurora
MySQL/PostgreSQL-compatible. 5x faster than MySQL, 3x faster than PostgreSQL. Storage auto-scales up to 128TB. Aurora Global Database: primary region + up to 5 secondary regions, <1 second replication lag.
Amazon DynamoDB Performance
Single-digit millisecond at any scale. On-Demand mode (pay per request) or Provisioned mode (set RCU/WCU). DynamoDB Accelerator (DAX): in-memory cache, microsecond reads. Global Tables: multi-region, multi-active replication.
Amazon ElastiCache
Redis: supports data structures, persistence, pub/sub, Lua scripting, cluster mode. Memcached: simpler, multi-threaded, no persistence. Use for session storage, leaderboards, real-time analytics, DB query caching.
Amazon Redshift
Columnar storage, massively parallel processing (MPP). Redshift Spectrum: query S3 data directly without loading. Enhanced VPC Routing: forces COPY/UNLOAD traffic through VPC. Use for OLAP, not OLTP.
Database Caching Strategies
Cache-aside (lazy loading): app checks cache first, loads from DB on miss. Write-through: write to cache and DB simultaneously. TTL: expire stale data. Use ElastiCache in front of RDS for read-heavy workloads.
🌐 Networking & Content Delivery
Amazon CloudFront
CDN with 400+ edge locations. Cache static and dynamic content. Supports HTTPS, custom SSL, signed URLs/cookies for private content. Lambda@Edge for request/response manipulation at the edge.
CloudFront Signed URLs vs Signed Cookies
Signed URL: access to a single file, for clients that don't support cookies. Signed Cookie: access to multiple files, for premium content subscriptions. Both use a key pair to sign.
Route 53 Routing Policies
Simple (single resource), Weighted (A/B testing, gradual migration), Latency (lowest latency region), Failover (active-passive DR), Geolocation (route by user location), Geoproximity (route by resource location with bias), Multi-Value (multiple healthy records).
AWS Global Accelerator
Routes traffic through AWS global network to optimal endpoints. Provides 2 static anycast IPs. Improves performance for TCP/UDP apps. Unlike CloudFront, no caching — proxies traffic to origin.
Enhanced Networking
SR-IOV for higher bandwidth, lower latency, lower CPU utilization. Elastic Network Adapter (ENA): up to 100 Gbps. Elastic Fabric Adapter (EFA): for HPC and ML — OS-bypass for ultra-low latency.
🔌 API Gateway & Application Services
Amazon API Gateway
Fully managed service to create, publish, and secure REST, HTTP, and WebSocket APIs. Integrates with Lambda (serverless backend), EC2, and any HTTP endpoint. Handles throttling, caching, auth (Cognito, IAM, Lambda authorizer), and API versioning.
API Gateway — REST vs HTTP API
REST API: full features (usage plans, API keys, request/response transformation, WAF integration). HTTP API: lower cost (70% cheaper), lower latency, simpler — best for Lambda and HTTP backends. WebSocket API: real-time two-way communication.
API Gateway Caching
Cache responses at the API Gateway level (TTL 0–3600s). Reduces backend calls and improves latency. Cache can be invalidated per-request with Cache-Control: max-age=0 header.
Amazon Cognito
User Pools: user directory for sign-up/sign-in, MFA, social identity providers (Google, Facebook). Identity Pools: grant temporary AWS credentials to authenticated/unauthenticated users to access AWS services directly (S3, DynamoDB).
AWS AppSync
Managed GraphQL service. Real-time data sync with subscriptions. Integrates with DynamoDB, Lambda, RDS, HTTP APIs. Use for mobile/web apps needing real-time updates.
📊 Monitoring, Logging & Management
Amazon CloudWatch
Metrics: collect and track metrics for AWS services and custom apps. Alarms: trigger actions (SNS, Auto Scaling, EC2 actions) when thresholds are breached. Logs: centralized log storage and analysis. Dashboards: visualize metrics. Events/EventBridge: respond to state changes.
CloudWatch Logs Insights
Interactive query service for CloudWatch Logs. Use SQL-like syntax to search and analyze log data. Useful for debugging Lambda, ECS, and application logs.
AWS CloudTrail
Records every API call made in your account (who, what, when, from where). Enabled by default with 90-day history. Create a Trail to persist logs to S3 indefinitely. Use for security auditing, compliance, and incident investigation.
AWS Systems Manager (SSM)
Session Manager: browser-based shell access to EC2 without SSH keys or bastion hosts. Parameter Store: secure storage for config data and secrets (free tier available). Patch Manager: automate OS patching. Run Command: execute scripts on EC2 at scale.
AWS X-Ray
Distributed tracing for microservices and serverless apps. Visualize request flows, identify bottlenecks, and debug errors across Lambda, API Gateway, ECS, and EC2.
Amazon EventBridge
Serverless event bus. Route events from AWS services, SaaS apps (Zendesk, Datadog), and custom apps to targets. Supports content-based filtering, event transformation, and scheduled rules (cron).
Domain 4 — Design Cost-Optimized Architectures (20%)
EC2 Cost Optimization
| Pricing Model | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | Baseline | None | Short-term, unpredictable, dev/test |
| Reserved Instances (Standard) | Up to 72% | 1 or 3 years | Steady-state, specific instance type/region |
| Reserved Instances (Convertible) | Up to 66% | 1 or 3 years | Steady-state, flexibility to change instance type |
| Savings Plans (Compute) | Up to 66% | 1 or 3 years | Flexible — EC2, Lambda, Fargate across any region |
| Savings Plans (EC2 Instance) | Up to 72% | 1 or 3 years | Specific instance family in a region |
| Spot Instances | Up to 90% | None (interruptible) | Fault-tolerant: batch, big data, CI/CD, stateless |
| Dedicated Hosts | Varies | On-Demand or Reserved | BYOL, compliance, per-socket/core licensing |
Storage Cost Optimization
S3 Storage Classes & Cost
Standard ($0.023/GB) → Standard-IA ($0.0125/GB, min 30 days) → One Zone-IA ($0.01/GB) → Glacier Instant ($0.004/GB) → Glacier Flexible ($0.0036/GB, 3–5 hrs retrieval) → Glacier Deep Archive ($0.00099/GB, 12 hrs retrieval). Use Lifecycle Policies to automate transitions.
S3 Intelligent-Tiering
Automatically moves objects between access tiers based on usage patterns. No retrieval fees. Small monthly monitoring fee per object. Best for unpredictable access patterns.
EBS Cost Optimization
Delete unattached EBS volumes. Use gp3 instead of gp2 (20% cheaper, better performance). Take snapshots and delete old volumes. Use EBS Snapshot Archive for long-term retention (75% cheaper).
EFS vs FSx Cost
EFS Standard: $0.30/GB/month. EFS-IA: $0.025/GB/month (auto-tiering with Lifecycle Management). FSx for Windows: more expensive but needed for Windows workloads. FSx for Lustre: for HPC only.
Serverless & Managed Services for Cost
AWS Lambda
Pay only for execution time (per 1ms). No idle cost. First 1M requests/month free. Use for event-driven, infrequent, or unpredictable workloads where EC2 would sit idle.
DynamoDB On-Demand
Pay per read/write request. No capacity planning. More expensive per request than Provisioned but no waste. Use for unpredictable traffic. Switch to Provisioned once traffic is predictable.
Aurora Serverless v2
Scales compute capacity in fine-grained increments (0.5 ACU steps). Scales to zero when idle. Pay per ACU-hour. Ideal for dev/test, infrequent, or variable workloads.
AWS Fargate Spot
Up to 70% discount for Fargate tasks. Can be interrupted. Use for batch jobs, CI/CD pipelines, and fault-tolerant container workloads.
Cost Management Tools
AWS Cost Explorer
Visualize and analyze costs and usage. Identify trends, cost drivers, and anomalies. Rightsizing recommendations for EC2. Savings Plans recommendations.
AWS Budgets
Set cost, usage, and reservation budgets. Alert via email or SNS when thresholds are breached or forecasted to be breached.
AWS Trusted Advisor
Cost optimization checks: idle EC2, underutilized EBS, unassociated Elastic IPs, low-utilization RDS. Business/Enterprise plans get full checks.
AWS Compute Optimizer
ML-based rightsizing recommendations for EC2, Auto Scaling Groups, Lambda, and EBS. Identifies over-provisioned and under-provisioned resources.
S3 Storage Lens
Organization-wide visibility into S3 usage and activity. Identifies cost-saving opportunities like incomplete multipart uploads and non-current versions.
Cost Allocation Tags
Tag resources (e.g., Project, Team, Environment). Activate tags in Billing console. Break down costs by tag in Cost Explorer and CUR reports.
Key Architecture Patterns
3-Tier Web Architecture
Presentation (CloudFront + ALB), Application (EC2 ASG in private subnets), Data (RDS Multi-AZ in isolated subnets). Each tier in separate subnets across multiple AZs. Security groups restrict traffic between tiers.
Serverless Web Application
Route 53 → CloudFront → S3 (static assets) + API Gateway → Lambda → DynamoDB. No servers to manage. Scales automatically. Pay per use. Use Cognito for authentication.
Event-Driven Architecture
S3 event → Lambda → SQS/SNS → downstream services. Decoupled, scalable, resilient. Use EventBridge for complex routing. Dead Letter Queues for failed events.
Microservices on ECS/EKS
Each service in its own container, independent deployment. ALB path-based routing to different services. Service discovery via AWS Cloud Map. Centralized logging with CloudWatch Container Insights.
Data Lake Architecture
Ingest → S3 (raw/processed/curated zones). Process with Glue ETL or EMR. Query with Athena (serverless SQL). Visualize with QuickSight. Catalog with Glue Data Catalog.
Hybrid Cloud Architecture
On-premises ↔ AWS via Direct Connect (dedicated) or Site-to-Site VPN (encrypted over internet). Storage Gateway bridges on-premises apps to S3. Outposts for AWS infrastructure on-premises.
Deployment, IaC & Migration Services
Infrastructure as Code & Deployment
AWS CloudFormation
IaC service — define AWS infrastructure in JSON or YAML templates. Stacks: a collection of resources managed as a unit. StackSets: deploy stacks across multiple accounts and regions. Change Sets: preview changes before applying. Drift detection: identify manual changes.
AWS Elastic Beanstalk
PaaS — deploy web apps without managing infrastructure. Supports Java, .NET, PHP, Node.js, Python, Ruby, Go, Docker. Automatically handles EC2, ALB, Auto Scaling, RDS. You retain full control of underlying resources. Use for quick deployments with minimal config.
AWS CodeDeploy
Automate application deployments to EC2, Lambda, and ECS. Deployment strategies: In-Place (rolling update on EC2), Blue/Green (new environment, then switch traffic). Integrates with CodePipeline for CI/CD.
AWS CodePipeline
Fully managed CI/CD pipeline. Orchestrates source (CodeCommit, GitHub), build (CodeBuild), test, and deploy (CodeDeploy, Elastic Beanstalk, ECS) stages. Triggers on code changes automatically.
AWS SAM — Serverless Application Model
Extension of CloudFormation for serverless apps. Simplified syntax for Lambda, API Gateway, DynamoDB. Local testing with SAM CLI. Transforms to CloudFormation at deploy time.
Data Migration Services
AWS Snow Family
Physical devices for offline data migration. Snowcone (8TB, smallest, edge computing). Snowball Edge Storage Optimized (80TB, petabyte-scale migration). Snowmobile (100PB, exabyte-scale, shipping container). Use when network transfer would take weeks or months.
AWS DMS — Database Migration Service
Migrate databases to AWS with minimal downtime. Homogeneous (MySQL → RDS MySQL) and heterogeneous (Oracle → Aurora) migrations. Continuous replication (CDC) keeps source and target in sync. Schema Conversion Tool (SCT) for heterogeneous migrations.
AWS DataSync
Online data transfer — migrate NFS, SMB, HDFS, S3-compatible storage to AWS. Up to 10x faster than open-source tools. Automated scheduling, encryption, integrity checks. Use for ongoing replication or one-time migration.
AWS Transfer Family
Fully managed SFTP, FTPS, and FTP service for transferring files directly into/out of S3 and EFS. No infrastructure to manage. Integrates with existing authentication systems (Active Directory, LDAP).
AWS Application Migration Service (MGN)
Lift-and-shift migration of physical, virtual, and cloud servers to AWS. Continuous block-level replication. Minimal downtime cutover. Replaces the older CloudEndure Migration service.
SAA-C03 Exam Strategy & Tips
Read for constraint keywords
Every question has a constraint: "most cost-effective", "least operational overhead", "highest availability", "most secure". The right answer satisfies the constraint, not just the requirement.
Managed > Self-managed
AWS prefers managed services (RDS over EC2+MySQL, ECS/Fargate over self-managed Docker). "Least operational overhead" almost always means a managed or serverless service.
Multi-AZ = HA, Multi-Region = DR
High availability questions → Multi-AZ. Disaster recovery questions → Multi-Region. Don't confuse the two. Multi-AZ RDS is synchronous; Read Replicas are asynchronous.
Spot = fault-tolerant workloads
Spot Instances are for workloads that can be interrupted: batch jobs, big data, CI/CD, rendering. Never use Spot for databases, critical apps, or anything that can't handle interruption.
VPC Endpoints save cost & improve security
When a question mentions EC2 accessing S3 or DynamoDB, VPC Endpoints avoid internet traffic, reduce data transfer costs, and improve security. Gateway Endpoints are free.
SQS decouples, SNS fans out
SQS = decouple producer/consumer (async, queue). SNS = one-to-many broadcast. Fan-out pattern = SNS → multiple SQS queues. Use SQS DLQ for failed message handling.
Top 25 AWS SAA-C03 Exam Q&A
Scenario-based questions that mirror the real exam style — focus on the constraint keyword in each answer.
Quick Reference Cheatsheet
EC2 Spot
Up to 90% off, fault-tolerant workloads
EC2 Reserved
Up to 72% off, 1–3 year commitment
Savings Plans
Up to 72% off, flexible compute
Auto Scaling
Maintain capacity, scale on demand
ALB
Layer 7, path/host-based routing
NLB
Layer 4, static IP, ultra-low latency
CloudFront
CDN, 400+ edge locations, signed URLs
Global Accelerator
Static IPs, AWS backbone routing
Route 53
DNS, 7 routing policies, health checks
VPC Endpoint
Private S3/DynamoDB access, no NAT
PrivateLink
Private service exposure across VPCs
Transit Gateway
Hub-and-spoke, transitive VPC routing
Direct Connect
Dedicated private connection to AWS
Site-to-Site VPN
Encrypted tunnel over internet
Aurora
5x MySQL speed, auto-scales to 128TB
DynamoDB DAX
Microsecond read cache for DynamoDB
ElastiCache Redis
Session store, leaderboards, pub/sub
RDS Read Replica
Async read offload, up to 15 (Aurora)
RDS Multi-AZ
Sync standby, automatic failover
S3 Object Lock
WORM compliance/governance mode
S3 Intelligent-Tiering
Auto cost-optimize unpredictable access
EBS gp3
Best default SSD, 3K IOPS baseline
EBS io2
Up to 256K IOPS, critical databases
Instance Store
Ephemeral, highest IOPS, lost on stop
SQS FIFO
Exactly-once, strict ordering
SQS DLQ
Failed message isolation & debugging
SNS Fan-out
SNS → multiple SQS queues
EventBridge
Event routing with content-based rules
Step Functions
Serverless workflow orchestration
Kinesis Streams
Real-time data streaming, shards
Lambda@Edge
Run code at CloudFront edge locations
Fargate Spot
Up to 70% off serverless containers
KMS CMK
Customer-managed encryption keys
Secrets Manager
Auto-rotate DB credentials & API keys
CloudTrail
API audit log, store in S3 indefinitely
Config
Track config changes, compliance rules
GuardDuty
ML threat detection, one-click enable
Security Hub
Centralized findings, CIS benchmark
WAF + Shield
DDoS + OWASP Top 10 protection
Athena
Serverless SQL on S3, pay per query
