
AWS Solutions Architect Associate (SAA-C03) Guide

Beginner-friendly and experience-ready notes for learning AWS architecture, passing SAA-C03, and explaining cloud design decisions clearly with focused practice questions.


Published: Apr 2026. Updated: May 2026.

Quick Summary

  • Certification name: AWS Certified Solutions Architect - Associate.
  • Exam code: SAA-C03.
  • Main skill: design AWS workloads that are secure, reliable, fast, cost-aware, and easy to operate.
  • Best for: beginners moving into cloud, developers, DevOps engineers, system admins, cloud support engineers, and architecture interview preparation.
  • Question style: scenario-based multiple choice and multiple response.
  • How to study: learn services by use case, draw architectures, build small labs, then practice scenario questions.
Simple idea: SAA-C03 is not about memorizing every AWS service. It is about choosing the right service for a real requirement.

Who Should Read This Guide?

Learner | Use this guide for | Focus first
Absolute beginner | Understand cloud architecture words without getting lost. | Regions, AZs, IAM, VPC, EC2, S3, RDS.
Developer | Learn how applications run after code leaves your laptop. | Load balancers, autoscaling, databases, queues, monitoring.
DevOps engineer | Connect deployments, networking, security, and reliability decisions. | VPC, IAM, CloudWatch, CloudFormation, ECS, Lambda.
Experienced engineer | Review tradeoffs and interview answers quickly. | DR, cost optimization, service selection, migration patterns.
Certification candidate | Prepare for scenario questions and avoid common traps. | Exam domains, wrong-answer patterns, hands-on labs.

SAA-C03 Exam Domains

Domain | Weight | You must be able to choose
Design Secure Architectures | 30% | IAM, encryption, private networking, secrets, logging, least privilege, and secure access.
Design Resilient Architectures | 26% | Multi-AZ, load balancing, Auto Scaling, backups, queues, failover, and disaster recovery.
Design High-Performing Architectures | 24% | Right compute, storage, database, CDN, cache, and scaling pattern for the workload.
Design Cost-Optimized Architectures | 20% | Right sizing, pricing models, lifecycle rules, managed services, tagging, and cost monitoring.
  • Beginner tip: do not study the domains in isolation; most questions mix security, reliability, performance, and cost.
  • Experienced tip: identify the primary constraint first. If the question says "lowest latency," do not simply choose the cheapest answer.

How an AWS Architect Thinks

  • Requirement: What must the system do?
  • Users: Where are users located, and how much latency can they tolerate?
  • Traffic: Is traffic steady, spiky, seasonal, or unpredictable?
  • Data: Is the data relational, object-based, key-value, analytical, temporary, or archival?
  • Failure: What happens if one instance, one Availability Zone, or one Region fails?
  • Security: Who can access the system, from where, and with what permissions?
  • Cost: Which resources run all the time, and which can scale down or use cheaper storage?
  • Operations: Who will patch, monitor, deploy, troubleshoot, and recover the system?
Exam habit: underline words like private, global, least operational overhead, highly available, real-time, archive, strict ordering, and cost-effective.

AWS Foundation Concepts

Concept | Beginner meaning | Exam / real-world note
Region | A geographic AWS area. | Choose Regions near users or required by compliance.
Availability Zone | One or more isolated data centers inside a Region. | Use multiple AZs for high availability.
Edge location | A location closer to users for cached content. | CloudFront uses edge locations to reduce latency.
VPC | Your private network in AWS. | Controls subnets, routing, gateways, endpoints, and network boundaries.
Public subnet | Subnet with a route to an Internet Gateway. | Place load balancers here, not databases.
Private subnet | Subnet without direct inbound internet access. | Place app servers, databases, workers, and internal services here.

Core AWS Service Map

Category | Services | When to think of it
Compute | EC2, Lambda, ECS, EKS, Elastic Beanstalk, Auto Scaling | Run application code, containers, workers, or virtual servers.
Storage | S3, EBS, EFS, FSx, Storage Gateway | Store objects, disks, shared files, Windows file shares, or hybrid data.
Database | RDS, Aurora, DynamoDB, Redshift, ElastiCache, Neptune | Store relational, NoSQL, analytical, cached, or graph data.
Networking | VPC, Route 53, CloudFront, ALB, NLB, NAT Gateway, Direct Connect, VPN | Control traffic, DNS, global delivery, and hybrid connectivity.
Security | IAM, KMS, ACM, Secrets Manager, WAF, Shield, GuardDuty, Security Hub | Control access, encrypt data, manage certificates, and detect threats.
Operations | CloudWatch, CloudTrail, Config, Systems Manager, CloudFormation | Monitor, audit, patch, automate, and provision infrastructure.
Integration | SQS, SNS, EventBridge, Step Functions, Kinesis | Decouple services, fan out events, coordinate workflows, and stream data.

Compute Decisions

Use case | Good AWS choice | Why
You need full OS control | EC2 | You manage the instance, packages, runtime, and patching.
Traffic changes and tasks are short-lived | Lambda | Serverless, event-driven, scales automatically, pay per execution.
You run Docker containers without a Kubernetes requirement | ECS with Fargate | Less operational overhead than managing servers or Kubernetes.
Your company standardizes on Kubernetes | EKS | Managed Kubernetes control plane with AWS integration.
Simple app deployment with less infrastructure setup | Elastic Beanstalk | Platform service that manages common deployment pieces.
  • Beginner trap: Lambda is not always best. Long-running jobs, special runtimes, and heavy OS control can point to EC2 or containers.
  • Experienced trap: Kubernetes is not automatically better. Choose EKS only when Kubernetes features or team standards justify it.

Storage Decisions

Need | Choose | Remember
Store images, videos, backups, static files, logs | S3 | Object storage, not a block disk or POSIX file system.
Attach a disk to one EC2 instance | EBS | Block storage for EC2.
Shared Linux file system for many instances | EFS | Elastic NFS-style shared file system.
Windows file shares | FSx for Windows File Server | Managed SMB file storage.
Low-cost archive | S3 Glacier classes | Cheaper storage, slower retrieval depending on class.
  • Use S3 lifecycle rules to move older data to cheaper storage classes.
  • Use S3 versioning when accidental overwrite or deletion is a risk.
  • Use S3 replication when data must be copied across Regions or accounts.
  • Use CloudFront in front of S3 for global content delivery.

Database Decisions

Data pattern | Choose | Why
Relational data, SQL, joins, transactions | RDS or Aurora | Managed relational database options.
High-scale key-value or document access | DynamoDB | Serverless NoSQL with low-latency access when keys are designed well.
Data warehouse analytics | Redshift | Columnar warehouse for analytical queries.
Query data directly in S3 | Athena | Serverless SQL over files in S3.
Cache frequent reads or sessions | ElastiCache | Redis- or Memcached-compatible in-memory cache.
  • RDS Multi-AZ: availability and failover.
  • RDS read replica: read scaling and some disaster recovery patterns.
  • DynamoDB global tables: multi-Region active-active NoSQL access.
  • DynamoDB DAX: microsecond read cache for DynamoDB.

Networking Decisions

Requirement | Service / feature | Point to remember
DNS and routing users to endpoints | Route 53 | Supports routing policies and health checks.
Global cached content | CloudFront | CDN for S3, ALB, API, and custom origins.
HTTP path or host routing | Application Load Balancer | Layer 7 load balancing.
Static IP or high-performance TCP/UDP | Network Load Balancer | Layer 4 load balancing.
Private subnet outbound internet | NAT Gateway | Outbound only, not inbound access.
Private access to AWS services | VPC endpoint | Avoids the public internet path.
Office/data center to AWS | VPN or Direct Connect | VPN is quicker to set up; Direct Connect is more predictable.

Security Decisions

  • IAM users: human or long-term identities; avoid access keys unless required.
  • IAM roles: preferred for AWS services, applications, temporary access, and cross-account work.
  • Security groups: stateful firewall attached to network interfaces.
  • Network ACLs: stateless subnet-level controls.
  • KMS: create and control encryption keys.
  • ACM: provision and manage TLS certificates.
  • Secrets Manager: store and rotate passwords, tokens, and API secrets.
  • WAF: filter HTTP requests for web attacks and rate rules.
  • Shield: DDoS protection for public endpoints.
  • CloudTrail: records account API activity for auditing.
  • GuardDuty: threat detection from AWS account and workload signals.
Common trap: IAM permissions and KMS key policies both matter. IAM access alone may not be enough if the key policy blocks usage.
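The trap above is easiest to see by evaluating both policies side by side. The following is an added example, not AWS code or any library's API: a small evaluator that models the documented same-account rule (an explicit Deny in either policy wins; otherwise the key policy must allow the caller directly, or allow the account root, which delegates the decision to the caller's IAM identity policy). The account id, role names and key id are constructed placeholders.

```python
"""Toy policy evaluator for the IAM-plus-KMS trap.

Added example, not AWS code. It models the documented rule for same-account
KMS requests: an explicit Deny in either policy wins; otherwise the call succeeds
when the key policy allows the caller directly, or when the key policy allows the
account root (which "enables IAM policies") AND the caller's identity policy allows
the action. Account id, role names and the key id below are constructed placeholders.
"""
from fnmatch import fnmatch

ACCOUNT = "111122223333"                                   # constructed account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"
APP_ROLE = f"arn:aws:iam::{ACCOUNT}:role/app-server"       # hypothetical role
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/key-admin"       # hypothetical role
KEY_ARN = f"arn:aws:kms:us-east-1:{ACCOUNT}:key/EXAMPLE-KEY-ID"  # placeholder key id


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, principal, action, resource):
    """True when a statement's Principal (if any), Action and Resource cover the request."""
    if "Principal" in stmt:                                   # key policies name principals
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if principal not in allowed and "*" not in allowed:
            return False
    action_ok = any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch(resource.lower(), r.lower()) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def effects(policy, principal, action, resource):
    """Set of effects ('Allow'/'Deny') from statements matching the request."""
    return {s["Effect"] for s in policy["Statement"] if _matches(s, principal, action, resource)}


def kms_authorized(identity_policy, key_policy, principal, action, resource=KEY_ARN):
    identity = effects(identity_policy, principal, action, resource)
    key_direct = effects(key_policy, principal, action, resource)
    key_via_root = effects(key_policy, ROOT, action, resource)
    if "Deny" in identity or "Deny" in key_direct:
        return False                          # explicit deny anywhere wins
    if "Allow" in key_direct:
        return True                           # key policy grants the caller on its own
    return "Allow" in key_via_root and "Allow" in identity   # key policy delegates to IAM


# --- constructed policies -------------------------------------------------------
APP_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN},
]}

# Default-style key policy: the account root is allowed, so IAM policies decide.
KEY_POLICY_ENABLES_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
]}

# Key policy that names only the key administrator: IAM Allows are ignored.
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": KEY_ADMIN},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*"], "Resource": "*"},
]}

# Key policy that enables IAM but explicitly denies the app role.
KEY_POLICY_DENIES_APP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": APP_ROLE}, "Action": "kms:Decrypt", "Resource": "*"},
]}

if __name__ == "__main__":
    cases = [("enables IAM", KEY_POLICY_ENABLES_IAM), ("admin only", KEY_POLICY_ADMIN_ONLY),
             ("denies app", KEY_POLICY_DENIES_APP)]
    for label, key_policy in cases:
        for action in ("kms:Decrypt", "kms:ScheduleKeyDeletion"):
            ok = kms_authorized(APP_IDENTITY_POLICY, key_policy, APP_ROLE, action)
            print(f"{label:12} {action:24} -> {'ALLOW' if ok else 'DENY'}")
```

The "admin only" case is the exam trap: the app role's identity policy allows kms:Decrypt, yet the call fails because the key policy never enables IAM policies for that key. The evaluator ignores conditions, cross-account grants and KMS grants, which real KMS also consults.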

Reliability and Disaster Recovery

Pattern | Meaning | Cost / recovery tradeoff
Multi-AZ | Run across more than one Availability Zone. | Good regional availability, moderate cost.
Backup and restore | Restore from backups after failure. | Lowest cost, slowest recovery.
Pilot light | Keep critical pieces ready in another Region. | Lower cost than warm standby, faster than restore-only.
Warm standby | A small but complete environment runs continuously. | Higher cost, faster recovery.
Active-active | Multiple Regions serve live traffic. | Highest cost and complexity, lowest downtime.
  • RTO: how long the business can wait for recovery.
  • RPO: how much data loss the business can accept.
  • Loose coupling: use SQS, SNS, EventBridge, and Step Functions to reduce direct dependency failures.
  • Health checks: use ELB, Route 53, and application-level checks to route around failures.

Performance Decisions

  • Use CloudFront when users are global and static or cacheable content should be closer to them.
  • Use Auto Scaling when compute demand changes over time.
  • Use read replicas when relational read traffic grows beyond the primary database.
  • Use ElastiCache when repeated reads or session lookup need very low latency.
  • Use DynamoDB when access patterns are known and key-based scale is required.
  • Use SQS to absorb spikes so backend workers can process at a controlled rate.
  • Use Kinesis when streaming data must be processed continuously at high volume.
  • Choose instance families based on CPU, memory, storage, network, or GPU needs.

Cost Optimization

Cost need | Use | Be careful
Flexible compute with no commitment | On-Demand | Simple but often more expensive.
Predictable compute usage | Savings Plans | Requires commitment.
Interruptible workloads | Spot Instances | Can be interrupted; not for every workload.
Old or rarely accessed objects | S3 lifecycle rules | Retrieval time and fees vary by storage class.
Cost visibility | Tags, Cost Explorer, Budgets | Tags must be planned and applied consistently.
Multi-account billing | AWS Organizations | Use account separation and governance carefully.
  • The cheapest option is wrong if it fails security, availability, latency, or durability requirements.
  • Managed services may cost more per unit but reduce operational work.
  • Serverless can be very cost-effective for spiky workloads but expensive for heavy constant usage.

Architecture Patterns

Basic 3-tier web app

  • Route 53 points users to CloudFront or an Application Load Balancer.
  • ALB lives in public subnets across at least two AZs.
  • Application servers run in private subnets with Auto Scaling.
  • RDS runs in private database subnets with Multi-AZ enabled.
  • S3 stores static assets, uploads, logs, or backups.
  • CloudWatch monitors metrics, logs, and alarms.

Serverless API

  • API Gateway receives HTTP requests.
  • Lambda runs business logic.
  • DynamoDB stores low-latency NoSQL data.
  • SQS buffers background work.
  • EventBridge routes domain events.
  • CloudWatch stores logs and metrics.

Decoupled order processing

  • Frontend submits an order to an API.
  • API writes the request and sends a message to SQS.
  • Workers process messages independently.
  • Dead-letter queue stores failed messages for investigation.
  • SNS or EventBridge notifies inventory, payment, and email systems.
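To make the retry path of this pattern concrete (and the "Queue worker" lab later in the guide), here is an added example that is not part of the original guide and not SQS client code: a pure-Python stand-in for the SQS semantics that matter, namely the visibility timeout, the receive count, and a redrive policy that moves a message to the dead-letter queue after maxReceiveCount attempts. A logical clock replaces real time, the message object stands in for a receipt handle, and the orders are constructed data.

```python
"""Queue-based order worker with visibility timeout and a dead-letter queue.

Added example, not AWS code: a pure-Python stand-in for SQS semantics so the
retry path can be traced offline. A logical clock (seconds) replaces real time,
and the message object itself stands in for a receipt handle. Order data is constructed.
"""
from dataclasses import dataclass


@dataclass
class Message:
    body: dict
    receive_count: int = 0
    invisible_until: float = 0.0   # in flight until this clock value


class Queue:
    def __init__(self, name, visibility_timeout=30, max_receive_count=None, dlq=None):
        self.name = name
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count   # redrive policy; None = no DLQ
        self.dlq = dlq
        self.messages = []

    def send(self, body):
        self.messages.append(Message(body))

    def receive(self, now):
        """Return one visible message, or None. Poison messages are moved to the DLQ."""
        for msg in list(self.messages):
            if msg.invisible_until > now:
                continue                            # in flight with another consumer
            msg.receive_count += 1
            if self.max_receive_count is not None and msg.receive_count > self.max_receive_count:
                self.messages.remove(msg)           # redrive: receive count exceeded
                self.dlq.send(msg.body)
                continue
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, msg):
        self.messages.remove(msg)                   # only a successful worker deletes


SAMPLE_ORDERS = [                                  # constructed; order 1002 is a poison message
    {"order_id": 1001, "sku": "BOOK-1", "quantity": 2},
    {"order_id": 1002, "sku": "BOOK-2", "quantity": -1},
    {"order_id": 1003, "sku": "BOOK-3", "quantity": 1},
]


def run_workers(queue, handler, max_ticks=50):
    """Drain the queue; each tick advances the clock by one visibility timeout."""
    processed = []
    for tick in range(max_ticks):
        now = tick * queue.visibility_timeout
        while (msg := queue.receive(now)) is not None:
            try:
                handler(msg.body)
                queue.delete(msg)
                processed.append(msg.body["order_id"])
            except ValueError:
                pass    # not deleted: the message becomes visible again after the timeout
        if not queue.messages:
            break
    return processed


def simulate(visibility_timeout=30, max_receive_count=3):
    dlq = Queue("orders-dlq")
    orders = Queue("orders", visibility_timeout, max_receive_count, dlq)
    for body in SAMPLE_ORDERS:
        orders.send(body)
    attempts = {}

    def handle(order):
        attempts[order["order_id"]] = attempts.get(order["order_id"], 0) + 1
        if order["quantity"] <= 0:
            raise ValueError(f"invalid quantity for order {order['order_id']}")
        # reserve stock, charge payment, emit an event ... (omitted)

    processed = run_workers(orders, handle)
    return {"processed": processed,
            "dead_lettered": [m.body["order_id"] for m in dlq.messages],
            "attempts": attempts}


if __name__ == "__main__":
    print(simulate())
```

Running it shows orders 1001 and 1003 processed once each, while order 1002 is attempted three times and then parked in the dead-letter queue for investigation instead of looping forever and starving the healthy traffic. The handler is deliberately idempotent-friendly: the same order body may be delivered more than once, which is why real workers must tolerate duplicate deliveries.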

Beginner Roadmap

  1. Learn AWS global infrastructure: Region, AZ, edge location.
  2. Learn IAM basics: user, group, role, policy, MFA, least privilege.
  3. Build a VPC with public and private subnets.
  4. Launch an EC2 instance and connect it to a security group.
  5. Create an S3 bucket, upload files, enable versioning, and test lifecycle rules.
  6. Create an RDS database and understand Multi-AZ vs read replica.
  7. Create a simple Lambda function behind API Gateway.
  8. Use CloudWatch logs and alarms.
  9. Draw a 3-tier architecture from memory.
  10. Start practice questions only after you can explain why each service is used.

Experienced Engineer Roadmap

  • Review VPC routing, security groups, NACLs, endpoints, peering, Transit Gateway, VPN, and Direct Connect.
  • Compare ALB, NLB, API Gateway, CloudFront, and Route 53 routing policies by exact use case.
  • Practice RDS Multi-AZ, read replicas, Aurora replicas, DynamoDB global tables, and backup choices.
  • Map every security scenario to IAM, KMS, Secrets Manager, WAF, Shield, CloudTrail, GuardDuty, or Config.
  • Practice DR decisions using RTO and RPO instead of memorized patterns.
  • Review cost tradeoffs: On-Demand, Spot, Savings Plans, storage classes, NAT cost, data transfer, and managed service overhead.
  • Explain architecture choices out loud in interview format: requirement, design, tradeoff, failure handling, cost risk.
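The security group versus NACL distinction in the Security Decisions section (stateful versus stateless) is the one most often answered from memory rather than understanding, so here is an added example, not part of the original guide and not AWS code, that evaluates an HTTPS request and its reply against both kinds of filter. Peers are matched by exact CIDR string rather than real prefix matching, and the security group has no outbound rules (a real default security group allows all outbound) so that its connection tracking is what lets the reply through.

```python
"""Stateful security group vs stateless network ACL, as a tiny packet simulator.

Added example, not AWS code. Peers are matched by exact CIDR string (no real
prefix matching), and the security group below has no outbound rules so the
stateful behaviour is visible; a real default security group allows all outbound.
"""
from dataclasses import dataclass, field

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = arriving at the instance, "out" = leaving it
    proto: str
    src_port: int
    dst_port: int
    peer: str        # remote address as a CIDR string


def _conn_key(f):
    """Normalise a packet to its connection: (proto, peer, peer port, local port)."""
    if f.direction == "in":
        return (f.proto, f.peer, f.src_port, f.dst_port)
    return (f.proto, f.peer, f.dst_port, f.src_port)


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)    # (proto, lo, hi, peer) allow rules only
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)      # connection table: the "stateful" part

    def allows(self, f):
        if _conn_key(f) in self.tracked:            # reply to an already-allowed connection
            return True
        rules = self.inbound if f.direction == "in" else self.outbound
        for proto, lo, hi, peer in rules:
            if proto == f.proto and lo <= f.dst_port <= hi and peer in (f.peer, ANY):
                self.tracked.add(_conn_key(f))
                return True
        return False                                 # no Deny rules exist: unmatched = dropped


@dataclass
class NetworkAcl:
    inbound: list = field(default_factory=list)    # (rule_no, proto, lo, hi, peer, action)
    outbound: list = field(default_factory=list)

    def allows(self, f):
        rules = self.inbound if f.direction == "in" else self.outbound
        for _, proto, lo, hi, peer, action in sorted(rules, key=lambda r: r[0]):
            if proto in (f.proto, "all") and lo <= f.dst_port <= hi and peer in (f.peer, ANY):
                return action == "allow"            # lowest matching rule number wins
        return False                                 # the trailing "*" deny


def https_exchange(fw, client="203.0.113.10/32", client_port=50000, server_port=443):
    """Evaluate a client request and the server's reply; returns (request_ok, reply_ok)."""
    request = Flow("in", "tcp", client_port, server_port, client)
    reply = Flow("out", "tcp", server_port, client_port, client)
    return fw.allows(request), fw.allows(reply)


# Constructed rule sets for the same HTTPS listener.
SG_HTTPS = SecurityGroup(inbound=[("tcp", 443, 443, ANY)])
NACL_MISSING_EPHEMERAL = NetworkAcl(inbound=[(100, "tcp", 443, 443, ANY, "allow")])
NACL_HTTPS = NetworkAcl(inbound=[(100, "tcp", 443, 443, ANY, "allow")],
                        outbound=[(100, "tcp", 1024, 65535, ANY, "allow")])
NACL_BLOCKLIST = NetworkAcl(inbound=[(50, "tcp", 443, 443, "203.0.113.10/32", "deny"),
                                     (100, "tcp", 443, 443, ANY, "allow")],
                            outbound=[(100, "tcp", 1024, 65535, ANY, "allow")])

if __name__ == "__main__":
    for name, fw in [("security group", SG_HTTPS), ("NACL, no ephemeral rule", NACL_MISSING_EPHEMERAL),
                     ("NACL with ephemeral rule", NACL_HTTPS), ("NACL blocklist", NACL_BLOCKLIST)]:
        print(f"{name:26} request/reply allowed = {https_exchange(fw)}")
```

The second case is the classic outage: the NACL admits the request on 443, but because it is stateless the server's reply to the client's ephemeral port is dropped unless an outbound rule covers 1024-65535. The last case shows the other NACL property worth remembering, that rules are evaluated by number and the first match decides, so a deny at rule 50 beats an allow at rule 100.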

Hands-on Labs

Lab | What to build | What you learn
Static website | S3 + CloudFront + Route 53 + ACM | Global delivery, TLS, DNS, private origin access.
Private web app | ALB + EC2 Auto Scaling + private subnets | Subnets, load balancing, scaling, health checks.
Relational app | App server + RDS Multi-AZ | Database subnets, security groups, failover concept.
Serverless API | API Gateway + Lambda + DynamoDB | Event-driven compute, IAM roles, NoSQL access.
Queue worker | SQS + Lambda worker + DLQ | Decoupling, retries, visibility timeout, failed messages.
Monitoring | CloudWatch dashboard + alarms + logs | Operational visibility and alerting.

Common Exam Traps

  • Multi-AZ vs read replica: Multi-AZ is for availability; read replica is for read scaling.
  • S3 vs EFS: S3 is object storage; EFS is shared file storage.
  • ALB vs NLB: ALB is HTTP Layer 7; NLB is TCP/UDP/TLS Layer 4.
  • CloudWatch vs CloudTrail: CloudWatch monitors metrics/logs; CloudTrail records API activity.
  • SNS vs SQS: SNS pushes messages to subscribers; SQS stores messages for consumers.
  • WAF vs Shield: WAF filters web requests; Shield protects against DDoS.
  • NAT Gateway vs Internet Gateway: NAT gives private resources outbound access; Internet Gateway enables public internet routing.
  • Least operational overhead: managed or serverless services often beat self-managed EC2.
  • Lowest cost: still must satisfy reliability, security, and performance requirements.

Final Revision Checklist

  • I can explain Region, AZ, edge location, VPC, subnet, route table, Internet Gateway, and NAT Gateway.
  • I can choose between EC2, Lambda, ECS, EKS, and Elastic Beanstalk.
  • I can choose between S3, EBS, EFS, and FSx.
  • I can choose between RDS, Aurora, DynamoDB, Redshift, Athena, and ElastiCache.
  • I can explain IAM roles, least privilege, KMS, Secrets Manager, WAF, Shield, CloudTrail, and GuardDuty.
  • I can explain ALB vs NLB, SNS vs SQS, CloudWatch vs CloudTrail, Multi-AZ vs read replica.
  • I can design a 3-tier app, a serverless API, and a queue-based worker flow.
  • I can compare backup and restore, pilot light, warm standby, and active-active DR.
  • I can explain cost choices without ignoring security or reliability.

25 Most Important Practice Questions

Important: these are original practice questions, not leaked or copied real exam questions. Use them to practice the same decision patterns tested in SAA-C03.
1. A web app must run across two Availability Zones and replace unhealthy instances automatically. Which design fits best?
Answer: Application Load Balancer + Auto Scaling group across two AZs.
Why: ALB distributes traffic and health-checks its targets; Auto Scaling replaces unhealthy instances and maintains the desired capacity.
2. A private EC2 instance needs to download operating system updates from the internet. It must not accept inbound internet traffic. What should you use?
Answer: NAT Gateway in a public subnet with routes from private subnets.
Why: NAT Gateway supports outbound internet access for private resources while blocking inbound sessions initiated from the internet.
3. An application needs shared Linux file storage mounted by multiple EC2 instances at the same time. Which service should you choose?
Answer: Amazon EFS.
Why: EFS is managed shared file storage for Linux workloads. EBS attaches to one instance at a time in most normal use cases; S3 is object storage.
4. A company stores old audit logs that are rarely accessed but must be retained for years at low cost. Which option is best?
Answer: S3 lifecycle transition to an S3 Glacier storage class.
Why: Glacier classes are designed for low-cost archival storage with different retrieval-time tradeoffs.
5. A database needs automatic failover inside one Region. Read scaling is not the main goal. What should you enable?
Answer: RDS Multi-AZ.
Why: Multi-AZ improves availability and failover. Read replicas are mainly for read scaling.
6. A workload has millions of predictable key-value lookups per second and does not require SQL joins. Which database is usually best?
Answer: DynamoDB.
Why: DynamoDB is serverless NoSQL built for high-scale key-value and document access patterns.
7. Users worldwide download static images and JavaScript files. Latency must be reduced. What should be added?
Answer: CloudFront.
Why: CloudFront caches content at edge locations close to users and reduces origin load.
8. A team needs HTTP path-based routing such as /api and /images. Which load balancer should be used?
Answer: Application Load Balancer.
Why: ALB supports Layer 7 HTTP/HTTPS routing by path, host, headers, and more.
9. A TCP application needs very high performance and static IP support. Which load balancer fits best?
Answer: Network Load Balancer.
Why: NLB works at Layer 4 and is designed for high-performance TCP, UDP, and TLS workloads.
10. An EC2 application must access S3 securely without storing access keys on the instance. What is the best approach?
Answer: Attach an IAM role to the EC2 instance.
Why: IAM roles provide temporary credentials and avoid long-term keys in code or on servers.
11. A company wants to know who changed a security group rule last night. Which service should they check?
Answer: CloudTrail.
Why: CloudTrail records AWS API activity, including security group changes.
12. An operations team wants CPU alarms, application logs, and dashboards. Which service is the primary choice?
Answer: CloudWatch.
Why: CloudWatch handles metrics, logs, alarms, dashboards, and operational events.
13. A public web app needs protection from SQL injection and request rate abuse. Which service helps most directly?
Answer: AWS WAF.
Why: WAF filters Layer 7 web requests with managed rules, custom rules, and rate-based rules.
14. A system must decouple order intake from order processing because traffic arrives in spikes. Which service should buffer work?
Answer: Amazon SQS.
Why: SQS stores messages durably so workers can process them at their own pace.
15. One event must notify email, inventory, and analytics systems at the same time. Which service pattern is best?
Answer: SNS fanout, often to SQS queues or Lambda functions.
Why: SNS publishes one message to multiple subscribers.
16. A workflow has multiple steps, retries, approvals, and branching logic. Which service should coordinate it?
Answer: Step Functions.
Why: Step Functions orchestrates workflows with state, retries, branching, and service integrations.
17. A company needs private connectivity from a VPC to S3 without using the public internet path. What should be used?
Answer: VPC endpoint for S3.
Why: VPC endpoints provide private connectivity to supported AWS services.
18. A business wants the lowest-cost disaster recovery option and can tolerate hours of recovery time. Which DR strategy fits?
Answer: Backup and restore.
Why: It has the lowest standby cost but usually the highest RTO.
19. A workload needs a small but running copy in another Region for faster recovery than backup-only. Which DR strategy fits?
Answer: Warm standby.
Why: A scaled-down full environment runs continuously and can scale up during disaster.
20. A company needs centralized billing and policy guardrails across many AWS accounts. Which service should be used?
Answer: AWS Organizations.
Why: Organizations supports consolidated billing, organizational units, and service control policies.
21. A database password must be stored securely and rotated automatically. Which service is best?
Answer: AWS Secrets Manager.
Why: Secrets Manager stores, encrypts, retrieves, and rotates secrets.
22. A serverless API needs an HTTPS front door, throttling, and Lambda integration. Which service should receive client requests?
Answer: API Gateway.
Why: API Gateway provides managed API endpoints, throttling, authorization options, stages, and Lambda integration.
23. A company wants SQL queries directly over CSV and Parquet files stored in S3 without managing servers. Which service should be used?
Answer: Athena.
Why: Athena is a serverless SQL query service for data stored in S3.
24. A read-heavy application repeatedly queries the same data from a relational database. Latency must be reduced. Which option can help?
Answer: ElastiCache or RDS read replicas, depending on the access pattern.
Why: ElastiCache reduces repeated read latency with in-memory caching; read replicas offload relational read queries.
25. A question asks for "least operational overhead" for running containers without managing servers. Which option usually fits?
Answer: ECS with Fargate.
Why: Fargate runs containers without managing EC2 worker nodes. EKS may be right when Kubernetes is required, but it adds platform complexity.
