TL;DR: The AWS SAA-C03 exam has 4 domains: Security (30%), Resilience (26%), Performance (24%), and Cost (20%). Security is the heaviest domain and most common failure point. Focus 35% of study time on Domain 1, master VPC networking and IAM policies, and complete 4+ practice exams for best results.
The AWS Certified Solutions Architect Associate (SAA-C03) exam tests your ability to design solutions using the AWS Well-Architected Framework. Understanding the exact weight and scope of each domain is critical for efficient exam preparation.
Why Domain Weights Matter
AWS uses a compensatory scoring model—you don't need to pass each domain individually, but you must pass overall. However, failing badly in the 30% Security domain is nearly impossible to recover from. Strategic study allocation based on domain weights dramatically improves pass rates.
SAA-C03 Domain Weight Overview
The SAA-C03 exam covers four domains, each testing different aspects of AWS solution design:
| Domain | Weight | Questions* | Focus Area |
|---|---|---|---|
| Domain 1: Design Secure Architectures | 30% | ~19-20 | IAM, VPC Security, Encryption, Compliance |
| Domain 2: Design Resilient Architectures | 26% | ~16-17 | High Availability, DR, Fault Tolerance |
| Domain 3: Design High-Performing Architectures | 24% | ~15-16 | Compute, Storage, Database, Caching |
| Domain 4: Design Cost-Optimized Architectures | 20% | ~12-13 | Pricing Models, Right-sizing, Optimization |
*Based on 50 scored questions. The exam includes 15 additional unscored questions distributed randomly.
Recommended Study Time Allocation
Optimal study time distribution based on domain weights:
- Domain 1 (Security): 35% of study time — Heaviest weight + most complex topics
- Domain 2 (Resilience): 25% of study time — Critical for real-world architecture
- Domain 3 (Performance): 25% of study time — Requires hands-on experience
- Domain 4 (Cost): 15% of study time — Most intuitive if you understand other domains
Domain 1: Design Secure Architectures (30%)
This is the most heavily weighted domain and the #1 reason candidates fail. Security increased from 24% (SAA-C02) to 30% (SAA-C03), reflecting AWS's emphasis on secure-by-design architectures.
Core Topics
- AWS IAM: Users, Groups, Roles, Policies, Permission Boundaries
- Identity Federation: SAML 2.0, Web Identity, AWS SSO, Cognito
- VPC Security: Security Groups, NACLs, VPC Endpoints, PrivateLink
- Network Security: AWS WAF, Shield, Network Firewall, Firewall Manager
- Encryption: KMS (CMK, AWS-managed), CloudHSM, ACM, S3 encryption
- Secrets Management: Secrets Manager vs. Parameter Store
- Monitoring & Detection: GuardDuty, Security Hub, Inspector, Macie
- Cross-Account Access: Resource-based policies, STS AssumeRole
- Compliance: AWS Artifact, Config Rules, CloudTrail
Example Question Topics
- A company needs to grant a third-party auditor read-only access to specific S3 buckets. What is the MOST secure approach?
- An application in a private subnet needs to access DynamoDB without traversing the internet. Which solution should the architect recommend?
- How should sensitive database credentials be stored and rotated automatically for an application running on EC2?
Domain 1 Key Services to Master
| Service | Why It's Tested | Common Scenarios |
|---|---|---|
| IAM | Foundation of all AWS security | Cross-account access, least privilege, service roles |
| VPC | Network isolation and security | Private/public subnets, NACLs vs SGs, VPC endpoints |
| KMS | Encryption key management | CMK rotation, cross-region keys, key policies |
| Secrets Manager | Credential management | RDS credential rotation, Lambda integration |
| GuardDuty | Threat detection | Compromised credentials, crypto mining detection |
| WAF | Application layer protection | SQL injection, XSS, rate limiting |
Security Groups vs NACLs — Critical Comparison
Security Groups vs Network ACLs
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Scope | Instance level | Subnet level |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Rules | Allow rules only | Allow AND Deny rules |
| Evaluation | All rules evaluated | Rules processed in order |
| Default | Denies all inbound, allows all outbound | Allows all traffic |
| Use Case | Primary instance protection | Subnet-level guardrails |
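The State, Rules and Evaluation rows of the table above, as a small simulation. This is an added example, not part of the original guide: it is a simplified model, and the rule sets, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules (documentation address ranges), not from a real VPC.
NACL_IN = [(90, "deny", "203.0.113.7/32", 443), (100, "allow", "0.0.0.0/0", 443)]
NACL_OUT_HTTPS_ONLY = [(100, "allow", "0.0.0.0/0", 443)]
NACL_OUT_EPHEMERAL = [(100, "allow", "0.0.0.0/0", range(1024, 65536))]
SG_IN = [("0.0.0.0/0", 443)]  # allow rules only: a deny cannot be expressed


def _hit(cidr, ports, ip, port):
    in_net = ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
    return in_net and (port in ports if isinstance(ports, range) else port == ports)


def nacl_allows(rules, ip, port):
    """Stateless, ordered: lowest rule number first, first match decides."""
    for _, action, cidr, ports in sorted(rules, key=lambda r: r[0]):
        if _hit(cidr, ports, ip, port):
            return action == "allow"
    return False  # the final '*' rule denies anything unmatched


def sg_allows(rules, ip, port):
    """All rules are evaluated; any matching allow permits the traffic."""
    return any(_hit(cidr, ports, ip, port) for cidr, ports in rules)


def round_trip(nacl_in, nacl_out, sg_in, client_ip, client_port, server_port):
    """Request must pass inbound NACL and SG. The reply is checked only by the
    outbound NACL, because the stateful SG auto-allows return traffic."""
    request_ok = (nacl_allows(nacl_in, client_ip, server_port)
                  and sg_allows(sg_in, client_ip, server_port))
    return request_ok and nacl_allows(nacl_out, client_ip, client_port)


if __name__ == "__main__":
    print(nacl_allows(NACL_IN, "203.0.113.7", 443))   # blocked by rule 90
    print(sg_allows(SG_IN, "203.0.113.7", 443))       # SG alone cannot block it
    print(round_trip(NACL_IN, NACL_OUT_HTTPS_ONLY, SG_IN, "198.51.100.10", 50000, 443))
    print(round_trip(NACL_IN, NACL_OUT_EPHEMERAL, SG_IN, "198.51.100.10", 50000, 443))
```

The third call fails even though the request itself is allowed: the outbound NACL has no rule for the client's ephemeral port, which is the practical cost of a stateless filter.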
Common Exam Trap
- "Block a specific IP address" = Network ACL (Security Groups can't deny)
- "Allow traffic from another security group" = Security Group (NACLs use CIDR only)
- "Stateless firewall needed" = Network ACL
IAM Policy Evaluation Logic
Understanding how AWS evaluates IAM policies is tested heavily:
- Explicit Deny → Always wins (policy evaluation stops)
- Organization SCPs → Must allow the action
- Resource-based policies → Can grant cross-account access
- IAM permissions boundaries → Sets maximum permissions
- Session policies → For assumed roles/federated users
- Identity-based policies → User/group/role policies
- Implicit Deny → Default if no explicit allow exists
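A simplified evaluator for the explicit-deny, guardrail and implicit-deny steps listed above. This is an added example, not AWS's implementation or code from the original guide: it models a same-account request with no resource-based policy, the policies and ARN are constructed samples, and `fnmatchcase` only approximates IAM wildcard matching.

```python
from fnmatch import fnmatchcase

# Constructed sample policies in a simplified statement form (assumption).
IDENTITY = [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]
BOUNDARY = [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*"},
       {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]
OBJ = "arn:aws:s3:::example-bucket/report.csv"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _effect(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    hits = {s["Effect"] for s in policy
            if any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(s["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(s["Resource"]))}
    return "Deny" if "Deny" in hits else "Allow" if "Allow" in hits else None


def evaluate(action, resource, identity, scp=None, boundary=None, session=None):
    """Decide one request; layers passed as None are treated as not attached."""
    layers = {"scp": scp, "boundary": boundary, "session": session, "identity": identity}
    effects = {n: _effect(p, action, resource) for n, p in layers.items() if p is not None}
    # 1. An explicit Deny in any applicable policy ends evaluation.
    for name, eff in effects.items():
        if eff == "Deny":
            return f"explicit deny ({name})"
    # 2. Every applicable layer must allow; a missing Allow is an implicit deny.
    for name, eff in effects.items():
        if eff is None:
            return f"implicit deny ({name})"
    return "allow"


if __name__ == "__main__":
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteBucket"):
        print(act, "->", evaluate(act, OBJ, IDENTITY, scp=SCP, boundary=BOUNDARY))
```

The identity policy grants `s3:*`, yet `s3:PutObject` is refused because the permissions boundary never allows it, and `s3:DeleteBucket` is refused by the SCP's explicit deny regardless of any allow.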
Exam Strategy: Domain 1
When answering security questions, always consider:
- Least privilege — Never grant more access than needed
- Defense in depth — Multiple security layers
- Encryption everywhere — At rest AND in transit
- Centralized management — Use Organizations, Security Hub, SSO
Domain 2: Design Resilient Architectures (26%)
This domain tests your ability to design systems that survive failures and recover quickly. You must understand Multi-AZ vs Multi-Region patterns, disaster recovery strategies, and loosely coupled architectures.
Disaster Recovery Strategies — RTO/RPO Tradeoffs
| Strategy | RTO | RPO | Cost | Use Case |
|---|---|---|---|---|
| Backup & Restore | Hours | Hours | $ | Non-critical systems, compliance archives |
| Pilot Light | 10-30 min | Minutes | $$ | Core systems kept minimal, scale up on disaster |
| Warm Standby | Minutes | Seconds-Minutes | $$$ | Business-critical with low RTO requirements |
| Active-Active (Multi-Site) | Near-zero | Near-zero | $$$$ | Mission-critical, zero-downtime tolerance |
RTO vs RPO Explained
RPO (Recovery Point Objective): Maximum acceptable data loss measured in time. RPO of 1 hour = you can lose up to 1 hour of data.
RTO (Recovery Time Objective): Maximum acceptable downtime. RTO of 4 hours = system must be operational within 4 hours of failure.
Exam Tip: Lower RTO/RPO = Higher cost and complexity. Always match strategy to business requirements.
Load Balancer Selection Guide
| Load Balancer | Layer | Protocol | Best For |
|---|---|---|---|
| ALB | 7 (Application) | HTTP/HTTPS, gRPC | Web apps, microservices, path-based routing |
| NLB | 4 (Transport) | TCP, UDP, TLS | Ultra-low latency, static IPs, gaming, IoT |
| GLB | 3 (Gateway) | IP | Third-party virtual appliances, firewalls |
| CLB | 4 & 7 | TCP, SSL, HTTP | Legacy (avoid for new architectures) |
Decoupling Patterns
SQS vs SNS vs EventBridge
| Feature | SQS | SNS | EventBridge |
|---|---|---|---|
| Pattern | Queue (pull-based) | Pub/Sub (push-based) | Event Bus (rule-based) |
| Delivery | At-least-once or exactly-once (FIFO) | At-least-once | At-least-once |
| Consumers | Single consumer group | Multiple subscribers | Multiple targets with filtering |
| Use Case | Decouple microservices, buffer requests | Fan-out notifications | Event-driven architectures, SaaS integration |
| Retention | 1-14 days | Immediate (no retention) | 24 hours (archive to S3) |
Domain 3: Design High-Performing Architectures (24%)
This domain tests your ability to select the right service for the right workload. You must understand compute options, storage types, database selection, and caching strategies.
EBS Volume Types — Performance Comparison
| Volume Type | IOPS (max) | Throughput (max) | Use Case |
|---|---|---|---|
| gp3 | 16,000 | 1,000 MiB/s | General purpose, boot volumes, dev/test |
| gp2 | 16,000 | 250 MiB/s | Legacy general purpose (prefer gp3) |
| io2 Block Express | 256,000 | 4,000 MiB/s | Mission-critical databases, SAP HANA |
| io2 | 64,000 | 1,000 MiB/s | High-performance databases |
| st1 | 500 | 500 MiB/s | Big data, data warehouses, log processing |
| sc1 | 250 | 250 MiB/s | Cold data, infrequent access |
EBS Selection Quick Rules
- Need max IOPS? → io2 Block Express (256K IOPS)
- Cost-effective general purpose? → gp3 (cheaper than gp2, higher baseline)
- Sequential large reads? → st1 (throughput optimized)
- Lowest cost archive? → sc1 (cold HDD)
Database Selection Matrix
| Requirement | Best Choice | Why |
|---|---|---|
| Relational + High Availability | Aurora | Multi-AZ by default, 5x throughput of MySQL |
| Key-value at any scale | DynamoDB | Single-digit ms latency, auto-scaling |
| Caching for RDS | ElastiCache Redis | Sub-millisecond reads, persistence options |
| Caching for DynamoDB | DAX | Microsecond latency, seamless integration |
| Document database | DocumentDB | MongoDB-compatible, fully managed |
| Data warehouse (PB scale) | Redshift | Columnar storage, SQL analytics |
| Graph database | Neptune | Relationships and connections |
| Time-series data | Timestream | IoT, metrics, time-based queries |
Caching Strategy Layers

Layer-by-layer breakdown:
- CloudFront (Edge) — Caches static assets and dynamic API responses at 400+ edge locations globally
- API Gateway — Caches API responses to reduce backend calls (TTL configurable)
- ElastiCache Redis — Caches database query results for RDS/Aurora workloads
- DAX — In-memory cache specifically for DynamoDB (microsecond latency)
Domain 4: Design Cost-Optimized Architectures (20%)
This domain tests your ability to design solutions that minimize cost while meeting requirements. You must understand pricing models, right-sizing, and cost monitoring tools.
EC2 Purchasing Options Comparison
| Option | Discount | Commitment | Best For |
|---|---|---|---|
| On-Demand | 0% | None | Unpredictable workloads, testing |
| Savings Plans (Compute) | Up to 66% | 1 or 3 years | Flexible across instance families |
| Savings Plans (EC2) | Up to 72% | 1 or 3 years | Specific instance family |
| Reserved Instances | Up to 72% | 1 or 3 years | Steady-state, predictable usage |
| Spot Instances | Up to 90% | None | Fault-tolerant, flexible timing |
| Dedicated Hosts | Varies | None or Reserved | Licensing, compliance requirements |
Savings Plans vs Reserved Instances
Choose Savings Plans when: You want flexibility to change instance types, sizes, OS, or tenancy.
Choose Reserved Instances when: You need capacity reservation in specific AZ, or have legacy billing requirements.
2026 Update: AWS now recommends Savings Plans over RIs for most workloads due to greater flexibility.
S3 Storage Class Decision Tree

Quick selection guide:
| Access Pattern | Storage Class | Retrieval Time | Cost (relative) |
|---|---|---|---|
| Multiple times/month | S3 Standard | Milliseconds | $$$ |
| Once/month (multi-AZ) | S3 Standard-IA | Milliseconds | $$ |
| Once/month (single-AZ OK) | S3 One Zone-IA | Milliseconds | $ |
| Once/quarter | Glacier Instant | Milliseconds | $ |
| Once/year | Glacier Flexible | Minutes-hours | ¢ |
| Compliance (7+ years) | Glacier Deep Archive | 12-48 hours | ¢ |
Master These Concepts with Practice
Our SAA-C03 practice bundle includes:
- 6 full practice exams (390+ questions)
- Detailed explanations for every answer
- Domain-by-domain performance tracking
30-day money-back guarantee
Most Tested AWS Services on SAA-C03
Based on exam feedback and domain analysis, these services appear most frequently:
Tier 1: Master These (Appear in 60%+ of Questions)
| Service | Primary Domain | Must-Know Topics |
|---|---|---|
| VPC | Domain 1 | Subnets, route tables, NAT, endpoints, peering |
| IAM | Domain 1 | Policies, roles, federation, cross-account |
| S3 | Domain 3 & 4 | Storage classes, encryption, replication, lifecycle |
| EC2 | Domain 2 & 3 | Instance types, Auto Scaling, placement groups |
| RDS/Aurora | Domain 2 & 3 | Multi-AZ, read replicas, encryption, backups |
Tier 2: Know Well (Appear in 30-60% of Questions)
| Service | Primary Domain | Must-Know Topics |
|---|---|---|
| Lambda | Domain 3 | Triggers, concurrency, VPC access, layers |
| DynamoDB | Domain 3 | Partition keys, GSI/LSI, capacity modes |
| CloudFront | Domain 3 | Origins, cache behaviors, signed URLs |
| Route 53 | Domain 2 | Routing policies, health checks, failover |
| ELB | Domain 2 | ALB vs NLB, target groups, health checks |
| SQS/SNS | Domain 2 | Decoupling patterns, dead-letter queues |
| KMS | Domain 1 | CMKs, key policies, envelope encryption |
Tier 3: Understand Basics (Appear in 10-30% of Questions)
ElastiCache, EFS, EBS, CloudWatch, CloudTrail, AWS Config, GuardDuty, Secrets Manager, Step Functions, API Gateway, Direct Connect, Transit Gateway, EventBridge
Exam Day Strategies
Question Approach Framework
For every question, identify:
- What domain? Security, Resilience, Performance, or Cost
- What's the constraint? (Cost, latency, availability, compliance)
- Eliminate wrong answers — Usually 2 are obviously incorrect
- Choose most AWS-native solution — AWS prefers managed services
Time Management
- 130 minutes for 65 questions = ~2 minutes per question
- Flag difficult questions and return later
- Don't spend more than 3 minutes on any single question
- Review flagged questions in final 20 minutes
Practice Resources
Recommended Study Path
- Week 1-2: Learn core concepts with video courses
- Week 3-6: Hands-on labs with AWS Free Tier
- Week 7-8: Take practice exams, identify weak areas
- Week 9-10: Deep dive into weak domains
- Week 11-12: Final practice exams, review incorrect answers
Preporato Practice Exams
Our SAA-C03 practice exam bundle includes 390 questions across 6 full-length exams, updated for 2026 with the latest services and scenario-based questions. Students report an average 23% score improvement from first to final practice exam.
Summary: Domain Focus Priority
| Priority | Domain | Weight | Key Focus |
|---|---|---|---|
| 1 | Design Secure Architectures | 30% | IAM policies, VPC security, encryption |
| 2 | Design Resilient Architectures | 26% | Multi-AZ, Auto Scaling, DR strategies |
| 3 | Design High-Performing Architectures | 24% | Service selection, caching, storage types |
| 4 | Design Cost-Optimized Architectures | 20% | Pricing models, lifecycle policies |
Ready to Practice?
Test your knowledge of all four SAA-C03 domains with Preporato's practice exams. Our questions mirror real exam difficulty and include detailed explanations with links to official AWS documentation.
Last updated: February 2026. Information based on the official AWS SAA-C03 Exam Guide and current exam feedback.
