How to pass AWS Certified Solutions Architect - Associate (SAA-C03)
The AWS Certified Solutions Architect - Associate (SAA-C03) tests one skill above feature recall: choosing the AWS service and design pattern that best fits a scenario. Amazon hands you a business situation with constraints on security, resilience, performance, and cost, then asks which architecture meets every one. The hard part is rarely knowing what a service does. It is knowing which option wins when three of the four answers could plausibly work and only one matches all the stated requirements at the lowest operational and cost overhead.
It suits practitioners who already build or operate on AWS: developers, sysadmins, and architects who need to prove they can assemble secure, highly available, well-performing, and cost-aware designs from managed AWS services. The exam draws across four weighted domains, with secure architecture carrying the most marks, followed by resilient, high-performing, and cost-optimised design. There is no enforced prerequisite, but the questions assume real exposure to the core building blocks: IAM, VPC networking, EC2, S3, the managed databases, and the decoupling services.
The exam rewards decision rules, not memorised datasheets. Most questions are short scenarios where two or three answers are technically capable and only one is the best fit once you weigh the constraint that was named: least privilege, surviving an Availability Zone failure, the lowest latency, or the lowest cost with no application change. The skill being tested is choosing correctly under that pressure, which is why practising on scenario questions with a worked explanation, and a reason every wrong option is wrong, beats reading service overviews.
SAA-C03 is a pick-the-right-design exam: almost every question is a scenario with security, resilience, performance, and cost constraints, and the right answer is the managed AWS service or pattern that satisfies all of them with the least operational overhead.
Difficulty
Intermediate
Best for
Working AWS practitioners: developers, systems administrators, and solutions architects who design and run workloads on AWS and need to prove they can choose secure, resilient, high-performing, and cost-optimised architectures under real constraints.
Prerequisites
None enforced. AWS recommends around one year of hands-on experience designing on AWS across compute, networking, storage, and databases. Practical exposure to IAM, VPC, EC2, S3, and the managed databases is what actually carries you through the scenarios.
Questions: 65
Time allowed: 130 min
Pass mark: 720 / 1000
Exam cost (USD): $150
Practice questions: 307
How this exam thinks
One habit decides this exam: read the scenario for its constraint, then pick the design that fits it. Almost every question is a short business situation with a stated limit on security posture, availability, performance, or cost, and the answer is the AWS service or pattern that meets that limit. Several options will be technically capable. Only one is the best fit once you weigh what the scenario actually asked for.
The default tie-breaker is the managed, requirement-fit, least-operational-overhead option. AWS designs the exam around its own preference for managed services and well-architected defaults, so when two answers both work, the one with less to run and operate usually wins: an IAM role over stored access keys, a managed queue over a self-built buffer, S3 Intelligent-Tiering over a hand-written access tracker, Aurora Serverless over a Lambda that stops and starts an instance. Reach for the manual or less managed option only when the scenario names a reason, such as an existing engine to preserve or a hard compliance control. That reason is the signal that the obvious managed answer is the trap.
The rest is a handful of discriminations the exam leans on, each driven by the constraint in the scenario. For access, IAM roles give temporary scoped credentials; resource-based policies and cross-account roles share across accounts; least privilege beats broad managed policies every time. For resilience, Multi-AZ buys you survival of a zone failure, decoupling with SQS absorbs spikes, and the disaster-recovery tier (backup and restore, pilot light, warm standby, multi-site) is chosen by the RTO and RPO named. For performance, the access pattern picks the storage and database, and edge or caching services cut latency. For cost, the lever built for the pattern wins: the right S3 class, Spot with an On-Demand base, or serverless for idle-heavy work. Name the constraint, then choose the service or setting built for it.
What each domain tests and how to study it
The SAA-C03 blueprint is split across 4 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
Domain 1: Secure Architectures (30 percent of the exam)
What you must be able to do. Given a scenario with access, network, secret, or data-protection requirements, choose the IAM model, edge and network controls, secret store, and encryption approach that grant least privilege and meet the security requirement with managed AWS services.
In one sentence: the biggest domain, covering least-privilege access, segmented networks, managed secrets, and encryption, so the design is secure by construction rather than by exception.
Recall check: answer these from memory first
An application on EC2 must read one S3 bucket and nothing else. What grants it access with no stored credentials, and what is wrong with attaching a broad managed policy or embedding keys?
Name the managed service that answers each: detect threats from account activity, find sensitive data sitting in S3, and report resources shared with external accounts through a policy.
When does a scenario need Secrets Manager rather than Parameter Store SecureString, and what does Secrets Manager add that Parameter Store does not?
What it tests. Designing security in from the start across the whole stack. Building least-privilege access with IAM users, groups, roles and policies, and instance profiles instead of long-lived keys; designing multi-account access with AWS Organizations, IAM Identity Center, and federation; choosing resource-based policies, permission boundaries, and cross-account roles for shared resources; segmenting networks and protecting the edge with security groups, network ACLs, AWS WAF, and AWS Shield; managing secrets with AWS Secrets Manager, Systems Manager Parameter Store, and Amazon Cognito; selecting managed detection services such as Amazon GuardDuty, Amazon Inspector, AWS Security Hub, Amazon Macie, and IAM Access Analyzer; encrypting at rest with AWS KMS, envelope encryption, and AWS CloudHSM; protecting data in transit with TLS and AWS Certificate Manager; and applying S3 access controls and data classification.
How to study it. Make least privilege your reflex, because it is the single most-tested idea here. Whenever a workload on EC2 or Lambda needs to reach another service, the answer is an IAM role scoped to the exact action and resource, never stored access keys and never a broad managed policy like AdministratorAccess. Learn the secret-store split: Secrets Manager when you need built-in rotation and multi-Region replication, Parameter Store SecureString for shared static config encrypted with KMS and read at runtime. Map each managed service to the threat it answers: GuardDuty for threat detection from logs, Inspector for vulnerability scanning, Macie for finding sensitive data in S3, IAM Access Analyzer for detecting external or public access through resource policies. For network defence, know the layers: security groups are stateful instance firewalls, network ACLs are stateless subnet filters, WAF inspects HTTP at layer 7, Shield defends against DDoS. For encryption, learn envelope encryption and when customer-managed KMS keys are required over AWS-managed ones.
Easy to confuse
IAM role versus stored IAM user access keys. An IAM role attached through an instance profile delivers short-lived, automatically rotated credentials from the instance metadata service; stored user access keys are long-lived and must be embedded, which the exam always treats as the insecure option. Workloads use roles, not keys.
Secrets Manager versus Parameter Store SecureString. Secrets Manager has built-in automatic rotation and multi-Region replication and costs per secret; Parameter Store SecureString encrypts a value with KMS and is read at runtime but has no native rotation. Choose Secrets Manager when the scenario needs managed rotation or cross-Region replication; otherwise SecureString is the cheaper fit for static shared config.
Security group versus network ACL. A security group is a stateful firewall attached to an instance or elastic network interface, where return traffic is allowed automatically; a network ACL is a stateless filter on a subnet that evaluates inbound and outbound rules separately. Security groups for instance-level allow rules, network ACLs for explicit subnet-level deny rules.
GuardDuty versus IAM Access Analyzer. GuardDuty detects malicious or anomalous activity from logs and threat intelligence; IAM Access Analyzer uses automated reasoning over resource-based policies to flag access granted outside your account or organisation. One watches behaviour, the other evaluates who your policies expose resources to.
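The security-group-versus-network-ACL distinction above is easiest to see on the reply packet of a single HTTPS session. The simulation below is an added illustration, not AWS code: it models only the rule semantics the exam tests (a security group admits return traffic for a flow it allowed; a network ACL judges every packet in each direction against numbered rules, lowest first, ending in an implicit deny). The rule numbers, the client port, and the "mirrored" ACL that copies the security group are all constructed.

```python
"""Stateful security group versus stateless network ACL, simulated offline.

Added illustration, not AWS code: it models only the rule semantics the exam
tests. Security groups allow return traffic for a connection they admitted;
a network ACL checks every packet in each direction against numbered rules,
lowest number first, ending in an implicit deny. Ports are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number (lowest evaluated first); ignored by security groups
    action: str        # "allow" or "deny" (security groups only ever hold "allow")
    protocol: str      # "tcp", "udp" or "all"
    port_from: int
    port_to: int

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in ("all", protocol) and self.port_from <= port <= self.port_to


@dataclass
class NetworkAcl:
    """Stateless subnet filter: the reply packet is judged on its own, by the outbound rules."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def permits(self, direction: str, protocol: str, dst_port: int) -> bool:
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(protocol, dst_port):
                return rule.action == "allow"   # first matching rule decides
        return False                            # implicit "*" deny rule at the end


@dataclass
class SecurityGroup:
    """Stateful instance firewall: replies to an admitted flow pass regardless of outbound rules."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

    def permits(self, direction: str, protocol: str, dst_port: int,
                reply_to_admitted_flow: bool = False) -> bool:
        if reply_to_admitted_flow:
            return True                         # connection tracking lets the return packet through
        rules = self.inbound if direction == "inbound" else self.outbound
        return any(r.matches(protocol, dst_port) for r in rules)


def https_session(acl: NetworkAcl, sg: SecurityGroup, client_port: int = 51515) -> dict:
    """A client on an ephemeral source port opens TCP 443; the instance answers to that port.

    Both layers must pass the request packet (dst 443, inbound) and the reply packet
    (dst client_port, outbound) for the session to work."""
    request_ok = acl.permits("inbound", "tcp", 443) and sg.permits("inbound", "tcp", 443)
    reply_ok = (acl.permits("outbound", "tcp", client_port)
                and sg.permits("outbound", "tcp", client_port, reply_to_admitted_flow=True))
    return {"request": request_ok, "reply": reply_ok, "session": request_ok and reply_ok}


# Security group with one inbound allow for 443 and no outbound rule at all:
# the reply still passes because the group is stateful.
WEB_SG = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 443, 443)])

# A network ACL that mirrors the security group (allow 443 in and out) looks right but
# blocks every reply, because replies go to the client's ephemeral port, not to 443.
MIRRORED_NACL = NetworkAcl(
    inbound=[Rule(100, "allow", "tcp", 443, 443)],
    outbound=[Rule(100, "allow", "tcp", 443, 443)],
)

# The corrected ACL adds an outbound allow for the ephemeral port range.
CORRECTED_NACL = NetworkAcl(
    inbound=[Rule(100, "allow", "tcp", 443, 443)],
    outbound=[Rule(100, "allow", "tcp", 443, 443), Rule(110, "allow", "tcp", 1024, 65535)],
)

if __name__ == "__main__":
    print("mirrored ACL :", https_session(MIRRORED_NACL, WEB_SG))
    print("corrected ACL:", https_session(CORRECTED_NACL, WEB_SG))
```

The mirrored ACL passes the request and drops the reply, which is exactly the symptom that confuses people who copy security-group rules into a network ACL; the fix is the stateless layer's explicit outbound rule for ephemeral ports, while the security group needs nothing extra.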
A company runs an application on Amazon EC2 instances that must read objects from a specific Amazon S3 bucket. Developers currently store long-lived IAM user access keys in the application configuration file. A solutions architect must remove the static credentials while granting only the access the application needs. Which approach best meets these requirements?
A. Attach an IAM role to the EC2 instances with a policy that allows the s3:GetObject action on the specific bucket, and have the application use the role credentials. (Correct)
B. Create an IAM user with an S3 read-only managed policy and embed its access key and secret key in the EC2 instance user data at launch.
C. Attach an IAM role to the EC2 instances that grants the AdministratorAccess managed policy so the application can reach the bucket without stored keys.
D. Store the IAM user access keys in AWS Secrets Manager and have the running application retrieve the same long-lived keys at startup.
Use IAM roles with instance profiles to give EC2 workloads scoped temporary credentials instead of storing long-lived access keys. An IAM role attached through an instance profile delivers short-lived credentials retrieved from the instance metadata service and rotated automatically, eliminating static keys, while a resource-scoped s3:GetObject policy enforces least privilege.
Why A is correct: An instance profile role supplies automatically rotated temporary credentials and a scoped GetObject policy on one bucket grants least privilege without any static keys.
Why B is wrong: Moving the key to user data still relies on long-lived static credentials that can leak, so it fails the requirement to remove static credentials entirely.
Why C is wrong: A role does remove static keys, but AdministratorAccess grants far more than the read access needed and violates the least-privilege requirement badly.
Why D is wrong: Secrets Manager protects the keys at rest, but the application still authenticates with long-lived IAM user credentials rather than removing them as required.
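To make the gap between option A and option C concrete, the following added example (not the page's or AWS's code) writes the trust policy an instance profile relies on and the scoped permission policy from option A, then evaluates both the scoped policy and an AdministratorAccess-shaped policy against a few constructed requests with a small offline simulator. The simulator implements only the subset of IAM evaluation the scenario needs (explicit Deny wins, then Allow, else implicit deny; "*" and "?" wildcards in Action and Resource; no conditions); the bucket names and request list are constructed.

```python
"""Least-privilege versus broad IAM policies, evaluated with a small offline simulator.

Added example, not AWS code: the matcher implements only the subset of IAM
evaluation the scenario needs (explicit Deny wins, then Allow, else implicit
deny; '*' and '?' wildcards in Action and Resource; no Condition, no NotAction).
The bucket names and sample requests are constructed.
"""
import json
import re

# Trust policy: lets EC2 assume the role. An instance profile hands the role to the instance.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy from option A: one action on the objects of one (constructed) bucket.
SCOPED_S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-bucket/*",
    }],
}

# Shape of the AdministratorAccess managed policy from option C: every action on everything.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Evaluate one request against one identity-based policy.

    Actions are matched case-insensitively, resource ARNs case-sensitively, as IAM does."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False           # an explicit Deny overrides every Allow
        allowed = True
    return allowed                 # no matching statement at all: implicit deny


def permission_footprint(policy: dict, requests) -> dict:
    """Verdict per (action, resource) pair, to compare how wide two policies really are."""
    return {f"{action} {resource}": is_allowed(policy, action, resource) for action, resource in requests}


# Constructed requests: the one thing the app needs, plus things it must not be able to do.
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-app-bucket/reports/q1.csv"),
    ("s3:PutObject", "arn:aws:s3:::example-app-bucket/reports/q1.csv"),
    ("s3:GetObject", "arn:aws:s3:::other-team-bucket/secret.txt"),
    ("iam:CreateUser", "*"),
]

if __name__ == "__main__":
    print(json.dumps(permission_footprint(SCOPED_S3_READ_POLICY, SAMPLE_REQUESTS), indent=2))
    print(json.dumps(permission_footprint(ADMIN_POLICY, SAMPLE_REQUESTS), indent=2))
```

Run it and the scoped policy answers True to exactly one of the four requests while the administrator-shaped policy answers True to all of them; that single-True footprint is what "least privilege" means in the scenario, and it is delivered through the role's temporary credentials, so there is nothing to embed in a configuration file.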
Domain 2: Resilient Architectures (26 percent of the exam)
What you must be able to do. Given availability and recovery requirements with stated RTO and RPO, choose the decoupling pattern, scaling configuration, Multi-AZ or cross-Region design, and disaster-recovery tier that meet the target with the least operational effort.
In one sentence: the resilience domain, covering decoupled components, elastic scaling, and the Multi-AZ, failover, and disaster-recovery design that meets the availability target.
Recall check: answer these from memory first
Workers are overwhelmed during traffic spikes and orders are being dropped. Which decoupling service buffers the work so nothing is lost, and why not SNS or EventBridge?
Order the four disaster-recovery strategies from cheapest and slowest to dearest and fastest, and say which one the exam picks when RTO and RPO are near zero.
What Auto Scaling health-check type makes the group replace instances the load balancer marks unhealthy, and why is the default not enough?
What it tests. Designing for failure so the workload stays up and loses no work. Loosely coupling components with Amazon SQS, Amazon SNS, and Amazon EventBridge; building scalable integration with Amazon API Gateway, load balancers, and container orchestration; designing elastic capacity with EC2 Auto Scaling, scaling policies, and serverless scaling; orchestrating decoupled serverless workflows with AWS Step Functions, Lambda, and asynchronous fan-out; designing high availability with Multi-AZ deployments, cross-Region replication, and automatic failover; selecting disaster-recovery strategies (backup and restore, pilot light, warm standby, multi-site) to meet RTO and RPO; and building fault tolerance with load balancer health checks, redundancy, and durable storage.
How to study it. Anchor on two ideas: decouple to absorb spikes, and match the recovery design to the named RTO and RPO. For decoupling, fix the three-way split: SQS is a pull-based durable buffer for spiky producer-to-consumer work, SNS is push-based pub/sub fan-out, EventBridge routes events by rules to many targets. When workers are overwhelmed and orders are lost, the answer is almost always an SQS queue. Learn the disaster-recovery ladder by its cost and recovery time: backup and restore is cheapest and slowest, pilot light keeps a minimal core warm, warm standby runs a scaled-down live copy, multi-site (active-active) is fastest and dearest. Map the named RTO and RPO to the right tier. Know the Auto Scaling health-check detail: set the health check type to ELB so the group replaces instances the load balancer reports unhealthy, not just ones failing EC2 status. For long-running or human steps, the Step Functions wait-for-callback pattern with a task token is the answer, not a fixed Wait state or polling.
Easy to confuse
Amazon SQS versus Amazon SNS. SQS is a pull-based, durable queue where one consumer processes each message and bursts are buffered until a worker is free; SNS is push-based pub/sub that fans the same message out to many subscribers at once. Use SQS to absorb spikes and decouple at the consumer's pace, SNS to broadcast to multiple endpoints.
Pilot light versus warm standby. Pilot light keeps only the core (such as a replicated database) running while the rest is dormant and must be started on failover; warm standby runs a scaled-down but fully functional copy that just needs scaling up. Warm standby has a lower RTO at higher steady cost; pilot light is cheaper but slower to recover.
Auto Scaling EC2 health check versus ELB health check. The default EC2 health check only sees instance and system status, so an instance that fails the application-level check stays in service; the ELB health check type lets the group act on the load balancer's target health and replace instances the application is failing. Use ELB when application health, not just the hypervisor, must trigger replacement.
Step Functions wait-for-callback versus a Wait state. The wait-for-callback pattern with a task token pauses a workflow until an external system calls SendTaskSuccess or SendTaskFailure, resuming exactly when the real result arrives; a Wait state only delays a fixed amount of time and then continues blindly. Use the callback token for asynchronous, long-running, or human steps of unknown duration.
An order-processing web tier writes directly to a fleet of EC2 worker instances over HTTP. During flash sales the workers are overwhelmed and requests are dropped, but at night the workers sit idle. The team wants to absorb traffic spikes, let the workers pull work at their own pace, and stop losing orders, with the least operational effort. Which change best meets these requirements?
A. Place an Application Load Balancer in front of the worker fleet and enable connection draining so that surplus order requests queue at the load balancer until a worker becomes available.
B. Send each order to an Amazon SQS standard queue and have the worker instances poll the queue, so messages persist until a worker is free to process them. (Correct)
C. Publish each order to an Amazon SNS topic and subscribe every worker instance so that all workers receive the same order and the fastest worker processes it first.
D. Route every order through an Amazon EventBridge bus with a rule that invokes the worker fleet directly, relying on EventBridge to retain orders the workers cannot yet accept.
Use an Amazon SQS queue to decouple a producer from consumers so that traffic spikes are buffered and work is pulled at the consumer's pace. SQS is a pull-based, durable message buffer. Producers enqueue messages that persist for the retention period, and consumers poll and delete them when processed, which absorbs bursts and decouples the tiers so no work is lost when consumers are saturated.
Why A is wrong: An ALB distributes synchronous requests but does not durably buffer them; when no healthy target can respond the requests time out, so orders are still lost during a spike.
Why B is correct: An SQS queue durably buffers messages and lets consumers poll at their own rate, smoothing spikes and preventing dropped orders with minimal operational effort.
Why C is wrong: SNS pushes a copy to every subscriber, so all workers would process the same order, and it does not buffer messages for slow consumers to pull later.
Why D is wrong: EventBridge routes and filters events to targets but is built for push-style delivery, not for letting a worker pool pull buffered work at its own pace.
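The difference between the losing synchronous design and the winning queue is easiest to see with numbers. The tick-based simulation below is an added example, not AWS code: the direct path models the scenario as described (the web tier calls workers over HTTP, so an order that arrives while every worker is busy is dropped), and the queued path models the two SQS properties the answer relies on, durable retention and consumers polling at their own pace. The arrival pattern, worker count, and per-worker rate are constructed; one tick stands in for one minute so that the default 4-day retention can be expressed.

```python
"""Tick-based simulation: synchronous worker calls versus an SQS-style durable queue.

Added example, not AWS code. The direct path models the scenario as described
(the web tier calls workers over HTTP, so an order arriving while every worker is
busy is dropped). The queued path models the SQS properties the answer relies on:
messages persist for a retention period until a consumer polls and deletes them.
Traffic numbers are constructed; one tick stands in for one minute.
"""
from collections import deque

# Constructed flash-sale traffic: 400 orders per tick for 5 ticks, then a trickle for 45 ticks.
FLASH_SALE_ARRIVALS = [400] * 5 + [5] * 45
WORKERS = 8            # worker instances
PER_WORKER_RATE = 10   # orders one worker finishes per tick


def simulate_direct(arrivals, workers=WORKERS, rate=PER_WORKER_RATE) -> dict:
    """Synchronous dispatch: unused capacity in a tick is gone, surplus orders are dropped."""
    capacity = workers * rate
    processed = dropped = 0
    for incoming in arrivals:
        handled = min(incoming, capacity)
        processed += handled
        dropped += incoming - handled
    return {"processed": processed, "dropped": dropped}


def simulate_queued(arrivals, workers=WORKERS, rate=PER_WORKER_RATE,
                    retention_ticks=4 * 24 * 60) -> dict:
    """Queue-backed dispatch: orders wait durably and workers pull at their own pace.

    A message older than the retention period expires (SQS keeps messages for a
    configured period, 4 days by default, which is 4 * 24 * 60 one-minute ticks)."""
    capacity = workers * rate
    queue = deque()            # enqueue tick of each waiting order, oldest first
    processed = expired = peak_depth = 0
    drained_at = None
    for tick, incoming in enumerate(arrivals):
        queue.extend([tick] * incoming)
        # Expire messages that outlived the retention period (none do with the default).
        while queue and tick - queue[0] > retention_ticks:
            queue.popleft()
            expired += 1
        # Each worker polls up to its rate; the queue, not the producer, absorbs the burst.
        for _ in range(min(capacity, len(queue))):
            queue.popleft()
            processed += 1
        peak_depth = max(peak_depth, len(queue))
        if drained_at is None and not queue:
            drained_at = tick  # first tick at which no order is waiting
    return {"processed": processed, "dropped": 0, "expired": expired,
            "peak_depth": peak_depth, "drained_at": drained_at, "left_over": len(queue)}


if __name__ == "__main__":
    print("direct:", simulate_direct(FLASH_SALE_ARRIVALS))
    print("queued:", simulate_queued(FLASH_SALE_ARRIVALS))
```

With these constructed numbers the synchronous design drops 1,600 of 2,225 orders, while the queue drops none, peaks at 1,600 waiting messages, and is empty again at tick 26 with the same eight workers. The `peak_depth` value is the number to watch in production: queue depth (the ApproximateNumberOfMessagesVisible metric in SQS) is what a scaling policy for the worker fleet should key on if draining time matters.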
Domain 3: High-Performing Architectures
What you must be able to do. Given an access pattern with stated latency, throughput, IOPS, or scale needs, select the storage, compute, database, caching, edge, and network services that deliver the performance the scenario requires.
In one sentence: the performance domain, reading the access pattern and choosing the storage, compute, database, caching, and edge service built for it.
Recall check: answer these from memory first
Match each to the right service: shared POSIX file access across a Linux fleet; analytical block storage on one instance; spiky relational workload that idles overnight; high-throughput key-value lookups at scale.
A workload concentrates very high request rates on a single S3 key prefix and gets 503 slow-down. What raises the achievable request rate without leaving S3, and why?
Which EFS throughput mode suits unpredictable bursts billed for what you use, and why is Provisioned or Bursting the wrong fit there?
What it tests. Matching each layer to its performance requirement. Choosing object and file storage with Amazon S3, Amazon EFS, and Amazon FSx; selecting EBS volume types for IOPS and throughput; designing elastic compute with EC2 instance types, Lambda, and containers; distributing load with Elastic Load Balancing, Auto Scaling, and placement groups; selecting relational and purpose-built databases such as Amazon RDS, Amazon Aurora, and Amazon DynamoDB; improving database performance with Amazon ElastiCache, read replicas, and DynamoDB Accelerator; accelerating delivery with Amazon CloudFront and AWS Global Accelerator; designing performant networks with VPC design, AWS Direct Connect, and AWS Transit Gateway; and building data ingestion and transformation with Amazon Kinesis, AWS Glue, and Amazon Athena.
How to study it. Build a decision tree per layer and drill it from the access pattern, because this domain is selection above all. For storage, let the workload pick: S3 for object access, EFS for shared POSIX file access across Linux instances, FSx for Windows or high-performance file systems, EBS for single-instance block storage. Learn the S3 throughput rule (3,500 PUT and 5,500 GET per second per prefix) so you reach for spreading keys across prefixes when a workload hits 503 slow-down on one prefix. For databases, the access pattern decides: RDS or Aurora for relational SQL, Aurora Serverless v2 for spiky relational workloads that idle, DynamoDB for key-value at scale, DocumentDB to keep a MongoDB API, ElastiCache or DAX for caching hot reads. For files, learn the EFS throughput modes: Elastic for unpredictable bursts billed per use, Bursting for steady baselines, Provisioned for a fixed high rate. For delivery, CloudFront caches content at the edge while Global Accelerator routes TCP and UDP traffic over the AWS backbone.
Easy to confuse
Aurora Serverless v2 versus DynamoDB on-demand. Aurora Serverless v2 is a relational, SQL-compatible engine that scales capacity to load and contracts when idle while preserving the relational model; DynamoDB on-demand is a key-value store that also costs nothing when idle but requires a non-relational access pattern. Choose Aurora Serverless v2 when the scenario keeps the relational model and SQL; DynamoDB only when the data model is key-value.
Amazon DocumentDB versus Amazon DynamoDB. DocumentDB is MongoDB-API compatible, so existing MongoDB drivers, queries, and the document model move with little change; DynamoDB is a different API that needs the access layer rewritten to key-based single-table patterns. When the scenario wants to keep the MongoDB API and least re-architecture, it is DocumentDB.
EFS Elastic versus Provisioned Throughput. Elastic Throughput scales performance up and down automatically and bills only for throughput driven, fitting unpredictable spiky workloads; Provisioned Throughput fixes a constant rate you pay for whether used or not, fitting steady high demand known in advance. The deciding constraint is whether the load is unpredictable or steady.
Amazon CloudFront versus AWS Global Accelerator. CloudFront is a content delivery network that caches HTTP content at edge locations to cut latency for cacheable web traffic; Global Accelerator routes any TCP or UDP traffic to the nearest healthy endpoint over the AWS backbone with static anycast IPs. CloudFront for cacheable content, Global Accelerator for non-HTTP or fast global failover to regional endpoints.
A media company stores millions of objects in a single Amazon S3 bucket. A new batch pipeline issues a very high volume of concurrent GET and PUT requests against objects that all share the key prefix uploads/2026/, and the team observes elevated latency and HTTP 503 slow-down responses. They need the request throughput to scale higher without moving to a different storage service. Which change best increases the achievable request rate for this workload?
A. Enable S3 Versioning on the bucket so each request targets a distinct object version and the additional version metadata spreads the load.
B. Switch the bucket to the S3 Intelligent-Tiering storage class so frequently accessed objects move to a tier that serves a higher request rate.
C. Turn on S3 Transfer Acceleration so requests route through edge locations and the bucket sustains a higher concurrent request rate per prefix.
D. Spread the objects and requests across several key prefixes, since S3 scales to thousands of requests per second per prefix and parallel prefixes multiply the throughput. (Correct)
Amazon S3 scales request throughput per key prefix, so distributing keys across multiple prefixes multiplies the achievable request rate. Amazon S3 automatically scales to at least 3,500 PUT and 5,500 GET requests per second per prefix, and this limit applies independently to each prefix in a bucket. When a workload concentrates requests on one prefix it hits that single ceiling and receives 503 slow-down responses, so spreading keys across many prefixes lets requests run against many prefix limits in parallel and raises the aggregate throughput without leaving S3.
Why A is wrong: Versioning keeps prior copies of an object for recovery, but it does not change how S3 partitions request capacity by prefix, so the throughput ceiling on the hot prefix is unchanged.
Why B is wrong: Intelligent-Tiering moves objects between access tiers to optimise storage cost, but all tiers share the same per-prefix request model, so it does not lift the throughput limit on a hot prefix.
Why C is wrong: Transfer Acceleration speeds long-distance transfers over the AWS edge network, but it does not raise the per-prefix request rate, so the 503 slow-down responses on the hot prefix persist.
Why D is correct: S3 request capacity scales per prefix, so distributing keys across many prefixes lets the workload run many parallel prefix limits at once and removes the single-prefix bottleneck causing the slow-down responses.
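Option D is a key-naming change, so it is worth seeing what that change looks like in code. The block below is an added example, not AWS's or the company's code: it rewrites keys under the hot uploads/2026/ prefix into N sub-prefixes derived from a hash of the object name, checks that the spread is even, and multiplies the per-prefix baselines the page quotes (3,500 PUT and 5,500 GET per second) by the prefix count. The fan-out of 16 and the sample key names are constructed.

```python
"""Spreading a hot S3 key prefix across hashed sub-prefixes.

Added example, not AWS or the company's code. It rewrites keys under a constructed
hot prefix (uploads/2026/) into N sub-prefixes derived from a hash of the object
name, so the per-prefix request baseline applies N times over. The 3,500 PUT and
5,500 GET per second figures are the per-prefix baselines quoted in the text; the
fan-out and sample key names are constructed.
"""
import hashlib
from collections import Counter

PUT_PER_PREFIX = 3_500   # requests per second per prefix (PUT/COPY/POST/DELETE)
GET_PER_PREFIX = 5_500   # requests per second per prefix (GET/HEAD)


def sub_prefix_for(key: str, hot_prefix: str, fanout: int = 16) -> str:
    """Deterministic sub-prefix for a key: the same key always maps to the same prefix,
    so readers compute the location instead of listing or consulting a lookup table."""
    name = key[len(hot_prefix):]
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    bucket = int.from_bytes(digest[:4], "big") % fanout
    width = len(str(fanout - 1))
    return f"{hot_prefix}{bucket:0{width}d}/"


def partitioned_key(key: str, hot_prefix: str, fanout: int = 16) -> str:
    """Rewrite uploads/2026/<name> as uploads/2026/<bucket>/<name>; other keys are untouched."""
    if not key.startswith(hot_prefix):
        return key
    return sub_prefix_for(key, hot_prefix, fanout) + key[len(hot_prefix):]


def prefix_distribution(keys, hot_prefix: str, fanout: int = 16) -> Counter:
    """Object count per sub-prefix after rewriting, to check the spread is even."""
    return Counter(sub_prefix_for(k, hot_prefix, fanout) for k in keys if k.startswith(hot_prefix))


def aggregate_request_ceiling(prefix_count: int) -> dict:
    """Baseline requests per second available when traffic is spread evenly over the prefixes."""
    return {"put_per_s": PUT_PER_PREFIX * prefix_count, "get_per_s": GET_PER_PREFIX * prefix_count}


HOT_PREFIX = "uploads/2026/"
SAMPLE_KEYS = [f"{HOT_PREFIX}asset-{i:06d}.jpg" for i in range(10_000)]   # constructed

if __name__ == "__main__":
    spread = prefix_distribution(SAMPLE_KEYS, HOT_PREFIX)
    print(f"{len(spread)} prefixes, smallest {min(spread.values())}, largest {max(spread.values())}")
    print(partitioned_key(SAMPLE_KEYS[0], HOT_PREFIX))
    print(aggregate_request_ceiling(len(spread)))
```

Two design points matter here. The sub-prefix comes from a hash rather than from a date or a sequence number, because date-based or sequential prefixes keep the newest objects, which are usually the hottest, on one prefix and recreate the bottleneck. And the mapping is deterministic, so the reader computes the key it needs and never has to list the bucket to find an object.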
Domain 4: Cost-Optimised Architectures
What you must be able to do. Given a workload with a cost constraint, choose the storage class, pricing model, right-sizing, data-transfer reduction, and cost-governance approach that cuts spend while still meeting availability, durability, and performance requirements.
In one sentence: the cost domain, cutting spend with the right S3 class, compute pricing model, and data-transfer design without breaking the availability or durability the scenario still demands.
Recall check: answer these from memory first
Per-object S3 access is unpredictable, no retrieval fees are acceptable, and no application change is allowed. Which storage class fits, and why not a single fixed infrequent-access class?
Irreplaceable data must survive the loss of a whole Availability Zone at the lowest infrequent-access cost. Which class is correct, and why is One Zone-IA the trap?
You need substantial savings on a fault-tolerant fleet but a guaranteed minimum capacity that survives Spot reclaims. What Auto Scaling configuration delivers both?
What it tests. Reducing cost while honouring the other requirements. Optimising object storage with S3 storage classes, lifecycle policies, and S3 Intelligent-Tiering; right-sizing block, file, and backup storage and managing snapshots; selecting compute pricing models including Spot Instances, Reserved Instances, and Savings Plans; reducing compute cost through right-sizing, serverless adoption, and AWS Compute Optimizer; cost-optimising databases by right-sizing, choosing serverless, and managing storage; reducing data-transfer cost with VPC endpoints, Amazon CloudFront, and Region and Availability Zone aware design; and monitoring and governing cost with AWS Cost Explorer, AWS Budgets, and cost allocation tags.
How to study it. Learn each cost lever as the answer to a named constraint, and watch for the trap where the cheapest option quietly breaks durability or availability. For S3, fix the class decision: Intelligent-Tiering for unpredictable per-object access with no retrieval fees or code, Standard-IA for infrequent access that must still survive an Availability Zone loss, One Zone-IA only when the data is reproducible, Glacier classes for archival. The exam's favourite trap is offering One Zone-IA for irreplaceable data that must survive a zone failure; the answer is Standard-IA. For compute, match the pricing model: Spot for interruptible fault-tolerant work, Reserved Instances or Savings Plans for steady predictable baselines, and a mixed instances policy with an On-Demand base plus Spot when you need a guaranteed capacity floor and savings together. For idle-heavy workloads willing to refactor, serverless removes idle cost. For data transfer, VPC endpoints and CloudFront cut egress charges. Know the governance trio: Cost Explorer analyses, Budgets alerts, allocation tags attribute.
Easy to confuse
S3 Standard-IA versus S3 One Zone-IA. Standard-IA replicates across at least three Availability Zones, so it survives a zone failure; One Zone-IA keeps a single copy in one zone for a lower rate but loses the data if that zone fails. Use One Zone-IA only for reproducible data; for irreplaceable data that must survive a zone loss, Standard-IA is the answer.
S3 Intelligent-Tiering versus a lifecycle rule to a fixed class. Intelligent-Tiering moves each object between access tiers automatically based on its own observed usage with no retrieval fee, ideal when per-object access is unpredictable; a lifecycle rule moves every object on a fixed schedule regardless of whether it is still hot. Use Intelligent-Tiering when access is unpredictable and per object, lifecycle rules when the cold-down pattern is known and uniform.
Spot Instances versus Reserved Instances or Savings Plans. Spot offers the deepest discount but can be reclaimed with short notice, so it suits fault-tolerant interruptible work; Reserved Instances and Savings Plans give a committed-use discount on capacity that must stay running. Spot for interruptible, commitments for steady baseline that cannot disappear.
Mixed instances policy versus all-Spot Auto Scaling. A mixed instances policy holds an On-Demand base capacity that survives Spot reclaims plus a Spot portion across instance types, guaranteeing an availability floor while still saving; an all-Spot group has no protected floor and can lose its whole capacity in a reclaim. When the scenario needs both savings and a guaranteed minimum, use the mixed policy with an On-Demand base.
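The guaranteed floor in the last comparison is an arithmetic property of the policy, and seeing the numbers makes the all-Spot trap obvious. The block below is an added example, not AWS code: it builds the MixedInstancesPolicy document with the real field names (OnDemandBaseCapacity, OnDemandPercentageAboveBaseCapacity, SpotAllocationStrategy, Overrides), then computes how a desired capacity splits into On-Demand and Spot and how many instances survive if every Spot instance is reclaimed at once. The split arithmetic is a simplified model in which the On-Demand share above the base is rounded up; the launch template name, instance types, and capacities are constructed.

```python
"""Capacity floor of an Auto Scaling mixed instances policy versus an all-Spot group.

Added example, not AWS code. The policy dict uses the real MixedInstancesPolicy
field names (OnDemandBaseCapacity, OnDemandPercentageAboveBaseCapacity,
SpotAllocationStrategy, Overrides); the split arithmetic is a simplified model of
how the group fills desired capacity (the On-Demand share above the base is rounded
up), and the launch template name, instance types and numbers are constructed.
"""
import math


def mixed_instances_policy(base: int, pct_above_base: int, instance_types) -> dict:
    """Build the MixedInstancesPolicy document for an Auto Scaling group."""
    return {
        "LaunchTemplate": {
            "LaunchTemplateSpecification": {"LaunchTemplateName": "example-workers",  # placeholder
                                            "Version": "$Latest"},
            "Overrides": [{"InstanceType": t} for t in instance_types],
        },
        "InstancesDistribution": {
            "OnDemandBaseCapacity": base,                        # instances that are always On-Demand
            "OnDemandPercentageAboveBaseCapacity": pct_above_base,
            "SpotAllocationStrategy": "price-capacity-optimized",
        },
    }


def capacity_split(desired: int, policy: dict) -> dict:
    """On-Demand versus Spot instance counts for a desired capacity."""
    dist = policy["InstancesDistribution"]
    base = min(dist["OnDemandBaseCapacity"], desired)
    above_base = desired - base
    on_demand_above = math.ceil(above_base * dist["OnDemandPercentageAboveBaseCapacity"] / 100)
    on_demand = base + on_demand_above
    return {"on_demand": on_demand, "spot": desired - on_demand}


def floor_after_spot_reclaim(desired: int, policy: dict) -> int:
    """Instances still running if every Spot instance is reclaimed at once: the guaranteed minimum."""
    return capacity_split(desired, policy)["on_demand"]


def meets_floor(desired: int, policy: dict, required_minimum: int) -> bool:
    """Does this policy keep at least `required_minimum` instances through a total Spot reclaim?"""
    return floor_after_spot_reclaim(desired, policy) >= required_minimum


# Constructed scenario: 10 instances desired, the service needs 4 to stay up.
INSTANCE_TYPES = ["m6i.large", "m5.large", "m6a.large"]
BALANCED = mixed_instances_policy(base=2, pct_above_base=25, instance_types=INSTANCE_TYPES)
ALL_SPOT = mixed_instances_policy(base=0, pct_above_base=0, instance_types=INSTANCE_TYPES)

if __name__ == "__main__":
    for name, policy in (("balanced", BALANCED), ("all-spot", ALL_SPOT)):
        print(name, capacity_split(10, policy), "floor:", floor_after_spot_reclaim(10, policy),
              "meets 4:", meets_floor(10, policy, 4))
```

With the balanced policy, 10 desired instances become 4 On-Demand and 6 Spot, so the fleet keeps 4 instances through a total Spot reclaim; the all-Spot policy saves more per hour but has a floor of zero, which is the trap the scenario is checking. Listing several instance types in Overrides is part of the same answer: it gives the Spot portion more pools to draw from, so a reclaim in one pool is less likely to empty the group.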
A SaaS company stores user-uploaded documents in Amazon S3. Some objects are downloaded many times in the first week, others are never touched again, and the access pattern for any given object is impossible to predict. The team wants to minimise storage cost without writing code to track access, and it cannot accept per-object retrieval fees or any change to how the application reads objects. Which storage approach meets these requirements?
A. Keep every object in S3 Standard and rely on volume discounts to reduce the monthly storage charge as the bucket grows over time.
B. Place all objects in S3 Standard-Infrequent Access on upload, accepting the lower storage rate in exchange for the per-gigabyte retrieval charge on each read.
C. Write a lifecycle rule that moves every object to S3 Glacier Flexible Retrieval seven days after upload to capture the lowest possible storage price.
D. Store all objects in S3 Intelligent-Tiering so the service automatically moves each object between access tiers based on its observed usage. (Correct)
Choose S3 Intelligent-Tiering when per-object access is unpredictable and you need automatic cost optimisation without retrieval fees or application changes. S3 Intelligent-Tiering automatically moves each object between a frequent-access tier and an infrequent-access tier based on its own monitored access, charging only a small monitoring fee and no retrieval fee. Because the tiering is per object and transparent to readers, it handles an unpredictable mix of hot and cold objects without code or retrieval penalties, which a single fixed storage class cannot do.
Why A is wrong: Tempting because S3 Standard needs no changes and avoids retrieval fees, but it applies the full frequent-access price to cold objects, so it does not minimise cost for data that is rarely read.
Why B is wrong: Tempting because Standard-IA is cheaper to store, but objects read many times in the first week incur per-gigabyte retrieval fees, which the requirement explicitly forbids.
Why C is wrong: Tempting because Glacier storage is cheap, but objects still read after seven days would need a retrieval job and wait, breaking the no-retrieval-fee and no-application-change constraints.
Why D is correct: Intelligent-Tiering monitors each object and shifts it between frequent and infrequent tiers automatically with no retrieval fees and no application change, which fits an unpredictable per-object access pattern.
A study plan that works
Map the blueprint and book a date
Day 1
Read the official AWS exam guide and the four domains with their weights. Book a provisional date now: a fixed date turns open-ended study into a plan and is the strongest predictor of actually sitting. Note that Secure Architectures at 30 percent and Resilient Architectures at 26 percent are over half the exam between them, so plan the heaviest study there.
Build the service-selection maps
Week 1
Before drilling any domain, build the decision trees the whole exam rests on: access and security (roles versus keys, the secret stores, the network layers, the detection services), decoupling (SQS versus SNS versus EventBridge), storage and database selection by access pattern, and the cost levers. Use the recall prompts in this guide: cover the answer, choose the service from the constraint, then reveal. If you cannot pick from the requirement alone, you do not own it yet.
Go deep on secure and resilient design (Domains 1 and 2)
Weeks 1 to 3
These two are over half the exam, so they get the most time. Drill least privilege until an IAM role scoped to one action on one resource is automatic, learn the secret-store and detection-service splits, and fix the SQS, SNS and EventBridge split and the disaster-recovery ladder (backup and restore, pilot light, warm standby, multi-site active/active) against RTO and RPO. Practise on scenario questions and read the worked explanation on every one, including the ones you got right, watching for the named constraint that picks the answer.
Lock storage, database, and performance selection (Domain 3)
Weeks 3 to 4
High-performing design is reliable marks if you drill it as decision trees from the access pattern. Fix the storage split (S3, EFS, FSx, EBS), the database split (RDS, Aurora, Aurora Serverless v2, DynamoDB, DocumentDB), the caching options, and the edge choice between CloudFront and Global Accelerator. Do the Aurora-Serverless-versus-DynamoDB and CloudFront-versus-Global-Accelerator calls by hand until the constraint alone decides them.
Cover cost optimisation and its traps (Domain 4)
Week 4
Cost is learnable and dependable marks once you know the levers. Drill the S3 class decision and the durability trap (Standard-IA versus One Zone-IA for irreplaceable data), the compute pricing models, the mixed instances policy for a guaranteed floor with savings, and the data-transfer and governance tools. Tie every choice back to the cost constraint named while checking it does not break availability or durability.
Drill weak domains, then space the review
Week 5
Use your per-domain accuracy to attack the two domains dragging you down, not to re-read what you already know. Then space it: revisit each domain's recall prompts after a few days and again a week later. Spacing roughly doubles what sticks compared with cramming, and it is the cheapest gain available before the exam.
Sit a timed mock and calibrate
Weeks 5 to 6
Take at least one full timed mock under exam conditions, 65 questions in 130 minutes, to rehearse pacing and the flag-and-return habit across the full question set. Treat the score as a per-domain readiness signal, not a single number, and review every missed question, naming the constraint you misread, before you book or sit.
Know when you're ready
Readiness for the AWS Certified Solutions Architect - Associate is a score on scenario questions you have not seen before, not a feeling that the services are familiar. Those are different things, and the gap between them is where people fail. Re-reading the docs builds fluency, and fluency feels like knowledge, so confidence rises while real recall does not. The fix is to test yourself: if you can read a fresh scenario, name the constraint, and pick the right design while explaining why each other option is wrong, you know it; if you can only nod along to an explanation, you do not yet.
Be especially wary of early confidence on the service map. Knowing what IAM, SQS, S3, and the managed databases each do is the easy half; choosing between them under a security, availability, or cost constraint, when two of them would work, is the half the exam actually tests. Trust your measured per-domain accuracy over your gut, and set the bar at clearing every domain comfortably on unseen questions across more than one session, not scraping past the 720 scaled pass mark once.
This guide gives you the map. The practice bank is where you find out whether you can navigate it, with a worked explanation and a reason every distractor is wrong on every question. Readiness scoring tells you when you are there. Not before.
Read the scenario for its constraint first. The security, availability, performance, or cost limit named in the question is what picks the answer, so find it before you judge the options.
When two services both work, default to the managed, least-overhead one. AWS prefers managed services and well-architected defaults; reach for the manual option only when the scenario names a reason such as an existing engine to preserve.
Treat broad permissions as a wrong answer. Any option granting AdministratorAccess or embedding long-lived keys is the trap; least privilege through a scoped IAM role almost always wins the security questions.
Let the access pattern pick storage and databases. Shared file access means EFS, object means S3, key-value at scale means DynamoDB, relational that idles means Aurora Serverless v2; do not default to the service you know best.
Watch the cost-versus-durability trap. When a question stresses lowest cost but the data is irreplaceable or must survive a zone failure, the cheaper infrequent-access class, One Zone-IA, which keeps data in a single Availability Zone, is usually the wrong answer; Standard-IA, which stores data redundantly across multiple Availability Zones, is the fit.
Match the disaster-recovery tier to the stated RTO and RPO. Near-zero recovery time points to warm standby or multi-site; relaxed targets allow pilot light or backup and restore for less cost.
Flag and move on. Cover every question once before you spend time on a hard one; collecting the clear marks first protects the ones you actually know within the time limit.
Frequently asked questions
Is the AWS Certified Solutions Architect - Associate hard?
It is an associate-level exam, and the difficulty is judgement rather than recall. Most questions are scenarios where several AWS services could work and only one fits the stated security, resilience, performance, or cost constraint. Scenario practice with worked explanations matters far more than memorising what each service does.
How long should I study for the SAA-C03?
Most candidates with around a year of hands-on AWS experience are ready in six to eight weeks of steady study. Less hands-on exposure means more time on the two heavy domains, Secure and Resilient Architectures, and on the service-selection decisions the whole exam rests on.
Do I need deep networking or coding knowledge for this exam?
You need to read and reason about VPC design, IAM policies, and how services connect, but the exam is about choosing and configuring services, not writing code or memorising every CLI flag. Comfort with IAM, VPC networking, and the core storage and database services is what carries you.
Which domains should I focus on?
Design Secure Architectures at 30 percent and Design Resilient Architectures at 26 percent are over half the exam, so they deserve the most time. Design High-Performing Architectures at 24 percent is close behind and rewards clean storage and database selection trees, so do not leave it short.
What is the difference between SQS, SNS, and EventBridge on this exam?
SQS is a pull-based durable queue that buffers work so a producer and consumer decouple and spikes are absorbed; SNS is push-based pub/sub that fans one message out to many subscribers; EventBridge routes events by rules to many targets and integrates with AWS services. When workers are overwhelmed and work is lost, the answer is usually SQS.
How should I think about IAM questions?
Default to least privilege through an IAM role. When a workload on EC2 or Lambda needs to reach another service, attach a role (an instance profile or an execution role) whose policy names the exact actions and resources, and let the SDK pick up the role's short-lived credentials automatically, rather than storing access keys or attaching a broad managed policy. Any option with AdministratorAccess or embedded long-lived credentials is the trap.
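Concretely, this is what the scoped-role answer looks like next to the traps, for both the "treat broad permissions as a wrong answer" tip above and this answer. It is an added Python example, not the page's own material and not AWS-published code: the bucket name, prefix and user-data scripts are constructed placeholders, the access-key ID is the documentation example ID AWS publishes for illustration rather than a live credential, and the checker is a teaching aid for the least-privilege test, not a substitute for IAM Access Analyzer.

```python
"""Least-privilege IAM role for an EC2 workload that reads one S3 prefix,
beside the broad policies and embedded-key trap the exam penalises, with a
small checker for each trap.

Added example (not from the page or AWS). Bucket, prefix and user data are
constructed placeholders; the AKIA key ID below is AWS's published
documentation example, not a real credential.
"""
import re

BUCKET = "example-reports-bucket"   # placeholder (assumption)
PREFIX = "daily/"                   # placeholder (assumption)

# Trust policy: only the EC2 service may assume the role. The instance then
# receives short-lived credentials through its instance profile instead of a
# long-lived access key baked into the AMI or user data.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy scoped to one action on one prefix. ListBucket is a
# bucket-level action, so it is narrowed with the s3:prefix condition key.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/{PREFIX}*"],
        },
        {
            "Sid": "ListReportPrefix",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
            "Condition": {"StringLike": {"s3:prefix": [f"{PREFIX}*"]}},
        },
    ],
}

# Trap 1: the inline equivalent of the AdministratorAccess managed policy.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEverything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

# Trap 2: subtler, but all of S3 on every bucket still fails least privilege.
WIDE_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}

# Trap 3: a long-lived access key embedded in instance user data (constructed).
USER_DATA_WITH_KEY = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws s3 cp s3://example-reports-bucket/daily/latest.csv /opt/app/
"""
# The role-based version carries no credentials: the CLI and SDKs read the
# role's temporary credentials from the instance metadata service.
USER_DATA_WITH_ROLE = """#!/bin/bash
aws s3 cp s3://example-reports-bucket/daily/latest.csv /opt/app/
"""

# AKIA-prefixed IDs are long-lived IAM user keys (temporary keys start with ASIA).
LONG_LIVED_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def broad_statements(policy: dict) -> list[str]:
    """Return one finding per way an Allow statement escapes least privilege.
    An empty list means every Allow names specific actions and resources."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"{sid}: wildcard resource {resource!r}")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
    return findings


def embedded_long_lived_keys(text: str) -> list[str]:
    """Return any long-lived IAM access-key IDs found in a script or config blob."""
    return LONG_LIVED_KEY_ID_RE.findall(text)


if __name__ == "__main__":
    for name, pol in [("scoped", SCOPED_POLICY), ("admin", ADMIN_POLICY), ("wide-s3", WIDE_S3_POLICY)]:
        print(name, broad_statements(pol) or "least privilege")
    print("keys in user data:", embedded_long_lived_keys(USER_DATA_WITH_KEY))
```

In a real deployment the trust policy goes on the role, the scoped policy is attached to it as an inline or customer-managed policy, and the instance profile is the only thing the EC2 configuration references; nothing in the AMI, user data or application config ever holds a key, which is exactly the property the exam's distractors violate.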
How many practice questions should I do before booking?
Enough that every domain clears comfortably on questions you have not seen, and a full timed mock feels comfortable on pacing. Quality of review beats raw volume: on every question, read the explanation and name the constraint that picked the answer, including on the ones you got right.
Is the AWS Solutions Architect Associate certification worth it?
SAA-C03 is one of the most widely recognised associate-level cloud credentials and is worth it for anyone working in or moving into cloud architecture, development, or infrastructure roles on AWS. It demonstrates a well-rounded understanding of designing resilient, secure, and cost-effective architectures, which are skills that apply across most cloud projects rather than in a narrow specialism. It is also a natural stepping stone toward the professional-level SAP-C02 for those aiming higher.
Examworthy is not affiliated with or endorsed by Amazon Web Services. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. SAA-C03 and related marks belong to their respective owners.