SAA-C03 Cheatsheet — High-Yield Patterns & Quick Diagrams

About Fuad Efendi, MSc Mathematics — Mastery Exam Prep

Sep 17, 2025 7 min read Cloud Computing Information Technology Amazon Web Services (AWS) Certification Exam Prep Aws Cloud Saa-C03 Cheatsheet

Fast, exam-focused reference for AWS Solutions Architect Associate (SAA-C03): core patterns, service trade-offs, security and networking checklists, HA/DR strategies, storage/database choices, and cost levers.

On this page

Keep this page open while drilling questions. Prioritize trade-offs: availability, performance, cost, operations, and security.

1) VPC and Networking — Patterns That Win

Subnets and Routing

Public subnets route to IGW; private subnets route to NAT Gateway (one per AZ for resilience).
Separate route tables by tier (web, app, data). Avoid one shared RT across tiers.
Prefer VPC Endpoints to reduce NAT egress:
- Gateway endpoints: S3, DynamoDB (RT entries, $0).
- Interface endpoints (PrivateLink): per-AZ ENIs, billed per hour and data.

Security Layers

Security Groups = stateful, ENI-level; NACLs = stateless, subnet-level.
Prefer SG-to-SG references; keep NACLs permissive unless compliance needs otherwise.
Restrict egress: allow-list destinations; use Endpoint Policies and DNS for control.

Hybrid and Multi-VPC

Site-to-Site VPN for quick setup; DX for predictable throughput; combine (DX + VPN) for HA.
Transit Gateway over many mesh peering connections for scale.

    flowchart LR
	  A["ALB (Public Subnets)"] --> B1["EC2/ECS (Private AZ1)"]
	  A --> B2["EC2/ECS (Private AZ2)"]
	  B1 & B2 --> C["RDS/Aurora (Multi-AZ)"]
	  B1 & B2 --> D["S3 via Gateway VPC Endpoint"]
	  B1 & B2 --> E["DynamoDB via Gateway VPC Endpoint"]
	  B1 & B2 --> F["NAT GW per AZ for egress"]

2) Identity, Access, and Encryption

IAM and Organizations

Prefer roles and temporary credentials; attach policies to roles/groups, not users.
Cross-account: resource policies (S3/KMS/SQS/etc.) + role assumption with a tight trust policy.
Guardrails via SCPs (deny beats allow). Add condition keys like aws:PrincipalOrgID.

KMS and Data Protection

S3 encryption choices:
- SSE-S3: simplest, managed by S3.
- SSE-KMS: auditability and key control (mind key policy principals).
- Client-side: app-managed keys for strict compliance.
Use grants for service integrations; consider multi-Region keys when needed.

Secrets and Certificates

Secrets Manager for secrets + rotation; SSM Parameter Store for parameters/config.
ACM issues public certs (auto renew); ACM Private CA for internal PKI.

Copy-ready snippets

Minimal S3 bucket policy to require VPC endpoint usage:

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "DenyNonVPCE",
 6      "Effect": "Deny",
 7      "Principal": "*",
 8      "Action": "s3:*",
 9      "Resource": [
10        "arn:aws:s3:::my-bucket",
11        "arn:aws:s3:::my-bucket/*"
12      ],
13      "Condition": {
14        "StringNotEquals": {
15          "aws:sourceVpce": "vpce-1234567890abcdef0"
16        }
17      }
18    }
19  ]
20}

Tight KMS key policy principal example:

 1{
 2  "Version": "2012-10-17",
 3  "Statement": [
 4    {
 5      "Sid": "KeyAdmins",
 6      "Effect": "Allow",
 7      "Principal": { "AWS": "arn:aws:iam::111122223333:role/SecOpsKmsAdmin" },
 8      "Action": ["kms:*"],
 9      "Resource": "*"
10    },
11    {
12      "Sid": "UseKeyFromAppRole",
13      "Effect": "Allow",
14      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppProdRole" },
15      "Action": ["kms:Encrypt","kms:Decrypt","kms:GenerateDataKey*","kms:DescribeKey"],
16      "Resource": "*",
17      "Condition": {
18        "StringEquals": { "kms:ViaService": "ec2.us-east-1.amazonaws.com" }
19      }
20    }
21  ]
22}

3) Compute, Containers, and Serverless

EC2 and Auto Scaling

Multi-AZ ASGs; launch templates; mixed instances (On-Demand + Spot); warm pools for faster scaling.
Health checks at ELB and instance; lifecycle hooks for graceful draining.

Load Balancers

ALB: HTTP/S (L7), path/host routing, WAF attach.
NLB: TCP/UDP (L4), static IP, TLS pass-through/termination.
GWLB: third-party appliances insertion.

Containers and Serverless

ECS vs EKS vs Fargate:
- Fargate to avoid server management.
- EKS for Kubernetes feature sets (ops overhead).
Lambda: set reserved concurrency to isolate critical functions; VPC-enable only if needed for private access.

4) Storage — What to Choose When

Object vs Block vs File

S3 for object, EBS for block, EFS/FSx for shared file.
Lifecycle to S3 IA/Glacier; enable versioning and Object Lock (WORM) for ransomware compliance.

Quick picks

Requirement	Service/Class	Notes
Application shared POSIX across AZs	EFS	Use EFS-IA for cold directories
High IOPS per instance	EBS io2/io1	gp3 is default; tune IOPS/throughput
Hot object storage	S3 Standard	Default class
Variable/unknown access patterns	S3 Intelligent-Tiering	Small monitoring fee
Infrequent access, multi-AZ durability	S3 Standard-IA	Retrieval fee
Infrequent access, single AZ	S3 One Zone-IA	Cheaper; not multi-AZ
Archive	S3 Glacier/Deep Archive	Retrieval time trade-offs

Throughput hints

S3: multipart upload, prefix distribution, Transfer Acceleration for cross-geography.
EBS: gp3 tuning, consider RAID 0 for throughput (accept single-volume risk).

5) Databases and Caching

Relational

RDS Multi-AZ for HA; read replicas for read scale; Aurora for higher throughput and rapid failover; Aurora Global Database for multi-Region reads.

NoSQL (DynamoDB)

On-Demand for spiky/unknown traffic; Provisioned + Auto Scaling for predictable workloads.
Good partition key to avoid hot shards; GSIs for new access patterns; Global Tables for multi-Region active-active.

Caching

ElastiCache (Redis/Memcached) for latency and hot keys.
DAX for DynamoDB read-heavy use.

6) Resilience and Disaster Recovery

HA patterns

Stateless app tier behind ALB; ASG across AZs; NAT Gateway per AZ; Multi-AZ databases.

Backup and Replication

EBS snapshots and cross-Region copy; AWS Backup policies and vaults.
S3 versioning, CRR/SRR; test restores; document runbooks.

DR strategies

Strategy	RTO	RPO	Cost	Notes
Backup/Restore	High	Hours	Low	Cheapest; slowest recovery
Pilot Light	Medium	Minutes	Med	Minimal core running in DR
Warm Standby	Low	Minutes	Med+	Scaled-down prod in DR
Multi-Site Active	Very Low	Seconds	High	Active-active, complex

    
	flowchart TD
	  P["Primary Region"] -->| Async Replication | S["Secondary Region"]
	  P --> B["Backups (AWS Backup / Snapshots)"]
	  S --> R53["Route 53 Failover/Latency"]

7) Observability and Operations

CloudWatch: metrics/logs/alarms/dashboards; alert on saturation (CPU, memory via agent, queue depth, throttling, 5xx).
CloudTrail: org-wide trails; integrity validation; centralize to security account.
X-Ray: distributed tracing; find high-latency segments.
Config: rules and conformance packs; drift detection.
GuardDuty/Security Hub: threat findings and prioritization.

8) Security Posture — Quick Checks

S3: Block Public Access; restrictive bucket policies; VPC endpoints where possible; server access logs if required.
KMS: explicit principals; least-priv grants; rotate keys as appropriate; scope kms:Decrypt with conditions.
IAM: principle of least privilege; permission boundaries for builders; review IAM Access Analyzer.
Network: deny-by-default egress + allow-list; PrivateLink or Gateway endpoints for service access, not public Internet.
Secrets: rotate automatically; never store in AMIs, images, or user data.

9) Cost Optimization — Fast Wins

Right-size and prefer Graviton where supported.
Commit steady baselines with Savings Plans or RIs; keep some On-Demand/Spot mix for bursty workloads.
Replace NAT egress with Gateway/Interface Endpoints for AWS services where practical.
Lifecycle S3 to IA/Glacier; EFS-IA for cold; delete unused EBS snapshots.
Watch data transfer (cross-AZ, NAT, inter-Region); add CloudFront/ElastiCache.
Enable Budgets, Cost Anomaly Detection, and Compute Optimizer.

Cost levers by area

Area	Lever	Example
Compute	Graviton, right-size, Spot	ASG with OD+Spot mixed policy
Storage	S3 lifecycle, EFS-IA, gp3 tuning	Move logs to IA/Glacier
Network	Endpoints over NAT where possible	S3/DDB via Gateway endpoints
Analytics	Partitioning, compression	Athena scans reduced by partitions

10) Decision Cheats

Load Balancer Choice

Need	Pick	Notes
HTTP/HTTPS, L7 routing	ALB	WAF attach, path/host routing
TCP/UDP, static IP, low latency	NLB	TLS pass-through/termination
Inline appliances	GWLB	Transparent insertion

EC2 Purchase Option

Pattern	Option	Notes
Steady baseline	Savings Plan	Flexible instance families
Predictable steady	Reserved Inst	Zonal/Regional scope
Bursty/interruptible	Spot	Diversify pools + capacity-optimized

DynamoDB Mode

Traffic Profile	Mode	Notes
Spiky/unknown	On-Demand	Pay-per-request
Predictable/steady	Provisioned+AS	Lower cost at scale

11) Common Pitfalls (Exam Bait)

Single NAT Gateway in one AZ for all private subnets (SPOF + cross-AZ charges).
Assuming PrivateLink exists for S3/DynamoDB (use Gateway endpoints instead).
KMS key policy missing explicit principals; service cannot use key.
ALB targets only in one AZ; ASG not multi-AZ.
DynamoDB hot partitions due to skewed partition key.
Overly strict NACLs breaking stateful flows; prefer SG-first.
S3 bucket public due to permissive policy; forgot to enable Block Public Access.

12) Mini Runbooks (Copy-Paste)

Private S3-only access (VPC endpoint)

 1{
 2  "Version":"2012-10-17",
 3  "Statement":[{
 4    "Sid":"DenyNotFromVPCE",
 5    "Effect":"Deny",
 6    "Principal":"*",
 7    "Action":"s3:*",
 8    "Resource":[
 9      "arn:aws:s3:::my-bucket",
10      "arn:aws:s3:::my-bucket/*"
11    ],
12    "Condition":{"StringNotEquals":{"aws:sourceVpce":"vpce-1234567890abcdef0"}}
13  }]
14}

Cross-account role assumption (trust policy)

1{
2  "Version":"2012-10-17",
3  "Statement":[{
4    "Effect":"Allow",
5    "Principal":{"AWS":"arn:aws:iam::222233334444:role/TeamRole"},
6    "Action":"sts:AssumeRole",
7    "Condition":{"StringEquals":{"aws:PrincipalOrgID":"o-abc123"}}
8  }]
9}

Route 53 Failover records (pseudo steps)

11) Create primary A/AAAA alias to ALB in Region A with Health Check.
22) Create secondary A/AAAA alias to ALB in Region B with Health Check.
33) Set Failover: Primary / Secondary. Verify health checks and simulate failover.

Final Tip

Read the last sentence of each scenario first. If multiple answers work, pick the one that best satisfies the explicit constraint (e.g., “lowest cost,” “highest availability,” “least operational effort”).

Syllabus

Practice

Browse Exams — Mock Exams & Practice Tests