SAA-C03 Syllabus — Objectives by Domain

Blueprint-aligned learning objectives for AWS Solutions Architect Associate (SAA-C03), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for SAA-C03. Work through each domain in order and drill targeted sets after every section.

What’s covered

Design Secure Architectures (30%)

Practice this topic →

Identity Foundations: IAM, Federation & Cross-Account

  • Choose users vs roles vs groups vs resource policies for a given access need.
  • Design SSO/federation with IdP + IAM roles and define trust boundaries.
  • Implement least privilege with managed policies, permissions boundaries, and condition keys (for example aws:SourceVpce, aws:MultiFactorAuthPresent, aws:RequestedRegion).
  • Structure multi-account access with AWS Organizations and SCP guardrails.
  • Plan cross-account access using resource-based policies and role assumption.
  • Document access review cadence and break-glass procedures.

Network Security: VPC, Segmentation, WAF/Shield

  • Place public/private subnets, route tables, and NAT/IGW for secure reachability.
  • Layer security groups (stateful, allow rules only, evaluated as a set) and network ACLs (stateless, numbered allow and deny rules, return traffic must be permitted explicitly) on network paths.
  • Protect web apps with AWS WAF managed rules and custom conditions.
  • Mitigate DDoS with AWS Shield (Standard/Advanced) and architecture choices.
  • Use VPC flow logs to identify anomalous traffic and refine controls.
  • Design bastion/SSM Session Manager access patterns for administrators.
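
As an added example (not part of the syllabus or of any AWS tooling), the script below runs two simple heuristics over constructed VPC flow log records in the default format: a source that collects REJECTs on many distinct ports, which is a scan the security group is absorbing, and an accepted SSH/RDP connection from outside the trusted address space. Interface IDs, addresses and the trusted ranges are assumptions.

```python
"""Added example (not from the syllabus): flag anomalous traffic in VPC flow log records.

The records below are constructed in the default (version 2) flow log format; they
are not real captures. Two heuristics are applied per network interface:
  - port_scan: one source collects >= PORT_SCAN_THRESHOLD REJECTs to distinct TCP ports
  - exposed_admin_port: an ACCEPTed SSH/RDP connection from outside the trusted ranges
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Field order of the default flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {22, 3389}
PORT_SCAN_THRESHOLD = 5   # distinct rejected ports from one source before we call it a scan
# Assumed trusted ranges; in practice use the VPC and on-premises CIDRs you actually own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Finding:
    kind: str
    interface_id: str
    srcaddr: str
    detail: str

def parse_record(line: str) -> Optional[dict]:
    """Return a typed record, or None for malformed lines and NODATA/SKIPDATA intervals."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # NODATA/SKIPDATA rows carry '-' in the traffic fields
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec

def is_trusted(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def analyze(lines):
    rejected_ports = defaultdict(set)  # (interface, source) -> distinct rejected TCP ports
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["protocol"] != 6:   # TCP only for these two heuristics
            continue
        key = (rec["interface_id"], rec["srcaddr"])
        if rec["action"] == "REJECT":
            rejected_ports[key].add(rec["dstport"])
        elif rec["action"] == "ACCEPT" and rec["dstport"] in ADMIN_PORTS and not is_trusted(rec["srcaddr"]):
            findings.append(Finding("exposed_admin_port", *key,
                                    f"accepted tcp/{rec['dstport']} from an untrusted source"))
    for (eni, src), ports in rejected_ports.items():
        if len(ports) >= PORT_SCAN_THRESHOLD:
            findings.append(Finding("port_scan", eni, src,
                                    f"{len(ports)} distinct rejected ports: {sorted(ports)}"))
    return findings

# Constructed sample: one ENI, one aggregation interval.
ENI = "eni-0a1b2c3d4e5f67890"
SAMPLE_LOG = [
    # 198.51.100.7 probes six ports on 10.0.1.5; the security group rejects all of them
    *[f"2 123456789012 {ENI} 198.51.100.7 10.0.1.5 {40000 + i} {p} 6 1 44 1700000000 1700000060 REJECT OK"
      for i, p in enumerate((21, 22, 23, 25, 80, 443))],
    # SSH accepted from an untrusted address: an admin port is reachable from the internet
    f"2 123456789012 {ENI} 203.0.113.9 10.0.1.5 51022 22 6 12 1520 1700000000 1700000060 ACCEPT OK",
    # SSH from inside the VPC (bastion pattern): expected, no finding
    f"2 123456789012 {ENI} 10.0.2.50 10.0.1.5 51023 22 6 30 4096 1700000000 1700000060 ACCEPT OK",
    # two rejects from an internal host: below the scan threshold
    f"2 123456789012 {ENI} 10.0.3.4 10.0.1.5 42000 8080 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 10.0.3.4 10.0.1.5 42001 8443 6 1 44 1700000000 1700000060 REJECT OK",
    # interval with no traffic on the interface
    f"2 123456789012 {ENI} - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.kind, f.interface_id, f.srcaddr, f.detail)
```

The same logic applies unchanged to records delivered to CloudWatch Logs or queried from S3 with Athena; what changes in production is the window (aggregate over minutes, not one interval) and the trusted ranges, which should come from the VPC CIDRs rather than the RFC 1918 defaults assumed here.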

Data Protection & Encryption with KMS

  • Select SSE-S3 vs SSE-KMS vs CSE for S3 objects in a scenario.
  • Enable EBS/RDS/EFS encryption at rest and choose between AWS managed and customer managed KMS keys (formerly called CMKs).
  • Design KMS multi-Region keys, key rotation, and grants for services.
  • Enforce TLS in transit, choose where it terminates (CloudFront, ALB/NLB), and decide whether to re-encrypt to targets.
  • Integrate envelope encryption in applications at a high level.
  • Plan key access, audit, and deletion/disable workflows.

Secrets, Parameters & Certificates

  • Choose AWS Secrets Manager vs Systems Manager Parameter Store for a use case.
  • Rotate database/app secrets automatically and integrate with IAM roles.
  • Use ACM to provision and renew public/private certificates.
  • Restrict secret access via resource policies and condition contexts.
  • Design secret usage for containers/serverless without embedding in code.
  • Audit secret access with CloudTrail and set alarms for anomalies.

Detection & Governance: CloudTrail, Config, GuardDuty

  • Enable an organization trail in CloudTrail with log file integrity validation (signed digest files).
  • Track configuration drift and compliance with AWS Config rules.
  • Detect threats with GuardDuty and plan response integrations.
  • Consolidate findings in Security Hub and prioritize remediation.
  • Add graph-based investigations with Amazon Detective (overview).
  • Design log retention and centralization in a security account.
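
Added example, not from the syllabus: four detection rules run over constructed CloudTrail events covering root credential use, a console login without MFA, trail tampering, and a GetSecretValue call from a role outside the secret's allowlist (the last one also serves the "Audit secret access with CloudTrail" objective in the Secrets section above). The account ID, role names and the SECRET_READERS allowlist are assumptions.

```python
"""Added example (not from the syllabus): detection rules over CloudTrail events.

The events below are constructed in the shape of a CloudTrail log file
({"Records": [...]}); they are not real logs. Each rule returns a message
when it fires, and detect() collects (rule, eventTime, message) tuples.
"""
import json
from typing import Optional

# Which roles may read which secret: an allowlist the owning team maintains (assumed here).
SECRET_READERS = {"prod/db/password": {"app-role"}}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def role_name(arn: str) -> Optional[str]:
    """arn:aws:sts::<acct>:assumed-role/<role>/<session> -> <role>; None for users and root."""
    if ":assumed-role/" in arn:
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return None

def rule_root_activity(ev) -> Optional[str]:
    if ev["userIdentity"].get("type") == "Root":
        return "root credentials used for " + ev["eventName"]
    return None

def rule_console_login_without_mfa(ev) -> Optional[str]:
    if (ev["eventName"] == "ConsoleLogin"
            and (ev.get("responseElements") or {}).get("ConsoleLogin") == "Success"
            and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No"):
        return "successful console login without MFA from " + ev["sourceIPAddress"]
    return None

def rule_trail_tampering(ev) -> Optional[str]:
    if ev["eventSource"] == "cloudtrail.amazonaws.com" and ev["eventName"] in TRAIL_TAMPERING:
        return f"{ev['eventName']} by {ev['userIdentity'].get('arn')}"
    return None

def rule_unexpected_secret_reader(ev) -> Optional[str]:
    if ev["eventSource"] != "secretsmanager.amazonaws.com" or ev["eventName"] != "GetSecretValue":
        return None
    secret = (ev.get("requestParameters") or {}).get("secretId", "")
    role = role_name(ev["userIdentity"].get("arn", ""))
    allowed = SECRET_READERS.get(secret)
    if allowed is not None and role not in allowed:
        return f"{secret} read by {role or ev['userIdentity'].get('arn')}"
    return None

RULES = (rule_root_activity, rule_console_login_without_mfa,
         rule_trail_tampering, rule_unexpected_secret_reader)

def detect(events):
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, ev["eventTime"], msg))
    return findings

# Constructed sample in CloudTrail log-file shape (fields trimmed to what the rules read).
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "203.0.113.5", "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-05-01T08:10:00Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/admin-role/alice"},
  "requestParameters": {"name": "org-trail"}},
 {"eventTime": "2024-05-01T08:15:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "10.0.1.5", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
  "requestParameters": {"secretId": "prod/db/password"}},
 {"eventTime": "2024-05-01T08:20:00Z", "eventSource": "secretsmanager.amazonaws.com", "eventName": "GetSecretValue",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/debug-role/alice"},
  "requestParameters": {"secretId": "prod/db/password"}}
]}""")["Records"]

if __name__ == "__main__":
    for name, when, msg in detect(SAMPLE_TRAIL):
        print(when, name, msg)
```

GuardDuty and the Security Hub foundational standard already flag root usage and trail tampering, so in practice rules like these earn their keep on the workload-specific cases, such as which roles are expected to read a given secret; those are the rules worth wiring to an EventBridge rule or a CloudWatch metric filter with an alarm.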

Private Connectivity & Service Access Controls

  • Select Gateway vs Interface VPC Endpoints and PrivateLink patterns.
  • Secure hybrid links with Site-to-Site VPN and Direct Connect options.
  • Prevent data exfiltration by limiting S3 bucket access to specific VPC endpoints or VPCs (aws:SourceVpce / aws:SourceVpc conditions in the bucket policy and endpoint policy).
  • Use AWS Resource Access Manager (RAM) to share subnets and services safely.
  • Apply service control policies (SCPs) as organization-level guardrails that deny risky actions regardless of identity permissions.
  • Model egress controls with NAT, proxy, and DNS policies.
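
Several objectives in this domain come down to how IAM combines policies: users versus roles versus resource policies, permissions boundaries and condition keys (Identity Foundations above), SCP guardrails, and restricting S3 to a VPC endpoint (this section). The model below is an added example, not AWS code and not the full engine: it implements the documented same-account evaluation order with a handful of condition operators, then exercises an SCP Region guardrail, a permissions boundary, a bucket policy keyed on aws:SourceVpce, and the Bool versus BoolIfExists trap for MFA conditions. The account ID, ARNs, endpoint ID and policies are constructed.

```python
"""Added example (not from the syllabus): a simplified model of IAM policy evaluation.

Not the AWS engine. It follows the documented order for a same-account request:
explicit deny anywhere -> every SCP must allow -> a resource policy allow is final ->
the permissions boundary must allow -> the identity policy must allow. Only StringEquals,
StringNotEquals, Bool and their *IfExists forms are modelled; all names are constructed.
"""
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Request:
    principal: str   # ARN of the calling user or role
    action: str      # e.g. s3:GetObject
    resource: str    # ARN the action targets
    context: dict = field(default_factory=dict)  # condition keys present in the request

def _list(v):
    return v if isinstance(v, list) else [v]

def condition_matches(cond: dict, ctx: dict) -> bool:
    """Every operator and every key must match; the values listed for one key are OR'd."""
    for op, pairs in cond.items():
        if_exists = op.endswith("IfExists")
        base = op[:-len("IfExists")] if if_exists else op
        for key, wanted in pairs.items():
            wanted = [str(w) for w in _list(wanted)]
            if key not in ctx:
                # Missing key: *IfExists and negated operators match, plain ones fail. This is why
                # Bool aws:MultiFactorAuthPresent=false misses calls signed with long-term keys.
                if if_exists or "Not" in base:
                    continue
                return False
            actual = str(ctx[key])
            if base == "StringEquals":
                ok = actual in wanted
            elif base == "StringNotEquals":
                ok = actual not in wanted
            elif base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            else:
                raise ValueError("operator not modelled: " + op)
            if not ok:
                return False
    return True

def statement_applies(stmt: dict, req: Request) -> bool:
    if not any(fnmatch.fnmatchcase(req.action.lower(), a.lower()) for a in _list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(req.resource, r) for r in _list(stmt.get("Resource", "*"))):
        return False
    if "Principal" in stmt:  # resource-based policy: the caller must be named, or "*"
        p = stmt["Principal"]
        named = ["*"] if p == "*" else _list(p.get("AWS", []))
        if "*" not in named and req.principal not in named:
            return False
    return condition_matches(stmt.get("Condition", {}), req.context)

def evaluate(policy: dict, req: Request):
    """'Deny', 'Allow' or None (nothing matched); an explicit Deny wins inside a policy."""
    effects = {s["Effect"] for s in policy["Statement"] if statement_applies(s, req)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def decide(req: Request, identity: dict, scps=(), boundary=None, resource_policy=None) -> str:
    policies = [identity, *scps, *(p for p in (boundary, resource_policy) if p)]
    if any(evaluate(p, req) == "Deny" for p in policies):
        return "Deny"      # explicit deny anywhere, no appeal
    if any(evaluate(scp, req) != "Allow" for scp in scps):
        return "Deny"      # SCPs are guardrails: they never grant, but each must allow
    if resource_policy and evaluate(resource_policy, req) == "Allow":
        return "Allow"     # same-account resource policy grant is sufficient on its own
    if boundary and evaluate(boundary, req) != "Allow":
        return "Deny"      # the boundary caps whatever the identity policy says
    return "Allow" if evaluate(identity, req) == "Allow" else "Deny"

# Constructed policies ("Version": "2012-10-17" omitted here; real documents need it).
VPCE, OBJ = "vpce-0a1b2c3d4e5f67890", "arn:aws:s3:::prod-data/report.csv"
ROLE = "arn:aws:iam::123456789012:role/app-role"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "iam:CreateUser"], "Resource": "*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}  # caps the role at S3
SCP_REGIONS = {"Statement": [  # Organizations guardrail: nothing outside the approved Regions
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}
BUCKET_POLICY = {"Statement": [  # objects reachable only through one VPC endpoint
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::prod-data/*",
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE}}}]}

def s3_get(region="us-east-1", vpce=VPCE, action="s3:GetObject", resource=OBJ) -> str:
    """The app role calls S3 (or IAM) under all four policies; vpce=None means no endpoint key."""
    ctx = {"aws:RequestedRegion": region, **({"aws:SourceVpce": vpce} if vpce else {})}
    return decide(Request(ROLE, action, resource, ctx), IDENTITY, [SCP_REGIONS], BOUNDARY, BUCKET_POLICY)

def mfa_deny(operator: str) -> str:
    """Deny TerminateInstances without MFA, for a call signed with an access key (no MFA key at all)."""
    policy = {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}}}]}
    req = Request("arn:aws:iam::123456789012:user/alice", "ec2:TerminateInstances",
                  "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc", {"aws:RequestedRegion": "us-east-1"})
    return decide(req, policy)
```

Running the scenarios: s3_get() is allowed; s3_get(vpce=None) is denied by the bucket policy because a negated operator on a missing key matches, which is exactly what makes the VPC-endpoint-only pattern safe; s3_get(region="ap-southeast-2") is denied by the SCP even though the identity policy allows it; s3_get(action="iam:CreateUser", resource="arn:aws:iam::123456789012:user/bob") is denied by the boundary; and mfa_deny("Bool") comes back Allow while mfa_deny("BoolIfExists") comes back Deny, which is why AWS recommends BoolIfExists for MFA conditions. Cross-account requests additionally need an allow on the caller's side, and session policies, NotAction/NotResource and the remaining condition operators are not modelled.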

Design Resilient Architectures (26%)

Practice this topic →

High Availability: Multi-AZ & Auto Scaling

  • Design stateless web tiers with ALB/NLB and multi-AZ targets.
  • Use Auto Scaling groups with health checks and warm pools.
  • Eliminate single points of failure in compute and databases.
  • Plan maintenance and failover behaviors in managed services.
  • Select appropriate load balancer types for protocols and scale.
  • Validate resilience with chaos/failure testing checklists.

Decoupling & Event-Driven Patterns

  • Choose SQS vs SNS vs EventBridge for messaging needs.
  • Implement retries, backoff, and DLQs for robust processing.
  • Ensure idempotency at the application layer: standard queues deliver at least once and FIFO deduplication covers only a five-minute window, so exactly-once effects are the consumer's responsibility.
  • Use Step Functions to orchestrate resilient workflows.
  • Cache reads with CloudFront/ElastiCache to reduce dependency risk.
  • Design producer-consumer scaling with asynchronous pipelines.
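
The retry, back-off, dead-letter and idempotency objectives above compose into one consumer loop. The following is an added example, not AWS SDK code: it models an SQS standard queue with a redrive policy in memory (no network calls), a handler that fails transiently, a duplicate delivery, and a poison message, with full-jitter exponential back-off. Message IDs, order IDs and the failure schedule are constructed.

```python
"""Added example (not from the syllabus or the AWS SDK): retries, back-off, a dead-letter
queue and an idempotent consumer, modelled in memory on SQS standard-queue semantics.

Message IDs, order IDs and the failure schedule are constructed. The queue is
at-least-once: the same order arrives twice under two message IDs.
"""
import random
from collections import deque

def full_jitter_backoff(attempt: int, base: float = 0.2, cap: float = 20.0, rng=random.random) -> float:
    """Exponential back-off with full jitter: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * 2 ** attempt)

class TransientError(Exception):
    """Raised by the handler when the work should be retried."""

class Queue:
    """Standard queue with a redrive policy: a message that has been received
    max_receive_count times and still not deleted goes to the dead-letter queue."""
    def __init__(self, max_receive_count: int = 3):
        self.pending, self.dlq, self.max_receive_count = deque(), [], max_receive_count
    def send(self, message_id: str, body: dict):
        self.pending.append({"MessageId": message_id, "Body": body, "ReceiveCount": 0})
    def receive(self):
        if not self.pending:
            return None
        msg = self.pending.popleft()
        msg["ReceiveCount"] += 1
        return msg
    def delete(self, msg):
        pass   # a received message is invisible; deleting it just never returns it
    def release(self, msg):
        """Visibility timeout expired without a delete: redeliver, or redrive to the DLQ."""
        (self.dlq if msg["ReceiveCount"] >= self.max_receive_count else self.pending).append(msg)

class Consumer:
    def __init__(self, queue: Queue, handler, backoff=full_jitter_backoff):
        self.queue, self.handler, self.backoff = queue, handler, backoff
        self.processed = {}   # idempotency store: business key -> result (durable in real life)
        self.effects = []     # side effects actually performed, once per business key
        self.delays = []      # back-off delays that would be applied via ChangeMessageVisibility
    def run(self):
        while (msg := self.queue.receive()) is not None:
            key = msg["Body"]["order_id"]   # dedup on the business key, never on MessageId
            if key in self.processed:       # duplicate delivery: no second effect, still delete
                self.queue.delete(msg)
                continue
            try:
                result = self.handler(msg["Body"])
            except TransientError:
                self.delays.append(self.backoff(msg["ReceiveCount"]))
                self.queue.release(msg)
                continue
            self.processed[key] = result    # remember the key so a later duplicate is skipped
            self.effects.append(key)
            self.queue.delete(msg)

def make_flaky_handler(failures: dict):
    """failures: order_id -> attempts that fail before success; None means never succeeds."""
    attempts = {}
    def handler(body: dict) -> str:
        oid = body["order_id"]
        attempts[oid] = attempts.get(oid, 0) + 1
        limit = failures.get(oid, 0)
        if limit is None or attempts[oid] <= limit:
            raise TransientError(oid)
        return f"charged {body['amount']}"
    return handler

def demo(max_receive_count: int = 3):
    q = Queue(max_receive_count)
    q.send("m1", {"order_id": "o-1", "amount": 10})
    q.send("m2", {"order_id": "o-1", "amount": 10})   # at-least-once duplicate of m1
    q.send("m3", {"order_id": "o-2", "amount": 25})   # succeeds on the third attempt
    q.send("m4", {"order_id": "o-3", "amount": 99})   # poison message: never succeeds
    consumer = Consumer(q, make_flaky_handler({"o-2": 2, "o-3": None}))
    consumer.run()
    return consumer, q

if __name__ == "__main__":
    c, q = demo()
    print("effects:", c.effects, "dlq:", [m["MessageId"] for m in q.dlq], "retries:", len(c.delays))
```

Against real SQS the delay is applied with ChangeMessageVisibility rather than a sleep, the idempotency store must be durable (a conditional put in DynamoDB keyed on the business ID, not on MessageId), and the dead-letter queue needs its own alarm on ApproximateNumberOfMessagesVisible so poison messages are noticed rather than silently parked.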

Stateful Services Resilience

  • Configure RDS/Aurora Multi-AZ and reader endpoints.
  • Plan cross-Region read replicas and global database patterns.
  • Scale DynamoDB with on-demand/provisioned modes and auto scaling.
  • Enable DynamoDB global tables for multi-Region active-active.
  • Use ElastiCache for Redis replication groups with Multi-AZ automatic failover for HA; Memcached clusters are not replicated, so a node loss loses its cache.
  • Select FSx/EFS patterns for shared storage durability.

Backup, Versioning & Replication

  • Apply S3 versioning, lifecycle, and cross-Region replication.
  • Automate EBS snapshots and copy to alternate Regions.
  • Use AWS Backup vaults, plans, and copy jobs for policy-driven backups.
  • Back up RDS/Aurora and test restores to meet RTO/RPO.
  • Design immutable backups (Write-Once-Read-Many) for ransomware resilience.
  • Document restore runbooks and validation steps.

Disaster Recovery Strategies & Global Routing

  • Select backup-restore, pilot light, warm standby, or multi-site active-active.
  • Map RTO/RPO targets to replication and data protection techniques.
  • Use Route 53 health checks and failover/latency/geolocation policies.
  • Leverage Global Accelerator for anycast and health-based routing.
  • Plan Region evacuation and data sovereignty considerations.
  • Run DR tests and record corrective actions.

Observability for Resilience

  • Instrument apps with CloudWatch metrics/logs/alarms and dashboards.
  • Add distributed tracing with X-Ray for dependency bottlenecks.
  • Correlate load balancer logs and target health for issue isolation.
  • Define SLOs/SLIs and error budgets for critical services.
  • Alert on saturation indicators (queue depth, latency, throttling).
  • Feed incident learnings into architecture improvements.

Design High-Performing Architectures (24%)

Practice this topic →

Compute Selection & Scaling

  • Choose EC2 families for general, compute, memory, and storage optimization.
  • Use launch templates, mixed instance policies, and ASG scaling policies.
  • Apply Graviton and right-size instances based on metrics.
  • Select Spot/On-Demand/RI/Savings Plans based on workload traits.
  • Use placement groups (cluster/spread/partition) appropriately.
  • Profile performance and tune kernel/network features (ENA).

Containers & Serverless Performance

  • Compare ECS vs EKS vs Fargate for deployment and scaling needs.
  • Tune container resources, autoscaling, and horizontal pod autoscaling.
  • Optimize Lambda concurrency, reserved concurrency, and cold-start impact.
  • Streamline image delivery with ECR and multi-arch images.
  • Design sidecar patterns for logging, metrics, and proxies.
  • Choose event sources that minimize latency and retries.

Storage Performance & Throughput

  • Pick EBS types (gp3/io1/io2/st1/sc1) for IOPS/throughput needs.
  • Tune EBS performance with block size, RAID 0, and throughput settings.
  • Select EFS throughput/bursting modes and access patterns.
  • Use S3 multipart upload, transfer acceleration, and prefixing for scale.
  • Choose FSx for Windows/Lustre/OpenZFS for specialized performance.
  • Eliminate bottlenecks with caching layers and read/write splitting.

Database Performance & Caching

  • Right-size RDS engines and use read replicas for scale-out.
  • Leverage Aurora features (serverless v2, global DB, parallel query).
  • Optimize DynamoDB RCUs/WCUs, partition keys, and adaptive capacity.
  • Place ElastiCache (Redis/Memcached) for hot keys and session data.
  • Use DAX for read-heavy DynamoDB workloads.
  • Profile queries and add indexes/materialized views where supported.

Streaming, Analytics & Edge

  • Choose Kinesis Data Streams vs Firehose vs SQS for ingestion patterns.
  • Query data lakes with Athena and partition/prune efficiently.
  • Use Glue for schema/catalog and ETL orchestration basics.
  • Scale EMR or managed Spark options for batch/stream processing.
  • Accelerate delivery with CloudFront and cache key tuning.
  • Select Global Accelerator vs CloudFront depending on protocol/latency.

Network Optimization

  • Design VPC architectures to minimize cross-AZ data processing bottlenecks.
  • Use jumbo frames and enhanced networking for throughput gains.
  • Pick NAT Gateway/TGW patterns that limit latency and cost.
  • Plan hybrid links capacity and BGP route preferences.
  • Optimize DNS resolution and connection reuse for microservices.
  • Instrument end-to-end latency and remove chatty dependencies.

Design Cost-Optimized Architectures (20%)

Practice this topic →

Pricing Models & Commitments

  • Compare On-Demand, Reserved Instances, and Savings Plans tradeoffs.
  • Use Spot for interruptible workloads with diversification and checkpoints.
  • Align commitment levels to baseline usage and growth forecasts.
  • Leverage Graviton and right-sizing to reduce compute costs.
  • Plan purchase strategies across accounts with consolidated billing.
  • Track utilization of commitments and adjust over time.

Storage Cost Optimization

  • Choose S3 classes (Standard, IA, One Zone-IA, Glacier tiers) with lifecycle rules.
  • Right-size EBS volumes (gp3 baseline/IOPS/throughput) and clean up snapshots.
  • Adopt EFS IA and lifecycle policies for cold directories.
  • Select cost-effective FSx options for workload characteristics.
  • Minimize duplicate data using compression and deduplication where supported.
  • Automate archival and deletion policies with tagging.

Data Transfer & Egress Controls

  • Reduce egress with CloudFront caching and origin shield.
  • Prefer Gateway/Interface Endpoints and PrivateLink over NAT where possible.
  • Minimize cross-AZ data transfer with placement and caching.
  • Plan Direct Connect for steady hybrid flows vs VPN.
  • Use S3 multipart and regional strategies for cost-effective movement.
  • Measure and alert on transfer-heavy patterns.

Database & Analytics Cost Levers

  • Select RDS instance families/classes for price-performance balance.
  • Adopt Aurora Serverless v2 for variable workloads and scale-to-zero behavior.
  • Choose DynamoDB on-demand vs provisioned with auto scaling.
  • Optimize Kinesis shard counts vs batching with Firehose.
  • Use Athena partitioning/compression to cut scan costs.
  • Park non-critical analytics clusters off-hours automatically.

Visibility & Optimization Tooling

  • Enable Cost Explorer and Budgets with alerts by tag/account.
  • Publish the Cost & Usage Report (CUR) and build allocation models.
  • Use Compute Optimizer and Trusted Advisor recommendations.
  • Implement cost anomaly detection and triage routines.
  • Standardize tagging for owners, env, and cost centers.
  • Report KPIs (unit cost, cost per transaction) to stakeholders.

Governance, Quotas & Guardrails for Cost

  • Set service quotas and budget guardrails for high-risk services.
  • Use SCPs to restrict expensive operations and Regions where appropriate.
  • Segment workloads into accounts (prod/test/dev) for blast-radius and billing clarity.
  • Automate cleanup of idle resources with schedules and policies.
  • Adopt IaC review gates to prevent over-provisioning.
  • Run periodic cost reviews and backlog optimization sprints.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit any weak objectives before moving on.