AWS SAA-C03: The Cert That Proves You Can Architect on AWS

SAA-C03 is the cloud certification that hiring managers use as a baseline signal.

AWS certifications span three tiers: Foundational (CLF-C02, AIF-C01), Associate (SAA-C03, DVA-C02, SOA-C02, DEA-C01, MLA-C01), and Professional/Specialty (SAP-C02, DOP-C02, SCS-C02, and others). SAA-C03 sits at the Associate tier but occupies a unique position: it is the most broadly referenced certification on cloud engineering job descriptions, the gateway to Professional-level AWS exams, and the exam that best reflects what a working cloud architect actually does—designing complete AWS solutions across compute, storage, networking, security, and data, then defending the trade-offs.

The exam was redesigned in 2022 (SAA-C02 → SAA-C03) to reflect how AWS is actually used at scale: serverless architectures built on Lambda and EventBridge, container workloads on ECS Fargate and EKS, event-driven data pipelines using Kinesis and SNS, and multi-region active-active patterns that were once considered advanced are now standard Associate-level knowledge. If you passed SAA-C02 years ago and are considering a refresh, the delta is material—particularly the serverless and event-driven domain coverage and the expanded cost-optimization questions around Savings Plans vs Spot vs Reserved Instance purchasing strategies.

What SAA-C03 tests: the four domains

Domain 1 — Secure Architectures (30%)

The heaviest domain by weight. Security is not a standalone layer in AWS architecture—it is embedded in every design decision. This domain tests whether you know which security control to apply at which layer.

IAM fundamentals: IAM users, groups, roles, and policies. The difference between identity-based policies (attached to principals) and resource-based policies (attached to resources like S3 buckets, SQS queues, Lambda functions, and KMS keys). Policy evaluation logic: explicit deny always wins; then look for an explicit allow; default is deny. Cross-account access via IAM roles and trust policies. AWS STS and AssumeRole for temporary credential issuance.
Service Control Policies (SCPs): Organisation-level guardrails applied to AWS accounts. SCPs do not grant permissions—they restrict the maximum permissions available within an account. Applied at the OU or account level in AWS Organizations. Critical for multi-account governance patterns tested in scenario questions.
VPC security: Security groups (stateful, instance-level, allow-only rules) vs Network ACLs (stateless, subnet-level, allow and deny rules). The exam tests which to use for blocking specific IP ranges (NACLs), restricting inbound traffic to a known port range (security groups), and building layered defence-in-depth for a web tier. VPC Flow Logs for traffic analysis. Interface endpoints (PrivateLink) vs Gateway endpoints (S3, DynamoDB) for keeping traffic within the AWS network.
Encryption: Server-side encryption options for S3—SSE-S3 (AWS-managed keys), SSE-KMS (customer-managed CMKs in KMS, with CloudTrail audit trail), SSE-C (customer-provided keys). Encryption in transit via TLS, managed through ACM certificates on ALB/CloudFront. EBS encryption with KMS CMKs and the implication for snapshots and cross-account sharing. RDS encryption at rest and the constraint that an unencrypted RDS instance cannot be encrypted in place (snapshot → encrypt snapshot → restore).
Secrets management: AWS Secrets Manager (automatic rotation via Lambda, cross-account access, tight integration with RDS, Redshift, and DocumentDB) vs AWS Systems Manager Parameter Store (cost-effective for non-rotating configs, SecureString tier for encrypted values). The exam consistently tests Secrets Manager for database credentials requiring automatic rotation and Parameter Store for application config values.
Threat detection: Amazon GuardDuty (ML-based threat detection analysing VPC Flow Logs, CloudTrail, and DNS logs—enable it everywhere, no agents required), AWS Shield Standard (automatic DDoS protection for all AWS customers) vs Shield Advanced (enhanced protection, DDoS cost protection, 24/7 DRT access), AWS WAF (Layer 7 firewall for ALB, CloudFront, and API Gateway—web ACLs with rules blocking SQL injection, XSS, and IP-based rate limiting).

Domain 2 — Resilient Architectures (26%)

Resilience in AWS means designing for failure at every layer. This domain tests multi-AZ and multi-region patterns, Auto Scaling, load balancing, and disaster recovery strategies with their respective RPO/RTO trade-offs.

Multi-AZ vs Multi-Region: Multi-AZ protects against a single data centre failure within a region. Multi-Region protects against regional outages and serves latency-sensitive global traffic. The exam tests which pattern to apply: Multi-AZ for high-availability within a region (RDS Multi-AZ standby, ELB distributing across AZs, Auto Scaling spanning AZs); Multi-Region for disaster recovery, data sovereignty, and global low-latency requirements.
Elastic Load Balancing: ALB (Application Load Balancer) routes HTTP/HTTPS traffic by path (/api/* → one target group), host header, or query string. NLB (Network Load Balancer) routes TCP/UDP traffic at Layer 4 with ultra-low latency and static IP addresses—used for gaming, financial trading, and IoT protocols. GWLB (Gateway Load Balancer) inserts third-party virtual appliances (firewalls, intrusion detection) transparently into traffic flows. The exam consistently asks which load balancer type to use given a scenario—know the Layer 4 vs Layer 7 distinction and when NLB’s static IP matters.
Auto Scaling Groups: EC2 Auto Scaling with target tracking policies (maintain CPU at 60%), step scaling (scale by 2 instances when CPU > 80%), scheduled scaling (pre-scale before known traffic peaks), and predictive scaling (ML-based, learns traffic patterns). Minimum, desired, and maximum capacity. Launch Templates vs launch configurations (Templates are the current standard, support mixed instances and Spot integration). Instance warm-up periods and cooldown to prevent thrashing.
RDS resilience: RDS Multi-AZ deploys a synchronous standby replica in a second AZ—automatic failover in 60–120 seconds, no read benefit (standby is passive). RDS Read Replicas are asynchronous copies that serve read traffic—they reduce load on the primary but are not automatic failover targets (promoting a read replica requires manual intervention or Aurora’s managed failover). Aurora clusters have a shared distributed storage layer and can promote read replicas in under 30 seconds—Aurora is the exam’s answer for minimal RTO without manual intervention.
Route 53 routing policies: Simple (single record, no health check routing), Weighted (percentage-based traffic splitting for A/B deployment or blue/green), Latency (route to the region with the lowest latency for the requesting user), Failover (active-passive with health check monitoring), Geolocation (route by the user’s country or continent—compliance use cases), Geoproximity (route based on geographic distance with bias adjustments), and Multivalue Answer (returns multiple healthy records, client-side load balancing). Health checks integrate with all routing policies except Simple.
Disaster recovery patterns: Backup & Restore (highest RPO/RTO, lowest cost—data backed up to S3, infrastructure rebuilt on recovery), Pilot Light (core infrastructure always running in DR region, scaled up on failover), Warm Standby (scaled-down but functional copy of production always running in DR region), and Active-Active (full production capacity in multiple regions, traffic split via Route 53 or Global Accelerator). The exam tests which pattern matches a given RPO/RTO requirement and cost constraint—know the inverse relationship between recovery speed and cost.

Domain 3 — High-Performing Architectures (24%)

Performance on AWS is about choosing the right service for the workload, not maximising raw compute. This domain tests service selection for compute, storage, database, and networking, and the caching and decoupling patterns that unlock scale.

Compute selection: EC2 instance families—general purpose (m-family), compute-optimised (c-family), memory-optimised (r/x-family), storage-optimised (i/d-family), accelerated computing (p/g-family for ML/GPU). Lambda for event-driven, short-duration functions with no server management. ECS Fargate for containerised workloads without managing EC2 hosts. EKS for Kubernetes when the team already operates Kubernetes tooling. The exam tests when Lambda’s 15-minute timeout or 10 GB memory limit rules it out and a containerised alternative is needed.
Storage tiers: S3 Standard (frequent access, low latency), S3 Intelligent-Tiering (automatic movement between access tiers based on access patterns—the right answer when access patterns are unknown), S3 Standard-IA and S3 One Zone-IA (infrequent access with retrieval fees), S3 Glacier Instant Retrieval / Flexible Retrieval / Deep Archive (archival with milliseconds-to-hours retrieval latency). EBS gp3 (general-purpose SSD, configurable IOPS and throughput independently) vs io2 Block Express (highest IOPS for databases, SAP, Oracle). EFS (managed NFS shared across multiple EC2 instances and Lambda) vs FSx for Windows File Server (SMB protocol, Active Directory integration) vs FSx for Lustre (HPC, ML training workloads, integrates with S3).
Database selection: RDS for relational workloads with ACID compliance and complex queries. DynamoDB for key-value and document workloads requiring single-digit millisecond latency at any scale—know the difference between partition key design (even distribution) and sort key queries. ElastiCache for in-memory caching—Redis (persistence, pub/sub, sorted sets, Lua scripting, cluster mode) vs Memcached (simpler, multi-threaded, no persistence). Redshift for OLAP data warehousing. Neptune for graph data. DocumentDB for MongoDB-compatible document storage at scale.
Caching patterns: CloudFront caches static and dynamic content at 450+ edge locations globally—origins can be S3, ALB, EC2, or custom HTTP. Cache-Control and TTL headers control caching behaviour. Invalidation clears cached content before expiry. ElastiCache as a database read cache—cache-aside pattern (application checks cache first, falls back to DB on miss and populates cache) vs write-through (application writes to cache and DB simultaneously). DynamoDB Accelerator (DAX) is an in-memory cache designed specifically for DynamoDB, reducing read latency from milliseconds to microseconds.
Messaging and decoupling: SQS (Standard queue—at-least-once delivery, best-effort ordering; FIFO queue—exactly-once delivery, strict ordering, lower throughput). SNS (pub/sub fan-out—one message to multiple subscribers including SQS queues, Lambda, HTTP endpoints, email). EventBridge (event bus connecting AWS services and SaaS sources to targets via event patterns—the modern, more flexible replacement for CloudWatch Events). Kinesis Data Streams for real-time streaming at high throughput; Kinesis Data Firehose for near-real-time delivery to S3, Redshift, OpenSearch. The classic exam pattern: SNS + SQS fan-out (SNS publishes to multiple SQS queues so multiple consumers can process independently).

Domain 4 — Cost-Optimized Architectures (20%)

Cost optimisation in AWS is not about using the cheapest service—it is about matching the right pricing model to the right workload. This domain tests EC2 purchasing decisions, storage lifecycle management, and network traffic cost reduction.

EC2 pricing models: On-Demand (no commitment, pay per second, highest unit cost—use for unpredictable workloads). Reserved Instances (1- or 3-year commitment, up to 72% savings vs On-Demand; Standard RIs lock to instance family and region; Convertible RIs allow exchange for different instance types). Savings Plans (flexible commitment to a $/hour spend for 1 or 3 years; Compute Savings Plans apply across EC2, Lambda, and Fargate; EC2 Instance Savings Plans apply to a specific instance family in a region for the deepest discounts). Spot Instances (use spare EC2 capacity at up to 90% savings; subject to interruption with 2-minute notice; ideal for fault-tolerant batch processing, CI/CD runners, and stateless web tiers). The exam tests which model fits a workload description—know that Savings Plans are the modern replacement for most Reserved Instance use cases.
S3 storage classes and lifecycle policies: S3 Lifecycle configurations move objects between storage classes automatically based on age or prefix. The classic cost optimisation pattern: objects in Standard for 30 days, transition to Standard-IA after 30 days, transition to Glacier Instant Retrieval after 90 days, expire after 365 days. S3 Intelligent-Tiering eliminates manual lifecycle management for data with unpredictable access patterns at the cost of a per-object monitoring fee.
Data transfer costs: Data transfer into AWS is free. Data transfer between AZs within the same region incurs per-GB charges (both ways). Data transfer out to the internet is the most expensive. VPC endpoints for S3 and DynamoDB (Gateway endpoints) eliminate data transfer charges for traffic that would otherwise traverse a NAT Gateway—a significant saving for workloads with heavy S3 access from private subnets. NAT Gateway has both hourly costs and per-GB data processing charges; replacing NAT Gateway with VPC endpoints where possible is a common exam optimisation answer.
Right-sizing and visibility tools: AWS Compute Optimizer analyses CloudWatch metrics and recommends right-sized EC2 and Lambda configurations. AWS Cost Explorer provides cost and usage visualisation with Reserved Instance and Savings Plan recommendations. AWS Budgets triggers alerts and actions when cost or usage thresholds are crossed. Trusted Advisor checks for underutilised EC2 instances, idle load balancers, unassociated Elastic IPs, and over-provisioned EBS volumes.

The most common mistake on SAA-C03 scenario questions: choosing a solution that works technically but is not the best fit for the stated constraint. If the question says “most cost-effective,” a Multi-AZ RDS with Read Replicas is not the answer when a Single-AZ RDS with automated backups meets the RPO. If the question says “minimum operational overhead,” a self-managed EC2 cluster is never the right answer when a managed service (RDS, ElastiCache, Aurora Serverless) exists. Read the constraint in the question before the answer choices.

Exam format and what to expect

SAA-C03 consists of 65 scored questions plus up to 15 unscored experimental questions (indistinguishable from scored ones), taken in 130 minutes at a Pearson VUE testing centre or via online proctoring. The passing score is 720 out of 1000 on AWS’s scaled scoring model. The question types are multiple-choice (one correct answer from four options) and multiple-response (two or three correct answers from five options—all must be selected for credit, no partial scoring). There are no simulation labs or hands-on tasks; the exam is entirely scenario-based.

AWS allows a 30-minute testing accommodation extension for non-native English speakers—request it when registering. The exam can be retaken after 14 days with no limit on attempts, but full exam fees apply each time. AWS certifications are valid for three years; renewal is by passing the current version of the exam or a higher-level cert in the same domain.

The AWS certification stack and where SAA-C03 fits

AWS Certification Paths from SAA-C03

AWS Certified Solutions Architect – Professional (SAP-C02) — The hardest generalist AWS exam. 75 questions, 180 minutes, enterprise architecture at scale: migrations, cost optimisation across complex multi-account environments, hybrid connectivity, and advanced security architecture. Most candidates target 12–18 months of AWS experience after SAA-C03 before sitting SAP-C02.
AWS Certified DevOps Engineer – Professional (DOP-C02) — CI/CD pipelines, infrastructure as code (CloudFormation, CDK), monitoring, incident response, and high-availability deployment patterns. The Professional cert for engineers on the operations and automation track.
AWS Certified Security – Specialty (SCS-C02) — Deep dive into threat detection, IAM fine-grained permissions, data protection strategies, and compliance automation. The most popular AWS Specialty cert; pairs naturally with SAA-C03 for cloud security roles.
AWS Certified Machine Learning Engineer – Associate (MLA-C01) — SageMaker end-to-end ML workflows, model deployment, monitoring, and MLOps pipelines. For engineers deploying and operating production ML systems on AWS rather than designing general architectures.
AWS Certified Data Engineer – Associate (DEA-C01) — Glue ETL, Kinesis streaming, Redshift, Lake Formation, and Athena. The dedicated data engineering track launched in 2024; SAA-C03 provides the foundational AWS services context.

SAA-C03 salary data and job market context (2026)

AWS Certified Solutions Architects with SAA-C03 earn $130k–$160k at the Associate level in 2026 in North American markets. The range reflects experience level more than the certification itself: candidates at 1–2 years of cloud experience with SAA-C03 land at $110k–$130k; those at 3–5 years with project experience designing multi-tier AWS architectures land at $140k–$160k; senior solutions architects and cloud architects with SAP-C02 on top of SAA-C03 reach $155k–$195k. In European markets, the equivalent range is €80k–€130k depending on country. In Australian markets, AU$120k–AU$170k for Associate-level certified architects.

SAA-C03 is the single most frequently listed certification requirement on cloud engineering and solutions architect job descriptions in 2026. AWS maintains approximately 32% of global cloud infrastructure market share, and the number of AWS-certified professionals has not kept pace with employer demand. Candidates with SAA-C03 plus a complementary certification—SCS-C02 for security-focused roles, DEA-C01 for data engineering roles, or CKA for Kubernetes-heavy platform engineering roles—consistently outperform in salary negotiation compared to single-cert candidates.

How to prepare for SAA-C03

The AWS certification team publishes the official exam guide, sample questions, and a preparation plan. Beyond official resources, the preparation path that produces consistent first-attempt passes combines conceptual study with hands-on labs:

AWS Skill Builder: The official AWS learning platform. The “AWS Certified Solutions Architect – Associate Official Practice Question Set” (20 questions, free) and the “Official Practice Exam” (65 questions, included in Skill Builder Individual subscription) are the most accurate indicators of actual exam difficulty. AWS Skill Builder courses cover all four domains with video instruction from AWS subject matter experts.
Hands-on labs: SAA-C03 scenario questions become dramatically easier once you have built what the questions describe. AWS Free Tier provides 12 months of free access to core services. Priority labs: VPC with public and private subnets, NAT Gateway, and security groups; S3 bucket policies and pre-signed URLs; RDS Multi-AZ deployment and failover test; Lambda function triggered by S3 event; CloudFront distribution in front of S3 and ALB; Auto Scaling group with target tracking policy. Labs take 30–90 minutes each and produce the architectural intuition that exam questions reward.
Practice exams: Commercial practice exam providers (Tutorials Dojo, Whizlabs, Jon Bonso) produce SAA-C03 question banks that closely match the scenario style and difficulty of the real exam. Aim for consistent scores of 80%+ on practice exams before sitting the real thing—the 720/1000 passing score translates to approximately 72% correct answers on the scaled model.
AWS documentation and whitepapers: The AWS Well-Architected Framework whitepaper (the five pillars—Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimisation—map directly to SAA-C03 domains). The AWS Architecture Center contains reference architectures for common patterns. These are heavy reading but contain the authoritative answers to “which service should I use when” questions.

Study time estimate for SAA-C03

Candidates with active AWS usage at work typically need 4–8 weeks of focused study (1–2 hours per day). Candidates new to AWS or coming from on-premises backgrounds typically need 8–14 weeks. The two most commonly underestimated areas for first-attempt failures: IAM policy evaluation logic (the interaction between SCPs, permission boundaries, identity-based policies, and resource-based policies) and the nuanced differences between messaging services (SQS Standard vs FIFO vs SNS vs EventBridge vs Kinesis). Both areas reward hands-on experimentation over passive reading.

Practice AWS SAA-C03 scenario questions with CertQuests — adaptive quizzing built for the exam’s scenario format.

Browse AWS Practice Packs →