Before you start: know your baseline
The SAA-C03 exam has 65 questions, a 130-minute time limit, and a passing score of 720/1000 (roughly 72%). It costs $300 USD. AWS tests your ability to choose the right architecture for a given scenario — not your ability to recite API names or service quotas.
If you have never touched AWS before, spend a week on the free Cloud Practitioner (CLF-C02) material first to learn the basic concepts: regions, AZs, the shared responsibility model, and the core service categories. You don’t need to sit the CLF-C02 exam, but its content is the foundation that the SAA-C03 assumes you already have.
If you already have some AWS experience or have passed CLF-C02, jump straight into Week 1 below.
The exam does not ask “what does S3 do?” It asks: “A company needs to store 500 TB of rarely accessed log files at the lowest possible cost, with retrieval within 12 hours. Which storage class is most appropriate?” Train on scenarios, not definitions.
Week 1 — The Foundation (35% of the exam)
IAM, VPC, EC2, Security Groups
This is the largest domain by weight, and it’s where most candidates make their first mistake: they skim it because they think they know it. You don’t. Go deep.
- IAM: Users, roles, policies (identity vs resource), permission boundaries, SCP vs IAM, cross-account access with sts:AssumeRole, least-privilege design. Know the difference between an IAM role attached to a service and a resource-based policy.
- VPC: Subnets (public vs private), route tables, Internet Gateway, NAT Gateway (not NAT Instance — know when to use which), VPC peering vs Transit Gateway. Peering is non-transitive; TGW is the hub-and-spoke answer for multi-VPC architectures.
- EC2: Instance types (compute-optimized, memory-optimized, etc.), purchasing options (On-Demand vs Reserved vs Spot vs Savings Plans), placement groups (cluster vs spread vs partition), and the key cost-optimization scenarios.
- Security Groups & NACLs: Stateful (SG) vs stateless (NACL). Inbound-only rules for SGs. Explicit deny only possible via NACL. The exam loves this distinction.
- Load balancers: ALB (Layer 7, path/host routing, WebSockets) vs NLB (Layer 4, static IP, ultra-low latency, TCP/UDP) vs GWLB (inline inspection with third-party appliances). Know which one to recommend for each scenario cold.
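The Security Groups & NACLs distinction above, as an added example that is not part of the original guide: a small Python model of how one request and its response are evaluated by a stateless NACL and a stateful security group. The rule sets, IP addresses, port ranges and the names Rule, nacl_permits, sg_permits and request_succeeds are constructed for illustration, and only inbound security-group rules are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int   # NACL rule number, lowest evaluated first (unused for SG rules)
    action: str   # "allow" or "deny"; a security group rule is always "allow"
    cidr: str     # remote address range the rule applies to
    ports: range  # port range the rule applies to

def matches(rule, ip, port):
    return ip_address(ip) in ip_network(rule.cidr) and port in rule.ports

def nacl_permits(rules, ip, port):
    """Stateless and ordered: the first matching rule decides, no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, port):
            return rule.action == "allow"
    return False

def sg_permits(rules, ip, port):
    """Allow-only: any matching rule admits the packet; a deny cannot be expressed."""
    return any(matches(r, ip, port) for r in rules)

def request_succeeds(client_ip, client_port, server_port, sg_in, nacl_in, nacl_out):
    # Request leg: the NACL sees the client's source IP and the server's port.
    if not nacl_permits(nacl_in, client_ip, server_port):
        return "dropped: NACL inbound"
    if not sg_permits(sg_in, client_ip, server_port):
        return "dropped: security group"
    # Response leg: the SG tracks the connection, so the reply needs no rule.
    # The NACL keeps no state and checks the reply against the client's ephemeral port.
    if not nacl_permits(nacl_out, client_ip, client_port):
        return "dropped: NACL outbound (response)"
    return "ok"

# Constructed sample rules (documentation address ranges, not from the guide).
HTTPS = range(443, 444)
EPHEMERAL = range(1024, 65536)
SG_IN = [Rule(0, "allow", "0.0.0.0/0", HTTPS)]
NACL_IN = [
    Rule(90, "deny", "203.0.113.0/24", HTTPS),   # explicit deny for one range
    Rule(100, "allow", "0.0.0.0/0", HTTPS),
]
NACL_OUT = [Rule(100, "allow", "0.0.0.0/0", EPHEMERAL)]

if __name__ == "__main__":
    print(request_succeeds("198.51.100.7", 50000, 443, SG_IN, NACL_IN, NACL_OUT))
    print(request_succeeds("203.0.113.9", 50000, 443, SG_IN, NACL_IN, NACL_OUT))
    print(request_succeeds("198.51.100.7", 50000, 443, SG_IN, NACL_IN, []))
```

The third call is the case scenario questions lean on: the inbound rules are correct, but with no outbound NACL rule for ephemeral ports the response never leaves the subnet.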
Week 2 — Storage & Databases (25% of the exam)
S3, RDS, DynamoDB, EBS
- S3 storage classes: Standard, Intelligent-Tiering, Standard-IA, One Zone-IA, Glacier Instant Retrieval, Glacier Flexible Retrieval, Glacier Deep Archive. You must be able to match a retrieval time + cost constraint to the right class instantly. Deep Archive = cheapest, 12–48h retrieval. Intelligent-Tiering = unknown access patterns.
- S3 features: Versioning, MFA Delete, replication (CRR vs SRR), lifecycle policies, Object Lock (WORM), pre-signed URLs, Transfer Acceleration, Event Notifications.
- RDS Multi-AZ vs Read Replicas: Multi-AZ is for high availability (synchronous standby, automatic failover, no read traffic). Read Replicas are for read scaling (asynchronous, can be promoted, can be cross-region). The exam deliberately conflates these in wrong answers.
- Aurora: Up to 15 read replicas, shared storage, Aurora Serverless v2 for variable workloads, Global Database for cross-region DR with RPO <1s.
- DynamoDB: Key-value + document, single-digit millisecond latency, on-demand vs provisioned capacity, DAX for in-memory caching, Global Tables for multi-region active-active, DynamoDB Streams for event-driven patterns.
- EBS: gp3 (baseline 3000 IOPS, cheaper than gp2), io2 Block Express (64,000 IOPS, Multi-Attach), st1/sc1 for throughput-intensive sequential workloads. EBS is AZ-scoped; EFS is region-scoped.
Week 3 — Serverless & Containers (20% of the exam)
Lambda, API Gateway, SQS/SNS, ECS/EKS
- Lambda: Event-driven compute, 15-minute max execution, up to 10 GB memory, concurrency (reserved vs provisioned), VPC attachment (adds ENI cold start), Layers for shared code, destinations for async invocation success/failure routing.
- API Gateway: REST API vs HTTP API (cheaper, fewer features) vs WebSocket API. Caching, throttling, usage plans. Integration with Lambda proxy vs non-proxy.
- SQS vs SNS vs EventBridge: SQS = queue (one consumer, pull-based, decoupling, dead-letter queues). SNS = pub/sub (push to multiple subscribers). EventBridge = event bus with routing rules (best for SaaS integrations and complex event routing). Kinesis = ordered, replay-able streaming data.
- ECS vs EKS vs Fargate: ECS is AWS-native containers (simpler). EKS is managed Kubernetes (industry-standard, more complex). Fargate removes the need to manage EC2 nodes for both. The exam answer for “reduce operational overhead for containers” is almost always Fargate.
- Step Functions: Orchestrate Lambda functions and AWS services into workflows. Express Workflows for high-volume short-duration; Standard Workflows for long-running, auditable processes.
The “AWS way” heuristic: always prefer managed over self-hosted, and serverless over EC2 when the question is about cost or operational overhead. If you’re choosing between running your own message broker on EC2 or using SQS — the exam answer is SQS.
Week 4 — Networking, Monitoring & Review (20% of the exam)
CloudFront, Route 53, CloudWatch, Cost Optimization + Practice Exams
- CloudFront: CDN with edge locations, Origin Access Control (OAC) for private S3, signed URLs vs signed cookies (signed URL = single file, signed cookies = multiple files), cache behaviors, Lambda@Edge vs CloudFront Functions (Functions = lightweight JS at edge, <1ms; Lambda@Edge = full Lambda at regional edge, heavier logic).
- Route 53: Routing policies — Simple, Weighted, Latency-based, Failover, Geolocation, Geoproximity, Multi-Value. Know when to use Failover (active-passive DR) vs Latency (performance routing to closest region). Health checks are required for failover to work.
- CloudWatch: Metrics, Logs, Alarms, Dashboards. CloudWatch agent for custom metrics and logs from EC2. CloudTrail for API audit logs (who did what, when). Config for resource compliance drift.
- Cost optimization: Compute Savings Plans (most flexible), EC2 Instance Savings Plans, Reserved Instances (convertible vs standard). Spot Instances for fault-tolerant workloads with interruption handling. S3 Intelligent-Tiering for unknown access patterns. Right-sizing recommendations from Compute Optimizer.
Spend the last 3–4 days of Week 4 purely on timed practice exams. Aim for 65 questions in 130 minutes. Review every wrong answer and understand why the correct answer is correct — not just what it is.
The services you must know cold
These are the topics the exam returns to again and again. If you can answer every scenario involving these pairs without hesitation, you will pass:
- VPC Peering vs Transit Gateway: Peering = direct 1:1, non-transitive, no bandwidth bottleneck. TGW = hub-and-spoke, transitive routing, centralized, supports thousands of VPCs and VPN connections.
- ALB vs NLB: ALB for HTTP/HTTPS with path/host routing. NLB for TCP/UDP, static IP, lowest latency, or when you need to preserve the client IP at the network level.
- S3 storage class decision tree: Frequent access = Standard. Unknown access = Intelligent-Tiering. Infrequent but must retrieve in milliseconds = Standard-IA. Infrequent + okay with one AZ risk = One Zone-IA. Archive + milliseconds retrieval = Glacier Instant. Archive + minutes to hours = Glacier Flexible. Archive + hours + cheapest possible = Glacier Deep Archive.
- RDS Multi-AZ vs Read Replicas: Multi-AZ = HA/failover. Read Replicas = read scaling. Multi-AZ does not serve read traffic. Read Replicas do not auto-failover (unless promoted manually, or Aurora).
- SQS vs SNS vs Kinesis: SQS for decoupling + guaranteed delivery. SNS for fan-out to multiple consumers. Kinesis Data Streams for ordered, replayable real-time data with multiple consumers reading the same shard.
Do not binge-read. Study one domain per day, then immediately do 10–15 timed scenario questions on that domain before moving on. Spaced repetition on wrong answers beats passive re-reading every time.
What to do if you’re short on time
If 30 days feels tight, ruthlessly prioritize. The exam domain weights are not evenly distributed: the networking and compute foundation (Week 1) represents roughly 35% of your score on its own. Get that right first. Storage and databases (Week 2) adds another 25%. That means 60% of the exam is covered by just two weeks of focused study.
Do not spend equal time on all services. You will not be asked to configure an AWS Wavelength Zone. You will be asked what happens to connections when an RDS Multi-AZ failover occurs.
What comes after SAA-C03?
Passing SAA-C03 opens two natural paths depending on your role:
- SysOps Administrator (SOA-C02): Operational depth — CloudFormation, Systems Manager, monitoring, patching. The operations-focused sibling of the SAA-C03. Great if you work in platform or SRE roles.
- Developer Associate (DVA-C02): Application-layer depth — Lambda, DynamoDB, CodeDeploy, CI/CD pipelines, X-Ray. Best if you write code that runs on AWS.
Both are Associate-level exams that build directly on the architecture knowledge you gained for the SAA-C03. Many candidates complete the full Associate trifecta within 90–120 days of passing their first Associate exam.
Ready to test yourself? We have 60 scenario-based SAA-C03 practice questions covering all four exam domains — timed, randomized, and free.