AWS Solutions Architect Associate: Study Guide and Exam Tips (2026)
The AWS Certified Solutions Architect – Associate (SAA-C03) is the most widely held AWS certification, and for good reason — it validates the architectural knowledge you actually use on the job. This guide covers the exam format, domain-by-domain breakdown, the services that appear most frequently, common traps candidates fall into, and a realistic 8-week study plan.
1. Exam Format and Registration
The SAA-C03 exam (current version as of 2026) has the following specs:
| Item | Details |
|---|---|
| Questions | 65 (multiple choice and multiple response) |
| Duration | 130 minutes |
| Passing score | 720 out of 1000 |
| Cost | $150 USD |
| Delivery | Pearson VUE testing center or online proctored |
| Languages | English, Japanese, Korean, Simplified Chinese, Traditional Chinese, Bahasa Indonesia, Spanish, French, German, Italian, Portuguese |
| Validity | 3 years (recertify by passing a higher cert or retaking) |
| Prerequisites | None official, but 1+ year AWS hands-on experience recommended |
Register at aws.amazon.com/certification. Non-native English speakers can request a 30-minute exam accommodation at no extra cost.
2. Domain Breakdown
The SAA-C03 exam is organized into four domains. Knowing the weight of each domain helps you prioritize study time:
| Domain | Weight | Key Topics |
|---|---|---|
| Domain 1: Design Resilient Architectures | 26% | Multi-AZ, Multi-Region, fault tolerance, decoupling with SQS/SNS, Auto Scaling, backup and restore |
| Domain 2: Design High-Performing Architectures | 24% | EC2 instance types, caching (ElastiCache, CloudFront), storage tiers, ELB types, RDS read replicas, DynamoDB accelerator |
| Domain 3: Design Secure Architectures | 30% | IAM policies, resource-based policies, VPC security (security groups, NACLs), encryption (KMS, TLS), Secrets Manager, Shield, WAF |
| Domain 4: Design Cost-Optimized Architectures | 20% | Reserved vs On-Demand vs Spot, S3 storage tiers, serverless vs containers, right-sizing, Cost Explorer |
Domain 3 (Security) is the largest domain at 30% — most candidates underweight it. If you're coming from a developer background, spend extra time on IAM policy evaluation logic, VPC traffic flow, and encryption patterns.
3. Key Services by Domain
Compute
- EC2: Instance families (general purpose M/T, compute C, memory R/X, storage I/D, accelerated P/G), pricing models, placement groups (cluster/spread/partition), instance metadata, user data scripts
- Auto Scaling: Launch templates vs launch configurations (templates are newer — prefer them), scaling policies (target tracking, step, scheduled), cooldown periods, lifecycle hooks
- Lambda: Execution environment, concurrency limits, reserved vs provisioned concurrency, event source mappings, layers, destinations
- ECS/Fargate: Task definitions, services, cluster types (EC2 vs Fargate), service auto scaling
Storage
- S3: Storage classes, lifecycle policies, versioning, replication (CRR vs SRR), event notifications, access control (bucket policies, ACLs, presigned URLs, access points), S3 Transfer Acceleration, Multipart Upload
- EBS: Volume types (gp3, io2, st1, sc1), snapshots, encryption, multi-attach (io2 only), instance store vs EBS
- EFS: Performance modes (General Purpose vs Max I/O), throughput modes (Bursting, Provisioned, Elastic), storage classes, lifecycle management
- FSx: FSx for Windows (SMB protocol, Active Directory integration), FSx for Lustre (HPC, S3 integration)
Databases
- RDS: Multi-AZ (synchronous replication, automatic failover), Read Replicas (asynchronous, manual promotion), supported engines, automated backups, snapshots, encryption
- Aurora: Cluster architecture (writer + reader endpoints), Aurora Serverless v2, Aurora Global Database (cross-region), backtrack
- DynamoDB: Partition key design, GSI vs LSI, DynamoDB Streams, TTL, on-demand vs provisioned capacity, DAX (in-memory cache), point-in-time recovery
- ElastiCache: Redis vs Memcached (Redis has persistence, replication, cluster mode; Memcached is simpler, multi-threaded)
Networking
- VPC: Subnets, route tables, internet gateways, NAT gateways, security groups, NACLs, VPC peering, Transit Gateway, VPC endpoints (Gateway vs Interface)
- Route 53: Routing policies (Simple, Weighted, Latency, Failover, Geolocation, Geoproximity, Multivalue), health checks, alias records vs CNAME
- CloudFront: Origins (S3, ALB, custom), behaviors, cache policies, Lambda@Edge vs CloudFront Functions, signed URLs vs signed cookies, OAC for S3
- ELB: ALB (HTTP/HTTPS, path/host routing, Lambda targets), NLB (TCP/UDP, static IPs, extreme performance), GLB (third-party appliances)
4. High Availability: Multi-AZ vs Multi-Region
Understanding when to use Multi-AZ vs Multi-Region is a recurring exam theme. The choice depends on the type of failure you're protecting against and the cost/complexity tolerance:
| Aspect | Multi-AZ | Multi-Region |
|---|---|---|
| Protects against | Single AZ failure (hardware, power, networking) | Regional outage, compliance, latency for global users |
| Typical RTO | 60–120 seconds (automatic failover) | Minutes to hours (depends on DR strategy) |
| Typical RPO | Near-zero (synchronous replication) | Seconds to minutes (asynchronous replication) |
| Cost | 2x resource cost | 2x+ resource cost + data transfer + operational overhead |
| Complexity | Low — AWS manages failover automatically | High — requires traffic routing, data sync, runbooks |
| RDS support | Yes — built-in, synchronous standby | Yes — Aurora Global Database, RDS cross-region read replicas |
| Best for | Production databases, stateful services | Regulated industries, global SLAs, disaster recovery |
5. Disaster Recovery Patterns
The four DR strategies form a spectrum from cheapest/slowest to most expensive/fastest. The exam tests both the definitions and when to choose each:
| Pattern | Description | RTO | RPO | Cost | When to Use |
|---|---|---|---|---|---|
| Backup & Restore | Regular backups to S3/Glacier. Restore from scratch on failure. No standby running. | Hours | Hours | Lowest | Non-critical systems, long RTO acceptable, cost-sensitive |
| Pilot Light | Minimal core system running in DR region (DB replicated). Scale up app servers on failure. | 30–60 min | Minutes | Low | Core business systems, moderate RTO acceptable |
| Warm Standby | Scaled-down but fully functional system running in DR region. Scale out on failure. | Minutes | Seconds | Medium | Business-critical apps, RTO < 30 min required |
| Multi-Site Active/Active | Full production capacity in multiple regions simultaneously. Traffic split between regions. | Near-zero | Near-zero | Highest (2x+) | Mission-critical, financial, healthcare, zero downtime SLA |
Key AWS Services for DR
- AWS Backup: Centralized backup management across EC2, RDS, EFS, DynamoDB, FSx, S3
- AWS Elastic Disaster Recovery (DRS): Continuous block-level replication of on-premises or cloud servers to AWS; sub-second RPO
- Aurora Global Database: Cross-region replication with <1 second RPO, <1 minute RTO for Warm Standby; can run as active-active with write forwarding
- S3 Cross-Region Replication: Async replication of S3 objects to a second region
- Route 53 Failover Routing: Automatic DNS failover to secondary endpoint when health check fails
6. Well-Architected Framework: 6 Pillars
AWS's Well-Architected Framework defines the design principles for good cloud architecture. The exam references these pillars frequently — you need to know each pillar's focus and key questions:
| Pillar | Focus | Key Services/Concepts |
|---|---|---|
| Operational Excellence | Run and monitor systems, improve processes | CloudWatch, CloudTrail, Config, Systems Manager, runbooks, IaC, small frequent changes |
| Security | Protect information, systems, assets | IAM, KMS, Shield, WAF, GuardDuty, Security Hub, encryption at rest and in transit |
| Reliability | Recover from failures, meet demand dynamically | Auto Scaling, Multi-AZ, backups, health checks, Route 53, loose coupling (SQS) |
| Performance Efficiency | Use computing resources efficiently as demand changes | Right-sizing, serverless, caching (CloudFront, ElastiCache), global edge (CloudFront) |
| Cost Optimization | Deliver business value at the lowest price point | Reserved/Spot, lifecycle policies, Cost Explorer, Trusted Advisor, serverless, right-sizing |
| Sustainability | Minimize environmental impact | Managed services, serverless, rightsizing, Graviton processors, efficient storage tiers |
7. Storage Options Comparison
Storage choice questions are everywhere on the exam. The key is understanding access patterns, sharing requirements, and durability/availability characteristics:
| Service | Type | Access | Best For | Key Limits |
|---|---|---|---|---|
| S3 | Object | HTTP/HTTPS (REST API) | Static assets, backups, data lake, logs | Max 5TB per object, 5GB single PUT |
| EBS | Block | Single EC2 instance (io2 supports multi-attach) | OS volumes, databases requiring low latency | 16TB max (gp3/io2), AZ-locked |
| EFS | File (NFS) | Multiple EC2 instances simultaneously | Shared file storage, CMS, home directories | Linux only (NFSv4.1), higher cost than EBS |
| FSx for Windows | File (SMB) | Windows EC2, on-prem via VPN/DX | Windows apps, Active Directory integration | Windows only, higher cost |
| Instance Store | Block (ephemeral) | Single EC2 (physical host storage) | Temp files, buffers, caches, scratch space | Data lost on stop/terminate/failure |
| S3 Glacier | Object (archive) | HTTP (minutes to hours retrieval) | Long-term archival, compliance records | Minimum storage duration: 90 days (Glacier), 180 days (Deep Archive) |
8. Common Exam Traps
These are the questions that trip up candidates who know the material but haven't seen the specific gotcha:
Trap 1: Multi-AZ vs Read Replicas
Multi-AZ is for availability (standby not readable, automatic failover). Read Replicas are for performance (readable, must be manually promoted). A question asking "how to improve read performance" wants Read Replicas, not Multi-AZ. A question asking "how to ensure automatic failover" wants Multi-AZ, not Read Replicas.
Trap 2: Default VPC vs Custom VPC
The default VPC has all public subnets. EC2 instances launched in the default VPC get a public IP by default. In a custom VPC, subnets are private by default and instances do NOT get public IPs unless you explicitly enable it at the subnet level or via launch settings. Exam questions about "instances can't reach the internet" almost always involve a custom VPC missing an Internet Gateway, a route table missing a route to igw-*, or a subnet missing auto-assign public IP.
Trap 3: S3 Consistency Model
S3 provides strong read-after-write consistency for all operations since December 2020. This is a common trap — older study materials say S3 is eventually consistent for overwrite PUTs, but that is no longer true. Any question stating eventual consistency for S3 is outdated. All GET, PUT, DELETE, LIST operations are strongly consistent.
Trap 4: NAT Gateway vs NAT Instance
NAT Gateway is managed by AWS, is highly available within an AZ, and scales automatically. A NAT Instance is an EC2 instance you manage: you must disable the source/destination check and handle HA yourself. The exam almost always wants NAT Gateway for production. NAT Instance answers exist as distractors: they're cheaper but require management.
Trap 5: SQS Standard vs FIFO
Standard queues: unlimited throughput, at-least-once delivery, best-effort ordering. FIFO queues: 3,000 messages/second with batching, exactly-once processing, strict ordering. Questions about "duplicate message processing" or "messages processed out of order" want FIFO. FIFO queue names must end in .fifo.
Trap 6: Alias Record vs CNAME in Route 53
CNAME records cannot be created for a zone apex (root domain, e.g., example.com). Alias records can — and they're free (no charge per query for alias records pointing to AWS resources). Alias records can point to ALBs, CloudFront distributions, S3 static websites, and other Route 53 records. For "root domain pointing to ALB," the answer is always an Alias record.
Trap 7: Security Group — No Deny Rules
Security groups are stateful and only support Allow rules — there are no Deny rules. To block specific traffic, you must use NACLs (which support both Allow and Deny). Questions about "blocking a specific IP address from accessing an EC2 instance" require a NACL deny rule, not a security group rule.
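The sketch below is an added example, not part of the original guide. It models only inbound rule matching, to show why blocking one IP needs a NACL deny rule and why that rule's number matters. The rule sets, IP addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample rules (not from the original page); IPs are documentation ranges.
SG_INGRESS = [{"cidr": "0.0.0.0/0", "port": 443}]  # allow-only by design
NACL_INGRESS = [
    {"num": 90, "cidr": "203.0.113.7/32", "port": 443, "action": "deny"},
    {"num": 100, "cidr": "0.0.0.0/0", "port": 443, "action": "allow"},
]
# Same rules, but the deny is numbered after the broad allow, so it is never reached.
NACL_MISORDERED = [
    {"num": 100, "cidr": "0.0.0.0/0", "port": 443, "action": "allow"},
    {"num": 110, "cidr": "203.0.113.7/32", "port": 443, "action": "deny"},
]


def _matches(rule, src_ip, port):
    in_cidr = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])
    return in_cidr and rule["port"] == port


def sg_allows(rules, src_ip, port):
    """Security group: traffic passes if any allow rule matches; no rule can deny."""
    return any(_matches(rule, src_ip, port) for rule in rules)


def nacl_allows(rules, src_ip, port):
    """NACL: lowest rule number first, first match decides, unmatched is denied."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule, src_ip, port):
            return rule["action"] == "allow"
    return False  # the implicit final '*' rule


def inbound_allowed(src_ip, port, nacl=NACL_INGRESS, sg=SG_INGRESS):
    """Inbound traffic crosses the subnet NACL first, then the security group."""
    return nacl_allows(nacl, src_ip, port) and sg_allows(sg, src_ip, port)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20"):
        print(ip, "SG alone:", sg_allows(SG_INGRESS, ip, 443),
              "| NACL + SG:", inbound_allowed(ip, 443),
              "| misordered NACL + SG:", inbound_allowed(ip, 443, NACL_MISORDERED))
```

The misordered rule set is the case to remember: a deny numbered above a matching allow has no effect, because NACL evaluation stops at the first match.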
Trap 8: CloudFront — S3 Origin Access
To restrict an S3 bucket so it's only accessible via CloudFront (not directly via S3 URL), use Origin Access Control (OAC) — the newer replacement for OAI (Origin Access Identity). Set the bucket policy to allow s3:GetObject only from the CloudFront distribution's service principal. Exam questions about "preventing direct S3 URL access" want OAC + bucket policy.
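The OAC bucket policy described above is shown here beside a public-read policy, with a strict check that flags any object-read Allow not pinned to one distribution. This is an added example, not from the original guide. The bucket name, account ID, distribution ID and function names are constructed placeholders, and the check handles only exact action names and the StringEquals operator.

```python
import json

# Constructed placeholders (not from the original page): bucket, account ID, distribution ID.
BUCKET = "example-assets-bucket"
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
READ_ACTIONS = {"s3:GetObject", "s3:*", "*"}


def oac_bucket_policy(bucket, distribution_arn):
    """Corrected setting: only the named CloudFront distribution may read objects."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCloudFrontOAC",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
    }]}


# Weak setting: public read, so the direct S3 URL works without CloudFront.
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*",
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def direct_access_findings(policy, distribution_arn):
    """List Allow statements for object reads that are not pinned to the distribution."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not READ_ACTIONS & set(_as_list(st.get("Action", []))):
            continue
        sid, principal = st.get("Sid", "<no Sid>"), st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: public principal")
        elif principal != {"Service": "cloudfront.amazonaws.com"}:
            findings.append(f"{sid}: principal is not the CloudFront service principal")
        else:
            # Condition key names are case-insensitive; only StringEquals is checked here.
            cond = st.get("Condition", {}).get("StringEquals", {})
            if {k.lower(): v for k, v in cond.items()}.get("aws:sourcearn") != distribution_arn:
                findings.append(f"{sid}: missing or wrong AWS:SourceArn condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(BUCKET, DIST_ARN), indent=2))
    for name, pol in (("public", PUBLIC_READ_POLICY), ("oac", oac_bucket_policy(BUCKET, DIST_ARN))):
        print(name, direct_access_findings(pol, DIST_ARN))
```

Without the `AWS:SourceArn` condition, the statement would trust the CloudFront service principal on behalf of any distribution, which is why the check treats a missing condition as a finding.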
9. An 8-Week Study Plan
This plan assumes 8–10 hours per week (roughly 1–1.5 hours per weekday + longer weekend sessions):
| Week | Focus | Goal |
|---|---|---|
| Week 1 | AWS Fundamentals: IAM, VPC, EC2, S3 basics | Understand the core services from first principles. Create a free-tier account and deploy a VPC with EC2. |
| Week 2 | Compute deep dive: EC2 types, Auto Scaling, ELB, Lambda | Know all ELB types, Auto Scaling policies, and Lambda invocation models. Build a simple ALB + Auto Scaling group. |
| Week 3 | Storage: S3, EBS, EFS, FSx, Glacier | Memorize storage class characteristics and transition rules. Practice S3 lifecycle policy creation. |
| Week 4 | Databases: RDS, Aurora, DynamoDB, ElastiCache | Master Multi-AZ vs Read Replicas. Understand DynamoDB partition key design and GSI/LSI differences. |
| Week 5 | Networking: VPC advanced (Transit Gateway, endpoints), Route 53, CloudFront | Draw VPC architectures from memory. Practice all Route 53 routing policy scenarios. |
| Week 6 | Security: IAM deep dive, KMS, Secrets Manager, VPC security | Read IAM policy evaluation logic documentation. Understand all encryption options per service. |
| Week 7 | Architecture patterns: HA, DR, decoupling (SQS/SNS/EventBridge), Well-Architected | Memorize DR pattern RTO/RPO table. Practice drawing Multi-AZ and Multi-Region architectures. |
| Week 8 | Practice exams + weak area review | Take 3 full practice exams (65 questions each). Score >80% consistently before booking the real exam. |
10. Free and Paid Resources
Free Resources
- AWS Skill Builder (skillbuilder.aws): Official AWS learning paths, including a free SAA-C03 exam prep course with 20 practice questions
- AWS Documentation: FAQs for each service are written by the teams that write the exam questions — read them for your top 15 services
- AWS whitepapers: "AWS Well-Architected Framework," "Disaster Recovery of Workloads on AWS," and "AWS Storage Services Overview" are all exam-relevant
- freeCodeCamp YouTube: Full SAA-C03 course (16 hours) — solid free option for video learners
- AWS Free Tier: Hands-on practice without cost — EC2 t2.micro, S3 5GB, RDS t3.micro (750 hrs/month free for 12 months)
Paid Resources
- Stephane Maarek's SAA-C03 course (Udemy): The most recommended course — updated frequently, $12–$15 on sale. 27 hours of video + practice exams.
- Adrian Cantrill's SAA-C03 course: More technical depth, better architecture diagrams. $40. Preferred by engineers who want to actually understand the material.
- Jon Bonso practice exams (Tutorials Dojo): 6 full-length practice exams with detailed explanations. The closest to actual exam difficulty. $13 on Udemy.
- AWS Skill Builder Individual subscription ($29/month): Official practice exams (20 questions) + AWS Builder Labs for hands-on guided labs
FAQ: AWS Solutions Architect Associate
Q: How long does it take to prepare for the SAA-C03 if I have some cloud experience?
With 6–12 months of hands-on AWS experience, most people need 6–8 weeks of focused study (8–10 hours/week). Without prior AWS experience, plan for 10–12 weeks. The exam tests judgment on architectural trade-offs, not memorization — so time spent building real things on AWS (even free-tier) is more valuable than additional video watching. If you're already working with AWS daily in a solutions architect or senior developer role, 3–4 weeks of targeted study focusing on less-familiar services (FSx, Transit Gateway, AWS Backup, Elastic Disaster Recovery) is often enough.
Q: What is the difference between the Associate and Professional Solutions Architect exams?
The Professional (SAP-C02) is significantly harder. It has 75 questions in 180 minutes, costs $300, and requires a 750/1000 to pass. The scenarios are longer and more complex — often 200+ word case studies requiring you to evaluate 4 architectures that are all plausible. The Professional exam assumes you've passed the Associate and tests deeper service knowledge, migration strategies, hybrid architectures (Direct Connect, Site-to-Site VPN), and more complex cost/performance trade-offs. Most candidates take 3–6 months between Associate and Professional, gaining real-world AWS experience in between.
Q: Can I use the AWS console or documentation during the exam?
No. The exam is closed-book with no access to any external resources. You cannot use the AWS console, documentation, notes, or any external tools. Online proctored exams use camera monitoring and screen sharing — the proctor can see your screen and room. Have water available (no food), a clean desk, and no secondary monitors connected.
Q: Which domain should I study first if I'm short on time?
Domain 3 (Security, 30%) first, then Domain 1 (Resilient Architectures, 26%). Together they make up 56% of the exam. Security covers IAM policy evaluation, VPC traffic flow, and encryption — topics that appear as components of questions in all other domains too. Resilient Architectures covers Multi-AZ, disaster recovery patterns, and decoupling — also cross-domain concepts. Domains 2 and 4 are more service-specific and easier to cram in the final week.
Q: What happens if I fail the exam?
You can retake the exam after 14 days. There is no limit on retake attempts, but each attempt costs $150. AWS provides a score report showing your performance by domain (not by individual question) — use this to focus your re-study. Most candidates who fail score between 650–710, usually weak in Security or missing specific service knowledge (e.g., Transit Gateway, Storage Gateway, Direct Connect vs VPN trade-offs). Don't book a retake until you're consistently scoring above 800 on practice exams.