AWS Solutions Architect Associate (SAA-C03) Study Guide — 2026
SAA-C03 is the most in-demand cloud certification in US job postings. Here's what AWS actually tests, the services you must know cold, and an 8-week schedule that gets you from zero to certified.
The AWS Certified Solutions Architect — Associate (SAA-C03) is, by job-posting volume, the highest-leverage cloud certification in the United States. It's the credential that gets non-cloud engineers past resume filters at AWS-stack employers, and the one that consistently lifts mid-level engineer salaries by $15-30k.
It's also the cert that more candidates fail than they admit, because AWS scenario questions are subtle in a way that 30-second YouTube summaries can't prepare you for.
Exam structure
- 65 questions in 130 minutes
- Multiple choice (single answer) and multiple response (pick 2 or 3)
- Passing score: 720 / 1000 (scaled — not a literal percentage)
- Cost: $150 USD
- Delivered online (Pearson VUE OnVUE) or at testing centers
There are no performance-based questions on SAA-C03 — every question is multiple choice or multiple response. But the multiple-choice questions are scenario-heavy and frequently have two plausibly correct answers, with the right one being the most cost-effective, most operationally efficient, or best aligned to the AWS Well-Architected Framework.
Domain weights
| Domain | Weight |
|---|---|
| 1. Design Secure Architectures | 30% |
| 2. Design Resilient Architectures | 26% |
| 3. Design High-Performing Architectures | 24% |
| 4. Design Cost-Optimized Architectures | 20% |
Notice that "secure" is the heaviest domain. IAM and KMS questions show up everywhere — even in questions ostensibly about other topics.
The 12 service families that dominate the exam
About 80% of your questions reference these. Master them and the rest is filler.
- Compute: EC2 (instance families, AMIs, EBS, instance store), Auto Scaling, ELB (ALB vs NLB vs GWLB), Lambda, ECS, EKS, Fargate.
- Storage: S3 (storage classes — Standard, IA, One Zone-IA, Glacier Instant/Flexible/Deep Archive, Intelligent-Tiering), EBS (gp3, io2, st1, sc1), EFS, FSx, Storage Gateway.
- Database: RDS (Multi-AZ vs Read Replicas), Aurora (Global Database, Serverless v2), DynamoDB (on-demand vs provisioned, DAX, Streams, Global Tables), ElastiCache (Redis vs Memcached), Redshift.
- Networking: VPC (subnets, route tables, NAT Gateway vs NAT Instance, VPC Endpoints — Gateway and Interface), CloudFront, Route 53 (routing policies — simple, weighted, latency, failover, geolocation, geoproximity, multivalue), Direct Connect, Site-to-Site VPN, Transit Gateway.
- Identity & Access: IAM (users, groups, roles, policies — identity vs resource-based), AWS SSO / IAM Identity Center, Cognito (User Pools vs Identity Pools), STS, AWS Organizations + SCPs.
- Security: KMS (CMKs — customer-managed vs AWS-managed, envelope encryption), Secrets Manager vs Parameter Store, ACM, WAF, Shield Standard vs Advanced, GuardDuty, Macie, Inspector, Security Hub.
- Application Integration: SQS (Standard vs FIFO, DLQ, visibility timeout), SNS (topics, fan-out), EventBridge, Step Functions.
- Monitoring & Logging: CloudWatch (metrics, logs, alarms, dashboards), CloudTrail (management vs data events), AWS Config, X-Ray.
- Migration & Transfer: DataSync, Snow family (Snowcone, Snowball, Snowmobile), Database Migration Service (DMS), Application Migration Service (MGN).
- Analytics: Athena, Glue, Kinesis (Data Streams vs Firehose vs Data Analytics).
- Cost Management: Trusted Advisor, Cost Explorer, AWS Budgets, Savings Plans vs Reserved Instances.
- Disaster Recovery: RTO vs RPO, four DR strategies (Backup & Restore, Pilot Light, Warm Standby, Multi-Site Active/Active).
The "AWS-isms" that turn 50% confidence into 90%
When two answers both seem correct, AWS questions reward these patterns:
- Managed services beat self-managed. When the question lists "operational overhead" as a constraint, pick RDS over self-installed PostgreSQL on EC2, ElastiCache over Redis on EC2, etc.
- Use the highest-level service that fits. Lambda > Fargate > ECS > EKS > EC2 for the same workload. Pick the one that satisfies the requirement with the least undifferentiated heavy lifting.
- Multi-AZ is for HA. Multi-Region is for DR. Don't confuse them.
- Read Replicas don't fail over. They're for read scaling. Multi-AZ is for failover.
- VPC Endpoints keep traffic private. When a question says "must not traverse the internet," it almost always wants VPC Endpoints (Gateway for S3/DynamoDB, Interface for everything else).
- NAT Gateway > NAT Instance. Always, unless cost is the only factor and traffic is light.
- S3 Intelligent-Tiering for unknown access patterns. Lifecycle policies for predictable patterns.
- CloudFront for global low-latency static + API origin acceleration. Not just static.
- Route 53 latency-based routing for global apps. Geolocation for compliance / regional rules.
- Use IAM roles, not access keys. The phrase "store credentials" is almost always a wrong answer.
Performance-based question prep (you don't need it, but here's what to do instead)
SAA-C03 doesn't have PBQs. But the scenario questions reward hands-on muscle memory. Spend at least 15-20 hours building real things:
- Build a 3-tier VPC: public ALB → private app subnet → private DB subnet with NAT Gateway.
- Spin up an Auto Scaling Group behind an ALB with health checks and a CloudWatch CPU policy.
- Set up Multi-AZ RDS + a Read Replica. Watch failover behavior in the console.
- Configure S3 lifecycle policies moving objects to Glacier after 90 days.
- Make an IAM policy with conditions that only allow access from a specific VPC endpoint.
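For the last lab item, here is an added example (not from the original guide) of the usual pattern: an explicit Deny keyed on `aws:SourceVpce`, plus a small simplified checker that shows which requests the statement catches. It assumes the resource is an S3 bucket; the bucket name and endpoint IDs are hypothetical placeholders.

```python
import json

# Hypothetical placeholders: substitute your own bucket name and endpoint ID.
BUCKET = "example-bucket"
VPCE_ID = "vpce-0123456789abcdef0"


def vpce_only_bucket_policy(bucket, vpce_id):
    """Bucket policy that explicitly denies any request not sent via vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def denied_by(policy, context):
    """Simplified model of explicit-deny matching, not the full IAM evaluator.

    Only StringNotEquals is handled, and Principal/Action/Resource matching is
    skipped. A key missing from the request context counts as "not equal",
    which is how IAM treats negated string operators.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if all(context.get(key) != value for key, value in cond.items()):
            return True
    return False


POLICY = vpce_only_bucket_policy(BUCKET, VPCE_ID)

# Constructed request contexts (illustrative, not captured from AWS).
VIA_ENDPOINT = {"aws:SourceVpce": VPCE_ID}
OTHER_ENDPOINT = {"aws:SourceVpce": "vpce-0fedcba9876543210"}
PUBLIC_INTERNET = {}  # no aws:SourceVpce key in the request at all

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for name, ctx in [("endpoint", VIA_ENDPOINT), ("other endpoint", OTHER_ENDPOINT),
                      ("internet", PUBLIC_INTERNET)]:
        print(f"{name}: {'DENY' if denied_by(POLICY, ctx) else 'no explicit deny'}")
```

Because the statement is an explicit Deny on `s3:*`, it also blocks console and administrative access that does not arrive through the endpoint. An Allow with `StringEquals` alone would not stop same-account principals whose identity-based policies already grant access to the bucket.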
An 8-week study plan
This assumes ~10 hours/week. Cut to 5–6 weeks if you have AWS experience; stretch to 12 weeks if you're new to cloud.
Week 1: Cloud + AWS fundamentals
Start Stephane Maarek's or Adrian Cantrill's SAA-C03 course. AWS regions, AZs, edge locations. Shared responsibility model. AWS Well-Architected Framework — five pillars. Skim CLF-C02 (Cloud Practitioner) topics if you've never touched AWS.
Week 2: Compute + storage
EC2 deep dive (instance types, EBS volume types, AMIs, Spot vs On-Demand vs Reserved vs Savings Plans), Auto Scaling, ELB types, Lambda. S3 storage classes, lifecycle, encryption, transfer acceleration. EFS vs FSx vs S3 vs EBS — when to use which.
Week 3: Networking
VPC, subnets, route tables, IGW, NAT Gateway, VPC peering vs Transit Gateway, VPC endpoints. Route 53 routing policies (memorize all 7). CloudFront caching behaviors. Direct Connect vs VPN.
Week 4: Databases + caching
RDS, Aurora (especially Aurora Serverless v2 and Global Database), DynamoDB (capacity modes, GSI vs LSI, Streams). ElastiCache use cases. Redshift vs RDS vs DynamoDB — pick-the-right-database scenarios. DocumentDB, Neptune (just enough to recognize them).
Week 5: IAM + security
IAM policy structure (Effect, Action, Resource, Condition). Identity-based vs resource-based policies. STS and assume-role. KMS (envelope encryption explicitly). Secrets Manager vs SSM Parameter Store. Cognito User Pools vs Identity Pools.
Week 6: Integration, monitoring, DR
SQS vs SNS vs EventBridge. Step Functions. CloudWatch metrics + Logs + Alarms. CloudTrail. The four DR strategies and their RTO/RPO trade-offs.
Week 7: First full-length practice + targeted review
Take a Tutorials Dojo or Stephane Maarek practice exam cold. Scoring around 60-65% your first time is normal. Spend the rest of the week drilling weak domains.
Week 8: Mixed practice + book the exam
Two more full-length practices, both timed. By end of week 8, score 75%+ on practices to be safe at the real exam. Book the real test for the end of the week.
Common pitfalls
- Studying only the official AWS courses. They're solid but skew easy. Tutorials Dojo and Stephane Maarek practice exams are notoriously harder than the real test — and that's exactly what makes them good prep.
- Memorizing service names without use-cases. Every AWS service has a "use this when…" — that's the actual exam content.
- Skipping math questions. "If RTO is 4 hours, which DR strategy fits?" appears repeatedly. Know the ranges.
- Underestimating CloudFront. It shows up in 5-8 questions across security, performance, and cost domains.
- Treating Multi-AZ and Multi-Region as interchangeable. They aren't. Multi-AZ = high availability (within region). Multi-Region = disaster recovery + latency reduction.
After SAA-C03
The natural next moves:
- Stay on AWS, go developer → AWS Certified Developer Associate (DVA-C02). Substantial overlap with SAA — many candidates pass DVA within 4 weeks of SAA.
- Stay on AWS, go ops → AWS Certified SysOps Administrator (SOA-C02). Includes a hands-on lab section.
- Step up → AWS Certified Solutions Architect — Professional (SAP-C02). Notoriously brutal but the highest-paying AWS cert.
- Cross-cloud → Microsoft Azure Administrator (AZ-104). Combined AWS + Azure certs cover ~80% of cloud hiring filters.
- Specialize → AWS Security Specialty (SCS-C02), Database Specialty, Networking Specialty.
Frequently asked questions
How hard is SAA-C03 compared to other AWS certs?
Harder than Cloud Practitioner (entry-level), easier than the Professional-tier certs. About on par with Azure AZ-104 but with broader service coverage. Most candidates rate it ~7/10 in difficulty.
How long does SAA-C03 take to study for?
6–10 weeks for someone with prior IT/sysadmin experience. 10–14 weeks for a true beginner. Most successful candidates put in 80–120 hours of study.
How much does the AWS Solutions Architect Associate exam cost?
$150 USD. AWS occasionally provides 50% discount vouchers via free events (re:Invent, AWS Skills Centers, Cloud Quest completions).
Is the SAA-C03 exam delivered remotely?
Yes. Pearson VUE OnVUE proctors the exam from your home with a webcam-based environment scan. Same exam, same 130 minutes.
How long is the AWS Solutions Architect cert valid?
3 years. Renewable by passing the latest version of SAA, the Professional-level SAP, or any AWS Specialty exam.
Should I take CLF-C02 before SAA-C03?
If you're entirely new to cloud, yes — Cloud Practitioner builds the vocabulary that makes SAA-C03 less painful. If you've used AWS at any level professionally, skip Cloud Practitioner.