AWS Solutions Architect Associate (SAA-C03) 2025: Complete Exam Prep Guide with Real Scenarios

An interviewer presents a scenario: "Design a highly available web application with a MySQL database that can handle traffic spikes while minimizing costs." You respond: "Use an Auto Scaling Group with a Load Balancer." The interviewer nods. "What about the database? What if traffic increases 10x overnight? How do you handle session management?"

The AWS Solutions Architect Associate (SAA-C03) exam doesn't just test whether you know AWS services—it tests whether you can design complete, resilient, secure, and cost-effective solutions. Here's everything you need to pass.

What is SAA-C03?

The Solutions Architect Associate validates your ability to design and deploy AWS architectures based on customer requirements. It's the most popular AWS certification and opens doors to cloud architecture roles paying $120k-180k+.

Exam Details:

• 65 questions (50 scored + 15 unscored)
• 130 minutes
• Passing score: 720/1000
• Cost: $150 USD
• Prerequisites: None (but Cloud Practitioner recommended)

Exam Domains:

1. Design Secure Architectures (30%)
2. Design Resilient Architectures (26%)
3. Design High-Performing Architectures (24%)
4. Design Cost-Optimized Architectures (20%)

Prerequisites & Study Timeline

Before you start:

• Cloud Practitioner cert OR 6+ months AWS experience
• Basic understanding of networking (IP, subnets, DNS)
• Comfortable with command line

Study timeline:

• With Cloud Practitioner: 6-8 weeks (15-20 hours/week)
• Without: 10-12 weeks (20-25 hours/week)

Domain 1: Design Resilient Architectures (26%)

Multi-AZ vs Multi-Region

Question: "Design a web app with 99.99% uptime SLA."

Multi-AZ Architecture (99.95% uptime):

Internet → Route 53
  ↓
Application Load Balancer (multi-AZ)
  ↓
Auto Scaling Group (min 2 AZs)
  ├─ us-east-1a: EC2 instances
  └─ us-east-1b: EC2 instances
  ↓
Multi-AZ RDS (primary + standby)

Why this works:

• ALB automatically distributes traffic across healthy AZs
• If one AZ fails, traffic routes to remaining AZ
• RDS auto-fails over to standby (1-2 min downtime)
• Cost: ~$500-800/month for small app

Multi-Region for 99.99%+ (disaster recovery):

Route 53 (weighted routing)
  ├─ 70% → us-east-1 (primary region)
  └─ 30% → eu-west-1 (secondary region)

Each region:
  - Full ALB + Auto Scaling + RDS setup
  - RDS cross-region read replicas
  - S3 cross-region replication

Cost: 2-3x single-region architecture

Auto Scaling Strategies

Scenario-based question you'll see:

"Your e-commerce site has predictable traffic: 1000 RPS at 9am-9pm, 100 RPS at night. Peak sales on Black Friday reach 10,000 RPS. Design an Auto Scaling strategy."

Solution:

Scheduled Scaling:
- 8:50am: Scale to 10 instances (warm up before traffic)
- 9:10pm: Scale to 2 instances (handle remaining requests)

Target Tracking:
- Target: 70% CPU utilization
- Allows scaling within day based on actual load

Step Scaling (for Black Friday):
- CPU > 70% → add 5 instances
- CPU > 85% → add 10 instances
- CPU < 30% for 5min → remove 1 instance

Reserved Instances:
- 2 RIs for baseline load (always 2 instances minimum)
- Remaining instances: On-Demand or Spot (for cost savings)

Key concepts:

• Cooldown period: Wait 300s after scaling before next action
• Warm-up time: New instances need 60-120s to start handling traffic
• Health checks: Replace unhealthy instances automatically

RDS vs DynamoDB vs Aurora

"When should you use each database service?"

RDS (Relational):

• Use for: Complex queries, JOINs, transactions, existing SQL apps
• Engines: MySQL, PostgreSQL, Oracle, SQL Server, MariaDB
• Multi-AZ: Auto-failover to standby (1-2 min downtime)
• Read Replicas: Up to 15, async replication, read-heavy workloads
• Backup: Automated daily backups (1-35 days), point-in-time recovery
• Cost: $100-500/month for db.t3.medium

DynamoDB (NoSQL):

• Use for: Key-value lookups, document storage, mobile/gaming apps
• Performance: Single-digit millisecond latency
• Scaling: Auto-scales up/down based on traffic
• Global Tables: Multi-region, active-active replication
• Cost: Pay per request or provisioned capacity
• Best for: High-traffic apps with simple queries

Aurora (AWS's MySQL/PostgreSQL):

• Use for: High-performance, mission-critical apps
• Performance: 5x faster than MySQL, 3x faster than PostgreSQL
• Storage: Auto-scales from 10GB to 128TB
• Replicas: Up to 15, with auto-failover in 30 seconds
• Cost: 20% more than RDS, but better performance
• Aurora Serverless: Auto-scales compute, pay per second

Decision tree:

Need ACID transactions + SQL? → Yes → RDS/Aurora
  Performance critical? → Yes → Aurora
  Standard SQL app? → Yes → RDS

Simple key-value lookups? → Yes → DynamoDB
Need millisecond latency? → Yes → DynamoDB
Mobile/gaming app? → Yes → DynamoDB

Domain 2: Design Secure Architectures (30%)

VPC Design Patterns

Essential VPC scenario:

"Design a VPC for a 3-tier web app (web, app, database) with internet access for web tier only."

Architecture:

VPC (10.0.0.0/16)
├─ Public Subnet (10.0.1.0/24) - AZ-1
│  ├─ ALB (internet-facing)
│  └─ NAT Gateway
├─ Public Subnet (10.0.2.0/24) - AZ-2
│  ├─ ALB (internet-facing)
│  └─ NAT Gateway
├─ Private Subnet - App (10.0.10.0/24) - AZ-1
│  └─ EC2 instances (app servers)
├─ Private Subnet - App (10.0.11.0/24) - AZ-2
│  └─ EC2 instances (app servers)
├─ Private Subnet - DB (10.0.20.0/24) - AZ-1
│  └─ RDS primary
└─ Private Subnet - DB (10.0.21.0/24) - AZ-2
   └─ RDS standby

Security Groups:

ALB Security Group:
- Inbound: 443 from 0.0.0.0/0 (internet HTTPS)
- Outbound: 8080 to App-SG

App Security Group:
- Inbound: 8080 from ALB-SG only
- Outbound: 3306 to DB-SG

DB Security Group:
- Inbound: 3306 from App-SG only
- Outbound: None

Route Tables:

Public Subnet Route Table:
- 10.0.0.0/16 → local (VPC traffic)
- 0.0.0.0/0 → IGW (internet gateway)

Private Subnet Route Table:
- 10.0.0.0/16 → local
- 0.0.0.0/0 → NAT Gateway (for outbound only)

Why this design:

• ✅ Web tier accessible from internet
• ✅ App/DB tiers isolated from internet
• ✅ Multi-AZ for high availability
• ✅ NAT Gateway for outbound (patches, updates)
• ✅ Principle of least privilege with Security Groups

IAM Roles and Policies

Scenario: "An EC2 instance needs to upload files to S3 and send SNS notifications."

Wrong approach: Store AWS access keys in application code Problems: Keys can be leaked, stolen, or hardcoded in Git

Correct approach: IAM Role attached to EC2

Create Policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    },
    {
      "Effect": "Allow",
      "Action": "sns:Publish",
      "Resource": "arn:aws:sns:us-east-1:123456789:my-topic"
    }
  ]
}

Attach to Role → Attach Role to EC2

Benefits:

• No credentials in code
• Temporary credentials auto-rotated by AWS
• Easy to modify permissions
• Works with AWS SDK automatically

Encryption at Rest vs In Transit

Exam loves this distinction:

At Rest (data stored):

• S3: Server-Side Encryption (SSE-S3, SSE-KMS, SSE-C)
• EBS: Enable encryption when creating volume
• RDS: Enable encryption at creation (can't encrypt after)
• DynamoDB: Encryption enabled by default

In Transit (data moving):

• HTTPS/TLS: For API calls, web traffic
• VPN: Site-to-site or client VPN
• SSL/TLS: For database connections

Common question: "How do you ensure data is encrypted end-to-end?" Answer: Enable encryption at rest (S3/RDS/EBS) AND use HTTPS/TLS for all connections.

Domain 3: Design High-Performing Architectures (24%)

Caching Strategies

Scenario: "Your API has 1000 reads/second but only 10 writes/second. Response time is slow."

Solution: Implement caching at multiple levels

CloudFront (CDN):

• Cache static assets (images, CSS, JS) at Edge Locations
• 80% reduction in origin requests
• TTL: 24 hours for rarely-changing content

API Gateway Caching:

• Cache API responses (300s-3600s TTL)
• Reduce Lambda/backend invocations
• Per-key caching for dynamic content

ElastiCache:

• Redis: For complex data structures, pub/sub, sorted sets
• Memcached: Simple key-value caching
• Cache database query results
• Session storage for stateless apps

Example architecture:

User → CloudFront (cached static assets)
  ↓
API Gateway (cached API responses)
  ↓
Lambda/EC2 → ElastiCache (check cache)
  ↓ (cache miss)
RDS/DynamoDB (fetch from database)

Result: 95% requests served from cache, 20x faster response times.

Storage Performance

"Compare EBS volume types for different workloads."

gp3 (General Purpose SSD):

• Use for: Boot volumes, dev/test, low-latency apps
• Performance: 3,000 IOPS baseline, up to 16,000 IOPS
• Cost: $0.08/GB-month + $0.005/IOPS over 3000
• Best for: 99% of workloads

io2 Block Express (Provisioned IOPS):

• Use for: Mission-critical databases (Oracle, SQL Server)
• Performance: Up to 64,000 IOPS, 1,000 MB/s throughput
• Cost: $0.125/GB-month + $0.065/IOPS
• Best for: I/O intensive workloads

st1 (Throughput Optimized HDD):

• Use for: Big data, data warehouses, log processing
• Performance: 500 MB/s throughput, 500 IOPS
• Cost: $0.045/GB-month (cheapest)
• Best for: Sequential access, large files

Decision: Database? → io2. Boot volume? → gp3. Big data? → st1.

Domain 4: Design Cost-Optimized Architectures (20%)

S3 Lifecycle Policies

Scenario: "You have 100TB of logs. Frequently accessed for 30 days, occasionally for 90 days, archived after 1 year."

Lifecycle Policy:

Day 0-30: S3 Standard
  ↓ (after 30 days)
Day 31-90: S3 Standard-IA (50% cheaper)
  ↓ (after 90 days)
Day 91-365: S3 Glacier Flexible Retrieval (80% cheaper)
  ↓ (after 365 days)
Year 1+: S3 Glacier Deep Archive (95% cheaper)
  ↓ (after 7 years)
Delete

Cost savings:

• Standard only: $2,300/month
• With lifecycle: $400/month
• Savings: 83%

Reserved Instances vs Savings Plans

"Your app runs 24/7 on m5.large instances. How do you optimize costs?"

Reserved Instances (RI):

• 1-year: 40% savings
• 3-year: 60% savings
• Payment: All Upfront (max discount), Partial, No Upfront
• Locked to: instance family, region, OS

Compute Savings Plans:

• 1-year: 42% savings
• 3-year: 54% savings
• Flexible: Can change instance family, region, OS
• Applies to: EC2, Lambda, Fargate

Recommendation: Use Savings Plans for flexibility. Use RIs only if you're certain about instance type/region.

Tip: Set up Cost Explorer → Compute Optimizer recommendations.

Hands-On Labs You MUST Do

The exam is scenario-based. You need practical experience:

Week 1-2: Core Services

1. Launch EC2 in VPC with public/private subnets
2. Create ALB with Auto Scaling Group
3. Set up Multi-AZ RDS and perform failover test

Week 3-4: Security & Networking 4. Configure VPC with public/private subnets, NAT Gateway 5. Set up Security Groups, NACLs, VPN 6. Create IAM roles, policies, test with EC2/Lambda

Week 5-6: High Availability 7. Implement Route 53 health checks with failover 8. Create S3 static website with CloudFront 9. Set up ElastiCache with Redis

Week 7-8: Advanced & Review 10. Build serverless API with API Gateway + Lambda + DynamoDB 11. Create CloudFormation template for entire stack 12. Take practice exams, review weak areas

Common Exam Traps

Trap: "What's the MOST cost-effective solution?"

• AWS wants you to choose cheapest option that still meets requirements
• Look for: Reserved Instances, S3 Glacier, Spot Instances, right-sizing

Trap: "What's the FASTEST way to migrate 10TB to AWS?"

• ❌ Internet upload (10TB ÷ 100Mbps = 9+ days)
• ✅ AWS Snowball (1-week delivery + transfer)
• ✅✅ AWS Direct Connect (if already set up)

Trap: "Design highly available architecture."

• They want: Multi-AZ
• NOT Multi-Region (unless specifically asked or disaster recovery mentioned)

Practice Questions

Q1: Your RDS database runs out of storage weekly. You manually increase it. What's the best long-term solution?

A) Scheduled Lambda to increase storage B) Enable Auto Scaling storage C) Use Aurora (auto-scales to 128TB) D) Archive old data to S3

Answer: B - RDS Auto Scaling storage automatically increases when reaching threshold.

Q2: Your Lambda function processes S3 uploads but times out after 15 minutes. What should you do?

A) Increase Lambda timeout to 30 minutes B) Increase Lambda memory C) Use Step Functions with multiple Lambda functions D) Move to EC2

Answer: C - Lambda max timeout is 15 minutes. Use Step Functions to chain multiple functions for long-running tasks.

Q3: How do you ensure EC2 instances have latest security patches?

A) Manually SSH and run apt-get update B) Use Systems Manager Patch Manager C) Create new AMI monthly with patches D) Run User Data script on launch

Answer: B - Systems Manager Patch Manager automatically patches instances on schedule.

Recommended Study Resources

Official AWS:

• AWS Certified Solutions Architect Study Guide (Ben Piper & David Clinton)
• AWS Skill Builder: Solutions Architect path
• AWS Whitepapers: Well-Architected Framework, Disaster Recovery

Practice Exams ($):

• Tutorials Dojo (6 practice exams, $15)
• Whizlabs (7 practice exams, $20)
• AWS Official Practice Exam ($40)

Hands-On Labs:

• AWS Free Tier (12 months free)
• A Cloud Guru Labs
• CloudAcademy playgrounds

Exam Day Strategy

Before:

• Review flash cards (Shared Responsibility Model, EBS types, RDS engines)
• Sleep well (exam is mentally exhausting)
• Arrive 15 min early for online exam

During:

• Flag hard questions, come back later
• Eliminate obviously wrong answers
• Watch for "MOST cost-effective" vs "FASTEST"
• 130 minutes = 2 minutes per question (manage time)

After:

• Results immediate (pass/fail)
• Detailed score report in 5 business days

Next Steps After Passing

Career paths:

• Cloud Architect ($140k-180k)
• Solutions Engineer ($130k-170k)
• DevOps Engineer ($120k-160k)

Next certifications:

• Solutions Architect Professional (advanced architecture)
• DevOps Engineer Professional (CI/CD, automation)
• Security Specialty (security in-depth)

Keep learning:

• Build real projects on AWS
• Contribute to open-source AWS tools
• Stay updated with AWS re:Invent announcements

Ready to put your knowledge to the test? Practice with our AWS Solutions Architect Interview Prep featuring AI-powered scenario-based questions.