AWS Certified Solutions Architect Associate
275 practice questions
Last reviewed: April 2026
Personal notes and resource links for your study journey
Filter by Certification
The AWS Certified Solutions Architect Associate (SAA-C03) is the most popular AWS certification and the de facto baseline for cloud-architect roles in AWS-centric organizations. It validates the ability to design secure, resilient, performant, and cost-optimized architectures across the major AWS service families. The exam targets architects, senior developers, DevOps engineers, and technical leads with 1+ year of hands-on AWS experience. Expect scenario-heavy questions where multiple valid answers exist and the exam asks for the BEST one given constraints β usually some combination of cost, operational overhead, security, and resilience. SAA-C03 is conceptual rather than hands-on (no labs) and consistently ranks among the highest-ROI cloud credentials.
The largest domain at 30%. IAM (roles, policies, permission boundaries, SCPs), VPC security (security groups, NACLs, endpoints), KMS, Secrets Manager, and data-protection patterns. Expect heavy emphasis on least-privilege and cross-account access.
Multi-AZ vs. multi-region tradeoffs, decoupling with SQS/SNS/EventBridge, RTO/RPO scenarios, Aurora Global, S3 cross-region replication, and Route 53 failover. Common stumbling block: knowing which compute service (EC2, ECS, Lambda) is most resilient for a given pattern.
Caching layers (CloudFront, ElastiCache, DAX), storage performance tiers, read replicas, autoscaling, and choosing between EBS volume types. Tests practical performance reasoning more than memorization.
Spot vs. Reserved vs. Savings Plans, S3 Intelligent-Tiering and lifecycle policies, right-sizing, S3 Storage Lens, and Compute Optimizer. Candidates often miss Savings Plans nuances or forget that Lambda billed-duration is its own cost lever.
Services you'll encounter on the exam and why each one matters.
Resizable virtual machine compute with instance families, purchase options (On-Demand, Reserved, Savings Plans, Spot), placement groups, and AMIs.
Why it's on the exam: EC2 anchors compute selection across all four SAA-C03 domains β instance-type sizing in Design High-Performing Architectures and pricing-model selection in Design Cost-Optimized Architectures are guaranteed exam topics.
Object storage with storage classes (Standard, Intelligent-Tiering, Glacier tiers), versioning, lifecycle policies, replication, and event notifications.
Why it's on the exam: S3 storage-class selection and lifecycle transitions show up in Design Cost-Optimized Architectures; encryption, block public access, and bucket policies sit in Design Secure Architectures.
Isolated virtual network with subnets, route tables, security groups, NACLs, NAT gateways, VPC endpoints, and peering / Transit Gateway connectivity.
Why it's on the exam: VPC design (public/private subnets, NAT, endpoints, peering vs. Transit Gateway) is foundational to Design Secure Architectures and a recurring scenario across Design High-Performing Architectures.
Managed relational databases (PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, Aurora) with Multi-AZ failover, read replicas, automated backups, and snapshots.
Why it's on the exam: RDS Multi-AZ vs. read replicas is the canonical Design Resilient Architectures question; choosing Aurora over RDS shows up in Design High-Performing Architectures scenarios.
Serverless NoSQL key-value/document database with on-demand or provisioned capacity, global tables, DynamoDB Streams, TTL, and DAX caching.
Why it's on the exam: DynamoDB vs. RDS selection (single-digit-millisecond reads, horizontal scale) is the standard Design High-Performing Architectures distractor; global tables anchor Design Resilient Architectures multi-region scenarios.
Serverless event-driven compute with sub-second billing, integrations to API Gateway, S3, SQS, EventBridge, and provisioned concurrency for cold-start control.
Why it's on the exam: Lambda is the default "serverless / event-driven" answer in Design Cost-Optimized Architectures and the lightweight processing layer in countless Design High-Performing Architectures pipelines.
Managed container orchestration β ECS for AWS-native task scheduling, EKS for managed Kubernetes β both runnable on EC2, Fargate (serverless containers), or hybrid.
Why it's on the exam: Distinguishing ECS vs. EKS vs. Lambda for a workload, and choosing Fargate over EC2 launch type, is a recurring scenario across the High-Performing and Cost-Optimized domains.
Automatic capacity adjustment for EC2 Auto Scaling groups, ECS services, DynamoDB tables, and Aurora replicas using target tracking, step, or scheduled policies.
Why it's on the exam: Auto Scaling is the named answer for elasticity questions in Design High-Performing Architectures and pay-only-for-what-you-use scenarios in Design Cost-Optimized Architectures.
Global CDN with edge caching, origin shielding, Lambda@Edge / CloudFront Functions, signed URLs, OAC for S3, and field-level encryption.
Why it's on the exam: CloudFront is the canonical answer to "reduce global latency" (Design High-Performing) and "offload origin traffic" (Design Cost-Optimized) questions.
Authoritative DNS with routing policies (simple, weighted, latency, geolocation, failover, multi-value), health checks, and domain registration.
Why it's on the exam: Routing-policy selection (latency vs. geolocation vs. failover) is a frequent Design Resilient Architectures and Design High-Performing Architectures distractor.
Layer-4/7 load balancing β Application LB (HTTP/HTTPS, path/host rules), Network LB (TCP/UDP, static IP), Gateway LB (third-party appliances), classic ELB legacy.
Why it's on the exam: ALB vs. NLB selection (HTTP routing vs. extreme throughput / static IP) shows up in Design Resilient Architectures and Design High-Performing Architectures every exam.
Managed message queues with Standard (at-least-once, high throughput) and FIFO (exactly-once, ordered) variants, plus dead-letter queues and long polling.
Why it's on the exam: SQS is the canonical decoupling answer in Design Resilient Architectures; FIFO vs. Standard selection is a frequent distractor.
Pub/sub messaging with topics and subscriptions (SQS, Lambda, HTTPS, email, SMS, mobile push) and FIFO topic support for ordered fan-out.
Why it's on the exam: SNS+SQS fan-out is the textbook Design Resilient Architectures pattern; expect questions distinguishing SNS (push) from SQS (pull) and EventBridge (event-bus routing).
Fully managed elastic NFS file system, mountable from EC2 / ECS / EKS / Lambda across AZs, with Standard and Infrequent Access storage classes.
Why it's on the exam: EFS vs. EBS vs. FSx selection is a recurring Design High-Performing Architectures question; EFS is the named choice when multiple instances need shared POSIX storage.
Anycast static IPs that route traffic over the AWS global backbone to the optimal regional endpoint (ALB, NLB, EC2, EIP) with automatic failover.
Why it's on the exam: Global Accelerator vs. CloudFront is the canonical Design High-Performing Architectures distractor β CloudFront caches HTTP, Global Accelerator accelerates non-HTTP and gives static anycast IPs.
Dedicated 1/10/100 Gbps private network connections between an on-premises data center and AWS, with VLAN-based virtual interfaces.
Why it's on the exam: Direct Connect vs. Site-to-Site VPN is the canonical hybrid-connectivity question β Direct Connect for consistent throughput / regulated traffic, VPN for fast / cheaper setup.
Account-wide access control: users, groups, IAM roles, identity-based and resource-based policies, IAM Identity Center (SSO), and SAML/OIDC federation.
Why it's on the exam: Design Secure Architectures (30% β the largest domain) is built on IAM least-privilege, role assumption, cross-account access, and federation patterns.
Managed cryptographic key creation, rotation, and access control for encrypting EBS, S3, RDS, Secrets Manager, and any service that supports envelope encryption.
Why it's on the exam: KMS-backed encryption-at-rest with customer-managed keys is the standard Design Secure Architectures answer for protecting data in S3, RDS, EBS, and SQS.
Immutable account-wide API audit log covering management events, S3 data events, and Lambda invokes β deliverable to S3 and queryable via Athena / CloudWatch Logs Insights.
Why it's on the exam: Compliance and audit scenarios in Design Secure Architectures cite CloudTrail as the named service for the "who did what, when" trail.
Metrics, logs, alarms, dashboards, Synthetics canaries, and CloudWatch Logs Insights for cross-service observability and event-driven remediation.
Why it's on the exam: CloudWatch alarms drive Auto Scaling actions in Design Resilient Architectures; metric-based capacity decisions thread through all four SAA-C03 domains.
$110kβ$155kβ$220k USD annual
Range covers US-based mid-to-senior architect roles where SAA is required or preferred. Senior staff and principal architects at FAANG / large enterprise frequently exceed $300k TC. Entry roles and non-coastal markets trend lower. SAA-C03 is widely considered the highest-ROI single cert for breaking into AWS-focused careers β but salaries reflect demonstrated architecture experience, not the cert alone.
Source: levels.fyi 2025β2026 cloud architect roles, U.S. BLS OEWS May 2024 (15-1244 network and computer systems architects, 15-1252 software developers). Figures are approximate; actual compensation depends on role, region, and experience.
SAA-C03 is the single most-requested AWS certification on US job listings and the most common required or preferred credential in cloud-architect job descriptions. Recruiters use it as a fast filter β its absence on a resume is often disqualifying for AWS-focused architect roles, even when candidates have equivalent experience. The cert pairs naturally with the Developer Associate (DVA-C02) and CloudOps Engineer Associate (SOA-C03) to complete the "associate trifecta", and is the standard prerequisite-by-convention for the Solutions Architect Professional (SAP-C02). It does NOT by itself qualify candidates for senior-architect titles, professional-services consulting, or specialty roles in security or networking β those expect SAP-C02 or specialty certs plus shipped enterprise work.
There are no formal prerequisites. AWS recommends at least one year of hands-on experience designing AWS solutions, including familiarity with compute, networking, storage, databases, and the AWS shared-responsibility model.
Most candidates either start with SAA-C03 directly (if they already have AWS exposure) or pass the Cloud Practitioner (CLF-C02) first to absorb terminology. CLF-C02 is highly recommended for career changers without prior AWS experience β it cuts SAA-C03 prep time substantially. Candidates from a software-engineering background who have deployed even one production AWS workload usually find SAA-C03 attainable; pure on-prem or non-cloud backgrounds should plan extra time on networking (VPC, subnets, route tables, NAT/IGW), IAM, and the major storage classes.
SAA-C03 is rated Associate and sits in the middle of the AWS difficulty spectrum β accessible with focused study but unforgiving of shallow preparation. Plan 60β90 hours over 6β10 weeks for candidates with some AWS exposure; 120+ hours over 12β16 weeks for those starting from scratch. The exam is 65 scored questions in 130 minutes β multiple-choice and multiple-response, no hands-on labs.
The most common stumbling block is scenario interpretation: questions frequently present three or four technically valid solutions and require choosing the BEST one against constraints (cost, operational overhead, latency, durability). Heavy practice with full-length scenario question banks is more valuable than re-reading service documentation. Other recurring pitfalls include nuanced VPC traffic flows (gateway vs. interface endpoints, transit gateway routing), Aurora vs. RDS feature differences, and S3 storage-class lifecycle math.
Current version. Updated to include broader coverage of serverless (Lambda, API Gateway, Step Functions), data services, and modern security patterns. Minor exam-guide refresh in 2024 added GenAI-adjacent service awareness.
Retired in mid-2022. Expanded resilience and data-protection coverage relative to C01.
Original associate-level revision after the 2018 exam restructure. Long retired.
SAA-C03 (AWS Certified Solutions Architect Associate) is a a moderately difficult exam expecting practical hands-on experience plus solid understanding of best practices Associate-level exam. Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80β150 hours of study spread over 6β12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SAA-C03 is a recognized credential in the AWS ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals β it tends to pay off most for cloud engineers, architects, and consultants who work with AWS day-to-day or want to move into roles that do.
The passing score for SAA-C03 is 720 / 1000. The exam contains 65 questions and lasts 2 hr 10 min.
The SAA-C03 exam fee is $150 USD. Fees are set by AWS and may vary by region; always confirm the current price on the official AWS certification page before booking.
AWS certifications are valid for 3 years. Recertify by passing the current version of the same exam, or by passing a higher-level exam in the same path before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SAA-C03. The exam-simulation mode mirrors the real exam: 65 questions in 2 hr 10 min, with the same passing threshold of 720 / 1000. Browse mode lets you read every Q&A statically.