Why most people study for this exam wrong
Most people fail the AWS Solutions Architect Associate exam not because they don't know AWS, but because they studied it like a glossary. They can recite what every service does. Then the exam hands them four architectures that all technically work, and asks which one is optimal for these specific constraints, and they freeze. The SAA-C03 doesn't test recall. It tests judgement under trade-offs.
I've sat with 350+ engineers preparing for this exam. The ones who pass on the first try aren't the ones who studied the most services; they're the ones who built a decision model. This guide is the 8-week plan I give them: what the exam actually weights, the services that show up over and over, what you can safely ignore, and the one mindset shift that turns guessing into reasoning.
Who this is for
You have roughly 6–12 months of hands-on AWS (or you've finished a foundations path) and you can give 8–10 focused hours a week. You want to pass the **SAA-C03** on the first attempt without grinding 200 hours of video. If you've never touched the console, do the [networking lab](/labs/networking) and [Terraform lab](/labs/terraform) first; the exam assumes you've built things, not just watched them.
What the exam actually tests
The SAA-C03 is 65 questions in 130 minutes, with a passing score of 720 out of 1000 (scaled, so it's not a flat 72%). About 15 of those questions are unscored research items; you won't know which, so treat all 65 as real. Every question is scenario-based: a paragraph of business requirements, then four candidate designs.
| Domain | Weight | What it really asks |
|---|---|---|
| Design Secure Architectures | 30% | IAM least-privilege, encryption at rest/in transit, network isolation, who-can-do-what |
| Design Resilient Architectures | 26% | Multi-AZ, decoupling, failover, recovery objectives (RTO/RPO) |
| Design High-Performing Architectures | 24% | Right storage/compute/database for the access pattern, caching, scaling |
| Design Cost-Optimized Architectures | 20% | Cheapest option that still meets the requirement, pricing models, storage tiers |
Notice that security is the single heaviest domain, and resilience is right behind it. Together they're more than half the exam. If you only had time to master two things, you'd master IAM and Multi-AZ patterns and still clear the bar on a good day.
Watch out
The most common failure mode is memorizing services instead of understanding trade-offs. Every wrong answer is engineered to be plausible; often it's a service that *works* but is more expensive, less available, or solves a slightly different problem. You have to know *why* the right answer is right, not just that the service exists.
The 8-week plan
This plan front-loads the foundation, layers data and scale on top, then spends the final two weeks doing nothing but practice exams and gap-closing. Each week is one step: do the reading, then build the thing in the console or with Terraform so it sticks.
1. Weeks 1–2: The non-negotiable foundation
   IAM, VPC, EC2, S3. Every single question touches one of these. Get IAM policies, roles vs users, public vs private subnets, security groups vs NACLs, and S3 storage classes truly solid before moving on. This is the bedrock everything else sits on.
2. Weeks 3–4: Data and messaging
   RDS, DynamoDB, ElastiCache, SQS, SNS. Learn when a relational store beats a key-value store, when to cache, and how queues decouple producers from consumers. The Multi-AZ vs Read Replica distinction (covered below) lives here; nail it.
3. Weeks 5–6: Scale and availability
   CloudFront, Route 53, ELB, Auto Scaling, Lambda. This is where resilience and performance questions are won: edge caching, DNS routing policies, health-check-based failover, and event-driven compute.
4. Week 7: Practice exams only
   No new content. Take full-length timed practice exams; Tutorials Dojo has the best question bank. After each one, review every question you got wrong AND every one you guessed right, and tag which domain it belonged to. Patterns of weakness will emerge fast.
5. Week 8: Targeted review and taper
   Revisit only your flagged weak domains. Light revision, re-read your own notes, no cramming new services. The day before, rest. Sharp beats stuffed.
Pro tip
On exam day: read **all four options before answering**, eliminate the obviously wrong ones first, and flag anything you're unsure of to revisit. With ~2 minutes per question you have time for one careful pass plus a review of flagged items.
The services that appear most (and what to know cold)
A handful of services carry the majority of the exam. Don't try to know everything about each; know the specific decisions and distinctions the exam tests. This table is the 80/20.
| Service | What to know cold |
|---|---|
| S3 | Storage classes (Standard, IA, One Zone-IA, Glacier tiers), lifecycle policies, cross-region replication, presigned URLs, bucket policies vs ACLs, encryption (SSE-S3 vs SSE-KMS) |
| VPC | Public vs private subnets, NAT Gateway vs NAT Instance, Security Groups (stateful) vs NACLs (stateless), VPC Peering vs Transit Gateway vs Site-to-Site VPN |
| IAM | Roles vs users, least privilege, policy evaluation (explicit deny wins), instance profiles, cross-account roles, identity federation |
| RDS | Multi-AZ vs Read Replicas (almost every exam), Aurora and Aurora Serverless, automated backups vs snapshots, parameter/option groups |
| Lambda | Concurrency and reserved concurrency, cold starts, execution role vs resource policy, supported event sources, the 15-minute limit |
| Route 53 + CloudFront | Routing policies (failover, latency, weighted, geolocation), health checks, CloudFront as a cache and TLS terminator, OAC for private S3 origins |
| ELB + Auto Scaling | ALB (layer 7) vs NLB (layer 4) vs GWLB, target groups, scaling policies, health checks driving replacement |
What to skip (yes, seriously)
Study time is a fixed budget, and the niche services have a brutal opportunity cost: every hour on Outposts is an hour not spent on IAM and VPC, which together appear in 40%+ of questions. Recognise these at a surface level so you can eliminate them when they're the *wrong* answer, but do not deep-dive them.
- Outposts: rarely appears; know it's "AWS hardware in your data center" and move on.
- Snow Family (Snowball/Snowmobile): surface level only; bulk offline data transfer.
- Wavelength / Local Zones: very rare; "ultra-low latency at the 5G/metro edge."
- AppSync: one or two questions at most; managed GraphQL.
- WorkSpaces / AppStream: non-core end-user computing; recognise, don't study.
- Detailed pricing math: you'll never compute a bill; you only compare *relative* cost between options.
The one distinction that fails the most candidates: Multi-AZ vs Read Replica
If you take one table away from this guide, take this one. Mixing up Multi-AZ and Read Replicas is the single most common reason people lose database questions, and database scenarios are everywhere. They sound similar and they're both "extra copies of your database," but they solve completely different problems.
| | Multi-AZ | Read Replica |
|---|---|---|
| Solves for | High availability | Read performance / scaling |
| Copy is | Standby (not readable) | Readable (serves read traffic) |
| Replication | Synchronous | Asynchronous (can lag) |
| On failure | Automatic failover to standby | No automatic failover (it's not for HA) |
| Pick when the scenario says | "survive an AZ outage," "automatic failover," "minimize downtime" | "offload reporting," "scale reads," "too many read queries" |
Pro tip
Quick rule: **Multi-AZ = availability (a hot standby that auto-fails-over). Read Replica = performance (extra readable copies you can scale to many regions).** If the keyword is "failover" or "downtime," it's Multi-AZ. If it's "read traffic" or "reporting load," it's a Read Replica. Some scenarios want both.
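The two mechanisms from the table, as they would look in Terraform (an added example, not from the original guide; the identifiers, engine, instance sizes and the `db_password` variable are assumptions). It shows the "some scenarios want both" case: one primary with a Multi-AZ standby for failover, plus a separate read replica for reporting traffic.

```hcl
# Added example: names, engine and sizes are illustrative assumptions.
variable "db_password" {
  type      = string
  sensitive = true
}

# Primary with Multi-AZ: RDS keeps a synchronous standby in another AZ.
# The standby serves no traffic; on failure RDS fails over to it
# automatically and the endpoint name stays the same.
resource "aws_db_instance" "primary" {
  identifier              = "orders-primary"
  engine                  = "postgres"
  instance_class          = "db.t3.medium"
  allocated_storage       = 50
  username                = "app"
  password                = var.db_password
  multi_az                = true # availability: hot standby + auto failover
  backup_retention_period = 7    # automated backups must be on to create replicas
  storage_encrypted       = true # encryption at rest
  skip_final_snapshot     = true # lab convenience only
}

# Read replica: an asynchronous, readable copy with its own endpoint.
# It offloads read/reporting queries and can lag behind the primary.
# It is not a failover target unless someone promotes it manually.
resource "aws_db_instance" "reporting_replica" {
  identifier          = "orders-reporting"
  replicate_source_db = aws_db_instance.primary.identifier
  instance_class      = "db.t3.medium"
  multi_az            = false
  skip_final_snapshot = true
}

# Two different endpoints: writes (and HA) go to the primary,
# reporting queries go to the replica.
output "write_endpoint" { value = aws_db_instance.primary.endpoint }
output "read_endpoint" { value = aws_db_instance.reporting_replica.endpoint }
```

The application has to be pointed at `read_endpoint` explicitly for reporting queries; enabling `multi_az` alone adds no read capacity.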
The mindset shift that changes everything
Here's the reframe that separates a pass from a fail. Stop asking *"what does this service do?"* and start asking *"when would I choose this service over a similar one, and why?"* The exam always gives you four options where three of them would work; your job is to find the one that's optimal for the constraints in the scenario.
That means reading the scenario for the constraint keyword first. The keyword tells you which axis the question is grading (cost, latency, availability, or operational simplicity), and that collapses four options down to one.
- Constraint is cost for rarely-accessed data → S3 Standard-IA or Glacier, not Standard.
- Constraint is low-latency reads at massive scale → DynamoDB, not RDS.
- Constraint is event-driven, spiky, short-running → Lambda, not an always-on EC2 instance.
- Constraint is multi-region failover → Route 53 health checks + CloudFront, not a single-region setup.
- Constraint is decouple a slow consumer → SQS between the services, not a synchronous call.
Build a decision tree, not a glossary. The glossary tells you what exists. The decision tree tells you what to pick.
Takeaways
The whole guide in seven lines
- 65 questions, 130 minutes, pass at 720/1000, and it's all scenario-based judgement, not recall.
- Security (30%) and Resilience (26%) are more than half the exam; weight your study accordingly.
- Weeks 1–2 foundation (IAM/VPC/EC2/S3), 3–4 data, 5–6 scale, 7–8 practice exams and gap-closing.
- Master the high-frequency services cold; recognise-but-skip the niche ones (Outposts, Snow, Wavelength).
- Multi-AZ = availability with auto-failover; Read Replica = read scaling. Never confuse them.
- Read for the **constraint keyword** (cost, latency, availability) to collapse four options to one.
- Think in decision trees: not "what does it do?" but "when would I pick it over the alternative?"
Where to go next
The exam rewards people who've actually built things, because the trade-off intuition only comes from doing. The fastest way to turn this study plan into real fluency is to build the patterns with your own hands.
- Cloud Engineer career path: the full role track. IAM, VPC, resilience, and cost are all covered as concepts with labs, which maps almost one-to-one onto the four exam domains.
- Networking lab: get subnets, routing, security groups vs NACLs into your fingers; this is where the heaviest exam domain lives.
- Terraform lab: provision VPCs, RDS Multi-AZ, and Auto Scaling groups in code so the architecture patterns become muscle memory, not flashcards.
Do the labs alongside the 8-week plan, not after it. By the time you hit Week 7's practice exams, you'll be recognising patterns you've actually built, and that's exactly the judgement the SAA-C03 is grading.