SAA-C03 Syllabus — Objectives by Domain

Blueprint-aligned learning objectives for AWS Solutions Architect Associate (SAA-C03), organized by domain with quick links to targeted practice.

Use this syllabus as your source of truth for SAA-C03. Work through each domain in order and drill targeted sets after every section.

What’s covered

Domain 1: Design Secure Architectures (30%)

Task 1.1 - Design secure access to AWS resources

  • Explain access control strategies and management patterns across multiple AWS accounts.
  • Describe how AWS federated access and identity services such as IAM and IAM Identity Center enable secure access.
  • Relate AWS global infrastructure components like Availability Zones and Regions to access design decisions.
  • Apply AWS security best practices, including the principle of least privilege, to access architectures.
  • Interpret the AWS shared responsibility model when defining access controls and ownership.
  • Enforce security controls for IAM users and root accounts, including MFA and credential hygiene.
  • Design flexible authorization models that combine IAM users, groups, roles, and policies.
  • Architect role-based access control strategies leveraging AWS STS, role switching, and cross-account patterns.
  • Define multi-account security strategies with AWS Control Tower and service control policies.
  • Decide whether a resource-based policy, an identity-based policy, or an SCP best meets the access-control requirement.
  • Design a federation strategy that uses IAM roles for centralized authentication from an external directory service (on-premises or cloud).
  • Share resources across accounts with AWS Resource Access Manager (AWS RAM) and govern with AWS Organizations and service control policies (SCPs).

Task 1.2 - Design secure workloads and applications

  • Secure application configurations and credential management across workloads.
  • Differentiate AWS service endpoint options and their security implications.
  • Control ports, protocols, and network traffic flows to protect AWS workloads.
  • Design secure application access patterns for users, services, and APIs.
  • Select appropriate AWS security services (for example Cognito, GuardDuty, Macie, Shield, WAF, Secrets Manager) to protect applications.
  • Explain mitigation options for external threat vectors such as DDoS or SQL injection.
  • Design VPC architectures that incorporate security groups, route tables, network ACLs, and NAT gateways.
  • Choose network segmentation strategies using public and private subnets.
  • Secure connectivity to and from AWS through VPN, AWS Direct Connect, and related external network options.
  • Decide when AWS Network Firewall or AWS Firewall Manager is required in a design.
  • Choose services such as Amazon Detective, Inspector or Security Hub to aggregate and surface security findings.

Task 1.3 - Determine appropriate data security controls

  • Define data access governance models and controls for AWS workloads.
  • Plan data recovery mechanisms to meet business requirements.
  • Establish data retention and classification approaches for regulated workloads.
  • Select appropriate encryption techniques and key management strategies.
  • Align AWS services and configurations to meet compliance obligations.
  • Implement encryption at rest with AWS KMS across storage and database services.
  • Enforce encryption in transit using AWS Certificate Manager and TLS.
  • Design and enforce access policies for encryption keys.
  • Implement data backup and replication strategies to protect critical information.
  • Create policies for data access, lifecycle management, and protection.
  • Plan key rotation and certificate renewal processes that satisfy compliance and availability requirements.
  • Automate backups and retention across services with AWS Backup.
  • Discover and classify sensitive data with Amazon Macie to inform protective controls.

Domain 2: Design Resilient Architectures (26%)

Task 2.1 - Design scalable and loosely coupled architectures

  • Design APIs with Amazon API Gateway and related services to enable scalable interfaces.
  • Select managed AWS services such as AWS Transfer Family, Amazon SQS, and AWS Secrets Manager for decoupled workloads.
  • Apply caching strategies to improve scalability and reduce latency.
  • Differentiate microservices design principles, including stateless versus stateful workloads.
  • Architect event-driven solutions using AWS messaging and streaming services.
  • Evaluate horizontal and vertical scaling approaches for workload components.
  • Use edge acceleration options like Amazon CloudFront to improve user performance.
  • Plan containerization strategies when migrating applications into containers.
  • Choose appropriate load balancing options such as Application Load Balancer.
  • Design multi-tier architectures that separate presentation, application, and data layers.
  • Implement queuing and messaging patterns, including publish/subscribe.
  • Adopt serverless technologies and patterns with AWS Fargate and AWS Lambda.
  • Match storage types (object, file, block) to workload characteristics.
  • Select container orchestration platforms like Amazon ECS and Amazon EKS.
  • Determine when to use read replicas to offload workloads and increase scalability.
  • When GraphQL fits, design APIs with AWS AppSync in addition to Amazon API Gateway.
  • Orchestrate multi-step business workflows with AWS Step Functions.
  • Route and normalize application events with Amazon EventBridge.
  • Decide when to use AWS Global Accelerator versus Amazon CloudFront or Route 53 latency-based routing.

Task 2.2 - Design highly available and fault-tolerant architectures

  • Explain AWS global infrastructure components, including Availability Zones, Regions, and Amazon Route 53, when designing resilience.
  • Match AWS managed services to use cases that increase availability and fault tolerance.
  • Apply networking fundamentals such as route tables to resilient architectures.
  • Evaluate disaster recovery strategies like backup and restore, pilot light, warm standby, and multi-site active-active with defined RPO and RTO targets.
  • Use distributed design patterns to avoid single points of failure.
  • Plan failover strategies and automation for workload continuity.
  • Adopt immutable infrastructure approaches to speed recovery and consistency.
  • Select and configure load balancing options such as Application Load Balancer.
  • Incorporate proxy capabilities, including Amazon RDS Proxy, to improve failover handling.
  • Incorporate service-quota and throttling limits into the resilient architecture design.
  • Choose storage services with durability and replication characteristics that meet availability goals.
  • Map workload KPIs to CloudWatch metrics, alarms and, when needed, AWS X-Ray traces to validate availability targets.
  • Automate infrastructure deployment to maintain integrity during failover events.
  • Implement designs that mitigate single points of failure across components.
  • Ensure data durability and availability with backup and replication workflows.
  • Choose disaster recovery approaches aligned to business requirements and constraints.
  • Enhance reliability for legacy or non-cloud-native applications using AWS services when refactoring is not possible.
  • Leverage purpose-built AWS services to meet resilience goals efficiently.
  • Design throttling or retry strategies that protect back-end services during failover and regional evacuation.

Domain 3: Design High-Performing Architectures (24%)

Task 3.1 - Determine high-performing and scalable storage solutions

  • Compare hybrid storage solutions (e.g., AWS Storage Gateway) and cloud-native services based on business, performance, and cost requirements.
  • Select the appropriate AWS storage service (e.g., Amazon S3, Amazon EFS, Amazon EBS) by evaluating a workload's access patterns against the characteristics of object, file, and block storage.
  • Design scalable storage configurations (e.g., S3 performance tiers, EBS volume types, EFS performance modes) to meet specific throughput, IOPS, and future growth projections.

Task 3.2 - Design high-performing and elastic compute solutions

  • Match AWS compute services such as AWS Batch, Amazon EMR, and AWS Fargate to workload patterns.
  • Apply distributed computing concepts supported by AWS global and edge services.
  • Incorporate queuing and messaging concepts to decouple compute components.
  • Use scalability capabilities like Amazon EC2 Auto Scaling and AWS Auto Scaling in appropriate scenarios.
  • Adopt serverless technologies and patterns with AWS Lambda and AWS Fargate for elastic compute.
  • Select container orchestration options such as Amazon ECS and Amazon EKS.
  • Decouple workloads so that components can scale independently.
  • Identify metrics and conditions that trigger scaling actions.
  • Choose compute options and features, including EC2 instance types, to meet business requirements.
  • Select resource sizes, such as Lambda memory allocations, aligned to performance objectives.

Task 3.3 - Determine high-performing database solutions

  • Relate AWS global infrastructure choices to database deployment strategies.
  • Apply caching strategies with services like Amazon ElastiCache to improve database performance.
  • Differentiate data access patterns such as read-intensive versus write-intensive workloads.
  • Plan database capacity using capacity units, instance classes, and Provisioned IOPS.
  • Design secure and efficient database connectivity, including the use of proxies.
  • Select database engines for heterogeneous and homogeneous migration scenarios.
  • Configure database replication, including read replicas, to satisfy performance and availability goals.
  • Choose between relational, non-relational, serverless, and in-memory database services based on requirements.
  • Design database architectures that support performance targets.
  • Select suitable database engines such as MySQL or PostgreSQL.
  • Determine appropriate database services like Amazon Aurora or Amazon DynamoDB.
  • Integrate caching layers to meet latency objectives.

Task 3.4 - Determine high-performing and scalable network architectures

  • Match edge networking services such as Amazon CloudFront and AWS Global Accelerator to use cases.
  • Design network architectures that include subnet tiers, routing, and IP addressing.
  • Apply load balancing concepts, including Application Load Balancer, to meet performance needs.
  • Evaluate network connectivity options like AWS VPN, AWS Direct Connect, and AWS PrivateLink.
  • Create network topologies for global, hybrid, and multi-tier architectures.
  • Plan network configurations that scale with future demand.
  • Determine optimal resource placement across networks to meet business requirements.
  • Select appropriate load balancing strategies for different traffic patterns.

Task 3.5 - Determine high-performing data ingestion and transformation solutions

  • Match data analytics and visualization services such as Amazon Athena, AWS Lake Formation, and Amazon QuickSight to use cases.
  • Assess data ingestion patterns, including frequency and volume, for performance impact.
  • Select data transfer services like AWS DataSync and AWS Storage Gateway for pipeline requirements.
  • Choose data transformation services such as AWS Glue for processing workloads.
  • Secure access to ingestion endpoints and pipelines.
  • Size and scale ingestion pipelines to meet business throughput and latency needs.
  • Apply streaming data services like Amazon Kinesis to high-velocity workloads.
  • Build and secure data lakes on AWS.
  • Design data streaming architectures for durable and timely processing.
  • Implement data transfer solutions that balance performance and cost.
  • Develop visualization strategies that surface operational insights.
  • Select compute options such as Amazon EMR for data processing tasks.
  • Configure ingestion services to align with workload characteristics.
  • Transform data between formats such as CSV and Parquet to optimize performance.
  • Choose Amazon MSK (Managed Streaming for Apache Kafka) vs Amazon Kinesis based on compatibility, operational control and throughput requirements.

Domain 4: Design Cost-Optimized Architectures (20%)

Task 4.1 - Design cost-optimized storage solutions

  • Evaluate access options such as S3 Requester Pays when optimizing storage costs.
  • Use AWS cost management features like cost allocation tags and consolidated billing to manage storage spend.
  • Leverage AWS cost management tools including AWS Cost Explorer, AWS Budgets, and the Cost and Usage Report.
  • Match storage services such as Amazon FSx, Amazon EFS, Amazon S3, and Amazon EBS to cost and performance requirements.
  • Plan backup strategies that balance durability needs with budget constraints.
  • Select between SSD and HDD block storage volumes based on workload characteristics.
  • Design data lifecycles that align storage classes to access patterns.
  • Incorporate hybrid storage options like AWS DataSync, AWS Transfer Family, and AWS Storage Gateway.
  • Analyze storage access patterns to choose efficient architectures.
  • Apply storage tiering strategies for cold and archival data.
  • Choose storage types such as object, file, and block to meet cost goals.
  • Design storage strategies that right-size performance and throughput.
  • Size storage solutions appropriately for workload demand.
  • Determine the most economical data transfer methods into AWS storage.
  • Identify when storage auto scaling features are required.
  • Manage S3 object lifecycles to control retention costs.
  • Select backup or archival solutions that fit compliance and cost needs.
  • Choose services for data migration into storage platforms.
  • Select the right storage tier for data access patterns.
  • Define data lifecycle policies that minimize waste.
  • Select the most cost-effective storage service for each workload.

Task 4.2 - Design cost-optimized compute solutions

  • Apply AWS cost management features such as cost allocation tags and consolidated billing to compute workloads.
  • Use AWS cost management tools like Cost Explorer, AWS Budgets, and the Cost and Usage Report to track compute spend.
  • Factor AWS global infrastructure choices into cost-optimized compute designs.
  • Select purchasing options including Spot Instances, Reserved Instances, and Savings Plans for workload patterns.
  • Incorporate distributed compute strategies such as edge processing where appropriate.
  • Adopt hybrid compute options like AWS Outposts and AWS Snowball Edge when required.
  • Choose instance families, types, and sizes that balance price and performance.
  • Optimize compute utilization through containers, serverless computing, and microservices.
  • Apply scaling strategies such as auto scaling and hibernation to manage spend.
  • Determine load balancing strategies across Application, Network, and Gateway Load Balancers.
  • Select scaling methods for elastic workloads, including horizontal versus vertical approaches.
  • Choose cost-effective compute services like AWS Lambda, Amazon EC2, and AWS Fargate for given use cases.
  • Set availability targets for production and non-production workloads while controlling costs.
  • Select appropriate instance families for workload characteristics.
  • Right-size instance selections to match resource demand.

Task 4.3 - Design cost-optimized database solutions

  • Apply AWS cost management features and consolidated billing practices to database workloads.
  • Track database spending with AWS Cost Explorer, AWS Budgets, and the Cost and Usage Report.
  • Use caching strategies to reduce database cost and improve performance.
  • Align data retention policies with cost optimization goals.
  • Plan database capacity, including capacity units and sizing, to avoid overprovisioning.
  • Design secure and efficient database connectivity with proxies when required.
  • Match database engines to migration scenarios and workload characteristics.
  • Implement replication patterns such as read replicas to meet demand cost-effectively.
  • Select relational, non-relational, serverless, or in-memory database services based on cost and use case.
  • Define backup and retention policies that balance resilience with spend.
  • Choose database engines such as MySQL or PostgreSQL according to requirements.
  • Select cost-effective AWS database services like Amazon RDS, Amazon Aurora, or Amazon DynamoDB.
  • Evaluate specialised data formats such as time-series or columnar when selecting analytics solutions.
  • Plan migrations of database schemas and data across engines or locations while controlling costs.

Task 4.4 - Design cost-optimized network architectures

  • Use AWS cost management features and tools to monitor network-related spend.
  • Apply load balancing concepts when evaluating cost impacts.
  • Compare NAT instance and NAT gateway approaches for cost efficiency.
  • Select network connectivity options such as private lines, dedicated lines, and VPNs based on budget and requirements.
  • Plan network routing, topology, and peering with services like AWS Transit Gateway and VPC peering to control costs.
  • Match AWS network services such as Amazon Route 53 (DNS) to economically meet workload needs.
  • Configure NAT gateway placements to balance redundancy with expense.
  • Select connection methods among AWS Direct Connect, VPN, and internet-based access for cost efficiency.
  • Optimize network routes, including the use of Global Accelerator and VPC endpoints, to minimize transfer charges.
  • Determine when to use content delivery networks and edge caching for cost and performance benefits.
  • Review existing workloads for network cost optimization opportunities.
  • Select throttling strategies that limit unnecessary data transfer.
  • Allocate bandwidth across network devices, such as single versus multiple VPNs or Direct Connect speeds, to meet demand cost-effectively.

Tip: After finishing a domain, take a 20–25 question drill focused on that domain, then revisit any weak objectives before moving on.