AWS Solutions Architect Cheat Sheet

Secure Architectures

30% of exam

Topics: Secure Access, Data Security, Network Security, IAM Role vs User, KMS vs Secrets

Resilient Architectures

26% of exam

High-Performing Architectures

24% of exam

Cost-Optimized Architectures

20% of exam

Topics: Pricing Models, Storage Cost, Compute Cost, Cost Tools, Cost Picker

Quick Facts

Exam
SAA-C03
Credential
Solutions Architect Associate
Questions
65 total
Scored
50 questions
Time
130 min
Pass
720/1000
Cost
$150 USD
Level
Associate
Experience
1 year recommended
Validity
3 years

Domain Weights

Secure leads; cost finishes

Secure 30 / Resilient 26 / Performance 24 / Cost 20

IAM User vs Role

IAM user

  • Long-term credentials
  • Human or workload
  • Avoid shared keys

IAM role

  • Temporary credentials
  • Assumed access
  • Preferred pattern

Permanent vs temporary

Security Picker

  1. Human AWS access: Identity Center (SSO)
  2. Temporary app access: IAM role (STS)
  3. Cross-account access: IAM role (Trust policy)
  4. Account guardrails: SCP (Organizations)
  5. Encrypt S3 objects: SSE-KMS (Audit keys)
  6. Rotate database secret: Secrets Manager (Managed rotation)
  7. Find PII in S3: Macie (Discovery)
  8. Block SQL injection: WAF (Layer 7)

Secure Access

Root user
Break-glass only
MFA
Extra factor
IAM user
Long-term identity
IAM role
Temporary access
Policy
JSON permissions
STS
Temporary credentials
SCP
Account guardrail
Identity Center
Workforce SSO
Resource policy
Service-side access

SG vs NACL

Security group

  • Instance level
  • Stateful
  • Allow only

NACL

  • Subnet level
  • Stateless
  • Allow and deny

Instance vs subnet

Data Security

KMS
Key management
SSE-S3
S3-managed keys
SSE-KMS
KMS-managed keys
SSE-C
Customer-provided keys
Client encryption
Encrypt before upload
ACM
TLS certificates
Secrets Manager
Rotating secrets
Macie
Sensitive data discovery
Object Lock
WORM retention

KMS vs Secrets Manager

KMS

  • Encryption keys
  • Envelope encryption
  • Key policies

Secrets Manager

  • Store secrets
  • Rotate credentials
  • Retrieve values

Keys vs secrets

Network Security

Security group
Stateful instance firewall
NACL
Stateless subnet firewall
Public subnet
Route to IGW
Private subnet
No inbound internet
NAT gateway
Outbound private internet
VPC endpoint
Private AWS access
WAF
Layer 7 filtering
Shield
DDoS protection
Network Firewall
Managed VPC firewall

DR Ladder

Backup, pilot, warm, active

Cheapest / Core / Scaled / Fastest

Multi-AZ vs Multi-Region

Multi-AZ

  • One Region
  • Fast failover
  • Lower complexity

Multi-Region

  • Region outage
  • Higher cost
  • DR strategy

Local vs regional

Resilience Picker

  1. Remove instance SPOF: ALB + ASG (Multi-AZ)
  2. Relational failover: RDS Multi-AZ (Standby)
  3. Loose coupling: SQS (Buffer)
  4. Fanout messages: SNS (Pub/sub)
  5. Event routing: EventBridge (Bus)
  6. Ordered workflow: Step Functions (State machine)
  7. Low-cost DR: Backup restore (Slowest)
  8. Lowest RTO: Active-active (Costliest)

Resilient Patterns

Multi-AZ
Local failover
Multi-Region
Regional disaster tolerance
Auto Scaling
Fleet elasticity
ELB
Traffic distribution
Route 53
DNS failover
Health checks
Route around failure
Immutable deploy
Replace, not patch
Pilot light
Minimal standby
Warm standby
Scaled-down standby

SQS vs SNS

SQS

  • Queue
  • Pull consumers
  • Buffer spikes

SNS

  • Topic
  • Push fanout
  • Many subscribers

Queue vs broadcast

Disaster Recovery

RPO
Maximum data loss
RTO
Maximum downtime
Backup restore
Lowest cost DR
Pilot light
Core always running
Warm standby
Reduced live stack
Active-active
Two live Regions
AWS Backup
Central backup policies
S3 CRR
Cross-Region object copy

Decoupling

SQS
Message queue
SNS
Pub/sub fanout
EventBridge
Event routing
Step Functions
Workflow orchestration
API Gateway
Managed API front
Lambda
Event functions
DLQ
Failed message capture
RDS Proxy
Connection pooling

Storage Types

S3 objects, EBS blocks, EFS files

Object / Block / File

ALB vs NLB

ALB

  • HTTP routing
  • Path rules
  • Layer 7

NLB

  • TCP/UDP
  • Static IPs
  • Layer 4

HTTP vs TCP

Performance Picker

  1. Need OS tuning: EC2 (Instances)
  2. Short event work: Lambda (Serverless)
  3. Containers without servers: Fargate (Managed compute)
  4. Static global content: CloudFront (Cache)
  5. TCP low latency: NLB (Layer 4)
  6. HTTP path routing: ALB (Layer 7)
  7. Read-heavy SQL: Read replicas (Scale reads)
  8. Hot key-value reads: DAX (DynamoDB cache)

Compute

EC2
OS control
Lambda
Short event code
Fargate
Serverless containers
ECS
AWS container orchestration
EKS
Managed Kubernetes
Batch
Batch scheduling
EMR
Big data clusters
Beanstalk
Managed app platform
Outposts
AWS on-premises

Well-Architected

OPSERS frames better choices

Operations / Security / Reliability / Performance / Cost / Sustainability

S3 vs EBS

S3

  • Object storage
  • Regional durability
  • HTTP access

EBS

  • Block volume
  • AZ scoped
  • Attach EC2

Objects vs blocks

Storage

S3
Object storage
EBS
AZ block volume
EFS
Regional Linux file
FSx
Managed file systems
Glacier
Archive storage
Storage Gateway
Hybrid storage
DataSync
Online transfer
Transfer Family
Managed SFTP
Snow Family
Offline transfer

RDS vs DynamoDB

RDS

  • Relational SQL
  • Joins
  • Instance sizing

DynamoDB

  • Key-value
  • Serverless scale
  • Single-digit ms

SQL vs NoSQL

Database

RDS
Managed relational
Aurora
AWS relational engine
DynamoDB
Serverless key-value
ElastiCache
In-memory cache
Redshift
Data warehouse
DocumentDB
Document database
Neptune
Graph database
RDS replica
Read scaling
DynamoDB DAX
Microsecond cache

CloudFront vs Global Accelerator

CloudFront

  • Caches content
  • HTTP workloads
  • Edge TTL

Global Accelerator

  • No caching
  • Anycast ingress
  • TCP/UDP

Cache vs accelerate

Networking

ALB
Layer 7 routing
NLB
Layer 4 speed
GWLB
Appliance insertion
CloudFront
CDN cache
Global Accelerator
Anycast acceleration
Direct Connect
Private circuit
Site VPN
Encrypted internet
Transit Gateway
Network hub
PrivateLink
Private service access

Analytics Ingest

Kinesis Streams
Real-time records
Firehose
Managed delivery
Glue
ETL catalog
Athena
SQL on S3
Lake Formation
Data lake governance
OpenSearch
Search analytics
QuickSuite
BI dashboards
MSK
Managed Kafka

Pricing Fit

Steady commits; interruptible spots

Reserved / Savings Plans / Spot / On-Demand

Reserved vs Savings Plans

Reserved

  • Instance attributes
  • RDS supported
  • Capacity option

Savings Plans

  • Spend commitment
  • Compute flexible
  • No capacity

Specific vs flexible

Cost Picker

  1. Steady EC2 use: Reserved (Commitment)
  2. Flexible compute use: Savings Plans (Commitment)
  3. Interruptible jobs: Spot (Cheapest)
  4. Unknown traffic: On-Demand (Flexible)
  5. Rare S3 access: Glacier (Archive)
  6. Unknown S3 access: Intelligent-Tiering (Automatic)
  7. Find waste: Cost Explorer (Analysis)
  8. Alert overspend: Budgets (Thresholds)

Cost Optimization

On-Demand
No commitment
Reserved
Steady instances
Savings Plans
Flexible commitment
Spot
Interruptible savings
Compute Optimizer
Rightsizing recommendations
Cost Explorer
Spend analysis
Budgets
Spend alerts
CUR
Detailed cost data
Lifecycle
Automatic tiering
Intelligent-Tiering
Access-based S3 tiers

Common Traps

Shared responsibility

AWS secures the infrastructure; the customer secures their data

Private subnet outbound

NAT gateway for the internet; VPC endpoint for AWS APIs

SG vs NACL

SG is stateful; NACL is stateless

Multi-AZ reads

Standby is not readable; read replica scales reads

SQS vs SNS

SQS buffers; SNS fans out

Object Lock modes

Compliance mode blocks even root; Governance mode permits bypass

Spot workloads

Spot can be interrupted; On-Demand stays available

Cost tools

Cost Explorer analyzes; Budgets alerts

CloudFront vs S3 TA

CloudFront accelerates downloads; Transfer Acceleration accelerates uploads

VPN vs Direct Connect

VPN uses the internet; DX uses a private circuit

Last Minute

  1. Weights: 30/26/24/20
  2. 720 pass; 50 scored
  3. Role beats shared keys
  4. SCP limits accounts
  5. SG stateful; NACL stateless
  6. NAT outbound; IGW inbound
  7. S3 objects; EBS blocks
  8. EFS spans multiple AZs
  9. RDS Multi-AZ is standby
  10. Read replicas scale reads
  11. SQS buffers; SNS fans out
  12. Spot fits interruptible jobs
  13. Budgets alert; Explorer analyzes
  14. CloudFront caches at edge