8.4 SAA-C03 Scenario Practice — Putting It All Together
Key Takeaways
- The SAA-C03 exam is 65 questions in 130 minutes; 50 are scored and 15 are unscored pretest items, and the passing score is 720 on a 100–1,000 scale.
- Read the LAST sentence first to find the key constraint — cost, availability, performance, security, operational overhead, or compliance — then match services to it.
- When several answers work, pick the one that BEST satisfies ALL stated constraints; the exam tests optimization, not mere functionality.
- Managed/serverless services (Aurora, Lambda, Fargate, DynamoDB) usually win 'least operational overhead'; steady workloads favor Reserved/Savings Plans, variable favors serverless, interruptible favors Spot.
- Security answers almost always reduce to least privilege, encryption with KMS, IAM roles over long-lived access keys, and preventive controls (SCPs, Object Lock) over detective ones (Config, CloudWatch).
Exam Logistics: The SAA-C03 exam is 65 questions in 130 minutes — 50 scored plus 15 unscored pretest items. You need a scaled score of 720 out of 1,000 to pass; AWS does not publish a fixed percentage because scaling varies by form. The registration fee is 150 USD (Associate tier), and Amazon is the vendor (Pearson VUE / online proctoring). Question types are multiple choice (one correct of four) and multiple response (two or more of five+).
How to Approach Scenario Questions
Step 1 — Read the last sentence first
The final sentence states what is being optimized. Map the keyword to a domain:
| Phrase in the question | Optimize for | Domain lens |
|---|---|---|
| 'most cost-effective' | Cost | Domain 4 |
| 'highly available / fault tolerant' | Availability | Domain 2 (Resilient) |
| 'most secure / least privilege' | Security | Domain 1 |
| 'best / highest performance' | Performance | Domain 3 |
| 'least operational overhead' | Managed/serverless | All domains |
Step 2 — Extract hard requirements
Hunt for numbers and absolutes: RPO/RTO values drive the disaster-recovery strategy (Backup & Restore → Pilot Light → Warm Standby → Multi-Site Active/Active, cheapest to most expensive). Traffic shape drives pricing (steady → Reserved/Savings Plans; spiky → On-Demand/serverless; interruptible → Spot). Access frequency drives the S3 storage class. The words 'cannot be deleted' or 'WORM' signal S3 Object Lock.
Step 3 — Eliminate the obviously wrong
Usually one or two options misuse a service (NLB for content/path-based routing — that is the ALB's job), violate a stated constraint (On-Demand in a 'most cost-effective' steady workload), or over/under-engineer (Multi-Region when the question only needs Multi-AZ).
Step 4 — Choose the BEST remaining answer
'Most cost-effective' means best value for the requirement, not absolute cheapest. 'Least operational overhead' means prefer managed/serverless. Prefer preventive controls (SCP, Object Lock, security groups) over detective ones (Config, CloudWatch, GuardDuty) when the goal is to stop something rather than detect it.
Common Service Pairings
Examiners reuse a small set of canonical architectures. Recognizing the pattern often answers the question before you finish reading the options.
| Scenario | Canonical combination |
|---|---|
| Serverless REST API | API Gateway + Lambda + DynamoDB |
| Highly available web tier | ALB + EC2 Auto Scaling + Multi-AZ RDS |
| Streaming ingest + real time | Kinesis Data Streams + Lambda |
| Stream → durable store | Kinesis Data Firehose → S3 |
| Data lake analytics | S3 + Glue + Athena |
| Global low-latency site | CloudFront + S3/ALB origin + Route 53 |
| Decoupled fan-out | SNS → multiple SQS queues → Lambda |
| Orchestrated multi-step workflow | Step Functions + Lambda (built-in retries/catch) |
| Container microservices | ECS/EKS on Fargate + ALB |
| Hybrid file/block storage | Storage Gateway + S3 |
| Multi-account governance | Organizations + SCPs + Control Tower |
| WORM compliance retention | S3 Object Lock (Compliance mode) |
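An added example, not part of the original guide: a Python check that audits the response of `aws s3api get-object-lock-configuration` against the WORM pairing in the last table row. The function name, the sample responses and the 365-days-per-year conversion are assumptions made for illustration.

```python
# Added example: audit a bucket's Object Lock default retention against a
# WORM requirement. The sample responses are constructed, not real buckets.

def audit_object_lock(response, required_years):
    """Return a list of findings; an empty list means the default retention passes."""
    cfg = response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]

    retention = cfg.get("Rule", {}).get("DefaultRetention")
    if not retention:
        return ["no default retention: new objects are protected only if "
                "each upload sets its own retention or legal hold"]

    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        # Governance mode is a softer control: principals holding
        # s3:BypassGovernanceRetention can still delete locked versions.
        findings.append(f"mode is {mode}, not COMPLIANCE")

    # DefaultRetention carries either Years or Days, never both.
    if "Years" in retention:
        long_enough = retention["Years"] >= required_years
    else:
        # Assumption for this example: compare days using 365 per year.
        long_enough = retention.get("Days", 0) >= required_years * 365
    if not long_enough:
        findings.append(f"retention is shorter than {required_years} years")
    return findings


# Constructed sample responses in the shape of GetObjectLockConfiguration.
COMPLIANT = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 5}}}}
WEAK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}}}
NOT_LOCKED = {}

if __name__ == "__main__":
    for name, resp in [("compliant", COMPLIANT), ("weak", WEAK),
                       ("not locked", NOT_LOCKED)]:
        print(name, "->", audit_object_lock(resp, 5) or "OK")
```

The check covers only the bucket's default retention; objects uploaded with their own retention settings would need a per-object check.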
Decoupling Tells
- SQS = buffer/queue, one consumer group pulls, smooths spikes, decouples producer from consumer.
- SNS = pub/sub fan-out, push to many subscribers at once.
- EventBridge = event bus with content-based routing, schema registry, and SaaS/partner event sources.
- Step Functions = visual workflow with per-step retries, catch, and failure marking.
Final Readiness Checklist
Before exam day, be able to explain on demand:
- Security groups (stateful, instance-level) vs NACLs (stateless, subnet-level)
- ALB (Layer 7, path/host routing) vs NLB (Layer 4, static IP, extreme throughput) vs GWLB (inline appliances)
- Multi-AZ (HA, synchronous standby) vs Multi-Region (DR, latency) vs read replicas (read scaling, async)
- The four DR strategies ranked by RPO/RTO and cost
- S3 storage classes mapped to access patterns; lifecycle transitions
- EC2 vs Lambda (15-min cap) vs Fargate vs ECS/EKS selection
- RDS vs Aurora vs DynamoDB vs ElastiCache vs Redshift by workload
- SQS vs SNS vs EventBridge vs Step Functions
- EC2 pricing: On-Demand vs Reserved/Savings Plans vs Spot vs Dedicated
- Cross-account roles, permission boundaries, SCPs, and IAM Access Analyzer
- VPC peering vs Transit Gateway vs Direct Connect vs Site-to-Site VPN
Common Trap: Watch for stale per-service limits. For example, RDS for Oracle now supports up to 15 read replicas (the same as MySQL/MariaDB/PostgreSQL), though AWS still recommends keeping replicas low to limit replication lag — do not assume Oracle is capped at 5.
Time Management and Pacing
With 65 questions in 130 minutes you have roughly two minutes per question. Scenarios are wordy, so a practical tactic is to read the final sentence, scan the options, then read the body only for the details that decide between surviving options. Flag and skip any question that would take more than ~3 minutes; the exam lets you mark items for review and return. Because there is no penalty for wrong answers, never leave a blank — eliminate the clearly wrong choices and guess among the rest. Aim to finish the first pass with 15–20 minutes left for flagged items.
Domain Weighting (SAA-C03)
Knowing where the points are guides your final review:
| Domain | Focus | Weight |
|---|---|---|
| 1 — Secure Architectures | IAM, encryption/KMS, network security | 30% |
| 2 — Resilient Architectures | HA, decoupling, DR, fault tolerance | 26% |
| 3 — High-Performing Architectures | Caching, storage/DB selection, scaling | 24% |
| 4 — Cost-Optimized Architectures | Pricing models, storage classes, right-sizing | 20% |
Security and resilience together are more than half the exam, so weight your last-minute review toward IAM mechanisms, encryption defaults, Multi-AZ vs Multi-Region, and the DR strategy ladder.
Final Tips
- Prefer managed/serverless when 'operational overhead' appears.
- Prefer preventive controls (SCP, Object Lock, security groups) when the goal is to stop an action; prefer detective services (Config, GuardDuty, CloudWatch) when the goal is to detect or alert.
- 'Decouple', 'absorb spikes', or 'process independently' → SQS; 'notify many subscribers' → SNS; 'route events by content from many sources' → EventBridge.
- Encryption is expected by default: KMS for keys, encryption at rest for EBS/RDS/S3, TLS in transit.
A web app on EC2 behind an ALB stores session data on each instance, so users lose their carts when routed to a different instance. The fix must keep high availability with the LEAST operational overhead. What should the architect recommend?
A company migrating from on-premises Oracle wants a fully managed AWS database that preserves Oracle-specific SQL, supports Multi-AZ failover, and can add many read replicas to scale reads. Which is the BEST choice?
Regulators require that objects in an S3 bucket cannot be deleted or altered by ANYONE — including the root user — for 5 years. What should be configured?
A nightly batch job runs about 4 hours, is fault-tolerant, and can restart if interrupted, with input in S3. Which compute option is MOST cost-effective?