AWS SAA-C03: where most people lose points.
The SAA-C03 covers four design domains. On paper they're weighted 30/26/24/20, but in practice two of them are where most candidates leak points: Security and Cost-Optimized. Here's why, and what to drill.
Domain 1: Design Secure Architectures (30%).
Biggest domain, and the one with the most traps. Candidates lose points on:
- IAM roles vs IAM users on EC2 (always roles, never long-lived access keys on an instance)
- Least privilege with tag-based conditions (ABAC)
- Security group chaining (SG references other SGs, not CIDR ranges)
- KMS customer-managed keys vs AWS-managed keys
- S3 encryption options: SSE-S3 vs SSE-KMS vs SSE-C, and when each one applies
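A tag-based least-privilege (ABAC) policy of the kind the list above refers to, added here as an illustration and not taken from the original post. The tag key `project` is an assumed name; the first statement lets a principal start or stop only instances whose `project` tag matches its own, and the second stops that principal from changing the tag the decision depends on.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartStopOnlyOwnProjectInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}"
        }
      }
    },
    {
      "Sid": "DenyChangingProjectTag",
      "Effect": "Deny",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": ["project"]
        }
      }
    }
  ]
}
```

A principal with no `project` tag matches nothing in the first statement, so an untagged role gets no access by default.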
Domain 2: Design Resilient Architectures (26%).
The domain that tests whether you can read a scenario and pick the right disaster-recovery tier. Four DR patterns, in rising cost order:
- Backup and restore (hours RTO, cheapest)
- Pilot light (warm the DB, keep a minimal stack)
- Warm standby (full stack at smaller scale, always running)
- Multi-site active/active (two Regions serving live)
If the scenario says "keep cost low but restore within a few hours, data must be replicated", that's pilot light. Get this wrong once on the exam and you'll get it wrong ten times.
Domain 3: Design High-Performing Architectures (24%).
Easier domain if you know the compute and storage catalog. The gotcha is picking the right storage class:
- Instance store: fastest, ephemeral
- EBS gp3: general purpose, most workloads default here
- EBS io2: latency-sensitive databases
- EFS vs FSx for Windows vs FSx for Lustre (the first is POSIX Linux, the second is SMB Windows, the third is HPC)
Domain 4: Design Cost-Optimized Architectures (20%).
Smallest domain, but often where the most careless mistakes happen. Spot vs Reserved vs Savings Plans vs On-Demand is a frequent question pattern:
- Interruptible batch workload: Spot
- Steady-state workload for 1 or 3 years: Reserved or Savings Plans
- Variable workload, unpredictable patterns: On-Demand with Auto Scaling
- Mixed workloads: Compute Savings Plans (flexible across Lambda, Fargate, EC2)
What to practice, in order.
If you only have two weeks, skip cost for the last 3 days. Security and Resilience will make or break your score. Drill IAM policy writing, S3 encryption choice, Multi-AZ vs Read Replica, and DR tier matching until you can do them in your sleep.
Where we fit in.
Cert Prep Platform covers SAA-C03 with 300+ questions distributed by AWS's own domain weights. Your free 5 questions per day will be weighted the same way as the exam.