SAA-C03 Final Review Checklist

Concepts Covered

• SAA-C03 final review planning
• Current exam format and scored domain weights
• Last-week study order
• Domain weighting and prioritization
• Service decision triggers
• Mixed scenario reasoning
• Exam distractor patterns
• Practice exam review method
• Readiness signals
• Exam-day reasoning habits

1. Domain Mental Model

The final review is not the time to reread everything from the beginning. It is the time to turn knowledge into fast, reliable architecture decisions.

SAA-C03 is an Associate-level architecture exam. The official AWS certification page currently lists the exam as 130 minutes with 65 multiple-choice or multiple-response questions. The official exam guide explains that 50 questions affect the score and 15 are unscored, that unanswered questions are scored as incorrect, and that the passing scaled score is 720.

The practical mental model is:

scenario -> requirement pressure -> AWS boundary -> service choice -> reason distractors fail

If you can explain why the wrong answers are wrong, you are much closer to exam readiness than someone who only remembers the right option.

2. Official Task Map

The current SAA-C03 guide weights scored content this way:

• Domain 1: Design Secure Architectures - 30 percent
• Domain 2: Design Resilient Architectures - 26 percent
• Domain 3: Design High-Performing Architectures - 24 percent
• Domain 4: Design Cost-Optimized Architectures - 20 percent

This does not mean cost is optional. It means security and resilience deserve disproportionate final-review time, while performance and cost must still be practiced because they often appear inside mixed scenarios.

The official task map also confirms the exam is not just about naming services. It tests whether you can design secure, resilient, high-performing, and cost-optimized architectures based on business requirements and future needs.

3. What AWS Is Testing

AWS is testing the ability to reason as a solutions architect.

That means you should recognize:

• whether the problem is identity, resource policy, encryption, network path, or detection
• whether the workload needs loose coupling, high availability, disaster recovery, or durability
• whether the bottleneck is compute, storage, database, network latency, or data ingestion
• whether cost pressure is about storage class, compute purchase option, data transfer, database capacity, or unused resources
• whether a requirement is preventive, detective, operational, or governance-oriented

The final review should make these distinctions automatic.

Do not spend the last week memorizing every edge case equally. Spend it on high-frequency architecture choices and on the traps that repeatedly cost you practice questions.

4. Service And Concept Clusters

Use this final-review cluster order:

• Security first: IAM Policy Types And Evaluation Traps, KMS Key Policies vs IAM Policies, S3 Bucket Policies vs ACLs vs Access Points, Security Groups vs NACLs vs Route Tables
• Resilience second: RDS Multi-AZ vs Read Replicas, RDS And Aurora Recovery Choices, AWS Backup, Multi-Region Disaster Recovery On AWS
• Performance third: ALB vs NLB vs GWLB, Amazon CloudFront, Amazon ElastiCache, Amazon DynamoDB
• Cost fourth: S3 Lifecycle And Storage Classes, AWS Savings Plans, AWS Compute Optimizer, NAT Gateway vs VPC Endpoints
• Integration and migration: SQS vs SNS vs EventBridge, AWS Step Functions, AWS DataSync, AWS Database Migration Service

5. Architecture Reasoning Patterns

Use a four-pass reading method on long scenario questions.

First pass: identify the business requirement. Look for words like "least operational overhead," "most cost-effective," "highly available," "fault tolerant," "private," "near real time," "minimal downtime," or "global users."

Second pass: identify the constraint. The constraint might be compliance, no public internet path, cannot modify application code, must keep relational semantics, unpredictable access pattern, or strict RTO/RPO.

Third pass: classify the AWS boundary. Is this an IAM boundary, VPC boundary, account boundary, Region boundary, storage boundary, database boundary, or service integration boundary?

Fourth pass: reject distractors by naming their mismatch. A read replica does not satisfy automatic Multi-AZ failover. GuardDuty does not prevent SQL injection. Cost Explorer does not automatically reduce spend. DataSync does not provide persistent hybrid file access.

6. High-Yield Comparisons

IAM role versus IAM user: temporary assumable credentials versus long-term credentials.

Identity policy versus resource policy: what a principal can do versus who a resource trusts.

KMS key policy versus IAM policy: key authorization versus identity authorization.

Security group versus NACL: stateful resource firewall versus stateless subnet guardrail.

NAT Gateway versus VPC endpoint: broad outbound path versus private service-specific path.

Multi-AZ versus read replica: failover and availability versus read scaling.

SQS versus SNS versus EventBridge: queue, fanout notification, and event routing.

CloudFront versus Global Accelerator: HTTP content distribution and caching versus network acceleration for supported endpoints.

DataSync versus DMS: file/object transfer versus database migration and replication.

Savings Plans versus Spot: commitment for steady usage versus discounted interruptible capacity.

7. Scenario Triggers

"Avoid long-term credentials" points to roles, STS, federation, or IAM Identity Center.

"Encrypted object access denied" points to KMS key policy and decrypt permission.

"Private subnet needs S3 without NAT" points to an S3 gateway endpoint.

"Survive an Availability Zone database failure" points to Multi-AZ.

"Read-heavy relational database" points to read replicas or caching depending on freshness.

"Fan out to many subscribers" points to SNS or EventBridge depending on routing semantics.

"Decouple a slow or fragile worker" points to SQS.

"Coordinate ordered workflow steps" points to Step Functions.

"Unknown S3 access pattern" points to Intelligent-Tiering.

"Database migration with low downtime" points to DMS and schema conversion when needed.

8. Common Traps

Do not choose the newest or largest service when a simpler managed service satisfies the requirement.

Do not confuse detection with prevention. GuardDuty, Config, CloudTrail, and Security Hub do not all solve the same problem.

Do not choose read replicas for high availability when Multi-AZ is the requirement.

Do not use public access as a shortcut when the requirement says private, least privilege, or secure.

Do not ignore KMS just because the S3, EBS, RDS, or backup permission looks correct.

Do not overbuild active-active Multi-Region when backup and restore, pilot light, or warm standby matches the RTO/RPO and cost constraint.

Do not study only service pages. SAA-C03 asks service choices inside scenarios.

9. Study Path

Use this last-week order:

1. Re-read the four domain review pages in weight order.
2. Complete the four trap drill pages and write down every missed service comparison.
3. Complete the three mixed drill pages to practice cross-domain wording.
4. Review the service decision matrix and turn weak comparisons into flashcards.
5. Take one practice exam under timed conditions.
6. Review every missed question by architecture pressure, not just by answer key.
7. Do a short final pass through IAM, VPC, S3, KMS, RDS, DynamoDB, CloudFront, SQS/SNS/EventBridge, Lambda, Step Functions, migration, and cost services.

The final day should be light. Review triggers, not entire courses.

10. Related Topics

Review SAA-C03 Service Decision Matrix, SAA-C03 Practice Exam Review Workflow, Security And Resilience Mixed Drills, and Performance And Cost Mixed Drills.

Official AWS references:

• AWS Certified Solutions Architect - Associate certification page
• SAA-C03 exam guide
• AWS Certification exam guides
• AWS Well-Architected Framework