AWS Exam Review

SAA-C03 Service Decision Matrix

Review high-yield SAA-C03 service decisions by scenario trigger, architecture pressure, preferred AWS service boundary, and common distractors.

Intermediate · 5 min read · Updated 2026-06-05

Cloud, Certification, Security, Networking, Reliability, Cost, Operations, Tradeoffs

Service Selection, Scenario Triggers, Distractor Analysis, Architecture Pressure, AWS Boundaries, Decision Matrix, Exam Review, Well-Architected

After this, you will understand

A decision matrix helps you turn service names into architecture moves: queue, cache, encrypt, replicate, route, migrate, govern, or observe.

Plain version

Match the wording to the boundary being tested before matching it to a service.

Decision pressure

Learners memorize service descriptions but cannot tell which one fits the exact workload pressure.

Exam-ready model

Translate every answer choice into the problem it actually solves, then reject choices that solve the wrong problem.

Think before reading

How should you use a service decision matrix?
As a reasoning map, not as a memorized answer key: trigger, boundary, service, and distractor.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. SAA-C03 Practice Exam Review Workflow (AWS Review)
  2. Design Secure Architectures (AWS Review)

Concepts Covered

  • SAA-C03 service selection
  • High-yield decision triggers
  • Security service boundaries
  • Resilience service boundaries
  • Performance and cost decisions
  • Messaging and event choices
  • Storage, database, and migration choices
  • Observability and governance choices
  • Common distractor mismatches
  • Final-review comparison practice

1. Domain Mental Model

The exam does not reward knowing service names in isolation. It rewards knowing which boundary a service controls.

Think of every service choice as an architecture move:

IAM controls who can act
KMS controls who can use keys
VPC routing controls where traffic can go
SQS controls buffering
CloudFront controls edge delivery
Multi-AZ controls failover
DataSync controls file/object movement
Cost Explorer controls visibility into spend

This page is a decision matrix in prose form. Use it to practice mapping wording to service boundaries.

2. Official Task Map

The official SAA-C03 guide organizes the exam around secure, resilient, high-performing, and cost-optimized architecture. It also lists broad technologies that can appear, including compute, storage, database, networking, migration and data transfer, security, resiliency, serverless, event-driven design, cost management, and management/governance.

The guide also says the service list is non-exhaustive and subject to change. That matters. Do not treat the in-scope list as a rote checklist. Treat it as a map of services that support the four architecture domains.

This decision matrix is organized by the problem being solved, not by the service console category.

3. What AWS Is Testing

AWS is testing whether you can choose the most appropriate service for the requirement and reject plausible alternatives.

The wrong answer often belongs to the right category but addresses the wrong pressure:

  • SNS and SQS both involve messaging, but fanout and buffering are different.
  • Multi-AZ and read replicas both involve databases, but failover and read scaling are different.
  • CloudWatch and CloudTrail both involve visibility, but metrics/logs and API audit history are different.
  • DataSync and DMS both involve migration, but file/object movement and database replication are different.
  • WAF and Network Firewall both involve security, but layer 7 web protection and network traffic inspection are different.

When reviewing, name the problem each service actually solves.

4. Service And Concept Clusters

Use these service clusters for final comparison practice:

5. Architecture Reasoning Patterns

Use this pattern for every service comparison:

trigger phrase -> architectural pressure -> service boundary -> rejected distractor

Example:

private subnet needs S3 without NAT
-> private service access and cost pressure
-> S3 gateway endpoint
-> NAT Gateway is broader outbound egress and can cost more for heavy S3 traffic

Do not stop at "the answer is S3 gateway endpoint." Say why. The why is what survives exam variations.
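The S3 gateway endpoint from the example above, written out as an added CloudFormation example that is not part of the original page. It shows why no NAT route is needed and how the endpoint doubles as a security boundary. The parameter names, the bucket, and the choice of allowed actions are assumptions.

```yaml
# Added example (CloudFormation). Parameters and the bucket are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String   # route table of the private subnet; no 0.0.0.0/0 route to a NAT Gateway
  DataBucketName:
    Type: String   # existing bucket the workload uses
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      RouteTableIds:
        - !Ref PrivateRouteTableId   # adds the S3 prefix-list route to this table
      PolicyDocument:                # endpoint policy: only this bucket is reachable through the endpoint
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - !Sub arn:${AWS::Partition}:s3:::${DataBucketName}
              - !Sub arn:${AWS::Partition}:s3:::${DataBucketName}/*
  DataBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref DataBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyObjectAccessOutsideEndpoint
            Effect: Deny
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub arn:${AWS::Partition}:s3:::${DataBucketName}/*
            Condition:
              StringNotEquals:
                aws:SourceVpce: !Ref S3GatewayEndpoint   # !Ref returns the endpoint ID
```

The Deny statement applies to every principal, so object reads and writes from outside the VPC, including an administrator's, are refused until the policy is changed.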

6. High-Yield Comparisons

S3 versus EBS versus EFS: object storage, block volume, and shared file system.

EFS versus FSx: general managed NFS file system versus specialized file systems for Windows, Lustre, NetApp ONTAP, or OpenZFS patterns.

RDS versus DynamoDB: relational schema and SQL versus key-value/document access with managed scale and access-pattern-first design.

Aurora versus RDS: AWS-built relational engine features and scaling options versus managed traditional database engines.

ElastiCache versus DynamoDB DAX: general in-memory cache versus DynamoDB-specific read-through cache.

SQS versus SNS versus EventBridge: durable queue, pub/sub fanout, and event bus routing.

Step Functions versus Lambda retry logic: explicit workflow orchestration versus hidden application code coordination.

Direct Connect versus Site-to-Site VPN: dedicated private connectivity versus encrypted internet-based connectivity.

Transit Gateway versus VPC peering versus PrivateLink: hub routing, point-to-point routing, and private service exposure.

GuardDuty versus Inspector versus Macie versus Security Hub: threat detection, vulnerability scanning, sensitive data discovery, and findings aggregation.

7. Scenario Triggers

"Exactly one worker should process each message" points to SQS.

"Multiple subscribers must receive the same notification" points to SNS or EventBridge.

"Route events by source, detail type, or pattern" points to EventBridge.

"Human approval or long-running ordered steps" points to Step Functions.

"Application needs shared Linux file storage" points to EFS.

"Windows file share requirement" often points to FSx for Windows File Server.

"NoSQL, low-latency, massive scale, known access patterns" points to DynamoDB.

"SQL joins, transactions, and relational compatibility" points to RDS or Aurora.

"Global static assets and cacheable HTTP content" points to CloudFront.

"Static public website with object storage" points to S3 static hosting or S3 origin plus CloudFront depending on security and edge requirements.

8. Common Traps

Do not use SNS as a work queue for a single consumer.

Do not use SQS when all subscribers need every message unless each subscriber has its own queue or fanout pattern.
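The "own queue or fanout pattern" case above, as an added CloudFormation example that is not part of the original page: one SNS topic delivers every message to two SQS queues, and each queue policy accepts messages only from that topic. All resource names are assumptions.

```yaml
# Added example (CloudFormation). Resource names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  OrderEvents:
    Type: AWS::SNS::Topic
  BillingQueue:
    Type: AWS::SQS::Queue
  ShippingQueue:
    Type: AWS::SQS::Queue
  BillingSubscription:            # each subscriber gets its own queue and its own copy
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref OrderEvents
      Protocol: sqs
      Endpoint: !GetAtt BillingQueue.Arn
  ShippingSubscription:
    Type: AWS::SNS::Subscription
    Properties:
      TopicArn: !Ref OrderEvents
      Protocol: sqs
      Endpoint: !GetAtt ShippingQueue.Arn
  BillingQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues: [!Ref BillingQueue]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {Service: sns.amazonaws.com}
            Action: sqs:SendMessage
            Resource: !GetAtt BillingQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref OrderEvents   # only this topic may send
  ShippingQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues: [!Ref ShippingQueue]
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {Service: sns.amazonaws.com}
            Action: sqs:SendMessage
            Resource: !GetAtt ShippingQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !Ref OrderEvents
```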

Do not use EventBridge for ordered queue processing.

Do not choose EBS when multiple instances need simultaneous shared file access.

Do not choose EFS for object storage lifecycle or static website hosting.

Do not choose DynamoDB only because a workload is "large"; the access pattern and data model matter.

Do not choose CloudTrail when the question asks for resource configuration compliance over time. That points to Config.

Do not choose Trusted Advisor when the question asks for custom workload metrics. That points to CloudWatch.

Do not choose Security Hub as the source detector. It aggregates findings from other services.

9. Study Path

Use this page after the domain and trap drill pages.

  1. Read one comparison cluster at a time.
  2. Cover the answer and say the service boundary out loud.
  3. Find the matching Arcflow service page for every comparison you miss.
  4. Add one example scenario to your notes for each weak comparison.
  5. Revisit this page after every practice exam.

The goal is not to memorize this page word for word. The goal is to make the decision shape familiar enough that exam wording feels slower and less slippery.

Review SAA-C03 Final Review Checklist, SAA-C03 Practice Exam Review Workflow, SQS vs SNS vs EventBridge, and Transit Gateway vs VPC Peering vs PrivateLink.
