AWS Exam Review
Secure Architecture Trap Drills
Practice SAA-C03 secure architecture traps around IAM, resource policies, SCPs, VPC security, KMS, S3 access, WAF, Shield, GuardDuty, Macie, and cross-account access.
After this, you will understand
These drills teach the exact move secure-architecture questions demand: identify the control plane, data plane, network path, and key policy before choosing an answer.
Each drill starts with a plausible exam scenario and forces you to separate identity, resource, network, encryption, and detection controls.
The common mistake: learners pick the security service mentioned in the wording and miss the actual blocker, such as a KMS key policy, an SCP guardrail, or a missing resource policy.
Trace who is calling, what owns the resource, how traffic reaches it, which key decrypts it, and what detects or prevents misuse.
Concepts Covered
- Secure architecture practice drills
- IAM identity and resource policies
- SCP and permission-boundary traps
- KMS and encrypted data failures
- S3 bucket policy and access point traps
- VPC endpoint and NAT decisions
- WAF, Shield, Network Firewall, and DNS Firewall
- GuardDuty, Inspector, Macie, and Security Hub
- Cross-account security reasoning
- SAA-C03 distractor patterns
1. Domain Mental Model
Secure architecture traps usually ask one question while showing you several security nouns.
The drill habit is:
identify the security layer first, then choose the control
If the problem is a missing decrypt permission, WAF is irrelevant. If the problem is internet exposure to a database, GuardDuty is too late. If the problem is broad account permission, a security group does not help. If the problem is organization-wide prevention, an IAM policy in one account is too local.
Use these drills to practice layer recognition.
2. Official Task Map
This drill page maps to the three secure architecture task areas:
- secure access to AWS resources
- secure workloads and applications
- appropriate data security controls
The recurring pressure is least privilege across multiple policy and network surfaces.
Expect AWS to mix human access, workload roles, service access, data protection, encryption, public exposure, and detection tools in the same scenario. The correct answer is often the least dramatic control placed at the right boundary.
3. What AWS Is Testing
AWS is testing whether you can reject plausible but wrong security services.
GuardDuty detects suspicious behavior, but it does not grant permission, block SQL injection, or encrypt data. WAF inspects web requests, but it does not filter DNS queries or protect arbitrary TCP flows. KMS controls key usage, but it does not store secret values. Secrets Manager stores and rotates secrets, but it does not replace IAM roles. SCPs constrain permissions, but they do not grant access.
The exam wants you to ask:
is this preventive, detective, identity-based, resource-based, network-based, or key-based?
That one question eliminates many distractors.
4. Service And Concept Clusters
Use this cluster map while drilling:
- Identity: IAM Foundations, IAM Users vs Roles, IAM Policy Types And Evaluation Traps
- Account boundaries: AWS Organizations, Service Control Policies, Cross-Account Access Patterns
- Network security: Security Groups vs NACLs vs Route Tables, NAT Gateway vs VPC Endpoints, AWS Network Firewall
- Data security: Amazon S3, S3 Bucket Policies vs ACLs vs Access Points, KMS Key Policies vs IAM Policies
- Detection: GuardDuty vs Inspector vs Macie vs Security Hub, CloudTrail vs Config vs CloudWatch vs Trusted Advisor
5. Architecture Reasoning Patterns
Use this drill checklist:
1. Who is the principal?
2. Which account owns the resource?
3. Is the missing control identity-side or resource-side?
4. Is traffic public, private, hybrid, or endpoint-based?
5. Is encrypted data involved?
6. Is the question asking to prevent, detect, alert, audit, or remediate?
Then identify the most specific control.
If one account needs another account's encrypted S3 object, you need caller-side IAM permission, bucket-side permission, and KMS key permission.
If private subnet workloads need S3 without NAT, a gateway endpoint is the networking answer. If the bucket must accept only that path, add a bucket policy condition.
If every member account must be prevented from disabling CloudTrail, the organization-level guardrail is an SCP. CloudTrail itself records events; it does not prevent its own deletion.
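The three cases above can be worked through mechanically once the layers are separated. The following Python is an added teaching example, not code from this page or from AWS: a deliberately simplified model of the evaluation order (SCPs first, then the caller's identity policy and the resource policy, with a cross-account call needing both sides to allow, and an SSE-KMS read needing a second decision on the key). All account ids, ARNs and the key id are constructed placeholders, and the model omits conditions, permission boundaries and session policies that real IAM evaluates.

```python
"""Teaching model of how AWS decides one API call across policy layers.
Added example, not AWS code. Assumptions: only '*' wildcards, no Condition
blocks, no permission boundaries or session policies, and "identity OR
resource policy can grant" applied to every same-account call. Account ids,
ARNs and the key id are constructed placeholders."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_ok(statement, principal_arn):
    """Resource policies apply only to principals they name; identity policies
    and SCPs carry no Principal element, so they always apply."""
    if "Principal" not in statement:
        return True
    named = _as_list(statement["Principal"].get("AWS"))
    account_root = "arn:aws:iam::%s:root" % principal_arn.split(":")[4]
    return "*" in named or principal_arn in named or account_root in named

def _decision(policy, principal_arn, action, resource):
    """'Deny', 'Allow' or None (nothing matched) for one policy document."""
    result = None
    for st in policy.get("Statement", []):
        if (_principal_ok(st, principal_arn)
                and any(fnmatchcase(action, a) for a in _as_list(st.get("Action")))
                and any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource")))):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny anywhere is final
            result = "Allow"
    return result

def evaluate(principal_arn, action, resource, resource_account,
             identity_policy, resource_policy=None, scps=()):
    """Decide one API call: 'Allow' or 'Deny'."""
    # Layer 1: organization guardrails. Every SCP must allow the action and a
    # Deny in any of them wins; SCPs never grant access by themselves.
    for scp in scps:
        if _decision(scp, principal_arn, action, resource) != "Allow":
            return "Deny"
    # Layers 2 and 3: the caller's identity policy and the resource's policy.
    identity = _decision(identity_policy, principal_arn, action, resource)
    on_resource = (_decision(resource_policy, principal_arn, action, resource)
                   if resource_policy else None)
    if "Deny" in (identity, on_resource):
        return "Deny"
    if principal_arn.split(":")[4] == resource_account:
        return "Allow" if "Allow" in (identity, on_resource) else "Deny"
    # Cross account: caller-side AND resource-side permission are both needed.
    return "Allow" if identity == on_resource == "Allow" else "Deny"

def read_sse_kms_object(principal_arn, identity_policy, object_arn, bucket_account,
                        bucket_policy, key_arn, key_account, key_policy, scps=()):
    """Drill 2: an SSE-KMS read needs s3:GetObject on the object AND kms:Decrypt
    on the key; adding S3 actions cannot repair a key-policy gap."""
    s3 = evaluate(principal_arn, "s3:GetObject", object_arn, bucket_account,
                  identity_policy, bucket_policy, scps)
    kms = evaluate(principal_arn, "kms:Decrypt", key_arn, key_account,
                   identity_policy, key_policy, scps)
    return {"s3:GetObject": s3, "kms:Decrypt": kms,
            "object_readable": s3 == "Allow" and kms == "Allow"}

# Constructed sample: account 111111111111 runs the app role; account
# 222222222222 owns the bucket and the KMS key (a cross-account read).
APP_ROLE = "arn:aws:iam::111111111111:role/app"
OBJECT = "arn:aws:s3:::shared-data/report.csv"
KEY = "arn:aws:kms:us-east-1:222222222222:key/KEY-ID-PLACEHOLDER"
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_CLOUDTRAIL_SCP = {"Statement": [{"Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]}]}
APP_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject", "kms:Decrypt"],
    "Resource": ["arn:aws:s3:::shared-data/*", KEY]}]}
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::shared-data/*"}]}
KEY_POLICY_LOCAL_ONLY = {"Statement": [{"Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Resource": "*"}]}
KEY_POLICY_SHARED = {"Statement": KEY_POLICY_LOCAL_ONLY["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": APP_ROLE},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}

def drill_2(key_policy):
    """Cross-account read of an SSE-KMS object under the FullAWSAccess SCP."""
    return read_sse_kms_object(APP_ROLE, APP_IDENTITY_POLICY, OBJECT, "222222222222",
                               BUCKET_POLICY, KEY, "222222222222", key_policy,
                               scps=[FULL_ACCESS])

def drill_stop_logging(scps):
    """A member-account admin (FULL_ACCESS as identity policy) tries to stop
    the trail; only an SCP deny in the path blocks this."""
    return evaluate("arn:aws:iam::111111111111:role/Admin", "cloudtrail:StopLogging",
                    "arn:aws:cloudtrail:us-east-1:111111111111:trail/org-trail",
                    "111111111111", FULL_ACCESS, scps=scps)
```

Running `drill_2(KEY_POLICY_LOCAL_ONLY)` returns an S3 allow, a KMS deny and `object_readable: False`, which is exactly the "read allowed, encrypted object denied" symptom; swapping in `KEY_POLICY_SHARED` is the only change that makes it readable. `drill_stop_logging` allows the call under the default SCP and denies it once the CloudTrail guardrail SCP is in the path, even though the identity policy is full access.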
6. High-Yield Comparisons
Drill 1: EC2 app needs S3.
Wrong instinct: create an IAM user and store keys.
Better answer: attach an IAM role through an instance profile and scope S3 permissions.
Drill 2: S3 read allowed, encrypted object denied.
Wrong instinct: add more S3 actions.
Better answer: check KMS key policy and kms:Decrypt.
Drill 3: deny unapproved Regions for all member accounts.
Wrong instinct: update every admin role.
Better answer: use an SCP, tested before rollout, with exceptions for global services where needed.
Drill 4: block SQL injection against public web app.
Wrong instinct: security group rule.
Better answer: AWS WAF on CloudFront, ALB, or another supported web endpoint.
Drill 5: discover sensitive data in S3.
Wrong instinct: GuardDuty.
Better answer: Amazon Macie.
Drill 6: block DNS queries to malicious domains.
Wrong instinct: WAF.
Better answer: Route 53 Resolver DNS Firewall.
7. Scenario Triggers
"Avoid long-term credentials" points to roles, STS, federation, or IAM Identity Center.
"Who changed this resource" points to CloudTrail.
"Was this resource compliant over time" points to AWS Config.
"Detect compromised credentials or suspicious activity" points to GuardDuty.
"Scan workloads for vulnerabilities" points to Inspector.
"Aggregate findings across accounts" points to Security Hub with organization integration.
"Classify sensitive S3 data" points to Macie.
"Protect public web app from layer 7 attacks" points to WAF.
"DDoS protection" points to Shield and edge architecture.
"Restrict bucket to private endpoint path" points to VPC endpoint plus bucket policy.
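Both the region guardrail from Drill 3 and the "restrict bucket to private endpoint path" trigger are the same policy shape: a Deny statement that applies unless a condition key holds. The Python below is an added example, not code from this page or from AWS; it models only Deny statements with Action/NotAction and the StringEquals/StringNotEquals operators, and the region list, endpoint id, bucket name and NotAction service list are constructed (the real AWS region-restriction SCP example exempts more global services than shown here).

```python
"""Added example of the 'Deny unless the condition holds' pattern behind
Drill 3 (region guardrail SCP) and the "restrict bucket to private endpoint
path" trigger. Teaching model, not the AWS engine: evaluates Deny statements
with Action/NotAction and the StringEquals/StringNotEquals operators against
a request context. Region list, endpoint id and ARNs are constructed."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _action_in_scope(statement, action):
    """Action lists what the statement covers; NotAction covers everything
    except the listed patterns (how SCPs exempt global services)."""
    if "NotAction" in statement:
        return not any(fnmatchcase(action, p) for p in _as_list(statement["NotAction"]))
    return any(fnmatchcase(action, p) for p in _as_list(statement["Action"]))

def _condition_holds(condition, context):
    """Every operator/key pair must hold. A key missing from the request
    context fails StringEquals and satisfies StringNotEquals, which is why a
    request that never set aws:sourceVpce is caught by the bucket policy."""
    for operator, pairs in condition.items():
        for key, values in pairs.items():
            actual = context.get(key)
            matched = actual is not None and actual in _as_list(values)
            if operator == "StringEquals" and not matched:
                return False
            if operator == "StringNotEquals" and matched:
                return False
    return True

def denied_by(policy, action, resource, context):
    """Return the Sid of the first Deny statement that applies, else None."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or not _action_in_scope(st, action):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_holds(st.get("Condition", {}), context):
            return st.get("Sid", "<unnamed>")
    return None

# Drill 3: constructed SCP. The NotAction list is a subset of the global
# services that would break under a blanket region deny.
REGION_GUARDRAIL_SCP = {"Statement": [{
    "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "cloudfront:*",
                  "route53:*", "support:*", "budgets:*"],
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}}]}

# Scenario trigger: constructed bucket policy that only accepts requests
# arriving through one gateway endpoint (placeholder endpoint id).
PRIVATE_PATH_BUCKET_POLICY = {"Statement": [{
    "Sid": "DenyUnlessFromGatewayEndpoint", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::private-data", "arn:aws:s3:::private-data/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}}}]}

def region_drill(action, region):
    """Which Sid (if any) blocks this action requested in this Region."""
    return denied_by(REGION_GUARDRAIL_SCP, action, "*",
                     {"aws:RequestedRegion": region})

def bucket_drill(context):
    """Which Sid (if any) blocks a GetObject with this request context."""
    return denied_by(PRIVATE_PATH_BUCKET_POLICY, "s3:GetObject",
                     "arn:aws:s3:::private-data/report.csv", context)
```

`region_drill("ec2:RunInstances", "ap-southeast-2")` is denied while `region_drill("iam:CreateRole", "ap-southeast-2")` is not, which is the global-services exception the drill mentions. `bucket_drill({})` is denied because a request that reached S3 over the internet or a NAT gateway carries no `aws:sourceVpce` key at all. Two practitioner caveats: a Deny with `Principal: "*"` also locks out administrators and tooling that do not come through the endpoint, so exempt a break-glass role (for example with an additional `StringNotEquals` on `aws:PrincipalArn`) and stage the policy on a non-production bucket first.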
8. Common Traps
Do not confuse a role trust policy with a role permissions policy.
Do not assume resource policies and identity policies are interchangeable.
Do not use SCPs to grant access.
Do not forget KMS when encrypted data is involved.
Do not choose ACLs for new S3 bucket access unless the question forces a legacy ownership case.
Do not choose NAT Gateway for private S3 access if a gateway endpoint satisfies the requirement.
Do not choose WAF for non-HTTP network inspection.
Do not choose GuardDuty as a prevention control.
Do not expose RDS publicly for convenience.
Do not ignore logging protection in centralized security designs.
9. Study Path
Study and drill in this order:
- Design Secure Architectures
- IAM Policy Types And Evaluation Traps
- Cross-Account Access Patterns
- Security Groups vs NACLs vs Route Tables
- S3 Bucket Policies vs ACLs vs Access Points
- KMS Key Policies vs IAM Policies
- Secrets Manager vs Parameter Store
- GuardDuty vs Inspector vs Macie vs Security Hub
- Secure Cross-Account CloudTrail Logging
- Centralized Security Findings And Incident Triage
Repeat the drills until each distractor tells you which layer it belongs to.
10. Related Topics
Review Design Secure Architectures, Resilient Architecture Trap Drills, High-Performing Architecture Trap Drills, and Cost-Optimized Architecture Trap Drills.