RoleMath Study Track for AWS Certified Solutions Architect – Associate (SAA-C03)
A free study companion keyed to the officially published exam domains of AWS Certified Solutions Architect – Associate (SAA-C03): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. AWS Certified Solutions Architect – Associate (SAA-C03) exam guide
A free, source-cited study companion built on AWS's published SAA-C03 exam guide — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
A free SAA-C03 program blueprint that turns secure, resilient, high-performing, and cost-optimized AWS design into explicit requirements, alternatives, failure analysis, validation, and decision evidence through a no-account route without claiming instructional completeness or an exam, job, savings, or availability outcome.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
4
Labs
4
Concept checks
17
Resource mix
2 official / 1 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners who have selected SAA-C03 and need one design-reasoning sequence across all four current domains.
Completion emphasis: Complete all modules and no-account or controlled labs, the official Skill Builder plan where free, the architecture-review capstone, and a final objective gap review.
Required phases: Scope, foundation, evidence, and account route, Identity, data, network, and workload boundaries, Failure domains, recovery, decoupling, and change, Workload characteristics, scaling, caching, and data paths, Usage, pricing, efficiency, and cost governance, Well-Architected-style redesign capstone
Architecture decisions first
Cloud learners and practitioners who want reviewable evidence of requirements, service alternatives, security ownership, failure analysis, performance, cost, operations, migration, validation, and rollback reasoning.
Required phases: Scope, foundation, evidence, and account route, Identity, data, network, and workload boundaries, Failure domains, recovery, decoupling, and change, Workload characteristics, scaling, caching, and data paths, Usage, pricing, efficiency, and cost governance, Well-Architected-style redesign capstone
Architecture career-fit sprint
Learners deciding whether translating ambiguous requirements into cloud tradeoffs and reviewable architecture decisions fits their interests and current foundation.
Completion emphasis: Complete the diagnostic, secure-boundary map, Multi-AZ failure redesign, scale-up/scale-out estimate, and cost tradeoff; record whether to continue, bridge cloud foundations, or choose a more operational route.
Required phases: Scope, foundation, evidence, and account route, Identity, data, network, and workload boundaries, Failure domains, recovery, decoupling, and change, Workload characteristics, scaling, caching, and data paths, Usage, pricing, efficiency, and cost governance
Start safely
Prerequisite diagnostic
Verify cloud foundation, architecture reasoning, account/cost safety, and evidence practices before associate-level design work; this is not an AWS prerequisite or exam prediction.
Can you distinguish regions, Availability Zones, networks, identities, compute, storage, databases, load balancing, monitoring, pricing, and shared responsibility at a Cloud Practitioner or equivalent level?
Ready when: Yes, with service categories understood before product-specific design.
If not yet: Bridge through Cloud Practitioner or equivalent cloud foundations before treating SAA-C03 as the next exam target.
Can you ask about users, data, traffic, failure, recovery, security, operations, cost, migration, and constraints before choosing a service?
Ready when: Yes, and every recommendation will record alternatives and conditions that would change it.
If not yet: Complete the requirement-to-decision warm-up and avoid product memorization as a substitute for architecture reasoning.
Will you use the complete no-account design route or read only a personal AWS account whose billing, identity, regions, and resources you control?
Ready when: Either route is valid; no live account is required for full program completion.
If not yet: Use official documentation, diagrams, expected-state tables, and Pricing Calculator without creating an AWS account.
If inspecting a live account, are root MFA, non-root routine access, billing visibility, a low budget alert, region awareness, and a no-change rule in place?
Ready when: Yes, with read-only inspection and no default-VPC or security-rule creation required.
If not yet: Use the no-account architecture route; do not create or modify a VPC, subnet, route, security group, load balancer, instance, database, or other resource.
Can you distinguish component, zone, regional, dependency, deployment, capacity, data, and human failure and explain how a design detects and recovers from each?
Ready when: Yes, or you will complete the failure-mode warm-up before Multi-AZ design.
If not yet: Practice writing failure, impact, detection, mitigation, recovery, verification, and residual risk for a simple two-component system.
Can you label estimates and recovery/performance targets as assumptions with region, usage, scope, exclusions, uncertainty, and evidence rather than promises?
Ready when: Yes, with calculator output treated as planning evidence, not a bill or guarantee.
If not yet: Use a structured assumption log before presenting any price, capacity, latency, availability, RTO, RPO, or savings statement.
Plan, then adapt
Pace options
Steady
12 weeks 8-12 hours/week
A planning estimate for learners moving beyond cloud fundamentals: give each design domain several requirement, diagram, calculator, and review sessions before integration.
Standard
8 weeks 12-16 hours/week
A planning estimate that covers one design domain most weeks and reserves two weeks for the integrated architecture review, migration plan, validation, and gaps.
Intensive
5 weeks 18-22 hours/week
For learners with existing AWS architecture or implementation experience; do not compress unfamiliar service, failure, security, cost, operations, or migration tradeoffs.
Evidence-gated sequence
Program roadmap
1
Scope, foundation, evidence, and account route
Pin SAA-C03, assess cloud/design foundations, select no-account or read-only practice, and establish requirements, assumptions, decision, cost, and review records.
Exit evidence
Confirm the four current domains and weights in the official SAA-C03 guide.
Choose the no-account route or document personal-account MFA, non-root access, budget, billing, regions, and read-only boundary.
Complete the cloud-foundation, requirements, failure-mode, estimate, and evidence diagnostic.
2
Identity, data, network, and workload boundaries
Design least privilege, data protection, trusted paths, network segmentation, secure service access, monitoring, and shared-responsibility controls from explicit requirements.
Retain a read-only VPC/subnet/route/security-group observation or no-account expected-state diagram labeled honestly.
Produce identity, data classification/encryption, network path, secrets, logging, admin access, and shared-responsibility matrices with owner and verification.
For one design choice, compare at least two secure alternatives and record threat, control, operational burden, cost, limitation, and condition that changes the choice.
3
Failure domains, recovery, decoupling, and change
Eliminate unjustified single points of failure, model component/dependency failures, and select availability, backup, replication, failover, decoupling, and recovery patterns with explicit assumptions.
Retain a region/AZ/subnet observation or no-account map plus a single-zone-to-Multi-AZ redesign.
Create a failure-mode table covering detection, impact, mitigation, recovery, test, rollback, residual risk, dependency, and cost for at least six failures.
Explain backup versus replication, availability versus durability, failover versus scale, synchronous/asynchronous tradeoffs, and assumed recovery objectives.
4
Workload characteristics, scaling, caching, and data paths
Select compute, storage, database, network, caching, integration, and scaling patterns from measured or assumed workload behavior while preserving security and resilience.
Retain scale-up and scale-out calculator scenarios with equivalent-capacity caveats, base/peak usage, region, assumptions, and uncertainty.
Create a performance hypothesis and validation plan for latency, throughput, concurrency, storage access, database patterns, cache behavior, and scaling signals.
Explain when caching, queues, read replicas, content delivery, serverless, containers, managed databases, or storage choices improve one dimension while adding another tradeoff.
5
Usage, pricing, efficiency, and cost governance
Estimate the complete design, identify cost drivers, match pricing and storage models to usage, right-size safely, and define cost controls without breaking requirements.
Retain overprovisioned, right-sized, steady, and variable estimates with region, time, usage, storage, transfer, support, exclusions, and uncertainty.
Produce a cost-driver and optimization backlog covering utilization, elasticity, commitments, storage lifecycle, transfer, managed-service tradeoffs, tags, budgets, anomaly review, and owner.
Reject any cost reduction that violates a stated security, resilience, performance, compliance, recovery, or operational requirement unless the tradeoff is explicitly accepted.
6
Well-Architected-style redesign capstone
Integrate requirements, alternatives, security, resilience, performance, cost, operations, migration, validation, rollback, and decision communication into one auditable fictional architecture review.
Complete the capstone and pass its requirements, alternatives, boundaries, failure, performance, cost, operations, migration, validation, rollback, and consistency review.
Crosswalk all four domains to at least one artifact and one corrected or confidently explained check.
Record remaining foundation/objective gaps and choose a continue, practice, defer, or exam-logistics-verification next decision.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A browser plus text, spreadsheet, and diagram tools for official documentation, requirements, architecture views, decision records, failure models, estimates, reviews, and reflections
The no-account AWS Pricing Calculator and official service/architecture documentation
A structured assumption and evidence log for region, traffic, data, failure, recovery, performance, cost, security, operations, and migration statements
Optional
A free AWS Skill Builder account for registered official SAA-C03 material where it remains free
A personally controlled AWS account secured with root MFA, non-root routine access, billing visibility, and a low budget alert for read-only console observation only
Free diagramming software such as diagrams.net and a local spreadsheet for an account-free workflow
Accounts and accessibility routes
Accounts
No AWS cloud account or payment method is required for full program completion.
AWS Skill Builder requires a free learning account for this registered SAA-C03 plan; verify each item remains in the free tier because enhanced content may be paid.
Optional console inspection uses a personal secured account and creates or changes nothing; a default VPC or other resource does not need to be created for this program.
Equivalent routes
Use official architecture descriptions, expected VPC/AZ/security-group state, diagrams, and review tables when account, region, device, motor, visual, or payment constraints block console inspection.
Use exported or transcribed calculator values with assumptions when interactive controls are inaccessible, and label every planned or observed artifact.
Split requirements, diagrams, failure analysis, estimates, decisions, validation, migration, and review across sessions without reducing evidence or safety requirements.
Safety baseline
Prefer the no-account route. Optional console work is read-only in a personal account with root MFA, non-root routine access, billing visibility, budget alert, region awareness, and no production resources in scope.
Do not create a default VPC, modify routes/security groups, launch compute/database/load-balancing resources, upload data, alter identities, or run failure tests in a live account for this program.
Never publish credentials, account IDs, resource names, architecture details from a real organization, billing data, console sessions, or security boundaries.
Treat calculator values and design targets as dated assumptions, not bills, benchmarks, service guarantees, or promised savings/availability.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A saved requirement, architecture, responsibility/control matrix, failure model, performance hypothesis, estimate, decision record, validation plan, or labeled no-account/read-only artifact tied to the domain map.
A plain-language explanation of requirement, alternatives, selected design, owner, evidence, tradeoff, failure, cost, limitation, verification, rollback, and condition that changes the decision.
All authored checks attempted, with each miss corrected against its cited source and applied to a fresh architecture scenario.
After a missed check
Identify whether the question tests security, resilience, performance, or cost before reviewing the answer.
Write why the distractor was plausible and which requirement, responsibility boundary, failure mode, data/traffic pattern, pricing assumption, or operational constraint distinguishes it.
Change one fictional requirement or failure and explain whether the selected service/design remains appropriate or which alternative becomes better.
Completing this policy demonstrates SAA-C03 coverage and no-account architecture practice inside RoleMath; it does not predict a score, guarantee architecture quality/savings/availability, or establish professional cloud-architect experience.
Integrated practice
Seasonal event platform architecture redesign and migration review
Redesign a fragile fictional single-zone event platform into a secure, resilient, performant, cost-aware, operable AWS architecture and produce the evidence, migration, validation, rollback, and decision records needed for review across all four SAA-C03 domains.
Workflow
Write a fictional current-state brief for a seasonal event-registration platform running on one server and one database in one location, with public web traffic, private attendee aliases, payment-provider integration, email notifications, file assets, sharp demand spikes, and no real personal/payment data in the exercise.
Elicit and record functional, user, traffic, latency, throughput, data, security, privacy, availability, durability, recovery, deployment, observability, support, budget, skill, migration, and timeline requirements plus uncertainties and non-goals.
Draw current-state context, container/service, data-flow, trust-boundary, network, deployment, and dependency views. Identify single points of failure, public exposure, privilege, manual work, missing telemetry, data/recovery gaps, and unverified assumptions.
Create at least two AWS target options at service-category and named-service level. Compare identity, networking, compute, storage, database, caching, integration/queueing, content delivery, logging/monitoring, backup/recovery, deployment, and operational ownership.
Build a security/shared-responsibility model covering root/workforce/workload identity, least privilege, secrets, network paths, private/public subnets or managed boundaries, encryption, key ownership, data classification, logs, threat detection, updates, application security, third parties, and evidence.
Build a failure-mode and recovery table for instance/container/function, zone, database, queue, cache, DNS/content delivery, dependency, deployment, bad configuration, capacity, data corruption, credentials, monitoring, and regional scenarios. Record impact, detection, mitigation, recovery, test, rollback, residual risk, owner, and cost.
Define the scaling and performance design from traffic shape and data access: horizontal/vertical choices, load balancing, auto scaling, serverless/concurrency, caching, content delivery, storage/database pattern, replicas, asynchronous work, backpressure, throttling, and capacity limits.
Create a performance validation plan with synthetic workload, metrics, test environment, baseline, acceptance assumptions, load/soak/spike/failure cases, bottleneck evidence, observability, safety limits, and rollback. Do not claim unrun tests passed.
Build base, expected-event, and peak-event cost estimates in AWS Pricing Calculator. Include region, hours/requests, data/storage/transfer, redundancy, logs, backup, support assumptions, free-tier exclusions, uncertainty, and the cost of resilience and observability.
Create a cost and operational-governance plan covering ownership/tags, budgets/anomaly alerts, dashboards, log retention, backups/restore tests, patch/deployment responsibility, service quotas, health events, incident/change process, right-sizing, commitments, storage lifecycle, and monthly review.
Write architecture decision records for at least five major choices. Each needs context, requirements, options, decision, consequences, risks, cost, evidence, rejected alternatives, owner, date, and condition for reconsideration.
Create a phased migration plan with discovery, prerequisites, data movement/synchronization, shadow or parallel validation, security review, cutover, communication, rollback trigger, rollback steps, data reconciliation, monitoring, and post-cutover review.
Create a validation matrix covering identity/access, network paths, encryption, availability-zone failure, scaling, data durability/recovery, queues/retries, caching, performance, deployment, monitoring/alerts, cost, operations, and rollback. Label each check planned, modeled, read-only observed, or executed.
Run two tabletop changes: an Availability Zone impairment during peak demand and an unexpected cost increase after logging/transfer growth. Use the architecture evidence to diagnose, mitigate, verify, communicate, and update decisions without touching a live account.
Perform a structured architecture review across operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability considerations. Record finding, evidence, risk, recommendation, owner, priority, tradeoff, and validation rather than giving an unsupported score.
Write an executive decision memo and technical handoff that agree on current risks, selected design, alternatives, cost range, migration, validation gaps, residual risk, owner, and next decision.
Crosswalk every requirement, design, failure, performance, estimate, operation, migration, test, review, and decision artifact to the four SAA-C03 domain IDs; flag uncovered topics and record the next practice decision.
Retained artifacts
Fictional current-state brief, requirements, assumptions, and architecture/dependency views
Two target options plus security/shared-responsibility model
Failure/recovery table and performance/scaling validation plan
Base/event/peak estimates plus cost/operations governance plan
Architecture decision records and phased migration/rollback plan
Validation matrix, two tabletop-change records, and structured architecture review
Executive memo, technical handoff, four-domain crosswalk, and gap reflection
Review checklist
Requirements, current state, options, selected architecture, responsibilities, failures, performance, costs, operations, migration, tests, reviews, and communications describe one consistent fictional platform.
Every major choice records requirement, alternatives, decision, owner, tradeoff, failure behavior, cost driver, evidence, verification, rollback or reconsideration condition, and residual risk.
Every numeric target or estimate states source/date, region, scope, usage, assumptions, exclusions, uncertainty, and whether it is planned, modeled, observed, or tested.
No live AWS resource creation/change, production data, failure injection, credential, account ID, billing detail, real organization architecture, or unredacted console session occurred or appears.
Security, resilience, performance, cost, operations, migration, and sustainability recommendations do not silently violate one another; accepted tradeoffs are explicit.
All four SAA-C03 domains map to at least one artifact; uncovered topics remain explicit gaps rather than implied completion.
The packet does not claim exam success, official AWS architecture approval, guaranteed savings/availability/performance, professional architect experience, or a RoleMath credential.
Safety boundary: The complete capstone is no-account design and tabletop work. Optional AWS console observation must remain read-only in a personally controlled secured account and create or change nothing. Do not launch services, modify networks/security, upload data, run load/failure tests, or expose credentials, account IDs, billing, or real organizational architecture. Treat estimates and targets as assumptions, not guarantees.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All four current SAA-C03 domain modules have been covered and checked against the official AWS exam guide.
Every domain lab has a saved no-account/read-only artifact or clearly labeled accessibility alternative.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh architecture scenario.
The registered official Skill Builder material has been used only where it remains free and within access/reuse limits.
The architecture capstone passes requirements, alternatives, security, resilience, performance, cost, operations, migration, validation, rollback, privacy, consistency, and four-domain coverage review.
The learner has recorded remaining foundation/objective gaps and a next decision; completion is not represented as an exam result, credential, architecture approval, job readiness, savings/availability guarantee, or professional experience.
Portfolio candidates
A sanitized multi-view architecture and requirement packet
A shared-responsibility/security matrix and failure model
A performance hypothesis/test plan and three-scenario cost model
Selected architecture decision records
A migration/rollback and validation matrix
A structured architecture review and decision memo
A reflection explaining one corrected architecture assumption
Present the packet as self-directed SAA-C03 architecture lab work. Do not call it a production architecture, AWS approval, guaranteed cost/performance/availability, professional cloud-architect experience, or a RoleMath credential.
Freshness controls
Objective source checked 2026-07-10. Recheck objectives every 30 days and resources every 60 days.
Stop and re-verify when
AWS changes the active Solutions Architect Associate exam code, SAA-C03 guide, domain, published weight, lifecycle, or official target-candidate guidance.
AWS Skill Builder, an official guide, service, Well-Architected guidance, Pricing Calculator, pricing/support label, Free Tier, console path, or resource changes URL, access, behavior, or authority.
A no-account route no longer covers the objective, or optional console work cannot remain read-only, secure, cost-safe, private, and account-independent.
A service capability, failure behavior, security model, architecture pattern, estimate, migration, validation, or review assumption materially changes.
Any module, lab, check, resource mapping, phase, decision, estimate, or capstone fails technical, source, architecture, beginner/intermediate, cost-safety, security, privacy, accessibility, or claims review.
Our default advice is to study the heaviest-weighted domain first, because the published weights tell you where the exam spends its questions. For the Solutions Architect – Associate exam the published weights already run in descending order, so weight-first and outline order happen to agree: Design Secure Architectures (30%) first, then Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%). There is a design logic to that order too. Security is the widest lens — identity, network boundaries, and encryption touch every later topic — so establishing it first means the resilience, performance, and cost domains all read against a security backdrop you already understand. Resilience comes next because 'what happens when a component fails' is the question that most shapes an architecture. Performance and cost then become tuning decisions layered on a design that is already secure and durable. This is sequencing advice based on the published weights and how the topics build on each other, not a claim about the science of learning — if a different order fits how you think, use it. Unlike the Cloud Practitioner exam, SAA rewards genuine design reasoning, so expect to spend real time turning each domain's ideas into judgment about trade-offs, not just recognition of terms.
Start here — it is the heaviest domain at 30% and the widest lens on the exam. Identity, network boundaries, and encryption reappear inside every other domain, so time spent here pays off three more times as you study resilience, performance, and cost.
This is the 'who is allowed to do what, and how do you keep data and networks protected' domain, and at 30% it is the largest single slice of the Solutions Architect – Associate exam. It is worth being clear about how it differs from the security material on the entry-level Cloud Practitioner exam: there, you recognized security concepts and named the right control. Here, you are asked to design — to look at a described system and choose an identity model, a network layout, and an encryption approach that hold together as a whole. The exam is testing architectural judgment about security, not memory of service names.
The spine of the domain is identity and access management done at design scale. You still start from least privilege — granting each identity only the access it genuinely needs — but as an architect you decide the shape of the whole access model. The key move is designing with roles instead of long-lived credentials: an IAM role hands out temporary, automatically expiring permissions that a service, an application, or a federated user assumes when it needs them, so there are no static keys to leak. The exam repeatedly favors this pattern — an EC2 instance that needs to read a storage bucket should assume a role, not carry an embedded access key. You also design how outside identities get in: rather than creating a login per person, you federate an existing corporate directory or identity provider so people use credentials they already have, and you centralize guardrails across many accounts so no single team can grant itself more than policy allows.
The second pillar is network security — designing the boundaries data moves within. The private virtual network (the VPC) is the canvas: inside it you place subnets, and the crucial design decision is public versus private. Resources that must be reachable from the internet (a load balancer, say) sit in public subnets; databases and application servers that should never be directly exposed sit in private subnets and reach the internet only outbound, through a controlled gateway, if at all. Two layers of filtering enforce this: security groups act as stateful firewalls attached to individual resources, allowing specific inbound and outbound traffic, while network ACLs act as a coarser, stateless filter at the subnet edge. The architect's instinct the exam rewards is to expose the minimum — put nothing in a public subnet that does not need to be there, and let each tier talk only to the tier it must.
The third pillar is protecting data itself, in two states. Encryption at rest scrambles stored data so a stolen disk or snapshot is useless without the key; on AWS this is designed around a key-management service that creates, stores, and controls access to encryption keys, and most storage and database services can be told to encrypt with a key you govern. Encryption in transit protects data as it crosses the network, typically with TLS, so it cannot be read if intercepted. The design skill is knowing that these are largely configuration choices you make deliberately — turning on encryption for a bucket, a volume, or a database, and deciding who is allowed to use the key — rather than afterthoughts. Managing secrets (passwords, API keys) through a dedicated secrets service, instead of hard-coding them, belongs to the same instinct: never let sensitive material sit in plaintext where it can leak.
Tying the three pillars together is a defense-in-depth mindset: no single control is trusted to be enough, so you layer them. A well-designed system might keep its database in a private subnet (network layer), reachable only by the application's security group (resource firewall), authenticated by an IAM role rather than a password (identity layer), with its storage encrypted by a governed key (data layer) — so that a failure or misconfiguration in any one layer does not by itself expose the data. The exam loves scenarios where you must spot the weakest layer or add the missing one. It also expects you to design for visibility: logging API activity and monitoring for anomalies so that if something does go wrong, there is an audit trail and an alert rather than silence.
Study this domain by redesigning systems you already understand through a security lens: for any application, ask where each component should sit (public or private subnet), how each part should prove its identity (role, not key), what data must be encrypted and who holds the key, and which layer you would be most embarrassed to have left open. The account-free worksheet below turns those network-boundary ideas into a requirements-to-control evidence packet. Read the official SAA-C03 exam guide for AWS's authoritative published scope, domain weights, and task statements; AWS notes that the guide is not a comprehensive list of every exam topic, and this explanation deliberately paraphrases rather than reproduces it.
Turn a fictional workload's requirements into identity, network, encryption, secrets, and logging boundaries without embedding credentials or granting broad access Adversarially review a layered security design, identify its weakest unverified control, and retain a requirements-to-control evidence packet
Copy the fixture, record at least five fictional requirements, and draw or describe the internet, entry, application, data, identity, and logging trust boundaries.
Replace the embedded key with a workload role, write a least-privilege statement, and complete the public-entry, application, and database control rows.
Complete the encryption-at-rest, encryption-in-transit, secrets, and API/activity-logging rows, including one verification method per control.
Answer all five adversarial questions, identify the weakest unverified control, and record one rejected alternative plus a concrete revision.
What you should see
Confirm the packet contains at least five requirements, all named boundaries, seven control rows with verification, five adversarial answers, and one revision without real credentials or organization data.
Practice evidence maps to exam_domain_aws_solutions_architect_associate_01
Stay safe & legal: Work only with the RoleMath fictional scenario, learner-owned local files, and public AWS documentation; no cloud account or external system is in scope. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 4 · domain 2 · 26% of the exam
Design Resilient Architectures
Second in our suggested order, matching its 26% weight. Study it after security: resilience is about surviving failure, and the single most important resilience decision — spreading a workload across Availability Zones — builds directly on the subnet-and-zone map you inspected in Domain 1.
This is the 'what happens when something breaks, and how do you keep running anyway' domain, and at 26% it is the second-largest slice of the exam. Resilience is arguably the heart of what a solutions architect does: the guiding assumption is that any single component will eventually fail, so you design so that no single failure takes the whole system down. The exam is dense with scenarios that describe an outage — an instance dies, a data center loses power, a region becomes unreachable — and ask you to choose the design that survives it. Getting comfortable with 'assume it fails, then remove the single point of failure' is the mindset to build here.
The most important resilience concept on AWS is the Availability Zone. A Region is divided into multiple Availability Zones — physically separate data-center clusters with independent power and networking, close enough to replicate data quickly but isolated enough that one failing does not take the others with it. The foundational design pattern, which the exam returns to constantly, is Multi-AZ: run your workload in at least two zones so that if one zone fails, the other keeps serving. A managed database configured for Multi-AZ, for example, keeps a synchronized standby copy in a second zone and fails over to it automatically. When a scenario says 'high availability' or 'survive a data-center failure', the answer almost always involves spreading across Availability Zones.
Sitting on top of the zone concept are the two services that make a stateless tier self-healing: load balancers and auto scaling. A load balancer spreads incoming traffic across many instances in multiple zones and stops sending traffic to any instance that fails its health check, so a dead instance is quietly bypassed rather than serving errors. Auto scaling groups keep a target number of instances running: if one fails or a whole zone drops out, the group launches replacements in a healthy zone automatically, and it can also add and remove instances as load changes. Together they turn a fixed set of servers into a fleet that repairs itself — the exam expects you to reach for this pairing whenever a workload must stay available without someone watching it by hand.
Resilience also comes from decoupling — designing components so they do not depend on each other being healthy at the same instant. The classic tools are queues and notification services that sit between parts of a system: instead of a web tier calling a processing tier directly (so that if the processor is down, requests are lost), the web tier drops messages onto a queue, and the processor pulls from the queue whenever it is ready. If the processor fails, messages wait safely in the queue instead of disappearing, and when it recovers it catches up. This loose coupling means a slow or failed component degrades gracefully rather than cascading. The exam rewards recognizing when a tightly coupled, synchronous design should be broken apart with a queue or an event-driven pattern to make it fault-tolerant.
Beyond a single Region, the domain reaches into data durability and disaster recovery. Object storage is designed for very high durability by replicating data across zones automatically, and you make data more resilient still with backups, snapshots, and versioning so that a deletion or corruption can be undone. For rare but serious events — a whole Region becoming unavailable — architects design disaster-recovery strategies that trade cost against recovery speed: at one end, simply backing data up to another Region and rebuilding slowly if needed; at the other, running a fully live copy in a second Region ready to take over in seconds. The exam wants you to match a stated recovery requirement (how much data loss and downtime is acceptable) to the appropriately sized strategy, understanding that faster recovery costs more to keep warm.
Study this domain by taking any architecture and playing 'kill the component': for each piece, ask what happens if it dies, and redesign until no single death is fatal — add a second zone, put a load balancer and auto scaling in front, insert a queue between tightly coupled tiers, add backups and cross-Region copies for the data. The account-free tabletop below makes those choices explicit in failure, recovery, and evidence rows. Read the official SAA-C03 exam guide for AWS's authoritative published scope, domain weights, and task statements; AWS notes that the guide is not a comprehensive list of every exam topic.
Learn it free
Official · Official exam objectives
AWS Certified Solutions Architect – Associate (SAA-C03) exam guideAWS's authoritative published domain scope, weight, and task statements for resilience, high availability, and disaster recovery; the guide is not a comprehensive list of every exam topic. (captured 2026-06-14)
Build a failure-mode matrix that distinguishes availability, durability, backup, replication, scaling, and failover for a fictional multi-tier workload Run two account-free tabletop scenarios and retain detection, recovery, validation, rollback, residual-risk, owner, and tradeoff decisions
Copy the fixture and record fictional outage, data-loss, peak-traffic, dependency, and stakeholder-confirmation assumptions without presenting them as guarantees.
Complete all eight failure rows with user impact, detection, design mitigation, recovery action, evidence/test, and residual risk.
Run the zone-impairment and retry-storm scenarios on paper, recording detection, behavior, operator decision, communication, validation, rollback, and remaining risk.
Record an uncovered failure, a mitigation cost/complexity tradeoff, a recovery metric, a required exercise, and one decision that changes with the assumptions.
What you should see
Confirm all eight failure rows and both scenarios include detection, mitigation/recovery, evidence or validation, rollback where relevant, and residual risk using fictional values only.
Practice evidence maps to exam_domain_aws_solutions_architect_associate_02
Stay safe & legal: This is a tabletop using a fictional RoleMath workload, learner-owned local files, and public documentation; no live system or failure injection is authorized. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
5RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 4 · domain 3 · 24% of the exam
Design High-Performing Architectures
Third in our suggested order, matching its 24% weight. Study it after resilience: performance choices — caching, scaling, picking the right storage or database — assume the secure, multi-zone foundation the first two domains established, and layer speed on top of it.
This is the 'how do you make it fast and keep it fast as load grows' domain, and at 24% it is a substantial slice of the exam. Where resilience asks how a system survives failure, performance asks how it stays responsive under load — and the two are related, because the same elasticity that lets a system heal also lets it scale. The exam presents workloads with performance pressure (a spike in users, a slow database, latency for distant customers) and asks you to choose the design that meets it efficiently. The recurring skill is picking the right tool and the right scaling strategy for a described access pattern, rather than throwing bigger hardware at every problem.
The first idea to internalize is the difference between scaling up and scaling out. Scaling up (vertical scaling) means moving to a larger, more powerful instance — simple, but bounded by the biggest machine available and a single point of failure. Scaling out (horizontal scaling) means adding more instances and spreading work across them — the cloud-native default, because it has almost no ceiling and pairs naturally with the load balancing and auto scaling from the resilience domain. The exam strongly favors designs that scale out and adjust automatically to demand, so that capacity tracks load instead of being sized for a peak that is idle most of the time. When a scenario describes unpredictable or spiky traffic, the high-performing answer is almost always elastic, horizontal, and automatic.
Caching is the highest-leverage performance tool, and the domain treats it at several layers. A content delivery network caches static content (images, files, whole pages) at edge locations physically close to users, so a visitor in another part of the world is served from nearby instead of waiting on a round trip to the origin — the standard answer to 'reduce latency for a global audience'. Closer to the application, an in-memory cache stores the results of expensive database queries or computations so repeated requests are answered from fast memory instead of hitting the database every time, which both speeds responses and relieves load on the data tier. The exam wants you to recognize where a cache belongs: static assets at the edge, hot query results in memory in front of the database.
Choosing the right storage and database for the access pattern is the domain's largest theme, because a mismatch is a common and expensive performance mistake. On storage, object storage suits large files and static content served or archived at scale, block storage (disk-like volumes) suits databases and applications that need low-latency random access, and shared file storage suits many machines needing the same files — and within these, different performance tiers trade speed for cost. On databases, the split is relational versus non-relational: a managed relational database fits structured, related data with complex queries, while a non-relational database is built for massive scale, high request rates, and flexible data shapes with predictable low latency. Read-heavy relational workloads can add read replicas to spread query load. The exam repeatedly asks you to match a described data pattern — huge scale and simple lookups, or rich relational queries, or shared files, or streaming media — to the storage or database designed for it.
Underlying all of this is a decoupled, elastic mindset that lets each part scale independently. Serverless compute that runs only when an event fires scales automatically from zero to very high volume without you managing servers, which fits spiky or event-driven workloads well. Queues and streaming services absorb bursts so a downstream component is not overwhelmed, smoothing spikes into a steady flow the system can handle. Designing tiers that can each scale on their own — web, application, and data — means you add capacity exactly where the bottleneck is rather than scaling everything at once. The exam rewards recognizing the bottleneck in a scenario and applying the narrowest effective fix: cache the repeated reads, add replicas for read load, put a queue in front of a burst, scale out the tier that is actually saturated.
Study this domain by profiling systems in your head: for any workload, ask where the latency and load actually are, what the access pattern looks like (read-heavy or write-heavy, structured or flexible, global or local), and what the smallest change is that would relieve the real bottleneck. The account-free decision-matrix lab below compares alternatives only after workload, capacity, latency, and reversal assumptions are normalized. Read the official SAA-C03 exam guide for AWS's authoritative published scope, domain weights, and task statements; AWS notes that the guide is not a comprehensive list of every exam topic.
Learn it free
Official · Official exam objectives
AWS Certified Solutions Architect – Associate (SAA-C03) exam guideAWS's authoritative published domain scope, weight, and task statements for performance, scaling, caching, and storage selection; the guide is not a comprehensive list of every exam topic. (captured 2026-06-14)
Storage services overview (AWS documentation)A cited reference for matching object, block, and file storage to an access pattern — the storage-selection skill this domain tests. (captured 2026-06-14)
Profile a fictional workload's traffic, concurrency, data, latency, background work, geography, and growth before selecting compute, storage, database, cache, integration, and network patterns Create a safe validation plan and revise architecture choices when five workload assumptions change, without claiming an unrun benchmark passed
Copy the fixture and record base, peak, and evidence-needed values for all eight fictional workload characteristics, labeling assumptions separately from measurements.
Complete all eight architecture rows with at least two options, the deciding requirement, tradeoff/risk, and a validation method.
Evaluate all five changed assumptions and revise at least one architecture choice while preserving security and resilience requirements.
What you should see
Confirm all eight workload and decision rows, the validation plan, and five changed-assumption answers are complete, use fictional values, and label planned tests separately from observed results.
Practice evidence maps to exam_domain_aws_solutions_architect_associate_03
Stay safe & legal: Use only the fictional RoleMath workload, learner-owned local files, and public documentation; no load test, cloud account, or external target is authorized. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 4 of 4 · domain 4 · 20% of the exam
Design Cost-Optimized Architectures
Last in our suggested order, per its 20% weight — the lightest domain, and the most concrete. It reads best at the end because cost optimization is a lens you apply to designs you already know how to make secure, resilient, and fast: now you make them affordable without breaking those properties.
This is the 'how do you deliver the same secure, resilient, fast design for less money' domain, and at 20% it is the lightest of the four — but it is where architecture meets the bill, and it is the most immediately practical. The Cloud Practitioner exam tested whether you could recognize the billing tools; here you are asked to design for cost, weighing pricing models, storage tiers, and right-sizing against the other three domains' requirements. The honest framing the exam expects is that cost optimization is a trade-off, not a race to zero: you rarely make something cheaper for free, so the skill is knowing which savings cost you nothing important and which quietly sacrifice resilience or performance you actually need.
The largest cost lever is choosing the right pricing model for each workload's usage shape, because the same compute can cost dramatically different amounts depending on how you buy it. On-demand pricing charges by the second or hour with no commitment — the flexible default for unpredictable or short-lived work. If you can commit to steady baseline usage for one or three years, you trade that commitment for a large discount through savings plans or reserved capacity, which is the right choice for the always-on core of a system. For interruptible, fault-tolerant work — batch jobs, rendering, anything that can be restarted — spare capacity offered at a deep discount can cut costs sharply, as long as the design tolerates being reclaimed. The exam's recurring move is to describe a workload's predictability and interruptibility and ask which pricing model fits: steady baseline points to a commitment, spiky points to on-demand, restartable points to the discounted spare capacity.
Right-sizing is the discipline of matching resources to actual need instead of over-provisioning out of caution. Teams routinely run instances larger than their workload requires, keep volumes and databases bigger than the data justifies, and leave idle resources running. Designing for cost means choosing the smallest resource that meets the performance and resilience requirement, scaling out with many small elastic instances rather than paying for a large box that sits mostly idle, and using auto scaling so capacity follows demand down as well as up — you stop paying for the night-time peak you sized for but never use. Serverless compute, which charges only when code runs and nothing when idle, is often the most cost-efficient choice for spiky or low-volume workloads precisely because there is no idle capacity to pay for.
Storage and data transfer are the quiet, cumulative costs the domain wants you to design around. Object storage offers tiers that trade retrieval speed and access frequency for price — frequently accessed data sits in a standard tier, while data touched rarely can live in far cheaper infrequent-access or archival tiers — and lifecycle rules can move data down the tiers automatically as it ages, so you are not paying premium rates to store logs from three years ago. A tool that automatically shifts objects to the cheapest appropriate tier based on how they are actually used takes the guesswork out. Data transfer is the cost most beginners miss: moving data out of AWS to the internet, and sometimes between Regions or zones, carries charges, so a cost-aware design keeps chatty traffic local, uses caching at the edge to cut repeated egress, and avoids needless cross-Region movement. The exam expects you to spot a design that will rack up transfer or premium-storage costs and choose the cheaper equivalent that still meets the requirement.
Finally, the domain expects you to design in the tools that make cost visible and controllable, because you cannot optimize what you cannot see. Budgets can monitor spending and trigger alerts or scoped actions, but they are not a universal real-time hard cap and costs can continue beyond a threshold. Cost-analysis tools that break the bill down by service and tag, consolidated billing, attribution tags, and recommendation services all support cost governance. Treat those controls as part of the architecture, not an afterthought.
Study this domain by taking a design you would build for the other three domains and asking, component by component, 'what is the cheapest way to meet this exact requirement without losing the security, resilience, or performance I need?' The account-free cost-model lab below requires normalized assumptions, uncertainty, tradeoffs, and reversal conditions instead of a predetermined savings result. Read the official SAA-C03 exam guide for AWS's authoritative published scope, domain weights, and task statements; AWS notes that the guide is not a comprehensive list of every exam topic.
Learn it free
Official · Official exam objectives
AWS Certified Solutions Architect – Associate (SAA-C03) exam guideAWS's authoritative published domain scope, weight, and task statements for cost optimization, pricing models, and right sizing; the guide is not a comprehensive list of every exam topic. (captured 2026-06-14)
Official · Official documentation
AWS Pricing (official pricing overview)AWS's own description of on-demand, savings plans, reserved, and spare-capacity pricing — the source behind this domain's pricing-model paraphrase. (captured 2026-06-14)
Build three dated no-account AWS Pricing Calculator scenarios with explicit region, usage, data, resilience, exclusions, drivers, and uncertainty Evaluate eight optimization candidates against security, resilience, performance, compliance, and operations requirements and define a cost-governance cadence
Free tools
RoleMath-owned cost-model and governance worksheet
AWS Pricing Calculator without sign-in
Public AWS pricing and Well-Architected documentation
Steps
Copy the fixture and record region, monthly usage, base/peak demand, storage/transfer, backups/logs, resilience, exclusions, date, and uncertainty for one fictional workload.
Create or transcribe overprovisioned, right-sized-base, and elastic-base-plus-peak estimates for identical fictional requirements in the no-login calculator.
Complete all eight optimization rows, identifying why a change may save, which requirement it can violate, evidence needed, and the condition that reverses it.
Assign an owner and cadence to the governance topics, then change one usage assumption and explain which estimate and optimization decisions must be revisited.
What you should see
Confirm three comparable scenarios and eight optimization rows include assumptions, exclusions, drivers, cross-domain tradeoffs, evidence, uncertainty, reversal conditions, and no claim of guaranteed cost or savings.
Practice evidence maps to exam_domain_aws_solutions_architect_associate_04
Stay safe & legal: Use only the public no-login AWS Pricing Calculator, public documentation, fictional workload assumptions, and learner-owned local files; no AWS account is needed. Account required: no; payment required: no; maximum designed cost: $0.
Check yourself
4RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying AWS Certified Solutions Architect – Associatebuilds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Recertification cost: No maintenance fee — recertify by re-passing the current exam; check the AWS recertification page for any additional recertification options that apply to this credential AWS recertification page
A free, source-cited study companion built on AWS's published SAA-C03 exam guide — not official training, not a pass guarantee. Verify the current objectives on the official page before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Amazon Web Services.