The SAA-C03 has a reputation problem. People hear "Associate" and assume it's a vocabulary test — memorize the services, pass the exam. It isn't. Nearly every question gives you two or three technically correct answers and asks which one is best given a specific constraint. Understanding that distinction early is the difference between passing in six weeks and failing twice.
TL;DR
- 65 questions, 130 minutes, $150 USD. Pass mark is 720/1000 (roughly 70–75% correct, scaled). You need 50 scored questions right — 15 are unscored pretest items you can't identify.
- This is a trade-off judgment exam. The last sentence of each question tells you the optimization goal ("least operational overhead," "most cost-effective," "minimal downtime"). That keyword decides the answer.
- Four domains, unequal weight: Secure Architectures (30%), Resilient Architectures (26%), High-Performing Architectures (24%), Cost-Optimized Architectures (20%). One weak domain can sink an otherwise good overall score.
- No generative AI content. No Amazon Bedrock, no foundation models. None of that is on SAA-C03 — don't study it for this exam.
- Study hours range from 40 to 150+, depending on your background. Experienced cloud practitioners can be ready in weeks; people new to IT need several months.
- Hands-on labs matter. People who build things in the AWS Free Tier consistently perform better than those who only watched videos.
- Aim for 80–85% on realistic practice questions before booking. The official free sample questions are easier than the real exam.
- Renews every 3 years. Passing the Solutions Architect Professional (SAP-C02) also renews this cert automatically.
What This Exam Is Actually Testing
The SAA-C03 is not asking you to recite what Lambda is. It's asking you to read a 100-word scenario about a company's workload, identify the constraint keyword buried at the end, and select the AWS architecture that satisfies that specific constraint and no other.
Consider the difference between these two answers to a question about database high availability: "Multi-AZ RDS" and "an RDS read replica." Both involve RDS. Both involve replication. But Multi-AZ gives you synchronous standby with automatic failover — it handles "minimal downtime" and "HA." A read replica is asynchronous, serves reads, and requires manual promotion. One satisfies "automatic failover." The other doesn't. If you don't know the operational difference cold, you'll pick wrong under time pressure.
The exam is validating whether you can make architectural decisions the same way a working Solutions Architect does: against constraints. Not "which service does this?" but "which combination of services, with which configuration, solves this problem most efficiently?" The questions reward people who have thought through actual trade-offs. They punish people who memorized bullet points.
Exam at a Glance
| Item | Detail |
|---|---|
| Exam code | SAA-C03 |
| Cost | $150 USD |
| Duration | 130 minutes |
| Questions | 65 total (50 scored, 15 unscored pretest — unmarked) |
| Question types | Multiple choice (1 of 4) and multiple response (2+ of 5+) |
| Passing score | 720/1000 (scaled 100–1,000) |
| Scoring model | Compensatory — overall score only; no per-domain minimum |
| Guessing penalty | None — never leave a blank |
| Validity | 3 years |
| Languages | English, Japanese, Korean, Simplified Chinese |
| Delivery | Pearson VUE test center or online proctored |
| Retake policy | 14-day wait after a failed attempt |
| ESL accommodation | +30 minutes available when taking the English exam |
The 50/15 scored/unscored split is important to internalize: you're being tested on 50 questions, but you can't tell which 15 are pretest items. Don't skip questions assuming they won't count.
The compensatory scoring model matters too. You don't need to pass each domain separately — only your overall scaled score counts. But in practice, one badly weak domain (networking trips up the most people) will drag your total below 720 even if everything else is solid. Aim for no single domain being a disaster.
Questions run long. Expect 100–150 words per scenario. Reading comprehension is a real factor here, not a side note. The exam rewards people who read the last sentence first, identify the constraint, and then evaluate answers against it rather than against their general AWS knowledge.
Who Should Take This Exam
The official AWS exam guide describes the target candidate as someone with at least one year of hands-on experience designing cost-effective and resilient solutions on AWS. That's a reasonable description of who passes comfortably — not the minimum required to attempt it.
In practice, this exam suits cloud engineers, DevOps engineers, and infrastructure engineers who work with AWS day-to-day and want formal validation of their architectural judgment. It's also a strong move for sysadmins transitioning to cloud roles, backend developers who regularly integrate AWS services, and IT consultants who need credible AWS credentials for client work.
Who should wait: if you've never touched the AWS console, don't start here. The AWS Cloud Practitioner (CLF-C02) exists for a reason. It gives you the mental map of how AWS services relate before you're asked to make trade-offs between them. Starting SAA-C03 without any hands-on time means you'll spend your first 60 study hours building context that the exam assumes you already have.
Domain Breakdown
Domain 1 — Design Secure Architectures (30%)30%
This is the heaviest domain on the exam. The official guide scopes it across three areas: secure access to AWS resources, secure workloads and applications, and data security controls.
In practice, that means IAM. Policies, roles, permission boundaries, SCPs in AWS Organizations, cross-account access via roles rather than embedded credentials, MFA enforcement, and STS. The IAM policy evaluation logic is genuinely tricky: explicit deny always wins, SCPs restrict what even a root user can do in a member account, and permission boundaries constrain the maximum permissions a principal can have even if the identity policy would grant more. Multiple sources with high confidence rate this domain medium-high difficulty. IAM policy logic is one of the two topics most consistently cited as hard.
VPC security is the other. Security Groups are stateful, operate at the instance/ENI level, and only support allow rules. NACLs are stateless, operate at the subnet level, support both allow and deny rules, and process in numbered order with first-match wins. The practical implication: if a question asks you to block a specific IP address, the answer is a NACL deny rule, because SGs can't deny. Get that wrong once on exam day and you'll remember it forever.
Encryption questions split between at-rest and in-transit, and confusing the two is a common mistake. KMS handles at-rest encryption for EBS, RDS, S3, EFS, and most managed services. TLS/HTTPS/ACM handles in-transit. Secrets Manager gives you built-in automatic rotation for RDS/Redshift/DocumentDB credentials with least operational overhead. Parameter Store is the cheaper option for config parameters, but there's no built-in rotation — you need a custom Lambda function.
Other high-frequency security services: GuardDuty for threat detection from CloudTrail/VPC Flow Logs/DNS logs; Macie for PII discovery in S3; Inspector for vulnerability scanning on EC2/ECR/Lambda; WAF for L7 exploit protection and rate limiting; Shield Standard (free, automatic) and Shield Advanced (paid, DDoS response team).
AWS SSO has been renamed to AWS IAM Identity Center. If you see "SSO" in a question, know what it is — but if you're studying from older materials, verify you're learning the current service names.
Domain 2 — Design Resilient Architectures (26%)26%
This domain covers two broad areas: scalable and loosely coupled architectures, and highly available or fault-tolerant architectures.
The foundational concept is the difference between Multi-AZ and Multi-Region, and between high availability and disaster recovery. Multi-AZ gives you synchronous replication and automatic failover within a single region. It handles AZ failures. Multi-Region covers regional failures, data residency requirements, and globally distributed users. The exam tests when to use each — and which specific services enable which pattern.
For RDS: Multi-AZ uses a synchronous standby with automatic failover (same endpoint, no performance benefit, HA-only). Read replicas use asynchronous replication, serve reads, and can be promoted manually — they're for scaling read workloads, not for HA. Aurora goes further: six copies of data across three AZs by default, up to 15 read replicas sharing the same storage, with Aurora Global Database for cross-region replication. Aurora Serverless v2 scales to near-zero for intermittent workloads.
Decoupling is a major theme. SQS, SNS, EventBridge, and Kinesis each appear in resilient architecture questions. The pattern across community experience threads points to service selection as the real challenge: SQS decouples and buffers for single consumers; SNS fans out to multiple subscribers; Kinesis handles high-volume real-time streaming with replay; EventBridge routes events from AWS services, SaaS sources, and custom apps based on rules. An SQS+SNS fan-out pattern (SNS topic with multiple SQS subscriptions) is a canonical answer for "decouple and fan out."
Disaster recovery strategies run from cheapest/slowest (backup and restore) to fastest/most expensive (multi-site active/active). Know the RTO/RPO definitions and how each DR pattern maps to them. Questions will give you an RTO/RPO requirement and ask which architecture meets it.
Some community experience suggests this domain runs medium difficulty overall, but that reflects limited data — treat the community notes on this domain with appropriate skepticism and don't underestimate the HA/DR pattern questions.
Domain 3 — Design High-Performing Architectures (24%)24%
This domain covers storage, compute, databases, networking, and data ingestion — which means most of the exam's service-selection questions land here.
The challenge isn't understanding individual services. It's the decision tree between similar ones. EBS vs EFS vs FSx vs S3 vs instance store: each has a specific use case, and the exam tests whether you know which constraint points to which answer. Single instance, block storage, persistent → EBS (gp3 by default). Shared file system, multiple Linux instances → EFS. Windows/SMB/Active Directory integration → FSx for Windows File Server. HPC or ML with S3 integration → FSx for Lustre. Ephemeral scratch space that doesn't need to survive a stop → instance store. Object storage and data lakes → S3.
For compute: Lambda for event-driven serverless (15-minute max, 10,240 MB max memory); ECS/EKS on Fargate for containerized workloads without managing EC2; Auto Scaling groups with ELB across multiple AZs for elasticity and HA. The "least operational overhead" keyword almost always points to a managed/serverless option.
Load balancers come up repeatedly. ALB handles L7 HTTP/HTTPS with path-based and host-based routing and can target Lambda functions. NLB handles L4 TCP/UDP/TLS with a static IP per AZ — this is the answer for static IP requirements, extreme performance, and PrivateLink source. GWLB is for inserting third-party security appliances (firewalls, intrusion detection) into traffic flow.
For caching: ElastiCache Redis for persistence, replication, Multi-AZ, and complex data structures. ElastiCache Memcached for simple, no-persistence caching. CloudFront at the edge for static and dynamic content. DynamoDB Accelerator (DAX) for microsecond read latency on DynamoDB tables.
Limited community data suggests this domain is medium difficulty overall. The consistent challenge is service selection under a constraint — not knowing services in isolation, but knowing when one is better than a similar one.
Domain 4 — Design Cost-Optimized Architectures (20%)20%
This is the lightest domain by weight and, based on limited community reports, generally considered the most approachable. It covers cost-optimized storage, compute, databases, and networking.
EC2 purchasing options are a Domain 4 staple. On-Demand is for short-term or unpredictable workloads; Reserved Instances (1/3-year commitment) for steady-state 24/7 workloads like database tiers, saving up to ~72%; Savings Plans for committed $/hour spend with more flexibility across instance families, regions, and even Fargate/Lambda; Spot for interruptible, fault-tolerant batch workloads at up to ~90% off (with a 2-minute reclamation warning); Dedicated Hosts for bring-your-own-license (Oracle, Windows per-socket/core) and compliance requirements.
S3 storage class selection is the other Domain 4 domain. Know the minimum storage durations (Standard-IA and One Zone-IA: 30 days; Glacier Instant Retrieval: 90 days; Glacier Flexible: 90 days; Glacier Deep Archive: 180 days), the retrieval latency/cost trade-offs, and which class Intelligent-Tiering replaces when access patterns are unknown.
gp3 EBS volumes are almost always preferred over gp2: ~20% cheaper, with a baseline of 3,000 IOPS and 125 MB/s regardless of volume size, scalable to 16,000 IOPS without size coupling.
Right-sizing and cost visibility questions also appear: AWS Compute Optimizer for right-sizing recommendations, AWS Cost Explorer for trend analysis, Trusted Advisor for cost checks, and Budgets for alerts.
What Trips Candidates Up
Memorizing services instead of understanding trade-offs. This is the most consistent failure pattern across community experience reports. You can know that SQS is a queue and still pick the wrong answer when the question asks whether SQS or Kinesis is appropriate for a real-time analytics pipeline that needs replay capability. The exam doesn't test definitions. It tests decisions.
Not reading the full question, specifically the last sentence. The optimization constraint is almost always in the final clause. "…with the LEAST operational overhead." "…in the MOST cost-effective manner." "…while maintaining HIGH AVAILABILITY." Candidates who skim to the answer choices and evaluate on general AWS knowledge miss this and pick valid-but-wrong answers consistently.
Networking. VPC routing, NACLs and their stateless rule order, gateway endpoints vs interface endpoints, Direct Connect vs Site-to-Site VPN, Transit Gateway vs VPC Peering, and hybrid connectivity patterns. The failure reports are consistent on this point: people underestimate networking complexity, cram it last, and it shows in their scores. Give networking disproportionate study time relative to its presence in Domain 1.
Confusing Multi-AZ with read replicas. Multi-AZ: synchronous, automatic failover, same endpoint, HA only. Read replicas: asynchronous, read scaling, manual promotion. These are not interchangeable. "Automatic failover with minimal downtime" means Multi-AZ. "Scale read traffic for reporting" means read replicas. Every time.
Underestimating the reading load. Scenarios run 100–150 words. Under time pressure (roughly 2 minutes per question), poor time management compounds into skipped reviews and blank answers at the end. People who've written up their experience consistently note that the reading volume surprised them more than the technical difficulty.
Gauging readiness off easy material. The official free sample questions are easier than the real exam. Finishing a course doesn't mean you're ready. The readiness signal is consistently scoring 80–85% on fresh, full-length practice exams under timed conditions.
What Not to Study
Some community reports suggest these areas are out of scope for SAA-C03 — treat this as directional rather than authoritative, since the official guide is the final word:
- Amazon Lightsail (simplified compute, not in the architecture-level scope)
- IoT services in depth
- AR/VR services
- Blockchain solutions
- Specialized industry-vertical tools
More importantly: don't study generative AI or Amazon Bedrock for this exam. The AI additions were made to the Security Specialty (SCS-C03), not SAA-C03. As of 2026, no generative AI service appears in the SAA-C03 scope. Machine learning services (SageMaker, Comprehend, Rekognition, Textract, Transcribe, Translate, Polly, Lex, Kendra) are in scope at the level of "which managed AI service fits this use case" — not model building or fine-tuning.
The Preparation Path
The official learning path. AWS provides free training through AWS Skill Builder, including a structured learning path for SAA-C03. It covers the core services and domain content. The limitation is depth: the official materials are good for building familiarity with the service catalog, but they tend to be gentler than the actual exam. Don't mistake finishing the official path for being ready.
The official exam guide. Download or bookmark the current HTML version at docs.aws.amazon.com. The HTML guide is more up-to-date than the PDF (which is labeled Version 1.0 with no calendar date). Use it as your domain checklist and specifically review the in-scope and out-of-scope service appendix before studying — it prevents wasted time on services that won't appear.
Hands-on labs. This is not optional. The pattern across pass reports shows that candidates who built things in the AWS Free Tier during their prep performed meaningfully better than those who only consumed content. You don't need a large setup: spin up EC2 instances, configure VPC subnets and security groups, create S3 buckets with different storage classes and lifecycle rules, attach EBS volumes, test IAM policies. The architecture decisions become concrete when you've actually made them.
Practice questions. Use CertCompanion's SAA-C03 practice exams as your primary drill tool. Aim for a consistent 80–90% on fresh, timed sessions before booking. Never re-take the same questions as a readiness check — you're testing memory, not understanding.
Official tools:
- AWS Skill Builder free tier — official digital training and sample questions
- AWS Well-Architected Framework — required reading; the six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability) frame many exam questions
- AWS Free Tier — hands-on lab environment; essential, not optional
- AWS documentation for specific services — when a practice question reveals a gap, go to the source
Discount note: AWS offers exam voucher discounts through various programs (including AWS re/Start and AWS Academy for students/educators). Check the official AWS Training and Certification site for current eligibility.
Study Timeline
| Background | Estimated hours | What drives the range |
|---|---|---|
| Experienced (5+ years IT, active AWS use) | 40–80 hours over 3–6 weeks | Focused on gaps, service comparisons, and exam mechanics; most concepts already practical |
| Intermediate (2–5 years IT, limited cloud) | 60–90 hours over 6–8 weeks | Needs to build cloud-specific mental models and hands-on familiarity alongside core study |
| Beginner (no cloud or limited IT background) | 120–300 hours over 10–12 weeks or longer | Requires foundational IT context, full service coverage, and extended hands-on time before scenarios click |
These ranges come from multiple community sources and are consistently reported across experience levels. The beginner range is wide because the upper end (300 hours) reflects people who had to build IT foundations alongside AWS knowledge — not just study the exam.
On Exam Day
Read the last sentence first. Every time. The constraint keyword is almost always there, and it changes the answer.
Flag and move. If a question runs past 2–3 minutes without resolution, flag it and keep moving. You have roughly 2 minutes per question. Running out of time without answering is worse than flagging for review.
No blank answers. There's no penalty for guessing. If you're out of time, answer every flagged question even if you're choosing at random. A guess has positive expected value.
Use the Help button. Some candidates report that the exam interface includes a Help button giving you access to a list of AWS service short names and full names. This is useful if you encounter a service name you don't recognize in its formal version.
Multiple-response questions. Treat each option as an independent true/false. Don't look for "the right pair" — evaluate each option on its own merits. Eliminate clearly wrong options first.
Online proctoring specifics. If testing from home, be aware that suspicious behavior (looking away from the screen, talking, leaving the camera view) can result in exam invalidation. Stay still, stay silent, eyes on screen.
Score posting. AWS's official timeline states results within five business days. In practice, many candidates report receiving their Credly badge notification within hours. Don't panic if yours takes longer — both outcomes happen.
After You Pass
The SAA-C03 is one of the most widely recognized AWS credentials in the market. Solutions Architect, Cloud Architect, Cloud Engineer, and DevOps Engineer roles regularly list it as a requirement or a strong preference. The certification signals that you can make architectural decisions, not just operate services — that distinction is meaningful to hiring managers evaluating cloud generalists vs specialists.
Salary data for roles listing this certification varies significantly by region, seniority, and company size. Specific figures were not available from verified sources at time of writing. Glassdoor's AWS Solutions Architect salary data is a reasonable starting point for your market and role level.
Renewal: The cert is valid for three years. You can recertify by retaking the current SAA exam or by passing a higher-level exam. Passing the Solutions Architect Professional (SAP-C02) automatically renews the Associate cert and cascades renewal to AWS Cloud Practitioner if you hold it. The three-year clock restarts from your recertification pass date.
Logical next certifications:
- AWS Certified Solutions Architect – Professional (SAP-C02): the direct advancement; deeper, harder, and more scenario-intensive. Validates enterprise-scale architectural judgment.
- AWS Certified DevOps Engineer – Professional (DOP-C02): strong for engineers who work across CI/CD, automation, and operations.
- AWS Certified Developer – Associate (DVA-C02): broadens your AWS credential set if your work is more application development than infrastructure design.
- AWS Certified SysOps Administrator – Associate (SOA-C02): practical operations focus; complements SAA-C03 well for people managing running systems.
Frequently Asked Questions
How hard is the SAA-C03 compared to other Associate-level exams?
Harder than Cloud Practitioner, meaningfully so. The question style shifts from "what does this service do" to "which service should you use here, and why." The scenarios are long and require reading comprehension under time pressure. Multiple community sources estimate difficulty at 6–8 out of 10. People who've passed both CCP and SAA-C03 consistently describe the jump as larger than expected. That said, it's entirely passable with focused preparation.
How many hours do I need to study?
Depends heavily on your starting point. People with five or more years of IT experience and active AWS use typically report 40–80 hours. Intermediate backgrounds (a few years of IT, limited cloud) typically need 60–90 hours. Beginners to cloud with limited IT background report anywhere from 120 to 300 hours. These figures come from multiple community sources. The honest answer: you're ready when you're consistently scoring 80–85% on fresh practice questions, not when a timer runs out.
Does the SAA-C03 expire?
Yes. The certification is valid for three years from your pass date. You recertify by retaking the current SAA exam or passing a higher-level AWS exam (Solutions Architect Professional recertifies SAA automatically). The clock restarts from your recertification date.
Are there any prerequisites?
No formal prerequisites. AWS recommends at least one year of hands-on experience designing solutions on AWS, but this is guidance, not a gate. You can book and sit the exam without any prior certification.
What's the retake policy if I fail?
You must wait 14 days before retaking. There's no cap on the number of attempts, but you pay the $150 exam fee each time. Some candidates report sitting it as a "first look" attempt — this is expensive. Better to delay and be genuinely ready.
What's the actual pass rate?
AWS doesn't publish official pass rates. Some community sources estimate 65–75% on first attempts, but this comes from limited data and should be treated as approximate. What the community agrees on is that the failure rate is meaningful — preparation quality matters more than AWS familiarity.
Can I use the AWS Free Tier to prepare?
Yes, and you should. The Free Tier gives you access to EC2 (750 hours/month t2.micro or t3.micro), S3 (5 GB), RDS (750 hours), Lambda (1 million requests/month), and dozens of other services at no cost within limits. Building the architectures you're studying about changes how you reason through exam questions.
I work with AWS daily. Do I still need to study?
Almost certainly yes. Daily work tends to deepen knowledge of the services you use and leave blind spots everywhere else. The exam covers breadth: networking services you might not touch, DR patterns you haven't had to implement, cost optimization trade-offs you haven't needed to make. The pattern across pass reports shows that even experienced engineers who skipped structured review got caught by IAM policy logic, VPC nuances, or service comparisons outside their daily work.
What It Actually Takes
The SAA-C03 rewards a specific kind of preparation: understanding trade-offs rather than accumulating facts. The candidates who struggle most are the ones who watched hours of content and never built anything, or who drilled questions until they recognized the phrasing instead of the underlying logic. The candidates who pass cleanly are the ones who know why one architecture is better than another given a specific constraint — and who've built enough things in a real AWS account to have actual intuition about what "least operational overhead" means in practice.
The exam is genuinely achievable. It's not a credential that requires elite background or years of specialist experience. But it does require that you actually understand what you're recommending and why. Study the service comparisons until the decision tree is automatic, build in the Free Tier until the concepts are concrete, and practice under timed conditions until 2 minutes per question feels comfortable.
When you're ready to test your preparation with realistic, scenario-based practice questions, CertCompanion's SAA-C03 practice exams are the place to start.