AWS · SAA-C03
Validates the ability to design and implement distributed systems on AWS, covering secure architectures, resilient architectures, high-performing architectures, and cost-optimized architectures.
Questions
600
Duration
130 minutes
Passing Score
720/1000
Difficulty
AssociateLast Updated
Jan 2025
Use this SAA-C03 practice exam to prepare for AWS Certified Solutions Architect - Associate (SAA-C03) with realistic questions, detailed explanations, and focused study modes. The practice bank includes 600 questions for AWS SAA-C03, so you can review the exam steadily instead of relying on one long cram session.
As you practice, pay extra attention to recurring topics such as Design Secure Architectures, Design Resilient Architectures, Design High-Performing Architectures, and Design Cost-Optimized Architectures. Start with short sessions to identify weak areas, then move into timed quizzes once your accuracy is consistent.
The explanations are especially useful when you want to connect exam wording to the responsibilities and scenarios described in the official certification guidance. Use the free preview first, then unlock the full question bank when you are ready to build a complete study routine.
The AWS Certified Solutions Architect – Associate (SAA-C03) is an intermediate-level credential that validates a candidate's ability to design well-architected cloud solutions on Amazon Web Services. The exam covers the four pillars of the AWS Well-Architected Framework as they apply to solution design: security, resiliency, high performance, and cost optimization. Candidates are tested on their ability to select appropriate AWS services and configurations to meet both current business requirements and future projected needs across a wide range of architectures—from simple single-tier applications to complex, distributed, multi-account environments.
The SAA-C03 version of the exam was introduced in 2022 and reflects the current AWS service landscape, including modern serverless, container-based, and hybrid cloud patterns. It does not require deep hands-on coding experience but does expect familiarity with core AWS services such as EC2, S3, RDS, VPC, IAM, Lambda, CloudFront, Route 53, and many others. The certification is valid for three years and can be renewed by retaking the exam or by earning the AWS Certified Solutions Architect – Professional, which automatically recertifies this associate-level credential.
This certification is designed for individuals who work in or aspire to a solutions architect role, typically with at least one year of hands-on experience designing cloud solutions using AWS services. It is well-suited for cloud engineers, systems architects, DevOps engineers, and infrastructure professionals who regularly make decisions about AWS service selection, architecture patterns, and deployment strategies.
Candidates with 1–3 years of general IT experience (networking, systems administration, or software development) who are transitioning into cloud roles also pursue this certification as a foundational cloud credential. Those with no prior IT experience are generally advised to first complete the AWS Certified Cloud Practitioner exam before attempting the SAA-C03.
AWS does not enforce any formal prerequisites for the SAA-C03 exam, but strongly recommends at least one year of hands-on experience designing distributed systems on AWS. Candidates should be comfortable navigating the AWS Management Console and AWS CLI, and should have practical familiarity with core service categories including compute (EC2, Lambda), storage (S3, EBS, EFS), databases (RDS, DynamoDB), networking (VPC, Route 53, CloudFront), and identity and access management (IAM).
A working understanding of general IT concepts—such as DNS, TCP/IP networking, relational vs. NoSQL databases, and load balancing—is also important. Candidates who are new to AWS should consider completing AWS Skill Builder's foundational courses or the AWS Cloud Practitioner certification before sitting for this exam. Basic familiarity with programming concepts is helpful but not required.
The SAA-C03 exam consists of 65 questions delivered in 130 minutes, of which 50 are scored and 15 are unscored pilot questions used by AWS to evaluate future exam content. The unscored questions are not identified during the exam, so all questions should be treated equally. Question types include single-response multiple choice (one correct answer from four options) and multiple-response questions (two or more correct answers from five or more options).
The exam is available through Pearson VUE, either at a physical testing center or via online proctoring. It is offered in ten languages: English, French (France), Italian, Japanese, Korean, Portuguese (Brazil), Spanish (Latin America), Spanish (Spain), Simplified Chinese, and Traditional Chinese. Scores are reported on a scale of 100–1,000 using a compensatory scoring model, meaning candidates do not need to achieve a passing score in each individual domain. The minimum passing score is 720. The exam fee is $150 USD.
The AWS Certified Solutions Architect – Associate is consistently ranked among the highest-value IT certifications globally. It is the most widely held AWS credential, with approximately 54% of AWS professionals holding it according to Jefferson Frank's annual survey. Common job titles pursued by SAA-C03 holders include Cloud Solutions Architect, Cloud Engineer, DevOps Engineer, and Cloud Infrastructure Engineer. In the United States, professionals with this certification report average salaries ranging from approximately $125,000 to over $155,000 per year depending on experience, geography, and employer, with some senior roles reaching $175,000 or more.
The certification is recognized across industries including financial services, healthcare, government, and technology, and is frequently listed as a preferred or required qualification in cloud job postings. It serves as a strong foundation for advancing to more specialized AWS certifications such as the Solutions Architect – Professional, DevOps Engineer – Professional, or specialty-level exams in areas like security, networking, or machine learning. Relative to comparable cloud credentials from Microsoft (AZ-104) and Google (Professional Cloud Architect), the SAA-C03 is broadly considered the most recognized associate-level cloud architecture certification in the market.
5 sample questions with answers and explanations. Start a practice session to test yourself across all 600 questions.
Preview — answers shown1. OnlineRetail Analytics has over 50 million active customers, receiving 25,000+ daily orders. Purchase data is stored in S3, additional customer data in RDS. They want to make all data available to various teams for analytics, needing fine-grained permissions and minimal operational overhead. Which solution is best?
Explanation
AWS Lake Formation simplifies building, securing, and managing data lakes. It allows you to define and enforce fine-grained access controls (table, column, row-level) for data stored in S3 and cataloged in AWS Glue Data Catalog. By registering the S3 bucket and connecting to RDS (via Glue crawlers/connections), Lake Formation provides a central place to manage permissions for various teams with minimal operational overhead for data access governance.
2. ImageProcessing Co. runs a highly available application on EC2 instances in a single VPC, across multiple Availability Zones. These instances, in private subnets, download and upload images from/to Amazon S3 via a single NAT gateway. The company is concerned about data transfer charges associated with the NAT gateway. What is the MOST cost-effective method to avoid Regional data transfer charges for S3 access?
Explanation
A gateway VPC endpoint for Amazon S3 allows EC2 instances in private subnets to access S3 without traffic traversing a NAT gateway or the internet. Traffic to S3 through a gateway endpoint stays within the AWS network and does not incur NAT gateway processing charges or data transfer charges as if it were going over the internet. This is the most cost-effective way to privately access S3 from within a VPC.
3. EKSControlPlaneSecure is building an application on Amazon Elastic Kubernetes Service (Amazon EKS). A strict security compliance requirement dictates that the EKS cluster must be configured with its control plane endpoint private access set to true and its endpoint public access set to false. This means the Kubernetes API server endpoint will not be accessible from the public internet. Additionally, the data plane (worker nodes) must reside in private subnets. However, during setup, the company has encountered error notifications indicating that the worker nodes are unable to join the EKS cluster. Which networking solution will allow the worker nodes in private subnets to successfully join the privately accessible EKS control plane?
Explanation
When the Amazon EKS control plane endpoint is configured for private access only (public access disabled), worker nodes residing in private subnets cannot reach the Kubernetes API server endpoint via the public internet. To enable this communication privately within the AWS network, you must create interface VPC endpoints (powered by AWS PrivateLink) for the Amazon EKS service within your VPC. These endpoints create Elastic Network Interfaces (ENIs) in your specified subnets, providing private IP addresses that your worker nodes can use to communicate directly with the EKS control plane without requiring internet access or NAT Gateways for this specific control plane communication.
4. RDSDataEncryption Co. is planning to store sensitive data on Amazon RDS DB instances. A fundamental security requirement is that all data stored within these RDS DB instances must be encrypted at rest. What should a solutions architect do to ensure this requirement is met for new and existing RDS DB instances?
Explanation
Amazon RDS supports encryption at rest for all its available database engines. To enable this, you must select the encryption option when creating a new RDS DB instance or when creating a snapshot copy of an existing unencrypted instance (as direct encryption of an existing unencrypted instance is not always possible and often requires a snapshot-restore process with encryption enabled). This encryption process uses AWS Key Management Service (AWS KMS) to manage the encryption keys. You can choose to use an AWS-managed KMS key (default for the service) or a customer-managed KMS key that you create and control. This ensures that the underlying storage for the DB instance, as well as its automated backups, read replicas, and any manual snapshots, are all encrypted at rest.
5. ErrorWatch Inc.'s HTTP application runs behind a Network Load Balancer (NLB), targeting an EC2 Auto Scaling group. The NLB fails to detect HTTP-level application errors, necessitating manual restarts of EC2 instances. They need to improve application availability by automatically handling unhealthy instances without custom scripting. What change should be made?
Explanation
Network Load Balancers (NLBs) perform Layer 4 health checks (TCP/port level) and don't understand HTTP application status. Application Load Balancers (ALBs) operate at Layer 7 and can perform HTTP/HTTPS health checks against a specific path, expecting certain HTTP success codes. Replacing the NLB with an ALB and configuring appropriate HTTP health checks allows the ALB to identify unhealthy application instances. The Auto Scaling group can then automatically replace these unhealthy instances.
AWS Certified CloudOps Engineer - Associate (SOA-C03)
SOA-C03 · 2141 questions
AWS Certified SysOps Administrator - Associate (SOA-C02)
SOA-C02 · 2141 questions
AWS Certified Security - Specialty (SCS-C03)
SCS-C03 · 2069 questions
AWS Certified Generative AI Developer - Professional (AIP-C01)
AIP-C01 · 1978 questions
AWS Certified Advanced Networking - Specialty (ANS-C01)
ANS-C01 · 1453 questions
AWS Certified Data Engineer - Associate (DEA-C01)
DEA-C01 · 1120 questions
$17.99
One-time access to this exam