The AWS Solutions Architect Associate exam, identified by the code SAA-C03, is one of the most respected and widely pursued cloud certifications in the technology industry. It validates your ability to design secure, resilient, high-performing, and cost-optimized architectures on Amazon Web Services. Whether you are a cloud engineer, a developer moving into architecture, or an IT professional expanding your skill set, this cheat sheet is designed to give you a consolidated reference of the most important concepts, services, and design principles you need to carry into your exam and your career.
This cheat sheet does not replace a full study course but serves as a powerful companion document that you can return to repeatedly throughout your preparation. It condenses the broad landscape of AWS services and architectural principles into focused, digestible sections that mirror the domains covered in the SAA-C03 exam. Use it to reinforce what you have already learned, identify gaps in your knowledge, and do a final review before sitting your exam.
Core Cloud Computing Concepts Every Candidate Must Internalize
Cloud computing is the on-demand delivery of computing power, storage, databases, networking, software, and other resources through the internet with pay-as-you-go pricing. AWS operates on a shared responsibility model where AWS manages security of the cloud infrastructure and customers are responsible for security within the cloud. Understanding where this boundary lies for different service types is essential for answering exam questions correctly.
The three primary cloud service models are infrastructure as a service, platform as a service, and software as a service. Deployment models include public cloud, private cloud, hybrid cloud, and multi-cloud environments. The six advantages of cloud computing according to AWS include trading capital expense for variable expense, benefiting from massive economies of scale, eliminating guessing about capacity, increasing speed and agility, eliminating data center maintenance overhead, and going global in minutes.
Amazon EC2 and Compute Fundamentals Worth Remembering
Amazon Elastic Compute Cloud, or EC2, is the foundational compute service in AWS. It provides resizable virtual servers called instances. Instance types are grouped into families including general purpose, compute optimized, memory optimized, storage optimized, and accelerated computing. Choosing the right instance type for a workload is a common exam scenario. General purpose instances like T3 and M6i suit balanced workloads while C-series instances are best for compute-heavy tasks.
EC2 pricing models are critically important for the exam. On-demand instances are billed per second or per hour with no commitment. Reserved instances offer up to 72 percent savings for one or three year commitments. Spot instances allow you to bid for unused capacity at up to 90 percent discount but can be interrupted. Dedicated hosts provide physical servers for compliance and licensing needs. Savings Plans offer flexible pricing commitments across compute usage. Knowing when to recommend each pricing model based on a scenario is a frequent exam requirement.
Elastic Load Balancing and Auto Scaling Architecture Patterns
Elastic Load Balancing distributes incoming traffic across multiple targets such as EC2 instances, containers, and IP addresses across one or more availability zones. There are three main types of load balancers. The Application Load Balancer operates at layer 7 and is ideal for HTTP and HTTPS traffic with host-based or path-based routing. The Network Load Balancer operates at layer 4 and handles millions of requests per second with ultra-low latency. The Gateway Load Balancer is used for deploying and managing third-party virtual network appliances.
Auto Scaling ensures your application has the right amount of compute capacity at all times. EC2 Auto Scaling groups automatically launch or terminate instances based on demand using scaling policies. Dynamic scaling responds to real-time metrics while scheduled scaling handles predictable load patterns. Target tracking scaling is the simplest approach where you set a desired metric value and AWS manages the rest. Always pair Auto Scaling groups with load balancers to ensure traffic is distributed only to healthy instances.
Amazon S3 Storage Classes and Data Management Strategies
Amazon Simple Storage Service is an object storage service offering industry-leading scalability, availability, and durability. S3 stores data as objects within buckets and each object can be up to 5 terabytes in size. S3 storage classes are designed to help you optimize costs based on how frequently you access your data. S3 Standard is for frequently accessed data. S3 Standard-Infrequent Access and S3 One Zone-Infrequent Access suit less frequently accessed data. S3 Glacier Instant Retrieval, Glacier Flexible Retrieval, and Glacier Deep Archive are for archival use cases with varying retrieval times.
S3 Lifecycle policies automate the transition of objects between storage classes based on age or other criteria. S3 Versioning keeps multiple versions of an object to protect against accidental deletion. S3 Replication includes cross-region replication and same-region replication for redundancy and compliance. S3 Transfer Acceleration uses CloudFront edge locations to speed up uploads. Server-side encryption options include SSE-S3, SSE-KMS, and SSE-C. Block public access settings at the bucket and account level help prevent accidental data exposure.
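To make the lifecycle mechanics concrete, here is an added example (not code from AWS or from this cheat sheet) that evaluates a lifecycle configuration in the same JSON shape the S3 API accepts and reports which storage class an object of a given age and key prefix would be in. The configuration and object keys are constructed for the illustration; it models only Enabled rules with prefix filters and Days-based transitions and expiration, and ignores tag filters, Date-based rules and noncurrent-version actions.

```python
import json

# Constructed lifecycle configuration in the shape of put-bucket-lifecycle-configuration.
LIFECYCLE = json.loads("""{
  "Rules": [
    {"ID": "logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Transitions": [{"Days": 30, "StorageClass": "STANDARD_IA"},
                     {"Days": 90, "StorageClass": "GLACIER"}],
     "Expiration": {"Days": 365}},
    {"ID": "tmp", "Status": "Enabled", "Filter": {"Prefix": "tmp/"},
     "Expiration": {"Days": 7}},
    {"ID": "old-disabled-rule", "Status": "Disabled", "Filter": {"Prefix": "logs/"},
     "Expiration": {"Days": 1}}
  ]
}""")


def storage_state(config, key, age_days, current="STANDARD"):
    """Return the storage class an object would be in after age_days,
    or 'EXPIRED' if an expiration action applies.

    Simplified model (assumption): Enabled rules only, prefix filters only,
    Days-based actions only. Expiration wins over any transition, and among
    transitions the one with the latest reached Days value applies.
    """
    state = current
    latest_transition_day = -1
    for rule in config["Rules"]:
        if rule.get("Status") != "Enabled":
            continue  # disabled rules are ignored entirely
        prefix = rule.get("Filter", {}).get("Prefix", "")
        if not key.startswith(prefix):
            continue
        expire_days = rule.get("Expiration", {}).get("Days")
        if expire_days is not None and age_days >= expire_days:
            return "EXPIRED"
        for t in rule.get("Transitions", []):
            if age_days >= t["Days"] and t["Days"] > latest_transition_day:
                latest_transition_day = t["Days"]
                state = t["StorageClass"]
    return state


if __name__ == "__main__":
    for key, age in [("logs/app.log", 10), ("logs/app.log", 45),
                     ("logs/app.log", 120), ("logs/app.log", 400),
                     ("tmp/scratch.bin", 8), ("images/logo.png", 500)]:
        print(f"{key:18} age {age:3d}d -> {storage_state(LIFECYCLE, key, age)}")
```

Reading the output top to bottom shows the cost story the exam expects you to tell: the same log object moves from Standard to Standard-IA at 30 days, to Glacier at 90, and is removed at 365, while objects under a prefix that no enabled rule matches stay where they were put.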
Amazon VPC Networking and Connectivity Architecture
Amazon Virtual Private Cloud allows you to provision a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define. A VPC spans all availability zones in a region and is divided into subnets. Public subnets have a route to an internet gateway while private subnets do not. NAT gateways allow instances in private subnets to initiate outbound internet connections without exposing them to inbound traffic from the internet.
Security groups act as virtual firewalls at the instance level and are stateful, meaning return traffic is automatically allowed. Network access control lists operate at the subnet level and are stateless, requiring explicit rules for both inbound and outbound traffic. VPC peering connects two VPCs privately. AWS Transit Gateway acts as a central hub to connect multiple VPCs and on-premises networks. VPN connections and AWS Direct Connect provide secure connectivity between on-premises environments and AWS. VPC endpoints allow private connections to AWS services without using the internet.
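The stateful-versus-stateless distinction is easiest to see by simulating both filters on one connection. The following is an added illustration, not AWS code: a private-subnet instance (constructed address 10.0.1.5) opens an HTTPS connection to 203.0.113.10 from an ephemeral port, and the reply packet is checked against a security group and against a network ACL. The rule tuples and the Packet type are assumptions made for the example; real AWS rules also carry protocol, ICMP type and other fields.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    direction: str  # "in" = toward the instance/subnet, "out" = away from it


def _in_cidr(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def _flow_key(pkt):
    """(remote address, remote port, local port), the same for both directions
    of one connection, which is what stateful tracking relies on."""
    if pkt.direction == "out":
        return (pkt.dst, pkt.dst_port, pkt.src_port)
    return (pkt.src, pkt.src_port, pkt.dst_port)


@dataclass
class SecurityGroup:
    """Stateful, allow rules only. A packet belonging to an already allowed
    flow is accepted even when no rule covers its own direction."""
    inbound: list   # [(port, remote_cidr)]
    outbound: list
    _flows: set = field(default_factory=set)

    def allows(self, pkt):
        key = _flow_key(pkt)
        if key in self._flows:
            return True  # return traffic of a tracked connection
        rules = self.outbound if pkt.direction == "out" else self.inbound
        remote_addr = key[0]
        for port, cidr in rules:
            if port == pkt.dst_port and _in_cidr(remote_addr, cidr):
                self._flows.add(key)
                return True
        return False


@dataclass
class NetworkAcl:
    """Stateless. Rules are evaluated in ascending rule number and the first
    match decides; the implicit '*' rule denies everything else."""
    rules: list  # [(rule_number, direction, port_lo, port_hi, cidr, action)]

    def allows(self, pkt):
        for _number, direction, lo, hi, cidr, action in sorted(self.rules):
            if direction != pkt.direction:
                continue
            remote_addr = pkt.src if pkt.direction == "in" else pkt.dst
            if lo <= pkt.dst_port <= hi and _in_cidr(remote_addr, cidr):
                return action == "allow"
        return False


# Constructed traffic: outbound HTTPS request and its reply.
REQUEST = Packet("10.0.1.5", "203.0.113.10", 50000, 443, "out")
REPLY = Packet("203.0.113.10", "10.0.1.5", 443, 50000, "in")


def security_group_outcome():
    """Inbound allows only SSH from the VPC; no inbound rule for port 50000."""
    sg = SecurityGroup(inbound=[(22, "10.0.0.0/16")], outbound=[(443, "0.0.0.0/0")])
    return sg.allows(REQUEST), sg.allows(REPLY)  # (True, True): reply tracked


def network_acl_outcome(with_ephemeral_rule):
    """Same intent as the security group; the reply needs its own rule."""
    rules = [(100, "out", 443, 443, "0.0.0.0/0", "allow"),
             (100, "in", 22, 22, "10.0.0.0/16", "allow")]
    if with_ephemeral_rule:
        rules.append((110, "in", 1024, 65535, "0.0.0.0/0", "allow"))
    return NetworkAcl(rules).allows(REQUEST), NetworkAcl(rules).allows(REPLY)


if __name__ == "__main__":
    print("security group (request, reply):", security_group_outcome())
    print("NACL without ephemeral rule:   ", network_acl_outcome(False))
    print("NACL with ephemeral rule:      ", network_acl_outcome(True))
```

The second line of output is the classic troubleshooting scenario: the outbound request leaves, but the reply is dropped at the subnet boundary until the NACL has an inbound allow for the ephemeral port range. The security group needs no such rule because it tracks the connection.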
Amazon RDS and Database Services for Architect Decisions
Amazon Relational Database Service simplifies the setup, operation, and scaling of relational databases in the cloud. Supported database engines include MySQL, PostgreSQL, MariaDB, Oracle, Microsoft SQL Server, and Amazon Aurora. RDS handles routine database tasks such as provisioning, patching, backup, recovery, failure detection, and repair. Multi-AZ deployments provide high availability through synchronous replication to a standby instance in a different availability zone, with automatic failover.
Amazon Aurora is a MySQL and PostgreSQL-compatible relational database built for the cloud that delivers up to five times the performance of MySQL and three times the performance of PostgreSQL. Aurora automatically replicates data six ways across three availability zones. Aurora Serverless automatically adjusts capacity based on application demand. For read-heavy workloads, RDS Read Replicas allow you to scale read operations. Knowing when to use RDS Multi-AZ versus Read Replicas is a key architectural decision point in the exam.
Amazon DynamoDB and NoSQL Data Architecture Considerations
Amazon DynamoDB is a fully managed, serverless, key-value and document database that delivers single-digit millisecond performance at any scale. It is designed for applications that require consistent, low-latency data access regardless of how large the dataset grows. DynamoDB automatically spreads data across multiple partitions and replicates it across three availability zones. Tables consist of items and each item is identified by a primary key that can be a simple partition key or a composite partition and sort key.
DynamoDB on-demand capacity mode is ideal for unpredictable workloads while provisioned capacity mode is better for predictable traffic patterns with auto scaling enabled. DynamoDB Streams capture a time-ordered sequence of item-level changes and can trigger AWS Lambda functions. Global Tables provide multi-region, multi-active replication for globally distributed applications. DynamoDB Accelerator, known as DAX, is an in-memory caching layer that reduces read response times from milliseconds to microseconds for read-intensive workloads.
AWS IAM Security Principles and Access Management Concepts
AWS Identity and Access Management is the service that controls who can do what within your AWS account. IAM users represent individual people or applications. IAM groups are collections of users who share the same permissions. IAM roles are assumed by services, users, or external identities to gain temporary permissions. IAM policies are JSON documents that define permissions and are attached to users, groups, or roles. Always follow the principle of least privilege by granting only the permissions necessary to perform a task.
The root account should never be used for daily tasks and must be protected with multi-factor authentication. Service control policies in AWS Organizations apply permission guardrails across multiple accounts. IAM Access Analyzer helps identify resources shared with external entities. Permission boundaries define the maximum permissions a user or role can have. For cross-account access, use IAM roles rather than sharing credentials. AWS Security Token Service issues temporary credentials for role assumption. Understanding the evaluation logic of IAM policies including explicit deny, explicit allow, and implicit deny is essential for the exam.
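The evaluation order (explicit deny, then explicit allow, otherwise implicit deny) and the way a permissions boundary caps what an identity policy can grant are both easier to reason about when you can run them. The following is an added example, not AWS code or an official IAM evaluator: it parses policy documents in the standard JSON shape and applies those rules. The policies, bucket name and actions are constructed for the illustration, and only Effect, Action and Resource are modelled; Condition, NotAction, NotResource, resource-based policies and SCPs are out of scope here.

```python
import fnmatch
import json


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Return 'Allow', 'Deny', or None if no statement matches.
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    decision = None
    for stmt in statements:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not _matches([a.lower() for a in actions], action.lower()):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny cannot be overridden by any allow
        decision = "Allow"
    return decision


def evaluate(policies, action, resource, boundary=None):
    """Combine identity policies (and an optional permissions boundary)."""
    results = [evaluate_policy(p, action, resource) for p in policies]
    if "Deny" in results:
        return "explicit deny"
    if boundary is not None:
        b = evaluate_policy(boundary, action, resource)
        if b == "Deny":
            return "explicit deny"
        if b is None:
            return "implicit deny"  # identity policy allowed it, boundary did not
    return "explicit allow" if "Allow" in results else "implicit deny"


# Constructed sample documents.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::app-logs"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

READ_ONLY_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": "*"}
}""")

LOG_OBJECT = "arn:aws:s3:::app-logs/2024/app.log"

if __name__ == "__main__":
    for act, res, bnd in [("s3:GetObject", LOG_OBJECT, None),
                          ("s3:DeleteObject", LOG_OBJECT, None),
                          ("s3:PutObject", LOG_OBJECT, None),
                          ("s3:PutObject", LOG_OBJECT, READ_ONLY_BOUNDARY),
                          ("ec2:RunInstances", "*", None)]:
        tag = " (with boundary)" if bnd else ""
        print(f"{act:18} -> {evaluate([DEVELOPER_POLICY], act, res, bnd)}{tag}")
```

Two results are worth noticing: the Deny on s3:DeleteObject wins even though the s3:* statement also matches, and s3:PutObject flips from explicit allow to implicit deny the moment the boundary is attached, because a boundary never grants permissions on its own and only narrows what the identity policy granted.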
Amazon CloudFront and Content Delivery Network Design
Amazon CloudFront is a fast content delivery network service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. CloudFront uses a global network of edge locations and regional edge caches to serve content closer to end users. Origins can be S3 buckets, Application Load Balancers, EC2 instances, or any custom HTTP server. Distributions define how CloudFront should retrieve and serve content from the origin.
CloudFront signed URLs and signed cookies restrict access to content for authorized users. Origin Access Control replaces Origin Access Identity and ensures that S3 content can only be accessed through CloudFront. CloudFront Functions and Lambda@Edge allow you to run code at edge locations to customize the content delivery experience. Cache behaviors define how CloudFront handles requests based on URL path patterns. Using CloudFront in front of S3 for static website hosting improves performance and adds a security layer between public users and your origin.
AWS Lambda and Serverless Architecture Building Blocks
AWS Lambda is a serverless compute service that runs your code in response to events without requiring you to provision or manage servers. You pay only for the compute time consumed during execution. Lambda functions support multiple runtimes including Node.js, Python, Java, Go, and custom runtimes. Each function has a configurable memory allocation between 128 megabytes and 10 gigabytes, and execution timeout up to 15 minutes. Lambda scales automatically by running multiple instances of your function in parallel.
Lambda integrates with a wide range of AWS services as event sources including API Gateway, S3, DynamoDB Streams, Kinesis, SNS, SQS, and EventBridge. Lambda layers allow you to package and share common libraries across multiple functions. Environment variables store configuration settings and secrets securely. Lambda destinations route asynchronous invocation results to SQS, SNS, EventBridge, or another Lambda function. Understanding when to use Lambda versus EC2 or containers based on workload characteristics such as duration, frequency, and state requirements is important for architecture decisions.
Amazon SQS and SNS Messaging for Decoupled Systems
Amazon Simple Queue Service is a fully managed message queuing service that enables decoupling of microservices, distributed systems, and serverless applications. SQS offers two types of queues. Standard queues offer maximum throughput with at-least-once delivery and best-effort ordering. FIFO queues guarantee exactly-once processing and strict message ordering, making them suitable for financial transactions and order processing. The visibility timeout prevents other consumers from processing a message while it is being handled by one consumer.
Amazon Simple Notification Service is a fully managed publish-subscribe messaging service that enables you to send messages to a large number of subscribers. SNS topics act as communication channels where publishers send messages and subscribers receive them. Supported subscription types include SQS, Lambda, HTTP endpoints, email, and SMS. The fan-out pattern combines SNS with multiple SQS queues to deliver the same message to multiple systems simultaneously. Dead-letter queues in both SQS and SNS capture messages that cannot be processed successfully for later analysis and reprocessing.
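The visibility timeout and dead-letter queue behaviour described in the two paragraphs above can be followed step by step with a small in-memory queue. This is an added simulation, not the SQS implementation or any AWS SDK code: message bodies, timeouts and the clock values are constructed for the illustration, and a consumer that never calls delete stands in for one that crashed mid-processing. The simulation follows the SQS rule that a message moves to the dead-letter queue once its receive count exceeds the configured maximum.

```python
class SimQueue:
    """Minimal stand-in for an SQS standard queue with a visibility timeout
    and an optional redrive policy (maxReceiveCount + dead-letter queue)."""

    def __init__(self, visibility_timeout, max_receive_count=None, dead_letter=None):
        self.visibility_timeout = visibility_timeout
        self.max_receive_count = max_receive_count
        self.dead_letter = dead_letter
        self._messages = []  # arrival order; standard queues only promise best effort
        self._next_id = 0

    def send(self, body):
        self._next_id += 1
        self._messages.append({"id": self._next_id, "body": body,
                               "invisible_until": 0, "receive_count": 0})
        return self._next_id

    def receive(self, now):
        """Return the first visible message, hiding it for the timeout period.
        A message whose receive count would exceed maxReceiveCount is moved
        to the dead-letter queue instead of being delivered again."""
        for m in list(self._messages):
            if m["invisible_until"] > now:
                continue  # another consumer is still working on it
            m["receive_count"] += 1
            if (self.max_receive_count is not None
                    and m["receive_count"] > self.max_receive_count):
                self._messages.remove(m)
                self.dead_letter.send(m["body"])
                continue
            m["invisible_until"] = now + self.visibility_timeout
            return m
        return None

    def delete(self, msg_id):
        """Consumers must delete explicitly; otherwise the message reappears."""
        self._messages = [m for m in self._messages if m["id"] != msg_id]

    def bodies(self):
        return [m["body"] for m in self._messages]

    def __len__(self):
        return len(self._messages)


def visibility_timeout_scenario():
    """Consumer A receives but crashes before deleting; B gets the redelivery."""
    q = SimQueue(visibility_timeout=30)
    q.send("order-1001")
    first = q.receive(now=0)     # consumer A
    hidden = q.receive(now=10)   # consumer B: nothing visible yet
    second = q.receive(now=31)   # timeout elapsed, B receives the same message
    q.delete(second["id"])
    return first["body"], hidden, second["receive_count"], len(q)


def dead_letter_scenario():
    """A poison message fails three times and is parked in the DLQ; the
    healthy message behind it is still processed."""
    dlq = SimQueue(visibility_timeout=30)
    q = SimQueue(visibility_timeout=5, max_receive_count=3, dead_letter=dlq)
    q.send("poison")
    q.send("good")
    delivered = []
    for now in range(0, 30, 6):  # t = 0, 6, 12, 18, 24; timeout has expired each time
        m = q.receive(now)
        if m is None:
            continue
        delivered.append(m["body"])
        if m["body"] == "good":  # the poison consumer never reaches delete
            q.delete(m["id"])
    return delivered, dlq.bodies(), len(q)


if __name__ == "__main__":
    print("visibility timeout:", visibility_timeout_scenario())
    print("dead-letter queue: ", dead_letter_scenario())
```

The first scenario returns a receive count of 2 for the same message, which is exactly why at-least-once delivery requires idempotent consumers. The second shows the redrive policy protecting throughput: without a dead-letter queue the poison message would keep being redelivered ahead of the good one.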
Amazon Route 53 and DNS Routing Policy Architecture
Amazon Route 53 is a highly available and scalable domain name system web service. It performs three main functions: domain registration, DNS routing, and health checking. Route 53 supports several routing policies that are frequently tested in the exam. Simple routing returns a single value for a DNS query. Weighted routing splits traffic across multiple resources according to specified proportions. Latency-based routing directs users to the AWS region with the lowest network latency. Failover routing automatically redirects traffic to a healthy resource when the primary resource fails.
Geolocation routing directs traffic based on the geographic location of the user. Geoproximity routing shifts traffic between resources based on their geographic location and can be biased toward or away from a resource. Multivalue answer routing returns multiple healthy values to DNS queries and can be used as a simple load balancing mechanism. Route 53 health checks monitor the availability and performance of resources and integrate with routing policies to enable automatic failover. Alias records allow you to map a domain name to AWS resources like CloudFront distributions, load balancers, and S3 websites without additional charges.
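The routing policies above are decision rules over a set of records, and writing them out as functions makes the exam distinctions (weighted proportions, failover on health, multivalue as a crude load balancer, latency as a minimum) concrete. This is an added example, not Route 53 code: the record dictionaries, the health flags and the per-region latency table are constructed for the illustration, and a seeded random generator replaces the resolver's selection so that the weighted split can be checked.

```python
import random


def weighted_answer(records, rng):
    """Weighted routing: a healthy record is chosen with probability
    weight / total weight. Weight 0 records are only returned when every
    healthy record has weight 0."""
    healthy = [r for r in records if r["healthy"]]
    total = sum(r["weight"] for r in healthy)
    if not healthy:
        return None
    if total == 0:
        return rng.choice(healthy)["value"]
    pick = rng.uniform(0, total)
    running = 0
    for r in healthy:
        running += r["weight"]
        if pick < running:
            return r["value"]
    return healthy[-1]["value"]


def failover_answer(primary, secondary):
    """Failover routing: the primary is returned while its health check passes."""
    return primary["value"] if primary["healthy"] else secondary["value"]


def multivalue_answer(records, max_answers=8):
    """Multivalue answer routing: up to eight healthy values per query."""
    return [r["value"] for r in records if r["healthy"]][:max_answers]


def latency_answer(records, user_latency_ms):
    """Latency-based routing: the healthy record in the region with the lowest
    measured latency for this user."""
    healthy = [r for r in records if r["healthy"]]
    return min(healthy, key=lambda r: user_latency_ms[r["region"]])["value"]


def weighted_distribution(records, n=10000, seed=1):
    """Sample the weighted policy n times and report the observed share."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        v = weighted_answer(records, rng)
        counts[v] = counts.get(v, 0) + 1
    return {k: round(c / n, 1) for k, c in sorted(counts.items())}


# Constructed records: a 90/10 blue-green split with one unhealthy target.
WEIGHTED = [{"value": "203.0.113.10", "weight": 90, "healthy": True},
            {"value": "203.0.113.20", "weight": 10, "healthy": True},
            {"value": "203.0.113.30", "weight": 50, "healthy": False}]
LATENCY = [{"value": "us.example.test", "region": "us-east-1", "healthy": True},
           {"value": "eu.example.test", "region": "eu-west-1", "healthy": True}]

if __name__ == "__main__":
    print("weighted share:", weighted_distribution(WEIGHTED))
    print("failover:", failover_answer({"value": "primary", "healthy": False},
                                       {"value": "secondary", "healthy": True}))
    print("multivalue:", multivalue_answer(WEIGHTED))
    print("latency:", latency_answer(LATENCY, {"us-east-1": 80, "eu-west-1": 20}))
```

Notice that every policy consults the health flag first: Route 53 only routes to records whose health checks pass, and that is what turns a DNS routing policy into a failover mechanism.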
AWS Storage Gateway and Hybrid Cloud Data Solutions
AWS Storage Gateway is a hybrid cloud storage service that connects on-premises environments to AWS cloud storage. It enables seamless integration between on-premises infrastructure and AWS storage services for backup, archiving, disaster recovery, and data migration use cases. There are four gateway types. File Gateway provides file-based access to S3 using NFS or SMB protocols. Volume Gateway presents block storage volumes to on-premises applications and stores data in S3. Tape Gateway replaces physical tape libraries with virtual tapes stored in S3 and Glacier.
FSx File Gateway provides low-latency access to Amazon FSx for Windows File Server from on-premises environments. AWS DataSync is a separate but related service that automates and accelerates data transfer between on-premises storage systems and AWS storage services. AWS Snowball, Snowball Edge, and Snowcone are physical devices used for large-scale data migration when network transfer is impractical due to data volume or bandwidth constraints. Knowing which hybrid storage or migration service to recommend for a given scenario is a recurring theme in the Solutions Architect exam.
High Availability and Disaster Recovery Design Patterns
High availability refers to designing systems that remain operational despite component failures by eliminating single points of failure. Disaster recovery focuses on restoring operations after a significant outage or data loss event. The four DR strategies in AWS are backup and restore, pilot light, warm standby, and multi-site active-active. Backup and restore has the lowest cost but the highest recovery time objective. Multi-site active-active has the highest cost but the lowest recovery time objective and recovery point objective.
Recovery time objective defines the maximum acceptable time to restore a service after a disruption. Recovery point objective defines the maximum acceptable amount of data loss measured in time. Designing for high availability typically involves deploying resources across multiple availability zones, using managed services with built-in redundancy, implementing health checks and automatic failover, and maintaining stateless application tiers wherever possible. Understanding how to match a DR strategy to business requirements based on cost and tolerance for downtime is a key architectural skill tested throughout the exam.
AWS Cost Optimization Strategies and Financial Architecture
Cost optimization is one of the six pillars of the AWS Well-Architected Framework, and the exam frequently tests your ability to recommend the most cost-effective architecture for a given scenario. Right-sizing involves selecting the most appropriate instance type and size for your workload to avoid over-provisioning. Using Auto Scaling ensures you only pay for the compute capacity you actually need. Spot instances provide dramatic savings for fault-tolerant and flexible workloads. Reserved instances and Savings Plans reduce costs for predictable, steady-state workloads.
AWS Trusted Advisor provides real-time recommendations across five categories: cost optimization, performance, security, fault tolerance, and service limits. AWS Cost Explorer lets you visualize, understand, and manage your AWS costs and usage over time. Consolidated billing through AWS Organizations combines usage from multiple accounts to reach volume pricing thresholds faster. Choosing S3 Intelligent-Tiering for data with unpredictable access patterns automates cost savings without performance impact. Always consider data transfer costs when designing architectures, since outbound data transfer from AWS to the internet incurs charges while transfers between services within the same region are generally free.
AWS Well-Architected Framework Pillars and Design Principles
The AWS Well-Architected Framework provides a consistent approach for evaluating architectures and implementing designs that scale over time. It is organized around six pillars. Operational excellence focuses on running and monitoring systems to deliver business value. Security encompasses protecting information and systems. Reliability ensures a workload performs its intended function correctly and consistently. Performance efficiency involves using computing resources efficiently to meet system requirements. Cost optimization focuses on avoiding unnecessary costs. Sustainability minimizes the environmental impact of running cloud workloads.
Each pillar contains design principles and best practices that guide architectural decisions. For the exam, understanding how these pillars translate into real architectural choices is more valuable than memorizing their definitions. For example, the reliability pillar manifests in practices like using multiple availability zones, implementing health checks, and designing for automatic failure recovery. The security pillar translates into always enabling encryption at rest and in transit, using IAM roles instead of long-term credentials, and enabling AWS CloudTrail for audit logging across all accounts and regions.
Conclusion
This cheat sheet has covered the most essential domains and service concepts you need to succeed in the AWS Solutions Architect Associate SAA-C03 exam. From compute and storage fundamentals to networking, security, databases, serverless architecture, and the Well-Architected Framework, every section has been crafted to give you a sharp and practical understanding of how AWS services work together to solve real architectural challenges.
Passing the SAA-C03 exam requires more than just knowing what each service is called. It demands that you understand why you would choose one service over another, how services integrate to form complete solutions, and how to balance the competing priorities of cost, performance, security, and availability in a given scenario. The exam is scenario-driven, which means the depth of your conceptual understanding will always outperform surface-level memorization.
As you move into the final stages of your preparation, use this cheat sheet as a rapid review tool rather than a primary study source. Return to areas where you feel less confident and cross-reference with official AWS documentation or your primary study course. Take multiple practice exams to identify the topics where your reasoning needs sharpening, and review every wrong answer thoroughly until you understand the logic behind the correct choice.
The AWS Solutions Architect Associate certification is a globally recognized credential that signals your ability to design robust, scalable, and cost-effective cloud solutions. Earning it places you among a respected community of cloud professionals and opens pathways to more advanced certifications and higher-level architecture roles. The knowledge you build preparing for this exam will serve you in real-world cloud projects far beyond the test itself.
Approach your final review with confidence, trust the preparation you have invested in, and remember that every architectural decision on the exam has a logical reasoning behind it rooted in the principles covered throughout this cheat sheet. You have the knowledge, the strategies, and the framework to walk into this exam and come out successful.