SAA Exam Overview

  • Intended for people performing a Solutions Architect role.
  • Valid for 2 years.
  • Question Domains
    • Design Resilient Architectures
    • Define Performant Solutions
    • Specify Secure Applications and Architectures
    • Design Cost-optimized Architectures
    • Define Operationally Excellent Architectures
  • Multiple choice questions
    • single selection
    • multiple selection

Design Resilient Architectures

  • Choose reliable/resilient storage
  • Determine how to design decoupling mechanisms using AWS services
  • Determine how to design a multi-tier arhictecture solution
  • Determine how to design high availability and/or fault tolerant solutions

High Availability vs Fault Tolerance

  • High Availability means that system is up and available but it might perform in degraded state
  • Fault Tolerant is a higher bar - it means that the user does not experience any impact of the fault - the SLA is met


  • RTO - Recovery Time Objective
    • how long does it take for system to be back online
  • RPO - Recovery Point Objective
    • how much data is lost if the system fails

Design Performant Architectures

  • Choose performant storage and databases

  • Apply caching to improve performance

  • Design solutions for elasticity and scalability

  • EBS SSD volumes offer better performance then HDD

  • Static content can be offloaded to S3 instead of keeping them on web servers

  • Data Stored on EBS is automatically replicated within an AZ


  • Amazon RDS
    • Complex transactions or complex queries
  • Amazon DynamoDB
    • Massive read/write rates
    • Scalability
  • Amazon Redshift
      • Useful for analytic queries


  • CloudFront Edge Locations
  • ElasticCache
    • Memcached
      • Multithreading, Low maintenance, Horizontal scaling
    • Redis
      • Support for data structures, Persistence, Read replicas/failover, Cluster mode/sharded clusters


  • Can be used to serve dynamic content with TTL of 0
  • Improves security, integrates with AWS WAF and AWS Shield Advanced
  • Can serve static content and cache response on the Edge nodes


  • Launch Configuration
    • EC2 instance type and AMI
  • Auto Scaling Group
    • Defines Launch Configuration
    • Min, max and the desired size of the ASG
    • May reference an ELB
    • Health check type
    • Offers scale-in protection on instance level
  • Auto Scaling Policy
    • Scaling In / Out
    • Uses CloudWatch alarms take an Auto Scaling action
  • CloudWatch
    • Monitors CPU, Network, Queue Size
    • CloudWatch Logs, Metrics (Default / Custom)

Secure Architectures

Shared Responsibility Model

  • AWS Responsibility
    (Security of the Cloud)
    • AWS Global Infrastructure
    • AWS Foundation Services (Compute, Storage, Database, Networking)
  • Customer Responsibility
    (Their Security in the Cloud)
    • Client Side Encryption, Server Side Encryption, Network Traffic Protection
    • Operating System, Network and Firewall Configuration
    • Platform, Applications, Identity and Access Management
    • Customer Content

Principle of Least Privilege

Granting the minimum access and permissions to a person / system required to perform a certain task

    • central permission management in AWS
    • can be integrated with Active Directory and AWS Directory Service using SAML identity federation

VPC Security

  • Subnets
    • Private Subnet
      Route Table does not have an entry to the Internet Gateway, internet is accessed using the NAT Gateway
    • Public Subnet
      Route Table has an entry to the Internet Gateway
  • Security Groups (Apply to ENIs)
    • Use security group membership to grant access to members of the security group
  • Network ACLs (Apply to Subnets)
  • VPC Connections
    • Internet Gateway: Connect to the internet
    • Virtual private gateway: Connect to VPN
    • AWS Direct Connect: Dedicated pipe
    • VPC Peering: Connect to other VPCs
    • NAT gateways: Allow internet traffic from private subnets
  • Securing Data Tier
    • Securing data in transit
      • SSL over web
      • VPN for IPSec
      • IPSec over AWS Direct Connect
      • Import/Export/Snowball
        • AWS API calls use HTTPS/SSL by default
      • S3 supports ACL and policies
    • Securing data at rest
      • Server-side encryption
        • Amazon S3-Managed Keys (SSE-S3)
        • KMS-Managed Keys (SSE-KMS)
        • Customer Provided Keys (SSE-C)
      • Client-side encryption
        • KMS managed master encryption keys (CSE-KMS)
        • Customer managed master encryption keys (CSE-C)
  • Storing keys
    • Key Management Service
      • Customer software-based key management
      • Integrated with many AWS services
      • Use directly from application
      • Integrates with EBS, S3, RDS, RedShift, Elastic Transcoder, Workmail, EMR
    • AWS CloudHMS
      • Hardware based key management
      • Use directly from application
      • FIPS 140-2 compliance

Design Cost-Optimized Architectures

  • AWS Pricing
    • Pay as you go
    • Pay less when you reserve
    • Pay even less per unit using more
  • Fundamental Pricing Characteristics
    • Compute Pricing
      • Duration of using an instance
      • Machine configuration
      • Purchase type
      • Number of instances
      • Load balancing
      • Detailed monitoring
      • Auto Scaling
      • Elastic IP
      • Operating system and software packages
    • Storage Pricing
      • S3
        • Storage class
        • Storage
        • Requests
        • Data transfer
      • EBS
        • Volumes
        • Input/output operations per second (IOPS)
        • Snapshots
        • Data transfer
    • Data Transfer Pricing
  • Serverless Architecture
    • Reducing cost spent through using Lambda, S3, DynamoDB and API Gateway
    • CloudFront Pricing
      • Traffic distribution
      • Number of requests
      • Data transfer out

Operational Excellence

  • Cycle
    • Prepare
    • Operate
    • Evolve
  • Design Principles
    • Perform operations with code
    • Annotate documentation
    • Make frequent, small, reversible changes
    • Refine operations procedures frequently
    • Anticipate failure
    • Learn from all operational failures
  • Services
    • AWS Config
      Tracks resources such as EBS volumes and EC2 instances, verifies that resources comply with configuration rules
    • AWS CloudFormation
      Converts Yaml and Json templates into cloud resources
    • AWS Trusted Advisor
      Checks account for best practices on security, reliability, performance, cost and service limits
    • AWS Inspector
      Checks EC2 instances for security vulnerabilities
    • VPC Flow Logs
      Logs network traffic
    • AWS Cloud Trail
      Logs API calls
    • AWS CloudWatch
      Tracks metrics and triggers alarms when metrics are exceeded

Test Axioms

  • Design Resilient Architectures
    • Expect ‘Single AZ’ will never be a right answer
    • Using AWS managed services should always be preferred
    • Fault tolerant and high availability are not the same thing
    • Expect that everything will fail at some point and design accordingly
  • Design Performant Architectures
    • If data is unstructured, Amazon S3 is the storage solution
    • Use caching to strategically improve performance
    • Know when and why to use Auto Scaling
    • Choose the instance and database type that makes the most sense for your workload and performance need
  • Secure Architectures
    • Lock down the root user
    • Security groups only allow. Network ACLs allow explicit deny.
    • Prefer IAM Roles to access keys
  • Cost-optimized Architectures
    • Reserve resources to save costs
    • Any unused CPU time is a waste of money
    • Use the most cost-effective data storage service and class
    • Determine the most cost-effective EC2 pricing model and instance type for each workload
  • Operational Excellence
    • IAM roles are easier and safer than keys and passwords
    • Monitor metrics across the system
    • Automate responses to metrics where appropriate
    • Provide alerts for anomalous conditions