AWS Solutions Architect Associate (SAA-C03) — Security Domain Deep Dive
A practitioner's breakdown of the SAA-C03 security domain — what's in scope, what isn't, the question patterns AWS reuses, and a 4-week focused prep slice for the 30% that makes or breaks the exam.

The SAA-C03 security domain is the single largest part of the AWS Certified Solutions Architect Associate exam — roughly 30% of the scored questions are explicit security design questions, and another chunk of the architecture and resilience domains lean on security primitives. If you understand this domain cold, you've passed a third of the test before you've thought about anything else. If you skim it, no amount of VPC peering trivia will save you. This deep dive walks the exact security surface SAA-C03 tests, the question patterns AWS recycles, what's deliberately out of scope compared to the deeper SCS-C03, and a 4-week prep slice you can run alongside your broader SAA study.
If you're searching for SAA-C03 security domain material and you already work in cloud security, the framing here will feel familiar — the difference is that SAA-C03 wants design-level fluency across many services, where SCS-C03 wants operational depth in fewer services. We'll point out the gap throughout, because plenty of SAA candidates are people who'll later sit SCS-C03 and the boundary between the two matters.
The SAA-C03 security domain at a glance
The current SAA-C03 blueprint has four domains. The official domain weights are: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), and Design Cost-Optimized Architectures (20%). The security domain is the heaviest. The exam itself is 65 questions, 130 minutes, scored 100–1000 with 720 to pass — slightly shorter and slightly more forgiving than SCS-C03.
- Format: 65 questions, 130 minutes
- Passing score: 720 / 1000
- Cost: USD 150
- Validity: 3 years
- Security domain weight: ~30% (around 20 of the 65 questions)
What's in scope for SAA-C03 security
The security domain covers six broad areas, all at a design level. You need to be able to pick the right service for a given scenario and explain how it fits the rest of the architecture — you do NOT need to know finding-type strings, JSON policy syntax to the depth of SCS-C03, or operational runbooks for incident response. Expect questions like: 'Which combination of services BEST protects the application from common web exploits while minimizing operational overhead?' The right answer is usually a managed service combined with a sensible default.
- IAM fundamentals: users, groups, roles, identity vs resource policies, the difference between an IAM user and an IAM role, federation with SAML and Identity Center, MFA enforcement, instance profiles
- Data protection: S3 encryption (SSE-S3 vs SSE-KMS vs SSE-C — when each is appropriate), EBS encryption defaults, RDS encryption at rest and in transit, KMS basics (customer-managed vs AWS-managed keys, when you'd choose each), Secrets Manager vs Parameter Store
- Network security: VPC structure (public/private/isolated subnets), security groups vs NACLs, NAT gateways, VPC endpoints (gateway for S3/DynamoDB, interface for the rest), VPC peering vs Transit Gateway, AWS PrivateLink
- Edge protection: AWS WAF on CloudFront / ALB / API Gateway, AWS Shield Standard vs Advanced, CloudFront signed URLs and signed cookies, geo restriction
- Detection and compliance awareness: GuardDuty (what it does, where findings appear), AWS Config (rules, conformance packs at a high level), CloudTrail (management vs data events at a high level), Security Hub as an aggregator
- Governance: AWS Organizations, SCPs as a guardrail concept, Control Tower as a landing-zone tool, cross-account access patterns using IAM roles
What's deliberately OUT of scope
Knowing what SAA-C03 doesn't test saves you weeks. The exam will not ask you to: write or debug a multi-statement IAM policy with NotAction, NotResource, and three Condition keys; walk through a CloudTrail Lake SQL query; choose between KMS grants, key policies, and IAM for cross-account encryption; design a Network Firewall stateful rule set; remediate a specific GuardDuty finding by name; build a multi-account logging architecture with centralized subscription destinations and Kinesis Firehose. All of that is SCS-C03 territory.
If a SAA-C03 practice question reads like an SCS-C03 question (long JSON policy, named finding types, three-control combinations), it's either out-of-date material or from a prep vendor over-shooting. The real SAA-C03 stays at the level of 'pick the right service combination.'
SAA-C03 vs SCS-C03 — the security depth comparison
Side-by-side, the boundary is clear. Use this as your filter when you're choosing study material.
- IAM — SAA-C03: read a simple policy, know roles vs users, federation concepts. SCS-C03: read multi-statement policies fluently, know policy evaluation logic (explicit deny > explicit allow > implicit deny), trust policies, permissions boundaries, session policies, ABAC, all the privilege-escalation paths
- Encryption — SAA-C03: know that SSE-KMS exists and when to use a CMK. SCS-C03: KMS key policy vs IAM vs grants, kms:ViaService and kms:EncryptionContext, multi-region keys, cross-account encrypted S3 access requiring all three of bucket policy + IAM + key policy
- Networking — SAA-C03: SGs vs NACLs at a conceptual level, VPC endpoints, basic WAF awareness. SCS-C03: VPC endpoint policies as a third control after bucket policy and IAM, Network Firewall Suricata rules, WAF rule groups and rate-based rules in detail
- Detection — SAA-C03: 'GuardDuty exists, findings go to Security Hub.' SCS-C03: which GuardDuty finding types are high-fidelity, suppression rules without blinding yourself, EventBridge → Lambda auto-containment patterns
- Governance — SAA-C03: SCPs exist as a guardrail. SCS-C03: SCP patterns for region restriction, denying CloudTrail tampering, blocking IMDSv1, with concrete JSON
Common SAA-C03 security question patterns
AWS recycles a handful of question shapes. Recognising the pattern shaves time and surfaces the right answer faster. Here are the patterns that show up most often in the security domain.
Pattern 1 — 'private connectivity to S3.' The setup involves EC2 in a private subnet needing to reach S3 without going over the internet. The right answer is always an S3 gateway endpoint with a route table entry. The distractors are a NAT gateway, an interface endpoint (correct service but billed per ENI when gateway is free), or a VPN. Memorise: S3 and DynamoDB get gateway endpoints; everything else uses interface endpoints (PrivateLink).
Pattern 2 — 'protect a web app from OWASP top 10.' The right answer pairs AWS WAF with a managed rule group on CloudFront or ALB. Distractors include security groups (wrong layer), Shield Advanced (does DDoS, not L7 inspection), or a Lambda@Edge custom function (re-implements WAF). Pattern variant: 'and protect from DDoS' → add Shield Standard (free, automatic) or Shield Advanced (paid, with the DDoS Response Team).
Pattern 3 — 'encrypt RDS with a customer-managed key.' Always: SSE-KMS with a customer-managed CMK. The distractor is SSE-S3 (which doesn't apply to RDS) or 'encrypt at the application layer' (over-engineered, exam dislikes it). Whenever a question mentions 'we must rotate the key on our schedule' or 'we must audit who used the key,' it's a customer-managed CMK.
Pattern 4 — 'application needs database credentials.' Always: Secrets Manager (with rotation) over Parameter Store, unless the question mentions cost-sensitivity for non-rotating configuration, in which case Parameter Store SecureString. The third distractor is usually 'store in an environment variable' (wrong) or 'hard-code in the AMI' (very wrong).
Pattern 5 — 'cross-account access.' Always: assume a role in the target account via sts:AssumeRole. Distractors include sharing IAM access keys (wrong, never), publishing data via cross-region replication (over-engineered), or using resource-based policies alone (doesn't address most service patterns). When the question adds a SaaS provider, the answer is a role with sts:ExternalId.
Pattern 6 — 'audit all API activity across all accounts.' Always: an organization-wide CloudTrail trail to a centralized S3 bucket in a logging account. Distractors are per-account trails (operational overhead), CloudWatch Logs subscription only (incomplete), or AWS Config alone (covers state, not API activity).
4-week prep slice focused on security alone
If you're studying for SAA-C03 broadly, this is the 4-week chunk to allocate to the security domain. Run it in parallel with the rest of your prep — don't sequence it as 'security only for 4 weeks then everything else.'
- Week 1 — IAM and identity. Read the IAM User Guide sections on users, groups, roles, federation, and Identity Center. Set up an Identity Center instance in a free-tier account, create two permission sets, assign yourself, and switch between roles. Do the free S3 misconfiguration lab at labs.shieldsyncsecurity.com end to end — it cements IAM and S3 together. Target 8 hours.
- Week 2 — Data protection. Cover S3 encryption options, EBS / RDS encryption, KMS at a conceptual level (no key policy syntax depth needed), Secrets Manager. Create a customer-managed KMS key in the console and use it to encrypt an S3 bucket and an RDS instance, just to see the workflow. Target 8 hours.
- Week 3 — Network and edge security. VPC layouts (public, private, isolated), SGs vs NACLs (memorise: SGs stateful, NACLs stateless), VPC endpoints (gateway vs interface), AWS WAF on CloudFront / ALB, Shield Standard vs Advanced. Build a VPC by hand with a private subnet, an S3 gateway endpoint, and a restrictive endpoint policy. Target 10 hours.
- Week 4 — Detection, compliance, governance. GuardDuty (enable in a free-tier account, look at the findings UI), Security Hub as the aggregator, AWS Config rules, CloudTrail trail to S3 + a quick Athena query, AWS Organizations + SCPs at a conceptual level. Then run two timed practice exam sections focused on the security domain. Target 10 hours.
Console time matters less for SAA-C03 than for SCS-C03, but it still beats reading. An hour clicking through the actual GuardDuty console will teach you more than five hours of video about what GuardDuty does.
Resources we recommend for the security domain
- AWS Certified Solutions Architect – Associate Exam Guide (free PDF from AWS) — the only canonical source for the blueprint
- AWS Well-Architected Security Pillar whitepaper (free) — covers the design-thinking the exam rewards
- AWS Skill Builder SAA-C03 learning plan (free) — AWS-authored, closest match to exam phrasing
- Tutorials Dojo SAA-C03 practice exams — the standard for timed full-length practice in the final two weeks
- Stephane Maarek's Ultimate AWS Solutions Architect Associate course on Udemy — most popular paid course, strong on the security domain
Hands-on labs that double-dip for SAA and SCS-C03
If you intend to sit SCS-C03 after SAA-C03 (a common pairing for cloud security engineers), choose hands-on labs now that cover both. The free S3 misconfiguration audit is the obvious one — at SAA depth it teaches bucket policies, IAM, and Block Public Access; at SCS-C03 depth the same lab adds KMS key policy nuance. Pay-per-lab options on labs.shieldsyncsecurity.com extend into IAM privilege escalation (Domain 4 of SCS-C03) and detection workflows (Domain 1).
Common mistakes SAA-C03 candidates make on security questions
- Reading the question too quickly and picking the security service mentioned, not the one that fits the scenario. WAF is for L7 web exploits, NOT for DDoS (that's Shield) and NOT for IP-based blocking inside a VPC (that's NACL/SG)
- Treating IAM users and IAM roles interchangeably. EC2 instances and Lambda functions assume roles via instance profiles or service roles, NEVER use embedded user credentials
- Picking S3 ACLs as an answer. They're effectively deprecated for new buckets — the right answer in 2025/2026 is always bucket policy + Block Public Access
- Forgetting that gateway endpoints for S3/DynamoDB are free while interface endpoints cost per ENI-hour — cost-optimization questions hinge on this
- Confusing SCPs with IAM policies. SCPs are guardrails that can only restrict, never grant. IAM policies are what actually grant access
Should you go on to SCS-C03 next?
If you came to SAA-C03 because you want to specialise in cloud security, the answer is yes. SCS-C03 is the natural next step and the credential most hiring managers in Indian and global cloud security teams actually look for. The SAA-C03 security domain you just studied is essentially the surface-level layer of every SCS-C03 domain — the deeper material is the gap between them, and the 6-week SCS-C03 study plan in our companion guide takes you the rest of the way.
If you came to SAA-C03 as a general architect and security is one of four domains for you, you don't need SCS-C03. Use this depth for SAA, sit the exam, then expand into the Networking Specialty or DevOps Pro paths depending on your direction. The SCS-C03 study guide on the blog is the most-read sibling article to this one if you want to see what the next level looks like before deciding.
Day-of strategy for security questions on SAA-C03
- Read the stem twice before looking at the options. The qualifier words — MOST cost-effective, LEAST operational overhead, BEST practice — change which right-feeling answer is actually correct
- When two answers both technically work, the managed AWS service almost always wins over the do-it-yourself approach
- When the question mentions 'public-facing web application' assume the answer involves WAF + CloudFront + Shield at the edge
- When it mentions 'PII' or 'compliance' the answer involves KMS encryption with customer-managed keys and CloudTrail logging
- When it mentions 'cross-account' the answer is sts:AssumeRole, period
- Flag any question you spend more than 2 minutes on and move on. SAA-C03 gives you exactly 2 minutes per question on average — banked time on easy ones is what lets you think on the hard ones
Start with one free lab
The single most useful hour you can spend on SAA-C03 security prep is running the free S3 misconfiguration audit lab end to end. It exercises IAM, bucket policies, encryption, and Block Public Access — four of the most-tested concepts — in a real isolated AWS account in your browser. Pair it with a read of the AWS Exam Guide and the 4-week plan above and you've covered the security domain to the depth SAA-C03 actually rewards. The full AWS Security Certification page on shieldsyncsecurity.com lists every lab mapped to both SAA-C03 security and SCS-C03 domains if you're planning to ladder up.