FlashGenius Logo FlashGenius
AWS SAA-C03 Exam Prep · Page 1 of Series

Design Secure Architectures

SAA-C03 · Domain 1 · 30% of Exam

Study with Practice Tests →

Design Secure Architectures

Domain 1 of the SAA-C03 exam — the largest domain at 30%. Covers IAM, multi-account governance, VPC security, application protection, and data encryption controls.

Domain 1 · 30% of Exam · ~20 Questions

Domain Task Statements

TaskFocus AreaKey Services
1.1 Secure Access to AWS ResourcesIAM, federated identity, multi-accountIAM, STS, Organizations, Control Tower, IAM Identity Center
1.2 Secure Workloads & ApplicationsVPC, WAF, Shield, Secrets Manager, CognitoVPC, SGs, NACLs, WAF, Shield, Cognito, Secrets Manager
1.3 Data Security ControlsKMS, ACM, encryption, data lifecycleKMS, ACM, CloudHSM, S3 encryption, Macie, GuardDuty

What You'll Master

IAM Deep Dive

Users, groups, roles, policies, permission boundaries, and STS. Understand identity-based vs resource-based policies. Master the policy evaluation logic — explicit DENY always wins.

Multi-Account Governance

AWS Organizations, SCPs (Service Control Policies), and Control Tower. SCPs set the MAXIMUM permissions for member accounts — they can only restrict, never grant beyond what SCPs allow.

VPC Security Architecture

Security Groups (stateful, instance-level) vs NACLs (stateless, subnet-level). Public/private subnets, NAT gateways, and VPC endpoints for private connectivity to AWS services.

Application Security

AWS WAF for Layer 7 SQL injection/XSS protection. Shield Standard (free) vs Advanced ($3K/mo). Amazon Cognito for user authentication. Secrets Manager for automatic secret rotation.

Data Protection

KMS (CMK vs AWS-managed keys), ACM for TLS/SSL certificates, S3 encryption options (SSE-S3, SSE-KMS, SSE-C), CloudHSM for dedicated FIPS 140-2 Level 3 hardware, and data lifecycle controls.

Shared Responsibility Model

AWS secures the cloud infrastructure (hardware, software, networking, facilities). Customers secure what's IN the cloud: IAM, OS patching, application security, network controls, and encryption.

Exam Tips

Biggest Domain — 30%

Domain 1 carries the most weight. Every question has security implications. Know the DIFFERENCE between resource-based policies vs identity-based policies and when each applies.

Roles vs Users

Always prefer IAM roles (temporary STS credentials) for EC2 instances, Lambda functions, and cross-account access. IAM users with long-term access keys are a last resort and a security risk.

Encryption Service Selection

KMS = managed, most use cases. CloudHSM = dedicated hardware, FIPS 140-2 Level 3, you control everything. ACM = TLS/SSL certificates for ALB, CloudFront, API Gateway. Match the service to the requirement.

Key Services Covered

IAM IAM Identity Center (SSO) AWS STS AWS Organizations Control Tower VPC Security Groups NACLs AWS WAF AWS Shield Amazon Cognito AWS Secrets Manager AWS KMS AWS ACM Amazon GuardDuty Amazon Macie AWS CloudHSM

Core Concepts

Eight concept areas covering every task statement in Domain 1. Click through each card to build deep understanding before the quiz.

1. IAM: Users, Groups, Roles & Policies

Identity and Access Management Fundamentals

  • IAM Users: long-term credentials; use for humans or apps needing permanent access; best practice = MFA + least privilege
  • IAM Groups: collection of users; attach policies to groups (not individual users) for manageability; groups cannot be nested
  • IAM Roles: temporary credentials via STS; used by EC2, Lambda, cross-account access, federated users; no long-term keys stored
  • Identity-based policies: attached to a principal (user, group, role); define what actions the principal can take
  • Resource-based policies: attached to the resource (e.g., S3 bucket policy); define who can access the resource; support cross-account without AssumeRole
  • Permission boundaries: set the MAXIMUM permissions an identity policy can grant to a principal; cannot grant more than the boundary allows
  • SCPs: set maximum permissions for an entire OU or account; act as a guardrail, not a grant
  • Policy evaluation order: Explicit DENY wins → SCPs → Resource-based → Identity-based → Permission Boundary
  • Root user: use ONLY for account setup tasks (billing, close account); lock with MFA; never use for daily tasks
  • Access keys: for CLI/SDK/API; rotate regularly; never embed in code; use Secrets Manager or IAM roles instead

2. Multi-Account Security: Organizations, SCPs & Control Tower

Governance at Scale

  • AWS Organizations: manages multiple accounts under a single management account; enables consolidated billing and SCPs; organized into OUs (Organizational Units)
  • SCPs: applied to OUs or accounts; set MAXIMUM permissions (even if identity policy allows, SCP can deny); do NOT affect management account; do NOT grant permissions by themselves
  • AWS Control Tower: automated multi-account setup with guardrails; preventive guardrails (SCPs) stop non-compliant actions; detective guardrails (Config rules) detect violations; uses a Landing Zone
  • AWS IAM Identity Center (SSO): centralized SSO for all accounts; integrates with AD/SAML IdPs; preferred over per-account IAM users; uses permission sets instead of IAM policies per account
  • Cross-account access: use IAM roles + STS AssumeRole; define trust policy on role in target account; assume role from source account; no need to create IAM users in target account
  • AWS RAM (Resource Access Manager): share resources (subnets, Transit Gateways, Route 53 Resolver rules) across accounts without separate copies

3. VPC Security Architecture

Network Perimeter Controls

  • Security Groups (SGs): stateful (return traffic auto-allowed); operate at instance/ENI level; allow rules only (no explicit deny); can reference other SGs by ID
  • Network ACLs (NACLs): stateless (must allow both inbound and outbound explicitly); operate at subnet level; ordered rule evaluation (lowest number wins); support ALLOW and DENY rules
  • Public vs Private subnets: public = route table has Internet Gateway (IGW) route; private = no direct IGW; use NAT Gateway (in public subnet) for private outbound internet
  • NAT Gateway: managed, highly available per-AZ; ~$0.045/hr + data processing; for HA deploy one NAT GW per AZ; NAT Instance = cheaper, self-managed, single point of failure
  • Gateway VPC Endpoints: S3 and DynamoDB only; free; added to route table; traffic stays on AWS network
  • Interface VPC Endpoints: 150+ services via PrivateLink; creates an ENI in your subnet; costs ~$0.01/hr per AZ; DNS resolution directs traffic privately
  • AWS PrivateLink: expose services privately across VPCs/accounts; consumer uses Interface endpoint; provider creates endpoint service; no VPC peering, no route table changes needed

4. Application Security: WAF, Shield & Cognito

Protecting Your Applications

  • AWS WAF: Layer 7 (HTTP/HTTPS) firewall; attaches to ALB, CloudFront, API Gateway, AppSync; rules include IP sets, rate limiting, managed rule groups (OWASP Top 10, bot control); protects against SQL injection and XSS
  • AWS Shield Standard: automatic, free DDoS protection for ALL AWS customers; protects L3/L4 attacks (SYN floods, UDP reflection); always on, no configuration needed
  • AWS Shield Advanced: paid (~$3,000/mo); enhanced DDoS protection for L3/L4/L7; 24/7 DDoS Response Team (DRT); cost protection for scaling during attacks; detailed attack diagnostics; recommended for internet-facing critical workloads
  • Amazon Cognito User Pools: user directory for web/mobile apps; handles sign up, sign in, MFA; returns JWT tokens; integrates with social IdPs (Google, Facebook)
  • Amazon Cognito Identity Pools: grants temporary AWS credentials using STS; federates with User Pools, social IdPs, SAML providers; enables unauthenticated guest access too
  • AWS Secrets Manager: store, rotate, and retrieve secrets (DB passwords, API keys); automatic rotation via Lambda; native integration with RDS, Redshift, DocumentDB; costs per secret/month
  • SSM Parameter Store: store config data and secrets; free tier for Standard parameters; SecureString type uses KMS encryption; no auto-rotation (must implement manually); simpler than Secrets Manager

5. Data Encryption: KMS, ACM & CloudHSM

Protecting Data at Rest and in Transit

  • AWS KMS CMK (Customer Managed Key): full control; optional annual rotation; you set key policy; audit usage via CloudTrail; can be used cross-account
  • AWS Managed Key: auto-rotated every year by AWS; used by default by AWS services (S3, EBS, RDS); you can view but not manage key policy
  • S3 SSE-S3: AES-256, managed entirely by AWS; default since Jan 2023 for all new buckets; lowest overhead
  • S3 SSE-KMS: uses KMS CMK; CloudTrail logs every key use; allows per-object key control; requires IAM permission to both S3 and KMS
  • S3 SSE-C: customer-provided key; AWS performs encryption but you manage and provide the key per request; key never stored by AWS
  • EBS encryption: uses KMS; must enable at creation time (cannot encrypt an existing unencrypted volume — must snapshot + copy + enable encryption)
  • RDS encryption: uses KMS; must enable at DB creation; encrypted read replicas from encrypted source; cannot enable on existing unencrypted instance (must snapshot + restore)
  • AWS ACM: provisions and auto-renews TLS/SSL certificates; use with ALB, CloudFront, API Gateway; public certificates are free; certificates cannot be exported (private key stays in ACM)
  • AWS CloudHSM: dedicated hardware security module (FIPS 140-2 Level 3); you control keys exclusively (AWS has ZERO access); more expensive; use for regulatory requirements mandating dedicated HSM
  • Key rotation: CMK annual auto-rotation retains old key material for decrypting existing data; ACM certs auto-renewed 60 days before expiry

6. Identity Federation & STS

Temporary Credentials and Federation

  • AWS STS (Security Token Service): issues temporary security credentials (access key + secret access key + session token); duration 15 min to 12 hours
  • AssumeRole: for cross-account access, EC2 instance profiles, Lambda execution roles; requires trust policy on the role allowing the principal to assume it
  • AssumeRoleWithWebIdentity: federation with web IdPs (Google, Facebook, Amazon Cognito); returns temp credentials; Cognito Identity Pools use this under the hood
  • AssumeRoleWithSAML: enterprise federation with SAML 2.0 IdPs (AD FS, Okta, Azure AD); enables SSO to AWS Console and APIs without IAM users
  • AWS Managed Microsoft AD: full Active Directory; supports MFA, trust relationships with on-prem AD
  • AD Connector: directory proxy redirecting auth requests to on-prem AD; no directory data stored in AWS; requires network connectivity to on-prem
  • Simple AD: Samba-based, lightweight; low cost; limited AD features; no MFA, no trust relationships
  • IAM Identity Center: recommended for multi-account SSO; integrates with external IdPs via SCIM for user provisioning; manages permission sets across accounts; preferred over per-account IAM users

7. Securing S3 & Data Lifecycle

Object Storage Protection

  • S3 Bucket Policy: resource-based policy; grants cross-account access; use aws:SecureTransport: false in Deny to enforce HTTPS; use aws:SourceVpc to restrict to specific VPC
  • S3 Block Public Access: account-level or bucket-level; always enable unless intentionally public; overrides bucket policies and ACLs that grant public access
  • S3 ACLs: legacy access control; recommend disabling via Bucket Owner Enforced (Object Ownership setting); use bucket policies instead
  • Amazon Macie: ML-powered service to discover and protect sensitive data (PII, financial data, credentials) in S3; generates findings for sensitive data exposure; integrates with Security Hub
  • S3 Object Lock — Governance mode: WORM protection with override option; users with special permissions (s3:BypassGovernanceRetention) can override; useful for most compliance scenarios
  • S3 Object Lock — Compliance mode: strict WORM; NO ONE can delete or modify — not even the root account — until retention period expires; for strict regulatory requirements
  • S3 Lifecycle rules: automatically transition objects between storage classes or expire after specified days; e.g., move to Glacier after 30 days, delete after 365 days
  • Amazon GuardDuty: threat detection using ML + VPC Flow Logs + CloudTrail + DNS logs; detects crypto mining, credential compromise, unusual API calls; enable per-region; 30-day free trial

8. Compliance & Governance Controls

Visibility, Auditing, and Compliance

  • AWS Config: records resource configuration history over time; evaluates compliance via Config Rules (managed or custom Lambda); supports auto-remediation via SSM Automation; retains configuration history for audits
  • AWS CloudTrail: logs ALL API calls (who, what, when, from where); management events free; data events (S3 object ops, Lambda invokes) cost extra; Insights for unusual activity patterns; encrypt logs with KMS; store in S3
  • AWS Artifact: self-service portal for AWS compliance reports (SOC 1/2/3, PCI DSS, ISO 27001); download for your own audit purposes; demonstrates AWS compliance posture
  • AWS Security Hub: aggregates findings from GuardDuty, Macie, Inspector, Config, IAM Access Analyzer; single pane of glass for security posture; CIS AWS Foundations Benchmark checks; cross-account aggregation
  • Amazon Inspector: automated vulnerability assessment; scans EC2 (via SSM agent) and ECR container images; checks CVEs, network exposure, software vulnerabilities; generates risk scores
  • IAM Access Analyzer: identifies resources shared externally (S3, IAM roles, KMS keys, Lambda functions, SQS queues) using automated policy analysis; validates IAM policies before deployment; generates findings for unintended access

Memory Hooks

Six sticky mental models to burn the key distinctions into memory. Read them, say them out loud, then hit the Quiz.

🚫
Policy Evaluation
DENY Wins Always
Evaluation order: Explicit DENY → SCPs → Resource-based → Identity-based → Permission Boundary. One DENY anywhere in the chain = access denied, period. Even if five other policies allow it.
🧠
Network Controls
SG = Smart · NACL = Naive
Security Groups are Stateful (Smart — remember return traffic) at instance level. NACLs are Stateless (Naive — you set BOTH directions) at subnet level. Also: SGs allow only; NACLs allow AND deny.
🔑
Key Management
KMS vs CloudHSM
KMS = AWS manages the HSM hardware, you manage keys. CloudHSM = YOU manage the dedicated HSM (FIPS 140-2 Level 3), AWS has zero access. Need dedicated hardware or regulatory mandate? CloudHSM. Otherwise, KMS.
🎭
Credentials
Roles Not Users
Give EC2, Lambda, and cross-account access IAM Roles (temporary STS creds) — never long-term IAM user access keys. Roles = no credentials to leak, no rotation burden, automatically expired.
🛣️
VPC Endpoints
Gateway = Free Two · Interface = Everything Else
Gateway endpoints: S3 + DynamoDB only, completely free, uses a route table entry. Interface endpoints (PrivateLink): 150+ services, costs ~$0.01/hr per AZ, creates an ENI in your subnet. Know the two by heart.
🛡️
DDoS Protection
Shield Tiers: Free vs $3K
Shield Standard = free, automatic, L3/L4 only. Shield Advanced = ~$3,000/mo, L3/L4/L7 DDoS, 24/7 DRT, cost protection for scaling. WAF sits on top of both for Layer 7 custom rules.

Practice Quiz

10 scenario-based questions reflecting real SAA-C03 exam style. Select your answer for each question, then click Submit to see your score.

1. A company needs to allow an EC2 instance to access an S3 bucket without embedding credentials in the application. What is the MOST secure approach?
2. A security team needs to ensure that no account in their AWS Organization can disable AWS CloudTrail, even if an account administrator tries to do so. What should they implement?
3. A web application behind an Application Load Balancer is experiencing SQL injection attacks. Which service should be used to block these attacks?
4. A company must store database passwords and automatically rotate them every 30 days. Which service is BEST suited for this?
5. An application in a private subnet needs to call the S3 API without traffic traversing the internet. What is the MOST cost-effective solution?
6. A Solutions Architect needs to enforce MFA for all IAM users in an account when they attempt to use the AWS Console. What is the CORRECT approach?
7. A company needs to encrypt data at rest in RDS using customer-managed keys and have the ability to audit key usage. Which combination meets this requirement?
8. Which security service uses machine learning to analyze VPC Flow Logs, CloudTrail events, and DNS logs to detect threats such as cryptocurrency mining and credential compromise?
9. A company has multiple AWS accounts and wants to provide employees with single sign-on access to all accounts using their existing Active Directory credentials. What is the recommended solution?
10. A company wants to allow only encrypted connections to an S3 bucket and block all unencrypted HTTP requests. Which bucket policy condition correctly enforces this?

Flashcards

8 cards covering the most exam-critical distinctions. Click any card to flip it and reveal the answer.

Click a card to flip · Click again to flip back
IAM Policy Evaluation
What always wins regardless of other policies?
Explicit DENY wins over everything — SCPs, resource policies, identity policies, permission boundaries. One deny anywhere in the evaluation chain = access denied, full stop.
Security Group vs NACL
Which is stateful? Which is stateless?
Security Groups are stateful — return traffic automatically allowed, instance level.
NACLs are stateless — must explicitly allow both inbound AND outbound, subnet level.
Gateway vs Interface VPC Endpoint
Which services? What's the cost?
Gateway: S3 + DynamoDB only, free, uses route table entry.
Interface: 150+ services via PrivateLink, ENI in subnet, ~$0.01/hr per AZ.
KMS CMK Key Rotation
What happens to data encrypted with the old key?
Old key material is retained for decrypting existing data. New key material encrypts new data. Rotation does not automatically re-encrypt existing data.
SCPs & the Management Account
Do SCPs apply to the management account?
No — SCPs never apply to the management (master) account, only to member accounts and OUs below the root. The management account always has full permissions.
Shield Standard vs Shield Advanced
Cost, coverage, and key differences?
Standard: free, automatic, L3/L4 only.
Advanced: ~$3,000/month, L3/L4/L7, 24/7 DRT, cost protection for scaling caused by DDoS attacks.
Cognito User Pool vs Identity Pool
Authentication vs Authorization?
User Pool: user directory, handles sign up/sign in, returns JWT tokens — authentication.
Identity Pool: grants temporary AWS credentials via STS — authorization for AWS resources.
KMS vs CloudHSM
When do you choose CloudHSM over KMS?
Choose CloudHSM when you need dedicated hardware (FIPS 140-2 Level 3), exclusive key control (AWS has zero access), or regulatory requirements mandate a dedicated HSM. KMS for everything else.

Study Advisor

Personalized guidance based on where you are in your preparation. Select your stage.

Beginners

  • Start with the Shared Responsibility Model — understand what AWS secures vs what you secure
  • Learn the IAM policy JSON structure: Effect, Action, Resource, Condition; create a few policies in the AWS Console
  • Understand the difference between an IAM user (long-term credentials) and an IAM role (temporary credentials via STS)
  • Build a simple VPC from scratch: public subnet with IGW, private subnet with NAT Gateway; attach security groups and NACLs
  • Enable GuardDuty and CloudTrail in a test account to see what they log
  • AWS free tier is your friend — hands-on labs cement concepts far faster than reading alone

Resources & Further Reading

Curated resources to deepen your understanding of Domain 1 topics beyond the flashcards.

Official AWS Resources

SAA-C03 Exam Guide

Official exam guide listing all task statements, in-scope services, and example question types for the Solutions Architect Associate exam.

aws.amazon.com/certification →

AWS IAM Documentation

Comprehensive reference for IAM policies, roles, users, groups, STS, and federation. The policy evaluation logic section is essential exam reading.

docs.aws.amazon.com/iam →

AWS Security Best Practices Whitepaper

AWS's official security best practices whitepaper covering IAM, data protection, infrastructure security, detection, and incident response at scale.

Read whitepaper →

Well-Architected Framework — Security Pillar

Deep dive into the Security Pillar covering identity, detection, infrastructure protection, data protection, and incident response with design principles.

Security Pillar →

AWS re:Inforce Sessions

Annual AWS security conference sessions on IAM, VPC security, KMS, and compliance. The IAM deep-dive sessions are particularly valuable for exam prep.

AWS Events YouTube →

AWS KMS Developer Guide

Complete reference for KMS key types, key policies, grants, and encryption context. Understand CMK vs AWS-managed key distinctions thoroughly.

KMS documentation →

Key Topics to Review

TopicPriorityWhy It Matters
IAM Policy Evaluation LogicCriticalAppears in many scenario questions; understanding DENY propagation is essential
Security Groups vs NACLsCriticalStateful vs stateless distinction is a classic exam trap
VPC Endpoints (Gateway vs Interface)HighCost-effective private connectivity; common cost-optimization question
KMS vs CloudHSMHighMatching encryption service to requirement is tested frequently
Secrets Manager vs Parameter StoreHighAuto-rotation capability is the key differentiator
Shield Standard vs Advanced + WAFMediumLayer distinction (L3/L4 vs L7) and cost are common question elements
Cognito User Pool vs Identity PoolMediumAuthentication vs authorization distinction trips up many candidates
SCPs and Management AccountMediumSCPs not applying to management account is a frequent distractor

Ready to Ace the SAA-C03?

Build on Domain 1 with full-length practice exams and timed study sessions.

Start Free Practice Tests →