SAA-C03 Glossary — High-Confusion AWS Terms for Architecture Scenarios

A practical SAA-C03 glossary focused on the AWS terms and design distinctions candidates most often confuse under exam pressure.

Use this glossary when SAA-C03 questions feel wrong mostly because the AWS terms are too close to each other. The exam is full of options that are technically related but architecturally different.

RTO: Recovery Time Objective, the maximum acceptable time to restore service after a disruption.

RPO: Recovery Point Objective, the maximum acceptable amount of data loss measured in time.

SCP: Service control policy, the AWS Organizations guardrail that limits the maximum permissions accounts or OUs can use.

Core terms

  • Active-active: Disaster recovery pattern where workloads run live in more than one Region and every environment can serve production traffic at the same time.
  • Availability Zone (AZ): One or more discrete data centers within a Region. Multi-AZ design protects against one-AZ failure, not full-Region failure.
  • AWS Backup: Central backup service that can coordinate backup plans across supported AWS resources. It is about recovery and retention, not live failover.
  • AWS Config: Service for recording configuration state and evaluating resource compliance over time. It is not the same thing as request metrics or API audit history.
  • AWS Direct Connect: Private connectivity from on-premises environments to AWS with more predictable bandwidth and latency than internet-based VPN.
  • Gateway endpoint: Private access path for S3 or DynamoDB from a VPC without using a NAT gateway.
  • Interface endpoint / PrivateLink: Private access path to many AWS or partner services by placing ENIs in your subnets.
  • IAM role: Temporary-credential identity used by people, services, or workloads. In architecture scenarios, assuming a role is usually the preferred answer over long-term access keys.
  • IAM Identity Center: Workforce identity and SSO service for access to AWS accounts and supported applications. It is not the same thing as end-user identity for your customer-facing app.
  • Intelligent-Tiering: S3 storage-class option that automatically moves objects between access tiers when the access pattern is uncertain.
  • KMS key policy: Resource policy on a KMS key. An IAM permission alone is not enough when the key policy does not also allow the principal (directly or by delegating to IAM), or explicitly denies it.
  • Lake Formation: Governance layer for S3-based data lakes. It manages permissions, sharing, and data-lake controls rather than doing the data transformation itself.
  • Least privilege: Grant only the permissions required for the task, at the narrowest workable scope.
  • Multi-AZ: High-availability deployment pattern inside one Region. It is not the same thing as global disaster recovery.
  • NAT gateway: Managed outbound internet path for private subnets. One-per-AZ is the usual resilient architecture choice.
  • Origin Access Control (OAC): CloudFront mechanism for private access to S3 origins without making the bucket public.
  • Requester Pays: S3 access option that shifts request and data-transfer charges to the requester, useful only when the business model fits.
  • Pilot light: Disaster recovery pattern where core components stay ready in a secondary Region, but full scale is activated only during failover.
  • Read replica: Database copy used mainly for read scaling and sometimes DR. It is not a direct substitute for synchronous Multi-AZ protection.
  • Recovery Point Objective (RPO): Maximum acceptable data loss measured in time.
  • Recovery Time Objective (RTO): Maximum acceptable time to restore service after disruption.
  • Route table: VPC routing rule set that decides where traffic goes next.
  • Site-to-Site VPN: Encrypted hybrid network connection over the internet between on-premises environments and AWS.
  • Service control policy (SCP): AWS Organizations guardrail that sets an upper permission boundary for accounts or OUs.
  • Savings Plans: Flexible pricing commitment that reduces compute cost across supported usage patterns.
  • Security group: Stateful virtual firewall applied to ENIs and resources such as EC2 or ALB.
  • SQS: Queue service used to buffer work and decouple producers from consumers.
  • STS: AWS Security Token Service, which issues the temporary credentials behind assumed roles. Frequently appears in cross-account and assumed-role patterns.
  • Transit Gateway: Hub service for connecting multiple VPCs and on-premises networks with transitive routing.
  • Warm standby: Disaster recovery pattern with a scaled-down but running copy in another Region, faster to promote than pilot light.
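
As an added illustration (not code from the page or from AWS), the following Python model shows why an SCP is a ceiling rather than a grant and why a KMS key policy can block a principal that IAM allows. The account id, role names and policies are constructed; real evaluation also covers permission boundaries, session policies, conditions and cross-account rules, which are left out here.

```python
from fnmatch import fnmatchcase

# Constructed account and role ARNs for the scenario (not real resources).
ACCOUNT_ROOT = "arn:aws:iam::111122223333:root"
APP_ROLE = "arn:aws:iam::111122223333:role/app-role"

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _effects(policy, action, principal=None):
    """Effects of every statement matching the action (and, for a key policy, naming this principal or root)."""
    out = []
    for stmt in policy.get("Statement", []):
        if not any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action"))):
            continue
        who = _as_list(stmt.get("Principal", "*"))
        if principal and not {"*", principal, ACCOUNT_ROOT} & set(who):
            continue
        out.append(stmt["Effect"])
    return out

def is_allowed(principal, action, scp, identity_policy, key_policy=None):
    """Simplified same-account decision: an explicit Deny anywhere wins; the SCP
    must allow (it is a ceiling, not a grant); for KMS the key policy must admit
    the principal, directly or via the account root; then IAM must allow."""
    scp_fx = _effects(scp, action)
    iam_fx = _effects(identity_policy, action)
    key_fx = _effects(key_policy, action, principal) if key_policy else ["Allow"]
    if "Deny" in scp_fx + iam_fx + key_fx:
        return False
    if "Allow" not in scp_fx or "Allow" not in key_fx:
        return False
    return "Allow" in iam_fx

# Constructed SCP: permits S3 and KMS for the OU but denies EC2 organization-wide.
SCP = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "kms:*"]},
                     {"Effect": "Deny", "Action": "ec2:*"}]}
# Constructed identity policy on app-role: broad on paper.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action":
                              ["s3:GetObject", "kms:Decrypt", "ec2:RunInstances"]}]}
# Constructed key policy that admits only an auditors role: app-role is not named
# and the account root is not delegated to, so IAM alone cannot unlock the key.
KEY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "kms:*",
                             "Principal": "arn:aws:iam::111122223333:role/auditors"}]}

def scenario():
    """The three decisions the glossary entries describe."""
    return {"s3_read": is_allowed(APP_ROLE, "s3:GetObject", SCP, ROLE_POLICY),
            "ec2_run": is_allowed(APP_ROLE, "ec2:RunInstances", SCP, ROLE_POLICY),
            "kms_decrypt": is_allowed(APP_ROLE, "kms:Decrypt", SCP, ROLE_POLICY, KEY_POLICY)}
```

Only the S3 read succeeds: the EC2 call is inside the role's IAM policy but outside the SCP ceiling, and the decrypt is allowed by IAM but not admitted by the key policy.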

Commonly confused pairs

  • Multi-AZ vs read replica: Multi-AZ protects availability with a synchronous standby. Read replicas primarily scale reads and can support DR patterns.
  • Pilot light vs warm standby: Pilot light keeps only the core pieces warm. Warm standby runs a smaller but already functional environment.
  • Gateway endpoint vs interface endpoint: Gateway endpoints are only for S3 and DynamoDB. Interface endpoints cover far more services and have a different pricing model.
  • Security group vs network ACL: Security groups are stateful and usually the primary control. NACLs are stateless subnet-level filters.
  • CloudFront vs Global Accelerator: CloudFront is HTTP-focused edge caching and acceleration. Global Accelerator provides static anycast IP entry points for TCP or UDP traffic.
  • ALB vs NLB: ALB is Layer 7 and supports host or path routing. NLB is Layer 4 and fits high-throughput or static-IP requirements.
  • RDS Proxy vs read replica: RDS Proxy manages database connections. A read replica handles read scaling or some DR use cases.
  • SCP vs IAM policy: SCP defines the maximum allowed permissions for the account context. IAM policy grants or denies permissions to a principal within that boundary.
  • Spot vs Savings Plans: Spot is unused-capacity pricing with interruption risk. Savings Plans are commitment discounts for predictable usage.
  • SQS vs SNS vs EventBridge: SQS buffers work, SNS fans out notifications, and EventBridge routes events between producers and consumers.
  • Cognito vs IAM Identity Center: Cognito is for end-user application identity. IAM Identity Center is for workforce SSO into AWS accounts and supported apps.
  • CloudWatch vs CloudTrail vs Config: CloudWatch is metrics, logs, and alarms. CloudTrail is API activity history. Config records resource configuration state and compliance.
  • DataSync vs Storage Gateway: DataSync is managed transfer and sync. Storage Gateway presents hybrid storage interfaces tied to AWS storage backends.
  • Athena vs Glue vs EMR: Athena queries data in place, Glue transforms and catalogs it, and EMR is the heavier distributed-processing cluster answer.
  • AWS Backup vs snapshot: AWS Backup coordinates policy and retention across supported services. A snapshot is one service-level recovery artifact.
  • Intelligent-Tiering vs Standard-IA: Intelligent-Tiering adapts when access is uncertain. Standard-IA is better when you already know the access pattern has cooled.
  • EBS vs EFS vs FSx: EBS is block storage attached to one instance at a time in the usual pattern, EFS is shared elastic file storage, and FSx is a family of managed file systems for specific workloads.
  • Direct Connect vs Site-to-Site VPN: Direct Connect is the more predictable private-link answer. Site-to-Site VPN is the faster encrypted-over-internet answer.
  • Backup and restore vs active-active: Backup and restore minimizes steady-state cost. Active-active maximizes continuity, but cost and complexity rise sharply.
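
Added example, not from the original page: a small Python model of the stateful versus stateless difference above, showing why copying a security group's inbound rule into a network ACL is not enough for the reply traffic to leave. The client address, ports and rule sets are constructed.

```python
from ipaddress import ip_address, ip_network

CLIENT_IP, CLIENT_PORT, SERVICE_PORT = "203.0.113.10", 51000, 443   # constructed

def _covers(rule, port, remote_ip):
    lo, hi = rule["ports"]
    return lo <= port <= hi and ip_address(remote_ip) in ip_network(rule["cidr"])

def nacl_allows(nacl, direction, port, remote_ip):
    """Stateless: lowest-numbered matching rule wins; no match is an implicit deny."""
    for rule in sorted(nacl, key=lambda r: r["number"]):
        if rule["direction"] == direction and _covers(rule, port, remote_ip):
            return rule["action"] == "allow"
    return False

class SecurityGroup:
    """Stateful: a reply to an accepted inbound connection leaves regardless of
    outbound rules (a constructed stand-in for connection tracking)."""
    def __init__(self, inbound_rules):
        self.inbound, self.tracked = inbound_rules, set()
    def request_allowed(self, port, remote_ip):
        ok = any(_covers(r, port, remote_ip) for r in self.inbound)
        if ok:
            self.tracked.add(remote_ip)
        return ok
    def reply_allowed(self, remote_ip):
        return remote_ip in self.tracked

def round_trip(nacl):
    """(request reaches the instance, reply gets back out) for the SG and the NACL."""
    sg = SecurityGroup([{"ports": (443, 443), "cidr": "0.0.0.0/0"}])
    sg_in = sg.request_allowed(SERVICE_PORT, CLIENT_IP)
    sg_out = sg_in and sg.reply_allowed(CLIENT_IP)
    nacl_in = nacl_allows(nacl, "inbound", SERVICE_PORT, CLIENT_IP)
    # The reply goes to the client's ephemeral source port, not to 443.
    nacl_out = nacl_in and nacl_allows(nacl, "outbound", CLIENT_PORT, CLIENT_IP)
    return {"sg": (sg_in, sg_out), "nacl": (nacl_in, nacl_out)}

ANY = "0.0.0.0/0"
# Constructed NACL that mirrors the SG rule in both directions and nothing else.
NACL_MIRRORED = [
    {"number": 100, "direction": "inbound", "action": "allow", "ports": (443, 443), "cidr": ANY},
    {"number": 100, "direction": "outbound", "action": "allow", "ports": (443, 443), "cidr": ANY},
]
# The fix: an outbound rule for the ephemeral port range so replies can leave.
NACL_FIXED = NACL_MIRRORED + [
    {"number": 110, "direction": "outbound", "action": "allow", "ports": (1024, 65535), "cidr": ANY},
]
```

With the mirrored NACL the request arrives but the reply is dropped, which is the classic symptom of treating a stateless filter like a stateful one; adding the ephemeral-range outbound rule fixes it.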

Fast reminders for exam day

  • If the option says private subnets need S3 or DynamoDB, think gateway endpoint before NAT.
  • If the option says cross-account access, think role assumption before access keys.
  • If the option says organization-wide restriction, think SCP before only editing one IAM policy.
  • If the option says employee SSO into AWS accounts, think IAM Identity Center. If it says customer sign-in to the app, think Cognito.
  • If the option says must survive AZ failure, think Multi-AZ or multi-AZ service placement before only adding a read replica.
  • If the option says public web routing with host or path rules, think ALB.
  • If the option says static IPs, TCP/UDP, or extreme throughput, think NLB.
  • If the option says uncertain S3 access pattern, think Intelligent-Tiering before guessing one colder class.
  • If the option says governed shared data lake, think Lake Formation before treating Athena or Glue as the permission system.

When the terms still feel noisy, go back to the domain chapters and ask a simpler question: what problem is this service actually solving in the architecture?