Design Secure Architectures for SAA-C03

Work through the IAM, workload-isolation, network-security, and data-protection decisions that anchor the heaviest SAA-C03 domain.

This chapter covers the heaviest domain on SAA-C03. AWS is not just testing whether you recognize IAM, KMS, or security groups. It is testing whether you can choose the right access model, segment workloads safely, and protect data without creating unnecessary operational friction.

IAM: Identity and Access Management for AWS users, roles, policies, and permission boundaries.

KMS: Key Management Service for controlling encryption keys and how workloads may use them.

SCP: Service control policy, the AWS Organizations guardrail that limits the maximum permissions accounts or OUs can use.

What this domain is really testing

Expect questions that mix identity, network placement, encryption, compliance, and data-access policy into one scenario. Strong candidates separate those layers instead of treating “security” as one generic control plane.

Current weight in the exam guide

AWS currently weights this domain at 30% of scored content, making it the single largest SAA-C03 area.

Work this domain in order

Start with 1.1 Secure Access, then move to 1.2 Secure Workloads & Applications, and finish with 1.3 Data Security Controls.

Fast routing inside this chapter

If the scenario is really about…	Go first to…
federation, roles, temporary credentials, cross-account access, SCPs	1.1 Secure Access
private subnets, endpoints, ALB placement, WAF, Cognito, secret handling	1.2 Secure Workloads & Applications
KMS, TLS, versioning, Object Lock, backups, replication, retention	1.3 Data Security Controls

What strong answers usually do

prefer temporary credentials over long-term keys
keep the minimum necessary surface public
match the control layer to the problem: identity, resource policy, endpoint path, or key policy
layer encryption, transport protection, and recovery controls instead of treating one of them as “complete security”

Common SAA-C03 traps

choosing long-term IAM users where role assumption is cleaner
using public networking when a private endpoint pattern fits better
forgetting that KMS key policy can still block access
treating backup, replication, encryption, and lifecycle policy as unrelated topics

Best review order late in prep

Revisit this chapter when:

you keep missing questions that include the phrase most secure
answer choices differ only by access path or policy layer
you are confusing resource policy, trust policy, SCP, and KMS key policy

If the wording starts to blur, use the glossary before you continue. Many misses in this domain are label confusion before they are design confusion.

In this section

Design Secure Access to AWS Resources for SAA-C03
Understand IAM roles, federation, cross-account access, root-user controls, and least-privilege patterns for the secure-access questions on SAA-C03.
Design Secure Workloads and Applications for SAA-C03
Learn the subnet, endpoint, security-group, WAF, Shield, and secure-application-access patterns that show up in SAA-C03 workload-security scenarios.
Determine Appropriate Data Security Controls for SAA-C03
Cover encryption, KMS policy, TLS, backups, replication, and data-access controls for the SAA-C03 data-protection objective.

Study Plan

2. Resilient Architectures