How to pass the AWS Solutions Architect Associate exam - complete guide


The number of courses and the amount of content available for one of the most popular exams, the AWS Certified Solutions Architect Associate, can be overwhelming. I've created a complete guide that makes sure you can study effectively and pass in one go!

Introduction

My goal is to write a guide on every AWS Certified exam that AWS offers. This is my second article in this series and will contain everything you need to know to prepare for the AWS Solutions Architect Associate exam [SAA-C02].

This guide contains a few more acronyms and is somewhat more targeted towards technical people. If you're relatively new to AWS and the technical side of it, I would recommend having a look at the first guide that I wrote on preparing for the AWS Cloud Practitioner exam.

For the AWS Solutions Architect Associate exam - complete guide, I've reviewed all the information that's relevant for this course and curated the content to help you get up to speed more efficiently! By following this guide you should get prepared to successfully pass the exam on the first attempt!


Prerequisites

This exam is intended for people who have one or more years of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS. You're required to be familiar with the AWS terminology and with the most commonly used AWS services.

If you want to start practicing with these AWS Services, it is important to create a free AWS account first. AWS offers a free tier to get familiar with its services without expenses so you can experiment with the exercises that are provided in this guide.

AWS recommends that you have the following experience and knowledge before taking the exam:

  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

AWS Certified Solutions Architect Associate certification page

AWS Solutions Architect Associate exam overview

Some practical information that is interesting to know when you plan to schedule the exam:

  • The AWS Solutions Architect Associate exam consists of 65 multiple-choice, multiple-answer questions.
  • You have 130 minutes to complete the exam.
  • The exam costs $150
  • The official practice exam costs $20
  • The minimum passing score for this exam is 720 points
  • The exam is available in English, Japanese, Korean, and Simplified Chinese.

As explained in the official AWS Certified Solutions Architect exam guide, the exam covers the following domains, each with its weighted percentage:

AWS Solutions Architect content outline domains


Domain 1: Design Resilient Architectures - 30%

  • 1.1 Design a multi-tier architecture solution
  • 1.2 Design highly available and/or fault-tolerant architectures
  • 1.3 Design decoupling mechanisms using AWS services
  • 1.4 Choose appropriate resilient storage

(SAA-C02) Exam Guide

The first domain requires you to understand how to build effective architectures using fundamental AWS services like EC2, VPC, RDS, S3, etc. Best practices are important to know when building these architectures, so it's good to understand the AWS Well-Architected Framework.

Domain 2: Design High-Performing Architectures - 28%

  • 2.1 Identify elastic and scalable compute solutions for a workload
  • 2.2 Select high-performing and scalable storage solutions for a workload
  • 2.3 Select high-performing networking solutions for a workload
  • 2.4 Choose high-performing database solutions for a workload

(SAA-C02) Exam Guide

The focus in this domain lies in building resilient architectures that make use of Scalability and Elasticity. You need to be able to understand the purpose of implementing Multi-AZ and Auto-Scaling to drive costs down and improve fault tolerance.

Domain 3: Design Secure Applications and Architectures - 24%

  • 3.1 Design secure access to AWS resources
  • 3.2 Design secure application tiers
  • 3.3 Select appropriate data security options

(SAA-C02) Exam Guide

For the third domain, you're required to understand how to add security measures on four different levels: AWS resources, network layer, application layer, and data layer. The data layer can be divided into two parts: data in transit and data at rest. For data security, encryption plays a primary role, and for networking it's important to know access controls like Security groups, ACLs, etc.

Domain 4: Design Cost-Optimized Architectures - 18%

  • 4.1 Identify cost-effective storage solutions
  • 4.2 Identify cost-effective compute and database services
  • 4.3 Design cost-optimized network architectures

(SAA-C02) Exam Guide

In the last domain, you need to know how to build cost-efficient architectures with scalability and resiliency taken into consideration. You'll also need to know how to select the right type of resource to effectively do the task at hand. Finally, it's important to know how to optimize your network design to transfer data as efficiently as possible from on-premise to the Cloud.

How to prepare for the exam?

In this section, I've bundled up some notes which can be of use when preparing for the AWS Solutions Architect Associate exam. Prior to this blog post, I also released technical preparation notes as part of my guide for the AWS Cloud Practitioner exam. They contain the foundational information which also helps for this exam, so I highly recommend reading those notes as well.

Moving on to the preparation, I’ve written some technical notes which highlight important details that are worth remembering. Next to that, I’ll be sharing seven practice questions that give a good indication of what to expect on the real exam. Finally, I’ll be sharing my AWS Solutions Architect learning material list, which contains a curated collection of high-quality content to help you study efficiently.

The learning material is divided into two parts:

  • Reading material
  • Visual material

For the readers, I'll be sharing my recommended books to read. For the visual learners, I'll provide the videos that will help you prepare for the exam.

Technical Preparation notes

The technical notes are a bundled package of dense information that gives you insight into which technical services and details are covered in the exam. I've divided it into the domains that you'll see at the exam.

Domain 1: Design Resilient Architectures

EC2 Storage types

  • Amazon Elastic Block Store (Amazon EBS) provides block-level storage volumes for use with Amazon EC2 instances. Three flavors: Magnetic, General purpose SSD, provisioned IOPS SSD. Snapshots can be created and are saved in S3.
  • Ephemeral storage (legacy) is temporary storage for your EC2 instance. Good to use as a scratch disk, not for storing data! Data will be removed after the instance shuts down.

Elastic File System (EFS)

EFS is highly durable storage that can be shared with EC2 instances (NFS protocol). A good use case is former stateful applications that need block storage but aren't scalable yet. This provides a good solution to make your application scalable whilst keeping the data intact.

Amazon Simple Storage Service (S3)

S3 is highly durable (99.999999999%) object storage with virtually unlimited capacity. It offers different storage classes:

  • S3 Standard
  • S3 Intelligent-Tiering
  • S3 Standard-Infrequent Access
  • S3 One Zone-Infrequent Access
  • S3 Glacier
  • S3 Glacier Deep Archive

Design decoupling systems using AWS services

Decoupling components becomes important when you're architecting in the cloud. Loose coupling isolates the layers and components of your application so that each component interacts asynchronously with the others. This is necessary if you want to enable scalability and want your system to become stateless.

Order dispatcher example decoupled system

Example of a decoupled system using SQS + Autoscaling

Elastic Load Balancer (ELB)

ELBs are a trivial part of high availability and scalability. They come in 3 flavors:

Sources: Amazon EBS FAQs, EFS FAQs, S3 FAQs, AWS Storage Services whitepaper

Domain 2: Design High-Performing Architectures

Amazon RDS

For relational databases, Amazon RDS is the appropriate fit. The perk of RDS is that it can scale vertically (larger instance type + increased storage). Use RDS if you need complex queries or complex transactions.

RDS database engines:

  • Aurora
  • PostgreSQL
  • MySQL
  • MariaDB
  • Oracle
  • MsSQL

RDS backup features:

  • You can have up to 5 read replicas for MySQL and PostgreSQL
  • You can have read replicas in different regions for MySQL only
  • Replication is asynchronous only
  • Read replicas can be built off Multi-AZ databases
  • You can have read replicas of read replicas, but only for MySQL, and this will further increase latency
  • DB snapshots and automated backups cannot be taken from read replicas
  • Synchronous replication is used for Multi-AZ

DynamoDB

DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with scalability. Use DynamoDB if you have applications that need consistent, single-digit millisecond latency at any scale, such as mobile, web, gaming, ad tech, IoT, and many other applications

DynamoDB provisioned throughput:

  • Eventually consistent reads (default)
    • Consistency across all copies of data is usually reached within a second. Repeating a read after a short time should return the updated data (best read performance)
  • Strongly consistent reads
    • A strongly consistent read returns a result that reflects all writes that received a successful response prior to the read.

ElastiCache

Amazon ElastiCache is a web service that makes it easy to set up, manage, and scale distributed in-memory cache environments in the cloud. It allows you to improve the performance of applications and databases by offloading read-intensive requests to the in-memory cache of ElastiCache. This improves the latency and throughput of your workloads.

ElastiCache supports two engines: Redis and Memcached. Here is a screenshot with the differences between both:

Difference between Redis and Memcached

CloudFront

CloudFront is a global Content Delivery Network (CDN) that's good for serving static content to the end-user through its global edge locations. You can deliver videos, images, etc. with the lowest latency and high transfer speeds.

Some of the key features:

  • Caching content
  • Compatible origins: S3, EC2 + on-prem servers, and ELB.
  • DDoS mitigation (AWS Shield Standard and Advanced)
  • Lambda@Edge

The following example shows how you can cache WordPress static content which originates from an S3 bucket. Depending on the request header, in this example /wp-admin, CloudFront is able to send your request to the ELB.

CloudFront caching example with WordPress


Domain 3: Design Secure Applications and Architectures

Shared responsibility model

You should be familiar with the shared responsibility model. The diagram can be found in the security domain of the AWS Cloud Practitioner guide, Domain 2: Security.

AWS Identity and Access Management (IAM)

IAM Identities:

  • Users: An entity you create in AWS which you can use to log in to the AWS console or access APIs through the AWS CLI using access keys.
  • Groups: A collection of IAM users.
  • Roles: An entity that can be assumed by another task, role, or person. It doesn't need a password or access key. The policy assigned to it decides who or which services get permission to do the actions you described. Roles are always better to manage than IAM users.
  • Policies: This is where you set the permissions that get assigned to a role or user. Example:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "s3:List*",
      "s3:Get*"
    ],
    "Resource": [
      "arn:aws:s3:::my_bucket",
      "arn:aws:s3:::my_bucket/*"
    ]
  }
}
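
Why does the policy list both the bucket ARN and the /* object ARN? The following Python sketch is an added example, not part of the original article and not AWS's own evaluation engine. It is a simplified evaluator that only looks at Effect, Action and Resource, and the object key and the second bucket name are made up for illustration.

```python
import re

# The read-only policy from this section. S3 bucket ARNs leave the region and
# account fields empty, hence the ":::" form.
POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    },
}

BUCKET = "arn:aws:s3:::my_bucket"
OBJECT = "arn:aws:s3:::my_bucket/reports/2021.csv"  # hypothetical object key


def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    """Match an IAM pattern: '*' is any run of characters, '?' is exactly one."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise a matching Allow
    is required, otherwise the request is implicitly denied."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = any(
            _matches(a, action, ignore_case=True) for a in _as_list(stmt["Action"])
        ) and any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed


def demo():
    """Evaluate a few requests against the policy and a variant without the bucket ARN."""
    objects_only = {
        "Version": "2012-10-17",
        "Statement": {**POLICY["Statement"], "Resource": ["arn:aws:s3:::my_bucket/*"]},
    }
    return {
        "list_bucket": is_allowed(POLICY, "s3:ListBucket", BUCKET),
        "get_object": is_allowed(POLICY, "s3:GetObject", OBJECT),
        "put_object": is_allowed(POLICY, "s3:PutObject", OBJECT),
        "other_bucket": is_allowed(POLICY, "s3:GetObject", "arn:aws:s3:::other_bucket/x"),
        "list_without_bucket_arn": is_allowed(objects_only, "s3:ListBucket", BUCKET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Listing is a bucket-level action and reading is an object-level action, so dropping the bare bucket ARN silently removes the ability to list even though s3:List* is still in the Action block.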

AWS Key Management Service

AWS KMS allows you to encrypt data within your own application using keys you create and control. There are three types of keys:

  • AWS Managed
  • Customer Managed
  • Customer Managed, imported key material

Key rotation for AWS managed keys:

  • Rotates automatically every 3 years
  • You cannot manage rotation yourself
  • Managed keys cannot be deleted

Key rotation for Customer Managed Keys (CMK):

  • Once a year automatically (disabled by default)
  • On-demand manually
  • Create new CMK and manually change your applications or aliases to use the new CMK
  • You control the rotation frequency
  • Keys can be deleted

Key rotation for imported key material:

  • No automatic rotation
  • You need to handle the rotation yourself
  • Create new CMK and update your applications to use the new CMK or key Alias

AWS CloudHSM

The AWS CloudHSM service uses dedicated Hardware Security Module (HSM) instances within the AWS cloud to encrypt and protect your data.

AWS VPC

This video gives a great walkthrough of the fundamentals of Amazon VPC. I highly recommend you watch it.

Sources: AWS IAM Identities, AWS IAM Permissions and Policies, AWS Security Best Practices whitepaper, AWS KMS best practices, AWS CloudHSM

Domain 4: Design Cost-Optimized Architectures

You should know how to take cost into consideration when building your architectures in the Cloud.

Important takeaways:

  • Pricing is calculated based on Compute, Storage, and Data transfer.
  • Know the EC2 pricing model for instances including types e.g. Compute-optimized, Memory-optimized, Storage-optimized, etc.
  • You should know when to use reserved instances over on-demand or spot instances.
  • Workloads that don't need constant uptime can be changed to AWS Lambda for example
  • Know which data storage service (EBS, S3, RDS) and class to use.
  • Have a look at the pricing overview whitepaper below to see how prices are being calculated for the most used AWS services.

Source: AWS Pricing overview whitepaper

Practice exam questions

The following practice exam questions for the AWS Solutions Architect Associate course will give you a good idea of what to expect on the real exam.

Practice question #1

  • A requirement from your company is to encrypt data to external storage before it is being sent to Amazon S3. Which encryption solution will meet this requirement?
    • A. Server-Side Encryption with AWS-managed keys (SSE-S3)
    • B. Client-side encryption with customer-managed keys
    • C. Server-side encryption with customer-provided keys (SSE-C)
    • D. Server-side encryption with AWS KMS keys (SSE-KMS)
  • Answer: B. The data needs to be encrypted before sending it to Amazon S3 so it requires client-side encryption.

Practice question #2

  • Which 3 characteristics best describe Auto Scaling on AWS?
    • A. Sends traffic to healthy instances
    • B. Responds to changing conditions by adding or terminating Amazon EC2 instances
    • C. Delivers push notifications
    • D. Launches instances from a specified AMI
    • E. Enforces a minimum number of running Amazon EC2 instances
  • Answer: B, D, E. The launch configuration of the Auto Scaling Group allows you to set up the minimum amount of running instances including the association of the AMI.

Practice question #3

  • When you configure Amazon Route 53 for an existing domain, which step do you perform first?
    • A. Create hosted zones.
    • B. Create resource record sets.
    • C. Register a domain with Amazon Route 53.
    • D. Transfer domain registration from the current registrar to Amazon Route 53.
  • Answer: A. You create a hosted zone that has the same name as your domain, and then you create records in the hosted zone.

Practice question #4

  • Which AWS service records API calls made on your account and delivers log files to your S3 bucket?
    • A. AWS CloudTrail
    • B. Amazon CloudWatch
    • C. Amazon Kinesis
    • D. AWS Glue
  • Answer: A. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

Practice question #5

  • Which 2 options will help increase the availability of the webserver layer?
    • A. Use Amazon CloudFront to cache static content with low latency.
    • B. Deploy the webserver instances Multi-AZ.
    • C. Leverage Auto Scaling to recover from failed instances.
    • D. Deploy the instances in an Amazon VPC.
    • E. Upgrade to a higher instance type.
  • Answer: B, C. Deploying instances with Multi-AZ allows you to keep availability up when a single AZ fails. Use Auto Scaling to detect impaired EC2 instances and unhealthy applications and replace them automatically without intervention.

Practice question #6

  • Which 2 AWS Cloud services are designed according to the Multi-AZ principle?
    • A. Amazon DynamoDB
    • B. Amazon ElastiCache
    • C. Amazon RDS
    • D. Amazon VPC
    • E. Amazon S3
  • Answer: A, E. Both DynamoDB and S3 are built with high availability in mind. DynamoDB replicates data across Multi-AZ to provide fault tolerance against an Availability Zone outage. S3 provides durable infrastructure to store important data and is designed for 99.999999999% durability of objects.

Practice question #7

  • You need to implement a service to scan API calls and related events’ history to your AWS account. It will detect things like unused permissions, overuse of privileged accounts, and anomalous logins. Which 3 AWS services can be used to implement this service as per the above requirement?
    • A. AWS CloudTrail
    • B. Amazon S3
    • C. Amazon Route 53
    • D. Auto Scaling
    • E. AWS Lambda
    • F. Amazon VPC
  • Answer: A, B, E. AWS CloudTrail can be used to get logs of API calls and related events’ history in your AWS account. The logs can be stored in S3 and you can leverage the S3's bucket notification to publish object-created events. This can trigger AWS Lambda, which processes the object stored by CloudTrail.
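
The processing step from question #7, sketched in Python as an added example (not part of the original article). It assumes the Lambda function has already read the gzip-compressed log object that CloudTrail delivered to S3, so the S3 fetch is left out. The three rules, the threshold, and every record below are constructed for illustration.

```python
import gzip
import json
from collections import Counter


def scan_cloudtrail_object(gz_bytes, failed_threshold=3):
    """Return sorted (rule, subject) findings for one CloudTrail log object."""
    records = json.loads(gzip.decompress(gz_bytes)).get("Records", [])
    findings = set()
    failed_by_ip = Counter()
    for rec in records:
        identity = rec.get("userIdentity") or {}
        who = identity.get("userName") or identity.get("type", "unknown")
        # Rule 1: any API call or login made as the account root user.
        if identity.get("type") == "Root":
            findings.add(("root-activity", rec.get("eventName", "?")))
        if rec.get("eventName") != "ConsoleLogin":
            continue
        # responseElements can be null on many events, hence the "or {}".
        outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
        mfa = (rec.get("additionalEventData") or {}).get("MFAUsed")
        # Rule 2: successful console login without MFA.
        if outcome == "Success" and mfa == "No":
            findings.add(("login-without-mfa", who))
        elif outcome == "Failure":
            failed_by_ip[rec.get("sourceIPAddress", "?")] += 1
    # Rule 3: repeated failed console logins from one source address.
    for ip, count in failed_by_ip.items():
        if count >= failed_threshold:
            findings.add(("repeated-failed-logins", ip))
    return sorted(findings)


def _login(id_type, name, ip, outcome, mfa):
    """Build one constructed ConsoleLogin record (all values are made up)."""
    identity = {"type": id_type}
    if name:
        identity["userName"] = name
    return {"eventName": "ConsoleLogin", "sourceIPAddress": ip,
            "userIdentity": identity,
            "additionalEventData": {"MFAUsed": mfa},
            "responseElements": {"ConsoleLogin": outcome}}


def build_sample_object():
    """Gzip a constructed log in the layout CloudTrail writes: {"Records": [...]}."""
    records = [
        _login("IAMUser", "alice", "198.51.100.7", "Success", "Yes"),
        _login("Root", None, "203.0.113.50", "Success", "No"),
        *[_login("IAMUser", "bob", "203.0.113.9", "Failure", "No") for _ in range(3)],
        {"eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.50",
         "userIdentity": {"type": "Root"}, "responseElements": None},
        {"eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
         "userIdentity": {"type": "IAMUser", "userName": "alice"},
         "responseElements": None},
    ]
    return gzip.compress(json.dumps({"Records": records}).encode())


if __name__ == "__main__":
    for rule, subject in scan_cloudtrail_object(build_sample_object()):
        print(f"{rule}: {subject}")
```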

AWS Certified Solutions Architect Associate Study material

I've divided this section into two parts. The first part contains reading material for people who like to study by reading. In the second part, I'll provide the best videos to help visual learners prepare for the exam.

Reading material

For reading enthusiasts, I definitely recommend the official AWS Certified Solutions Architect Study Guide: AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam.

AWS Certified Solutions Architect Study Guide: Associate SAA-C01 Exam


Every topic in the exam is covered in this book and explained thoroughly. It contains hands-on exercises to get you practical experience in the AWS console, and there are hundreds of mock exam questions to help you prepare for the exam.

If you feel that you need some extra exam practice, I suggest you get this book as well: AWS Certified Solutions Architect Practice Tests: Associate SAA-C01 Exam.

AWS Certified Solutions Architect Practice Tests: Associate SAA-C01 Exam


It contains over 1000 mock questions that give a good indication of what to expect on the real exam. The concepts that were added in the updated SAA-C02 exam are also added to the online test bank.

Video material

For the visual learner I recommend the following free online course:

This course is developed by Andrew Brown. It is information-dense and guides you through all the AWS services that will pop up in the exam, with great explanations using slide decks, architecture diagrams, and AWS console walkthroughs.

The AWS Certified Solutions Architect Associate SAA-C02 course from A Cloud Guru is also great, but you have to purchase a monthly subscription if you want to access the content.

You should now be fully prepared for the AWS Certified Solutions Architect Associate exam!

If you've followed my guide, you should be fully prepared to successfully pass the exam in one go! To summarize what you've gone through: you know which topics and domains are covered in the exam, you've studied the notes and their sources to get familiar with the AWS services that are covered in the exam, and you've tested yourself with the example questions and gone over the provided study material (split into reading and visual material).

If you enjoyed this AWS Solutions Architect Associate guide please consider sharing it!


AWS Certified Solutions Architect Associate exam – FAQ

Is the AWS Certified Solutions Architect Associate exam easy?

This is the most popular AWS exam and can be a little daunting if you're unfamiliar with AWS. If you feel that you need more training, consider doing the AWS Cloud Practitioner exam. This is the foundational exam, and I've written another guide which will prepare you for that exam.

How long does it take to prepare for the AWS Certified Solutions Architect Associate certification?

This depends heavily on your learning style and your technical background. I would say that it can take at least 40 to 50 hours to get fully prepared. This includes watching the videos, doing mock exams, and reading the documentation and whitepapers.

I’m ready to do the AWS Certified Solutions Architect Associate exam, how do I schedule it?

I've written a walkthrough on how to schedule the AWS Certification exam. It also shows you how you can permanently request 30 minutes extra for each AWS exam!



Iain Samuel McLean Elder's photo

Thanks, Danny! I'm preparing to renew my associate certification, and this guide is just what I was looking for. It's a relief to see that the basics haven't changed too much in three years, I haven't missed anything major ;-)

Sourabh Cheedella's photo

Great article! I'm looking forward to a guide on the DevOps Engineer Exam, Professional Level.

Tom Harrison's photo

Question 6: How is it that RDS is not just as Multi-AZ-aware as DynamoDB and S3?

And VPCs are also designed to support multi-AZ insofar as a subnet can span multiple AZs, load balancers are multi-AZ, Autoscaling is multi-az, etc.

Is there some nuance I have missed?

Danny Steenman's photo

DynamoDB and S3 are designed by default to be fault tolerant and use Multi-AZ design principles to accomplish that. All the other services are applicable to be deployed Multi-AZ but by default are deployed in a Single-AZ unless specified otherwise.