AWS Solutions Architect Associate Cheat Sheet: Quick Reference Guide

AWS Solutions Architect Associate Cheat Sheet

This cheat sheet is your quick-reference guide for the AWS SAA-C03 exam. It covers the most important facts, numbers, limits, and decision points you need to know. Bookmark this page and use it for final review before your exam.

This is not a replacement for deep study. Use it alongside a structured study plan and practice exams to solidify your knowledge. For a comprehensive preparation approach, see our complete guide.

Compute Services

Amazon EC2

Instance families to remember:

• T (T3, T3a, T4g): Burstable, general purpose, good for variable workloads
• M (M5, M6g, M7g): General purpose, balanced compute/memory/networking
• C (C5, C6g, C7g): Compute optimized, CPU-intensive workloads
• R (R5, R6g, R7g): Memory optimized, in-memory databases and caching
• I (I3, I4i): Storage optimized, high sequential read/write
• D (D2, D3): Dense storage, data warehousing
• P, G (P4, G5): Accelerated computing, ML training and graphics
• Graviton (g suffix): ARM-based, better price-performance (e.g., M6g, C7g)

EC2 pricing models:

Model	Use Case	Savings	Key Detail
On-Demand	Short-term, unpredictable	0%	Pay by the second/hour
Reserved (1yr/3yr)	Steady-state workloads	Up to 72%	All Upfront = max savings
Savings Plans	Flexible commitment	Up to 72%	$/hour commitment, any instance
Spot	Fault-tolerant, flexible	Up to 90%	Can be interrupted with 2-min notice
Dedicated Hosts	Licensing/compliance	Varies	Physical server dedicated to you

Key EC2 facts:

• Default limit: 20 On-Demand instances per region (soft limit, can be increased)
• Placement groups: Cluster (low latency), Spread (max 7 instances per AZ), Partition (large distributed workloads)
• User data runs at instance launch (bootstrapping)
• Instance metadata available at: http://169.254.169.254/latest/meta-data/
• Hibernation: Saves RAM contents to EBS root volume

AWS Lambda

• Max execution time: 15 minutes (900 seconds)
• Max memory: 10,240 MB (10 GB)
• Max deployment package: 50 MB zipped, 250 MB unzipped
• Concurrent executions: 1,000 per region (soft limit)
• Temporary storage (/tmp): 10,240 MB
• Pricing: Per request + per GB-second of compute
• Triggers: S3, DynamoDB Streams, Kinesis, SQS, API Gateway, EventBridge, SNS, CloudWatch Events, and more
• Runs in a VPC: Optional, required for accessing private resources like RDS
• Cold starts: Latency on first invocation; use Provisioned Concurrency to eliminate

Amazon ECS and Fargate

• ECS: Container orchestration service
• Fargate: Serverless compute for containers (no EC2 management)
• EC2 launch type: You manage the EC2 instances running containers
• Fargate launch type: AWS manages infrastructure, you define CPU/memory per task
• When to choose Fargate: Want serverless containers, no instance management
• When to choose EC2 launch type: Need GPU, larger instance types, or more control

Elastic Beanstalk

• PaaS for deploying web applications
• Supports: Java, .NET, PHP, Node.js, Python, Ruby, Go, Docker
• Handles: Provisioning, load balancing, auto scaling, monitoring
• You retain full control over underlying resources
• Great for quick deployments when you do not need fine-grained infrastructure control

Storage Services

Amazon S3

Storage classes:

Class	Use Case	Availability	Min Duration	Retrieval
S3 Standard	Frequently accessed	99.99%	None	Instant
S3 Intelligent-Tiering	Unknown access patterns	99.9%	None	Instant
S3 Standard-IA	Infrequent access	99.9%	30 days	Instant
S3 One Zone-IA	Infrequent, non-critical	99.5%	30 days	Instant
S3 Glacier Instant	Archive, instant access	99.9%	90 days	Instant
S3 Glacier Flexible	Archive, minutes to hours	99.99%	90 days	1-12 hours
S3 Glacier Deep Archive	Long-term archive	99.99%	180 days	12-48 hours

Key S3 facts:

• Object size: 0 bytes to 5 TB (use multipart upload for objects > 100 MB)
• Durability: 99.999999999% (11 nines) across all storage classes
• Bucket names: Globally unique
• Versioning: Once enabled, can only be suspended (not disabled)
• Encryption options: SSE-S3 (default), SSE-KMS, SSE-C, client-side
• S3 Transfer Acceleration: Uses CloudFront edge locations for faster uploads
• S3 Select / Glacier Select: Query data in place using SQL
• S3 Object Lock: WORM (Write Once Read Many) compliance
• S3 Replication: CRR (Cross-Region) and SRR (Same-Region), requires versioning
• S3 Event Notifications: Trigger Lambda, SQS, or SNS on object events
• Pre-signed URLs: Temporary access to private objects
• Lifecycle rules: Automatically transition or expire objects

Amazon EBS (Elastic Block Store)

Volume types:

Type	Use Case	Max IOPS	Max Throughput
gp3	General purpose SSD	16,000	1,000 MB/s
gp2	General purpose SSD	16,000	250 MB/s
io2 Block Express	High-performance SSD	256,000	4,000 MB/s
io2/io1	Provisioned IOPS SSD	64,000	1,000 MB/s
st1	Throughput HDD	500	500 MB/s
sc1	Cold HDD	250	250 MB/s

Key EBS facts:

• AZ-locked: EBS volumes are tied to a single Availability Zone
• Snapshots: Stored in S3 (managed by AWS), incremental, can be copied cross-region
• Encryption: Uses KMS, encrypts data at rest, in transit, and snapshots
• Multi-Attach: io1/io2 volumes can attach to up to 16 EC2 instances in the same AZ
• Boot volume: Only gp2, gp3, io1, io2 can be boot volumes (not st1/sc1)

Amazon EFS (Elastic File System)

• NFS-based: Shared file storage, accessible by multiple EC2 instances simultaneously
• Multi-AZ: Automatically replicates across Availability Zones
• Auto-scaling: Grows and shrinks automatically, no capacity provisioning
• Performance modes: General Purpose (default) and Max I/O
• Throughput modes: Bursting, Provisioned, and Elastic
• Storage classes: Standard, Infrequent Access, One Zone, One Zone-IA
• Use case: Content management, web serving, data sharing across instances
• Linux only: Not supported on Windows instances (use FSx for Windows)

Amazon FSx

• FSx for Windows File Server: SMB protocol, Active Directory integration, Windows workloads
• FSx for Lustre: High-performance computing, ML training, big data (integrates with S3)
• FSx for NetApp ONTAP: Multi-protocol (NFS, SMB, iSCSI), hybrid deployments
• FSx for OpenZFS: High-performance file storage, migration from on-premises ZFS

AWS Storage Gateway

• S3 File Gateway: NFS/SMB interface to S3, on-premises file access to cloud storage
• FSx File Gateway: Low-latency access to FSx for Windows File Server
• Volume Gateway (Stored): Full volumes on-premises, async backup to S3
• Volume Gateway (Cached): Primary data in S3, frequently accessed data cached locally
• Tape Gateway: Virtual tape library backed by S3 and Glacier

Database Services

Amazon RDS

• Engines: MySQL, PostgreSQL, MariaDB, Oracle, SQL Server, and Aurora
• Multi-AZ: Synchronous standby replica for high availability, automatic failover
• Read Replicas: Asynchronous replication for read scaling (up to 15 for Aurora, 5 for others)
• Automated backups: Daily snapshots + transaction logs, 0-35 day retention
• Max storage: 64 TB (most engines)
• Encryption: KMS at rest, SSL in transit; must be enabled at creation (cannot encrypt existing unencrypted DB)
• RDS Proxy: Connection pooling for Lambda and application scaling

Amazon Aurora

• MySQL and PostgreSQL compatible (up to 5x MySQL, 3x PostgreSQL performance)
• Storage: Auto-scales up to 128 TB, 6 copies across 3 AZs
• Read Replicas: Up to 15 (with auto-failover)
• Aurora Serverless: Auto-scaling capacity, pay per ACU-second, great for variable workloads
• Aurora Global Database: Cross-region replication with sub-second latency
• Aurora Multi-Master: Multiple write nodes for write high availability

Amazon DynamoDB

• NoSQL: Key-value and document database
• Performance: Single-digit millisecond latency at any scale
• Capacity modes: On-Demand (pay per request) or Provisioned (specify RCU/WCU)
• Global Tables: Multi-region, multi-active replication
• DynamoDB Streams: Ordered sequence of item-level changes (triggers Lambda)
• DAX: In-memory cache, microsecond latency for reads
• TTL: Automatically delete expired items at no cost
• Max item size: 400 KB
• Transactions: ACID transactions across multiple items and tables

Amazon ElastiCache

• Redis: Complex data types, replication, persistence, pub/sub, geospatial
• Memcached: Simple caching, multi-threaded, no persistence
• Use Redis when: You need persistence, replication, complex data structures, or pub/sub
• Use Memcached when: You need simplest caching, multi-threaded performance

Amazon Redshift

• Data warehouse: Columnar storage, petabyte-scale analytics
• Not for OLTP: Use for OLAP (analytical queries)
• Redshift Spectrum: Query data directly in S3 without loading
• Concurrency Scaling: Automatically scales for burst read queries
• Single-AZ deployment: No Multi-AZ (use snapshots for DR)

Networking

Amazon VPC

Core components:

• VPC: Logically isolated virtual network (max CIDR: /16, min: /28)
• Subnets: Tied to a single AZ; public (route to IGW) or private (no route to IGW)
• Internet Gateway (IGW): Enables internet access for public subnets (one per VPC)
• NAT Gateway: Allows private subnet instances to access the internet (outbound only)
• Route Tables: Control traffic routing between subnets and gateways
• Elastic IP: Static public IPv4 address

Security:

• Security Groups: Stateful, instance-level, allow rules only, default deny inbound
• NACLs: Stateless, subnet-level, allow and deny rules, default allow all
• VPC Flow Logs: Capture IP traffic information (VPC, subnet, or ENI level)

Connectivity:

• VPC Peering: Connect two VPCs (no transitive peering)
• Transit Gateway: Hub-and-spoke model, connect multiple VPCs and on-premises networks
• VPN (Site-to-Site): Encrypted connection over the internet to on-premises
• AWS Direct Connect: Dedicated private connection to on-premises (1 Gbps or 10 Gbps)
• Direct Connect + VPN: Encrypted connection over Direct Connect
• VPC Endpoints:
  • Gateway Endpoint: S3 and DynamoDB only, free, uses route tables
  • Interface Endpoint (PrivateLink): Most other services, uses ENI, costs per hour + per GB

Amazon Route 53

Routing policies:

• Simple: Single resource, no health checks
• Weighted: Distribute traffic by percentage (e.g., 70/30 split)
• Latency: Route to lowest-latency region
• Failover: Active-passive with health checks
• Geolocation: Route based on user’s geographic location
• Geoproximity: Route based on geographic distance with bias
• Multivalue Answer: Return multiple healthy records (basic load balancing)

Key facts:

• Supports public and private hosted zones
• Health checks can monitor endpoints, other health checks, or CloudWatch alarms
• Alias records: Free, support zone apex (naked domain), point to AWS resources

Amazon CloudFront

• CDN: Caches content at 400+ edge locations worldwide
• Origins: S3, ALB, EC2, custom HTTP servers
• Origin Access Control (OAC): Restrict S3 access to CloudFront only
• SSL/TLS: Free certificates via ACM (must be in us-east-1 for CloudFront)
• Signed URLs/Cookies: Restrict access to content for paid or authenticated users
• Lambda@Edge / CloudFront Functions: Run code at edge locations
• Cache invalidation: Force removal of cached content (costs per path)
• Geographic restrictions: Block or allow access by country

Elastic Load Balancing

Feature	ALB	NLB	CLB
Layer	7 (HTTP/HTTPS)	4 (TCP/UDP)	4 and 7
Use case	Web apps, microservices	Extreme performance, static IP	Legacy only
Targets	IP, instance, Lambda	IP, instance, ALB	Instance
Path/host routing	Yes	No	No
WebSocket	Yes	Yes	No
Static IP	No (use Global Accelerator)	Yes	No
Performance	Millions of requests/sec	Millions of requests/sec	Thousands

Key facts:

• Cross-zone load balancing: ALB (always on), NLB (off by default)
• Sticky sessions: ALB (application cookie), CLB (duration cookie)
• Connection draining / deregistration delay: Allows in-flight requests to complete
• Health checks: HTTP, HTTPS, TCP

Security Services

IAM (Identity and Access Management)

• Users: Individual identities
• Groups: Collection of users (cannot nest groups)
• Roles: Temporary credentials for AWS services, cross-account access, federation
• Policies: JSON documents defining permissions (Effect, Action, Resource, Condition)
• Policy types: AWS managed, customer managed, inline
• Policy evaluation: Explicit Deny > Explicit Allow > Implicit Deny
• STS (Security Token Service): Provides temporary credentials for role assumption
• Identity federation: SAML 2.0, Web Identity (Cognito), SSO

AWS KMS (Key Management Service)

• CMK types: AWS managed, customer managed, AWS owned
• Key rotation: Automatic annual rotation for customer-managed keys (optional)
• Envelope encryption: Data key encrypts data, CMK encrypts data key
• Key policies: Resource-based policies controlling key access
• Multi-region keys: Same key material replicated across regions
• CloudHSM: Dedicated hardware security module for regulatory requirements

Other Security Services

• AWS WAF: Layer 7 firewall, protects against SQL injection, XSS, rate limiting
• AWS Shield Standard: Free DDoS protection for all AWS customers
• AWS Shield Advanced: Enhanced DDoS protection with 24/7 DRT access ($3,000/month)
• Amazon GuardDuty: ML-based threat detection, analyzes CloudTrail, VPC Flow Logs, DNS logs
• Amazon Inspector: Automated vulnerability assessment for EC2 and ECR images
• Amazon Macie: S3 data classification, finds PII and sensitive data
• AWS Secrets Manager: Rotate, manage, and retrieve secrets (database credentials, API keys)
• AWS Systems Manager Parameter Store: Free parameter storage (less features than Secrets Manager)

Application Integration

Amazon SQS (Simple Queue Service)

• Standard queue: Unlimited throughput, at-least-once delivery, best-effort ordering
• FIFO queue: 300 msg/s (3,000 with batching), exactly-once, strict ordering
• Visibility timeout: Default 30 seconds (0 sec to 12 hours)
• Message retention: Default 4 days (1 minute to 14 days)
• Max message size: 256 KB (use Extended Client Library + S3 for larger)
• Long polling: Reduces empty responses and cost (set WaitTimeSeconds 1-20s)
• Dead letter queue (DLQ): Capture messages that fail processing after max receives
• Use case: Decoupling services, buffering writes, handling traffic spikes

Amazon SNS (Simple Notification Service)

• Pub/sub model: One-to-many message delivery
• Subscribers: SQS, Lambda, HTTP/HTTPS, email, SMS, mobile push
• Fanout pattern: SNS topic sends to multiple SQS queues simultaneously
• FIFO topics: Ordered, deduplicated delivery (requires FIFO SQS subscribers)
• Message filtering: Subscribers receive only messages matching filter policies

Amazon EventBridge

• Serverless event bus: Route events from AWS services, SaaS apps, custom apps
• Rules: Match events and route to targets (Lambda, SQS, Step Functions, etc.)
• Schema registry: Discover and manage event schemas
• Replaces CloudWatch Events (same underlying service, more features)

SQS vs. SNS vs. EventBridge Decision Guide

Need	Use
Queue messages between two services	SQS
Fan out one message to many subscribers	SNS (+ SQS for durability)
Route events based on content/source	EventBridge
Decouple a producer from consumers	SQS or SNS
React to AWS service events	EventBridge

Monitoring and Management

Amazon CloudWatch

• Metrics: Built-in and custom metrics for AWS services
• Alarms: Trigger actions based on metric thresholds (Auto Scaling, SNS)
• Logs: Centralized log collection and analysis
• Dashboards: Visualize metrics in real time
• Default monitoring: 5-minute intervals (free)
• Detailed monitoring: 1-minute intervals (paid)
• Custom metrics: Minimum resolution 1 second (high-resolution)

AWS CloudTrail

• API auditing: Logs all API calls made in your account
• Management events: Enabled by default (free for 90 days)
• Data events: S3 object-level and Lambda invocations (not default, additional cost)
• Multi-region trail: Single trail captures events across all regions
• Integrity validation: Verify log files have not been tampered with

AWS Config

• Configuration tracking: Records resource configurations over time
• Compliance rules: Evaluate resources against desired configurations
• Remediation: Auto-remediate non-compliant resources using SSM Automation
• Aggregator: Multi-account, multi-region compliance view

Common Architecture Patterns

Three-Tier Web Architecture

Route 53 → CloudFront → ALB → EC2 Auto Scaling (web tier) → ALB → EC2 Auto Scaling (app tier) → RDS Multi-AZ (data tier)

Serverless Web Application

Route 53 → CloudFront → S3 (static content) + API Gateway → Lambda → DynamoDB

Event-Driven Processing

S3 event → SNS → SQS (multiple queues) → Lambda (processing) → DynamoDB/S3

Decoupled Architecture

Producers → SQS queue → Consumer Auto Scaling group (scales based on queue depth)

Hybrid Cloud

On-premises ↔ Direct Connect / VPN ↔ VPC (Transit Gateway for multiple VPCs)

Data Lake

Multiple data sources → Kinesis / DMS → S3 (raw) → Glue (ETL) → S3 (processed) → Athena / Redshift (analytics)

Key Numbers to Remember

Fact	Value
S3 object max size	5 TB
S3 multipart upload threshold	100 MB recommended, required for >5 GB
S3 durability	99.999999999% (11 nines)
EBS io2 max IOPS	64,000 (256,000 for Block Express)
Lambda max timeout	15 minutes
Lambda max memory	10 GB
SQS message max size	256 KB
SQS max retention	14 days
DynamoDB item max size	400 KB
RDS max storage	64 TB
Aurora max storage	128 TB
VPC max CIDR	/16 (65,536 IPs)
VPC min CIDR	/28 (16 IPs)
Security groups per ENI	5 (default)
Rules per security group	60 inbound + 60 outbound
Spread placement group max	7 instances per AZ
Direct Connect speeds	1 Gbps, 10 Gbps, 100 Gbps
Route 53 alias record cost	Free (no charge for queries)
CloudFront SSL cert region	Must be in us-east-1
SAA-C03 passing score	720 / 1000

Encryption Quick Reference

At Rest

Service	Default Encryption	KMS Support	Notes
S3	SSE-S3 (default since Jan 2023)	Yes (SSE-KMS)	Also supports SSE-C
EBS	Optional (recommended)	Yes	Enable at volume creation
RDS	Optional	Yes	Must enable at DB creation
DynamoDB	AWS owned key (default)	Yes (customer managed)	Automatic
EFS	Optional	Yes	Enable at creation
Redshift	Optional	Yes	AES-256

In Transit

• Use HTTPS/TLS for all API calls (AWS SDK does this by default)
• Enable SSL connections for RDS databases
• Use VPN or Direct Connect for on-premises to AWS
• VPC endpoints keep traffic within AWS network
• ACM (Certificate Manager) provides free SSL/TLS certificates

Final Exam Tips

1. Read every word of the question — qualifiers like “most cost-effective” or “least operational overhead” determine the correct answer
2. Eliminate wrong answers first — usually 1-2 options are clearly incorrect
3. Managed > Self-managed when the question asks for “least operational overhead”
4. Serverless > Provisioned when the question mentions variable or unpredictable workloads
5. Multi-AZ = High Availability, Multi-Region = Disaster Recovery
6. Security Groups = Stateful (return traffic automatically allowed), NACLs = Stateless (must explicitly allow return traffic)
7. S3 for objects, EBS for block storage (single EC2), EFS for shared file storage (multiple EC2)
8. SQS for decoupling, SNS for fan-out, EventBridge for event routing

For more detailed tips and strategies, read our exam tips guide.

Test Your Knowledge

The best way to know if you are ready is to take practice exams under realistic conditions. Our SAA-C03 Mock Exam Bundle provides hundreds of scenario-based questions with detailed explanations covering every topic on this cheat sheet and more. Use it alongside this quick reference to identify and fill your remaining knowledge gaps.

Frequently Asked Questions

Should I memorize all the numbers in this cheat sheet?

Focus on the most commonly tested numbers: S3 object size limit (5 TB), Lambda timeout (15 minutes), SQS max message size (256 KB), DynamoDB item size (400 KB), and the VPC CIDR range (/16 to /28). These appear frequently in exam questions.

How do I know which storage class to choose on the exam?

Look for keywords in the question: “frequently accessed” = Standard, “infrequent” = IA, “archive” = Glacier, “unknown pattern” = Intelligent-Tiering. Also check for retrieval time requirements — Glacier Deep Archive takes 12-48 hours.

What is the most important section of this cheat sheet?

Networking (VPC, security groups, NACLs) and storage (S3, EBS) come up most frequently on the exam. Security (IAM, KMS, encryption) is the largest domain. Focus on these three areas if time is limited.

How often should I review this cheat sheet?

Review it once during your initial study, periodically as you progress, and thoroughly in the final 2-3 days before your exam. Pair it with practice exam reviews to reinforce the concepts you find most challenging.

Is this cheat sheet updated for the SAA-C03?

Yes. This cheat sheet covers services, limits, and architectural patterns relevant to the current SAA-C03 exam. AWS occasionally updates service limits, so verify critical numbers against the official AWS documentation if your exam is several months away.

Can I bring a cheat sheet into the exam?

No. You cannot bring any reference materials into the testing center or have them visible during online proctoring. The purpose of this cheat sheet is for study and review before exam day, not during the exam itself.