The SAA-C03 does not test memorisation — it tests your ability to pick the right service for a given set of constraints. The questions are scenario-based: a company needs X, has constraint Y, at the lowest cost. Your job is to eliminate wrong answers quickly. This reference is structured by constraint, not alphabetically.
Key fact: 65 questions · 130 minutes · Pass score 720/1000. Roughly 15% of questions are unscored pilot questions — you will not know which ones.
Compute
| Service | What it is | Exam trigger phrase |
|---|---|---|
| EC2 | Virtual machines in the cloud | "full control", "custom OS", "persistent compute" |
| Lambda | Serverless function execution (max 15 min) | "event-driven", "no servers to manage", "short-lived" |
| ECS | Run Docker containers on managed clusters | "containers", "microservices" (with EC2 or Fargate) |
| EKS | Managed Kubernetes | "Kubernetes", "container orchestration at scale" |
| Fargate | Serverless compute for ECS/EKS — no EC2 management | "serverless containers", "no EC2 provisioning" |
| Elastic Beanstalk | PaaS — deploy code, AWS manages infrastructure | "developers don't want to manage infrastructure" |
| App Runner | Fully managed container/web app deployment | "simplest container deployment", "no infra knowledge" |
| Batch | Run batch jobs at scale | "batch processing", "HPC", "job queues" |
| Lightsail | Simple VPS for small workloads | "simple web app", "predictable low cost", "no AWS expertise" |
Tip: EC2 vs Lambda decision: if the task runs longer than 15 minutes, it cannot be Lambda. If it needs persistent state or a specific OS configuration, choose EC2.
Storage
| Service / Class | What it is | Exam trigger phrase |
|---|---|---|
| S3 Standard | General-purpose object storage, 11 9s durability | "frequently accessed", "default" |
| S3 Intelligent-Tiering | Auto-moves objects between tiers based on access | "unknown or changing access patterns" |
| S3 Standard-IA | Lower cost, but retrieval fee; min 30-day charge | "infrequently accessed", "backup", "DR" |
| S3 One Zone-IA | Like Standard-IA but single AZ only | "cost savings acceptable", "re-creatable data" |
| S3 Glacier Instant | Archive with millisecond retrieval | "archive", "immediate access needed" |
| S3 Glacier Flexible | Archive, retrieval in minutes to hours | "archive", "hours retrieval acceptable" |
| S3 Glacier Deep Archive | Lowest cost storage, retrieval 12–48 hours | "7–10 year retention", "regulatory archive" |
| EBS | Block storage attached to a single EC2 instance | "persistent disk", "database volume", "single instance" |
| EFS | Managed NFS, shared across multiple EC2 instances | "shared file system", "multiple instances" |
| FSx for Windows | Managed Windows file system (SMB) | "Windows workloads", "Active Directory integration" |
| FSx for Lustre | High-performance file system for HPC/ML | "HPC", "machine learning", "high throughput" |
| Storage Gateway | Hybrid cloud storage connector | "on-premises to AWS", "hybrid", "local cache" |
| Snow Family | Physical devices for bulk data transfer or edge compute | "petabytes of data", "limited bandwidth", "offline transfer" |
Watch out: S3 is not a file system — it is object storage. Questions asking for a "shared file system mounted across EC2 instances" want EFS, not S3.
Databases
| Service | Type | Exam trigger phrase |
|---|---|---|
| RDS | Managed relational DB (MySQL, Postgres, Oracle, SQL Server, MariaDB) | "relational", "SQL", "OLTP" |
| Aurora | AWS relational DB — up to 5× faster than MySQL, auto-scales storage | "relational", "high performance", "serverless option" |
| Aurora Serverless | Aurora that scales compute to zero | "unpredictable workloads", "dev/test", "infrequent use" |
| DynamoDB | Managed NoSQL, single-digit millisecond at any scale | "NoSQL", "key-value", "massive scale", "millisecond latency" |
| DynamoDB Accelerator (DAX) | In-memory cache for DynamoDB | "microsecond latency", "DynamoDB caching" |
| ElastiCache (Redis) | In-memory cache, supports persistence and pub/sub | "session data", "leaderboard", "real-time" |
| ElastiCache (Memcached) | Simple distributed cache, no persistence | "simple caching", "stateless" |
| Redshift | Managed data warehouse — columnar, OLAP | "analytics", "data warehouse", "OLAP", "petabyte-scale" |
| Neptune | Managed graph database | "graph", "relationships", "social network", "fraud detection" |
| DocumentDB | Managed MongoDB-compatible document database | "MongoDB compatible", "document store" |
| Keyspaces | Managed Apache Cassandra | "Cassandra compatible" |
| Timestream | Time-series database | "IoT", "time-series", "metrics over time" |
Networking & Content Delivery
| Service | What it is | Exam trigger phrase |
|---|---|---|
| VPC | Isolated virtual network; subnets, route tables, NACLs, security groups | "network isolation", "private subnet" |
| CloudFront | Global CDN with edge caching | "low latency globally", "cache", "static + dynamic content" |
| Route 53 | DNS service with health checks and routing policies | "DNS", "failover", "latency routing", "geolocation" |
| API Gateway | Managed REST/WebSocket/HTTP API endpoint | "expose Lambda via HTTP", "API management" |
| ELB — ALB | Layer 7 load balancer, path/host-based routing | "HTTP/HTTPS", "path-based routing", "WebSocket" |
| ELB — NLB | Layer 4 load balancer, extreme performance | "TCP/UDP", "static IP", "millions of requests per second" |
| ELB — GLB | Routes traffic to third-party network appliances | "firewall appliance", "inline inspection" |
| Transit Gateway | Hub connecting VPCs and on-premises networks at scale | "many VPCs", "hub-and-spoke", "centralized routing" |
| VPN Gateway | IPsec VPN from on-premises to AWS | "on-premises to VPC", "encrypted", "internet-based" |
| Direct Connect | Dedicated private connection from on-premises to AWS | "dedicated", "consistent bandwidth", "not over internet" |
| PrivateLink | Expose services to other VPCs without traversing internet | "private access", "no internet routing", "service endpoint" |
| Global Accelerator | Anycast IPs that route to closest AWS edge; TCP/UDP | "global static IPs", "non-HTTP", "low latency globally" |
Key fact: CloudFront vs Global Accelerator: CloudFront caches content at the edge. Global Accelerator proxies TCP/UDP traffic to your endpoints without caching. If the question mentions caching or static content, CloudFront. If it mentions TCP, UDP, or gaming — Global Accelerator.
Security, Identity & Compliance
| Service | What it is | Exam trigger phrase |
|---|---|---|
| IAM | Users, roles, groups, policies — access control | "who can access what", "permissions", "least privilege" |
| STS | Temporary security credentials via AssumeRole | "cross-account access", "temporary credentials", "federation" |
| Cognito | User authentication for web/mobile apps | "sign in for app users", "user pool", "social login" |
| KMS | Managed encryption key storage and usage | "encrypt at rest", "manage keys", "customer managed keys" |
| ACM | Managed TLS/SSL certificates | "HTTPS certificate", "free cert for CloudFront/ALB" |
| WAF | Web application firewall, L7 rules | "SQL injection", "XSS", "block by IP/country", "rate limiting" |
| Shield | DDoS protection | "DDoS protection" — Standard (free) or Advanced (paid, $$) |
| GuardDuty | Threat detection using ML on CloudTrail/DNS/VPC logs | "detect threats", "anomalous behaviour", "no agents" |
| Inspector | Automated security assessment for EC2/containers | "vulnerability scanning", "CVE detection" |
| Macie | ML-based sensitive data discovery in S3 | "PII in S3", "data classification", "GDPR" |
| Secrets Manager | Store and auto-rotate secrets (API keys, DB passwords) | "rotate credentials", "store secrets" |
| Parameter Store | Configuration store, simpler than Secrets Manager, free tier | "config values", "no rotation needed", "lower cost" |
| Organizations + SCP | Multi-account management; SCPs restrict what accounts can do | "multi-account", "prevent accounts from...", "guardrails" |
Application Integration
| Service | What it is | Exam trigger phrase |
|---|---|---|
| SQS | Managed message queue — decouples producers from consumers | "decouple", "buffer", "async processing", "queue" |
| SNS | Pub/sub messaging — one-to-many fan-out | "fan-out", "notify multiple", "push notification" |
| EventBridge | Event bus for routing events between AWS services and SaaS | "event-driven", "schedule", "SaaS integration" |
| Step Functions | Visual workflow orchestration for Lambda and services | "workflow", "orchestrate", "long-running process", "state" |
| Kinesis Data Streams | Real-time data streaming, sub-second latency | "real-time analytics", "streaming", "custom consumers" |
| Kinesis Data Firehose | Load streaming data to S3/Redshift/OpenSearch | "stream to S3", "no custom code needed", "near real-time" |
| MSK (Kafka) | Managed Apache Kafka | "Kafka", "existing Kafka workload" |
| AppSync | Managed GraphQL API | "GraphQL" |
Tip: SQS vs SNS vs EventBridge: SQS queues one-to-one (pull). SNS broadcasts one-to-many (push). EventBridge routes events by rules to multiple targets. Questions about "decoupling" almost always want SQS.
High Availability & Resilience Patterns
- Multi-AZ RDS: synchronous standby replica — automatic failover, same region
- Read Replicas: asynchronous — for read scaling, not failover (can be cross-region)
- Auto Scaling Groups: replace unhealthy instances, scale in/out based on metrics
- Multi-region active-active: Route 53 latency routing + data replication required
- S3 Cross-Region Replication: must enable versioning on both buckets first
- DynamoDB Global Tables: multi-region active-active NoSQL
- RTO vs RPO: RTO = time to recover; RPO = data loss tolerance. Lower both = higher cost
- Pilot Light: minimal standby (just DB replication). Warm Standby: scaled-down running copy. Multi-site Active-Active: full capacity in all regions
Cost Optimisation Quick Reference
| Scenario | Right choice |
|---|---|
| Steady, predictable workload (1–3 years) | Reserved Instances or Savings Plans |
| Fault-tolerant, interruptible workloads | Spot Instances (up to 90% cheaper) |
| Infrequent batch jobs | Spot or On-Demand — no commitment |
| Data rarely accessed | S3 Glacier Deep Archive |
| Reduce data transfer costs | CloudFront in front of S3 (transfers to CF edge are free) |
| Rightsize EC2 | AWS Compute Optimizer recommendations |
| Shut down unused resources | AWS Cost Explorer + Budgets alerts |
Key fact: Savings Plans vs Reserved Instances: Savings Plans are more flexible (commit to $/hour spend, not specific instance type). Compute Savings Plans apply across EC2, Lambda, and Fargate.