AWS SAA-C03 Domain 1: Design Secure Architectures (30% of the Exam)
Domain 1 is 30% of SAA-C03, the largest single domain on the exam. A focused breakdown of what AWS actually tests, the question patterns that trip people up, and what to skip.
By ExamCoachAI
9 min read

Domain 1 is the largest single domain on SAA-C03. AWS weights it at 30%, which works out to roughly 15 of the 50 scored questions (the exam has 65 questions; 15 of them are unscored). Scoring is compensatory, one scaled score with 720 out of 1000 to pass and no per-domain minimum, but if you score evenly across the other three domains and bomb Domain 1, you have almost no margin left. The good news: it is also the most predictable domain on the exam. AWS reuses a small set of question patterns to test the same handful of ideas.
This post walks through what Domain 1 actually tests, the patterns to recognize, and where most candidates waste study time.
What AWS says Domain 1 tests
The official exam guide breaks Domain 1 into three task statements:
- Design secure access to AWS resources. Authentication, authorization, federation, credential management.
- Design secure workloads and applications. Network controls, service-level controls, secrets, application identity.
- Determine appropriate data security controls. Encryption at rest, encryption in transit, key management, data lifecycle and classification.
These three carve the domain cleanly. Every Domain 1 question is, ultimately, a question about one of those three. When you read a scenario and your brain says "I don't know," ask yourself which task statement it belongs to first. That alone narrows the answer space.
Identity and access: the most-tested cluster
If Domain 1 is 30% of the exam, identity and access is roughly half of Domain 1. Expect a heavy IAM presence.
The services you must be fluent in:
- IAM users, groups, roles, policies. Trust policies vs identity policies vs resource policies (a trust policy is simply the resource-based policy of a role: it says who may assume it). The difference between a user with long-lived keys and a role assumed via STS.
- IAM Identity Center (the service formerly known as AWS SSO). Workforce identity across multiple AWS accounts. Permission sets. Federation with external identity providers (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace).
- AWS STS. AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML. Temporary credentials are a recurring correct answer.
- Amazon Cognito. User pools (your application's user directory) vs identity pools (federated AWS credentials for end users). Most candidates conflate these. Get them straight.
- Resource-based policies on S3, KMS, Lambda, SNS, SQS. Cross-account access patterns.
The single most tested pattern in this cluster: an application running on EC2 (or Lambda, or ECS) needs to access another AWS service. The correct answer is almost always attach an IAM role to the compute resource (an instance profile on EC2, an execution role on Lambda, a task role on ECS); the platform hands the workload temporary credentials for that role and rotates them automatically. Long-lived access keys stored on the instance are wrong, environment variables holding secrets are wrong, hardcoded credentials in code are wrong. If you see any of those in the answer choices, eliminate them on sight.
The second most tested pattern: cross-account access. A user in account A needs to read an S3 bucket in account B. Two valid patterns: a bucket policy in account B that names the IAM principal in account A, or an IAM role in account B that the principal in account A assumes via STS. The caveat the exam likes: with the bucket-policy pattern the request is cross-account, so the principal's own identity policy in account A must also allow the S3 action; the bucket policy alone is not enough. With the role pattern, the role's trust policy names the principal in A, and once assumed the role is an account-B principal reading an account-B bucket, so the role's identity policy is all the bucket needs. AWS tends to prefer the role-assumption answer when the access is ongoing or spans more than one resource.
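A toy of that evaluation logic, as an added example and not code from the post: the two patterns above are modelled in Python, with the policy documents embedded as dicts. The account IDs, the user alice, the PayrollReader role and the payroll-reports bucket are constructed. Only the rules the exam cares about are modelled (explicit deny beats allow; same-account needs one Allow; cross-account needs an Allow in both the identity policy and the resource policy); conditions, NotAction, session policies, SCPs and permission boundaries are left out.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(stmt, principal_arn):
    """Resource policies say who they trust; identity policies have no Principal."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    trusted = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
    account = principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account, f"arn:aws:iam::{account}:root") for p in trusted)

def _statement_applies(stmt, principal_arn, action, resource):
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt.get("Resource", "*"))   # trust policies omit Resource
    return (_principal_matches(stmt, principal_arn)
            and any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))

def _decision(policy, principal_arn, action, resource):
    """'Deny', 'Allow' or None for one policy document; a matching Deny short-circuits."""
    result = None
    for stmt in policy.get("Statement", []):
        if _statement_applies(stmt, principal_arn, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            result = "Allow"
    return result

def is_allowed(principal_arn, resource_account, identity_policy, resource_policy, action, resource):
    """Simplified AWS evaluation: explicit deny wins; same-account needs an Allow in
    either policy; cross-account needs an Allow in both."""
    ident = _decision(identity_policy, principal_arn, action, resource)
    res = _decision(resource_policy, principal_arn, action, resource)
    if "Deny" in (ident, res):
        return False
    if principal_arn.split(":")[4] == resource_account:
        return "Allow" in (ident, res)
    return ident == "Allow" and res == "Allow"

# Constructed scenario: alice in account A wants one object in a bucket owned by account B.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ALICE = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/PayrollReader"
ROLE_B_SESSION = f"arn:aws:sts::{ACCOUNT_B}:assumed-role/PayrollReader/alice"
OBJECT = "arn:aws:s3:::payroll-reports/q3.csv"
EMPTY = {"Statement": []}

# Pattern 1: a bucket policy in B that names alice directly.
BUCKET_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ALICE},
                                "Action": "s3:GetObject", "Resource": "arn:aws:s3:::payroll-reports/*"}]}
ALICE_S3_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}

def pattern_bucket_policy(alice_identity_policy):
    return is_allowed(ALICE, ACCOUNT_B, alice_identity_policy, BUCKET_POLICY, "s3:GetObject", OBJECT)

# Pattern 2: alice assumes PayrollReader in B, then the role session reads the bucket.
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "sts:AssumeRole"}]}
ALICE_ASSUME = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]}
ROLE_S3_READ = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                               "Resource": "arn:aws:s3:::payroll-reports/*"}]}

def pattern_assume_role(alice_identity_policy):
    # Step 1 is cross-account: the trust policy on the role AND alice's own policy must allow sts:AssumeRole.
    if not is_allowed(ALICE, ACCOUNT_B, alice_identity_policy, TRUST_POLICY, "sts:AssumeRole", ROLE_B):
        return False
    # Step 2 is same-account: the session is a B principal, so the role's identity policy alone carries it.
    return is_allowed(ROLE_B_SESSION, ACCOUNT_B, ROLE_S3_READ, EMPTY, "s3:GetObject", OBJECT)

if __name__ == "__main__":
    print("bucket policy, alice has no identity policy:", pattern_bucket_policy(EMPTY))          # False
    print("bucket policy, alice allowed s3:GetObject:  ", pattern_bucket_policy(ALICE_S3_READ))  # True
    print("assume role, alice may not AssumeRole:      ", pattern_assume_role(EMPTY))            # False
    print("assume role, alice may AssumeRole:          ", pattern_assume_role(ALICE_ASSUME))     # True
```

The first result is the trap: a bucket policy that names alice by ARN still denies her if her own account has not granted her s3:GetObject. Swap ACCOUNT_B for ACCOUNT_A in pattern_bucket_policy and the same bucket policy is sufficient on its own, because the request is now same-account.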
Data protection: KMS, Secrets Manager, encryption everywhere
The KMS questions on SAA-C03 are mostly conceptual. You will not be asked to implement a grant. You will be asked which type of key to use.
The decision tree to internalize:
- AWS managed keys. No monthly key charge, AWS rotates them on its own schedule (yearly), you cannot delete them, edit their key policy, or use them across accounts. Default for most services.
- Customer managed keys (CMK / KMS keys). You control the key policy, rotation, deletion, and cross-account usage. Required when the scenario mentions "centralized audit," "compliance," "cross-account encryption," or "control over rotation schedule."
- AWS owned keys. Invisible to you. AWS uses them internally. You will not pick this answer.
- AWS CloudHSM, either directly or behind a KMS custom key store. Required when the scenario mentions FIPS 140-2 Level 3 validated hardware, dedicated single-tenant HSMs, or full control of the HSM itself.
The pattern: if the scenario says "we need to rotate keys on our own schedule" or "we need to use the same key across multiple accounts" or "we need an audit trail of every key usage," the answer involves a customer managed KMS key. If the scenario says nothing of the kind, the default (AWS managed) is fine.
For secrets specifically:
- AWS Secrets Manager rotates secrets automatically and is the right answer when the scenario mentions "rotate database credentials every 30 days" or "rotate API keys without downtime."
- AWS Systems Manager Parameter Store stores configuration values. It can store secrets as SecureString, but it does not rotate. Right answer when cost matters and rotation does not.
The exam will give you a scenario with rotation as the deciding factor. Parameter Store is cheaper, Secrets Manager rotates. Pick accordingly.
Encryption in transit is simpler. TLS everywhere. ACM issues and renews public certificates at no charge for ELB, CloudFront and API Gateway. The one trap: a certificate used by CloudFront must be issued in (or imported into) us-east-1, because CloudFront is a global service; a regional load balancer uses a certificate from its own Region.
Network security: a few services do most of the work
The network-security service list looks long, but each one answers a different question.
- Security Groups. Stateful, allow-only, applied at the instance (ENI) level. A new security group denies all inbound and allows all outbound by default, and return traffic for an allowed connection is permitted automatically.
- Network ACLs. Stateless, allow and deny, applied at the subnet level. Rules are evaluated in ascending rule-number order and the first match wins. Used when you need to explicitly block an IP range. Because there is no connection tracking, return traffic needs its own rule, typically an outbound allow on the ephemeral port range 1024-65535.
- AWS WAF. Application-layer (Layer 7) protection. SQL injection, XSS, rate limiting, geo-blocking on HTTP traffic. Attaches to ALB, CloudFront, API Gateway, AppSync.
- AWS Shield Standard. Free, DDoS protection for Layer 3 and 4. Always on.
- AWS Shield Advanced. Paid, adds Layer 7 DDoS protection, cost protection during attacks, a 24/7 response team. Right answer when the scenario mentions DDoS in a regulated or high-revenue context.
- Amazon GuardDuty. Threat detection across VPC Flow Logs, CloudTrail, DNS logs, S3, EKS audit logs. Right answer when the scenario says "detect compromised instances" or "detect anomalous API calls."
- AWS Network Firewall. Managed stateful firewall at the VPC level. Right answer for centralized egress filtering across multiple VPCs.
- VPC endpoints (interface and gateway). Keep traffic to AWS services off the public internet. Gateway endpoints exist only for S3 and DynamoDB and have no hourly charge; everything else is an interface endpoint (PrivateLink) with an ENI in your subnet. Right answer when the scenario says "Lambda must access S3 without traversing the public internet" or "S3 access from a private subnet without a NAT gateway."
The exam pattern: a scenario describes a symptom (compromised instance, DDoS, SQL injection, anomalous API calls, traffic flowing over the internet). Match the symptom to one of these services. Do not pick two of them. AWS scenarios reward the single most precise tool, not a layered defense answer.
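To make the stateful versus stateless distinction concrete, here is an added Python toy packet filter (example code, not from the post): one class behaves like a security group, the other like a network ACL, and both see the same HTTPS request and its reply. The addresses, ports and rule numbers are constructed. It models only protocol, destination port range and CIDR matching; ICMP types, the "all traffic" protocol and the allow-all outbound rule a new security group ships with are left out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = away from it
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int

def _rule_hits(rule, pkt):
    """rule = (proto, port_lo, port_hi, cidr). As on AWS, the port range is the packet's
    destination port and the CIDR is the remote side (source inbound, destination outbound)."""
    proto, lo, hi, cidr = rule
    remote_ip = pkt.src if pkt.direction == "in" else pkt.dst
    return (proto == pkt.proto and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))

class SecurityGroup:
    """Stateful and allow-only: a packet that matches a rule opens a flow, and the
    reply to a tracked flow is allowed without a rule of its own."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()

    def allows(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.flows:
            return True                      # reply to something already let through
        if any(_rule_hits(r, pkt) for r in self.rules[pkt.direction]):
            self.flows.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
            return True
        return False                         # no deny rules exist; no match is simply a drop

class NetworkAcl:
    """Stateless: rules are (number, proto, lo, hi, cidr, effect), evaluated in ascending
    number order; the first hit decides and no hit is the implicit deny. No flow memory."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}

    def allows(self, pkt):
        for number, proto, lo, hi, cidr, effect in self.rules[pkt.direction]:
            if _rule_hits((proto, lo, hi, cidr), pkt):
                return effect == "allow"
        return False

# Constructed traffic: an internet client talks HTTPS to a web server at 10.0.1.10.
SERVER, CLIENT, HOSTILE = "10.0.1.10", "203.0.113.7", "198.51.100.9"
REQUEST = Packet("in", "tcp", CLIENT, 51234, SERVER, 443)
REPLY = Packet("out", "tcp", SERVER, 443, CLIENT, 51234)
HOSTILE_REQUEST = Packet("in", "tcp", HOSTILE, 40000, SERVER, 443)

def run_scenarios():
    # Security group with inbound 443 and no outbound rule at all: the reply still passes.
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    sg_reply = sg.allows(REQUEST) and sg.allows(REPLY)

    # NACL mirrored naively (outbound 443 instead of the ephemeral range): the reply is dropped.
    naive = NetworkAcl(inbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                       outbound=[(100, "tcp", 443, 443, "0.0.0.0/0", "allow")])
    naive_reply = naive.allows(REQUEST) and naive.allows(REPLY)

    # NACL done right: ephemeral ports outbound, plus a lower-numbered deny for a hostile
    # range, which is the one thing a security group cannot express.
    fixed = NetworkAcl(inbound=[(90, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
                                (100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                       outbound=[(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    return {"sg_reply_allowed": sg_reply,
            "naive_nacl_reply_allowed": naive_reply,
            "fixed_nacl_reply_allowed": fixed.allows(REQUEST) and fixed.allows(REPLY),
            "fixed_nacl_blocks_hostile": not fixed.allows(HOSTILE_REQUEST)}

if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The naive NACL is the classic exam scenario in miniature: the web server accepts the connection, the client never sees a response, and the security group is blameless. The fix is the ephemeral-port outbound rule, and the rule-90 deny shows why a NACL, not a security group, is the answer when the scenario says "block this range."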
Question patterns to recognize
After 20 sample Domain 1 questions, the patterns repeat. Train yourself to spot them on first read:
- "Most secure" or "best practice." Eliminate any answer that hardcodes credentials, uses long-lived access keys, or stores secrets in environment variables. Prefer IAM roles, KMS, and managed services.
- "Cost-effective" combined with security. Parameter Store often beats Secrets Manager. AWS managed KMS keys often beat customer managed. Default to free or cheaper until the scenario forces an upgrade.
- "Cross-account." STS AssumeRole almost always wins.
- "Compliance" or "audit." CloudTrail is mandatory in the answer. Customer managed KMS keys come into play. AWS Config for resource state.
- "Detect" or "anomalous." GuardDuty. Sometimes Macie if the scenario specifically mentions S3 and PII.
- "Without public internet." VPC endpoint. PrivateLink for third-party services.
- "Rotate." Secrets Manager.
When two answers both look right, the more specific one usually wins. AWS rarely rewards over-engineering on the exam.
What to skip
Some Domain 1 content shows up in the exam guide but rarely on the exam itself. Spending hours here is wasted time:
- CloudHSM internals. Know it exists, know it is FIPS 140-2 Level 3, move on.
- AWS Firewall Manager. Multi-account WAF / Shield orchestration. One question, maybe.
- AWS Network Access Analyzer. Specialized tool. Rarely tested at the associate level.
- Detailed Cognito flow diagrams. Know user pool vs identity pool. Do not memorize the OAuth handshake.
- Specific WAF rule syntax. Know what WAF blocks at a high level. The exam will not ask you to write a rule.
The mistake most candidates make is to spend an extra week on these obscure corners while skipping a third pass on IAM. IAM is half the domain. Treat it accordingly.
A working study sequence for Domain 1
If you have two weeks for Domain 1, this works:
- Days 1 to 3. IAM end-to-end. Build it in a free-tier account. Create users, groups, roles, attach managed policies, write a custom policy, set up cross-account access between two of your own accounts.
- Days 4 to 5. KMS and Secrets Manager. Create a customer managed key. Encrypt an S3 bucket with it. Store a database credential in Secrets Manager and rotate it.
- Days 6 to 8. Network security. Spin up a VPC with public and private subnets, attach a security group, deny inbound at a NACL, put a Lambda in the private subnet and use a VPC endpoint to reach S3.
- Days 9 to 11. Detection and protection. Enable GuardDuty in a sandbox account. Attach WAF to an ALB. Read one CloudTrail event log end to end.
- Days 12 to 14. Domain 1 practice questions only. Sixty questions minimum. Score by sub-domain. Anything under 70% in a sub-domain gets a half-day review.
The hands-on portion is what makes the service names stick. Reading the exam guide will not.
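What "read one CloudTrail event end to end" looks like in practice, as an added example that is not part of the post: a small Python reviewer walks a handful of constructed CloudTrail records (invented for this example; the field names follow the CloudTrail record format and the access key IDs are AWS's documentation placeholders) and pulls out what an audit reviewer reads first: who acted, with what kind of credential, against which API, from where, and whether the call was denied. The credential classification rests on two documented facts: long-term IAM access key IDs start with AKIA and temporary STS key IDs start with ASIA, which is how the role-versus-access-key distinction from the IAM section shows up in the logs.

```python
import json

# Constructed CloudTrail records (not real logs). AKIAIOSFODNN7EXAMPLE and
# ASIAIOSFODNN7EXAMPLE are AWS documentation placeholder key IDs.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.10",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:sts::111111111111:assumed-role/WebServerRole/i-0abc123def456",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "WebServerRole"}}}},
    {"eventTime": "2024-05-01T10:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "10.0.1.11",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
    {"eventTime": "2024-05-01T10:01:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.50",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root", "accessKeyId": ""}},
    {"eventTime": "2024-05-01T10:02:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.9", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
                      "arn": "arn:aws:iam::111111111111:user/deploy-bot"}},
]})

def credential_kind(identity):
    """Classify how the caller authenticated, from the access key ID prefix."""
    if identity.get("type") == "Root":
        return "root"
    key = identity.get("accessKeyId", "")
    if key.startswith("ASIA"):
        return "temporary"      # STS credentials: role session, federation, instance profile
    if key.startswith("AKIA"):
        return "long-lived"     # IAM user access key: the thing the exam wants eliminated
    return "unknown"

def actor(identity):
    """Readable 'who': the role name for sessions, the user name otherwise."""
    if identity.get("type") == "AssumedRole":
        return identity["sessionContext"]["sessionIssuer"]["userName"]
    return identity.get("userName", identity.get("type", "unknown"))

def review(trail_json):
    """Return (finding, actor, api, source_ip) tuples that deserve a second look."""
    findings = []
    for rec in json.loads(trail_json)["Records"]:
        ident = rec["userIdentity"]
        api = f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}'
        who, ip = actor(ident), rec.get("sourceIPAddress", "")
        kind = credential_kind(ident)
        if kind == "root":
            findings.append(("ROOT_USED", who, api, ip))
        elif kind == "long-lived":
            findings.append(("LONG_LIVED_KEY", who, api, ip))
        if rec.get("errorCode") == "AccessDenied":
            findings.append(("ACCESS_DENIED", who, api, ip))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_TRAIL):
        print(*finding)
```

The first record, the instance role fetching an object with an ASIA key, produces nothing: that is what the "attach a role to the compute resource" answer looks like in the log. The IAM user doing the same thing with an AKIA key, the root console login, and the AccessDenied burst from an outside address are the three things a reviewer (or GuardDuty) would chase.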
The mindset shift
Most candidates approach Domain 1 like a security textbook. They study every service in depth, memorize feature lists, and walk into the exam unsure why their score is mediocre. The exam does not test depth. It tests recognition.
Train pattern recognition first, depth second. Read a scenario, name the pattern, eliminate two answers in 15 seconds. Then evaluate the remaining two. You will finish Domain 1 questions faster, more accurately, and with bandwidth left for the harder domains.
Ready to put this into practice? Generate a domain-weighted SAA-C03 practice set on ExamCoachAI and target your weakest Domain 1 sub-area first.