AWS Certified Solutions Architect - Associate
Validates ability to design and implement distributed systems and architectures on AWS. Covers secure, resilient, high-performing, and cost-optimized architecture design using AWS services. Recommended for those with one or more years of hands-on experience designing solutions on AWS.
Exam domains
- Design Secure Architectures (30%)
  - Design secure access to AWS resources: IAM users/groups/roles; IAM policies (identity-based vs resource-based); IAM permissions boundaries; IAM Access Analyzer; IAM Identity Center (SSO), SAML 2.0 federation, OIDC; AWS STS for temporary credentials; cross-account access via assume-role; root user MFA; secrets (AWS Secrets Manager vs Systems Manager Parameter Store); AWS Organizations (SCPs, OUs, consolidated billing).
  - Design secure workloads and applications: VPC security (security groups, NACLs, VPC endpoints, VPC peering, AWS PrivateLink); web application firewall (AWS WAF rules and managed rule groups); AWS Shield (Standard vs Advanced for DDoS); AWS Network Firewall; AWS Firewall Manager for centralized policy management; bastion hosts vs Session Manager; container security (ECR image scanning, EKS pod security, IAM roles for service accounts - IRSA).
  - Determine appropriate data security controls: encryption at rest (AWS KMS customer-managed keys vs AWS-managed keys, envelope encryption, AWS CloudHSM, AWS KMS key rotation); encryption in transit (TLS termination at ELB/CloudFront, ACM certificate provisioning); S3 bucket policies vs ACLs, S3 Block Public Access, S3 Object Lock for WORM compliance; Macie for data classification and PII discovery; data masking strategies.
- Design Resilient Architectures (26%)
  - Design scalable and loosely coupled architectures: decoupling with SNS pub/sub fan-out, SQS Standard vs FIFO queues, EventBridge event buses and rules, Step Functions for workflow orchestration; auto scaling (EC2 Auto Scaling Groups, target tracking vs step scaling, predictive scaling, Application Auto Scaling for ECS/DynamoDB/Aurora); load balancing (ALB path/host-based routing, NLB for TCP/UDP, GLB for third-party appliances); Amazon API Gateway throttling and caching; CloudFront origin failover.
  - Design highly available and/or fault-tolerant architectures: multi-AZ deployments (RDS Multi-AZ, ElastiCache Multi-AZ, EFS regional, FSx Multi-AZ); multi-region patterns (active-active vs active-passive, Route 53 routing policies - latency/failover/geolocation/weighted, S3 Cross-Region Replication, DynamoDB Global Tables, Aurora Global Database, AWS Backup cross-region); disaster recovery (backup and restore, pilot light, warm standby, multi-site active-active, RTO/RPO targets); chaos engineering with AWS Fault Injection Simulator.
Sources
Questions are grounded in 150 references from official and authoritative materials.