{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::production-data/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}

• Understand IAM Roles for cross-account access using sts:AssumeRole. The exam frequently tests scenarios where Account A needs to access resources in Account B.
• Know the difference between AWS Organizations SCPs and IAM policies. SCPs set the maximum permissions boundary; they do not grant permissions.

VPC Networking:

Build a complete VPC from scratch using the AWS CLI, not the console wizard:

# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=exam-prep-vpc}]'

# Create public and private subnets across two AZs
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.2.0/24 --availability-zone us-east-1b
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.3.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.4.0/24 --availability-zone us-east-1b

# Create and attach Internet Gateway
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-xxx --vpc-id vpc-xxx

# Create NAT Gateway for private subnet outbound access
aws ec2 create-nat-gateway --subnet-id subnet-public-xxx --allocation-id eipalloc-xxx

Understand when to use NAT Gateways versus NAT Instances, VPC Endpoints (Gateway for S3/DynamoDB, Interface for everything else), and VPC Peering versus Transit Gateway.

EC2 Fundamentals:

• Know all instance families: General Purpose (M/T), Compute Optimized (C), Memory Optimized (R/X), Storage Optimized (I/D), and Accelerated Computing (P/G for GPU).
• Understand placement groups: Cluster (low latency, same rack), Spread (max 7 per AZ, separate hardware), and Partition (large distributed workloads like HDFS/Cassandra).
• Master EBS volume types: gp3 (baseline 3,000 IOPS, 125 MiB/s), io2 Block Express (up to 256,000 IOPS), st1 (throughput-optimized HDD), sc1 (cold HDD).

Weeks 3-4: Storage and Databases

S3 Mastery (appears in 40%+ of exam questions):

S3 is arguably the most tested service. You need to know:

• Storage classes: S3 Standard, S3 Intelligent-Tiering, S3 Standard-IA, S3 One Zone-IA, S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive.
• Lifecycle policies: Automate transitions between storage classes. A common exam scenario involves minimizing cost for data accessed frequently for 30 days, then rarely for 1 year, then retained for compliance for 7 years.
• Replication: Cross-Region Replication (CRR) for disaster recovery, Same-Region Replication (SRR) for log aggregation. Both require versioning enabled on source and destination.
• Encryption: SSE-S3 (AWS managed keys), SSE-KMS (customer managed keys with audit trail via CloudTrail), SSE-C (customer-provided keys), and client-side encryption.
• Access control: Bucket policies, ACLs (legacy, mostly disabled by default now), S3 Access Points for simplified multi-application access, and Object Lock for WORM compliance.

Database Selection Framework:

The exam tests your ability to choose the right database for a given scenario:

RDS and Aurora specifics:

• RDS supports Multi-AZ deployments with synchronous replication for high availability. Read replicas use asynchronous replication for read scaling.
• Aurora Global Database provides cross-region replication with sub-second RPO. Aurora Serverless v2 scales capacity in fine-grained increments for variable workloads.
• Know the difference between RDS Proxy (connection pooling, IAM authentication) and standard RDS endpoints.

Weeks 5-6: High Availability and Resilience

Elastic Load Balancing:

• ALB (Layer 7): HTTP/HTTPS, path-based routing, host-based routing, authentication via Cognito or OIDC. Use for microservices and container-based applications.
• NLB (Layer 4): TCP/UDP/TLS, static IP per AZ, extreme performance (millions of requests per second). Use for real-time gaming, IoT, or when you need a static IP.
• GWLB (Layer 3): Transparent network gateway for third-party virtual appliances (firewalls, IDS/IPS). Operates at the network layer using GENEVE protocol.

Auto Scaling strategies:

Target Tracking:    Set target (e.g., 70% CPU) → ASG adjusts automatically
Step Scaling:       Define thresholds → different scaling actions per threshold
Scheduled Scaling:  Predictable patterns → scale based on time schedule
Predictive Scaling: ML-based → forecast traffic patterns from historical data

Know the scaling cooldown period (default 300 seconds), instance warm-up time configuration, and lifecycle hooks for custom initialization scripts.

Route 53 Routing Policies:

• Simple: Single resource, no health checks
• Weighted: Split traffic by percentage (blue-green deployments)
• Latency-based: Route to lowest-latency region
• Failover: Active-passive with health checks
• Geolocation: Route by user country/continent
• Geoproximity: Route by geographic distance with bias
• Multivalue Answer: Return multiple healthy records (not a substitute for a load balancer)

Weeks 7-8: Security Services and Encryption

This domain is 30% of the exam. Do not rush through it.

AWS KMS:

• Symmetric keys (AES-256) versus asymmetric keys (RSA, ECC). Most AWS services use symmetric KMS keys.
• Key policies control access to KMS keys. Unlike most AWS resources, KMS key policies are the primary access control mechanism (IAM policies alone are not sufficient without the key policy granting access).
• Automatic key rotation: enabled per key, rotates every year, old key material retained for decryption.
• Envelope encryption: KMS generates a data key, you use the plaintext data key to encrypt data locally, store the encrypted data key alongside the ciphertext. This is how S3 SSE-KMS works internally.

AWS WAF and Shield:

• WAF attaches to CloudFront, ALB, API Gateway, or AppSync. Create rules based on IP, geographic location, request rate, or SQL injection/XSS patterns.
• Shield Standard: Free, protects against common DDoS attacks at layers 3/4.
• Shield Advanced: $3,000/month, 24/7 DDoS Response Team, cost protection for scaling during attacks, detailed attack diagnostics.

Other security services to know:

• GuardDuty: Threat detection using VPC Flow Logs, DNS logs, CloudTrail logs. No agents to install.
• Inspector: Vulnerability scanning for EC2 instances and ECR container images. Automated, continuous scanning.
• Macie: S3 data classification and PII detection using machine learning.
• Security Hub: Aggregates findings from GuardDuty, Inspector, Macie, and third-party tools. Compliance checks against CIS, PCI-DSS, AWS Foundational Security Best Practices.

Weeks 9-10: Serverless and Application Integration

Lambda architecture patterns:

• API Gateway + Lambda + DynamoDB: Serverless REST API
• S3 event + Lambda: File processing pipeline
• SQS + Lambda: Decoupled message processing
• EventBridge + Lambda: Event-driven microservices
• Step Functions + Lambda: Complex workflow orchestration

Lambda limits to remember: 15-minute execution timeout, 10 GB memory, 512 MB ephemeral storage (configurable up to 10 GB), 1,000 default concurrent executions per region.

Application Integration Services:

Weeks 11-12: Cost Optimization and Final Review

EC2 Pricing Models:

• On-Demand: Full price, no commitment. Use for unpredictable workloads.
• Reserved Instances (1-year or 3-year): Up to 72% discount. Standard RIs can change AZ/instance size within family. Convertible RIs can change instance family/OS/tenancy.
• Savings Plans: Compute Savings Plans apply to EC2, Fargate, and Lambda. EC2 Instance Savings Plans are cheaper but locked to instance family and region.
• Spot Instances: Up to 90% discount. Use for fault-tolerant workloads: batch processing, CI/CD, data analysis. Handle interruptions with 2-minute warning.
• Dedicated Hosts: Physical servers. Required for certain compliance requirements or server-bound software licenses (Oracle, Windows Server with BYOL).

Cost management tools:

• Cost Explorer: Visualize spending, forecast future costs, identify savings opportunities.
• AWS Budgets: Set spending alerts with thresholds. Supports cost, usage, reservation, and Savings Plan budgets.
• Compute Optimizer: ML-based recommendations for EC2, EBS, Lambda, and ECS on Fargate right-sizing.
• Trusted Advisor: Checks across cost optimization, performance, security, fault tolerance, and service limits.

Hands-On Lab Strategy

Reading documentation is not enough. For every major service, build something in your AWS Free Tier account.

Essential labs to complete:

1. Build a multi-tier VPC with public/private subnets, NAT gateway, and VPC endpoints
2. Deploy an Auto Scaling group behind an ALB with a target tracking scaling policy
3. Create an S3 bucket with lifecycle policies, versioning, replication, and server-side encryption
4. Set up a DynamoDB table with on-demand capacity, global secondary indexes, and DynamoDB Streams
5. Build a serverless API with API Gateway, Lambda, and DynamoDB
6. Configure CloudFront distribution with S3 origin and custom cache behaviors
7. Implement a CI/CD pipeline with CodePipeline, CodeBuild, and CodeDeploy
8. Set up CloudWatch alarms, dashboards, and CloudWatch Logs Insights queries

Destroy all resources after each lab session using aws cloudformation delete-stack or manual cleanup to avoid unexpected charges.

Practice Exam Strategy

Start taking practice exams in week 8, not earlier. You need sufficient knowledge before practice exams become productive.

Recommended approach:

1. Take a full 65-question practice exam under timed conditions (130 minutes)
2. Score it. Do not look at answers during the exam.
3. Review every question, including ones you got right. Understand why each wrong answer is wrong.
4. Track weak domains. If you score below 70% in any domain, dedicate extra study time there.
5. Repeat with a different practice exam set. Aim for 80%+ consistently before scheduling the real exam.

Reading exam questions effectively:

• Read the last sentence first (it tells you what they are actually asking).
• Identify keywords: "most cost-effective," "highest availability," "least operational overhead," "minimize latency."
• Eliminate obviously wrong answers. Usually two answers are clearly wrong, leaving a 50/50 between two plausible options.
• "Least operational overhead" almost always means a managed/serverless service over a self-managed one.

Exam Day Logistics

• Schedule at a Pearson VUE testing center or take the proctored online exam from home.
• Online proctoring requires a clean desk, no second monitors, a working webcam, and a stable internet connection.
• The exam costs $150 USD. If you fail, you can retake after 14 days.
• Results are available within 1-5 business days (usually within a few hours for the scored pass/fail result).

Common Mistakes to Avoid

Mistake 1: Memorizing services without understanding when to use them. The exam tests architectural judgment, not service feature lists. For every service, ask: "When would I choose this over the alternatives?"

Mistake 2: Ignoring the Well-Architected Framework. The six pillars (Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, Sustainability) map directly to how exam questions are structured.

Mistake 3: Skipping hands-on practice. Reading about a NAT Gateway is different from debugging why your private subnet instances cannot reach the internet. The hands-on experience creates the mental models needed to answer scenario questions.

Mistake 4: Over-studying niche services. Focus on EC2, S3, VPC, IAM, RDS/Aurora, DynamoDB, Lambda, CloudFront, Route 53, and SQS/SNS. These cover 80% of the exam. Services like AppFlow, DataSync, or Snow Family appear in 1-2 questions at most.

What Comes After SAA-C04

Passing SAA-C04 opens pathways to:

• AWS Solutions Architect Professional (SAP-C02): The most respected AWS certification. Covers complex multi-account, hybrid cloud, and migration scenarios.
• AWS Security Specialty: Deep security focus. Pairs well with SAA for security architect roles.
• AWS DevOps Engineer Professional: CI/CD, automation, monitoring at scale. Natural next step if you work in DevOps.

For a structured learning path covering all AWS services from fundamentals through advanced architecture, explore the AWS Cloud Practitioner to Architect course on our platform, which includes hands-on labs and exam-aligned modules.

Resources and Next Steps

Building your AWS expertise goes beyond a single certification. The Cloud Toolkits collection includes Terraform modules, CloudFormation templates, and architecture reference patterns that reinforce hands-on learning. For career-specific guidance on leveraging your certification for job placement and salary negotiation, check the Career Resources collection.

The SAA-C04 is achievable in 12 weeks with focused daily study of 1-2 hours. The key is consistent hands-on practice combined with targeted domain review. Start building in your AWS account today, and schedule your exam date now to create accountability.

Your cloud career starts with this certification. Make the commitment, follow the plan, and pass on your first attempt.