IAM Policy Evaluation Logic:
1. Explicit Deny → DENY (always wins)
2. SCP boundary check → DENY if not allowed
3. Resource-based policy → ALLOW if grants cross-account access
4. Identity-based policy → ALLOW if grants permission
5. Permissions boundary → DENY if not within boundary
6. Session policy → DENY if not within session scope
7. Default → DENY (implicit deny)

Build these in a real AWS account (free tier covers everything):

• Create an IAM user with programmatic access, attach ReadOnlyAccess, then write a custom policy that denies s3:DeleteObject on a specific bucket. Test it with the AWS CLI. Verify the explicit deny wins even though ReadOnlyAccess does not grant delete.
• Create an IAM role for EC2 with an instance profile. Launch an EC2 instance, SSH in, and run aws sts get-caller-identity to confirm the role is assumed. Then call aws s3 ls and verify the role's permissions work.
• Write a resource-based policy on an S3 bucket that grants cross-account access. Use a second AWS account (or a different IAM user simulating cross-account) to verify access.

VPC Architecture (Days 5-10):

Every SAA-C04 exam has 8-10 VPC questions. Build this topology by hand — not with CloudFormation, by hand, clicking through the console:

VPC: 10.0.0.0/16
├── Public Subnet (10.0.1.0/24, AZ-a)
│   ├── Internet Gateway attached
│   ├── Route table: 0.0.0.0/0 → IGW
│   └── NAT Gateway (for private subnet egress)
├── Private Subnet (10.0.2.0/24, AZ-a)
│   ├── Route table: 0.0.0.0/0 → NAT Gateway
│   └── Application servers here
├── Public Subnet (10.0.3.0/24, AZ-b)
│   ├── Route table: 0.0.0.0/0 → IGW
│   └── Second NAT Gateway (HA)
├── Private Subnet (10.0.4.0/24, AZ-b)
│   ├── Route table: 0.0.0.0/0 → NAT Gateway (AZ-b)
│   └── Application servers here
└── Database Subnet Group
    ├── DB Subnet (10.0.5.0/24, AZ-a)
    └── DB Subnet (10.0.6.0/24, AZ-b)
    └── No internet route (isolated)

Understand why each component exists. The exam will describe a scenario where a private subnet application cannot reach the internet and ask you to identify the missing component. It will be the NAT Gateway, or the route table entry, or the security group egress rule. You need to diagnose this from a text description.

Security Services (Days 11-14):

Know these services at the "when to use it" level:

• AWS KMS: Envelope encryption, CMK vs AWS-managed keys, key rotation, cross-region key replication. Know that S3 SSE-KMS has a 5,500/10,000/30,000 requests-per-second limit depending on region.
• AWS Certificate Manager: Free TLS certificates for CloudFront and ALB. Cannot use ACM certs on EC2 directly.
• AWS WAF: Layer 7 firewall on CloudFront, ALB, API Gateway. Know the difference between WAF (application layer) and Security Groups (transport layer) and NACLs (subnet level, stateless).
• AWS Shield: Standard is automatic and free. Advanced costs $3,000/month and provides DDoS response team and cost protection.
• AWS GuardDuty: Threat detection using CloudTrail, VPC Flow Logs, and DNS logs. Know that it is a detective control, not preventive.

Weeks 3-4: Compute, Containers, and Serverless

EC2 Fundamentals (Days 15-18):

The exam expects you to select the right instance family for a workload:

Know the purchasing options cold:

• On-Demand: Full price, no commitment. Use for unpredictable workloads.
• Reserved Instances (1 or 3 year): Up to 72% discount. Standard RIs can be sold on the RI Marketplace. Convertible RIs allow changing instance family but have lower discount (up to 66%).
• Savings Plans: Compute Savings Plans apply to EC2, Fargate, and Lambda. More flexible than RIs. Exam loves these.
• Spot Instances: Up to 90% discount. AWS can reclaim with 2-minute warning. Use for fault-tolerant batch jobs, not stateful applications.
• Dedicated Hosts: Physical server. Use for licensing requirements (Windows Server, Oracle) or compliance (HIPAA, FedRAMP single-tenancy).

Lambda and Serverless (Days 19-22):

Lambda questions on SAA-C04 are substantial. Know these limits and patterns:

Lambda Limits (2026):
- Memory: 128 MB to 10,240 MB (10 GB)
- Timeout: 900 seconds (15 minutes)
- Deployment package: 50 MB zipped, 250 MB unzipped
- Container image: 10 GB
- Concurrent executions: 1,000 default (soft limit, can increase)
- /tmp storage: 512 MB to 10,240 MB

The exam will present scenarios where Lambda is the right answer (event-driven, short-duration, variable load) and where it is wrong (15+ minute processing, GPU required, persistent connections). Know both.

ECS and Fargate (Days 23-26):

The container questions test your ability to choose between ECS on EC2, ECS on Fargate, and EKS:

• Fargate: No server management, pay per vCPU/memory per second. Right answer when the scenario says "minimize operational overhead" for containers.
• ECS on EC2: You manage the instances. Right answer when you need GPU, specific instance types, or higher density.
• EKS: Kubernetes. Right answer when the scenario mentions "existing Kubernetes workloads" or "portability across clouds."

Weeks 5-6: Storage, Databases, and Caching

S3 Storage Classes (Days 27-30):

S3 questions are a guaranteed 6-8 questions. Memorize these transition rules:

S3 Storage Class Hierarchy (by cost, descending):
S3 Standard → S3 Intelligent-Tiering → S3 Standard-IA → S3 One Zone-IA → S3 Glacier Instant Retrieval → S3 Glacier Flexible Retrieval → S3 Glacier Deep Archive

Key Rules:
- Minimum storage duration: Standard-IA/One Zone-IA = 30 days, Glacier = 90 days, Deep Archive = 180 days
- Minimum object size: IA classes = 128 KB (smaller objects billed as 128 KB)
- Retrieval fees: Standard = free, IA = per-GB fee, Glacier = per-GB + per-request
- One Zone-IA: 20% cheaper than Standard-IA, but data lost if AZ destroyed
- S3 Lifecycle policies automate transitions

Database Selection (Days 31-36):

The exam tests your ability to choose the right database engine:

Aurora Deep Dive (Days 37-38):

Aurora appears in 4-6 questions. Key facts:

• Storage auto-scales from 10 GB to 128 TB in 10 GB increments
• 6 copies of data across 3 AZs (can lose 2 copies for writes, 3 for reads)
• Aurora Serverless v2 scales to zero and handles variable workloads — the answer when "unpredictable database traffic" appears
• Aurora Global Database: 1-second replication lag across regions, promotes a secondary region in under 1 minute for disaster recovery
• Read replicas: up to 15, with automatic failover based on priority tiers

Weeks 7-8: High Availability, Disaster Recovery, and Cost Optimization

Disaster Recovery Strategies (Days 39-42):

The exam tests four DR strategies. Know their RTO/RPO and relative cost:

DR Strategies (cheapest to most expensive):
1. Backup & Restore
   - RTO: Hours | RPO: Hours
   - S3 cross-region replication + AMIs + DB snapshots
   - Cheapest, slowest recovery

2. Pilot Light
   - RTO: 10s of minutes | RPO: Minutes
   - Core infrastructure running (DB replication), compute off
   - Start EC2/ECS when disaster occurs

3. Warm Standby
   - RTO: Minutes | RPO: Seconds
   - Scaled-down but fully functional copy in DR region
   - Scale up during failover

4. Multi-Site Active/Active
   - RTO: Near zero | RPO: Near zero
   - Full production in both regions, Route 53 health checks
   - Most expensive, fastest recovery

Cost Optimization Patterns (Days 43-46):

20% of the exam. The exam will present architectures and ask you to reduce cost:

• Replace On-Demand EC2 with Savings Plans or Reserved Instances for steady-state workloads
• Use Spot Instances for fault-tolerant batch processing
• Move infrequently accessed S3 objects to S3 Intelligent-Tiering or Glacier
• Replace NAT Gateway ($0.045/GB processed) with VPC endpoints for S3 and DynamoDB ($0/GB)
• Use Aurora Serverless v2 instead of provisioned Aurora for variable traffic
• Enable S3 Lifecycle policies to automatically transition and expire objects
• Use AWS Compute Optimizer for right-sizing recommendations

Practice Exams (Days 47-56):

Do not take practice exams before week 7. You need the knowledge foundation first. Then:

1. Take a full 65-question practice exam under timed conditions (130 minutes)
2. Score it. Target: 80% or above before sitting the real exam
3. For every wrong answer, write down: which service you confused, what the correct reasoning was, and the AWS documentation page that explains it
4. Take 3-4 practice exams total. AWS Skill Builder official practice exam is closest to the real thing
5. Review the AWS Well-Architected Framework whitepaper — at least the pillars summary

Hands-On Labs That Map Directly to Exam Questions

Do not just read about services. Build them. Every lab below maps to a common exam scenario:

Lab 1: Multi-Tier Web Application Deploy a VPC with public/private subnets, an ALB in public subnets, EC2 instances in private subnets running a web app, and an RDS Multi-AZ database in isolated subnets. Configure Auto Scaling to add instances when CPU exceeds 70%. This single lab covers 15-20 exam questions.

Lab 2: Serverless API Build an API Gateway + Lambda + DynamoDB stack. Add Cognito for authentication. Configure API Gateway throttling. Enable DynamoDB point-in-time recovery. Enable CloudWatch alarms on Lambda errors and DynamoDB throttling events.

Lab 3: Static Website with CDN Host a static site on S3, front it with CloudFront, configure Route 53 with an alias record, and add an ACM certificate for HTTPS. Enable S3 versioning and configure a lifecycle policy to move old versions to Glacier after 90 days.

Lab 4: Cross-Region Disaster Recovery Set up S3 cross-region replication. Create an Aurora Global Database with a secondary region. Configure Route 53 health checks with failover routing policy. This lab teaches you multi-region architecture that appears in 5-8 exam questions.

Common Traps and How to Avoid Them

After coaching 40+ candidates, these are the mistakes I see repeatedly:

Trap 1: Choosing the most technically impressive answer. The exam rewards simplicity. If a scenario can be solved with S3 + CloudFront, do not choose a solution involving EC2 + Nginx + custom caching. AWS wants you to choose managed services over self-managed.

Trap 2: Ignoring the word "cost-effective." When a question says "most cost-effective," it is telling you to pick the cheapest option that meets all requirements. Spot Instances for batch processing, S3 Intelligent-Tiering instead of Standard, Fargate instead of EC2 for containers when the workload is variable.

Trap 3: Confusing HA with DR. High availability (Multi-AZ) protects against single-AZ failure within a region. Disaster recovery (multi-region) protects against regional failures. The exam will specify which one is needed. Read carefully.

Trap 4: Forgetting that NACLs are stateless. If a NACL allows inbound traffic on port 443, you must also allow outbound traffic on ephemeral ports (1024-65535) for the response. Security groups are stateful — return traffic is automatically allowed.

Trap 5: Mixing up S3 encryption options. SSE-S3 uses Amazon-managed keys (simplest). SSE-KMS uses KMS keys (audit trail via CloudTrail). SSE-C means you manage the keys and send them with every request. Client-side encryption means you encrypt before uploading. The exam specifies constraints ("must audit key usage" = SSE-KMS, "customer manages keys" = SSE-C or client-side).

Exam Day Logistics

• Registration: Schedule at aws.training. Cost is $150 USD. Online proctored (Pearson VUE at home) or test center.
• ID Requirements: Two forms of ID for test centers. Government-issued photo ID required for online proctoring.
• Time Management: 130 minutes for 65 questions. Flag difficult questions and return to them. Do not spend more than 3 minutes on any single question in your first pass.
• Elimination Strategy: Most questions have 1-2 obviously wrong answers. Eliminate those first. Then compare the remaining options against the specific requirements stated in the question.
• Review Period: You will have time to review flagged questions. Use it. I have caught 3-4 mistakes per exam during review.

What to Do After Passing

The SAA-C04 opens doors, but it is a mid-level certification. Your next steps depend on your career path:

• Architecture track: AWS Solutions Architect Professional (SAP-C02). This is the gold standard. Six-month study timeline.
• Security track: AWS Security Specialty (SCS-C02). Pairs well with the SAA for security engineering roles.
• DevOps track: AWS DevOps Engineer Professional (DOP-C02). Focus on CI/CD, automation, and infrastructure as code.
• Data track: AWS Data Engineer Associate (DEA-C01). New exam launched 2024, covers data pipelines and analytics.

Build projects. The certification proves you studied. A project portfolio proves you can build. Deploy a production-grade three-tier application on AWS, write a blog post about the architecture decisions, and put it on your resume.

Start Your AWS Certification Journey

The AWS Cloud Engineering course on Citadel Cloud Management covers every domain tested on the SAA-C04, with 65 hours of content, 19 lessons, and hands-on labs aligned to the exam objectives. It is completely free.

For architecture reference materials you can use alongside your study — VPC templates, IAM policy generators, Well-Architected review checklists — browse the Cloud Architecture Toolkits collection.

If you are mapping out your full cloud career path beyond the SAA, the Career Resources collection includes role-specific study plans, interview preparation guides, and salary negotiation frameworks for cloud engineering roles across the US, UK, and Africa markets.

The SAA-C04 is passable in 8-12 weeks of focused study. The key is building real infrastructure, not just reading about it. Open your AWS console, build the labs, break things, fix them, and take practice exams until you consistently score above 80%. Then book the exam.