AWS Certified Solutions Architect – Associate (SAA-C03) Domain 1

Let’s take a closer look at the first domain of this new and improved (and most popular) AWS certification exam.

Here are the official details for this domain:

Domain 1: Design Secure Architectures
Task Statement 1: Design secure access to AWS resources.

Knowledge of:

  • Access controls and management across multiple accounts
  • AWS federated access and identity services (for example, AWS Identity and Access Management [IAM], AWS Single Sign-On [AWS SSO])
  • AWS global infrastructure (for example, Availability Zones, AWS Regions)
  • AWS security best practices (for example, the principle of least privilege)
  • The AWS shared responsibility model

Skills in:

  • Applying AWS security best practices to IAM users and root users (for example, multi-factor authentication [MFA])
  • Designing a flexible authorization model that includes IAM users, groups, roles, and policies
  • Designing a role-based access control strategy (for example, AWS Security Token Service [AWS STS], role switching, cross-account access)
  • Designing a security strategy for multiple AWS accounts (for example, AWS Control Tower, service control policies [SCPs])
  • Determining the appropriate use of resource policies for AWS services
  • Determining when to federate a directory service with IAM roles

Task Statement 2: Design secure workloads and applications.

Knowledge of:

  • Application configuration and credentials security
  • AWS service endpoints
  • Control ports, protocols, and network traffic on AWS
  • Secure application access
  • Security services with appropriate use cases (for example, Amazon Cognito, Amazon GuardDuty, Amazon Macie)
  • Threat vectors external to AWS (for example, DDoS, SQL injection)

Skills in:

  • Designing VPC architectures with security components (for example, security groups, route tables, network ACLs, NAT gateways)
  • Determining network segmentation strategies (for example, using public subnets and private subnets)
  • Integrating AWS services to secure applications (for example, AWS Shield, AWS WAF, AWS SSO, AWS Secrets Manager)
  • Securing external network connections to and from the AWS Cloud (for example, VPN, AWS Direct Connect)

Task Statement 3: Determine appropriate data security controls.

Knowledge of:

  • Data access and governance
  • Data recovery
  • Data retention and classification
  • Encryption and appropriate key management

Skills in:

  • Aligning AWS technologies to meet compliance requirements
  • Encrypting data at rest (for example, AWS Key Management Service [AWS KMS])
  • Encrypting data in transit (for example, AWS Certificate Manager [ACM] using TLS)
  • Implementing access policies for encryption keys
  • Implementing data backups and replications
  • Implementing policies for data access, lifecycle, and protection
  • Rotating encryption keys and renewing certificates