Domain 1 · 30% of Exam

Design Secure Architectures

Domain 1 tests your ability to design secure access to AWS resources, secure workloads and applications, and determine appropriate data security controls.

About This Domain

Domain 1 (Design Secure Architectures) accounts for 30% of the SAA-C03 certification exam. This domain evaluates your understanding of secure access to AWS resources using IAM policies, roles, and federation; encryption at rest and in transit (KMS, ACM, S3 SSE); VPC security (security groups, NACLs, VPC endpoints); and related concepts. To pass this section you need practical knowledge of how these services and patterns work together in real-world architectures.

What You'll Be Tested On

  • Secure access to AWS resources using IAM policies, roles, and federation
  • Encryption at rest and in transit (KMS, ACM, S3 SSE)
  • VPC security: security groups, NACLs, VPC endpoints
  • Data protection strategies and compliance
  • Identity federation and SSO (AWS SSO, SAML, Cognito)
  • AWS CloudTrail, Config, and GuardDuty for auditing

Study Strategy for Domain 1

At 30% of the exam, this is the highest-weighted domain — invest proportionally more study time here. Focus on hands-on labs and scenario-based questions. Aim to answer at least 80% of Domain 1 questions correctly in practice tests before sitting the real exam.

Exam Tips for Domain 1

  • Always apply the principle of least privilege when designing IAM policies.
  • Know when to use IAM roles vs users — prefer roles for cross-account and services.
  • Understand envelope encryption and how KMS integrates with S3, EBS, and RDS.
  • Security groups are stateful, NACLs are stateless — know the difference.

Frequently Asked Questions

How many questions on the SAA-C03 exam come from Domain 1?

Domain 1 (Design Secure Architectures) makes up 30% of the SAA-C03 exam. The exam has 65 scored questions, so approximately 20 questions will come from this domain.

What services should I focus on for Domain 1?

The key services for this domain include IAM, KMS, VPC, CloudTrail, AWS Config, WAF & Shield, Cognito, Secrets Manager, and Organizations. Make sure you understand how each service works, what its use cases are, and how the services integrate with one another.

How should I prepare for Design Secure Architectures questions?

Start by reviewing the key topics listed above, then practice with domain-specific questions. Focus on understanding real-world scenarios rather than memorizing facts. Use our practice quizzes to test your knowledge and review explanations for any questions you get wrong.

What's the best order to study the SAA-C03 domains?

Many candidates start with the highest-weighted domains first. For the SAA-C03 exam, the domains in order of weight are: Design Secure Architectures (30%), Design Resilient Architectures (26%), Design High-Performing Architectures (24%), Design Cost-Optimized Architectures (20%). However, start with whichever domain aligns best with your existing experience.
