Domain 1 · 30% of Exam

Design Secure Architectures

Domain 1 tests your ability to design secure access to AWS resources, secure workloads and applications, and determine appropriate data security controls.

What You'll Be Tested On

  • Secure access to AWS resources using IAM policies, roles, and federation
  • Encryption at rest and in transit (KMS, ACM, S3 SSE)
  • VPC security: security groups, NACLs, VPC endpoints
  • Data protection strategies and compliance
  • Identity federation and SSO (AWS SSO, SAML, Cognito)
  • AWS CloudTrail, Config, and GuardDuty for auditing

Exam Tips for Domain 1

  • Always apply the principle of least privilege when designing IAM policies.
  • Know when to use IAM roles vs users: prefer roles for cross-account access and for services.
  • Understand envelope encryption and how KMS integrates with S3, EBS, and RDS.
  • Security groups are stateful, NACLs are stateless; know the difference.

Practice Domain 1 Questions

Test your knowledge of Design Secure Architectures with practice questions from our SAA-C03 question bank.
