Domain 1: Design Secure Architectures
Weight: 30% of Scored Content
This is the highest-weighted domain on the SAA-C03 exam. It covers designing secure access to AWS resources, securing workloads and applications, and implementing appropriate data security controls.
Task Statements
| Task | Description |
|---|---|
| Task 1.1 | Design secure access to AWS resources |
| Task 1.2 | Design secure workloads and applications |
| Task 1.3 | Determine appropriate data security controls |
Key AWS Services in This Domain
- AWS Identity and Access Management (IAM)
- AWS IAM Identity Center (SSO)
- AWS Security Token Service (STS)
- AWS Organizations and Control Tower
- Amazon VPC (Security Groups, NACLs, NAT Gateways)
- AWS Shield and AWS WAF
- Amazon Cognito, GuardDuty, Macie
- AWS KMS, ACM, Secrets Manager
- AWS VPN and Direct Connect
Key Concepts
- Principle of least privilege
- AWS Shared Responsibility Model
- Defense in depth
- Encryption at rest and in transit
- Network segmentation
- Federation and identity management