Security And Governance Boundary — AWS Solutions Architect (SAA-C03)
The threat model determines which security service fits
The scenario names a threat — unauthorized API calls, anomalous behavior, non-compliant resource configurations, or multi-account policy drift. Candidates often select the most familiar security service rather than the one whose scope matches the actual threat. GuardDuty detects active threats from behavioral signals; Security Hub aggregates findings across services; IAM enforces access policy; Config tracks configuration compliance over time. Each operates at a different layer. The exam tests whether you match service scope to the threat model, not whether you recognize that all four are security services.
What This Pattern Tests
The exam describes a security requirement and tests which access control layer applies. IAM policies attach to principals (users, roles). Resource policies attach to resources (S3 bucket policies, KMS key policies). SCPs restrict what an entire AWS account can do. Permission boundaries cap what an IAM entity can be granted. The trap is applying EC2-level security group thinking to Lambda (which uses IAM execution roles), or writing an IAM policy when an SCP is needed for account-wide restriction. S3 Block Public Access, VPC endpoint policies, and Organizations tag policies each add another control plane the exam expects you to distinguish.
Decision Axis
Control scope determines the mechanism: principal-level (IAM), resource-level (resource policies), account-level (SCPs), or network-level (security groups, NACLs).
Decision Rules
Whether external end-user authentication should be delegated to Amazon Cognito User Pools (federated identity boundary) or handled via IAM roles — the decision turns on whether the callers are AWS account principals or external human identities.
When all API callers are AWS-account-internal principals (Lambda execution roles), IAM authorization with an API Gateway resource policy satisfies least-privilege without the complexity of an external identity federation layer.
Select Cognito User Pools (which federate SAML assertions and issue OIDC JWTs that API Gateway's Cognito Authorizer natively validates) over Cognito Identity Pools (which exchange tokens for temporary AWS IAM credentials intended for direct AWS service calls, not for API Gateway bearer-token authorization).
Which minimal combination of an IAM instance role, an S3 bucket policy with an aws:sourceVpce condition, and an S3 Gateway Endpoint satisfies both the identity-access grant and the network-isolation constraint — and why substituting an Interface Endpoint or layering AWS PrivateLink on top is unjustified scope overreach for this use case.
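The last decision rule, as an added CloudFormation example that is not part of the original page: it wires together the three pieces (Gateway Endpoint, instance role, bucket policy with an aws:sourceVpce condition). Parameter and resource names are assumed, and the instance profile and EC2 instance that attach the role are omitted.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateRouteTableId: { Type: String }
  BucketName: { Type: String }  # existing bucket; the name is an assumption
Resources:
  # 1. Network path: a Gateway Endpoint adds a prefix-list route to S3 in the
  #    private route table, so no NAT, IGW, or Interface Endpoint is needed
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcId: !Ref VpcId
      RouteTableIds: [!Ref PrivateRouteTableId]
  # 2. Identity grant: the instance role (not a security group) is what
  #    allows the instance to read objects; scope it to one bucket
  AppInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: ec2.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadAppBucket
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: [s3:GetObject, s3:ListBucket]
                Resource: [!Sub "arn:aws:s3:::${BucketName}", !Sub "arn:aws:s3:::${BucketName}/*"]
  # 3. Network constraint: the resource policy denies any request that did not
  #    arrive through the endpoint; for requests from outside the VPC the
  #    aws:sourceVpce key is absent, so StringNotEquals matches and the Deny wins
  BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref BucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: DenyOutsideVpce
            Effect: Deny
            Principal: "*"
            Action: "s3:*"
            Resource: [!Sub "arn:aws:s3:::${BucketName}", !Sub "arn:aws:s3:::${BucketName}/*"]
            Condition:
              StringNotEquals:
                aws:sourceVpce: !Ref S3GatewayEndpoint
```

Because the Deny applies to every principal, including administrators working from the console, keep a break-glass path in mind before deploying it against a bucket you manage from outside the VPC.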