Scope Overreach — AWS Solutions Architect (SAA-C03)
You solved a broader problem than what was asked. The scenario had specific constraints — you addressed requirements that weren't there.
The requirement is simpler than your instinct
Architecture requirement: fulfill a specific, bounded need. Competing choices: a minimal AWS-native option versus a more capable but heavyweight service. Deciding constraint: does the scenario mention complexity tolerance, scale requirements, or operational maturity that justifies the advanced choice? When none of those signals appear, the simpler option wins. The exam rewards recognizing when the problem does not need solving at a higher level.
The Scenario
A company needs to encrypt data at rest in an S3 bucket used for internal analytics reports. You recommend AWS CloudHSM with a custom key store, customer-managed KMS key with automatic rotation, and a key policy restricting access to specific IAM roles. The correct answer is SSE-S3 (Amazon S3-managed keys) — one setting, zero key management, meets the requirement. The scenario said "encrypt at rest." It did not say "FIPS 140-2 Level 3 compliance," "customer-managed key lifecycle," or "cross-account key sharing." CloudHSM is for organizations with regulatory requirements to control their own hardware security modules. You answered a compliance question that was not asked.
How to Spot It
- Encryption at rest has three levels on S3: SSE-S3 (zero management), SSE-KMS (key policies and rotation control), SSE-C/client-side (you manage everything). The exam gives you a simple encryption requirement and tests whether you select the simplest option. Only escalate to KMS or CloudHSM when the scenario mentions compliance, audit requirements, or cross-account key access.
- When your answer includes services the scenario never mentioned (CloudTrail for auditing, Config for compliance checking, GuardDuty for threat detection), verify the scenario asked for those capabilities. Solving adjacent problems is over-reaching.
- VPC endpoints come in two types: Gateway (free, for S3 and DynamoDB) and Interface (costs $0.01/hour per AZ, for everything else). If the scenario asks for private access to S3, a Gateway endpoint is free. Recommending PrivateLink Interface endpoints for S3 is scope overreach and adds unnecessary cost.
Decision Rules
When custom iterative Spark logic, strict SLA completion windows, and team-owned Spark expertise are all present, choose EMR over Glue because per-executor tuning and instance fleet selection directly map to the time constraint in a way that Glue's DPU model cannot guarantee.
Whether to attach an AWS-managed S3 read policy whose Resource element covers all buckets (wildcard), or to create a customer-managed policy that restricts both the allowed actions and the Resource ARN to the specific bucket name and key prefix stated in the requirement.
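One way to make this rule mechanically checkable, as an added example that is not from the page or from AWS: both policies, the bucket name and prefix are constructed, and scope_findings is an assumed helper, not an AWS API.

```python
import json

# Constructed policies for illustration; neither is a real AWS managed policy.
# Broad: every S3 read action on every bucket in the account.
BROAD_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:Get*", "s3:List*"],
                 "Resource": "*"}]
}""")

# Scoped: exactly the two actions the requirement needs, on one bucket and prefix.
SCOPED_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::reports-bucket/analytics/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::reports-bucket",
     "Condition": {"StringLike": {"s3:prefix": "analytics/*"}}}
  ]
}""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scope_findings(policy, bucket, prefix):
    """Report Allow statements wider than 'read this bucket under this prefix'.

    Flags wildcard actions, NotAction/NotResource (which grant by exclusion),
    and any Resource that is neither the bucket ARN itself nor an object ARN
    under the stated prefix. An empty list means the policy is no wider than asked.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_scope = f"{bucket_arn}/{prefix}"
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
        for res in _as_list(stmt.get("Resource", [])):
            if res != bucket_arn and not res.startswith(object_scope):
                findings.append(f"statement {i}: resource {res!r} exceeds {object_scope}*")
    return findings
```

The same check applied to a policy whose Resource is the whole bucket (`arn:aws:s3:::reports-bucket/*`) reports it as wider than the prefix, which is the distinction the rule above turns on.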
Whether to apply a minimum-sufficient org-level preventive guardrail (SCP plus S3 Block Public Access at the organization level) versus deploying per-account detective controls such as Amazon Macie that exceed the stated requirement, add per-account scan costs, and cannot guarantee prevention.
Whether an SCP deny attached at the OU level is the correct ceiling control to enforce a blanket restriction across all principals in all member accounts, versus applying IAM permission boundaries per role (per-principal overhead, same OU scope only when exhaustively applied) or AWS Config rules with automated remediation (reactive, not preventive, and over-engineered for a single prohibit requirement).
When all API callers are AWS-account-internal principals (Lambda execution roles), IAM authorization with an API Gateway resource policy satisfies least-privilege without the complexity of an external identity federation layer.
Which minimal combination of an IAM instance role, an S3 bucket policy with an aws:sourceVpce condition, and an S3 Gateway Endpoint satisfies both the identity-access grant and the network-isolation constraint — and why substituting an Interface Endpoint or layering AWS PrivateLink on top is unjustified scope overreach for this use case.
Given explicit Linux/NFS semantics and no Windows or hybrid dependency, does the team select Amazon EFS (purpose-fit, cost-effective Bursting mode) over Amazon FSx for Windows File Server (scope overreach: SMB-only protocol incompatible with Linux NFS) or Amazon S3 (no filesystem mount semantics)?
Whether to enforce CIDR-range denial using a stateless subnet-level control (VPC NACL) versus an L7 content-inspection service (AWS WAF) — the decision turns on matching the enforcement layer (subnet boundary, stateless) to the stated requirement (IP-range block before instances are reached).