Security Default Assumption — AWS Solutions Architect (SAA-C03)
You assumed a default security configuration that doesn't exist. Services often start permissive — know what you need to configure.
AWS secures the platform; you secure everything else
The scenario describes a data breach, unauthorized access, or misconfigured resource. Candidates sometimes select options that add more AWS infrastructure when the gap is actually in customer-controlled settings: S3 bucket policies, IAM resource policies, KMS key grants, or VPC security groups. AWS's shared responsibility model draws a hard line. Encryption at rest, access control to data, and network policy decisions are always on the customer side of that line, regardless of how managed the underlying service is.
The Scenario
The question asks how to ensure an existing S3 bucket does not allow public access. You answer "S3 Block Public Access is enabled by default, so no action is needed." True for buckets created after April 2023. But the scenario describes a bucket created in 2019 with existing bucket policies. Pre-2023 buckets may have public access enabled, and existing bucket policies that grant public read are not retroactively blocked. The correct answer is to explicitly enable S3 Block Public Access at the account level and review existing bucket policies for public access grants. The exam tests whether you know that new defaults do not apply retroactively to existing resources.
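Review of an older bucket in code form, as an added example that is not part of the study guide: the function checks the bucket policy for statements that grant to everyone, separates the ones narrowed by a Condition from the truly public ones, and lists the account-level Block Public Access flags that are still off. The policy document, bucket name, account ID and settings are constructed samples shaped like the JSON that `s3:GetBucketPolicy` and `s3control:GetPublicAccessBlock` return.

```python
"""Added example (not from the study guide): review an S3 bucket policy for
public grants and check the account-level Block Public Access settings.
The policy document and settings below are constructed samples shaped like
the JSON returned by s3:GetBucketPolicy and s3control:GetPublicAccessBlock."""
import json

# All four flags must be true for Block Public Access to be fully effective.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy_json):
    """Split Allow statements with a public principal into unconditioned
    grants (open to the internet) and conditioned ones (e.g. aws:SourceVpce),
    which still deserve a look but are not open to everyone."""
    doc = json.loads(policy_json)
    public, conditioned = [], []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        (conditioned if stmt.get("Condition") else public).append(label)
    return {"public": public, "conditioned": conditioned}


def missing_pab_flags(config):
    """Block Public Access flags that are not enabled (absent counts as off)."""
    return [f for f in PAB_FLAGS if not config.get(f, False)]


def assess_bucket(policy_json, account_pab):
    """The explicit actions the scenario calls for: switch on every
    account-level flag and remove or fix each public statement found."""
    findings = [f"enable account-level {flag}"
                for flag in missing_pab_flags(account_pab)]
    grants = find_public_grants(policy_json)
    findings += [f"remove public grant in statement {sid}"
                 for sid in grants["public"]]
    findings += [f"review conditioned wildcard principal in statement {sid}"
                 for sid in grants["conditioned"]]
    return findings


# Constructed sample: a 2019-era bucket policy with a public-read statement,
# a VPC-endpoint-restricted wildcard principal, and an ordinary role grant.
LEGACY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-legacy-bucket/*"},
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-legacy-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-legacy-bucket/*"},
    ],
})
# Constructed sample: nothing configured at the account level.
LEGACY_ACCOUNT_PAB = {}

if __name__ == "__main__":
    for line in assess_bucket(LEGACY_POLICY, LEGACY_ACCOUNT_PAB):
        print(line)
```

Against a real account the two inputs come from `aws s3api get-bucket-policy` and `aws s3control get-public-access-block --account-id <id>`; the account-level fix the answer describes is `aws s3control put-public-access-block` with all four flags set to true, followed by editing the bucket policy itself, since turning the flags on does not delete the public statements from the document.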
How to Spot It
- AWS security defaults have changed over time. EBS volumes are now encrypted by default in new accounts (since 2024), but existing accounts need to enable the "EBS encryption by default" setting. New Security Groups allow all outbound traffic by default. Default VPC subnets auto-assign public IPs. Know what "default" actually means for each service.
- Lambda functions have no VPC attachment by default — they run in AWS-managed VPCs with internet access. When you attach Lambda to your VPC, it loses internet access unless you add a NAT Gateway. The exam tests whether you know this default changes behavior when you add VPC configuration.
- When the question says "existing" infrastructure, assume nothing about current configuration. Legacy resources have legacy defaults. The answer always involves explicit verification and configuration, not reliance on defaults.
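The verification the last bullet calls for, as an added example that is not part of the study guide: each function inspects one of the defaults listed above (EBS encryption by default, subnet public-IP assignment, security-group egress, and whether a VPC-attached Lambda has a NAT route). The inputs are dicts shaped like the responses of `ec2:GetEbsEncryptionByDefault`, `ec2:DescribeSubnets`, `ec2:DescribeSecurityGroups`, `ec2:DescribeRouteTables` and `lambda:GetFunctionConfiguration`; all sample data, IDs and names are constructed.

```python
"""Added example (not from the study guide): audit the "default" settings the
list above names, using dicts shaped like the responses of
ec2:GetEbsEncryptionByDefault, ec2:DescribeSubnets, ec2:DescribeSecurityGroups,
ec2:DescribeRouteTables and lambda:GetFunctionConfiguration. All sample data
is constructed; replace the constants with boto3 calls to run it for real."""

ANYWHERE = {"0.0.0.0/0", "::/0"}


def ebs_default_encryption_off(resp):
    """True while the region still has EBS encryption by default disabled."""
    return not resp.get("EbsEncryptionByDefault", False)


def subnets_auto_assigning_public_ip(subnets):
    """Subnets that give every new ENI a public IPv4 address (default VPC behaviour)."""
    return [s["SubnetId"] for s in subnets if s.get("MapPublicIpOnLaunch")]


def security_groups_open_egress(groups):
    """Groups whose egress allows every protocol and port to the whole
    internet, i.e. the rule every new security group starts with."""
    found = []
    for g in groups:
        for perm in g.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if perm.get("IpProtocol") == "-1" and ANYWHERE & set(cidrs):
                found.append(g["GroupId"])
                break
    return found


def _route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main table applies."""
    for t in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in t.get("Associations", [])):
            return t
    return next((t for t in route_tables
                 if any(a.get("Main") for a in t.get("Associations", []))), None)


def lambda_subnets_without_nat(fn_config, route_tables):
    """A VPC-attached function only reaches the internet through a default
    route to a NAT gateway; report attached subnets lacking one. A function
    with no VpcConfig is not attached and keeps AWS-managed internet access."""
    subnet_ids = fn_config.get("VpcConfig", {}).get("SubnetIds", [])
    missing = []
    for sid in subnet_ids:
        rt = _route_table_for(sid, route_tables)
        routes = rt.get("Routes", []) if rt else []
        if not any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("NatGatewayId")
                   for r in routes):
            missing.append(sid)
    return missing


def audit(ebs, subnets, groups, fn_config, route_tables):
    """Collect every finding in one dict so it can be diffed across regions."""
    return {
        "ebs_encryption_by_default_off": ebs_default_encryption_off(ebs),
        "public_ip_subnets": subnets_auto_assigning_public_ip(subnets),
        "open_egress_groups": security_groups_open_egress(groups),
        "lambda_subnets_without_nat": lambda_subnets_without_nat(fn_config, route_tables),
    }


# Constructed samples resembling the API response shapes.
EBS = {"EbsEncryptionByDefault": False}
SUBNETS = [{"SubnetId": "subnet-0pub", "MapPublicIpOnLaunch": True},
           {"SubnetId": "subnet-0priv", "MapPublicIpOnLaunch": False}]
GROUPS = [{"GroupId": "sg-0default", "IpPermissionsEgress": [
              {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
          {"GroupId": "sg-0tight", "IpPermissionsEgress": [
              {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
               "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-0nat", "Associations": [{"SubnetId": "subnet-0priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]
# Attached to one subnet with a NAT route and one that falls back to the main table.
FN = {"FunctionName": "example-fn",
      "VpcConfig": {"SubnetIds": ["subnet-0priv", "subnet-0pub"],
                    "SecurityGroupIds": ["sg-0tight"]}}

if __name__ == "__main__":
    print(audit(EBS, SUBNETS, GROUPS, FN, ROUTE_TABLES))
```

The Lambda check is deliberately narrow: it answers only "does this subnet have a 0.0.0.0/0 route to a NAT gateway", which is the condition the bullet describes; a subnet routed through an internet gateway instead would also be reported, because a Lambda ENI never gets a public IP and cannot use that route.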
Decision Rules
Whether the Lambda execution role's permission policy must be a narrow customer-managed policy scoped to s3:PutObject on the exact bucket-prefix ARN, or whether attaching the AWS managed AmazonS3FullAccess policy is acceptable because the cross-account trust policy already restricts which principal can assume the role.
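The two halves of that decision side by side, as an added example that is not part of the study guide: the trust policy decides who may assume the role, the permission policy decides what the role can do once assumed, and a small evaluator shows what each of the two permission-policy choices actually permits. Bucket name, prefix, account ID and statement IDs are constructed placeholders; `FULL_ACCESS_SHAPE` is an approximation of the managed policy's shape (service-wide action on every resource), not a copy of it, and the evaluator ignores Condition elements.

```python
"""Added example (not from the study guide): evaluate the narrow
customer-managed policy against a broad managed-policy shape for the
Lambda execution role in the decision rule above. Names, ARNs and the
account ID are constructed placeholders; Conditions are not evaluated."""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold):
    """IAM wildcards (* and ?) behave like shell globs. Action names are
    case-insensitive (fold=True); resource ARNs are case-sensitive."""
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """Minimal identity-policy evaluator: an explicit Deny wins, otherwise
    some Allow must match both the action and the resource."""
    decision = False
    for stmt in _as_list(policy["Statement"]):
        act_ok = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(_matches(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def overly_broad(policy):
    """Allow statements whose Action is a bare or service-wide wildcard
    or whose Resource is "*": the shape to avoid on an execution role."""
    issues = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt["Effect"] != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
            issues.append(f"{label}: wildcard action")
        if "*" in _as_list(stmt.get("Resource", [])):
            issues.append(f"{label}: wildcard resource")
    return issues


def who_can_assume(trust_policy):
    """Principals named in the trust policy: this is all a trust policy limits."""
    return [p for stmt in _as_list(trust_policy["Statement"])
            if stmt["Effect"] == "Allow"
            for p in _as_list(stmt["Principal"].get("Service", []))
            + _as_list(stmt["Principal"].get("AWS", []))]


# Constructed trust policy: only the Lambda service, from one account, may assume the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole",
                   "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}],
}

# Constructed narrow permission policy: one action on one bucket prefix.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "WriteIncoming", "Effect": "Allow",
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-uploads/incoming/*"}],
}

# Approximation of the managed full-access shape: every S3 action, every resource.
FULL_ACCESS_SHAPE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    key = "arn:aws:s3:::example-uploads/incoming/report.csv"
    print("assumable by:", who_can_assume(TRUST_POLICY))
    for name, pol in (("narrow", NARROW_POLICY), ("full", FULL_ACCESS_SHAPE)):
        print(name, "PutObject on prefix:", allows(pol, "s3:PutObject", key),
              "| DeleteBucket elsewhere:", allows(pol, "s3:DeleteBucket", "arn:aws:s3:::other"),
              "| issues:", overly_broad(pol))
```

`who_can_assume` returns the same single service principal whichever permission policy is attached, which is the point: the trust policy never narrows what an assumed role can do, so the blast radius of a compromised function is set entirely by the permission policy, and only the narrow one limits it to writes under one prefix.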