Service Confusion — AWS Solutions Architect (SAA-C03)
You picked the right service category but the wrong specific service. The exam tests precise service selection, not general knowledge.
Two services with overlapping names, different jobs
CloudFront and Global Accelerator both accelerate traffic to AWS. S3 and EFS both store files. SQS and SNS both involve messaging. The exam exploits surface-level similarity by placing a real but wrong service in the distractor. Read for the dominant need: static content caching, TCP/UDP routing, object storage, distributed file access, fan-out notification, or decoupled queue. The correct service is the one whose primary design purpose matches that need — not the one with overlapping capabilities.
The Scenario
The scenario needs a message queue for decoupling microservices with exactly-once processing. You see SQS Standard and SQS FIFO in the options. Standard gives you at-least-once with best-effort ordering — good for most workloads and 120,000 messages per second. But "exactly-once" is the constraint that eliminates Standard. FIFO is the only SQS option that guarantees exactly-once via deduplication IDs. The trap is picking Standard because it handles higher throughput. Same service family, different processing guarantees.
How to Spot It
- AWS has overlapping services in every category. Kinesis Data Streams gives you real-time with custom consumers; Kinesis Data Firehose auto-delivers to S3/Redshift/OpenSearch with no consumer code. The names sound interchangeable but the delivery models are fundamentally different.
- When the answer feels right because the service name matches the use case description, check the non-functional requirement. "Exactly-once" eliminates SQS Standard. "Serverless delivery to S3" eliminates Kinesis Data Streams. "Custom processing with replay" eliminates Firehose.
- SQS FIFO vs Standard, Kinesis Streams vs Firehose, Step Functions Standard vs Express, Lambda vs Fargate — each pair shares a name but differs on a specific axis the exam tests.
Decision Rules
Decide whether the architect should configure SSE-S3 (AWS-managed AES-256 key) or SSE-KMS with a customer-managed key (CMK): both encrypt at rest, but only SSE-KMS with a CMK delivers the customer key-policy control and per-usage CloudTrail visibility required by the auditability and customer-controlled-key-policy constraints.
Determine whether the access pattern shape (pure key-value lookup with no JOINs at extreme horizontal RPS) disqualifies relational read-replica scaling and mandates migration to a natively partitioned key-value store.
Determine whether the stated read-replica count and failover-speed requirements exceed the RDS Multi-AZ ceilings, mandating Amazon Aurora over Amazon RDS Multi-AZ.
Select Cognito User Pools (which federates SAML assertions and issues OIDC JWTs that API Gateway's Cognito Authorizer natively validates) over Cognito Identity Pools (which exchange tokens for temporary AWS IAM credentials intended for direct AWS service calls, not API Gateway bearer-token authorization).
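The SSE-S3 versus SSE-KMS rule above can be checked against actual bucket settings. The following is an added example, not part of the original page: it classifies default-encryption configurations shaped like S3 GetBucketEncryption output, using KeyManager values as returned by KMS DescribeKey. The function names, bucket names, account ID and key ARN are constructed for illustration.

```python
# Added example. Inputs mirror the S3 GetBucketEncryption and KMS DescribeKey
# response shapes; bucket names, account ID and key ARN are constructed.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_KEY_MANAGERS = {CMK_ARN: "CUSTOMER"}  # KeyMetadata.KeyManager per key

def make_config(algo, key=None, bucket_key=False):
    """Build a ServerSideEncryptionConfiguration dict (hypothetical helper)."""
    default = {"SSEAlgorithm": algo}
    if key:
        default["KMSMasterKeyID"] = key
    return {"Rules": [{"ApplyServerSideEncryptionByDefault": default,
                       "BucketKeyEnabled": bucket_key}]}

SAMPLE_BUCKETS = {
    "logs-sse-s3": make_config("AES256"),
    "reports-aws-managed": make_config("aws:kms"),  # no key ID: aws/s3 is used
    "audit-cmk": make_config("aws:kms", CMK_ARN, bucket_key=True),
}

def classify(enc_config, key_managers):
    """Return (verdict, reason) for one bucket's default encryption."""
    rules = enc_config.get("Rules", [])
    if not rules:
        return ("FAIL", "no default encryption rule")
    default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    algo, key = default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
    if algo == "AES256":
        return ("FAIL", "SSE-S3: S3-managed key, no key policy, no KMS events")
    if algo not in ("aws:kms", "aws:kms:dsse"):
        return ("FAIL", f"unrecognised algorithm {algo!r}")
    if key is None or key.endswith("alias/aws/s3"):
        return ("FAIL", "AWS managed key aws/s3: key policy is not customer-editable")
    manager = key_managers.get(key)
    if manager == "AWS":
        return ("FAIL", "AWS managed key: key policy is not customer-editable")
    if manager != "CUSTOMER":
        return ("UNKNOWN", "key not described; confirm KeyManager with DescribeKey")
    reason = "SSE-KMS with customer-managed key"
    if rules[0].get("BucketKeyEnabled"):
        # Bucket Keys cut KMS calls, so CloudTrail shows fewer, bucket-level events.
        reason += " (Bucket Key on: KMS events are per bucket, not per object)"
    return ("PASS", reason)

def audit(buckets, key_managers):
    """Classify every bucket; returns {bucket name: (verdict, reason)}."""
    return {name: classify(cfg, key_managers) for name, cfg in buckets.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in audit(SAMPLE_BUCKETS, SAMPLE_KEY_MANAGERS).items():
        print(f"{verdict:7} {name}: {reason}")
```

A bucket that passes with Bucket Key enabled still meets the key-policy constraint, but reviewers relying on per-object KMS events in CloudTrail should account for the reduced event granularity.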