Domain 1 of 4

Design Secure Architectures

Domain · 30% of the SAA-C03 exam

Put each control at the layer that owns it

Designing a secure architecture on AWS is mostly about placement: sending each requirement to the layer that actually controls it. Three layers cover this whole domain. Identity decides who can do what, Network decides where traffic may flow, and Data decides how information is protected. Most exam questions are really asking "which layer owns this problem?", and the classic trap dresses an identity problem up in network clothing, or the other way around. Name the layer first and the right service usually follows.

The domain unfolds in three steps: access, then workloads, then data

Read this page as a map, then follow the three subtopics in order. Secure Access goes deep on the Identity layer: IAM, federation, and the policy-evaluation model that decides every API call. Secure Workloads covers the Network layer: security groups and network ACLs inside the VPC, plus the edge defenses WAF and Shield. Data Controls covers protecting the data itself: encryption with AWS KMS and where keys live. Each subtopic carries the mechanisms, the worked examples, and the traps; this overview just shows how they fit together.

When in doubt, choose the more managed, shorter-lived option

Across all three layers AWS rewards the same instinct: pick the most secure option that still meets the requirement. In practice that means roles and temporary credentials over long-lived access keys, encryption on by default, and the narrowest network path that works. You rarely need to memorise an exception. The managed, least-privilege default is the exam-correct answer far more often than not, and each subtopic shows where the genuine exceptions live.

The three security layers (and where each is covered)

LayerDecidesKey controlsDrill into
IdentityWho can do whatIAM policies & roles, federation, SCPsSecure Access to AWS Resources
NetworkWhere traffic can flowSecurity groups, NACLs, VPC endpoints, WAF, ShieldSecure Workloads and Applications
DataHow data is protectedEncryption at rest (KMS) & in transit (TLS)Data Security Controls

Subtopics in this domain