
AWS Amazon Web Services Associate Step 1 of 5 106 guides · updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 1 — AWS Cloud Foundations

Before you touch a single EC2 instance or S3 bucket, the exam wants to know whether you understand why AWS is built the way it is. This step covers the mental model behind everything else.


What Cloud Computing Actually Means

AWS sells three things: compute, storage, and networking — rented by the second, scaled automatically, billed only for what you use. The three service models map onto how much responsibility you keep:

IaaS (EC2, VPC) — You manage OS, runtime, app. AWS manages hardware.
PaaS (Elastic Beanstalk, RDS) — You manage app + data. AWS manages everything else.
SaaS (WorkMail, Chime) — You just use it. AWS manages all layers.

The Shared Responsibility Model is tested constantly. The clean split:

AWS RESPONSIBILITY           │ YOUR RESPONSIBILITY
─────────────────────────────┼──────────────────────────────────
Physical hardware            │ IAM users, roles, policies
Hypervisor / virtualization  │ OS patching (on EC2)
Network hardware             │ Application code
Data center facilities       │ Data encryption choices
Managed service internals    │ S3 bucket policies, public ACLs

If AWS manages the service end-to-end (like DynamoDB), AWS handles more. If you spin up an EC2 instance, you own the OS layer and above.


AWS Global Infrastructure (2026)

AWS runs across 34 geographic Regions, 108 Availability Zones, and 600+ Points of Presence globally. Each piece solves a different problem:

Region (us-east-1)
├── AZ 1 (us-east-1a) ──── Data Center A
│                     └─── Data Center B
├── AZ 2 (us-east-1b) ──── Data Center C
└── AZ 3 (us-east-1c) ──── Data Center D
Edge Location (New York, London, Tokyo...)
└── CloudFront cache / Route 53 resolver

Region — A geographic cluster of at least 2 AZs (most have 3–4). You choose a Region when you deploy resources. Data stays in the Region unless you explicitly move it.

Availability Zone — One or more physically separate data centers with independent power, cooling, and networking. The key word: isolated. A natural disaster that hits AZ-a won't take down AZ-b.

Edge Location / Point of Presence — Used by CloudFront (CDN) and Route 53 (DNS). These are not full Regions — they cache content closer to end users.

Local Zones — Mini Regions that extend into metro areas (Los Angeles, Dallas, etc.) for single-digit millisecond latency to specific cities.

How to choose a Region:

  1. Compliance — Does your data have to stay in a specific country?
  2. Latency — Where are your users?
  3. Feature availability — Not all services launch in every Region simultaneously
  4. Pricing — Cost varies slightly between Regions

IAM — Identity and Access Management

IAM is the access control system for your entire AWS account. No IAM understanding = no exam pass. The key objects:

Account Root User
└── (never use for daily work — lock it down with MFA)
IAM User (alice@company.com)
├── Attached Policy: ReadOnlyAccess
└── Member of: Developers Group
IAM Group (Developers)
└── Attached Policy: AmazonEC2FullAccess
IAM Role (EC2-S3-Read-Role)
├── Trust Policy: "EC2 service can assume this role"
└── Permission Policy: "s3:GetObject on my-bucket/*"

Policy types ranked by priority:

  1. SCPs (Service Control Policies) — AWS Organizations level, caps max permissions
  2. Permission Boundaries — Max permissions an IAM entity can ever have
  3. Identity-based policies — What a user/role is allowed to do
  4. Resource-based policies — Who can access this specific resource (S3 bucket policy, Lambda resource policy)

Exam rule: AWS uses "explicit deny wins" logic. If any policy says Deny, the request is denied regardless of other Allow statements. The default is implicit deny — nothing is allowed unless explicitly granted.
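The evaluation order described above, as an added Python sketch (not AWS code and not part of the original guide). It models only same-account requests against identity-based policies, an optional permission boundary and optional SCPs. Resource-based policies, session policies, Condition, NotAction and Principal are left out, and every policy except the my-bucket role policy is a constructed sample.

```python
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _hits(policy, effect, action, resource):
    """True if any statement in `policy` with this Effect matches the request."""
    for st in policy["Statement"]:
        if st["Effect"] != effect:
            continue
        # Action names are case-insensitive; ARNs are matched case-sensitively.
        act_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        res_ok = any(fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if act_ok and res_ok:
            return True
    return False

def evaluate(action, resource, identity, boundary=None, scps=None):
    """Simplified same-account decision: 'ExplicitDeny', 'ImplicitDeny' or 'Allow'."""
    layers = [list(identity)]            # identity-based policies always apply
    if boundary is not None:
        layers.append([boundary])        # permission boundary, if one is set
    if scps is not None:
        layers.append(list(scps))        # SCPs, if the account is in an Organization
    # Step 1: an explicit Deny in any policy of any layer ends evaluation.
    if any(_hits(p, "Deny", action, resource) for layer in layers for p in layer):
        return "ExplicitDeny"
    # Step 2: every layer that applies must contain a matching Allow.
    for layer in layers:
        if not any(_hits(p, "Allow", action, resource) for p in layer):
            return "ImplicitDeny"        # nothing granted it, so the default applies
    return "Allow"

# Constructed sample policies. ROLE_POLICY mirrors the page's EC2-S3-Read-Role.
ROLE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                              "Resource": "arn:aws:s3:::my-bucket/*"}]}
S3_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
READ_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                                "Resource": "*"}]}
ORG_SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                         {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
OBJ = "arn:aws:s3:::my-bucket/report.csv"   # constructed object ARN

if __name__ == "__main__":
    print(evaluate("s3:GetObject", OBJ, [ROLE_POLICY]))                    # granted by the role
    print(evaluate("s3:PutObject", OBJ, [ROLE_POLICY]))                    # never granted
    print(evaluate("s3:DeleteObject", OBJ, [S3_ADMIN], scps=[ORG_SCP]))    # SCP Deny beats s3:*
    print(evaluate("s3:PutObject", OBJ, [S3_ADMIN], boundary=READ_BOUNDARY))  # capped by boundary
```

The last two calls show the difference the exam tests: the SCP blocks with an explicit Deny, while the permission boundary blocks simply by not containing a matching Allow.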

MFA (Multi-Factor Authentication) — Always enable it on the root account. The exam will never recommend doing anything as root. Questions about "most secure way to allow cross-account access" always point to IAM Roles, not sharing credentials.

IAM Best Practices the Exam Loves


AWS Billing & Pricing Models

Understanding pricing isn't just for the cost-optimization domain — it appears in almost every architectural question because the right architecture balances cost against performance.

Pay-as-You-Go Pricing

Most services: pay per second (EC2), per request (Lambda), per GB (S3). No upfront commitment.

Reserved Instances / Savings Plans

Commit to 1 or 3 years of usage → save 30–70% vs on-demand.

On-Demand: $0.096/hr for m5.large (no commitment)
1-yr Reserved: $0.057/hr (40% savings)
3-yr Reserved: $0.038/hr (60% savings)
Savings Plans: Similar discount, more flexibility across instance types

Compute Savings Plans are the 2026 preferred option — they apply across EC2, Fargate, and Lambda automatically, unlike old RIs that were tied to a specific instance type and region.

Spot Instances

AWS sells unused capacity at up to a 90% discount. The catch: AWS can reclaim it with a 2-minute warning. Best for fault-tolerant batch jobs, machine learning training, and stateless workloads.

AWS Free Tier

Three types:

Key Billing Tools


The Six Pillars of the Well-Architected Framework

This framework shows up in every domain of the exam. Memorize the pillars:

Pillar                  │ Focus
────────────────────────┼──────────────────────────────────────────
Operational Excellence  │ Automate operations, learn from failure
Security                │ Protect data, systems, and assets
Reliability             │ Recover from failures automatically
Performance Efficiency  │ Use resources efficiently, adapt to demand
Cost Optimization       │ Eliminate waste, right-size resources
Sustainability          │ Minimize environmental impact

When an exam question asks "which design principle…" or "according to the Well-Architected Framework…", map your answer to the pillar the question is targeting.


Exam Focus: What Questions Test From This Step