AWS Security, Monitoring & Architecture: SAA-C03 Step 5 Final Guide

AWS (Amazon Web Services) · Associate · Step 5 of 5 · 106 guides · updated 2026

Hands-on guides to compute, storage, databases, networking, and serverless on the world's most widely adopted cloud platform.

Step 5 — Security, Monitoring & Architecture

This final step covers the layers that protect, observe, and govern your AWS workloads — plus the architectural patterns that tie everything together. Security and the Well-Architected Framework appear throughout the entire exam, not just in their dedicated domains.


AWS Security Services

KMS — Key Management Service

KMS manages encryption keys used to protect data across AWS services. It's the answer to almost every "how do you encrypt data at rest?" exam question.

Customer Managed Keys (CMK)
├── You create and manage the key
├── Full audit trail in CloudTrail
├── Rotate automatically once per year
└── ~$1/month per key + $0.03/10,000 API calls
AWS Managed Keys
├── Created by AWS on your behalf (e.g., "aws/s3", "aws/rds")
├── Cannot use directly — only via integrated services
└── Free, rotated every year automatically
AWS Owned Keys
└── Fully controlled by AWS. You have no visibility. Free.

Envelope Encryption — The pattern KMS uses:

1. Generate a Data Encryption Key (DEK) from KMS
2. Use DEK to encrypt your data (fast, local)
3. KMS encrypts the DEK with your CMK (key-encrypting-key)
4. Store encrypted DEK alongside encrypted data
5. To decrypt: KMS decrypts the DEK, then DEK decrypts the data

This way KMS never sees your raw data. Only the small DEK passes through KMS.
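The five steps above, run end to end as an added example (not code from this guide or from AWS). `FakeKms` stands in for the KMS GenerateDataKey and Decrypt API calls so the script runs offline; the CMK never leaves it, and every call is appended to an audit list in place of the CloudTrail record. Because the standard library has no AES, `seal()`/`open_()` are an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used purely so the example is self-contained; in a real deployment the DEK is an AES-256 key and the data cipher is AES-GCM. The storage layout (wrapped DEK kept next to the ciphertext) and the call sequence are what the pattern describes.

```python
"""Envelope encryption, step by step, with a stand-in for the KMS API."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class FakeKms:
    """Stand-in for KMS: holds the customer managed key and logs each call."""

    def __init__(self) -> None:
        self._cmk = secrets.token_bytes(32)   # never returned to callers
        self.audit: List[str] = []            # stands in for the CloudTrail record

    def generate_data_key(self) -> Tuple[bytes, bytes]:
        """Steps 1 and 3: a fresh DEK, returned in plaintext and wrapped under the CMK."""
        self.audit.append("GenerateDataKey")
        dek = secrets.token_bytes(32)
        return dek, seal(self._cmk, dek)

    def decrypt(self, wrapped_dek: bytes) -> bytes:
        """Step 5a: unwrap the DEK. Only the 32-byte DEK passes through KMS."""
        self.audit.append("Decrypt")
        return open_(self._cmk, wrapped_dek)


def encrypt_object(kms: FakeKms, data: bytes) -> Dict[str, bytes]:
    dek, wrapped_dek = kms.generate_data_key()          # steps 1 + 3
    body = seal(dek, data)                              # step 2: local, bulk data
    return {"wrapped_dek": wrapped_dek, "body": body}   # step 4: stored together


def decrypt_object(kms: FakeKms, obj: Dict[str, bytes]) -> bytes:
    dek = kms.decrypt(obj["wrapped_dek"])               # step 5a: one small KMS call
    return open_(dek, obj["body"])                      # step 5b: decrypt locally


if __name__ == "__main__":
    kms = FakeKms()
    stored = encrypt_object(kms, b"customer record 42 (constructed sample)")
    print(decrypt_object(kms, stored))
    print(kms.audit)   # ['GenerateDataKey', 'Decrypt']
```

Note what the audit list shows: two KMS calls for an object of any size, and the plaintext DEK is never persisted. Flipping a byte of the stored body makes `decrypt_object` raise instead of returning garbage, which is the property you rely on when ciphertext and wrapped DEK sit together in the same bucket.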

KMS Multi-Region Keys — Replicate a key to secondary regions. Decryption in region B works with ciphertext encrypted in region A. Used for global Aurora databases and cross-region data compliance.

Secrets Manager vs SSM Parameter Store

Secrets Manager                        │ SSM Parameter Store
───────────────────────────────────────┼───────────────────────────────────
Specifically for secrets               │ General config + secrets
Auto-rotation built-in (RDS, Redshift) │ Rotation via Lambda (manual setup)
~$0.40/secret/month                    │ Free (Standard); $0.05/advanced
Cross-account access via resource      │ Limited cross-account
Better for database credentials        │ Better for non-secret config

Exam pattern: "RDS credentials need to rotate automatically" → Secrets Manager. "Store EC2 configuration values" → SSM Parameter Store.

WAF, Shield, and GuardDuty

AWS WAF (Web Application Firewall) — Filters HTTP/HTTPS traffic based on rules: block SQL injection, XSS, specific IPs, geo locations, rate limits. Deploys in front of ALB, API Gateway, or CloudFront.

AWS Shield

Amazon GuardDuty — Threat detection service. Analyzes CloudTrail logs, VPC Flow Logs, DNS logs for suspicious patterns (crypto mining, credential theft, unusual API calls). No agents required. Findings sent to EventBridge.

Amazon Inspector — Automated vulnerability scanning for EC2 instances and container images (ECR). Scans for CVEs, network reachability issues. Integrates with Security Hub.

Amazon Macie — Uses ML to discover and protect sensitive data in S3 (PII, financial data, credentials). Sends findings to Security Hub and EventBridge.

IAM Advanced Concepts

Permission Boundaries — Maximum permissions a user or role can have, regardless of what their policies allow. Use to delegate administration: "Allow a developer to create IAM roles, but only with permissions that don't exceed X."

Service Control Policies (SCPs) — Applied at the AWS Organizations account or OU level. Cap maximum permissions for all principals in that account. Even the root user is subject to SCPs.

IAM Access Analyzer — Identifies resources (S3 buckets, IAM roles, KMS keys) that are accessible from outside your account or organization. Run before every production deployment.

ABAC (Attribute-Based Access Control) — Tag-based permissions: "Allow EC2 actions if the resource tag Project matches the user's tag Project." Scales better than RBAC for large teams.
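How a permission boundary, an SCP and an ABAC tag condition combine on one request is easiest to see in a small evaluator. This is an added example, not AWS's policy engine: it models only the rule stated above (an identity policy must allow, the boundary must allow, every SCP must allow, and an explicit Deny anywhere wins) with StringEquals conditions and the real `aws:ResourceTag/<key>` and `aws:PrincipalTag/<key>` context keys. The three policies, the account id and the instance ARN are constructed for the example.

```python
"""Permission boundaries, SCPs and an ABAC tag condition in one evaluator."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional


def _matches(pattern, value: str) -> bool:
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_ok(condition: dict, ctx: Dict[str, str]) -> bool:
    """StringEquals only. A value such as ${aws:PrincipalTag/Project} is resolved
    from the request context; that is how ABAC compares resource and principal tags."""
    for key, expected in condition.get("StringEquals", {}).items():
        if isinstance(expected, str) and expected.startswith("${") and expected.endswith("}"):
            expected = ctx.get(expected[2:-1])
        if expected is None or ctx.get(key) != expected:
            return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> Optional[str]:
    """'Deny' if any statement explicitly denies, 'Allow' if one allows, else None (implicit deny)."""
    decision = None
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(action: str, resource: str, ctx: Dict[str, str],
               identity_policies: Iterable[dict], boundary: Optional[dict] = None,
               scps: Iterable[dict] = ()) -> bool:
    decisions = [evaluate(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in decisions or "Allow" not in decisions:
        return False
    # The boundary and each SCP are caps: each must itself say Allow, and an
    # explicit Deny in any of them is final even for an administrator.
    gates: List[dict] = ([boundary] if boundary else []) + list(scps)
    return all(evaluate(g, action, resource, ctx) == "Allow" for g in gates)


# --- constructed policies ----------------------------------------------------
DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Project": "${aws:PrincipalTag/Project}"}}},
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*"},
]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}
# Permission boundary: the most a delegated developer (or any role they create) can ever get.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:CreateRole"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}
# SCP on the production OU: audit logging stays on, whoever the principal is.
PROD_OU_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
]}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # placeholder ARN
```

Run `is_allowed("ec2:StartInstances", INSTANCE, ctx, [DEVELOPER_POLICY], DEVELOPER_BOUNDARY, [PROD_OU_SCP])` with a context where the principal and resource both carry `Project=alpha`, then with mismatched tags, then for `ec2:TerminateInstances`: the first succeeds, the second fails on the ABAC condition, the third fails on the boundary's Deny even though the identity policy grants `ec2:*`. An administrator with `ADMIN_POLICY` still cannot call `cloudtrail:StopLogging` once the SCP is in the account's OU path, which is the exam's "even the root user is subject to SCPs" point.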


CloudWatch — Observability

CloudWatch is the unified monitoring platform for AWS. It covers metrics, logs, alarms, dashboards, and synthetic monitoring.

CloudWatch Metrics

Every AWS service publishes metrics automatically (EC2 CPU, RDS connections, Lambda errors). Key details:

CloudWatch Alarms

Metric ──► Alarm Threshold ──► State Change ──► Action
                                    │
                                    ├── OK (metric within threshold)
                                    ├── ALARM (metric breached threshold)
                                    └── INSUFFICIENT_DATA (not enough data)
Actions:
├── SNS notification (email, SMS, Lambda trigger)
├── Auto Scaling action (add/remove instances)
└── EC2 action (stop, terminate, reboot)

Composite Alarms — Combine multiple alarms with AND/OR logic. Suppress alarm noise: "only alert if CPU > 80% AND disk > 90%."

CloudWatch Logs

Collect, store, and search log data from any source:

Log Group (e.g., /aws/lambda/my-function)
└── Log Streams (one per function instance or EC2 instance)
    └── Log Events (individual log lines with timestamp)

Log Insights — SQL-like query language to analyze logs. Search across multiple log groups in a single query.

Subscription Filters — Stream log data in real-time to Kinesis Data Streams, Kinesis Firehose, or Lambda for processing/archiving.

Metric Filters — Extract numeric values from log lines and turn them into CloudWatch metrics. Example: count "ERROR" occurrences per minute → alarm when > 5.

Log Retention — Default: never expires. Set explicit retention (7 days to 10 years) to control cost. Logs that expire are automatically deleted.
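The metric-filter example just given, together with the alarm state machine from the CloudWatch Alarms diagram, replayed over a handful of log lines. This is an added example, not CloudWatch code: `SAMPLE_LOG` is constructed in the Lambda "timestamp requestId LEVEL message" shape, the filter is a plain substring test rather than CloudWatch's filter-pattern syntax, and the alarm is evaluated one period at a time with threshold > 5 and a single datapoint to alarm.

```python
"""Metric filter and alarm evaluation replayed over constructed log lines."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: 2 errors in 10:00, 6 in 10:01, 1 in 10:02, nothing logged in 10:03.
SAMPLE_LOG = """\
2026-01-15T10:00:03.120Z 7f1c ERROR upstream timeout
2026-01-15T10:00:14.002Z 8a2d INFO request ok
2026-01-15T10:00:21.511Z 9b3e ERROR upstream timeout
2026-01-15T10:01:02.000Z 1a11 ERROR upstream timeout
2026-01-15T10:01:05.000Z 1a12 ERROR upstream timeout
2026-01-15T10:01:09.000Z 1a13 ERROR upstream timeout
2026-01-15T10:01:15.000Z 1a14 INFO request ok
2026-01-15T10:01:22.000Z 1a15 ERROR upstream timeout
2026-01-15T10:01:31.000Z 1a16 ERROR upstream timeout
2026-01-15T10:01:44.000Z 1a17 ERROR connection refused
2026-01-15T10:02:07.000Z 2b21 ERROR upstream timeout
2026-01-15T10:02:40.000Z 2b22 INFO request ok
"""


def metric_filter(lines, pattern: str = "ERROR") -> Dict[str, int]:
    """One data point per observed minute: number of lines matching the pattern.
    A minute with log traffic but no match gets 0 (what a filter's defaultValue
    does); a minute with no log lines at all produces no data point."""
    counts: Dict[str, int] = {}
    for line in lines:
        timestamp, _, rest = line.partition(" ")
        minute = datetime.fromisoformat(timestamp.replace("Z", "+00:00")).strftime("%Y-%m-%dT%H:%M")
        counts[minute] = counts.get(minute, 0) + (1 if pattern in rest else 0)
    return counts


def run_alarm(points: Dict[str, int], periods: List[str],
              threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Evaluate the alarm per period; return (period, old_state, new_state) transitions."""
    state, transitions = "INSUFFICIENT_DATA", []
    for period in periods:
        if period not in points:
            new_state = "INSUFFICIENT_DATA"     # no data point for this period
        elif points[period] > threshold:
            new_state = "ALARM"
        else:
            new_state = "OK"
        if new_state != state:
            transitions.append((period, state, new_state))
            state = new_state
    return transitions


def actions_for(transitions) -> List[str]:
    """AlarmActions fire on entering ALARM, OKActions on entering OK (e.g. an SNS topic)."""
    names = {"ALARM": "AlarmAction", "OK": "OKAction"}
    return [f"{names[new]} at {period}" for period, _, new in transitions if new in names]


if __name__ == "__main__":
    points = metric_filter(SAMPLE_LOG.splitlines())
    periods = ["2026-01-15T10:00", "2026-01-15T10:01", "2026-01-15T10:02", "2026-01-15T10:03"]
    for t in run_alarm(points, periods):
        print(t)
```

Two things worth noticing in the output: the 10:01 period trips ALARM because six errors exceed the threshold of five, and the silent 10:03 period drops the alarm to INSUFFICIENT_DATA rather than OK, which is why teams often set a defaultValue of 0 on the filter or treat missing data as "not breaching" in the alarm.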


CloudTrail — Audit and Compliance

CloudTrail records every API call made in your AWS account — who did what, from where, and when.

API Call: "alice@company.com deleted S3 bucket my-bucket at 14:32:07 UTC from IP 203.0.113.5"
        │
        ▼
CloudTrail Management Event
        ├── Recorded in CloudTrail Event History (90-day free retention)
        └── CloudTrail Trail → S3 bucket (unlimited, you pay for S3)

Trail Types

Management Events — Control plane operations (create/delete/modify resources). Logged by default. Free for first copy.

Data Events — Data plane operations (S3 object-level: GetObject, PutObject; Lambda invocations). Must be explicitly enabled. Additional cost.

Insights Events — Automatically detects unusual write API activity. Alerts when call rates deviate from baseline.

CloudTrail Lake — Managed audit log storage with SQL query capability. Retention up to 7 years. Replaces the old pattern of CloudTrail → S3 → Athena.

Multi-Region Trail — A single trail that captures events from all regions. Best practice for compliance. Enable "Include global service events" to capture IAM, STS, CloudFront events (which always log to us-east-1).
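To make the who/what/where/when, the management-versus-data distinction, and the "unusual write activity" idea concrete, here is an added example (not CloudTrail's own code) that reads records in the real CloudTrail record shape (`eventTime`, `eventSource`, `eventName`, `sourceIPAddress`, `userIdentity`, `readOnly`, `eventCategory`). `RECORDS` is a constructed sample: three quiet hours for one user, then twenty bucket deletions in a single hour. `unusual_write_activity()` imitates what Insights events flag by comparing a principal's write management calls in the latest hour with its earlier hours; the one-hour window and the 3x factor are assumptions for this example, not AWS's published algorithm, and the account id and IP addresses are placeholders.

```python
"""Reading CloudTrail records: who/what/where/when, event class, and a write-rate check."""
from collections import defaultdict
from typing import Dict, List, Tuple


def _rec(event_time, user, event_name, source, ip, read_only, category="Management") -> dict:
    """Build one constructed CloudTrail record using the real field names."""
    return {
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": source,
        "eventName": event_name,
        "awsRegion": "us-east-1",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user,
                         "arn": f"arn:aws:iam::123456789012:user/{user}"},  # placeholder account
        "readOnly": read_only,
        "eventCategory": category,          # "Management" or "Data"
        "managementEvent": category == "Management",
    }


RECORDS: List[dict] = []
for hour in (9, 10, 11):                    # three quiet hours: 2 writes + 1 read per hour
    for minute in (5, 35):
        RECORDS.append(_rec(f"2026-01-15T{hour:02d}:{minute:02d}:00Z", "alice", "RunInstances",
                            "ec2.amazonaws.com", "203.0.113.5", False))
    RECORDS.append(_rec(f"2026-01-15T{hour:02d}:10:00Z", "alice", "DescribeInstances",
                        "ec2.amazonaws.com", "203.0.113.5", True))
    RECORDS.append(_rec(f"2026-01-15T{hour:02d}:20:00Z", "bob", "PutObject",
                        "s3.amazonaws.com", "198.51.100.7", False, "Data"))
for minute in range(0, 60, 3):             # then 20 bucket deletions in one hour
    RECORDS.append(_rec(f"2026-01-15T12:{minute:02d}:00Z", "alice", "DeleteBucket",
                        "s3.amazonaws.com", "203.0.113.5", False))


def describe(record: dict) -> str:
    """The who / what / where / when that a single record answers."""
    who = record["userIdentity"].get("arn", record["userIdentity"]["type"])
    return (f"{who} called {record['eventSource']}:{record['eventName']} "
            f"at {record['eventTime']} from {record['sourceIPAddress']}")


def write_management_calls_per_hour(records) -> Dict[str, Dict[str, int]]:
    """Count write (readOnly=false) management events per principal per hour.
    Data events such as S3 PutObject are skipped: they are not what Insights baselines."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["eventCategory"] != "Management" or r["readOnly"]:
            continue
        counts[r["userIdentity"]["arn"]][r["eventTime"][:13]] += 1   # key like "2026-01-15T12"
    return {arn: dict(hours) for arn, hours in counts.items()}


def unusual_write_activity(records, factor: float = 3.0) -> List[Tuple[str, str, int, float]]:
    """Flag (principal, hour, count, baseline) when the latest hour's write count
    exceeds `factor` times the average of that principal's earlier hours."""
    flagged = []
    for arn, by_hour in write_management_calls_per_hour(records).items():
        hours = sorted(by_hour)
        if len(hours) < 2:
            continue                          # no history to compare against
        baseline = sum(by_hour[h] for h in hours[:-1]) / (len(hours) - 1)
        latest = hours[-1]
        if by_hour[latest] > factor * baseline:
            flagged.append((arn, latest, by_hour[latest], baseline))
    return flagged


if __name__ == "__main__":
    print(describe(RECORDS[-1]))
    print(unusual_write_activity(RECORDS))
```

The read-only `DescribeInstances` calls and bob's S3 data events never enter the baseline, so the flag is raised purely on alice's jump from 2 write management calls per hour to 20. In a real account the same logic is what you would feed from a trail's S3 objects or a CloudTrail Lake query before wiring the result into EventBridge.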


Cost Optimization Deep Dive

EC2 Cost Strategies

On-Demand           Best for: unpredictable, short-term workloads. No discount.
Reserved Instances  Best for: steady-state 24/7 workloads. 30–60% savings.
Savings Plans       Best for: flexible compute across EC2/Fargate/Lambda. 20–66% savings.
Spot Instances      Best for: fault-tolerant batch/ML. Up to 90% savings.

Rightsizing — Use Compute Optimizer (free) to identify oversized instances. A t3.large running at 5% CPU average is burning money. Rightsizing alone typically saves 20–30% of EC2 costs.

Cost Allocation Tags — Tag resources with Project, Team, Environment. Enable cost allocation tags in the Billing console. Then filter Cost Explorer by tag to see which team is spending what.

AWS Budgets — Set budgets for cost, usage, reservations, or Savings Plans. Alert via email or SNS when forecasted spend exceeds threshold.

Trusted Advisor — Automated checks across cost optimization, security, fault tolerance, performance, service limits. Free tier has 7 checks; Business/Enterprise support unlocks all 115+.

Data Transfer Costs (Often Overlooked)

Inbound to AWS: FREE
Within same AZ (same region): FREE (between EC2 and other services)
Between AZs (same region): $0.01/GB each direction
Between Regions: $0.02–0.09/GB
To the internet: $0.09/GB (first 10 TB/month)

Design implication: If your application has high cross-AZ data transfer, consolidating hot data access within one AZ can save meaningfully. EFS, S3, and managed services are regional by design and don't incur AZ-crossing costs.


Well-Architected Framework — Design Patterns

The Well-Architected Framework provides architectural best practices across six pillars. The exam maps many questions directly to these principles.

Reliability Design Patterns

Multi-AZ Everything — RDS Multi-AZ, ALB spanning AZs, ASG across subnets in multiple AZs. Single-AZ is a single point of failure.

Circuit Breaker — If downstream service fails, stop calling it temporarily. Prevents cascading failures. Implemented via Application Load Balancer health checks or service mesh.

Bulkhead — Isolate resources to prevent one failing component from consuming all capacity. Separate thread pools, separate queues, separate Lambda concurrency reservations per function.
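The circuit breaker in code, as an added example (not from this guide and not an AWS library). Three states: CLOSED passes calls through and counts failures; OPEN fails fast for `reset_after` seconds without touching the dependency; HALF_OPEN lets one trial call decide whether to close again. The clock is injected so `simulate()` runs deterministically offline; the failing downstream and all timings are constructed.

```python
"""Circuit breaker in front of a downstream call."""
import time
from typing import Any, Callable, Optional


class CircuitOpen(Exception):
    """Raised instead of calling the dependency while the breaker is OPEN."""


class CircuitBreaker:
    def __init__(self, failure_threshold: int = 3, reset_after: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.clock = clock
        self.state = "CLOSED"
        self.failures = 0
        self.opened_at: Optional[float] = None

    def call(self, fn: Callable[[], Any]) -> Any:
        if self.state == "OPEN":
            if self.clock() - self.opened_at >= self.reset_after:
                self.state = "HALF_OPEN"          # allow exactly one trial call
            else:
                raise CircuitOpen("failing fast; downstream not called")
        try:
            result = fn()
        except Exception:
            self._on_failure()
            raise
        self._on_success()
        return result

    def _on_failure(self) -> None:
        self.failures += 1
        # A failed trial call re-opens immediately; otherwise trip at the threshold.
        if self.state == "HALF_OPEN" or self.failures >= self.failure_threshold:
            self.state = "OPEN"
            self.opened_at = self.clock()

    def _on_success(self) -> None:
        self.state = "CLOSED"
        self.failures = 0


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate() -> dict:
    """Three failures trip the breaker, two calls fail fast, then a trial call closes it."""
    clock = FakeClock()
    breaker = CircuitBreaker(failure_threshold=3, reset_after=30, clock=clock)
    downstream_calls = []
    healthy = [False]                          # constructed dependency state

    def downstream() -> str:
        downstream_calls.append(clock.now)     # records every real call made
        if not healthy[0]:
            raise RuntimeError("503 from downstream")
        return "ok"

    trace = []
    for _ in range(5):
        try:
            trace.append(breaker.call(downstream))
        except CircuitOpen:
            trace.append("fast-fail")
        except RuntimeError:
            trace.append("error")
        clock.advance(1)
    healthy[0] = True
    clock.advance(30)                          # reset window elapsed -> HALF_OPEN trial
    trace.append(breaker.call(downstream))
    return {"trace": trace, "downstream_calls": len(downstream_calls), "state": breaker.state}


if __name__ == "__main__":
    print(simulate())
```

The count of real downstream calls is the point: four, not six. The two fast-fail calls never reached the struggling dependency, which is what keeps a slow service from dragging every caller's thread pool down with it (the same isolation the bulkhead pattern below achieves at the resource level).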

Performance Efficiency Patterns

Caching Architecture:

User ──► CloudFront ──► API Gateway ──► Lambda ──► ElastiCache ──► RDS
         (CDN cache)    (API cache)                (data cache)     (source of truth)

Each cache layer reduces calls to the next, expensive layer.

Serverless First — Lambda + DynamoDB scales from 0 to millions of requests automatically. No idle EC2 costs. Default choice for event-driven, API, and scheduled workloads.

Security Design Patterns

Defence in Depth:

Internet ──► WAF ──► CloudFront ──► ALB (Security Group) ──► EC2 (Security Group)
                                                                 └── Private Subnet (NACL, No IGW)
                                                                     └── RDS (Security Group)

Zero Trust Networking — Never trust, always verify. Use IAM roles for service-to-service auth. Use VPC endpoints to keep traffic off the public internet. Enable PrivateLink for SaaS integrations.

Operational Excellence Patterns

Infrastructure as Code — CloudFormation or CDK. Every resource created manually in the console is a risk. Reproducible, version-controlled infrastructure is a first-class exam answer for "how to manage environments consistently."

Runbooks as Lambda Functions — Automate operational tasks (rotate keys, restart failed services, clear cache) via Lambda triggered by CloudWatch alarms. Reduces mean time to resolution (MTTR).

Cost Optimization Patterns

Serverless for Bursty Workloads — Lambda is free at zero load; EC2 isn't. Match billing model to workload shape.

S3 Intelligent-Tiering + Lifecycle — Let AWS manage storage class transitions instead of manually predicting access patterns.

Spot + On-Demand Hybrid ASG — Base capacity on On-Demand or Reserved Instances, overflow on Spot. This architecture achieves 50–70% cost reduction vs all-On-Demand at high scale.


SAA-C03 Exam Summary: The Pattern Library

The SAA-C03 exam is a pattern recognition test. Here are the most frequently tested mappings:

Requirement                                │ Solution
───────────────────────────────────────────┼──────────────────────────────
High availability for web app              │ ALB + ASG across 2+ AZs
Relational DB failover                     │ RDS Multi-AZ
Read-heavy relational workload             │ RDS Read Replica
Cross-region relational DR                 │ Aurora Global Database
Millions of small items, single-digit ms   │ DynamoDB
Serverless API                             │ API Gateway + Lambda
Decouple and retry                         │ SQS with DLQ
Fan-out to multiple services               │ SNS + SQS
React to AWS events                        │ EventBridge
Serve static site globally                 │ S3 + CloudFront
Block DDoS attacks                         │ AWS Shield + WAF
Detect threats automatically               │ GuardDuty
Audit API calls                            │ CloudTrail
Monitor metrics + alerts                   │ CloudWatch
Encrypt data at rest                       │ KMS + SSE
Rotate database credentials                │ Secrets Manager
Private EC2 downloads from internet        │ NAT Gateway
Connect two VPCs                           │ VPC Peering
Connect many VPCs and on-premises          │ Transit Gateway
Block specific IP at subnet level          │ NACL Deny rule

Study these patterns until you can answer in under 10 seconds. That's the pace the exam requires.