AWS Solutions Architect SAA-C03 – Hands-On Projects

Adopt a multi-account AWS strategy to improve security, isolation, and cost control by separating production, non-production, and sandbox environments and distributing workloads across AWS accounts with governance via AWS Organizations.

Explore how AWS Organizations centralizes multi-account management, enforces security guardrails with service control policies and organization units, enables consolidated billing, and supports production versus non-production workloads.

Master AWS organizations and service control policies (SCPs) as guardrails to restrict services and regions across member accounts, learn their deny-by-default model, inheritance, and interaction with IAM policies.

Set up an AWS organization, create development and production OUs, invite the development account, and create and move the production account into the production OU.

Enable service control policies to create a deny policy that prevents root users in development and production accounts from leaving the organization, enforcing guardrails across the OUs.

Explore cross-account access in AWS organizations by using the organization account access role to assume roles across management, development, and production accounts, enabling seamless admin access without multiple credentials.

Discover how AWS Control Tower orchestrates a secure multi-account environment with a landing zone, guardrails, and an account factory, integrating IAM Identity Center, AWS organizations, and optional hands-on lab.

Deploy AWS Control Tower in an existing organization, enroll accounts under governance, and configure IAM Identity Center for cross-account access with a landing zone baseline.

Deploy AWS control tower to govern your organization with landing zone, OUs, and log archive and audit accounts. Enroll accounts via IAM identity center and enforce preventative and detective guardrails.

Explore AWS identity and access management options, including IAM, cross-account roles, Identity Center, and Cognito, to authenticate, authorize, and grant temporary credentials across accounts and apps.

Learn why the AWS root user holds full account access, why to avoid its use for daily tasks, and how to use IAM users and MFA to secure operations.

Configure IAM password policies in the AWS console, enforcing 12-character passwords with uppercase, lowercase, numbers, and non-alphanumeric characters, plus expiration and six-password reuse restrictions.

Create an IAM group and an IAM user in the development account, attach administrator access to the group, and add James to the senior admins group.

Explain IAM policy structure and types—AWS managed, customer managed, and inline—showing how allow, deny, and conditions control access via ARNs.

Create an IAM user and grant S3 access by crafting and attaching a policy in AWS Management Console that lists buckets and retrieves objects.

Learn to use the AWS CLI for multi-account access by configuring named profiles with access keys and securely managing long-term credentials for dev and prod environments.

Explore IAM permission boundaries, which cap the maximum permissions for users and roles and prevent privilege escalation by enforcing alignment with IAM policies in a practical hands-on demo.

Explore how to use the AWS IAM policy simulator in the management console to test permissions for users, groups, and roles, including S3 and EC2 actions, with targeted bucket controls.

Learn how resource-based policies, including bucket policies, attach to AWS resources like S3 buckets to grant cross-account access, defining principals and get/put actions without role switching.

Explore IAM policy evaluation logic across IAM, resource-based policies, permission boundaries, and SCPs, and learn how explicit denies, implicit denies, and policy intersections determine access.

Learn how IAM roles enable cross-account access, service roles, and service linked roles, using temporary credentials and passrole to securely access S3, DynamoDB, and SNS.

Explore how AWS directory services integrate with Microsoft Active Directory on AWS, comparing AWS managed AD, AD Connector, and Simple AD for authentication and hybrid access.

Learn AWS IAM security tools, including the credentials report and access advisor, to audit users and enforce least privileges. Use access analyzer to identify unused permissions and external access.

Explore AWS storage options, from block, file, and object storage to S3, EFS, and FSx, highlighting durability, metadata, erasure coding, and scalable, high-availability design.

Explore how Amazon S3 serves as a global object storage solution built on buckets and objects. Understand region, durability, access control options, and prefixes that organize and secure unstructured data.

Explore Amazon S3 storage classes from standard to glacier and intelligent-tiering, highlighting durability across three availability zones, instant access, infrequent and archival options, retrieval processes, and cost considerations.

Create an Amazon S3 bucket, configure bucket policies, and grant granular access using IAM users and CLI, while exploring public access blocks, encryption, and versioning.

Enable Amazon S3 bucket versioning to keep multiple versions of the same object, prevent accidental deletions with delete markers, and note you cannot revert to disabled.

Enable MFA delete on an s3 bucket with versioning to require root user authentication and MFA codes for delete operations, then practice deleting versions via the cli.

Explore Amazon S3 bucket replication, which automatically replicates new objects across buckets in the same or cross-region setups, with versioning, replication rules, IAM roles, and optional RTC or on-demand replication.

Demonstrates configuring cross-account Amazon S3 replication from a source bucket in one account to a destination bucket in another, including enabling versioning, setting a replication rule, and applying bucket policies.

Explore Amazon S3 performance strategies, including using prefixes to parallelize reads and writes, employing multi-part uploads for large objects, and enabling transfer acceleration via edge locations to speed uploads.

Explore aws s3 lifecycle management: create rules to transition data between storage classes and expire old data, using a waterfall model from standard to glacier while considering limits and versions.

Host the front end of web apps with Amazon S3 static website hosting, delivering html, css, images, and javascript with public access, bucket policies, and region-specific URLs.

Explore cross-origin resource sharing (CORS) concepts and hands-on steps to enable cross-origin requests with S3 buckets, JSON policies, and preflight handling.

Configure Amazon S3 event notifications to trigger actions on bucket events like object created or deleted. Route these notifications to Lambda, SNS, SQS, or EventBridge using resource-based policies.

Explore Amazon S3 encryption options at rest and in transit, including SSE-S3, SSE-KMS with customer master keys, and SSE-C; learn per-object keys, key lifecycle, and role separation.

Explore how to encrypt S3 objects with KMS, enforce a single encryption policy via bucket policies, and boost scalability and reduce costs with bucket keys for data encryption keys.

Explore applying S3 and KMS encryption, enable bucket versioning, upload an object, and compare S3 vs KMS encryption via two object versions, plus simulate role-based access with an IAM policy.

Learn how Amazon S3 presigned URLs grant secure, temporary access to bucket objects for users or applications, with configurable expiration and real-world use cases.

Enable server access logging for S3 buckets to log all source bucket activities to a destination bucket, using proper permissions, log formats, and lifecycle rules to manage costs.

Enable Amazon S3 object lock to enforce a worm model on object versions with retention periods or legal holds, protecting against deletion or overwriting and supporting compliance or governance modes.

Learn how to use Amazon S3 select and Glacier select to filter data with SQL expressions, reducing data transfer, lowering costs, and speeding retrieval for S3 and Glacier data.

Learn how AWS Storage Gateway enables hybrid cloud storage by linking on-prem workloads to cloud storage via file, volume, FSX file gateway, and tape gateways.

Explore how the AWS Snowball Edge enables offline data transfer from on-premises to the cloud using rugged edge compute and storage devices, with data encrypted at rest and in transit.

Explore how to design secure AWS VPCs with IP addressing, DHCP, and gateways, covering IPv4 vs IPv6, public and private addresses, and how networks cross boundaries.

Explore private IP ranges and NAT gateways for internal networks, then learn port numbers and their ranges (well-known, registered, and ephemeral) with examples like 80, 443, and 3389.

Master ip addressing and subnetting to create multiple isolated networks within a larger network, using slash 24 to define network and host portions in IPv4, and explore routing between networks.

Discover how CIDR notation defines IP networks and subnet masks in cloud environments, and use bitwise AND to reveal the network and host portions, enabling scalable subnets.

Explore deploying Amazon VPCs in AWS, including default and custom VPCs, region-wide scope, and subnet layouts. Grasp private IP spaces, internet access, and the basics of security groups and NACLs.

Plan and design custom AWS VPCs by sizing CIDR blocks, allocating subnets across availability zones, and separating development, testing, and production environments while avoiding overlapping IP ranges.

Build an end-to-end custom VPC in the London region using a manual approach, configuring subnets, route tables, NAT gateways, security groups, and DNS features, then automate with CloudFormation or Terraform.

Configure 12 non overlapping subnets across four availability zones in a VPC, using IPv4 /20 and IPv6 /64s, for public, web, app, and database tiers, with default DHCP option set.

Deploy and attach an internet gateway to your VPC to enable internet access, then configure route tables and focused subnets for a two availability zones minimum viable product.

Create a separate public route table for public subnets that routes traffic to the internet gateway, keep private subnets on the main route table with a local route.

Learn how nat gateways provide internet access for private subnets via a 1-to-many natting service, elastic IPs, and route tables, and compare them with nat instances.

Deploy a nat gateway in a public subnet, allocate an elastic ip, and update the route table so private subnets access the internet through the nat gateway; then delete it.

Explain how network access control lists protect subnets as stateless firewalls with inbound and outbound rules, handling ephemeral ports and port 443, and default versus custom behavior with security groups.

Security groups provide stateful firewalls with implicit deny and allow rules. They control inbound traffic on ports 80 and 443 and enable self-referencing SG access for databases on port 3006.

Configure security groups in a VPC—load balancer, web app, and database—with inbound port 80 from internet to the load balancer and port 3306 opened from web app to database.

VPC peering connects two VPCs across regions or accounts using the AWS backbone with private IPs, enabling traffic flow once routes are configured and CIDR ranges do not overlap.

Learn to create a two VPC peering connection with NAT gateways and proper route tables, enabling private subnet access and cross-VPC ping tests via session manager.

Discover how AWS Transit Gateway simplifies inter‑VPC and on‑premises connectivity with a hub‑and‑spoke model, reducing overhead and enabling scalable routing for a global network.

Learn how AWS VPC endpoints enable private access to S3 and DynamoDB inside a VPC, avoiding internet gateways. Compare gateway and interface endpoints, including pricing and region constraints.

Set up VPC endpoints to connect private EC2 instances to S3 using an interface endpoint and a gateway endpoint, with IAM roles and EC2 Instance Connect endpoint for private access.

Explore site-to-site VPN tunneling on AWS, enabling encrypted IPsec connections between your VPC and on-premises networks. Includes two tunnels for redundancy and supports static or dynamic routing.

Discover how AWS client VPN lets individual devices securely connect to a VPC via encrypted TLS connections, using OpenVPN, client VPN endpoints, and non-overlapping CIDR blocks.

Discover how AWS Direct Connect provides a private, high-bandwidth link from on-premises to the AWS backbone, enabling access to VPC resources and public services via private and public virtual interfaces.

Leverage the AWS Direct Connect Gateway to access multiple VPCs across regions from a single Direct Connect location, using private virtual interfaces and virtual private gateway associations.

Explore how IPv6 changes AWS network security by using an egress only internet gateway to allow private subnet access via route tables and ACLs, without inbound exposure, unlike IPv4 NAT.

Explore AWS VPC flow logs to monitor IP traffic on network interfaces, diagnose security group rules, and audit traffic, with logs published to CloudWatch, S3, or Firehose.

Explore how EC2 provides on-demand, scalable compute capacity to deploy virtual machines in the cloud, with security, networking, and elastic block storage inside a VPC to support autoscaling.

Explore EC2 instance types, their compute, memory, network, and storage profiles, including instance store versus EBS and naming conventions for AI-optimized chips like Trainium and Inferentia.

Launch and configure EC2 bastion host in a VPC public subnet, selecting an AMI, attaching EBS volumes, and securing with a security group, elastic IP, IAM role, and user data.

Set up a private EC2 instance behind a bastion host, restrict SSH to the bastion security group, and connect from the bastion to the app server, with session manager recommended.

Explore EC2 pricing options, including on-demand, reserved, spot, and dedicated hosts, plus capacity reservation and savings plans to optimize cost and performance.

Discover how Elastic Block Store (EBS) provides block storage for EC2, with AZ-specific volumes, detach/attach across instances, multi-attach options, and snapshots in S3 enabling cross-region disaster recovery.

Explore EC2 instance store volumes, ephemeral, physically attached to the host, accessible only at launch for high-performance storage; unlike EBS, they vanish if the instance stops or moves.

this lecture compares GP2 and GP3 general purpose EBS volumes, detailing bootable SSD storage, IOPS, IO credits, burst behavior, and GP3's consistent 3000 IOPS with higher throughput and lower cost.

Compare provisioned IOPs in EBS: Io1 vs Io2 block express, their IOP ranges and throughput, bootable support, nitro system performance, and multi-attach capability for high-demand databases.

Learn to work with AWS EBS volumes in the AWS Management Console by creating and attaching GP3 volumes, mounting them on Linux and Windows, and using snapshots with cross-region copies.

Learn how EBS encryption uses KMS keys to encrypt data at rest in host memory, with new volumes getting unique data keys and snapshots sharing the key.

Create and customize Amazon machine images to deploy consistent EC2 instances with pre-baked configurations, manage regional copies, block device mappings, and access permissions.

Launch an EC2 instance from a corporate AMI with user data scripts, IAM roles, and an S3 bucket to host a web app in a DMZ VPC.

Explore the Amazon Data Lifecycle Manager (DLM) to automate EBS snapshot and EBS-backed AMI creation with default and custom policies, scheduling retention, and cross-region disaster recovery.

Discover Amazon elastic file system (efs) as regional linux storage with mount targets, dns access, and nfs 4.x. Use posix permissions, storage classes (standard, infrequent access, archive), and throughput options.

Set up an AWS EFS file system, configure mount targets and security groups, mount it on EC2 instances using the console and CLI, then test file sharing and clean up.

Explore FSx for Windows File Server, a managed Windows file system with native SMB sharing across VPC, VPN, or Direct Connect, offering single or multi-AZ configurations and Active Directory integration.

Explore FSx for Lustre on AWS, a low-latency file system for speed-critical workloads with scratch or persistent deployments, SSD or HDD storage, integrated with S3 for data access and export.

Explore Amazon EC2 instance metadata and user data, compare Imds v1 and v2, and learn to use tokens and base64-encoded bootstrap scripts to configure instances at launch.

Explore EC2 placement groups, including cluster, spread, and partition options, to optimize high throughput, fault tolerance, and topology aware deployments across availability zones and racks.

Explore EC2 networking fundamentals, including private, public, and elastic IP addresses, and how network interfaces, security groups, and NAT concepts enable reliable connectivity.

Enable enhanced EC2 networking with ENI, ENA, ENA Express, and EFA via SR-IOV and RDMA to boost throughput, lower latency, and reduce CPU usage for HPC and ML workloads.

Use EC2 hibernate to store RAM on the encrypted root EBS volume for faster restarts; Linux up to 150 GB, Windows up to 16 GB, max 60 days.

Discover how AWS batch provides a fully managed solution that automatically provisions compute resources for batch jobs, using job definitions, queues, and VPC-bound compute environments.

Learn how relational databases on AWS organize data with tables, keys, and SQL, and compare EC2-hosted databases with AWS RDS and Aurora across engines like MySQL and PostgreSQL.

Learn how Amazon RDS provisions a fully managed relational database by engine and instance size, deployed in a VPC with a DB subnet group and multi-az.

Deploy a single mysql rds instance in a two-az subnet group via the aws management console, with a private vpc, inbound 3306, and a 20gb gp2 storage.

Master multi-az options in Amazon RDS for high availability with a primary and standby, synchronous replication, and standby backups. Explore multi-az clusters with read replicas and reader endpoints for failover.

Explore read replicas in Amazon RDS for load offloading and scalability. Understand asynchronous replication, promotion to primary, backups, RPO/RTO, and cross-region options.

Explore how Amazon RDS custom provides operating system access and admin control for Oracle and Microsoft SQL engines, offering a middle ground between EC2 and managed RDS.

Store and manage database credentials securely with AWS Secrets Manager, avoiding hard-coded secrets in code. Retrieve credentials dynamically via the AWS SDK, rotate them with Lambda, and integrate with RDS.

Explore how the RDS proxy reduces connection overhead by pooling and multiplexing connections. It also manages credentials with Secrets Manager, supports multi-az failover, and keeps apps within the VPC.

Explore Amazon Aurora, a MySQL and PostgreSQL compatible, cluster-based relational database in the RDS family, offering higher throughput and flexible endpoints for reads and writes.

Explore Aurora serverless concepts, ACU-based scaling, and the router fleet that enables seamless scaling for variable workloads, including version two with reader and writer DB instances, multi-AZ, and pay-per-second pricing.

Learn how Aurora global databases enable a single writer in primary region with read replicas across up to five secondary clusters in other regions, delivering low latency and RTO/RPO.

Explore AWS ElastiCache, an in-memory key-value cache that speeds read-heavy apps and stores session data. Learn cache miss and hit, serverless vs fine-grained clusters, and memcache vs Redis differences.

Explore DynamoDB, AWS's serverless NoSQL database, featuring flexible schema, primary key and sort key concepts, nested attributes, and capacity and consistency options for scalable modern apps.

Compare DynamoDB scan and query operations to understand retrieval patterns, costs, and how projection expressions, filter expressions, and read consistency affect performance.

Explore DynamoDB secondary indexes, including local secondary indexes and global secondary indexes, to query on alternate keys with projected attributes, improving efficiency over scans. Understand creation timing, limits, and consistency.

Discover how DynamoDB accelerator (Dax) speeds responses to microseconds with in‑memory item and query caches in a Dax cluster within your VPC, using TTL and right‑through writes.

Discover how DynamoDB streams track 24-hour item changes in an ordered sequence, recording key attributes, new images, old images, or both to trigger Lambda and drive business logic.

Explore DynamoDB global tables, a multi-master, multi-regional solution that replicates writes across regions within one second, handles conflicts with the last writer wins reconciliation, and scales with replicated capacity units.

Configure DynamoDB ttl to expire items with a unix epoch timestamp; it deletes them within days, incurs no write capacity, and notes stream deletions and replica charges for global tables.

Learn how Amazon Neptune, a fast, fully managed graph database on AWS, handles billions of relationships with millisecond queries, high availability, and use cases like fraud detection and knowledge graphs.

Explore Amazon Keyspaces, a serverless, managed Cassandra-compatible database on AWS. Scale NoSQL, key-value data with Cassandra query language statements across multiple AZs and pay-as-you-go pricing.

Learn the AWS database migration service (DMS): a fully managed tool to migrate on-premises or EC2 databases to AWS platforms like RDS, DynamoDB, and Redshift, enabling homogeneous migrations and CDC.

Understand how AWS elastic load balancers distribute traffic across targets in multiple availability zones via target groups and health checks, across application, network, gateway, and classic types.

Deploy an application load balancer in the AWS Management Console to perform round-robin traffic across two EC2 instances in subnets and availability zones, via a target group and health checks.

Discover how AWS auto scaling adjusts EC2 capacity to meet demand using CloudWatch metrics for responsive scaling. Learn about manual, dynamic, scheduled, and predictive policies, launch templates, and health checks.

Configure an auto scaling group in the AWS console to deploy two EC2 instances behind an application load balancer, using a launch template and a 40% CPU target tracking policy.

Build an auto scaling group with a launch template and two EC2 instances behind a load balancer, using target tracking policy and session manager for secure access.

Enable sticky sessions to bind a user’s session to a single instance behind an elastic load balancer, providing session affinity via load balancer cookies or application cookies with expiration.

Enable cross-zone load balancing to evenly distribute traffic across multiple availability zones, with uneven instance counts. This improves resilience by handling loss of instances while still recommending even instance distribution.

Explore aws elastic load balancer secure listeners and enforce encryption in transit with ssl and tls, covering ssl offload, bridging, and pass-through options for https traffic.

Explore how AWS auto scaling group lifecycle hooks pause scale out and scale in events to run custom actions during pending, waiting, and terminating phases, with heartbeat.

Build and deploy a minimum viable product for a three-tier recipe contest app on AWS, enabling public recipe submissions via a web form and a public gallery with newest-first display.

Design an AWS-based high-level architecture for an MVP contest web app, covering architecture review, components, data flow, security, cost, and stakeholder audiences.

Explore low level design for a customer web app, detailing VPC, security groups, RDS MySQL with Secrets Manager rotation, Flask API, S3-hosted code, auto scaling, and deployment scripts.

Update the VPC by enabling port 5000 in the web app security group for the load balancer; deploy a NAT gateway and route the main route table through it.

Create an S3 bucket with versioning to host the source code for your web app, upload the flask folder (including requirements.txt and build) for deployment to EC2 instances.

Configure a multi-az Amazon RDS MySQL database across two availability zones in the richer host VPC, using a db t3 micro and 20 gb storage in a private subnet group.

Enable Secrets Manager to rotate MySQL credentials for the multi-az RDS instance, using a Lambda rotation function and security group updates to permit MySQL traffic.

Create an EC2 IAM role with S3 full access, SSM managed instance core, and a Secrets Manager inline policy to retrieve a specific secret for cross-service communication.

Configure an application load balancer in public subnets, create a target group for the flask app on port 5000, and use an auto scaling group to register targets.

Configure a two-instance auto scaling deployment of the Ritual Roast web app behind a load balancer, using a launch template and region-specific AMI to serve recipes from MySQL.

Test high availability using the AWS management console by simulating EC2 failures and multi-AZ database failover to verify auto scaling, health checks, and seamless app operation across zones.

Terminate and clean up deployed resources after the capstone project in AWS, deleting load balancers, databases, secrets, Lambda functions, and auto scaling groups, while preserving the VPC for future capstones.

Explore containers as operating system virtualization on AWS, enabling lightweight, portable deployments that share the host kernel with Docker. Compare containers with virtual machines and support microservices.

Explore how Docker images are built from a Dockerfile into layered images, stored in a repository, and used to launch containers on Amazon Elastic Container Services.

Explore Amazon ECS, comparing EC2 and Fargate launch types, and learn to deploy a multi-tier app using Docker Hub or AWS ECR, task definitions, clusters, VPC, and auto scaling.

deploy a WordPress app on AWS ECS Fargate with a single task, creating a cluster and task definition, configuring a VPC and security groups, and testing accessibility via http.

Understand the Kubernetes architecture, including the control plane, etcd, scheduler, and nodes. See how pods run containers on workers and how AWS EKS integrates cloud provider logic.

Explore Amazon EKS part 2: compare ECS standard and auto mode architectures, understand managed vs self-managed nodes, Fargate, and storage options with CSI drivers for persistent storage.

Explore Amazon App Runner, a fully managed service that deploys containerized web apps and APIs from images or source code. It handles infrastructure and offers auto scaling, load balancing, health checks, VPC networking, and observability with AWS X-Ray.

deploy a simple nginx container with AWS App Runner from ECR Public Gallery, configure build, port, and networking for public or private access, and enable X-Ray observability and CloudWatch logs.