☁︎SAA-C03

Well-Architected & DR

AWS Well-Architected Framework — Concept

What it is

AWS Well-Architected Framework (WAF) = a set of principles & best practices for building secure, resilient, performant, cost-effective workloads on AWS. The exam expects you to recognize the six pillars and the language they use.

The 6 Pillars

  1. Operational Excellence — run and monitor systems; perform operations as code; small frequent reversible changes; refine procedures; learn from events. Tools: CloudFormation/CDK, CloudWatch, X-Ray, Systems Manager.

  2. Security — protect data, systems, assets; least privilege; defense in depth; encryption everywhere; traceability. Tools: IAM, KMS, GuardDuty, AWS WAF (the web application firewall, not the Framework), Shield, Secrets Manager, Config, CloudTrail.

  3. Reliability — recover from failures; auto-scale; test recovery; manage change automatically. Tools: Multi-AZ, ASG, Route 53 failover, AWS Backup, RDS Multi-AZ, S3 versioning, RDS PITR.

  4. Performance Efficiency — use the right instance types / DB / storage; experiment; monitor; serverless when possible. Tools: Compute Optimizer, ASG, CloudFront, ElastiCache, RDS Proxy.

  5. Cost Optimization — adopt consumption model; measure efficiency; analyze and attribute; use managed services; right-size. Tools: Cost Explorer, Budgets, Savings Plans, Spot, S3 lifecycle.

  6. Sustainability (added 2021) — minimize environmental impact; right-size; use managed services; choose efficient regions; archive cold data. Tools: same right-sizing + lifecycle + serverless.

Key cross-cutting principles

  • Design for failure — anything can fail; multi-AZ everywhere.
  • Decouple components — SQS, SNS, EventBridge, Step Functions.
  • Automate — IaC (CloudFormation/CDK), Auto Scaling, Lambda automation.
  • Implement least privilege — IAM roles & policies, scoped down.
  • Encrypt everywhere — at rest (KMS) + in transit (TLS / ACM).
  • Monitor everything — CloudWatch + CloudTrail + Config + GuardDuty.
  • Right size + use the right service — managed services often cheapest & most reliable.

Disaster recovery (DR) strategies — memorize

| Strategy | RTO / RPO | Cost | Description |
|---|---|---|---|
| Backup & Restore | Hours / Hours | $ | Backups in S3/Glacier, restore on demand |
| Pilot Light | 10s of min / minutes | $$ | Minimal scaled-down env always running |
| Warm Standby | Minutes / seconds | $$$ | Fully functional smaller env, scale up on failover |
| Multi-Site Active-Active | Seconds / 0 | $$$$ | Identical regions, traffic split |

AWS Well-Architected Tool

  • Console wizard for self-assessment; gives improvement items per workload.

Common exam scenarios

  1. "Cheapest DR" → Backup & Restore.
  2. "Active-active DR < 1 min RTO across regions" → Multi-Site / Aurora Global DB / DynamoDB Global Tables / Route 53 + Global Accelerator.
  3. "Reduce blast radius and apply least privilege" → Separate accounts (Orgs), IAM roles.
  4. "Improve cost without losing performance" → Right-size (Compute Optimizer), SP/RI, Spot, S3 lifecycle, gp3.
  5. "Highly available web app" → ASG across ≥ 2 AZs + ALB + Aurora Multi-AZ + S3 + CloudFront.
  6. "Detect security issues continuously" → GuardDuty + Inspector + Macie + Security Hub.

Exam tip

The WAF pillars almost always boil down to:

  • Multi-AZ + Auto Scaling + ELB for reliability.
  • IAM least privilege + KMS + GuardDuty for security.
  • Decoupling (SQS/SNS/EventBridge) + serverless for both reliability and cost.
  • Savings Plans + Spot + lifecycle for cost.
