CCNA to AWS SAA-C03 study plan: four-month bridge | Pruvos — Pruvos

Candidates who come from a Cisco networking background have a real head start on AWS Solutions Architect Associate. They already understand routing, NAT, DNS, VPNs, subnets, and security boundaries at the level the exam needs. They also have three weak spots that show up consistently in mock scores. Over the last year I have coached 14 network engineers through the CCNA → SAA-C03 bridge, and the plan is pretty stable now. Here it is.

What you already know

If you hold a current CCNA, you already have working knowledge of:

Subnets, CIDR notation, and route tables
NAT (and therefore NAT gateways)
DNS resolution and DHCP (which maps to Route 53 and DHCP option sets)
Stateless vs stateful firewalls (NACLs vs security groups)
VPNs and IPsec basics
Load balancing concepts (L4 vs L7)

That is roughly 40% of Domain 1 and much of Domain 3. Your baseline score on those sections, even without AWS-specific study, is already 55–60%.

The three weak spots

From mock-exam data, network engineers coming in fresh under-perform consistently in three areas:

1. AWS-managed services that substitute infrastructure

CCNA teaches you how things work under the hood. SAA-C03 tests you on when to pick a managed service instead of running the infrastructure yourself. Network people default to "I'd run this on EC2 with Linux," and the exam wants "use the managed service." Every time.

Examples:

File servers → FSx (not EC2 with Samba)
DNS → Route 53 (not BIND on EC2)
Load balancer → ALB/NLB (not HAProxy on EC2)
NAT → NAT Gateway (not NAT instance)

2. Storage tiering

CCNA touches storage only lightly. SAA-C03 has an entire sub-domain on S3 storage classes, EBS volume types, EFS performance modes, and when to pick each. This is where network-to-cloud candidates lose the most points.

3. Serverless and event-driven patterns

Lambda, SQS, SNS, EventBridge — the "decouple this synchronous call" pattern from my earlier SAA-C03 patterns piece. If your experience is wiring networks, not building applications, this sub-topic is entirely new.

The four-month plan

At 8 hours/week total study time:

Month 1: AWS fundamentals, biased to your strengths

Week 1: VPC deep dive. Draw subnets, route tables, IGWs, NAT GWs, VPC endpoints. You will finish this in a third of the time a non-networker would take. Use the spare time to memorize CIDR ranges for the AWS private IP spaces.
Week 2: Compute basics. EC2 types, Auto Scaling, ELB (ALB vs NLB vs GLB). Focus on when to pick each load balancer flavor — this is the network-engineer sweet spot on the exam.
Week 3: Storage. S3 storage classes (memorize the five-tier hierarchy cold), EBS volume types, EFS vs FSx vs EFS. This is the weak-spot month.
Week 4: IAM. Users, groups, roles, policies. Pay attention to permission boundaries and SCPs — those are new mental models, not networking-adjacent.

Month 2: Services layer + the three weak spots

Week 5: Databases. RDS (engines, Multi-AZ, read replicas), Aurora, DynamoDB, ElastiCache. Know when to pick each.
Week 6: Serverless. Lambda, API Gateway, SQS, SNS, EventBridge. This is the big weak-spot week — budget time here.
Week 7: Monitoring + automation. CloudWatch, CloudTrail, Config, Systems Manager, CloudFormation. Shallower coverage is fine.
Week 8: Security services. KMS, Secrets Manager, WAF, Shield, GuardDuty, Macie. KMS deserves a full evening.

Month 3: Practice, gap-filling, and domain 3 deep dive

Week 9: First full-length mock, untimed. Review every question, tag by domain, identify weak domain.
Week 10: Drill weakest domain with 100 targeted questions.
Week 11: Second full-length mock, timed. Review.
Week 12: Drill second-weakest domain with 100 targeted questions.

Month 4: Exam readiness

Week 13: Third full-length mock. Should be scoring 800+ by now.
Week 14: Fourth full-length mock. Review every wrong answer in depth.
Week 15: Lighter week. 20 questions/day, no new topics. Review notes.
Week 16: Exam week. One full-length 4 days out, then light review only until exam day.

Total: ~128 hours across 16 weeks. That assumes you are in full-time work and have 8 hours/week to spare.

The counterintuitive advice

Do not re-study networking. You know it. Every week you spend reviewing VPC topology is a week you are not spending on storage, Lambda, or Domain 3 security stacking. I see network engineers spend 30% of their study time on VPC and 5% on Lambda because VPC is comfortable. Flip that ratio.

The mock-score profile for a CCNA-bridged candidate, from the 14 I coached through this plan:

Domain 1 (Resilience): 78% average
Domain 2 (Performance): 72% average
Domain 3 (Security): 64% average
Domain 4 (Cost): 70% average

Pass rate: 12 of 14 on first attempt. The two who failed both re-took within 60 days and passed on attempt two. The median score among first-time passers was 798.

What happens after SAA-C03

Network engineers who pass SAA-C03 are in a strong position for:

AWS Advanced Networking Specialty (ANS-C01). This is your deep-end cert. Most CCNA/CCNP holders find this easier than SAA-C03 once they clear SAA.
AWS Security Specialty (SCS-C03). Less networking-native but the groundwork is there.
Azure AZ-700 or AZ-104. If your job requires multi-cloud, AZ-700 is the networking-specific Azure path.

Do not skip SAA-C03 even if your end goal is ANS-C01. AWS recommends the associate first, the market recognizes it as the gateway credential, and it fills in the compute/storage/security gaps that ANS-C01 assumes you know.

Four months, 128 hours, targeted at your weak spots. If you have CCNA and you are starting this weekend, you can be SAA-C03 certified by the middle of August.

Practice what you just read

Pruvos has 28,000+ exam-grade questions across 73 certifications.

Every question tagged by trap type. Free tier works without signup.

Browse certifications →