When someone signs up for SAA-C03 prep, they almost always walk in expecting Domain 1 — Design Resilient Architectures — to be the hardest. It is a heavily weighted domain (26%), it contains the Multi-AZ questions, and it sounds architecty. So that is where they spend the most time.

The data tells a different story. Across the 4,108 SAA-C03 full-length mock exams we have telemetry for, the domain with the lowest average score is not Domain 1. It is Domain 3 — Design Secure Applications and Architectures — and it is not close.

The numbers

Averaged across the cohort:

  • Domain 1 (Resilience, 26%): 72% correct
  • Domain 2 (High-performing, 24%): 69% correct
  • Domain 3 (Secure, 30%): 61% correct
  • Domain 4 (Cost-optimized, 20%): 74% correct

Domain 3 is also the largest-weighted domain on the exam since the 2022 refresh. Under-performing by 10+ points on 30% of the test is the most common reason people fail with a score in the 650–710 range — close to the 720 pass mark but short.

Why Domain 3 eats candidates

Three reasons, all structural.

1. The IAM subtopics are dense and interlocking

Candidates can memorize the existence of IAM roles, IAM users, groups, and policies. What they cannot memorize is the interplay: a permissions boundary sets a ceiling, an SCP sets an organizational ceiling, an explicit deny anywhere wins, a resource-based policy can grant access even without an identity-based policy. A realistic Domain 3 question will stack three of these at once, and if you only know one, you will fail it.

2. KMS is tested at a depth most study guides skip

The average study guide says "KMS stores keys." The exam asks about key policies vs grants, customer-managed vs AWS-managed vs AWS-owned keys, asymmetric keys for signing, key rotation, envelope encryption, cross-account key sharing, and which services can and cannot use customer-managed KMS keys. I have seen three full Domain 3 questions hinge on the subtle distinction between a grant and a key policy statement.

3. Networking-as-security is a whole second topic

Private subnets, NAT gateways, VPC endpoints (interface vs gateway), PrivateLink, the difference between a security group and a NACL, when a NACL's stateless behavior matters, VPC peering vs Transit Gateway for isolated environments — all of this lives inside Domain 3. Candidates who treat networking as Domain 1 (resilience) content miss it here.

What Domain 3 actually tests

Sampling our 156 Domain 3 items, the distribution is roughly:

  • 32% IAM (policies, roles, boundaries, SCPs, resource-based policies)
  • 24% KMS + encryption (in transit, at rest, envelope, key lifecycle)
  • 22% Networking security (private subnets, endpoints, NACLs vs SGs)
  • 10% Secrets / credential handling (Secrets Manager vs SSM Parameter Store)
  • 8% Monitoring + audit (CloudTrail, GuardDuty, Security Hub, Config)
  • 4% WAF, Shield, Firewall Manager

If your study plan has two hours on IAM and ten minutes on permissions boundaries, you are mis-allocated. The sub-topic weights matter.

How to close the 10-point gap

The plan I give people who are retaking after a close fail:

  1. Two evenings on IAM evaluation logic. Draw the evaluation tree for: identity-based + resource-based + SCP + permissions boundary + session policy. Hand-trace a "who can access what" scenario until you can do it from memory. This alone is worth 5–6 percentage points.
  2. One evening on KMS. Make a comparison table of: customer-managed vs AWS-managed vs AWS-owned. Then one of: key policy vs grant vs IAM policy. These two tables cover 80% of KMS questions.
  3. One evening on VPC endpoints. When do I use a gateway endpoint? When an interface endpoint? When PrivateLink? What does each one cost? The answer for exam purposes is almost always about cost or traffic isolation.
  4. Practice 100 Domain 3 questions, tagged. Not mixed. Pure Domain 3. You want to internalize the shape of these questions, which is different from Domain 1 or 2.
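The evaluation-tree drill in step 1, and the IAM interplay described earlier (explicit deny wins, SCP and permissions boundary act as ceilings, a resource-based policy can grant on its own), worked as code. This is an added example, not from the article or from AWS: a deliberately simplified same-account model with no Condition elements and no session policies, and the policies and bucket name are constructed for the scenario.

```python
# Simplified IAM policy-evaluation tracer (added example; same-account model).
# Rules modelled: explicit Deny anywhere wins; SCP must Allow; a resource-based
# Allow grants on its own; identity-based Allow counts only inside the boundary.
from fnmatch import fnmatchcase

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, action, resource):
    """True if a statement's Action/Resource patterns cover the request."""
    acts = _as_list(stmt["Action"])
    res = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action, a) for a in acts)
            and any(fnmatchcase(resource, r) for r in res))

def _effects(policy, action, resource):
    """Effects ({'Allow', 'Deny'}) of the statements matching the request."""
    return {s["Effect"] for s in policy.get("Statement", []) if _matches(s, action, resource)}

def evaluate(action, resource, identity=None, resource_based=None, scp=None, boundary=None):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request.
    Principal matching in the resource-based policy is assumed already done."""
    policies = [p for p in (identity, resource_based, scp, boundary) if p]
    # 1. An explicit Deny in any applicable policy wins outright.
    if any("Deny" in _effects(p, action, resource) for p in policies):
        return "EXPLICIT_DENY"
    # 2. Organizational ceiling: if an SCP applies, it must allow the action.
    if scp is not None and "Allow" not in _effects(scp, action, resource):
        return "IMPLICIT_DENY"
    # 3. A resource-based policy can grant without any identity-based policy
    #    (modelled here as not limited by the permissions boundary).
    if resource_based and "Allow" in _effects(resource_based, action, resource):
        return "ALLOW"
    # 4. Identity-based Allow is capped by the permissions boundary ceiling.
    ident_ok = identity is not None and "Allow" in _effects(identity, action, resource)
    bound_ok = boundary is None or "Allow" in _effects(boundary, action, resource)
    return "ALLOW" if ident_ok and bound_ok else "IMPLICIT_DENY"

# Constructed scenario stacking three policy types (bucket name is made up):
# identity policy allows s3:* on the bucket, boundary permits only GetObject,
# SCP allows everything but explicitly denies DeleteObject org-wide.
BUCKET_OBJ = "arn:aws:s3:::example-bucket/report.csv"
IDENTITY = {"Statement": [{"Effect": "Allow", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::example-bucket/*"}]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
SCP = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                     {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}
```

Tracing `s3:GetObject`, `s3:PutObject` and `s3:DeleteObject` against the constructed scenario gives allow, implicit deny (boundary) and explicit deny (SCP) respectively, which is the three-policy stacking the article warns about.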

That plan, executed in one week, is worth about 8 percentage points on a retake. I have measured it across retakers over three months.

One counter-intuitive finding

Domain 4 (Cost) has the highest average score (74%) despite being where most people think they will lose points. Reason: cost questions usually have one clearly cheaper answer once you know the storage classes and the pricing tiers. The distractors are weaker, because "cheapest" is a less subjective criterion than "most secure." If you are time-constrained, spend less time on Domain 4 than the blueprint suggests.

The pattern generalizes

This is not unique to SAA-C03. On CISSP, Domain 3 (Security Architecture) is the hardest. On Azure AZ-305, "Design data storage" under-performs in our question bank. On GCP PCA, "Designing for security and compliance" sits 12 points below average. Security-focused domains are almost always the lowest-scoring domains on non-security certs, because they require specific depth on a large surface area.

If you are about to sit SAA-C03, spend next week's study time where the scoring gap actually is. Domain 1 is tractable. Domain 3 is where the points go to die.