Use this glossary when SAA-C03 questions feel wrong mostly because the AWS terms are too close to each other. The exam is full of options that are technically related but architecturally different.
Core terms
- Availability Zone (AZ): One or more discrete data centers within a Region. Multi-AZ design protects against one-AZ failure, not full-Region failure.
- AWS Backup: Central backup service that can coordinate backup plans across supported AWS resources. It is about recovery and retention, not live failover.
- Gateway endpoint: Private access path for S3 or DynamoDB from a VPC without using a NAT gateway.
- Interface endpoint / PrivateLink: Private access path to many AWS or partner services by placing ENIs in your subnets.
- IAM role: Temporary-credential identity assumed by people, services, or workloads. In architecture scenarios, a role is usually the better answer than long-term access keys.
- Intelligent-Tiering: S3 storage-class option that automatically moves objects between access tiers when the access pattern is uncertain.
- KMS key policy: Resource policy on a KMS key. IAM permission alone might still not be enough if the key policy blocks use.
- Least privilege: Grant only the permissions required for the task, at the narrowest workable scope.
- Multi-AZ: High-availability deployment pattern inside one Region. It is not the same thing as global disaster recovery.
- NAT gateway: Managed outbound internet path for private subnets. One-per-AZ is the usual resilient architecture choice.
- Origin Access Control (OAC): CloudFront mechanism for private access to S3 origins without making the bucket public.
- Requester Pays: S3 access option that shifts request and data-transfer charges to the requester, useful only when the business model fits.
- Pilot light: Disaster recovery pattern where core components stay ready in a secondary Region, but full scale is activated only during failover.
- Read replica: Database copy used mainly for read scaling and sometimes DR. It is not a direct substitute for synchronous Multi-AZ protection.
- Recovery Point Objective (RPO): Maximum acceptable data loss measured in time.
- Recovery Time Objective (RTO): Maximum acceptable time to restore service after disruption.
- Route table: VPC routing rule set that decides where traffic goes next.
- Service control policy (SCP): AWS Organizations guardrail that sets an upper permission boundary for accounts or OUs.
- Savings Plans: Flexible pricing commitment that reduces compute cost across supported usage patterns.
- Security group: Stateful virtual firewall applied to ENIs and resources such as EC2 or ALB.
- SQS: Queue service used to buffer work and decouple producers from consumers.
- STS: AWS Security Token Service. Frequently appears in cross-account and assumed-role patterns.
- Transit Gateway: Hub service for connecting multiple VPCs and on-premises networks with transitive routing.
- Warm standby: Disaster recovery pattern with a scaled-down but running copy in another Region, faster to promote than pilot light.
Commonly confused pairs
| Pair | What actually differs |
|---|---|
| Multi-AZ vs read replica | Multi-AZ protects availability. Read replicas primarily scale reads and can support DR patterns. |
| Pilot light vs warm standby | Pilot light keeps only the core pieces warm. Warm standby runs a smaller but already functional environment. |
| Gateway endpoint vs interface endpoint | Gateway endpoints are only for S3 and DynamoDB. Interface endpoints are broader and cost differently. |
| Security group vs network ACL | Security groups are stateful and usually the primary control. NACLs are stateless subnet-level filters. |
| CloudFront vs Global Accelerator | CloudFront is HTTP-focused edge caching and acceleration. Global Accelerator provides static anycast IP entry points for TCP or UDP traffic. |
| ALB vs NLB | ALB is Layer 7 and supports host or path routing. NLB is Layer 4 and fits high-throughput or static-IP style needs. |
| RDS Proxy vs read replica | RDS Proxy manages database connections. A read replica handles read scaling or some DR use cases. |
| SCP vs IAM policy | SCP defines the maximum allowed permissions for the account context. IAM policy grants or denies permissions to a principal within that boundary. |
| Spot vs Savings Plans | Spot is unused-capacity pricing with interruption risk. Savings Plans are commitment discounts for predictable usage. |
| SQS vs SNS vs EventBridge | SQS buffers work, SNS fans out notifications, and EventBridge routes events between producers and consumers. |
| AWS Backup vs snapshot | AWS Backup coordinates policy and retention across supported services. A snapshot is one service-level recovery artifact. |
| Intelligent-Tiering vs Standard-IA | Intelligent-Tiering adapts when access is uncertain. Standard-IA is better when you already know the access pattern has cooled. |
| EBS vs EFS vs FSx | EBS is block storage for one instance pattern, EFS is shared elastic file storage, and FSx is managed file-system families for specific workloads. |
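The security group vs network ACL row is the pair most often missed in practice, because the difference only shows up on return traffic. The following is an added example written for this glossary, not AWS code: it simulates an instance opening an HTTPS connection to the internet and checks the request and its reply against a stateless NACL (numbered rules, first match wins, implicit deny) and a stateful security group (an allowed flow's reply passes without an inbound rule). Packets, rule sets and the ephemeral port are constructed; real NACLs keep separate inbound and outbound rule lists, which is modelled here with a direction field.

```python
"""Stateful security group vs stateless NACL on an HTTPS round trip.

Constructed simulation for the glossary; not AWS code. Only TCP destination
ports are modelled, which is enough to show where the two controls differ.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                        # "in" or "out" relative to the ENI/subnet
    proto: str
    port: int                             # destination port on the receiving side
    reply_to: Optional["Packet"] = None   # set when this packet answers an earlier one


@dataclass(frozen=True)
class Rule:
    number: int                           # NACL rule number; ignored for SG rules
    direction: str
    proto: str
    port_from: int
    port_to: int
    action: str                           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto in (pkt.proto, "all")
                and self.port_from <= pkt.port <= self.port_to)


def nacl_decision(rules, pkt: Packet) -> bool:
    """Stateless: every packet, replies included, is checked against numbered
    rules in ascending order; the first match wins and no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


def sg_decision(rules, pkt: Packet, tracked_flows: set) -> bool:
    """Stateful: a reply to a flow the group already allowed is permitted
    without any inbound rule. SG rules are allow-only and unordered."""
    if pkt.reply_to is not None and pkt.reply_to in tracked_flows:
        return True
    allowed = any(r.matches(pkt) for r in rules)
    if allowed:
        tracked_flows.add(pkt)
    return allowed


def https_round_trip(nacl_rules, sg_rules):
    """Instance opens HTTPS outbound. Returns (request_allowed, reply_allowed)
    after both the NACL and the security group have been consulted."""
    request = Packet("out", "tcp", 443)
    reply = Packet("in", "tcp", 49152, reply_to=request)   # constructed ephemeral port
    flows = set()
    request_ok = nacl_decision(nacl_rules, request) and sg_decision(sg_rules, request, flows)
    reply_ok = nacl_decision(nacl_rules, reply) and sg_decision(sg_rules, reply, flows)
    return request_ok, reply_ok


# Constructed rule sets
NACL_443_ONLY = [
    Rule(100, "out", "tcp", 443, 443, "allow"),
    Rule(100, "in", "tcp", 443, 443, "allow"),      # inbound 443 only; no ephemeral range
]
NACL_WITH_EPHEMERAL = NACL_443_ONLY + [
    Rule(110, "in", "tcp", 1024, 65535, "allow"),   # lets the reply back in
]
SG_EGRESS_443 = [Rule(0, "out", "tcp", 443, 443, "allow")]

if __name__ == "__main__":
    print("NACL without ephemeral allow:", https_round_trip(NACL_443_ONLY, SG_EGRESS_443))
    print("NACL with ephemeral allow:   ", https_round_trip(NACL_WITH_EPHEMERAL, SG_EGRESS_443))
    print("SG with no egress rule:      ", https_round_trip(NACL_WITH_EPHEMERAL, []))
```

The first scenario is the classic symptom: the request leaves, the security group would accept the reply because it remembers the flow, but the stateless NACL drops the reply on the ephemeral port. Adding the inbound ephemeral-range rule fixes it, and removing the security group's egress rule blocks the connection at the first hop regardless of the NACL.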
Fast reminders for exam day
- If the option says private subnets need S3 or DynamoDB, think gateway endpoint before NAT.
- If the option says cross-account access, think role assumption before access keys.
- If the option says organization-wide restriction, think SCP before only editing one IAM policy.
- If the option says must survive AZ failure, think Multi-AZ or multi-AZ service placement before only adding a read replica.
- If the option says public web routing with host or path rules, think ALB.
- If the option says static IPs, TCP/UDP, or extreme throughput, think NLB.
- If the option says uncertain S3 access pattern, think Intelligent-Tiering before guessing one colder class.
When the terms still feel noisy, go back to the domain chapters and ask a simpler question: what problem is this service actually solving in the architecture?