Hands-On AWS Labs for Solutions Architect Candidates: Practical Projects That Mirror Exam Scenarios

If you’re studying for the AWS Certified Solutions Architect (Associate or Professional), reading and watching videos only gets you so far. The exam rewards decision-making under constraints—tradeoffs, cost awareness, security boundaries, and “what would you do next?” reasoning. That’s why hands-on AWS labs are the secret weapon: they turn AWS concepts into muscle memory and make the exam feel familiar.

This guide is a practical, exam-aligned lab playbook—built around AWS exam labs, hands-on practice, and real-world scenario prep. You’ll find deep-dive project ideas that mirror actual exam patterns, plus step-by-step approaches you can rebuild for consistent progress. If you pair these labs with a realistic study plan and careful cost controls, you’ll get the confidence that comes from repeatedly solving problems the same way the exam tests you.

Why “Labs” Matter More Than You Think for Solutions Architect

The Solutions Architect exams aren’t purely about definitions. They’re about selecting the best architecture based on requirements like availability, security posture, latency, scaling, operational burden, and cost. When you only study theory, you may understand services—but not how they behave together under real constraints.

Hands-on work changes that. It forces you to make design decisions while you’re actually configuring AWS components. You see what breaks, what takes time, what costs money, and how to recover—exactly the kinds of “scenario pressure” moments you’ll face on exam day.

What you gain from lab practice

• Service-to-service intuition: knowing how Route 53, ALB, IAM, VPC, Auto Scaling, and CloudWatch fit together.
• Security reflexes: practicing least privilege, encryption defaults, and safe network exposure.
• Cost realism: learning which choices explode costs and which ones stay exam-friendly.
• Troubleshooting confidence: debugging connectivity, performance bottlenecks, and access issues like a real architect.

Exam Scenario Patterns You Should Design Labs Around

To build labs that truly mirror exam scenarios, you need to recognize common patterns. Below are high-probability themes that show up frequently in both Associate and Professional-style thinking. Your labs will map directly to these.

High-frequency exam themes

• VPC architecture with public/private separation
• Load balancing and autoscaling
• Data storage choices (S3, EBS, EFS, DynamoDB, RDS)
• IAM and access patterns (roles, policies, least privilege)
• Observability (CloudWatch metrics/alarms/logs, tracing mindset)
• Security boundaries (KMS encryption, security groups, WAF, TLS)
• Resilience (multi-AZ design, failover strategy)
• Migration or modernization (lift-and-shift vs managed services)
• Operational requirements (maintenance windows, RTO/RPO, managed scaling)

If your lab projects hit these themes repeatedly, you’ll start seeing the exam questions as variations of designs you already practiced.

Lab Strategy: How to Build Muscle Memory Efficiently

You can absolutely do “random” labs, but you’ll progress faster with a strategy. The goal is not to click through tutorials; the goal is to internalize architecture patterns and their tradeoffs.

A repeatable lab workflow (the “architect loop”)

Use this loop for every project:

1. Requirements snapshot (2–3 minutes)
   • Identify: availability target, data sensitivity, traffic profile, scale assumptions, operational constraints.
2. Architecture sketch (5–10 minutes)
   • Draw a simple diagram: entry point → network → compute → data → observability → security controls.
3. Cost guardrails first
   • Choose minimal viable resources (small instance sizes, limited autoscaling ranges, careful logging retention).
4. Build with deliberate choices
   • Don’t just “use defaults.” Make decisions: subnets, security groups, encryption, IAM boundaries.
5. Add failure tests
   • Simulate: instance termination, security rule break, route misconfiguration, or IAM permission denial.
6. Validate using CloudWatch + logs
   • Prove the architecture works and can be monitored.
7. Write a short “exam note”
   • Summarize the key decisions and why alternatives were weaker.

This last step is underrated. Even a few bullet points per lab strengthens recall for both exam answer selection and timed reasoning.

Cost Control: Using the Free Tier Safely for Real Labs

Cost is the biggest reason candidates abandon labs midway. The good news: you can do serious hands-on practice on modest spend if you’re disciplined.

Start by using the AWS Free Tier safely and follow a “turn off after lab” mindset. Here’s the internal guide that should be your companion while doing these projects:

• How to Use the AWS Free Tier Safely for Exam Practice Without Blowing Your Budget

Practical cost guardrails (non-negotiables)

• Use small instance types (and stop them when not needed).
• Limit autoscaling to a small max capacity during labs.
• Set lifecycle policies for S3 test data.
• Lower log retention (or at least delete test log groups after).
• Avoid “always-on” NAT gateways unless required—use alternatives when possible.

If you follow these rules, you can run labs frequently instead of “saving up” for one giant expensive build.

Your Lab Environment Setup (Exam-Ready, Not Messy)

Before the projects, set up your workspace so every lab starts cleanly. This is also where candidates lose time—especially when they reuse accounts carelessly.

Recommended environment practices

• Use one AWS account for practice, but separate labs logically with tags.
• Add tags like:
  • Project, Owner, LabName, CostCenter, CreatedDate
• Create a lab admin IAM role with limited permissions and MFA enabled.
• Set up basic dashboards/alarms to confirm you can observe resources (even if you later delete them).

A “do this before building” checklist

• Confirm region(s) where you will operate.
• Ensure you understand where logs go (CloudWatch vs S3).
• Decide your target architecture style:
  • Public exposure only through a load balancer
  • Private app behind internal load balancer
• Confirm encryption settings and KMS involvement (especially for exams).

12 Hands-On AWS Lab Projects That Mirror Exam Scenarios

These projects are designed to be realistic and exam-aligned. Each one includes:

• Exam scenario it mirrors
• What to build
• What to test
• What to write down for exam recall
• Common pitfalls

You can do them in any order, but the sequence below gradually increases complexity.

Lab 1: Design a Public/Private VPC with Secure Routing and Observability

Exam scenario it mirrors

You’re given requirements for web access, restricted backend access, and monitoring expectations. You must choose subnet layout and security boundaries.

What to build (hands-on)

• Create a VPC with:
  • Public subnets in at least two AZs
  • Private subnets in at least two AZs
• Add:
  • Internet Gateway for public subnets
  • NAT Gateway or alternative for outbound from private subnets
• Deploy a simple web service architecture (can be a minimal EC2 behind a load balancer).

What to test

• From the internet: can you reach the web endpoint?
• From private instances: can you reach external endpoints?
• Check CloudWatch:
  • CPU and network metrics
  • Basic logs from your app container or EC2 user-data scripts
• Break one security group rule and confirm the expected failure mode.

Write down (exam recall)

• Why public subnets exist and what they host.
• Why private subnets host application or data tiers.
• How you’d explain NAT vs alternative approaches.

Common pitfalls

• Accidentally exposing the database in a public subnet.
• Missing required inbound rules for the load balancer to reach targets.
• Forgetting that private subnets without NAT can’t reach the internet for updates.

Lab 2: Route 53 + ALB Routing with Host-Based Rules

Exam scenario it mirrors

The exam often gives domain and routing requirements: host-based routing, TLS termination, and resilient DNS.

What to build

• Create a public Route 53 hosted zone (for practice use a domain you control or use a sandbox approach).
• Set up:
  • An Application Load Balancer (ALB)
  • Target groups for two “apps” (can be simple static responses)
  • Listener rules:
    • app1.example.com → Target Group 1
    • app2.example.com → Target Group 2

What to test

• Validate DNS resolution and routing behavior.
• Confirm:
  • Security groups allow ALB to reach targets
  • TLS settings on the listener (even with test certificates)
• Review ALB access logs (optional, but great learning).

Write down

• The relationship between DNS (Route 53), listener rules, and target groups.
• How to handle certificate association and what changes after ALB is introduced.

Common pitfalls

• Confusing security group rules between ALB and instances.
• Forgetting that routing relies on correct Host headers.

Lab 3: Autoscaling Web Tier with Application Load Balancer

Exam scenario it mirrors

You get traffic changes and scaling requirements. You must choose a scalable approach with controlled cost.

What to build

• Keep the ALB from Lab 2 (or build a minimal ALB again).
• Create:
  • Launch Template
  • Auto Scaling Group (ASG) across multiple AZs
• Use a simple health check endpoint.
• Choose conservative scaling settings (e.g., min = 1, max = 2–3 for exam-friendly cost).

What to test

• Trigger scale-out:
  • Generate load (even simple scripted requests)
  • Observe ASG scaling events
• Terminate an instance:
  • Confirm the target group health checks respond correctly
  • Verify replacement instance becomes healthy

Write down

• The difference between ALB health checks and EC2 health.
• How ASG reacts to load and health check failures.

Common pitfalls

• Wrong health check path leading to “unhealthy” targets.
• Security group rules blocking instance health checks from ALB.

Lab 4: IAM Least Privilege for a Typical App (S3 Read/Write + KMS)

Exam scenario it mirrors

A common exam theme: “A service needs access to data securely.” You must implement least privilege and encryption boundaries.

What to build

• Create an S3 bucket for app assets.
• Create a KMS key (or use a KMS-managed key pattern).
• Configure:
  • Bucket with encryption requirement
  • IAM role for app/EC2 with permissions scoped to:
    • s3:GetObject and/or s3:PutObject for a specific prefix
    • KMS key usage only for that bucket’s objects

What to test

• Confirm access works from your compute role.
• Attempt a forbidden action:
  • e.g., list the bucket if it’s not allowed
• Rotate the role permissions (remove one action) and validate what breaks.

Write down

• How IAM policies scope to resource ARNs and prefixes.
• Why encryption permissions (KMS) can break otherwise “correct” S3 permissions.

Common pitfalls

• Over-permissioning with s3:* across the entire account.
• Ignoring KMS permissions when bucket encryption uses a customer-managed key.

Lab 5: Private Data Tier with RDS or DynamoDB + Security Controls

Exam scenario it mirrors

Data tier requirements include confidentiality, network isolation, and availability. The exam expects you to place the data correctly and protect access.

What to build (choose one path)

• Path A (RDS):
  • Deploy an RDS instance in private subnets
  • Create security groups allowing access from the app tier only
• Path B (DynamoDB):
  • Create a DynamoDB table
  • Use IAM conditions (where applicable) and encryption at rest

What to test

• Confirm the data is not reachable from public networks.
• Confirm only the app security group can access the database endpoints.
• Validate app connectivity and failure handling.

Write down

• Networking isolation strategy (private subnet + SG restrictions).
• For DynamoDB: what IAM controls apply to actions and resources.

Common pitfalls

• Using 0.0.0.0/0 inbound rules to “make it work.”
• Not restricting security group inbound by the app tier security group.

Lab 6: Serverless API with API Gateway + Lambda + DynamoDB

Exam scenario it mirrors

The exam often tests whether you can choose serverless when requirements fit: scaling, reduced ops, and manageable cost.

What to build

• Create a Lambda function that writes/reads items from DynamoDB.
• Set up API Gateway:
  • REST API or HTTP API (for learning; match exam mindset)
  • Integrate methods (GET/POST)
• Add authentication (lightweight for practice):
  • At minimum, require IAM auth or use a simple authorizer if you’ve practiced it.

What to test

• Validate throttling behavior:
  • confirm you understand how API Gateway throttling affects calls
• Confirm IAM permissions for Lambda to DynamoDB.
• Check CloudWatch logs for request failures and missing permissions.

Write down

• When to choose Lambda/API Gateway vs EC2+ALB.
• The operational “surface area” differences.

Common pitfalls

• Granting overly broad DynamoDB permissions.
• Forgetting to examine CloudWatch logs when responses fail.

Lab 7: WAF + CloudFront for Secure Delivery (Protection Against Bad Traffic)

Exam scenario it mirrors

Security and edge protection: block common web attacks, protect an application, and handle HTTPS properly.

What to build

• Put a small web app behind CloudFront.
• Add WAF rules (managed rule sets are great for practice).
• Configure:
  • Allowed methods
  • Basic caching policy
  • TLS configuration

What to test

• Attempt a request pattern WAF should block.
• Verify CloudFront behavior:
  • caching headers
  • origin reachability
• Check logs or metrics to confirm WAF actions.

Write down

• WAF vs security groups vs application logic (and why each exists).
• Why CloudFront improves performance and reduces origin load.

Common pitfalls

• Confusing which rules apply at the edge vs origin.
• Not understanding that CloudFront caching can mask changes until invalidations.

Lab 8: End-to-End Event Processing with SQS + Lambda + Dead-Letter Queue

Exam scenario it mirrors

The exam tests asynchronous processing and reliability: handle failures, retry policies, and decouple components.

What to build

• Create an SQS queue.
• Create a Lambda function consuming messages.
• Add a DLQ to capture failed messages.
• Configure:
  • visibility timeout appropriately
  • retry behavior through queue/Lambda settings

What to test

• Send valid and invalid payloads.
• Ensure:
  • failures go to DLQ after configured retries
  • successful processing doesn’t duplicate unnecessarily

Write down

• How DLQs support reliability and auditability.
• The “at-least-once delivery” mindset.

Common pitfalls

• Setting visibility timeout too low, causing duplicate processing.
• Not inspecting DLQ messages when debugging.

Lab 9: Multi-Region-ish Resilience Pattern (Failover with Route 53 + Health Checks)

Exam scenario it mirrors

The exam may ask you to increase availability and design failover using managed routing and monitoring.

What to build (practice-friendly approach)

• Create two regional endpoints (can be two ALBs in separate regions or simplified endpoints).
• Use Route 53 health checks and failover routing policies.
• Configure DNS records for active/passive or weighted failover.

What to test

• Simulate endpoint failure (stop one target).
• Confirm Route 53 failover routing switches correctly (with observed propagation and health check intervals).
• Verify application availability remains within expected behavior.

Write down

• How health checks affect routing decisions.
• Why DNS failover isn’t instant but is still valuable.

Common pitfalls

• Expecting immediate failover without accounting for health check intervals and TTL.
• Not testing from a realistic client perspective.

Lab 10: Observability Deep Dive—CloudWatch Dashboards, Alarms, and Logs

Exam scenario it mirrors

You’re asked not just to build, but to operate: monitor key metrics, set alerts, and investigate issues.

What to build

• Create a CloudWatch dashboard with:
  • ALB request count / latency
  • EC2 CPU and network
  • Lambda errors (if applicable)
  • DynamoDB read/write throttles (if applicable)
• Create alarms:
  • high CPU
  • increased 5xx responses (ALB)
  • DLQ message count > 0

What to test

• Induce a controlled error:
  • temporarily block access or break an endpoint
• Confirm alarms trigger and logs contain the information you need.

Write down

• What metrics map to user impact.
• How you’d prioritize alerts based on severity and likely root causes.

Common pitfalls

• Setting alarms that never trigger or trigger too frequently.
• Not connecting alarms to actual runbooks (even if you write them as notes).

For troubleshooting-focused prep, use this internal link too:

• Troubleshooting AWS Architectures: Debugging Connectivity, Performance, and Security for Exam-Level Confidence

Lab 11: “Production-Style” Architecture from Requirements—Timeboxed Build

Exam scenario it mirrors

The exam gives a scenario with partial constraints and expects you to choose the most correct design. This lab trains that exact skill.

What to build

Take a realistic requirement set (you can reuse the ones below), then build within a strict timeframe like 60–90 minutes.

Example requirement set

• Company needs a secure website with autoscaling
• Data must be encrypted at rest
• Admin access restricted to corporate IP
• Must include logging and alarms
• Budget constraints: keep initial deployment small

How to execute

• 10 minutes: write your architecture choices and “why”
• 40–70 minutes: implement the minimum viable architecture
• 10–20 minutes: add CloudWatch and basic failure tests
• 5 minutes: final write-up

Write down

• Alternatives you rejected and why (e.g., why ALB vs NLB, why private DB, why serverless vs EC2 for this part).

Common pitfalls

• Overbuilding and missing the testing/validation component.
• Forgetting security and observability because you focused only on compute/storage.

For building bigger integrated setups, this internal guide helps:

• Building End-to-End Sample Architectures on AWS: From Requirements to Deployed Solution

Lab 12: Turn Real Exam Questions into Rebuildable Labs (Your Personal Scenario Library)

Exam scenario it mirrors

This is how top candidates study: they build a reusable library of architectures. Instead of repeating tutorials, they practice “recognize scenario → rebuild pattern → test.”

What to build

Pick 3–5 common exam scenarios (for example):

• “Secure web app with private database”
• “Event-driven async processing with retries”
• “API with scaling and low operations”
• “Multi-tier VPC with observability and restricted admin access”

Then turn them into rebuildable labs:

• same base architecture
• only one variable changed per lab (e.g., database type or auth method)

Write down

Create a one-page “scenario card” for each lab:

• Inputs (requirements)
• Chosen services
• Key configuration decisions
• Testing steps
• Common failure modes

Common pitfalls

• Rebuilding too many unique things with no pattern.
• Not testing failures (which weakens your exam confidence).

Use this internal link for more scenario-to-lab transformation ideas:

• Turning Common AWS Solutions Architect Exam Scenarios into Real Lab Exercises You Can Rebuild

Associate vs Professional: How to Adjust Lab Depth

Many candidates can pass the Associate exam with decent lab exposure. Professional requires deeper architectural thinking: more complex integrations, stronger security reasoning, and more explicit tradeoff analysis.

Associate lab focus (what to emphasize)

• Correct service selection
• Solid baseline VPC design
• IAM least privilege basics
• Reliable monitoring basics

Professional lab focus (what to emphasize)

• Multi-service orchestration and integration patterns
• Stronger security strategy:
  • defense in depth
  • encryption and access boundaries
  • least privilege with conditions
• Operational readiness:
  • runbooks, alarms mapping, failure recovery expectations
• Cost-performance tradeoffs that you can justify

When you move from Associate to Professional, keep the labs but increase the “architect reasoning layer.” That means more time spent on:

• alternatives (what you considered and why not)
• failure modes and how you’d detect them
• compliance-like constraints (even if not explicitly asked)

Expert Insights: What High-Scoring Candidates Do Differently

If you want exam-style performance, you need more than knowledge—you need a method. Here are patterns seen in candidates who consistently perform well.

1) They test like an architect, not like a tutorial follower

Every lab includes at least one failure:

• permissions denied
• instance terminated
• wrong security group
• DLQ trigger
• blocked outbound route

2) They keep a “decision log”

This is your personal advantage:

• What decisions did you make?
• What data did you observe?
• What surprised you?

A short decision log beats long notes.

3) They practice explaining tradeoffs out loud

Even 60 seconds per lab helps. For example:

• “I used private subnets for data tiers because…”
• “I chose ALB because host-based routing is required and…”

This mirrors how the Professional exam tests reasoning—conceptual clarity under constraints.

Troubleshooting Your Own Labs (So You Learn Faster)

Troubleshooting is where real learning happens. Instead of abandoning when something fails, treat failure as the lesson.

A practical troubleshooting rubric

When something breaks, ask:

• Connectivity
  • Can requests reach the intended endpoint?
  • Are security groups/network ACLs blocking?
• Identity & permissions
  • Does the role have required actions?
  • Are KMS permissions blocking encryption/decryption?
• Configuration mismatches
  • Are target groups pointing to the correct ports/path?
  • Are IAM policies scoped to the correct resource ARNs?
• Observability gaps
  • Are logs enabled?
  • Are you checking the correct region and log stream?

This is exactly why you should also practice targeted debugging with:

• Troubleshooting AWS Architectures: Debugging Connectivity, Performance, and Security for Exam-Level Confidence

How to Measure Lab Progress (Beyond “I Built It”)

A common mistake: candidates feel confident because the deployment succeeded once. The exam doesn’t care that you “got it working.” It cares that you understand the architecture and can adjust when conditions change.

Use these success metrics

• Can you rebuild the architecture from scratch?
  • within a timebox
• Can you predict what breaks when you change one variable?
  • subnet choice, security group rule, IAM permission, autoscaling limits
• Can you diagnose a problem using CloudWatch logs/metrics?
• Can you justify your design choices in 30–60 seconds?

If you can meet these goals, your lab time is producing exam-relevant competence.

Career ROI: How Labs Pay Off in Real Work (Not Just Exams)

Hands-on practice does more than boost scores. It directly improves your ability to:

• design architectures under constraints,
• collaborate with engineering and security teams,
• and troubleshoot production-like failures.

Employers often look for candidates who don’t just know AWS, but can think systemically. Labs train that thinking.

What hiring managers typically value

• Demonstrated understanding of security boundaries
• Ability to explain tradeoffs
• Practical experience with monitoring and failure handling
• Familiarity with AWS services as a system, not isolated tools

If you’re weighing study and career ROI, this mindset matters: labs can compress your learning curve and reduce the time it takes to become “useful” on day one.

Suggested 4-Week Lab Plan (Flexible, Budget-Friendly)

You can use this timeline whether you’re starting fresh or doing a refresh before the exam. Modify based on your available time.

Week 1: Baseline architecture + networking + monitoring

• Lab 1 (VPC with public/private + observability)
• Lab 2 (Route 53 + ALB routing)
• Add a small CloudWatch dashboard for your resources

Week 2: Scaling + security foundations

• Lab 3 (autoscaling web tier)
• Lab 4 (IAM least privilege + KMS/S3)
• Include one failure test (permissions or SG break)

Week 3: Data tier + serverless + event reliability

• Lab 5 (RDS or DynamoDB in private networks with SG/IAM restrictions)
• Lab 6 (API Gateway + Lambda + DynamoDB)
• Lab 8 (SQS + Lambda + DLQ)

Week 4: Hardening + scenario reasoning

• Lab 7 (CloudFront + WAF)
• Lab 10 (CloudWatch alarms + dashboards)
• Lab 11 or 12 (timeboxed requirements build + rebuildable scenario library)

This sequence ensures you repeatedly practice the “core exam spine”: networking, security, scaling, data, and observability.

Frequently Asked Questions (FAQ)

Are AWS labs enough to pass the Solutions Architect exam?

Labs are a major advantage, but you should pair them with exam-focused study. The strongest candidates combine:

• reading/understanding fundamentals
• hands-on lab repetition
• scenario reasoning practice

How do I avoid costs while doing many labs?

Use free tier carefully and implement hard shutdown routines. Keep autoscaling limits low, reduce log retention, and delete test resources when you finish each lab. Also follow guidance here:

• How to Use the AWS Free Tier Safely for Exam Practice Without Blowing Your Budget

What’s the best way to practice troubleshooting for the exam?

Deliberately break things and practice the investigation flow using CloudWatch logs, metrics, security group changes, and IAM policy checks. Start with:

• Troubleshooting AWS Architectures: Debugging Connectivity, Performance, and Security for Exam-Level Confidence

Final Takeaway: Build a Scenario Library, Not a Random Collection of Projects

If you remember one strategy, make it this: turn each learning experience into a reusable lab pattern. The exam is essentially pattern recognition—service selection and architecture reasoning under constraints.

So don’t just deploy once. Rebuild with small variations. Test failure modes. Document your decision logic. Over time, your brain will start answering exam questions the way a practicing Solutions Architect would: confidently, systematically, and with cost and security in mind.

When you’re ready to go deeper into integrated practice architectures and end-to-end builds, start with:

• Building End-to-End Sample Architectures on AWS: From Requirements to Deployed Solution