Practice questions · IT & Cloud
AWS Solutions Architect – Associate (SAA-C03): Practice Questions
Original, scenario-based practice questions for the AWS Certified Solutions Architect – Associate (SAA-C03). Each answer is explained, including why the other options are wrong. Filter by domain or difficulty. These are concept checks - not real exam questions.
Answered 0 · Correct 0
-
An application on EC2 needs read-only access to one S3 bucket. What is the most secure way to grant it?
Correct answer: B. An IAM role on the instance provides temporary, rotated credentials scoped to exactly what is needed. Embedding access keys risks leaking long-lived credentials; making the bucket public is insecure; root credentials should never be used by applications. -
Which approach encrypts objects at rest in Amazon S3 with the least operational overhead?
Correct answer: C. Server-side encryption (SSE-S3 or SSE-KMS) encrypts objects at rest automatically. Client-side-only encryption adds overhead and key burden; public buckets are not about encryption; TLS protects data in transit, not at rest. -
You must give an application temporary, automatically rotated AWS credentials. Which service issues them?
Correct answer: C. STS issues short-lived, temporary credentials (often via roles). S3 is storage; Config tracks resource configuration; SES is email - none issue credentials. -
How should an application store a database password securely on AWS?
Correct answer: C. Secrets Manager stores and rotates secrets, retrieved securely at runtime. Hardcoding, public storage and email all expose the secret. -
You want resources in a private subnet to reach Amazon S3 without traversing the public internet. What do you use?
Correct answer: D. A VPC gateway endpoint routes S3 traffic privately within AWS. An Internet Gateway and Elastic IPs send traffic over the public internet; a NAT Gateway is for outbound internet access, not private S3 access. -
Which is a security best practice for the AWS account root user?
Correct answer: B. The root user should have MFA and be reserved for the few tasks that require it. Daily use, sharing, and root access keys all increase risk; use IAM roles/users instead. -
A web app must stay available even if an entire Availability Zone fails. What is the core design choice?
Correct answer: A. Spreading across multiple AZs survives a single-AZ failure. One instance or one AZ is a single point of failure; disabling health checks removes the mechanism that reroutes traffic. -
A producer service occasionally overwhelms a slower consumer. Which service best decouples them?
Correct answer: C. An SQS queue buffers messages so the consumer processes at its own pace. CloudFront is a CDN; IAM is access control; Route 53 is DNS - none decouple producer and consumer. -
To handle variable load automatically while staying available, you should combine an Elastic Load Balancer with:
Correct answer: C. An ELB plus an Auto Scaling group of stateless instances adds/removes capacity with demand and spreads traffic. A fixed instance or manual scaling cannot react automatically; a larger volume addresses storage, not scaling. -
You need an RDS database to fail over automatically to a standby if the primary fails. What do you enable?
Correct answer: D. RDS Multi-AZ maintains a standby in another AZ and fails over automatically. A read replica scales reads but is not automatic failover; instance size and S3 versioning are unrelated. -
Which service sends the same notification to many subscribers (fan-out) such as email, SQS queues and Lambda?
Correct answer: C. SNS publishes a message to multiple subscribers (fan-out). EBS is block storage; KMS manages keys; Athena queries data in S3. -
An e-commerce site has heavy, repeated read queries slowing its database. What improves read performance most directly?
Correct answer: A. ElastiCache (Redis/Memcached) serves frequent reads from memory, offloading the database. S3 class and MFA are unrelated; a smaller instance would reduce performance. -
Users worldwide complain that static assets load slowly. Which service reduces latency?
Correct answer: B. CloudFront is a CDN that caches content at edge locations near users. Secrets Manager, SQS and Config do not address content-delivery latency. -
Which storage is best for serving large numbers of static objects with high durability and virtually unlimited scale?
Correct answer: B. S3 is highly durable, massively scalable object storage ideal for static assets. EBS is per-instance block storage; instance store is ephemeral; EFS is a shared file system, less suited to web-scale object serving. -
You need to ingest and process a high-throughput stream of clickstream data in near real time. Which service fits?
Correct answer: A. Kinesis ingests and processes streaming data at scale. Glacier is cold archival storage; IAM is access control; Route 53 is DNS. -
Which read scaling option offloads read traffic from a relational primary without providing automatic failover?
Correct answer: C. Read replicas scale read traffic but are not an automatic-failover mechanism. Multi-AZ provides failover (not read scaling); Auto Scaling and Elastic IPs are unrelated to database reads. -
Data is accessed rarely but must be retrievable within hours when needed. Which S3 option is most cost-effective?
Correct answer: B. S3 Glacier archival tiers are the cheapest for rarely accessed data tolerant of slower retrieval. S3 Standard costs more for hot data; EBS and instance store are block/ephemeral storage, not archival. -
A workload runs 24/7 at a steady, predictable level for the next three years. Which pricing reduces cost most?
Correct answer: C. Reserved Instances or Savings Plans give a large discount for committed, steady usage. On-Demand is full price; Spot is cheap but interruptible (wrong for steady critical load); Dedicated Hosts at list price are the most expensive. -
A fault-tolerant batch job can be interrupted and resumed. Which compute option is cheapest?
Correct answer: C. Spot Instances offer the deepest discount and suit interruptible, fault-tolerant work. Reserved and On-Demand cost more; Dedicated Hosts are the most expensive and unnecessary here. -
Which combination avoids paying for idle capacity while handling demand spikes?
Correct answer: B. Auto Scaling with right-sized instances matches capacity to demand, avoiding idle spend. Permanent over-provisioning and a huge always-on instance waste money; quarterly manual scaling cannot follow spikes. -
Which tools help you monitor and control AWS spend?
Correct answer: C. Cost Explorer analyses spend and Budgets alerts on thresholds. IAM/KMS are security, SQS/SNS are messaging, and EBS/EFS are storage - none are cost-management tools. -
A private-subnet application needs outbound internet access for updates but must not be reachable from the internet. What do you use?
Correct answer: A. A NAT Gateway allows outbound-only internet access for private subnets. An Internet Gateway or public IPs would make instances reachable inbound; VPC peering connects VPCs, not the internet. -
Which AWS service lets you centrally manage user identities and their permissions?
Correct answer: A. IAM manages identities and permissions. S3 is storage, CloudFront a CDN, and Lambda runs code. -
To filter common web exploits such as SQL injection at the application layer, you place which service in front of your app?
Correct answer: C. AWS WAF inspects and filters web requests. RDS is a database, SQS a queue, and Glue an ETL service. -
To distribute incoming traffic across multiple EC2 instances in several Availability Zones, you use:
Correct answer: A. An Elastic Load Balancer spreads traffic across instances and AZs. A single Elastic IP points to one instance; health checks and S3 do not balance load. -
Which service is a fully managed, multi-region, low-latency NoSQL store that scales on demand?
Correct answer: B. DynamoDB with global tables is managed, multi-region NoSQL. Redshift is a data warehouse, EBS is block storage, and a single EC2 DB is neither managed nor multi-region. -
To reduce read load on a relational database using an in-memory cache, you use:
Correct answer: D. ElastiCache caches frequent reads in memory. Glacier is cold storage, Snowball moves bulk data physically, and SES sends email. -
Which service runs code without provisioning servers, scaling automatically with the number of requests?
Correct answer: C. Lambda is serverless and scales per request. EC2 needs managed instances, EBS is storage, and Direct Connect is a network link. -
To automatically move infrequently accessed S3 objects to cheaper storage classes over time, you configure:
Correct answer: B. S3 Lifecycle policies transition or expire objects on a schedule to cheaper tiers. A security group is a firewall, an Auto Scaling group manages compute capacity, and a NAT gateway provides outbound internet - none manage storage tiers. -
Which service gives recommendations to reduce cost and improve performance, security and fault tolerance across your account?
Correct answer: C. Trusted Advisor inspects your account and recommends improvements. CloudFront is a CDN, Shield is DDoS protection, and Athena queries data in S3. -
A team wants to grant developers permission to start and stop EC2 instances but never to delete them. What is the cleanest way to express this?
Correct answer: C. An IAM identity policy that allows ec2:StartInstances and ec2:StopInstances while not granting ec2:TerminateInstances expresses least privilege precisely. AdministratorAccess grants far more than needed; the root password must never be shared; a security group is a network firewall and does not control API permissions. -
Which AWS feature lets you require a one-time code from a hardware or virtual device in addition to a password when signing in?
Correct answer: B. MFA adds a second factor (a time-based code) on top of the password, greatly reducing the risk of stolen credentials. A security group filters network traffic; an S3 bucket policy controls object access; a CloudFront signed cookie restricts content delivery - none add a sign-in second factor. -
You need to encrypt traffic between users' browsers and an Application Load Balancer. What do you attach to the load balancer's HTTPS listener?
Correct answer: A. An HTTPS listener terminates TLS using a certificate, and AWS Certificate Manager can provision and renew it for free. A NAT gateway provides outbound internet for private subnets; an IAM role grants API permissions; a Route 53 hosted zone holds DNS records - none encrypt the browser-to-ALB connection. -
Which service stores and automatically rotates database credentials so applications never hold a static password?
Correct answer: D. Secrets Manager stores secrets, rotates them on a schedule, and serves them to applications at runtime through the API. CloudWatch collects metrics and logs; Route 53 is DNS; CloudTrail records API calls - none manage or rotate application secrets. -
A compliance rule says every API call in the account must be recorded for later audit. Which service produces that record?
Correct answer: B. CloudTrail logs management and (optionally) data API activity across the account for audit and forensics. SNS is pub/sub messaging; EFS is shared file storage; Batch runs batch compute jobs - none provide an API audit trail. -
Which statement about IAM groups is correct?
Correct answer: D. An IAM group is simply a collection of users that share attached policies, which simplifies permission management. Groups cannot assume roles, have no credentials of their own, and cannot sign in - only users (or roles) have those capabilities. -
To block all inbound traffic to an EC2 instance except HTTPS from anywhere, you configure:
Correct answer: D. A security group is a stateful instance-level firewall; allowing only inbound TCP 443 permits HTTPS and implicitly denies everything else inbound. An S3 bucket policy governs object access; a Route 53 alias record is DNS; an IAM permission boundary caps identity permissions - none filter instance network traffic. -
Which approach keeps data confidential while it travels over the public internet to your application?
Correct answer: D. TLS (HTTPS) encrypts data in transit so it cannot be read if intercepted on the network. S3 versioning protects against overwrites at rest; instance size affects performance; Auto Scaling adjusts capacity - none protect data while it is in transit. -
Which service lets you create and centrally control the encryption keys used by many AWS services?
Correct answer: A. KMS creates, stores, and controls access to encryption keys, and integrates with services such as S3, EBS, and RDS. SQS is a message queue; CloudFront is a CDN; Step Functions orchestrates workflows - none manage encryption keys. -
A new employee should have no permissions until explicitly granted. Which IAM default supports this?
Correct answer: D. IAM is deny-by-default: a new identity can do nothing until a policy explicitly allows an action. IAM never allows-by-default, never grants admin automatically, and does not copy another user's permissions - all of which would be insecure. -
An application running on ECS tasks needs to read from a specific DynamoDB table. What is the recommended way to provide access?
Correct answer: A. An ECS task role delivers temporary, automatically rotated credentials scoped to exactly the required table actions. Baking access keys into an image risks leaking long-lived credentials; DynamoDB tables are not made public; admin credentials in env vars are over-privileged and easily exposed. -
You must ensure that objects uploaded to an S3 bucket are always encrypted with a specific KMS key, rejecting any unencrypted upload. What enforces this?
Correct answer: C. A bucket policy can deny uploads that lack the expected server-side-encryption header, forcing all writes to use the chosen KMS key. Security groups filter network traffic, Route 53 handles DNS, and Transfer Acceleration only speeds uploads - none enforce encryption on write. -
A company wants permissions defined once and reused across many AWS accounts, with central control. Which approach fits best?
Correct answer: B. AWS Organizations plus service control policies set guardrails centrally, and cross-account IAM roles grant access without duplicating users. Hand-creating users everywhere does not scale; emailing credentials and sharing a root user are insecure and unauditable. -
Which design lets an external mobile app obtain short-lived AWS credentials after a user signs in with a social identity provider?
Correct answer: D. Cognito identity pools federate external identities and exchange them (via STS) for temporary, scoped AWS credentials. Shipping a shared access key or root credentials in an app is a severe leak risk; creating an IAM user per mobile user does not scale and is not the intended pattern. -
To detect publicly accessible S3 buckets and unusual IAM activity automatically, which service should you enable?
Correct answer: B. GuardDuty continuously analyses logs and threat intelligence to flag anomalies such as risky IAM behaviour and exposed resources. EFS is file storage, Direct Connect is a private network link, and Kinesis Data Firehose loads streaming data - none perform threat detection. -
An EC2 instance in a private subnet must call the AWS KMS API without sending traffic over the internet. What enables this?
Correct answer: C. An interface VPC endpoint creates a private elastic network interface so API calls to KMS stay on the AWS network. An internet gateway and a NAT instance route traffic toward the internet, and an Elastic IP is a public address - none keep the call private within the VPC. -
Which practice reduces the blast radius if a single set of credentials is compromised?
Correct answer: D. Least privilege limits what a compromised identity can touch, containing the damage. Broad admin rights and shared accounts widen the blast radius, and disabling CloudTrail removes the audit trail you need to investigate - all increase risk. -
You want application code on EC2 to access Secrets Manager, but you must avoid storing any static credentials on the instance. What do you use?
Correct answer: B. An instance profile attaches an IAM role to the EC2 instance, supplying temporary credentials with only the needed Secrets Manager permission. A hardcoded key or root keys are static long-lived credentials that violate the requirement; a public S3 object exposes the secret to everyone. -
Which option provides network-level, stateless filtering for an entire subnet as an extra layer beyond security groups?
Correct answer: C. A network ACL is a stateless, subnet-level filter that complements stateful security groups for defence in depth. An IAM policy controls API permissions, a KMS key policy governs key usage, and an S3 access point scopes bucket access - none filter subnet network traffic. -
A regulated workload must ensure that even AWS-managed encryption uses a key the customer can audit and disable. Which choice meets this?
Correct answer: B. A customer managed KMS key gives the customer control over rotation, key policies, auditing via CloudTrail, and the ability to disable it. SSE-S3 keys are fully Amazon-controlled and not auditable per key; relying on private subnets is not encryption; obfuscation is not real encryption. -
Which mechanism lets one AWS account grant a partner account permission to assume a role with specific permissions, without sharing long-term keys?
Correct answer: C. A cross-account role's trust policy lets the partner's principals assume it and receive temporary credentials, keeping access scoped and auditable. Emailing keys leaks long-lived credentials, public resources expose everyone, and security groups control network traffic, not cross-account API access. -
To protect a web application from large-scale layer-3/4 DDoS attacks with managed mitigation and 24/7 support, you use:
Correct answer: A. Shield Advanced provides enhanced DDoS protection, cost protection, and access to the response team. Athena queries data in S3, Glue is ETL, and SQS is a message queue - none provide DDoS mitigation. -
Which configuration ensures S3 objects cannot be deleted or overwritten for a fixed retention period, even by administrators?
Correct answer: A. S3 Object Lock in compliance mode enforces write-once-read-many retention that no one, including the root user, can shorten or bypass. Instance class affects compute, a NAT gateway is networking, and Auto Scaling manages capacity - none provide immutability. -
An application's logs must be encrypted at rest in CloudWatch Logs using a key your security team controls. What do you configure?
Correct answer: D. CloudWatch Logs can be encrypted with a customer managed KMS key, giving the security team control over the key. A public bucket exposes the logs, disabling encryption fails the requirement, and local-disk-only storage is neither durable nor centrally encrypted. -
Which practice helps you discover and remediate overly permissive policies by showing which permissions are actually used?
Correct answer: D. IAM Access Analyzer and service-last-accessed data reveal unused or external-facing access so you can tighten policies. Larger EBS volumes, Transfer Acceleration, and extra AZs address storage, upload speed, and availability - not permission right-sizing. -
You need to give a Lambda function permission to write to a specific S3 prefix and nothing else. What do you attach?
Correct answer: A. A Lambda execution role with a tightly scoped policy grants exactly the needed S3 write permission on the chosen prefix. AdministratorAccess is far too broad, a security group controls network traffic rather than S3 API permissions, and a Route 53 record is DNS. -
Which approach lets you centrally deploy and audit firewall rules across many VPCs and accounts?
Correct answer: B. Firewall Manager centrally configures and audits WAF, Shield, and security-group policies across accounts in an Organization. EFS is file storage, SES sends email, and Snowball moves bulk data physically - none manage firewall policy centrally. -
To allow temporary, time-boxed access to an S3 object for someone without AWS credentials, you generate:
Correct answer: B. A presigned URL grants time-limited access to a specific object using the signer's permissions, with no AWS account needed by the recipient. Creating an IAM user is heavyweight and persistent, a public bucket exposes everything, and VPC peering connects networks, not object access. -
A workload must use envelope encryption where a data key encrypts the data and a KMS key encrypts the data key, minimising KMS calls for large files. Which pattern matches?
Correct answer: A. GenerateDataKey returns a plaintext data key for local bulk encryption plus an encrypted copy to store, which is exactly envelope encryption and avoids sending large data to KMS. KMS does not encrypt large payloads directly; a private subnet is not encryption; a hardcoded static key is insecure and unrotatable. -
An organization wants to guarantee that no member account, regardless of its IAM policies, can disable CloudTrail. What enforces this guardrail?
Correct answer: B. An SCP sets a permission ceiling that even account administrators cannot exceed, so denying StopLogging org-wide protects the trail. A support plan, instance size, and DNS failover have no effect on whether an account can stop logging. -
You must ensure a private API in your VPC can be reached by another VPC owned by a partner, exposing only that one service and no broader network access. Which option is most appropriate?
Correct answer: A. PrivateLink exposes a single service through an interface endpoint without joining the two networks, limiting access to just that service. Full peering exposes far more of the network, an internet gateway makes the service public, and opening all ports is the opposite of least privilege. -
A security policy requires that EBS volumes are always encrypted at creation across an entire Region, with no chance for a user to forget. What achieves this?
Correct answer: A. Enabling EBS encryption by default forces every new volume in the Region to be encrypted with a chosen key, removing human error. Relying on developers to remember is error-prone, encrypting only the root volume leaves data volumes exposed, and security groups do not encrypt disks. -
An auditor needs cryptographic proof that log files have not been tampered with after CloudTrail wrote them. Which feature provides this?
Correct answer: B. Log file integrity validation produces signed digest files so you can verify logs were not modified or deleted after delivery. Bucket size is irrelevant, disabling versioning weakens protection, and a NAT gateway is networking, not tamper-evidence. -
A multi-tier app should allow the web tier to reach the app tier only on port 8080, using identities rather than fixed IPs that change with scaling. What is the cleanest design?
Correct answer: D. Security groups can reference other security groups as the source, so the rule follows instances as they scale without tracking IPs. Hardcoding IPs breaks with Auto Scaling, opening to the world is insecure, and public subnets with Elastic IPs needlessly expose the tiers. -
A company needs to rotate a long-lived third-party API key stored in Secrets Manager using custom rotation logic. What implements the rotation?
Correct answer: B. Secrets Manager triggers a Lambda rotation function that runs the custom steps to create and test the new secret value. A security group filters traffic, an S3 lifecycle policy manages object tiers, and a Route 53 health check monitors endpoints - none rotate secrets. -
Which design choice removes a single point of failure for a stateless web tier?
Correct answer: D. Multiple instances behind a load balancer across two AZs survive the loss of any single instance or AZ. One big instance, a single EBS volume, and a single Elastic IP each remain a single point of failure regardless of backups. -
What does an Auto Scaling group do when a health check marks an instance as unhealthy?
Correct answer: C. An Auto Scaling group replaces unhealthy instances to keep the desired capacity, supporting self-healing. It does not resize instances, delete the group, or reroute traffic to a NAT gateway, which is for outbound internet access. -
Which storage service is designed for 99.999999999% (eleven nines) durability of objects?
Correct answer: B. S3 is engineered for eleven nines of durability by redundantly storing objects across devices and facilities. Instance store is ephemeral, a single EBS volume is far less durable than S3 and tied to one AZ, and RAM is volatile. -
To decouple a web front end from a slow order-processing backend so a backend outage does not lose orders, you place between them:
Correct answer: C. An SQS queue buffers orders durably so the backend can process them later, even after an outage. An Elastic IP is an address, a larger CPU does not decouple components, and CloudFront is a CDN for content delivery. -
Which Route 53 feature lets DNS stop sending users to an endpoint that has failed?
Correct answer: D. Route 53 health checks detect a failed endpoint and fail traffic over to a healthy one. A NAT gateway is for outbound internet, an IAM role grants permissions, and S3 versioning protects objects - none affect DNS failover. -
What is the main benefit of designing application instances to be stateless?
Correct answer: D. Stateless instances hold no session-specific data locally, so requests can go to any instance and capacity can scale or self-heal freely. They still benefit from a load balancer, they deliberately avoid local session storage, and they work especially well with Auto Scaling. -
An application stores user session state on each web server's local disk, which breaks when Auto Scaling replaces instances. What is the best fix?
Correct answer: D. Externalising sessions to ElastiCache or DynamoDB makes instances stateless, so any instance can serve any user and scaling works cleanly. Disabling Auto Scaling sacrifices resilience, pinning users to instances does not scale, and instance store is ephemeral and lost on replacement. -
Which architecture lets a spike of incoming jobs be absorbed and processed by a fleet that scales on the backlog size?
Correct answer: C. Buffering jobs in SQS and scaling workers on queue depth handles spikes gracefully and cost-effectively. A single worker cannot absorb spikes, CloudFront caches content rather than processing jobs, and a NAT gateway only provides outbound internet. -
To run a relational database that automatically fails over to a synchronously replicated standby in another AZ, you choose:
Correct answer: B. RDS Multi-AZ keeps a synchronous standby in another AZ and fails over automatically on primary failure. A single self-managed EC2 database has no automatic failover, DynamoDB is NoSQL rather than relational, and S3 is object storage. -
A queue-based system must guarantee that each message is processed exactly once and in order. Which SQS option fits?
Correct answer: D. FIFO queues provide ordering and exactly-once processing within a message group. Standard queues offer best-effort ordering and at-least-once delivery, an SNS topic is pub/sub fan-out, and CloudFront is a CDN - none guarantee ordered exactly-once processing. -
Which approach lets an application continue serving reads if the primary database instance is briefly unavailable during failover, with minimal data loss?
Correct answer: B. Multi-AZ provides automatic failover while read replicas serve read traffic, improving resilience and read availability. A single-AZ bigger instance is still one point of failure, instance store is ephemeral, and disabling backups removes recovery options. -
To replicate critical S3 data to a bucket in another Region for disaster recovery, you enable:
Correct answer: B. Cross-Region Replication asynchronously copies objects to a bucket in another Region, supporting DR and locality. Transfer Acceleration speeds uploads to a single bucket, an Auto Scaling group manages compute, and a security group filters network traffic. -
A workflow coordinates several Lambda functions with retries, error handling, and state across steps. Which service manages this reliably?
Correct answer: C. Step Functions orchestrates multi-step workflows with built-in retries, catch logic, and state management. CloudFront is a CDN, EBS is block storage, and Certificate Manager issues TLS certificates - none orchestrate workflows. -
Which design improves resilience for a containerized service so failed tasks are automatically rescheduled across AZs?
Correct answer: D. Running on ECS or EKS with multi-AZ placement reschedules failed tasks and survives an AZ outage. A single container on one instance and pinning to one AZ are single points of failure, and instance store does not address task scheduling. -
To ensure messages that repeatedly fail processing are set aside for later inspection instead of blocking the queue, you configure:
Correct answer: A. A dead-letter queue captures messages that exceed the retry limit so they no longer block normal processing and can be examined. Instance size, a CloudFront behaviour, and an Elastic IP do not handle poison messages. -
Which option lets a fleet behind a load balancer keep serving traffic during a rolling deployment without downtime?
Correct answer: C. Gradually shifting traffic to new healthy instances while draining old ones avoids downtime. Stopping everything causes an outage, pointing DNS at one instance removes redundancy, and disabling health checks risks sending traffic to broken instances. -
A serverless API must remain available even if one AZ fails. How do Lambda and API Gateway help by default?
Correct answer: C. Lambda and API Gateway are managed, regional services that span multiple AZs automatically, so a single-AZ failure is handled for you. They are not single-AZ, they do not require manual instance placement, and they do not depend on an Elastic IP. -
To protect against accidental deletion of objects in an S3 bucket, you should enable:
Correct answer: D. Versioning keeps previous versions so an accidental delete or overwrite can be recovered, and MFA Delete adds protection. Transfer Acceleration speeds uploads, an Auto Scaling group manages compute, and a NAT gateway is for outbound internet - none guard against deletion. -
Which database choice gives a single relational endpoint with storage that automatically replicates across three AZs and self-heals?
Correct answer: A. Aurora replicates its storage across three AZs by design and recovers from failures automatically while presenting a relational endpoint. A single EC2 MySQL has no such replication, S3 is object storage, and CloudFront is a CDN. -
A batch system must continue if individual worker instances fail mid-job. Which combination is most resilient and cost-aware?
Correct answer: C. Idempotent workers reading from SQS can safely retry, and a mixed Spot/On-Demand Auto Scaling group is resilient and cost-aware. One large instance is a single point of failure, in-memory-only progress is lost on failure, and a lone Spot instance with no retries loses work on interruption. -
Which feature lets you distribute traffic to the healthiest endpoints across multiple Regions with fast failover and a static anycast IP?
Correct answer: A. Global Accelerator routes users over the AWS backbone to healthy regional endpoints with rapid failover behind static anycast IPs. A single Elastic IP points to one resource, an S3 bucket policy controls object access, and a security group filters traffic - none provide multi-Region routing. -
A company needs an RTO of minutes and RPO of seconds for a critical workload, but wants to avoid paying for a full duplicate environment running at all times. Which DR strategy fits best?
Correct answer: B. Pilot light or warm standby keeps data replicated and a minimal core running, so you meet a low RPO and a minutes-level RTO without full duplicate cost. Backup-and-restore is far slower (large RTO), single-Region daily snapshots miss the RPO, and full active-active meets the targets but is the most expensive, which the requirement wants to avoid. -
An Aurora database must survive the loss of an entire Region with the lowest possible RPO for global users. Which feature should you use?
Correct answer: C. Aurora Global Database replicates to secondary Regions with typically sub-second lag and supports fast cross-Region failover. Multi-AZ protects within one Region only, nightly cross-Region snapshots give a poor RPO, and DynamoDB streams are unrelated to Aurora. -
A payment service must not process the same SQS message twice even if a worker crashes after partial work. Beyond FIFO, what design property is essential?
Correct answer: A. Idempotency ensures that if a message is redelivered after a crash, reprocessing causes no duplicate side effects, which is essential for correctness. A larger message size is irrelevant, disabling the visibility timeout would cause more duplicate delivery, and instance store does not store the queue. -
A multi-tier application needs the data tier to remain consistent and available during an AZ failure while keeping write latency low. Which RDS configuration is most appropriate?
Correct answer: D. Synchronous Multi-AZ replication keeps the standby consistent and fails over automatically, preserving data on AZ loss with low write latency. Async read replicas can lag and are not automatic write failover, a single-AZ instance is a point of failure, and caching writes does not make the database durable. -
To recover an entire application stack (network, compute, configuration) reliably and repeatably after a disaster, the most robust approach is to:
Correct answer: B. Infrastructure as code lets you redeploy the whole stack consistently and quickly during recovery, reducing human error. Manual console steps, screenshots, and personal notes are slow, inconsistent, and error-prone for DR. -
Which service caches frequently requested content at edge locations to reduce latency for global users?
Correct answer: A. CloudFront is a content delivery network that serves cached content from edge locations near users. SQS is a message queue, IAM manages access, and EBS is block storage - none reduce content-delivery latency. -
To improve read performance of a database by serving frequent queries from memory, you add:
Correct answer: A. ElastiCache (Redis or Memcached) serves hot reads from memory, offloading the database. Glacier is cold archival storage, Snowball moves bulk data physically, and SES sends email - none accelerate database reads. -
Which compute option runs your code only when triggered and scales automatically with the number of events, with no servers to manage?
Correct answer: A. Lambda runs code on demand and scales with event volume without server management. A fixed EC2 instance must be managed and sized, EBS is storage, and Direct Connect is a network link. -
Which storage is best suited to a shared file system that many EC2 instances mount at the same time?
Correct answer: D. EFS is a managed, elastic file system that many instances can mount concurrently across AZs. Instance store is ephemeral and local, a standard EBS volume attaches to one instance at a time, and Glacier is cold archive storage. -
To handle a sudden, large increase in web traffic automatically, you combine a load balancer with:
Correct answer: B. An Auto Scaling group adds capacity as demand rises and the load balancer spreads it across instances. An Elastic IP is just an address, a NAT gateway is for outbound internet, and S3 versioning protects objects - none scale compute. -
A read-heavy application repeatedly runs the same expensive query. Which combination most reduces database load and latency?
Correct answer: A. Caching hot results in ElastiCache eliminates most repeat queries, and read replicas absorb the rest, cutting load and latency. Larger EBS helps I/O but not repeated reads, a smaller instance reduces performance, and a public subnet does not improve performance. -
Which storage class and feature combination delivers the lowest-latency reads for small, frequently accessed objects served to a web app?
Correct answer: A. S3 Standard holds hot objects, and CloudFront caches them at the edge for low-latency reads. Glacier Deep Archive is for cold data with long retrieval, EFS-IA is for infrequently accessed files, and a NAT gateway is networking, not caching. -
An application needs single-digit-millisecond key-value reads and writes at very large scale with no capacity planning. Which database fits?
Correct answer: A. DynamoDB delivers single-digit-millisecond performance at scale and on-demand mode removes capacity planning. A single EC2 relational database does not scale that way, Redshift is a data warehouse for analytics, and Athena queries S3 rather than serving low-latency key-value traffic. -
To accelerate uploads of large objects to S3 from users far from the bucket's Region, you enable:
Correct answer: C. Transfer Acceleration routes uploads through nearby edge locations onto the AWS backbone, speeding long-distance transfers. A NAT gateway is for outbound internet, Glacier is cold storage, and a permission boundary caps IAM permissions - none accelerate uploads. -
Which EBS volume type is designed for I/O-intensive workloads that need consistently high IOPS, such as a busy transactional database?
Correct answer: C. Provisioned IOPS SSD lets you provision sustained, high IOPS for latency-sensitive transactional databases. Cold and Throughput Optimized HDDs target infrequent or sequential workloads, and instance store is ephemeral local storage, not a durable high-IOPS volume. -
A data warehouse must run complex analytical queries over terabytes of structured data with high performance. Which service is purpose-built for this?
Correct answer: C. Redshift is a columnar, massively parallel data warehouse built for large analytical queries. DynamoDB is a key-value/document store, SQS is messaging, and Route 53 is DNS - none are analytical warehouses. -
To reduce the latency of dynamic API responses for users in distant Regions while keeping a single origin, you can use:
Correct answer: A. CloudFront can front dynamic origins, terminating connections at the edge and using the AWS backbone to cut latency. A larger origin alone does not fix distance latency, Glacier is cold storage, and a NAT gateway provides outbound internet, not acceleration. -
Which option scales database reads horizontally for a relational workload without changing the application's read query logic significantly?
Correct answer: D. Read replicas let read traffic spread across copies, scaling reads with minimal application change. A larger EBS volume helps I/O but not read fan-out, S3 class is unrelated, and MFA is a sign-in control, not a scaling mechanism. -
An application ingests millions of events per second and must process them in near real time. Which service is designed for this streaming workload?
Correct answer: D. Kinesis Data Streams ingests and processes high-throughput streaming data in near real time. Glacier is cold archival storage, Certificate Manager issues TLS certificates, and EFS is a file system - none are streaming platforms. -
To improve DynamoDB read performance for hot items down to microseconds, you add:
Correct answer: C. DAX is an in-memory cache for DynamoDB that returns hot reads in microseconds. A larger EBS volume, an S3 lifecycle policy, and a NAT gateway address block storage, object tiering, and outbound internet - none cache DynamoDB reads. -
A globally distributed application needs low-latency local reads and writes to the same table in multiple Regions. Which feature provides this?
Correct answer: B. DynamoDB global tables replicate across Regions so each Region has a local, low-latency, writable copy. A single-Region table forces distant users to cross Regions, Redshift is analytics, and Glacier is cold storage. -
Which approach best improves throughput when many small files must be processed by a fleet, avoiding a single bottleneck node?
Correct answer: A. Distributing files through a queue and processing in parallel scales throughput horizontally. Sequential processing on one node is a bottleneck, Glacier is cold storage unsuited to active processing, and an Elastic IP is just an address. -
To offload TLS termination and spread Layer 7 routing decisions across targets based on URL path, you use:
Correct answer: A. An Application Load Balancer terminates TLS and routes at Layer 7 by host or path. An Elastic IP points to one target, a NAT gateway is for outbound internet, and an S3 bucket policy controls object access - none do Layer 7 routing. -
A media company transcodes video files uploaded to S3 and wants processing to start automatically as files arrive, scaling with volume. Which design fits?
Correct answer: D. S3 event notifications can trigger Lambda or enqueue work so transcoding starts on upload and scales with volume. An hourly cron on one instance adds latency and a bottleneck, manual processing does not scale, and Glacier with monthly processing is far too slow. -
A relational database's writes have become the bottleneck under heavy load, and read replicas have not helped because the pressure is on writes. Which approach most directly addresses write scalability?
Correct answer: B. Sharding (or moving to a horizontally partitioned store like DynamoDB) spreads writes across nodes, the only way to scale write throughput beyond one instance. Read replicas and caching only help reads, and CloudFront caches HTTP content, not database writes. -
An analytics team queries large amounts of data sitting in S3 ad hoc, and wants to avoid running a cluster when idle while still getting good performance. Which service fits best?
Correct answer: B. Athena runs serverless SQL directly on S3 data, charging per query and requiring no idle cluster. An always-on cluster wastes money when idle, Glacier is archival storage not a query engine, and a small RDS instance is not built for large ad hoc S3 analytics. -
A latency-sensitive global API serves both static and dynamic content. Which combination minimizes latency end to end?
Correct answer: B. CloudFront caches static content at the edge while Global Accelerator routes dynamic traffic over the AWS backbone to the nearest healthy origin, cutting end-to-end latency. A single-Region origin without a CDN is slow for distant users, Glacier is cold storage, and NAT gateways provide outbound internet, not acceleration. -
A workload needs a shared, POSIX-compliant file system with high aggregate throughput that scales as you add more EC2 clients, without pre-provisioning capacity. Which service fits?
Correct answer: C. EFS provides a shared POSIX file system whose throughput scales with usage and clients, with no capacity to pre-provision. A single EBS volume cannot be safely shared this way, Glacier is cold object storage, and instance store is ephemeral and node-local. -
Which pricing model is cheapest for a fault-tolerant workload that can tolerate interruptions, such as image rendering?
Correct answer: B. Spot Instances offer the deepest discount and suit interruptible, fault-tolerant work. On-Demand is full price, Dedicated Hosts at list price are the most expensive, and a three-year reservation does not fit a short-lived job. -
To automatically move S3 objects to cheaper storage classes as they age, you configure:
Correct answer: D. S3 Lifecycle rules transition objects to lower-cost tiers (or expire them) on a schedule. A security group filters traffic, an Auto Scaling group manages compute, and a Route 53 record is DNS - none manage storage tiers. -
Which tools help you visualise spend and get alerted when costs exceed a threshold?
Correct answer: D. Cost Explorer visualises and analyses spend, and Budgets alerts on thresholds. SQS/SNS are messaging, IAM/KMS are security, and EBS/EFS are storage - none are cost-management tools. -
For a workload that runs steadily 24/7 for at least a year, which option reduces compute cost the most while keeping flexibility across instance families?
Correct answer: A. A Compute Savings Plan gives a large discount for a committed hourly spend while remaining flexible across instance families and Regions. On-Demand is full price, Spot is interruptible and unsuitable for steady production, and Dedicated Hosts at list price are the most expensive. -
A development environment is only used during business hours. What is the simplest way to cut its cost?
Correct answer: B. Stopping non-production instances when no one is working removes most of their compute cost immediately. Three-year reservations assume constant use, Dedicated Hosts and larger volumes increase cost rather than reduce it. -
You have unpredictable, spiky traffic and want to pay only for what you use without managing servers. Which compute choice is most cost-effective?
Correct answer: D. Lambda charges only for actual invocations and duration, ideal for spiky, unpredictable traffic. A continuously running large instance, a permanently over-provisioned fleet, and a three-year Dedicated Host reservation all pay for idle capacity. -
Which approach reduces data-transfer costs for serving the same popular files to many internet users?
Correct answer: D. CloudFront serves repeat requests from edge caches, reducing how often (and how much) data leaves the origin, which lowers cost and latency. Serving everything from the origin maximises egress, Glacier retrieval per request is slow and costly, and a NAT gateway does not serve content. -
A team runs many small, infrequent jobs and is paying for idle EC2 capacity between them. Which change best optimizes cost?
Correct answer: B. A serverless or scale-to-zero model means you stop paying when no jobs run, eliminating idle cost. Keeping a permanent large instance and buying reservations for idle capacity both pay for unused time, and a bigger instance raises cost. -
Which S3 storage class automatically moves objects between frequent and infrequent tiers based on access patterns, with no retrieval fees for the movement, ideal when access is unpredictable?
Correct answer: A. Intelligent-Tiering monitors access and shifts objects between tiers automatically, optimizing cost when patterns are unknown. S3 Standard alone does not tier, Glacier Deep Archive is for cold data with long retrieval, and instance store is ephemeral block storage. -
A company wants to reduce the cost of NAT gateway data processing for private instances that mainly talk to S3 and DynamoDB. What helps most?
Correct answer: C. Gateway endpoints route S3 and DynamoDB traffic privately at no per-GB charge, cutting NAT gateway data-processing costs. A second NAT gateway adds cost, public IPs change exposure rather than cost path, and a bigger instance does not reduce NAT charges. -
Which practice helps you continuously identify idle or underutilized resources to remove or downsize?
Correct answer: A. Regularly reviewing Cost Explorer, Trusted Advisor, and right-sizing guidance surfaces waste so you can act on it. Permanent peak provisioning, disabling monitoring, and defaulting to the largest instance all drive cost up. -
For long-term backups that are rarely retrieved and can tolerate hours of retrieval time, which is the most cost-effective storage?
Correct answer: C. Glacier Deep Archive is the lowest-cost tier for rarely accessed data that tolerates slow retrieval, ideal for long-term backups. S3 Standard is for hot data, Provisioned IOPS EBS is expensive block storage, and instance store is ephemeral. -
A predictable production database runs continuously, while a separate analytics job runs only a few hours each night. Which mix optimizes cost?
Correct answer: A. Matching commitment to usage (reservations for steady load, Spot/scheduled for the intermittent job) minimizes cost. On-Demand for both pays full price, reserving the intermittent job wastes commitment, and Dedicated Hosts at list price are the most expensive. -
Which change reduces cost for an over-provisioned EC2 fleet whose CPU and memory utilization are consistently low?
Correct answer: D. Right-sizing to smaller instances that match real utilization removes wasted capacity and cost. Adding instances, upgrading to larger types, and attaching more storage all increase spend without addressing the over-provisioning. -
A startup wants to minimize fixed costs and pay only as it grows, avoiding upfront capacity purchases. Which principle should guide its architecture?
Correct answer: A. Starting with on-demand and serverless lets a startup pay as it grows and commit only when usage stabilizes. Day-one three-year reservations, over-provisioning, and oversized instances all create fixed cost before demand justifies it. -
An application transfers large volumes of data out to the internet from one Region, and costs are dominated by data egress. Which change reduces cost the most without hurting users?
Correct answer: D. Fronting the origin with CloudFront serves repeat requests from the edge, reducing origin-to-internet egress and using CDN pricing, which lowers cost without degrading users. A larger instance, faster EBS, and a second NAT gateway address compute, disk, and outbound paths, not internet egress cost. -
A company commits to a one-year Compute Savings Plan but its workload mix shifts between EC2, Fargate, and Lambda over the year. Why is the Compute Savings Plan still a good cost choice?
Correct answer: A. A Compute Savings Plan covers EC2, Fargate, and Lambda usage flexibly, so the committed discount follows the shifting mix. It is not tied to one instance type, does not force a single family, and does not penalise changing the mix - those describe more rigid options. -
A data pipeline writes intermediate files to S3 that are only needed for 7 days, but they are accumulating and inflating storage cost. What is the most efficient fix?
Correct answer: B. A lifecycle expiration rule automatically deletes the short-lived objects after 7 days, preventing accumulation with no manual effort. Manual deletion is unreliable, moving to Provisioned IOPS EBS is more expensive, and cross-Region replication increases storage and cost. -
Which AWS service should you use to centrally store and version application configuration values such as a non-secret feature flag or an environment name?
Correct answer: B. Parameter Store holds configuration values (and can reference secrets), with versioning and access control. CloudFront is a CDN, SQS is a message queue, and Direct Connect is a private network link - none store application configuration. -
An S3 bucket policy grants access, but a separate VPC endpoint policy for S3 does not include the same action. What is the effective result for a request through that endpoint?
Correct answer: D. Access through a VPC endpoint must be permitted by all relevant policies (IAM, bucket, and endpoint policy); if the endpoint policy omits the action, the request is denied. The bucket policy alone is not sufficient when an endpoint policy is more restrictive, endpoint policies are enforced not advisory, and requests do not bypass these policies. -
Which statement best describes an AWS Availability Zone?
Correct answer: C. An Availability Zone is one or more isolated data centres in a Region with independent infrastructure, which is why spreading across AZs improves resilience. It is not a single rack, not a DNS policy, and not a storage volume type. -
A stateful legacy application cannot be made stateless quickly, but it must survive an instance failure with minimal disruption. Which interim approach best improves resilience?
Correct answer: D. Externalising state to a shared durable store lets a replacement instance pick up where a failed one left off, even before a full stateless rewrite. A single instance with AMIs still has downtime on failure, instance store loses state on failure, and a static IP with manual recovery is slow and fragile. -
Two microservices must communicate, but a failure or slowdown in the consumer must never cause the producer to fail or block. Which pattern best provides this isolation?
Correct answer: A. Asynchronous messaging via SQS decouples the services so a slow or failed consumer does not block or fail the producer. A synchronous call couples their fates, a shared connection pool spreads failure, and running in one process removes isolation entirely. -
A workload must tolerate the failure of an entire Region. Which combination of services supports an active-passive multi-Region design?
Correct answer: B. Route 53 failover plus cross-Region data replication lets traffic shift to a prepared standby Region after a regional failure. A single-Region Auto Scaling group and Multi-AZ protect only within one Region, and a larger instance does nothing for regional failure. -
During a deployment, you want to shift a small percentage of production traffic to a new version and roll back instantly if errors rise. Which approach supports this safely?
Correct answer: C. A canary/weighted release exposes the new version to a fraction of traffic and lets you roll back fast if metrics worsen. Replacing everything at once, disabling health checks, and uncontrolled full deploys all risk a full outage with no safe rollback. -
Which service delivers a global content cache plus the ability to run lightweight code at edge locations close to users?
Correct answer: A. CloudFront caches content globally and can run lightweight functions at the edge for low latency. Glacier is cold storage, SQS is messaging, and Certificate Manager issues TLS certificates - none provide edge caching or edge compute. -
To run containers without managing the underlying EC2 servers, which compute option should you choose?
Correct answer: C. Fargate runs containers serverlessly, so you do not provision or patch the underlying instances. A self-managed EC2 instance requires you to manage servers, Glacier is cold storage, and Route 53 is DNS. -
A web application's database is the bottleneck for a small set of extremely popular read keys (a hot-key problem), even with read replicas. Which approach most directly relieves it?
Correct answer: B. An in-memory cache for the hot keys absorbs the concentrated read traffic that even multiple replicas struggle with. Adding replicas spreads load but each still serves the same hot key, a larger volume does not address read concentration, and a public subnet does not improve performance. -
An application needs consistent low latency between EC2 instances doing tightly coupled, high-throughput computation (for example HPC). Which placement strategy helps most?
Correct answer: D. A cluster placement group co-locates instances for the lowest network latency and highest throughput, which HPC needs. Spreading across AZs or Regions increases latency, and the smallest instance type limits performance. -
A read-heavy relational workload serves users in three continents and needs low-latency reads everywhere while keeping a single primary for writes. Which approach fits best?
Correct answer: D. Cross-Region read replicas near users provide low-latency local reads while the primary handles writes. A single-Region instance forces distant users to cross Regions, instance store is ephemeral and node-local, and Glacier is cold storage unsuited to hot reads. -
A workload's performance suffers from cold starts and unpredictable scaling when traffic spikes sharply on a serverless function. Which feature reduces this latency for critical paths?
Correct answer: A. Provisioned concurrency keeps function instances initialised and ready, removing cold-start latency on critical paths. A larger EBS volume, an S3 lifecycle policy, and a NAT gateway address disk, object tiering, and outbound internet - none affect Lambda cold starts. -
Which AWS pricing principle means you generally pay only for the resources you actually use, with no large upfront commitment required?
Correct answer: C. Pay-as-you-go means you are billed for actual usage without mandatory upfront commitments, a core AWS cost principle. A fixed annual license, a perpetual purchase, and per-seat licensing are not how core AWS usage is billed. -
A company has steady baseline compute plus unpredictable bursts above it. Which cost strategy covers both efficiently?
Correct answer: A. Reserving the predictable baseline captures the discount, while On-Demand or Spot absorbs variable bursts without over-committing. Reserving for the peak wastes commitment during normal load, all-On-Demand pays full price for the steady part, and Spot for steady production risks interruption. -
A backup retention policy keeps EBS snapshots indefinitely, and snapshot storage cost is climbing. Which approach controls cost while meeting a 90-day retention requirement?
Correct answer: D. Data Lifecycle Manager automatically creates and deletes snapshots on a schedule, enforcing 90-day retention and removing old ones. Keeping everything forever and copying to another Region both increase cost, and converting snapshots to volumes is more expensive, not less. -
An organization wants one consolidated bill across many AWS accounts and to benefit from combined volume pricing and shared commitments. Which feature provides this?
Correct answer: D. Consolidated billing in AWS Organizations combines accounts into one bill and shares volume discounts and commitments. Separate payment methods forgo aggregation, an unshared reservation in one account misses the benefit, and disabling Cost Explorer removes visibility rather than saving money. -
A serverless API is cost-efficient at low traffic but becomes expensive at sustained very high request volumes compared with always-on containers. What is the most cost-aware response?
Correct answer: D. At sustained high volume, a provisioned model with a Savings Plan can be cheaper than per-request serverless, so matching the model to the traffic profile optimizes cost. Blindly staying serverless ignores the crossover point, the largest instance over-provisions, and ignoring cost contradicts cost optimization.
Practice questions FAQ
- Are these real SAA-C03 exam questions?
- No. These are original study questions written to test understanding. They are not real exam questions, exam dumps, or copied from any provider.
- How should I use these practice questions?
- Answer each one, read the explanation (including why the wrong options are wrong), and use the per-domain score below to focus your revision on weak areas. Revisit before exam day.
- How many questions should I do before the exam?
- Enough to score consistently across every domain, alongside full-length practice from official or reputable providers. Understanding why each answer is right matters more than raw volume.
- What score means I am ready?
- A good signal is consistently scoring around 80% or higher across all domains on questions you have not seen before, and being able to explain why the wrong options are wrong.
- Should I use exam dumps?
- No. Dumps (real or leaked questions) breach provider policy, can void your certification, and do not build the understanding the exam actually tests.