Practice Free SAA-C03 Exam Online Questions
Question #91
A healthcare provider is planning to store patient data on AWS as PDF files. To comply with regulations, the company must encrypt the data and store the files in multiple locations. The data must be available for immediate access from any environment.
- A . Store the files in an Amazon S3 bucket. Use the Standard storage class. Enable server-side encryption with Amazon S3 managed keys (SSE-S3) on the bucket. Configure cross-Region replication on the bucket.
- B . Store the files in an Amazon Elastic File System (Amazon EFS) volume. Use an AWS KMS managed key to encrypt the EFS volume. Use AWS DataSync to replicate the EFS volume to a second AWS Region.
- C . Store the files in an Amazon Elastic Block Store (Amazon EBS) volume. Configure AWS Backup to back up the volume on a regular schedule. Use an AWS KMS key to encrypt the backups.
- D . Store the files in an Amazon S3 bucket. Use the S3 Glacier Flexible Retrieval storage class. Ensure that all PDF files are encrypted by using client-side encryption before the files are uploaded. Configure cross-Region replication on the bucket.
Correct Answer: A
A
Explanation:
AmazonS3 with the Standard storage classis the best solution:
Encryption: SSE-S3 ensures server-side encryption of the data, meeting compliance requirements.
Immediate access: The Standard storage class provides low-latency and high-throughput access to data.
Multi-location storage: Cross-Region replication ensures data is stored in multiple AWS Regions for redundancy.
Why Other Options Are Not Ideal:
Option B:
Amazon EFS is more costly and suited for file systems rather than object storage. Not cost-effective.
Option C:
Amazon EBS is block storage and not optimized for object storage like PDFs. Backup schedules do not ensure immediate availability. Not suitable.
Option D:
S3 Glacier Flexible Retrieval is designed for archival, not immediate access. Does not meet access requirements.
AWS
Reference: Amazon S3 Standard Storage: AWS Documentation – S3 Storage Classes
Amazon S3 Cross-Region Replication: AWS Documentation – Cross-Region Replication
AWS Encryption Options: AWS Documentation – S3 Encryption
A
Explanation:
AmazonS3 with the Standard storage classis the best solution:
Encryption: SSE-S3 ensures server-side encryption of the data, meeting compliance requirements.
Immediate access: The Standard storage class provides low-latency and high-throughput access to data.
Multi-location storage: Cross-Region replication ensures data is stored in multiple AWS Regions for redundancy.
Why Other Options Are Not Ideal:
Option B:
Amazon EFS is more costly and suited for file systems rather than object storage. Not cost-effective.
Option C:
Amazon EBS is block storage and not optimized for object storage like PDFs. Backup schedules do not ensure immediate availability. Not suitable.
Option D:
S3 Glacier Flexible Retrieval is designed for archival, not immediate access. Does not meet access requirements.
AWS
Reference: Amazon S3 Standard Storage: AWS Documentation – S3 Storage Classes
Amazon S3 Cross-Region Replication: AWS Documentation – Cross-Region Replication
AWS Encryption Options: AWS Documentation – S3 Encryption
Question #92
The lead member of a DevOps team creates an AWS account. A DevOps engineer shares the account credentials with a solutions architect through a password manager application.
The solutions architect needs to secure the root user for the new account.
Which actions will meet this requirement? (Select TWO.)
- A . Update the root user password to a new, strong password.
- B . Secure the root user account by using a virtual multi-factor authentication (MFA) device.
- C . Create an IAM user for each member of the DevOps team. Assign the AdministratorAccess AWS managed policy to each IAM user.
- D . Create root user access keys. Save the keys as a new parameter in AWS Systems Manager Parameter Store.
- E . Update the IAM role for the root user to ensure the root user can use only approved services.
Correct Answer: A,B
A,B
Explanation:
Securing the root user account requires setting a strong password and enabling multi-factor authentication (MFA). AWS recommends never sharing the root user credentials, setting up individual IAM users for everyday operations, and always protecting the root user with MFA for maximum security.
Reference Extract:
"AWS recommends securing the root user with a strong password and enabling multi-factor authentication (MFA). Do not use or share root credentials for everyday tasks."
Source: AWS Certified Solutions Architect C Official Study Guide, IAM and Security Best Practices section.
A,B
Explanation:
Securing the root user account requires setting a strong password and enabling multi-factor authentication (MFA). AWS recommends never sharing the root user credentials, setting up individual IAM users for everyday operations, and always protecting the root user with MFA for maximum security.
Reference Extract:
"AWS recommends securing the root user with a strong password and enabling multi-factor authentication (MFA). Do not use or share root credentials for everyday tasks."
Source: AWS Certified Solutions Architect C Official Study Guide, IAM and Security Best Practices section.
Question #93
A company runs an HPC workload that uses a 200-TB file system on premises. The company needs to migrate this data to Amazon FSx for Lustre. Internet capacity is 10 Mbps, and all data must be migrated within 30 days.
Which solution will meet this requirement?
- A . Use AWS DMS to transfer data into S3 and link FSx for Lustre to the bucket.
- B . Deploy AWS DataSync on premises and transfer directly into FSx for Lustre.
- C . Use AWS Storage Gateway Volume Gateway to move data into FSx for Lustre.
- D . Use an AWS Snowball Edge storage-optimized device to transfer data into S3 and link FSx for Lustre to the bucket.
Correct Answer: D
D
Explanation:
At 10 Mbps, the maximum transferable data in 30 days is far below 200 TB, making any online transfer (Options A, B, C) impossible within the time window.
AWS Snowball Edge storage-optimized devices support high-speed, offline bulk data migration of large datasets. Once the data is delivered to S3, FSx for Lustre can be linked to the S3 bucket to populate the Lustre filesystem.
DataSync cannot meet the time constraint over 10 Mbps. Storage Gateway is not designed for large-scale migrations.
D
Explanation:
At 10 Mbps, the maximum transferable data in 30 days is far below 200 TB, making any online transfer (Options A, B, C) impossible within the time window.
AWS Snowball Edge storage-optimized devices support high-speed, offline bulk data migration of large datasets. Once the data is delivered to S3, FSx for Lustre can be linked to the S3 bucket to populate the Lustre filesystem.
DataSync cannot meet the time constraint over 10 Mbps. Storage Gateway is not designed for large-scale migrations.
Question #94
A company is developing a new application that uses a relational database to store user data and application configurations. The company expects the application to have steady user growth. The company expects the database usage to be variable and read-heavy, with occasional writes.
The company wants to cost-optimize the database solution. The company wants to use an AWS managed database solution that will provide the necessary performance.
Which solution will meet these requirements MOST cost-effectively?
- A . Deploy the database on Amazon RDS. Use Provisioned IOPS SSD storage to ensure consistent performance for read and write operations.
- B . Deploy the database on Amazon Aurora Serveriess to automatically scale the database capacity based on actual usage to accommodate the workload.
- C . Deploy the database on Amazon DynamoDB. Use on-demand capacity mode to automatically scale throughput to accommodate the workload.
- D . Deploy the database on Amazon RDS Use magnetic storage and use read replicas to accommodate the workload
Correct Answer: B
B
Explanation:
Amazon Aurora Serverless is a cost-effective, on-demand, autoscaling configuration for Amazon Aurora. It automatically adjusts the database’s capacity based on the current demand, which is ideal
for workloads with variable and unpredictable usage patterns. Since the application is expected to be read-heavy with occasional writes and steady growth, Aurora Serverless can provide the necessary performance without requiring the management of database instances.
Cost-Optimization: Aurora Serverless only charges for the database capacity you use, making it a more cost-effective solution compared to always running provisioned database instances, especially for workloads with fluctuating demand.
Scalability: It automatically scales database capacity up or down based on actual usage, ensuring that you always have the right amount of resources available.
Performance: Aurora Serverless is built on the same underlying storage as Amazon Aurora, providing high performance and availability.
Why Not Other Options?
Option A (RDS with Provisioned IOPS SSD): While Provisioned IOPS SSD ensures consistent performance, it is generally more expensive and less flexible compared to the autoscaling nature of Aurora Serverless.
Option C (DynamoDB with On-Demand Capacity): DynamoDB is a NoSQL database and may not be the best fit for applications requiring relational database features.
Option D (RDS with Magnetic Storage and Read Replicas): Magnetic storage is outdated and generally slower. While read replicas help with read-heavy workloads, the overall performance might not be optimal, and magnetic storage doesn’t provide the necessary performance.
AWS
Reference: Amazon Aurora Serverless- Information on how Aurora Serverless works and its use cases.
Amazon Aurora Pricing- Details on the cost-effectiveness of Aurora Serverless.
B
Explanation:
Amazon Aurora Serverless is a cost-effective, on-demand, autoscaling configuration for Amazon Aurora. It automatically adjusts the database’s capacity based on the current demand, which is ideal
for workloads with variable and unpredictable usage patterns. Since the application is expected to be read-heavy with occasional writes and steady growth, Aurora Serverless can provide the necessary performance without requiring the management of database instances.
Cost-Optimization: Aurora Serverless only charges for the database capacity you use, making it a more cost-effective solution compared to always running provisioned database instances, especially for workloads with fluctuating demand.
Scalability: It automatically scales database capacity up or down based on actual usage, ensuring that you always have the right amount of resources available.
Performance: Aurora Serverless is built on the same underlying storage as Amazon Aurora, providing high performance and availability.
Why Not Other Options?
Option A (RDS with Provisioned IOPS SSD): While Provisioned IOPS SSD ensures consistent performance, it is generally more expensive and less flexible compared to the autoscaling nature of Aurora Serverless.
Option C (DynamoDB with On-Demand Capacity): DynamoDB is a NoSQL database and may not be the best fit for applications requiring relational database features.
Option D (RDS with Magnetic Storage and Read Replicas): Magnetic storage is outdated and generally slower. While read replicas help with read-heavy workloads, the overall performance might not be optimal, and magnetic storage doesn’t provide the necessary performance.
AWS
Reference: Amazon Aurora Serverless- Information on how Aurora Serverless works and its use cases.
Amazon Aurora Pricing- Details on the cost-effectiveness of Aurora Serverless.
Question #95
An ecommerce company is redesigning a web application to run on the AWS Cloud. The application needs to store static website content and must use a Microsoft SQL Server database to store customer data. The company needs to deploy the application in a resilient way across multiple Availability Zones.
Which solution will meet these requirements?
- A . Use an Amazon S3 bucket to store static content. Deploy an Amazon RDS Custom for SQL Server DB instance for the database.
- B . Use an Amazon S3 bucket to store static content. Create an Amazon RDS for SQL Server Multi-AZ deployment for the database.
- C . Create an Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume to store static content. Deploy an Amazon RDS for SQL Server DB instance for the database.
- D . Create an Amazon Elastic Block Store (Amazon EBS) Multi-Attach volume to store static content. Deploy SQL Server on two Amazon EC2 instances in separate Availability Zones.
Correct Answer: B
B
Explanation:
Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):
To achieve resilience across multiple Availability Zones, the architecture should use services that natively provide Multi-AZ durability and failover with minimal manual intervention. For static website content, Amazon S3 is the natural choice because it stores objects durably and is designed for high availability; it also integrates well with common web delivery patterns. For the database, the requirement is explicitly Microsoft SQL Server and resilience across AZs.
An Amazon RDS for SQL Server Multi-AZ deployment (Option B) is designed to provide high availability by maintaining a standby replica in a different Availability Zone and performing automated failover in certain failure scenarios. This meets the Multi-AZ resiliency requirement while reducing operational overhead compared to self-managed database clustering on EC2.
Option A uses RDS Custom for SQL Server, which is intended for scenarios where you need OS-level and database-level access/customization. That typically increases operational responsibility and is not the simplest “resilient Multi-AZ” answer unless the scenario demands deep customization (it does not here).
Options C and D propose using EBS Multi-Attach for static content, which is not a good fit for static website assets and adds complexity; Multi-Attach is limited and does not replace object storage semantics.
Option D also adds substantial operational overhead by running and managing SQL Server across EC2 instances in multiple AZs, including patching, backups, and HA configuration.
Therefore, B best meets all requirements: S3 for static object content and RDS for SQL Server Multi-AZ for resilient, managed database high availability across Availability Zones.
B
Explanation:
Comprehensive and Detailed 250 to 300 words of Explanation (AWS documentation-based, no links):
To achieve resilience across multiple Availability Zones, the architecture should use services that natively provide Multi-AZ durability and failover with minimal manual intervention. For static website content, Amazon S3 is the natural choice because it stores objects durably and is designed for high availability; it also integrates well with common web delivery patterns. For the database, the requirement is explicitly Microsoft SQL Server and resilience across AZs.
An Amazon RDS for SQL Server Multi-AZ deployment (Option B) is designed to provide high availability by maintaining a standby replica in a different Availability Zone and performing automated failover in certain failure scenarios. This meets the Multi-AZ resiliency requirement while reducing operational overhead compared to self-managed database clustering on EC2.
Option A uses RDS Custom for SQL Server, which is intended for scenarios where you need OS-level and database-level access/customization. That typically increases operational responsibility and is not the simplest “resilient Multi-AZ” answer unless the scenario demands deep customization (it does not here).
Options C and D propose using EBS Multi-Attach for static content, which is not a good fit for static website assets and adds complexity; Multi-Attach is limited and does not replace object storage semantics.
Option D also adds substantial operational overhead by running and managing SQL Server across EC2 instances in multiple AZs, including patching, backups, and HA configuration.
Therefore, B best meets all requirements: S3 for static object content and RDS for SQL Server Multi-AZ for resilient, managed database high availability across Availability Zones.
Question #96
A company has a multi-tier web application. The application’s internal service components are deployed on Amazon EC2 instances. The internal service components need to access third-party software as a service (SaaS) APIs that are hosted on AWS.
The company needs to provide secure and private connectivity from the application’s internal services to the third-party SaaS application. The company needs to ensure that there is minimal public internet exposure.
Which solution will meet these requirements?
- A . Implement an AWS Site-to-Site VPN to establish a secure connection with the third-party SaaS provider.
- B . Deploy AWS Transit Gateway to manage and route traffic between the application’s VPC and the third-party SaaS provider.
- C . Configure AWS PrivateLink to allow only outbound traffic from the VPC without enabling the third-party SaaS provider to establish a return path to the network.
- D . Use AWS PrivateLink to create a private connection between the application’s VPC and the third-party SaaS provider.
Correct Answer: D
D
Explanation:
AWS PrivateLink enables private connectivity between VPCs and supported AWS or third-party services without exposing traffic to the public internet. It ensures secure and private communications, making it ideal for connecting internal services to SaaS applications hosted in AWS.
Reference: AWS Documentation C AWS PrivateLink for SaaS Connectivity
D
Explanation:
AWS PrivateLink enables private connectivity between VPCs and supported AWS or third-party services without exposing traffic to the public internet. It ensures secure and private communications, making it ideal for connecting internal services to SaaS applications hosted in AWS.
Reference: AWS Documentation C AWS PrivateLink for SaaS Connectivity
Question #97
A company has developed an API using an Amazon API Gateway REST API and AWS Lambda functions. The API serves static and dynamic content to users worldwide. The company wants to decrease the latency of transferring content for API requests.
- A . Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding
in the API definition to compress the application data in transit. - B . Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
- C . Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
- D . Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
Correct Answer: A
A
Explanation:
A
Explanation:
Question #98
A company has a business system that generates hundreds of reports each day. The business system saves the reports to a network share in CSV format. The company needs to store this data in the AWS Cloud in near-real time for analysis.
- A . Use AWS DataSync to transfer the files to Amazon S3. Create a scheduled task that runs at the end of each day.
- B . Create an Amazon S3 File Gateway. Update the business system to use a new network share from the S3 File Gateway.
- C . Use AWS DataSync to transfer the files to Amazon S3. Create an application that uses the DataSync API in the automation workflow.
- D . Deploy an AWS Transfer for SFTP endpoint. Create a script that checks for new files on the network share and uploads the new files by using SFTP.
Correct Answer: B
B
Explanation:
Amazon S3 File Gateway (AWS Storage Gateway) exposes an on-premises NFS/SMB file share that durably stores files as S3 objects with local caching, enabling low-latency writes on-premises and asynchronous, near-real-time ingestion into Amazon S3 for analytics. It is purpose-built to “present a file interface backed by Amazon S3” and to “store files as objects in your S3 buckets,” so existing applications writing to a network share can transparently land data in S3 without custom scripts or job orchestration. Compared with scheduled transfers (e.g., end-of-day DataSync), S3 File Gateway continuously uploads new/changed files, better meeting the near-real-time requirement. Transfer Family (SFTP) would require custom polling and client changes, increasing operational burden. DataSync is excellent for bulk or periodic migrations/synchronizations but is not as seamless for continuous ingestion from a live file share.
Therefore, updating the application to point to an S3 File Gateway share provides the simplest, performant path to near-real-time delivery into S3 for downstream analytics.
Reference: AWS Storage Gateway User Guide ― “What is Amazon S3 File Gateway,” “How S3 File Gateway works,” “File share protocols (SMB, NFS),” “Object creation and upload behavior,” and AWS Well-Architected ― Analytics ingestion patterns.
B
Explanation:
Amazon S3 File Gateway (AWS Storage Gateway) exposes an on-premises NFS/SMB file share that durably stores files as S3 objects with local caching, enabling low-latency writes on-premises and asynchronous, near-real-time ingestion into Amazon S3 for analytics. It is purpose-built to “present a file interface backed by Amazon S3” and to “store files as objects in your S3 buckets,” so existing applications writing to a network share can transparently land data in S3 without custom scripts or job orchestration. Compared with scheduled transfers (e.g., end-of-day DataSync), S3 File Gateway continuously uploads new/changed files, better meeting the near-real-time requirement. Transfer Family (SFTP) would require custom polling and client changes, increasing operational burden. DataSync is excellent for bulk or periodic migrations/synchronizations but is not as seamless for continuous ingestion from a live file share.
Therefore, updating the application to point to an S3 File Gateway share provides the simplest, performant path to near-real-time delivery into S3 for downstream analytics.
Reference: AWS Storage Gateway User Guide ― “What is Amazon S3 File Gateway,” “How S3 File Gateway works,” “File share protocols (SMB, NFS),” “Object creation and upload behavior,” and AWS Well-Architected ― Analytics ingestion patterns.
Question #99
A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?
- A . Server-side encryption with customer-provided keys (SSE-C)
- B . Server-side encryption with Amazon S3 managed keys (SSE-S3)
- C . Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
- D . Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation
Correct Answer: D
D
Explanation:
SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.
Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.
Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.
Implementation:
Create a KMS key with automatic rotation enabled.
Configure the S3 bucket to use SSE-KMS with the created KMS key.
Ensure CloudTrail is enabled for logging KMS key usage.
Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.
Reference: AWS KMS Automatic Key Rotation
Amazon S3 Server-Side Encryption
D
Explanation:
SSE-KMS: Server-side encryption with AWS Key Management Service (SSE-KMS) provides robust encryption of data at rest, integrated with AWS KMS for key management and auditing.
Automatic Key Rotation: By enabling automatic rotation for the KMS keys, the system ensures that keys are rotated annually without manual intervention, meeting compliance requirements.
Logging and Auditing: AWS KMS automatically logs all key usage and management actions in AWS CloudTrail, providing the necessary audit logs.
Implementation:
Create a KMS key with automatic rotation enabled.
Configure the S3 bucket to use SSE-KMS with the created KMS key.
Ensure CloudTrail is enabled for logging KMS key usage.
Operational Efficiency: This solution provides encryption, automatic key management, and auditing in a seamless, fully managed way, reducing operational overhead.
Reference: AWS KMS Automatic Key Rotation
Amazon S3 Server-Side Encryption
Question #100
A company hosts an application on AWS and has generated approximately 2.5 TB of data over 12 years. The data is stored on Amazon EBS volumes.
The company wants a cost-effective backup solution for long-term storage and must be able to retrieve the data within minutes for audits.
Which solution will meet these requirements?
- A . Create EBS snapshots.
- B . Use Amazon S3 Glacier Deep Archive.
- C . Use Amazon S3 Glacier Flexible Retrieval.
- D . Use Amazon Elastic File System (Amazon EFS).
Correct Answer: C
C
Explanation:
The requirements combine long-term, low-cost storage with retrieval within minutes, which narrows the viable storage classes significantly. Amazon S3 Glacier Flexible Retrieval is designed for exactly this use case: infrequently accessed data that must still be retrievable quickly.
Option C provides substantially lower storage cost than EBS snapshots or EFS while supporting expedited retrievals, which can return data within minutes when required for audits. This meets both the cost and retrieval time constraints. Glacier Flexible Retrieval also integrates seamlessly with S3 lifecycle policies, enabling automated transitions from EBS snapshots or S3 Standard to archival storage.
Option A (EBS snapshots) provides durability but is more expensive for long-term storage at this scale.
Option B (Glacier Deep Archive) is cheaper but does not meet the retrieval requirement, as restore times are measured in hours, not minutes.
Option D (EFS) is a high-performance file system and is the most expensive option for long-term backups.
Therefore, C is the correct choice because it balances cost efficiency, durability, and audit-friendly retrieval times, aligning with AWS storage best practices for compliance-driven archival data.
C
Explanation:
The requirements combine long-term, low-cost storage with retrieval within minutes, which narrows the viable storage classes significantly. Amazon S3 Glacier Flexible Retrieval is designed for exactly this use case: infrequently accessed data that must still be retrievable quickly.
Option C provides substantially lower storage cost than EBS snapshots or EFS while supporting expedited retrievals, which can return data within minutes when required for audits. This meets both the cost and retrieval time constraints. Glacier Flexible Retrieval also integrates seamlessly with S3 lifecycle policies, enabling automated transitions from EBS snapshots or S3 Standard to archival storage.
Option A (EBS snapshots) provides durability but is more expensive for long-term storage at this scale.
Option B (Glacier Deep Archive) is cheaper but does not meet the retrieval requirement, as restore times are measured in hours, not minutes.
Option D (EFS) is a high-performance file system and is the most expensive option for long-term backups.
Therefore, C is the correct choice because it balances cost efficiency, durability, and audit-friendly retrieval times, aligning with AWS storage best practices for compliance-driven archival data.