Practice Free SAA-C03 Exam Online Questions
A media company hosts a web application on AWS for uploading videos. Only authenticated users should upload within a specified time frame after authentication.
Which solution will meet these requirements with the LEAST operational overhead?
- A . Configure the application to generate IAM temporary security credentials for authenticated users.
- B . Create an AWS Lambda function that generates pre-signed URLs when a user authenticates.
- C . Develop a custom authentication service that integrates with Amazon Cognito to control and log direct S3 bucket access through the application.
- D . Use AWS Security Token Service (AWS STS) to assume a pre-defined IAM role that grants authenticated users temporary permissions to upload videos directly to the S3 bucket.
B
Explanation:
Option B: Pre-signed URLs provide temporary, authenticated access to S3, limiting uploads to the time frame specified. This solution is lightweight, efficient, and easy to implement.
Option A requires the management of IAM temporary credentials, adding complexity.
Option C involves unnecessary development effort.
Option D introduces more complexity with STS and roles than pre-signed URLs.
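To show why a pre-signed URL satisfies the "specified time frame" requirement, the following added example (not code from the original page) re-implements SigV4 query-string presigning with the Python standard library only, so it runs offline; in production you would call boto3's `generate_presigned_url` instead. It assumes the bucket name, Region and the credential values shown, all of which are constructed placeholders. The check function recomputes the signature and the expiry window the way S3 does on receipt, which shows that `X-Amz-Expires` is signed and therefore cannot be widened by the holder of the URL.

```python
"""Time-bounded S3 upload URLs via SigV4 presigning (added example, stdlib only)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlparse

REGION = "us-east-1"                              # assumption
BUCKET = "example-video-uploads"                  # constructed placeholder
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"               # constructed placeholder, not a real key
SECRET_KEY = "exampleSecretKeyNotRealDoNotUse"    # constructed placeholder


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # SigV4 derivation chain: secret -> date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    return _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")


def _canonical_query(params: dict) -> str:
    # RFC 3986 encoding with only unreserved characters left bare, sorted by name.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(method: str, host: str, path: str, params: dict,
               secret: str, amz_date: str, region: str) -> str:
    date = amz_date[:8]
    canonical_request = "\n".join([
        method,
        quote(path, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",        # canonical headers block, terminated by a blank line
        "host",                  # signed headers
        "UNSIGNED-PAYLOAD",      # presigned S3 URLs do not sign the request body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region, "s3"),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_put(key: str, expires_seconds: int, now: datetime) -> str:
    """Return a presigned PUT URL that S3 accepts for expires_seconds after `now` (UTC)."""
    if not 1 <= expires_seconds <= 604800:
        raise ValueError("presigned URLs allow a lifetime of 1 second to 7 days")
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    path = "/" + key
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("PUT", host, path, params, SECRET_KEY, amz_date, REGION)
    return (f"https://{host}{quote(path, safe='/-_.~')}?"
            f"{_canonical_query(params)}&X-Amz-Signature={sig}")


def check_presigned_url(url: str, now: datetime) -> str:
    """Recreate the receiving side's decision: 'ok', 'expired' or 'bad-signature'."""
    parsed = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    presented = qs.pop("X-Amz-Signature", "")
    amz_date = qs["X-Amz-Date"]
    region = qs["X-Amz-Credential"].split("/")[2]
    # X-Amz-Expires is one of the signed parameters, so editing it breaks the signature.
    expected = _signature("PUT", parsed.netloc, unquote(parsed.path), qs,
                          SECRET_KEY, amz_date, region)
    if not hmac.compare_digest(presented, expected):
        return "bad-signature"
    issued = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(qs["X-Amz-Expires"])):
        return "expired"
    return "ok"


def demo(minutes_after_issue: int, tamper: bool = False) -> str:
    """Issue a 15-minute URL at a fixed instant and check it later; optionally widen
    the expiry in the URL the way a client might try to."""
    issued = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed instant
    url = presign_put("uploads/clip.mp4", 900, issued)
    if tamper:
        url = url.replace("X-Amz-Expires=900", "X-Amz-Expires=86400")
    return check_presigned_url(url, issued + timedelta(minutes=minutes_after_issue))


if __name__ == "__main__":
    print(demo(5), demo(16), demo(16, tamper=True))
```

Issue the URL server-side only after the user has authenticated, and keep the lifetime as short as the upload flow allows; the window is enforced by S3 from the signed `X-Amz-Date` and `X-Amz-Expires` values, so no custom expiry logic has to run in the application.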
A company’s software development team needs an Amazon RDS Multi-AZ cluster. The RDS cluster will serve as a backend for a desktop client that is deployed on premises. The desktop client requires direct connectivity to the RDS cluster.
The company must give the development team the ability to connect to the cluster by using the client when the team is in the office.
Which solution provides the required connectivity MOST securely?
- A . Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Use AWS Site-to-Site VPN with a customer gateway in the company’s office.
- B . Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use AWS Site-to-Site VPN with a customer gateway in the company’s office.
- C . Create a VPC and two private subnets. Create the RDS cluster in the private subnets. Use RDS security groups to allow the company’s office IP ranges to access the cluster.
- D . Create a VPC and two public subnets. Create the RDS cluster in the public subnets. Create a cluster user for each developer. Use RDS security groups to allow the users to access the cluster.
B
Explanation:
Requirement Analysis: Need secure, direct connectivity from an on-premises client to an RDS cluster, accessible only when in the office.
VPC with Private Subnets: Ensures the RDS cluster is not publicly accessible, enhancing security.
Site-to-Site VPN: Provides secure, encrypted connection between on-premises office and AWS VPC.
Implementation:
Create a VPC with two private subnets.
Launch the RDS cluster in the private subnets.
Set up a Site-to-Site VPN connection with a customer gateway in the office.
Conclusion: This setup ensures secure and direct connectivity with minimal exposure, meeting the requirement for secure access from the office.
Reference:
AWS Site-to-Site VPN: AWS Site-to-Site VPN Documentation
Amazon RDS: Amazon RDS Documentation
A company manages multiple AWS accounts in an organization in AWS Organizations. The company’s applications run on Amazon EC2 instances in multiple AWS Regions. The company needs a solution to simplify the management of security rules across the accounts in its organization. The solution must apply shared security group rules, audit security groups, and detect unused and redundant rules in VPC security groups across all AWS environments.
Which solution will meet these requirements with the MOST operational efficiency?
- A . Use AWS Firewall Manager to create a set of rules based on the security requirements. Replicate the rules to all the AWS accounts and Regions.
- B . Use AWS CloudFormation StackSets to provision VPC security groups based on the specifications across multiple accounts and Regions. Deploy AWS Network Firewall to define the firewall rules to control network traffic across multiple accounts and Regions.
- C . Use AWS CloudFormation StackSets to provision VPC security groups based on the specifications across multiple accounts and Regions. Configure AWS Config and AWS Lambda to evaluate compliance information and to automate enforcement across all accounts and Regions.
- D . Use AWS Network Firewall to build policies based on the security requirements. Centrally apply the new policies to all the VPCs and accounts.
A
Explanation:
AWS Firewall Manager integrates with AWS Organizations to centrally manage and apply security group policies, AWS WAF rules, and AWS Shield Advanced protections. It automates the propagation of rules across accounts and Regions and can also audit and remediate noncompliant configurations.
Reference: AWS Documentation – AWS Firewall Manager for Centralized Security Group Management
A company uses a general-purpose instance class Amazon RDS for MySQL DB instance in a Multi-AZ configuration. The finance team runs SQL queries to generate reports. Customers experience performance issues during report generation.
A solutions architect needs to minimize the effect of the reporting job on the DB instance.
Which solution will meet these requirements?
- A . Create a proxy in Amazon RDS Proxy. Update the reporting job to query the proxy endpoint.
- B . Update the RDS DB instance configuration to use three Availability Zones.
- C . Add an RDS read replica. Update the reporting job to query the replica endpoint.
- D . Change the RDS configuration to a memory-optimized instance class.
C
Explanation:
The performance issue occurs because reporting queries compete with production traffic on the same primary database instance. The best-practice AWS solution is to offload read-heavy workloads to a separate database endpoint.
Option C adds an Amazon RDS read replica, which asynchronously replicates data from the primary instance. By redirecting reporting queries to the replica endpoint, the primary database can focus on transactional workloads, significantly improving application performance and customer experience.
Read replicas are specifically designed for this use case: scaling read capacity and isolating reporting or analytics queries. This solution requires minimal changes to the reporting job (endpoint update only) and avoids overprovisioning the primary database.
Option A (RDS Proxy) improves connection management but does not reduce query load or isolate reporting traffic.
Option B is invalid because Multi-AZ does not scale reads and is not configurable across three AZs for a single instance.
Option D increases instance size but does not address the underlying contention between workloads and increases cost unnecessarily.
Therefore, C is the most efficient and scalable solution to minimize reporting impact while maintaining high performance and availability.
A company decides to use AWS Key Management Service (AWS KMS) for data encryption operations. The company must create a KMS key and automate the rotation of the key. The company also needs the ability to deactivate the key and schedule the key for deletion.
Which solution will meet these requirements?
- A . Create an asymmetric customer managed KMS key. Enable automatic key rotation.
- B . Create a symmetric customer managed KMS key. Disable the envelope encryption option.
- C . Create a symmetric customer managed KMS key. Enable automatic key rotation.
- D . Create an asymmetric customer managed KMS key. Disable the envelope encryption option.
C
Explanation:
To meet the requirements, the key must support automatic rotation, and the company must be able to disable (deactivate) the key and schedule deletion. In AWS KMS, these lifecycle controls are available for customer managed keys. Automatic key rotation is supported for symmetric customer managed KMS keys used for encryption and decryption operations. When automatic rotation is enabled, AWS KMS generates new cryptographic material for the key on a regular schedule while the key ID remains the same, helping organizations meet compliance and security best practices without manual operational work.
Option C is the only choice that explicitly combines a symmetric customer managed key with automatic rotation enabled, which directly satisfies the rotation requirement. As a customer managed key, it can also be disabled (to prevent use) and scheduled for deletion (with a waiting period), meeting the rest of the lifecycle needs.
Option A is incorrect because automatic rotation is not generally available for asymmetric KMS keys in the same way; asymmetric keys are used for specialized use cases such as signing or asymmetric encryption, and rotation behavior differs.
Options B and D mention “disabling envelope encryption,” which is not a configurable “option” you turn off in KMS; envelope encryption is a recommended pattern where KMS protects data keys, and services commonly use it under the hood. Those options therefore do not describe a valid configuration that meets the requirement.
Therefore, the correct solution is to create a symmetric customer managed KMS key and enable automatic rotation, while using standard KMS controls to disable and schedule deletion when required.
A solutions architect has created an AWS Lambda function that makes queries to an Amazon Aurora MySQL DB instance. When the solutions architect performs a test, the DB instance shows an error for too many connections.
Which solution will meet these requirements with the LEAST operational effort?
- A . Create a read replica for the DB instance. Query the replica DB instance instead of the primary DB instance.
- B . Migrate the data to an Amazon DynamoDB database.
- C . Configure the Amazon Aurora MySQL DB instance for Multi-AZ deployment.
- D . Create a proxy in Amazon RDS Proxy. Query the proxy instead of the DB instance.
D
Explanation:
Amazon RDS Proxy is a fully managed, highly available database proxy that allows applications to pool and share database connections efficiently.
In serverless architectures like Lambda, rapid invocations can open numerous concurrent connections to Aurora, potentially overwhelming the database and causing “too many connections” errors.
By using Amazon RDS Proxy, the solution:
Pools database connections.
Maintains warm connections that can be reused.
Supports IAM authentication and Secrets Manager integration.
Requires minimal application change and low operational effort.
This directly supports the Performance Efficiency pillar of the AWS Well-Architected Framework, ensuring the application scales without overloading the DB.
Reference: Amazon RDS Proxy Documentation
Lambda + RDS Best Practices
A company runs multiple applications in multiple AWS accounts within the same organization in AWS Organizations. A content management system (CMS) runs on Amazon EC2 instances in a VPC. The CMS needs to access shared files from an Amazon Elastic File System (Amazon EFS) file system that is deployed in a separate AWS account. The EFS account is in a separate VPC.
Which solution will meet this requirement?
- A . Mount the EFS file system on the EC2 instances by using the EFS Elastic IP address.
- B . Enable VPC sharing between the two accounts. Use the EFS mount helper to mount the file system on the EC2 instances. Redeploy the EFS file system in a shared subnet.
- C . Configure AWS Systems Manager Run Command to mount the EFS file system on the EC2 instances.
- D . Install the amazon-efs-utils package on the EC2 instances. Add the mount target in the efs-config file. Mount the EFS file system by using the EFS access point.
D
Explanation:
To access an EFS file system across accounts and VPCs, the file system must be reachable over VPC peering or AWS Transit Gateway, and the EC2 instances must use the amazon-efs-utils package with the correct mount target or access point.
Using an EFS access point simplifies access management, especially across accounts, by providing a POSIX identity and access policy layer.
VPC sharing doesn’t support EFS directly unless the subnet and resources are shared properly, which requires redeployment.
Therefore, option D is the most complete and correct.
A company’s reporting system delivers hundreds of .csv files to an Amazon S3 bucket each day. The company must convert these files to Apache Parquet format and must store the files in a transformed data bucket.
Which solution will meet these requirements with the LEAST development effort?
- A . Create an Amazon EMR cluster with Apache Spark installed. Write a Spark application to transform the data. Use EMR File System (EMRFS) to write files to the transformed data bucket.
- B . Create an AWS Glue crawler to discover the data. Create an AWS Glue extract, transform, and load (ETL) job to transform the data. Specify the transformed data bucket in the output step.
- C . Use AWS Batch to create a job definition with Bash syntax to transform the data and output the data to the transformed data bucket. Use the job definition to submit a job. Specify an array job as the job type.
- D . Create an AWS Lambda function to transform the data and output the data to the transformed data bucket. Configure an event notification for the S3 bucket. Specify the Lambda function as the destination for the event notification.
B
Explanation:
AWS Glue provides a serverless ETL solution requiring minimal development. Glue supports conversion to Parquet with managed jobs and integrates with S3 for output.
Reference: AWS Documentation – AWS Glue Overview
A company is developing a containerized web application that needs to be highly available and scalable. The application requires access to GPU resources.
- A . Package the application as an AWS Lambda function in a container image. Use Lambda to run the containerized application on a runtime with GPU access.
- B . Deploy the application container to Amazon Elastic Kubernetes Service (Amazon EKS). Use AWS Fargate to manage compute resources and access to GPU resources.
- C . Deploy the application container to Amazon Elastic Container Registry (Amazon ECR). Use Amazon ECR to run the containerized application with an attached GPU.
- D . Run the application on Amazon EC2 instances from a GPU instance family by using Amazon Elastic Container Service (Amazon ECS) for orchestration.
D
Explanation:
Why Option D is Correct:
GPU Access: Only EC2 instances in the GPU family (e.g., P2, P3) can provide GPU resources.
ECS Orchestration: Simplifies container deployment and management.
Why Other Options Are Not Ideal:
Option A: Lambda does not support GPU-based runtimes.
Option B: AWS Fargate does not support GPU-based workloads.
Option C: ECR is a container registry, not an orchestration or execution service.
Reference: Amazon ECS with GPU Instances: AWS Documentation – ECS GPU Instances
A company runs an application in a VPC on AWS. The company’s on-premises data center has a DNS server. The data center is connected to AWS through an AWS Direct Connect connection with a private virtual interface (VIF). The on-premises DNS server needs to resolve the DNS name of the application in the VPC.
- A . Set up AWS Verified Access endpoints in the VPC. Configure DNS forwarding rules in Verified Access. Configure the on-premises DNS server to forward DNS queries through the Verified Access endpoints.
- B . Configure the Direct Connect connection to enable DNS resolution between the on-premises DNS server and the application in the VPC.
- C . Create an Amazon Route 53 Resolver outbound endpoint and a Resolver rule in the VPC. Configure the on-premises DNS server to send requests for the application to the outbound endpoint.
- D . Create an Amazon Route 53 Resolver inbound endpoint in the VPC. Configure the on-premises DNS server to send requests for the application to the inbound endpoint.
D
Explanation:
When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution.
Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities.
Therefore, option D is the correct design.
Reference:
• Amazon Route 53 Resolver Developer Guide ― Inbound and outbound endpoints
• AWS Well-Architected Framework ― Security Pillar: Hybrid DNS integration
