AWS SAA-C03: Solutions Architect Associate Practice Exam
Validates ability to design and implement distributed systems on AWS, covering compute, storage, databases, networking, security, and cost optimization.
Practice 414 exam-style AWS SAA-C03 questions with full answer explanations, then take timed mock exams that score like the real thing.
What the AWS SAA-C03 exam covers
- Design Secure Architectures: 107 questions
- Design Resilient Architectures: 105 questions
- Design High-Performing Architectures: 102 questions
- Design Cost-Optimized Architectures: 100 questions
Free AWS SAA-C03 sample questions
A sample of 10 questions with answers and explanations. Sign up free to practice all 414.
A financial services company stores sensitive customer documents in Amazon S3. A recent compliance audit requires that all objects be encrypted at rest using keys managed by the company's security team, with full control over key rotation schedules and the ability to audit key usage. The company also needs to disable keys immediately if a breach is suspected. Which encryption approach meets these requirements?
- A. Implement client-side encryption using the AWS Encryption SDK with keys stored in AWS Secrets Manager
- B. Enable SSE-S3 default encryption on the S3 bucket
- C. Enable SSE-KMS encryption using an AWS managed key (aws/s3)
- D. Enable SSE-KMS encryption using a customer managed key (CMK) in AWS KMS (Correct)
✓ Correct answer: D. A customer managed KMS key gives the company control over the key's whole lifecycle: it writes the key policy that decides who may use the key, chooses whether automatic rotation is on and how often it runs, and can disable the key immediately, after which S3 can no longer decrypt any object protected by it until the key is re-enabled. KMS API calls are recorded in AWS CloudTrail for both customer managed and AWS managed keys, but only a customer managed key lets the company set its rotation schedule, restrict its use, and switch it off. The audit requires company control over rotation and disablement, which only option D provides.
Why the other options are wrong:
- A. Implement client-side encryption using the AWS Encryption SDK with keys stored in AWS Secrets Manager is incorrect because Secrets Manager stores and rotates secrets such as database passwords; it is not a key management service. It cannot disable a key so that data already encrypted under it becomes unreadable, it does not log individual encrypt and decrypt operations the way KMS does, and client-side encryption moves key handling into every application that touches the bucket.
- B. Enable SSE-S3 default encryption on the S3 bucket is incorrect because SSE-S3 uses keys that Amazon S3 generates and manages itself; the company cannot view, rotate on its own schedule, restrict, or disable them.
- C. Enable SSE-KMS encryption using an AWS managed key (aws/s3) is incorrect because AWS owns that key's configuration: its key policy cannot be edited, its rotation is fixed at once a year, and the customer cannot disable or delete it.
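To see what "encrypted only with the company's key" looks like when enforced, here is an added example in Python (not part of the CertGrid page or any AWS sample). It builds a bucket policy that denies uploads which explicitly request anything other than SSE-KMS with the company's customer managed key, and mirrors how the two Deny statements evaluate against a request's encryption headers. The bucket name and key ARN are placeholders; the policy assumes default bucket encryption is also set to the same key, so uploads that send no encryption header inherit it.

```python
import json
from typing import Dict, Optional

# Placeholder names for this example (not from the original page).
BUCKET = "example-customer-documents"
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# S3 condition keys populated from the PutObject request headers.
ALG_KEY = "s3:x-amz-server-side-encryption"
KEYID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def build_bucket_policy(bucket: str, cmk_arn: str) -> dict:
    """Bucket policy that denies any upload which explicitly asks for an
    encryption method or KMS key other than the company's customer managed key.

    Uploads that send no encryption headers are not denied here: with default
    bucket encryption set to the same key, they inherit it. That fall-through
    works because an IAM StringNotEquals condition does not match when the
    condition key is absent from the request context."""
    resource = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": resource}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyNonKmsEncryption", **deny,
             "Condition": {"StringNotEquals": {ALG_KEY: "aws:kms"}}},
            {"Sid": "DenyWrongKmsKey", **deny,
             "Condition": {"StringNotEquals": {KEYID_KEY: cmk_arn}}},
        ],
    }


def put_object_denied(policy: dict, headers: Dict[str, str]) -> Optional[str]:
    """Evaluate the policy's Deny statements for one PutObject request.

    `headers` maps the request's x-amz-* headers to their values. Returns the
    Sid of the statement that denies the request, or None if nothing denies it
    (the caller's own IAM permissions must still allow the PutObject)."""
    context = {
        ALG_KEY: headers.get("x-amz-server-side-encryption"),
        KEYID_KEY: headers.get("x-amz-server-side-encryption-aws-kms-key-id"),
    }
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or "StringNotEquals" not in stmt["Condition"]:
            continue
        for key, expected in stmt["Condition"]["StringNotEquals"].items():
            actual = context.get(key)
            # Absent key: the condition does not match, so this Deny is skipped.
            if actual is not None and actual != expected:
                return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, CMK_ARN)
    print(json.dumps(policy, indent=2))
    # Constructed requests, not captured traffic.
    requests = {
        "no header (bucket default applies)": {},
        "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
        "SSE-KMS, company key": {"x-amz-server-side-encryption": "aws:kms",
                                 "x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN},
        "SSE-KMS, other key": {"x-amz-server-side-encryption": "aws:kms",
                               "x-amz-server-side-encryption-aws-kms-key-id": CMK_ARN.replace("1111", "9999", 1)},
    }
    for name, hdrs in requests.items():
        print(f"{name}: {put_object_denied(policy, hdrs) or 'allowed'}")
```

On a real bucket the policy is applied with boto3's put_bucket_policy(Bucket=..., Policy=json.dumps(policy)) and the default encryption with put_bucket_encryption; the CloudTrail events for Decrypt and GenerateDataKey against the key ARN are then the audit trail the question asks for. Dual-layer SSE-KMS (aws:kms:dsse) would be denied by the first statement unless it is added as a second permitted value.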
A company runs a web application that uses Amazon API Gateway and AWS Lambda. The application must authenticate users and authorize access to specific API resources based on user group membership. The company wants to use a managed service and avoid managing its own user directory infrastructure. Which solution should the solutions architect recommend?
- A. Deploy an OpenLDAP server on Amazon EC2 and integrate it with API Gateway using a Lambda authorizer.
- B. Create an Amazon Cognito user pool, configure groups, and use a Cognito user pool authorizer in API Gateway. (Correct)
- C. Store user credentials in Amazon DynamoDB and validate them using a Lambda authorizer.
- D. Use IAM users and groups with IAM authorization in API Gateway.
✓ Correct answer: B. Cognito user pools provide a managed user directory with sign-up, sign-in, password policies, MFA, and federation built in. Groups are defined inside the user pool and users are assigned to them; the group names are issued in the token's cognito:groups claim. The API Gateway Cognito user pool authorizer validates the token's signature, issuer, and expiry without any custom code, and the Lambda integration behind it (or a Lambda authorizer, if the check must run before the backend is invoked) reads cognito:groups from the request context to allow or refuse each resource. The result is group-based authorization with no user directory infrastructure to operate.
Why the other options are wrong:
- A. Deploy an OpenLDAP server on Amazon EC2 and integrate it with API Gateway using a Lambda authorizer is incorrect because the company would have to run, patch, back up, and scale the OpenLDAP servers itself, which is exactly the directory infrastructure it wants to avoid.
- C. Store user credentials in Amazon DynamoDB and validate them using a Lambda authorizer is incorrect because it makes the team the operator of its own identity store: it must hash and store passwords correctly and build MFA, account recovery, and lockout itself, and it gets none of the federation or token issuance a managed identity provider supplies.
- D. Use IAM users and groups with IAM authorization in API Gateway is incorrect because IAM principals are meant for AWS accounts, services, and operators, not application end users; every user would need an IAM identity and every request would have to be SigV4-signed, which does not fit a public web application.
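The explanation above draws a line between what the Cognito authorizer does (token validation) and what the code behind it must do (the group check). Here is an added example in Python, not from the CertGrid page or from AWS, of a Lambda proxy handler that performs that check. The route-to-group table and the sample event are constructed for illustration; the location of the claims at event["requestContext"]["authorizer"]["claims"] and the string form of cognito:groups follow the REST API Cognito authorizer, and the handler normalises the claim defensively rather than relying on one exact format.

```python
import json
import re
from typing import Dict, FrozenSet, Set, Tuple

# Hypothetical route table for this example (not from the original page):
# (HTTP method, API Gateway resource path) -> groups allowed to call it.
ROUTE_GROUPS: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("GET", "/reports"): frozenset({"analysts", "admins"}),
    ("DELETE", "/reports/{id}"): frozenset({"admins"}),
}


def groups_from_claims(claims: dict) -> Set[str]:
    """Extract the user's Cognito groups from already-validated token claims.

    A REST API Cognito user pool authorizer copies the token claims into
    event["requestContext"]["authorizer"]["claims"] as strings, so the
    cognito:groups array may arrive as a list, a comma-separated string or a
    bracketed string such as "[admins, analysts]". Cognito group names cannot
    contain whitespace or commas, so splitting on both is safe."""
    raw = claims.get("cognito:groups")
    if raw is None:
        return set()
    if isinstance(raw, (list, tuple, set)):
        return {str(g).strip() for g in raw if str(g).strip()}
    parts = re.split(r"[,\s]+", str(raw).strip().strip("[]"))
    return {p for p in parts if p}


def authorize(method: str, resource: str, claims: dict) -> bool:
    """Default deny: unmapped routes and users in no permitted group are refused."""
    allowed = ROUTE_GROUPS.get((method.upper(), resource))
    if not allowed:
        return False
    return not allowed.isdisjoint(groups_from_claims(claims))


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def lambda_handler(event: dict, context=None) -> dict:
    """Lambda proxy integration behind a REST API method that uses a Cognito
    user pool authorizer. API Gateway has already rejected requests whose
    token is missing, forged or expired; this function adds the group check
    that the authorizer itself does not perform."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims") or {}
    if not claims:
        # Reached only if the method was deployed without the authorizer.
        return _response(401, {"message": "Unauthorized"})
    method, resource = event.get("httpMethod", ""), event.get("resource", "")
    if not authorize(method, resource, claims):
        required = sorted(ROUTE_GROUPS.get((method.upper(), resource), ()))
        return _response(403, {"message": "Forbidden", "required_groups": required})
    return _response(200, {"user": claims.get("cognito:username"),
                           "groups": sorted(groups_from_claims(claims))})


if __name__ == "__main__":
    # Constructed event in the shape API Gateway sends; not a captured request.
    event = {
        "httpMethod": "DELETE",
        "resource": "/reports/{id}",
        "requestContext": {"authorizer": {"claims": {
            "sub": "00000000-0000-0000-0000-000000000001",
            "cognito:username": "alice",
            "cognito:groups": "[analysts]",
            "token_use": "id"}}},
    }
    print(lambda_handler(event))  # analysts may not DELETE, so 403
```

Keeping the table in code is the simplest form; a larger API would usually move it into a Lambda authorizer so that one policy decision covers every method and the backend never runs for unauthorized callers.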
CloudFirst Retail stores customer payment card data in Amazon RDS for MySQL. PCI DSS compliance requires that the database is not accessible from the internet, encrypted at rest, and that connections to the database are encrypted in transit. Which combination of configurations satisfies these requirements?
- A. Deploy the RDS instance in a public subnet with no public IP, enable storage encryption, and use a security group to restrict access.
- B. Deploy the RDS instance in a private subnet, enable RDS encryption, and rely on the default VPC security to encrypt traffic in transit.
- C. Deploy the RDS instance in a private subnet, enable RDS encryption at rest with KMS, and enforce SSL/TLS connections by setting the require_secure_transport parameter to ON in the DB parameter group. (Correct)
- D. Deploy the RDS instance in a private subnet, use client-side encryption for all queries, and store encryption keys in the application code.
✓ Correct answer: C. A private subnet (no route to an internet gateway) with Publicly accessible set to No keeps the instance unreachable from the internet, and a security group that admits only the application tier narrows access further. Encryption at rest, chosen when the instance is created, uses a KMS key to protect the underlying storage, automated backups, snapshots, and read replicas. Setting require_secure_transport to ON in the instance's parameter group makes the MySQL server reject any connection that does not negotiate TLS, so in-transit encryption is enforced centrally instead of depending on each client. (rds.force_ssl is the equivalent parameter for RDS for PostgreSQL and SQL Server.) Together these satisfy all three requirements: not reachable from the internet, encrypted at rest, and encrypted in transit.
Why the other options are wrong:
- A. Deploy the RDS instance in a public subnet with no public IP, enable storage encryption, and use a security group to restrict access is incorrect because it does nothing about encryption in transit, and it leaves the database in a subnet that routes to an internet gateway, so only the Publicly accessible flag and the security group stand between it and the internet; a private subnet removes that exposure by design.
- B. Deploy the RDS instance in a private subnet, enable RDS encryption, and rely on the default VPC security to encrypt traffic in transit is incorrect because VPC isolation, security groups, and network ACLs only decide which hosts may connect; none of them encrypts the traffic. TLS has to be enforced on the server.
- D. Deploy the RDS instance in a private subnet, use client-side encryption for all queries, and store encryption keys in the application code is incorrect because keys embedded in code are readable by anyone with access to the repository or deployment artifact and can be neither rotated nor audited, and the database connection itself stays unencrypted, so credentials and query metadata still cross the network in the clear.
A company wants to deploy a web application firewall to protect its Amazon CloudFront distribution from common web exploits such as SQL injection and cross-site scripting (XSS). The solution should require minimal management effort. What should the solutions architect recommend?
- A. Associate an AWS WAF web ACL with the CloudFront distribution using AWS Managed Rules for the OWASP Top 10. (Correct)
- B. Use Amazon GuardDuty to block SQL injection and XSS attacks.
- C. Configure CloudFront to use signed URLs for all requests.
- D. Deploy a third-party firewall appliance on an EC2 instance in front of CloudFront.
✓ Correct answer: A. An AWS WAF web ACL can be associated directly with a CloudFront distribution (for CloudFront the web ACL is created in the US East (N. Virginia) Region), so requests are inspected at the edge before they reach the origin. AWS Managed Rules include the Core rule set, which covers the OWASP Top 10 categories, and the SQL database and Known bad inputs rule groups, which target SQL injection and common exploit payloads. AWS writes and updates these rules, so protection amounts to adding the rule groups to the web ACL rather than authoring and maintaining signatures.
Why the other options are wrong:
- B. Use Amazon GuardDuty to block SQL injection and XSS attacks is incorrect because GuardDuty analyzes CloudTrail, VPC Flow Logs, DNS logs, and similar sources to detect threats; it is not in the request path, does not inspect HTTP request bodies or query strings, and cannot block anything.
- C. Configure CloudFront to use signed URLs for all requests is incorrect because signed URLs decide who may fetch content; a request carrying a valid signature can still contain an injection payload.
- D. Deploy a third-party firewall appliance on an EC2 instance in front of CloudFront is incorrect because CloudFront is the internet-facing edge, so an EC2 appliance cannot sit in front of it; it would have to be placed at the origin, adding patching, scaling, and availability work while leaving traffic at the edge uninspected.
A company runs a critical web application on Amazon EC2 instances behind an Application Load Balancer (ALB) in a single Availability Zone. The business requires the application to remain available even if an entire Availability Zone experiences an outage. What should the solutions architect do to improve availability?
- A. Create an Auto Scaling group that spans multiple Availability Zones and configure the ALB to distribute traffic across all zones. (Correct)
- B. Deploy a second EC2 instance in the same Availability Zone and configure the ALB to use both instances.
- C. Take regular EBS snapshots and restore instances manually in another Availability Zone if a failure occurs.
- D. Enable enhanced monitoring on the EC2 instances to detect failures faster.
✓ Correct answer: A. An Auto Scaling group that spans at least two Availability Zones keeps the configured number of healthy instances running and launches replacements in the surviving zones if one zone fails. The ALB, enabled in subnets in the same zones, health-checks every target and routes requests only to healthy ones, so traffic keeps flowing to the remaining zone during an outage without any manual action.
Why the other options are wrong:
- B. Deploy a second EC2 instance in the same Availability Zone and configure the ALB to use both instances is incorrect because both instances share one failure domain; an AZ outage takes down both.
- C. Take regular EBS snapshots and restore instances manually in another Availability Zone if a failure occurs is incorrect because restoring from snapshots by hand means downtime until someone notices the failure and completes the rebuild, which does not meet the requirement to stay available.
- D. Enable enhanced monitoring on the EC2 instances to detect failures faster is incorrect because detecting a failure sooner does not keep the application up; only capacity already running in a second Availability Zone does.
A company uses Amazon S3 to store critical business documents. The team accidentally deleted an important folder last week and wants to ensure they can recover from accidental deletions in the future. Which S3 feature should the solutions architect enable?
- A. S3 Intelligent-Tiering.
- B. S3 Transfer Acceleration.
- C. S3 Versioning on the bucket. (Correct)
- D. S3 Cross-Region Replication.
✓ Correct answer: C. With versioning enabled, a DELETE that does not name a version ID removes no data; it inserts a delete marker that becomes the current version and hides the object from ordinary GET and LIST requests. The earlier versions stay in the bucket and appear in ListObjectVersions, and deleting the marker itself (a DELETE that specifies the marker's version ID) makes the most recent real version current again. Deleting a "folder" is just a delete of every object under that prefix, so each object receives its own marker and each can be recovered the same way. Adding MFA Delete to the versioned bucket further requires a second factor before any version can be permanently removed.
Why the other options are wrong:
- A. S3 Intelligent-Tiering is incorrect because it moves objects between access tiers to reduce storage cost; it keeps no history and offers no way back from a delete.
- B. S3 Transfer Acceleration is incorrect because it speeds up transfers by routing them through CloudFront edge locations; it has nothing to do with recovery.
- D. S3 Cross-Region Replication is incorrect because replication requires versioning on both buckets anyway, and depending on configuration it can replicate delete markers too, hiding the object in both Regions. It provides geographic redundancy; versioning on the source bucket is the feature that makes the recovery possible.
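To make the recovery concrete, here is an added Python example (not part of the CertGrid page or any AWS sample) that works out, from a ListObjectVersions-style listing, which delete markers are hiding objects under a deleted prefix and builds the DeleteObjects request that removes them. The listing is constructed sample data whose field names follow boto3's list_object_versions output; the example also flags keys whose data can no longer be recovered because nothing remains behind the marker.

```python
from typing import Dict, List, Optional

# Constructed sample shaped like the response of
# s3.list_object_versions(Bucket=..., Prefix="contracts/") after someone
# deleted the "contracts/2023/" folder. It is not real data.
SAMPLE_LISTING = {
    "Versions": [
        {"Key": "contracts/2023/a.pdf", "VersionId": "a-v1", "IsLatest": False, "LastModified": "2024-01-02T10:00:00Z"},
        {"Key": "contracts/2023/b.pdf", "VersionId": "b-v1", "IsLatest": False, "LastModified": "2024-01-03T10:00:00Z"},
        {"Key": "contracts/2023/b.pdf", "VersionId": "b-v2", "IsLatest": False, "LastModified": "2024-02-01T10:00:00Z"},
        # c.pdf was deleted once, then re-uploaded: its current version is real.
        {"Key": "contracts/2023/c.pdf", "VersionId": "c-v2", "IsLatest": True, "LastModified": "2024-03-01T10:00:00Z"},
        {"Key": "contracts/2022/z.pdf", "VersionId": "z-v1", "IsLatest": True, "LastModified": "2023-06-01T10:00:00Z"},
    ],
    "DeleteMarkers": [
        {"Key": "contracts/2023/a.pdf", "VersionId": "a-dm", "IsLatest": True, "LastModified": "2024-03-10T09:00:00Z"},
        {"Key": "contracts/2023/b.pdf", "VersionId": "b-dm", "IsLatest": True, "LastModified": "2024-03-10T09:00:00Z"},
        {"Key": "contracts/2023/c.pdf", "VersionId": "c-dm", "IsLatest": False, "LastModified": "2024-02-15T09:00:00Z"},
        # d.pdf: the marker is current but every real version was already expired.
        {"Key": "contracts/2023/d.pdf", "VersionId": "d-dm", "IsLatest": True, "LastModified": "2024-03-10T09:00:00Z"},
    ],
}


def restore_plan(listing: dict, prefix: str) -> List[Dict[str, Optional[str]]]:
    """For each key under `prefix` whose current version is a delete marker,
    return the marker to remove and the version that becomes current again.

    Only markers with IsLatest=True hide an object; an older marker has been
    superseded by a newer upload and must be left alone. LastModified values
    are all UTC ISO-8601 strings, so they compare correctly as text."""
    newest: Dict[str, dict] = {}
    for v in listing.get("Versions", []):
        key = v["Key"]
        if key.startswith(prefix) and (key not in newest or v["LastModified"] > newest[key]["LastModified"]):
            newest[key] = v
    plan = []
    for dm in listing.get("DeleteMarkers", []):
        if not dm["IsLatest"] or not dm["Key"].startswith(prefix):
            continue
        prior = newest.get(dm["Key"])
        plan.append({
            "Key": dm["Key"],
            "DeleteMarkerVersionId": dm["VersionId"],
            # None means nothing is left to restore: the marker is the only version.
            "RestoredVersionId": prior["VersionId"] if prior else None,
        })
    return sorted(plan, key=lambda p: p["Key"])


def delete_markers_request(plan: List[Dict[str, Optional[str]]]) -> dict:
    """Build the Delete argument for s3.delete_objects(Bucket=..., Delete=...).

    Each entry names the marker's own VersionId: deleting a delete marker by
    version removes it and un-hides the object. A DeleteObject without a
    VersionId would instead stack a second marker on top. Keys with nothing
    behind the marker are skipped and reported by unrecoverable()."""
    objects = [{"Key": p["Key"], "VersionId": p["DeleteMarkerVersionId"]}
               for p in plan if p["RestoredVersionId"] is not None]
    return {"Objects": objects, "Quiet": True}


def unrecoverable(plan: List[Dict[str, Optional[str]]]) -> List[str]:
    """Keys whose data is gone for good (no version remains behind the marker)."""
    return [p["Key"] for p in plan if p["RestoredVersionId"] is None]


if __name__ == "__main__":
    plan = restore_plan(SAMPLE_LISTING, "contracts/2023/")
    for p in plan:
        print(p)
    print("delete_objects Delete=", delete_markers_request(plan))
    print("unrecoverable:", unrecoverable(plan))
```

Against a real bucket the listing comes from a paginator over list_object_versions, and delete_objects accepts at most 1000 keys per call, so the request must be chunked for a large prefix. The principal running it needs s3:DeleteObjectVersion, a permission worth granting only to the recovery role, since the same call can also destroy real versions.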
FrugalData Corp stores 100 TB of log data in Amazon S3. The data is analyzed once when first stored and then rarely accessed again, but must be retained for 5 years for compliance. After the first 30 days, retrieval is needed only once or twice a year with a retrieval time of up to 12 hours. Which S3 storage strategy is MOST cost-effective?
- A. Use an S3 Lifecycle policy to transition objects from S3 Standard to S3 Glacier Deep Archive after 30 days. (Correct)
- B. Store all data in S3 One Zone-Infrequent Access permanently.
- C. Store all data in S3 Standard permanently.
- D. Use an S3 Lifecycle policy to transition objects from S3 Standard to S3 Standard-IA after 30 days.
✓ Correct answer: A. The logs are read once on arrival and then retrieved at most twice a year, and a 12-hour wait is acceptable. S3 Glacier Deep Archive is the lowest-priced S3 storage class, and its standard retrieval completes within 12 hours, so it fits the access pattern exactly; its 180-day minimum storage duration is immaterial for data kept 5 years. Keeping objects in S3 Standard for the first 30 days covers the initial analysis, after which a Lifecycle rule transitions them automatically, with no operational effort for 100 TB of objects.
Why the other options are wrong:
- B. Store all data in S3 One Zone-Infrequent Access permanently is incorrect because it costs several times more per GB than Deep Archive and keeps the only copy in a single Availability Zone, an unnecessary durability risk for data that must be retained for compliance.
- C. Store all data in S3 Standard permanently is incorrect because Standard has the highest per-GB price of the options; the company would pay for millisecond access to 100 TB that is touched once or twice a year.
- D. Use an S3 Lifecycle policy to transition objects from S3 Standard to S3 Standard-IA after 30 days is incorrect because Standard-IA, while cheaper than Standard, is still far more expensive per GB than Deep Archive, and its millisecond retrieval is not required.
Which EC2 pricing model provides the largest discount for steady-state workloads?
- A. Reserved Instances (3-year, all upfront) (Correct)
- B. Dedicated Hosts
- C. On-Demand
- D. Spot Instances
✓ Correct answer: A. For capacity that runs continuously, a 3-year Reserved Instance paid all upfront gives the deepest price reduction against On-Demand (up to about 72%), and the capacity is never interrupted. The longer the term and the more that is paid upfront, the larger the discount, so this is the largest of the options for a steady-state workload.
Why the other options are wrong:
- B. Dedicated Hosts is incorrect because a Dedicated Host is billed for an entire physical server and is chosen for licensing or compliance reasons, not for savings; a host reservation can discount the host, but the model itself is not a discount program for steady workloads.
- C. On-Demand is incorrect because On-Demand is the full list price from which the other models are discounted.
- D. Spot Instances is incorrect because although Spot can be up to 90% cheaper, AWS can reclaim the capacity with a two-minute warning, which makes it suitable for fault-tolerant, interruptible jobs rather than steady-state workloads.
When designing a solution in the Design Secure Architectures domain, which principle is most important?
- A. Skip planning and configure based on assumptions
- B. Implement untested solutions found in online forums
- C. Follow documented best practices and vendor guidelines (Correct)
- D. Use default settings without any review or modification
✓ Correct answer: C. Secure architectures start from the documented guidance: the Security pillar of the AWS Well-Architected Framework, each service's security chapter, and the shared responsibility model. These sources encode controls such as least-privilege IAM, encryption at rest and in transit, and centralized logging, and they are what auditors and reviewers check a design against.
Why the other options are wrong:
- A. Skip planning and configure based on assumptions is incorrect because security controls left to assumptions produce gaps (open security groups, over-broad IAM policies) that are usually discovered only after an incident.
- B. Implement untested solutions found in online forums is incorrect because untested snippets may be outdated, insecure, or incompatible, and nothing guarantees they follow AWS guidance.
- D. Use default settings without any review or modification is incorrect because defaults are generic; they are not tuned to a workload's threat model or compliance requirements and must be reviewed.
Which best practice should be followed when designing for the Design High-Performing Architectures domain?
- A. Implement untested solutions found in online forums
- B. Skip planning and configure based on assumptions
- C. Use default settings without any review or modification
- D. Follow documented best practices and vendor guidelines (Correct)
✓ Correct answer: D. High-performing architectures start from the Performance Efficiency pillar of the AWS Well-Architected Framework and the service documentation for the resources in play (instance families, storage classes, caching layers, database engines), then validate choices against the workload's own measurements. Those sources describe the trade-offs and limits that decide whether a design meets its latency and throughput targets.
Why the other options are wrong:
- A. Implement untested solutions found in online forums is incorrect because untested snippets may be outdated, insecure, or incompatible, and nothing guarantees they follow AWS guidance.
- B. Skip planning and configure based on assumptions is incorrect because capacity, instance type, and storage decisions made without requirements or measurements produce bottlenecks or wasted spend that surface only in production.
- C. Use default settings without any review or modification is incorrect because defaults are generic starting points; they are not sized or tuned for a particular workload and must be reviewed.
AWS SAA-C03 practice exam FAQ
How many questions are in the AWS SAA-C03 practice exam on CertGrid?
CertGrid has 414 practice questions for AWS SAA-C03: Solutions Architect Associate, covering 4 exam domains. The real AWS SAA-C03 exam has about 65 questions.
What is the passing score for AWS SAA-C03?
The AWS SAA-C03 exam passing score is 720, and you have about 130 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.
Are these official AWS SAA-C03 exam questions?
No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of AWS SAA-C03: Solutions Architect Associate, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.
Can I practice AWS SAA-C03 for free?
Yes. You can start practicing AWS SAA-C03: Solutions Architect Associate for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.