Cert-Pass

AWS Solutions Architect – Associate (SAA-C03) Practice Questions

65 exam-accurate questions with explanations


Free Sample Questions

Showing 10 of 65 questions.

1
Domain 1 - Design Secure Architectures

A company wants to limit access to an S3 bucket to accounts within its AWS Organizations organization, with the least operational overhead. Which solution meets these requirements?

A aws:PrincipalOrgID condition in bucket policy (correct)
B aws:PrincipalOrgPaths per OU
C CloudTrail events + manual policy updates
D Tag users + aws:PrincipalTag

Explanation

aws:PrincipalOrgID matches any principal that belongs to the organization, so a single condition covers all current and future member accounts with no ongoing updates. Use it either as a condition on the Allow statement or as a Deny with StringNotEquals; because the key is absent from the request context for anonymous requests, the Deny form refuses unauthenticated access as well. aws:PrincipalOrgPaths (B) needs an entry per OU and changes as the OU tree changes; C relies on manual policy edits; D requires tagging every user and keeping the tags accurate.

2
Domain 1 - Design Secure Architectures

An EC2 instance in a VPC needs to access an S3 bucket without internet connectivity. Which solution meets this requirement?

A Gateway VPC endpoint to S3 (correct)
B Stream to CloudWatch Logs then export
C Instance profile (IAM role) on EC2
D API Gateway + PrivateLink

Explanation

A gateway VPC endpoint adds a route for the S3 prefix list to the subnet route table, so S3 traffic stays on the AWS network and no internet gateway or NAT gateway is required. The instance still needs IAM permission to call S3, typically through an instance profile (C), but that provides authorisation, not a network path. The endpoint policy, and a bucket policy condition on aws:SourceVpce, can further restrict which endpoint the bucket accepts requests from.

3
Domain 1 - Design Secure Architectures

EC2 instances connect to Aurora using credentials in a local file. Which solution minimises credential management overhead?

A AWS Secrets Manager + automatic rotation (correct)
B Systems Manager Parameter Store + rotation
C Encrypted S3 bucket for credentials
D Encrypted EBS volume per instance

Explanation

Secrets Manager is purpose-built for secrets: native automatic rotation (managed rotation for RDS-managed master user secrets, Lambda rotation templates for other database users), IAM-controlled access, and an audit trail in CloudTrail. Parameter Store (B) has no native rotation; S3 (C) and EBS (D) merely relocate the file and still need custom rotation logic. The application should fetch the secret when it opens a connection rather than copying it into a local file, otherwise the next rotation breaks it.

4
Domain 1 - Design Secure Architectures

Rotate RDS for MySQL credentials across multiple AWS Regions monthly with least operational overhead. Which solution meets these requirements?

A Secrets Manager + multi-Region replication + scheduled rotation (correct)
B Parameter Store + multi-Region replication
C S3 (SSE) + EventBridge + Lambda
D KMS multi-Region keys + DynamoDB global table + Lambda

Explanation

Secrets Manager natively supports multi-Region secret replication and scheduled automatic rotation—no custom code needed. All other options require significant custom development.
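
Rotation is only half of the story for questions 3 and 4: an application that caches the credential forever starts failing at the first rotation. The example below is written for this page (it is not AWS code and not from the exam) and shows the client-side pattern that makes rotation safe: cache the secret with a TTL, and on an authentication failure re-read it from Secrets Manager and retry once. FakeSecretsManager and FakeDatabase are constructed stand-ins for the boto3 client's get_secret_value call and a database driver so that it runs offline; the JSON layout of the secret (username, password, host, port) is the one Secrets Manager uses for RDS secrets, and the secret name and passwords are made up.

```python
"""Rotation-aware credential handling (constructed example, not AWS's code)."""
import json
import time


class AuthError(Exception):
    """Raised by the (fake) database when the password is wrong."""


class FakeSecretsManager:
    """Offline stand-in for the boto3 Secrets Manager client."""

    def __init__(self, secret_id, password):
        self.secret_id = secret_id
        self.password = password
        self.calls = 0          # how often the application actually hit the API

    def get_secret_value(self, SecretId):
        assert SecretId == self.secret_id
        self.calls += 1
        # Same JSON layout Secrets Manager uses for RDS database secrets
        return {"SecretString": json.dumps({"username": "app", "password": self.password,
                                            "host": "db.example.internal", "port": 3306})}

    def rotate(self, new_password):
        self.password = new_password


class FakeDatabase:
    """Accepts only the password that rotation most recently set on the DB side."""

    def __init__(self, password):
        self.password = password

    def connect(self, username, password):
        if password != self.password:
            raise AuthError("password authentication failed")
        return f"connection as {username}"


class RotationAwareConnector:
    """Caches the secret for ttl_seconds; refreshes it once if the DB rejects it."""

    def __init__(self, sm_client, db, secret_id, ttl_seconds=300, clock=time.monotonic):
        self.sm, self.db, self.secret_id = sm_client, db, secret_id
        self.ttl, self.clock = ttl_seconds, clock
        self._cached, self._fetched_at = None, None

    def _secret(self, force=False):
        expired = self._fetched_at is None or self.clock() - self._fetched_at > self.ttl
        if force or expired:
            raw = self.sm.get_secret_value(SecretId=self.secret_id)["SecretString"]
            self._cached = json.loads(raw)
            self._fetched_at = self.clock()
        return self._cached

    def connect(self):
        creds = self._secret()
        try:
            return self.db.connect(creds["username"], creds["password"])
        except AuthError:
            # A rotation has completed since we cached the secret: refresh and retry once
            creds = self._secret(force=True)
            return self.db.connect(creds["username"], creds["password"])


def demo():
    """Walk through one rotation cycle; returns the three connections and the API call count."""
    sm = FakeSecretsManager("prod/mysql/app", "pw-v1")     # constructed secret name
    db = FakeDatabase("pw-v1")
    connector = RotationAwareConnector(sm, db, "prod/mysql/app")
    first = connector.connect()                    # fetches the secret (1 API call)
    second = connector.connect()                   # served from cache (still 1)
    sm.rotate("pw-v2")
    db.password = "pw-v2"                          # scheduled rotation updated both sides
    third = connector.connect()                    # old password fails, refresh, succeeds (2)
    return first, second, third, sm.calls


if __name__ == "__main__":
    print(demo())
```

AWS ships this caching-and-refresh behaviour as a library (the aws-secretsmanager-caching package for Python); the class above exists only to make the failure mode visible. Note the retry is deliberately limited to one refresh: if the refreshed secret still does not work, the error propagates instead of hammering the API.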

5
Domain 1 - Design Secure Architectures

A company has migrated to AWS and needs to replicate the traffic flow inspection and filtering it performed on premises for its production VPC. Which service meets this requirement?

A Amazon GuardDuty
B Traffic Mirroring
C AWS Network Firewall (correct)
D AWS Firewall Manager

Explanation

AWS Network Firewall provides inline stateful inspection and filtering at Layers 3, 4 and 7 (including Suricata-compatible rules), matching what an on-premises inspection appliance does. GuardDuty (A) detects threats from log and flow data and does not sit in the traffic path; Traffic Mirroring (B) copies packets to an out-of-band analyser and filters nothing; Firewall Manager (D) centrally manages firewall policies across accounts but is not itself an inspection point.

6
Domain 1 - Design Secure Architectures

A company has a data lake on S3 and an RDS for PostgreSQL database. Management needs full access to the data; other employees need limited access to visualisations only. Which solution meets these requirements?

A QuickSight dashboards shared via IAM roles
B QuickSight dashboards shared via users and groups (correct)
C Glue + ETL → S3 reports with bucket policies
D Glue + Athena Federated Query → S3 reports

Explanation

QuickSight connects to both S3 and RDS and supports native user/group sharing for granular dashboard access control. IAM roles control resource access, not QuickSight dashboard access; Glue/Athena produce static reports.

7
Domain 1 - Design Secure Architectures

Two EC2 instances need access to an S3 bucket for document storage. Which solution is most appropriate?

A IAM role with S3 access attached to EC2 instances (correct)
B IAM policy attached directly to EC2
C IAM group attached to EC2
D IAM user credentials stored on EC2

Explanation

An IAM role attached through an instance profile gives the instances temporary, automatically rotated credentials via the instance metadata service, so no secret is ever written to disk. Policies cannot be attached directly to an EC2 instance (B); groups hold IAM users only (C); storing long-term IAM user credentials on an instance (D) is a security anti-pattern, since they never expire and must be distributed and rotated by hand.

8
Domain 1 - Design Secure Architectures

A three-tier web application uses a third-party firewall appliance in an inspection VPC. All inbound traffic must be inspected before reaching the web servers, with the least operational overhead. Which solution meets these requirements?

A NLB in public subnet routes to appliance
B ALB in public subnet routes to appliance
C Transit gateway in inspection VPC
D Gateway Load Balancer + GWLB endpoint in inspection VPC (correct)

Explanation

GWLB is purpose-built for inline traffic inspection via virtual appliances. A GWLB endpoint transparently intercepts and forwards traffic to the appliance—fully managed and auto-scaling. NLB/ALB are not designed for transparent packet redirection; Transit Gateway requires complex routing.

9
Domain 1 - Design Secure Architectures

IAM user accidentally exposed AWS credentials on a public code repository. What immediate steps should be taken? (Choose TWO)

A Remove the IAM user's permissions
B Delete the exposed access key (correct)
C Rotate the exposed access key (correct)
D Enable MFA for the IAM user
E Invalidate temporary credentials by contacting AWS Support

Explanation

Make the exposed key unusable immediately, by deactivating it (reversible, so service can be restored if the key turns out to be in use) or deleting it (B), and create a replacement key for the workload (C). Also review CloudTrail for calls made with the exposed key ID before it was disabled. Removing the user's permissions (A) would break everything that user runs rather than just the leaked credential; MFA (D) does not revoke a key that is already public. Temporary credentials obtained with the key through STS stay valid until they expire; cutting them off earlier is done with a policy Deny conditioned on aws:TokenIssueTime (the mechanism behind the console's "revoke active sessions" action for roles), not by contacting AWS Support (E).
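
As a worked version of the response above, written for this page (not from AWS or the exam): the first function finds access key IDs in text and classifies them, using the fact that long-term IAM user keys start with AKIA and temporary STS keys with ASIA; the second deactivates the exposed key and issues a replacement through the IAM API, handling the two-keys-per-user limit that trips up a rushed responder. FakeIam is a constructed stand-in for a boto3 IAM client so the example runs offline; its method names and argument shapes (update_access_key, create_access_key, list_access_keys, delete_access_key) are the real boto3 ones, and the user name and leaked key values are made up (the AKIA/ASIA IDs are AWS's own documentation placeholders).

```python
"""Detect a leaked access key and contain it (constructed example, not AWS's code)."""
import re
from dataclasses import dataclass, field

# AKIA... = long-term IAM user key (disable/rotate it). ASIA... = temporary STS key
# (cannot be deleted; it expires, or is cut off with an aws:TokenIssueTime Deny).
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")


def find_access_keys(text):
    """Return [(key_id, kind)] for every AWS access key ID that appears in text."""
    return [(k, "long-term" if k.startswith("AKIA") else "temporary")
            for k in ACCESS_KEY_RE.findall(text)]


@dataclass
class FakeIam:
    """Offline stand-in for boto3's IAM client; enforces the two-keys-per-user limit."""
    keys: dict = field(default_factory=dict)   # user -> {key_id: "Active" | "Inactive"}
    counter: int = 0

    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.get(UserName, {}).items()]}

    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[UserName][AccessKeyId] = Status

    def create_access_key(self, UserName):
        user_keys = self.keys.setdefault(UserName, {})
        if len(user_keys) >= 2:
            raise RuntimeError("LimitExceeded: a user may have at most two access keys")
        self.counter += 1
        key_id = f"AKIAFAKE{self.counter:012d}"          # constructed key ID
        user_keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed-secret"}}

    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[UserName][AccessKeyId]


def contain_exposed_key(iam, user, exposed_key_id):
    """Deactivate the exposed key first (reversible), then issue a replacement.

    Deleting can wait until the new key is rolled out. If the user already holds
    two keys, any other *inactive* key is removed to make room; if both are active
    the create call fails and a human has to decide which one to sacrifice.
    """
    iam.update_access_key(UserName=user, AccessKeyId=exposed_key_id, Status="Inactive")
    current = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(current) >= 2:
        for meta in current:
            if meta["AccessKeyId"] != exposed_key_id and meta["Status"] == "Inactive":
                iam.delete_access_key(UserName=user, AccessKeyId=meta["AccessKeyId"])
                break
    return iam.create_access_key(UserName=user)["AccessKey"]["AccessKeyId"]


def demo():
    """Scan a constructed commit and contain the long-term key it leaks."""
    leaked_file = (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "# session key from a CI job log: ASIAIOSFODNN7EXAMPLE\n"
    )
    found = find_access_keys(leaked_file)
    iam = FakeIam(keys={"deploy-bot": {"AKIAIOSFODNN7EXAMPLE": "Active"}})   # constructed user
    new_id = contain_exposed_key(iam, "deploy-bot", "AKIAIOSFODNN7EXAMPLE")
    return found, iam.list_access_keys(UserName="deploy-bot")["AccessKeyMetadata"], new_id


if __name__ == "__main__":
    for item in demo():
        print(item)
```

With a real client, replace FakeIam with boto3.client("iam") run under credentials that are not the leaked ones. The temporary ASIA key the scanner also reports cannot be handled by this function; it expires on its own, and the matching long-term key or role is what needs attention.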

10
Domain 1 - Design Secure Architectures

Company needs to ensure data at rest in S3 is encrypted using keys they fully control. Which solution meets this requirement?

A S3 managed keys (SSE-S3)
B AWS KMS managed keys (SSE-KMS) (correct)
C Customer-provided keys (SSE-C)
D Client-side encryption

Explanation

SSE-KMS with a customer managed key gives the company a KMS key that it creates, whose key policy it writes, that it can rotate or disable, and whose every use is logged in CloudTrail, while S3 still performs the encryption. Specify a customer managed key rather than the AWS managed aws/s3 key: both fall under SSE-KMS, but the customer cannot change the policy of the latter. SSE-S3 (A) uses keys AWS owns and manages; SSE-C (C) means the company supplies and protects the key itself with every request, outside KMS; client-side encryption (D) moves key handling into the application. A bucket policy can additionally deny PutObject requests that do not specify SSE-KMS with the expected key.
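
The Deny patterns behind questions 1 and 10 look obvious in a policy document but their behaviour depends on one subtlety of IAM evaluation: a negated operator such as StringNotEquals is satisfied when the condition key is missing from the request. That is what makes the org-restriction Deny also refuse anonymous requests (no aws:PrincipalOrgID) and the encryption Deny refuse uploads that send no SSE header. The evaluator below was written for this page to show both cases (it is not AWS code and models only explicit Allow/Deny, action and resource wildcards, and the StringEquals/StringNotEquals operators); ORG_ID, BUCKET and KMS_KEY are made-up values, and the request contexts are constructed to mirror what S3 would populate.

```python
"""Toy IAM evaluator for the two bucket-policy Deny patterns (constructed example)."""
from fnmatch import fnmatchcase

ORG_ID = "o-exampleorgid"                       # assumed organization ID
BUCKET = "arn:aws:s3:::example-bucket"          # assumed bucket
KMS_KEY = ("arn:aws:kms:eu-west-1:111122223333:key/"
           "1234abcd-12ab-34cd-56ef-1234567890ab")   # assumed customer managed key

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Broad Allow; the Deny statements below carve out what is actually permitted
            "Sid": "AllowBucketAccess", "Effect": "Allow", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]},
        {   # Q1: only principals from this organization (anonymous has no key -> denied)
            "Sid": "DenyOutsideOrg", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}}},
        {   # Q10: uploads must request SSE-KMS (no header -> denied) ...
            "Sid": "DenyNonKmsUpload", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET + "/*",
            "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}},
        {   # ... with the company's own key, not aws/s3 or somebody else's
            "Sid": "DenyWrongKmsKey", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": BUCKET + "/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY}}},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_holds(condition, context):
    """Every operator/key pair must hold (AND). Only the operators used above are modelled."""
    for operator, pairs in condition.items():
        for key, allowed in pairs.items():
            present = key in context
            if operator == "StringEquals":
                if not present or context[key] not in _as_list(allowed):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: a missing key satisfies it (the subtlety this example is about)
                if present and context[key] in _as_list(allowed):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_matches(stmt, action, resource, context):
    if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny' for one request; implicit deny if nothing matches."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"            # an explicit Deny always wins
            decision = "Allow"
    return decision


IN_ORG = {"aws:PrincipalOrgID": ORG_ID}     # constructed context of a member-account principal
OBJ = BUCKET + "/report.csv"


def demo():
    """Decisions for the requests that matter in questions 1 and 10."""
    kms_upload = {**IN_ORG, "s3:x-amz-server-side-encryption": "aws:kms",
                  "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY}
    return {
        "member reads": evaluate(BUCKET_POLICY, "s3:GetObject", OBJ, IN_ORG),
        "other org reads": evaluate(BUCKET_POLICY, "s3:GetObject", OBJ,
                                    {"aws:PrincipalOrgID": "o-someoneelse"}),
        "anonymous reads": evaluate(BUCKET_POLICY, "s3:GetObject", OBJ, {}),
        "member uploads with own key": evaluate(BUCKET_POLICY, "s3:PutObject", OBJ, kms_upload),
        "member uploads SSE-S3": evaluate(BUCKET_POLICY, "s3:PutObject", OBJ,
                                          {**IN_ORG, "s3:x-amz-server-side-encryption": "AES256"}),
        "member uploads, no header": evaluate(BUCKET_POLICY, "s3:PutObject", OBJ, IN_ORG),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:30} -> {result}")
```

The same semantics are why a StringEquals Allow is not interchangeable with a StringNotEquals Deny: the Allow form simply never matches an anonymous or foreign request, whereas the Deny form overrides any other Allow the bucket may acquire later.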
