AWS Solutions Architect – Associate (SAA-C03) Practice Questions

1008 exam-accurate questions with explanations


Free Sample Questions

Showing 10 of 1008 questions.

1
Design Secure Architectures

A media startup runs a payments API in private subnets. The application must read objects from Amazon S3 without using the internet, NAT gateways, or public IP addresses. Which design should the solutions architect recommend? In this data platform migration, the environment includes 60 branch offices; assume all services are available in the selected Region. The documented scale target is 1,013 users or events for this scenario.

A Attach an internet gateway to the private subnets and allow outbound HTTPS.
B Create a NAT gateway in each Availability Zone and route S3 traffic through the NAT gateways.
C Deploy an Application Load Balancer in front of Amazon S3 and restrict it with security groups.
D Create a gateway VPC endpoint for Amazon S3 and associate it with the private subnet route tables. (correct)

Explanation

An S3 gateway endpoint provides private S3 access from a VPC over the AWS network, so no internet gateway or NAT gateway sits in the path, and it avoids NAT gateway processing charges. The NAT gateway option is the tempting wrong choice: NAT gateways can reach S3, but the scenario explicitly rules them out, and they add cost and complexity without meeting the requirement.

2
Design Secure Architectures

A public sector agency uses multiple AWS accounts for a data lake ingestion workflow. Security wants to prevent account administrators from disabling AWS CloudTrail or leaving AWS Organizations. What is the most effective control? The current pattern has steady weekday traffic and the team wants an AWS managed option. In this regional expansion, the environment includes 80 million requests/month; assume all services are available in the selected Region. The documented scale target is 1,026 users or events for this scenario.

A Configure security groups to deny access to AWS Organizations endpoints.
B Use AWS WAF rules to block CloudTrail API calls.
C Apply service control policies in AWS Organizations that deny the prohibited actions for the target OUs. (correct)
D Create IAM policies in each account that deny the actions to all roles except administrators.

Explanation

SCPs are organization-level guardrails that restrict actions even when principals hold local administrator permissions. The IAM-policy option is a common trap because it solves only part of the requirement: policies inside each account can be edited by the very administrators they are meant to constrain, so they are weaker unless an SCP backs them.

3
Design Secure Architectures

A partner company must upload reports to one prefix in an S3 bucket owned by an education platform. The company must not create long-term IAM users for the partner. Which approach best follows least privilege? The architects prefer a design with minimal custom operations and clear exam-style tradeoffs. In this security review, the environment includes 40 production VPCs; assume all services are available in the selected Region. The documented scale target is 1,039 users or events for this scenario.

A Create an IAM user in the bucket account and email the access keys to the partner.
B Make the S3 bucket public and rely on unpredictable object names.
C Use a cross-account IAM role or bucket policy that grants the partner account permission only to the required prefix. (correct)
D Use a security group rule that permits the partner IP range to access the bucket.

Explanation

Cross-account access through a resource policy or an assumable role avoids long-term shared credentials and can be scoped to a single prefix. The security group option is a common trap because it solves only part of the requirement: S3 buckets are not protected by security groups, and IP-based access alone is not a full identity and least-privilege design.

4
Design Secure Architectures

A mobile app for a retail company needs user sign-up, sign-in, and temporary AWS credentials for authenticated users to access restricted resources. Which service combination should be used? The solution must be suitable for production and avoid unnecessary operational risk. In this performance tuning sprint, the environment includes 300 GB/day; assume all services are available in the selected Region. The documented scale target is 1,052 users or events for this scenario.

A AWS Organizations accounts for every mobile user.
B AWS Directory Service Simple AD exposed to the internet.
C Amazon Cognito user pools and identity pools. (correct)
D AWS IAM users for every mobile user.

Explanation

Cognito user pools handle application sign-up and sign-in, and identity pools exchange authenticated identities for temporary AWS credentials. The IAM-user option is the tempting wrong choice: IAM users for app consumers create long-term credentials and do not scale securely for mobile sign-in.

5
Design Secure Architectures

A media startup stores regulated records in S3. Records must be retained for seven years and must not be deleted by any user, including administrators, during retention. What should be configured? The team needs the BEST answer, not merely a solution that can work. In this cost review cycle, the environment includes 18 Availability Zones; assume all services are available in the selected Region. The documented scale target is 1,065 users or events for this scenario.

A S3 Intelligent-Tiering with lifecycle expiration disabled.
B A bucket policy that denies s3:DeleteObject to all IAM users.
C S3 Object Lock in compliance mode with an appropriate retention period. (correct)
D S3 server access logging with MFA Delete disabled.

Explanation

S3 Object Lock in compliance mode provides WORM retention that no user, including administrators, can bypass during the retention period. The bucket-policy option is close but misses the stated constraint: a deny-delete bucket policy can be changed by sufficiently privileged administrators, so it does not provide the same immutable retention.

6
Design Secure Architectures

An EC2 instance in a private subnet must retrieve database credentials securely. The team wants automatic rotation and no secrets stored in user data or environment variables. What is the best solution? In this resilience test, the environment includes 12 microservices; assume all services are available in the selected Region. The documented scale target is 1,078 users or events for this scenario.

A Put the password in Systems Manager Parameter Store as a plain String parameter.
B Store the password in an encrypted AMI and rotate the AMI monthly.
C Embed the password in EC2 user data and restrict access with a security group.
D Store the credential in AWS Secrets Manager, enable rotation, and allow the instance role to retrieve the secret. (correct)

Explanation

Secrets Manager supports managed secret retrieval and rotation, with access controlled through IAM, so the instance role fetches the credential at runtime and nothing is stored in user data or environment variables. The Parameter Store option is close but misses the stated constraint: Parameter Store can hold SecureString parameters, but a plain String parameter does not protect the secret and does not satisfy the secure-rotation requirement.

7
Design Secure Architectures

A mobile backend uses an Application Load Balancer. The security team requires TLS termination with managed certificates and automatic certificate renewal. What should the architect configure? The current pattern has unpredictable daily spikes and the team wants an AWS managed option. In this audit preparation, the environment includes 25 TB; assume all services are available in the selected Region. The documented scale target is 1,091 users or events for this scenario.

A Upload self-signed certificates to each EC2 instance and renew them manually.
B Use a Network ACL to encrypt traffic between clients and the load balancer.
C Use AWS Certificate Manager certificates on the HTTPS listener of the Application Load Balancer. (correct)
D Use AWS KMS keys directly as TLS certificates on the listener.

Explanation

ACM integrates with ALB HTTPS listeners and renews eligible public certificates automatically. The self-signed option is close but misses the stated constraint: self-signed certificates on instances add manual renewal work and do not provide managed public TLS termination at the ALB.

8
Design Secure Architectures

A company needs centralized threat detection across all accounts and Regions for workloads including S3, EC2, and IAM activity. Which AWS service should be enabled with delegated administration? The architects prefer a design with minimal custom operations and clear exam-style tradeoffs. In this mobile rollout, the environment includes 200 developer accounts; assume all services are available in the selected Region. The documented scale target is 1,104 users or events for this scenario.

A Amazon Inspector only for S3 bucket policies.
B AWS Trusted Advisor only.
C AWS Config only with no managed rules.
D Amazon GuardDuty. (correct)

Explanation

GuardDuty analyzes CloudTrail management events, VPC Flow Logs, DNS logs, and S3 data events for threat detection, and a delegated administrator account can manage it across the organization's accounts. The Trusted Advisor option is a common trap because it solves only part of the requirement: Trusted Advisor provides best-practice checks but is not a managed threat detection service for suspicious activity.

9
Design Secure Architectures

A media startup must allow analysts to query encrypted data in S3 with Athena. The KMS key policy must be least privilege. Which design is best? The solution must be suitable for production and avoid unnecessary operational risk. In this warehouse modernization, the environment includes 15,000 requests/minute; assume all services are available in the selected Region. The documented scale target is 1,117 users or events for this scenario.

A Use SSE-KMS for the bucket and grant Athena query roles kms:Decrypt and S3 read access only to the required data locations. (correct)
B Put the KMS key ID in the object names so Athena can discover it automatically.
C Use SSE-S3 and give all analysts AdministratorAccess.
D Disable encryption during Athena queries and re-enable it afterwards.

Explanation

Athena can query SSE-KMS encrypted S3 data when the execution role has the needed S3 read and kms:Decrypt permissions. The AdministratorAccess option is a common trap because it solves only part of the requirement: AdministratorAccess violates least privilege, and SSE-S3 does not meet the requirement for customer-managed KMS access control.

10
Design Secure Architectures

A public web API is behind Amazon API Gateway. The company needs protection from common web exploits and rate-based abusive requests. Which solution should be used? The team needs the BEST answer, not merely a solution that can work. In this partner onboarding, the environment includes 6 Regions; assume all services are available in the selected Region. The documented scale target is 1,130 users or events for this scenario.

A Place a security group directly on API Gateway and deny SQL injection payloads.
B Associate AWS WAF with API Gateway and configure managed rule groups plus rate-based rules. (correct)
C Use AWS Shield Advanced only and disable API Gateway throttling.
D Create a private NAT gateway for all client requests.

Explanation

AWS WAF integrates with API Gateway and can block common exploit patterns and rate-based traffic. The Shield option is valid in another architecture but not for this scenario: Shield helps with DDoS protection, whereas WAF is the service for application-layer rules such as SQL injection signatures and rate limits.
