Free Practice Questions for Amazon Web Services SAA-C03 Exam

Application Load Balancer (ALB): ALB is suitable for routing HTTP/HTTPS traffic to the application servers. It provides advanced routing features and integrates well with Auto Scaling groups.

Target Group Configuration:

Create a target group for the application servers and register the Auto Scaling group with this target group.

Configure the ALB to forward requests from the web servers to the application servers.

Security Group Setup:

Configure the security group of the application servers to only allow traffic from the web servers' security group.

This ensures that only the web servers can access the application servers, meeting the requirement to limit access.

Benefits:

Security: Using security groups to restrict access ensures a secure environment where only intended traffic is allowed.

Scalability: ALB works seamlessly with Auto Scaling groups, ensuring the application can handle varying loads efficiently.

To provide unique, secure URLs efficiently:

A: Create a wildcard custom domain in Route 53 as an alias for the API Gateway endpoint.

D: Request a wildcard certificate in ACM in the same Region as API Gateway (certificates must be in the same Region as the API).

F: Create a custom domain name in API Gateway and attach the certificate.

“You can configure a custom domain name for your API Gateway API. To use a wildcard certificate, request it from ACM in the same Region as your API.”

— API Gateway Custom Domain Names

This combination provides secure wildcard URLs without creating separate endpoints or hosted zones per user.

AWS WAF (Web Application Firewall): AWS WAF allows you to create custom rules to block or allow web requests based on conditions that you specify.

Web ACL (Access Control List):

Create a web ACL and associate it with the ALB.

Use IP rule sets to specify the IP addresses of the retail locations that are allowed to access the application.

Security and Flexibility:

AWS WAF provides a scalable way to manage access control, ensuring that only traffic from registered IP addresses is allowed.

You can dynamically update the IP rule sets to add or remove IP addresses as needed.

Operational Simplicity: Using AWS WAF with a web ACL is straightforward and integrates seamlessly with the ALB, providing an efficient solution for managing access control based on IP addresses.

For infrequent or ad hoc querying of log data, Amazon S3 + Amazon Athena provides the most cost-effective, serverless, and scalable analytics solution.

From AWS Documentation:

“Amazon Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is serverless, so there is no infrastructure to manage, and you pay only for the queries that you run.”

(Source: Amazon Athena User Guide)

Why A is correct:

Amazon S3 offers durable, scalable, and cost-efficient storage.

Athena allows SQL-based querying on structured or semi-structured data like logs.

No need to provision or manage infrastructure.

Ideal for occasional querying at low cost.

Why the others are not optimal:

Option B: OpenSearch adds cost and is best for frequent, low-latency log querying.

Option C: RDS is not optimized for large-scale write-heavy log ingestion and costs more.

Option D: CloudWatch Logs is suitable for real-time monitoring, not for long-term storage and analytics of large log volumes.

The most resilient and scalable architecture for handling millions of high-resolution images with frequent updates is to store the binary images in Amazon S3 and store their metadata or reference (geographic code and S3 URL) in Amazon DynamoDB.

From AWS Documentation:

“Store large objects like images in Amazon S3 and use Amazon DynamoDB to store metadata and references. This design pattern is scalable, highly available, and cost-effective.”

(Source: AWS Architecture Blog – Best Practices for Handling Large Objects)

Why B is correct:

Amazon S3 is designed for storing large volumes of binary data (images).

DynamoDB provides low-latency reads/writes using the geographic code as the partition key.

Highly available, serverless, and auto-scaling, suitable for disaster scenarios with bursts of activity.

Reduces pressure on the database layer by separating metadata from image storage.

Why the others are incorrect:

Option A and D: Storing images directly in RDS is expensive, unscalable, and not optimal for binary storage.

Option C: DynamoDB is suitable, but storing actual binary image data in DynamoDB is not best practice due to item size limits (400 KB) and performance concerns.

When operating in disconnected or limited-connectivity environments, such as ships at sea, AWS recommends using AWS Snowball Edge devices to host local compute and storage workloads. Snowball Edge supports Amazon EC2 instances and AWS IoT Greengrass, and can run Amazon EKS Anywhere for local Kubernetes cluster deployments.

From AWS Documentation:

“You can use AWS Snowball Edge devices to run compute-intensive applications in remote or disconnected locations. Snowball Edge devices support running Amazon EC2 instances and Amazon EKS Anywhere clusters.”

(Source: AWS Snow Family – Developer Guide)

Why A is correct:

Snowball Edge provides local compute and storage even without internet connectivity.

Multiple Snowball Edge devices can be clustered together for high availability and failover.

Fully self-contained environment suitable for ships or field operations.

Why the others are incorrect:

B, C, D require network connectivity to AWS Regions or Zones (Local Zone, Outposts, Wavelength), which is not available at sea. These options cannot operate fully disconnected.

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.

Amazon Aurora MySQL supports the SELECT INTO OUTFILE S3 SQL syntax to export query results directly to Amazon S3. This is an efficient and low-overhead method for archiving data.

Once data is in S3, Lifecycle rules can be configured to automatically transition older data to lower-cost storage classes (such as S3 Glacier) or delete it after a defined period, providing a cost-optimized and automated archive solution.

The Glue-based options involve more services and operational overhead. SCT is intended for database migrations, not for periodic data archival.

For globally distributed consumers of REST APIs, API Gateway edge-optimized endpoints “route requests to the nearest CloudFront edge location, which then forwards them to your API in the [home] Region,” reducing latency for users worldwide and scaling automatically for unknown or spiky traffic. By contrast, Regional endpoints are intended for clients within the same or nearby Region and do not provide global edge acceleration. AWS Lambda provides automatic scaling for serverless backends; latency can be further reduced by right-sizing memory (which also increases CPU) and, when needed, enabling provisioned concurrency to keep functions initialized and eliminate cold starts for critical paths. Using NLBs across Regions is not serverless and adds operational complexity without CloudFront edge acceleration. Therefore, combining API Gateway edge-optimized REST APIs with Lambda meets the requirements of minimal global latency and unknown initial traffic.

A: Amazon Macie can scan S3 buckets for sensitive data and identify PII.

C: S3 Object Lock legal hold prevents object deletion until a review is complete, meeting compliance requirements.

E: EventBridge can trigger the Lambda function automatically when Macie detects sensitive data, creating an automated workflow.

AWS Documentation Extract:

"Amazon Macie automatically discovers, classifies, and protects sensitive data in AWS. You can use EventBridge to invoke a Lambda function for post-processing, such as applying Object Lock legal hold to flagged objects."

(Source: AWS Macie and S3 Object Lock documentation)

B, D: Moving to Glacier Deep Archive or applying retention in governance mode is not specific to deletion prevention pending review.

F: MFA Delete adds a security layer but does not automate object retention for flagged PII.

To run RDS instances only during business hours with the least operational overhead, you can useAmazon EventBridgeto schedule events that invokeAWS Lambda functions. The Lambda functions can be configured to start and stop the RDS instances based on the specified schedule (business hours). EventBridge rules allow you to define recurring events easily, and Lambda functions provide a serverless way to manage RDS instance start and stop operations, reducing administrative overhead.

Option A: While CloudWatch alarms could be used, they are more suited for monitoring, and using Lambda with EventBridge is simpler.

Option B (Trusted Advisor): Trusted Advisor is not ideal for scheduling tasks.

Option C (Systems Manager): Systems Manager could also work, but EventBridge and Lambda offer a more streamlined and lower-overhead solution.

AWS References:

Amazon EventBridge Scheduler

AWS Lambda

Amazon EBS io2 Block Express volumes are designed to deliver sub-millisecond latency and up to 256,000 IOPS per volume, with durability and high availability. This makes io2 Block Express the recommended choice for workloads requiring very high and predictable IOPS, such as enterprise databases and high-transaction-rate applications.

Reference Extract:

"EBS io2 Block Express volumes deliver up to 256,000 IOPS and sub-millisecond latency, supporting high-performance, high-durability workloads."

Source: AWS Certified Solutions Architect – Official Study Guide, EBS Performance section.

Explanation (AWS Docs):

To allow private subnets to access the internet, deploy NAT gateways in a public subnet in each AZ for high availability. NAT instances are less scalable and less fault-tolerant.

“To create a highly available architecture, create a NAT gateway in each Availability Zone and configure your routing to use it.”

— NAT Gateway Overview

This solution usesCloudFrontto serve the website securely over HTTPS usingAWS Certificate Manager (ACM)for SSL certificates.Origin Access Control (OAC)ensures that only CloudFront can access the S3 bucket directly.AWS WAFwith an IP set rule restricts access to the website, allowing only the on-premises IP address.Route 53is used to create an alias record pointing to the CloudFront distribution. This setup ensures secure, private access to the website with low administrative overhead.

Option A and B: S3 bucket policies and access points do not provide HTTPS support, nor do they offer the same level of security as CloudFront with WAF.

Option D: Signed URLs are more suitable for temporary, expiring access rather than a permanent solution for on-premises employees.

AWS References:

Amazon CloudFront with Origin Access Control

S3 One Zone-IA:

Suitable for infrequently accessed data that doesn't require multiple Availability Zone resilience.

Cost-effective for storing user-uploaded images that are only used for AI model training twice a year.

S3 Standard:

Ideal for frequently accessed data with high durability and availability.

Store premium user-generated AI images here to ensure they are readily available for download at any time.

S3 Standard-IA:

Cost-effective storage for data that is accessed less frequently but still requires rapid retrieval.

Store non-premium user-generated AI images here, as these images are only downloaded once every 6 hours, making it a good balance between cost and accessibility.

Cost-Effectiveness: This solution optimizes storage costs by categorizing data based on access patterns and durability requirements, ensuring that each type of data is stored in the most cost-effective manner.