Free Practice Questions for Amazon Web Services SAA-C03 Exam

The requirements are UDP support, ultra-low latency, and the ability to handle millions of requests per second in a cost-effective manner. Network Load Balancer (NLB) is the AWS service designed for high-performance Layer 4 load balancing, including TCP, TLS, and UDP. NLB can scale to very high throughput and connection rates while maintaining low latency, which is critical for real-time gaming traffic.

Option C is correct because NLB supports UDP listeners and forwards traffic directly to EC2 targets with minimal processing overhead. This yields lower latency than Layer 7 solutions and is well suited for game protocols that are latency-sensitive and often use UDP for fast, lightweight communication. NLB also provides static IP addresses per Availability Zone and integrates cleanly with Auto Scaling groups.

Option A is incorrect because an Application Load Balancer operates at Layer 7 (HTTP/HTTPS) and does not handle raw UDP traffic; it’s optimized for web applications, not gaming protocols. Option B is incorrect because Gateway Load Balancer is intended to deploy and scale third-party virtual appliances (such as firewalls) and uses Geneve encapsulation; it is not meant for distributing general internet game traffic to EC2 game servers. Option D adds significant cost and complexity by deploying multi-Region fleets. It may help global latency in some scenarios, but the question asks for the most cost-effective way to handle massive UDP traffic volume; multi-Region duplication is typically not the first choice for that requirement alone.

Therefore, C (NLB with UDP) best meets the scale and latency requirements with the most efficient, purpose-built AWS load balancing service.

Amazon FSx for NetApp ONTAP fully supports native NetApp SnapMirror replication, making it the most efficient and reliable option for migrating NetApp data from on-premises to AWS.

From AWS Documentation:

“You can use SnapMirror to replicate data from your on-premises NetApp systems to FSx for ONTAP for seamless, block-level, incremental transfers. This provides a highly efficient and performant method for migration, especially for large datasets.”

(Source: Amazon FSx for NetApp ONTAP – Migration Guide)

Why Option C is correct:

SnapMirror offers block-level replication, making it highly efficient for millions of small files.

It supports NFS and SMB file shares, preserving directory structures and permissions.

Reduces cutover time and allows for incremental syncs.

Uses the existing 10 Gbps network for fast transfers.

Why the other options are incorrect:

Option A (DataSync): Suitable for many file-based migrations but less efficient for very large datasets with millions of small files compared to SnapMirror.

Option B (Storage Gateway): Volume Gateway is not used for full-scale file migrations; it ' s for hybrid cloud access.

Option D (Snowball Edge): Useful for offline migrations, but online SnapMirror is more efficient and avoids shipping delays.

This solution meets the requirements of providing encryption at both the network and session layers while also allowing for controlled access between on-premises systems and AWS resources.

AWS Site-to-Site VPN: This service allows you to establish a secure and encrypted connection between your on-premises network and AWS VPC over the internet or via AWS Direct Connect. The VPN encrypts data at the network layer (IPsec) as it travels between the corporate network and AWS.

Routing and Security Controls: By configuring route table entries, you can ensure that only the traffic intended for AWS resources is directed to the VPC. Additionally, by setting up security groups and network ACLs, you can further restrict and control which traffic is allowed to communicate with the instances within your VPC. This approach provides the necessary security to prevent unrestricted access, aligning with the company’s security policies.

Why Not Other Options?:

Option A (AWS Direct Connect): While Direct Connect provides a private connection, it does not inherently provide encryption. Additional steps would be required to encrypt traffic, and it doesn’t address the session layer encryption.

Option B (IAM policies for Console access): This option does not meet the requirement for network-level encryption and security between the corporate network and the VPC.

Option D (AWS Transit Gateway): Although Transit Gateway can help in managing multiple connections, it doesn’t directly provide encryption at the network layer. You would still need to configure a VPN or use other methods for encryption.

AWS References:

AWS Site-to-Site VPN- Overview of AWS Site-to-Site VPN capabilities, including encryption.

Security Groups and Network ACLs- Information on configuring security groups and network ACLs to control traffic.

To capture DNS query and response data, including response codes, Amazon Route 53 provides query logging, which is the most precise and AWS-supported solution for this requirement.

Option A enables Route 53 query logging, which records detailed information about DNS queries, such as the queried domain, record type, source IP, and DNS response code. These logs are delivered to Amazon CloudWatch Logs, where administrators can search, analyze, and retain them for forensic investigation and root cause analysis.

Option B is incorrect because AWS CloudTrail records API calls to AWS services, not DNS query traffic. Option C provides aggregated metrics (such as query counts and health checks) but does not include per-query response codes. Option D offers best-practice recommendations but does not collect or analyze DNS query data.

Therefore, A is the correct solution because Route 53 query logging provides the detailed, low-level DNS visibility required for troubleshooting and operational analysis.

For the web tier, the company needs multi-AZ scaling and high availability, which is best achieved with anAuto Scaling group across multiple Availability Zones behind an Application Load Balancer. AWS fault-tolerance guidance recommends distributing EC2 instances across multiple AZs and using Auto Scaling to maintain balance and resilience. For the database tier, the question specifically requires reduced MySQL read latency, so anAurora MySQL cluster with a reader instance in a separate AZis the stronger fit. AWS Aurora guidance recommends distributing the primary and reader instances across Availability Zones and notes that Aurora Auto Scaling can add reader instances for handling increased connectivity and workload. Together, B and C deliver scalability, HA, and better read performance.

============

AmazonTextractcan extract text from the PDFs, andAmazon Comprehendis the most suitable service to analyze the extracted text for sentiment and insights. Comprehend offers a fully managed, low-operational overhead solution for analyzing text data. The results can then be stored in anAmazon S3bucket, ensuring scalability and easy access.

Option A: Athena is for querying structured data and is not suitable for sentiment analysis.

Option B: SageMaker adds complexity and is not necessary when Comprehend can handle sentiment analysis natively.

Option D: QuickSight is used for visualization and analytics, but it does not provide sentiment analysis.

AWS References:

Amazon Comprehend

Amazon Textract

AWS Glue Crawler: AWS Glue is a fully managed ETL (Extract, Transform, Load) service that makes it easy to prepare and load data for analytics. A Glue crawler can automatically discover new data and schema in Amazon S3, making it easy to keep the data catalog up-to-date.

Crawling the Data:

Set up an AWS Glue crawler to scan the S3 bucket containing the clickstream data.

The crawler will automatically detect the schema and create/update the tables in the AWS Glue Data Catalog.

Amazon Athena:

Athena is an interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL.

Once the data catalog is updated by the Glue crawler, use Athena to query the clickstream data directly in S3.

Operational Efficiency: This solution leverages fully managed services, reducing operational overhead. Glue crawlers automate data cataloging, and Athena provides a serverless, pay-per-query model for quick data analysis without the need to set up or manage infrastructure.

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

" Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

The correct answer isBbecause the company wantshigh availability,minimum downtime,minimum data loss, and theleast operational effort. For the application tier, configuring the Auto Scaling group to spanmultiple Availability Zonesincreases resilience by ensuring that the loss of one Availability Zone does not make the application unavailable. Since the application is already behind an Application Load Balancer, traffic can continue to be routed to healthy instances in other Availability Zones.

For the database tier, the single-AZ Aurora PostgreSQL deployment represents a single point of failure. Configuring the database forMulti-AZimproves availability and durability by maintaining a synchronized standby in another Availability Zone and supporting failover with minimal disruption. This approach is aligned with AWS best practices for relational database high availability.

UsingAmazon RDS Proxyfurther improves availability at the application layer by managing database connections efficiently and helping applications reconnect more quickly during failover events. This reduces the operational complexity of handling transient database interruptions and can improve application resilience.

Option A introduces multi-Region complexity, which is not required to meet the stated need and creates more operational overhead. Option C does not provide high availability because snapshots are a backup and restore mechanism, not an automatic failover solution, and hourly snapshots can result in significant data loss. Option D is unnecessarily complex and changes the application data flow in a way that is not needed.

The simplest and most AWS-aligned solution is to make both the compute and database layers highly available acrossmultiple Availability Zones. That provides resilience with the least operational burden.

UsingAD ConnectorwithAWS IAM Identity Center(formerly AWS Single Sign-On) allows the company to leverage its existingon-premises Active Directoryfor centralized identity management and access control. AD Connector acts as a proxy to the on-premises AD withoutrequiring additional infrastructure or complex setup. This solution integrates seamlessly with AWS, allowing the development team to use their existing AD credentials to access AWS resources across multiple accounts managed by AWS Organizations. The permissions for AWS resources can be managed centrally through IAM Identity Center by configuring permission sets.

This solution provides:

Least operational overhead: AD Connector is fully managed, and IAM Identity Center allows centralized management of permissions across accounts.

Secure access: The solution complies with security policies by using existing AD authentication mechanisms.

Option A (AWS Managed AD): Setting up a fully managed AWS AD and establishing a trust is more complex and involves additional operational overhead.

Option B (IAM Users): Manually managing IAM users and permissions is less scalable and increases operational complexity.

Option D (Cognito): Amazon Cognito is more suited for user-facing applications rather than internal identity management for AWS resources.

AWS References:

AD Connector with IAM Identity Center

AWS IAM Identity Center

AWS Lambda is not suitable for long-running jobs that can take up to 20 minutes, as Lambda has a maximum execution duration of 15 minutes.

Amazon ECS with AWS Fargate allows you to run containers without managing EC2 instances, providing a scalable and highly available environment. You can scale Fargate tasks to handle large and parallel video processing jobs. Amazon Aurora is a highly available, managed relational database. S3 Intelligent-Tiering is cost-effective for storing large video files with variable access patterns.

AWS Documentation Extract:

" AWS Fargate lets you run containers without managing servers or clusters, providing a highly available and scalable compute environment. Fargate is suitable for running data processing workloads that require long-running compute tasks. "

(Source: AWS Fargate documentation, Use Cases)

A: Lambda is not suitable for long-running (over 15 min) or heavy compute jobs.

C: Amazon EMR is optimized for big data analytics, not specific video processing. FSx for Lustre and Kinesis are not best fit for this use case.

D: EKS with EC2 adds operational overhead and RDS in a single AZ is not highly available; Glacier Deep Archive is not suitable for frequently accessed video files.

Amazon Kinesis Data Firehose (now known as Amazon Data Firehose) supports near-real-time streaming, with built-in support to:

Invoke AWS Lambda functions for transformation.

Store data directly into Amazon S3 in desired formats like Apache Parquet.

“You can use Data Firehose to transform the data before delivering it, by invoking a Lambda function. You can convert to formats such as JSON or Apache Parquet before storing it into S3.”

— Amazon Data Firehose Developer Guide

Why not the others?

B: Kinesis Data Streams requires more operational overhead than Firehose.

C: DataSync is for file movement—not stream processing.

D: SQS isn’t designed for streaming and transformation pipelines.

Amazon ECS on AWS Fargate with Amazon EFS is the best match because it combines managed container orchestration with shared persistent storage. AWS documentation explains that Amazon EFS volumes can be used with Amazon ECS so tasks can access the same persistent file system regardless of where they run. AWS also notes that EFS volumes are useful for horizontally scaled containerized applications that need shared storage, low latency, and high throughput. Lambda is a poor fit here because Lambda invocations have a maximum timeout of 15 minutes, while the question states processing can take up to 1 hour. Instance store volumes on ECS EC2 are local to the host and do not provide the centralized persistent repository the workload needs. Fargate plus EFS best satisfies performance, duration, and operational efficiency.

============

Durable storage of incoming orders with buffering and ability to handle surges is exactly what Amazon SQS is designed for. SQS provides highly durable, scalable queues that decouple producers from consumers.

Centrally tracking workflow steps is a core use case of AWS Step Functions, which gives a visual workflow and state machine, tracks the state of each order, and can orchestrate calls to multiple microservices (in this case, Lambda functions).

Combining SQS + Step Functions + Lambda gives:

Durable queueing for orders (SQS).

Loose coupling and surge handling (SQS decoupling + auto-scaling Lambda).

Central orchestration and tracking of order-processing steps (Step Functions).

Why the other options are not correct:

A: SNS is a pub/sub service, not a durable work queue, and is not designed for “store-and-retry until processed” workloads in the same way SQS is.

C: SQS + EventBridge provides decoupling but no central, stateful workflow tracking; EventBridge is event routing, not workflow orchestration.

D: SNS + EventBridge still lacks durable order storage and explicit centralized workflow/state tracking.

Comprehensive and Detailed Step-by-Step Explanation:

The requirement is toprevent data deletion by any user, including administrators, for 7 years while allowing automatic deletion afterward.

S3 Object Lock in Compliance Mode (Correct Choice - C)

Compliance mode ensures that even the root user cannot delete or modify the objects during the retention period.

After 7 years, the S3 Lifecycle policy automatically deletes the objects.

This meets bothimmutability and automatic deletionrequirements.

Governance Mode (Option B - Incorrect)

Governance mode prevents deletion,but administrators can override it.

The requirement explicitly states thateven administrators must not be able to delete the data.

S3 Bucket Policy (Option A - Incorrect)

An S3 bucket policy candeny deletes, but policies can be modified at any time by administrators.

It does not enforce strict retention like Object Lock.

S3 Batch Operations Job (Option D - Incorrect)

A legal hold does not have an automatic expiration.

Legal holds must be manually removed, which is not efficient.

Why Option C is Correct:

S3 Object Lock in Compliance Mode prevents deletion by all users, including administrators.

The S3 Lifecycle policy deletes the data automatically after 7 years, reducing operational overhead.

To grant the ECS application the least privilege, you create an IAM policy that explicitly lists the ARNs of the specific S3 buckets the task should access. You then attach this policy to the task role (not the instance role), ensuring only that task has the necessary permissions. This approach avoids granting permissions to other EC2 instances or services and restricts access strictly to the required buckets.

AWS Documentation Extract:

" Attach an IAM policy granting access to specific resources to the ECS task role, not to the instance role, to ensure that only the container has access according to the principle of least privilege. "

" Use explicit ARNs to control access only to specified S3 buckets. "

(Source: Amazon ECS documentation, IAM Roles for Tasks)

A: Tag-based access control for S3 buckets is possible but less direct and commonly used for identity-based access.

C: Attaching the policy to the instance role could grant unintended permissions to all containers or services running on the instance.

D: Wildcard ARNs grant broader access than necessary.

Amazon EFS is the best fit because it is a fully managed, elastic file storage service for Linux workloads, and it scales automatically without pre-provisioning capacity. AWS documentation states thatElastic throughputautomatically scales throughput up or down for spiky or unpredictable workloads, which matches the varying access pattern in the question. AWS also documents thatEFS lifecycle managementandEFS Intelligent-Tieringautomatically transition files between storage classes based on access patterns, which provides the native tiering requirement. FSx for Windows is not the right operating-system fit, and using EC2 plus EBS would require more manual storage management. Therefore,EFS with Elastic throughput and Intelligent-Tieringis the most cost-effective managed design. (AWS Documentation)

============

The optimal solution for scalable and resilient hybrid networking is to use AWS Direct Connect with a Direct Connect gateway for secure, low-latency access to AWS, and an AWS Transit Gateway to manage connectivity among hundreds of VPCs.

By associating the Transit Gateway with the Direct Connect gateway, you enable transitive routing between on-premises and all VPCs, while minimizing network complexity and maintaining high performance.

VPC peering does not scale well, and VPNs don’t offer the same performance or consistency.

AWS X-Ray is the AWS service designed for distributed tracing, giving end-to-end visibility into how requests flow through microservices, APIs, and serverless components. It provides service maps, latency breakdowns, and performance insight per service, which is exactly what is required.

To use X-Ray effectively, each application stack must be instrumented. For infrastructure deployed through AWS CloudFormation, best practice is to enable and configure X-Ray in the CloudFormation templates (for Lambda, API Gateway, ECS, etc.). That way, all teams and stacks have consistent tracing enabled as part of their IaC.

Control Tower (Option B) cannot “turn on” X-Ray tracing inside applications; it only helps with account setup and guardrails.

CloudTrail (Option A) is for audit logging of API calls, not performance tracing.

CloudWatch (Option C) provides metrics and logs, but not request-level distributed tracing across multiple services.