Free Practice Questions for Amazon Web Services SAA-C03 Exam

AWS Lambda for Operational Efficiency:

AWS Lambdais a serverless compute service that allows you to run code without provisioning or managing servers. It automatically scales based on the number of invocations and eliminates the need to maintain and monitor EC2 instances, making it far more operationally efficient compared to running a cron job on EC2.

By using Lambda, you pay only for the compute time that your function uses. This is especially beneficial when dealing with lightweight tasks, such as scanning a DynamoDB table and sending email messages once a day.

Amazon DynamoDB:

DynamoDBis a highly scalable, fully managed NoSQL database. The table stores employee start dates, and scanning the table to find the employees who have a work anniversary on the current day is a lightweight operation. Lambda can easily perform this operation using theDynamoDB Scan APIor queries, depending on how the data is structured.

Amazon SNS for Email Notifications:

Amazon Simple Notification Service (SNS)is a fully managed messaging service that supports sending notifications to a variety of endpoints, including email. SNS is well-suited for sendingout email messages to employees, as it can handle the fan-out messaging pattern (sending the same message to multiple recipients).

In this scenario, once Lambda identifies employees who have their work anniversaries, it can use SNS to send the email notifications efficiently. SNS integrates seamlessly with Lambda, and sending emails via SNS is a common pattern for this type of use case.

Event Scheduling:

To automate this daily task, you can schedule the Lambda function usingAmazon EventBridge (formerly CloudWatch Events). EventBridge can trigger the Lambda function on a daily schedule (cron-like scheduling). This avoids the complexity and operational overhead of manually setting up cron jobs on EC2 instances.

Why Not EC2 or SQS?:

Option A & Bsuggest running a cron job on anAmazon EC2instance. This approach requires you to manage, scale, and patch the EC2 instance, which increases operational overhead. Lambda is a better choice because it automatically scales and doesn’t require server management.

Amazon Simple Queue Service (SQS)is ideal for decoupling distributed systems but isn’t necessary in this context because the goal is to send notifications to employees on their work anniversaries. SQS adds unnecessary complexity for this straightforward use case, whereSNSis the simpler and more efficient solution.

AWS References:

AWS Lambda

Amazon SNS

Amazon DynamoDB

Amazon EventBridge

Summary:

UsingAWS Lambdacombined withAmazon SNSto send notifications, and scheduling the function withAmazon EventBridgeto run daily, is the most operationally efficient solution. It leverages AWS serverless technologies, which reduce the need for infrastructure management and provide automatic scaling. Therefore,Option Cis the correct and optimal choice.

The key requirements are asynchronous processing, high availability, burst handling, and strict message ordering. Amazon SQS FIFO queues are specifically designed to guarantee exactly-once processing and ordered message delivery, making them ideal for transactional workflows like ecommerce order processing.

Option B meets all requirements. SQS FIFO preserves the order of messages within a message group and scales automatically to absorb traffic spikes. Integrating SQS FIFO with AWS Lambda enables serverless, event-driven processing with automatic scaling and no infrastructure management. Lambda processes messages as they arrive while maintaining order guarantees.

Option A (SNS) does not guarantee ordering and is designed for fan-out messaging. Option C (SQS standard) scales well but does not preserve order. Option D introduces unnecessary batch infrastructure and increased latency.

Therefore, B is the best solution because it combines ordered delivery, resilience, elasticity, and serverless compute, ensuring reliable and scalable order processing.

AWS Secrets Manager is designed specifically to securely store and manage sensitive information such as database credentials. It integrates seamlessly with AWS services like Lambda and RDS, and it provides automatic credential rotation with minimal operational overhead.

AWS Secrets Manager: By storing the database credentials in Secrets Manager, you ensure that the credentials are securely stored, encrypted, and managed. Secrets Manager provides a built-in mechanism to automatically rotate credentials at regular intervals (e.g., every 30 days), which helps in maintaining security best practices without requiring additional manual intervention.

Lambda Integration: The Lambda function can be easily configured to retrieve the credentials from Secrets Manager using the AWS SDK, ensuring that the credentials are accessed securely at runtime.

Why Not Other Options?:

Option A (Parameter Store with Rotation): While Parameter Store can store parameters securely, Secrets Manager is more tailored for secrets management and automatic rotation, offering more features and less operational overhead.

Option C (Encrypted Lambda environment variable): Storing credentials directly in Lambda environment variables, even when encrypted, requires custom code to manage rotation, which increases operational complexity.

Option D (KMS with automatic rotation): KMS is for managing encryption keys, not for storing and rotating secrets like database credentials. This option would require more custom implementation to manage credentials securely.

AWS References:

AWS Secrets Manager- Detailed documentation on how to store, manage, and rotate secrets using AWS Secrets Manager.

Using Secrets Manager with AWS Lambda- Guidance on integrating Secrets Manager with Lambda for secure credential management.

AWS Step Functions supports long-running workflows and error retries, making it ideal for a job composed of many tasks. Integration with EventBridge allows automatic triggering from S3 events. This setup is resilient and supports up to 1-year execution duration.

Amazon S3 Standard provides virtually unlimited scalability, high durability (11 nines), and millisecond latency. It is designed for storing large volumes of unstructured content such as media files. S3 also supports pre-signed URLs and direct browser uploads, enabling users to upload files securely without passing through backend servers. EBS volumes (A) are block storage, limited to single AZ, and not suitable for web-scale storage. EFS (B) is a shared file system for POSIX workloads, not for direct browser uploads. S3 Express One Zone (D) offers higher performance for small objects but does not provide cross-AZ durability, making it unsuitable for growing global content. Therefore, option C is the most scalable, durable, and cost-effective solution.

Comprehensive Explanation:Deploying the frontend as a CloudFront distribution with multiple origins provides an efficient and scalable solution. Using WAF rules with CloudFront protects against web vulnerabilities, while the multi-origin configuration allows traffic routing to the on-premises backend APIs. This approach minimizes operational overhead compared to managing EC2 instances.

AWS Outposts extends AWS infrastructure and services to on-premises locations. Running Amazon EMR on Outposts allows for processing data that resides locally while benefiting from the managed services of EMR. This enables compliance with data residency requirements and provides scalability and manageability for analytics.

AWS PrivateLinkis the most suitable solution for providing fine-grained access control while allowing multiple VPCs, potentially across multiple accounts, to access the new application. This approach offers the following advantages:

Fine-grained control: Endpoint policies can restrict access to specific services or principals.

No need for route table updates: Unlike VPC peering or transit gateways, AWS PrivateLink does not require complex route table management.

Scalable architecture: PrivateLink scales to support traffic from multiple VPCs.

Secure connectivity: Ensures private connectivity over the AWS network, without exposing resources to the internet.

Why Other Options Are Not Ideal:

Option A:

VPC peering is not scalable when connecting multiple VPCs or accounts.

Route table management becomes complex as the number of VPCs increases.Not scalable.

Option B:

While transit gateways provide scalable VPC connectivity, they are not ideal for fine-grained access control.

Transit gateways allow connectivity but do not inherently restrict access to specific applications.Not ideal for fine-grained access control.

Option D:

Exposing the application through an ALB over the internet is not secure and does not align with the requirement to use private network resources.Security risk.

AWS References:

AWS PrivateLink:AWS Documentation - PrivateLink

AWS Networking Services Comparison:AWS Whitepaper - Networking Services

This is a classic session-persistence problem. AWS Elastic Load Balancing documentation explains thatstickinesslets a load balancer bind a user’s session to a specific target. For an ALB,application-based cookie stickinesscan be enabled at the target group level, which is useful when the application expects a user to continue hitting the same backend instance for the duration of a session. That prevents users from being redirected back to login because of requests landing on different instances. The other options either do not solve the session problem or reduce availability by forcing traffic to one instance. (docs.aws.amazon.com)

============

S3 Intelligent-Tiering is designed for data with unknown or changing access patterns. It automatically moves objects between frequent and infrequent access tiers as needed, with no retrieval fees for accessing data in any tier, and no performance impact. Minimal management overhead is required because AWS manages all transitions automatically. This class is cost-optimized and meets all requirements listed.

AWS Documentation Extract:

" S3 Intelligent-Tiering is the only storage class that automatically moves data between frequent and infrequent access tiers when access patterns change, with no retrieval charges and no impact on performance. It is designed to optimize costs automatically when data access patterns are unpredictable. "

(Source: Amazon S3 documentation, Intelligent-Tiering storage class)

Other options:

B: Storage class analysis only provides recommendations, not actual storage tiering.

C & D: S3 Standard-IA and S3 One Zone-IA both have retrieval fees and may impact retrieval time and data durability.

After 180 days, the images become infrequently accessed but still must remain immediately available, which fits S3 Standard-IA better than One Zone-IA because the question requires high availability and redundancy throughout the lifecycle. AWS documents that Standard-IA is for long-lived, infrequently accessed data with millisecond access and multi-AZ resilience, while One Zone-IA stores data in a single AZ. After 360 days, the company still needs instant access, so S3 Glacier Instant Retrieval is the right archival class. AWS states that Glacier Instant Retrieval provides real-time access with lower storage cost than Standard-IA for archive data that still must be immediately retrievable. Glacier Flexible Retrieval would not meet the instant-access requirement.

============

The correct answer isCbecause the requirement separates encryption into two parts:encryption at restandencryption in transit. Fordata at rest, AWS usesAWS Key Management Service (AWS KMS)to manage encryption keys for services such asAmazon EBSandAmazon Aurora. EBS volumes can be created as encrypted volumes by using KMS keys, and Aurora supports encryption at rest through KMS as well. This protects stored application and database data without requiring the company to build its own key management system.

Fordata in transit, the proper AWS service isAWS Certificate Manager (ACM). AnApplication Load Balancercan use an ACM-issued or ACM-imported SSL/TLS certificate to terminate HTTPS connections and encrypt traffic between clients and the load balancer. This is the AWS standard approach for securing web traffic to internet-facing applications.

Option A is incorrect because it reverses the roles of the services.KMS does not provide certificates for TLS termination on an ALB, andACM does not encrypt EBS or Aurora storage at rest. Option B is incorrect because there is no single account-wide console setting that automatically turns on all encryption for all services in this way, and use of the root account is not an AWS best practice for normal configuration tasks. Option D is incorrect becauseBitLockeris not the appropriate general AWS-native answer for EBS and Aurora encryption, and ALBs do not use KMS keys directly as TLS certificates.

AWS security best practices recommendKMS for encryption at restandACM certificates for encryption in transit. Therefore, optionCis the correct solution.

CloudFront requires ACM certificates to be created in us-east-1. Origin Access Control (OAC) securely allows CloudFront to upload objects to S3 without exposing the bucket publicly. Transfer Acceleration and S3 website endpoints are unnecessary or incompatible for this use case.

The correct recommendation is to useAWS Schema Conversion Tool AWS SCTtogether withAWS DMSand run afull load plus CDCmigration so Oracle and Aurora PostgreSQL stay synchronized during the staged application cutover. AWS prescriptive guidance for Oracle-to-Aurora PostgreSQL migration explicitly uses AWS SCT and AWS DMS for this pattern. Because the source workload has a high number of reads and writes, amemory-optimized replication instanceis the stronger fit for heavy replication activity. DataSync is not the service used for relational database migration. Selecting only the largest tables would not satisfy the requirement to keep all application data synchronized across the whole migration window.

============

Edge-optimized API endpointsroute requests through CloudFront, reducing latency for global users.

Option Acorrectly implements edge-optimization, caching, and compression to minimize latency.

Options B and Ddo not use edge optimization, leading to higher latency for global users.

Reserved concurrency inOptions C and Dimproves backend scaling but does not address global latency directly.

Amazon S3 Intelligent-Tiering is the most cost-effective solution for this scenario, providing both high availability and durability while adjusting automatically to changing access patterns. It moves data across two access tiers: one optimized for frequent access and another for infrequent access, based on usage patterns. This tiering ensures that the company avoids paying for unused storage while also keeping frequently accessed data in a more accessible tier.

Key AWS references and benefits ofS3 Intelligent-Tiering:

High Durability and Availability: Amazon S3 offers 99.999999999% durability and 99.9% availability for objects stored, ensuring data is always protected.

Automatic Tiering: Data is automatically moved between tiers based on access patterns, making it ideal for workloads with unpredictable or variable access patterns.

No Retrieval Fees: Unlike S3 One Zone-IA or Glacier, there are no retrieval fees, making this more cost-effective in scenarios where access patterns vary over time.

AWS Documentation: According to the AWS Well-Architected Framework under theCost Optimization Pillar, S3 Intelligent-Tiering is recommended for storage when access patterns change over time, as it minimizes costs while maintaining availability​.

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

The correct answer isAbecause the application is aglobal Voice over IPworkload that needslow latency,high availability, andautomated failover across AWS Regions.AWS Global Acceleratoris specifically designed to improve the availability and performance of global applications by routing user traffic over the AWS global network to the optimal healthy endpoint. It usesstatic Anycast IP addresses, which means users connect through fixed IP addresses that do not depend on client-side DNS or IP address caching behavior.

This is especially valuable for latency-sensitive applications such as Voice over IP, where rapid routing decisions and fast failover are critical. Global Accelerator continuously monitors endpoint health and can automatically direct traffic to healthy endpoints in another AWS Region if a failure occurs. This supports the requirement for cross-Region failover with minimal disruption.

Option B is incorrect becauseRoute 53 geolocation routingdirects traffic based on user location, but DNS-based routing can be affected by client-side caching and does not provide the same performance acceleration or fast failover behavior as Global Accelerator. Option C is incorrect becauseAmazon CloudFrontis primarily a content delivery network for HTTP and similar content distribution scenarios, not the preferred service for real-time Voice over IP traffic. Option D is incorrect because anApplication Load Balancerdoes not by itself provide global routing or multi-Region failover.

AWS best practices for global, latency-sensitive applications recommendAWS Global Acceleratorwhen the goal is to improve performance, use the AWS backbone network, and provide health-based failover without depending on DNS cache expiration. Therefore,AWS Global Accelerator with health checksis the best solution.

The most secure and least operationally intensive method is to configure cross-account access using resource-based policies on the S3 bucket. This allows trusted external AWS accounts (consulting agencies) to securely access the S3 data without the need to manage user credentials or build additional infrastructure.

Options A and B pose security risks. Option D increases operational complexity and violates least privilege by managing external users inside your AWS account.

AWS Organizations: AWS Organizations allows you to create multiple AWS accounts and manage them centrally. You can organize accounts into organizational units (OUs) and apply policies to these units.

Organizational Units (OUs):

Create separate OUs for each department: finance, data analytics, and development.

Place the respective AWS accounts for each department into their corresponding OUs.

Service Control Policies (SCPs):

SCPs are policies that can restrict which AWS services and actions are available to accounts in an OU.

Create SCPs to define which services each department can use and attach these policies to the appropriate OUs.

SCPs apply to all IAM users, groups, and roles within the accounts in the OU, providing centralized control over service usage.

Operational Efficiency: Using AWS Organizations and SCPs provides a scalable and centralized way to manage permissions across multiple accounts with minimal operational overhead.