Free Practice Questions for Amazon Web Services SAA-C03 Exam

Export Requirements:

To export data from DynamoDB to Amazon S3, point-in-time recovery (PITR) must be enabled for the tables. This feature creates a snapshot of the data, which is essential for exports.

Incorrect Options Analysis:

Option B: S3 buckets and DynamoDB tables do not need to be in the same region for exports.

Option C: DynamoDB streams are unrelated to the export functionality.

Option D: DAX accelerates reads but has no role in exports.

AWS documentation states that you can associate a security group with a Network Load Balancer and use it to allow inbound traffic only from specified source IP ranges. AWS also recommends referencing theNLB’s security groupin the target instances’ security groups so the targets accept traffic only from the load balancer. That maps exactly to option B: allow the listed client IPs into the NLB on port 22, then allow port 22 from the NLB security group to the EC2 targets. The network ACL answer is less precise and harder to manage, and options C and D are broader than necessary.

============

AWS Site-to-Site VPN is a cost-effective way to securely connect your on-premises data center with AWS resources. In this scenario:

Applications in private subnetsrequire access to the API hosted in the on-premises data center.

ASite-to-Site VPN connectionis a secure and cost-efficient option to route traffic between the VPC and on-premises resources.

Transit GatewayandPrivateLinkare not cost-effective for this use case.

NAT Gatewayonly provides internet access for private subnets, which is not suitable for reaching an on-premises resource.

AWS Documentation Reference:

AWS Site-to-Site VPN

The requirement is to scan container images for CVEs with the fewest changes to existing ECS workloads. Amazon ECS integrates natively with Amazon Elastic Container Registry (ECR), making ECR the natural place to implement vulnerability scanning without modifying the orchestration platform.

Option A meets the requirement most efficiently. ECR provides built-in vulnerability scanning that can be enabled using scan on push, ensuring that every new image uploaded to the repository is automatically scanned for known CVEs. This capability requires no changes to ECS task definitions beyond referencing ECR images, which is typically already the case. Scan results are maintained by AWS and can be reviewed centrally, providing ongoing security visibility.

Option C introduces a major architectural change by migrating to EKS, which violates the “fewest changes” requirement. Options B and D misuse services: Amazon Macie is designed for sensitive data discovery in S3, not container image vulnerability scanning, and storing images in S3 breaks container-native workflows. Lambda-driven Inspector scans for container images are not required when ECR already provides integrated scanning.

Therefore, A is the optimal solution because it leverages native ECS–ECR integration, requires minimal operational changes, and provides automated CVE scanning aligned with AWS container security best practices.

AWS Step Functions is the recommended service for orchestrating multi-step, long-running workflows with state tracking, retries, and external API calls. It reduces operational overhead by eliminating the need for custom orchestration logic.

API Gateway receiving work items and sending them to SQS (Option E) provides buffering, elasticity, and decoupling, ensuring immediate ingestion regardless of backend load.

Option A forces Lambda to handle long execution paths, which is not optimal for 30-minute tasks and multi-state workflows. Option C triggers Lambda directly without buffering. Option D uses fixed EC2 instances, which does not scale dynamically.

=====================================================

When on-premises DNS servers need to resolve private DNS names in a VPC, the correct pattern is to create a Route 53 Resolver inbound endpoint. The inbound endpoint allows DNS queries to flow from the on-premises environment into the VPC, where Route 53 can resolve VPC-specific names (such as private hosted zones or private resource records). Outbound endpoints (C) are for sending VPC DNS queries to on-premises, not the reverse. Verified Access (A) is unrelated to DNS resolution. Direct Connect (B) provides network connectivity but does not provide DNS forwarding capabilities. Therefore, option D is the correct design.

AWS Shield Advanced is designed to provide enhanced protection against DDoS attacks with proactive engagement and response capabilities, making it the best solution for this scenario.

AWS Shield Advanced: This service provides advanced protection against DDoS attacks. It includes detailed attack diagnostics, 24/7 access to the AWS DDoS Response Team (DRT), and financial protection against DDoS-related scaling charges. Shield Advanced also integrates with Route 53 and the Application Load Balancer (ALB) to ensure comprehensive protection for your web applications.

Route 53 and ALB Protection: By adding your Route 53 hosted zones and ALB resources to AWS Shield Advanced, you ensure that these components are covered under the enhanced protection plan. Shield Advanced actively monitors traffic and provides real-time attack mitigation, minimizing the impact of DDoS attacks on your application.

Why Not Other Options?:

Option A (AWS Config): AWS Config is a configuration management service and does not provide DDoS protection or detection capabilities.

Option B (AWS WAF): While AWS WAF can help mitigate some types of attacks, it does not provide the comprehensive DDoS protection and proactive engagement offered by Shield Advanced.

Option C (GuardDuty): GuardDuty is a threat detection service that identifies potentially malicious activity within your AWS environment, but it is not specifically designed to provide DDoS protection.

AWS References:

AWS Shield Advanced- Overview of AWS Shield Advanced and its DDoS protection capabilities.

Integrating AWS Shield Advanced with Route 53 and ALB- Detailed guidance on how to protect Route 53 and ALB with AWS Shield Advanced.

The requirement has three key elements: high availability with automatic recovery, separation of transactional and analytical workloads, and acceptable reporting lag up to 4 hours. The clean AWS-native pattern for isolating heavy read/reporting traffic from transactional writes in RDS for MySQL is to use read replicas and direct reporting queries to the replica endpoint(s).

Option C meets these requirements well. The primary RDS for MySQL instance handles transactional traffic (reads/writes). One or more RDS read replicas asynchronously replicate data from the primary. Because replication is asynchronous, some lag is expected; the requirement explicitly tolerates up to a 4-hour lag, which fits the read replica model. Directing batch reporting and analytical queries to a replica prevents those expensive queries from consuming CPU, memory, and I/O on the primary, thereby protecting interactive user performance. Deploying replicas across multiple Availability Zones also improves availability of the reporting tier and reduces the risk that an AZ issue prevents reporting access.

Option A is incorrect because a standard Multi-AZ DB instance uses a synchronous standby that is not readable and is intended for failover, not for serving analytical queries. Option B describes a Multi-AZ DB cluster deployment, which does provide readable standbys in some RDS engines; however, for the classic RDS MySQL exam pattern, the most direct and widely used method to isolate analytics is read replicas. Option D creates a nightly snapshot-based read-only copy; this increases operational complexity, can result in stale data for most of the day, and introduces provisioning delays, which is unnecessary when replicas provide continuous near-real-time copies.

Therefore, C is the best fit because it provides HA for the primary, isolates reporting reads to replicas, and meets the allowed replication lag requirement.

Aservice control policyattached at the organization root is the right preventive control because SCPs define the maximum permissions for principals in member accounts across the organization. AWS documentation states that SCPs restrict permissions for IAM users and roles in member accounts and that an explicit deny overrides allows from other policies. That makes an SCP the cleanest centralized way to block creation of IAM users and access keys everywhere. Inline user policies would be harder to maintain, and GuardDuty or Config would be detective or corrective controls rather than the preventive control the question asks for.

============

AWS WAF is the correct service because AWS documents that it protects web applications at Layer 7 and defends against common web exploits such as SQL injection and cross-site scripting. Associating WAF with the ALB allows malicious requests to be filtered before they reach the EC2 instances, which minimizes application impact and avoids pushing inspection logic onto the hosts. CloudTrail, GuardDuty, and network ACLs are not the best tools for active application-layer request filtering against SQLi and XSS. Shield Advanced can add further protection for broader attack scenarios, but the key control in this answer is WAF on the ALB with rules that block malicious traffic patterns.

============

AWS recommends Auto Scaling with dynamic scaling policies to handle unpredictable workload spikes. Target tracking scaling policies automatically adjust capacity based on defined metrics such as average CPU utilization or request count per target. This approach ensures applications maintain responsiveness without overprovisioning. Scheduled scaling (options B and C) is only effective when traffic patterns are predictable, which is not the case here. Reserved Instances or Spot Instances also do not address sudden demand changes effectively. Replacing the ALB with an NLB (D) does not solve latency caused by EC2 instance capacity. Therefore, using EC2 instances in an Auto Scaling group with a target tracking scaling policy is the most effective and cost-efficient solution for unpredictable, short-lived traffic spikes.

When using imported key material with AWS KMS, you maintain control over the key lifecycle. AWS KMS allows you to import new key material into an existing KMS key (of type " external " or " imported " ), thus rotating the key material without changing the key ID or ARNs. This enables applications to continue using the same key for cryptographic operations without disruption.

You can also set an expiration time for the old key material, after which AWS KMS deletes the old material and requires new key material to be imported, enforcing regular rotation per your compliance requirements.

AWS Documentation Extract:

" To rotate imported key material, you can re-import new key material into the same KMS key. This retains the same key ID and ARNs so applications are unaffected. You can set an expiration time for imported key material and replace it as needed, ensuring compliance with your rotation policy. "

(Source: AWS Key Management Service Developer Guide, Importing Key Material, Rotating Key Material)

Other options:

A: You cannot create a new KMS key with the same key ID as an existing one.

B: Deleting and recreating the key disrupts application access because the key ID changes.

D: Automatic rotation is only available for AWS-managed keys, not for imported key material.

Using API Gateway with API keys provides secure access control. Amazon SQS allows asynchronous decoupling between frontend and backend, ensuring that backend processing can scale independently. AWS Lambda reading from SQS ensures scalable, event-driven processing with minimal operational management. This architecture is resilient and decoupled.

Aurora Replicas: Provide read scalability and high availability. They allow offloading read traffic from the primary database instance.

AWS Global Accelerator: Provides improved availability and performance by routing user requests to the optimal endpoint using AWS’s global network.

“Aurora Replicas can be used to increase read scalability and availability.”

— Aurora Replicas

“AWS Global Accelerator improves the availability and performance of your applications with global users.”

— AWS Global Accelerator

Together, these enhance both the database and network layer resilience.

To achieve a 60-second RTO, pre-warming the DR environment (including running EC2 instances and Route 53 health checks) is essential. Active/passive failover using Route 53 with health checks ensures fast redirection when the primary Region becomes unavailable. S3 cross-region replication ensures document availability.

AWS KMS automatic key rotationis the simplest and most operationally efficient solution. Enabling automatic key rotation ensures that KMS automatically generates new key material for the key every year without requiring manual intervention.

Option B:Configuring alerts to rotate keys introduces operational overhead as the actual rotation must still be managed manually.

Option C:Scheduling a Lambda function to rotate keys adds unnecessary complexity compared to enabling automatic key rotation.

Option D:Using a CloudFormation stack to run a Lambda function for key rotation increases operational overhead and complexity unnecessarily.

AWS Documentation References:

AWS KMS Key Rotation

Using Customer-Managed Keys with Amazon RDS

The best solution is to useAmazon SQSto receive updates from the mobile app and process them with anAWS Lambdafunction. The Lambda function can rewrite the message body as necessary for each shipper and then publish the updates to the appropriateSNS topicfor distribution. Thissetup ensures that each shipper receives only the relevant data and minimizes operational overhead by using managed services.

Option A (SNS filter policy): SNS does not have the capability to rewrite message bodies before forwarding.

Option C (Second SNS topic): Using an additional SNS topic adds unnecessary complexity without solving the message rewriting requirement.

Option D (EventBridge Pipes): EventBridge Pipes is more complex than necessary for this use case, and Lambda can handle the logic more efficiently.

AWS References:

Amazon SQS

Amazon SNS with Lambda

The most cost-effective general solution isDynamoDB auto scaling. AWS recommends atarget utilization of 70%for provisioned throughput with auto scaling, which lets DynamoDB adjust capacity up or down based on sustained workload patterns. That improves both read and write performance while controlling cost better than manual scaling. A GSI is only useful for specific alternate query patterns and does not solve overall throughput management by itself. DAX helps only with read-heavy caching, not writes. A custom CloudWatch-plus-Lambda scaling solution adds unnecessary operational work compared to native auto scaling. Because the question asks broadly for read and write performance at the best cost, auto scaling with the recommended 70% target is the strongest answer.

============

Amazon EFS integrates natively with Lambda, supports shared, persistent storage, and allows independent updates without redeploying functions. EBS and /tmp are not supported for this use case; FSx is unnecessary.

AWS Outposts brings native AWS services (including Amazon EMR) on-premises, ideal when data residency or latency constraints require local processing.

You benefit from AWS’s managed services while meeting the requirement to keep data processing local.