Free Practice Questions for Amazon Web Services SAA-C03 Exam

This solution is the most cost-effective and efficient way to break down costs per application.

Tagging Resources: By tagging all AWS resources with a specific key (e.g., " cost " ) and a value representing the application ' s name, you can easily identify and categorize costs associated with each application. This tagging strategy allows for granular tracking of costs within AWS.

Activating Cost Allocation Tags: Once tags are applied to resources, you need to activate cost allocation tags in the AWS Billing and Cost Management console. This ensures that the costs associated with each tag are included in your billing reports and can be used for cost analysis.

AWS Cost Explorer: Cost Explorer is a powerful tool that allows you to visualize, understand, and manage your AWS costs and usage over time. You can filter and group your cost data by the tags you’ve applied to resources, enabling you to easily see the cost breakdown for each application. Cost Explorer also supports generating regular reports, which can be scheduled and emailed to stakeholders.

Why Not Other Options?:

Option A (AWS Budgets): AWS Budgets is more focused on setting cost and usage thresholds and monitoring them, rather than providing detailed cost breakdowns by application.

Option B (Load Cost and Usage Reports into RDS): This approach is less cost-effective and involves more operational overhead, as it requires setting up and maintaining an RDS instance and running SQL queries.

Option D (AWS Billing and Cost Management Console): While you can download bills, this method is more manual and less dynamic compared to using Cost Explorer with activated tags.

AWS References:

AWS Tagging Strategies- Overview of how to use tagging to organize and track AWS resources.

AWS Cost Explorer- Details on how to use Cost Explorer to analyze costs.

AmazonKinesis Data Streamsis the best choice for this scenario:

Message throughput: Kinesis Data Streams supports high throughput with enhanced fan-out and dedicated throughput for consumers.

Large message size: Supports message sizes up to 1 MB, meeting the 500 KB requirement.

Message retention: Data streams can retain messages for up to 365 days.

Strict ordering: Guarantees message ordering within shards.

Why Other Options Are Not Ideal:

Option B:

While SQS FIFO supports strict ordering, SNS topics do not. SNS also does not natively support message retention or strict ordering across consumers.Does not meet requirements.

Option C:

EventBridge does not provide strict ordering guarantees or message retention beyond 24 hours.Does not meet requirements.

Option D:

SNS topics with Data Firehose are not designed for use cases requiring strict ordering or long message retention.Does not meet requirements.

AWS References:

Amazon Kinesis Data Streams:AWS Documentation - Kinesis Data Streams

AWS Messaging Services Comparison:AWS Documentation - Messaging Services

AWS Storage Gateway file gateway presents a file interface backed by Amazon S3 and supports NFS. This allows local applications to access data via NFS while also enabling cloud applications to use the data stored in S3 for analytics and processing, fulfilling both hybrid and cloud-native requirements.

Reference Extract:

" AWS Storage Gateway file gateway offers NFS and SMB access to data stored in Amazon S3, supporting hybrid workloads for local and cloud access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Hybrid and Storage Gateway section.

To meet the requirement of controlling key rotation with minimal operational overhead, creating acustomer managed key(CMK) in AWS KMS is the optimal solution. With CMKs, you can define custom key rotation policies, ensuring that you retain control over the key lifecycle, including enabling automatic key rotation every year.

Key AWS features:

Custom Key Management: A customer managed key allows you to control the key policies, lifecycle, and enable key rotation for compliance.

Least Operational Overhead: Using a customer managed key simplifies encryption management while offering more flexibility than AWS managed or owned keys.

AWS Documentation: The AWS Well-Architected Framework recommends customer managed keys for environments where key control and flexibility are required​.

Aurora PostgreSQL supports the pgvector extension, which allows storage and querying of vector embeddings directly inside the database. This eliminates the need for external vector databases and provides cost-effective and performant integration for AI workloads.

The correct answer isAbecause the application processes videos for5–30 minutes, must runmultiple jobs in parallel, and should have theleast operational overhead.Amazon ECS with AWS Fargateis a managed container solution that removes the need to provision and manage EC2 instances while still supporting longer-running parallel jobs. UsingAmazon SQS standard queuesdecouples the upload event from processing and provides a scalable buffer for incoming work.

With this design, Amazon S3 sends object-created notifications to the SQS queue whenever users upload videos. ECS services or tasks on Fargate can then consume messages from the queue and process videos independently. Auto scaling based onSQS queue depthensures the system increases task count when more videos arrive and decreases capacity when demand drops. This provides elasticity and efficient parallel processing with minimal infrastructure management.

Option B is incorrect because EC2-based scaling introduces more operational overhead than Fargate. Option C is incorrect because AWS Lambda has a maximum execution duration and is not appropriate for jobs that can run up to 30 minutes. Option D is also incorrect for the same reason; Lambda is not the best fit for this processing duration, and SNS does not provide the same durable queued work pattern as SQS for controlled parallel processing.

AWS best practices recommend usingevent-driven queues with containerized workersfor medium-duration processing jobs that need concurrency and minimal management. Therefore,S3 + SQS + ECS on Fargate with queue-based scalingis the best solution.

AWS Lake Formation natively supports fine-grained access control, including:

Row-level security

Cell/column-level security

These are implemented through data filters and Lake Formation permissions on governed tables and views. This allows you to centrally define which users or groups can access which rows and which columns, including sensitive data fields, with minimal custom code or maintenance.

Why others are incorrect:

A: IAM alone does not provide row-level or cell-level data security inside Lake Formation tables.

C and D: Using Lambda to scrub or periodically remove sensitive data is complex, error-prone, and high overhead compared to built-in Lake Formation data filters.

AWS documentation states that the correct and least-privilege method for cross-account SNS-to-SQS integration is:

• Add specific SNS topic ARNs to the SQS queue policy.

• Allow only those topics to publish messages to the queue.

• Ensure SNS has permission to publish to the specific queue ARN.

This ensures strict scoping and adheres to least privilege.

Options A and D grant overly broad permissions. Option B allows publishing to any queue, which violates least privilege.

Amazon S3 Access Points simplify managing data access for shared datasets in S3 by allowing the creation of distinct access policies for different applications or users. Each access point has its own policy and can be managed independently. This method avoids overloading a single bucket policy and helps remain within policy size limits.

Option D provides a scalable and operationally efficient solution by offloading individual access controls from a central bucket policy to individually managed access points, which is ideal for environments with many consuming applications.

AWS Global Accelerator is designed to improve the availability and performance of applications with global users by using the AWS global network. It provides static anycast IP addresses and routes user traffic over the AWS edge network to the optimal AWS Region and endpoint based on health, geography, and routing policies. Global Accelerator supports both TCP and UDP traffic and can have Network Load Balancers as endpoints.

For latency-sensitive workloads such as multiplayer gaming, Global Accelerator reduces latency and jitter compared to internet-based routing and handles Regional failover quickly.

CloudFront (Option A) is optimized for HTTP/HTTPS content caching and is not appropriate for arbitrary TCP/UDP gaming traffic. Application Load Balancers (Option B) do not support UDP traffic. API Gateway (Option D) is for HTTP APIs and is not suitable for raw TCP/UDP game traffic.

For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.

This protects against:

Data center failure

Device failure

Location outages

“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.”

— AWS Direct Connect Resiliency Recommendations

Option C follows AWS maximum resiliency model.

Amazon S3 Object Lock is the AWS feature designed for WORM storage. AWS documentation says Object Lock helps prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely and supports a WORM model. In compliance mode, even an administrator cannot shorten or remove the retention period before it expires, which is critical for confidential medical records and regulatory retention. Setting a 1-year retention period satisfies the minimum retention requirement, and IAM policies can still control which approved users are allowed to upload new objects. MFA Delete and ordinary IAM policies do not provide the same immutable WORM guarantees. A custom Lambda-based approach would add unnecessary complexity and still would not be the native compliance-oriented control that S3 Object Lock provides.

============

The key issue is repeated reads of identical data from an RDS MySQL database, which leads to unnecessary database load and degraded performance. The AWS-recommended solution for this pattern is to introduce an in-memory cache between the application and the database.

Amazon ElastiCache (Redis OSS) is purpose-built for caching frequently accessed data with microsecond-level latency. By caching identical query results, the backend EC2 instances can serve responses directly from memory instead of repeatedly querying the database. This significantly reduces read pressure on the RDS instance and improves overall application performance and scalability.

Option B is correct because Redis integrates cleanly with EC2-based applications and supports advanced caching patterns such as key expiration, eviction policies, and fine-grained control over cached objects. This approach also improves resilience during traffic spikes by offloading work from the database.

Option A is incorrect because SNS is a messaging service and does not cache or accelerate database queries. Option C is incorrect because DynamoDB Accelerator (DAX) works only with DynamoDB tables, not Amazon RDS. Option D is designed for streaming data ingestion and analytics, not for optimizing synchronous database access.

Therefore, B is the correct solution because it addresses the root cause of the performance problem by caching repeated database reads, following AWS best practices for high-performing application architectures.

Provisioned IOPS SSD (io1 or io2) volumes are designed to deliver predictable, high performance for I/O-intensive workloads such as databases. They offer consistent, low-latency performance and durability, making them ideal for business-critical applications that cannot tolerate latency or data loss.

Amazon S3 Glacier Flexible Retrieval is a low-cost archival storage class that supports retrieval of data within minutes (expedited access ~1–5 minutes), making it ideal for audit scenarios where occasional, quick access to archived data is required. In contrast, Glacier Deep Archive takes hours to retrieve.

The correct answer isDbecause the company needsNFS supportfor its on-premises environment and wants to back up files intoAmazon S3in themost cost-effectiveway.AWS Storage Gateway File Gatewayis the AWS service designed to present a file interface usingNFS(and SMB) while storing the files as objects in Amazon S3. This allows the company to keep using NFS-based workflows without redesigning the backup process.

The company also wants toarchive the backup files after 5 daysand is willing to waita few daysto retrieve archived data for disaster recovery. That retrieval tolerance aligns well withAmazon S3 Glacier Deep Archive, which is the lowest-cost S3 archival storage class for long-term retention when fast retrieval is not required. By applying anS3 Lifecycle ruleto transition files to Glacier Deep Archive after 5 days, the company can minimize storage cost while still retaining the backups durably in S3.

Option A is incorrect becauseS3 Standard-IAis cheaper than Standard for infrequent access, but it is not archival storage and is more expensive than Glacier Deep Archive for long-term backup retention. Option B is incorrect becauseVolume Gatewayprovides block storage interfaces, not NFS file access. Option C is incorrect becauseTape Gatewayis intended for virtual tape backup workflows, not direct NFS file storage access.

AWS best practices recommendFile Gatewaywhen on-premises applications need file-based access to Amazon S3, andS3 Glacier Deep Archivewhen the lowest-cost archival tier is acceptable. Therefore,File Gateway with a lifecycle transition to S3 Glacier Deep Archiveis the best solution.

Amazon API Gateway with CloudFront: API Gateway allows you to create, deploy, and manage APIs, while CloudFront provides a CDN to deliver content with low latency and high transfer speeds.

AWS WAF (Web Application Firewall):

AWS WAF can be configured in CloudFront to protect against common web exploits, including SQL injection and cross-site scripting (XSS).

WAF allows you to create custom rules to block specific attack patterns and can be managed centrally.

Configuration:

Deploy your APIs using Amazon API Gateway.

Set up an Amazon CloudFront distribution in front of the API Gateway.

Configure AWS WAF on the CloudFront distribution to apply security rules.

Operational Efficiency: This solution provides robust protection with minimal operational overhead by leveraging managed AWS services, ensuring that your APIs are secure without extensive custom implementation.

Amazon EC2 On-Demand Instances: Since the batch jobs cannot be disrupted, On-Demand Instances provide the necessary reliability and availability.

Amazon S3 Standard: Storing data in S3 Standard for the first 30 days ensures quick and frequent access.

S3 Glacier Deep Archive: After 30 days, moving data to S3 Glacier Deep Archive significantly reduces storage costs for data that is rarely accessed.

S3 Lifecycle Configuration: Automating the transition and deletion of objects using lifecycle policies ensures cost optimization and compliance with data retention requirements.

Amazon RDS Proxy helps manage and pool database connections from serverless compute like AWS Lambda, significantly reducing the stress on the database during unpredictable traffic surges. It improves scalability and resiliency by efficiently managing connections, protecting the database from being overwhelmed, and enabling failover handling.

Option A is the most cost-effective and operationally efficient approach to handling unpredictable surges and improving resilience without requiring major application changes.

Option B involves a migration to DynamoDB, which is a significant architectural change and costlier initially. Option C is manual connection cleanup, insufficient for unpredictable surges. Option D increases resources but does not solve connection storm problems efficiently and is more costly.

The primary requirements are automatic scaling, resilience to traffic spikes, and guaranteed order durability without losing customer orders. Option D follows a well-established, AWS-recommended decoupled architecture pattern that meets all these requirements.

Using an Application Load Balancer (ALB) provides Layer 7 request routing and distributes incoming traffic across multiple EC2 instances in Auto Scaling groups, allowing the application layer to scale horizontally as traffic increases. This ensures that spikes in web traffic do not overwhelm individual instances.

The critical resilience feature in this design is Amazon SQS, which acts as a durable buffer for unprocessed customer orders. If the application experiences a sudden traffic surge or if downstream processing slows, SQS stores incoming orders reliably until they can be processed. This decoupling prevents request loss and protects the user experience by absorbing load bursts.

Processed orders are stored in Amazon RDS with a Multi-AZ deployment, which provides synchronous replication to a standby instance in another Availability Zone and automatic failover. This ensures high availability and data durability for transactional order data.

The other options misuse services or introduce unnecessary complexity. NAT gateways (Option A) do not manage web traffic or provide resiliency for application workloads. Redshift (Option B) is an analytics data warehouse and not suitable for transactional order processing. Gateway Load Balancer (Option C) is designed for network appliances, not application traffic management or order capture.

Therefore, D is the correct solution because it combines load balancing, auto scaling, message queuing, and highly available databases to deliver a resilient, scalable, and fault-tolerant order processing architecture.