Free Practice Questions for Amazon Web Services SAA-C03 Exam

AWS Transfer Family is a fully managed service that provides SFTP, FTPS, and FTP access directly to Amazon S3. It allows organizations to support legacy data transfer protocols without managing infrastructure. This approach gives the vendors a familiar SFTP interface, with files landing directly in S3, and requires minimal operational effort compared to managing EC2 servers or using gateways.

Reference Extract from AWS Documentation / Study Guide:

" AWS Transfer Family enables secure transfer of files directly into and out of Amazon S3 using SFTP, FTPS, and FTP, and is fully managed by AWS, significantly reducing operational overhead. "

Source: AWS Certified Solutions Architect – Official Study Guide, Data Migration and Transfer section.

Amazon S3 Multi-Region Access Points allow applications to access S3 buckets in multiple Regions through a single global endpoint. This provides active-active read access with automatic routing to the closest bucket for low latency. With cross-Region replication, writes in the primary Region are automatically copied to the secondary Region, providing fault tolerance. Option A (CloudFront) provides caching and distribution, but does not address write replication or active-active bucket access. Option B (Transfer Acceleration) optimizes uploads across distances but does not enable cross-Region fault tolerance. Option C (AWS Backup) is designed for backup/restore, not real-time multi-Region reads and writes. Therefore, D is the correct solution for active-active read access and disaster recovery.

Amazon S3 presigned URLs are the most secure fit because they providetime-limited access to specific objectswithout requiring the external vendor to have AWS credentials or direct bucket permissions. AWS documentation states that presigned URLs grant temporary access to private S3 objects and can be used for downloads through a browser or program. This is stronger than creating an IAM user or sharing temporary keys because those methods still expose AWS credentials to a third party. A bucket policy based only on source IP is broader and less precise than object-level, time-bounded access. Presigned URLs let the company control exactlywhich objectcan be downloaded andfor how long, which is exactly what the scenario requires. (AWS Documentation)

============

The most secure option is to use across-account IAM rolein the central logging account and allow authorized Lambda functions in member accounts to assume that role. AWS cross-account access guidance is based on trusted roles rather than sharing long-term IAM user credentials. This keeps access temporary, auditable, and centrally controlled. The IAM user answers are weaker because they depend on long-term credentials, which is not the recommended pattern for Lambda-based cross-account access. A bucket policy that broadly allows “AWS Lambda” is also too permissive and not scoped to the organization’s trusted workloads. Therefore, a central role with an appropriate trust policy is the strongest design among the listed choices.

============

Tape Gateway is purpose-built for organizations that want tokeep their existing tape backup workflowswhile moving the tape infrastructure to AWS. AWS documentation states that Tape Gateway provides cloud-backed virtual tape storage and can archive tapes toS3 Glacier Flexible Retrieval or S3 Glacier Deep Archive. Because the company needs 10-year retention and wants the most cost-effective archive tier,Glacier Deep Archiveis the best fit. This approach also avoids redesigning the backup process, which is one of the explicit requirements. Snowball can move data in bulk, but it changes the workflow and the storage-class target in option C is not the lowest-cost long-term archive. Tape Gateway aligns directly with both operational continuity and archival economics.

============

Amazon Kinesis is the right streaming service because it ingests and processes data in real time. For the user-data store, Amazon DynamoDB is the correct database because AWS documents that DynamoDB is a serverless, fully managed, distributed NoSQL database with single-digit millisecond performance at any scale. That directly matches the durability, low-latency, and unknown-scale requirements in the question. RDS is not the most natural fit for unpredictable massive serverless scaling here, while CloudFront and Global Accelerator solve delivery and network-edge problems rather than real-time event ingestion plus low-latency persistence. For a serverless analytics application with streaming game data and highly scalable user storage, Kinesis and DynamoDB are the best pair.

============

Detailed Explanation:

A. EventBridge Rule:Detects modifications to CloudFront distributions in real time and triggers the Lambda function for further action.

B. ALB + Config:Focuses on ALB security violations, not relevant for CloudFront logging changes.

C. Lambda + SNS:Provides real-time notifications about changes in logging configuration.

D. GuardDuty:Focuses on threat detection, not logging configuration changes.

E. API Gateway + WAF:Unrelated to CloudFront logging changes.

Amazon S3 Standard-IA: This storage class is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard while still providing high availability and durability.

Access Patterns: Since the files are frequently accessed in the first 30 days and rarely accessed afterward, transitioning them to S3 Standard-IA after 30 days aligns with their access patterns and reduces storage costs significantly.

Lifecycle Policy: Implementing a lifecycle policy to transition the files to S3 Standard-IA ensures automatic management of the data lifecycle, moving files to a lower-cost storage class without manual intervention. Deleting the files after 4 years further optimizes costs by removing data that is no longer needed.

Workload Discovery on AWS automatically scans AWS accounts and Regions, identifies deployed resources, and generates relationship-aware architecture diagrams. This provides a complete workload map with minimal operational effort.

Systems Manager Inventory (Option A) collects instance metadata but does not build multi-account architecture diagrams.

Step Functions (Option B) and X-Ray (Option D) require manual diagramming and do not meet the operational-efficiency requirement.

=====================================================

AWS documentation states that the most secure method for granting private S3 access from VPCs is to use gateway VPC endpoints for Amazon S3. Endpoint policies enforce least privilege by allowing only specific IAM roles access to specific S3 buckets. Because users can obtain temporary credentials through IAM roles, no permanent access keys must be distributed.

S3 bucket policies based on CIDR ranges (Option B) are less secure because CIDR-based access is broader and can grant unintended access. Access points (Option C) still rely on public S3 endpoints unless combined with VPC-only access, which is not stated here. Option D exposes S3 to public internet egress and depends on public IPs, violating least-privilege principles.

=====================================================

IAM Access Analyzeris the correct service because AWS documents that it helps identify and reviewunused accessfor IAM users and roles across AWS accounts and organizations. It can generate findings that show where permissions are broader than necessary and can recommend narrower policies when applicable. Network Access Analyzer focuses on network reachability, not IAM over-permission. CloudWatch alarms on user activity do not analyze granted permissions, and Amazon Inspector is not the service for IAM permission-rightsizing. Since the company wants the least administrative overhead across multiple accounts managed with AWS Organizations, IAM Access Analyzer is the AWS-native service purpose-built for this kind of access review. (AWS Documentation)

============

Large binary objects are usually more cost-effective inAmazon S3than in a relational database. AWS S3 documentation describes S3 as highly durable object storage, and AWS storage guidance commonly uses a database to holdmetadatawhile S3 stores the objects themselves. Moving the documents out of the Oracle database reduces expensive database storage growth and can improve database performance by shrinking the amount of blob data managed inside the DB engine. The existing database can continue to store metadata and relational records, preserving application structure while improving cost efficiency and resilience. The other options either increase database cost further or shift to a much bigger redesign than needed.

============

EBS Encryption:

Default EBS Encryption: Can be enabled for new EBS volumes.

Use of AWS KMS: Specify AWS KMS keys to handle encryption and decryption of data transparently.

Amazon RDS Encryption:

RDS Encryption: Encrypts the underlying storage for RDS instances using AWS KMS.

Configuration: Enable encryption when creating the RDS instance or modify an existing instance to enable encryption.

Least Amount of Changes:

Both EBS and RDS support seamless encryption with AWS KMS, requiring minimal changes to the existing infrastructure.

Enables compliance with regulatory requirements without modifying the application.

Operational Efficiency: Using AWS KMS for both EBS and RDS ensures a consistent, managed approach to encryption, simplifying key management and enhancing security.

Using an Application Load Balancer (ALB) allows for integration with AWS WAF to inspect all incoming traffic. Running the application on Amazon ECS provides a scalable and managed container orchestration service. Utilizing Amazon Aurora Serverless for the PostgreSQL database offers automatic scaling based on application demand, which is cost-effective for workloads with variable traffic patterns, such as higher traffic on weekdays and lower traffic on weekends.

AWS Global Accelerator is the best answer because it providesstatic anycast IP addressesand routes users to the optimal healthy endpoint over the AWS global network. AWS documentation explains that Global Accelerator continuously monitors endpoint health and redirects traffic to the next best healthy endpoint almost immediately, which avoids dependence on DNS resolver caching or client-side IP caching. That is especially important for low-latency global applications such as Voice over IP. Route 53 geolocation routing does not provide the same fast failover characteristics, and CloudFront is not the service for generic bidirectional VoIP application traffic. (docs.aws.amazon.com)

============

Explanation (AWS Docs):

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache specifically for DynamoDB. It reduces read load and latency without requiring code changes (only SDK config). This is the least development effort.

“Amazon DynamoDB Accelerator (DAX) is a fully managed, highly available in-memory cache for DynamoDB that delivers microsecond read performance and requires minimal application changes.”

— Amazon DAX

The correct answer isAbecause the application must acceptTLS connections from IPv4 clients, provideoutbound internet access, present asingle entry point, and maintain thelowest possible attack surface. Placing the Amazon ECS tasks inprivate subnetsis the key security design decision because it prevents direct inbound access from the internet to the tasks themselves. The public-facing entry point is the load balancer, while outbound internet access for the private tasks is provided through aNAT gatewayin the public subnet.

ANetwork Load Balancer (NLB)is well suited for handlingTLSat Layer 4 and can expose a single public endpoint for client connections. Withawsvpcnetwork mode, each ECS task receives its own elastic network interface, making it straightforward to place tasks securely in private subnets while still registering them as targets behind the load balancer.

Option B is incorrect because anegress-only internet gatewayis forIPv6 outbound traffic only, while the requirement specifically mentionsIPv4 clients. Option C is incorrect because placing ECS tasks inpublic subnetsincreases the attack surface by exposing application infrastructure more directly to the internet. Option D is also incorrect for two reasons: it uses anegress-only internet gateway, which does not satisfy IPv4 outbound needs, and it places tasks inpublic subnets, which violates the goal of minimizing exposure.

AWS security design guidance emphasizes reducing exposure by placing application workloads in private subnets and exposing only the required front-end endpoint. Therefore, a publicNLBwith private ECS tasks and aNAT gatewayis the most secure and appropriate architecture.

The correct answer isAbecause the company needs to rotatedatabase credentials every 30 dayswhile maximizing security and minimizing development effort.AWS Secrets Manageris the AWS service specifically designed to store, manage, and rotate secrets such as database usernames and passwords. It supportsautomatic rotationfor supported databases, includingAmazon Aurora MySQL, which makes it the most secure and operationally efficient solution.

With Secrets Manager, credentials are encrypted at rest, access can be controlled through IAM policies, and applications can retrieve secrets programmatically without embedding them in source code or configuration files. Automatic rotation reduces the risk associated with static credentials and helps meet compliance requirements with minimal manual work. Because rotation is built into the service, the development effort is significantly lower than creating and maintaining custom rotation logic.

Option B can work, but it requires building and operating a customLambda rotation function, which adds complexity compared with the native automation available in Secrets Manager. Options C and D are not best practices because storing credentials in environment files or configuration files increases security risk and does not provide a managed secrets lifecycle.

AWS security best practices recommend centralizing sensitive credentials inAWS Secrets Managerand enablingautomatic rotationwhenever possible. This improves security posture, reduces operational overhead, and aligns directly with compliance requirements for regular credential changes. Therefore, storing Aurora MySQL credentials inSecrets Managerwith30-day automatic rotationis the best solution.

Using S3 event notifications to trigger AWS Lambda for file processing is a cost-effective and serverless solution. Lambda scales automatically with upload volume, and processing each file takes less than 5 seconds, fitting within Lambda ' s execution time.

Option A:AWS AppSync is designed for GraphQL APIs and is not suitable for file processing.

Option C:Kinesis is overkill and more expensive for this use case.

Option D:Running an EC2 instance incurs ongoing costs and is less flexible compared to Lambda.

AWS Documentation References:

Amazon S3 Event Notifications

AWS Lambda Overview

AWS Shield Advanced provides:

Advanced DDoS detection and mitigation

24/7 access to the AWS DDoS Response Team (DRT)

Real-time metrics and alerts via CloudWatch

Integrated with CloudFront, ALB, Route 53, and Global Accelerator

“Shield Advanced provides enhanced detection and mitigation for more sophisticated DDoS attacks and gives you access to the AWS DDoS Response Team (DRT).”

— AWS Shield Advanced Overview

Incorrect Options:

A (AWS WAF): For application-layer filtering only.

B (Shield Standard): Basic protection, no DRT or attack visibility.

C (Macie): Used for discovering sensitive data in S3, unrelated to DDoS.