Free Practice Questions for Amazon Web Services SAA-C03 Exam

Amazon EFS is a “fully managed, elastic, shared file system” that provides NFSv4 access across many EC2 instances and AZs, ideal for lift-and-shift of Linux NFS workloads. AWS DataSync “automates moving data between on-premises NFS servers and Amazon EFS,” performing incremental, parallel transfers with encryption and integrity checks, enabling cutover with minimal disruption. FSx for Lustre (A) targets HPC and S3-backed workloads, not general NFS shares. FSx for Windows (D) exposes SMB, not NFS. S3 (C) is object storage and not directly NFS-accessible by multiple EC2 hosts. EFS + DataSync satisfies NFS compatibility, multi-client access, and low-touch migration while remaining cost-effective for a 200-GB dataset.

The best multi-Region DR design isAurora global databasefor the database layer andS3 Cross-Region Replicationfor object storage. AWS documentation states that Aurora global database automatically synchronizes changes from a primary cluster to secondary clusters in other AWS Regions, providing multi-Region resiliency and fast recovery from Region-level outages. AWS also documents thatS3 CRRcopies objects to a destination bucket in another AWS Region, which is the standard way to protect S3 data across Regions. Same-Region options do not satisfy the multi-Region requirement, and the backup-based alternatives are less aligned with minimizing potential data loss than continuous cross-Region replication. Therefore,Aurora global database plus S3 CRRis the correct answer. (AWS Documentation)

============

Apresigned URLallows temporary access to a specific object in an S3 bucket without needing to make the bucket public or creating and managing additional IAM users. The URL is time-limited, and permissions are granted only to the specific object (in this case, the annual report), making it a highly secure and operationally efficient solution.

With a presigned URL, the consultant can access the report for the specified duration (7 days), after which the URL will expire automatically, removing the need for manual intervention to revoke access.

AWS References:

Amazon S3 Presigned URLsexplain how to generate a presigned URL to grant temporary access to S3 objects.

Best Practices for S3 Securityemphasize using presigned URLs for sharing temporary access to S3 objects securely.

Why the other options are incorrect:

A. Public static website: This approach involves making the S3 bucket publicly accessible, which is unnecessary and insecure for sensitive data.

B. Enable public access: Granting public access to the entire bucket, even temporarily, is a security risk and violates best practices.

C. Create an IAM user: Creating an IAM user and managing credentials is unnecessary overhead and less secure compared to a presigned URL for this short-term need.

Amazon ECS with AWS Fargate provides serverless container compute that can scale tasks dynamically in response to demand. This matches the unpredictable scaling requirements of a gaming workload. Aurora Serverless v2 provides on-demand, autoscaling relational database capacity while supporting complex SQL queries. EC2 with Auto Scaling (A) works but requires significant management overhead. Lambda with DynamoDB (B) is not suitable because the workload requires a relational database and long-running processes. ParallelCluster with HPC (D) is designed for batch scientific workloads, not dynamic, interactive gaming. Option C provides the correct balance of elasticity, performance, and managed services for both compute and relational database needs.

Business-critical applications often require predictable, low-latency I/O and high durability. Provisioned IOPS SSD (io1 or io2) Amazon EBS volumes are specifically engineered for these workloads.

Option C provides consistent, high-performance storage with guaranteed IOPS and low latency. EBS volumes are network-attached and persist independently of the EC2 instance lifecycle, ensuring durability and data protection. Provisioned IOPS volumes are commonly used for databases, transactional systems, and latency-sensitive applications.

Option A (instance store) offers low latency but is ephemeral and loses data on instance stop or failure. Option B is in-memory caching and not durable storage. Option D is optimized for large, sequential workloads and does not provide consistent low latency.

Therefore, C is the correct choice because it delivers the required performance, durability, and reliability for mission-critical applications.

A highly available relational database with minimal manual intervention is best delivered by Amazon RDS Multi-AZ, which provides managed standby infrastructure and automatic failover. For the container-based application layer, Amazon ECS with the Fargate launch type reduces operational effort because AWS manages the underlying compute capacity for the containers. That combination provides managed availability for both the database and the application tier. Read replicas can help scale reads, but they do not replace Multi-AZ as the primary high-availability pattern for the database. ECS on EC2 is workable, but it requires more instance management than Fargate. This makes A and D the strongest pair for high availability with minimal operational overhead.

============

AWS Elastic Disaster Recovery (AWS DRS) enables fast, reliable, and cost-effective disaster recovery. It replicates on-premises machines to AWS using continuous block-level replication. It supports automated testing and failover, meeting aggressive RTO targets such as 15 minutes.

The best practice to securely provide short-term access to AWS resources, such as Amazon S3, without using long-term credentials, is to use AWS Security Token Service (STS). According to the AWS IAM Best Practices and the Security Pillar of the AWS Well-Architected Framework, temporary credentials should always be used over long-term credentials when possible.

From AWS IAM Documentation:

“Use temporary credentials (IAM roles and AWS STS) instead of long-term access keys. Temporary security credentials are short-term, automatically expire, and are retrieved using AWS STS.”

(Source: IAM Best Practices – IAM User Guide)

Option D outlines the use of a trust relationship and assume-role mechanism via AWS STS. This allows the on-premises application to request temporary, scoped-down credentials to upload files to S3 securely. This approach is:

Secure – Uses short-lived credentials with least privilege

Scalable – No need for EC2 or VPN tunnels

Low Operational Overhead – No infrastructure to maintain

AWS-Recommended – Aligned with security best practices

In contrast:

Option A uses long-term credentials, which is a security risk.

Option B requires additional infrastructure (EC2, VPN), increasing complexity and cost.

Option C relies on IP-based access, which is insecure and not a form of identity-based authentication.

Amazon RDS Proxy helps manage thousands of concurrent database connections by pooling and reusing them efficiently. It is especially useful for serverless applications like AWS Lambda that can open numerous connections quickly, potentially overwhelming the database. Using RDS Proxy reduces connection management overhead and improves fault tolerance.

To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the “owner” tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage. This approach is both scalable and operationally efficient.

For Amazon RDS for PostgreSQL, AWS provides IAM database authentication. With this feature, applications do not use stored long-term usernames and passwords. Instead, they use temporary authentication tokens that are generated by AWS and validated by the RDS database.

The AWS best practice pattern is:

Attach an IAM role to the EC2 instances (instance profile).

Grant that role the necessary permissions (for example, rds-db:connect) to the specific RDS database user.

The application running on the EC2 instance uses the role’s temporary credentials to call the RDS token-generation API and obtain a short-lived authentication token.

The application then uses this token as the password when connecting to RDS for PostgreSQL.

This removes the need to store long-term credentials in the application or on the instance and uses IAM roles with temporary credentials, aligning with the security requirement.

Option A still relies on stored credentials (even if in Secrets Manager), which are long-lived and rotated but not token-based per-connection IAM authentication.

Option B uses static passwords and IP-based access, which does not meet the “no long-term credentials” requirement.

Option C stores long-term IAM user keys on the instances, which is explicitly against best practices and does not directly integrate with RDS authentication.

The requirements include:

Scalability: The solution must scale as video files are uploaded.

Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

Analysis of Options:

Option A:

AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

Option B:

AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

Option C:

Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

Option D:

Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

AWS References:

Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

AWS Step Functions:AWS Documentation - Step Functions

AWS Fargate:AWS Documentation - Fargate

Comparison of Storage Services:AWS Storage Options

By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

AWS Fargate with Spot capacity is the most cost-effective and serverless container option for short-duration jobs that are flexible on start time. Since the job is not latency-critical and runs nightly, it is a good candidate for Fargate Spot, which can offer up to 70% cost savings over On-Demand pricing.

The job runs for 1 hour, which exceeds the AWS Lambda maximum execution time (15 minutes). Therefore, Lambda is not suitable. EC2-based solutions involve higher operational overhead and cost, making Fargate Spot the best low-cost, low-maintenance solution.

AWS DataSync is the best fit because it is a managed service designed for repeated data movement between supported storage systems, includingAmazon S3andAmazon EFS. AWS documents that DataSync tasks can be configured to transferonly data that has changedby using theCHANGEDtransfer mode , which matches the overwrite-if-changed requirement. That removes the need to build custom synchronization code with Lambda or EC2. DataSync also has native support for S3 locations and EFS locations, so it directly covers both destinations in the question. Option A is therefore the lowest-overhead and most maintainable solution.

============

AWS VPC endpoints (interface and gateway) allow private connectivity from VPC resources to AWS services without requiring public IP addresses or internet gateways. This ensures applications remain isolated in private subnets while securely accessing AWS services. NAT gateways (B) would allow internet access, which does not meet the security requirement. Internet gateways (C) directly expose traffic to the internet, which violates the isolation requirement. Direct Connect (D) connects on-premises environments to AWS but does not provide service access from private subnets. Therefore, option A — using interface VPC endpoints — is the correct solution.

The correct design is to useRoute 53 failover records, with theprimary record pointing to the ALB and associated with a health check, and thesecondary record pointing to the static website. Route 53 failover routing is designed to return the primary resource when it is healthy and automatically return the secondary resource when the primary becomes unhealthy. The health check is attached to the primary failover record so Route 53 knows when to fail over. You do not need a Lambda function to switch records manually, because Route 53 provides built-in DNS failover. The secondary record does not need its own health check for this pattern. That is whyC and Eare the right combination. (AWS Documentation)

============

The Amazon CloudWatch agent is required to collect memory utilization metrics (as memory metrics are not reported by default). A target tracking policy is the simplest and most effective way to scale based on a custom metric such as mem_used_percent.

Reference Extract:

" Install the CloudWatch agent to collect memory metrics, and create a target tracking scaling policy using these custom metrics. "

Source: AWS Certified Solutions Architect – Official Study Guide, Monitoring and Scaling section.

Since the application uses long-lived TCP connections and must remain idle for up to 1 hour without timeout, all components involved in the connection path (ALB, GWLB, and firewall) must have their idle timeout values configured to at least 1 hour.

Gateway Load Balancer supports transparent insertion of firewalls, and configuring consistent idle timeouts ensures connections don’t drop mid-session.

Using just one firewall (option B) introduces a single point of failure. Increasing capacity (option D) doesn ' t solve idle timeout issues. Therefore, C provides a resilient and complete configuration.

The most effective way to reduce load on the web servers is to move the static video content toAmazon S3and deliver it throughAmazon CloudFront. CloudFront caches content at edge locations so repeated requests are served closer to users without repeatedly hitting the origin. AWS documentation also recommendsorigin access control OACto securely restrict direct access to the S3 origin and allow CloudFront to fetch the objects on behalf of viewers. ElastiCache is not a video-origin service, EFS would still keep the web servers in the delivery path, and File Gateway is for hybrid file access rather than internet content distribution. For high-traffic video delivery with the least origin load, S3 plus CloudFront with OAC is the correct design.

Lambda@Edge allows you to run functions at CloudFront edge locations, enabling modifications to content before it ' s delivered to users, including compression — which directly reduces data transfer cost.

“Lambda@Edge can be used to compress or modify your content before delivering it to end users, which reduces the amount of data transferred.”

— Lambda@Edge Use Cases

Since code modifications aren’t allowed, using Lambda@Edge is a non-invasive way to:

Compress responses.

Reduce transfer size = lower CloudFront cost.

Incorrect Options:

B: S3 Transfer Acceleration improves speed, not cost.

C: Caching doesn’t help if content is always unique (single-use).

D: Multipart uploads help with large file uploads, not transfers.