Free Practice Questions for Amazon Web Services SAA-C03 Exam

Amazon RDS for Oracle is a managed database service, which significantly reduces operational overhead compared to running Oracle on EC2 or on-premises. AWS Secrets Manager natively integrates with RDS and supports automatic, scheduled password rotation with minimal setup. You can configure the rotation schedule (including yearly), and Secrets Manager will handle the secure password storage and rotation workflow for you.

AWS Documentation Extract:

" AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure. You can configure automatic rotation for supported databases such as Amazon RDS for Oracle. "

(Source: AWS Secrets Manager documentation)

A, C, D: These solutions require custom scripting, Lambda, and alarms, leading to more operational overhead.

To meet the requirement of deleting objects older than 3 years while retaining certain data, this solution leverages serverless technologies to minimize operational overhead.

S3 Inventory: S3 Inventory provides a flat file that lists all the objects in an S3 bucket and their metadata, which can be configured to include data such as the last modified date. This inventory can be generated daily or weekly.

AWS Lambda Function: A Lambda function can be created to process the S3 Inventory report, filtering out the objects that need to be retained and identifying those that should be deleted.

S3 Batch Operations: S3 Batch Operations can execute tasks such as object deletion at scale. By invoking the Lambda function through S3 Batch Operations, you can automate the process of deleting the identified objects, ensuring that the solution is serverless and requires minimal operational management.

Why Not Other Options?:

Option A (AWS CLI script on EC2): Running a script on an EC2 instance adds unnecessary operational overhead and is not serverless.

Option B (AWS Batch): AWS Batch is designed for running large-scale batch computing workloads, which is overkill for this scenario.

Option C (AWS Glue + script): AWS Glue is more suited for ETL tasks, and this approach would add unnecessary complexity compared to the serverless Lambda solution.

AWS References:

Amazon S3 Inventory- Information on how to set up and use S3 Inventory.

S3 Batch Operations- Documentation on how to perform bulk operations on S3 objects using S3 Batch Operations.

Lambda supports mounting an Amazon EFS file system inside your function to store larger dependencies beyond the 250 MB layer quota.

EFS automatically encrypts data in transit using TLS.

“You can configure your Lambda function to mount an Amazon EFS file system, enabling your function to access large amounts of data or large dependencies.”

“Amazon EFS automatically encrypts all data at rest and in transit.”

— Lambda with Amazon EFS

This is the least operational overhead approach.

IAM Roles for Service Accounts (IRSA) is the AWS-recommended mechanism to grant fine-grained, pod-level AWS permissions in Amazon EKS. IRSA avoids the security risks of granting permissions to the entire node and aligns with the principle of least privilege.

To implement IRSA, two core components are required. First, an IAM role must be created with a trust policy that references an OIDC identity provider associated with the EKS cluster. This is why Option E is required. The OIDC provider allows AWS STS to authenticate Kubernetes service accounts and issue temporary credentials. Without this trust relationship, service accounts cannot assume IAM roles securely.

Second, the Kubernetes service account must be explicitly annotated with the ARN of the IAM role it is allowed to assume. This is provided by Option D. The annotation creates a direct mapping between a specific service account and a specific IAM role, ensuring granular access control at the pod level.

Option A is incorrect because attaching policies to the node IAM role grants permissions to all pods on the node, which violates least-privilege principles. Option B addresses network-level access but does not control AWS API authorization. Option C is incorrect because IAM roles should not be overloaded with permissions for multiple service accounts, and there is no direct one-to-one mapping between IAM roles and Kubernetes roles in this way.

Therefore, D and E together form the correct and secure IRSA configuration, enabling granular, auditable, and secure access to AWS resources from EKS workloads.

For the relational database tier, Amazon RDS Multi-AZ provides high availability with minimal manual intervention. In Multi-AZ mode, RDS maintains a synchronous standby in a different Availability Zone and provides automatic failover during certain failure scenarios. This reduces operational burden because the service handles replication, health monitoring, and failover orchestration.

For the container-based application tier, Amazon ECS with the Fargate launch type minimizes operational overhead because it removes the need to provision, patch, and scale the underlying EC2 instances that host containers. With Fargate, AWS manages the compute infrastructure, and the team focuses on task definitions, scaling policies, and application configuration. This supports a highly available, load-balanced architecture because ECS services can run tasks across multiple Availability Zones behind an Application Load Balancer, and scaling is managed via ECS Service Auto Scaling.

Option B describes read replicas, which are primarily used for scaling reads and, depending on configuration, may not provide the same automated failover characteristics as Multi-AZ for high availability. Read replicas are not a direct substitute for Multi-AZ HA. Option C (self-managed Docker cluster on EC2) is operationally heavy: you must manage node capacity, patching, cluster lifecycle, and scheduling. Option E (ECS on EC2) is a valid container platform but still requires managing EC2 instances, AMIs, and scaling/patching, which increases manual intervention compared to Fargate.

Therefore, combining RDS Multi-AZ (A) for database resilience and ECS Fargate (D) for serverless container operations meets the HA requirement with the least manual effort.

The best practice for secure access control in AWS is to use IAM roles with least-privilege policies, granting only the permissions necessary to perform required tasks. Assigning roles individually ensures that developers cannot overstep their intended access boundaries.

Sharing credentials or using permanent access keys increases the risk of security breaches. Cognito is primarily intended for managing user access to applications, not AWS infrastructure. Thus, Option B best meets security and access control requirements.

Provisioned concurrency is the key requirement match because AWS documentation states that it pre-initializes Lambda execution environments and is designed to reduce cold-start latency, supporting predictable response times in the double-digit millisecond range. That makes it ideal for APIs that must remain consistently low-latency during peak traffic periods. Reserved concurrency does not solve cold starts; it only reserves capacity. ECS and EKS could certainly host the API, but both introduce more infrastructure management than API Gateway plus Lambda. Since the question asks for theleast operational overheadwhile maintaining consistent low latency, the serverless pattern with API Gateway and Lambdawith provisioned concurrencyis the strongest AWS-native answer. (AWS Documentation)

============

Option B (Amazon FSx for Lustre): FSx for Lustre is optimized for high-performance file systems required by HPC workloads, scaling to millions of IOPS and supporting parallelized data access.

Option E (Cluster Placement Group with Auto Scaling): A cluster placement group ensures low-latency communication between EC2 instances, critical for HPC workloads. Amazon EMR simplifies running large-scale analytics jobs.

Amazon FSx for Lustre Documentation,AWS Placement Groups Documentation

AWS PrivateLink enables private connectivity between VPCs and supported AWS or third-party services without exposing traffic to the public internet. It ensures secure and private communications, making it ideal for connecting internal services to SaaS applications hosted in AWS.

Kinesis Data Streams is the right ingestion service for real-time streaming data, and AWS Lambda is the least-operations compute option for processing and transforming records from the stream. AWS documents that Lambda can process events from stream sources such as Kinesis without infrastructure management. Storing the transformed data in DynamoDB provides durable, scalable storage for later analysis. The EC2 option introduces server management overhead. SQS is useful for queued work, but the question specifically centers on streaming data. SNS with ElastiCache is also not a durable analysis store design. Therefore, Kinesis Data Streams plus Lambda plus DynamoDB is the lowest-overhead architecture among the choices.

============

To build a distributed, serverless, event-driven workflow with minimal operational overhead, AWS Step Functions orchestrating AWS Lambda is the best fit. Step Functions provides a managed state machine service that coordinates multiple steps, handles retries and error handling patterns, and maintains execution state without requiring the company to run orchestration servers. Lambda provides serverless compute for each workflow task, scaling automatically with demand and eliminating server management.

Option D directly matches “performing different aspects of the workflow” because Step Functions is specifically designed to model multi-step business processes and coordinate activities across services. It also aligns with “minimize operational overhead” because both Step Functions and Lambda are managed services: there are no instances to patch, no cluster management, and scaling is handled by the platform.

Option B contradicts the serverless goal by deploying the application on EC2 instances, increasing operational overhead (capacity management, patching, scaling, and availability concerns). Option C mixes eventing with scheduling: EventBridge can route events, but invoking Lambda “on a schedule” is not the same as orchestrating a multi-step workflow with branching, waiting, retries, compensation, and state tracking. EventBridge is excellent as an event bus, but Step Functions is the purpose-built workflow orchestrator. Option A is a mismatch because AWS Glue is primarily an ETL/data integration service; while it can run jobs and triggers, it is not the general workflow orchestrator for arbitrary application steps, and using it to invoke Lambda for a broad workflow is less direct and typically less operationally clean than a Step Functions state machine.

Therefore, D is the most aligned solution for serverless, distributed workflow orchestration with low operational burden.

Because the application is public and serves global customers with dynamic IP addresses, the web tier must allow HTTPS traffic from0.0.0.0/0on port 443. For the database tier, the secure design is to allow MySQL access only from theweb tier’s security group, not from the internet. AWS RDS documentation explains that you can specify another VPC security group as the source for the DB security group, which allows application servers to connect without exposing the database publicly. That makes A the correct configuration. Options B and C do not work well for global dynamic users, and D exposes the database to the internet.

============

AWS Storage Gateway Tape Gateway provides a seamless way to migrate backup data to AWS without requiring changes to the backup software. Migrating to S3 Glacier Deep Archive ensures long-term, cost-effective storage for data that rarely needs retrieval.

Option A:S3 Standard-IA is more expensive than Glacier for long-term storage.

Option B and D:Glacier Flexible Retrieval is costlier than Glacier Deep Archive for archival use cases with low retrieval frequency.

AWS Documentation References:

AWS Storage Gateway Tape Gateway

S3 Glacier Storage Classes

The problem is scale-out latency: when traffic spikes, new instances take time to launch, initialize, and pass health checks. This can temporarily degrade user experience even if Auto Scaling eventually adds enough capacity. The goal is to improve responsiveness to sudden spikes cost-effectively.

A key Auto Scaling feature for this situation is an EC2 Auto Scaling warm pool. A warm pool maintains a set of pre-initialized instances (stopped or running, depending on configuration) that Auto Scaling can rapidly transition into service. This reduces the time needed for instance launch and initialization, enabling faster scale-out during unexpected surges.

Option B is best because it supports the application’s peak needs by ensuring Auto Scaling can scale up to the required maximum capacity and keeps warm capacity ready. While a warm pool has some cost (especially if instances are kept running), it is typically more cost-effective than permanently running peak capacity all the time. It improves user experience by minimizing cold start delays during spikes.

Option A is counterproductive: lowering minimum capacity increases the likelihood of scale-out delays. Option C is illogical as written (“increase maximum to meet normal demand”); maximum should reflect peak potential, and a warm pool without sufficient max headroom will not solve the spike problem. Option D uses scheduled scaling, but the spike is unexpected, and increasing instance sizes increases cost and does not address launch delay; it may also reduce horizontal scaling flexibility.

Therefore, B is the most cost-effective way to improve scale-out performance and protect user experience during unexpected bursts.

A. Amazon EFS:Provides a scalable, shared file storage solution with minimal operational overhead. It ' s ideal for Linux-based workloads.

B. Amazon FSx for NetApp ONTAP:More suited for workloads requiring NetApp-specific features.

C. Amazon EBS:Requires manual management of file shares, which increases operational overhead.

D. Amazon FSx for Windows File Server:Best suited for Windows SMB workloads with low operational overhead.

E. Amazon FSx for OpenZFS:Better for Linux and Unix-based workloads.

Amazon Timestreamis purpose-built for storing and analyzing time-series data like telemetry.

Option Aleverages Timestream, SageMaker for ML, and QuickSight for visualization, meeting all requirements with minimal complexity.

Option Binvolves more complex DynamoDB-EMR integration.

Option Cuses Neptune, which is designed for graph databases, not telemetry data.

Option Dincorrectly uses Athena for visualization instead of QuickSight.

This question centers on improving scalability and global access performance.

Auto Scaling groups enable EC2 instances to scale dynamically in response to demand, ensuring availability during peak hours without manual intervention. Amazon RDS read replicas offload read traffic, improving read throughput and reducing latency on the primary database instance. Deploying Amazon CloudFront with S3 as origin accelerates delivery of static transaction documents globally by caching content at edge locations, reducing latency for users worldwide.

Option B focuses on vertical scaling (larger instances) and caching with ElastiCache, but it does not address global content delivery optimally. AWS Global Accelerator accelerates network traffic but is better suited for accelerating TCP and UDP traffic; CloudFront is generally preferred for HTTP content delivery.

Option C migrates workloads to Lambda and Aurora global databases, which is an advanced and potentially costly redesign that may not be necessary. Option D suggests moving to ECS and multi-AZ RDS but does not address global content delivery efficiently.

Therefore, option A uses proven scalability and caching best practices aligned with AWS Well-Architected Framework pillars for performance and operational excellence.

Key Requirements:

High availability and automatic recovery.

Separate transactional and analytical queries with minimal performance impact.

Allow up to a 4-hour lag for analytical queries.

Analysis of Options:

Option A:

Multi-AZ deployments provide high availability but do not include read replicas for separating transactional and analytical queries.

Analytical queries on the secondary DB instance would impact the transactional workload.

Incorrect Approach:Does not meet the requirement of query separation.

Option B:

Multi-AZ DB clusters provide high availability and include a reader endpoint. However, these are better suited for Aurora and not RDS for MySQL.

Incorrect Approach:Not applicable to standard RDS for MySQL.

Option C:

Multiple read replicas allow separation of transactional and analytical workloads.

Queries can be pointed to a replica in a different AZ, ensuring no impact on transactional queries.

Correct Approach:Meets all requirements with high availability and query separation.

Option D:

Creating nightly snapshots and read-only databases adds significant operational overhead and does not support the 4-hour lag requirement.

Incorrect Approach:Not practical for dynamic query separation.

AWS Solution Architect References:

Amazon RDS Read Replicas

Multi-AZ Deployments