Free Practice Questions for Amazon Web Services SAA-C03 Exam

Amazon EventBridge supports routing application-generated events to AWS Lambda targets. The Lambda function can process and insert events into a DynamoDB table. This is a standard design pattern for connecting event-driven applications with DynamoDB. Option A confuses DynamoDB Streams (which streams changes from DynamoDB) with EventBridge (which is for event routing). Options C and D reference partner event buses, which are intended for SaaS integrations, not custom application events. Therefore, the correct and simplest solution is to use a custom EventBridge event bus with a Lambda target (B).

DynamoDB Accelerator (DAX) is a fully managed, in-memory cache for DynamoDB that delivers up to a 10x performance improvement—even at millions of requests per second. DAX requires minimal changes to existing applications and offloads the read workload from DynamoDB during report generation.

Reference Extract:

"DAX provides in-memory acceleration for DynamoDB tables, reducing response times from milliseconds to microseconds with minimal application changes."

Source: AWS Certified Solutions Architect – Official Study Guide, DynamoDB and Performance section.

The most secure solution for allowing EC2 instances to access an S3 bucket is by usingIAM roles. An IAM role can be created with an access policy that grants the required permissions (e.g., to read and write to the S3 bucket). The IAM role is then associated with the EC2 instances through anIAM instance profile.

By associating the role with the instances, the EC2 instances can securely assume the role and receive temporary credentials via the instance metadata service. This avoids the need to store credentials (such as access keys) on the instances or within the application, enhancing security and reducing the risk of credentials being exposed.

AWS CloudFormation can be used to automate the creation of the entire infrastructure, including EC2 instances, IAM roles, and associated policies.

AWS References:

IAM Roles for EC2 Instancesoutlines the use of IAM roles for secure access to AWS services.

AWS CloudFormation User Guidedetails how to create and manage resources using CloudFormation templates.

Why the other options are incorrect:

A. Save IAM access key in UserData: This is insecure because it involves storing long-term credentials in the instance user data, which can be exposed.

B. Store access keys in S3: This is also insecure, as it involves managing and distributing long-term credentials, which should be avoided.

D. Retrieve access keys via a script: This approach is unnecessarily complex and less secure than using IAM roles, which provide temporary credentials automatically.

Amazon Route 53 supports failover routing policies, which use health checks to route DNS queries to a secondary Region only if the primary endpoint fails. This design ensures only one Region is active for traffic at any given time. This is the recommended architecture for active-passive, multi-Region DR strategies.

AWS Documentation Extract:

“Failover routing lets you route traffic to a primary resource, such as a web server in one Region, and a secondary resource in another Region. If the primary fails, Route 53 can route traffic to the secondary resource automatically.”

(Source: Amazon Route 53 documentation, Routing Policy Types)

A, D: These options do not configure DNS failover for external users.

C: Geolocation routing is for regional distribution, not DR failover.

The requirement is to provide granular, scalable access to thousands of tables and columns in a data lake across many users and departments, with the least operational overhead.

AWS Lake Formation supports tag-based access control (TBAC) using LF-tags (Lake Formation tags), which allows you to assign tags to tables, columns, and databases. You can then define permissions on resources by specifying tags rather than managing permissions for individual resources. This approach is highly scalable and efficient when dealing with a growing number of tables and columns. By associating IAM roles to departments and granting access based on LF-tags, you dramatically reduce the operational burden as new tables or columns are added; you only need to assign the appropriate tags.

Amazon Athena can directly query data in S3 with Lake Formation providing fine-grained access control.

AWS Documentation Extract:

"With LF-tag-based access control, you can grant permissions to resources based on tags, making it easy to manage access at scale, especially in environments with large and dynamic numbers of resources."

"LF-tags provide a scalable way to manage permissions for large numbers of resources without having to define permissions individually for each table or column."

(Source: AWS Lake Formation documentation, Access Control, Tag-Based Access Control)

Other options:

A: Would require managing explicit permissions for each table and column as the environment grows, increasing operational overhead.

B & D: Involve significant duplication of resources (clusters) and do not scale as efficiently as a centralized data lake with tag-based access.

AWS Secrets Manager is the recommended service for managing and automatically rotating database credentials. It integrates natively with Amazon RDS (including PostgreSQL), supports built-in rotation functionality, and requires minimal setup.

Secrets Manager also supports versioning and auditing, which enhances operational excellence and security. Parameter Store does not natively support credential rotation. AWS KMS manages key encryption—not application secrets—so it is not applicable here.

Aurora Global Database is designed for low-latency cross-Region reads and disaster recovery for relational data.

Amazon S3 Cross-Region Replication (CRR) automatically replicates unstructured data to another Region, ensuring high availability and resilience.

“Aurora Global Database replicates your data with typical latency of less than 1 second to secondary AWS Regions.”

“Amazon S3 Cross-Region Replication automatically replicates every object uploaded to your bucket to a destination bucket in another AWS Region.”

— Aurora Global Database

— S3 Cross-Region Replication

This combination meets the multi-Region, high availability, fault-tolerant requirement for both relational and unstructured data.

For maximum resiliency and fault tolerance in a mission-critical scenario, AWS recommends redundant Direct Connect connections from multiple data centers to multiple AWS Direct Connect locations.

This protects against:

Data center failure

Device failure

Location outages

“For workloads that require high availability, we recommend that you use multiple Direct Connect connections at multiple Direct Connect locations.”

— AWS Direct Connect Resiliency Recommendations

Option C follows AWS maximum resiliency model.

Creating a listener rule on theApplication Load Balancer (ALB)to return a maintenance response during the maintenance window is the most straightforward solution with the least operational overhead. The rule can be configured to match all incoming requests and return a custom response, and it can be easily removed once maintenance is complete.

Option A (Aurora table flag): This adds unnecessary complexity for a temporary maintenance response.

Option B and D (SQS or SNS): These options introduce more components than needed for a simple maintenance message.

AWS References:

ALB Listener Rules

SAML 2.0-based federation allows organizations to integrate their on-premises Active Directory with AWS, enabling Single Sign-On (SSO) for AWS Management Console and AWS CLI/API access. This lets users continue using their existing AD credentials, removing the need to manage separate identities for AWS and on-premises systems. Mapping roles to AD groups provides granular access control and seamless management.

Reference Extract from AWS Documentation / Study Guide:

"AWS supports SAML 2.0 for federated access, enabling integration with Active Directory or other identity providers to provide single sign-on to AWS resources without creating separate IAM users."

Source: AWS Certified Solutions Architect – Official Study Guide, Identity and Access Management section.

Creating aVPC endpointfor S3 and configuring abucket policyto allow access only from the endpoint ensures that only EC2 instances within the VPC can access the S3 bucket. This solutionimproves security by restricting access at the network level without the need for public internet access.

Option A (IAM policies): IAM policies alone cannot restrict access based on the network location.

Option B and D (Encryption): Encryption secures data at rest but does not restrict network access to the bucket.

AWS References:

Amazon S3 VPC Endpoints

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

Amazon QuickSight includes built-in ML-powered forecasting capabilities, allowing you to create, visualize, and interact with time series forecasts directly within the BI dashboard, with no ML experience or infrastructure management required. This is the lowest management overhead solution.

AWS Documentation Extract:

"Amazon QuickSight provides built-in ML-powered forecasting, allowing business users to forecast future trends with a few clicks and no machine learning expertise required."

(Source: Amazon QuickSight documentation)

A, C, D: Require additional setup, management, or ML knowledge.

For bidirectional communication such as chat applications, Amazon API Gateway WebSocket API is the correct service. WebSocket APIs allow clients to establish long-lived connections and exchange messages with the backend Lambda functions in real time.

HTTP APIs and REST APIs are suitable for request-response models, not continuous two-way communication. CloudFront cannot maintain stateful WebSocket connections, so only Option C fits the requirements for a real-time, bidirectional application.