AWS (Amazon Web Services) Certification
60 practice questions with correct answers and detailed explanations. Use this guide to review concepts before taking the practice exam.
The AWS (Amazon Web Services) AWS Certified Solutions Architect – Associate (SAA-C03) certification validates professional expertise in AWS (Amazon Web Services) technologies. This study guide covers all 60 practice questions from our SAA-C03 practice test, complete with correct answers and explanations to help you understand each concept thoroughly.
Review each question and explanation below, then test yourself with the full interactive practice exam to measure your readiness.
A company needs to store documents that are accessed infrequently but must be retrievable within 24 hours. Which S3 storage class provides the most cost-effective solution?
S3 Glacier Deep Archive offers the lowest cost for long-term storage with retrieval times up to 24 hours (Standard retrieval option), making it ideal for infrequently accessed documents.
Which AWS service allows you to run containerized applications without managing the underlying infrastructure?
AWS Fargate is a serverless container orchestration service that eliminates the need to manage EC2 instances while running Docker containers through Amazon ECS or EKS.
Your application requires a database that can handle high throughput with flexible schema requirements and needs to scale horizontally. What would be the best choice?
DynamoDB is a fully managed NoSQL database that provides automatic horizontal scaling and flexible schema, making it ideal for high-throughput applications with variable data structures.
An organization wants to establish a dedicated network connection between its on-premises data center and AWS with consistent network performance. Which service should be used?
AWS Direct Connect provides a dedicated network connection with consistent bandwidth and lower latency compared to VPN, which is ideal for hybrid architectures requiring predictable performance.
You need to protect your web application from DDoS attacks and filter malicious traffic at the application layer. Which service combination would be most effective?
AWS WAF filters application-layer attacks while AWS Shield Advanced provides enhanced DDoS protection; both work effectively with ALB for comprehensive web application protection.
A solutions architect is designing a system that requires read replicas for disaster recovery and scaling read operations across multiple regions. Which database service best supports this?
Amazon Aurora supports cross-region read replicas for disaster recovery and read scaling while maintaining high availability, making it ideal for multi-region deployments.
What is the maximum data size for a single object stored in Amazon S3?
Amazon S3 supports objects up to 5 TB in size; for objects larger than 5 GB, multipart upload must be used.
Your application experiences variable traffic patterns throughout the day. You want to ensure you have sufficient capacity during peak hours while minimizing costs. Which approach is recommended?
Combining Reserved Instances for predictable baseline load with On-Demand or Spot Instances for variable demand provides cost optimization while maintaining capacity.
An organization requires encryption of data both in transit and at rest for compliance purposes. Which statement is true regarding S3 encryption?
S3 offers SSE-S3 and SSE-KMS for server-side encryption at rest, and automatically supports SSL/TLS for data in transit when HTTPS endpoints are used.
You are designing a highly available application with an RTO of 1 hour and RPO of 15 minutes. Which backup and recovery strategy would meet these requirements?
Continuous replication ensures RPO of 15 minutes or less, while automated failover achieves an RTO of 1 hour, meeting the specified recovery objectives.
A company wants to implement infrastructure as code to manage AWS resources consistently across environments. Which service is specifically designed for this purpose?
AWS CloudFormation enables infrastructure as code through templates that define and provision AWS resources in a repeatable, consistent manner.
What is the primary benefit of using Amazon CloudFront for a static website hosted on S3?
CloudFront is a Content Delivery Network that caches content at edge locations worldwide, significantly reducing latency and improving user experience for global audiences.
Your organization needs to ensure that EC2 instances in a VPC can communicate with on-premises resources securely. The connection must support high availability. Which configuration is optimal?
Multiple VPN connections with dynamic routing via BGP provides redundancy and high availability for hybrid connectivity, ensuring failover capability between gateways.
An application requires low-latency access to session data that is frequently updated. Which caching solution would be most appropriate?
ElastiCache for Redis provides in-memory caching with support for complex data structures and persistence, making it ideal for frequently updated session data requiring low latency.
You need to grant temporary access to AWS resources for a mobile application user without storing long-term credentials. What is the recommended approach?
Amazon Cognito integrates with STS to provide temporary security credentials, eliminating the need to store long-term credentials on mobile devices.
A company deploys applications across multiple availability zones in a region. Which of the following statements about RTO and availability is accurate?
Multi-AZ deployments enable automated failover across availability zones, reducing RTO; RPO depends on how frequently data is replicated between AZs.
Which AWS service provides real-time insights into API calls and AWS service activities for auditing and compliance?
AWS CloudTrail records and logs all API calls made to AWS services, providing an audit trail for compliance and security monitoring purposes.
You are designing a microservices architecture where services need to communicate asynchronously. Which combination of services would provide reliable message delivery and decoupling?
SQS provides reliable message queuing for decoupling, while SNS enables publish-subscribe messaging; together they support various async communication patterns in microservices.
A solutions architect must ensure that sensitive data in DynamoDB is encrypted using customer-managed keys. How should this be configured?
DynamoDB encryption at rest can be configured with AWS KMS using a customer-managed customer master key (CMK) for enhanced control over key management.
Your organization uses multiple AWS accounts for different departments. You need a centralized way to manage user access across all accounts. What is the recommended solution?
AWS Organizations enables centralized management across accounts with cross-account roles, providing scalable and secure access control without sharing credentials.
An application requires automatic scaling based on custom application metrics rather than CPU or memory. Which service should be used?
Application Auto Scaling supports scaling based on custom CloudWatch metrics, allowing you to define scaling policies based on application-specific performance indicators.
When designing a resilient application, you must choose between scaling vertically and horizontally. Which scenario best favors horizontal scaling?
Stateless applications can scale horizontally across multiple instances behind a load balancer, distributing traffic and improving resilience.
You need to monitor application performance metrics and create alarms that trigger SNS notifications when thresholds are exceeded. Which service should be configured?
CloudWatch allows you to create custom alarms based on metrics; these alarms can be configured to send notifications through SNS topics.
A company requires that all data leaving the VPC be encrypted in transit. Which combination of services would enforce this requirement?
AWS PrivateLink provides private connectivity without internet exposure, and combined with mandatory TLS/SSL at the application layer, ensures all data transit is encrypted.
Which S3 feature allows you to replicate objects across AWS regions automatically for disaster recovery?
S3 Cross-Region Replication automatically copies objects from a source bucket to a destination bucket in another region for disaster recovery and compliance.
An organization wants to establish a hub-and-spoke network topology connecting multiple VPCs and on-premises networks. Which AWS service is specifically designed for this architecture?
AWS Transit Gateway acts as a central hub to connect multiple VPCs and on-premises networks, simplifying network management in complex topologies.
A company needs to store frequently accessed data with sub-millisecond latency. Which AWS service should be used?
ElastiCache provides in-memory caching for sub-millisecond latency. While DAX is also valid for DynamoDB, ElastiCache is the primary caching solution for general-purpose ultra-low latency requirements.
What is the maximum number of security groups that can be attached to an EC2 instance by default?
The default maximum is 5 security groups per EC2 instance, though this limit can be increased via AWS support.
A solutions architect is designing a multi-region application that requires strong consistency across all regions. Which database solution best meets this requirement?
RDS Multi-AZ provides strong consistency within a region. For true multi-region strong consistency, application-level replication or synchronous writes are necessary, as distributed systems cannot achieve both high availability and strong consistency across regions (CAP theorem).
Which AWS service allows you to run containerized applications without managing the underlying servers?
AWS Fargate is a serverless container orchestration service that runs containers without requiring you to manage EC2 instances or clusters directly.
A company wants to migrate a monolithic on-premises application to AWS with minimal code changes. Which migration strategy is most appropriate?
AWS Application Migration Service (MGN) is designed for rehost migrations with minimal changes, lifting and shifting applications to AWS while maintaining compatibility.
What happens to data stored in an EC2 instance store when the instance is stopped?
Instance store data is ephemeral and lost when the instance is stopped or terminated. For persistent storage, use EBS volumes or S3.
An organization requires encryption at rest for sensitive data in S3 buckets with customer-managed encryption keys. Which encryption method should be used?
SSE-KMS with customer-managed keys provides server-side encryption at rest while maintaining customer control over the encryption keys through AWS KMS.
A web application requires autoscaling based on a custom business metric not available in CloudWatch. What solution best addresses this?
Custom metrics can be published to CloudWatch using the PutMetricData API, then used to create Auto Scaling policies just like built-in metrics.
Which feature of VPC allows a private subnet to communicate with the internet while preventing inbound traffic from the internet?
A NAT Gateway enables outbound internet connectivity from private subnets while blocking unsolicited inbound traffic, perfect for secure outbound-only communication.
A company uses AWS Organizations and wants to apply security policies across all member accounts. Which service should be used?
AWS Security Hub aggregates and centrally manages security findings across multiple AWS accounts and regions, making it ideal for Organizations-wide security policies.
What is the primary benefit of using Amazon CloudFront over serving content directly from an S3 bucket?
CloudFront distributes content globally through edge locations, providing reduced latency and improved performance compared to direct S3 access from a single region.
An application needs to process 1 million messages per day with guaranteed delivery and ordering within message groups. Which service is most suitable?
SQS FIFO queues provide guaranteed message ordering within message group IDs and exactly-once processing, ideal for ordered message delivery requirements.
A database requires automatic backups with point-in-time recovery capability. Which RDS feature provides this?
RDS automated backups combined with transaction logs enable point-in-time recovery (PITR) to any second within the backup retention period.
A solutions architect is designing a system that must handle variable traffic spikes while minimizing costs. Which combination of services is most cost-effective?
A mixed instances policy combining Reserved Instances (or Savings Plans) for baseline load with Spot instances for variable traffic provides optimal cost efficiency.
What does AWS Config primarily monitor?
AWS Config tracks configuration changes and evaluates resource compliance against rules, maintaining a detailed inventory of AWS resources and their configurations.
A company needs to establish a private connection between its on-premises data center and AWS without using the public internet. Which solution should be implemented?
AWS Direct Connect establishes a private, dedicated network connection between on-premises infrastructure and AWS, bypassing the public internet.
Which IAM policy evaluation logic applies when there are multiple conflicting policies?
IAM uses explicit deny as the ultimate policy: any explicit deny statement overrides all allow statements, following the principle of least privilege.
A Lambda function needs to access a database in a private VPC subnet. What additional configuration is required?
Lambda functions must be explicitly configured with VPC settings (subnet and security groups) to access resources in a private VPC.
An application stores session data that expires after 24 hours. Which service is most appropriate and cost-effective?
DynamoDB with TTL (Time To Live) automatically deletes expired items, making it cost-effective for session data that needs automatic expiration.
What is the maximum size of a single object that can be uploaded to S3 in a single PUT request?
The maximum object size for a single PUT request is 5 GB. Larger objects require multipart upload.
A distributed application requires a highly available, scalable NoSQL database with strong consistency and ACID transactions. Which service best meets these requirements?
Amazon DocumentDB provides ACID transactions with strong consistency and is designed for scalable NoSQL workloads, while DynamoDB's strong consistency has limitations on transaction scope.
Which CloudWatch metric indicates that an RDS database is experiencing storage constraints?
FreeStorageSpace metric shows available storage on the database instance. Low values indicate storage constraints and potential need for instance resize.
A company wants to implement blue-green deployment for a critical application with zero downtime. Which service or combination best supports this?
AWS Elastic Beanstalk's environment swap feature enables zero-downtime blue-green deployments by switching traffic between two identical environments instantaneously.
What is the primary purpose of an AWS Systems Manager Session Manager?
Session Manager provides secure, audited shell access to EC2 instances through the AWS Systems Manager console, eliminating the need for SSH keys or bastion hosts.
A company hosts a multi-tier application on AWS using Auto Scaling groups across multiple Availability Zones. They want to ensure that during a scale-down event, instances are terminated in a way that minimizes disruption to their application. Which Auto Scaling group termination policy should they use?
OldestLaunchTemplate terminates instances launched with the oldest launch template version first, which is ideal for gradual application updates during scale-down while maintaining consistency.
An organization uses Amazon RDS for MySQL and needs to implement a disaster recovery solution with Recovery Time Objective (RTO) of 1 minute and Recovery Point Objective (RPO) of 1 second. Which approach best meets these requirements?
RDS Multi-AZ with synchronous replication provides near-zero RPO and automatic failover within seconds, meeting the strict RTO and RPO requirements.
A solutions architect is designing an application that requires persistent block storage for a database server running on EC2. The storage must support up to 32,000 IOPS and needs to be available across Availability Zones. Which storage solution is most appropriate?
EBS io2 volumes support up to 64,000 IOPS and with Multi-Attach can be connected to multiple instances, though for true AZ resilience, Multi-AZ replication strategies are recommended.
A startup is building a web application that will experience unpredictable traffic patterns. They want to minimize operational overhead while ensuring the application scales automatically. Which AWS service combination is most suitable?
AWS Elastic Beanstalk automatically handles capacity provisioning, load balancing, and auto-scaling, reducing operational overhead while providing the flexibility needed for unpredictable traffic.
A company stores sensitive customer data in Amazon S3 and wants to ensure encryption both in transit and at rest. They also need granular control over encryption keys. What is the best approach?
SSE-KMS provides granular key control through AWS KMS, and enforcing HTTPS ensures encryption in transit, meeting both requirements while maintaining AWS-managed security benefits.
An e-commerce platform uses DynamoDB for product catalog with high read traffic. The table has a partition key on 'ProductID' and is experiencing throttling during peak hours. Which optimization strategy would be most cost-effective?
On-demand billing mode automatically scales capacity based on actual demand, eliminating throttling and being cost-effective for unpredictable read traffic patterns without manual adjustments.
A solutions architect is designing a hybrid architecture where an on-premises data center needs secure connectivity to AWS with consistent network performance. Which AWS service provides a dedicated network connection?
AWS Direct Connect provides a dedicated physical network connection between on-premises and AWS, offering consistent network performance and lower latency compared to VPN-based solutions.
A microservices application deployed on Amazon ECS requires each service to have different IAM permissions. What is the best practice for managing permissions in this scenario?
Creating separate IAM roles for each ECS task definition follows the principle of least privilege, ensuring each service has only the permissions it needs.
A company has a fleet of EC2 instances running a stateless application and wants to reduce costs while maintaining performance. They can tolerate occasional interruptions lasting up to 2 hours. Which EC2 purchase option should they prioritize?
Spot Instances provide up to 90% cost savings and can tolerate the specified interruptions; combining with on-demand fallback ensures availability while maximizing savings.
A solutions architect needs to implement cross-region disaster recovery for a critical application with a 15-minute RTO requirement. The application uses Amazon RDS MySQL and Amazon S3 for static assets. Which multi-region strategy is most cost-effective while meeting RTO?
RDS read replicas can be promoted to primary in under 15 minutes when replication lag is minimal, and S3 Cross-Region Replication provides near real-time asset availability, meeting RTO without the cost of full active-active deployments.
You've reviewed all 60 questions. Take the interactive practice exam to simulate the real test environment.
▶ Start Practice Exam — Free