AWS SAA-C03 Intermediate - Free Practice Quiz

Question 1 of 60

A company runs a web application with stateful user sessions on EC2 instances behind an Application Load Balancer. Users occasionally lose session data when requests route to different instances. Which AWS solution preserves session state without changing the application code? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure sticky sessions (session affinity) on the ALB target group so each client is consistently routed to the same EC2 instance for the duration of a session. B Place an NLB in front of the ALB to enforce consistent IP-based routing across all EC2 instances in the target group. C Enable Cross-Zone Load Balancing on the ALB and increase the number of EC2 instances to reduce the probability of session mismatches. D Migrate the application to AWS Lambda, which is inherently stateless and avoids the session routing problem entirely.

1 / 60

Question 2 of 60

An organization wants to enforce that all S3 buckets in the AWS account block public access by default, regardless of individual bucket policies. What is the most operationally efficient way to achieve this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable S3 Block Public Access at the account level from the S3 console or CLI, which overrides all individual bucket configurations. B Use IAM permission boundaries on all IAM users and roles to deny s3:PutBucketPolicy and s3:PutBucketAcl actions for public access. C Create an AWS Config rule that detects public buckets and triggers an SSM Automation document to enable block-public-access settings on non-compliant buckets. D Deploy a Service Control Policy (SCP) in AWS Organizations that denies s3:PutBucketAcl for all member accounts.

2 / 60

Question 3 of 60

A startup's DynamoDB table experiences uneven access patterns, with certain partition keys receiving far more read/write traffic than others, causing ProvisionedThroughputExceededException errors. The team does not want to switch to on-demand capacity mode. What is the best mitigation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Redesign the partition key to include a random suffix (write sharding), distributing hot-key traffic across multiple physical partitions and combining results on read. B Increase the table's read and write capacity units uniformly across all partitions to absorb the hot partition traffic. C Enable DynamoDB Accelerator (DAX) to cache reads and offload the hot partition, eliminating the throughput exception. D Move frequently accessed items to a separate table with a higher provisioned capacity to isolate the hot traffic.

3 / 60

Question 4 of 60

A company needs to ensure that Amazon RDS for PostgreSQL backups are retained for 35 days to satisfy regulatory requirements. The standard RDS automated backup maximum is 35 days, but the team also needs point-in-time recovery beyond that window using the least operational overhead. What should the architect recommend? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable RDS automated backups with a 35-day retention period. For longer retention, use AWS Backup to create additional snapshots on a custom schedule with extended retention policies. B Enable RDS automated backups with a 35-day retention period and create an AWS Backup plan with a lifecycle rule to transition snapshots to cold storage after 35 days. C Use Amazon Database Migration Service (DMS) to continuously replicate the RDS instance to a second RDS instance in another region, providing an extended recovery window. D Configure RDS automated backups with a 35-day retention period and manually copy the final backup snapshot to S3 using the AWS CLI each day.

4 / 60

Question 5 of 60

A financial services company processes transactions using Amazon SQS. A bug was recently discovered where a subset of messages caused processing failures and the messages disappeared from the queue. How should the architect prevent future message loss when processing errors occur? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure a Dead-Letter Queue (DLQ) for the SQS queue and set the maxReceiveCount to a low value so that repeatedly failing messages are moved to the DLQ rather than deleted. B Enable SQS Long Polling on the main queue so that messages are received reliably and the consumer has more time to process each message before it becomes visible again. C Increase the SQS message visibility timeout to 24 hours so that the consumer always has enough time to process any message before it becomes available to other consumers. D Switch from SQS Standard to SQS FIFO so that messages are processed exactly once and in order, preventing duplicate processing failures.

5 / 60

Question 6 of 60

A company's application generates approximately 2 TB of log data daily, which must be queryable for 90 days at low cost and then archived to Amazon S3 Glacier. Currently the logs are stored in Amazon OpenSearch Service, which has become expensive. Which redesign reduces cost while maintaining 90-day query capability? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Store logs in Amazon S3 using Parquet format, query with Amazon Athena for 90 days, and use an S3 lifecycle rule to transition objects to Glacier after 90 days. B Store logs in OpenSearch with UltraWarm nodes for the primary tier and use Cold Storage for data older than 30 days, then lifecycle to S3 Glacier at 90 days. C Move logs from OpenSearch to an Amazon RDS MySQL cluster with partitioned tables by date, dropping partitions older than 90 days and archiving them to Glacier. D Ingest logs into Amazon Kinesis Data Firehose, which buffers and compresses the logs, then queries them using Kinesis Data Analytics over the 90-day window.

6 / 60

Question 7 of 60

A company has a primary RDS MySQL database in us-east-1 and needs a read replica in eu-west-1 to serve European users. The replication lag is acceptable, but the team needs the replica to be promotable to a standalone database within minutes if the primary fails. What should the architect configure? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create an RDS cross-region read replica in eu-west-1 using asynchronous replication; promote the replica to a standalone instance when the primary fails. B Create an RDS Multi-AZ deployment in us-east-1, which automatically provides a synchronous standby in eu-west-1 that can be promoted instantly. C Use Amazon Aurora Global Database with the primary in us-east-1 and a secondary cluster in eu-west-1; Aurora provides sub-second RPO and managed promotion. D Enable RDS automated backups in us-east-1 and restore the most recent backup to a new RDS instance in eu-west-1 when a failover is required.

7 / 60

Question 8 of 60

An IoT platform ingests sensor data from 50,000 devices at variable rates peaking at 500,000 records per second. The data must be processed in real time and stored for 24 hours of replay. Which AWS service combination best handles this ingestion and replay requirement? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon Kinesis Data Streams with a retention period of 24 hours; consumers use the Kinesis Client Library to process records in real time and replay from any point within the 24-hour window. B Use Amazon Managed Streaming for Apache Kafka (MSK) to ingest and buffer sensor data with a 24-hour retention period; consumers process records in real time. C Use Amazon Kinesis Data Firehose to ingest and buffer the sensor data, delivering it to Amazon S3; use Athena to query for replay scenarios. D Use Amazon SQS FIFO queues with 500 message groups to ingest sensor data; a Lambda function polls the queues and writes to DynamoDB for 24-hour storage.

8 / 60

Question 9 of 60

A company stores sensitive customer PII in Amazon S3. A security audit requires that all data must be encrypted at rest using keys managed by the company, and the company must be able to audit every use of the encryption key. Which S3 encryption option meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use SSE-KMS with a customer managed key (CMK) stored in AWS KMS. CMKs provide full key policy control and CloudTrail logs every KMS API call, including Decrypt operations. B Use SSE-S3 (AES-256) where AWS manages the key lifecycle automatically, providing transparent encryption without any key management overhead. C Use client-side encryption with the AWS Encryption SDK, generating a data key locally and storing the encrypted key material in AWS Secrets Manager. D Use SSE-KMS with an AWS managed key (aws/s3) so that KMS automatically rotates the key annually and logs usage in CloudTrail.

9 / 60

Question 10 of 60

A company runs a containerized microservices application on Amazon ECS with Fargate. One service handles image processing and requires GPU acceleration. Fargate does not support GPU instances. Which AWS solution runs the GPU workload with the least infrastructure management overhead? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon ECS on EC2 launch type with a GPU-optimized ECS-optimized AMI and configure an EC2 Auto Scaling group as a capacity provider for the GPU task. B Re-architect the image processing service to run on AWS Lambda with a container image, leveraging Graviton2 processors as a GPU substitute for image manipulation workloads. C Launch EC2 P3 GPU instances and install the ECS agent manually, then register them as an ECS cluster capacity provider to run the GPU-enabled task definitions. D Migrate the GPU workload to Amazon SageMaker Processing Jobs, which provides managed GPU instances for batch image processing without cluster management.

10 / 60

Question 11 of 60

A company's on-premises Oracle database is 8 TB and must be migrated to Amazon Aurora PostgreSQL with minimal downtime. The cutover window is 2 hours. Which migration approach achieves near-zero downtime? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS DMS with a full-load phase followed by continuous Change Data Capture (CDC) replication; perform the cutover once the target is in sync with minimal lag. B Use the AWS Database Migration Service (DMS) full-load task to migrate the entire 8 TB database over the 2-hour cutover window by parallelizing table loads. C Use AWS Schema Conversion Tool (SCT) to export the Oracle schema, restore it on Aurora PostgreSQL, then perform a one-time bulk data export using Oracle Data Pump and S3. D Use AWS Snowball Edge to export the Oracle database offline, ship it to AWS, import it into Aurora PostgreSQL, then replay the Oracle redo logs for the 2-hour window.

11 / 60

Question 12 of 60

A company wants to provide its developers with temporary AWS credentials to access resources in multiple AWS accounts without long-term access keys. The company uses Active Directory (AD) on-premises for identity management. Which AWS solution enables federation with the least ongoing maintenance? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS IAM Identity Center (SSO) with an AD Connector or AWS Managed Microsoft AD to integrate with on-premises AD, providing a single sign-on portal for multi-account access with temporary credentials. B Deploy an AD Connector in each AWS account to proxy authentication requests to the on-premises AD, and issue temporary credentials through STS AssumeRole. C Configure SAML 2.0 federation between the on-premises AD FS and IAM in each account, allowing developers to exchange SAML assertions for temporary STS credentials. D Create IAM users for each developer in every AWS account and synchronize passwords from Active Directory using a custom Lambda-based synchronization script.

12 / 60

Question 13 of 60

An application's API Gateway and Lambda architecture experiences occasional latency spikes due to Lambda cold starts. The function runs for approximately 800ms on average and handles 5 requests per second with variable traffic. What is the most cost-effective way to reduce cold start impact? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure Lambda Provisioned Concurrency for a small number of instances (e.g., 2â€“5) to keep pre-initialized execution environments ready, eliminating cold starts for the provisioned count. B Enable Lambda Reserved Concurrency set to the maximum expected concurrency level, which prevents throttling and also eliminates cold starts by pre-warming environments. C Deploy the Lambda function in a VPC with an interface VPC endpoint for API Gateway to reduce network latency and eliminate cold start initialization time. D Increase the Lambda function's memory allocation to 3,008 MB, which allocates more CPU and reduces initialization time, effectively eliminating cold starts.

13 / 60

Question 14 of 60

A company's S3 data lake stores billions of objects organized by date prefix (year/month/day). A data engineering team runs ad-hoc queries using Amazon Athena. Query performance is poor because scans read entire prefixes. What two changes will most improve Athena query performance and reduce cost? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Convert data files from CSV to Apache Parquet columnar format and configure Athena table partitions aligned with the S3 prefix structure (year/month/day). B Enable S3 Intelligent-Tiering on all objects to move infrequently accessed data to lower-cost tiers, which Athena automatically skips during scans. C Consolidate all objects into a single S3 prefix and use Athena workgroups to partition query results by execution date. D Run AWS Glue ETL jobs to merge small S3 objects into fewer large files (compaction) and register the new paths in the Glue Data Catalog for Athena to discover.

14 / 60

Question 15 of 60

A SaaS company needs to isolate each customer's data in Amazon S3 while using a single application deployment. Each customer should only be able to access their own prefix in a shared bucket. Which IAM approach achieves this with the least overhead? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use IAM role session policies with the ${aws:PrincipalTag/CustomerId} condition key to dynamically restrict access to only the S3 prefix matching the authenticated user's customer ID attribute. B Create a separate S3 bucket for each customer and use bucket policies to restrict access; grant each customer's IAM user access to only their bucket. C Create individual IAM users for each customer with inline policies that explicitly allow access to their S3 prefix and deny access to all other prefixes. D Use S3 Access Points, creating one access point per customer with a policy that restricts access to the customer-specific prefix within the shared bucket.

15 / 60

Question 16 of 60

A company wants to implement a multi-region active-passive disaster recovery strategy for an application using Amazon RDS Aurora and Route 53. The RTO must be under 15 minutes. Which configuration achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable RDS Cross-Region Automated Backups and restore the database from the latest backup in the secondary region; update the Route 53 DNS record manually after the restore completes. B Create an Aurora read replica in the secondary region. Configure a Route 53 health check on the primary endpoint; when the primary fails, manually promote the replica and update the DNS record. C Use Aurora Global Database with the primary cluster in the primary region and a secondary cluster in the DR region. Configure Route 53 with a health check on the primary endpoint and a failover routing policy pointing to the secondary cluster's endpoint; promote the secondary cluster during a DR event. D Deploy Aurora in the primary region with Multi-AZ enabled. Configure a Route 53 latency-based routing policy to distribute 50% of traffic to both regions at all times.

16 / 60

Question 17 of 60

A company needs to run a containerized batch job that processes genomics data. The job requires 96 vCPUs and 384 GB RAM for approximately 2 hours and runs irregularlyâ€”sometimes daily, sometimes weekly. Which AWS service and instance type combination minimizes cost? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Lambda with 10 GB memory and 15-minute timeout, breaking the genomics workload into smaller chunks processed in parallel to stay within Lambda limits. B Use Amazon ECS on EC2 with On-Demand r5.24xlarge instances reserved for 1 year using a Convertible Reserved Instance to benefit from the discount for irregular workloads. C Use AWS Batch with a Spot Fleet consisting of memory-optimized instance types (r5 family). Batch handles retries if Spot instances are interrupted, and Spot pricing reduces compute cost by up to 90%. D Use Amazon EMR with a transient cluster, choosing Spot pricing for core nodes and On-Demand for the master node, automatically terminating the cluster after the job completes.

17 / 60

Question 18 of 60

A company's application writes data to DynamoDB and requires that changes be processed in order per user ID to update a downstream search index. Which AWS service combination preserves per-partition ordering while fan-out to multiple consumers? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable DynamoDB Streams and use a Lambda function triggered by the stream to publish change events to an SQS Standard queue; downstream consumers poll the queue for updates. B Enable DynamoDB Streams and publish each stream record directly to an SNS FIFO topic, which guarantees per-message-group ordering for all subscribers. C Enable DynamoDB Streams and use a Lambda function triggered by the stream to publish events to Amazon Kinesis Data Streams, using the user ID as the partition key to preserve per-user ordering across multiple consumers. D Enable DynamoDB Streams and trigger a Lambda function that writes change events to an SQS FIFO queue using the user ID as the message group ID, then fan out via SNS to multiple downstream consumers.

18 / 60

Question 19 of 60

A company is deploying a new microservice and must ensure it can never consume more than 500 concurrent Lambda invocations, even during traffic spikes, to protect downstream dependencies. What configuration enforces this limit? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure Lambda Provisioned Concurrency to 500, which caps the number of pre-initialized environments and throttles requests above that limit. B Configure an SQS queue in front of Lambda with a batch size of 1 and a Lambda concurrency limit of 500 set in the SQS event source mapping. C Set Lambda Reserved Concurrency to 500 for the function, which hard-caps the maximum concurrent executions for that function and throttles any requests exceeding the limit. D Deploy the Lambda function inside a VPC with a security group rule limiting inbound connections to 500 concurrent connections from the API Gateway.

19 / 60

Question 20 of 60

An e-commerce company needs to cache product catalog data that changes infrequently (every 4 hours) to reduce DynamoDB read costs. The cache must be highly available and support sub-millisecond reads. The team does not want to manage cache invalidation logic. Which approach meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon CloudFront with a 4-hour TTL as a CDN caching layer in front of the API, caching API responses at edge locations to reduce DynamoDB reads. B Deploy Amazon ElastiCache for Redis in cluster mode with automatic failover; update the cache using a write-through pattern whenever the DynamoDB catalog is updated. C Use DynamoDB DAX (DynamoDB Accelerator) with a 4-hour item TTL, which automatically caches DynamoDB reads and invalidates items as they expire, requiring no cache invalidation logic. D Configure DynamoDB DAX with a 4-hour TTL and DynamoDB Streams to trigger a Lambda function that proactively invalidates DAX cache entries when catalog items change.

20 / 60

Question 21 of 60

A company's application uses Amazon Cognito User Pools for authentication. After login, users receive JWT tokens. The company wants to add multi-factor authentication (MFA) for all users using time-based one-time passwords (TOTP). Which Cognito configuration achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Integrate AWS IAM Identity Center with the Cognito User Pool to inherit Identity Center's built-in TOTP MFA capability for all federated users. B Enable SMS-based MFA in Cognito User Pool settings and instruct users to install an authenticator app that reads SMS messages to generate TOTP codes. C In the Cognito User Pool settings, set MFA to 'Required' and enable 'Authenticator apps (TOTP)' under MFA configuration; users will be prompted to register a TOTP authenticator app during their first sign-in. D Configure a Lambda Pre-Authentication trigger that validates a custom TOTP token sent as an additional authentication parameter before issuing JWT tokens.

21 / 60

Question 22 of 60

A company stores audit logs in Amazon S3 that must be preserved for 7 years and must not be deletable or modifiable by any user, including the root account, for the first 5 years. Which S3 feature enforces this requirement? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable MFA Delete on the S3 bucket, requiring multi-factor authentication for any delete operation, preventing unauthorized deletion for the compliance period. B Apply an S3 bucket policy with an explicit Deny on s3:DeleteObject and s3:PutObject for all principals, including the root account, using a condition on the object creation date. C Enable S3 Object Lock in Compliance mode with a 5-year retention period. Objects under Compliance mode retention cannot be deleted or modified by any user, including root, until the retention period expires. D Enable S3 Object Lock in Governance mode with a 5-year retention period and restrict the s3:BypassGovernanceRetention permission using an SCP to prevent any user from bypassing the lock.

22 / 60

Question 23 of 60

A company is using AWS CloudFormation to deploy infrastructure and has noticed that stack updates occasionally fail midway, leaving resources in an inconsistent state. The team wants CloudFormation to automatically roll back all changes when any resource update fails. What should the architect configure? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure CloudFormation Stack Policies with a Deny effect on all resource types, which prevents any update from applying changes that could cause failures. B Use CloudFormation Change Sets to preview all changes before applying them; review the change set for potential failures and cancel it if any resource update looks risky. C Enable the 'Rollback on failure' option (--on-failure ROLLBACK) when creating or updating the stack; CloudFormation will automatically roll back all changes in the stack on any resource failure. D Configure CloudFormation StackSets with automatic deployment so that any failed stack instance is automatically replaced with a fresh deployment from the template.

23 / 60

Question 24 of 60

A company's application makes synchronous REST API calls to a third-party payment gateway that occasionally responds slowly (10â€“30 seconds), causing the application's EC2 instances to hold threads and exhaust connection pools. Which architecture refactoring resolves the thread exhaustion problem? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Increase the EC2 instance size to m5.4xlarge to provide more CPU cores and connection threads, reducing the probability of thread exhaustion during slow payment gateway responses. B Place an ALB in front of the EC2 instances with connection draining enabled and increase the idle timeout to 60 seconds to accommodate slow payment gateway responses. C Refactor the payment API call to use Amazon SQS: the application enqueues a payment request, a separate consumer process calls the payment gateway asynchronously, and the application polls or receives a webhook callback for the result, decoupling the slow API call from the main request thread. D Use Amazon SQS to queue payment requests from the application EC2 instances, then have a separate consumer Lambda function call the payment gateway, eliminating thread blocking on the main application.

24 / 60

Question 25 of 60

A multinational company needs to store customer data in specific AWS regions to comply with local data residency laws. Data stored in the EU region must never leave the EU. Which AWS Organizations mechanism prevents data replication or transfer outside the approved region? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon Macie in the EU region to classify and monitor data; Macie automatically prevents data from being replicated to non-EU regions. B Enable AWS Config rules in each account to detect cross-region data transfers and trigger an SNS alert; operations teams review alerts and manually delete non-compliant resources. C Apply a Service Control Policy (SCP) that denies the creation of cross-region replication rules, cross-region snapshot copies, and any IAM action with a RequestedRegion condition that does not match the approved EU region. D Configure AWS CloudTrail in the EU accounts to capture all cross-region API calls and use EventBridge rules to invoke Lambda functions that revert any non-compliant data transfer.

25 / 60

Question 26 of 60

A company needs its web application to serve content from multiple geographic regions while minimizing origin load. The application is hosted in us-east-1. Static assets rarely change, but dynamic API responses must never be cached. What is the optimal CloudFront configuration? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create a single CloudFront distribution with one cache behavior for all paths and a short 60-second TTL, allowing API responses to be cached briefly while still reducing origin load. B Use Route 53 latency-based routing to direct users to the nearest of three EC2-hosted application deployments in us-east-1, eu-west-1, and ap-southeast-1. C Configure a CloudFront distribution with two cache behaviors: a default behavior for static assets with a long TTL (e.g., 1 year using cache-busting filenames), and a separate behavior for /api/* with a TTL of 0 and Cache-Control: no-store to forward all API requests to the origin without caching. D Configure a CloudFront distribution with an origin group that includes both an S3 bucket (for static assets) and an ALB (for API requests), using Lambda@Edge to route requests based on path.

26 / 60

Question 27 of 60

A company must ensure that all outbound traffic from its Amazon VPC to the internet passes through a centralized security appliance for deep packet inspection before leaving AWS. The company has multiple VPCs. Which architecture implements this most scalably? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy a NAT Gateway in each VPC with a custom route table that forwards all outbound traffic to an EC2-based firewall instance in the same VPC. B Attach an internet gateway to each VPC, configure security groups on all EC2 instances to deny all outbound traffic except to a centralized proxy NLB endpoint. C Use AWS Transit Gateway to connect all VPCs to a shared inspection VPC; deploy AWS Network Firewall in the inspection VPC and route all outbound traffic through it before exiting to the internet. D Use VPC Peering to connect all spoke VPCs to a hub VPC containing the security appliance; configure route tables to send all outbound traffic through the hub VPC's appliance.

27 / 60

Question 28 of 60

A company's EC2 instances in a private subnet need to access Amazon DynamoDB without traversing the public internet. The solution must not use a NAT Gateway, as the company wants to reduce per-GB data processing charges. Which AWS feature enables private DynamoDB access? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure a Transit Gateway with a VPC attachment to the private subnet and a static route to DynamoDB's public IP ranges, avoiding the NAT Gateway but still traversing AWS backbone routing. B Create a VPC endpoint (interface endpoint using AWS PrivateLink) for DynamoDB in the VPC so that EC2 instances in private subnets can access DynamoDB via private IP addresses. C Create a VPC gateway endpoint for DynamoDB in the VPC and update the route tables for the private subnets to direct DynamoDB traffic through the gateway endpoint, which has no per-GB charge. D Deploy an EC2-based reverse proxy in the public subnet that forwards DynamoDB API requests from the private subnet instances, eliminating the NAT Gateway requirement.

28 / 60

Question 29 of 60

A media company ingests large video files (1â€“50 GB each) to Amazon S3. Uploads from remote offices over variable-bandwidth connections frequently fail midway. What upload strategy eliminates failed uploads and improves reliability? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use the AWS CLI sync command with --retry-attempts 10 to automatically retry the entire file upload if any failure occurs, ensuring the file eventually reaches S3 intact. B Use Amazon S3 Transfer Acceleration to route uploads through AWS CloudFront edge locations, reducing latency and eliminating partial uploads due to improved network path reliability. C Use Amazon S3 Multipart Upload to divide each file into 5â€“100 MB parts, upload parts in parallel, and complete the upload only when all parts succeed; resume failed parts without restarting the entire file. D Enable S3 Event Notifications to detect incomplete multipart uploads and trigger a Lambda function that re-uploads the missing segments from the remote office.

29 / 60

Question 30 of 60

A company needs to share specific encrypted AMIs from a production AWS account with a partner company's AWS account while ensuring the partner cannot copy the AMI to other regions or share it further. Which configuration enforces these restrictions? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Export the AMI as an OVA file to S3, generate a pre-signed URL with a 24-hour expiry, and share the URL with the partner so they can import the AMI into their account. B Make the AMI public in the AWS Marketplace so that the partner account can subscribe and use the AMI within the approved regions; disable the copy permission using an AMI launch permission attribute. C Modify the AMI's launch permissions to add the partner account ID, share the underlying EBS snapshot encrypted with a customer managed KMS key, and add the partner account to the KMS key policy to allow Decrypt but not re-encryption or sharing. D Enable AMI sharing in the AWS Resource Access Manager (RAM), share the AMI with the partner's OU in AWS Organizations, and attach an SCP in the partner's OU that denies ec2:CopyImage and ec2:ModifyImageAttribute.

30 / 60

Question 31 of 60

A company's web application is experiencing HTTP 503 errors during traffic spikes. The application runs on EC2 instances behind an ALB with Auto Scaling. The Auto Scaling group's scale-out policy triggers at 70% CPU but instances take 8 minutes to pass health checks and join the target group. How can the architect reduce the time between a spike and new capacity being available? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Switch the Auto Scaling scale-out metric from CPU utilization to ALB RequestCountPerTarget to trigger scaling earlier before CPU reaches 70%. B Use a predictive scaling policy and pre-bake a custom AMI with the application pre-installed and pre-warmed to reduce instance launch and health check time during scale-out events. C Increase the Auto Scaling maximum instance count so more instances are always running in standby, ready to serve traffic when the spike occurs without needing to launch new instances. D Configure the ALB target group's health check interval to 5 seconds and the healthy threshold to 2 checks (10 seconds total), reducing the time before new instances receive traffic.

31 / 60

Question 32 of 60

A company must ensure that root user activity in all AWS accounts within an AWS Organization is logged and that an alert is triggered immediately when the root user signs in. Which combination of AWS services implements this with the least configuration effort? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable AWS Config in each account to record root user login events and configure a Config rule that triggers an SNS notification when a root login is detected. B Enable AWS CloudTrail organization trail from the management account to capture all accounts' events in a central S3 bucket; create an Amazon EventBridge rule that matches ConsoleLogin events from the root user and sends a notification to an SNS topic. C Enable CloudTrail in each account and create a CloudWatch Logs metric filter for ConsoleLogin events where userIdentity.type = Root; create a CloudWatch alarm that sends an SNS notification when the filter matches. D Deploy Amazon GuardDuty in all accounts from the management account and enable the 'Root credential usage' finding type, which sends alerts to a GuardDuty administrator account.

32 / 60

Question 33 of 60

A startup is building a serverless application with millions of users. Each user's data must be isolated. The application uses Amazon Cognito for authentication and DynamoDB for storage. Which DynamoDB table design enables per-user data isolation at the API level? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create a separate DynamoDB table for each user, named with the Cognito user sub UUID, and grant each user's IAM role access to only their table using an ARN-based IAM policy. B Use the Cognito user's sub (subject) UUID as the DynamoDB partition key. Create an IAM role with a condition policy that restricts DynamoDB:GetItem and DynamoDB:PutItem to items where the partition key matches the cognito-identity.amazonaws.com:sub session variable. C Store all user data in a single DynamoDB table with a generic partition key; use a Lambda function as a proxy that validates the Cognito JWT and filters results to only return the calling user's items. D Enable DynamoDB fine-grained access control (FGAC) with Cognito Identity Pools, using LeadingKeys condition in the IAM policy to restrict each authenticated user to items where the partition key matches their identity ID.

33 / 60

Question 34 of 60

A company's Data Analytics team needs to query Amazon S3 data that is partitioned by year/month/day/hour using Amazon Athena. Queries that filter by time range are still scanning all partitions because the table was created without partition projection. What is the fastest way to enable Athena to skip irrelevant partitions without rebuilding the table? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Delete and recreate the Athena table using a CREATE TABLE statement with explicit PARTITIONED BY columns, then run MSCK REPAIR TABLE to load all existing partitions from S3. B Alter the existing Athena table using ALTER TABLE SET TBLPROPERTIES to enable partition projection with the appropriate projection configuration, allowing Athena to derive partition paths algorithmically without a metadata lookup. C Run an AWS Glue Crawler over the S3 data to discover all partitions and populate the Glue Data Catalog, enabling Athena to use partition metadata for query pruning. D Convert the S3 data from CSV to Apache Parquet using an AWS Glue ETL job, which embeds row-group statistics that Athena uses for predicate pushdown without needing partition metadata.

34 / 60

Question 35 of 60

A company migrates a legacy on-premises NFS file server to AWS. Hundreds of Linux EC2 instances need shared read-write access to the same file system with POSIX permissions intact. Which AWS storage service meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon S3 with s3fs FUSE mount on each EC2 instance, mounting the S3 bucket as a file system; S3 provides unlimited storage and supports concurrent access from multiple instances. B Use Amazon Elastic File System (EFS) with NFS protocol, mounting the EFS file system on all EC2 instances; EFS supports POSIX permissions, concurrent multi-instance read-write access, and scales automatically. C Use Amazon FSx for Lustre, which provides a high-performance POSIX-compliant shared file system optimized for Linux EC2 workloads with multi-instance access. D Use Amazon EBS Multi-Attach with io2 volumes, attaching the same EBS volume to multiple EC2 instances and using a cluster file system like GFS2 to manage concurrent access.

35 / 60

Question 36 of 60

A company's AWS infrastructure spans 15 accounts. The security team needs to aggregate and visualize security findings from Amazon GuardDuty, AWS Security Hub, and Amazon Inspector across all accounts in a single dashboard. Which AWS feature provides this multi-account aggregation natively? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable cross-account IAM roles in each member account, allowing the security team to switch roles and view findings in each account's individual GuardDuty, Security Hub, and Inspector consoles. B Designate a security account as the AWS Security Hub administrator account and enroll all member accounts; Security Hub aggregates findings from GuardDuty, Inspector, and other services across all enrolled accounts into a single pane of glass. C Deploy an AWS Lambda function in each account that exports findings to a central DynamoDB table in the security account; build a QuickSight dashboard over the DynamoDB data. D Use Amazon CloudWatch cross-account observability to aggregate metrics and logs from all accounts, then build a CloudWatch dashboard that displays security-related metrics from GuardDuty and Inspector.

36 / 60

Question 37 of 60

A company wants to deploy AWS Lambda functions as part of a CI/CD pipeline. Function code is stored in CodeCommit, built by CodeBuild, and deployed via CloudFormation. The security team requires that Lambda function packages be scanned for vulnerabilities before deployment. Which AWS service can be integrated into this pipeline to scan Lambda function code for known vulnerabilities? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A AWS CodeGuru Reviewer performs static code analysis of Lambda function source code in CodeCommit, identifying security hotspots and recommendations before the build stage. B Amazon Inspector V2 can scan Lambda functions for software vulnerabilities (CVEs) in function code and dependencies; integrate it with the CI/CD pipeline by triggering Inspector scans after CodeBuild produces the deployment package. C Amazon GuardDuty Runtime Monitoring scans Lambda function packages for malware and vulnerabilities during deployment, blocking functions that contain known CVEs. D AWS Config's Lambda function vulnerability rule evaluates deployed Lambda functions against a managed rule set and triggers automatic remediation when vulnerabilities are detected.

37 / 60

Question 38 of 60

A company's API Gateway REST API experiences a sustained spike in requests that overwhelms the backend Lambda function. The company wants to smooth out bursts and ensure that Lambda processes requests at a controlled maximum rate, accepting that some requests may be queued. Which solution achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure API Gateway throttling limits (default and per-method) to return HTTP 429 responses for burst traffic, preventing Lambda from being overwhelmed during spikes. B Place an SQS queue between API Gateway and Lambda: API Gateway enqueues requests to SQS, and Lambda polls the queue with a concurrency limit set via the event source mapping, processing requests at a controlled rate and queuing bursts. C Set Lambda Reserved Concurrency to a low value to prevent Lambda from scaling during spikes, causing API Gateway to return errors for requests that cannot be served immediately. D Use an ALB instead of API Gateway to distribute traffic to multiple Lambda functions in parallel, increasing throughput during spikes without queuing.

38 / 60

Question 39 of 60

A company wants to replicate its on-premises Microsoft SQL Server database to AWS for a read-heavy reporting workload with the minimum migration effort and no license costs. Which AWS option minimizes licensing costs while providing a compatible managed SQL Server service for reporting? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Lift-and-shift the SQL Server VM to an EC2 instance using the same SQL Server license (License Included pricing) and create a read replica using SQL Server's native Always On Availability Groups. B Migrate the database to Amazon Aurora PostgreSQL using AWS DMS and the Schema Conversion Tool, eliminating SQL Server licensing costs entirely while maintaining SQL compatibility for most reporting queries. C Use Amazon RDS for SQL Server with the License Included option to include the SQL Server license in the hourly instance charge, then create a Multi-AZ deployment for the reporting read workload. D Deploy Amazon Redshift as the reporting database, migrate the SQL Server data using AWS Glue, and use Redshift's SQL interface for all reporting queries.

39 / 60

Question 40 of 60

A company's application needs to process uploaded documents in the order they are received, ensuring no document is processed more than once, even if multiple consumers are running. Which SQS queue type and configuration meets this requirement? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use an SQS Standard queue with a Lambda consumer that uses DynamoDB conditional writes to implement idempotent processing, discarding duplicate messages based on a message ID stored in DynamoDB. B Use an SQS FIFO queue with a unique message group ID per document upload; configure exactly-once processing by enabling content-based deduplication; use a single consumer per message group to preserve order. C Use an SQS FIFO queue with content-based deduplication enabled and multiple consumer threads reading from the same message group ID to guarantee ordered, exactly-once processing at high throughput. D Use an SQS Standard queue with a visibility timeout of 24 hours to prevent messages from becoming visible to other consumers while processing, ensuring each message is processed once.

40 / 60

Question 41 of 60

A company uses AWS CodePipeline to deploy application updates. The team wants to automatically run integration tests and only promote a deployment to production if the tests pass, with the ability to roll back if issues are detected after production deployment. Which CodePipeline and CodeDeploy configuration achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure CodePipeline to deploy directly to production using an in-place deployment; enable CodeDeploy automatic rollback on deployment failure and configure post-deployment CodeBuild tests. B Add a Test stage in CodePipeline using CodeBuild to run integration tests against the staging environment; configure the Production stage to use CodeDeploy with a Blue/Green deployment and a 10-minute bake period with automatic rollback on CloudWatch alarm. C Use CodePipeline manual approval actions before production deployment as a gate; instruct the team to run integration tests manually and approve or reject the pipeline execution. D Configure a single CodeDeploy deployment group that deploys to both staging and production simultaneously, using lifecycle hooks to run integration tests during the BeforeAllowTraffic hook.

41 / 60

Question 42 of 60

A company runs a multi-tier web application: a public ALB, EC2 web servers in a public subnet, EC2 app servers in a private subnet, and an RDS database in a private subnet. Security team discovers that the web servers can directly connect to the RDS database, violating the three-tier isolation principle. Which security group configuration enforces proper tier isolation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Add an outbound deny rule to the web server security group blocking port 3306 to the RDS security group, preventing web servers from reaching the database. B Update the RDS security group to allow inbound traffic on port 3306 only from the app server security group ID, and update the app server security group to allow inbound traffic only from the web server security group ID. C Create a network ACL on the private database subnet that denies inbound traffic from the web server subnet's CIDR range on port 3306. D Enable VPC Flow Logs to detect direct connections from the web tier to the database tier, and configure an EventBridge rule to terminate any connections that violate the three-tier policy.

42 / 60

Question 43 of 60

A company wants to run AWS Fargate tasks that need access to secrets stored in AWS Secrets Manager. The secrets should be injected as environment variables when the task starts and should not be visible in the task definition in plaintext. Which configuration securely injects secrets into Fargate tasks? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Store the secrets in AWS Parameter Store as SecureString parameters, then write a startup script in the container that calls the SSM API to retrieve and export the parameters as environment variables. B In the ECS task definition, reference the Secrets Manager ARN in the 'secrets' section of the container definition; ECS will retrieve and inject the secret value as an environment variable at task launch, using the task execution role's IAM permissions. C Embed the secrets as Docker build arguments (ARGs) in the Dockerfile so they are available as environment variables at runtime without appearing in the task definition JSON. D Use AWS Lambda to retrieve secrets from Secrets Manager and write them to a shared EFS volume mounted by the Fargate task, where the application reads them at startup.

43 / 60

Question 44 of 60

A company's Amazon S3 bucket receives 100,000 PUT requests per second from globally distributed clients. Some clients report upload failures with HTTP 503 Slow Down errors. What is the correct solution? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable S3 Transfer Acceleration to route uploads through AWS edge locations, distributing the load and preventing 503 Slow Down errors from the S3 service. B S3 automatically scales to handle high request rates and partitions prefixes for throughput; a sustained 503 indicates the prefix is being throttledâ€”either implement exponential backoff or use randomized key prefixes to distribute load across more S3 partitions. C Increase the number of S3 prefixes in the bucket by using random prefixes for each object key, distributing the request load across multiple S3 partitions. D Implement exponential backoff with jitter in the client upload code to retry failed PUT requests without overwhelming the S3 service during peak traffic.

44 / 60

Question 45 of 60

A financial company requires that all API calls made by IAM users and roles in their AWS accounts be logged, tamper-proof, and retained for 7 years. Which configuration ensures tamper-proof, long-term CloudTrail log retention? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable CloudTrail in each account with log file validation enabled and store logs in an account-local S3 bucket with versioning enabled; lifecycle logs to Glacier after 90 days for long-term retention. B Enable a CloudTrail organization trail logging to a central S3 bucket; enable S3 Object Lock in Compliance mode with a 7-year retention period; enable CloudTrail log file integrity validation to detect any tampering. C Enable CloudTrail and use AWS Backup to create daily snapshots of the CloudTrail S3 bucket, retaining snapshots for 7 years with S3 Intelligent-Tiering for cost optimization. D Enable CloudTrail organization trail, store logs in CloudWatch Logs with a 7-year retention policy, and use CloudWatch Log Insights to query logs for tamper detection.

45 / 60

Question 46 of 60

A company wants to ensure that no EC2 instances in their AWS account are ever launched without an approved AMI from a specific list maintained by the security team. Which preventative control enforces this at launch time? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create an AWS Config rule that checks running EC2 instances for approved AMI IDs every 15 minutes and terminates non-compliant instances automatically via SSM Automation. B Use IAM permission boundaries on all EC2 launch IAM roles to include a condition that denies ec2:RunInstances unless the AMI ID is in a predefined list of approved AMIs. C Use AWS Systems Manager Patch Manager with a patch baseline that only allows launching EC2 instances from AMIs in the approved baseline, blocking any non-baseline AMI at instance launch. D Apply a Service Control Policy (SCP) with a Deny effect on ec2:RunInstances when the ec2:ImageId condition key does not match any of the approved AMI IDs in the policy's StringNotEquals condition.

46 / 60

Question 47 of 60

An application hosted on EC2 in a private subnet needs to call an external HTTPS API (on the internet) and also access Amazon S3. The company wants to minimize data transfer costs. Which configuration is most cost-effective? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Attach a public Elastic IP address to each private subnet EC2 instance, enabling direct internet access for the external API and S3 without a NAT Gateway. B Deploy an egress-only internet gateway for the private subnet, route external API traffic through it, and use an S3 VPC interface endpoint for S3 access. C Use a single NAT Gateway for both the external API and S3 traffic, as the NAT Gateway provides the lowest per-GB cost for all outbound traffic from private subnets. D Deploy a NAT Gateway in the public subnet for internet-bound external API calls; add a VPC Gateway Endpoint for S3 to route S3 traffic privately without NAT Gateway data charges.

47 / 60

Question 48 of 60

A company needs to run a machine learning training job that requires 8 NVIDIA A100 GPUs. The job runs once a week for approximately 6 hours. The company wants to minimize infrastructure management and cost. Which AWS service and pricing model is optimal? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Reserve a p4d.24xlarge EC2 instance (8x A100 GPUs) for 1 year using a Standard Reserved Instance to benefit from up to 72% cost savings for the weekly training job. B Launch a p4d.24xlarge On-Demand EC2 instance for 6 hours per week and terminate it after training completes, paying only for actual usage without reservation commitments. C Use Amazon SageMaker Training Jobs with a ml.p4d.24xlarge instance, which provides managed GPU training with automatic instance provisioning and termination; use Savings Plans for partial cost reduction. D Use Amazon SageMaker Training Jobs with a ml.p4d.24xlarge Spot instance (managed spot training); SageMaker handles Spot interruptions with checkpointing, and Spot pricing can reduce GPU cost by up to 90% vs On-Demand.

48 / 60

Question 49 of 60

A company migrates an on-premises application to AWS. The application uses an LDAP directory for user authentication. The company wants to continue using the same LDAP directory for AWS resource access without migrating to a cloud-based directory. Which AWS service enables this hybrid identity integration? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon Cloud Directory to replicate the on-premises LDAP schema and user objects, creating a cloud-native copy of the directory for AWS resource authentication. B Deploy Amazon Cognito User Pools with a SAML 2.0 identity provider configured to point to the on-premises LDAP directory, federating authentication for AWS console and API access. C Create IAM users in each AWS account for every LDAP user and configure AWS Lambda to sync user attributes from the LDAP directory to IAM on a scheduled basis. D Use AWS Directory Service AD Connector to proxy LDAP authentication requests from AWS services to the on-premises LDAP/Active Directory, enabling AWS users to authenticate with their existing corporate credentials.

49 / 60

Question 50 of 60

A company's application stores user-generated images in Amazon S3. The images must be resized to three standard resolutions whenever a new image is uploaded. Processing must complete within 30 seconds of upload. Which event-driven architecture achieves this with the least operational overhead? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure an S3 event notification to trigger an SQS message on every PUT; a fleet of EC2 workers polls the SQS queue, resizes images using ImageMagick, and stores results in S3. B Use S3 Object Lambda to intercept GET requests and resize images on-the-fly at read time for each requested resolution, eliminating the need for pre-generated resized copies. C Use Amazon EventBridge to receive S3 PutObject events, trigger three parallel Step Functions state machines (one per resolution), and have each state machine invoke a Lambda function for resizing. D Configure an S3 event notification to trigger a Lambda function on every PutObject event; the Lambda function generates all three resized versions and stores them back in S3, completing within the 15-minute Lambda timeout.

50 / 60

Question 51 of 60

An enterprise must ensure that unused IAM access keys older than 90 days are automatically disabled across all AWS accounts in the organization. Which approach implements this with the least ongoing operational effort? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Schedule a daily Lambda function in each account that lists IAM users, checks access key last-used dates, and calls iam:UpdateAccessKey to disable keys older than 90 days. B Enable AWS Security Hub with the CIS AWS Foundations Benchmark standard, which detects access keys not rotated within 90 days and sends alerts to the security team for manual remediation. C Apply an SCP that denies iam:CreateAccessKey for users whose existing access keys have not been used in 90 days, preventing new keys from being created until old ones are removed. D Create an AWS Config rule (managed rule: access-keys-rotated) in all accounts via an Organizations conformance pack; configure automatic remediation using an SSM Automation document that calls iam:UpdateAccessKey to disable non-compliant keys.

51 / 60

Question 52 of 60

A company wants to allow employees to access a corporate web application running in AWS via a browser without requiring them to connect to a VPN. The application should only be accessible from managed corporate devices. Which AWS service enables clientless, device-aware access? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy the application behind an ALB in a public subnet and use HTTPS with a certificate from ACM; employees access it via browser with username/password authentication enforced by Cognito. B Use AWS Client VPN with mutual TLS (certificate-based) authentication, distributing client certificates only to managed corporate devices, and route traffic to the application through the VPN. C Use AWS Site-to-Site VPN between the corporate network and the VPC; employees on the corporate network access the application via internal routing without a separate VPN client. D Use AWS Verified Access with device trust signals (e.g., Jamf or CrowdStrike integration) to provide clientless, zero-trust browser-based access to the internal application, verifying managed device status before granting access.

52 / 60

Question 53 of 60

A company's multi-region architecture uses Amazon Route 53 for DNS. The primary region is us-east-1, and the secondary region is us-west-2. The company wants traffic to automatically shift to us-west-2 if the us-east-1 application endpoint fails a health check. Which Route 53 routing policy achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure Route 53 Geolocation routing to send North American traffic to us-east-1 and all other traffic to us-west-2; when us-east-1 fails, users receive NXDOMAIN until the configuration is updated. B Configure Route 53 Weighted routing policy with a weight of 100 for us-east-1 and weight of 0 for us-west-2; manually change the weight to 0 for us-east-1 and 100 for us-west-2 when a failure is detected. C Configure Route 53 Latency-based routing with endpoints in us-east-1 and us-west-2; Route 53 automatically routes traffic to us-west-2 when us-east-1 latency increases due to a failure. D Configure Route 53 Failover routing policy with the primary record pointing to the us-east-1 endpoint and the secondary record pointing to the us-west-2 endpoint; associate an active Route 53 health check with the primary record.

53 / 60

Question 54 of 60

A company uses AWS CloudFormation nested stacks to modularize infrastructure. A child stack creates an S3 bucket with a specific naming convention. The parent stack consumes the bucket name as a parameter for another resource. How does the parent stack obtain the child stack's S3 bucket name? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Define the S3 bucket name as a parameter in the child stack template and reference it directly in the parent stack using the Parameters section without any stack reference. B Use an AWS Lambda custom resource in the parent stack that describes the child stack's resources using the CloudFormation API and returns the bucket name as a custom resource attribute. C Store the bucket name in AWS Systems Manager Parameter Store from within the child stack using a Lambda custom resource, then retrieve it in the parent stack using the resolve:ssm dynamic reference. D Export the bucket name from the child stack using the CloudFormation Outputs section with an Export Name; reference it in the parent stack using the Fn::GetAtt function against the nested stack's logical resource ID.

54 / 60

Question 55 of 60

A company has a data warehouse on Amazon Redshift and wants to provide business analysts with self-service query access using standard SQL tools (e.g., Tableau, Excel ODBC). The analysts' queries must be isolated from production ETL jobs to prevent resource contention. Which Redshift feature provides workload isolation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create separate Redshift clusters for ETL and analytics workloads and use Redshift Spectrum to federate queries across both clusters, with cluster-level isolation preventing resource contention. B Use Redshift Data Sharing to create a datashare of the production schema; analysts query a separate Redshift consumer cluster using the datashare, providing compute isolation. C Enable Redshift Concurrency Scaling to automatically add transient compute capacity when analyst query concurrency increases, isolating analyst load from ETL jobs running on the main cluster. D Create separate Workload Management (WLM) queues for ETL jobs and analyst queries with dedicated concurrency slots and memory allocations; use queue routing rules to direct queries to the appropriate queue.

55 / 60

Question 56 of 60

An architect needs to design an event-driven architecture where multiple downstream services (order fulfillment, inventory, notification) react to the same order-placed event, but each service must process events independently at its own pace without losing any event if a service is temporarily unavailable. Which pub/sub pattern meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Publish order events directly to three separate SQS queuesâ€”one per downstream serviceâ€”using an application-level fan-out implemented in the producer service code. B Use Amazon Kinesis Data Streams with three separate consumer applications; each consumer uses an enhanced fan-out subscription with a dedicated read throughput of 2 MB/s per shard per consumer. C Publish order events to an SQS FIFO queue and have all three downstream services poll the same queue; configure message group IDs to route specific order types to specific consumers. D Publish order events to an Amazon SNS topic; subscribe a separate SQS queue for each downstream service to the SNS topic. Each service processes its SQS queue independently, and SQS durably stores events if a service is temporarily unavailable.

56 / 60

Question 57 of 60

A company's web application uses Amazon ElastiCache for Redis to cache user session data. The Redis cluster has a replication group with one primary and two replicas. During a primary node failure, the application experiences 3â€“5 minutes of session errors. How can the architect reduce this failover time? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create a second ElastiCache cluster in a different region and implement application-level session replication to synchronize session data across both clusters. B Increase the ElastiCache primary node size to a larger instance type to improve performance and reduce the probability of primary node failure causing session errors. C Configure ElastiCache read-from-replica routing in the application so that session reads continue from replicas during primary failure, preventing session errors until failover completes. D Enable ElastiCache Multi-AZ with automatic failover on the replication group; when the primary fails, ElastiCache automatically promotes a replica to primary within 1â€“2 minutes and updates the cluster endpoint, reducing failover time.

57 / 60

Question 58 of 60

A company runs a high-throughput API on AWS Lambda that processes financial transactions. Each transaction must write to DynamoDB and publish a message to SQS atomicallyâ€”either both operations succeed or neither does. Lambda does not support distributed transactions natively. Which pattern ensures atomic writes? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon DynamoDB Transactions (TransactWriteItems) to write the DynamoDB item and an SQS message payload to a DynamoDB 'outbox' table atomically; a separate Lambda polls the outbox and publishes to SQS. B Use AWS Step Functions with a parallel state that writes to DynamoDB and SQS simultaneously; Step Functions provides exactly-once execution semantics across both writes. C Use Amazon EventBridge Pipes to connect DynamoDB Streams to SQS with a transformation Lambda; the pipe guarantees atomic delivery by retrying failed SQS publishes until both operations complete. D Implement the Transactional Outbox pattern: use DynamoDB TransactWriteItems to atomically write both the transaction record and an outbox record to DynamoDB; use DynamoDB Streams to trigger a Lambda function that reads the outbox record and publishes to SQS, deleting the outbox record on success.

58 / 60

Question 59 of 60

A company wants to centralize VPC networking for 50 AWS accounts using a hub-and-spoke topology. Each spoke VPC must be able to communicate with on-premises data centers and with shared services in the hub VPC, but spoke VPCs must not communicate directly with each other. Which AWS networking service implements this topology at scale? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use VPC Peering to connect each spoke VPC to the hub VPC; configure route tables in each spoke VPC to route to the hub VPC, and configure the hub VPC to route to on-premises via Site-to-Site VPN. B Use AWS Cloud WAN to define a global network policy that connects all VPCs and on-premises sites, using segment-based routing to isolate spoke VPC traffic from each other. C Use AWS PrivateLink to expose shared services from the hub VPC to each spoke VPC as VPC endpoint services; configure Direct Connect on the hub VPC to provide on-premises connectivity. D Use AWS Transit Gateway to connect all spoke VPCs and the hub VPC; attach the on-premises data center via a Transit Gateway VPN or Direct Connect attachment; use separate Transit Gateway route tables to isolate spoke-to-spoke traffic while allowing hub and on-premises communication.

59 / 60

Question 60 of 60

A company's application writes streaming telemetry data to Amazon Kinesis Data Streams at 10,000 records per second. A downstream Lambda function processes records in batches but occasionally falls behind, causing the Kinesis shard iterator to expire (24-hour retention reached). What should the architect do to prevent data loss? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Increase the Kinesis Data Stream shard count to add more throughput capacity, reducing the time required to consume all records and preventing iterator expiration. B Enable Kinesis Enhanced Fan-Out to provide dedicated 2 MB/s throughput per consumer, reducing processing lag and preventing the consumer from falling behind. C Configure the Lambda event source mapping to use a smaller batch size and a shorter bisect-on-error setting, reducing the time spent on large batches and increasing throughput. D Increase the Kinesis Data Stream data retention period from 24 hours to 7 days (extended data retention); concurrently scale the Lambda consumer by increasing parallelization factor or shard count to reduce lag before data expires.

60 / 60

AWS SAA-C03 Intermediate Quiz