AWS SAA-C03 Advanced Quiz - Free Practice Quiz

Question 1 of 60

A company uses AWS Organizations with 40 accounts. The security team must prevent any account from disabling AWS CloudTrail, regardless of account-level IAM policies. They also want existing CloudTrail trails to be protected from deletion. Which preventative control achieves both objectives across all accounts with a single configuration? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable AWS Config in all accounts with a managed rule that detects CloudTrail disablement and triggers automatic SSM Automation remediation to re-enable it within 5 minutes. B Apply an SCP at the root OU level with Deny effects on cloudtrail:DeleteTrail, cloudtrail:StopLogging, and cloudtrail:UpdateTrail; this SCP applies to all member accounts and cannot be overridden by account-level IAM policies. C Use AWS Security Hub's Foundational Security Best Practices standard, which alerts on CloudTrail disablement across all accounts, and configure automated response using EventBridge and Lambda. D Create an IAM permission boundary in each account that excludes cloudtrail:DeleteTrail and cloudtrail:StopLogging from all IAM principals, including administrators.

1 / 60

Question 2 of 60

A company's microservices architecture on Amazon EKS experiences intermittent failures when Pod A calls Pod B across Availability Zones. Network diagnostics show 0% packet loss, but connection establishment is slow. A service mesh is already deployed. Which architectural change most directly resolves AZ-crossing latency? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable EKS managed node groups with spread topology constraints across all AZs to ensure Pod A and Pod B are always placed on different nodes in the same AZ. B Configure Kubernetes topology-aware routing (Topology Aware Hints) on Pod B's Service so that the kube-proxy prefers routing traffic to endpoints in the same AZ as the caller, minimizing cross-AZ communication. C Deploy a Network Load Balancer in front of Pod B's service, using cross-zone load balancing to distribute traffic evenly across AZs and reduce the probability of cross-AZ calls. D Upgrade the EKS cluster to the latest Kubernetes version, which includes improvements to kube-proxy iptables rules that reduce cross-AZ connection latency.

2 / 60

Question 3 of 60

An enterprise stores 500 TB of archival data in Amazon S3 Glacier Deep Archive. A compliance requirement mandates that any retrieval of more than 100 objects must be authorized by a second approver before data can be accessed. Which AWS mechanism enforces this dual-approval requirement? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure an S3 bucket policy with a Condition that requires two separate IAM role ARNs to be present in the PrincipalOrgPaths before allowing s3:RestoreObject, enforcing two-entity authorization natively. B Use AWS S3 Glacier Vault Lock with an access policy that requires MFA authentication for RestoreObject operations, combined with an AWS Step Functions workflow that gates retrieval requests behind a human approval task using Amazon SNS notifications to the second approver. C Enable S3 Object Lock in Governance mode, which requires the second approver to hold the s3:BypassGovernanceRetention permission and explicitly approve each retrieval by signing the request. D Use AWS IAM Identity Center with a multi-factor group policy that requires two group members to simultaneously authenticate before RestoreObject API calls are permitted.

3 / 60

Question 4 of 60

A company needs to run containerized data processing jobs that take 2â€“4 hours each, require 64 vCPUs and 256 GB RAM, and must finish even if interrupted. The jobs run multiple times daily. The company wants minimum cost with managed scheduling. Which AWS service combination is optimal? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Lambda container images with 10 GB memory, breaking each job into tasks that run in parallel within the 15-minute timeout, orchestrated by AWS Step Functions. B Use AWS Batch with managed compute environments using Spot Instances; configure retry strategies so that if a Spot instance is reclaimed, the job automatically retries from a checkpoint on a new instance, achieving low cost with managed scheduling. C Use Amazon ECS on EC2 with On-Demand r5.16xlarge instances managed by an Auto Scaling group; the ECS service scheduler ensures tasks are automatically restarted if interrupted. D Use Amazon EKS with Karpenter node autoscaling configured to provision Spot instances; deploy jobs as Kubernetes Jobs with backoffLimit set to 5 to handle Spot interruptions with automatic node replacement.

4 / 60

Question 5 of 60

A company's application team accidentally deleted an Aurora PostgreSQL database cluster with deletion protection disabled. The cluster had automated backups with a 7-day retention period and no final snapshot was taken. Can the cluster be restored, and if so, how? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A The cluster cannot be restored because Aurora clusters are permanently deleted when deletion protection is disabled, and no data is recoverable without a final snapshot. B Use the AWS CLI command aws rds restore-db-cluster-to-point-in-time with the deleted cluster's identifier; Aurora retains automated backups for the configured retention period even after cluster deletion, enabling point-in-time recovery to any second within the 7-day window. C Contact AWS Support to restore the cluster from AWS internal backups; AWS retains a 30-day shadow copy of all deleted Aurora clusters for recovery by the account owner. D Restore the cluster from an automated backup by navigating to RDS Backups in the AWS Console, selecting the most recent backup, and choosing Restore; this creates a new cluster from the backup snapshot taken before deletion.

5 / 60

Question 6 of 60

A company's DevOps team uses AWS CloudFormation for all infrastructure. They need to ensure that any CloudFormation stack update that modifies a production RDS instance's instance class or storage type is blocked unless approved by the DBA team. How can this approval gate be enforced? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Apply a CloudFormation Stack Policy that denies updates to the RDS resource type, requiring the DBA team to temporarily remove the stack policy before any approved changes. B Use CloudFormation Change Sets: require the DevOps team to create a change set for any production stack update; integrate an approval stage in the CI/CD pipeline (e.g., AWS CodePipeline manual approval) that notifies the DBA team and blocks execution until approved. C Configure an AWS Config rule that detects changes to RDS instance class or storage type and triggers an SNS notification to the DBA team with an automatic rollback after 30 minutes if not approved. D Use AWS Service Catalog to publish the CloudFormation template; configure a Service Catalog portfolio constraint requiring DBA approval before products containing RDS resources can be updated.

6 / 60

Question 7 of 60

A company's solution architect must design a multi-account landing zone for 200 AWS accounts. The design requires: centralized CloudTrail logging to an immutable S3 bucket, baseline security guardrails applied to all accounts, automated account vending, and centralized cost tracking. Which AWS service is purpose-built for this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A AWS Organizations with manual SCPs and CloudFormation StackSets can replicate the same functionality as Control Tower with more customization by the engineering team, and it avoids Control Tower's opinionated guardrail structure. B AWS Control Tower automates multi-account setup with pre-packaged guardrails (SCPs and Config rules), a centralized Log Archive account with immutable CloudTrail logging, automated account vending via Account Factory, and consolidated billing integrationâ€”all managed from a single governance console. C AWS Config with an aggregator in the management account provides centralized visibility into configuration compliance across all accounts, replacing the need for Control Tower's guardrail framework. D AWS Security Hub with Organizations integration centralizes security findings, compliance scores, and automated remediation across 200 accounts, providing the full landing zone governance required.

7 / 60

Question 8 of 60

A company's streaming application on AWS processes real-time stock price updates from 10,000 trading symbols using Kinesis Data Streams with 100 shards. A new requirement demands sub-100ms end-to-end processing latency. Currently Lambda consumers average 250ms per batch. Which architectural change most directly reduces Lambda processing latency? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Increase Kinesis Data Stream shard count from 100 to 500 to provide five times the throughput capacity, reducing the time each Lambda function spends reading from each shard. B Switch from Lambda batch processing to Kinesis Data Streams with Amazon Kinesis Data Analytics (Managed Apache Flink) for stateful stream processing with sub-millisecond record-level latency guarantees. C Enable Kinesis Enhanced Fan-Out to provide dedicated 2 MB/s per shard per consumer, eliminating shared throughput contention and reducing the polling latency for each Lambda consumer. D Reduce the Lambda event source mapping batch size to 1 record per invocation and set the bisect-on-error option to true, ensuring each record is processed as soon as it arrives.

8 / 60

Question 9 of 60

An application uses Amazon SQS as a buffer between an API Gateway and a downstream processor. During traffic spikes, the SQS queue depth reaches millions of messages. The Lambda consumer is throttled because it has hit the account-level Lambda concurrency limit (1,000). How should the architect resolve this without requesting a limit increase? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Switch the SQS consumer from Lambda to an Amazon ECS Fargate service with auto-scaling based on the SQS queue depth metric (ApproximateNumberOfMessagesVisible), which is not subject to Lambda concurrency limits. B Configure the Lambda event source mapping for SQS with a maximum concurrency setting and use Reserved Concurrency specifically allocated to this Lambda function; rebalance Reserved Concurrency from lower-priority functions to free up capacity for the SQS consumer. C Enable SQS long polling on the queue and increase the visibility timeout to 15 minutes, reducing the number of redundant receive-message calls and freeing Lambda concurrency for actual processing. D Migrate the SQS queue to SQS FIFO, which processes messages in order and reduces Lambda concurrency requirements by serializing message processing through a single consumer thread.

9 / 60

Question 10 of 60

A company's application on EC2 accesses an Amazon RDS PostgreSQL database using hard-coded credentials in the application config file. The security team requires that credentials be rotated every 30 days without application downtime. Which AWS solution achieves seamless credential rotation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Store the database password in an AWS Systems Manager Parameter Store SecureString parameter; update the application to read the parameter at startup, and schedule a Lambda function to update the parameter and database password every 30 days. B Use AWS Secrets Manager to store the database credentials; configure automatic rotation with a Lambda rotation function that updates both the Secrets Manager secret and the RDS database password every 30 days; update the application to fetch credentials from Secrets Manager at connection time. C Enable RDS automatic password rotation in the RDS console, which rotates the master user password every 30 days and automatically updates all connected EC2 instances via the RDS agent installed on each instance. D Create an IAM database user in RDS that authenticates with IAM instead of a password; configure the application to generate short-lived IAM authentication tokens using the RDS API, eliminating the need for password rotation.

10 / 60

Question 11 of 60

A company deploys a multi-tier application using AWS CloudFormation. The database tier is in a nested stack (NestedDBStack) that exports the RDS endpoint. The application tier nested stack (NestedAppStack) imports the RDS endpoint. After deployment, the DBA updates the RDS instance class in NestedDBStack, which causes the endpoint to change. The parent stack update fails because NestedAppStack's import cannot be updated while another stack exports the value. How should the architect address this cross-stack dependency? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Fn::GetAtt from the parent stack to pass the RDS endpoint from NestedDBStack directly to NestedAppStack as an input parameter, avoiding cross-stack Fn::ImportValue references entirely. B Store the RDS endpoint in AWS Systems Manager Parameter Store from NestedDBStack using a custom resource Lambda; have NestedAppStack retrieve the endpoint using the {{resolve:ssm:/rds/endpoint}} dynamic reference instead of Fn::ImportValue, breaking the hard cross-stack export dependency. C Update the NestedDBStack in isolation first to change the RDS instance class; the endpoint will not change for RDS instance class modifications, so the update will succeed without affecting NestedAppStack. D Delete NestedAppStack, update NestedDBStack with the new instance class, then redeploy NestedAppStack with the new endpointâ€”accepting temporary downtime as a necessary consequence of cross-stack dependencies.

11 / 60

Question 12 of 60

A company has a large Hadoop cluster on-premises that runs daily ETL jobs processing 50 TB of data. The team wants to migrate to AWS while preserving the ability to run PySpark code with minimal changes and automatically terminating the cluster after each job to minimize costs. Which AWS service and configuration is optimal? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Refactor all PySpark jobs to run on AWS Glue ETL with the Glue DynamicFrame API, which is PySpark-compatible and fully managed, with serverless pricing per DPU-hour. B Use Amazon EMR with a transient cluster configuration: data stored in Amazon S3 (replacing HDFS); the cluster is created, runs the PySpark job with minimal code changes, then automatically terminates; you pay only for the duration of the job. C Run the Hadoop cluster on a fleet of EC2 instances using the Amazon EMR on EC2 AMI, configuring the cluster with HDFS; S3 is too slow for 50 TB daily ETL at Hadoop performance requirements. D Migrate the Hadoop cluster to Amazon EKS using EMR on EKS; run PySpark jobs as Spark operator jobs on Kubernetes, which provides better resource utilization through multi-tenant cluster sharing.

12 / 60

Question 13 of 60

A company's production RDS Aurora MySQL cluster experiences performance degradation during peak hours. Amazon RDS Performance Insights shows that the top wait event is 'lock/table/sql_lock'. Queries from a reporting application are acquiring table-level locks that block transactional workloads. What is the architecturally correct solution? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Increase the Aurora cluster's instance size to a db.r5.8xlarge to provide more CPU and memory, reducing query execution time and the duration that locks are held. B Add one or more Aurora read replicas and redirect the reporting application's queries to the reader endpoint, separating reporting read traffic from transactional write traffic and eliminating lock contention on the primary writer. C Enable Aurora Parallel Query, which offloads query processing to the storage layer and eliminates table-level locks for analytical queries run on the primary instance. D Migrate the reporting application to Amazon Athena, querying data exported from Aurora to S3 via AWS DMS Change Data Capture, eliminating any database-level lock contention.

13 / 60

Question 14 of 60

An application produces events that must trigger actions in three downstream services: payment processing, inventory update, and audit logging. Payment processing must complete before inventory update, but audit logging can run in parallel with both. The entire workflow must support automatic retry and maintain execution history for 90 days. Which AWS service orchestrates this workflow? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon SQS with three separate queues; the payment service acknowledges the SQS message and writes a new message to the inventory queue only after completing; the audit queue receives a copy from a fan-out Lambda trigger. B Use AWS Step Functions Standard Workflow with a state machine that sequences payment processing â†’ inventory update in series, with audit logging in a parallel branch; Step Functions retries failed states automatically and stores execution history for 90 days. C Use AWS Lambda with a chain of synchronous invocations: the trigger Lambda calls the payment Lambda, waits for completion, then calls the inventory Lambda; a separate async invocation triggers audit logging. D Use Amazon EventBridge with three separate rules matching the same event source; each rule triggers its respective downstream service; EventBridge provides built-in retry logic and archives events for 90 days.

14 / 60

Question 15 of 60

A startup builds a SaaS application where each customer gets a logically isolated environment. The team uses a single AWS account with customer data separated by DynamoDB table name prefix (customer_id_*). As the customer base grows to 500, the DBA notices the 2,500 DynamoDB table limit per account will be reached. What is the most scalable long-term architectural change? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create separate AWS accounts for each customer using AWS Organizations Account Factory and deploy a separate DynamoDB table per customer in each account, distributing the table count across accounts. B Migrate to a single-table design using customer_id as the partition key and sub-entity type as the sort key; use IAM fine-grained access control with LeadingKeys condition to enforce per-customer data isolation, eliminating the need for per-customer tables. C Request a service limit increase from AWS Support to raise the DynamoDB table limit to 5,000 per account, providing headroom for 2 years of growth at the current rate. D Implement a sharding strategy where customer_ids are hashed into 10 buckets; create 10 DynamoDB tables with a customer_id prefix; each table serves ~50 customers, keeping total table count well below 2,500.

15 / 60

Question 16 of 60

A company's EC2-based application stores session data in local memory. The Auto Scaling group scales out frequently, but new instances don't have session data, causing users to be logged out. The team wants to externalize sessions with sub-millisecond latency and high availability, and the session data must survive a single AZ failure. Which AWS service meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon DynamoDB with DAX to store session data; DynamoDB provides cross-AZ redundancy by default and DAX provides sub-millisecond read latency for session lookups. B Store session data in Amazon EFS, mounted by all EC2 instances; EFS provides shared file system access across all AZs with automatic replication for high availability. C Enable ALB sticky sessions to pin each user to a specific EC2 instance, ensuring their session data (stored in local memory) is always accessible on the same instance. D Use Amazon ElastiCache for Redis in cluster mode with Multi-AZ replication and automatic failover; Redis provides sub-millisecond in-memory session storage with AZ-level resilience through replicas.

16 / 60

Question 17 of 60

A company needs to implement an event-driven architecture where an S3 data lake upload triggers a data quality validation pipeline. If validation succeeds, downstream processing is triggered; if it fails, a notification is sent to a data engineering Slack channel and the object is moved to a quarantine prefix. The pipeline must handle concurrent uploads without data loss. Which AWS combination implements this with the least custom code? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure S3 Event Notifications to trigger a Lambda function that runs validation inline, calls the Slack API on failure, and copies the object to the quarantine prefix; use SQS to decouple S3 events from Lambda invocations to handle concurrency. B Use AWS Glue Data Quality rules on the S3 data catalog table; configure Glue to trigger downstream Glue ETL jobs on success and send a CloudWatch alarm notification to SNS (â†’ Slack) on failure. C Configure S3 Event Notifications to write to an SNS topic; subscribe a Lambda function and an SQS queue to the topic; Lambda handles validation while SQS buffers events for downstream processing; Slack notifications are sent via the Slack SDK in the Lambda function. D Use Amazon EventBridge with an S3 event source rule to trigger an AWS Step Functions Express Workflow for each upload; the state machine runs validation (via Lambda), routes to downstream processing on success, or routes to an Amazon SNS topic (â†’ Slack via Chatbot) and an S3 copy task on failure.

17 / 60

Question 18 of 60

A company's AWS workload produces 10 GB of VPC Flow Logs daily. The security team must query logs for specific source IPs within 24 hours, but the logs need not be analyzed automatically. Current storage in CloudWatch Logs costs $5/GB/month and is becoming expensive. What is the most cost-effective storage and query solution? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Store VPC Flow Logs in Amazon OpenSearch Service with a 7-day hot tier and 23-day warm tier; use OpenSearch Dashboards for ad-hoc queries, reducing storage cost compared to CloudWatch Logs. B Export CloudWatch Logs to Amazon S3 using an export task daily; compress the logs using gzip; use Amazon Athena to query the gzipped logs on S3, reducing storage cost to approximately $0.023/GB/month. C Enable VPC Flow Logs directly to Amazon S3, storing in CSV format; use Amazon QuickSight to visualize and query the flow log data from S3 using direct query mode. D Enable VPC Flow Logs directly to Amazon S3 in Apache Parquet format with Hive-compatible partitioning (account-id/region/vpc-id/year/month/day); query using Amazon Athena for ad-hoc source IP lookups with partition pruning.

18 / 60

Question 19 of 60

A company runs a critical OLTP application on Amazon RDS PostgreSQL with a 5-minute RPO and a 30-minute RTO requirement for a region-level disaster. The application database is 2 TB. Which DR configuration meets both requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable RDS cross-region automated backups with a 5-minute backup window; in a disaster, restore the latest backup to the DR region within the 30-minute RTO. Verify RPO by checking the backup completion timestamp against the disaster time. B Use AWS Database Migration Service (DMS) for continuous replication from the primary RDS PostgreSQL to a standby RDS PostgreSQL in the DR region; DMS provides sub-second replication lag, achieving the 5-minute RPO. C Deploy an Aurora Global Database with a 5-second RPO replication lag; on disaster, initiate managed failover which completes in under 1 minute, satisfying both the 5-minute RPO and 30-minute RTO. D Create an RDS cross-region read replica in the DR region; configure Point-In-Time Recovery (PITR) with 5-minute granularity; on disaster, promote the replica as the new primary within 30 minutes.

19 / 60

Question 20 of 60

A fintech company must ensure that no S3 object in their data lake can be read by any AWS service or IAM principal outside of the company's AWS Organization, even if the bucket or object ACL is misconfigured. What is the most robust preventative control? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable S3 Block Public Access at the account level for all accounts in the organization, preventing public ACL-based access to all S3 objects. B Apply an SCP that denies s3:GetObject calls unless the aws:PrincipalOrgID condition key matches the company's Organization ID, ensuring only organization principals can read S3 objects. C Implement S3 VPC Endpoint policies on all VPC endpoints that restrict S3 access to only principals in the organization; combine with S3 bucket policies on all buckets using aws:PrincipalOrgID condition to deny access from outside the organization. D Use AWS Service Control Policies (SCPs) to enforce a Deny on s3:PutBucketPolicy and s3:PutObjectAcl unless the principal is in the organization's management account, preventing cross-organization bucket policies from being set.

20 / 60

Question 21 of 60

A company stores financial reports in Amazon S3. A security audit reveals that some reports contain PII that should have been redacted before storage. The company wants to automatically detect PII in new S3 uploads and quarantine any objects that contain sensitive data before they are processed by downstream applications. Which AWS service detects PII in S3 objects automatically? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon Rekognition to analyze each S3 object upload for personally identifiable information; Rekognition's content moderation API flags objects containing PII for quarantine. B Deploy Amazon Inspector V2 with Lambda scanning enabled; Inspector scans S3 objects for PII as part of its vulnerability assessment workflow and generates findings for quarantine automation. C Use AWS Lambda with Amazon Comprehend to analyze each new S3 upload triggered by S3 Event Notifications; Comprehend's entity recognition identifies PII entities and the Lambda function moves flagged objects to quarantine. D Enable Amazon Macie on the S3 bucket; Macie automatically scans new S3 objects for PII (names, SSNs, credit card numbers, etc.) using ML-based discovery and creates findings that trigger an EventBridge rule to move flagged objects to a quarantine bucket.

21 / 60

Question 22 of 60

A company is designing a globally distributed application. Users in Asia, Europe, and North America must experience latency under 50ms to the application's API. The API is stateless. The company has RDS PostgreSQL databases in us-east-1, eu-west-1, and ap-northeast-1. Which global API routing strategy achieves sub-50ms latency for all regions? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy the API on EC2 in all three regions behind Regional ALBs; use Route 53 Geolocation routing to direct each continent's users to the nearest region's ALB endpoint. B Use Amazon CloudFront with Lambda@Edge to run the stateless API logic at CloudFront edge locations globally; cache responses at the edge for the most common API queries to reduce latency. C Deploy the API on EC2 in all three regions; use Route 53 weighted routing with equal weights across all three regional endpoints so that traffic is distributed globally. D Use AWS Global Accelerator with endpoint groups in us-east-1, eu-west-1, and ap-northeast-1; Global Accelerator routes users to the nearest endpoint over the AWS global backbone, achieving consistent sub-50ms latency.

22 / 60

Question 23 of 60

A company's application uses Amazon SQS Standard queues. During a surge, Lambda consumers fail to process some messages in time, and those messages are received multiple times by different Lambda instances. The application's downstream database applies the same write multiple times, causing duplicate records. What is the correct approach to prevent duplicate database writes? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable SQS message deduplication by adding a MessageDeduplicationId to each SQS message at the producer; this prevents SQS from delivering the same message to more than one Lambda consumer. B Switch from SQS Standard to SQS FIFO queues, which provide exactly-once processing semantics, eliminating duplicate deliveries and ensuring the database never receives the same write twice. C Increase the SQS visibility timeout to 24 hours and set Lambda Reserved Concurrency high enough so that each message is always processed by the same Lambda instance before becoming visible again. D Implement idempotent message processing in the Lambda function using the SQS message ID as a deduplication key: before writing to the database, check a DynamoDB table for the message ID and skip processing if already seen; write the message ID to DynamoDB upon successful processing.

23 / 60

Question 24 of 60

A company wants to implement a data mesh architecture on AWS. Each business domain owns its data as a product and must be able to share it with other domains without copying it. The data must remain in the producer's S3 bucket and be queryable by consumers in other AWS accounts using SQL. Which AWS feature enables cross-account, zero-copy data sharing? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon S3 cross-account bucket policies to grant read access to consumer accounts; consumers use Amazon Athena in their own account with a shared Glue Data Catalog to query the producer's S3 data. B Use Amazon Redshift Data Sharing to expose a datashare from the producer Redshift cluster to consumer accounts; consumers query the data using their own Redshift cluster without copying the underlying data. C Use AWS Glue bookmarks to track processed data; share the Glue ETL job configuration across accounts so consumers can run their own ETL jobs against the producer's S3 data without duplicating storage. D Use Amazon DataZone or AWS Analytics Hub (Analytics Hub is a GCP featureâ€”the AWS equivalent is AWS Data Exchange or Amazon DataZone): use AWS Lake Formation cross-account data sharing with tag-based access control, granting consumers access to Glue Data Catalog tables over the producer's S3 data via Lake Formation permissions without data copying.

24 / 60

Question 25 of 60

A company runs a serverless application using Lambda, API Gateway, and DynamoDB. During a black-box load test, the team discovers that at 5,000 concurrent requests, API Gateway returns HTTP 429 errors. Lambda's Reserved Concurrency is set to 5,000. DynamoDB is using on-demand capacity. What is the most likely root cause and resolution? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A DynamoDB on-demand capacity is throttling at 5,000 concurrent requests. Switch DynamoDB to provisioned capacity with sufficient WCU/RCU pre-warmed before the load test. B API Gateway's maximum 29-second integration timeout is reached under load, causing requests to time out and return 429 errors; increase the Lambda function timeout to 30 seconds. C Lambda's account-level concurrency limit (1,000 by default, 5,000 with Reserved Concurrency) is being hit; increase the account-level Lambda concurrency limit by contacting AWS Support. D API Gateway has a default per-stage throttle limit of 10,000 RPS with a burst limit of 5,000. During a burst to 5,000 simultaneous requests, the token bucket is exhausted, triggering 429 responses. Request a throttle limit increase or implement a request queuing strategy.

25 / 60

Question 26 of 60

A company's application produces CloudWatch custom metrics for business KPIs (e.g., orders per minute, revenue per second). The metrics must be monitored in real time with alarms that trigger within 10 seconds of a threshold breach, faster than the standard 1-minute metric resolution. Which CloudWatch feature enables this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable CloudWatch Detailed Monitoring on the application's EC2 instances, which provides 1-second metric resolution for system metrics including custom business KPIs. B Use Amazon Kinesis Data Streams to ingest business metrics in real time and configure a Kinesis Data Analytics application with a 10-second tumbling window to detect threshold breaches. C Configure CloudWatch Metric Streams to stream custom metrics to Amazon Kinesis Data Firehose and then to Amazon OpenSearch Service for real-time dashboarding with 10-second refresh. D Publish custom metrics with the StorageResolution parameter set to 1 (High-Resolution metrics); configure a CloudWatch Alarm with an evaluation period of 10 seconds, enabling alarms to trigger within 10â€“30 seconds of a threshold breach.

26 / 60

Question 27 of 60

An organization uses AWS Organizations with 100 accounts. They want to deploy a standardized VPC configuration (CIDR, subnets, route tables, IGW) to every new account automatically when it's created. The configuration must also apply to existing accounts on demand. Which AWS mechanism implements this with the least custom development? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy the VPC configuration manually to all existing accounts using the AWS CLI and create an SCP that requires all new accounts to deploy the VPC configuration CloudFormation template before any other resources can be created. B Create an AWS Lambda function triggered by the CreateAccount CloudTrail event via Amazon EventBridge; the Lambda assumes a cross-account role in the new account and deploys the VPC CloudFormation stack. C Use AWS CloudFormation StackSets with automatic deployment to the organization's root OU; configure the StackSet to deploy the VPC template to all current and future accounts, with automatic deployment of newly created accounts. D Use AWS Control Tower Account Factory with a customized account baseline that includes a CloudFormation template for the VPC configuration; new accounts receive the baseline automatically, and existing accounts can be re-enrolled to apply the baseline.

27 / 60

Question 28 of 60

A company runs a stateful WebSocket application on Amazon ECS Fargate behind an Application Load Balancer. During deployments, active WebSocket connections are dropped because tasks are replaced without waiting for connections to drain. What ALB and ECS configuration prevents connection drops during rolling deployments? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure ECS task placement constraints to force new tasks onto different EC2 instances (if using EC2 launch type); this prevents task replacement from affecting existing connections on busy nodes. B Switch from rolling deployment to blue/green deployment using AWS CodeDeploy; CodeDeploy waits for connections on the blue environment to drain before routing traffic to the green environment. C Enable ALB sticky sessions on the target group so that WebSocket clients are pinned to specific Fargate tasks; during deployment, sticky session affinity prevents connection migration to new tasks. D Configure ALB connection draining (deregistration delay) on the ECS service's target group to a value sufficient for WebSocket sessions to complete (e.g., 300 seconds); ECS waits for the deregistration delay before stopping the old task, allowing active connections to finish.

28 / 60

Question 29 of 60

A company stores 200 TB of cold scientific data in Amazon S3 Standard. The data is accessed twice per year for large batch analysis jobs and must be queryable within 4 hours of a retrieval request. The team wants to minimize storage costs while meeting the retrieval SLA. Which S3 storage class is optimal? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Move the data to Amazon S3 Glacier Deep Archive, which offers the lowest storage cost; use Bulk retrieval (12â€“48 hours) for the biannual analysis jobs. B Keep the data in Amazon S3 Standard-IA (Infrequent Access), which provides lower storage cost than S3 Standard with millisecond retrieval latency for the biannual analysis jobs. C Move the data to Amazon S3 Intelligent-Tiering, which automatically moves objects to the Archive Access Tier after 90 days of inactivity, providing Glacier-equivalent cost with automatic tiering. D Move the data to Amazon S3 Glacier Flexible Retrieval (formerly S3 Glacier); use Standard retrieval (3â€“5 hours) for the biannual analysis jobs, meeting the 4-hour SLA at significantly lower storage cost than S3 Standard.

29 / 60

Question 30 of 60

A company's DevSecOps team wants to automatically scan all container images pushed to Amazon ECR for OS and application-level vulnerabilities and block deployment to Amazon ECS if a critical vulnerability is found. Which AWS-native solution implements this pipeline control? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure ECR lifecycle policies to delete images with critical vulnerabilities automatically; this prevents ECS from pulling and deploying images flagged by the lifecycle policy. B Enable AWS Config's ec2-security-group-attached-to-eni managed rule to detect containers running with known vulnerable images and trigger automatic remediation. C Enable Amazon GuardDuty Runtime Monitoring for ECS to detect exploitation of vulnerable container images at runtime and automatically stop the ECS task when a critical vulnerability is detected. D Use Amazon Inspector V2 enhanced scanning (integrated with ECR); when a new image is pushed, Inspector scans it and generates findings; an EventBridge rule detects critical Inspector findings and triggers a CodePipeline approval action that blocks promotion to ECS.

30 / 60

Question 31 of 60

A company's monolithic Java application uses Amazon RDS MySQL for all data storage. The engineering team wants to decompose it into microservices using the strangler fig pattern. The first service to be extracted is a product catalog. During the extraction, both the monolith and the new catalog service must read and write product data consistently. Which data synchronization approach avoids data divergence with minimal application changes? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Keep a single source of truth in the existing RDS MySQL database; the extracted catalog service accesses the same database directly during the transition period; update the database schema to accommodate both the monolith and the microservice access patterns. B Create a separate MySQL database for the catalog service and configure bidirectional replication between the monolith's RDS instance and the new catalog service's RDS instance using MySQL binlog replication. C Use AWS DMS to continuously replicate product catalog tables from the monolith's RDS to the new catalog service's Aurora PostgreSQL database, with CDC ensuring the catalog service always has a fresh copy. D Implement an event-driven synchronization where the monolith publishes product change events to an SNS topic and the new catalog service subscribes to update its own database, accepting eventual consistency during the transition.

31 / 60

Question 32 of 60

A company runs a large-scale simulation workload that parallelizes across thousands of EC2 Spot Instances. The jobs take 2â€“6 hours. When a Spot instance is reclaimed, the job must checkpoint its state to S3, terminate cleanly, and be resumed on a new instance. The team needs to receive a 2-minute warning before termination. Which EC2 feature provides this warning? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Poll the EC2 instance metadata service (IMDS) at http://169.254.169.254/latest/meta-data/spot/termination-time from within the instance; this endpoint returns a termination timestamp approximately 2 minutes before the Spot instance is reclaimed. B Enable EC2 Spot Fleet capacity-optimized allocation strategy, which selects pools with the highest available capacity, minimizing interruptions without requiring a termination warning mechanism. C Configure an Auto Scaling lifecycle hook with a HeartbeatTimeout of 120 seconds on scale-in events; the hook sends an SNS notification to a Lambda function that triggers the checkpoint process. D Subscribe to Amazon EventBridge EC2 Spot interruption notices, which deliver the termination event to an SQS queue 2 minutes before reclamation; a Lambda function reads the queue and sends a checkpoint signal to the instance via SSM Run Command.

32 / 60

Question 33 of 60

A retail company's e-commerce platform on AWS experiences a 10x traffic spike every Black Friday. The application uses Amazon Aurora MySQL and Amazon ElastiCache for Redis. The engineering team observes that Aurora CPU reaches 95% during the spike despite Auto Scaling not being applicable to database instances. What is the most effective way to offload Aurora during the spike? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Add Aurora read replicas before the spike and use the Aurora reader endpoint to route all product browsing and search queries (SELECT statements) to the replicas, leaving the writer for transactional INSERT/UPDATE operations. B Enable Aurora Serverless v2 to automatically scale the Aurora cluster's capacity units (ACUs) up during the Black Friday spike, eliminating the CPU ceiling on provisioned instances. C Pre-warm the ElastiCache Redis cluster with all product catalog data before Black Friday by running a cache population script; all product reads hit Redis, and Aurora is only queried on a cache miss. D Enable Aurora Parallel Query to distribute analytical query processing to the Aurora storage layer, reducing CPU load on the writer instance during the Black Friday traffic spike.

33 / 60

Question 34 of 60

A company builds a multi-tenant B2B SaaS product. Each tenant requires a completely separate application stack (ECS services, RDS database, S3 bucket, API Gateway stage) for compliance reasons. The company currently has 50 tenants and expects to grow to 500. Managing 50 CloudFormation stacks manually is becoming unmanageable. Which AWS approach scales tenant provisioning with the least operational overhead? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Service Catalog with a portfolio containing the tenant stack product; configure a Service Catalog launch constraint and provisioning artifact; tenant provisioning is triggered by a Lambda function calling ServiceCatalog:ProvisionProduct, with all lifecycle managed through Service Catalog. B Build a self-service tenant portal using Amazon API Gateway and Lambda that calls CloudFormation CreateStack using the tenant stack template, triggered by a tenant onboarding event in the CRM system. C Use AWS CDK to define the tenant infrastructure as a reusable construct; run cdk deploy for each new tenant from a CI/CD pipeline triggered by a Jira ticket, using CDK's built-in stack management for drift detection. D Create an AWS CloudFormation StackSet in the organization's management account and deploy a separate stack instance per tenant account using automatic deployment to new OUs as each tenant's account is created.

34 / 60

Question 35 of 60

An architect is designing a solution where an on-premises application must write large files (10â€“100 GB) to AWS storage with low latency from the corporate data center, and the files must be immediately available for processing by AWS Lambda functions. The company has AWS Direct Connect with 10 Gbps bandwidth. Which AWS storage gateway option meets these requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Storage Gateway File Gateway: the on-premises application writes to an NFS/SMB share on the File Gateway, which caches recently written files locally for low-latency access and asynchronously uploads to Amazon S3; Lambda functions process files directly from S3. B Use AWS Storage Gateway Volume Gateway in cached mode: the on-premises application writes to an iSCSI volume that is cached locally and backed by Amazon S3; Lambda accesses the data through S3 Glacier, which Volume Gateway uses as the backing store. C Use AWS DataSync to synchronize files from the on-premises application directory to Amazon S3 on a schedule every 15 minutes; Lambda functions poll S3 for new objects using SQS event notifications. D Use AWS Storage Gateway Tape Gateway: the on-premises application writes to a virtual tape library (VTL), which stores tapes in Amazon S3 Glacier; Lambda retrieves the tapes for processing after each upload.

35 / 60

Question 36 of 60

A company's machine learning pipeline on AWS Sagemaker trains models nightly. After training, models are registered in the SageMaker Model Registry and deployed to SageMaker real-time inference endpoints. The team wants to enforce that only models that pass a manual quality review are deployed to the production endpoint. Which SageMaker feature enforces this gate? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Register the trained model in the SageMaker Model Registry with an approval status of 'PendingManualApproval'; configure an EventBridge rule that triggers a deployment Lambda function only when a model's approval status changes to 'Approved' by a reviewer. B Use Amazon SageMaker Clarify after training to evaluate model bias and explainability; configure SageMaker to block endpoint deployment automatically if bias metrics exceed defined thresholds. C Configure a SageMaker Pipeline with a Manual Approval step at the end of the training pipeline; the pipeline pauses until a reviewer approves in the SageMaker Studio console, then automatically deploys the model. D Use AWS CodePipeline with a manual approval action between the training stage and the deployment stage; the pipeline uses a SageMaker integration to deploy the approved model to the production endpoint.

36 / 60

Question 37 of 60

A company migrates on-premises Oracle RAC to AWS. The application requires: ACID transactions, up to 100 TB of data, read scalability to 15 read replicas, automatic failover within 30 seconds, and Oracle SQL compatibility. Which AWS database service meets all requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon Aurora PostgreSQL-Compatible with Aurora Global Database: Aurora supports up to 15 read replicas, automatic failover in under 30 seconds, ACID transactions, and up to 128 TB of data; migrate Oracle SQL to PostgreSQL syntax using AWS Schema Conversion Tool. B Use Amazon RDS for Oracle with Multi-AZ deployment, which provides automatic failover and up to 5 read replicas across regions; purchase BYOL Oracle Database Enterprise Edition licenses for the RAC equivalent feature set. C Use Amazon RDS for Oracle with the Oracle Active Data Guard option enabled for read replicas; Data Guard provides up to 15 standby instances and automatic failover within 30 seconds using the Oracle Failover feature. D Use Amazon Aurora MySQL-Compatible, which provides up to 15 read replicas, automatic Multi-AZ failover under 30 seconds, and ACID compliance; migrate Oracle SQL to MySQL-compatible syntax with AWS SCT.

37 / 60

Question 38 of 60

A company stores confidential HR documents in Amazon S3. These documents should be accessible only to members of a specific IAM group (hr-team). However, a recent audit discovered that an S3 bucket policy with a public access grant overrides the IAM group restriction. The company wants to ensure that HR documents can only be accessed by hr-team members under any circumstances. What combination of controls achieves this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable S3 Block Public Access at the account level (blocks all public bucket policies and ACLs); add a bucket policy that explicitly denies s3:GetObject for any principal that is not a member of the hr-team IAM group using a Deny with a StringNotLike condition on aws:PrincipalArn. B Use AWS Macie to scan the S3 bucket for public access configurations and automatically remediate any bucket policy that grants public access to HR documents. C Delete the existing bucket policy entirely and rely solely on IAM group policies to control access; by default, S3 denies access to all principals unless explicitly granted by IAM. D Enable S3 Block Public Access on the bucket to prevent public ACL and bucket policy grants, and update the bucket policy to explicitly allow access only from the hr-team IAM group ARN.

38 / 60

Question 39 of 60

A company's compliance requirement states that no EC2 instance may run for more than 30 days without a patch assessment. The company has 800 EC2 instances across 10 AWS accounts. Which AWS Systems Manager capability automates patch compliance assessment and remediation at this scale? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Systems Manager Patch Manager with a patch baseline and maintenance window; configure a multi-account patch scan using AWS Organizations integration from the Systems Manager Delegated Administrator account, running patch assessments across all 800 instances and automatically applying approved patches during the maintenance window. B Use AWS Config with the ec2-managedinstance-patch-compliance-status-check managed rule to detect non-compliant instances; use SSM Automation as a remediation action to run the AWS-RunPatchBaseline document when non-compliance is detected. C Deploy an AWS Lambda function that uses the SSM API to trigger the AWS-RunPatchBaseline document on all instances on a 30-day schedule using EventBridge Scheduler, logging results to CloudWatch Logs for compliance tracking. D Use Amazon Inspector V2 to scan all EC2 instances for missing OS patches and generate findings for instances with unresolved vulnerabilities older than 30 days; remediate by manually downloading and applying patches via SSH.

39 / 60

Question 40 of 60

A company wants to implement a zero-trust network architecture for its AWS workloads. Currently all services in a VPC can communicate freely within the CIDR range. The team wants to enforce that each microservice can only communicate with explicitly permitted services, regardless of VPC CIDR, using cryptographic identity rather than IP addresses. Which AWS service implements this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy AWS App Mesh as a service mesh across all microservices; configure mutual TLS (mTLS) with Envoy proxies using certificates from AWS Certificate Manager Private CA, enforcing cryptographic identity verification for all service-to-service communication. B Deploy AWS Network Firewall in the VPC and configure stateful domain rules that allow traffic only between approved service endpoints using DNS-based filtering. C Configure VPC security groups for each microservice with explicit ingress rules referencing the source security group ID of permitted callers; this enforces identity-based access without relying on IP addresses. D Enable VPC Flow Logs and Amazon GuardDuty to monitor all inter-service traffic; configure EventBridge rules to automatically update security group rules when unauthorized traffic patterns are detected.

40 / 60

Question 41 of 60

A company's regulatory framework requires that all data written to Amazon S3 by any application be tagged with the application's cost center before storage. The tagging must be enforced even if developers forget to include the tag in the PutObject request. Which AWS mechanism enforces mandatory S3 object tagging? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use an AWS Lambda function triggered by S3 event notifications on ObjectCreated events; the Lambda function checks for the CostCenter tag and applies it if missing, using the S3 PutObjectTagging API to add the required tag after upload. B Apply an S3 bucket policy with a Deny on s3:PutObject unless the request includes the s3:RequestObjectTag/CostCenter condition key; this forces all PutObject calls to include the required tag. C Configure an SCP with a Deny on s3:PutObject unless the StringEquals condition for the s3:RequestObjectTag/CostCenter key is present, enforcing the tag requirement across all accounts in the organization. D Use Amazon EventBridge with an S3 ObjectCreated rule to trigger a Step Functions workflow that validates object tags; the workflow retags non-compliant objects and sends an SNS alert to the developer who uploaded the untagged object.

41 / 60

Question 42 of 60

A company uses Amazon Kinesis Data Firehose to deliver real-time web analytics events to Amazon Redshift. The Kinesis Firehose delivery stream's PUT rate is 40,000 records/second at peak. Firehose is configured with a buffer interval of 60 seconds and buffer size of 128 MB. The Redshift COPY command is triggered after each delivery. The team observes high COPY command queue depth during peak hours. What is the most effective way to reduce COPY command frequency and queue depth? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Increase the Kinesis Data Firehose buffer interval to 900 seconds (15 minutes) and the buffer size to 128 MB; this batches more records per delivery, reducing COPY command frequency from 60 per hour to 4 per hour and improving Redshift COPY efficiency. B Enable Redshift concurrency scaling to automatically add transient clusters that handle COPY commands during peak hours, processing the queue more rapidly. C Configure Kinesis Data Firehose to deliver to Amazon S3 instead of Redshift directly; use an Amazon Redshift Spectrum external table to query S3 data without COPY commands. D Increase the Kinesis Data Firehose shard count to provide additional throughput capacity, distributing incoming records across more shards and reducing the COPY command frequency.

42 / 60

Question 43 of 60

A company's application on Amazon ECS uses AWS Secrets Manager to store API keys. The security team requires that the API keys be automatically rotated every 24 hours. The ECS tasks must always use the current version of the secret without restarting. How can this be achieved? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure Secrets Manager automatic rotation with a 24-hour rotation schedule using a Lambda rotation function; update the application code to retrieve the secret from Secrets Manager at each API call (or cache with a short TTL) rather than fetching once at task start. B Configure ECS task definitions to inject the secret as an environment variable from Secrets Manager; when the secret rotates, ECS automatically restarts all running tasks with the new secret value. C Enable Secrets Manager automatic rotation and configure an EventBridge rule on the SecretsManager RotationSucceeded event to trigger an ECS UpdateService force new deployment, restarting tasks with the new secret. D Use AWS Parameter Store with automatic rotation enabled; mount the parameter as an environment variable in the ECS task definition, which updates automatically when the parameter value changes without task restarts.

43 / 60

Question 44 of 60

A company's Lambda function processes images from an S3 bucket. Image processing requires the Pillow library (50 MB compressed). Deploying the function with Pillow as a dependency results in a 60 MB deployment package, exceeding the Lambda console editor limit but below the 250 MB unzipped limit. However, the team also needs Pillow in multiple other Lambda functions. What is the most efficient way to share Pillow across all functions? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create a Lambda Layer containing the Pillow library and publish it; reference the layer ARN in all Lambda functions that need Pillow; the layer is extracted to /opt in the Lambda execution environment and counts toward the 250 MB unzipped limit shared across the function and its layers. B Use AWS Lambda container images: package each Lambda function with Pillow into a Docker container image and push to ECR; container images support up to 10 GB, and Pillow is included in each image. C Bundle Pillow into each Lambda function's deployment package individually; the 60 MB compressed size is within Lambda's 50 MB ZIP limit for direct upload, requiring S3 upload for functions exceeding 50 MB. D Deploy Pillow to an AWS Elastic File System (EFS) volume mounted by all Lambda functions; Lambda functions load Pillow from EFS at runtime, eliminating the need to bundle the library in each deployment package.

44 / 60

Question 45 of 60

A company's application in us-east-1 writes data to Amazon DynamoDB. The company needs to expand to eu-west-1 and wants users in both regions to read and write to a low-latency local DynamoDB endpoint, with all writes eventually replicated globally and conflict resolution handled automatically. Which DynamoDB feature enables this? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable DynamoDB Global Tables with replica tables in us-east-1 and eu-west-1; Global Tables provides active-active multi-region replication with last-writer-wins conflict resolution, typically replicating within sub-second latency. B Create a DynamoDB read replica in eu-west-1 using DynamoDB Streams and a Lambda function to replicate writes from us-east-1 to eu-west-1; the eu-west-1 replica is read-only. C Deploy separate DynamoDB tables in us-east-1 and eu-west-1; use Amazon Route 53 latency-based routing to direct users to their nearest regional table; implement application-level conflict resolution for cross-region writes. D Use DynamoDB Streams to capture all writes in us-east-1 and use an AWS Lambda function to replicate writes to a DynamoDB table in eu-west-1 with a 5-minute delay, providing near-real-time global replication.

45 / 60

Question 46 of 60

A company processes healthcare claims using a Lambda function that calls an external FHIR API. The FHIR API is rate-limited to 100 requests per second. During peak hours, Lambda scales to 500 concurrent invocations, exceeding the API's limit and causing 429 errors. How should the architect redesign this to respect the rate limit? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Set Lambda Reserved Concurrency to 100 to limit concurrent executions to 100, matching the API's rate limit of 100 requests per second assuming each Lambda invocation takes approximately 1 second. B Implement exponential backoff with jitter in the Lambda function's FHIR API call; retries with jitter spread the requests over time, eventually fitting within the 100 RPS rate limit. C Place an SQS queue before the Lambda function; the upstream service enqueues claims; configure the Lambda event source mapping with maximum concurrency of 100 and a batch size of 1, ensuring Lambda processes at most 100 claims per second. D Deploy an Amazon API Gateway in front of the external FHIR API as a proxy; configure API Gateway throttling to 100 RPS, which enforces the rate limit before requests reach Lambda.

46 / 60

Question 47 of 60

A company wants to run workloads that require Windows Active Directory authentication natively for Amazon FSx for Windows File Server and Amazon RDS for SQL Server. The company's AD domain is on-premises. Which AWS service option enables native AD integration without migrating the domain controller to AWS? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy a Windows Server EC2 instance as a domain controller replica (RODC) in the AWS VPC and join FSx and RDS SQL Server to the AWS domain, replicating on-premises AD objects to the RODC. B Use AWS Managed Microsoft AD to create a new managed AD forest in AWS and establish a one-way forest trust from the on-premises AD to AWS Managed AD, allowing AWS services to authenticate users from the on-premises domain. C Use AWS Directory Service AD Connector to proxy Kerberos authentication requests from FSx and RDS SQL Server to the on-premises AD domain controller over a Direct Connect or VPN connection, enabling native Windows AD authentication without any AD data in AWS. D Use Amazon Cognito with SAML federation configured to use the on-premises AD FS server as the SAML identity provider, federating AD authentication for FSx and RDS SQL Server access.

47 / 60

Question 48 of 60

A company's production environment uses AWS CloudFormation with 200 stacks. A junior engineer accidentally deleted a production CloudFormation stack that contained an RDS database, an ALB, and 12 Lambda functions. CloudFormation attempted to delete the RDS instance but it had deletion protection enabled. The ALB and Lambda functions were deleted. What is the fastest way to restore the environment? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Identify the CloudFormation template in the version control repository; redeploy the stack using the original template; CloudFormation will detect the existing RDS instance (with deletion protection) via stack drift detection and import it into the new stack. B Use AWS CloudTrail to identify all resources that were deleted by the CloudFormation DeleteStack API call; manually recreate each deleted resource in the AWS console using the configuration captured in CloudTrail event details. C Redeploy the original CloudFormation template from the version control repository; for the RDS instance that survived (due to deletion protection), use CloudFormation resource import (import existing resources into a stack) to include it in the new stack rather than creating a new one, completing the restore in a single stack update. D Restore the full environment from the most recent AWS Backup job, which includes both the RDS database and all Lambda functions, providing a consistent point-in-time restore of all resources.

48 / 60

Question 49 of 60

A company needs to provide third-party auditors with read-only access to specific S3 buckets in their AWS account for a 30-day audit period. The auditors use their own AWS accounts. The company wants access to expire automatically after 30 days without any manual action. Which approach implements time-limited cross-account access? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create IAM users for each auditor in the company's AWS account with permissions limited to the specific S3 buckets; set the IAM user's password expiry to 30 days; disable the users' access keys after 30 days using an EventBridge-scheduled Lambda function. B Create a cross-account IAM role in the company's account with a trust policy allowing the auditors' AWS account IDs to assume the role; set a maximum session duration of 43,200 seconds (12 hours); use AWS Organizations Service Control Policies to block sts:AssumeRole after the 30-day period by a time-based SCP condition. C Create a cross-account IAM role in the company's account with read-only S3 permissions; set the trust policy's Condition to use DateLessThan with an explicit expiry date (30 days from now); after 30 days, the condition prevents role assumption automatically. D Generate pre-signed S3 URLs for each object in the audit scope with a 30-day expiry (2,592,000 seconds); share the URLs with auditors; the URLs expire automatically without any manual action.

49 / 60

Question 50 of 60

A company wants to implement automated cost optimization for Amazon EC2. The goal is to automatically identify instances that are consistently underutilized (CPU <10% for 14 days) and right-size them to smaller instance types during a weekly maintenance window. Which AWS service provides native right-sizing recommendations and can integrate with maintenance automation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use Amazon CloudWatch custom metrics dashboards to track EC2 CPU utilization; create CloudWatch alarms at 10% CPU and configure alarm actions to trigger an EventBridge rule that resizes the instance using the EC2 ModifyInstanceAttribute API. B Use AWS Trusted Advisor's Cost Optimization checks, which identify underutilized EC2 instances with CPU <10%; export Trusted Advisor recommendations and manually resize instances during the maintenance window. C Use AWS Compute Optimizer, which analyzes EC2 instance utilization using CloudWatch metrics over 14 days and provides instance type recommendations; use the Compute Optimizer API to retrieve recommendations and trigger instance resizing via AWS Systems Manager Automation during the maintenance window. D Use AWS Cost Explorer's rightsizing recommendations API; filter for instances with <10% CPU over 14 days; integrate the recommendations with AWS Systems Manager Automation to apply instance type changes during the maintenance window.

50 / 60

Question 51 of 60

A company uses an Amazon SQS queue to buffer requests between a producer API and a consumer service. The consumer processes messages slowly (average 8 minutes per message). The visibility timeout is set to 30 minutes. During testing, the team notices that some messages appear in the queue twiceâ€”once being processed and once visible to a second consumer. What is the most likely cause? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A The consumer is deleting the message from the SQS queue before processing completes; if the consumer crashes before the delete, the message reappears and is processed again. B SQS Standard queues guarantee at-least-once delivery by design; the duplicate deliveries are an inherent characteristic of Standard queue semantics and occur even within the visibility timeout window. C The consumer occasionally takes longer than 30 minutes to process a message; when the visibility timeout expires before processing completes, SQS makes the message visible again, causing a second consumer to pick it up. D The producer is sending duplicate messages with identical content but different MessageGroupIds, which SQS Standard treats as separate messages, resulting in two deliveries.

51 / 60

Question 52 of 60

A company runs a workload on Amazon EC2 that requires consistent 10 Gbps network throughput to an Amazon FSx for Lustre file system. During peak processing, the EC2 instance's network throughput drops to 4 Gbps. The instance type is m5.xlarge. What is the most direct fix? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable Enhanced Networking with Elastic Network Adapter (ENA) on the m5.xlarge instance; ENA provides up to 10 Gbps on supported instance types without changing instance size. B Deploy multiple m5.xlarge instances in a placement group and use FSx for Lustre's parallel access from all instances to aggregate total throughput across the fleet. C Resize the EC2 instance from m5.xlarge (up to 10 Gbps) to m5.4xlarge (up to 10 Gbps baseline with higher burst) or c5n.4xlarge (up to 25 Gbps), which provides the required sustained 10 Gbps network throughput. D Configure Jumbo Frames (MTU 9001) on the EC2 instance's ENA interface to increase frame payload size and improve effective network throughput for FSx for Lustre transfers.

52 / 60

Question 53 of 60

A company wants to analyze its AWS spending by team, project, and environment (prod/dev/staging) across 30 AWS accounts. The company uses AWS Organizations. Which configuration provides the most granular cost allocation? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Enable Cost Explorer in the management account; Cost Explorer automatically identifies costs by account ID and service type, providing team and project breakdowns without any additional configuration. B Use AWS Budgets in each account to track spending by account; consolidate budget alerts to the management account using SNS cross-account subscriptions for a unified cost view. C Enforce tagging standards across all accounts using an SCP that denies resource creation unless the Team, Project, and Environment tags are present; activate the tags as cost allocation tags in the management account's billing console; use Cost Explorer to filter and group costs by these tags. D Enable AWS Cost and Usage Reports (CUR) delivery to an S3 bucket in the management account; query CUR with Amazon Athena filtered by account ID to attribute costs to teams by mapping account IDs to team names in a lookup table.

53 / 60

Question 54 of 60

A company's application uses Amazon DynamoDB Streams to trigger AWS Lambda for real-time inventory updates. During a Lambda deployment, the team notices that DynamoDB Streams records are not being processed for approximately 5 minutes. What is the most likely cause and resolution? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A DynamoDB Streams has a 5-minute polling interval; the Lambda event source mapping pauses during function deployments and resumes after the deployment completes, causing the 5-minute gap. B Lambda's Reserved Concurrency was set to 0 during deployment as a best practice to drain existing invocations; this paused stream processing for the duration of the deployment. C During a Lambda rolling deployment, all existing execution environments are replaced with new ones; the event source mapping temporarily pauses polling to drain in-flight invocations before switching to the new version, creating a brief processing gap; use Lambda Aliases with traffic shifting to enable gradual deployment without pausing stream processing. D The DynamoDB Streams shard iterator expired during the Lambda deployment; when Lambda resumed processing, it could only read from the LATEST position, missing 5 minutes of records.

54 / 60

Question 55 of 60

A company's application on Amazon ECS Fargate must connect to an Amazon RDS for PostgreSQL database. The security team requires that the database password never be stored in environment variables, container images, or ECS task definitions in plaintext. The database password rotates every 7 days. Which configuration meets both requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use IAM database authentication for RDS PostgreSQL; the application generates a short-lived IAM authentication token using the RDS GenerateAuthToken API instead of a static password, eliminating the need for password storage and rotation. B Store the database password in an environment variable in the ECS task definition; use AWS KMS to encrypt the task definition JSON; the plaintext password is only visible inside the container at runtime. C Store the database password in AWS Secrets Manager with automatic rotation enabled (7-day schedule); reference the secret ARN in the ECS task definition's 'secrets' section; ECS retrieves and injects the secret value as an environment variable at task launch using the task execution role; update the application to re-fetch the secret from Secrets Manager when a connection error occurs (detecting rotation). D Store the database password in an S3 object encrypted with SSE-KMS; the application downloads the password file from S3 at startup and reads it into memory; rotate the S3 object every 7 days using an EventBridge-scheduled Lambda function.

55 / 60

Question 56 of 60

A company stores 100 TB of genomics data in Amazon S3. Researchers run large-scale BLAST analyses against this data using a custom C++ application. The analysis requires high CPU (64 vCPUs) for 8 hours per run and runs 5 times per week. The team wants to minimize costs while ensuring the analysis completes reliably. Which configuration is most cost-effective? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Reserve a c5.18xlarge (72 vCPUs) for 1 year using an On-Demand Reserved Instance to ensure availability; the Reserved Instance discount reduces cost for the 5 weekly 8-hour runs. B Use Amazon EMR with Spark to rewrite the BLAST analysis in PySpark, distributing the computation across a transient EMR cluster with Spot pricing for maximum cost efficiency. C Use AWS Batch with Spot Instances (c5 or c5n family) configured with automatic retries; the 64 vCPU requirement fits multiple Spot instance families for capacity flexibility; jobs auto-retry on interruption using checkpoints stored in S3; Spot pricing reduces cost by 50â€“90%. D Use Amazon SageMaker Processing Jobs with an ml.c5.18xlarge instance for each BLAST analysis run; SageMaker manages instance provisioning and termination automatically, and Spot pricing is available for processing jobs.

56 / 60

Question 57 of 60

A company's web application serves dynamic content that varies by user authentication status (logged in vs. anonymous). CloudFront is deployed as the CDN. Cached responses for anonymous users are being served to authenticated users because CloudFront uses the URL as the cache key by default. How should the architect configure CloudFront to serve correct content per authentication status? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Configure CloudFront to forward the Authorization header to the origin for all requests; this disables CloudFront caching entirely for any request with an Authorization header, ensuring authenticated users always get fresh content from the origin. B Deploy a Lambda@Edge function on the CloudFront Viewer Request event that removes the Authentication cookie from anonymous requests, ensuring anonymous users receive the anonymous-user cached response from CloudFront. C Create a CloudFront Cache Policy that includes the Authorization header (or a session cookie) as a cache key component; CloudFront creates separate cache entries for different header/cookie values, ensuring authenticated and anonymous users receive different cached responses. D Disable CloudFront caching (TTL=0) for all dynamic content requests and use CloudFront only for SSL termination and DDoS protection via AWS Shield Standard, routing all requests to the origin.

57 / 60

Question 58 of 60

A company's DevOps team manages 500 EC2 instances across 20 AWS accounts. They need to run OS-level commands on all instances to collect a software inventory report within 30 minutes. The instances do not have SSH ports open. Which AWS Systems Manager feature executes commands across all instances without SSH? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Use AWS Systems Manager Run Command with the AWS-RunShellScript document; target all instances using instance IDs in a CSV list; Run Command sends commands over the SSM agent without requiring SSH. B Use AWS Systems Manager Session Manager to open browser-based shell sessions to each instance; run inventory collection scripts manually in each session to gather the required data. C Use AWS Systems Manager Run Command with the AWS-RunShellScript document, targeting instances using Resource Groups or the InstanceIds parameter set to '*'; use the AWS Organizations delegated administrator for Systems Manager to send Run Command across all 20 accounts simultaneously; collect results from the command invocation output. D Use AWS Systems Manager Inventory to automatically collect metadata (software, network config, OS info) from all managed instances; schedule inventory collection with a 30-minute association and aggregate results in the Systems Manager console across all accounts.

58 / 60

Question 59 of 60

A company's application on Lambda needs to access a private Amazon RDS database. Currently, Lambda connects to RDS using credentials stored in environment variables. The security team wants to enforce encrypted connections (TLS) and rotate credentials without redeployment. Which combination satisfies both requirements? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Deploy Lambda in a VPC and use a VPC endpoint for RDS to ensure the connection stays within the AWS network; use IAM database authentication to eliminate static credentials and ensure TLS by default with IAM auth tokens. B Configure Lambda to connect to RDS directly using the SSL CA bundle embedded in the Lambda deployment package; store credentials in Parameter Store SecureString and retrieve them at startup; implement a custom rotation script using EventBridge. C Use Amazon RDS Proxy in front of the RDS database; configure RDS Proxy to retrieve credentials from Secrets Manager with automatic rotation; enable TLS enforcement on the RDS Proxy endpoint; Lambda connects to the RDS Proxy endpoint, which handles credential refresh and TLS termination. D Enable RDS encryption at rest using AWS KMS and require TLS in the RDS parameter group (rds.force_ssl=1); store credentials in Secrets Manager without rotation; Lambda fetches credentials from Secrets Manager at each invocation.

59 / 60

Question 60 of 60

An architect reviews a company's AWS architecture and finds that all 50 EC2 instances in a VPC share a single, overly permissive security group that allows all inbound and outbound TCP traffic within the VPC CIDR (10.0.0.0/8). The company wants to enforce the principle of least privilege across the environment. What is the recommended approach to redesigning the security group architecture? (AWS Certified Solutions Architect â€” Associate, SAA-C03)

A Create one security group per application tier (web, app, database); configure each tier's security group to allow only the specific ports and protocols needed from the upstream tier, referenced by security group ID rather than CIDR. B Implement VPC Network ACLs (NACLs) at the subnet level to restrict traffic between tiers based on port and direction; remove the single permissive security group and rely on NACLs for all access control. C Create granular security groups per application function (web server, application server, cache, database, message queue), referencing upstream security groups as inbound sources on specific ports; implement a 'default deny' posture by removing all existing rules and adding only explicitly required allow rules. D Enable AWS Network Firewall in the VPC to enforce stateful deep packet inspection rules between all 50 EC2 instances, replacing the need for security groups entirely.

60 / 60