Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 1021:

  A company hosts its web applications in the AWS Cloud. The company configures Elastic Load Balancers to use certificates that are imported into AWS Certificate Manager (ACM). The company's security team must be notified 30 days before the expiration of each certificate.

  What should a solutions architect recommend to meet this requirement?

  A. Add a rule in ACM to publish a custom message to an Amazon Simple Notification Service (Amazon SNS) topic every day, beginning 30 days before any certificate will expire.
  B. Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.
  C. Use AWS Trusted Advisor to check for certificates that will expire within 30 days. Create an Amazon CloudWatch alarm that is based on Trusted Advisor metrics for check status changes. Configure the alarm to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
  D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to detect any certificates that will expire within 30 days. Configure the rule to invoke an AWS Lambda function. Configure the Lambda function to send a custom alert by way of Amazon Simple Notification Service (Amazon SNS).
  B. Create an AWS Config rule that checks for certificates that will expire within 30 days. Configure Amazon EventBridge (Amazon CloudWatch Events) to invoke a custom alert by way of Amazon Simple Notification Service (Amazon SNS) when AWS Config reports a noncompliant resource.

• Question 1022:

  A solutions architect is creating a data processing job that runs once daily and can take up to 2 hours to complete. If the job is interrupted, it has to restart from the beginning.

  How should the solutions architect address this issue in the MOST cost-effective manner?

  A. Create a script that runs locally on an Amazon EC2 Reserved Instance that is triggered by a cron job.
  B. Create an AWS Lambda function triggered by an Amazon EventBridge scheduled event.
  C. Use an Amazon Elastic Container Service (Amazon ECS) Fargate task triggered by an Amazon EventBridge scheduled event.
  D. Use an Amazon Elastic Container Service (Amazon ECS) task running on Amazon EC2 triggered by an Amazon EventBridge scheduled event.
  C. Use an Amazon Elastic Container Service (Amazon ECS) Fargate task triggered by an Amazon EventBridge scheduled event.

• Question 1023:

  A company stores a large volume of image files in an Amazon S3 bucket. The images need to be readily available for the first 180 days. The images are infrequently accessed for the next 180 days. After 360 days, the images need to be archived but must be available instantly upon request. After 5 years, only auditors can access the images. The auditors must be able to retrieve the images within 12 hours. The images cannot be lost during this process.

  A developer will use S3 Standard storage for the first 180 days. The developer needs to configure an S3 Lifecycle rule.

  Which solution will meet these requirements MOST cost-effectively?

  A. Transition the objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 180 days. S3 Glacier Instant Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years.
  B. Transition the objects to S3 One Zone-Infrequent Access (S3 One Zone-IA) after 180 days. S3 Glacier Flexible Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years.
  C. Transition the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 180 days, S3 Glacier Instant Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years.
  D. Transition the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 180 days, S3 Glacier Flexible Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years.
  C. Transition the objects to S3 Standard-Infrequent Access (S3 Standard-IA) after 180 days, S3 Glacier Instant Retrieval after 360 days, and S3 Glacier Deep Archive after 5 years.

• Question 1024:

  A company runs demonstration environments for its customers on Amazon EC2 instances. Each environment is isolated in its own VPC. The company's operations team needs to be notified when RDP or SSH access to an environment has been established.

  Which solution will meet this requirement?

  A. Configure Amazon CloudWatch Application Insights to create AWS Systems Manager OpsItems when RDP or SSH access is detected.
  B. Configure the EC2 instances with an IAM instance profile that has an IAM role with the AmazonSSMManagedInstanceCore policy attached.
  C. Publish VPC flow logs to Amazon CloudWatch Logs. Create required metric filters. Create an Amazon CloudWatch metric alarm with a notification action for when the alarm is in the ALARM state.
  D. Configure an Amazon EventBridge rule to listen for events of type EC2 Instance State-change Notification. Configure an Amazon Simple Notification Service (Amazon SNS) topic as a target. Subscribe the operations team to the topic.
  C. Publish VPC flow logs to Amazon CloudWatch Logs. Create required metric filters. Create an Amazon CloudWatch metric alarm with a notification action for when the alarm is in the ALARM state.

• Question 1025:

  An ecommerce company experiences a surge in mobile application traffic every Monday at 8 AM during the company's weekly sales events. The application's backend uses an Amazon API Gateway HTTP API and AWS Lambda functions to process user requests. During peak sales periods, users report encountering TooManyRequestsException errors from the Lambda functions. The errors result in a degraded user experience. A solutions architect needs to design a scalable and resilient solution that minimizes the errors and ensures that the application's overall functionality remains unaffected.

  Which solution will meet these requirements?

  A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send user requests to the SQS queue. Configure the Lambda function with provisioned concurrency. Set the SQS queue as the event source trigger.
  B. Use AWS Step Functions to orchestrate and process user requests. Configure Step Functions to invoke the Lambda functions and to manage the request flow.
  C. Create an Amazon Simple Notification Service (Amazon SNS) topic. Send user requests to the SNS topic. Configure the Lambda functions with provisioned concurrency. Subscribe the functions to the SNS topic.
  D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send user requests to the SQS queue. Configure the Lambda functions with reserved concurrency. Set the SQS queue as the event source trigger for the functions.
  A. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send user requests to the SQS queue. Configure the Lambda function with provisioned concurrency. Set the SQS queue as the event source trigger.

  ---

  Explanation

  TooManyRequestsException errors occur when Lambda exceeds concurrency limits. The recommended pattern is to use Amazon SQS with Lambda to decouple and buffer traffic, ensuring that bursts of requests are queued and processed smoothly. Enabling provisioned concurrency for Lambda ensures that functions are pre-initialized and ready to handle spikes in load with low latency. Step Functions (B) is designed for workflow orchestration, not high-throughput request buffering. SNS with Lambda (C) does not provide buffering and may overwhelm Lambda during bursts. Reserved concurrency (D) limits function scaling instead of improving resilience. Therefore, option A provides a scalable and resilient solution, minimizing errors during traffic surges.

  References:

  AWS Lambda Developer Guide -- Provisioned concurrency and scaling with SQS?Amazon SQS User Guide -- Using Lambda with Amazon SQS?AWS Well-Architected Framework -- Reliability Pillar

• Question 1026:

  A company plans to use an Amazon S3 bucket to archive backup data. Regulations require the company to retain the backup data for 7 years.

  During the retention period, the company must prevent users, including administrators, from deleting the data.

  The company can delete the data after 7 years.

  Which solution will meet these requirements?

  A. Create an S3 bucket policy that denies delete operations for 7 years. Create an S3 Lifecycle policy to delete the data after 7 years.
  B. Create an S3 Object Lock default retention policy that retains data for 7 years in governance mode. Create an S3 Lifecycle policy to delete the data after 7 years.
  C. Create an S3 Object Lock default retention policy that retains data for 7 years in compliance mode. Create an S3 Lifecycle policy to delete the data after 7 years.
  D. Create an S3 Batch Operations job to set a legal hold on each object for 7 years. Create an S3 Lifecycle policy to delete the data after 7 years.
  C. Create an S3 Object Lock default retention policy that retains data for 7 years in compliance mode. Create an S3 Lifecycle policy to delete the data after 7 years.

  ---

  Explanation

  The requirement is toprevent data deletion by any user, including administrators, for 7 years while allowing automatic deletion afterward.

  S3 Object Lock in Compliance Mode (Correct Choice - C)

  Compliance mode ensures that even the root user cannot delete or modify the objects during the retention period.

  After 7 years, the S3 Lifecycle policy automatically deletes the objects.

  This meets bothimmutability and automatic deletionrequirements.

  Governance Mode (Option B - Incorrect)

  Governance mode prevents deletion,but administrators can override it.

  The requirement explicitly states thateven administrators must not be able to delete the data.

  S3 Bucket Policy (Option A - Incorrect)

  An S3 bucket policy candeny deletes, but policies can be modified at any time by administrators.

  It does not enforce strict retention like Object Lock. S3 Batch Operations Job (Option D - Incorrect)

  A legal hold does not have an automatic expiration.

  Legal holds must be manually removed, which is not efficient.

  Why Option C is Correct:

  S3 Object Lock in Compliance Mode prevents deletion by all users, including administrators.

  The S3 Lifecycle policy deletes the data automatically after 7 years, reducing operational overhead.

  References:

  S3 Object Lock Compliance Mode

  S3 Lifecycle Policies

• Question 1027:

  A company uses AWS Organizations to run workloads within multiple AWS accounts. A tagging policy adds department tags to AWS resources when the company creates tags. An accounting team needs to determine spending on Amazon EC2 consumption. The accounting team must determine which departments are responsible for the costs regardless ofAWS account. The accounting team has access to AWS Cost Explorer for all AWS accounts within the organization and needs to access all reports from Cost Explorer.

  Which solution meets these requirements in the MOST operationally efficient way?

  A. From the Organizations management account billing console, activate a user-defined cost allocation tag named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.
  B. From the Organizations management account billing console, activate an AWS-defined cost allocation tag named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.
  C. From the Organizations member account billing console, activate a user-defined cost allocation tag named department. Create one cost report in Cost Explorer grouping by the tag name, and filter by EC2.
  D. From the Organizations member account billing console, activate an AWS-defined cost allocation tag named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.
  A. From the Organizations management account billing console, activate a user-defined cost allocation tag named department. Create one cost report in Cost Explorer grouping by tag name, and filter by EC2.

• Question 1028:

  A company requires centralized auditing for all AWS accounts and compliance monitoring against AWS Foundational Security Best Practices (FSBP) with minimal operational overhead.

  Which solution will meet these requirements?

  A. Deploy AWS Control Tower in the management account. Enable AWS Security Hub and Account Factory.
  B. Deploy AWS Control Tower in a member account.
  C. Use AWS Managed Services (AMS) with GuardDuty.
  D. Use AWS Managed Services (AMS) with Security Hub.
  A. Deploy AWS Control Tower in the management account. Enable AWS Security Hub and Account Factory.

  ---

  Explanation

  AWS Control Tower provides automatic account governance, centralized logging, CloudTrail aggregation, and integrates directly with AWS Security Hub, which evaluates compliance against FSBP standards. This is the lowest operational overhead AWS-native solution.

• Question 1029:

  A company is building an application that consists of several microservices. The company has decided to use container technologies to deploy its software on AWS. The company needs a solution that minimizes the amount of ongoing effort for maintenance and scaling. The company cannot manage additional infrastructure.

  Which combination of actions should a solutions architect take to meet these requirements? (Choose two.)

  A. Deploy an Amazon Elastic Container Service (Amazon ECS) cluster.
  B. Deploy the Kubernetes control plane on Amazon EC2 instances that span multiple Availability Zones.
  C. Deploy an Amazon Elastic Container Service (Amazon ECS) service with an Amazon EC2 launch type. Specify a desired task number level of greater than or equal to 2.
  D. Deploy an Amazon Elastic Container Service (Amazon ECS) service with a Fargate launch type. Specify a desired task number level of greater than or equal to 2.
  E. Deploy Kubernetes worker nodes on Amazon EC2 instances that span multiple Availability Zones. Create a deployment that specifies two or more replicas for each microservice.
  A. Deploy an Amazon Elastic Container Service (Amazon ECS) cluster.
  D. Deploy an Amazon Elastic Container Service (Amazon ECS) service with a Fargate launch type. Specify a desired task number level of greater than or equal to 2.

• Question 1030:

  A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 443.

  Which combination of steps will accomplish this task? (Choose two.)

  A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.
  B. Create a security group with a rule to allow TCP port 443 to destination 0.0.0.0/0.
  C. Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.
  D. Update the network ACL to allow inbound/outbound TCP port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0.
  E. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.
  A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.
  E. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.