A company wants to back up its on-premises virtual machines (VMs) to AWS. The company's backup solution exports on-premises backups to an Amazon S3 bucket as objects. The S3 backups must be retained for 30 days and must be automatically deleted after 30 days.
Which combination of steps will meet these requirements? (Choose three.)
A. Create an S3 bucket that has S3 Object Lock enabled.
B. Create an S3 bucket that has object versioning enabled.
C. Configure a default retention period of 30 days for the objects.
D. Configure an S3 Lifecycle policy to protect the objects for 30 days.
E. Configure an S3 Lifecycle policy to expire the objects after 30 days.
F. Configure the backup solution to tag the objects with a 30-day retention period.
A. Create an S3 bucket that has S3 Object Lock enabled.
C. Configure a default retention period of 30 days for the objects.
E. Configure an S3 Lifecycle policy to expire the objects after 30 days.
Question 1082:
A solutions architect is provisioning an Amazon Elastic File System (Amazon EFS) file system to provide shared storage across multiple Amazon EC2 instances. The instances all exist in the same VPC across multiple Availability Zones. There are two instances in each Availability Zone. The solutions architect must make the file system accessible to each instance with the lowest possible latency.
Which solution will meet these requirements?
A. Create a mount target for the EFS file system in the VPC. Use the mount target to mount the file system on each of the instances.
B. Create a mount target for the EFS file system in one Availability Zone of the VPC. Use the mount target to mount the file system on the instances in that Availability Zone. Share the directory with the other instances.
C. Create a mount target for each instance. Use each mount target to mount the EFS file system on each respective instance.
D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
D. Create a mount target in each Availability Zone of the VPC. Use the mount target to mount the EFS file system on the instances in the respective Availability Zone.
Explanation
Amazon EFS requires a mount target in each Availability Zone where EC2 instances access the file system. This is because each mount target provides an elastic network interface in the subnet and AZ, reducing network latency by allowing EC2 instances to communicate locally with the EFS mount target.
Creating a mount target in each AZ optimizes file system access performance and availability. Instances mount the EFS file system via the mount target in their respective AZ, which provides the lowest possible latency and avoids cross-AZ traffic.
Option A, with only a single mount target in the VPC, will cause cross-AZ traffic for instances in other AZs, increasing latency and potentially incurring data transfer costs.
Option B is incomplete and introduces complexity with sharing directories across instances.
Option C is invalid because mount targets are per AZ and per subnet, not per instance.
A company wants to implement a backup strategy for Amazon EC2 data and multiple Amazon S3 buckets.
Because of regulatory requirements, the company must retain backup files for a specific time period. The company must not alter the files for the duration of the retention period.
Which solution will meet these requirements?
A. Use AWS Backup to create a backup vault that has a vault lock in governance mode. Create the required backup plan.
B. Use Amazon Data Lifecycle Manager to create the required automated snapshot policy.
C. Use Amazon S3 File Gateway to create the backup. Configure the appropriate S3 Lifecycle management.
D. Use AWS Backup to create a backup vault that has a vault lock in compliance mode. Create the required backup plan.
D. Use AWS Backup to create a backup vault that has a vault lock in compliance mode. Create the required backup plan.
Question 1084:
A company hosts an industrial control application that receives sensor input through Amazon Kinesis Data Streams. The application needs to support new sensors for real-time anomaly detection in monitored equipment. The company wants to integrate new sensors in a loosely coupled, fully managed, and serverless way. The company cannot modify the application code.
Which solution will meet these requirements?
A. Forward the existing stream in Kinesis Data Streams to Amazon Managed Service for Apache Flink for anomaly detection. Use a second stream in Kinesis Data Streams to send the Flink output to the application.
B. Use Amazon Data Firehose to stream data to Amazon S3. Use Amazon Redshift Spectrum to perform anomaly detection on the S3 data. Use S3 Event Notifications to invoke an AWS Lambda function that sends analyzed data to the application through a second stream in Kinesis Data Streams.
C. Configure Amazon EC2 instances in an Auto Scaling group to consume data from the data stream and to perform anomaly detection. Create a second stream in Kinesis Data Streams to send data from the EC2 instances to the application.
D. Configure an Amazon Elastic Container Service (Amazon ECS) task that uses Amazon EC2 instances to consume data from the data stream and to perform anomaly detection. Create a second stream in Kinesis Data Streams to send data from the containers to the application.
A. Forward the existing stream in Kinesis Data Streams to Amazon Managed Service for Apache Flink for anomaly detection. Use a second stream in Kinesis Data Streams to send the Flink output to the application.
Explanation
Amazon Managed Service for Apache Flink (formerly Kinesis Data Analytics) is a fully managed, serverless service for real-time processing of streaming data. You can consume data from Kinesis Data Streams, perform anomaly detection, and then output the results to another Kinesis stream. This approach is loosely coupled, fully managed, and does not require modifying the application code.
AWS Documentation Extract:
"Amazon Managed Service for Apache Flink enables you to process streaming data in real time, integrating with Kinesis Data Streams as source and sink, and is fully managed and serverless." (Source: Apache Flink on AWS documentation)
Option B: S3/Redshift is not real-time and adds complexity.
Option C, Option D: EC2/ECS solutions are not serverless or fully managed.
References:
AWS Certified Solutions Architect Official Study Guide, Real-Time Analytics.
Question 1085:
A company has a workload in an AWS Region. Customers connect to and access the workload by using an Amazon API Gateway REST API. The company uses Amazon Route 53 as its DNS provider. The company wants to provide individual and secure URLs for all customers.
Which combination of steps will meet these requirements with the MOST operational efficiency? (Choose three.)
A. Register the required domain in a registrar. Create a wildcard custom domain name in a Route 53 hosted zone and record in the zone that points to the API Gateway endpoint.
B. Request a wildcard certificate that matches the domains in AWS Certificate Manager (ACM) in a different Region.
C. Create hosted zones for each customer as required in Route 53. Create zone records that point to the API Gateway endpoint.
D. Request a wildcard certificate that matches the custom domain name in AWS Certificate Manager (ACM) in the same Region.
E. Create multiple API endpoints for each customer in API Gateway.
F. Create a custom domain name in API Gateway for the REST API. Import the certificate from AWS Certificate Manager (ACM).
A. Register the required domain in a registrar. Create a wildcard custom domain name in a Route 53 hosted zone and record in the zone that points to the API Gateway endpoint.
D. Request a wildcard certificate that matches the custom domain name in AWS Certificate Manager (ACM) in the same Region.
F. Create a custom domain name in API Gateway for the REST API. Import the certificate from AWS Certificate Manager (ACM).
Question 1086:
A company is designing the network for an online multi-player game. The game uses the UDP networking protocol and will be deployed in eight AWS Regions. The network architecture needs to minimize latency and packet loss to give end users a high-quality gaming experience.
Which solution will meet these requirements?
A. Set up a transit gateway in each Region. Create inter-Region peering attachments between each transit gateway.
B. Set up AWS Global Accelerator with UDP listeners and endpoint groups in each Region.
C. Set up Amazon CloudFront with UDP turned on. Configure an origin in each Region.
D. Set up a VPC peering mesh between each Region. Turn on UDP for each VPC.
B. Set up AWS Global Accelerator with UDP listeners and endpoint groups in each Region.
Question 1087:
A company uses an Amazon EC2 Auto Scaling group to host an API. The EC2 instances are in a target group that is associated with an Application Load Balancer (ALB). The company stores data in an Amazon Aurora PostgreSQL database.
The API has a weekly maintenance window. The company must ensure that the API returns a static maintenance response during the weekly maintenance window.
Which solution will meet this requirement with the LEAST operational overhead?
A. Create a table in Aurora PostgreSQL that has fields to contain keys and values. Create a key for a maintenance flag. Set the flag when the maintenance window starts. Configure the API to query the table for the maintenance flag and to return a maintenance response if the flag is set. Reset the flag when the maintenance window is finished.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Subscribe the EC2 instances to the queue. Publish a message to the queue when the maintenance window starts. Configure the API to return a maintenance message if the instances receive a maintenance start message from the queue. Publish another message to the queue when the maintenance window is finished to restore normal operation.
C. Create a listener rule on the ALB to return a maintenance response when the path on a request matches a wildcard. Set the rule priority to one. Perform the maintenance. When the maintenance window is finished, delete the listener rule.
D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Subscribe the EC2 instances to the topic. Publish a message to the topic when the maintenance window starts. Configure the API to return a maintenance response if the instances receive the maintenance start message from the topic. Publish another message to the topic when the maintenance window finishes to restore normal operation.
C. Create a listener rule on the ALB to return a maintenance response when the path on a request matches a wildcard. Set the rule priority to one. Perform the maintenance. When the maintenance window is finished, delete the listener rule.
Explanation
Creating a listener rule on the Application Load Balancer (ALB) to return a maintenance response during the maintenance window is the most straightforward solution with the least operational overhead. The rule can be configured to match all incoming requests and return a custom response, and it can be easily removed once maintenance is complete.
Option A (Aurora table flag): This adds unnecessary complexity for a temporary maintenance response.
Option B and D (SQS or SNS): These options introduce more components than needed for a simple maintenance message.
Question 1088:
A company runs its critical database on an Amazon RDS for PostgreSQL DB instance. The company wants to migrate to Amazon Aurora PostgreSQL with minimal downtime and data loss.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a DB snapshot of the RDS for PostgreSQL DB instance to populate a new Aurora PostgreSQL DB cluster.
B. Create an Aurora read replica of the RDS for PostgreSQL DB instance. Promote the Aurora read replica to a new Aurora PostgreSQL DB cluster.
C. Use data import from Amazon S3 to migrate the database to an Aurora PostgreSQL DB cluster.
D. Use the pg_dump utility to back up the RDS for PostgreSQL database. Restore the backup to a new Aurora PostgreSQL DB cluster.
B. Create an Aurora read replica of the RDS for PostgreSQL DB instance. Promote the Aurora read replica to a new Aurora PostgreSQL DB cluster.
Question 1089:
A company hosts an application used to upload files to an Amazon S3 bucket. Once uploaded, the files are processed to extract metadata, which takes less than 5 seconds. The volume and frequency of the uploads varies from a few files each hour to hundreds of concurrent uploads. The company has asked a solutions architect to design a cost-effective architecture that will meet these requirements.
What should the solutions architect recommend?
A. Configure AWS CloudTrail trails to log S3 API calls. Use AWS AppSync to process the files.
B. Configure an object-created event notification within the S3 bucket to invoke an AWS Lambda function to process the files.
C. Configure Amazon Kinesis Data Streams to process and send data to Amazon S3. Invoke an AWS Lambda function to process the files.
D. Configure an Amazon Simple Notification Service (Amazon SNS) topic to process the files uploaded to Amazon S3. Invoke an AWS Lambda function to process the files.
B. Configure an object-created event notification within the S3 bucket to invoke an AWS Lambda function to process the files.
Question 1090:
A company generates SSL certificates from a third-party provider. The company imports the certificates into AWS Certificate Manager (ACM) to use with public web applications.
A solutions architect must implement a solution to notify the company's security team 30 days before an imported certificate expires. The company already has an Amazon Simple Queue Service (Amazon SQS) queue. The company also has an Amazon Simple Notification Service (Amazon SNS) topic that has the security team's email address as a subscriber.
Which solution will provide the security team with the required notification about certificates?
A. Create an AWS Lambda function to scan for expiring certificates. Program the Lambda function to list the certificates in a JSON message and to deliver the message to the SQS queue.
B. Create an AWS Lambda function to scan for expiring certificates. Program the Lambda function to list the certificates in a JSON message and to deliver the message to the SNS topic.
C. Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SQS queue as the rule's target.
D. Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SNS topic as the rule's target.
D. Create an Amazon EventBridge rule that specifies the ACM Certificate Approaching Expiration event type. Set the SNS topic as the rule's target.
Explanation
The requirement is an automated notification 30 days before an imported ACM certificate expires, delivered to the security team via an existing SNS topic with email subscription. The most operationally efficient approach is to use Amazon EventBridge with the managed event type for ACM certificate expiration. ACM publishes an event when a certificate is approaching expiration, and EventBridge can match that event and route it directly to a target service without custom polling logic.
Option D uses an EventBridge rule for the ACM Certificate Approaching Expiration event and sets the SNS topic as the target. This directly delivers an alert to the existing notification channel (email via SNS) and requires minimal code and minimal ongoing maintenance. It also avoids building and scheduling a scanner that must enumerate certificates, calculate dates, handle pagination, and manage failures.
Option C sends the event to SQS. While SQS is useful for decoupling and buffering, the requirement is to notify the security team, and SNS is already configured for email delivery. Using SQS would add an extra consumer component to read from the queue and publish notifications, which is additional operational overhead.
Options A and B require a custom Lambda-based scanning solution. That introduces scheduling (for example, EventBridge schedule), logic to detect "30 days remaining," error handling, and ongoing maintenance. Since ACM already emits a purpose-built event for expiring certificates, polling is unnecessary and less efficient.
Therefore, D is the best solution: it uses a native event from ACM, routes it through EventBridge, and notifies the security team through the existing SNS topic with the least operational effort.