Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 1191:

  A solutions architect is designing a new service behind Amazon API Gateway. The request patterns for the service will be unpredictable and can change suddenly from 0 requests to over 500 per second. The total size of the data that needs to be persisted in a backend database is currently less than 1 GB with unpredictable future growth. Data can be queried using simple key-value requests.

  Which combination ofAWS services would meet these requirements? (Choose two.)

  A. AWS Fargate
  B. AWS Lambda
  C. Amazon DynamoDB
  D. Amazon EC2 Auto Scaling
  E. MySQL-compatible Amazon Aurora
  B. AWS Lambda
  C. Amazon DynamoDB

• Question 1192:

  A company has an application that uses an Amazon RDS for PostgreSQL database. The company is developing an application feature that will store sensitive information for an individual in the database.

  During a security review of the environment, the company discovers that the RDS DB instance is not encrypting data at rest. The company needs a solution that will provide encryption at rest for all the existing data and for any new data that is entered for an individual.

  Which combination of steps should the company take to meet these requirements? (Choose Two.)

  A. Create a snapshot of the DB instance. Enable encryption on the snapshot. Use the encrypted snapshot to create a new DB instance. Adjust the application configuration to use the new DB instance.
  B. Create a snapshot of the DB instance. Create an encrypted copy of the snapshot. Use the encrypted snapshot to create a new DB instance. Adjust the application configuration to use the new DB instance.
  C. Modify the configuration of the DB instance by enabling encryption. Create a snapshot of the DB instance. Use the snapshot to create a new DB instance. Adjust the application configuration to use the new DB instance.
  D. Use AWS Key Management Service (AWS KMS) to create a new default AWS managed aws/rds key. Select this key as the encryption key for operations with Amazon RDS.
  E. Use AWS Key Management Service (AWS KMS) to create a new customer managed key. Select this key as the encryption key for operations with Amazon RDS.
  B. Create a snapshot of the DB instance. Create an encrypted copy of the snapshot. Use the encrypted snapshot to create a new DB instance. Adjust the application configuration to use the new DB instance.
  E. Use AWS Key Management Service (AWS KMS) to create a new customer managed key. Select this key as the encryption key for operations with Amazon RDS.

  ---

  Explanation

  Amazon RDS does not support enabling encryption at rest on an existing unencrypted DB instance. To encrypt an existing RDS instance's data at rest, the recommended method is to:

  Take a snapshot of the unencrypted DB instance.

  Create an encrypted copy of the snapshot using AWS KMS. This encrypted snapshot contains the existing data encrypted at rest.

  Restore a new DB instance from the encrypted snapshot. This new instance will have encryption at rest enabled.

  Additionally, to manage encryption keys securely, companies can use customer managed keys (CMKs) in AWS Key Management Service (KMS). CMKs provide greater control over key management policies, rotation, and usage permissions compared to default AWS managed keys. Using a CMK allows customization of access control and auditability.

  Option A is incorrect because you cannot enable encryption directly on a snapshot; you must create an encrypted copy.

  Option C is invalid because encryption cannot be enabled by modifying an existing instance's configuration.

  Option D refers to the default AWS managed key, which is less flexible than customer managed keys.

  References:

  Encrypting Amazon RDS Resources (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.html)

  Copying an Encrypted Snapshot (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_CopySnapshot.html)

  AWS KMS Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html)

  AWS Well-Architected Framework -- Security Pillar (https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf)

• Question 1193:

  A company hosts a three-tier web application that includes a PostgreSQL database. The database stores the metadata from documents. The company searches the metadata for key terms to retrieve documents that the company reviews in a report each month. The documents are stored in Amazon S3. The documents are usually written only once, but they are updated frequently. The reporting process takes a few hours with the use of relational queries. The reporting process must not prevent any document modifications or the addition of new documents. A solutions architect needs to implement a solution to speed up the reporting process.

  Which solution will meet these requirements with the LEAST amount of change to the application code?

  A. Set up a new Amazon DocumentDB (with MongoDB compatibility) cluster that includes a read replica. Scale the read replica to generate the reports.
  B. Set up a new Amazon Aurora PostgreSQL DB cluster that includes an Aurora Replica. Issue queries to the Aurora Replica to generate the reports.
  C. Set up a new Amazon RDS for PostgreSQL Multi-AZ DB instance. Configure the reporting module to query the secondary RDS node so that the reporting module does not affect the primary node.
  D. Set up a new Amazon DynamoDB table to store the documents. Use a fixed write capacity to support new document entries. Automatically scale the read capacity to support the reports.
  B. Set up a new Amazon Aurora PostgreSQL DB cluster that includes an Aurora Replica. Issue queries to the Aurora Replica to generate the reports.

• Question 1194:

  A company uses Amazon Elastic Kubernetes Service (Amazon EKS) to run a container application. The EKS cluster stores sensitive information in the Kubernetes secrets object. The company wants to ensure that the information is encrypted.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Use the container application to encrypt the information by using AWS Key Management Service (AWS KMS).
  B. Enable secrets encryption in the EKS cluster by using AWS Key Management Service (AWS KMS).
  C. Implement an AWS Lambda function to encrypt the information by using AWS Key Management Service (AWS KMS).
  D. Use AWS Systems Manager Parameter Store to encrypt the information by using AWS Key Management Service (AWS KMS).
  B. Enable secrets encryption in the EKS cluster by using AWS Key Management Service (AWS KMS).

• Question 1195:

  An ecommerce company is experiencing an increase in user traffic. The company's store is deployed on Amazon EC2 instances as a two-tier web application consisting of a web tier and a separate database tier.

  As traffic increases, the company notices that the architecture is causing significant delays in sending timely marketing and order confirmation email to users. The company wants to reduce the time it spends resolving complex email delivery issues and minimize operational overhead.

  What should a solutions architect do to meet these requirements?

  A. Create a separate application tier using EC2 instances dedicated to email processing.
  B. Configure the web instance to send email through Amazon Simple Email Service (Amazon SES).
  C. Configure the web instance to send email through Amazon Simple Notification Service (Amazon SNS).
  D. Create a separate application tier using EC2 instances dedicated to email processing. Place the instances in an Auto Scaling group.
  B. Configure the web instance to send email through Amazon Simple Email Service (Amazon SES).

• Question 1196:

  A solutions architect is designing the architecture for a software demonstration environment. The environment will run on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB). The system will experience significant increases in traffic during working hours but is not required to operate on weekends.

  Which combination of actions should the solutions architect take to ensure that the system can scale to meet demand? (Choose two.)

  A. Use AWS Auto Scaling to adjust the ALB capacity based on request rate.
  B. Use AWS Auto Scaling to scale the capacity of the VPC internet gateway.
  C. Launch the EC2 instances in multiple AWS Regions to distribute the load across Regions.
  D. Use a target tracking scaling policy to scale the Auto Scaling group based on instance CPU utilization.
  E. Use scheduled scaling to change the Auto Scaling group minimum, maximum, and desired capacity to zero for weekends. Revert to the default values at the start of the week.
  D. Use a target tracking scaling policy to scale the Auto Scaling group based on instance CPU utilization.
  E. Use scheduled scaling to change the Auto Scaling group minimum, maximum, and desired capacity to zero for weekends. Revert to the default values at the start of the week.

• Question 1197:

  A company uses AWS Lake Formation to govern its S3 data lake. It wants to visualize data in QuickSight by joining S3 data with Aurora MySQL operational data. The marketing team must see only specific columns.

  Which solution provides column-level authorization with the least operational overhead?

  A. Use EMR to ingest database data into SPICE with only required columns.
  B. Use AWS Glue Studio to ingest database data into S3 and use IAM policies for column control.
  C. Use AWS Glue Elastic Views to create materialized S3 views with column restrictions.
  D. Use a Lake Formation blueprint to ingest database data to S3. Use Lake Formation for column-level access control. Use Athena as the QuickSight data source.
  D. Use a Lake Formation blueprint to ingest database data to S3. Use Lake Formation for column-level access control. Use Athena as the QuickSight data source.

  ---

  Explanation

  AWS Lake Formation provides fine-grained (column-level) access control for data stored in S3. Using a Lake Formation blueprint ensures database ingestion is automated and governed.

  QuickSight can query Athena, and Athena honors Lake Formation permissions, enforcing column-level controls automatically.

  Options A, B, and C rely on manual filtering or IAM policies, which cannot enforce column-level authorization for SQL queries.

• Question 1198:

  A company uses Amazon S3 to store high-resolution pictures in an S3 bucket. To minimize application changes, the company stores the pictures as the latest version of an S3 object. The company needs to retain only the two most recent versions of the pictures.

  The company wants to reduce costs. The company has identified the S3 bucket as a large expense.

  Which solution will reduce the S3 costs with the LEAST operational overhead?

  A. Use S3 Lifecycle to delete expired object versions and retain the two most recent versions.
  B. Use an AWS Lambda function to check for older versions and delete all but the two most recent versions.
  C. Use S3 Batch Operations to delete noncurrent object versions and retain only the two most recent versions.
  D. Deactivate versioning on the S3 bucket and retain the two most recent versions.
  A. Use S3 Lifecycle to delete expired object versions and retain the two most recent versions.

• Question 1199:

  A solutions architect must migrate a Windows Internet Information Services (IIS) web application to AWS.

  The application currently relies on a file share hosted in the user's on-premises network-attached storage (NAS). The solutions architect has proposed migrating the IIS web servers to Amazon EC2 instances in multiple Availability Zones that are connected to the storage solution, and configuring an Elastic Load Balancer attached to the instances.

  Which replacement to the on-premises file share is MOST resilient and durable?

  A. Migrate the file share to Amazon RDS.
  B. Migrate the file share to AWS Storage Gateway.
  C. Migrate the file share to Amazon FSx for Windows File Server.
  D. Migrate the file share to Amazon Elastic File System (Amazon EFS).
  C. Migrate the file share to Amazon FSx for Windows File Server.

• Question 1200:

  A company stores data in Amazon S3. According to regulations, the data must not contain personally identifiable information (PII). The company recently discovered that S3 buckets have some objects that contain PII. The company needs to automatically detect PII in S3 buckets and to notify the company's security team.

  Which solution will meet these requirements?

  A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  B. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.
  C. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData:S3Object/Personal event type from Macie findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.
  D. Use Amazon GuardDuty. Create an Amazon EventBridge rule to filter the CRITICAL event type from GuardDuty findings and to send an Amazon Simple Queue Service (Amazon SQS) notification to the security team.
  A. Use Amazon Macie. Create an Amazon EventBridge rule to filter the SensitiveData event type from Macie findings and to send an Amazon Simple Notification Service (Amazon SNS) notification to the security team.