A company has deployed a serverless application that invokes an AWS Lambda function when new documents are uploaded to an Amazon S3 bucket. The application uses the Lambda function to process the documents. After a recent marketing campaign, the company noticed that the application did not process many of the documents.
What should a solutions architect do to improve the architecture of this application?
A. Set the Lambda function's runtime timeout value to 15 minutes. B. Configure an S3 bucket replication policy. Stage the documents in the S3 bucket for later processing. C. Deploy an additional Lambda function. Load balance the processing of the documents across the two Lambda functions. D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send the requests to the queue. Configure the queue as an event source for Lambda.
D. Create an Amazon Simple Queue Service (Amazon SQS) queue. Send the requests to the queue. Configure the queue as an event source for Lambda.
Question 1222:
A company is developing a containerized web application that needs to be highly available and scalable.
The application requires access to GPU resources.
Which solution will meet these requirements?
A. Package the application as an AWS Lambda function in a container image. Use Lambda to run the containerized application on a runtime with GPU access. B. Deploy the application container to Amazon Elastic Kubernetes Service (Amazon EKS). Use AWS Fargate to manage compute resources and access to GPU resources. C. Deploy the application container to Amazon Elastic Container Registry (Amazon ECR). Use Amazon ECR to run the containerized application with an attached GPU. D. Run the application on Amazon EC2 instances from a GPU instance family by using Amazon Elastic Container Service (Amazon ECS) for orchestration.
D. Run the application on Amazon EC2 instances from a GPU instance family by using Amazon Elastic Container Service (Amazon ECS) for orchestration.
Explanation
Why Option D is Correct:
GPU Access: Only EC2 instances in the GPU family (e.g., P2, P3) can provide GPU resources.
ECS Orchestration: Simplifies container deployment and management.
Why other options are not correct:
Option A: Lambda does not support GPU-based runtimes.
Option B: AWS Fargate does not support GPU-based workloads.
Option C: ECR is a container registry, not an orchestration or execution service.
References:
Amazon ECS with GPU Instances: AWS Documentation - ECS GPU Instances
Question 1223:
A company has migrated an application to Amazon EC2 Linux instances. One of these EC2 instances runs several 1-hour tasks on a schedule. These tasks were written by different teams and have no common programming language. The company is concerned about performance and scalability while these tasks run on a single instance. A solutions architect needs to implement a solution to resolve these concerns.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Batch to run the tasks as jobs. Schedule the jobs by using Amazon EventBridge (Amazon CloudWatch Events). B. Convert the EC2 instance to a container. Use AWS App Runner to create the container on demand to run the tasks as jobs. C. Copy the tasks into AWS Lambda functions. Schedule the Lambda functions by using Amazon EventBridge (Amazon CloudWatch Events). D. Create an Amazon Machine Image (AMI) of the EC2 instance that runs the tasks. Create an Auto Scaling group with the AMI to run multiple copies of the instance.
A. Use AWS Batch to run the tasks as jobs. Schedule the jobs by using Amazon EventBridge (Amazon CloudWatch Events).
Question 1224:
An ecommerce company has an application that collects order-related information from customers. The company uses one Amazon DynamoDB table to store customer home addresses, phone numbers, and email addresses. Customers can check out without creating an account. The application copies the customer information to a second DynamoDB table if a customer does create an account.
The company requires a solution to delete personally identifiable information (PII) for customers who did not create an account within 28 days.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create an AWS Lambda function to delete items from the first DynamoDB table that have a delivery date more than 28 days in the past. Use a scheduled Amazon EventBridge rule to run the Lambda function every day. B. Update the application to store PII in an Amazon S3 bucket. Create an S3 Lifecycle rule to expire the objects after 28 days. Move the data to DynamoDB when a user creates an account. C. Launch an Amazon EC2 instance. Configure a daily cron job to run on the instance. Configure the cron job to use AWS CLI commands to delete items from DynamoDB. D. Use a createdAt timestamp to set TTL for data in the first DynamoDB table to 28 days.
D. Use a createdAt timestamp to set TTL for data in the first DynamoDB table to 28 days.
Explanation
DynamoDB has a built-in feature called Time to Live (TTL) which automatically deletes expired items without manual intervention. This requires adding a timestamp attribute and setting a TTL on the table.
This is the lowest operational overhead approach.
"You can use DynamoDB TTL to automatically delete items after a specified time, reducing storage costs and administrative overhead."
-- DynamoDB TTL
Question 1225:
An application runs on an Amazon EC2 instance that has an Elastic IP address in VPC A. The application requires access to a database in VPC B. Both VPCs are in the same AWS account.
Which solution will provide the required access MOST securely?
B. Proxy all requests through the new EC2 instance. C. Make the DB instance publicly accessible. Assign a public IP address to the DB instance. D. Launch an EC2 instance with an Elastic IP address into VPC
B. Proxy all requests through the new EC2 instance.
Question 1226:
A company stores a file in an S3 bucket containing IP allow/deny lists. The file must be accessible via an HTTP endpoint. Firewalls outside AWS must read the file. The company wants to restrict access to only the firewall IP addresses.
The S3 Block Public Access feature is enabled on the account.
Which solution meets these requirements?
A. Host the bucket as a static website and restrict access by IP. B. Create a bucket policy that explicitly allows access only from the firewall IP addresses. C. Create a CloudFront distribution with the S3 bucket as the origin. Use an origin access control (OAC) that allows access only from the firewall IP addresses. D. Create a Lambda function to validate IP addresses and return the lists.
B. Create a bucket policy that explicitly allows access only from the firewall IP addresses.
Explanation
S3 Block Public Access only blocks public access--not explicitly allowed access.
An S3 bucket policy can explicitly permit access only from specific source IP addresses using the aws:SourceIp condition. This allows secure, direct HTTP access to the S3 object from known firewall IP addresses.
Static website hosting (Option A) requires the bucket to be public and is blocked by the enabled S3 Block Public Access setting.
CloudFront with OAC (Option C) is unnecessary and adds cost and complexity.
Lambda (Option D) introduces operational overhead and is not needed since S3 policies can enforce IP restrictions directly.
Question 1227:
A company's solutions architect is building a static website to be deployed in Amazon S3 for a production environment. The website integrates with an Amazon Aurora PostgreSQL database by using an AWS Lambda function. The website that is deployed to production will use a Lambda alias that points to a specific version of the Lambda function.
The company must rotate the database credentials every 2 weeks. Lambda functions that the company deployed previously must be able to use the most recent credentials.
Which solution will meet these requirements?
A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager. B. Include the database credentials as part of the Lambda function code. Update the credentials periodically and deploy the new Lambda function. C. Use Lambda environment variables. Update the environment variables when new credentials are available. D. Store the database credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Systems Manager Parameter Store.
A. Store the database credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve the credentials from Secrets Manager.
Explanation
AWS Secrets Manager is the managed service for securely storing, rotating, and retrieving database credentials. When you store Aurora credentials in Secrets Manager and enable automatic rotation, Secrets Manager updates the credentials in both the database and the stored secret.
Each Lambda function version or alias can call Secrets Manager at runtime to retrieve the current secret value, so even older deployed Lambda versions that use an alias will always obtain the most recent credentials without redeployment.
Why others are not suitable:
Option B: Embeds credentials in code, requiring redeployment on every rotation and violating security best practices.
Option C: Environment variables are version-specific; old aliases would continue using outdated values unless you redeploy or change them.
Option D: Parameter Store can store and rotate secrets but is less integrated for database credential rotation than Secrets Manager; Secrets Manager is the purpose-built minimal-overhead choice here.
Question 1228:
A solutions architect is building a static website hosted on Amazon S3. The website uses an Amazon Aurora PostgreSQL database accessed through an AWS Lambda function. The production website uses a Lambda alias that points to a specific version of the Lambda function. Database credentials must rotate every 2 weeks. Previously deployed Lambda versions must always use the most recent credentials.
Which solution will meet these requirements?
A. Store credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve credentials from Secrets Manager. B. Include the credentials in the Lambda function code and update the function regularly. C. Use Lambda environment variables and update them when new credentials are available. D. Store credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code to retrieve credentials from Parameter Store.
A. Store credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve credentials from Secrets Manager.
Explanation
AWS Secrets Manager is the recommended service for storing database credentials and performing automated rotation. Any Lambda function version or alias can fetch the latest secret value at runtime, ensuring no outdated credentials exist in deployed versions.
Environment variables (Option C) are static per version. Embedding credentials in code (Option B) is insecure and requires redeployment. Parameter Store (Option D) supports rotation but requires more configuration and is not as seamless as Secrets Manager for database credential rotation.
Question 1229:
A healthcare company uses an Amazon EMR cluster to process patient data. The data must be encrypted in transit and at rest. Local volumes in the cluster also need to be encrypted.
Which solution will meet these requirements?
A. Create Amazon EBS volumes. Enable encryption. Attach the volumes to the existing EMR cluster. B. Create an EMR security configuration that encrypts the data and the volumes as required. C. Create an EC2 instance profile for the EMR instances. Configure the instance profile to enforce encryption. D. Create a runtime role that has a trust policy for the EMR cluster.
B. Create an EMR security configuration that encrypts the data and the volumes as required.
Explanation
Amazon EMR allows the creation of security configurations to specify settings for encrypting data at rest, data in transit, or both. These configurations can be applied to clusters to ensure that data stored in Amazon S3, local disks, and data moving between nodes is encrypted.
By creating and applying an EMR security configuration, the company can ensure that all data processing complies with encryption requirements for sensitive patient data.
Question 1230:
A company maintains an Amazon RDS database that maps users to cost centers. The company has accounts in an organization in AWS Organizations. The company needs a solution that will tag all resources that are created in a specific AWS account in the organization. The solution must tag each resource with the cost center ID of the user who created the resource.
Which solution will meet these requirements?
A. Move the specific AWS account to a new organizational unit (OU) in Organizations from the management account. Create a service control policy (SCP) that requires all existing resources to have the correct cost center tag before the resources are created. Apply the SCP to the new OU. B. Create an AWS Lambda function to tag the resources after the Lambda function looks up the appropriate cost center from the RDS database. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function. C. Create an AWS CloudFormation stack to deploy an AWS Lambda function. Configure the Lambda function to look up the appropriate cost center from the RDS database and to tag resources. Create an Amazon EventBridge scheduled rule to invoke the CloudFormation stack. D. Create an AWS Lambda function to tag the resources with a default value. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function when a resource is missing the cost center tag.
B. Create an AWS Lambda function to tag the resources after the Lambda function looks up the appropriate cost center from the RDS database. Configure an Amazon EventBridge rule that reacts to AWS CloudTrail events to invoke the Lambda function.