A company uses two AWS accounts named Account A and Account B. Account A hosts a data analytics application. Account B hosts a data lake in an Amazon S3 bucket. Data analysts in Account A need to access the data lake in Account B. The access solution must be secure, use temporary credentials, enforce the principle of least privilege, and avoid long-term access keys.
Which solution will meet these requirements?
A. Create IAM users in Account B and share the access keys for the users with analysts in Account A.
B. Use an S3 bucket policy to configure the S3 bucket in Account B to be publicly accessible.
C. Configure a resource-based policy for the S3 bucket in Account B to allow access from an IAM role in Account A.
D. Use a bastion host in Account B to proxy analyst requests from Account A through an Amazon EC2 instance.
C. Configure a resource-based policy for the S3 bucket in Account B to allow access from an IAM role in Account A.
Explanation
The correct answer is C because the company needs a secure cross-account access solution that uses temporary credentials, follows least privilege, and avoids long-term access keys. The best practice for this design is to allow an IAM role in Account A to access the Amazon S3 bucket in Account B through a resource-based bucket policy. Analysts or applications in Account A can assume the IAM role and receive temporary credentials through AWS Security Token Service (AWS STS), which satisfies the requirement to avoid permanent access keys.
This approach is secure because permissions can be scoped precisely to the required bucket and prefixes, supporting least-privilege access. It also avoids creating separate IAM users in Account B and eliminates the operational and security risks of sharing static credentials across accounts. Cross-account access through IAM roles and S3 bucket policies is the standard AWS pattern for securely granting one account access to resources in another account.
Option A is incorrect because creating IAM users and sharing access keys introduces long-term credentials, which the company explicitly wants to avoid.
Option B is incorrect because making the S3 bucket public violates security requirements and does not enforce least privilege.
Option D is incorrect because using a bastion host adds unnecessary infrastructure and operational overhead and is not the recommended approach for S3 access.
AWS security best practices favor role-based access with temporary credentials and resource policies for cross-account resource sharing. Therefore, configuring the S3 bucket policy in Account B to allow access from an IAM role in Account A is the most secure and appropriate solution.
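The pattern described above, as an added example that is not part of the original question set: a scoped S3 bucket policy in Account B that trusts a single IAM role in Account A, the matching identity policy for that role, and a small reviewer that flags the rejected designs (a public principal, an IAM user principal that implies static access keys, or wildcard actions and resources). Account IDs, the bucket name, the prefix and the role name are constructed placeholders.

```python
"""Cross-account S3 access through a bucket policy and an assumed role (added example)."""
import json
from typing import Any, Dict, List, Set

# Constructed placeholder values; the question names the accounts but gives no IDs.
ACCOUNT_A_ID = "111111111111"          # analysts' account (constructed)
ACCOUNT_B_ID = "222222222222"          # data lake account (constructed)
BUCKET = "example-data-lake"           # constructed bucket name
PREFIX = "analytics/"                  # constructed prefix the analysts may read
ANALYST_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A_ID}:role/DataLakeAnalyst"  # hypothetical role


def build_bucket_policy(bucket: str, role_arn: str, prefix: str) -> Dict[str, Any]:
    """Resource-based policy for the Account B bucket: one role, read-only, one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListScopedPrefix",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # Listing is limited to the agreed prefix, not the whole bucket.
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "AllowReadScopedObjects",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def build_role_policy(bucket: str, prefix: str) -> Dict[str, Any]:
    """Identity policy attached to the Account A role; both sides must allow the access."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, str) else list(value or [])


def _account_from_principal(principal: str) -> str:
    """Return the account ID in an ARN, or the value itself when it is a bare account ID."""
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) > 4 else ""


def review_bucket_policy(policy: Dict[str, Any], trusted_accounts: Set[str]) -> List[str]:
    """Return findings for Allow statements that break the least-privilege requirements."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, anyone on the internet can use this grant")
        elif isinstance(principal, dict):
            for p in _as_list(principal.get("AWS")):
                if _account_from_principal(p) not in trusted_accounts:
                    findings.append(f"{sid}: principal {p} is outside the trusted accounts")
                if ":user/" in p:
                    findings.append(f"{sid}: principal {p} is an IAM user; use a role so credentials are temporary")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: wildcard action grants more than read access")
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource"))):
            findings.append(f"{sid}: resource is not scoped to the data lake bucket")
    return findings


# The rejected "make the bucket public" design, constructed for comparison.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Public", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}

if __name__ == "__main__":
    good = build_bucket_policy(BUCKET, ANALYST_ROLE_ARN, PREFIX)
    print(json.dumps(good, indent=2))
    print("findings for scoped policy:", review_bucket_policy(good, {ACCOUNT_A_ID}))
    print("findings for public policy:", review_bucket_policy(PUBLIC_POLICY, {ACCOUNT_A_ID}))
```

The reviewer is a deliberately simple static check, not the IAM policy engine: it looks only at the fields the question turns on (who the principal is, whether the actions and resources are wildcarded) and is meant to run in a pipeline before a bucket policy is applied.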
Question 1282:
A company is building a serverless application to process clickstream data from its website. The clickstream data is sent to an Amazon Kinesis Data Streams data stream from the application web servers.
The company wants to enrich the clickstream data by joining the clickstream data with customer profile data from an Amazon Aurora Multi-AZ database. The company wants to use Amazon Redshift to analyze the enriched data. The solution must be highly available.
Which solution will meet these requirements?
A. Use an AWS Lambda function to process and enrich the clickstream data. Use the same Lambda function to write the clickstream data to Amazon S3. Use Amazon Redshift Spectrum to query the enriched data in Amazon S3.
B. Use an Amazon EC2 Spot Instance to poll the data stream and enrich the clickstream data. Configure the EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.
C. Use an Amazon Elastic Container Service (Amazon ECS) task with AWS Fargate Spot capacity to poll the data stream and enrich the clickstream data. Configure an Amazon EC2 instance to use the COPY command to send the enriched results to Amazon Redshift.
D. Use Amazon Kinesis Data Firehose to load the clickstream data from Kinesis Data Streams to Amazon S3. Use AWS Glue crawlers to infer the schema and populate the AWS Glue Data Catalog. Use Amazon Athena to query the raw data in Amazon S3.
A. Use an AWS Lambda function to process and enrich the clickstream data. Use the same Lambda function to write the clickstream data to Amazon S3. Use Amazon Redshift Spectrum to query the enriched data in Amazon S3.
Explanation
Option A is the best solution as it leverages AWS Lambda for serverless, scalable, and highly available processing and enrichment of clickstream data. Lambda can process the data in real time, join it with the Aurora database data, and write the enriched results to Amazon S3. From S3, Amazon Redshift Spectrum can directly query the enriched data without needing to load the data into Redshift, enabling cost efficiency and high availability.
Why other options are incorrect:
Option B: EC2 Spot Instances are not guaranteed to be highly available, as Spot Instances can be interrupted at any time. This does not align with the requirement for high availability.
Option C: While ECS with AWS Fargate provides scalability, using EC2 for the COPY command introduces operational overhead and compromises high availability.
Option D: Kinesis Data Firehose and Athena are suitable for querying raw data, but they do not directly support enriching the data by joining with Aurora. This solution fails to meet the requirement for data enrichment.
Key AWS Features Used:
AWS Lambda: Real-time serverless processing with integration capabilities for Aurora and S3.
Amazon S3: Cost-effective storage for enriched data.
Amazon Redshift Spectrum: Direct querying of data stored in S3 without loading it into Redshift.
Question 1283:
A company is designing an application where users upload small files into Amazon S3. After a user uploads a file, the file requires one-time simple processing to transform the data and save the data in JSON format for later analysis. Each file must be processed as quickly as possible after it is uploaded.
Demand will vary. On some days, users will upload a high number of files. On other days, users will upload a few files or no files.
Which solution meets these requirements with the LEAST operational overhead?
A. Configure Amazon EMR to read text files from Amazon S3. Run processing scripts to transform the data. Store the resulting JSON file in an Amazon Aurora DB cluster.
B. Configure Amazon S3 to send an event notification to an Amazon Simple Queue Service (Amazon SQS) queue. Use Amazon EC2 instances to read from the queue and process the data. Store the resulting JSON file in Amazon DynamoDB.
C. Configure Amazon S3 to send an event notification to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function to read from the queue and process the data. Store the resulting JSON file in Amazon DynamoDB.
D. Configure Amazon EventBridge (Amazon CloudWatch Events) to send an event to Amazon Kinesis Data Streams when a new file is uploaded. Use an AWS Lambda function to consume the event from the stream and process the data. Store the resulting JSON file in an Amazon Aurora DB cluster.
C. Configure Amazon S3 to send an event notification to an Amazon Simple Queue Service (Amazon SQS) queue. Use an AWS Lambda function to read from the queue and process the data. Store the resulting JSON file in Amazon DynamoDB.
Question 1284:
A company is deploying an application in three AWS Regions using an Application Load Balancer. Amazon Route 53 will be used to distribute traffic between these Regions.
Which Route 53 configuration should a solutions architect use to provide the MOST high-performing experience?
A. Create an A record with a latency policy.
B. Create an A record with a geolocation policy.
C. Create a CNAME record with a failover policy.
D. Create a CNAME record with a geoproximity policy.
A. Create an A record with a latency policy.
Question 1285:
A company has Amazon EC2 instances that run nightly batch jobs to process data. The EC2 instances run in an Auto Scaling group that uses On-Demand billing. If a job fails on one instance, another instance will reprocess the job. The batch jobs run between 12:00 AM and 06:00 AM local time every day.
Which solution will provide EC2 instances to meet these requirements MOST cost-effectively?
A. Purchase a 1-year Savings Plan for Amazon EC2 that covers the instance family of the Auto Scaling group that the batch job uses.
B. Purchase a 1-year Reserved Instance for the specific instance type and operating system of the instances in the Auto Scaling group that the batch job uses.
C. Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances. Set a policy to scale out based on CPU usage.
D. Create a new launch template for the Auto Scaling group. Increase the instance size. Set a policy to scale out based on CPU usage.
C. Create a new launch template for the Auto Scaling group. Set the instances to Spot Instances. Set a policy to scale out based on CPU usage.
Question 1286:
A company has users all around the world accessing its HTTP-based application deployed on Amazon EC2 instances in multiple AWS Regions. The company wants to improve the availability and performance of the application. The company also wants to protect the application against common web exploits that may affect availability, compromise security, or consume excessive resources. Static IP addresses are required.
What should a solutions architect recommend to accomplish this?
A. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the NLBs. Create an accelerator using AWS Global Accelerator and register the NLBs as endpoints.
B. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS WAF on the ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as endpoints.
C. Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the NLBs. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the NLBs.
D. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the ALBs. Deploy AWS WAF on the CloudFront distribution.
B. Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS WAF on the ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as endpoints.
Question 1287:
A company has hired an external vendor to work in the company's AWS account. The vendor uses an automated tool that the vendor hosts in its own AWS account. The vendor does not have IAM access to the company's AWS account. A solutions architect needs to grant access to the vendor.
Which solution will meet these requirements MOST securely?
A. Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the new IAM role to grant the permissions that the vendor requires.
B. Create an IAM user in the company's account with a password. Attach the appropriate IAM policies to the IAM user.
C. Create an IAM group in the company's account. Add the IAM user for the vendor's automated tool from the vendor account to the IAM group. Attach policies to the group.
D. Create a new identity provider (IdP) of provider type AWS account. Supply the vendor's AWS account ID and username. Attach policies to the IdP.
A. Create an IAM role in the company's account to delegate access to the vendor's IAM role. Attach the appropriate IAM policies to the new IAM role to grant the permissions that the vendor requires.
Explanation
The most secure way to grant an external vendor's AWS-hosted automation tool access into a company AWS account is to use cross-account IAM role assumption.
Option A follows the standard AWS pattern: the company creates an IAM role in its own account that has only the permissions the vendor needs, and the role's trust policy allows the vendor's IAM role (in the vendor's AWS account) to assume it. This approach avoids creating long-lived credentials in the company account and supports least privilege, auditing, and easy revocation.
With role assumption, the vendor continues to authenticate in its own AWS account and uses AWS STS to obtain temporary credentials when accessing the company account. Temporary credentials reduce exposure compared to access keys because they expire automatically and can be constrained with session duration, external IDs (where appropriate), and conditions. The company retains full control over permissions through the role policy, and CloudTrail can record AssumeRole events and subsequent API activity for auditing.
Option B is less secure because it creates an IAM user in the company account and would typically require managing long-lived credentials for the vendor tool, increasing the risk of leakage and ongoing operational overhead.
Option C is not valid because IAM users are not shared across accounts; you cannot "add" a user from another account into an IAM group in your account.
Option D is incorrect because "AWS account" is not a typical IAM identity provider type for this purpose; cross-account access is done through role trust policies, not by creating an IdP with an AWS account ID and username.
Therefore, A is the most secure solution because it uses short-lived credentials, enforces least privilege, centralizes control in the company account, and provides strong auditability without issuing permanent access keys.
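The trust relationship described in this explanation, as an added example that is not part of the original question set: the trust policy the company attaches to its role (trusting only the vendor's role and requiring an external ID), a small model of how that trust policy is evaluated so the effect of the external ID and of an unexpected caller is visible offline, and the STS call the vendor's tool would make. The account IDs, role names and external ID are constructed placeholders, and the evaluator models only the fields shown, not the full IAM engine.

```python
"""Vendor access through an IAM role with an external ID (added example)."""
from typing import Any, Dict, List, Optional

COMPANY_ACCOUNT_ID = "111111111111"   # constructed
VENDOR_ACCOUNT_ID = "999999999999"    # constructed
VENDOR_ROLE_ARN = f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:role/AutomationTool"  # hypothetical
COMPANY_ROLE_ARN = f"arn:aws:iam::{COMPANY_ACCOUNT_ID}:role/VendorAccess"   # hypothetical
# A real external ID is a value agreed with the vendor out of band; this one is constructed.
EXTERNAL_ID = "vendor-contract-placeholder"


def build_trust_policy(vendor_role_arn: str, external_id: str) -> Dict[str, Any]:
    """Trust policy for the company role: only the vendor's role, only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": vendor_role_arn},
            "Action": "sts:AssumeRole",
            # The external ID guards against the confused-deputy problem: another
            # customer of the vendor cannot get the tool to assume this role.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value: Any) -> List[Any]:
    return [value] if isinstance(value, str) else list(value or [])


def _principal_matches(principal: str, caller_arn: str) -> bool:
    """Exact role ARN match, or a whole-account grant (bare ID or account root ARN)."""
    if principal == caller_arn:
        return True
    caller_account = caller_arn.split(":")[4]
    return principal in (caller_account, f"arn:aws:iam::{caller_account}:root")


def trust_policy_allows(policy: Dict[str, Any], caller_arn: str,
                        external_id: Optional[str] = None) -> bool:
    """Simplified evaluation: does any Allow statement admit this caller and external ID?"""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list((stmt.get("Principal") or {}).get("AWS"))
        if not any(_principal_matches(p, caller_arn) for p in principals):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    return False


def review_trust_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings a reviewer would raise before attaching the trust policy."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        principals = _as_list((stmt.get("Principal") or {}).get("AWS"))
        if "*" in principals:
            findings.append("trust policy allows any AWS principal to assume the role")
        if ":user/" in "".join(principals):
            findings.append("trust policy names an IAM user; the vendor should call from a role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("no sts:ExternalId condition for a third-party principal")
    return findings


def assume_company_role(role_arn: str, external_id: str, duration_seconds: int = 3600):
    """What the vendor's tool runs in its own account; needs boto3 and vendor credentials."""
    import boto3  # imported here so the module loads without boto3 installed
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName="vendor-automation",
                           ExternalId=external_id, DurationSeconds=duration_seconds)
    return resp["Credentials"]  # temporary AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    policy = build_trust_policy(VENDOR_ROLE_ARN, EXTERNAL_ID)
    print("findings:", review_trust_policy(policy))
    print("vendor role with external ID :", trust_policy_allows(policy, VENDOR_ROLE_ARN, EXTERNAL_ID))
    print("vendor role, wrong external ID:", trust_policy_allows(policy, VENDOR_ROLE_ARN, "other"))
    print("unrelated role, right ID      :",
          trust_policy_allows(policy, "arn:aws:iam::888888888888:role/Other", EXTERNAL_ID))
```

Each successful AssumeRole surfaces in CloudTrail with the assumed role's session name and the vendor principal, so the company's audit trail records both who called and what the session then did; revocation is a change to the trust policy, with no keys to rotate.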
Question 1288:
A solutions architect manages an analytics application. The application stores large amounts of semistructured data in an Amazon S3 bucket. The solutions architect wants to use parallel data processing to process the data more quickly. The solutions architect also wants to use information that is stored in an Amazon Redshift database to enrich the data.
Which solution will meet these requirements?
A. Use Amazon Athena to process the S3 data. Use AWS Glue with the Amazon Redshift data to enrich the S3 data.
B. Use Amazon EMR to process the S3 data. Use Amazon EMR with the Amazon Redshift data to enrich the S3 data.
C. Use Amazon EMR to process the S3 data. Use Amazon Kinesis Data Streams to move the S3 data into Amazon Redshift so that the data can be enriched.
D. Use AWS Glue to process the S3 data. Use AWS Lake Formation with the Amazon Redshift data to enrich the S3 data.
B. Use Amazon EMR to process the S3 data. Use Amazon EMR with the Amazon Redshift data to enrich the S3 data.
Question 1289:
A survey company has gathered data for several years from areas in the United States. The company hosts the data in an Amazon S3 bucket that is 3 TB in size and growing. The company has started to share the data with a European marketing firm that has S3 buckets. The company wants to ensure that its data transfer costs remain as low as possible.
Which solution will meet these requirements?
A. Configure the Requester Pays feature on the company's S3 bucket.
B. Configure S3 Cross-Region Replication from the company's S3 bucket to one of the marketing firm's S3 buckets.
C. Configure cross-account access for the marketing firm so that the marketing firm has access to the company's S3 bucket.
D. Configure the company's S3 bucket to use S3 Intelligent-Tiering. Sync the S3 bucket to one of the marketing firm's S3 buckets.
A. Configure the Requester Pays feature on the company's S3 bucket.
Question 1290:
A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet.
Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)
A. Create a route table entry for the endpoint.
B. Create a gateway endpoint for DynamoDB.
C. Create an interface endpoint for Amazon EC2.
D. Create an elastic network interface for the endpoint in each of the subnets of the VPC.
E. Create a security group entry in the endpoint's security group to provide access.
A. Create a route table entry for the endpoint.
B. Create a gateway endpoint for DynamoDB.