Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 1341:

  A company wants to improve the availability and performance of its hybrid application. The application consists of a stateful TCP-based workload hosted on Amazon EC2 instances in different AWS Regions and a stateless UDP-based workload hosted on premises.

  Which combination of actions should a solutions architect take to improve availability and performance? (Choose two.)

  A. Create an accelerator using AWS Global Accelerator. Add the load balancers as endpoints.
  B. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the load balancers.
  C. Configure two Application Load Balancers in each Region. The first will route to the EC2 endpoints, and the second will route to the on-premises endpoints.
  D. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure a Network Load Balancer in each Region that routes to the on-premises endpoints.
  E. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure an Application Load Balancer in each Region that routes to the on-premises endpoints.
  A. Create an accelerator using AWS Global Accelerator. Add the load balancers as endpoints.
  D. Configure a Network Load Balancer in each Region to address the EC2 endpoints. Configure a Network Load Balancer in each Region that routes to the on-premises endpoints.

• Question 1342:

  A company is designing a web application on AWS. The application will use a VPN connection between the company's existing data centers and the company's VPCs. The company uses Amazon Route 53 as its DNS service. The application must use private DNS records to communicate with the on-premises services from a VPC.

  Which solution will meet these requirements in the MOST secure manner?

  A. Create a Route 53 Resolver outbound endpoint. Create a resolver rule. Associate the resolver rule with the VPC.
  B. Create a Route 53 Resolver inbound endpoint. Create a resolver rule. Associate the resolver rule with the VPC.
  C. Create a Route 53 private hosted zone. Associate the private hosted zone with the VPC.
  D. Create a Route 53 public hosted zone. Create a record for each service to allow service communication
  A. Create a Route 53 Resolver outbound endpoint. Create a resolver rule. Associate the resolver rule with the VPC.

• Question 1343:

  A solutions architect is implementing a document review application using an Amazon S3 bucket for storage. The solution must prevent accidental deletion of the documents and ensure that all versions of the documents are available. Users must be able to download, modify, and upload documents.

  Which combination of actions should be taken to meet these requirements? (Choose two.)

  A. Enable a read-only bucket ACL.
  B. Enable versioning on the bucket.
  C. Attach an IAM policy to the bucket.
  D. Enable MFA Delete on the bucket.
  E. Encrypt the bucket using AWS KMS.
  B. Enable versioning on the bucket.
  D. Enable MFA Delete on the bucket.

• Question 1344:

  A company has resources across multiple AWS Regions and accounts. A new solutions architect needs to build a map of the workloads and their relationships but has no documentation from the previous employee.

  Which solution will provide these details with the least operational effort?

  A. Use AWS Systems Manager Inventory to generate a map from the detailed report.
  B. Use AWS Step Functions to collect workload details and build diagrams manually.
  C. Use Workload Discovery on AWS to generate architecture diagrams.
  D. Use AWS X-Ray to view workload details and manually draw diagrams.
  C. Use Workload Discovery on AWS to generate architecture diagrams.

  ---

  Explanation

  Workload Discovery on AWS automatically scans AWS accounts and Regions, identifies deployed resources, and generates relationship-aware architecture diagrams. This provides a complete workload map with minimal operational effort.

  Systems Manager Inventory (Option A) collects instance metadata but does not build multi-account architecture diagrams.

  Step Functions (Option B) and X-Ray (Option D) require manual diagramming and do not meet the operational-efficiency requirement.

• Question 1345:

  A company is building a serverless application to process large video files that users upload. The application performs multiple tasks to process each video file. Processing can take up to 30 minutes for the largest files.

  The company needs a scalable architecture to support the processing application.

  Which solution will meet these requirements?

  A. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure a schedule in Amazon EventBridge Scheduler to invoke an AWS Lambda function periodically to check for new files. Configure the Lambda function to perform all the processing tasks.
  B. Store the uploaded video files in Amazon Elastic File System (Amazon EFS). Configure an Amazon EFS event notification to start an AWS Step Functions workflow that uses AWS Fargate tasks to perform the processing tasks.
  C. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to send an event to Amazon EventBridge when a user uploads a new video file. Configure an AWS Step Functions workflow as a target for an EventBridge rule. Use the workflow to manage AWS Fargate tasks to perform the processing tasks.
  D. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to invoke an AWS Lambda function when a user uploads a new video file. Configure the Lambda function to perform all the processing tasks.
  C. Store the uploaded video files in Amazon S3. Configure an Amazon S3 event notification to send an event to Amazon EventBridge when a user uploads a new video file. Configure an AWS Step Functions workflow as a target for an EventBridge rule. Use the workflow to manage AWS Fargate tasks to perform the processing tasks.

  ---

  Explanation

  The requirements include:

  Scalability: The solution must scale as video files are uploaded. Long-running tasks: Processing tasks can take up to 30 minutes. AWS Lambda has a maximum execution time of 15 minutes, which rules out options that involve Lambda performing all the processing.

  Serverless and event-driven architecture: Ensures cost-effectiveness and high availability.

  Analysis of Options:

  Option A:

  AWS Lambda has a 15-minute timeout, which cannot support tasks that take up to 30 minutes.

  EventBridge Scheduler is unnecessary for monitoring files when native event notifications are available.Not a valid choice.

  Option B:

  AWS Step Functions and AWS Fargate can handle long-running processes, but Amazon EFS is not the ideal storage for uploaded video files in a serverless architecture.

  Processing tasks triggered by EFS events are not a common pattern and may introduce complexities.Not the best practice.

  Option C:

  Amazon S3 is used for storing uploaded files, which integrates natively with event-driven services like EventBridge and Step Functions.

  Amazon S3 event notifications trigger a Step Functions workflow, which can orchestrate Fargate tasks to process large video files, meeting the scalability and execution time requirements.Correct choice.

  Option D:

  Similar to Option A, AWS Lambda cannot handle long-running processes due to its 15-minute timeout.

  Invoking Lambda for processing directly is not feasible for tasks that take up to 30 minutes.Not a valid choice.

  References:

  Amazon S3 Event Notifications:AWS Documentation - S3 Event Notifications

  AWS Step Functions:AWS Documentation - Step Functions AWS Fargate:AWS Documentation - Fargate Comparison of Storage Services:AWS Storage Options By leveragingAmazon S3,Step Functions, andFargate, this solution provides a scalable, efficient, and serverless approach to handling video processing tasks.

• Question 1346:

  The DNS provider that hosts a company's domain name records is experiencing outages that cause service disruption for a website running on AWS. The company needs to migrate to a more resilient managed DNS service and wants the service to run on AWS.

  What should a solutions architect do to rapidly migrate the DNS hosting service?

  A. Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file containing the domain records hosted by the previous provider.
  B. Create an Amazon Route 53 private hosted zone for the domain name. Import the zone file containing the domain records hosted by the previous provider.
  C. Create a Simple AD directory in AWS. Enable zone transfer between the DNS provider and AWS Directory Service for Microsoft Active Directory for the domain records.
  D. Create an Amazon Route 53 Resolver inbound endpoint in the VPC. Specify the IP addresses that the provider's DNS will forward DNS queries to. Configure the provider's DNS to forward DNS queries for the domain to the IP addresses that are specified in the inbound endpoint.
  A. Create an Amazon Route 53 public hosted zone for the domain name. Import the zone file containing the domain records hosted by the previous provider.

• Question 1347:

  A solutions architect must design a solution that uses Amazon CloudFront with an Amazon S3 origin to serve a static website. The solution must use AWS WAF to inspect all website traffic.

  Which solution will meet these requirements?

  A. Configure an S3 bucket policy to accept only requests that come from the AWS WAF Amazon Resource Name (ARN).
  B. Configure CloudFront to forward all incoming requests to AWS WAF before CloudFront requests content from the S3 origin.
  C. Configure a security group that allows only CloudFront IP addresses to access Amazon S3. Associate AWS WAF to the CloudFront distribution.
  D. Configure CloudFront and Amazon S3 to use an origin access control (OAC) to secure the origin S3 bucket. Associate AWS WAF to the CloudFront distribution.
  D. Configure CloudFront and Amazon S3 to use an origin access control (OAC) to secure the origin S3 bucket. Associate AWS WAF to the CloudFront distribution.

  ---

  Explanation

  The correct and secure approach is to use Amazon CloudFront with Origin Access Control (OAC) to protect the S3 origin and attach AWS WAF to the CloudFront distribution to inspect and filter traffic at the edge before reaching the origin.

  From AWS Documentation:

  "AWS WAF is integrated with Amazon CloudFront, allowing inspection of HTTP(S) requests at the edge location before forwarding to your origin. To restrict direct access to the S3 bucket, use Origin Access Control (OAC)." (Source: Amazon CloudFront Developer Guide?Serving private content)

  Why Option D is correct:

  CloudFront is the only service that integrates with AWS WAF for full HTTP layer inspection.

  Origin Access Control (OAC) ensures that only CloudFront can access the S3 origin--replacing older Origin Access Identity (OAI) features.

  The S3 bucket policy is configured to trust requests only from CloudFront using OAC signed requests.

  Why the other options are incorrect:

  Option A: WAF ARN is not a principal in S3 bucket policy. IAM does not support bucket policies based on

  WAF ARNs.

  Option B: Incorrect?CloudFront doesn ' t"; forward requests to WAF";; rather, WAF is associated with CloudFront and inspects requests at the edge.

  Option C: S3 does not use security groups; they are for EC2/network interfaces. This shows a misunderstanding of how S3 works.

  References:

  Amazon CloudFront Developer Guide?

  Serving Private Content with OAC";

  AWS WAF Developer Guide?

  Protecting CloudFront with AWS WAF";

  AWS Well-Architected Framework?Security Pillar

• Question 1348:

  A company performs monthly maintenance on its AWS infrastructure. During these maintenance activities, the company needs to rotate the credentials for its Amazon RDS for MySQL databases across multiple

  AWS Regions.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.
  B. Store the credentials as secrets in AWS Systems Manager by creating a secure string parameter. Use multi-Region secret replication for the required Regions. Configure Systems Manager to rotate the secrets on a schedule.
  C. Store the credentials in an Amazon S3 bucket that has server-side encryption (SSE) enabled. Use Amazon EventBridge (Amazon CloudWatch Events) to invoke an AWS Lambda function to rotate the credentials.
  D. Encrypt the credentials as secrets by using AWS Key Management Service (AWS KMS) multi-Region customer managed keys. Store the secrets in an Amazon DynamoDB global table. Use an AWS Lambda function to retrieve the secrets from DynamoDB. Use the RDS API to rotate the secrets.
  A. Store the credentials as secrets in AWS Secrets Manager. Use multi-Region secret replication for the required Regions. Configure Secrets Manager to rotate the secrets on a schedule.

• Question 1349:

  A financial company is migrating its banking applications to a set of AWS accounts managed by AWS Organizations. The applications will store sensitive customer data on Amazon Elastic Block Store (Amazon EBS) volumes. The company will take regular snapshots for backup purposes.

  The company wants to implement controls across all AWS accounts to prevent sharing EBS snapshots publicly.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Enable AWS Config rules for each organizational unit (OU) in Organizations to monitor EBS snapshot permissions.
  B. Enable block public access for EBS snapshots at the organization level.
  C. Create an IAM policy in the root account of the organization that prevents users from modifying snapshot permissions.
  D. Use AWS CloudTrail to track snapshot permission changes.
  B. Enable block public access for EBS snapshots at the organization level.

  ---

  Explanation

  AWS provides EBS Block Public Access at the AWS Organizations level, which, when enabled, prevents EBS snapshots from being shared publicly across all member accounts. This is an organization-wide control that requires minimal configuration and no ongoing monitoring to prevent public sharing.

  This directly satisfies the requirement:

  Covers all accounts managed by Organizations.

  Explicitly prevents public snapshot sharing.

  Has the least operational overhead because it is a single centralized control.

  AWS Config (Option A) only monitors and alerts, but does not prevent public sharing.

  An IAM policy in the root account (Option C) is harder to enforce consistently across all accounts and may not cover all permission paths.

  CloudTrail (Option D) only logs events and does not prevent public access.

• Question 1350:

  A company has an application that is running on Amazon EC2 instances. A solutions architect has standardized the company on a particular instance family and various instance sizes based on the current needs of the company.

  The company wants to maximize cost savings for the application over the next 3 years. The company needs to be able to change the instance family and sizes in the next 6 months based on application popularity and usage.

  Which solution will meet these requirements MOST cost-effectively?

  A. Compute Savings Plan
  B. EC2 Instance Savings Plan
  C. Zonal Reserved Instances
  D. Standard Reserved Instances
  A. Compute Savings Plan