Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 131:

  A company has 150 TB of archived image data stored on-premises that needs to be moved to the AWS Cloud within the next month. The company's current network connection allows up to 100 Mbps uploads for this purpose during the night only.

  What is the MOST cost-effective mechanism to move this data and meet the migration deadline?

  A. Use AWS Snowmobile to ship the data to AWS.
  B. Order multiple AWS Snowball devices to ship the data to AWS.
  C. Enable Amazon S3 Transfer Acceleration and securely upload the data.
  D. Create an Amazon S3 VPC endpoint and establish a VPN to upload the data.
  B. Order multiple AWS Snowball devices to ship the data to AWS.

• Question 132:

  A company creates a VPC that has one public subnet and one private subnet. The company attaches an internet gateway to the VPC. An Application Load Balancer (ALB) in the public subnet communicates with Amazon EC2 instances in the private subnet.

  The EC2 instances in the private subnet must be able to download operating system and application updates from the internet. The instances must not be accessible from the internet.

  Which combination of steps will meet these requirements? (Choose Three.)

  A. Associate an Elastic IP address with the NAT gateway.
  B. Add a route of 0.0.0.0/0 to the private subnet route table. Set the NAT gateway as a target.
  C. Deploy a NAT gateway in the public subnet.
  D. Deploy a NAT gateway in the private subnet.
  E. Add a route of 0.0.0.0/0 to the public subnet route table. Set the NAT gateway as a target.
  F. Associate an Elastic IP address with the internet gateway.
  A. Associate an Elastic IP address with the NAT gateway.
  B. Add a route of 0.0.0.0/0 to the private subnet route table. Set the NAT gateway as a target.
  C. Deploy a NAT gateway in the public subnet.

  ---

  Explanation

  Instances in a private subnet cannot directly reach the internet because they do not have public IP addresses and the private subnet route table typically does not send 0.0.0.0/0 traffic to an internet gateway. However, these instances still need outbound-only internet access to download patches and updates while remaining inaccessible from the internet. The standard AWS design to achieve this is a NAT gateway deployed in a public subnet.

  Option C is required because a NAT gateway must reside in a public subnet that has a route to the internet gateway. This allows the NAT gateway to forward outbound traffic from private instances to the internet and return responses, without allowing inbound connections initiated from the internet to those instances.

  Option A is required because a NAT gateway uses an Elastic IP address to represent its public-facing identity on the internet. Without an Elastic IP, the NAT gateway cannot communicate with internet endpoints. The Elastic IP is associated with the NAT gateway, not with the internet gateway.

  Option B is required because the private subnet needs a route for 0.0.0.0/0 (default route) that targets the NAT gateway. This ensures that outbound internet-bound traffic from the private instances is sent to the NAT gateway rather than being dropped.

  Option D is incorrect because a NAT gateway in a private subnet would not have a working route to the internet gateway and would not provide internet egress.

  Option E is incorrect because the public subnet's default route should point to the internet gateway, not to the NAT gateway.

  Option F is incorrect because you do not associate Elastic IPs with an internet gateway. Therefore, A, B, and C correctly implement private subnet outbound internet access while keeping the instances unreachable from the internet.

• Question 133:

  A company is building a new web application that serves static and dynamic content from an API. Users will access the application from around the world. The company wants to minimize latency in the most cost-effective way.

  Which solution will meet these requirements MOST cost-effectively?

  A. Deploy the static content to an Amazon S3 bucket. Use an Amazon API Gateway HTTP API to serve the dynamic content. Create an Amazon CloudFront distribution that uses the S3 bucket and the HTTP API as origins. Enable caching for static content.
  B. Deploy the static content to an Amazon S3 bucket. Provide the bucket website endpoint to users. Use an Amazon API Gateway HTTP API with caching enabled to serve the dynamic content.
  C. Deploy the static content to an Amazon S3 bucket. Use two Amazon EC2 instances as web servers. Deploy an Application Load Balancer to distribute traffic. Create an Amazon CloudFront distribution in front of the S3 bucket to cache static content.
  D. Deploy the static content to an Amazon S3 bucket. Provide the bucket website endpoint to users. Create an Amazon CloudFront distribution in front of the S3 bucket to cache static content.
  A. Deploy the static content to an Amazon S3 bucket. Use an Amazon API Gateway HTTP API to serve the dynamic content. Create an Amazon CloudFront distribution that uses the S3 bucket and the HTTP API as origins. Enable caching for static content.

  ---

  Explanation

  For global low latency, AWS recommends using Amazon CloudFront as a content delivery network in front of both static and dynamic origins when possible. Static content on Amazon S3 + CloudFront is the standard cost-effective pattern: S3 for low-cost durable storage, CloudFront for global edge caching.

  Dynamic content exposed via Amazon API Gateway HTTP API can also be used as an origin for CloudFront, giving global users reduced latency and the ability to cache appropriate responses (when safe).

  This pattern minimizes cost by:

  Using S3 instead of EC2 for static hosting.

  Using HTTP APIs (cheaper than REST APIs) for dynamic content.

  Offloading a significant portion of requests to CloudFront cache.

  Why the other options are not correct:

  Option B: Static content is not fronted by CloudFront, so global latency is higher.

  Option C: EC2-based web servers for the core web tier add more operational and cost overhead than needed for a mostly static + API pattern.

  Option D: Only the static content uses CloudFront; the dynamic API still lacks a latency-optimized global entry point.

• Question 134:

  A company is building a new dynamic ordering website. The company wants to minimize server maintenance and patching. The website must be highly available and must scale read and write capacity as quickly as possible to meet changes in user demand.

  Which solution will meet these requirements?

  A. Host static content in Amazon S3. Host dynamic content by using Amazon API Gateway and AWS Lambda. Use Amazon DynamoDB with on-demand capacity for the database. Configure Amazon CloudFront to deliver the website content.
  B. Host static content in Amazon S3. Host dynamic content by using Amazon API Gateway and AWS Lambda. Use Amazon Aurora with Aurora Auto Scaling for the database. Configure Amazon CloudFront to deliver the website content.
  C. Host all the website content on Amazon EC2 instances. Create an Auto Scaling group to scale the EC2 instances. Use an Application Load Balancer to distribute traffic. Use Amazon DynamoDB with provisioned write capacity for the database.
  D. Host all the website content on Amazon EC2 instances. Create an Auto Scaling group to scale the EC2 instances. Use an Application Load Balancer to distribute traffic. Use Amazon Aurora with Aurora Auto Scaling for the database.
  A. Host static content in Amazon S3. Host dynamic content by using Amazon API Gateway and AWS Lambda. Use Amazon DynamoDB with on-demand capacity for the database. Configure Amazon CloudFront to deliver the website content.

• Question 135:

  A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without traveling across the internet. The company has no existing dedicated connectivity to AWS.

  Which combination of steps should a solutions architect take to meet these requirements? (Choose Two.)

  A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
  B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.
  C. Create an Amazon S3 interface endpoint in the networking account.
  D. Create an Amazon S3 gateway endpoint in the networking account.
  E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.
  A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
  E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.

  ---

  Explanation

  To send data privately from on-premises to S3 buckets across multiple AWS accounts:

  Option A: Using AWS Direct Connect with a private virtual interface (VIF) enables private connectivity from on-premises into the VPC.

  Option E: After establishing the central VPC in a networking account, use VPC peering to allow access to S3 buckets across multiple AWS accounts.

  "Direct Connect private virtual interface (VIF) allows private IP connectivity to VPC resources."

  "VPC Peering enables routing of traffic between VPCs using private IP addresses."

  -- AWS Direct Connect Documentation

  -- VPC Peering Guide Why not others:

  Option B: Public VIF sends traffic over public AWS services--not fully private.

  Option C: Interface endpoint is useful within a single account/VPC context.

  Option D: Gateway endpoint doesn ' t solve inter-account routing.

  References:

  Private Connectivity using Direct Connect

  VPC Peering Overview

• Question 136:

  A company has an on-premises data center that is running out of storage capacity. The company wants to migrate its storage infrastructure to AWS while minimizing bandwidth costs. The solution must allow for immediate retrieval of data at no additional cost.

  How can these requirements be met?

  A. Deploy Amazon S3 Glacier Vault and enable expedited retrieval. Enable provisioned retrieval capacity for the workload.
  B. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3 while retaining copies of frequently accessed data subsets locally.
  C. Deploy AWS Storage Gateway using stored volumes to store data locally. Use Storage Gateway to asynchronously back up point-in-time snapshots of the data to Amazon S3.
  D. Deploy AWS Direct Connect to connect with the on-premises data center. Configure AWS Storage Gateway to store data locally. Use Storage Gateway to asynchronously back up point-in-time snapshots of the data to Amazon S3.
  B. Deploy AWS Storage Gateway using cached volumes. Use Storage Gateway to store data in Amazon S3 while retaining copies of frequently accessed data subsets locally.

• Question 137:

  A home security company is expanding globally and needs to encrypt customer data. The company does not want to manage encryption keys. The keys must be usable in multiple AWS Regions, and access to the keys must be controlled.

  Which solution meets these requirements with the least operational overhead?

  A. Use AWS KMS multi-Region keys. Apply tags and use ABAC condition keys for access control.
  B. Use AWS KMS imported key material in multiple Regions with ABAC-based policies.
  C. Use AWS CloudHSM and synchronize clusters across Regions with the CMU tool.
  D. Use AWS CloudHSM users and share keys manually with CMU across Regions.
  A. Use AWS KMS multi-Region keys. Apply tags and use ABAC condition keys for access control.

  ---

  Explanation

  AWS Key Management Service (AWS KMS) provides multi-Region keys, allowing the same key to be used across Regions without managing your own hardware or key replication. Multi-Region keys are fully managed and support attribute-based access control (ABAC) using tags and condition keys. CloudHSM (Options C and D) requires full key lifecycle management, synchronization, and hardware operations, resulting in significantly higher overhead. Imported key material (Option B) increases key-management responsibility.

• Question 138:

  A company has an on-premises MySQL database used by the global sales team with infrequent access patterns. The sales team requires the database to have minimal downtime. A database administrator wants to migrate this database to AWS without selecting a particular instance type in anticipation of more users in the future.

  Which service should a solutions architect recommend?

  A. Amazon Aurora MySQL
  B. Amazon Aurora Serverless for MySQL
  C. Amazon Redshift Spectrum
  D. Amazon RDS for MySQL
  B. Amazon Aurora Serverless for MySQL

• Question 139:

  A company needs a solution to integrate transaction data from several Amazon DynamoDB tables into an existing Amazon Redshift data warehouse. The solution must maintain the provisioned throughput of DynamoDB.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Create an Amazon S3 bucket. Configure DynamoDB to export to the bucket on a regular schedule. Use an Amazon Redshift COPY command to read from the S3 bucket.
  B. Use an Amazon Redshift COPY command to read directly from each DynamoDB table.
  C. Create an Amazon S3 bucket. Configure an AWS Lambda function to read from the DynamoDB tables and write to the S3 bucket on a regular schedule. Use Amazon Redshift Spectrum to access the data in the S3 bucket.
  D. Use Amazon Athena Federated Query with a DynamoDB connector and an Amazon Redshift connector to read directly from the DynamoDB tables.
  A. Create an Amazon S3 bucket. Configure DynamoDB to export to the bucket on a regular schedule. Use an Amazon Redshift COPY command to read from the S3 bucket.

  ---

  Explanation

  DynamoDB export to Amazon S3 (via point-in-time exports or table backups) "does not consume read capacity" and has no impact on table performance. Once data is in S3, Amazon Redshift can ingest efficiently with COPY from S3, which is the standard, parallel, high-throughput load path with minimal management. Direct COPY from DynamoDB (B) performs a table scan that can consume provisioned throughput, risking throttling.

  Building Lambda pipelines (C) adds custom code and scheduling overhead.

  Athena federated queries (D) are ad hoc analytics, not optimized for bulk, recurring warehouse loads.

  Therefore, exporting to S3 and loading with Redshift COPY maintains DynamoDB throughput and minimizes operational burden.

  References:

  DynamoDB -- "Export to S3 (no RCU consumption)"

  Amazon Redshift -- "COPY from Amazon S3 (parallel

  load)"

  AWS Big Data best practices -- "Stage data in S3 for Redshift loads."

• Question 140:

  A company needs to migrate a MySQL database from an on-premises data center to AWS within 2 weeks.

  The database is 180 TB in size. The company cannot partition the database.

  The company wants to minimize downtime during the migration. The company's internet connection speed is 100 Mbps.

  Which solution will meet these requirements?

  A. Order an AWS Snowball Edge Storage Optimized device. Use AWS Database Migration Service (AWS DMS) and the AWS Schema Conversion Tool (AWS SCT) to migrate the database to Amazon RDS for MySQL and replicate ongoing changes. Send the Snowball Edge device back to AWS to finish the migration. Continue to replicate ongoing changes.
  B. Establish an AWS Site-to-Site VPN connection between the data center and AWS. Use AWS Database Migration Service (AWS DMS) and the AWS Schema Conversion Tool (AWS SCT) to migrate the database to Amazon RDS tor MySQL and replicate ongoing changes.
  C. Establish a 10 Gbps dedicated AWS Direct Connect connection between the data center and AWS. Use AWS DataSync to replicate the database to Amazon S3. Create a script to import the data from Amazon S3 to a new Amazon RDS for MySQL database instance.
  D. Use the company's existing internet connection. Use AWS DataSync to replicate the database to Amazon S3. Create a script to import the data from Amazon S3 to a new Amazon RDS for MySQL database instance.
  A. Order an AWS Snowball Edge Storage Optimized device. Use AWS Database Migration Service (AWS DMS) and the AWS Schema Conversion Tool (AWS SCT) to migrate the database to Amazon RDS for MySQL and replicate ongoing changes. Send the Snowball Edge device back to AWS to finish the migration. Continue to replicate ongoing changes.

  ---

  Explanation

  Given the large size (180 TB) of the database and the time constraint,AWS Snowball Edge Storage Optimizedis the best solution. Snowball Edge allows for the physical transfer of large datasets to AWS efficiently without relying on slow internet connections.AWS DMSandSCTcan be used to perform ongoing replication of any changes made during the migration, ensuring minimal downtime.

  Option B (VPN): Using a 100 Mbps internet connection would take far too long to transfer 180 TB.

  Option C (Direct Connect): Establishing a 10 Gbps Direct Connect link might not be feasible within the 2- week timeframe.

  Option D (DataSync over internet): With the existing internet connection, DataSync would also take too long.