A company hosts an application that processes highly sensitive customer transactions on AWS. The application uses Amazon RDS as its database. The company manages its own encryption keys to secure the data in Amazon RDS.
The company needs to update the customer-managed encryption keys at least once each year.
Which solution will meet these requirements with the LEAST operational overhead?
A. Set up automatic key rotation in AWS Key Management Service (AWS KMS) for the encryption keys.
B. Configure AWS Key Management Service (AWS KMS) to alert the company to rotate the encryption keys annually.
C. Schedule an AWS Lambda function to rotate the encryption keys annually.
D. Create an AWS CloudFormation stack to run an AWS Lambda function that deploys new encryption keys once each year.
A. Set up automatic key rotation in AWS Key Management Service (AWS KMS) for the encryption keys.
Explanation
AWS KMS automatic key rotation is the simplest and most operationally efficient solution. Enabling automatic key rotation ensures that KMS generates new key material for the customer-managed key every year without any manual intervention.
Option B: Configuring alerts to rotate keys introduces operational overhead because the actual rotation must still be performed manually.
Option C: Scheduling a Lambda function to rotate keys adds unnecessary complexity compared to enabling automatic key rotation.
Option D: Using a CloudFormation stack to run a Lambda function for key rotation increases operational overhead and complexity unnecessarily.
References:
AWS KMS Key Rotation
Using Customer-Managed Keys with Amazon RDS
Question 1412:
A company is using AWS DataSync to migrate millions of files from an on-premises system to AWS. The files are 10 KB in size on average.
The company wants to use Amazon S3 for file storage. For the first year after the migration, the files will be accessed once or twice and must be immediately available. After 1 year, the files must be archived for at least 7 years.
Which solution will meet these requirements MOST cost-effectively?
A. Use an archive tool to group the files into large objects. Use DataSync to migrate the objects. Store the objects in S3 Glacier Instant Retrieval for the first year. Use a lifecycle configuration to transition the files to S3 Glacier Deep Archive after 1 year with a retention period of 7 years.
B. Use an archive tool to group the files into large objects. Use DataSync to copy the objects to S3 Standard-Infrequent Access (S3 Standard-IA). Use a lifecycle configuration to transition the files to S3 Glacier Instant Retrieval after 1 year with a retention period of 7 years.
C. Configure the destination storage class for the files as S3 Glacier Instant Retrieval. Use a lifecycle policy to transition the files to S3 Glacier Flexible Retrieval after 1 year with a retention period of 7 years.
D. Configure a DataSync task to transfer the files to S3 Standard-Infrequent Access (S3 Standard-IA). Use a lifecycle configuration to transition the files to S3 Deep Archive after 1 year with a retention period of 7 years.
A. Use an archive tool to group the files into large objects. Use DataSync to migrate the objects. Store the objects in S3 Glacier Instant Retrieval for the first year. Use a lifecycle configuration to transition the files to S3 Glacier Deep Archive after 1 year with a retention period of 7 years.
Question 1413:
A company is conducting an internal audit. The company wants to ensure that the data in an Amazon S3 bucket that is associated with the company's AWS Lake Formation data lake does not contain sensitive customer or employee data.
The company wants to discover personally identifiable information (PII) or financial information, including passport numbers and credit card numbers.
Which solution will meet these requirements?
A. Configure AWS Audit Manager on the account. Select the Payment Card Industry Data Security Standards (PCI DSS) for auditing.
B. Configure Amazon S3 Inventory on the S3 bucket. Configure Amazon Athena to query the inventory.
C. Configure Amazon Macie to run a data discovery job that uses managed identifiers for the required data types.
D. Use Amazon S3 Select to run a report across the S3 bucket.
C. Configure Amazon Macie to run a data discovery job that uses managed identifiers for the required data types.
Question 1414:
A company runs an ecommerce application on premises on Microsoft SQL Server. The company is planning to migrate the application to the AWS Cloud. The application code contains complex T-SQL queries and stored procedures. The company wants to minimize database server maintenance and operating costs after the migration is completed. The company also wants to minimize the need to rewrite code as part of the migration effort.
Which solution will meet these requirements?
A. Migrate the database to Amazon Aurora PostgreSQL. Turn on Babelfish.
B. Migrate the database to Amazon S3. Use Amazon Redshift Spectrum for query processing.
C. Migrate the database to Amazon RDS for SQL Server. Turn on Kerberos authentication.
D. Migrate the database to an Amazon EMR cluster that includes multiple primary nodes.
A. Migrate the database to Amazon Aurora PostgreSQL. Turn on Babelfish.
Explanation
The requirement combines two key goals: reduce post-migration database administration and maintenance cost, and minimize application rewrites for an existing Microsoft SQL Server application that relies heavily on T-SQL and stored procedures. Amazon Aurora PostgreSQL-Compatible with Babelfish is designed for this exact migration pattern: it lets applications written for SQL Server run with reduced code changes by providing compatibility for commonly used SQL Server semantics, including T-SQL constructs, procedural logic, and SQL Server-style connectivity (depending on feature usage). Aurora itself is a managed database service that reduces operational overhead compared to self-managed databases by offloading tasks such as provisioning, patching (within service capabilities), backups, and high availability.
Option C (RDS for SQL Server) would also minimize rewrites because it keeps the same engine, but it retains commercial SQL Server licensing and edition costs, so it does not meet the "minimize operating costs" requirement as well as moving to Aurora PostgreSQL with Babelfish.
Option B is not suitable because Redshift Spectrum is for analytics over data in S3, not for running an OLTP ecommerce database with stored procedures.
Option D is also a mismatch: EMR is for big data processing frameworks, not a relational OLTP database replacement for SQL Server.
Therefore, A best balances lower ongoing operational cost with reduced refactoring effort by using Aurora's managed capabilities while leveraging Babelfish to ease SQL Server-to-PostgreSQL migration friction.
Question 1415:
AWS Lambda functions need shared access to internal libraries and reference data that are updated independently by different teams.
Which solution will meet these requirements?
A. Use Amazon EBS Multi-Attach.
B. Store data in the Lambda /tmp directory.
C. Use Amazon EFS mounted to Lambda.
D. Use Amazon FSx for Windows File Server.
C. Use Amazon EFS mounted to Lambda.
Explanation
Amazon EFS integrates natively with Lambda, supports shared, persistent storage, and allows independent updates without redeploying functions. EBS and /tmp are not supported for this use case; FSx is unnecessary.
Question 1416:
A company that primarily runs its application servers on premises has decided to migrate to AWS. The company wants to minimize its need to scale its Internet Small Computer Systems Interface (iSCSI) storage on premises. The company wants only its recently accessed data to remain stored locally.
Which AWS solution should the company use to meet these requirements?
A. Amazon S3 File Gateway
B. AWS Storage Gateway Tape Gateway
C. AWS Storage Gateway Volume Gateway stored volumes
D. AWS Storage Gateway Volume Gateway cached volumes
D. AWS Storage Gateway Volume Gateway cached volumes
Question 1417:
A company has an Amazon Elastic File System (Amazon EFS) file system that contains a reference dataset. The company has applications on Amazon EC2 instances that need to read the dataset. However, the applications must not be able to change the dataset. The company wants to use IAM access control to prevent the applications from being able to modify or delete the dataset.
Which solution will meet these requirements?
A. Mount the EFS file system in read-only mode from within the EC2 instances.
B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
C. Create an identity policy for the EFS file system that denies the elasticfilesystem:ClientWrite action on the EFS file system.
D. Create an EFS access point for each application. Use Portable Operating System Interface (POSIX) file permissions to allow read-only access to files in the root directory.
B. Create a resource policy for the EFS file system that denies the elasticfilesystem:ClientWrite action to the IAM roles that are attached to the EC2 instances.
Question 1418:
A solutions architect needs to ensure that only resources in VPC vpc-11aabb22 can access an S3 bucket in account 123456789012 with Block Public Access enabled.
Which solution meets this requirement?
A. Create a bucket policy with Deny and a Condition using "StringNotEquals": { "aws:SourceVpc": "vpc-11aabb22" }.
B. Create a bucket policy with Allow and Resource "arn:aws:ec2:us-west-2:123456789012:vpc/vpc-11aabb22".
C. Create a bucket policy with Allow and a Condition using "StringNotEquals": { "aws:SourceVpc": "vpc-11aabb22" }.
D. Create a bucket policy with Deny and "StringNotEquals": { "aws:PrincipalAccount": "123456789012" }.
A. Create a bucket policy with Deny and a Condition using "StringNotEquals": { "aws:SourceVpc": "vpc-11aabb22" }.
Explanation
To restrict S3 access to a specific VPC, AWS documentation specifies using a Deny policy with aws:SourceVpc for all unmatched VPCs:
Deny if aws:SourceVpc != vpc-11aabb22
This ensures only that VPC can reach the bucket via a VPC endpoint.
The Allow policies (Options B and C) are incorrectly structured or use the wrong condition logic: Option B places a VPC ARN in the Resource element, which a bucket policy cannot reference, and Option C pairs Allow with StringNotEquals, which would grant access from every VPC except vpc-11aabb22.
Option D limits by account, not VPC, and does not enforce VPC-level access.
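The Deny rule from the explanation written out as a complete bucket policy, as an added example that is not part of the original page; the bucket name EXAMPLE-BUCKET is a placeholder, while the VPC ID comes from the question.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromApprovedVpc",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET",
        "arn:aws:s3:::EXAMPLE-BUCKET/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpc": "vpc-11aabb22"
        }
      }
    }
  ]
}
```

Because the aws:SourceVpc key is present only on requests that arrive through a VPC endpoint, this Deny also blocks console, CLI and SDK calls that come in over the public S3 endpoint, so administrative access must itself go through the VPC endpoint. The statement grants nothing on its own; principals in the VPC still need an Allow in a bucket or identity policy.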
Question 1419:
An Amazon EventBridge rule targets a third-party API. The third-party API has not received any incoming traffic. A solutions architect needs to determine whether the rule conditions are being met and if the rule's target is being invoked.
Which solution will meet these requirements?
A. Check for metrics in Amazon CloudWatch in the namespace for AWS/Events.
B. Review events in the Amazon Simple Queue Service (Amazon SQS) dead-letter queue.
C. Check for the events in Amazon CloudWatch Logs.
D. Check the trails in AWS CloudTrail for the EventBridge events.
A. Check for metrics in Amazon CloudWatch in the namespace for AWS/Events.
Question 1420:
A solutions architect is designing a shared storage solution for a web application that is deployed across multiple Availability Zones. The web application runs on Amazon EC2 instances that are in an Auto Scaling group. The company plans to make frequent changes to the content. The solution must have strong consistency in returning the new content as soon as the changes occur.
Which solutions meet these requirements? (Choose two.)
A. Use AWS Storage Gateway Volume Gateway Internet Small Computer Systems Interface (iSCSI) block storage that is mounted to the individual EC2 instances.
B. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system on the individual EC2 instances.
C. Create a shared Amazon Elastic Block Store (Amazon EBS) volume. Mount the EBS volume on the individual EC2 instances.
D. Use AWS DataSync to perform continuous synchronization of data between EC2 hosts in the Auto Scaling group.
E. Create an Amazon S3 bucket to store the web content. Set the metadata for the Cache-Control header to no-cache. Use Amazon CloudFront to deliver the content.
B. Create an Amazon Elastic File System (Amazon EFS) file system. Mount the EFS file system on the individual EC2 instances.
E. Create an Amazon S3 bucket to store the web content. Set the metadata for the Cache-Control header to no-cache. Use Amazon CloudFront to deliver the content.