Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 1431:

  A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet.

  The company has no existing dedicated connectivity to AWS.

  Which combination of steps should a solutions architect take to meet these requirements? (Choose Two.)

  A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
  B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.
  C. Create an Amazon S3 interface endpoint in the networking account.
  D. Create an Amazon S3 gateway endpoint in the networking account.
  E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.
  A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
  E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.

  ---

  Explanation

  Explanation (AWS Docs):

  A: Use Direct Connect with a private VIF to ensure private connectivity from on-premises to AWS.

  E: Peer the networking VPC with VPCs in the accounts hosting S3 buckets to allow private routing.

  "A private virtual interface enables private connectivity to your VPC."

  -- Direct Connect Private VIF

• Question 1432:

  A company's order system sends requests from clients to Amazon EC2 instances. The EC2 instances process the orders and then store the orders in a database on Amazon RDS. Users report that they must reprocess orders when the system fails. The company wants a resilient solution that can process orders automatically if a system outage occurs.

  What should a solutions architect do to meet these requirements?

  A. Move the EC2 instances into an Auto Scaling group. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to target an Amazon Elastic Container Service (Amazon ECS) task.
  B. Move the EC2 instances into an Auto Scaling group behind an Application Load Balancer (ALB). Update the order system to send messages to the ALB endpoint.
  C. Move the EC2 instances into an Auto Scaling group. Configure the order system to send messages to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the EC2 instances to consume messages from the queue.
  D. Create an Amazon Simple Notification Service (Amazon SNS) topic. Create an AWS Lambda function, and subscribe the function to the SNS topic. Configure the order system to send messages to the SNS topic. Send a command to the EC2 instances to process the messages by using AWS Systems Manager Run Command.
  C. Move the EC2 instances into an Auto Scaling group. Configure the order system to send messages to an Amazon Simple Queue Service (Amazon SQS) queue. Configure the EC2 instances to consume messages from the queue.

• Question 1433:

  A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information. The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running.

  All configurations for the network ACLs, security groups, and route tables are still in their default states.

  What should a solutions architect recommend to fix the application?

  A. Add an explicit rule to the private subnet's network ACL to allow traffic from the web tier's EC2 instances.
  B. Add a route in the VPC route table to allow traffic between the web tier's EC2 instances and the database tier.
  C. Deploy the web tier's EC2 instances and the database tier's RDS instance into two separate VPCs, and configure VPC peering.
  D. Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the web tiers security group.
  D. Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the web tiers security group.

• Question 1434:

  A company hosts a video streaming web application in a VPC. The company uses a Network Load Balancer (NLB) to handle TCP traffic for real-time data processing. There have been unauthorized attempts to access the application.

  The company wants to improve application security with minimal architectural change to prevent unauthorized attempts to access the application.

  Which solution will meet these requirements?

  A. Implement a series of AWS WAF rules directly on the NLB to filter out unauthorized traffic.
  B. Recreate the NLB with a security group to allow only trusted IP addresses.
  C. Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.
  D. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.
  D. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.

• Question 1435:

  A company manages its own Amazon EC2 instances that run MySQL databases. The company is manually managing replication and scaling as demand increases or decreases. The company needs a new solution that simplifies the process of adding or removing compute capacity to or from its database tier as needed. The solution also must offer improved performance, scaling, and durability with minimal effort from operations.

  Which solution meets these requirements?

  A. Migrate the databases to Amazon Aurora Serverless for Aurora MySQL.
  B. Migrate the databases to Amazon Aurora Serverless for Aurora PostgreSQL.
  C. Combine the databases into one larger MySQL database. Run the larger database on larger EC2 instances.
  D. Create an EC2 Auto Scaling group for the database tier. Migrate the existing databases to the new environment.
  A. Migrate the databases to Amazon Aurora Serverless for Aurora MySQL.

• Question 1436:

  A company needs to create an AWS Lambda function that will run in a VPC in the company's primary AWS account. The Lambda function needs to access files that the company stores in an Amazon Elastic File System (Amazon EFS) file system. The EFS file system is located in a secondary AWS account. As the company adds files to the file system, the solution must scale to meet the demand.

  Which solution will meet these requirements MOST cost-effectively?

  A. Create a new EFS file system in the primary account. Use AWS DataSync to copy the contents of the original EFS file system to the new EFS file system.
  B. Create a VPC peering connection between the VPCs that are in the primary account and the secondary account.
  C. Create a second Lambda function in the secondary account that has a mount that is configured for the file system. Use the primary account's Lambda function to invoke the secondary account's Lambda function.
  D. Move the contents of the file system to a Lambda layer. Configure the Lambda layer's permissions to allow the company's secondary account to use the Lambda layer.
  B. Create a VPC peering connection between the VPCs that are in the primary account and the secondary account.

  ---

  Explanation

• Question 1437:

  A company's website provides users with downloadable historical performance reports. The website needs a solution that will scale to meet the company's website demands globally. The solution should be cost-effective, limit the provisioning of infrastructure resources, and provide the fastest possible response time.

  Which combination should a solutions architect recommend to meet these requirements?

  A. Amazon CloudFront and Amazon S3
  B. AWS Lambda and Amazon DynamoDB
  C. Application Load Balancer with Amazon EC2 Auto Scaling
  D. Amazon Route 53 with internal Application Load Balancers
  A. Amazon CloudFront and Amazon S3

• Question 1438:

  An e-commerce company stores inventory, order, and user information in multiple Amazon Redshift clusters. The Redshift clusters must comply with the company's security policies. The company must receive notifications about any security configuration violations.

  Which solution will meet these requirements?

  A. Create an Amazon EventBridge rule that uses the Redshift clusters as the source. Create an AWS Lambda function to evaluate the Redshift cluster security configuration. Configure theLambda function to notify the company of any violations of the security policies. Add the Lambda function as a target of the EventBridge rule.
  B. Create an AWS Lambda function to check the validity of the Redshift cluster security configurations. Create an Amazon EventBridge rule that invokes the Lambda function when Redshift clusters are created. Notify the company of any violations of security policies.
  C. Set up Amazon Redshift Advisor in the company's AWS account to monitor cluster configurations. Configure Redshift Advisor to generate notifications for security items that the company must address.
  D. Create an AWS Lambda function to check the Redshift clusters for any violation of the security configurations. Create an AWS Config custom rule to invoke the Lambda function when Redshift cluster security configurations are modified. Provide the compliance state of each Redshift cluster to AWS Config. Configure AWS Config to notify the company of any violations of the security policies.
  D. Create an AWS Lambda function to check the Redshift clusters for any violation of the security configurations. Create an AWS Config custom rule to invoke the Lambda function when Redshift cluster security configurations are modified. Provide the compliance state of each Redshift cluster to AWS Config. Configure AWS Config to notify the company of any violations of the security policies.

  ---

  Explanation

  The company needs automatic monitoring and notifications for security violations in Amazon Redshift clusters.

  Option A:

  Create an Amazon EventBridge rule that uses the Redshift clusters as the source. Create an AWS Lambda function to evaluate the Redshift cluster security configuration. Configure the Lambda function to notify the company of any violations of the security policies. Add the Lambda function as a target of the EventBridge rule.

  EventBridge can trigger actions based on events.

  However, it does not track changes in Redshift security configurations.

  Option B:

  Create an AWS Lambda function to check the validity of the Redshift cluster security configurations.

  Create an Amazon EventBridge rule that invokes the Lambda function when Redshift clusters are created.

  Notify the company of any violations of security policies. This solution only checks security at cluster creation.

  It does not detect changes that happen after the cluster is created.

  Option C:

  Set up Amazon Redshift Advisor in the company's AWS account to monitor cluster configurations.

  Configure Redshift Advisor to generate notifications for security items that the company must address.

  Redshift Advisor provides performance tuning recommendations but does not monitor security settings.

  Option D:

  Create an AWS Lambda function to check the Redshift clusters for any violation of the security configurations. Create an AWS Config custom rule to invoke the Lambda function when Redshift cluster security configurations are modified. Provide the compliance state of each Redshift cluster to AWS Config.

  Configure AWS Config to notify the company of any violations of the security policies.

  AWS Config tracks configuration changes in Redshift clusters.

  Custom AWS Config rules allow security compliance enforcement.

  Lambda can perform custom security checks and notify the company.

• Question 1439:

  A home security company is expanding its business globally. The company needs to encrypt customer data. The company does not want to manage its own keys. The company needs the keys to be usable in multiple AWS Regions and needs to control access to the keys.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Use AWS Key Management Service (AWS KMS) to create multi-Region keys. Apply tags to identify each key. Use attribute-based access control (ABAC) condition keys to control access to the keys.
  B. Use AWS Key Management Service (AWS KMS) to create multiple keys by importing key material. Apply tags to identify each key. Use attribute-based access control (ABAC) condition keys to control access to the keys.
  C. Use AWS CloudHSM to create a CloudHSM cluster in the company's primary Region. Synchronize the CloudHSM cluster to additional Regions by using the CloudHSM Management Utility (CMU).
  D. Use AWS CloudHSM to create users. Use the CloudHSM Management Utility (CMU) to share keys with the users. Use the shareKey command to share or unshare the key with additional users in each Region.
  A. Use AWS Key Management Service (AWS KMS) to create multi-Region keys. Apply tags to identify each key. Use attribute-based access control (ABAC) condition keys to control access to the keys.

  ---

  Explanation

  AWS Key Management Service (AWS KMS) supports multi-Region keys, which are managed customer master keys that can be replicated to multiple Regions and treated as a single logical key. This allows applications in different Regions to encrypt and decrypt data using equivalent keys while AWS handles key replication, durability, and availability.

  KMS is a fully managed key service, so the company does not need to operate hardware or manage low-level key storage. Tags combined with attribute-based access control (ABAC) let you enforce fine-grained access to keys by using IAM policies and condition keys, giving centralized and flexible access control with low operational overhead.

  CloudHSM (Options C and D) requires managing HSM clusters, scaling, backups, and manual key operations, which significantly increases operational burden. Importing key material in KMS (Option B) adds lifecycle complexity and is unnecessary when native multi-Region keys exist.

• Question 1440:

  A company uses Amazon EC2 instances behind an Application Load Balancer (ALB) to serve content to users. The company uses Amazon Elastic Block Store (Amazon EBS) volumes to store data.

  The company needs to encrypt data in transit and at rest.

  Which combination of services will meet these requirements? (Choose Two.)

  A. Amazon GuardDuty
  B. AWS Shield
  C. AWS Certificate Manager (ACM)
  D. AWS Secrets Manager
  E. AWS Key Management Service (AWS KMS)
  C. AWS Certificate Manager (ACM)
  E. AWS Key Management Service (AWS KMS)

  ---

  Explanation

  To secure data in transit, the company should use AWS Certificate Manager (ACM) to provide SSL/TLS certificates for the Application Load Balancer. ACM allows easy provisioning, management, and renewal of public and private certificates, ensuring secure communication between users and applications.

  To secure data at rest, AWS Key Management Service (KMS) is used to manage encryption keys for Amazon EBS volumes. EBS integrates with AWS KMS, allowing for server-side encryption using KMS-managed keys (SSE-KMS), thus meeting the encryption at rest requirement.

  Other options:

  GuardDuty (A) is for threat detection, not encryption.

  AWS Shield (B) protects against DDoS attacks, not encryption.

  Secrets Manager (D) manages credentials, not general data encryption.

  This solution follows the AWS Well-Architected Framework-Security Pillar.

  References:

  Encrypting EBS volumes with KMS Using ACM with ALB