Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 311:

  An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table.

  What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?

  A. Use a VPC endpoint for DynamoDB.
  B. Use a NAT gateway in a public subnet.
  C. Use a NAT instance in a private subnet.
  D. Use the internet gateway attached to the VPC.
  A. Use a VPC endpoint for DynamoDB.

• Question 312:

  A company has a large amount of data in an Amazon DynamoDB table. A large batch of data is appended to the table once each day. The company wants a solution that will make all the existing and future data in DynamoDB available for analytics on a long-term basis.

  Which solution meets these requirements with the LEAST operational overhead?

  A. Configure DynamoDB incremental exports to Amazon S3.
  B. Configure Amazon DynamoDB Streams to write records to Amazon S3.
  C. Configure Amazon EMR to copy DynamoDB data to Amazon S3.
  D. Configure Amazon EMR to copy DynamoDB data to Hadoop Distributed File System (HDFS).
  A. Configure DynamoDB incremental exports to Amazon S3.

  ---

  Explanation

  Incremental Exports: Exporting DynamoDB data directly to Amazon S3 provides an automated, serverless way to make data available for analytics without operational overhead.

  Analytics-Friendly Storage: Amazon S3 supports long-term analytics workloads and can integrate with tools like Athena or QuickSight.

  DynamoDB Export to S3 Documentation

• Question 313:

  A solutions architect is designing a web application that will run on Amazon EC2 instances behind an Application Load Balancer (ALB). The company strictly requires that the application be resilient against malicious internet activity and attacks, and protect against new common vulnerabilities and exposures.

  What should the solutions architect recommend?

  A. Leverage Amazon CloudFront with the ALB endpoint as the origin.
  B. Deploy an appropriate managed rule for AWS WAF and associate it with the ALB.
  C. Subscribe to AWS Shield Advanced and ensure common vulnerabilities and exposures are blocked.
  D. Configure network ACLs and security groups to allow only ports 80 and 443 to access the EC2 instances.
  B. Deploy an appropriate managed rule for AWS WAF and associate it with the ALB.

  ---

  Explanation

  AWS WAF allows web applications to protect themselves from common web exploits and vulnerabilities.

  Using AWS managed rule groups ensures protection against known attack patterns, such as SQL injection and cross-site scripting.

  Associating AWS WAF with the ALB provides application-layer security and real-time threat mitigation.

  References:

  AWS Documentation?AWS WAF and Shield Developer Guide

• Question 314:

  A company runs workloads in the AWS Cloud. The company wants to centrally collect security data to assess security across the entire company and to improve workload protection.

  Which solution will meet these requirements with the LEAST development effort?

  A. Configure a data lake in AWS Lake Formation. Use AWS Glue crawlers to ingest the security data into the data lake.
  B. Configure an AWS Lambda function to collect the security data in .csv format. Upload the data to an Amazon S3 bucket.
  C. Configure a data lake in Amazon Security Lake to collect the security data. Upload the data to an Amazon S3 bucket.
  D. Configure an AWS Database Migration Service (AWS DMS) replication instance to load the security data into an Amazon RDS cluster.
  C. Configure a data lake in Amazon Security Lake to collect the security data. Upload the data to an Amazon S3 bucket.

• Question 315:

  A company runs an application on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The company wants to protect the application against layer 7 DDoS attacks.

  Which solution will meet this requirement?

  A. Associate AWS Shield Standard with the ALB.
  B. Create an AWS WAF web ACL and add a custom rule. Associate the web ACL with the ALB.
  C. Create an AWS WAF web ACL and add an AWS managed rule. Associate the web ACL with the ALB.
  D. Create an Amazon CloudFront distribution and set the ALB as the origin. Configure the application DNS record to point to the CloudFront distribution instead of the ALB.
  C. Create an AWS WAF web ACL and add an AWS managed rule. Associate the web ACL with the ALB.

  ---

  Explanation

  Protecting an application from layer 7 (application layer) DDoS attacks is best achieved by using AWS WAF (Web Application Firewall), which provides customizable protection against common web exploits including DDoS attacks at the application layer. AWS WAF supports managed rule groups maintained by AWS, which offer robust, tested protections against OWASP top 10 vulnerabilities and common attack patterns without requiring extensive manual rule creation.

  While AWS Shield Standard provides basic network-layer DDoS protection automatically at no additional charge, it does not offer application-layer filtering capabilities. Therefore, option A alone is insufficient.

  Option B, involving only custom rules, requires significant operational overhead and expertise, whereas AWS managed rules offer a turnkey solution with ongoing updates from AWS security teams.

  Option D, using CloudFront in front of the ALB, can provide additional protection benefits such as caching and geographic restrictions, but the question specifically asks for protecting against layer 7 DDoS on the ALB directly. CloudFront plus WAF is a valid enhanced solution, but the direct and recommended answer in AWS official documents is to use AWS WAF managed rules directly with ALB for application-level protection.

  References:

  AWS Well-Architected Framework -- Security Pillar (https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf)

  AWS WAF Overview (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html)

  AWS Shield Overview (https://aws.amazon.com/shield/)

  Protecting Web Applications with AWS WAF (https://aws.amazon.com/blogs/security/how-to-protect-your-web-application-from-dos-and-ddos-attacks-using-aws-waf/)

• Question 316:

  A company uses a payment processing system that requires messages for a particular payment ID to be received in the same order that they were sent. Otherwise, the payments might be processed incorrectly.

  Which actions should a solutions architect take to meet this requirement? (Choose two.)

  A. Write the messages to an Amazon DynamoDB table with the payment ID as the partition key.
  B. Write the messages to an Amazon Kinesis data stream with the payment ID as the partition key.
  C. Write the messages to an Amazon ElastiCache for Memcached cluster with the payment ID as the key.
  D. Write the messages to an Amazon Simple Queue Service (Amazon SQS) queue. Set the message attribute to use the payment ID.
  E. Write the messages to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Set the message group to use the payment ID.
  B. Write the messages to an Amazon Kinesis data stream with the payment ID as the partition key.
  E. Write the messages to an Amazon Simple Queue Service (Amazon SQS) FIFO queue. Set the message group to use the payment ID.

• Question 317:

  A financial services company launched a new application that uses an Amazon RDS for MySQL database.

  The company uses the application to track stock market trends. The company needs to operate the application for only 2 hours at the end of each week. The company needs to optimize the cost of running the database.

  Which solution will meet these requirements MOST cost-effectively?

  A. Migrate the existing RDS for MySQL database to an Aurora Serverless v2 MySQL database cluster.
  B. Migrate the existing RDS for MySQL database to an Aurora MySQL database cluster.
  C. Migrate the existing RDS for MySQL database to an Amazon EC2 instance that runs MySQL. Purchase an instance reservation for the EC2 instance.
  D. Migrate the existing RDS for MySQL database to an Amazon Elastic Container Service (Amazon ECS) cluster that uses MySQL container images to run tasks.
  A. Migrate the existing RDS for MySQL database to an Aurora Serverless v2 MySQL database cluster.

• Question 318:

  How can a company detect and notify security teams about PII in S3 buckets?

  A. Use Amazon Macie. Create an EventBridge rule for SensitiveData findings and send an SNS notification.
  B. Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SNS notification.
  C. Use Amazon Macie. Create an EventBridge rule for SensitiveData:S3Object/Personal findings and send an SQS notification.
  D. Use Amazon GuardDuty. Create an EventBridge rule for CRITICAL findings and send an SQS notification.
  A. Use Amazon Macie. Create an EventBridge rule for SensitiveData findings and send an SNS notification.

  ---

  Explanation

  Amazon Macieis purpose-built for detecting PII in S3.

  Option A uses EventBridge to filter SensitiveData findings and notify via SNS, meeting the requirements.

  Options B and Dinvolve GuardDuty, which is not designed for PII detection.

  Option C uses SQS, which is less suitable for immediate notifications.

• Question 319:

  A company has an on-premises volume backup solution that has reached its end of life. The company wants to use AWS as part of a new backup solution and wants to maintain local access to all the data while it is backed up on AWS.

  The company wants to ensure that the data backed up on AWS is automatically and securely transferred.

  Which solution meets these requirements?

  A. Use AWS Snowball to migrate data out of the on-premises solution to Amazon S3. Configure on-premises systems to mount the Snowball S3 endpoint to provide local access to the data.
  B. Use AWS Snowball Edge to migrate data out of the on-premises solution to Amazon S3. Use the Snowball Edge file interface to provide on-premises systems with local access to the data.
  C. Use AWS Storage Gateway and configure a cached volume gateway. Run the Storage Gateway software appliance on premises and configure a percentage of data to cache locally. Mount the gateway storage volumes to provide local access to the data.
  D. Use AWS Storage Gateway and configure a stored volume gateway. Run the Storage Gateway software appliance on premises and map the gateway storage volumes to on-premises storage. Mount the gateway storage volumes to provide local access to the data.
  D. Use AWS Storage Gateway and configure a stored volume gateway. Run the Storage Gateway software appliance on premises and map the gateway storage volumes to on-premises storage. Mount the gateway storage volumes to provide local access to the data.

• Question 320:

  A company wants to provide a third-party system that runs in a private data center with access to its AWS account. The company wants to call AWS APIs directly from the third-party system. The company has an existing process for managing digital certificates. The company does not want to use SAML or OpenID Connect (OIDC) capabilities and does not want to store long-term AWS credentials.

  Which solution will meet these requirements?

  A. Configure mutual TLS to allow authentication of the client and server sides of the communication channel.
  B. Configure AWS Signature Version 4 to authenticate incoming HTTPS requests to AWS APIs.
  C. Configure Kerberos to exchange tickets for assertions that can be validated by AWS APIs.
  D. Configure AWS Identity and Access Management (IAM) Roles Anywhere to exchange X.509 certificates for AWS credentials to interact with AWS APIs.
  D. Configure AWS Identity and Access Management (IAM) Roles Anywhere to exchange X.509 certificates for AWS credentials to interact with AWS APIs.

  ---

  Explanation

  A. Mutual TLS:Provides secure communication but does not integrate with AWS credential exchange. Option

  B. AWS Signature v4:Requires direct integration with AWS and is less secure for external systems. Option

  C. Kerberos:Not natively supported for AWS API authentication. Option

  D. IAM Roles Anywhere:Enables AWS API access using X.509 certificates without long-term credentials.

  References:

  IAM Roles Anywhere