Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 521:

  A company runs an application on premises. The application needs to periodically upload large files to an Amazon S3 bucket. A solutions architect needs a solution to provide the application with short-lived authenticated access to the S3 bucket. The solution must not use long-term credentials. The solution needs to be secure and scalable.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Create an IAM user that has an access key and a secret key. Store the keys on the on-premises server in an environment variable. Attach a policy to the IAM user that restricts access to only the S3 bucket.
  B. Configure an AWS Site-to-Site VPN connection from the on-premises environment to the company's VPC. Launch an Amazon EC2 instance with an instance profile. Route all file uploads from the on-premises application through the EC2 instance to the S3 bucket.
  C. Configure an S3 bucket policy to allow access for the on-premises server's public IP address. Configure the policy to allow PUT operations only from the server's IP address.
  D. Configure a trust relationship between the on-premises server and AWS Security Token Service (AWS STS). Generate credentials by assuming an IAM role for each upload operation.
  D. Configure a trust relationship between the on-premises server and AWS Security Token Service (AWS STS). Generate credentials by assuming an IAM role for each upload operation.

  ---

  Explanation

  The best practice to securely provide short-term access to AWS resources, such as Amazon S3, without using long-term credentials, is to use AWS Security Token Service (AWS STS). According to AWS IAM best practices and the Security Pillar of the AWS Well-Architected Framework, temporary credentials should be used instead of long-term credentials whenever possible.

  From the AWS IAM documentation: "Use temporary credentials (IAM roles and AWS STS) instead of long-term access keys. Temporary security credentials are short-term, automatically expire, and are retrieved by using AWS STS." (Source: IAM Best Practices - IAM User Guide)

  Option D outlines the use of a trust relationship and an assume-role mechanism through AWS STS. This approach allows the on-premises application to request temporary, scoped-down credentials to upload files securely to Amazon S3.

  This approach is:

  Secure - Uses short-lived credentials with least privilege.

  Scalable - Does not require EC2 instances or VPN tunnels.

  Low operational overhead - No infrastructure to maintain.

  AWS recommended - Aligns with AWS security best practices.

  In contrast:

  Option A uses long-term credentials, which creates a security risk.

  Option B requires additional infrastructure (EC2 and VPN), which increases complexity and cost.

  Option C relies on IP-based access, which is not identity-based authentication and is less secure.

  References:

  AWS IAM Best Practices - Use temporary credentials

  AWS Security Token Service - Temporary Security Credentials

  AWS Well-Architected Framework - Security Pillar

• Question 522:

  A company stores call transcript files on a monthly basis. Users access the files randomly within 1 year of the call, but users access the files infrequently after 1 year. The company wants to optimize its solution by giving users the ability to query and retrieve files that are less than 1-year-old as quickly as possible. A delay in retrieving older files is acceptable.

  Which solution will meet these requirements MOST cost-effectively?

  A. Store individual files with tags in Amazon S3 Glacier Instant Retrieval. Query the tags to retrieve the files from S3 Glacier Instant Retrieval.
  B. Store individual files in Amazon S3 Intelligent-Tiering. Use S3 Lifecycle policies to move the files to S3 Glacier Flexible Retrieval after 1 year. Query and retrieve the files that are in Amazon S3 by using Amazon Athena. Query and retrieve the files that are in S3 Glacier by using S3 Glacier Select.
  C. Store individual files with tags in Amazon S3 Standard storage. Store search metadata for each archive in Amazon S3 Standard storage. Use S3 Lifecycle policies to move the files to S3 Glacier Instant Retrieval after 1 year. Query and retrieve the files by searching for metadata from Amazon S3.
  D. Store individual files in Amazon S3 Standard storage. Use S3 Lifecycle policies to move the files to S3 Glacier Deep Archive after 1 year. Store search metadata in Amazon RDS. Query the files from Amazon RDS. Retrieve the files from S3 Glacier Deep Archive.
  B. Store individual files in Amazon S3 Intelligent-Tiering. Use S3 Lifecycle policies to move the files to S3 Glacier Flexible Retrieval after 1 year. Query and retrieve the files that are in Amazon S3 by using Amazon Athena. Query and retrieve the files that are in S3 Glacier by using S3 Glacier Select.

• Question 523:

  A company has deployed a web application on AWS. The company hosts the backend database on Amazon RDS for MySQL with a primary DB instance and five read replicas to support scaling needs. The read replicas must lag no more than 1 second behind the primary DB instance. The database routinely runs scheduled stored procedures. As traffic on the website increases, the replicas experience additional lag during periods of peak load. A solutions architect must reduce the replication lag as much as possible.

  The solutions architect must minimize changes to the application code and must minimize ongoing operational overhead.

  Which solution will meet these requirements?

  A. Migrate the database to Amazon Aurora MySQL. Replace the read replicas with Aurora Replicas, and configure Aurora Auto Scaling. Replace the stored procedures with Aurora MySQL native functions.
  B. Deploy an Amazon ElastiCache for Redis cluster in front of the database. Modify the application to check the cache before the application queries the database. Replace the stored procedures with AWS Lambda functions.
  C. Migrate the database to a MySQL database that runs on Amazon EC2 instances. Choose large, compute optimized EC2 instances for all replica nodes. Maintain the stored procedures on the EC2 instances.
  D. Migrate the database to Amazon DynamoDB. Provision a large number of read capacity units (RCUs) to support the required throughput, and configure on-demand capacity scaling. Replace the stored procedures with DynamoDB streams.
  A. Migrate the database to Amazon Aurora MySQL. Replace the read replicas with Aurora Replicas, and configure Aurora Auto Scaling. Replace the stored procedures with Aurora MySQL native functions.

• Question 524:

  A company runs an AWS Lambda function in private subnets in a VPC. The subnets have a default route to the internet through an Amazon EC2 NAT instance. The Lambda function processes input data and saves its output as an object to Amazon S3. Intermittently, the Lambda function times out while trying to upload the object because of saturated traffic on the NAT instance's network. The company wants to access Amazon S3 without traversing the internet.

  Which solution will meet these requirements?

  A. Replace the EC2 NAT instance with an AWS managed NAT gateway.
  B. Increase the size of the EC2 NAT instance in the VPC to a network optimized instance type.
  C. Provision a gateway endpoint for Amazon S3 in the VPUpdate the route tables of the subnets accordingly.
  D. Provision a transit gateway. Place transit gateway attachments in the private subnets where the Lambda function is running.
  C. Provision a gateway endpoint for Amazon S3 in the VPUpdate the route tables of the subnets accordingly.

• Question 525:

  A recent analysis of a company's IT expenses highlights the need to reduce backup costs. The company's chief information officer wants to simplify the on-premises backup infrastructure and reduce costs by eliminating the use of physical backup tapes. The company must preserve the existing investment in the on-premises backup applications and workflows.

  What should a solutions architect recommend?

  A. Set up AWS Storage Gateway to connect with the backup applications using the NFS interface.
  B. Set up an Amazon EFS file system that connects with the backup applications using the NFS interface.
  C. Set up an Amazon EFS file system that connects with the backup applications using the iSCSI interface.
  D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.
  D. Set up AWS Storage Gateway to connect with the backup applications using the iSCSI-virtual tape library (VTL) interface.

• Question 526:

  A company has an application that runs on Amazon EC2 instances in an Auto Scaling group. The application uses hardcoded credentials to access an Amazon RDS database.

  To comply with new regulations, the company needs to automatically rotate the database password for the application service account every 90 days.

  Which solution will meet these requirements?

  A. Create an AWS Lambda function to generate new passwords and upload them to EC2 instances by using SSH.
  B. Create a secret for the database credentials in AWS Secrets Manager. Enable rotation every 90 days. Modify the application to retrieve credentials from Secrets Manager.
  C. Create an Amazon ECS task to rotate passwords and upload them to EC2 instances.
  D. Create a new EC2 instance that runs a cron job to rotate passwords.
  B. Create a secret for the database credentials in AWS Secrets Manager. Enable rotation every 90 days. Modify the application to retrieve credentials from Secrets Manager.

  ---

  Explanation

  Hardcoded database credentials create security risks and operational challenges, especially when compliance requires regular credential rotation. AWS Secrets Manager is the AWS-recommended service for securely storing, managing, and rotating secrets such as database credentials.

  Option B is the correct solution because Secrets Manager natively supports automated credential rotation using AWS-managed or custom Lambda functions. By enabling rotation on a 90-day schedule, Secrets Manager automatically updates the credentials in the RDS database and stores the new values securely.

  The application retrieves credentials dynamically at runtime, eliminating the need for storing passwords on

  EC2 instances.

  Options A, C, and D all rely on custom scripts, SSH access, and manual distribution of secrets, which significantly increases operational overhead, security risk, and failure potential. These approaches also violate AWS best practices by spreading sensitive credentials across multiple hosts.

  Secrets Manager integrates with IAM for fine-grained access control, supports auditing through AWS CloudTrail, and improves overall security posture while reducing operational complexity. Therefore, B best meets the requirements in a secure, scalable, and compliant manner.

• Question 527:

  A company has more than 5 TB of file data on Windows file servers that run on premises. Users and applications interact with the data each day. The company is moving its Windows workloads to AWS. As the company continues this process, the company requires access to AWS and on-premises file storage with minimum latency. The company needs a solution that minimizes operational overhead and requires no significant changes to the existing file access patterns.

  The company uses an AWS Site-to-Site VPN connection for connectivity to AWS.

  What should a solutions architect do to meet these requirements?

  A. Deploy and configure Amazon FSx for Windows File Server on AWS. Move the on-premises file data to FSx for Windows File Server. Reconfigure the workloads to use FSx for Windows File Server on AWS.
  B. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to the S3 File Gateway. Reconfigure the on-premises workloads and the cloud workloads to use the S3 File Gateway.
  C. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to Amazon S3. Reconfigure the workloads to use either Amazon S3 directly or the S3 File Gateway, depending on each workload's location.
  D. Deploy and configure Amazon FSx for Windows File Server on AWS. Deploy and configure an Amazon FSx File Gateway on premises. Move the on-premises file data to the FSx File Gateway. Configure the cloud workloads to use FSx for Windows File Server on AWS. Configure the on-premises workloads to use the FSx File Gateway.
  D. Deploy and configure Amazon FSx for Windows File Server on AWS. Deploy and configure an Amazon FSx File Gateway on premises. Move the on-premises file data to the FSx File Gateway. Configure the cloud workloads to use FSx for Windows File Server on AWS. Configure the on-premises workloads to use the FSx File Gateway.

• Question 528:

  A company wants to migrate 100 GB of historical data from an on-premises location to an Amazon S3 bucket. The company has a 100 megabits per second (Mbps) internet connection on premises. The company needs to encrypt the data in transit to the S3 bucket. The company will store new data directly in Amazon S3.

  Which solution will meet these requirements with the LEAST operational overhead?

  A. Use the s3 sync command in the AWS CLI to move the data directly to an S3 bucket
  B. Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket
  C. Use AWS Snowball to move the data to an S3 bucket
  D. Set up an IPsec VPN from the on-premises location to AWS. Use the s3 cp command in the AWS CLI to move the data directly to an S3 bucket
  B. Use AWS DataSync to migrate the data from the on-premises location to an S3 bucket

• Question 529:

  A developer has an application that uses an AWS Lambda function to upload files to Amazon S3 and needs the required permissions to perform the task. The developer already has an IAM user with valid IAM credentials required for Amazon S3.

  What should a solutions architect do to grant the permissions?

  A. Add required IAM permissions in the resource policy of the Lambda function.
  B. Create a signed request using the existing IAM credentials in the Lambda function.
  C. Create a new IAM user and use the existing IAM credentials in the Lambda function.
  D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.
  D. Create an IAM execution role with the required permissions and attach the IAM role to the Lambda function.

• Question 530:

  A company is designing a new web application that will run on Amazon EC2 Instances. The application will use Amazon DynamoDB for backend data storage. The application traffic will be unpredictable. The company expects that the application read and write throughput to the database will be moderate to high.

  The company needs to scale in response to application traffic.

  Which DynamoDB table configuration will meet these requirements MOST cost-effectively?

  A. Configure DynamoDB with provisioned read and write by using the DynamoDB Standard table class. Set DynamoDB auto scaling to a maximum defined capacity.
  B. Configure DynamoDB in on-demand mode by using the DynamoDB Standard table class.
  C. Configure DynamoDB with provisioned read and write by using the DynamoDB Standard Infrequent Access (DynamoDB Standard-IA) table class. Set DynamoDB auto scaling to a maximum defined capacity.
  D. Configure DynamoDB in on-demand mode by using the DynamoDB Standard Infrequent Access (DynamoDB Standard-IA) table class.
  B. Configure DynamoDB in on-demand mode by using the DynamoDB Standard table class.