A company is migrating mobile banking applications to run on Amazon EC2 instances in a VPC. Backend service applications run in an on-premises data center. The data center has an AWS Direct Connect connection into AWS. The applications that run in the VPC need to resolve DNS requests to an on-premises Active Directory domain that runs in the data center.
Which solution will meet these requirements with the LEAST administrative overhead?
A. Provision a set of EC2 instances across two Availability Zones in the VPC as caching DNS servers to resolve DNS queries from the application servers within the VPC.
B. Provision an Amazon Route 53 private hosted zone. Configure NS records that point to on-premises DNS servers.
C. Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.
D. Provision a new Active Directory domain controller in the VPC with a bidirectional trust between this new domain and the on-premises Active Directory domain.
C. Create DNS endpoints by using Amazon Route 53 Resolver. Add conditional forwarding rules to resolve DNS namespaces between the on-premises data center and the VPC.
Explanation
Amazon Route 53 Resolver endpoints integrate DNS between AWS and on-premises environments without running DNS servers yourself. An outbound Resolver endpoint in the VPC, together with a forwarding rule for the on-premises Active Directory domain, sends only queries for that namespace to the on-premises DNS servers over the Direct Connect link; every other query is still answered by the VPC's default resolver. An inbound endpoint is only needed if on-premises hosts must also resolve names inside the VPC. The service is fully managed and redundant across the Availability Zones you place the endpoint in, so it carries the least administrative overhead.
AWS Documentation Extract:
"Route 53 Resolver provides DNS resolution between AWS and on-premises environments, using endpoints and forwarding rules to manage DNS query routing seamlessly."
(Source: Route 53 Resolver documentation)
Option A, Option D: Both require provisioning, patching, monitoring and failing over EC2 instances or domain controllers. A directory trust (option D) also does not by itself make the VPC resolve the on-premises namespace; DNS forwarding would still have to be configured on the new controllers.
Option B: A Route 53 private hosted zone cannot delegate a namespace to external name servers; the VPC resolver does not follow NS records that point to on-premises servers, so queries for the AD domain would simply fail.
References:
AWS Certified Solutions Architect Official Study Guide, Hybrid DNS Integration.
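Added example (Terraform, not part of the original question or answer): an outbound Resolver endpoint spread over two Availability Zones, a security group that only permits DNS traffic to the on-premises range, and a forwarding rule for the AD domain associated with the VPC. The VPC and subnet IDs, the on-premises DNS addresses 10.10.0.53/10.10.0.54, the CIDR 10.10.0.0/16 and the domain corp.example.com are placeholders.

```hcl
# Added example (not from the question bank): Route 53 Resolver outbound
# endpoint plus a conditional forwarding rule for an on-premises AD domain.
# All IDs, addresses and the domain name below are placeholders.

variable "vpc_id"           { default = "vpc-0123456789abcdef0" }
variable "resolver_subnets" { default = ["subnet-0aaa", "subnet-0bbb"] } # two AZs
variable "onprem_dns"       { default = ["10.10.0.53", "10.10.0.54"] }
variable "onprem_cidr"      { default = "10.10.0.0/16" }
variable "ad_domain"        { default = "corp.example.com" }

# The endpoint ENIs may only talk DNS, and only to the on-premises range.
resource "aws_security_group" "resolver_outbound" {
  name   = "r53-resolver-outbound"
  vpc_id = var.vpc_id

  dynamic "egress" {
    for_each = ["tcp", "udp"]
    content {
      protocol    = egress.value
      from_port   = 53
      to_port     = 53
      cidr_blocks = [var.onprem_cidr]
    }
  }
}

resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-onprem"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver_outbound.id]

  # One ENI per Availability Zone so a single-AZ failure does not break
  # resolution of the on-premises namespace.
  dynamic "ip_address" {
    for_each = var.resolver_subnets
    content { subnet_id = ip_address.value }
  }
}

# Conditional forwarding: only queries under corp.example.com leave the VPC.
# Everything else is still answered by the VPC's own Route 53 Resolver.
resource "aws_route53_resolver_rule" "ad" {
  name                 = "forward-corp"
  domain_name          = var.ad_domain
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.onprem_dns
    content {
      ip   = target_ip.value
      port = 53
    }
  }
}

# A rule has no effect until it is associated with a VPC.
resource "aws_route53_resolver_rule_association" "ad" {
  resolver_rule_id = aws_route53_resolver_rule.ad.id
  vpc_id           = var.vpc_id
}
```

After apply, `dig dc01.corp.example.com` from an instance in the VPC is answered by the on-premises servers while `dig amazonaws.com` still uses the default resolver. The on-premises firewall and DNS servers must accept UDP and TCP port 53 from the endpoint ENIs' VPC addresses over the Direct Connect path, otherwise queries for the AD domain time out.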
Question 602:
A company has an application that runs on Amazon EC2 instances within a private subnet in a VPC. The instances access data in an Amazon S3 bucket in the same AWS Region. The VPC contains a NAT gateway in a public subnet to access the S3 bucket. The company wants to reduce costs by replacing the NAT gateway without compromising security or redundancy.
Which solution meets these requirements?
A. Replace the NAT gateway with a NAT instance.
B. Replace the NAT gateway with an internet gateway.
C. Replace the NAT gateway with a gateway VPC endpoint.
D. Replace the NAT gateway with an AWS Direct Connect connection.
C. Replace the NAT gateway with a gateway VPC endpoint.
Explanation
A gateway VPC endpoint for Amazon S3 adds a route for the S3 prefix list to the private subnet's route table, so instance-to-S3 traffic stays on the AWS network and never traverses the NAT gateway or the public internet. Gateway endpoints have no hourly or data-processing charge, and they are horizontally scaled, redundant regional components, so nothing is lost in redundancy when the NAT gateway is removed. An endpoint policy, and an aws:SourceVpce condition in the bucket policy, can additionally restrict which buckets are reachable through the endpoint and from where.
Option A: A NAT instance is an EC2 instance you must size, patch and make highly available yourself, and it still incurs compute and data-transfer charges.
Option B: An internet gateway would require public IP addresses on the instances and send S3 traffic over the public internet; it does not provide private access.
Option D: Direct Connect links an on-premises network to AWS; it plays no role in traffic between a VPC and S3 in the same Region and is not a cost-saving measure.
References:
AWS Certified Solutions Architect Official Study Guide, VPC Networking and Endpoints.
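Added example (Terraform, not part of the original question or answer): the gateway endpoint that replaces the NAT gateway for S3 traffic, with an endpoint policy that limits which bucket is reachable and a bucket policy that refuses any request not arriving through that endpoint. The VPC ID, route table ID and bucket name are placeholders.

```hcl
# Added example (not from the question bank): S3 gateway endpoint in place of
# the NAT gateway for S3 access. IDs and the bucket name are placeholders.

variable "vpc_id"              { default = "vpc-0123456789abcdef0" }
variable "private_route_table" { default = "rtb-0123456789abcdef0" }
variable "bucket_name"         { default = "example-app-data" }

data "aws_region" "current" {}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"

  # The endpoint inserts a route for the S3 prefix list into these tables, so
  # S3 traffic from the private subnet no longer touches the NAT gateway.
  route_table_ids = [var.private_route_table]

  # Endpoint policy: limits WHAT the endpoint can reach (the bucket), not WHO
  # may use it. Principal must be "*" for gateway endpoints; IAM still applies.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyOurBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
    }]
  })
}

# Bucket side of the same boundary: requests that did not come through this
# endpoint are denied even if the caller's IAM role would otherwise allow them.
# This closes the "stolen instance credentials used from elsewhere" path.
resource "aws_s3_bucket_policy" "only_via_endpoint" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromVpce"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
      }
    }]
  })
}
```

Two caveats before applying this in anger. The Deny statement also locks out administrators working from the console or from outside the VPC, so exempt an admin role (an `aws:PrincipalArn` condition) or manage the bucket from inside the VPC. And if the instances install packages from the Amazon Linux repositories, which are served from S3, the endpoint policy above will block those downloads once the NAT gateway is gone; add the repository buckets to the policy or keep a separate egress path for them.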
Question 603:
A company performs tests on an application that uses an Amazon DynamoDB table. The tests run for 4 hours once a week. The company knows how many read and write operations the application performs to the table each second during the tests. The company does not currently use DynamoDB for any other use case. A solutions architect needs to optimize the costs for the table.
Which solution will meet these requirements?
A. Choose on-demand mode. Update the read and write capacity units appropriately.
B. Choose provisioned mode. Update the read and write capacity units appropriately.
C. Purchase DynamoDB reserved capacity for a 1-year term.
D. Purchase DynamoDB reserved capacity for a 3-year term.
B. Choose provisioned mode. Update the read and write capacity units appropriately.
Question 604:
A company stores data for multiple business units in a single Amazon S3 bucket that is in the company's payer AWS account. To maintain data isolation, the business units store data in separate prefixes in the S3 bucket by using an S3 bucket policy. The company plans to add a large number of dynamic prefixes. The company does not want to rely on a single S3 bucket policy to manage data access at scale. The company wants to develop a secure access management solution in addition to the bucket policy to enforce prefix-level data isolation.
Which solution will meet these requirements?
A. Configure the S3 bucket policy to deny s3:GetObject permissions for all users. Configure the bucket policy to allow s3:* access to individual business units.
B. Enable default encryption on the S3 bucket by using server-side encryption with Amazon S3 managed keys (SSE-S3).
C. Configure resource-based permissions on the S3 bucket by creating an S3 access point for each business unit.
D. Use pre-signed URLs to provide access to the S3 bucket.
C. Configure resource-based permissions on the S3 bucket by creating an S3 access point for each business unit.
Explanation
Why Option C is Correct:
S3 Access Points: Each access point has its own name, its own DNS endpoint and its own resource policy, so the permissions for one business unit's prefix are written in that access point's policy rather than in one bucket policy that grows with every unit.
Dynamic Prefixes: Adding a business unit means creating another access point, not editing the shared bucket policy. The bucket policy shrinks to a short statement that delegates access control to access points owned by the account, which is the scalable pattern AWS documents for exactly this case.
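Added example (Terraform, not part of the original question or answer): one access point per business unit, each policy confined to the unit's own prefix for object operations and for listing, and the bucket policy reduced to a delegation statement. The account ID 111122223333, the bucket name, the unit names and the IAM roles are placeholders; the prefix is assumed to equal the unit name.

```hcl
# Added example (not from the question bank): per-business-unit S3 access
# points enforcing prefix-level isolation. Names, ARNs and IDs are placeholders.

variable "bucket_name" { default = "payer-shared-data" }
variable "account_id"  { default = "111122223333" }

# unit name => the IAM principal that unit uses; the unit name is also its prefix
variable "units" {
  default = {
    finance = "arn:aws:iam::111122223333:role/finance-app"
    sales   = "arn:aws:iam::111122223333:role/sales-app"
  }
}

data "aws_region" "current" {}

resource "aws_s3_access_point" "unit" {
  for_each = var.units
  bucket   = var.bucket_name
  name     = "${each.key}-ap"

  # Prefix isolation is enforced here. Object ARNs through an access point
  # take the form <access point ARN>/object/<key>, so the prefix is pinned in
  # the Resource, and ListBucket is narrowed with an s3:prefix condition.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "ObjectsUnderOwnPrefix"
        Effect    = "Allow"
        Principal = { AWS = each.value }
        Action    = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
        Resource  = "arn:aws:s3:${data.aws_region.current.name}:${var.account_id}:accesspoint/${each.key}-ap/object/${each.key}/*"
      },
      {
        Sid       = "ListOwnPrefixOnly"
        Effect    = "Allow"
        Principal = { AWS = each.value }
        Action    = "s3:ListBucket"
        Resource  = "arn:aws:s3:${data.aws_region.current.name}:${var.account_id}:accesspoint/${each.key}-ap"
        Condition = { StringLike = { "s3:prefix" = ["${each.key}/*"] } }
      }
    ]
  })
}

# The bucket policy no longer lists prefixes at all. It delegates to any
# access point in this account; the access point policies carry the detail.
resource "aws_s3_bucket_policy" "delegate" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DelegateToAccessPoints"
      Effect    = "Allow"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringEquals = { "s3:DataAccessPointAccount" = var.account_id }
      }
    }]
  })
}
```

Callers address the access point (its ARN or alias) instead of the bucket name; `aws s3api get-object --bucket arn:aws:s3:us-east-1:111122223333:accesspoint/finance-ap --key finance/report.csv` succeeds for the finance role, and `--key sales/report.csv` through the same access point is denied. Because the business units are in the same account, their identity-based policies should be scoped to the access point ARNs as well, otherwise a broad `s3:*` on the bucket in a unit's role policy would still grant direct bucket access around the access points.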
A solutions architect must create a disaster recovery (DR) plan for a high-volume software as a service (SaaS) platform. All data for the platform is stored in an Amazon Aurora MySQL DB cluster. The DR plan must replicate data to a secondary AWS Region.
Which solution will meet these requirements MOST cost-effectively?
A. Use MySQL binary log replication to an Aurora cluster in the secondary Region. Provision one DB instance for the Aurora cluster in the secondary Region.
B. Set up an Aurora global database for the DB cluster. When setup is complete, remove the DB instance from the secondary Region.
C. Use AWS Database Migration Service (AWS DMS) to continuously replicate data to an Aurora cluster in the secondary Region. Remove the DB instance from the secondary Region.
D. Set up an Aurora global database for the DB cluster. Specify a minimum of one DB instance in the secondary Region.
B. Set up an Aurora global database for the DB cluster. When setup is complete, remove the DB instance from the secondary Region.
Question 606:
A company's website uses an Amazon EC2 instance store for its catalog of items. The company wants to make sure that the catalog is highly available and that the catalog is stored in a durable location.
What should a solutions architect do to meet these requirements?
A. Move the catalog to Amazon ElastiCache for Redis.
B. Deploy a larger EC2 instance with a larger instance store.
C. Move the catalog from the instance store to Amazon S3 Glacier Deep Archive.
D. Move the catalog to an Amazon Elastic File System (Amazon EFS) file system.
D. Move the catalog to an Amazon Elastic File System (Amazon EFS) file system.
Question 607:
A company hosts an application on Amazon EC2 instances that are part of a target group behind an Application Load Balancer (ALB). The company has attached a security group to the ALB.
During a recent review of application logs, the company found many unauthorized login attempts from IP addresses that belong to countries outside the company's normal user base. The company wants to allow traffic only from the United States and Australia.
Which solution will meet these requirements?
A. Edit the default network ACL to block IP addresses from outside of the allowed countries.
B. Create a geographic match rule in AWS WAF. Attach the rule to the ALB.
C. Configure the ALB security group to allow the IP addresses of company employees. Edit the default network ACL to block IP addresses from outside of the allowed countries.
D. Use a host-based firewall on the EC2 instances to block IP addresses from outside of the allowed countries. Configure the ALB security group to allow the IP addresses of company employees.
B. Create a geographic match rule in AWS WAF. Attach the rule to the ALB.
Explanation
Why Option B is Correct:
AWS WAF: A geographic match rule statement evaluates the geolocation of the client's source IP address and allows or blocks requests by country code. A rule that blocks every request whose country is not US or AU does exactly what the company asked for, with AWS maintaining the geolocation data.
ALB integration: A regional web ACL is associated directly with the ALB, giving a single, centrally managed control point instead of per-subnet network ACL entries or per-instance firewall rules.
Why other options are not correct:
Option A: Network ACLs filter by CIDR, not by country. You would have to compile and continuously update the IP ranges allocated to every other country, and a network ACL has a hard limit on the number of rules it can hold.
Option C: Allowing only employee IP addresses in the ALB security group would cut off the website's actual users in the United States and Australia, and the network ACL part has the same limitation as option A.
Option D: Host-based firewalls have to be configured and kept current on every instance, and an instance behind an ALB sees the load balancer's private address as the TCP source, not the client's, so the country decision would be made at the wrong layer.
References:
AWS WAF documentation, geographic match rule statement.
Question 608:
A company is concerned that two NAT instances in use will no longer be able to support the traffic needed for the company's application. A solutions architect wants to implement a solution that is highly available, fault tolerant, and automatically scalable.
What should the solutions architect recommend?
A. Remove the two NAT instances and replace them with two NAT gateways in the same Availability Zone.
B. Use Auto Scaling groups with Network Load Balancers for the NAT instances in different Availability Zones.
C. Remove the two NAT instances and replace them with two NAT gateways in different Availability Zones.
D. Replace the two NAT instances with Spot Instances in different Availability Zones and deploy a Network Load Balancer.
C. Remove the two NAT instances and replace them with two NAT gateways in different Availability Zones.
Question 609:
A media company hosts its website on AWS. The website application's architecture includes a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB) and a database that is hosted on Amazon Aurora. The company's cybersecurity team reports that the application is vulnerable to SQL injection.
How should the company resolve this issue?
A. Use AWS WAF in front of the ALB. Associate the appropriate web ACLs with AWS WAF.
B. Create an ALB listener rule to reply to SQL injections with a fixed response.
C. Subscribe to AWS Shield Advanced to block all SQL injection attempts automatically.
D. Set up Amazon Inspector to block all SQL injection attempts automatically.
A. Use AWS WAF in front of the ALB. Associate the appropriate web ACLs with AWS WAF.
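Added example (Terraform, not part of the original questions or answers) covering both question 607 and question 609: one regional web ACL attached to the ALB with a geographic match rule that blocks every client outside the United States and Australia, and the AWS managed SQL injection rule group. The ALB ARN is a placeholder. Two caveats a practitioner would want stated: geo matching relies on IP geolocation, so if a CloudFront distribution or another proxy sits in front of the ALB the rule must read the client address from a forwarded header (`forwarded_ip_config`) or every request will appear to come from the proxy; and a WAF rule reduces exposure to SQL injection but does not remove the bug, so the application code still needs parameterized queries.

```hcl
# Added example (not from the question bank): regional AWS WAF web ACL with a
# country allow-list and the AWS managed SQLi rule group, attached to an ALB.
# The ALB ARN is a placeholder.

variable "alb_arn" {
  default = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/web/0123456789abcdef"
}

resource "aws_wafv2_web_acl" "web" {
  name  = "web-alb-acl"
  scope = "REGIONAL" # CLOUDFRONT scope is for distributions only

  default_action {
    allow {}
  }

  # Rule 0 (question 607): wrap the geo match in not_statement so that
  # "client is in US or AU" becomes "block everyone else".
  rule {
    name     = "block-outside-us-au"
    priority = 0
    action {
      block {}
    }
    statement {
      not_statement {
        statement {
          geo_match_statement { country_codes = ["US", "AU"] }
        }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "block-outside-us-au"
      sampled_requests_enabled   = true
    }
  }

  # Rule 1 (question 609): AWS-maintained SQL injection signatures applied to
  # the body, query string, URI, headers and cookies. override_action none
  # keeps the group's own block actions in force.
  rule {
    name     = "aws-sqli"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesSQLiRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-sqli"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "web-alb-acl"
    sampled_requests_enabled   = true
  }
}

# A web ACL enforces nothing until it is associated with the load balancer.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.web.arn
}
```

Before switching the SQLi group to blocking in production, run it with `override_action { count {} }` for a few days and review the sampled requests in CloudWatch; managed rule groups can false-positive on legitimate payloads that contain SQL-like text, and a count phase shows what would have been blocked without causing an outage.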
Question 610:
A company has developed an API using an Amazon API Gateway REST API and AWS Lambda functions.
The API serves static and dynamic content to users worldwide. The company wants to decrease the latency of transferring content for API requests.
Which solution will meet these requirements?
A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
B. Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
C. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
D. Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for the Lambda functions.
A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding in the API definition to compress the application data in transit.
Explanation
Option A: Edge-optimized API + Caching + Compression: an edge-optimized endpoint terminates client connections at the nearest CloudFront edge location, API caching serves repeated responses from the stage cache instead of invoking Lambda, and content encoding shrinks the payload that has to cross the network. All three cut latency for users worldwide.
Option B: Regional API + Caching + Compression: caching and compression help, but a Regional endpoint has no edge locations, so distant users still pay the full round trip to the Region.
Option C: Edge-optimized API + Reserved Concurrency: reserved concurrency guarantees the Lambda functions capacity but does nothing for transfer latency, and it does not compress the data.
Option D: Regional API + Reserved Concurrency: lacks both edge optimization and compression, so global users see the highest latency of the four.
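Added example (Terraform, not part of the original question or answer): the three settings from option A expressed as configuration, an EDGE endpoint type, payload compression above a size threshold, and a stage cache enabled per method, plus the two cache settings that matter for security: encrypting cached data and refusing client-driven cache invalidation. The Lambda invoke ARN and the `/items` resource are placeholders.

```hcl
# Added example (not from the question bank): edge-optimized REST API with
# stage caching and compression. The Lambda ARN and resource path are placeholders.

variable "lambda_invoke_arn" {
  default = "arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:111122223333:function:catalog/invocations"
}

resource "aws_api_gateway_rest_api" "catalog" {
  name = "catalog-api"
  # Responses above this many bytes are compressed when the client sends
  # Accept-Encoding; tiny payloads are left alone to avoid wasted CPU.
  minimum_compression_size = 1024
  endpoint_configuration {
    types = ["EDGE"] # fronted by CloudFront; REGIONAL would skip the edge
  }
}

resource "aws_api_gateway_resource" "items" {
  rest_api_id = aws_api_gateway_rest_api.catalog.id
  parent_id   = aws_api_gateway_rest_api.catalog.root_resource_id
  path_part   = "items"
}

resource "aws_api_gateway_method" "get_items" {
  rest_api_id   = aws_api_gateway_rest_api.catalog.id
  resource_id   = aws_api_gateway_resource.items.id
  http_method   = "GET"
  authorization = "NONE"
}

resource "aws_api_gateway_integration" "get_items" {
  rest_api_id             = aws_api_gateway_rest_api.catalog.id
  resource_id             = aws_api_gateway_resource.items.id
  http_method             = aws_api_gateway_method.get_items.http_method
  integration_http_method = "POST" # Lambda is always invoked with POST
  type                    = "AWS_PROXY"
  uri                     = var.lambda_invoke_arn
}

resource "aws_api_gateway_deployment" "catalog" {
  rest_api_id = aws_api_gateway_rest_api.catalog.id
  depends_on  = [aws_api_gateway_integration.get_items]
  lifecycle {
    create_before_destroy = true
  }
}

resource "aws_api_gateway_stage" "prod" {
  rest_api_id           = aws_api_gateway_rest_api.catalog.id
  deployment_id         = aws_api_gateway_deployment.catalog.id
  stage_name            = "prod"
  cache_cluster_enabled = true
  cache_cluster_size    = "0.5" # GB; the smallest cache, billed hourly
}

# Caching is switched on per method; the security-relevant knobs live here.
resource "aws_api_gateway_method_settings" "get_items" {
  rest_api_id = aws_api_gateway_rest_api.catalog.id
  stage_name  = aws_api_gateway_stage.prod.stage_name
  method_path = "${aws_api_gateway_resource.items.path_part}/${aws_api_gateway_method.get_items.http_method}"
  settings {
    caching_enabled      = true
    cache_ttl_in_seconds = 300
    cache_data_encrypted = true
    # Without this, any client can send "Cache-Control: max-age=0" and evict
    # the entry on every request, turning the cache into a cost and DoS lever.
    require_authorization_for_cache_control    = true
    unauthorized_cache_control_header_strategy = "SUCCEED_WITHOUT_RESPONSE_HEADER"
  }
}
```

If the response for `/items` depends on query string parameters or on an Authorization header, declare those as `cache_key_parameters` on the integration; with the default cache key, one caller's cached response is served to the next caller regardless of who they are.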