A solutions architect needs to design a system to process incoming work items immediately. Processing can take up to 30 minutes and involves calling external APIs, executing multiple states, and storing intermediate states.
The solution must scale with variable workloads and minimize operational overhead.
Which combination of steps meets these requirements? (Choose two.)
A. Invoke an AWS Lambda function for each incoming work item. Configure each function to handle the work item completely. Store states in DynamoDB. B. Invoke an AWS Step Functions workflow to process incoming work items. Use Lambda functions for business logic. Store work item states in DynamoDB. C. Set up an API Gateway REST API to receive work items. Configure the API to invoke a Lambda function for each work item. D. Deploy two EC2 Reserved Instances behind an ALB and send requests to an SQS queue. E. Set up an API Gateway REST API to receive work items. Send the work items to an SQS queue.
B. Invoke an AWS Step Functions workflow to process incoming work items. Use Lambda functions for business logic. Store work item states in DynamoDB. E. Set up an API Gateway REST API to receive work items. Send the work items to an SQS queue.
Explanation
AWS Step Functions is the recommended service for orchestrating multi-step, long-running workflows with state tracking, retries, and external API calls. It reduces operational overhead by eliminating the need for custom orchestration logic.
API Gateway receiving work items and sending them to SQS (Option E) provides buffering, elasticity, and decoupling, ensuring immediate ingestion regardless of backend load.
Option A forces a single Lambda invocation to carry the whole work item. Lambda's maximum execution time is 15 minutes, so a 30-minute task cannot complete in one invocation, and encoding the multi-state workflow inside the function means writing and maintaining custom orchestration and checkpointing code.
Option C invokes Lambda synchronously from API Gateway, so there is no buffer between ingestion and processing; the synchronous integration timeout is far shorter than the processing time, and a burst of work items would be throttled instead of queued.
Option D uses two Reserved Instances, which are fixed capacity: they neither scale with a variable workload nor minimize operational overhead, since the instances must be patched and managed.
Question 662:
A solutions architect wants to use the following JSON text as an identity-based policy to grant specific permissions:
Which IAM principals can the solutions architect attach this policy to? (Choose two.)
A. Role B. Group C. Organization D. Amazon Elastic Container Service (Amazon ECS) resource E. Amazon EC2 resource
A. Role B. Group
Question 663:
A gaming company has a web application that displays scores. The application runs on Amazon EC2 instances behind an Application Load Balancer. The application stores data in an Amazon RDS for MySQL database. Users are starting to experience long delays and interruptions that are caused by database read performance. The company wants to improve the user experience while minimizing changes to the application's architecture.
What should a solutions architect do to meet these requirements?
A. Use Amazon ElastiCache in front of the database. B. Use RDS Proxy between the application and the database. C. Migrate the application from EC2 instances to AWS Lambda. D. Migrate the database from Amazon RDS for MySQL to Amazon DynamoDB.
A. Use Amazon ElastiCache in front of the database.
Question 664:
A company is migrating its on-premises workload to the AWS Cloud. The company already uses several Amazon EC2 instances and Amazon RDS DB instances. The company wants a solution that automatically starts and stops the EC2 instances and DB instances outside of business hours. The solution must minimize cost and infrastructure maintenance.
Which solution will meet these requirements?
A. Scale the EC2 instances by using elastic resize. Scale the DB instances to zero outside of business hours. B. Explore AWS Marketplace for partner solutions that will automatically start and stop the EC2 instances and DB instances on a schedule. C. Launch another EC2 instance. Configure a crontab schedule to run shell scripts that will start and stop the existing EC2 instances and DB instances on a schedule. D. Create an AWS Lambda function that will start and stop the EC2 instances and DB instances. Configure Amazon EventBridge to invoke the Lambda function on a schedule.
D. Create an AWS Lambda function that will start and stop the EC2 instances and DB instances. Configure Amazon EventBridge to invoke the Lambda function on a schedule.
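The scheduled start/stop function, as an added example that is not part of the exam page: a Lambda handler that acts on EC2 instances and RDS DB instances carrying a scheduling tag. It assumes two EventBridge schedule rules (for example `cron(0 18 ? * MON-FRI *)` and `cron(0 7 ? * MON-FRI *)` in UTC) invoke the function with constant JSON inputs `{"action": "stop"}` and `{"action": "start"}`; the tag name `Schedule`, the value `office-hours`, and the injectable `ec2`/`rds` client parameters are assumptions made for the example, not AWS conventions.

```python
"""Start or stop tagged EC2 instances and RDS DB instances on a schedule.

Added example (not from the exam page). Assumes two EventBridge schedule
rules invoke this handler with constant JSON inputs {"action": "stop"} in
the evening and {"action": "start"} in the morning, and that the resources
to manage carry the tag Schedule=office-hours (tag name and value are
assumptions). The function's execution role needs ec2:DescribeInstances,
ec2:StartInstances, ec2:StopInstances, rds:DescribeDBInstances,
rds:StartDBInstance and rds:StopDBInstance.
"""
SCHEDULE_TAG = "Schedule"
SCHEDULE_VALUE = "office-hours"

# Only act on resources whose current state makes the call valid; asking the
# API to stop an already stopped instance is an error, not a no-op.
EC2_STATE_FOR = {"start": "stopped", "stop": "running"}
RDS_STATUS_FOR = {"start": "stopped", "stop": "available"}


def tagged_ec2_instance_ids(ec2, action):
    """Return IDs of tagged EC2 instances in the state the action applies to."""
    filters = [
        {"Name": f"tag:{SCHEDULE_TAG}", "Values": [SCHEDULE_VALUE]},
        {"Name": "instance-state-name", "Values": [EC2_STATE_FOR[action]]},
    ]
    ids, token = [], None
    while True:  # DescribeInstances pages with NextToken
        kwargs = {"Filters": filters}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_instances(**kwargs)
        for reservation in page.get("Reservations", []):
            ids.extend(i["InstanceId"] for i in reservation.get("Instances", []))
        token = page.get("NextToken")
        if not token:
            return ids


def tagged_rds_instance_ids(rds, action):
    """Return identifiers of tagged RDS instances in the status the action applies to.

    DescribeDBInstances has no tag filter, but each DBInstance carries its TagList.
    """
    ids, marker = [], None
    while True:  # DescribeDBInstances pages with Marker
        kwargs = {"Marker": marker} if marker else {}
        page = rds.describe_db_instances(**kwargs)
        for db in page.get("DBInstances", []):
            tags = {t["Key"]: t["Value"] for t in db.get("TagList", [])}
            if (tags.get(SCHEDULE_TAG) == SCHEDULE_VALUE
                    and db["DBInstanceStatus"] == RDS_STATUS_FOR[action]):
                ids.append(db["DBInstanceIdentifier"])
        marker = page.get("Marker")
        if not marker:
            return ids


def handler(event, context=None, ec2=None, rds=None):
    """Lambda entry point. The clients are injectable (an assumption of this
    example) so the selection logic can be exercised offline with fakes."""
    action = event.get("action")
    if action not in EC2_STATE_FOR:
        raise ValueError(f"unsupported action: {action!r}")
    if ec2 is None or rds is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        ec2 = ec2 or boto3.client("ec2")
        rds = rds or boto3.client("rds")

    ec2_ids = tagged_ec2_instance_ids(ec2, action)
    if ec2_ids:  # EC2 accepts a list of IDs in one call
        (ec2.start_instances if action == "start" else ec2.stop_instances)(InstanceIds=ec2_ids)

    rds_ids = tagged_rds_instance_ids(rds, action)
    for db_id in rds_ids:  # RDS start/stop take one identifier per call
        if action == "start":
            rds.start_db_instance(DBInstanceIdentifier=db_id)
        else:
            rds.stop_db_instance(DBInstanceIdentifier=db_id)

    return {"action": action, "ec2": ec2_ids, "rds": rds_ids}
```

Two RDS caveats matter for this pattern: a stopped DB instance is started automatically by RDS after seven days, so a weekly schedule alone will not keep it off, and not every instance can be stopped (read replicas and Multi-AZ SQL Server instances among them; Aurora clusters use the separate stop/start DB cluster operations). Scope the execution role with a tag-based condition on the start/stop actions so the function cannot be misused to stop untagged production instances.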
Question 665:
A marketing team wants to build a campaign for an upcoming multi-sport event. The team has news reports from the past five years in PDF format. The team needs a solution to extract insights about the content and the sentiment of the news reports.
The solution must use Amazon Textract to process the news reports.
Which solution will meet these requirements with the LEAST operational overhead?
A. Provide the extracted insights to Amazon Athena for analysis. Store the extracted insights and analysis in an Amazon S3 bucket. B. Store the extracted insights in an Amazon DynamoDB table. Use Amazon SageMaker to build a sentiment model. C. Provide the extracted insights to Amazon Comprehend for analysis. Save the analysis to an Amazon S3 bucket. D. Store the extracted insights in an Amazon S3 bucket. Use Amazon QuickSight to visualize and analyze the data.
C. Provide the extracted insights to Amazon Comprehend for analysis. Save the analysis to an Amazon S3 bucket.
Question 666:
A company needs to move data from an Amazon EC2 instance to an Amazon S3 bucket. The company must ensure that no API calls and no data are routed through public internet routes. Only the EC2 instance can have access to upload data to the S3 bucket.
Which solution will meet these requirements?
A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access. B. Create a gateway VPC endpoint for Amazon S3 in the Availability Zone where the EC2 instance is located. Attach appropriate security groups to the endpoint. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access. C. Run the nslookup tool from inside the EC2 instance to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access. D. Use the AWS provided, publicly available ip-ranges.json file to obtain the private IP address of the S3 bucket's service API endpoint. Create a route in the VPC route table to provide the EC2 instance with access to the S3 bucket. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
A. Create an interface VPC endpoint for Amazon S3 in the subnet where the EC2 instance is located. Attach a resource policy to the S3 bucket to only allow the EC2 instance's IAM role for access.
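Option A is the one that holds up: an interface endpoint is an elastic network interface with a private IP address in the instance's subnet, so the S3 API calls never leave the VPC. A gateway endpoint is a route-table target, not an Availability Zone resource, and it does not accept security groups, so Option B misdescribes the feature; Options C and D try to route to a "private IP of the S3 endpoint" that does not exist. The bucket policy below is an added example (not from the exam page) of the resource policy the answer calls for: it grants upload rights to the instance role only and denies every request that did not arrive through the endpoint. The account ID, role name, bucket name, endpoint ID and break-glass role are placeholders for the example.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUploadFromInstanceRoleViaEndpoint",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/export-uploader"},
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-export-bucket/*",
      "Condition": {
        "StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}
      }
    },
    {
      "Sid": "DenyEverythingNotFromTheEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-export-bucket",
        "arn:aws:s3:::example-export-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"},
        "ArnNotEquals": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/break-glass-admin"}
      }
    }
  ]
}
```

Two practical checks before applying this. First, the Deny statement also blocks console and CLI access from anywhere else, including your own administrators; the `aws:PrincipalArn` exception on a break-glass role is what keeps you from locking the bucket, and the two condition operators are ANDed, so the deny applies only to requests that are both off-endpoint and not from that role. Second, an S3 interface endpoint is not used automatically: the instance must address the bucket through the endpoint-specific DNS name (or `--endpoint-url`), or private DNS must be enabled on the endpoint, which AWS supports for S3 interface endpoints only when a gateway endpoint for S3 also exists in the VPC. Restricting the endpoint's own policy to this bucket closes the reverse path, so the instance cannot use the private path to reach any other bucket.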
Question 667:
A company is migrating some workloads to AWS. However, many workloads will remain on premises. The on-premises workloads require secure and reliable connectivity to AWS with consistent, low-latency performance.
The company has deployed the AWS workloads across multiple AWS accounts and multiple VPCs. The company plans to scale to hundreds of VPCs within the next year. The company must establish connectivity between each of the VPCs and from the on-premises environment to each VPC.
Which solution will meet these requirements?
A. Use an AWS Direct Connect connection to connect the on-premises environment to AWS. Configure VPC peering to establish connectivity between VPCs. B. Use multiple AWS Site-to-Site VPN connections to connect the on-premises environment to AWS. Create a transit gateway to establish connectivity between VPCs. C. Use an AWS Direct Connect connection with a Direct Connect gateway to connect the on-premises environment to AWS. Create a transit gateway to establish connectivity between VPCs. Associate the transit gateway with the Direct Connect gateway. D. Use an AWS Site-to-Site VPN connection to connect the on-premises environment to AWS. Configure VPC peering to establish connectivity between VPCs.
C. Use an AWS Direct Connect connection with a Direct Connect gateway to connect the on-premises environment to AWS. Create a transit gateway to establish connectivity between VPCs. Associate the transit gateway with the Direct Connect gateway.
Explanation
The optimal solution for scalable and resilient hybrid networking is to use AWS Direct Connect with a Direct Connect gateway for secure, low-latency access to AWS, and an AWS Transit Gateway to manage connectivity among hundreds of VPCs.
By associating the Transit Gateway with the Direct Connect gateway, you enable transitive routing between on-premises and all VPCs, while minimizing network complexity and maintaining high performance.
VPC peering is not transitive and would require a full mesh of peering connections, which does not scale to hundreds of VPCs; Site-to-Site VPN runs over the public internet and cannot guarantee the consistent, low-latency performance the on-premises workloads require.
Question 668:
A company needs to export its database once a day to Amazon S3 for other teams to access. The exported object size varies between 2 GB and 5 GB. The S3 access pattern for the data is variable and changes rapidly. The data must be immediately available and must remain accessible for up to 3 months.
The company needs the most cost-effective solution that will not increase retrieval time.
Which S3 storage class should the company use to meet these requirements?
A. S3 Intelligent-Tiering B. S3 Glacier Instant Retrieval C. S3 Standard D. S3 Standard-Infrequent Access (S3 Standard-IA)
A. S3 Intelligent-Tiering
Question 669:
A company uses AWS CloudFormation to deploy IAM resources within accounts that AWS Control Tower governs. The security team wants to prevent the deployment of IAM roles that include inline policies with the following statements:
A. Use AWS Control Tower proactive controls to block CloudFormation stacks that match these inline policy statements. B. Use AWS Control Tower detective controls to detect and delete IAM inline policies that contain these statements upon deployment. C. Use AWS Config to create a rule that detects these statements in any inline IAM policies. Configure the rule to automatically remove these statements by using the AWS-DeleteIAMInlinePolicy remediation. D. Use AWS Config to create a rule that detects these statements in inline IAM policies and sends a notification to the security team.
A. Use AWS Control Tower proactive controls to block CloudFormation stacks that match these inline policy statements.
Explanation
The security requirement is preventive: "prevent the deployment" of IAM roles that contain an overly permissive inline policy (Allow on Action:* and Resource:*). Preventive enforcement should occur at deployment time so noncompliant IAM resources are blocked before they exist. In a Control Tower-governed environment where resources are provisioned through CloudFormation, the most appropriate mechanism is a proactive control that evaluates templates and denies noncompliant stack operations.
Option A matches this intent. Control Tower proactive controls are designed to provide preventative guardrails by checking resource configurations (including Infrastructure as Code deployments) against defined rules and blocking deployments that violate policy. This stops risky IAM roles from being created in the first place, which is preferable to after-the-fact detection and cleanup.
Options B, C, and D are detective or reactive patterns. Detective controls (and AWS Config rules) can identify noncompliance after resources are created, but that does not "prevent deployment." Even if remediation is automated (Option C), there is still a window where an overly permissive role exists and could be assumed or exploited.
Option D only notifies, which is insufficient.
Option B suggests deleting policies on deployment, but Control Tower detective controls are not intended to automatically delete deployed IAM policies; they primarily detect and report drift/noncompliance.
Therefore, A is the best solution because it enforces the requirement proactively by blocking noncompliant CloudFormation deployments, maintaining a stronger security posture and reducing operational burden associated with detection and remediation.
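To make the "evaluate the template before it is deployed" point concrete, here is an added example (not from the exam page, and not a Control Tower control itself; those are managed CloudFormation hooks) of the same check implemented as a stand-alone function you could run in CI before `aws cloudformation deploy`. It walks a template's `AWS::IAM::Role`, `AWS::IAM::User` and `AWS::IAM::Group` resources, plus `AWS::IAM::Policy` resources (which also create inline policies), and reports every `Allow` statement whose `Action` and `Resource` are both `*`. The sample template is constructed for the example; templates are read as JSON, since YAML with CloudFormation short-form tags needs a dedicated parser.

```python
"""Pre-deployment scan of a CloudFormation template for inline IAM policies
that grant Allow on Action "*" and Resource "*".

Added example: the kind of template check a proactive (pre-deployment)
guardrail performs, not the Control Tower control itself. The template
below is constructed for the example.
"""
import json

# Resource types whose Properties.Policies list holds inline policies.
INLINE_POLICY_RESOURCES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_full_admin(statement):
    """True for an Allow statement that names every action on every resource."""
    if statement.get("Effect") != "Allow":
        return False
    actions = {a for a in _as_list(statement.get("Action")) if isinstance(a, str)}
    resources = {r for r in _as_list(statement.get("Resource")) if isinstance(r, str)}
    return "*" in actions and "*" in resources


def _policy_documents(logical_id, resource):
    """Yield (location, policy_document) for every inline policy in a resource."""
    rtype = resource.get("Type")
    props = resource.get("Properties", {})
    if rtype in INLINE_POLICY_RESOURCES:
        for policy in props.get("Policies", []):
            name = policy.get("PolicyName", "<unnamed>")
            yield f"{logical_id}.Policies[{name}]", policy.get("PolicyDocument", {})
    elif rtype == "AWS::IAM::Policy":  # inline policy attached to roles/users/groups
        yield f"{logical_id}.PolicyDocument", props.get("PolicyDocument", {})


def find_full_admin_inline_policies(template):
    """Return the locations of all Allow */* inline statements in the template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for location, doc in _policy_documents(logical_id, resource):
            for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
                if isinstance(stmt, dict) and _is_full_admin(stmt):
                    findings.append(f"{location}.Statement[{idx}]")
    return findings


# Constructed sample: one role with a */* inline policy, one scoped role, and an
# AWS::IAM::Policy whose second statement is */* (the first is a Deny, not flagged).
SAMPLE_TEMPLATE = json.loads("""
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "AdminRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
           "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}}]
      }
    },
    "ScopedRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
           "Action": "sts:AssumeRole"}]},
        "Policies": [{"PolicyName": "read-exports", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::example-exports/*"}]}}]
      }
    },
    "BroadPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "attached-inline",
        "Roles": [{"Ref": "ScopedRole"}],
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
          {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
          {"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in find_full_admin_inline_policies(SAMPLE_TEMPLATE):
        print("BLOCK:", finding)
```

The check is deliberately narrow, matching the statement the question describes: it does not flag `NotAction`/`NotResource` constructions, service-wide wildcards such as `iam:*`, or managed policies (`ManagedPolicyArns`, `AWS::IAM::ManagedPolicy`), all of which a real guardrail would also need rules for. It also only sees what is literal in the template; a `Resource` built with `Fn::Sub` or passed in as a parameter is skipped rather than guessed at, which is exactly why the exam's answer leans on a managed proactive control that evaluates the resolved resource rather than a home-grown scan.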
Question 670:
A company wants to migrate an Oracle database to AWS. The database consists of a single table that contains millions of geographic information systems (GIS) images that are high resolution and are identified by a geographic code. When a natural disaster occurs, tens of thousands of images get updated every few minutes. Each geographic code has a single image or row that is associated with it. The company wants a solution that is highly available and scalable during such events.
Which solution meets these requirements MOST cost-effectively?
A. Store the images and geographic codes in a database table. Use Oracle running on an Amazon RDS Multi-AZ DB instance. B. Store the images in Amazon S3 buckets. Use Amazon DynamoDB with the geographic code as the key and the image S3 URL as the value. C. Store the images and geographic codes in an Amazon DynamoDB table. Configure DynamoDB Accelerator (DAX) during times of high load. D. Store the images in Amazon S3 buckets. Store geographic codes and image S3 URLs in a database table. Use Oracle running on an Amazon RDS Multi-AZ DB instance.
B. Store the images in Amazon S3 buckets. Use Amazon DynamoDB with the geographic code as the key and the image S3 URL as the value.