Amazon SAA-C03 Online Practice Questions and Exam Preparation

Amazon SAA-C03 Online Questions & Answers

• Question 71:

  A security team needs to enforce the rotation of all IAM users' access keys every 90 days. If an access key is found to be older, the key must be made inactive and removed. A solutions architect must create a solution that will check for and remediate any keys older than 90 days.

  Which solution meets these requirements with the LEAST operational effort?

  A. Create an AWS Config rule to check for the key age. Configure the AWS Config rule to run an AWS Batch job to remove the key.
  B. Create an Amazon EventBridge rule to check for the key age. Configure the rule to run an AWS Batch job to remove the key.
  C. Create an AWS Config rule to check for the key age. Define an Amazon EventBridge rule to schedule an AWS Lambda function to remove the key.
  D. Create an Amazon EventBridge rule to check for the key age. Define an EventBridge rule to run an AWS Batch job to remove the key.
  C. Create an AWS Config rule to check for the key age. Define an Amazon EventBridge rule to schedule an AWS Lambda function to remove the key.

  ---

  Explanation

  The requirement has two parts: (1) continuously or regularly evaluate IAM access key age against a 90- day policy, and (2) remediate noncompliant keys by disabling and deleting them. The least operational effort generally comes from using managed compliance evaluation and lightweight serverless remediation.

  AWS Config is designed to assess resource configuration compliance over time. Using an AWS Config rule to check access key age fits the governance model because Config maintains a compliance history, supports central reporting, and can evaluate keys across an account (and commonly across an organization with aggregation patterns). After detection, remediation should be automated with minimal infrastructure, and AWS Lambda is the lightest operational tool for directly calling IAM APIs (UpdateAccessKey to Inactive, then DeleteAccessKey) on a schedule.

  Option C pairs these appropriately: Config performs compliance evaluation, and an EventBridge scheduled rule triggers a Lambda function to remediate keys older than 90 days. This avoids running and maintaining compute fleets or batch infrastructure. It also provides clear separation of duties: Config for detection and evidence, Lambda for corrective action.

  Options A, B, and D rely on AWS Batch, which introduces additional operational overhead (compute environments, job definitions, queues, scaling, and monitoring) that is unnecessary for a simple IAM housekeeping task. Also, EventBridge by itself is not a compliance evaluation service; it can schedule a job, but it does not inherently track "key age" state or compliance posture the way Config does.

  Therefore, C best meets the requirement with the least operational effort by using Config for continuous compliance visibility and a scheduled Lambda for automated key deactivation and deletion.

• Question 72:

  A media company has a multi-account AWS environment in the us-east-1 Region. The company has an Amazon Simple Notification Service (Amazon SNS) topic in a production account that publishes performance metrics. The company has an AWS Lambda function in an administrator account to process and analyze log data. The Lambda function that is in the administrator account must be invoked by messages from the SNS topic that is in the production account when significant metrics are reported.

  Which combination of steps will meet these requirements? (Choose two.)

  A. Create an IAM resource policy for the Lambda function that allows Amazon SNS to invoke the function.
  B. Implement an Amazon Simple Queue Service (Amazon SQS) queue in the administrator account to buffer messages from the SNS topic that is in the production account. Configure the SQS queue to invoke the Lambda function.
  C. Create an IAM policy for the SNS topic that allows the Lambda function to subscribe to the topic.
  D. Use an Amazon EventBridge rule in the production account to capture the SNS topic notifications. Configure the EventBridge rule to forward notifications to the Lambda function that is in the administrator account.
  E. Store performance metrics in an Amazon S3 bucket in the production account. Use Amazon Athena to analyze the metrics from the administrator account.
  A. Create an IAM resource policy for the Lambda function that allows Amazon SNS to invoke the function.
  C. Create an IAM policy for the SNS topic that allows the Lambda function to subscribe to the topic.

• Question 73:

  A company has developed an API using Amazon API Gateway REST API and AWS Lambda.

  How can latency be reduced for users worldwide?

  A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding to compress data in transit.
  B. Deploy the REST API as a Regional API endpoint. Enable caching. Enable content encoding to compress data in transit.
  C. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Configure reserved concurrency for Lambda functions.
  D. Deploy the REST API as a Regional API endpoint. Enable caching. Configure reserved concurrency for Lambda functions.
  A. Deploy the REST API as an edge-optimized API endpoint. Enable caching. Enable content encoding to compress data in transit.

  ---

  Explanation

  Edge-optimized API endpointsroute requests through CloudFront, reducing latency for global users.

  Option A correctly implements edge-optimization, caching, and compression to minimize latency.

  Options B and D do not use edge optimization, leading to higher latency for global users.

  Reserved concurrency in Options C and D improves backend scaling but does not address global latency directly.

• Question 74:

  A company is using a content management system that runs on a single Amazon EC2 instance. The EC2 instance contains both the web server and the database software. The company must make its website platform highly available and must enable the website to scale to meet user demand.

  What should a solutions architect recommend to meet these requirements?

  A. Move the database to Amazon RDS, and enable automatic backups. Manually launch another EC2 instance in the same Availability Zone. Configure an Application Load Balancer in the Availability Zone, and set the two instances as targets.
  B. Migrate the database to an Amazon Aurora instance with a read replica in the same Availability Zone as the existing EC2 instance. Manually launch another EC2 instance in the same Availability Zone. Configure an Application Load Balancer, and set the two EC2 instances as targets.
  C. Move the database to Amazon Aurora with a read replica in another Availability Zone. Create an Amazon Machine Image (AMI) from the EC2 instance. Configure an Application Load Balancer in two Availability Zones. Attach an Auto Scaling group that uses the AMI across two Availability Zones.
  D. Move the database to a separate EC2 instance, and schedule backups to Amazon S3. Create an Amazon Machine Image (AMI) from the original EC2 instance. Configure an Application Load Balancer in two Availability Zones. Attach an Auto Scaling group that uses the AMI across two Availability Zones.
  C. Move the database to Amazon Aurora with a read replica in another Availability Zone. Create an Amazon Machine Image (AMI) from the EC2 instance. Configure an Application Load Balancer in two Availability Zones. Attach an Auto Scaling group that uses the AMI across two Availability Zones.

• Question 75:

  A company recently migrated its application to AWS. The application runs on Amazon EC2 Linux instances in an Auto Scaling group across multiple Availability Zones. The application stores data in an Amazon Elastic File System (Amazon EFS) file system that uses EFS Standard-Infrequent Access storage. The application indexes the company's files. The index is stored in an Amazon RDS database.

  The company needs to optimize storage costs with some application and services changes.

  Which solution will meet these requirements MOST cost-effectively?

  A. Create an Amazon S3 bucket that uses an Intelligent-Tiering lifecycle policy. Copy all files to the S3 bucket. Update the application to use Amazon S3 API to store and retrieve files.
  B. Deploy Amazon FSx for Windows File Server file shares. Update the application to use CIFS protocol to store and retrieve files.
  C. Deploy Amazon FSx for OpenZFS file system shares. Update the application to use the new mount point to store and retrieve files.
  D. Create an Amazon S3 bucket that uses S3 Glacier Flexible Retrieval. Copy all files to the S3 bucket. Update the application to use Amazon S3 API to store and retrieve files as standard retrievals.
  A. Create an Amazon S3 bucket that uses an Intelligent-Tiering lifecycle policy. Copy all files to the S3 bucket. Update the application to use Amazon S3 API to store and retrieve files.

• Question 76:

  A company hosts its application in the AWS Cloud. The application runs on Amazon EC2 instances behind an Elastic Load Balancer in an Auto Scaling group and with an Amazon DynamoDB table. The company wants to ensure the application can be made available in anotherAWS Region with minimal downtime.

  What should a solutions architect do to meet these requirements with the LEAST amount of downtime?

  A. Create an Auto Scaling group and a load balancer in the disaster recovery Region. Configure the DynamoDB table as a global table. Configure DNS failover to point to the new disaster recovery Region's load balancer.
  B. Create an AWS CloudFormation template to create EC2 instances, load balancers, and DynamoDB tables to be launched when needed Configure DNS failover to point to the new disaster recovery Region's load balancer.
  C. Create an AWS CloudFormation template to create EC2 instances and a load balancer to be launched when needed. Configure the DynamoDB table as a global table. Configure DNS failover to point to the new disaster recovery Region's load balancer.
  D. Create an Auto Scaling group and load balancer in the disaster recovery Region. Configure the DynamoDB table as a global table. Create an Amazon CloudWatch alarm to trigger an AWS Lambda function that updates Amazon Route 53 pointing to the disaster recovery load balancer.
  A. Create an Auto Scaling group and a load balancer in the disaster recovery Region. Configure the DynamoDB table as a global table. Configure DNS failover to point to the new disaster recovery Region's load balancer.

• Question 77:

  A solutions architect is designing a RESTAPI in Amazon API Gateway for a cash payback service. The application requires 1 GB of memory and 2 GB of storage for its computation resources. The application will require that the data is in a relational format.

  Which additional combination ofAWS services will meet these requirements with the LEAST administrative effort? (Choose two.)

  A. Amazon EC2
  B. AWS Lambda
  C. Amazon RDS
  D. Amazon DynamoDB
  E. Amazon Elastic Kubernetes Services (Amazon EKS)
  B. AWS Lambda
  C. Amazon RDS

• Question 78:

  Question: A company hosts a public application on AWS. The company uses an Application Load Balancer (ALB) to distribute application traffic to multiple Amazon EC2 instances that are hosted in private subnets.

  The company wants to authenticate all the requests by using an on-premises Active Directory Federation Service (AD FS). The company uses AWS Direct Connect to connect its on-premises data center to AWS.

  Which solution will meet this requirement?

  A. Configure an Amazon Cognito user pool. Integrate the user pool with the ALB for AD FS authentication.
  B. Configure an AWS Directory Service directory. Integrate the directory with the ALB for AD FS authentication.
  C. Replace the ALB with a Network Load Balancer (NLB). Use Amazon Connect Agent Workspace to integrate an agent workspace with the NLB.
  D. Configure an AWS Directory Service AD Connector. Integrate the AD Connector with the ALB for AD FS authentication.
  D. Configure an AWS Directory Service AD Connector. Integrate the AD Connector with the ALB for AD FS authentication.

  ---

  Explanation

  To authenticate users using an on-premises Active Directory Federation Service (AD FS), AWS provides the AWS Directory Service AD Connector. AD Connector is a proxy that connects AWS applications to your on-premises Microsoft Active Directory without requiring complex directory synchronization or the need to set up a separate directory in the cloud.

  By integrating AD Connector with the Application Load Balancer (ALB), you can authenticate and authorize users using your existing on-premises credentials. This setup allows the ALB to leverage the authentication capabilities of your on-premises AD FS, providing a seamless and secure user experience.

  References:

  How to connect your on-premises Active Directory to AWS using AD Connector

  AWS Directory Service AD Connector

• Question 79:

  A company uses Amazon Elastic Container Service (Amazon ECS) to run workloads that belong to service teams. Each service team uses an owner tag to specify the ECS containers that the team owns. The company wants to generate an AWS Cost Explorer report that shows how much each service team spends on ECS containers on a monthly basis.

  Which combination of steps will meet these requirements in the MOST operationally efficient way? (Choose Two.)

  A. Create a custom report in Cost Explorer. Apply a filter for Amazon ECS.
  B. Create a custom report in Cost Explorer. Apply a filter for the owner resource tag.
  C. Set up AWS Compute Optimizer. Review the rightsizing recommendations.
  D. Activate the owner tag as a cost allocation tag. Group the Cost Explorer report by linked account.
  E. Activate the owner tag as a cost allocation tag. Group the Cost Explorer report by the owner cost allocation tag.
  A. Create a custom report in Cost Explorer. Apply a filter for Amazon ECS.
  E. Activate the owner tag as a cost allocation tag. Group the Cost Explorer report by the owner cost allocation tag.

  ---

  Explanation

  To allocate costs based on team ownership, AWS recommends tagging resources using cost allocation tags. Activating the "owner" tag as a cost allocation tag allows AWS Cost Explorer to categorize and group spending. Additionally, filtering for Amazon ECS services enables the visibility into service-specific usage.

  This approach is both scalable and operationally efficient.

  References:

  AWS Documentation?AWS Billing and Cost Management, Cost Allocation Tags

• Question 80:

  A company is developing a public web application that needs to access multiple AWS services. The application will have hundreds of users who must log in to the application first before using the services.

  The company needs to implement a secure and scalable method to grant the web application temporary access to the AWS resources.

  A. Create an IAM role for each AWS service that the application needs to access. Assign the roles directly to the instances that the web application runs on.
  B. Create an IAM role that has the access permissions the web application requires. Configure the web application to use AWS Security Token Service (AWS STS) to assume the IAM role. Use STS tokens to access the required AWS services.
  C. Use AWS IAM Identity Center to create a user pool that includes the application users. Assign access credentials to the web application users. Use the credentials to access the required AWS services.
  D. Create an IAM user that has programmatic access keys for the AWS services. Store the access keys in AWS Systems Manager Parameter Store. Retrieve the access keys from Parameter Store. Use the keys in the web application.
  B. Create an IAM role that has the access permissions the web application requires. Configure the web application to use AWS Security Token Service (AWS STS) to assume the IAM role. Use STS tokens to access the required AWS services.

  ---

  Explanation

  Option Bis the correct solution because: AWS Security Token Service (STS)allows the web application to request temporary security credentials that grant access to AWS resources. These temporary credentials are secure and short-lived, reducing the risk of misuse.

  Using STS and IAM roles ensures scalability by enabling the application to dynamically assume roles with the required permissions for each AWS service.

  Option A:Assigning IAM roles directly to instances is less flexible and would grant the same permissions to all applications on the instance, which is not ideal for a multi-service web application.

  Option C:AWS IAM Identity Center is used for managing single sign-on (SSO) for workforce users and is not designed for granting programmatic access to web applications.

  Option D:Storing long-term access keys, even in AWS Systems Manager Parameter Store, is less secure and does not scale well compared to temporary credentials from STS.

  References:

  AWS Security Token Service (STS)

  IAM Roles for Temporary Credentials