SAA-C03 Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) Free Practice Exam Questions (2026 Updated)

A & B. GuardDuty:Designed for threat detection, not for identifying or classifying sensitive data in S3 buckets.

C. Macie with EventBridge + SNS:Automatically identifies sensitive data, triggers alerts, and uses SNS for immediate notification via email.

D. Macie with EventBridge + SQS:Introduces latency due to periodic polling and adds unnecessary complexity.

Amazon S3 Intelligent-Tiering is designed for unknown or unpredictable access patterns, automatically moving objects to the most cost-effective tier without performance impact.

It is ideal when you do not know object size or access frequency.

S3 Standard (Option B) works but costs more.

S3 One Zone-IA and Glacier Deep Archive (Options D and A) are not appropriate because data is frequently accessed for processing and persists only 24 hours.

=====================================================

Amazon S3 Intelligent-Tiering automatically moves objects between two access tiers based on changing access patterns. Objects not accessed for 30 days move to a lower-cost tier, but are still immediately available with millisecond retrieval. If objects become frequently accessed again, they are moved back to the frequent access tier. There are no retrieval charges and no impact on availability or performance. This storage class is specifically designed for unpredictable access patterns and cost optimization, requiring minimal management.

AWS Documentation Extract:

"S3 Intelligent-Tiering is the only storage class that automatically moves data between frequent and infrequent access tiers when access patterns change, with no retrieval charges and no impact on performance. It is designed to optimize costs automatically when data access patterns are unpredictable."

(Source: Amazon S3 documentation, Intelligent-Tiering storage class)

B: Glacier Deep Archive is for archival, not for low-latency millisecond access.

C: EFS is not optimized for object storage or global CDN distribution.

D: Cache-Control only affects CloudFront or browser caching, not S3 storage cost.

Amazon RDS Blue/Green Deployments provide a safe and straightforward way to make database changes with minimal downtime and risk. Blue/Green deployments create an exact copy ("green") of your production environment ("blue") where you can make schema changes and run tests. After validation, you can promote the green environment to production with a single click or API call, achieving near-zero downtime and maximum availability. This is the AWS-recommended method for deploying major database changes in a way that minimizes impact to users and maximizes uptime.

Reference Extract from AWS Documentation / Study Guide:

"Amazon RDS Blue/Green Deployments enable you to make changes to your database environment safely. You can perform schema updates and feature testing in a fully managed staging environment and switch over with minimal downtime, ensuring the highest availability."

Source: AWS Certified Solutions Architect – Official Study Guide, Database and Migration section; Amazon RDS Blue/Green Deployments Documentation.

Amazon FSx for Lustre is a high-performance parallel file system designed for machine learning and HPC that can be linked to Amazon S3 via Data Repository Associations (DRA). With DRA, you can import S3 objects as files (lazy or preloaded) and export results back to S3, providing very high throughput and low-latency POSIX access on the training cluster. This S3-native integration minimizes data loading overhead and accelerates training cycles at scale. EFS (A) is general-purpose and lower throughput per TB than Lustre. EBS (C) requires manual copy and does not scale as a shared parallel filesystem. DataSync alone (D) is a transfer tool, not a high-throughput training filesystem. FSx for Lustre with S3 DRA best satisfies scalability, throughput, and native S3 integration for rapid ML training.

This solution provides encryption at rest and in transit with the least operational overhead while adhering to the company’s security policies.

Encryption at Rest: Amazon RDS for MySQL can be configured to encrypt data at rest by using AWS Key Management Service (KMS) managed keys. This encryption is applied automatically to all data stored on disk, including backups, read replicas, and snapshots. This solution requires minimal operational overhead because AWS manages the encryption and key management process.

Encryption in Transit: AWS Certificate Manager (ACM) allows you to provision, manage, and deploy SSL/TLS certificates seamlessly. These certificates can be used to encrypt data in transit by configuring the MySQL instance to use SSL/TLS for connections. This setup ensures thatdata is encrypted between the application and the database, protecting it from interception during transmission.

Why Not Other Options?:

Option B (IPsec tunnels): While IPsec tunnels encrypt data in transit, they are more complex to manage and require additional configuration and maintenance, leading to higher operational overhead.

Option C (Third-party application-level encryption): Implementing application-level encryption adds complexity, requires code changes, and increases operational overhead.

Option D (VPN for encryption): A VPN solution for encrypting data in transit is unnecessary and adds additional complexity without providing any benefit over SSL/TLS, which is simpler to implement and manage.

AWS References:

Amazon RDS Encryption- Information on how to configure and use encryption for Amazon RDS.

AWS Certificate Manager (ACM)- Details on using ACM to manage SSL/TLS certificates for securing data in transit.

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

To prevent loss of access to the AWS root user account due to a lost MFA device, AWS recommends enabling multiple MFA devices for the root user.

Multiple MFA Devices: AWS allows up to eight MFA devices (virtual, hardware, or security keys) to be associated with a single root user account. This redundancy ensures that if one device is lost, others can be used to authenticate and access the account.

Security Best Practices: Implementing multiple MFA devices enhances account security and provides resilience against potential access issues.

By proactively setting up multiple MFA devices, the company can maintain uninterrupted access to its critical AWS resources, even in the event of a lost or malfunctioning MFA device.

In Amazon EKS, Kubernetes stores objects such as Secrets in the cluster’s etcd key-value store. By default, Kubernetes Secrets are base64-encoded and are not automatically encrypted at the application object level unless encryption is configured. Amazon EKS provides a managed capability to encrypt Kubernetes Secrets at rest in etcd using AWS Key Management Service (KMS). The requirement explicitly states that “all secrets that are stored in Amazon EKS must be encrypted in the Kubernetes etcd key-value store,” which maps directly to enabling EKS secrets encryption with a customer-managed KMS key.

Option B is exactly this: create a KMS key and enable EKS KMS secrets encryption on the cluster. With this enabled, EKS uses envelope encryption so that Secrets are encrypted when stored in etcd, and decrypt operations are controlled through KMS permissions. This is the standard, AWS-native method that fulfills the requirement without requiring application changes or external secret stores for the encryption-at-rest requirement in etcd.

Option A (Secrets Manager) is a strong service for secret lifecycle management and rotation, but it does not by itself guarantee that Kubernetes Secrets stored in etcd are encrypted unless EKS secrets encryption is also enabled or the cluster avoids storing secrets in etcd entirely. The question specifically targets etcd encryption. Option C is unrelated: the EBS CSI driver concerns persistent volumes, not etcd secret encryption. Option D concerns EBS volume encryption and a specific AWS-managed key alias used for EBS; it also does not address etcd encryption for Kubernetes Secrets.

Therefore, B is the correct solution because it directly enables encryption of Kubernetes Secrets within etcd using KMS.

Amazon Elastic File System (EFS) is the ideal solution for migrating legacy applications that require NFS (Network File System) communication. EFS provides fully managed, scalable NFS storage in the cloud, and it supports the standard NFS protocols, allowing the legacy application to continue using NFS without modification after migration to AWS.

Key AWS features:

NFS Support: EFS natively supports the NFSv4 protocol, which makes it the best solution for workloads that rely on NFS communication.

Scalability and Availability: EFS automatically scales as application demands grow, making it a highly available and reliable storage solution.

AWS Documentation: According to AWS’s best practices for file storage, EFS is recommended for any workloads requiring NFS support in a cloud environment​​.

Creating a manual copy of the automated snapshot is the most operationally efficient option because it directly meets the requirement—retain a specific snapshot beyond the automated retention window—with the least added process and tooling. In Amazon RDS, automated backups and their snapshots are retained only for the configured backup retention period (up to the service maximum). When that retention period is exceeded, older automated snapshots are removed automatically. However, manual snapshots are retained until you explicitly delete them, so converting (copying) an automated snapshot to a manual snapshot is the standard operational approach to keep a point-in-time backup for long-term retention.

Option C is incorrect because you cannot extend automated snapshot retention beyond the maximum supported retention; also, setting “45 days” may still be within or beyond the service limits depending on the engine and configuration, and it doesn’t guarantee indefinite retention. Option B (export to S3) is not the most operationally efficient for the stated goal: exporting is a different workflow (often used for analytics, archiving in open formats, or cross-tool usage) and introduces extra steps, format considerations, and ongoing management in S3. Option D is also heavier operationally: native SQL Server backups require managing backup jobs, storage layout, restores, and permissions, and it shifts responsibility to the customer for operational correctness.

Therefore, A is the simplest and most AWS-native way to preserve an RDS snapshot long-term with minimal operational overhead.

The IAM policy includes two statements:

1️⃣ Allow ec2:TerminateInstances on all resources

2️⃣ Deny ec2:TerminateInstances if the request does NOT come from:

192.0.2.0/24

203.0.113.0/24

AWS IAM policy evaluation rules state:

Explicit Deny always overrides Allow.

A request must meet all applicable conditions in the policy to be granted.

aws:SourceIp condition applies when IAM actions are invoked via the public AWS APIs.

In this scenario, the administrator is not originating the request from one of the allowed CIDR blocks, so the Deny condition is triggered, overriding the Allow statement.

Therefore, the operation is blocked with:

403 AccessDenied: explicit deny

This matches the behavior described in the AWS IAM Policy Evaluation Logic used in the Security Pillar of the Well-Architected Framework:

Explicit Deny > Allow > Default Deny

IP-based Conditions restrict API calls originating outside approved network ranges

Options A/B/C do not accurately reflect this explicit Deny condition behavior.

Aurora I/O-Optimized: This storage configuration is designed to provide consistent high performance for Aurora databases. It automatically scales IOPS as the workload increases, without needing to provision IOPS separately.

Cost-Effectiveness: With Aurora I/O-Optimized, you only pay for the storage and I/O you use, making it a cost-effective solution for applications with varying and unpredictable I/O demands.

Implementation:

During the creation of the Aurora PostgreSQL Serverless v2 cluster, select the I/O-Optimized storage configuration.

The storage system will automatically handle scaling and performance optimization based on the application load.

Operational Efficiency: This configuration reduces the need for manual tuning and ensures optimal performance without additional administrative overhead.

Since the workload is interruptible and can resume after restarts, Amazon EC2 Spot Instances are the most cost-effective option, offering savings of up to 90% compared to On-Demand. Running the batch workload on AWS Batch with Spot Instances allows automatic job queue management, interruption handling, and scheduling. Option A and C reduce cost but still rely on reserved or committed pricing for On-Demand capacity. Option B (Capacity Reservations) increases cost instead of reducing it. Therefore, the most cost-optimized solution is D — AWS Batch with EC2 Spot Instances.

The design already uses one transit gateway (TGW) per Region and inter-Region TGW peering, which addresses the multi-Region AWS-side routing. The remaining requirement is to extend on-premises connectivity over Direct Connect so that on-premises networks can reach VPCs attached to the TGWs across all three Regions. The most operationally efficient and scalable approach is to use AWS Direct Connect Gateway (DXGW) with a transit virtual interface (transit VIF) and then associate the Regional transit gateways to that DXGW.

Option C is purpose-built for this: a transit VIF is specifically used to connect a Direct Connect connection to a Direct Connect gateway, and a DXGW can then be associated to multiple transit gateways (and can be used across Regions), enabling centralized connectivity from on-premises to TGW-connected VPCs. With TGW attachments and TGW route tables, you can propagate and control routes across many VPCs and accounts, which fits the “50 accounts, thousands of VPCs” scale. Inter-Region TGW peering then allows on-premises routes learned via the DXGW/TGW in one Region to reach workloads in the other Regions through the TGW peering relationships, subject to routing configuration.

Option A is too limited and not scalable because it ties Direct Connect to a virtual private gateway (VGW) associated with a single VPC, which does not meet the multi-VPC, multi-account hub-and-spoke requirement. Option B incorrectly suggests associating a DXGW with a VGW “in each VPC” (VGW is per VPC and would not scale well here, and it doesn’t integrate with the TGW hub design you’ve already built). Option D is not the intended pattern: Site-to-Site VPN and public VIF do not replace the DXGW + transit VIF architecture for large-scale TGW-based private routing.

AWS Lake Formationis designed for managing fine-grained access control to data in an efficient manner:

Granular Permissions: Lake Formation allows column-level, row-level, and table-level access controls, which can precisely define access to PII data.

Integration with AWS Glue Catalog: Lake Formation natively integrates with AWS Glue for seamless data cataloging and access control.

Operational Efficiency: Centralized access control policies minimize the need for separate IAM roles or policies.

Why Other Options Are Not Ideal:

Option A:

Creating multiple IAM policies introduces complexity and lacks column-level access control.Not efficient.

Option B:

Managing multiple IAM roles for granular access is operationally complex.Not efficient.

Option D:

Creating views in Glue adds unnecessary complexity and may not provide the level of granularity that Lake Formation offers.Not the best choice.

AWS References:

AWS Lake Formation:AWS Documentation - Lake Formation

Fine-Grained Permissions with Lake Formation:AWS Documentation - Fine-Grained Permissions

AWS documentation states that workloads running 24/7 should use Reserved Instances or Savings Plans for the lowest cost. Therefore, the frontend nodes, which always run, should use Reserved Instances.

The backend nodes process asynchronous, restartable jobs, which makes them ideal for EC2 Spot Instances, the most cost-effective compute option for interruption-tolerant workloads.

Fargate (Options A and D) is significantly more expensive for large compute usage. Spot Instances cannot be used for critical frontend nodes (Option C).

=====================================================

Key Requirements:

Serverless architecture.

Handle traffic bursts with high availability.

Process orders asynchronouslyin the order they are received.

Analysis of Options:

Option A:Amazon SNS delivers messages to subscribers. However, SNS does not ensure ordering, making it unsuitable for FIFO (First In, First Out) requirements.

Option B:Amazon SQS FIFO queues support ordering and ensure messages are delivered exactly once. AWS Lambda functions can be triggered by SQS to process messages asynchronously and efficiently. This satisfies all requirements.

Option C:Amazon SQS standard queues do not guarantee message order and have "at-least-once" delivery, making them unsuitable for the FIFO requirement.

Option D:Similar to Option A, SNS does not ensure message ordering, and using AWS Batch adds complexity without directly addressing the requirements.

AWS References:

Amazon SQS FIFO Queues

AWS Lambda and SQS Integration

Use SQS FIFO to durably persist orders, guarantee order processing semantics, and decouple producers/consumers. FIFO queues provide “exactly-once processing” with message deduplication and “preserve message order.” Visibility timeouts and retries ensure messages are “processed eventually” without being lost; failed messages go to a DLQ for later reprocessing. This pattern aligns with Well-Architected reliability guidance to “queue work to protect against overload and failures” and to ensure “durable, idempotent processing” with retry and backoff. ALB/RDS Proxy/read replicas (A, B) improve availability/connection management but do not guarantee durable handoff or exactly-once processing. SNS (D) is pub/sub and does not provide FIFO semantics in this option, nor a DLQ per subscription for exactly-once. Therefore, frontends write orders to an SQS FIFO queue; backend workers in an Auto Scaling group consume, process idempotently, and use a DLQ for poison messages to meet “no lost orders,” “eventual processing,” and “exactly-once” requirements.

Amazon Aurora Serverless is a fully managed, MySQL-compatible database that automatically scales based on demand and provides high availability. Combining this with EC2 Auto Scaling and an Application Load Balancer achieves both application and database high availability and scalability.

Reference Extract:

"Aurora Serverless automatically starts up, shuts down, and scales capacity based on your application's needs, providing a cost-effective, highly available database solution."

Source: AWS Certified Solutions Architect – Official Study Guide, Aurora Serverless and Scaling section.

Amazon DynamoDB provides single-digit millisecond performance at any scale and is fully managed to handle millions of catalog records. It is ideal for structured catalog data such as product metadata and scales seamlessly during high-traffic events like sales. Amazon S3 is optimized for storing unstructured large objects such as videos and manuals, with virtually unlimited scalability and high durability. Option A (RDS) would not handle massive scale or traffic spikes as efficiently. Option C overloads DynamoDB by forcing it to store large binary data, which is not its purpose. Option D (DocumentDB) is suitable for JSON-like documents but not optimal for storing large media files and would add operational complexity. Therefore, option B represents the best separation of structured and unstructured data storage.

Amazon FSx for NetApp ONTAP supports Multi-AZ, providing automatic failover between Availability Zones for high availability. It exposes ONTAP LUNs over the iSCSI protocol, delivering shared block storage semantics with low latency and consistent performance to EC2 clients across AZs. This meets the requirement for “highly available” and “low-latency” block access across multiple AZs. S3/S3 File Gateway (A) is object/file, not block storage. EBS (B, D) provides block storage to a single instance in a single AZ; EBS volumes cannot be shared across instances/AZs, and host-side sync scripts add latency, complexity, and do not provide true HA. FSx for ONTAP natively provides synchronous HA pair replication, fast failover, and supports iSCSI multipathing for resilient, performant access suited to latency-sensitive trading workloads.

AWS Transfer Family (SFTP) allows clients to use standard SFTP clients and SSH keys without changes. By enabling service-managed users, clients can continue uploading files with their existing tools.

The service delivers the files directly into S3, reducing latency between upload and processing. This removes the need for EC2, custom scripts, and periodic transfers. It fully meets the requirement for a managed solution with minimal disruption to client processes.

Amazon EC2 allows you to install and manage SQL Server directly on a Windows or Linux VM, giving you full access to the underlying operating system. This is required when you need to install custom agents, configure OS-level features, or have complete control over the environment.

Amazon RDS and Aurora are managed services and do not provide access to the underlying OS, nor does Redshift (which is a data warehouse, not SQL Server).

AWS Documentation Extract:

"If you require access to the underlying operating system or need to install custom software, use SQL Server on Amazon EC2. Amazon RDS is a managed service and does not provide OS-level access."

(Source: AWS Database Migration documentation, SQL Server Deployment Options)

EC2 Account Attributes: Amazon EC2 allows you to set account attributes to automatically encrypt new EBS volumes. This ensures that all new volumes created in your account are encrypted by default.

Configuration Steps:

Go to the EC2 Dashboard.

Select "Account Attributes" and then "EBS encryption".

Enable default EBS encryption and select the default AWS KMS key or a customer-managed key.

Prevention of Unencrypted Volumes: By setting this account attribute, you ensure that it is not possible to create unencrypted EBS volumes, thereby enforcing compliance with security requirements.

Operational Efficiency: This solution requires minimal configuration changes and provides automatic enforcement of encryption policies, reducing operational overhead.

A. Aurora MySQL:Handles OLTP workloads efficiently with built-in replication and auto-scaling capabilities.

B. EC2 with MySQL:Requires heavy manual maintenance and does not scale seamlessly.

C. RDS for MySQL:Limited in auto-scaling compared to Aurora.

D. Redshift:Primarily for OLAP, not suitable for OLTP workloads.

AWS DataSync provides managed, incremental, parallelized transfers between EFS file systems across Regions, supporting scheduled or continuously running tasks with automatic change detection, encryption in transit, and integrity verification. You can configure two tasks in opposite directions (bi-directional) to achieve two-way synchronization with high availability using agents in each Region and EFS locations connected via VPC endpoints. Native EFS replication (B) is one-way (read-only target) and not intended for active/active two-way sync. Options A and D rely on custom rsync and cross-Region mounts or SFTP, which introduce operational overhead, latency, and fail to provide resilient, managed synchronization. DataSync minimizes operational burden while delivering fault-tolerant, scalable, cross-Region EFS sync.

Amazon EFS Lifecycle Management enables automatic cost optimization by transitioning files that haven’t been accessed for a defined period (e.g., 7 days) from EFS Standard to EFS Infrequent Access (IA).

“Amazon EFS Lifecycle Management automatically moves files that haven’t been accessed for a set period to the EFS Infrequent Access storage class, reducing storage costs for infrequently accessed files.”

— Amazon EFS Documentation

Key Points:

EFS IA is ideal for files larger than 128 KB and accessed less frequently.

It’s seamless — no code or tools needed.

Meets requirement for cost optimization and high availability.

Incorrect Options:

A: File Gateway adds unnecessary complexity and does not use EFS.

B: Storing files locally breaks shared access and resiliency.

D: Glacier Deep Archive is cold storage — not "readily available."