SAA-C03 Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) Free Practice Exam Questions (2026 Updated)

The first step is to configure a delegated administrator account for IAM Access Analyzer at the organization level. Only after delegating the administrator account can you aggregate Access Analyzer findings from all member accounts into a designated audit account. This must be set up in the AWS Organizations management account.

AWS Documentation Extract:

“You must designate a delegated administrator for IAM Access Analyzer at the organization level. The delegated administrator account aggregates findings from all member accounts.”

(Source: IAM Access Analyzer documentation)

A, C, D: These steps do not establish the organization-wide aggregation required for Access Analyzer.

The correct answer is C because the company already uses Amazon FSx for NetApp ONTAP and requires a disaster recovery solution in a secondary Region that preserves access through the same protocols , specifically CIFS and NFS . The most appropriate solution is to deploy a second FSx for ONTAP file system in the secondary Region and use NetApp SnapMirror to replicate data between Regions. SnapMirror is built for ONTAP-based replication and is the native mechanism for efficient, storage-level disaster recovery.

This option provides the least operational overhead because it uses the capabilities already integrated into FSx for ONTAP rather than introducing another storage platform or custom replication tooling. It also preserves protocol compatibility, so applications in the recovery Region can continue to access data through CIFS and NFS without architectural changes.

Option A is incorrect because replicating data to Amazon S3 does not preserve native CIFS and NFS file shares. Option B can support recovery, but backups and restores are not the best fit for an active DR strategy where the secondary Region needs accessible replicated storage with the same protocols and lower recovery effort. Option D is incorrect because Amazon EFS does not provide CIFS/SMB support in the same way as FSx for ONTAP and would require a platform change.

AWS guidance for FSx for ONTAP disaster recovery favors using SnapMirror replication to another FSx for ONTAP deployment. This approach is protocol-compatible, efficient, and operationally simpler than building a custom DR workflow.

AWS Control Tower: Provides a managed service to set up and govern a secure, multi-account AWS environment based on AWS best practices. It automates the setup of AWS Organizations and applies security controls (guardrails).

Networking Account:

Create a centralized networking account that includes a VPC with both private and public subnets.

This centralized VPC will manage and control the networking resources.

AWS Resource Access Manager (AWS RAM):

Use AWS RAM to share the subnets from the networking account with the other workload accounts.

This allows different workload accounts to utilize the shared networking resources without the need to manage their own VPCs.

Operational Efficiency: Using AWS Control Tower simplifies the setup and governance of multiple AWS accounts, while AWS RAM facilitates centralized management of networking resources, reducing operational overhead and ensuring consistent security and compliance.

The most cost-effective solution for serving video content with different bitrates is to store multiple versions of each video inAmazon S3. S3 provides scalable and cost-effective storage for largemedia files. Serving the videos from a single Amazon EC2 instance ensures low-latency delivery, and S3 storage helps minimize costs.

Option A (ElastiCache): Caching large video files in memory would be prohibitively expensive and unnecessary.

Option B (Auto Scaling group): Using Auto Scaling groups to serve video is less cost-effective compared to leveraging S3 for static storage.

Option D (Kinesis Video Streams): Kinesis Video Streams is designed for real-time video streaming and is not suitable for storing and serving pre-recorded videos.

AWS References:

Amazon S3 for Media Storage

AWS Fargate is a serverless compute engine for containers that works with Amazon EKS. With Fargate, you do not need to provision or manage EC2 instances or clusters. You simply define and deploy your pods, and Fargate automatically launches the required compute resources. This results in the lowest operational overhead because AWS manages the infrastructure. Fargate profiles allow you to specify which pods run on Fargate.

AWS Documentation Extract:

“AWS Fargate is a serverless, pay-as-you-go compute engine that lets you focus on building applications without managing servers. With Amazon EKS and Fargate, you only need to define your application’s pods; Fargate provisions and manages the required compute resources for you.”

(Source: Amazon EKS documentation, AWS Fargate integration)

Other options:

A: Self-managed nodes require you to manage EC2 instances.

B: Managed node groups reduce some overhead, but you are still responsible for patching and managing the EC2 instances.

D: Managed node groups with Karpenter automate scaling but do not remove the need to manage underlying instances.

AWS Lambda is event driven and “scales automatically with the number of requests,” charging per request and compute duration in milliseconds; you can schedule with Amazon EventBridge rules. Allocating 1 GB memory proportionally increases available CPU, which suits short CPU bursts. For a 10-second, once-per-hour job, Lambda eliminates instance idle time, providing the lowest cost and no servers to manage. Fargate tasks (A) bill per-second with a 1-minute minimum and require container packaging; for a 10-second job, costs are higher than Lambda. Options C and D keep EC2 management overhead and either maintain instances or add start/stop orchestration complexity; EC2 costs dominate because the instance sits idle for 59+ minutes each hour. Therefore, Lambda + EventBridge is the most cost-effective and operationally simple solution.

For logs that are:

Written and processed within a short period (24 hours)

Accessed quickly for compute/analytics

With unknown object count and size

Amazon S3 Standard is the most appropriate and cost-effective. Intelligent-Tiering is designed for data stored for longer periods (typically 30+ days) with changing access patterns and charges a per-object monitoring and automation fee that becomes inefficient for very short-lived objects.

S3 Glacier Deep Archive and S3 One Zone-IA are optimized for long-term archival or infrequently accessed data with retrieval time or availability constraints that are not suitable for nightly active processing.

The correct answer is C because the company needs a secure cross-account access solution that uses temporary credentials , follows least privilege , and avoids long-term access keys . The best practice for this design is to allow an IAM role in Account A to access the Amazon S3 bucket in Account B through a resource-based bucket policy . Analysts or applications in Account A can assume the IAM role and receive temporary credentials through AWS Security Token Service (AWS STS), which satisfies the requirement to avoid permanent access keys.

This approach is secure because permissions can be scoped precisely to the required bucket and prefixes, supporting least-privilege access. It also avoids creating separate IAM users in Account B and eliminates the operational and security risks of sharing static credentials across accounts. Cross-account access through IAM roles and S3 bucket policies is the standard AWS pattern for securely granting one account access to resources in another account.

Option A is incorrect because creating IAM users and sharing access keys introduces long-term credentials, which the company explicitly wants to avoid. Option B is incorrect because making the S3 bucket public violates security requirements and does not enforce least privilege. Option D is incorrect because using a bastion host adds unnecessary infrastructure and operational overhead and is not the recommended approach for S3 access.

AWS security best practices favor role-based access with temporary credentials and resource policies for cross-account resource sharing. Therefore, configuring the S3 bucket policy in Account B to allow access from an IAM role in Account A is the most secure and appropriate solution.

Amazon EFS integrates natively with Lambda, supports shared, persistent storage, and allows independent updates without redeploying functions. EBS and /tmp are not supported for this use case; FSx is unnecessary.

Why Option B is Correct:

AWS WAF: Provides a simple way to create geographic match rules to block or allow traffic based on country IP ranges.

Least Operational Overhead: Attaching the WAF rule to the ALB ensures centralized control without modifying ACLs or instance firewalls.

Why Other Options Are Not Ideal:

Option A: Network ACLs operate at the subnet level and can become complex to manage for dynamic or evolving IP ranges.

Option C: Managing IP-based rules in security groups and ACLs lacks scalability and does not provide country-based filtering.

Option D: Configuring host-based firewalls increases operational overhead and does not leverage AWS-managed solutions.

AWS References:

AWS WAF Geomatch:AWS Documentation - WAF Geomatch

This solution usesCloudFrontto serve the website securely over HTTPS usingAWS Certificate Manager (ACM)for SSL certificates.Origin Access Control (OAC)ensures that only CloudFront can access the S3 bucket directly.AWS WAFwith an IP set rule restricts access to the website, allowing only the on-premises IP address.Route 53is used to create an alias record pointing to the CloudFront distribution. This setup ensures secure, private access to the website with low administrative overhead.

Option A and B: S3 bucket policies and access points do not provide HTTPS support, nor do they offer the same level of security as CloudFront with WAF.

Option D: Signed URLs are more suitable for temporary, expiring access rather than a permanent solution for on-premises employees.

AWS References:

Amazon CloudFront with Origin Access Control

The requirement is for immediate processing of uploaded videos and prompt notification to users. According to AWS best practices for event-driven architectures, using S3 event notifications to trigger a Lambda function upon an object creation (upload) is the optimal solution for real-time processing. Lambda can process the file as soon as it is uploaded, ensuring low latency. Once processing is complete, Lambda can save the processed file back to S3 and use Amazon SNS to notify the user.

This approach uses managed services with minimal operational overhead, is scalable, and ensures event-driven processing with instant user feedback. AWS Amplify primarily facilitates application development and hosting but does not natively provide direct push notification support for this backend workflow; instead, SNS is designed for such notification scenarios.

Reference Extract from AWS Documentation / Study Guide:

" Amazon S3 can publish events to AWS Lambda when objects are created. AWS Lambda runs code in response to events and can interact with other AWS services. Amazon SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients. "

Source: AWS Certified Solutions Architect – Official Study Guide, Event-driven Architectures section; AWS Lambda Developer Guide (S3 triggers); Amazon SNS User Guide.

Option Auses an IAM role attached to the EC2 instance profile, enabling secure and automated access to Secrets Manager. This is the recommended approach.

Option Buses IAM users, which is less secure and harder to manage.

Option Cis not practical for accessing secrets programmatically.

Option Dviolates best practices by granting direct access to the EC2 instance.

To decouple the monolith and enhance scalability, AWS best practice is to introduce an asynchronous message queue, such as Amazon SQS, between the web/API tier and the order-processing logic.

AWS Lambda functions consuming from the SQS queue provide serverless, auto-scaling processing without managing servers.

To track and reprocess failed orders, SQS supports dead-letter queues (DLQs). Messages that cannot be processed successfully after a configurable number of attempts are automatically moved to the DLQ, where operations teams or automated processes can inspect and reprocess them.

Why others are not correct:

B: ECS tasks can consume an SQS queue, but this requires managing container infrastructure and does not inherently provide as simple reprocessing/visibility as combining Lambda with a DLQ. Visibility timeout is not a tracking or archival mechanism.

C: Kinesis is a streaming service designed for ordered event streams, not primarily for order-queue semantics and DLQs; SQS is simpler and purpose-built for this pattern.

D: Long polling reduces empty responses and API calls but does nothing for tracking or reprocessing failed messages; without a DLQ, failed orders are harder to manage

AWS Transit Gateway is purpose-built for large-scale, hub-and-spoke network architectures. It simplifies connectivity between multiple VPCs and on-premises environments, which is ideal for managing hundreds of VPCs.

“AWS Transit Gateway enables you to connect your VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships.”

— Transit Gateway Documentation

Features:

Scales to thousands of VPCs.

Integrates with AWS Direct Connect via Direct Connect Gateway.

Centralized routing control.

Incorrect Options:

A: VPC endpoints are for private access to AWS services—not VPC-to-VPC connectivity.

C: Route 53 is DNS, not a network transport layer.

D: Secrets Manager is for secret storage, not networking.

For near-real-time streaming workloads that are highly latency-sensitive, the network layer must provide ultra-low latency and high throughput between compute nodes. Elastic Fabric Adapter (EFA) is specifically designed to meet these requirements. EFA enables EC2 instances to communicate using a high-performance network interface that bypasses traditional TCP/IP networking, providing lower and more consistent latency. This is especially valuable for tightly coupled workloads that require fast inter-node communication.

Option B is the correct choice because EFA supports custom networking stacks and is optimized for applications such as real-time data processing, distributed computing, and high-performance workloads. EFA integrates directly with supported EC2 instance types and allows applications to take advantage of enhanced networking capabilities without requiring complex multi-VPC architectures.

Option A introduces additional network hops and latency due to VPC peering and is not suitable for ultra-low-latency workloads. Option C (spread placement groups) is designed to increase fault tolerance by placing instances on separate hardware, but it does not optimize for low-latency communication and may actually increase network distance between instances. Option D improves storage performance, not network performance, and does not affect inter-instance latency.

Therefore, B is the best solution because Elastic Fabric Adapter is the AWS-recommended approach for achieving the lowest possible network latency between EC2 instances in performance-critical streaming architectures.

Edge-optimized API Gateway endpoints utilize the Amazon CloudFront global network to decrease latency for clients globally. This setup ensures that the request is routed to the closest edge location, significantly reducing response time and improving performance for worldwide users.

Maintaining two NAT gateways for production ensures high availability. Reducing to one NAT gateway in non-production environments lowers cost while maintaining necessary connectivity. This approach is recommended by AWS for cost optimization in non-critical environments.

Reference Extract:

" For environments that do not require high availability, you can reduce costs by using a single NAT gateway and updating route tables accordingly. "

Source: AWS Certified Solutions Architect – Official Study Guide, Cost Optimization and NAT Gateway section.

The correct answer is C because the requirement specifically calls for an Amazon EBS data volume that provides configurable and consistent IOPS for a transaction-heavy application. Provisioned IOPS SSD (io2) volumes are designed for workloads that need high performance, low latency, and predictable I/O performance. These volumes are the best fit for applications that process a large number of transactions and require storage performance to remain stable under load.

Using a gp3 volume for the root device is appropriate because the operating system volume usually does not require the same high and sustained performance characteristics as the application data volume. The io2 data volume provides the ability to provision IOPS independently to match the application’s transactional demands. This separation of root and data storage is a common AWS design pattern for performance-sensitive workloads.

Option A is incorrect because st1 and sc1 are HDD-based volumes intended for large, sequential workloads, not high-transaction workloads that require consistent low-latency I/O. Option B is also incorrect because st1 does not provide the required configurable and consistent IOPS characteristics. Option D is incorrect because the requirement explicitly states that the application needs an Amazon EBS data volume , and Amazon S3 is object storage rather than block storage attached as an EBS volume.

AWS storage best practices recommend Provisioned IOPS SSD volumes for mission-critical applications, transactional systems, and workloads that need sustained, predictable performance. Therefore, a gp3 root volume combined with an io2 data volume is the most appropriate solution for this use case.

The correct answer is D because the company needs to authenticate users from an on-premises LDAP directory to the AWS Management Console , but the directory is not SAML-compatible . In this scenario, the AWS-recommended pattern is to use a custom identity broker that authenticates users against the existing LDAP directory and then requests temporary AWS credentials from AWS Security Token Service (AWS STS) . This enables federated access to AWS without creating long-term IAM user credentials for each person.

A custom identity broker serves as the intermediary between the non-SAML directory and AWS. After validating a user with LDAP, the broker can call AWS STS to issue short-lived credentials or console sign-in access. This approach preserves the use of the company’s existing identity source while meeting AWS security best practices for temporary credentials and centralized identity management.

Option A is incorrect because AWS IAM Identity Center typically relies on supported identity sources and federation methods, and the question explicitly states that the LDAP directory is not SAML-compatible. Option B is incorrect because IAM policies do not integrate directly into LDAP as an authentication mechanism. Option C is incorrect because rotating IAM credentials tied to LDAP changes still relies on long-term credentials and does not provide a proper federated sign-in model.

AWS federation guidance supports the use of a custom identity broker when an organization has a non-SAML-compatible identity system. Therefore, the best solution is to develop an on-premises custom identity broker that uses AWS STS to obtain short-lived credentials for AWS Management Console access.

To achieve a 60-second RTO, pre-warming the DR environment (including running EC2 instances and Route 53 health checks) is essential. Active/passive failover using Route 53 with health checks ensures fast redirection when the primary Region becomes unavailable. S3 cross-region replication ensures document availability.

Detailed Explanation:

A. ECS + API Gateway:Overly complex and costly for an on-demand, intermittent workload.

B. EventBridge + SNS:EventBridge schedules are unnecessary for on-demand generation.

C. EKS + API Gateway:Overkill for this use case, with high operational overhead.

D. Lambda + SES:Most cost-effective and efficient solution for generating and emailing reports on demand.

Workload Discovery on AWS is a tool that automatically discovers AWS resources across multiple accounts and Regions and builds visual architecture diagrams that show resource relationships. It is specifically designed to help teams understand and document existing workloads with minimal manual effort.

This service provides multi-account visibility, relationship mapping, and exportable diagrams, which directly satisfies the need to “build and map the relationship details of the various workloads” with the least operational overhead.

Systems Manager Inventory (Option A) focuses on collecting configuration and inventory data (primarily for instances and some resources) and does not generate architecture diagrams or full relationship views.

Step Functions (Option B) and X-Ray (Option D) would require custom collection and manual diagramming and are not purpose-built for environment discovery and mapping.

Step A:AWS WAF with managed rules protects the API against application-layer attacks, such as SQL injection and cross-site scripting (XSS).

Step C:Amazon Cognito provides secure authentication and supports federation with social IdPs using OIDC or SAML. It integrates seamlessly with API Gateway.

Option B:AWS Shield Advanced provides DDoS protection, which is not explicitly required in this scenario.

Option D:API keys provide identification, not authentication, and are insufficient for this use case.

Option E:IP filters in WAF are overly restrictive for federated authentication scenarios.

AWS Documentation References:

Amazon Cognito Federation

AWS WAF Managed Rules

The correct answer is B because the requirement explicitly calls for a write once, read many (WORM) approach and a mandatory retention period of 1 year . Amazon S3 Object Lock in compliance mode is the AWS feature designed specifically for this purpose. It prevents objects from being deleted or overwritten for a fixed retention period, even by privileged users. That directly satisfies the need to preserve confidential medical results for at least one year after creation.

Using compliance mode is important because it enforces retention in a way that cannot be bypassed by users or administrators. This is appropriate for regulated workloads such as medical records, where strong immutability controls are required. The company can then use IAM policies to allow only a small set of approved users to upload new files while granting other authorized users read-only access.

Option A is incorrect because MFA Delete helps protect against accidental deletion, but it does not provide a full WORM retention model and does not prevent overwrites in the same way as Object Lock. Option C is not sufficient because IAM and bucket policies can be changed by administrators with enough permissions and therefore do not provide the same immutable retention guarantee. Option D is overly complex and does not enforce WORM behavior; tracking object hashes only detects changes after the fact.

AWS best practices for immutable retention on S3 recommend S3 Object Lock when legal hold or retention requirements exist. For least implementation effort and proper WORM enforcement, S3 Object Lock in compliance mode is the most appropriate solution.

To improve read performance for a MySQL-based RDS database under load, you can:

Use Read Replicas: Amazon RDS supports MySQL read replicas, which help offload read operations from the primary database, improving performance during high traffic.

Use ElastiCache (Memcached): Adding an in-memory cache layer using Amazon ElastiCache reduces the load on the RDS instance by serving frequent queries directly from memory, especially when data is not updated often.

Option A (AWS WAF) is for web security, not database performance. Option D relates to storage optimization, not query latency. Option E would require re-architecting from relational to NoSQL, which is unnecessary and disruptive.

Option Ais the best solution as it leveragesAWS Lambdafor serverless, scalable, and highly available processing and enrichment of clickstream data. Lambda can process the data in real-time, join it with the Aurora database data, and write the enriched results to Amazon S3. FromS3,Amazon Redshift Spectrumcan directly query the enriched data without needing to load the data into Redshift, enabling cost efficiency and high availability.

Why Other Options Are Incorrect:

Option B:EC2 Spot Instances are not guaranteed to be highly available, as Spot Instances can be interrupted at any time. This does not align with the requirement for high availability.

Option C:While ECS with AWS Fargate provides scalability, using EC2 for the COPY command introduces operational overhead and compromises high availability.

Option D:Kinesis Data Firehose and Athena are suitable for querying raw data, but they do not directly support enriching the data by joining with Aurora. This solution fails to meet the requirement for data enrichment.

Key AWS Features Used:

AWS Lambda:Real-time serverless processing with integration capabilities for Aurora and S3.

Amazon S3:Cost-effective storage for enriched data.

Amazon Redshift Spectrum:Direct querying of data stored in S3 without loading it into Redshift.

AWS Documentation References:

AWS Lambda Function Overview

Amazon Redshift Spectrum

Processing Streaming Data with Kinesis Data Streams

Amazon RDS Proxy is designed to manage a large number of database connections from applications, especially serverless applications that can scale quickly. It improves application availability and scalability by pooling and sharing established database connections. This reduces the overhead of database connections and prevents overload during traffic spikes.