SAA-C03 Amazon Web Services AWS Certified Solutions Architect - Associate (SAA-C03) Free Practice Exam Questions (2026 Updated)

The requirement is to scan container images for CVEs with the fewest changes to existing ECS workloads. Amazon ECS integrates natively with Amazon Elastic Container Registry (ECR), making ECR the natural place to implement vulnerability scanning without modifying the orchestration platform.

Option A meets the requirement most efficiently. ECR provides built-in vulnerability scanning that can be enabled using scan on push, ensuring that every new image uploaded to the repository is automatically scanned for known CVEs. This capability requires no changes to ECS task definitions beyond referencing ECR images, which is typically already the case. Scan results are maintained by AWS and can be reviewed centrally, providing ongoing security visibility.

Option C introduces a major architectural change by migrating to EKS, which violates the “fewest changes” requirement. Options B and D misuse services: Amazon Macie is designed for sensitive data discovery in S3, not container image vulnerability scanning, and storing images in S3 breaks container-native workflows. Lambda-driven Inspector scans for container images are not required when ECR already provides integrated scanning.

Therefore, A is the optimal solution because it leverages native ECS–ECR integration, requires minimal operational changes, and provides automated CVE scanning aligned with AWS container security best practices.

AWS documentation states that workloads running 24/7 should use Reserved Instances or Savings Plans for the lowest cost. Therefore, the frontend nodes, which always run, should use Reserved Instances.

The backend nodes process asynchronous, restartable jobs, which makes them ideal for EC2 Spot Instances, the most cost-effective compute option for interruption-tolerant workloads.

Fargate (Options A and D) is significantly more expensive for large compute usage. Spot Instances cannot be used for critical frontend nodes (Option C).

=====================================================

An S3 Bucket Key reduces the cost of using AWS KMS for server-side encryption by decreasing the number of requests made to KMS. By enabling S3 Bucket Key, the company can meet its encryption requirements with KMS keys while optimizing costs by reducing the number of KMS API requests.

Key AWS features:

Cost Optimization: S3 Bucket Keys reduce the frequency of KMS calls, optimizing the cost associated with encryption while still using AWS KMS for key management.

Compliance with KMS Encryption: This solution continues to meet the strict encryption requirements of the company by using KMS managed keys.

AWS Documentation: Using an S3 Bucket Key is recommended for organizations looking to optimize encryption costs without compromising security​​.

The most resilient and scalable architecture for handling millions of high-resolution images with frequent updates is to store the binary images in Amazon S3 and store their metadata or reference (geographic code and S3 URL) in Amazon DynamoDB.

From AWS Documentation:

“Store large objects like images in Amazon S3 and use Amazon DynamoDB to store metadata and references. This design pattern is scalable, highly available, and cost-effective.”

(Source: AWS Architecture Blog – Best Practices for Handling Large Objects)

Why B is correct:

Amazon S3 is designed for storing large volumes of binary data (images).

DynamoDB provides low-latency reads/writes using the geographic code as the partition key.

Highly available, serverless, and auto-scaling, suitable for disaster scenarios with bursts of activity.

Reduces pressure on the database layer by separating metadata from image storage.

Why the others are incorrect:

Option A and D: Storing images directly in RDS is expensive, unscalable, and not optimal for binary storage.

Option C: DynamoDB is suitable, but storing actual binary image data in DynamoDB is not best practice due to item size limits (400 KB) and performance concerns.

AWS Transit Gateway simplifies network connectivity by acting as a hub that can connect VPCs and on-premises networks through VPN or Direct Connect. It provides scalability and reduces administrative overhead by eliminating the need to manage complex peering relationships as the number of accounts and VPCs grows.

Amazon S3 Standard-IA: This storage class is designed for data that is accessed less frequently but requires rapid access when needed. It offers lower storage costs compared to S3 Standard while still providing high availability and durability.

Access Patterns: Since the files are frequently accessed in the first 30 days and rarely accessed afterward, transitioning them to S3 Standard-IA after 30 days aligns with their access patterns and reduces storage costs significantly.

Lifecycle Policy: Implementing a lifecycle policy to transition the files to S3 Standard-IA ensures automatic management of the data lifecycle, moving files to a lower-cost storage class without manual intervention. Deleting the files after 4 years further optimizes costs by removing data that is no longer needed.

This solution is the most cost-effective and meets the RPO and RTO requirements of 24 hours.

Automatic Snapshots: Amazon RDS automatically creates snapshots of your DB instance at regular intervals. By copying these snapshots to another AWS Region every 24 hours, you ensure that you have a backup available in a different geographic location, providing disaster recovery capability.

RPO and RTO: Since the company’s RPO and RTO are both 24 hours, copying snapshots daily to another Region is sufficient. In the event of a disaster, you can restore the DB instance from the most recent snapshot in the target Region.

Why Not Other Options?:

Option A (Cross-Region Read Replica): This could provide a faster recovery time but is more costly due to the ongoing replication and resource usage in another Region.

Option B (DMS Cross-Region Replication): While effective for continuous replication, it introduces complexity and cost that isn’t necessary given the 24-hour RPO/RTO.

Option C (Cross-Region Native Backup Copy): This involves more manual steps and doesn’t offer as straightforward a solution as automated snapshot copying.

AWS References:

Amazon RDS Automated Backups and Snapshots- Details on automated backups and snapshots in RDS.

Copying an Amazon RDS DB Snapshot- How to copy DB snapshots to another Region.

Amazon CloudFront is a global content delivery network (CDN) that caches and distributes content to users with low latency. By setting the existing ALB as the origin, CloudFront can cache dynamic and static content closer to users worldwide, improving performance and reducing the load on the application servers. This is the most cost-optimized and AWS-recommended way to globally serve dynamic content for web applications.

Reference Extract:

" CloudFront accelerates delivery of both static and dynamic content, reducing latency and offloading origin resources by caching content at edge locations. "

Source: AWS Certified Solutions Architect – Official Study Guide, CloudFront and Global Application section.

The ALB must be in a public subnet to receive internet traffic. The EC2 instances and the RDS database should be in private subnets to prevent direct internet access, minimizing the attack surface. This aligns with AWS security best practices for web application architectures.

Reference Extract:

" Internet-facing ALBs should be placed in public subnets; EC2 instances and RDS databases should be in private subnets to restrict direct internet access. "

Source: AWS Certified Solutions Architect – Official Study Guide, Network Security and Design section.

Amazon RDS for Oracle is a managed database service, which significantly reduces operational overhead compared to running Oracle on EC2 or on-premises. AWS Secrets Manager natively integrates with RDS and supports automatic, scheduled password rotation with minimal setup. You can configure the rotation schedule (including yearly), and Secrets Manager will handle the secure password storage and rotation workflow for you.

AWS Documentation Extract:

" AWS Secrets Manager helps you protect access to your applications, services, and IT resources without the upfront investment and on-going maintenance costs of operating your own infrastructure. You can configure automatic rotation for supported databases such as Amazon RDS for Oracle. "

(Source: AWS Secrets Manager documentation)

A, C, D: These solutions require custom scripting, Lambda, and alarms, leading to more operational overhead.

AWS Fargate with Spot capacity is the most cost-effective and serverless container option for short-duration jobs that are flexible on start time. Since the job is not latency-critical and runs nightly, it is a good candidate for Fargate Spot, which can offer up to 70% cost savings over On-Demand pricing.

The job runs for 1 hour, which exceeds the AWS Lambda maximum execution time (15 minutes). Therefore, Lambda is not suitable. EC2-based solutions involve higher operational overhead and cost, making Fargate Spot the best low-cost, low-maintenance solution.

DynamoDB Streams: Captures real-time changes in DynamoDB tables and allows integration with Lambda for processing the changes.

Minimal Operational Overhead: Using a Lambda function directly to write data to S3 ensures simplicity and reduces the complexity of the pipeline.

Amazon DynamoDB Streams Documentation

AWS recommends multi-Region active-active architectures for applications requiring high availability, automatic failover, and disaster recovery. Route 53 latency-based routing directs users to the Region providing the lowest latency and automatically shifts traffic if Regional endpoints become unhealthy.

Combined with Application Load Balancers and EC2-based microservices deployed in multiple Regions, this architecture delivers fault tolerance, multi-Region resiliency, and automatic recovery.

Option D provides high availability but does not inherently provide multi-Region failover routing without additional configuration. Option B is single-Region. Option A is not resilient.

=====================================================

Using Service Control Policies (SCPs) to enforce permissions boundaries ensures that all created roles are constrained, regardless of attached policies. This is the most secure, scalable, and AWS-recommended preventive control.

AWS DataSync provides a fully managed, secure, and high-performance service for transferring large amounts of data between on-premises storage and Amazon S3. It uses TLS encryption in transit and automates data validation, scheduling, and monitoring.

From AWS Documentation:

“AWS DataSync securely and efficiently transfers large amounts of data online between on-premises storage and AWS services. All data is encrypted in transit using TLS.”

(Source: AWS DataSync User Guide – How DataSync Works)

Why B is correct:

Encrypts all data in transit automatically.

Optimized for high-throughput WAN environments (100 Mbps to multi-Gbps).

Fully managed, with no need to provision additional infrastructure.

Integrates natively with S3 and supports incremental syncs.

Why others are incorrect:

A: DMS is designed for database migration, not unstructured data.

C: Snowball is for offline migrations, not needed given available connectivity.

D: Direct Connect is costly for temporary data transfers and unnecessary here.

Amazon RDSBlue/Green Deploymentsis the ideal solution for upgrading the database version with minimal operational overhead and no data loss. Blue/Green Deployments allows you to create a separate, fully managed " green " environment with the upgraded database version. You can test the new version in the green environment while the " blue " environment continuesserving production traffic. Once testing is complete, you can seamlessly switch traffic to the green environment without downtime.

This solution provides:

Fast, non-disruptive upgrade: Traffic is only switched to the new environment after testing, ensuring zero data loss.

Minimal operational overhead: AWS handles the infrastructure management, reducing manual intervention.

Option A (Manual snapshot): This requires manual intervention and involves more operational overhead.

Option B (Native backup/restore): This approach is more labor-intensive and slower than Blue/Green Deployments.

Option C (DMS): AWS DMS adds unnecessary complexity for a simple version upgrade when Blue/Green Deployments can handle the task more efficiently.

AWS References:

Amazon RDS Blue/Green Deployments

This question centers on improving scalability and global access performance.

Auto Scaling groups enable EC2 instances to scale dynamically in response to demand, ensuring availability during peak hours without manual intervention. Amazon RDS read replicas offload read traffic, improving read throughput and reducing latency on the primary database instance. Deploying Amazon CloudFront with S3 as origin accelerates delivery of static transaction documents globally by caching content at edge locations, reducing latency for users worldwide.

Option B focuses on vertical scaling (larger instances) and caching with ElastiCache, but it does not address global content delivery optimally. AWS Global Accelerator accelerates network traffic but is better suited for accelerating TCP and UDP traffic; CloudFront is generally preferred for HTTP content delivery.

Option C migrates workloads to Lambda and Aurora global databases, which is an advanced and potentially costly redesign that may not be necessary. Option D suggests moving to ECS and multi-AZ RDS but does not address global content delivery efficiently.

Therefore, option A uses proven scalability and caching best practices aligned with AWS Well-Architected Framework pillars for performance and operational excellence.

Encryption at Rest: AWS Key Management Service (AWS KMS) provides centralized control over the cryptographic keys used to protect data. By using AWS KMS with Amazon S3, you can manage encryption keys and define policies to control access to them.

Encryption in Transit: By enforcing the aws:SecureTransport condition in the S3 bucket policy, you ensure that all data is transmitted over HTTPS, protecting data in transit.

Access Control: IAM policies allow you to define fine-grained permissions for users and roles, ensuring that only authorized entities can access the customer records.

Monitoring: AWS CloudTrail provides a record of actions taken by a user, role, or AWS service in Amazon S3, enabling you to monitor access to the records.

According to the AWS Well-Architected Framework – Security Pillar and the AWS Identity and Access Management (IAM) User Guide, the root user account in an AWS account is extremely powerful and should be protected with strict security measures.

From AWS documentation:

“We recommend that you not use the root user for everyday tasks, even administrative ones. Instead, create IAM users and grant them only the permissions they need. To help protect your AWS account, enable multi-factor authentication (MFA) for the root user.”

(Source: AWS Identity and Access Management User Guide – Securing the Root User)

The correct and recommended action is to create IAM users with specific permissions for daily operations and enable MFA on the root user to provide an additional layer of security. The root user cannot be disabled, so Option A is technically incorrect. AWS also explicitly advises against using root access keys (Option C) or sharing root credentials (Option D), both of which violate the principle of least privilege.

Best practices summarized from AWS official documentation:

Do not use root user for routine tasks

Enable MFA for root user immediately

Create individual IAM users and assign least privilege

Avoid creating or using root user access keys

These recommendations are foundational to securing any new AWS account and are consistently emphasized in the AWS Certified Solutions Architect – Official Study Guide and the AWS Security Best Practices whitepaper.

If the SQS visibility timeout is set shorter than the time it takes for the application to process and delete the message, the message becomes visible to other consumers and can be processed again, resulting in duplicate processing. This is a common cause of duplicate messages when using SQS.

Reference Extract from AWS Documentation / Study Guide:

" If the visibility timeout for a message is set shorter than the time it takes to process the message, the message becomes visible again and can be received and processed again, resulting in duplicate processing. "

Source: AWS Certified Solutions Architect – Official Study Guide, SQS and Messaging section.

AWS KMS with SSE-KMS provides granular key management and auditability. All use of KMS keys is logged in AWS CloudTrail, which allows compliance teams to monitor encryption and decryption operations. A bucket policy can be configured to enforce uploads only with the designated KMS key, ensuring that users cannot bypass encryption or change methods. Option A (SSE-S3 with bucket policy) enforces encryption but does not provide the same level of control or auditable key usage. Option C (client-side encryption) increases complexity and key management burden. Option D prevents bucket setting changes but does not prevent unencrypted uploads. Therefore, B ensures the most granular control, auditability, and compliance with financial data requirements.

The requirement explicitly states that the solution must not involve training a machine learning model, which immediately eliminates options that require custom ML development. Amazon Rekognition is a fully managed computer vision service that can analyze images and detect inappropriate or unwanted content using pretrained models provided by AWS.

Option B correctly uses Amazon Rekognition’s image moderation capabilities to analyze uploaded photos and identify unsafe or unwanted content categories. By invoking Rekognition from an AWS Lambda function, the solution remains serverless, automatically scalable, and operationally efficient. The Lambda function URL provides a secure HTTPS endpoint that the web application can call synchronously during uploads.

Option A violates the requirement because SageMaker Autopilot is designed to build and train ML models. Option C is incorrect because Amazon Comprehend is a natural language processing service for text analysis, not image moderation. CloudFront Functions also do not support calling external AWS services like Rekognition. Option D uses Rekognition Video, which is intended for analyzing video streams, not static images.

Using Lambda and Rekognition together ensures minimal operational overhead, no ML training effort, and immediate enforcement of content moderation policies. The architecture also allows easy extension, such as logging moderation results or blocking uploads based on confidence thresholds.

Therefore, B is the correct solution because it meets the content moderation requirement using AWS-managed ML services without requiring model training.

For short, frequent daily spikes (15–20 minutes), the most cost-effective scaling behavior typically comes from target tracking scaling driven by a request-based metric, because it continuously adjusts capacity to maintain a chosen target value rather than adding/removing capacity in coarse steps. Option D uses a custom CloudWatch metric representing the number of GET requests (sourced from ALB access logs, application instrumentation, or request counting logic) and applies target tracking so the Auto Scaling group scales out and in proportionally to demand. This helps avoid both under-provisioning (bad performance during spikes) and over-provisioning (wasted cost between spikes), which is exactly what cost-optimized elasticity aims for.

Option A (simple scaling) is usually less cost-efficient for bursty traffic because it relies on fixed adjustments and alarm thresholds, often with cooldowns. With 15–20 minute spikes, simple scaling can react too slowly, overshoot, or oscillate, leaving extra instances running after the spike or failing to ramp fast enough at the start. Option B (predictive scaling) is intended for regular, forecastable demand patterns, but it’s not always the most cost-effective choice for repeated short spikes because it can pre-scale conservatively and may require more historical data and tuning; it is often paired with dynamic scaling anyway. Option C uses UnhealthyHostCount, which is a health signal—not a demand signal—and scaling on unhealthy hosts can increase cost without addressing request volume; it may also mask underlying application issues rather than scaling to meet load.

Because the requirement explicitly allows standard or custom metrics and focuses on scaling based on request volume, D best matches a cost-efficient, responsive approach that directly tracks incoming workload.

Predictive scaling in EC2 Auto Scaling uses machine learning to analyze historical load and forecast future capacity needs, then pre-scales capacity before the demand occurs. It is specifically designed for recurring, cyclical workloads such as weekly batch jobs.

In this scenario:

The workload pattern is known and recurring (weekly scripted jobs).

The company explicitly does not want to manually analyze trends.

They need capacity to be ready 30 minutes before jobs start.

Predictive scaling lets you:

Set the metric (CPU utilization) and target (60%).

Configure the policy to pre-launch instances 30 minutes in advance, satisfying the requirement automatically with minimal operational overhead.

Dynamic scaling (Option A) reacts after CPU increases, not before.

Scheduled scaling (Option B) requires manual analysis and ongoing adjustment of capacity values.

EventBridge + Lambda (Option D) introduces unnecessary custom logic and still reacts after CPU reaches 60%, not 30 minutes before.

AWS Step Functions is designed to coordinate multiple AWS services into serverless workflows, handling errors, retries, and complex logic. By configuring Amazon S3 Event Notifications to trigger an Amazon EventBridge rule, you can automatically start a Step Functions workflow when a new object is uploaded to S3. Step Functions can manage retries for failed uploads and orchestrate calls to various AWS services with minimal operational effort.

AWS Documentation Extract:

“You can use Amazon EventBridge to initiate AWS Step Functions workflows in response to events from S3 buckets. Step Functions can orchestrate the sequence of AWS service calls and automatically handle retries and errors, making it ideal for automating and managing complex workflows.”

(Source: AWS Step Functions documentation, Using Step Functions with EventBridge and S3)

Other options:

A: Requires manual implementation of orchestration and error handling.

B & C: Involve additional infrastructure management and custom logic for workflow orchestration and error handling, increasing operational effort.

For the relational database tier, Amazon RDS Multi-AZ provides high availability with minimal manual intervention. In Multi-AZ mode, RDS maintains a synchronous standby in a different Availability Zone and provides automatic failover during certain failure scenarios. This reduces operational burden because the service handles replication, health monitoring, and failover orchestration.

For the container-based application tier, Amazon ECS with the Fargate launch type minimizes operational overhead because it removes the need to provision, patch, and scale the underlying EC2 instances that host containers. With Fargate, AWS manages the compute infrastructure, and the team focuses on task definitions, scaling policies, and application configuration. This supports a highly available, load-balanced architecture because ECS services can run tasks across multiple Availability Zones behind an Application Load Balancer, and scaling is managed via ECS Service Auto Scaling.

Option B describes read replicas, which are primarily used for scaling reads and, depending on configuration, may not provide the same automated failover characteristics as Multi-AZ for high availability. Read replicas are not a direct substitute for Multi-AZ HA. Option C (self-managed Docker cluster on EC2) is operationally heavy: you must manage node capacity, patching, cluster lifecycle, and scheduling. Option E (ECS on EC2) is a valid container platform but still requires managing EC2 instances, AMIs, and scaling/patching, which increases manual intervention compared to Fargate.

Therefore, combining RDS Multi-AZ (A) for database resilience and ECS Fargate (D) for serverless container operations meets the HA requirement with the least manual effort.

AWS Secrets Manager natively supports automatic rotation of RDS for Oracle credentials, fully integrating with Amazon RDS. Rotation workflows are managed automatically by the service, eliminating custom scripting and reducing operational effort.

Migrating to EC2 (Option C) requires custom rotation logic. Converting to DynamoDB or Neptune (Options A and D) would require complete database redesign and do not fulfill the requirement to run Oracle.

Serving static content from Amazon S3 is highly cost-effective and scalable. By fronting the S3 bucket with Amazon CloudFront, you also enable global caching, reduced latency, and even lower costs by reducing direct S3 access. There is no need for EC2 or ALB, and no need to manage servers, further lowering operational burden and expenses. This pattern is the recommended AWS architecture for serving static web content.

Reference Extract from AWS Documentation / Study Guide:

" Hosting static websites on Amazon S3 with Amazon CloudFront reduces infrastructure costs and improves performance for global users by caching content at edge locations. "

Source: AWS Certified Solutions Architect – Official Study Guide, S3 and CloudFront section.