Instructions: This mock exam contains 65 questions weighted by domain to match the actual SAA-C03 exam. Take your time and select the best answer for each question.
Domain Weighting:
Passing Score: 720/1000 (approximately 47/65 questions correct)
A company needs to grant temporary access to an S3 bucket for external partners. The access should be limited to specific objects and expire after 2 hours. Which approach is most secure?
Correct: B
Pre-signed URLs provide temporary access to specific S3 objects with configurable expiration times. They don’t require creating IAM users or making buckets public.
Domain: 1 — Design Secure Architectures Task: 1.1
A company wants to ensure that all EC2 instances in their organization cannot access the internet directly, even if someone creates an Internet Gateway. Which service should they use?
Correct: B
SCPs can deny the creation of Internet Gateways or attachment of IGWs to VPCs across all accounts in an organization. Config rules detect violations but don’t prevent them. IAM policies apply to users/roles, not organizational restrictions.
Domain: 1 — Design Secure Architectures Task: 1.1
A web application needs to authenticate users against an existing Active Directory. The application runs on AWS and should not store user credentials. Which solution is most appropriate?
Correct: C
IAM Identity Center (formerly AWS SSO) with SAML federation allows users to authenticate against an existing Active Directory without storing credentials in AWS. AD Connector extends AD to AWS but doesn’t provide web app authentication.
Domain: 1 — Design Secure Architectures Task: 1.1
A company needs to encrypt data in DynamoDB and wants full control over the encryption keys, including key rotation. Which encryption option should they choose?
Correct: C
Customer managed KMS keys provide full control over key policies, rotation, and access. Default encryption uses AWS owned keys (no customer control). AWS managed keys are controlled by AWS.
Domain: 1 — Design Secure Architectures Task: 1.3
A company has a VPC with public and private subnets. They want to allow instances in private subnets to download software updates but prevent inbound internet access. Which combination provides this capability?
Correct: B
NAT Gateway in a public subnet allows outbound internet access for private subnet instances while preventing inbound access. Route tables direct traffic from private subnets to the NAT Gateway.
Domain: 1 — Design Secure Architectures Task: 1.2
An application stores sensitive customer data in S3. The security team requires that all data be encrypted with keys that automatically rotate annually. Which solution meets this requirement with the LEAST operational overhead?
Correct: C
SSE-KMS with customer managed keys supports automatic annual rotation. AWS managed keys also rotate automatically but don’t provide the same level of control. SSE-S3 doesn’t support customer-controlled rotation.
Domain: 1 — Design Secure Architectures Task: 1.3
A company needs to protect their web application from SQL injection and cross-site scripting attacks. The application is behind an Application Load Balancer. Which AWS service should they use?
Correct: B
AWS WAF provides Layer 7 protection against SQL injection, XSS, and other web exploits. It can be attached to ALB, CloudFront, and API Gateway. Shield protects against DDoS. GuardDuty is for threat detection.
Domain: 1 — Design Secure Architectures Task: 1.2
A company wants to centrally manage access to multiple AWS accounts for their employees. Employees should use their corporate credentials to access AWS. Which solution provides this capability?
Correct: B
IAM Identity Center provides centralized access management across multiple AWS accounts with support for external identity providers (SAML 2.0). It’s the recommended solution for workforce identity federation.
Domain: 1 — Design Secure Architectures Task: 1.1
A security team needs to detect when AWS credentials are being used from unusual locations or at unusual times. Which service provides this capability?
Correct: B
GuardDuty uses machine learning to detect anomalous API activity, including unusual credential usage patterns. CloudTrail logs API calls but doesn’t analyze them for anomalies. Config tracks resource configurations.
Domain: 1 — Design Secure Architectures Task: 1.2
A company needs to store database credentials securely and rotate them automatically every 30 days. Which AWS service should they use?
Correct: B
Secrets Manager provides automatic rotation of database credentials with built-in rotation functions for RDS, Redshift, and DocumentDB. Parameter Store can store secrets but doesn’t provide automatic rotation.
Domain: 1 — Design Secure Architectures Task: 1.3
A company has a hybrid architecture with on-premises servers that need to access AWS services privately without going over the internet. Which solution provides this capability?
Correct: B
Direct Connect with a private virtual interface provides dedicated, private connectivity from on-premises to AWS VPCs. Site-to-Site VPN goes over the internet (encrypted). Transit Gateway connects VPCs but doesn’t provide on-premises connectivity alone.
Domain: 1 — Design Secure Architectures Task: 1.2
An application needs to assume an IAM role in another AWS account to access resources. What must be configured for this to work?
Correct: B
Cross-account role assumption requires a trust policy on the target role that specifies the source account/principal that can assume it. The source account also needs permissions to call sts:AssumeRole.
Domain: 1 — Design Secure Architectures Task: 1.1
A company wants to ensure that S3 buckets are never made public across all accounts in their organization. Which approach provides preventive control?
Correct: B
S3 Block Public Access can be enabled at the organization level through AWS Organizations, preventing any bucket from being made public. Config rules are detective, not preventive.
Domain: 1 — Design Secure Architectures Task: 1.3
A company needs to encrypt data in transit between their application servers and an RDS database. Which approach should they use?
Correct: B
SSL/TLS connections encrypt data in transit between application and database. RDS supports SSL connections with certificates. Encryption at rest protects stored data, not data in transit.
Domain: 1 — Design Secure Architectures Task: 1.3
A company wants to restrict which AWS services can be used in their development accounts. Which service provides this capability?
Correct: B
SCPs in AWS Organizations can restrict which services are available in member accounts. Permission boundaries limit individual IAM entities. Config rules detect but don’t prevent.
Domain: 1 — Design Secure Architectures Task: 1.1
A company needs to discover and protect sensitive data like PII stored in S3 buckets. Which AWS service should they use?
Correct: B
Amazon Macie uses machine learning to discover, classify, and protect sensitive data in S3. It can identify PII, financial data, and other sensitive information. GuardDuty focuses on threat detection.
Domain: 1 — Design Secure Architectures Task: 1.2
An application running on EC2 needs to access S3 without using access keys. What is the recommended approach?
Correct: B
IAM roles for EC2 provide temporary credentials automatically rotated by AWS. This is more secure than storing access keys. The instance profile allows the EC2 instance to assume the role.
Domain: 1 — Design Secure Architectures Task: 1.1
A company needs to ensure that all API calls to AWS are logged for compliance. Which service provides this capability?
Correct: B
CloudTrail logs all API calls made to AWS services, including who made the call, when, and from where. It’s essential for compliance and security auditing. CloudWatch Logs stores application logs.
Domain: 1 — Design Secure Architectures Task: 1.1
A company wants to use their own hardware security module (HSM) for key management while still using AWS services. Which option should they choose?
Correct: B
CloudHSM provides dedicated HSM instances in AWS that you control. It’s FIPS 140-2 Level 3 validated. KMS uses shared HSMs managed by AWS. CloudHSM is for customers who need direct HSM access.
Domain: 1 — Design Secure Architectures Task: 1.3
A company needs to implement network segmentation between different application tiers in a VPC. Which approach provides the MOST granular control?
Correct: B
Security groups provide stateful, instance-level filtering with granular rules. They can reference other security groups for tier-based access. NACLs are stateless and subnet-level. Separate VPCs add complexity.
Domain: 1 — Design Secure Architectures Task: 1.2
A company needs to decouple their order processing system so that spikes in orders don’t overwhelm the backend. Which architecture pattern should they use?
Correct: B
SQS provides loose coupling between components, allowing the order intake to continue accepting orders while the backend processes them at its own pace. This handles traffic spikes gracefully.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company wants their application to automatically scale based on CPU utilization, maintaining 70% average CPU. Which Auto Scaling policy type should they use?
Correct: C
Target tracking scaling automatically adjusts capacity to maintain a specified metric target (like 70% CPU). It’s the simplest and most effective policy type for maintaining a target utilization.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company needs to ensure their web application remains available if an entire AWS Availability Zone fails. Which architecture provides this capability?
Correct: B
Multi-AZ deployment distributes instances across multiple AZs. ALB automatically routes traffic to healthy instances. If one AZ fails, the application continues running in other AZs.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company has an RDS database that needs to survive an AZ failure with automatic failover. Which configuration should they use?
Correct: B
RDS Multi-AZ provides synchronous replication to a standby in another AZ with automatic failover. Read replicas are for scaling reads, not HA. Cross-region is for DR, not AZ failure.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to process messages in the exact order they were sent, with no duplicates. Which SQS queue type should they use?
Correct: B
SQS FIFO queues guarantee exactly-once processing and maintain message order. Standard queues provide at-least-once delivery and best-effort ordering. FIFO is limited to 300 msg/s (3,000 with batching).
Domain: 2 — Design Resilient Architectures Task: 2.1
A company needs a disaster recovery solution with RPO of 1 hour and RTO of 4 hours. Which DR strategy is most cost-effective?
Correct: D
Backup and Restore is the most cost-effective for RPO/RTO in hours. Data is backed up regularly and restored when needed. Pilot Light and Warm Standby cost more but provide faster recovery.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company wants to route traffic to the AWS region closest to the user for lowest latency. Which Route 53 routing policy should they use?
Correct: C
Latency-based routing directs users to the region with the lowest latency. Geolocation routes based on user location (compliance). Weighted distributes traffic by percentage.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to orchestrate a multi-step workflow that includes Lambda functions, human approval, and error handling. Which service should they use?
Correct: B
Step Functions provides visual workflow orchestration with built-in error handling, retries, and support for human approval tasks. It’s designed for complex, multi-step workflows.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company’s Lambda function occasionally times out when connecting to RDS during traffic spikes. What should they implement to solve this?
Correct: B
RDS Proxy pools and shares database connections, reducing connection overhead for Lambda. It handles connection management efficiently during traffic spikes. Increasing timeout doesn’t solve the root cause.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to ensure their application can handle a sudden 10x increase in traffic. Which combination provides this capability?
Correct: B
Auto Scaling with target tracking automatically adjusts capacity based on demand. ALB distributes traffic across instances. This combination handles sudden traffic increases effectively.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company wants to run containers without managing servers. Which AWS service should they use?
Correct: C
Fargate is a serverless compute engine for containers. You don’t manage servers or clusters. It works with both ECS and EKS. EC2-based options require server management.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company needs to distribute traffic across multiple regions for disaster recovery. Which service provides this capability?
Correct: C
Route 53 with health checks can route traffic to healthy endpoints across regions. The failover routing policy automatically redirects traffic when the primary region is unhealthy. ALB/NLB are regional.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to cache frequently accessed data to reduce database load. The cache must support complex data types and persistence. Which service should they use?
Correct: B
ElastiCache for Redis supports complex data types (lists, sets, sorted sets), persistence, and replication. Memcached is simpler and doesn’t support persistence. DAX is specifically for DynamoDB.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company wants to trigger actions when specific events occur in their AWS environment, such as EC2 instance state changes. Which service should they use?
Correct: C
EventBridge (formerly CloudWatch Events) captures events from AWS services and routes them to targets. It’s the central event bus for AWS event-driven architectures.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company needs their application to continue operating even if the primary database becomes unavailable. Which approach provides the fastest failover?
Correct: B
Aurora automatically promotes a read replica to primary in case of failure, typically within 30 seconds. Aurora Global Database is for cross-region DR. Manual restore takes much longer.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to process large files uploaded to S3. The processing takes 20 minutes per file. Which compute option should they use?
Correct: C
AWS Batch is designed for batch processing jobs that may take longer than Lambda’s 15-minute limit. It automatically provisions compute resources. Lambda has a 15-minute timeout limit.
Domain: 2 — Design Resilient Architectures Task: 2.1
A company wants to ensure their application can handle the failure of any single component. Which design principle should they follow?
Correct: B
Designing for failure means assuming components will fail and building redundancy. This includes Multi-AZ deployments, load balancing, and automated recovery. It’s a core AWS Well-Architected principle.
Domain: 2 — Design Resilient Architectures Task: 2.2
A company needs to store 100 TB of data that will be accessed frequently with low latency. Which S3 storage class should they use?
Correct: A
S3 Standard provides low latency and high throughput for frequently accessed data. Intelligent-Tiering adds overhead for access pattern analysis. IA and Glacier are for infrequent access.
Domain: 3 — Design High-Performing Architectures Task: 3.1
A company needs a shared file system for Linux-based EC2 instances across multiple Availability Zones. Which service should they use?
Correct: B
EFS provides a shared NFS file system accessible from multiple EC2 instances across AZs. EBS is block storage attached to single instances. FSx for Windows is for Windows workloads.
Domain: 3 — Design High-Performing Architectures Task: 3.1
A company needs to achieve 100,000 IOPS for their database workload. Which EBS volume type should they use?
Correct: B
io2 Block Express supports up to 256,000 IOPS. gp3 maxes out at 16,000 IOPS. st1 and sc1 are HDD volumes optimized for throughput, not IOPS.
Domain: 3 — Design High-Performing Architectures Task: 3.1
A company needs to run a high-performance computing (HPC) workload with shared storage. Which storage solution provides the best performance?
Correct: C
FSx for Lustre is designed for HPC workloads with sub-millisecond latencies and hundreds of GB/s throughput. It integrates with S3 for data processing workflows.
Domain: 3 — Design High-Performing Architectures Task: 3.1
A company needs to reduce latency for a globally distributed application. Static content is served from S3. Which service should they use?
Correct: B
CloudFront caches content at edge locations worldwide, reducing latency for static content. S3 Transfer Acceleration speeds uploads. Global Accelerator is for dynamic content and TCP/UDP.
Domain: 3 — Design High-Performing Architectures Task: 3.4
A company needs to run memory-intensive workloads. Which EC2 instance family should they choose?
Correct: B
R-series instances are memory optimized with high memory-to-CPU ratios. C-series is for compute-intensive workloads. T-series is for variable workloads. I-series is for storage-intensive workloads.
Domain: 3 — Design High-Performing Architectures Task: 3.2
A company needs microsecond latency for DynamoDB reads. Which solution should they implement?
Correct: B
DAX is an in-memory cache for DynamoDB that provides microsecond latency for reads. It’s fully managed and compatible with the DynamoDB API. ElastiCache requires application changes.
Domain: 3 — Design High-Performing Architectures Task: 3.3
A company needs to process real-time streaming data from IoT devices. Which service should they use?
Correct: B
Kinesis Data Streams is designed for real-time streaming data ingestion and processing. It can handle millions of records per second. SQS is for message queuing, not streaming.
Domain: 3 — Design High-Performing Architectures Task: 3.5
A company needs to query data in S3 using SQL without loading it into a database. Which service should they use?
Correct: B
Athena is a serverless query service that analyzes data directly in S3 using SQL. No data loading required. You pay per query. Glue is for ETL. Redshift requires data loading.
Domain: 3 — Design High-Performing Architectures Task: 3.5
A company needs to improve database read performance for a read-heavy application. Which approach should they use?
Correct: B
Read replicas offload read traffic from the primary database. They can be in the same region or cross-region. Multi-AZ is for HA, not read scaling. Instance size helps but doesn’t scale reads.
Domain: 3 — Design High-Performing Architectures Task: 3.3
A company needs to deliver dynamic content with low latency globally. The content cannot be cached. Which service should they use?
Correct: B
Global Accelerator uses AWS’s global network to route traffic to optimal endpoints. It improves performance for dynamic, non-cacheable content. CloudFront is primarily for cacheable content.
Domain: 3 — Design High-Performing Architectures Task: 3.4
A company needs to transform and load data from S3 into a data warehouse. Which service should they use?
Correct: B
AWS Glue is a serverless ETL service that can discover, transform, and load data. It integrates with S3, Redshift, and other data stores. Lambda has time limits for large transformations.
Domain: 3 — Design High-Performing Architectures Task: 3.5
A company needs to run Apache Spark workloads for big data processing. Which service should they use?
Correct: B
EMR (Elastic MapReduce) is designed for big data processing with Spark, Hadoop, and other frameworks. It provides managed clusters optimized for these workloads.
Domain: 3 — Design High-Performing Architectures Task: 3.2
A company needs to connect their VPC to S3 without going over the internet. Which solution provides this with the lowest cost?
Correct: B
Gateway Endpoints for S3 are free and provide private connectivity. Interface Endpoints (PrivateLink) have hourly and data processing charges. NAT Gateway has hourly and data charges.
Domain: 3 — Design High-Performing Architectures Task: 3.4
A company needs to load streaming data into S3 with automatic batching and compression. Which service should they use?
Correct: B
Kinesis Data Firehose automatically batches, compresses, and delivers streaming data to S3, Redshift, or Elasticsearch. It’s fully managed with no capacity planning. Data Streams requires custom consumers.
Domain: 3 — Design High-Performing Architectures Task: 3.5
A company needs to improve the performance of SQL queries on large datasets in S3. Which approach should they use?
Correct: B
Parquet is a columnar format that reduces data scanned. Partitioning allows Athena to skip irrelevant data. Together they significantly improve query performance and reduce costs.
Domain: 3 — Design High-Performing Architectures Task: 3.5
A company runs EC2 instances 24/7 for a production workload. They want to reduce costs. Which purchasing option provides the best savings?
Correct: C
Reserved Instances and Savings Plans provide up to 72% discount for steady-state workloads. Spot is cheaper but can be interrupted. On-Demand is full price. Dedicated Hosts are for compliance.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.2
A company has data that is accessed frequently for the first 30 days, then rarely accessed. Which S3 lifecycle policy should they implement?
Correct: B
S3 Standard-IA is cost-effective for infrequently accessed data that still needs quick retrieval. Glacier has retrieval delays. Standard is expensive for rarely accessed data.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.1
A company runs batch processing jobs that can tolerate interruptions. Which EC2 purchasing option provides the lowest cost?
Correct: C
Spot Instances provide up to 90% discount for interruptible workloads. Batch processing is ideal for Spot because jobs can be restarted if interrupted. Reserved/Savings Plans are for steady workloads.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.2
A company wants to reduce NAT Gateway costs for development environments. Which alternative should they consider?
Correct: B
NAT Instance on a small EC2 instance ($3.80/month for t3.nano) is much cheaper than NAT Gateway ($32/month). It’s suitable for dev/test where high availability isn’t critical.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.4
A company needs to archive compliance data for 7 years with rare access. Which storage class is most cost-effective?
Correct: C
Glacier Deep Archive is the cheapest storage class (~$0.00099/GB/month) for data that is rarely accessed. Retrieval takes 12-48 hours. It’s ideal for compliance archives.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.1
A company wants to optimize costs for a variable workload that has unpredictable access patterns. Which S3 storage class should they use?
Correct: C
S3 Intelligent-Tiering automatically moves objects between access tiers based on usage patterns. It’s ideal when access patterns are unknown or changing. No retrieval fees.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.1
A company wants to reduce data transfer costs between their VPC and S3. Which solution should they implement?
Correct: B
Gateway Endpoints for S3 are free and keep traffic within AWS network. Transfer Acceleration speeds uploads but costs more. Direct Connect has monthly fees.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.4
A company has multiple VPCs that need to communicate. They want to minimize costs. Which solution should they use for 3 VPCs?
Correct: B
VPC Peering has no hourly charges, only data transfer costs. Transit Gateway has hourly attachment fees. For a small number of VPCs, peering is more cost-effective.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.4
A company wants to reduce RDS costs for a development database that’s only used during business hours. Which approach should they use?
Correct: B
Stopping RDS instances when not in use eliminates compute charges (storage charges continue). This is ideal for dev/test environments. Reserved Instances require 24/7 usage to be cost-effective.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.3
A company wants flexibility to change EC2 instance types while still getting a discount. Which purchasing option should they choose?
Correct: B
Convertible Reserved Instances allow changing instance family, OS, and tenancy. They provide less discount than Standard RIs but more flexibility. Spot can be interrupted.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.2
A company wants to track and allocate AWS costs by project. Which feature should they use?
Correct: B
Cost allocation tags allow you to categorize and track costs by project, department, or any custom dimension. Cost Explorer visualizes costs. Budgets alert on spending.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.1
A company wants to get recommendations for right-sizing their EC2 instances. Which service provides this?
Correct: C
Cost Explorer provides right-sizing recommendations based on actual usage patterns. It identifies underutilized instances and suggests appropriate sizes. Trusted Advisor has limited free checks.
Domain: 4 — Design Cost-Optimized Architectures Task: 4.2