Amazon SAA-C03 Exam Questions Instant Access

Question 1

A healthcare company needs a storage solution for electronic health records EHRs. The company must store the EHRs for at least 10 years to comply with regulations. The company rarely accesses the records. The records must be secure, immutable, and retrievable within a few hours when needed. Which solution will meet these requirements in the MOST cost-effective way?

AStore the records in Amazon S3 Standard. Enable server-side encryption with Amazon S3 managed keys SSE-S3 and S3 Versioning.

BStore the records in Amazon S3 Glacier Flexible Retrieval. Configure S3 Object Lock and set a retention period of 10 years.

CStore the records in Amazon S3 One Zone-Infrequent Access S3 One Zone-IA. Configure an S3 Lifecycle policy to remove records after 10 years.

DStore the records in Amazon S3 Intelligent-Tiering. Configure automatic archiving to the Archive Access tier.

Answer : B

S3 Glacier Flexible Retrieval is designed for long-lived archive data that is accessed infrequently and can be retrieved in minutes to hours, making it a strong cost-effective choice for medical records that are rarely accessed. AWS documentation states that standard retrievals from this storage class typically finish in 3 to 5 hours, which fits the requirement to retrieve records within a few hours. For immutability, AWS S3 Object Lock provides a WORM model and can prevent deletion or overwriting for a fixed retention period. Together, Glacier Flexible Retrieval and Object Lock satisfy the needs for low-cost archival storage, long retention, immutability, and acceptable restore times. S3 Standard and Intelligent-Tiering cost more than necessary for rarely accessed 10-year data, and One Zone-IA does not provide the same resilience posture.

============

Question 2

A company is developing a rating system for its ecommerce web application. The company needs a solution to save ratings that users submit in an Amazon DynamoDB table. The company wants to ensure that developers do not need to interact directly with the DynamoDB table. The solution must be scalable and reusable.

Which solution will meet these requirements with the LEAST operational overhead?

ACreate an Application Load Balancer ALB. Create an AWS Lambda function, and set the function as a target group in the ALB. Invoke the Lambda function by using the PutItem method through the ALB.

BCreate an AWS Lambda function. Configure the Lambda function to interact with the DynamoDB table by using the PutItem method from Boto3. Invoke the Lambda function from the web application.

CCreate an Amazon SQS queue and an AWS Lambda function that has an SQS trigger type. Instruct the developers to add customer ratings to the SQS queue as JSON messages. Configure the Lambda function to fetch the ratings from the queue and store the ratings in DynamoDB.

DCreate an Amazon API Gateway REST API. Define a resource and create a new POST method. Choose AWS as the integration type, and select DynamoDB as the service. Set the action to PutItem.

Answer : D

The lowest-overhead answer isAPI Gateway with direct AWS service integration to DynamoDB PutItem. DynamoDB's API includes a native PutItem action for writing an item to a table, and API Gateway supports direct AWS service integrations, which lets the web application send requests through an API layer without developers touching DynamoDB directly. This approach is scalable, reusable, and avoids managing Lambda code purely as a pass-through layer. The SQS-based design adds unnecessary queueing for a straightforward write API, and ALB is not the appropriate frontend for invoking DynamoDB actions. Therefore, direct API Gateway service integration is the cleanest design.

============

Question 3

A solutions architect is building a static website hosted on Amazon S3. The website uses an Amazon Aurora PostgreSQL database accessed through an AWS Lambda function. The production website uses a Lambda alias that points to a specific version of the Lambda function.

Database credentials must rotate every 2 weeks. Previously deployed Lambda versions must always use the most recent credentials.

Which solution will meet these requirements?

AStore credentials in AWS Secrets Manager. Turn on rotation. Write code in the Lambda function to retrieve credentials from Secrets Manager.

BInclude the credentials in the Lambda function code and update the function regularly.

CUse Lambda environment variables and update them when new credentials are available.

DStore credentials in AWS Systems Manager Parameter Store. Turn on rotation. Write code to retrieve credentials from Parameter Store.

Answer : A

AWS Secrets Manager is the recommended service for storing database credentials and performing automated rotation. Any Lambda function version or alias can fetch the latest secret value at runtime, ensuring no outdated credentials exist in deployed versions.

Environment variables (Option C) are static per version. Embedding credentials in code (Option B) is insecure and requires redeployment. Parameter Store (Option D) supports rotation but requires more configuration and is not as seamless as Secrets Manager for database credential rotation.

=====================================================

Question 4

A solutions architect is designing the network architecture for an application that runs on Amazon EC2 instances in an Auto Scaling group. The application needs to access data that is in Amazon S3 buckets.

Traffic to the S3 buckets must not use public IP addresses. The solutions architect will deploy the application in a VPC that has public and private subnets.

Which solutions will meet these requirements? (Select TWO.)

ADeploy the EC2 instances in a private subnet. Configure a default route to an egress-only internet gateway.

BDeploy the EC2 instances in a public subnet. Create a gateway endpoint for Amazon S3. Associate the endpoint with the subnet's route table.

CDeploy the EC2 instances in a public subnet. Create an interface endpoint for Amazon S3. Configure DNS hostnames and DNS resolution for the VPC.

DDeploy the EC2 instances in a private subnet. Configure a default route to a NAT gateway in a public subnet.

EDeploy the EC2 instances in a private subnet. Configure a default route to a customer gateway.

Answer : B, D

Option B:A gateway endpoint for S3 allows traffic to S3 without using public IPs and integrates with route tables.

Option D:Deploying EC2 instances in a private subnet with a NAT gateway enables outbound internet connectivity for other requirements without public IPs.

Option A:Egress-only internet gateways are for IPv6 traffic and do not work for IPv4 in this context.

Option C:Interface endpoints are not required for S3 as gateway endpoints are more suitable and cost-effective.

Option E:A customer gateway is for hybrid connectivity (e.g., on-premises), not suitable for this case.

AWS Documentation Reference:

VPC Endpoints

Amazon S3 Gateway Endpoints

Question 5

A healthcare company stores personally identifiable information (PII) data in an Amazon RDS for Oracle database. The company must encrypt the PII data at rest. The company must use dedicated hardware modules to store and manage the encryption keys.

AUse AWS Key Management Service (AWS KMS) to configure encryption for the RDS database. Store and manage keys in AWS CloudHSM.

BUse AWS CloudHSM backed AWS KMS keys to configure transparent encryption for the RDS database.

CUse Amazon EC2 instance store encryption to encrypt database volumes by using AWS CloudHSM backed keys.

DConfigure RDS snapshots and use server-side encryption with Amazon S3 managed keys (SSE-S3). Store the keys in AWS CloudHSM.

Answer : B

Amazon RDS supports encryption at rest by using AWS KMS keys backed by AWS CloudHSM. This allows use of dedicated FIPS 140-2 Level 3 validated hardware modules to manage encryption keys, meeting compliance for sensitive data such as PII.

From AWS Documentation:

''You can use AWS KMS with keys that are backed by AWS CloudHSM to control the encryption of RDS databases. This provides dedicated HSM-backed key storage and management.''

(Source: Amazon RDS User Guide -- Encrypting Amazon RDS Resources)

Why B is correct:

Meets the requirement for dedicated HSM hardware.

Fully integrates with RDS for transparent encryption at rest.

Satisfies compliance standards for healthcare and regulated data.

Why others are incorrect:

A: Keys in CloudHSM directly are not used by RDS; they must be managed through KMS integration.

C: EC2 instance stores are ephemeral, not suitable for RDS databases.

D: SSE-S3 applies to S3 objects, not databases.

Amazon RDS User Guide -- ''Encryption at Rest with AWS KMS and CloudHSM''

AWS CloudHSM User Guide

AWS Well-Architected Framework -- Security Pillar

Question 6

A company runs an online order management system on AWS. The company stores order and inventory data for the previous 5 years in an Amazon Aurora MySQL database. The company deletes inventory data after 5 years.

The company wants to optimize costs to archive data.

Options:

ACreate an AWS Glue crawler to export data to Amazon S3. Create an AWS Lambda function to compress the data.

BUse the SELECT INTO OUTFILE S3 query on the Aurora database to export the data to Amazon S3. Configure S3 Lifecycle rules on the S3 bucket.

CCreate an AWS Glue DataBrew Job to migrate data from Aurora to Amazon S3. Configure S3 Lifecycle rules on the S3 bucket.

DUse the AWS Schema Conversion Tool (AWS SCT) to replicate data from Aurora to Amazon S3. Use the S3 Standard-Infrequent Access (S3 Standard-IA) storage class.

Answer : B

The SELECT INTO OUTFILE S3 feature allows you to export Amazon Aurora MySQL data directly to Amazon S3 with minimal operational overhead. This method is efficient and cost-effective for archiving historical data.

You can configure S3 Lifecycle rules to transition the exported data to lower-cost storage (e.g., S3 Glacier or S3 Standard-IA) and eventually delete it after 5 years.

No need for additional ETL tools like Glue or DataBrew unless complex transformations are required.

Exporting data from Aurora MySQL to S3

Question 7

A company runs a web application on Amazon EC2 instances in an Auto Scaling group that has a target group. The company designed the application to work with session affinity (sticky sessions) for a better user experience.

The application must be available publicly over the internet as an endpoint. A WAF must be applied to the endpoint for additional security. Session affinity (sticky sessions) must be configured on the endpoint.

ACreate a public Network Load Balancer. Specify the application target group.

BCreate a Gateway Load Balancer. Specify the application target group.

CCreate a public Application Load Balancer. Specify the application target group.

DCreate a second target group. Add Elastic IP addresses to the EC2 instances.

ECreate a web ACL in AWS WAF. Associate the web ACL with the endpoint.

Answer : C, E

The Application Load Balancer (ALB) supports sticky sessions (session affinity) using application cookies. AWS WAF integrates natively with ALB to provide Layer 7 protection at the same endpoint.

From AWS Documentation:

''You can enable sticky sessions for your Application Load Balancer target groups to ensure that a user's requests are consistently routed to the same target. AWS WAF integrates with Application Load Balancer to protect your web applications from common exploits.''

(Source: Elastic Load Balancing User Guide & AWS WAF Developer Guide)

Why C and E are correct:

C: ALB operates at Layer 7 (HTTP/HTTPS), supports sticky sessions, and can serve as a public endpoint.

E: AWS WAF can be directly associated with the ALB to inspect traffic and enforce rules.Together, they fulfill both the security and session affinity requirements.

Why others are incorrect:

A: Network Load Balancer doesn't support session affinity.

B: Gateway Load Balancer is used for virtual appliances, not web applications.

D: Using EIPs bypasses load balancing and WAF integration.

Elastic Load Balancing User Guide -- ''Sticky Sessions for Application Load Balancers''

AWS WAF Developer Guide -- ''Associating a Web ACL with an ALB''

AWS Well-Architected Framework -- Security and Performance Pillars

Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam Questions