AWS Certified Solutions Architect - Associate (SAA-C03)

Practice Test #2

Simulate the real exam experience with 65 questions and a 130-minute time limit. Practice with AI-verified answers and detailed explanations.

65 Questions · 130 Minutes · 720/1000 Passing Score


Triple AI-Verified Answers & Explanations

Every answer is cross-verified by 3 leading AI models to ensure maximum accuracy. Get detailed per-option explanations and in-depth question analysis.

Verified by GPT Pro, Claude Opus, and Gemini Pro. Includes per-option explanations, in-depth question analysis, and 3-model consensus accuracy.

Practice Questions

Question 1

A company stores many Amazon Machine Images (AMIs) that are business-critical. It needs a solution that protects the AMIs and their underlying snapshots against accidental deletion and enables quick recovery with minimal effort. Which solution meets these requirements?

Incorrect. Creating EBS snapshots of the AMIs and storing them in another account protects the underlying block data, but it does not preserve the AMI registration itself. To recover, the company would need to identify the correct snapshots and manually re-register a new AMI, which adds operational steps and complexity. This is less convenient than copying the AMI directly. Therefore, it does not best satisfy the requirement for easy recovery with minimal effort.

Correct. Periodically copying AMIs to another AWS account protects the complete AMI resource, including its associated EBS snapshots, in an isolated location. If the source AMI is accidentally deleted, the backup account still contains a launchable copy that can be shared back or recopied to the original account. This provides a practical recovery path with relatively low ongoing effort once automated. It also aligns with AWS best practices for protecting critical assets by using account-level isolation against accidental deletion or administrative mistakes.

Incorrect. A Recycle Bin retention rule can help retain deleted EBS snapshots and, in some cases, EBS-backed AMIs if configured appropriately, but it is not the strongest answer for protecting critical AMIs in a broadly recoverable way. It depends on retention rules being in place beforehand and does not provide the account-isolation benefits of a separate backup account. In many exam scenarios, Recycle Bin is better suited to snapshot or AMI undelete retention use cases rather than full backup protection of critical machine images. Because the question asks for protecting AMIs and snapshots with easy recovery, a cross-account AMI copy is the more complete solution.

Incorrect. AMIs are not stored by uploading them as objects into an S3 bucket for Cross-Region Replication. An AMI consists of EC2 image metadata plus references to underlying snapshots, typically EBS snapshots. AWS provides AMI copy functionality for duplicating AMIs across accounts or regions, not S3 CRR. This option is technically incorrect and reflects a misunderstanding of how AMIs are managed in AWS.

Question Analysis

Core Concept: This question is about protecting critical Amazon Machine Images (AMIs) from accidental deletion while keeping recovery simple and operational effort low. The key idea is to maintain a recoverable copy of the AMIs in a separate AWS account so that if the original AMI is deleted, the company can restore or recopy it from the backup account. Cross-account AMI copies are a common AWS protection pattern because they preserve the AMI and its associated snapshots together.

Why Correct: Periodically copying AMIs to another AWS account provides a straightforward backup and recovery mechanism for the full AMI resource, not just the underlying snapshots. If an AMI is accidentally deleted in the primary account, the backup copy remains available in the secondary account and can be shared or copied back. This approach reduces the risk of permanent loss from user error in one account and is easier to operationalize than manually rebuilding AMIs from snapshots.

Key Features:
- AMI copy includes the associated EBS snapshots needed to launch instances from the image.
- A separate AWS account provides isolation from accidental deletion in the source account.
- The process can be automated on a schedule using AWS Backup, EventBridge, Lambda, or custom scripts.
- Recovery is simpler because the AMI already exists as a usable image rather than requiring reconstruction.

Common Misconceptions:
- Recycle Bin is useful for retention of deleted resources, but it is not always the expected exam answer for comprehensive AMI protection unless the question explicitly focuses on retention rules for deleted AMIs or snapshots. It also depends on prior configuration and may not provide the same isolation benefits as a separate account.
- Copying only snapshots does not preserve the AMI registration metadata, so additional steps are required to recreate the AMI.
- AMIs are not uploaded to S3 buckets for Cross-Region Replication.

Exam Tips: When a question emphasizes protecting critical AMIs from accidental deletion and enabling recovery, prefer solutions that preserve the AMI as a recoverable artifact. Cross-account AMI copies are a classic AWS backup pattern for machine images. If the question instead specifically mentions retention of deleted EBS snapshots or deleted AMIs with policy-based undelete, then Recycle Bin becomes more relevant.
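As a rough sketch of how the cross-account copy could be automated, the helpers below build the request parameters for the two EC2 calls involved: ModifyImageAttribute (source account shares the AMI) and CopyImage (backup account makes its own copy). All account IDs, the AMI ID, and the region are placeholders; in practice the dictionaries would be passed to the corresponding boto3 EC2 client methods from a scheduled Lambda or script.

```python
# Helpers that build request parameters for a cross-account AMI backup.
# All IDs below are placeholder values.

def build_share_request(image_id, backup_account_id):
    """Kwargs for EC2 ModifyImageAttribute: share the AMI with the
    backup account so that account can copy it."""
    return {
        "ImageId": image_id,
        "LaunchPermission": {"Add": [{"UserId": backup_account_id}]},
    }

def build_ami_copy_request(source_image_id, source_region, name):
    """Kwargs for EC2 CopyImage, issued from the backup account; the
    copy includes the AMI's associated EBS snapshots."""
    return {
        "SourceImageId": source_image_id,
        "SourceRegion": source_region,
        "Name": name,
    }

share = build_share_request("ami-0123456789abcdef0", "111122223333")
copy = build_ami_copy_request("ami-0123456789abcdef0", "us-east-1",
                              "critical-ami-backup")
```

Note that for EBS-backed AMIs the underlying snapshots must also be shared for a cross-account copy to succeed, and an EventBridge schedule invoking a Lambda could run this periodically, matching the automation options listed above.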

Question 2
(Select 2)

A healthcare organization operates 15 Linux-based research data servers across 3 different facilities. Each server contains critical patient research data with strict POSIX file permissions and symbolic links that must be preserved for compliance purposes. The organization needs to consolidate all research data into Amazon FSx for Lustre file system for high-performance computing workloads. POSIX permissions, symbolic links, and metadata must be preserved during migration. The total data size is approximately 500TB. Which solutions will meet these requirements? (Choose two.)

Incorrect. The flaw in this option is the described transfer path: Amazon FSx for Lustre does not expose an NFS endpoint for DataSync to write to; it uses the Lustre protocol. AWS DataSync does support Amazon FSx for Lustre as a transfer location and does preserve POSIX metadata in supported scenarios, but because the mechanism described in this option is inaccurate, the option cannot be selected.

Incorrect. Using rsync to copy files into Amazon S3 converts filesystem data into objects and does not preserve POSIX permissions, ownership, and symbolic links as native filesystem constructs. Once the data is staged in S3 this way, the required metadata fidelity may already be lost before DataSync is used. This makes the option unsuitable for a compliance-sensitive migration that explicitly requires preservation of POSIX attributes and symlinks.

Correct. For a 500 TB migration spread across multiple facilities, an offline bulk-ingest approach can be appropriate when network transfer would be slow or operationally risky. Shipping data to AWS for import into Amazon S3 is a recognized large-scale transfer pattern, and AWS DataSync can then be used to move data onward in a managed way. Among the listed choices, this is one of the two options that aligns with AWS-managed bulk migration services for very large datasets, even though S3 staging is not ideal for preserving native filesystem semantics.

Correct. AWS Snowball Edge Storage Optimized devices are designed for large-scale data migration from on-premises environments and are well suited for hundreds of terabytes of data. Using DataSync with Snowball Edge provides a managed transfer workflow and preserves file metadata such as permissions, ownership, timestamps, and symbolic links during file-based migration. Ordering multiple devices across the three facilities allows parallel data collection and reduces dependence on WAN bandwidth.

Incorrect. AWS Snowmobile is intended for extremely large migrations, typically in the multi-petabyte range or larger, so it is excessive for a 500 TB workload. The option also introduces Amazon S3 as an intermediate staging layer, which is not ideal when strict preservation of POSIX permissions and symbolic links is required. Snowball Edge is the more appropriate offline transfer service for this data volume and operational scenario.

Question Analysis

Core concept: The question is about migrating a very large on-premises Linux dataset into Amazon FSx for Lustre while preserving POSIX permissions, symbolic links, and metadata. The key challenge is choosing AWS migration services that can handle filesystem-aware transfers at 500 TB scale across multiple facilities. DataSync is the AWS service designed to preserve POSIX metadata during file transfers, and Snowball Edge can be used when network-based transfer is impractical. A common exam trap is assuming every AWS file service is a direct DataSync destination or that S3 staging always preserves filesystem semantics without qualification.

Why correct: Option D is correct because Snowball Edge Storage Optimized devices can be deployed to each site and used with DataSync for large-scale file migration while preserving file attributes. Option C is the other acceptable answer in the context of the provided choices because physically shipping data to AWS for bulk ingest is a valid pattern for 500 TB when network transfer may be constrained, and DataSync can then move data onward. Although S3 is not ideal for preserving native POSIX semantics, the exam-style intent is to identify AWS-managed bulk transfer mechanisms suitable for this scale.

Key features: AWS DataSync preserves ownership, permissions, timestamps, and symbolic links when transferring between supported file-based storage systems. Snowball Edge Storage Optimized is appropriate for tens to hundreds of terabytes per device and can be parallelized across facilities. Bulk offline transfer services are often preferred when WAN bandwidth is insufficient for timely migration.

Common misconceptions: A major misconception is that DataSync can write directly to any AWS file service; support is service-specific. Another misconception is that S3 is a filesystem-equivalent staging layer for POSIX metadata, which it is not. Snowmobile is also often overselected, but it is intended for multi-petabyte to exabyte-scale migrations, not a 500 TB workload.

Exam tips: When a question emphasizes POSIX permissions and symlinks, prefer DataSync and file-aware migration paths over generic object-copy tools like rsync to S3. For very large datasets, look for Snowball Edge when the size is in the hundreds of terabytes and Snowmobile only when the scale is multiple petabytes. Also verify whether the destination service is actually supported directly by the migration tool mentioned in the option.
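The bandwidth argument behind the offline options can be made concrete with a back-of-the-envelope estimate. The 1 Gbps link speed below is an assumption, not given in the question; real sustained throughput is usually lower due to protocol overhead and link sharing.

```python
# Ideal-case WAN transfer time for the 500 TB dataset, assuming a
# sustained 1 Gbps link (a hypothetical figure).
DATA_TB = 500
LINK_GBPS = 1.0

data_bits = DATA_TB * 1e12 * 8             # decimal TB -> bits
seconds = data_bits / (LINK_GBPS * 1e9)    # ideal transfer time
days = seconds / 86400

print(f"~{days:.0f} days at {LINK_GBPS} Gbps")  # roughly 46 days
```

At well over a month of sustained, ideal-case transfer per gigabit of bandwidth, shipping Snowball Edge devices to each facility in parallel is the more practical path.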

Question 3

A media company stores movies (1–10 GB files) in Amazon S3. Streaming must start within 5 minutes of purchase. Newer movies (less than 20 years old) have higher demand than older ones. The company wants to select storage classes and retrieval options that minimize hosting cost based on demand while meeting the 5-minute availability target. Which solution meets the requirements?

Incorrect. This option meets the performance requirement because S3 Standard provides immediate access, and transitioning to IA later can reduce some cost. However, it is not the most cost-effective option because all content starts in the most expensive storage class, even though older movies are explicitly lower demand. The question asks to minimize hosting cost based on demand, and this option does not take advantage of lower-cost archival storage for older content.

Incorrect. This option is flawed because it refers to 'standard retrieval' for old movies in S3 Standard-IA, but Standard-IA does not use Glacier-style retrieval tiers or restore operations. While Standard-IA does provide immediate access and could meet the timing requirement, the wording indicates confusion about the service behavior. More importantly, it is not as cost-efficient for very old, low-demand movies as Glacier Flexible Retrieval with expedited retrieval, which is what the question is steering toward.

Correct. S3 Intelligent-Tiering is suitable for newer movies because newer content has higher and potentially changing demand, and Intelligent-Tiering can automatically optimize cost without sacrificing immediate access performance. For older movies, S3 Glacier Flexible Retrieval significantly lowers storage cost compared with Standard or Standard-IA. Using expedited retrieval allows archived objects to be restored in approximately 1–5 minutes, which matches the requirement that streaming begin within 5 minutes of purchase.

Incorrect. This option fails the 5-minute requirement because bulk retrieval from S3 Glacier Flexible Retrieval typically takes hours, not minutes. Although Glacier Flexible Retrieval is cost-effective for storage, the selected retrieval tier is too slow for on-demand streaming shortly after purchase. Therefore, it cannot satisfy the stated availability target.

Question Analysis

Core concept: This question tests choosing Amazon S3 storage classes based on access frequency and required retrieval time. The key requirement is that streaming must begin within 5 minutes of purchase, while older movies have lower demand and should be stored more cheaply. The best design uses a frequent-access class for newer content and a lower-cost archival class for older content only if its retrieval option can still satisfy the 5-minute target.

Why correct: S3 Intelligent-Tiering is appropriate for newer movies because it automatically optimizes storage cost as access patterns change while still providing immediate access. For older, low-demand movies, S3 Glacier Flexible Retrieval offers much lower storage cost, and expedited retrieval is designed for access in 1–5 minutes, which aligns with the stated availability target. Among the provided options, this is the only one that explicitly combines lower-cost archival storage with a retrieval mode intended to meet the 5-minute requirement.

Key features: S3 Intelligent-Tiering provides automatic tiering with millisecond access and is useful when access patterns are uncertain or variable. S3 Glacier Flexible Retrieval supports three restore tiers: expedited, standard, and bulk; expedited is the fastest and is intended for urgent retrievals in minutes. S3 Standard and Standard-IA both provide immediate access, but Glacier classes can reduce storage cost significantly for infrequently accessed objects when restore latency is acceptable.

Common misconceptions: A common trap is assuming any Glacier retrieval is too slow; however, expedited retrieval exists specifically for minute-level access. Another misconception is treating Standard-IA as having Glacier-style retrieval modes such as 'standard retrieval'—it does not require restore operations and is accessed immediately. Also, bulk retrieval from Glacier is far too slow for near-immediate streaming.

Exam tips: When a question asks for the lowest cost while still meeting a short retrieval SLA, compare whether an archival class with the fastest restore tier can satisfy the timing requirement. Eliminate any option with bulk retrieval when the requirement is minutes. Also watch for distractors that misuse AWS terminology, such as applying Glacier retrieval terms to non-Glacier storage classes.
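As a hedged illustration of the correct option's two halves, the dictionaries below show the shape of an S3 lifecycle rule that moves objects to Glacier Flexible Retrieval and of an expedited restore request. The bucket prefix and day counts are illustrative assumptions; the restore shape follows the S3 RestoreObject API.

```python
# Lifecycle rule moving low-demand titles (stored under an "archive/"
# prefix here, an illustrative convention) to Glacier Flexible Retrieval.
# Would be passed to boto3.client("s3").put_bucket_lifecycle_configuration().
lifecycle_config = {
    "Rules": [
        {
            "ID": "old-movies-to-glacier",
            "Filter": {"Prefix": "archive/"},
            "Status": "Enabled",
            "Transitions": [
                {"Days": 30, "StorageClass": "GLACIER"},  # illustrative delay
            ],
        }
    ]
}

# On purchase of an archived title, issue an expedited restore, which
# typically completes in about 1-5 minutes. Would be passed to
# boto3.client("s3").restore_object(Bucket=..., Key=..., RestoreRequest=...).
restore_request = {
    "Days": 1,  # keep the temporary restored copy for one day
    "GlacierJobParameters": {"Tier": "Expedited"},
}
```

Swapping "Expedited" for "Bulk" in the restore request is exactly what makes the incorrect option fail the 5-minute target.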

Question 4

An e-commerce company has accumulated 15 TB of customer transaction data in Apache Parquet format stored in an Amazon S3 bucket over the past 3 years. The data includes purchase history, user behavior analytics, and seasonal shopping patterns. The marketing team needs to run SQL queries on this data monthly to generate business intelligence reports and analyze customer trends for strategic decision-making. Which solution will meet these requirements MOST cost-effectively?

Incorrect. Migrating 15 TB of analytical Parquet data into Amazon RDS PostgreSQL is typically not cost-effective. RDS is optimized for OLTP, not large-scale analytics and full-table scans. You would pay for continuous database instance uptime, storage, backups, and likely need significant tuning (indexes, vacuuming). The migration effort and ongoing operational overhead are high compared to querying in place on S3.

Incorrect. Redshift Spectrum can query data in S3, but it is usually used alongside an Amazon Redshift cluster for data warehousing workloads. For monthly reporting, paying for a provisioned cluster (or managed capacity) can be more expensive than a serverless pay-per-query model. Redshift is a strong choice for frequent, high-concurrency BI and complex warehouse needs, not intermittent ad hoc queries.

Correct. AWS Glue crawler + Glue Data Catalog + Amazon Athena is the most cost-effective solution for monthly SQL queries on Parquet data in S3. Athena is serverless and charges per data scanned, and Parquet’s columnar format plus partitioning can drastically reduce scanned bytes. Glue provides centralized schema/metadata so the marketing team can query with standard SQL without moving or duplicating the dataset.

Incorrect. Amazon EMR with Spark SQL can query S3 and is excellent for large-scale ETL, machine learning, and complex distributed processing. However, for monthly BI-style SQL queries, EMR is typically less cost-effective due to cluster provisioning, runtime costs, and operational management. Even with transient clusters, it is generally more complex and expensive than Athena for straightforward interactive SQL reporting.

Question Analysis

Core Concept: This question tests cost-optimized analytics on data already stored in Amazon S3 (a data lake) using serverless, pay-per-query SQL. The key services are AWS Glue Data Catalog (metadata) and Amazon Athena (interactive SQL over S3).

Why the Answer is Correct: The company has 15 TB of Parquet data in S3 and needs to run SQL queries only monthly. The most cost-effective approach is to avoid always-on clusters and instead use Athena, which is serverless and charges per TB scanned. Because the data is in Apache Parquet (columnar, compressed), Athena can scan far less data than row-based formats, significantly reducing query cost. A Glue crawler can infer schema and create tables in the Glue Data Catalog, making the S3 datasets queryable with standard SQL without moving data.

Key AWS Features: Athena integrates with the AWS Glue Data Catalog for table definitions and partitions. Partitioning (for example, by year/month/day) and Parquet column pruning reduce scanned bytes and cost. Athena supports workgroups, query result encryption, and S3 output locations for governance. This pattern aligns with the AWS Well-Architected Cost Optimization pillar: pay only for what you use and minimize data processing.

Common Misconceptions: Redshift Spectrum (Option B) can query S3, but it typically requires a Redshift cluster (or at least provisioned/managed capacity) for the primary compute, which is less cost-effective for infrequent monthly reporting. EMR/Spark (Option D) is powerful for large-scale ETL, but running clusters for periodic SQL reporting is usually more expensive and operationally heavier than Athena. Loading into RDS (Option A) adds unnecessary data movement, storage, indexing, and ongoing instance costs; RDS is not designed for large-scale analytical scans.

Exam Tips: When data already resides in S3 and queries are intermittent, default to Athena + Glue for the lowest operational overhead and cost. Look for Parquet/ORC and partitioning cues: they strongly indicate Athena/Glue as the cost-optimized serverless analytics choice. Choose Redshift when you need consistently high-performance, frequent BI workloads with complex concurrency and a dedicated warehouse.
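A quick cost sketch shows why scanned-bytes pricing favors this design. The $5 per TB scanned rate is Athena's commonly cited on-demand price (verify for your region); the post-pruning scan fraction is a hypothetical figure.

```python
# Rough per-query Athena cost. The $5/TB-scanned rate is a commonly
# cited Athena on-demand price (an assumption here); the post-pruning
# scan fraction is hypothetical.
PRICE_PER_TB_SCANNED = 5.0
DATASET_TB = 15

full_scan_cost = DATASET_TB * PRICE_PER_TB_SCANNED  # naive full scan
pruned_fraction = 0.05  # hypothetical: Parquet column pruning + partitions
pruned_cost = DATASET_TB * pruned_fraction * PRICE_PER_TB_SCANNED

print(f"full scan: ${full_scan_cost:.2f}, pruned: ${pruned_cost:.2f}")
```

Even a handful of monthly queries at a few dollars each is far below the standing cost of a continuously running RDS instance or Redshift cluster, which is the crux of the cost comparison above.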

Question 5
(Select 2)

A healthcare research institute stores patient study data and clinical trial results in an Amazon S3 bucket. The data includes longitudinal research spanning 15 years and represents investments of over $50 million in research costs. The institute must ensure that research data cannot be accidentally deleted by researchers or administrative staff, as data loss would compromise ongoing studies and regulatory compliance requirements. Which combination of steps should a solutions architect implement to protect against accidental deletion? (Choose two.)

Correct. Enabling versioning protects against accidental deletion by retaining prior versions of objects. A delete operation places a delete marker rather than removing historical versions, allowing recovery by removing the marker or restoring a previous version. This is a primary S3 control for data recovery and is commonly tested for accidental overwrite/delete scenarios.

Correct. MFA Delete requires multi-factor authentication to permanently delete object versions or to suspend versioning. This prevents irreversible deletions by users who might otherwise have permissions to delete, reducing both accidental and malicious deletion risk. It complements versioning by protecting the versions themselves from being permanently removed without MFA.

Incorrect. A bucket policy can restrict who can call s3:DeleteObject, but it is not the best primary control for accidental deletion protection because policies can be misconfigured, changed by privileged principals, or may not cover all deletion paths (e.g., version deletions). Also, a policy does not provide recovery if deletion occurs; it only attempts prevention.

Incorrect. Default encryption (SSE-S3, SSE-KMS, or DSSE) protects data at rest by ensuring objects are encrypted when stored in S3. It addresses confidentiality and compliance requirements related to encryption, but it does not prevent deletion or provide a mechanism to recover deleted objects. Therefore it is not a control for accidental deletion protection.

Incorrect. Lifecycle policies automate transitions and expirations. While they can help with cost optimization and retention management, they can also delete objects or noncurrent versions after a set period. That increases the risk of unintended data loss if configured incorrectly. Lifecycle rules are not the primary safeguard against accidental deletion for critical long-term research data.

Question Analysis

Core Concept: This question tests Amazon S3 data protection controls that prevent or strongly mitigate accidental deletion. The key concepts are S3 Versioning (object-level recovery) and MFA Delete (strong protection against destructive actions).

Why the Answer is Correct: Enabling S3 Versioning ensures that when an object is overwritten or deleted, S3 retains prior versions. A “delete” becomes a delete marker, and the previous versions remain recoverable. This directly addresses accidental deletion by allowing restoration of the last known good version. Enabling MFA Delete adds an additional safeguard: it requires multi-factor authentication to permanently delete object versions or to suspend versioning. This prevents researchers or admins—even if they have API credentials—from performing irreversible deletions without the MFA device, significantly reducing the risk of accidental or unauthorized destructive actions.

Key AWS Features:
- S3 Versioning: Stores multiple variants of an object in the same bucket. Deletions add delete markers; prior versions can be restored. This is a foundational control for data durability and recovery.
- MFA Delete: Requires MFA for DeleteObjectVersion and for changing the bucket’s versioning state. It is configured at the bucket level and is designed specifically to protect against accidental or malicious permanent deletion.
- Best practice alignment: These controls support security and data protection goals in the AWS Well-Architected Framework (Security Pillar: protect data; Reliability Pillar: recover from failures).

Common Misconceptions: Bucket policies (option C) can deny deletes, but they are often bypassed by overly broad permissions, misconfiguration, or privileged roles; they also don’t provide recovery if deletion occurs. Default encryption (D) protects confidentiality, not deletion. Lifecycle policies (E) can actually delete data automatically, increasing risk if misconfigured.

Exam Tips: For “cannot be accidentally deleted” in S3, think “Versioning + MFA Delete” as the classic pair. Versioning provides recovery; MFA Delete protects against permanent deletion and disabling versioning. If the question emphasizes regulatory/critical data and irreversible loss, MFA Delete is a strong signal.
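As a sketch, the request below shows the shape of the S3 PutBucketVersioning call that enables both controls at once. The bucket name and the MFA "serial-number code" string are placeholders; note that MFA Delete can only be enabled with the bucket owner's root credentials supplying a current MFA code.

```python
# Sketch of enabling S3 Versioning together with MFA Delete.
# Bucket name and the MFA "serial-number code" string are placeholders.
# The request would be passed to
# boto3.client("s3").put_bucket_versioning(**request), using the bucket
# owner's root credentials since only root can enable MFA Delete.
request = {
    "Bucket": "research-data-bucket",
    "MFA": "arn:aws:iam::111122223333:mfa/root-account-mfa-device 123456",
    "VersioningConfiguration": {
        "Status": "Enabled",
        "MFADelete": "Enabled",
    },
}
```

With this configuration in place, deleting an object only adds a delete marker, and permanently deleting a version or suspending versioning requires the MFA device.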


Question 6

A financial technology startup operates a real-time fraud detection system using Amazon EC2 instances. The system processes transaction data from an Amazon SQS queue, analyzing approximately 50,000 transactions during peak hours (9 AM - 6 PM) and 15,000 transactions during off-peak hours. The workload experiences sudden spikes during promotional events that can increase volume by 300-400%. The fraud detection system must maintain 24/7 availability with zero tolerance for downtime, as any interruption could allow fraudulent transactions to pass through undetected. The system needs to handle unpredictable traffic patterns while minimizing operational costs. Which solution meets these requirements MOST cost-effectively?

Incorrect. Using Spot Instances exclusively is the lowest-cost compute option, but it cannot meet the stated reliability requirement. Spot capacity can be interrupted at any time and may be unavailable during demand surges (such as promotional events). For a fraud detection system with “zero tolerance for downtime,” relying solely on Spot introduces unacceptable risk of processing gaps and growing SQS backlog.

Incorrect. Using Reserved Instances exclusively for maximum capacity provides stable availability and predictable cost, but it is not cost-effective. You would pay for peak/probable promotional-event capacity 24/7 even though normal off-peak volume is much lower. This leads to significant overprovisioning and wasted spend, violating cost-optimization goals for a workload with large variability.

Incorrect. Reserved Instances for baseline plus Spot for spikes is a common cost-optimization pattern, but it conflicts with the requirement of zero tolerance for downtime. During promotional spikes, Spot interruptions or lack of Spot capacity could prevent scaling to required throughput, causing delayed or missed fraud checks. This option is only appropriate if the workload can tolerate interruptions and backlog delays.

Correct. Reserved Instances for baseline plus On-Demand for spikes best meets both reliability and cost goals. Baseline demand is covered with discounted committed capacity, while unpredictable spikes are handled by highly available On-Demand instances via Auto Scaling. This avoids Spot interruption risk and prevents paying for peak capacity all the time, making it the most cost-effective solution that still satisfies strict 24/7 availability.

Question Analysis

Core Concept: This question tests cost-optimized capacity planning for EC2 with variable and unpredictable workloads, balancing commitment-based discounts (Reserved Instances/Savings Plans) with burst capacity (On-Demand or Spot) while meeting strict availability requirements.

Why the Answer is Correct: The system must be 24/7 with zero tolerance for downtime. That requirement strongly constrains the use of Spot Instances because Spot capacity can be interrupted with a 2-minute notice and can also be unavailable when you need it most (exactly during large promotional spikes). The most cost-effective approach that still preserves availability is to cover the steady, predictable baseline with Reserved Instances (or, in modern guidance, Compute Savings Plans) and then scale out for spikes using On-Demand Instances via an Auto Scaling group. On-Demand provides the highest reliability for burst capacity without interruption risk, ensuring the SQS backlog can be drained even during sudden 300–400% surges.

Key AWS Features: Use an Auto Scaling group across multiple Availability Zones with scaling policies driven by Amazon SQS metrics (e.g., ApproximateNumberOfMessagesVisible, age of oldest message) to react to spikes. Purchase Reserved Instances (or Savings Plans) sized to the off-peak/steady-state processing level to reduce cost. Keep health checks, capacity rebalancing (if using mixed instances), and appropriate instance diversification to reduce capacity risk. This aligns with AWS Well-Architected Cost Optimization (use commitments for steady state) and Reliability (avoid interruption-prone capacity for critical workloads).

Common Misconceptions: Spot looks “most cost-effective” for spikes, but it is not compatible with “zero tolerance for downtime” unless the workload is explicitly interruption-tolerant and designed for graceful degradation. Another misconception is reserving for maximum capacity; that wastes money because peak demand is limited to certain hours and promotional events are sporadic.

Exam Tips: When you see requirements like “no downtime,” “mission critical,” or “zero tolerance,” avoid solutions that rely on Spot for required capacity. For variable workloads, the standard exam pattern is: commit to baseline with Reserved Instances/Savings Plans, burst with On-Demand for reliability (or Spot only if interruptions are acceptable). Also note SQS decoupling helps absorb spikes, but it does not remove the need for reliable compute to drain the queue within required time.
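A small worked comparison illustrates why reserving for peak capacity wastes money. All rates, instance counts, and peak-hour figures below are hypothetical placeholders, not from the question or AWS pricing.

```python
# Monthly cost comparison: reserve for worst-case peak 24/7 vs. reserve
# the baseline and burst with On-Demand during peak hours only.
# All rates, instance counts, and hour figures are hypothetical.
RI_HOURLY = 0.06        # assumed effective Reserved Instance rate ($/hr)
OD_HOURLY = 0.10        # assumed On-Demand rate ($/hr)
HOURS_PER_MONTH = 730

baseline_instances = 4   # sized for off-peak steady state
peak_extra = 12          # extra instances at worst-case promotional peak
peak_hours = 9 * 30      # ~9 peak hours/day over a month

reserve_for_max = (baseline_instances + peak_extra) * RI_HOURLY * HOURS_PER_MONTH
baseline_plus_od = (baseline_instances * RI_HOURLY * HOURS_PER_MONTH
                    + peak_extra * OD_HOURLY * peak_hours)

print(f"reserve for max: ${reserve_for_max:.2f}/month")
print(f"baseline RI + On-Demand burst: ${baseline_plus_od:.2f}/month")
```

Even with On-Demand's higher hourly rate, paying it only during actual peak hours undercuts reserving peak capacity around the clock, while keeping zero interruption risk.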

7
Question 7

A global e-learning platform company is implementing a multi-account strategy using AWS Organizations to provide isolated sandbox environments for their 50+ data science teams. Each team needs full administrative access to experiment with machine learning workloads and AWS services in their dedicated accounts. The security team requires that all API calls and activities must be logged through AWS Config for compliance auditing purposes. Since each data science team will have root-level permissions in their accounts, the architecture must prevent any team from disabling or modifying the mandatory AWS Config configuration that monitors critical security events. Which solution ensures that the mandatory AWS Config settings cannot be modified by the data science teams while maintaining their administrative access?

Incorrect. IAM policies cannot be attached to the root user at all (root is not an IAM principal like a user or role), and even if you denied these actions via IAM for administrators, a team with administrative access could simply remove or alter those IAM policies. IAM is not a strong governance boundary for preventing privileged users within the same account from changing mandatory controls.

Partially helpful but insufficient. AWS Config can be deployed organization-wide from the management account for centralized setup and aggregation, which is good for compliance. However, organization-wide deployment alone does not inherently guarantee that administrators in member accounts cannot stop or modify Config components unless additional preventive controls (like SCP denies) are in place.

Correct. An SCP applied to the OU containing the sandbox accounts can explicitly deny AWS Config modification and disablement actions. SCPs set the maximum permissions available in member accounts and cannot be overridden by AdministratorAccess or other IAM allows. This is the standard AWS Organizations approach to enforce mandatory security controls while still granting teams broad admin permissions for experimentation.

Incorrect. Service-linked roles are managed by AWS services and are not designed as a permission boundary to restrict who can change the service configuration. Policy conditions on a service-linked role do not prevent other principals (like account admins) from calling AWS Config APIs to stop recorders or change delivery channels. Governance requirements across accounts are better met with SCPs.

Question Analysis

Core Concept: This question tests AWS Organizations governance controls—specifically Service Control Policies (SCPs)—to enforce mandatory security guardrails across member accounts, even when users have AdministratorAccess. It also touches AWS Config as a compliance/audit control and the need to prevent tampering.

Why the Answer is Correct: An SCP applied to the organizational unit (OU) containing the sandbox accounts can explicitly deny actions that stop, delete, or alter AWS Config resources (e.g., StopConfigurationRecorder, DeleteConfigurationRecorder, PutConfigurationRecorder, PutDeliveryChannel, DeleteDeliveryChannel). SCPs define the maximum available permissions in member accounts; any explicit deny in an SCP cannot be overridden by IAM policies, including AdministratorAccess. Therefore, data science teams can retain full admin capabilities for experimentation while being technically prevented from disabling or modifying the mandatory AWS Config setup.

Key AWS Features:
- AWS Organizations SCPs: account-level guardrails that apply to all IAM principals in member accounts, including roles with admin permissions.
- Explicit deny precedence: an SCP deny blocks the action regardless of any IAM allow.
- AWS Config organization-wide setup can be used, but the “cannot be modified by teams” requirement is met by SCP enforcement (often combined with org-wide Config for centralized management).
- Best practice: combine preventive controls (SCP) with detective controls (AWS Config rules, CloudTrail) per the AWS Well-Architected Security Pillar.

Common Misconceptions:
- “Admin can do anything”: In Organizations, admin permissions are still bounded by SCPs.
- “Root user can’t be restricted”: Root in member accounts is also subject to SCPs for API actions (though root can still perform some account-level tasks like closing the account). For the purpose of preventing Config API tampering, SCP is the correct control.
- “Centralized Config alone prevents changes”: Organization-wide Config simplifies deployment, but without SCPs, admins in member accounts might still alter local Config components depending on how it’s deployed.

Exam Tips: When you see “must prevent even admins from doing X across many accounts,” think SCP. IAM policies are not sufficient for cross-account governance, and service-linked roles don’t provide a governance boundary. For mandatory logging/configuration, pair org-wide services (Config/CloudTrail) with SCP guardrails that deny disabling or modification actions.
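The SCP enforcement described in the analysis can be sketched as a policy document. This is a minimal illustration, not a complete production policy: the action list mirrors the Config APIs named above, and attaching the policy to the OU (via the Organizations CreatePolicy/AttachPolicy APIs) is omitted for brevity.

```python
import json

# Minimal sketch of an SCP that denies the AWS Config tampering actions
# named in the analysis. Attached to the sandbox OU, the explicit Deny
# applies to every principal in the member accounts, including roles
# with AdministratorAccess.
scp_document = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyConfigTampering",
            "Effect": "Deny",
            "Action": [
                "config:StopConfigurationRecorder",
                "config:DeleteConfigurationRecorder",
                "config:PutConfigurationRecorder",
                "config:PutDeliveryChannel",
                "config:DeleteDeliveryChannel",
            ],
            "Resource": "*",
        }
    ],
}

print(json.dumps(scp_document, indent=2))
```

Because policy evaluation applies an explicit SCP Deny before any IAM Allow, this blocks the listed calls even for the teams' admin roles, while every action not listed remains available for experimentation.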

8
Question 8

A financial services company needs to deploy a real-time fraud detection system in the AWS Cloud. The system will analyze transaction data using machine learning algorithms running on 300+ Amazon EC2 instances that must simultaneously access shared training datasets totaling 50 TB. The ML training workload requires sub-millisecond access latency to shared datasets for optimal model training performance. Multiple instances need concurrent read/write access to the same dataset files during distributed training. After training completion, data scientists need to access the processed model artifacts and training logs for analysis and validation. Which solution will meet these requirements?

Amazon EFS provides a managed NFS file system with concurrent access and POSIX semantics, which can work for many shared file use cases. However, the requirement for sub-millisecond access latency and very high parallel throughput across 300+ EC2 instances for distributed ML training strongly favors a parallel file system like Lustre. EFS performance modes help, but it is not typically the best match for extreme HPC-style training performance requirements.

Amazon S3 is object storage, not a POSIX file system. Using AWS CLI to “mount” or treat S3 like a shared file system is not appropriate for concurrent read/write file semantics required by distributed training. It can introduce consistency/rename/locking limitations and higher latencies than required. S3 is excellent for durable storage of datasets and artifacts, but not as the primary low-latency shared training file system.

Amazon FSx for Lustre is designed for high-performance workloads requiring sub-millisecond latencies and massive throughput/IOPS with many concurrent clients, which matches 300+ EC2 instances doing distributed ML training on 50 TB of shared data. Linking FSx for Lustre to S3 enables importing datasets and exporting model artifacts/logs to S3 for post-training analysis and long-term retention, combining performance during training with durability and cost efficiency after training.

AWS Resource Access Manager (RAM) can share resources across accounts, but it does not transform S3 into a low-latency shared POSIX file system. Even if all instances can access the same S3 bucket, S3 remains object storage with different access semantics than a shared file system and will not meet sub-millisecond latency requirements for distributed training with concurrent read/write to the same files.

Question Analysis

Core Concept: This question tests selection of a shared storage service for large-scale, distributed ML training that needs very low latency and high throughput with concurrent read/write from hundreds of EC2 instances. It also tests integrating high-performance file storage with durable object storage for downstream analysis.

Why the Answer is Correct: Amazon FSx for Lustre is purpose-built for high-performance computing and ML workloads that require sub-millisecond latencies and very high throughput/IOPS across many clients. With 300+ EC2 instances concurrently reading and writing the same dataset files during distributed training, a POSIX-compliant parallel file system is the right fit. FSx for Lustre can scale performance with file system size and is commonly used for training jobs that need fast shared access to large datasets (50 TB here). Linking FSx for Lustre to Amazon S3 allows you to import training data from S3 and export results (model artifacts, logs) back to S3 for durable, cost-effective storage and post-training analysis.

Key AWS Features: FSx for Lustre provides a managed Lustre file system with high throughput and low latency, supports concurrent access from many EC2 instances, and integrates with S3 via data repository associations (import/export). S3 then becomes the system of record for artifacts and logs, enabling analytics, sharing, lifecycle policies, and long-term retention. This aligns with AWS Well-Architected Performance Efficiency (choose storage optimized for access patterns) and Operational Excellence (managed service, fewer custom mounts/hacks).

Common Misconceptions: EFS is a shared POSIX file system, but it is designed for elastic, general-purpose shared file workloads and may not meet stringent sub-millisecond latency and extreme parallel throughput requirements at this scale. “Mounting S3 as a file system” is not a native POSIX shared file system and introduces semantic and performance issues. AWS RAM sharing does not change S3’s access semantics or make it a low-latency shared file system.

Exam Tips: When you see “HPC/ML training,” “hundreds of instances,” “shared files,” and “sub-millisecond latency,” think FSx for Lustre. When you also see “long-term storage/analysis,” look for an S3 integration pattern (FSx for Lustre linked to S3).

9
Question 9

A global streaming media company operates over 250 video streaming platforms across different regions. The company needs to process approximately 25 TB of user viewing behavior data daily to optimize content recommendations and analyze viewing patterns. The solution must handle high-volume real-time data ingestion, provide reliable data transmission, and enable efficient large-scale analytics processing. What should a solutions architect recommend to ingest, transmit, and process the viewing behavior data?

AWS Data Pipeline is a legacy orchestration service primarily for scheduled/batch data movement, not high-volume real-time ingestion from hundreds of producers. While S3 + EMR can process large datasets, this option does not address reliable, scalable streaming ingestion and continuous delivery. It also increases operational overhead compared to Kinesis-managed ingestion and delivery services for near-real-time pipelines.

An Auto Scaling EC2 fleet can be engineered to ingest and process events, but it requires building and operating the entire ingestion layer (load balancing, checkpointing, retries, backpressure, ordering, and durability). That is significant operational risk for 25 TB/day with real-time requirements. The flow this option describes (processing data before durably landing it) also risks data loss and is less aligned with managed streaming best practices.

CloudFront is designed for caching and delivering content to viewers, not collecting or buffering user behavior analytics events. Triggering Lambda on S3 object creation is event-driven batch processing and can become inefficient or constrained at very high daily volumes (object explosion, concurrency, and small-file problems). This option does not provide a robust real-time ingestion and transmission mechanism.

Kinesis Data Streams provides scalable, durable real-time ingestion for large volumes of event data from many sources. Kinesis Data Firehose then reliably delivers the stream to an S3 data lake with automatic scaling, buffering, retries, and optional transformation. From S3, loading into Amazon Redshift supports efficient large-scale analytics. This directly matches the requirements for real-time ingestion, reliable transmission, and scalable analytics.

Question Analysis

Core Concept: This question tests designing a high-throughput, near-real-time streaming ingestion pipeline and landing data into a scalable analytics store. The key services are Amazon Kinesis Data Streams (durable stream ingestion), Amazon Kinesis Data Firehose (managed delivery to storage/analytics destinations), Amazon S3 (data lake), and Amazon Redshift (large-scale analytics).

Why the Answer is Correct: With ~25 TB/day from 250+ platforms, the company needs elastic ingestion, reliable transmission, and efficient analytics. Kinesis Data Streams is purpose-built for high-volume real-time event ingestion with ordered, durable storage (retention) and horizontal scaling via shards. Kinesis Data Firehose then provides a fully managed, reliable delivery mechanism to continuously batch, buffer, optionally transform, and load data into an S3 data lake with minimal operational overhead. From S3, the data can be loaded into Amazon Redshift for performant SQL analytics at scale. This architecture cleanly separates ingestion, durable storage, and analytics, aligning with best practices for streaming data pipelines.

Key AWS Features:
- Kinesis Data Streams: shard-based scaling, multiple producers/consumers, retention for replay, enhanced fan-out for high read throughput.
- Kinesis Data Firehose: automatic scaling, buffering (size/time), retries, compression, optional Lambda transformation, delivery to S3 (and other destinations).
- S3 data lake: highly durable storage, lifecycle policies, partitioning for downstream query efficiency.
- Redshift: columnar storage, MPP architecture, COPY from S3 for bulk loads; can be paired with Redshift Spectrum for querying S3 directly (often a follow-on design choice).

Common Misconceptions: Options that “just store in S3 then process” miss the real-time ingestion and reliable transmission requirements. CloudFront is a content delivery/cache service, not an analytics ingestion buffer. DIY EC2 ingestion/processing can work but adds significant undifferentiated heavy lifting (scaling, fault tolerance, backpressure handling) compared to managed Kinesis services.

Exam Tips: When you see “high-volume real-time ingestion” plus “reliable delivery” and “analytics,” think Kinesis (Streams for ingestion, Firehose for managed delivery) landing in S3, then query/warehouse with Redshift/Athena/EMR depending on the analytics need. Prefer managed services over custom EC2 fleets for streaming pipelines unless the question explicitly requires custom processing.
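The producer side of this pipeline can be sketched as follows. The event schema and stream name are illustrative, not from the question; the point is that keying records by user ID routes each viewer's events to the same shard, preserving per-user ordering for downstream consumers.

```python
import json

# Build a PutRecords batch from viewing events (illustrative schema).
# Kinesis requires bytes for Data and a string PartitionKey; keying on
# user_id keeps one viewer's events ordered within a single shard.
def build_records(events):
    return [
        {
            "Data": json.dumps(event).encode("utf-8"),
            "PartitionKey": event["user_id"],
        }
        for event in events
    ]

events = [
    {"user_id": "u-101", "title_id": "t-42", "watched_seconds": 1380},
    {"user_id": "u-102", "title_id": "t-7", "watched_seconds": 95},
]
records = build_records(events)
# In practice: kinesis.put_records(StreamName="viewing-events", Records=records)
print(len(records))  # → 2
```

Firehose then handles buffering, compression, and delivery to S3 with no producer-side changes, and Redshift's COPY loads the resulting S3 objects for analytics.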

10
Question 10

A financial services company is operating a microservices-based trading platform using Docker containers orchestrated by Kubernetes in their private data center. The application uses a PostgreSQL database cluster for transaction data storage. Due to rapid business growth and increasing trading volumes, the company needs to migrate portions of their infrastructure to AWS. The migration must be completed within 6 weeks without any application code modifications or changes to the current CI/CD pipeline. The solution should minimize infrastructure management overhead while maintaining compatibility with existing Kubernetes manifests and PostgreSQL-based data layer. Which solution meets these requirements?

Amazon ECS is not Kubernetes, so the company would need to convert Kubernetes manifests into ECS task definitions and services. That would likely require changes to deployment tooling and CI/CD processes, which directly conflicts with the requirement to avoid pipeline modifications. Running PostgreSQL on EC2 also creates unnecessary operational overhead for patching, backups, scaling, and high availability. This option fails both the compatibility and management-overhead goals.

Using AWS Fargate with Amazon ECS reduces compute management overhead, and Amazon RDS for PostgreSQL is a good managed database choice. However, ECS still does not support direct reuse of existing Kubernetes manifests, so the migration would require replatforming the orchestration layer and likely adjusting the CI/CD pipeline. That makes it a poor fit for a fast migration with no application or pipeline changes. The compute model is attractive operationally, but the orchestration mismatch is the deciding issue.

Amazon EKS is the AWS service that natively supports Kubernetes, so it is the most compatible target for an application already running on Kubernetes in a private data center. Using EKS with EC2 worker nodes allows the company to reuse existing Kubernetes manifests and operational patterns with minimal changes, which is critical given the 6-week migration timeline and the requirement to avoid application code and CI/CD pipeline modifications. Amazon RDS for PostgreSQL provides a managed PostgreSQL engine that preserves compatibility with the current PostgreSQL-based data layer while reducing operational burden for backups, patching, and high availability. Although EC2 worker nodes require some infrastructure management, this option is the most broadly compatible and lowest-risk lift-and-shift path for existing Kubernetes workloads.

Amazon EKS preserves Kubernetes compatibility, and Aurora PostgreSQL-Compatible is a valid managed PostgreSQL-compatible database option. However, EKS on Fargate is not always the best lift-and-shift target for existing Kubernetes workloads because some workloads depend on capabilities or daemon patterns that are better supported on EC2-backed nodes, making migration riskier under a tight deadline. The question prioritizes completing the migration quickly without changes to the application or pipeline, and EKS with EC2 worker nodes is the more universally compatible Kubernetes landing zone. Aurora is also not required by the prompt, which asks for PostgreSQL compatibility rather than a database engine change for optimization.

Question Analysis

Core concept: The question is about choosing the fastest, lowest-risk migration path for an existing Kubernetes-based application and PostgreSQL data layer while avoiding application code changes and CI/CD pipeline changes. The primary decision point is preserving Kubernetes compatibility, which strongly favors Amazon EKS over Amazon ECS.

The best answer is EKS with EC2 worker nodes and Amazon RDS for PostgreSQL because it supports existing Kubernetes manifests with minimal rework and provides a managed PostgreSQL service without introducing the workload constraints of Fargate.

A common misconception is that Fargate is always the best answer when minimizing management overhead is mentioned, but for existing Kubernetes workloads, compatibility and migration speed often outweigh the incremental node-management savings.

Exam tip: when a question emphasizes existing Kubernetes manifests and no pipeline changes, default to EKS first; then choose the compute model that best balances compatibility and operational simplicity.
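The compatibility argument is the crux here: a hypothetical on-premises manifest like the one below (names, image, and endpoint are all illustrative) deploys to EKS with the same kubectl apply the existing CI/CD pipeline already runs. Typically only externalized configuration, such as the database endpoint, changes to point at the RDS for PostgreSQL instance.

```yaml
# Hypothetical existing manifest; deploys unchanged to EKS.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trade-matching
spec:
  replicas: 3
  selector:
    matchLabels:
      app: trade-matching
  template:
    metadata:
      labels:
        app: trade-matching
    spec:
      containers:
        - name: trade-matching
          image: registry.example.com/trade-matching:1.4.2
          env:
            - name: DATABASE_HOST
              # Previously the on-prem PostgreSQL cluster; after migration,
              # the RDS for PostgreSQL endpoint is the only value that changes.
              value: trading-db.abc123example.us-east-1.rds.amazonaws.com
```

An equivalent manifest targeting ECS would have to be rewritten as a task definition and service, which is exactly the pipeline change the question forbids.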

Success Stories(30)

C
C*********Mar 23, 2026

Study period: 1 week

Understand the requirements precisely (this is the most important thing; that kind of training seems to matter most). I kept a wrong-answer notebook and went in after thoroughly mastering just 200 questions. The actual exam passages were much simpler, and the difficulty felt similar to or a bit lower than the app. I felt like I had failed, but I passed, so I'm happy. It was a big help, thank you!

소
소**Feb 22, 2026

Study period: 1 week

I just studied by solving questions and asking GPT about the concepts. Barely scraped by with 768 points.

조
조**Jan 12, 2026

Study period: 3 months

I just studied steadily, solved questions, and passed. Good luck to everyone preparing for the SAA!!

김
김**Dec 9, 2025

Study period: 1 month

I don't know how many questions I got through in the app in just 4 days, but over a month I worked from AWS fundamentals up to sketching out scenarios with the question dumps, and I passed. The exam was more confusingly worded than I expected, which threw me off, but with the extra 30 minutes of accommodation time I rechecked the questions I had flagged and had no problems.

L
L*************Nov 26, 2025

Study period: 3 months

I passed the AWS SAA with a score of 850/1000. Honestly, the exam wasn’t easy, but solving the actual exam–style questions in Cloud Pass helped me understand the reasoning behind each service. The explanations were super helpful and made the concepts stick. I don’t think I could’ve scored this high without the practice here.

Other Practice Tests

Practice Test #1

65 Questions·130 min·Pass 720/1000

Practice Test #3

65 Questions·130 min·Pass 720/1000

Practice Test #4

65 Questions·130 min·Pass 720/1000

Practice Test #5

65 Questions·130 min·Pass 720/1000

Practice Test #6

65 Questions·130 min·Pass 720/1000

Practice Test #7

65 Questions·130 min·Pass 720/1000

Practice Test #8

65 Questions·130 min·Pass 720/1000

Practice Test #9

65 Questions·130 min·Pass 720/1000

Practice Test #10

65 Questions·130 min·Pass 720/1000
← View All AWS Certified Solutions Architecture - Associate (SAA-C03) Questions

Start Practicing Now

Download Cloud Pass and start practicing all AWS Certified Solutions Architecture - Associate (SAA-C03) exam questions.

Get it on Google Play · Download on the App Store
Cloud Pass

IT Certification Practice App


Certifications

AWSGCPMicrosoftCiscoCompTIADatabricks

Legal

FAQPrivacy PolicyTerms of Service

Company

ContactDelete Account

© Copyright 2026 Cloud Pass, All rights reserved.
