AWS Certified Solutions Architect - Associate (SAA-C03)

Practice Test #9

Simulate the real exam experience with 65 questions and a 130-minute time limit. Practice with AI-verified answers and detailed explanations.

65 Questions | 130 Minutes | 720/1000 Passing Score

AI-Powered: Triple AI-Verified Answers & Explanations

Every answer is cross-verified by three leading AI models (GPT Pro, Claude Opus, and Gemini Pro) for 3-model consensus accuracy, with per-option explanations and in-depth question analysis.

Practice Questions

Question 1

A healthcare technology company operates a patient management system that stores medical records and imaging data in an Amazon RDS for PostgreSQL database. The database contains over 15 million patient records with associated metadata. The database uses 3 TB of General Purpose SSD storage and processes millions of daily transactions from hospitals and clinics for patient data updates, appointment scheduling, and medical record insertions. Recent performance monitoring shows that new patient registration operations are taking 12-15 seconds to complete, significantly impacting user experience. Analysis confirms that database storage I/O performance is the bottleneck. Which solution will most effectively address this storage performance issue?

Changing to Provisioned IOPS SSD (io1/io2) directly addresses the stated bottleneck: storage I/O. io1/io2 lets you provision sustained IOPS and achieve more consistent, lower-latency disk performance than General Purpose SSD. For a large (3 TB) and transaction-heavy PostgreSQL RDS workload with slow inserts/registrations, this is the most targeted and effective improvement to reduce I/O wait time.
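As a rough sanity check on why gp2 bottlenecks at this size: gp2 baselines at 3 IOPS per GiB (floor 100, cap 16,000 per AWS documentation), so a 3 TB volume tops out well below what io1/io2 can provision. A minimal sketch of that arithmetic:

```python
def gp2_baseline_iops(size_gib: int) -> int:
    """Approximate gp2 baseline IOPS: 3 IOPS per GiB, minimum 100, capped at 16,000."""
    return min(max(3 * size_gib, 100), 16_000)

# A 3 TB (3,072 GiB) gp2 volume baselines at 9,216 IOPS, while io1/io2 on RDS
# can be provisioned far beyond that for sustained, predictable performance.
print(gp2_baseline_iops(3_072))  # → 9216
```

This is back-of-the-envelope only; the exact ceilings depend on engine and instance class.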

A memory-optimized instance (r5/r6i) can help if the bottleneck is CPU, memory pressure, or cache hit ratio (e.g., more data fits in buffer cache). However, the question confirms storage I/O is the bottleneck. If the workload is already waiting on disk, adding RAM/CPU may provide only marginal gains and won’t deliver the predictable IOPS increase needed to fix slow write transactions.

Burstable instances (t3/t4g) are intended for variable workloads with intermittent CPU bursts and are generally not recommended for large, consistently busy production databases. They do not solve an EBS storage I/O bottleneck and can introduce additional risk if CPU credits are exhausted. For a healthcare OLTP system with millions of daily transactions, this option is both ineffective and operationally risky.

Multi-AZ improves availability and durability via synchronous standby replication and automated failover, but it does not increase primary write I/O performance; in some cases it can add write commit latency due to synchronous replication. Read replicas can scale read traffic, but they do not accelerate write-heavy operations like new patient registrations on the primary. This option targets resilience/read scaling, not the identified storage I/O bottleneck.

Question Analysis

Core Concept: This question tests Amazon RDS storage performance tuning, specifically how EBS-backed RDS storage types (General Purpose SSD vs. Provisioned IOPS SSD) affect I/O latency and throughput for write-heavy OLTP workloads.

Why the Answer is Correct: The monitoring and analysis explicitly identify storage I/O as the bottleneck, and the workload includes millions of daily transactions with slow insert/registration operations (the write path). With 3 TB of General Purpose SSD (gp2/gp3), performance is limited by the storage's IOPS/throughput characteristics. Provisioned IOPS SSD (io1/io2) is designed for I/O-intensive, latency-sensitive databases and allows you to provision and sustain high IOPS with more predictable performance. Moving to io1/io2 directly targets the confirmed bottleneck and is the most effective single change to reduce I/O wait and improve transaction latency.

Key AWS Features:
- RDS storage types: General Purpose SSD is cost-effective but may not provide enough sustained IOPS for large, busy OLTP systems; Provisioned IOPS SSD provides consistent, high IOPS.
- io2 (and io2 Block Express where supported) offers higher durability and better price/performance at scale than io1, and is commonly recommended for critical production databases.
- Storage scaling and performance tuning: you can modify the RDS storage type and provisioned IOPS (within engine/instance limits) to match workload demand.

Common Misconceptions: It's tempting to "scale up" the DB instance (more RAM/CPU) when queries are slow, but if the bottleneck is storage I/O, additional memory/CPU often yields limited improvement. Similarly, Multi-AZ and read replicas improve availability and read scaling, not primary write latency caused by storage constraints.

Exam Tips: When a question states the bottleneck is storage I/O, prioritize storage-type changes (Provisioned IOPS, throughput/IOPS provisioning) over instance class changes. For write-heavy OLTP on RDS, io1/io2 is the go-to answer for predictable low-latency I/O. Also remember: Multi-AZ is for HA/failover; read replicas are for read scaling; neither fixes slow writes on the primary caused by EBS I/O limits.
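The storage modification itself is a single RDS API call. A hedged boto3 sketch; the instance identifier and IOPS target are hypothetical placeholders, and the call is shown commented out since it requires live credentials:

```python
# Sketch: switch an RDS instance from gp2/gp3 to Provisioned IOPS SSD (io2).
# "patient-db" and the IOPS value are example placeholders, not real resources.
params = {
    "DBInstanceIdentifier": "patient-db",  # placeholder instance name
    "StorageType": "io2",                  # Provisioned IOPS SSD
    "Iops": 20_000,                        # provisioned IOPS target (engine/size limits apply)
    "ApplyImmediately": True,              # or defer to the next maintenance window
}

# import boto3
# boto3.client("rds").modify_db_instance(**params)
print(sorted(params))
```

Storage modifications run online but can take time while the volume is optimized.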

Question 2
(Select 2)

An online education platform operates a learning management system (LMS) on Amazon EC2. The LMS runs on a single EC2 instance and uses an Amazon Aurora PostgreSQL Multi-AZ DB instance for storing course data and student records. Course videos and educational materials are stored on an Amazon Elastic Block Store (Amazon EBS) volume that is mounted inside the EC2 instance. The platform experiences performance bottlenecks during peak enrollment periods with over 5,000 concurrent students accessing course materials. The company needs to improve system performance and ensure high availability to handle traffic spikes. Which combination of actions should a solutions architect take to improve the performance and resilience of the learning platform? (Choose two.)

Moving videos/materials to S3 is directionally good for durability and scale, but “mounted on every EC2 instance” is a red flag. S3 is object storage accessed via API/SDK, not a native shared POSIX file system mount for typical exam scenarios. The more correct shared-file replacement for EBS in an EC2 Auto Scaling architecture is Amazon EFS, or use CloudFront+S3 without mounting.

Exporting an NFS share from the primary EC2 instance and mounting it on others introduces a major single point of failure and a scaling bottleneck (network, disk, instance limits). If the primary instance fails or is overloaded, all instances lose access to course materials. This does not meet the high availability and resilience requirements and is not an AWS managed best practice.

Amazon EFS is the correct managed replacement for storing shared course materials that must be accessed concurrently by multiple EC2 instances. EFS is multi-AZ and can be mounted by many instances in an Auto Scaling group, removing the single-instance EBS constraint. This improves resilience (no single EC2 host for storage) and supports scaling the application tier horizontally.
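Each instance in the Auto Scaling group mounts the same EFS file system by its regional DNS name, typically from EC2 user data at boot. A small helper that builds the NFSv4.1 mount command; the file system ID is a hypothetical placeholder (amazon-efs-utils with `mount -t efs` is the other common approach):

```python
def efs_mount_command(fs_id: str, region: str, mount_point: str = "/mnt/courses") -> str:
    """Build an NFSv4.1 mount command for an EFS file system's regional DNS name."""
    dns_name = f"{fs_id}.efs.{region}.amazonaws.com"
    # Mount options commonly recommended for EFS over plain NFSv4.1
    opts = "nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2"
    return f"sudo mount -t nfs4 -o {opts} {dns_name}:/ {mount_point}"

# fs-0abc12345 is a hypothetical file system ID.
print(efs_mount_command("fs-0abc12345", "us-east-1"))
```

Because every instance launched by the ASG runs the same command, the shared course materials appear at the same path on all of them.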

ALB + ASG with a minimum of two instances is good for high availability and scaling, but AWS Global Accelerator primarily optimizes network path and provides static anycast IPs; it does not cache content. For a workload dominated by repeated access to videos/materials, caching is a key performance lever. Global Accelerator can help, but CloudFront is typically the more appropriate service here.

Creating an AMI and deploying behind an ALB with an ASG (min 2) addresses the single-instance bottleneck and improves availability across AZs. Adding CloudFront improves performance by caching static and cacheable content at edge locations, reducing latency and offloading the origin during peak enrollment. This combination directly targets both resilience (multi-instance) and performance (edge caching).

Question Analysis

Core Concept: This question tests designing a scalable, highly available web application tier on EC2 and decoupling shared content storage from a single instance. It also tests using edge caching to reduce origin load during traffic spikes.

Why the Answer is Correct: The LMS is a single EC2 instance with course materials on an attached EBS volume. EBS is block storage tied to one instance (and one AZ), so it becomes both a performance bottleneck and a single point of failure for static content. To scale the web tier horizontally, multiple EC2 instances must access the same shared content. Amazon EFS provides a managed, elastic, multi-AZ NFS file system that can be mounted concurrently by many EC2 instances, enabling shared access to videos and materials while improving resilience. Next, the platform needs to handle 5,000+ concurrent students. Creating an AMI and placing instances behind an Application Load Balancer (ALB) in an Auto Scaling group (ASG) with a minimum of two instances provides high availability across multiple AZs and scales out during peaks. Adding Amazon CloudFront in front of the platform caches and serves frequently accessed course content from edge locations, reducing latency for students and offloading requests from the ALB/EC2 and the shared file system.

Key AWS Features:
- Amazon EFS: multi-AZ durability/availability, elastic throughput, concurrent mounts, POSIX permissions; ideal for shared web content across an ASG.
- ALB + ASG: multi-AZ load balancing, health checks, automatic replacement, scale-out/in policies; a minimum capacity of 2 improves availability.
- CloudFront: edge caching, origin failover patterns, reduced origin load, improved global performance; can use an ALB (dynamic) and/or S3-backed origins depending on architecture.

Common Misconceptions:
- "Mount S3 on every instance" is not a standard, supported POSIX file system approach for production workloads; S3 is object storage accessed via APIs, not NFS.
- Using an NFS share from the primary EC2 instance keeps a single point of failure and does not meet high availability goals.
- Global Accelerator improves TCP/UDP routing to regional endpoints but does not provide caching; for heavy static content access, CloudFront is typically the better fit.

Exam Tips: When you see "EBS mounted inside a single EC2 instance" plus "need multiple instances and HA," think EFS (shared POSIX) or S3 (object). When you see "many concurrent users accessing static materials," think CloudFront caching plus an Auto Scaling web tier behind an ALB.

Question 3

A financial services company operates a distributed document processing system on Amazon EC2 instances within a single VPC. The EC2 instances are deployed across multiple subnets in different Availability Zones for fault tolerance. These instances work independently without inter-instance communication, but they frequently download financial reports from Amazon S3 and upload processed documents back to S3 through a single NAT gateway. The company processes approximately 500GB of documents daily and is experiencing significant data transfer costs. They need to find the most cost-effective solution to eliminate Regional data transfer charges while maintaining the current architecture. What is the MOST cost-effective way for the company to avoid Regional data transfer charges?

Deploying a NAT gateway per Availability Zone is an HA best practice and can reduce cross-AZ data transfer charges caused by routing to a NAT in another AZ. However, it does not eliminate Regional data transfer charges for S3 access in the most cost-effective way because all S3 traffic still incurs NAT gateway data processing charges, and you add multiple NAT hourly charges. It improves architecture but is usually more expensive than an S3 gateway endpoint.

A NAT instance might reduce hourly NAT cost in some cases, but it introduces significant operational burden (patching, scaling, failover) and can become a throughput bottleneck for 500 GB/day. It also does not inherently eliminate Regional data transfer charges; cross-AZ routing can still occur, and traffic still traverses a NAT device rather than using the optimized private path to S3. This is rarely the best answer for cost and reliability on exams.

An S3 gateway VPC endpoint is the most cost-effective solution for private subnet access to S3. It removes the need for NAT for S3 traffic, eliminating NAT gateway data processing charges and avoiding cross-AZ NAT routing that can create Regional data transfer costs. It maintains the existing architecture (EC2 in private subnets) while improving security (no internet path required) and enabling fine-grained access control via endpoint and bucket policies.
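Creating the gateway endpoint is one API call plus route-table associations. A hedged boto3 sketch in which the VPC and route table IDs are placeholders; the service name format is the standard region-qualified one for S3:

```python
# Sketch: S3 gateway endpoint request. All resource IDs below are placeholders.
endpoint_request = {
    "VpcEndpointType": "Gateway",
    "VpcId": "vpc-0123456789abcdef0",
    "ServiceName": "com.amazonaws.us-east-1.s3",    # region-specific service name
    "RouteTableIds": ["rtb-aaa111", "rtb-bbb222"],  # private-subnet route tables
}

# import boto3
# boto3.client("ec2").create_vpc_endpoint(**endpoint_request)
#
# Once associated, S3-bound traffic from those route tables bypasses the NAT
# gateway entirely, so its per-GB data processing charge no longer applies.
print(endpoint_request["ServiceName"])
```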

EC2 Dedicated Hosts address licensing, compliance, and host-level isolation requirements, not VPC egress data transfer costs. Moving to Dedicated Hosts will not change how instances reach S3 (they would still use NAT or an endpoint) and will significantly increase compute costs. This option is unrelated to the networking cost driver described and is not a cost-optimized solution for S3 data transfer charges.

Question Analysis

Core Concept: This question tests cost-optimized VPC egress design for private subnets accessing Amazon S3. The key concept is that using a NAT gateway for S3 access forces traffic to traverse an AZ-scoped NAT and can incur Regional data transfer charges (especially when subnets in multiple AZs use a single NAT in one AZ), whereas an Amazon S3 gateway VPC endpoint keeps S3 traffic on the AWS network without NAT.

Why the Answer is Correct: A gateway VPC endpoint for Amazon S3 provides private, direct connectivity from the VPC to S3 without requiring an internet gateway, public IPs, or a NAT device. This removes NAT gateway data processing charges for S3-bound traffic and avoids the cross-AZ data transfer that occurs when instances in AZ-B/C route to a NAT gateway located in AZ-A. With ~500 GB/day of S3 downloads and uploads, eliminating NAT processing and cross-AZ routing is typically the most cost-effective way to reduce or eliminate these Regional data transfer charges while keeping the same EC2-in-private-subnets architecture.

Key AWS Features:
- Gateway VPC endpoints (S3/DynamoDB): added to the route tables of private subnets.
- Endpoint policies: restrict which S3 buckets/actions are allowed (supports least privilege).
- Works with S3 bucket policies using aws:SourceVpce to enforce access only via the endpoint.
- No hourly charge for gateway endpoints; you pay only for S3 requests and data transfer as applicable for S3, not NAT processing.

Common Misconceptions: It's tempting to think "more NAT gateways" (one per AZ) is the fix. While that reduces cross-AZ data transfer, it increases NAT hourly costs and still incurs NAT data processing charges for all S3 traffic. Another misconception is that NAT instances are cheaper; they can reduce hourly cost but introduce operational overhead and scaling limits, and traffic still flows through NAT rather than using the purpose-built private S3 path.

Exam Tips: When private subnets need to access S3/DynamoDB at scale, default to gateway VPC endpoints for cost and security. Use NAT gateways primarily for general internet egress (e.g., OS updates, external APIs). If you see "single NAT gateway" + "multiple AZs" + "high data volume," think cross-AZ charges and consider endpoints first for AWS service traffic.
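The aws:SourceVpce enforcement pattern looks like this in a bucket policy; the bucket name and endpoint ID are hypothetical placeholders:

```python
import json

# Sketch: deny bucket access unless requests arrive through the gateway endpoint.
# "reports-bucket" and the vpce ID are hypothetical examples.
policy = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::reports-bucket",
            "arn:aws:s3:::reports-bucket/*",
        ],
        "Condition": {
            "StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}
        },
    }],
}
print(json.dumps(policy, indent=2))
```

Note the Deny + StringNotEquals shape: everything is blocked except traffic arriving via the named endpoint, which also locks out accidental internet-path access.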

Question 4

A healthcare research organization needs to migrate its medical image processing system to AWS. The organization receives hundreds of DICOM medical images daily via SFTP from various hospitals and clinics. Currently, an on-premises system processes these images overnight using batch processing that takes several hours to complete. The organization wants the AWS solution to process incoming medical images as soon as they arrive with minimal changes to the SFTP clients used by hospitals. The solution must automatically delete processed images after successful analysis. Each image processing task requires 4-10 minutes to complete. Which solution will meet these requirements in the MOST operationally efficient way?

Incorrect. Running an SFTP server on Amazon EC2 creates unnecessary operational overhead because the organization would need to manage patching, scaling, availability, and security of the server. Storing newly arrived images in S3 Glacier Deep Archive is also incompatible with the requirement to process images as soon as they arrive because retrieval from that storage class is designed for archival use and has very high latency. In addition, invoking processing nightly directly conflicts with the near-real-time processing requirement.

Incorrect. This option also relies on a self-managed EC2-based SFTP server, which is less operationally efficient than AWS Transfer Family. Using an EBS volume as the landing area ties the data to an instance and does not provide the simple event-driven object-ingestion pattern that S3 offers. Most importantly, the images are processed nightly rather than on arrival, so the design fails the core business requirement.

Incorrect. AWS Transfer Family supports Amazon S3 or Amazon EFS as storage backends, not Amazon EBS, so this architecture is not valid as written. The option also mentions using an S3 event notification even though the files are supposedly stored on EBS, which is internally inconsistent. Although AWS Batch would be a reasonable compute choice for 4–10 minute jobs, the storage and eventing design in this option makes it incorrect.

Correct. AWS Transfer Family provides a managed SFTP endpoint, which allows hospitals and clinics to continue using their existing SFTP clients with minimal or no client-side changes. Storing incoming files in Amazon S3 Standard enables native S3 event notifications so processing can begin immediately when each image arrives rather than waiting for a nightly batch window. The Lambda function can perform the analysis workflow and then delete the object only after successful completion, satisfying the cleanup requirement while keeping the solution operationally simple and fully managed.
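The event-driven core of this design can be sketched as a Lambda handler: parse the s3:ObjectCreated notification, run the analysis, and delete the object only on success. The analyze step and bucket/key names are hypothetical stand-ins; 4-10 minute tasks also fit comfortably under Lambda's 15-minute limit:

```python
from urllib.parse import unquote_plus

def analyze_image(bucket: str, key: str) -> bool:
    """Placeholder for the DICOM analysis step; returns True on success."""
    return True

def handler(event, context=None):
    """Triggered by S3 ObjectCreated notifications on the Transfer Family bucket."""
    deleted = []
    for record in event.get("Records", []):
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        if analyze_image(bucket, key):
            # boto3.client("s3").delete_object(Bucket=bucket, Key=key)
            deleted.append(key)  # delete only after successful analysis
    return {"deleted": deleted}

# Minimal event in the s3:ObjectCreated:* notification shape (names are examples):
sample = {"Records": [{"s3": {"bucket": {"name": "dicom-inbox"},
                              "object": {"key": "hospital-a/scan001.dcm"}}}]}
print(handler(sample))  # → {'deleted': ['hospital-a/scan001.dcm']}
```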

Question Analysis

Core concept: The requirement is for managed SFTP ingestion with minimal client changes, immediate processing when files arrive, and automatic deletion after successful processing. The best architectural pattern is to use AWS Transfer Family for the SFTP endpoint and Amazon S3 as the landing zone, then trigger processing from S3 object creation events. Why correct: Among the options, only D uses a fully managed SFTP service, stores files in S3 where arrival events are native, and processes files as soon as they arrive instead of waiting for a nightly batch window. Key features: AWS Transfer Family supports standard SFTP clients without requiring hospitals to change protocols, Amazon S3 provides durable object storage and event notifications, and AWS Lambda can be invoked directly from S3 to run per-image processing logic and delete the object after success. Common misconceptions: AWS Transfer Family does not store files on Amazon EBS, so any option describing Transfer Family with EBS is architecturally invalid; also, nightly processing does not satisfy the requirement to process images as soon as they arrive. Exam tips: Prefer managed services over self-managed EC2 when the question emphasizes operational efficiency, and verify that the storage backend and event source in an answer are actually supported by the AWS service being used.

Question 5

A global logistics company uses AWS Glue to process daily shipping manifests stored as JSON files in an Amazon S3 bucket. The ETL job runs automatically every morning at 6 AM to extract shipment data, transform it for analytics, and load it into a data warehouse. The solutions architect observes that each daily run processes approximately 500GB of cumulative data, including previously processed files from the past 30 days. This causes the job runtime to increase from 15 minutes initially to over 2 hours currently, significantly impacting operational costs and delayed analytics reporting. What should the solutions architect implement to ensure AWS Glue only processes new shipment data each day?

Correct. AWS Glue job bookmarks track previously processed data and maintain state across job runs. When enabled, Glue can skip files/partitions already processed in prior successful executions, enabling incremental ETL. This directly reduces data scanned each day, stabilizes runtime, and lowers cost for recurring jobs reading from S3.
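Bookmarks are switched on through the job's default arguments, and the ETL script must call job.init/job.commit for state to persist. A hedged sketch; the job name is a placeholder and the update call is shown commented out:

```python
# Sketch: the argument that enables Glue job bookmarks.
bookmark_args = {"--job-bookmark-option": "job-bookmark-enable"}

# import boto3
# glue = boto3.client("glue")
# job = glue.get_job(JobName="daily-manifests")["Job"]       # placeholder job name
# job["DefaultArguments"].update(bookmark_args)
# glue.update_job(JobName="daily-manifests",
#                 JobUpdate={"Role": job["Role"], "Command": job["Command"],
#                            "DefaultArguments": job["DefaultArguments"]})
#
# Inside the ETL script, bookmark state only persists when the work is wrapped with:
#   job.init(args["JOB_NAME"], args)  ...  job.commit()
print(bookmark_args)
```

The other valid values are job-bookmark-disable and job-bookmark-pause (process new data without advancing state).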

Not the best answer. Moving processed files to another bucket/prefix can prevent reprocessing, but it introduces operational overhead (copy/delete, failure handling, permissions), additional S3 request costs, and potential governance/lineage complications. Glue provides a native incremental mechanism (job bookmarks) that is simpler and purpose-built for this requirement.

Incorrect. Setting the job to 1 DPU only reduces compute capacity; it does not change the input scope. The job would still read the same 500 GB of data and likely run even longer, potentially increasing cost due to extended runtime and risking missed reporting SLAs.

Incorrect. AWS Glue DataBrew recipes can clean and deduplicate records, but they do not prevent Glue from scanning and reading previously processed S3 objects. The problem is file-level reprocessing (re-reading 30 days of manifests), not duplicate rows within the new daily data.

Question Analysis

Core Concept: This question tests AWS Glue incremental processing patterns for S3-based data lakes. When an AWS Glue ETL job repeatedly scans the same S3 prefixes, it re-reads historical objects unless you implement a mechanism to track what was already processed. The key feature is AWS Glue job bookmarks, which maintain state between job runs.

Why the Answer is Correct: Enabling job bookmarks ensures the Glue job processes only new (or changed) data since the last successful run. For S3 sources, bookmarks track previously processed files and partitions so subsequent runs can skip them. This directly addresses the observed behavior: the job is reprocessing ~30 days of files (500 GB cumulative), causing runtime and cost growth. With bookmarks, each 6 AM run focuses on the newly arrived daily manifests, stabilizing runtime and reducing DPUs consumed.

Key AWS Features: Job bookmarks are configured at the job level ("Enable job bookmark") and work with Glue DynamicFrames and supported sources. Glue persists bookmark state in its own job metadata so a job can resume and avoid reprocessing. Best practice is to combine bookmarks with partitioned S3 layouts (for example, s3://bucket/manifests/dt=YYYY-MM-DD/) and predicate pushdown/partition pruning for even faster reads. This aligns with cost-optimization principles: reduce data scanned, reduce runtime, and right-size compute.

Common Misconceptions: Moving processed files (Option B) can work operationally, but it adds complexity, extra S3 copy/delete costs, and potential data governance issues, and it can break lineage and auditing. Reducing DPUs (Option C) does not reduce the amount of data read; it typically increases runtime and can worsen costs. DataBrew deduplication (Option D) addresses duplicate records, not repeated file scanning; Glue would still read all historical files.

Exam Tips: For "process only new data" in AWS Glue, think "job bookmarks" first. For S3-based ETL, also remember that partitioning plus bookmarks is a common exam pattern. If the problem is increasing runtime due to re-reading old objects, the fix is incremental processing and state tracking, not compute throttling or record-level deduplication.


Question 6

A healthcare research institute operates an on-premises NFS file server that stores medical imaging data and research datasets. The imaging files are accessed intensively by researchers during the first 10 days after creation for analysis and processing. After 10 days, the files are accessed infrequently for compliance and archival purposes. The total data volume is growing rapidly and approaching the institute's storage capacity limits. The solutions architect needs to expand storage capacity while maintaining low-latency access to recently created files and implementing automated data lifecycle management. Which solution will meet these requirements?

AWS DataSync is useful for transferring data between on-premises NFS storage and AWS services, but it is not a storage extension solution. It does not provide a persistent hybrid file interface with local caching for active files, so it would not preserve the low-latency access pattern required for newly created datasets. The institute would also need to manage separate storage locations and movement logic, which adds operational complexity. This makes DataSync unsuitable as the primary answer for transparent capacity expansion with lifecycle-based storage management.

Amazon S3 File Gateway is the best fit because it extends on-premises file storage using standard NFS/SMB access while storing the underlying data in Amazon S3. This allows the institute to expand beyond local storage limits without requiring researchers to change their file access methods or applications. File Gateway also maintains a local cache, which supports low-latency access for recently created and frequently used imaging files during the first 10 days. After that period, S3 Lifecycle policies can automatically transition the objects to a lower-cost archival class, making this the only option that addresses hybrid access, scalability, and lifecycle automation together.
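The 10-day transition maps directly to an S3 Lifecycle rule on the File Gateway's backing bucket. A sketch in which the prefix and bucket name are hypothetical; "GLACIER" is the API storage-class name for S3 Glacier Flexible Retrieval:

```python
# Sketch: transition File Gateway-backed objects to Glacier Flexible Retrieval
# after the 10-day active window. Prefix and bucket name are placeholders.
lifecycle = {
    "Rules": [{
        "ID": "archive-after-active-window",
        "Status": "Enabled",
        "Filter": {"Prefix": "imaging/"},
        "Transitions": [{"Days": 10, "StorageClass": "GLACIER"}],
    }]
}

# import boto3
# boto3.client("s3").put_bucket_lifecycle_configuration(
#     Bucket="research-imaging", LifecycleConfiguration=lifecycle)
print(lifecycle["Rules"][0]["Transitions"])
```

Researchers keep using the NFS share; only the underlying objects move to cheaper storage, and the gateway's local cache continues serving the hot 10-day window.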

Amazon FSx for Lustre is designed for high-performance file processing workloads, especially analytics and HPC use cases, but that is not the main requirement here. The question focuses on extending an existing on-premises NFS environment, preserving user access patterns, and automating archival of aging data. FSx for Lustre does not function as a simple hybrid extension of the on-premises file server in the same way that S3 File Gateway does. It also does not directly solve the lifecycle-based movement of older files into archival storage for compliance retention.

Installing S3 client software on each workstation would force researchers to move from a file-based NFS workflow to direct object storage access, which likely requires application changes and user retraining. That approach does not preserve the existing on-premises file access model and does not provide transparent low-latency access to active files through a local cache. Although S3 Lifecycle to S3 Glacier Flexible Retrieval is a reasonable archival mechanism, the access method is operationally disruptive and does not meet the requirement to maintain the current file-serving experience. Therefore, this option fails on usability and architecture even though its archival class is more appropriate than Deep Archive for occasional retrieval.

Question Analysis

Core Concept: This question is about extending an on-premises NFS-based file workload into AWS while preserving low-latency access for active files and automating movement of older data to lower-cost storage. The key AWS service for this pattern is Amazon S3 File Gateway, which presents an NFS/SMB interface on premises and stores files as objects in Amazon S3, with a local cache for frequently accessed data.

Why the Answer is Correct: The institute needs to expand storage capacity without changing how researchers access files, and it needs recently created files to remain quickly accessible. Amazon S3 File Gateway meets this need by providing a file share interface backed by S3 and caching active data locally for low-latency access. Lifecycle management can then automatically transition older objects to a lower-cost archival storage class after 10 days, satisfying the hot-to-cold access pattern.

Key AWS Features:
- Amazon S3 File Gateway provides NFS/SMB access for on-premises users and applications while storing data durably in Amazon S3.
- Local caching keeps recently used files available with low latency, which is ideal for the first 10 days of intensive access.
- S3 Lifecycle policies can automatically transition older objects to archival classes such as S3 Glacier Flexible Retrieval for lower-cost long-term retention.

Common Misconceptions:
- AWS DataSync is a transfer and migration service, not a transparent hybrid file storage extension with local caching.
- Amazon FSx for Lustre is optimized for high-performance compute workloads, not for extending an existing on-prem NFS environment with lifecycle-based archival.
- Direct S3 access from workstations would require application and workflow changes because S3 is object storage, not a native NFS file system.

Exam Tips: When a question mentions on-premises NFS or SMB workloads that need seamless expansion into AWS with minimal application changes, think of AWS Storage Gateway, especially S3 File Gateway. When the question also mentions automated aging of data into cheaper storage, pair File Gateway with S3 Lifecycle policies. Be careful to distinguish between Glacier storage classes based on retrieval needs; Deep Archive is best for rarely retrieved data with very long retrieval times, while Flexible Retrieval is better when occasional retrieval is still expected.

Question 7

An enterprise 'TechCorp' is migrating applications from its on-premises Microsoft Active Directory to AWS. The company uses AWS Organizations to manage multiple AWS accounts centrally. The security team requires a single sign-on (SSO) solution across all AWS accounts. The company must continue to manage its users and groups in the existing on-premises Active Directory. Which solution will meet these requirements?

Correct. AWS IAM Identity Center is the AWS service designed to provide centralized single sign-on across multiple AWS accounts that are managed with AWS Organizations. By using AWS Directory Service for Microsoft Active Directory as the identity source and integrating it with the existing on-premises AD through trust, the company can continue to manage users and groups in the on-premises directory. IAM Identity Center then uses those identities to assign permission sets and account access centrally. This directly satisfies both the multi-account SSO requirement and the requirement to retain the on-premises AD as the authoritative identity store.
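Once the directory trust is in place, account access is granted through Identity Center account assignments: an AD group is mapped to a permission set in a member account. A hedged boto3 sketch in which every ARN and ID is a hypothetical placeholder:

```python
# Sketch: assign an AD group a permission set in one member account.
# All ARNs/IDs below are hypothetical placeholders.
assignment = {
    "InstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
    "TargetId": "111122223333",          # member AWS account ID
    "TargetType": "AWS_ACCOUNT",
    "PermissionSetArn": "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE",
    "PrincipalType": "GROUP",            # AD group resolved through the directory
    "PrincipalId": "group-guid-EXAMPLE", # identity-store ID of the AD group
}

# import boto3
# boto3.client("sso-admin").create_account_assignment(**assignment)
print(assignment["TargetType"])
```

Repeating this per account (or automating it) is how "SSO across all AWS accounts" is realized while users and groups stay managed in on-premises AD.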

Incorrect. AWS Directory Service and an AD trust relationship alone do not provide centralized SSO across all AWS accounts in an organization. The service that delivers AWS account SSO and centralized account assignments is AWS IAM Identity Center, not Directory Service by itself. Even if the directory is connected to on-premises AD, administrators would still need IAM Identity Center or another federation mechanism to grant workforce access to AWS accounts. The phrase 'automatically enable SSO for all AWS accounts' is therefore technically inaccurate.

Incorrect. Creating an AWS Managed Microsoft AD directory in AWS and using it as the identity source for IAM Identity Center could support SSO, but this option does not preserve the existing on-premises AD as the place where users and groups continue to be managed. As written, it implies that the AWS-hosted directory becomes the primary identity source rather than a trust-backed extension of the on-premises environment. That does not cleanly meet the requirement that identity administration remain in the existing on-premises Active Directory. The missing trust or linkage to the on-premises directory is the key flaw.

Incorrect. A custom identity provider on Amazon EC2 would introduce unnecessary operational overhead, including patching, scaling, high availability design, and security hardening. AWS IAM Identity Center already supports managed integration patterns for enterprise identity, making a self-hosted IdP an unnecessarily complex solution for this use case. The question does not indicate any special protocol or legacy requirement that would justify building a custom federation platform. On AWS certification exams, managed native services are generally preferred when they satisfy the requirements.

Question Analysis

Core Concept: This question tests federated identity and centralized access management across multiple AWS accounts in AWS Organizations using AWS IAM Identity Center (successor to AWS SSO), while keeping the authoritative identity store in an existing on-premises Microsoft Active Directory.

Why the Answer is Correct: Option A aligns with the standard AWS pattern: enable IAM Identity Center in the management account (or a delegated admin account) and connect it to Microsoft AD via AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). You then establish a trust relationship between AWS Managed Microsoft AD and the on-premises AD so users and groups continue to be managed on-premises, while IAM Identity Center uses those AD identities to provide SSO to all member accounts. IAM Identity Center natively integrates with Organizations to assign permission sets across accounts, meeting the “SSO across all AWS accounts” requirement.

Key AWS Features:
- IAM Identity Center + AWS Organizations integration: centralized user access, permission sets, and account assignments across the organization.
- AWS Directory Service for Microsoft AD: managed AD in AWS that can establish trust with on-premises AD, enabling use of existing users/groups.
- Trust relationships: commonly used to allow authentication against on-premises AD while enabling AWS-side integrations.
- Best practice: use IAM Identity Center rather than per-account IAM users for workforce access; manage authorization via permission sets and groups.

Common Misconceptions: A frequent trap is assuming that simply creating a trust with Directory Service “automatically enables SSO” everywhere (it does not). Another misconception is that you must migrate users into AWS Managed Microsoft AD; with a trust, you can keep users/groups on-premises. Also, deploying a custom IdP on EC2 is unnecessary and increases operational and security burden compared to managed integrations.
Exam Tips: When you see “multiple accounts,” “AWS Organizations,” and “SSO,” think IAM Identity Center. When you see “must keep users/groups in on-prem AD,” think Directory Service + AD trust (or direct SAML to an existing IdP like ADFS/Azure AD, if offered). Prefer managed services over custom IdP deployments unless requirements explicitly demand it.
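To make the assignment model above concrete, here is a toy Python sketch (not the AWS API) of how IAM Identity Center's centralized account assignments work: each assignment ties a directory group to a permission set in one account, and users inherit access through AD group memberships managed on-premises. All group names, permission sets, and account IDs below are hypothetical.

```python
# Toy model of IAM Identity Center account assignments (not the AWS API).
# Each assignment grants one directory group a permission set in one account;
# users inherit access through their on-premises AD group memberships.
# All group, account, and permission-set names below are hypothetical.

# (group, permission_set, account_id) tuples managed centrally in IAM Identity Center
ASSIGNMENTS = [
    ("Engineering", "PowerUserAccess", "111111111111"),
    ("Engineering", "ReadOnlyAccess",  "222222222222"),
    ("FinanceTeam", "BillingAccess",   "333333333333"),
]

# Group memberships continue to be managed in on-premises Active Directory
AD_GROUPS = {
    "alice": {"Engineering"},
    "bob":   {"FinanceTeam"},
}

def effective_access(user: str) -> set[tuple[str, str]]:
    """Return the (permission_set, account_id) pairs a user can assume."""
    groups = AD_GROUPS.get(user, set())
    return {(ps, acct) for (grp, ps, acct) in ASSIGNMENTS if grp in groups}

print(effective_access("alice"))
```

The point of the sketch: access changes are made once, centrally (edit `ASSIGNMENTS` or an AD group), rather than per account, which is what distinguishes IAM Identity Center from managing IAM users in every member account.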

Question 8

A social networking application 'ConnectSphere' has a database with 5 TB of user data. The data consists of 1 million user profiles and 10 million connections between them, representing a complex many-to-many relationship. The application frequently needs to find mutual connections between users, up to five levels deep, in a highly performant manner. A solutions architect needs to identify a database solution that is highly efficient at traversing these relationships and finding multi-level connections quickly. Which solution will meet these requirements?

S3 with Athena is optimized for scanning large datasets in files (data lake analytics), not for low-latency, interactive traversal queries. Finding mutual connections up to five levels deep would require repeated self-joins over large datasets, leading to high query latency and cost due to full/large scans. Athena is best for ad hoc analysis and reporting, not real-time graph navigation in an application.

RDS for MySQL can represent users and connections with tables and foreign keys, but multi-level traversal and mutual-connection queries typically require recursive CTEs and multiple self-joins. At this scale (millions of nodes/edges), join-heavy queries can become slow and complex to tune, and performance may degrade as depth increases. Relational databases are not purpose-built for deep graph traversals.

Amazon Neptune is purpose-built for graph workloads with vertices (user profiles) and edges (connections). It efficiently executes multi-hop traversals (e.g., up to five levels) and mutual-connection queries using Gremlin or SPARQL, leveraging graph-optimized storage and indexing. Neptune is the best fit for social-network relationship exploration where traversals are frequent and must be highly performant.

DynamoDB can store adjacency lists or edge records with clever partition/sort keys, but multi-level traversal requires iterative queries/gets and application-side recursion. This increases latency (many network calls), complicates consistency and pagination, and can be costly at depth. DynamoDB excels at predictable key-based access patterns, not complex graph traversals like mutual connections several hops away.

Question Analysis

Core Concept: This question tests choosing the right database for highly connected data and deep relationship traversal. Graph databases are purpose-built for many-to-many relationships and multi-hop queries (e.g., “friends of friends” up to N levels) with predictable performance.

Why the Answer is Correct: Amazon Neptune is AWS’s managed graph database optimized for traversing relationships using graph query languages. With 1 million user vertices and 10 million connection edges, queries like “mutual connections up to five levels deep” map directly to graph traversals. Neptune stores and indexes relationships so multi-hop traversals avoid expensive table joins and can execute efficiently even as the graph grows. This is exactly the social-network pattern Neptune is designed for.

Key AWS Features: Neptune supports both Property Graph (Gremlin) and RDF (SPARQL), enabling expressive traversal queries (e.g., variable-length path traversals, common neighbors/mutual connections). It is managed (automated backups, patching), supports read replicas for scaling reads, and provides high availability across multiple AZs. For performance, Neptune’s graph-optimized storage and indexing reduce the computational overhead typical of relational JOIN-heavy approaches. This aligns with the AWS Well-Architected Performance Efficiency pillar: select data stores that match access patterns.

Common Misconceptions: Relational databases (RDS for MySQL) can model relationships, but deep recursive joins (CTEs) become complex and often slow at scale, especially for multi-level traversals and mutual-connection computations. DynamoDB can store adjacency lists, but multi-hop traversals require many round trips (GetItem/Query chains) and complex application-side logic, and can be latency-heavy. S3 + Athena is for analytics over files, not low-latency, highly interactive graph traversals.
Exam Tips: When you see “highly connected data,” “many-to-many,” “path finding,” “mutual friends,” “recommendations,” or “multi-level traversal,” think graph database. On AWS exams, Amazon Neptune is the go-to managed service for graph workloads requiring fast relationship navigation. Conversely, Athena is for ad hoc analytics, RDS for transactional relational patterns, and DynamoDB for key-value/document access patterns with predictable single-digit millisecond lookups—not deep graph traversals.
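The traversal the question describes can be sketched in a few lines. The point of the sketch below is the shape of the work: in Neptune this whole computation is one Gremlin or SPARQL query executed inside the engine, whereas emulating it over a relational or key-value store means the application runs this breadth-first search itself, with one round trip per hop. The tiny adjacency list is hypothetical.

```python
# Toy sketch of the multi-hop "mutual connections" traversal a graph
# database performs natively. Emulating it over DynamoDB or RDS means the
# application does this BFS itself, with network round trips per hop.
# The adjacency list below is hypothetical sample data.
from collections import deque

CONNECTIONS = {  # user -> set of directly connected users
    "alice": {"bob", "carol"},
    "bob":   {"alice", "dave"},
    "carol": {"alice", "dave"},
    "dave":  {"bob", "carol", "erin"},
    "erin":  {"dave"},
}

def reachable(start: str, max_depth: int) -> set[str]:
    """Users reachable from `start` within `max_depth` hops (BFS)."""
    seen, frontier = {start}, deque([(start, 0)])
    while frontier:
        user, depth = frontier.popleft()
        if depth == max_depth:
            continue  # do not expand beyond the hop limit
        for friend in CONNECTIONS.get(user, set()):
            if friend not in seen:
                seen.add(friend)
                frontier.append((friend, depth + 1))
    return seen - {start}

def mutual_connections(a: str, b: str, max_depth: int = 5) -> set[str]:
    """Users reachable from both `a` and `b` within `max_depth` hops."""
    return (reachable(a, max_depth) & reachable(b, max_depth)) - {a, b}

print(mutual_connections("alice", "erin", max_depth=2))
```

At 10 million edges, each `CONNECTIONS.get` in the loop would become a database query; depth-five traversals can touch thousands of vertices, which is why the per-hop round-trip cost dominates and a graph-native engine wins.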

Question 9

A global healthcare insurance company processes over 100,000 insurance claims daily and serves more than 30 million policyholders. The company stores claims processing data in Amazon S3 and maintains policyholder information in Amazon RDS. The company wants to make all data available to different departments (actuarial, fraud detection, customer service) for analytics purposes. The solution must provide fine-grained access control capabilities and minimize operational overhead. Which solution will meet these requirements?

Migrating all claims data into RDS is not appropriate for large-scale analytics and does not align with a data lake approach. RDS access controls are not designed for broad, cross-department analytics at this scale, and moving high-volume S3-based claim data into an OLTP database increases cost and operational complexity. It also does not provide the best fine-grained, analytics-oriented governance across diverse datasets.

Copying RDS data to S3 with Lambda plus Glue crawler and Athena can enable querying, but fine-grained access control is weak/complex if relying mainly on S3 bucket policies. You would need additional governance (e.g., Lake Formation) for table/column-level permissions and consistent control across datasets. Periodic Lambda copies also add operational overhead and can become brittle at scale compared to managed ingestion/governance patterns.

Lake Formation is purpose-built for governed data lakes on S3 with centralized, fine-grained permissions. Registering the S3 bucket enables Lake Formation to manage access, and using Glue JDBC connectivity to RDS supports bringing policyholder data into the governed environment (or cataloging/processing it via Glue jobs). This meets the requirements for multi-department analytics, least-privilege controls, and reduced operational overhead through managed governance.

Redshift can provide strong analytics performance and access controls, but it introduces more operational overhead (cluster sizing, workload management, ingestion pipelines) and typically requires ongoing tuning/cost management. The requirement emphasizes fine-grained access control with minimal ops across S3 and RDS data; a governed data lake with Lake Formation is a more direct fit. Also, periodic Lambda-based loading is not an ideal ingestion strategy at this scale.

Question Analysis

Core Concept: This question tests building a governed analytics platform (data lake) with fine-grained permissions and low operational overhead. The key services are AWS Lake Formation (centralized data lake governance), the AWS Glue Data Catalog (metadata), and S3 (data lake storage), with connectivity to Amazon RDS via Glue.

Why the Answer is Correct: Option C creates a data lake using Lake Formation, registers the S3 bucket, and uses a Glue JDBC connection to access/ingest RDS data into the lake governance model. Lake Formation provides centralized, fine-grained access control (database-, table-, column-, and row-level via LF-Tags and grants) across multiple analytics consumers and engines (e.g., Athena, Redshift Spectrum, EMR, Glue). This directly matches the requirement to make all data available to different departments while enforcing least privilege and minimizing operational overhead through a managed permissions model rather than custom pipelines and scattered IAM/S3 policies.

Key AWS Features:
- Lake Formation permissions: granular grants on Data Catalog resources; LF-Tags for scalable ABAC-style governance; cross-account sharing if needed.
- Centralized governance: one place to manage who can see which tables/columns (e.g., customer service sees limited PII; the fraud team sees more attributes).
- Integration with the Glue Data Catalog: consistent metadata for S3 datasets; Glue connections for RDS sources.
- Operational simplicity: avoids building and maintaining bespoke ETL and complex policy sprawl; aligns with the AWS Well-Architected Security pillar (least privilege, centralized control) and Operational Excellence (managed services).

Common Misconceptions: Teams often try to solve “fine-grained access” with only S3 bucket policies (Option B). S3 policies are powerful but become complex for table/column-level governance and do not natively express analytics-level permissions across engines. Others default to a warehouse (Option D) even when the requirement is broad departmental analytics with minimal ops and strong governance across mixed sources.

Exam Tips: When you see “data lake,” “multiple departments,” “fine-grained access control,” and “minimize operational overhead,” think Lake Formation + Glue Data Catalog. Choose Lake Formation when governance (table/column/row-level, tag-based access, centralized permissions) is the primary requirement, especially with S3 as the lake and multiple analytics personas consuming the data.
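To illustrate the tag-based governance idea, here is a toy Python sketch of column-level filtering in the style of LF-Tags: columns are tagged by sensitivity, and each department is granted a set of tag values centrally. This models the governance concept only; it is not the Lake Formation API, and all tags, departments, and column names are hypothetical.

```python
# Toy sketch of LF-Tag-style, column-level access control (concept only,
# not the Lake Formation API). Columns carry a sensitivity tag; grants map
# departments to allowed tag values. All names below are hypothetical.

# Columns of a claims table, each tagged with a sensitivity level
COLUMN_TAGS = {
    "claim_id":     "public",
    "claim_amount": "internal",
    "diagnosis":    "phi",      # protected health information
    "ssn":          "phi",
}

# Central grants: which tag values each department may read
GRANTS = {
    "actuarial":        {"public", "internal"},
    "fraud_detection":  {"public", "internal", "phi"},
    "customer_service": {"public"},
}

def visible_columns(department: str) -> set[str]:
    """Columns a department can query, derived from the central tag grants."""
    allowed = GRANTS.get(department, set())
    return {col for col, tag in COLUMN_TAGS.items() if tag in allowed}

print(sorted(visible_columns("actuarial")))
```

The design point is that a new table inherits governance simply by tagging its columns; no per-department bucket policy or per-table grant is needed, which is where the "minimize operational overhead" requirement is won.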

Question 10

A healthcare organization operates a Microsoft SQL Server database on-premises that stores patient management and billing information. The organization is planning to migrate to AWS cloud infrastructure and wants to upgrade their database to the latest SQL Server version during the migration process. The organization requires a disaster recovery solution across multiple regions to ensure business continuity for critical healthcare data. They need to minimize administrative overhead for both daily operations and DR implementation. Additionally, the organization must maintain full access to the database's underlying Windows operating system for compliance auditing and custom security configurations required by healthcare regulations. Which solution will meet these requirements?

Incorrect. Running SQL Server on Amazon EC2 does provide full access to the Windows operating system and can support cross-Region disaster recovery using SQL Server native replication technologies. However, EC2 requires the most administrative effort because the organization must manage the OS, database installation, patching, backups, monitoring, and DR orchestration itself. The question explicitly asks to minimize administrative overhead for both daily operations and disaster recovery implementation. Therefore, although technically feasible, EC2 is not the best match among the listed choices.

Incorrect. Amazon RDS for SQL Server reduces operational overhead and cross-Region automated backups can support a restore-based disaster recovery strategy in another Region. However, standard RDS does not provide access to the underlying Windows operating system, so it cannot satisfy the compliance and custom security configuration requirement. In addition, copied backups are not the same as an actively replicated standby environment and generally result in higher recovery times. This option fails the critical OS-access requirement.

Correct. Amazon RDS Custom for SQL Server is specifically designed for workloads that need access to the underlying operating system and database environment while still benefiting from more managed operations than a fully self-managed EC2 deployment. That directly satisfies the compliance auditing and custom security configuration requirement that standard RDS cannot meet. Because the question also emphasizes minimizing administrative overhead, RDS Custom is a better fit than running SQL Server entirely on EC2. Among the provided options, C is the only one that aligns with both OS-level access and reduced operational burden.

Incorrect. Multi-AZ for Amazon RDS for SQL Server provides high availability by maintaining a synchronous standby in another Availability Zone within the same AWS Region. That helps with local infrastructure failures but does not provide disaster recovery across multiple Regions, which is explicitly required. Standard RDS also does not allow access to the underlying Windows operating system. As a result, this option fails both the multi-Region DR requirement and the OS-level access requirement.

Question Analysis

Core Concept: The question asks for the AWS database option that supports SQL Server migration and version upgrade, provides disaster recovery across multiple Regions, minimizes administrative overhead, and still allows access to the underlying Windows operating system. The key differentiator is the requirement for OS-level access, which eliminates standard Amazon RDS for SQL Server.

Why the Answer is Correct: Among the remaining choices, the best answer is the managed option that preserves OS access while reducing administration compared to self-managed EC2.

Key AWS Features: RDS Custom for SQL Server provides database and OS access for customization and compliance needs, unlike standard RDS.

Common Misconceptions: That Multi-AZ equals multi-Region DR, and that standard RDS allows OS-level access; neither is true.

Exam Tips: When a question requires both managed operations and host-level access, look for RDS Custom rather than EC2, unless the managed option clearly cannot satisfy the architecture requirements.

Success Stories (30)

C********* · Mar 23, 2026

Study period: 1 week

Understanding the requirements precisely is the key skill (this is the most important thing, and the most important thing to train). I kept notes on my wrong answers and made sure I had about 200 questions down cold before the exam. The actual exam passages were much simpler, and the difficulty felt similar to or even a bit lower than the app. I honestly thought I had failed, so I'm glad I passed. This was a big help, thank you!

소** · Feb 22, 2026

Study period: 1 week

I just worked through the questions and asked GPT about the concepts as I went. Barely passed with 768.

조** · Jan 12, 2026

Study period: 3 months

I just studied steadily, solved the questions, and passed. Good luck to everyone preparing for the SAA!!

김** · Dec 9, 2025

Study period: 1 month

I'm not sure how many questions I actually got through in the app in just 4 days, but after spending a month going from AWS fundamentals to sketching out scenarios with the practice questions, I passed. The exam was more confusing than I expected and I panicked a bit, but with the extra 30 minutes of exam time I re-checked the questions I had flagged, and it worked out fine.

L************* · Nov 26, 2025

Study period: 3 months

I passed the AWS SAA with a score of 850/1000. Honestly, the exam wasn’t easy, but solving the actual exam–style questions in Cloud Pass helped me understand the reasoning behind each service. The explanations were super helpful and made the concepts stick. I don’t think I could’ve scored this high without the practice here.

© Copyright 2026 Cloud Pass, All rights reserved.
