AWS SAA-C03 Practice Test: Solutions Architect Associate

Prepare for AWS Certified Solutions Architect Associate (SAA-C03) with free sample questions, a full-length diagnostic, topic drills, timed practice, secure, resilient, high-performing, and cost-optimized architecture scenarios, and detailed explanations in IT Mastery.

SAA-C03 is AWS’s Solutions Architect Associate certification for candidates who need to design secure, resilient, high-performing, and cost-aware AWS architectures. If you are searching for SAA-C03 sample questions, SAA-C03 practice exam questions, an AWS Solutions Architect Associate practice test, mock exam, or exam simulator, this is the main IT Mastery page to start on web and continue on iOS or Android with the same IT Mastery account.

Interactive Practice Center

Start a practice session for AWS Certified Solutions Architect - Associate (SAA-C03) below, or open the full app in a new tab. For the best experience, open the full app in a new tab and navigate with swipes/gestures or the mouse wheel—just like on your phone or tablet.


A small set of questions is available for free preview. Subscribers can unlock full access by signing in with the same app-family account they use on web and mobile.

Prefer to practice on your phone or tablet? Download the IT Mastery – AWS, Azure, GCP & CompTIA exam prep app for iOS or IT Mastery app on Google Play (Android) and use the same IT Mastery account across web and mobile.

Free diagnostic: Try the 65-question AWS SAA-C03 full-length practice exam before subscribing. Use it as one architecture baseline, then return to IT Mastery for timed mocks, domain drills, explanations, and the full Solutions Architect Associate question bank.

What this SAA-C03 practice page gives you

  • a direct route into IT Mastery practice for SAA-C03
  • topic drills and mixed sets across security, resiliency, performance, and cost optimization
  • detailed explanations that show why the best architecture answer is correct
  • a clear free-preview path before you subscribe
  • the same IT Mastery account across web and mobile

SAA-C03 exam snapshot

  • Vendor: AWS
  • Official exam name: AWS Certified Solutions Architect - Associate (SAA-C03)
  • Exam code: SAA-C03
  • Items: 65 total
  • Exam time: 130 minutes
  • Question types: multiple-choice and multiple-response
  • Assessment style: scenario-based AWS architecture trade-offs across resiliency, security, performance, and cost

SAA-C03 questions usually reward the option that satisfies the stated requirement with the cleanest architectural fit, lowest operational burden, and strongest alignment to AWS defaults and service constraints.

Topic coverage for SAA-C03 practice

Domain                                  Weight
Design Secure Architectures             30%
Design Resilient Architectures          26%
Design High-Performing Architectures    24%
Design Cost-Optimized Architectures     20%

SAA-C03 architecture decision filters

Use these filters before choosing between two plausible architecture answers:

  • Requirement fit: identify the hard constraint first, such as RTO, RPO, latency, compliance, throughput, durability, or operational burden.
  • Security boundary: check IAM, encryption, private connectivity, public exposure, network segmentation, and least-privilege access before optimizing anything else.
  • Resilience pattern: decide whether the scenario needs Multi-AZ, multi-Region, managed failover, backup/restore, decoupling, caching, or queue-based buffering.
  • Performance bottleneck: separate compute scaling, database scaling, storage throughput, CDN/cache placement, and asynchronous processing.
  • Cost trade-off: avoid the most powerful service when a simpler managed pattern satisfies the requirement at lower cost.

SAA-C03 readiness map

Area                            What strong readiness looks like
Secure architectures            You can choose identity, network, encryption, logging, and data-protection controls that match the stated risk.
Resilient architectures         You can reason through failure domains, decoupling, backups, replication, failover, and recovery objectives.
High-performing architectures   You can match compute, storage, database, caching, and integration services to throughput and latency needs.
Cost-optimized architectures    You can reduce waste without violating availability, durability, performance, or compliance requirements.
Service-selection trade-offs    You can explain why the best AWS-native managed option beats a more manual or overbuilt alternative.

How to use the SAA-C03 simulator efficiently

  1. Start with domain drills so you can isolate whether your misses are driven by security, resiliency, performance, or cost.
  2. Review every miss until you can explain why the best answer fits the architecture constraints better than the tempting alternatives.
  3. Move into mixed sets once you can switch between VPC, IAM, storage, compute, database, and hybrid-connectivity scenarios without losing the main trade-off.
  4. Finish with timed runs so 65-question architecture scenarios feel normal before exam day.

Final 7-day SAA-C03 practice sequence

Day   Practice focus
7     Take the free full-length diagnostic and tag misses by domain and AWS service family.
6     Drill IAM, VPC, encryption, private access, logging, and secure data-access scenarios.
5     Drill resilience: Multi-AZ, replication, backup, queueing, decoupling, and failover decisions.
4     Drill performance and cost trade-offs across compute, storage, databases, caching, and networking.
3     Complete a timed mixed set and review every architecture trade-off, not just the final answer.
2     Revisit weak service pairs such as SQS vs SNS, EFS vs FSx, RDS vs DynamoDB, and CloudFront vs Global Accelerator.
1     Do a light review of patterns and constraints; avoid trying to memorize new edge cases.

When SAA-C03 practice is enough

If you can complete several unseen mixed attempts above roughly 75% and explain the architecture trade-off behind each correct answer, it is usually better to take the exam than keep drilling until answers feel memorized. The goal is to recognize AWS design patterns under pressure, not to memorize a large bank of stems.

Focused sample questions

Use these child pages when you want focused IT Mastery practice before returning to mixed sets and timed mocks.

Free study resources

Need concept review first? Read the AWS SAA-C03 Cheat Sheet on Tech Exam Lexicon, then return here for timed mocks, topic drills, and full IT Mastery practice.

Free preview vs premium

  • Free preview: a smaller web set so you can validate the question style and explanation depth.
  • Premium: the full SAA-C03 practice bank, focused drills, mixed sets, timed mock exams, detailed explanations, and progress tracking across web and mobile.

24 SAA-C03 sample questions with detailed explanations

These are original IT Mastery practice questions aligned to SAA-C03 architecture, resilience, security, performance, cost optimization, migration, and AWS service-selection decisions. They are not AWS exam questions and are not copied from any exam sponsor. Use them to check readiness here, then continue in IT Mastery with mixed sets, topic drills, and timed mocks.

Question 1

Topic: Domain 4: Design Cost-Optimized Architectures

Which of the following statements about placing NAT gateways in public subnets, and the impact on redundancy and cost, are true? (Select TWO.)

Options:

  • A. Using a single NAT gateway for the entire Region is always cheaper than one per Availability Zone because NAT gateway pricing does not depend on data transfer between Availability Zones.
  • B. To reduce cost, NAT gateways should be placed in public subnets that do not have an internet gateway attached so that egress traffic remains within the VPC.
  • C. NAT gateways are Regional resources, so creating a single NAT gateway in any public subnet provides automatic failover across all Availability Zones in the Region without additional configuration.
  • D. Deploying one NAT gateway in each Availability Zone and routing each private subnet to the NAT gateway in the same Availability Zone improves resiliency and avoids cross-AZ data transfer for that egress traffic.
  • E. Using a single NAT gateway in one Availability Zone for private subnets in multiple Availability Zones can incur cross-AZ data transfer charges for traffic from the other Availability Zones.

Correct answers: D and E

Explanation: The statement about using a single NAT gateway for multiple Availability Zones causing cross-AZ data transfer is correct because any traffic from an instance to a NAT gateway in another Availability Zone must cross AZ boundaries and incur cross-AZ charges.

The statement about deploying one NAT gateway per Availability Zone and routing each private subnet to the NAT gateway in the same Availability Zone is also correct. This design keeps egress traffic within each Availability Zone (avoiding cross-AZ transfer for that path) and ensures that if one Availability Zone fails, instances in the other AZs still have their own NAT gateways, improving resiliency.


Question 2

Topic: Domain 4: Design Cost-Optimized Architectures

A company runs a web application on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The following CloudWatch metrics summarize a typical weekday.

Time (UTC)   Avg requests/min per instance   Avg CPU per instance   ASG desired capacity
01:00        120                             6%                     6
09:00        1,800                           45%                    6
13:00        2,100                           70%                    6
20:00        900                             30%                    6

Based only on this data, which action should the solutions architect take to reduce compute costs while maintaining performance?

Options:

  • A. Purchase a 1-year Compute Savings Plan sized for six instances running 24/7 to reduce the hourly rate of the existing capacity.
  • B. Configure scheduled scaling actions on the Auto Scaling group to lower the minimum and desired capacity during overnight hours and restore capacity before business hours.
  • C. Replace the current instance type with a larger instance so that the Auto Scaling group’s desired capacity can be fixed at three instances at all times.
  • D. Enable EC2 hibernation for the Auto Scaling group instances so they automatically pause when CPU utilization is low and resume when traffic increases.

Best answer: B

Explanation: Configuring scheduled scaling on the Auto Scaling group aligns capacity with predictable demand. The key data is the 01:00 row, which shows an Avg CPU per instance of 6% while the ASG desired capacity remains 6. This clearly indicates that instances are mostly idle overnight. By lowering the minimum and desired capacity during these hours and restoring them before business hours, the company can stop paying for unnecessary instances while still satisfying the higher utilization periods at 09:00 and 13:00.


Question 3

Topic: Domain 1: Design Secure Architectures

Your company owns an S3 bucket in its production account. An external vendor uses its own AWS account and needs read-only access to that single bucket for 3 months. Access must be limited to IAM principals in that vendor account only. Which THREE approaches should you AVOID? (Select THREE.)

Options:

  • A. In the vendor account, attach an IAM identity-based policy to vendor users that allows s3:GetObject and s3:ListBucket on the bucket ARN, without changing the bucket policy.
  • B. Attach an S3 bucket policy on the bucket with Principal: "*" allowing s3:GetObject and s3:ListBucket, and disable S3 Block Public Access for the bucket so the vendor can read objects.
  • C. Add an S3 bucket policy on the bucket that grants s3:GetObject and s3:ListBucket to a specific IAM role ARN from the vendor account; have the vendor assume that role in its own account.
  • D. In AWS Organizations, attach an SCP to the vendor account that explicitly allows s3:GetObject and s3:ListBucket on the bucket ARN, without modifying the bucket policy or creating any roles.
  • E. Create an IAM role in your production account that trusts the vendor AWS account; attach an identity-based policy to the role allowing s3:GetObject and s3:ListBucket on only that bucket, and have the vendor assume this role.

Correct answers: A, B, and D

Explanation: The three approaches to avoid all misuse the policy types relative to the requirement:

  • The choice that only attaches an IAM identity-based policy in the vendor account relies solely on the vendor’s identity policy. Cross-account access needs a grant on both sides; because the bucket is in a different account and nothing in your account (no bucket policy and no trusted role) grants the vendor access, the request is implicitly denied, so the vendor still cannot access the bucket.

  • The choice that uses a bucket policy with Principal: "*" and disables S3 Block Public Access exposes the bucket publicly to the internet. This completely violates the requirement that access be limited to IAM principals in the vendor account only; it’s a clear security anti-pattern.

  • The choice that attaches an SCP to the vendor account and tries to “allow” S3 access misunderstands SCP behavior. SCPs never grant permissions; they just constrain what identity and resource policies can do. Without matching identity-based or resource-based permissions, the vendor will not obtain access to the bucket, so the requirement is not met.
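The two acceptable designs from this question (option E, a role in the production account that trusts the vendor account, and option C, a bucket policy naming one specific vendor role ARN) written out as a CloudFormation template. This is an added example, not part of the IT Mastery question bank; the account IDs, bucket name, role names, expiry date and external ID are placeholders, and the time-bound condition and external ID are additions that enforce the 3-month limit and protect the trust relationship.

```yaml
# Added example, not from the IT Mastery question bank: CloudFormation for the two
# acceptable designs in Question 3 (options E and C). Account IDs, the bucket name,
# the role names, the expiry date and the external ID are placeholders.
# Deploying named IAM resources requires CAPABILITY_NAMED_IAM on the stack.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only, time-bound cross-account access to a single S3 bucket for a vendor

Parameters:
  VendorAccountId:
    Type: String
    Default: "111111111111"             # placeholder: the vendor's AWS account
  SharedBucketName:
    Type: String
    Default: "example-prod-shared-data" # placeholder: the existing bucket
  AccessExpiry:
    Type: String
    Default: "2026-03-31T00:00:00Z"     # placeholder: about 3 months after the grant
  VendorExternalId:
    Type: String
    NoEcho: true                        # assumption: a value agreed with the vendor out of band

Resources:
  # Option E: a role in the production account that trusts the vendor account.
  # Only principals in the vendor account can assume it, and only until AccessExpiry.
  # Same-account identity permissions are sufficient on this path; no bucket policy
  # change and no change to S3 Block Public Access is needed.
  VendorReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: VendorSharedBucketReadOnly
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${VendorAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref VendorExternalId   # blocks confused-deputy use of the role
              DateLessThan:
                aws:CurrentTime: !Ref AccessExpiry      # the 3-month limit enforced in policy
      Policies:
        - PolicyName: SingleBucketReadOnly
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ListOnlyTheSharedBucket
                Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub "arn:aws:s3:::${SharedBucketName}"
              - Sid: ReadObjectsOnlyInTheSharedBucket
                Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "arn:aws:s3:::${SharedBucketName}/*"

  # Option C: the alternative where the role lives in the vendor account and the bucket
  # policy names that specific role ARN. The principal is one ARN, never "*", so S3 Block
  # Public Access stays enabled. The vendor's identity policy on that role must also allow
  # these actions (cross-account access requires both policies to allow), and the vendor
  # role must exist before this policy is deployed or the principal is rejected as invalid.
  VendorRoleBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref SharedBucketName
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowNamedVendorRoleReadOnly
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${VendorAccountId}:role/VendorS3Reader"  # placeholder role
            Action:
              - s3:GetObject
              - s3:ListBucket
            Resource:
              - !Sub "arn:aws:s3:::${SharedBucketName}"
              - !Sub "arn:aws:s3:::${SharedBucketName}/*"
            Condition:
              DateLessThan:
                aws:CurrentTime: !Ref AccessExpiry
```

In practice you would deploy only one of the two resources; they are shown together so the identity-policy path and the resource-policy path can be compared side by side.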


Question 4

Topic: Domain 4: Design Cost-Optimized Architectures

A company must store 200 TB of application log files for regulatory compliance for 10 years. The logs are rarely accessed, and auditors can wait up to 12 hours to retrieve data. The data must be highly durable, and minimizing monthly storage cost is the priority. Which Amazon S3 storage class is the most appropriate choice?

Options:

  • A. Amazon S3 Standard-Infrequent Access (S3 Standard-IA)
  • B. Amazon S3 Glacier Flexible Retrieval
  • C. Amazon S3 Glacier Deep Archive
  • D. Amazon S3 Standard

Best answer: C

Explanation: The option that uses Amazon S3 Glacier Deep Archive is correct because it aligns with all key requirements:

  • Cost priority: It is the lowest-cost S3 storage class for long-term storage per GB.
  • Access pattern: It is intended for data that is rarely accessed, matching the compliance logs use case.
  • Retrieval latency tolerance: The workload can wait up to 12 hours for retrieval, which fits Deep Archive’s expected retrieval times.
  • Durability: It provides the same high durability as other S3 storage classes, suitable for regulatory data.

This combination of ultra-low cost and acceptable hours-level retrieval latency is the discriminating factor that makes S3 Glacier Deep Archive the best choice compared to other S3 classes listed.


Question 5

Topic: Domain 2: Design Resilient Architectures

Which THREE statements about designing a scalable and secure three-tier web application architecture on AWS are correct? (Select THREE.)

Options:

  • A. Using separate security groups so that the web tier only accepts traffic from the ALB, the application tier only accepts from the web tier, and the database tier only accepts from the application tier enforces least-privilege access.
  • B. Storing user session state only in the memory of individual web servers is recommended for highly scalable architectures behind an Application Load Balancer.
  • C. Designing tiers to be stateless where possible and using features such as Auto Scaling groups for the application tier and managed database scaling mechanisms allows each layer to scale independently.
  • D. Placing the database instance in the same public subnet and security group as the web servers simplifies connectivity and is recommended for production three-tier architectures.
  • E. Placing web servers in public subnets behind an Application Load Balancer, with application and database tiers in private subnets, helps separate presentation, application, and data layers.
  • F. Using a single large EC2 instance running web, application, and database services together in one public subnet, fronted by an Elastic IP address, is an example of a scalable three-tier architecture on AWS.

Correct answers: A, C, and E

Explanation: The statement about placing web servers in public subnets behind an ALB with app and database tiers in private subnets is correct because it reflects the canonical three-tier pattern: only the ALB is internet-facing, while compute and data layers are isolated.

The statement describing separate security groups for each tier is correct because it enforces least-privilege, tier-to-tier access (for example, ALB to web, web to app, app to database) and implements defense-in-depth around the data layer.

The statement about designing tiers to be stateless where possible and using Auto Scaling groups and managed database scaling mechanisms is correct because it captures the key scalability benefit of multi-tier designs: each layer can scale independently (out or up) without redesigning the entire stack.


Question 6

Topic: Domain 4: Design Cost-Optimized Architectures

A company has 1,000 IoT sensors, each sending 1 GB of data per day to an application in one AWS Region. Data transfer into the Region costs $0.09/GB. Using AWS IoT Greengrass, only 25% of data will be sent. What is the reduction in data transfer charges over 30 days, in dollars? Round to the nearest dollar.

Options:

  • A. $1,350
  • B. $2,025
  • C. $2,700
  • D. $675

Best answer: B

Explanation: The choice with a $2,025 reduction correctly applies the 75% savings to the original monthly cost. The original cost is 30,000 GB × $0.09 = $2,700. Since edge processing causes only 25% of data to be sent, 75% of the transfer (and cost) is removed: $2,700 × 0.75 = $2,025 reduction.


Question 7

Topic: Domain 3: Design High-Performing Architectures

Which TWO statements are true about designing Amazon QuickSight dashboards to surface operational metrics effectively for different stakeholders? (Select TWO.)

Options:

  • A. 3D charts are recommended for all operational dashboards in QuickSight because they convey trends and anomalies more accurately than simple 2D visuals.
  • B. Storing frequently queried operational data in QuickSight SPICE improves dashboard performance and interactivity, especially for dashboards that many users access concurrently.
  • C. For executive stakeholders, it is best practice to show raw event-level logs directly in QuickSight visuals instead of aggregated KPIs or summaries.
  • D. Using row-level security in QuickSight allows teams to publish one dashboard that shows different subsets of operational data to different stakeholder groups without duplicating datasets.
  • E. To avoid confusing stakeholders, QuickSight dashboards for operations should avoid filters and controls and instead present all available metrics on one long page.

Correct answers: B and D

Explanation: The statement about using row-level security to publish one dashboard that shows different subsets of data to different users is correct because QuickSight supports row-level security mappings that control which records each user or group can see. This directly aligns with the goal of providing stakeholder-specific operational views without duplicating datasets or dashboards.

The statement about using SPICE for frequently queried operational data is also correct. SPICE stores data in-memory and is optimized for fast, concurrent access. For heavily used operational dashboards, this significantly improves user experience and reduces load on the underlying operational databases or log stores, which is a key aspect of a high-performing visualization solution.


Question 8

Topic: Domain 3: Design High-Performing Architectures

Which TWO of the following statements about Amazon Kinesis Data Streams ordering and scaling behavior are true? (Select TWO.)

Options:

  • A. When you add shards to a stream, existing records are automatically redistributed from old shards to the new shards to balance load.
  • B. Each consumer can read from a shard at any rate because Kinesis Data Streams does not enforce per-shard read limits.
  • C. Records that share the same partition key are written to the same shard and can be processed in strict order.
  • D. In provisioned-capacity streams, you must reshard (split or merge shards) to change overall throughput; Kinesis does not automatically add shards when traffic increases.
  • E. Kinesis Data Streams preserves a single global order of all records across every shard in a stream.
  • F. If producers exceed a shard’s write capacity, Kinesis Data Streams silently buffers extra records and delivers them later without errors.

Correct answers: C and D

Explanation: The statement that records with the same partition key are written to the same shard and can be processed in strict order is correct because the partition key controls shard assignment, and Kinesis guarantees ordering within a shard via sequence numbers. This is how you maintain ordered processing for related events.

The statement that provisioned-capacity streams require manual resharding to change throughput is also correct. In this mode, Kinesis does not automatically scale shard count when traffic increases; you must explicitly split or merge shards to increase or decrease capacity. This aligns with how throughput is provisioned and managed in Kinesis Data Streams.


Question 9

Topic: Domain 3: Design High-Performing Architectures

Which of the following statements about Amazon MSK and Amazon Kinesis Data Streams is INCORRECT?

Options:

  • A. Amazon Kinesis Data Streams requires producers and consumers to use AWS-specific APIs or libraries rather than native Kafka clients.
  • B. Throughput in Amazon Kinesis Data Streams is scaled primarily by adjusting the number and capacity mode of shards, whereas Amazon MSK scales throughput by adding brokers and partitions.
  • C. Amazon MSK is typically chosen when applications must remain compatible with existing Kafka clients, tooling, and Kafka ecosystem integrations.
  • D. When minimizing operational overhead is the only priority, Amazon MSK is generally simpler to operate than Amazon Kinesis Data Streams because AWS fully abstracts cluster capacity and scaling for MSK.

Best answer: D

Explanation: The incorrect choice states that Amazon MSK is generally simpler to operate than Amazon Kinesis Data Streams because AWS fully abstracts cluster capacity and scaling for MSK.

In reality, Kinesis Data Streams is usually the simpler, lower-operations option. AWS completely manages the service, and especially with on-demand capacity mode, users do not have to plan detailed capacity beyond basic limits. By contrast, with Amazon MSK, you still decide broker instance types, storage, and topic partitioning, and you may need to manage scaling events.

Because this choice reverses AWS guidance about which service has lower operational overhead, it is the one incorrect statement.


Question 10

Topic: Domain 1: Design Secure Architectures

A company has separate security, dev, and prod AWS accounts. Requirements:

  • Security engineers need read-only access only to logs in all accounts.
  • App teams must administer only their own account.
  • Each account needs a tightly controlled break-glass administrator path.
  • The design must minimize policy duplication and keep duties separated.

Which IAM access design meets these requirements? (Select THREE.)

Options:

  • A. Create one cross-account Admin role in the security account that grants full AdministratorAccess in all accounts. Allow both security engineers and app teams to assume this role when needed. Do not create additional break-glass paths; rely on CloudTrail to detect misuse.
  • B. Centralize logs in the security account. Give security engineers a LogsReadOnly role in the security account that can assume a cross-account LogsCollect role in each workload account using a shared customer-managed policy. Give app teams per-account ApplicationAdmin roles. Provide a BreakGlassAdmin role in each account with AdministratorAccess and mandatory MFA.
  • C. Create IAM users for security engineers and app teams in each account and place them in IAM groups with inline policies. Attach AdministratorAccess to the security group so security engineers can troubleshoot. Add a single shared BreakGlassAdmin IAM user in the security account with access keys disabled.
  • D. Use AWS IAM Identity Center with separate groups for security and each app team. Map groups to permission sets that create account-level IAM roles: a SecurityAudit role with log-read policies in every account and per-account AppAdmin roles. Create a separate BreakGlassAdmin role per account with AdministratorAccess, requiring MFA and emergency-only procedures.
  • E. Federate users from the corporate IdP directly into IAM roles in each account. Configure a SecurityLogsReadOnly role in every account with a shared customer-managed log-read policy, and separate AccountAdmin roles for each app team. Add an emergency BreakGlassAdmin role per account with AdministratorAccess and a strict MFA, approval, and logging process.

Correct answers: B, D, and E

Explanation:

  • Using IAM Identity Center groups mapped to permission sets and roles: This design cleanly maps human users into groups, then into permission sets that create IAM roles like SecurityAudit and AppAdmin. Security engineers get read-only log roles in each account, app teams get per-account admin roles, and a separate BreakGlassAdmin role exists per account. Customer-managed policies in permission sets minimize duplication and keep responsibilities separated.

  • Federating directly from a corporate IdP into IAM roles with shared policies: Here, IdP groups map to IAM roles such as SecurityLogsReadOnly and AccountAdmin. A shared customer-managed policy handles log-read access across accounts, reducing duplication. Each app team’s group maps only to admin roles in its own account. A dedicated BreakGlassAdmin role per account with MFA and strict procedures provides the required emergency path.

  • Centralizing logs and using cross-account log roles plus per-account admin and break-glass roles: Security engineers assume a LogsReadOnly role in the security account, which in turn assumes a LogsCollect role in workload accounts based on a shared log-read policy. App teams use per-account ApplicationAdmin roles, and each account has an explicit BreakGlassAdmin role with AdministratorAccess and mandatory MFA. This preserves least privilege, clear duty separation, and reusable policies.
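The shared log-read policy, the cross-account read-only role and the MFA-gated break-glass role that the correct designs rely on, as one CloudFormation template intended for deployment to every workload account (for example through StackSets). This is an added example, not part of the IT Mastery question bank; it uses the role names from option E, and the account IDs, log bucket name, action list and MFA session-age limit are assumptions.

```yaml
# Added example, not from the IT Mastery question bank: per-account template that creates
# a reusable SecurityLogsReadOnly managed policy, the cross-account SecurityLogsReadOnly
# role assumed from the security account, and an MFA-gated BreakGlassAdmin role.
# Account IDs and the log bucket name are placeholders. Named IAM resources need
# CAPABILITY_NAMED_IAM when the stack (or StackSet) is deployed.
AWSTemplateFormatVersion: "2010-09-09"
Description: Least-privilege log access for security engineers plus an MFA-gated break-glass path

Parameters:
  SecurityAccountId:
    Type: String
    Default: "222222222222"             # placeholder: the central security account
  CentralLogBucket:
    Type: String
    Default: "example-org-central-logs" # placeholder: bucket receiving CloudTrail logs

Resources:
  # One customer-managed policy, identical in every account, so the log-read permissions
  # are written once instead of being duplicated per account or per role.
  SecurityLogsReadOnlyPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: SecurityLogsReadOnly
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ReadCloudWatchLogs
            Effect: Allow
            Action:
              - logs:DescribeLogGroups
              - logs:DescribeLogStreams
              - logs:GetLogEvents
              - logs:FilterLogEvents
              - logs:StartQuery
              - logs:GetQueryResults
            Resource: "*"
          - Sid: ReadCloudTrailHistory
            Effect: Allow
            Action:
              - cloudtrail:DescribeTrails
              - cloudtrail:GetTrailStatus
              - cloudtrail:LookupEvents
            Resource: "*"
          - Sid: ReadArchivedLogObjects
            Effect: Allow
            Action:
              - s3:ListBucket
              - s3:GetObject
            Resource:
              - !Sub "arn:aws:s3:::${CentralLogBucket}"
              - !Sub "arn:aws:s3:::${CentralLogBucket}/*"

  # Read-only role assumed from the security account. It carries only the log-read
  # policy, so a security engineer's session cannot change workloads in this account.
  SecurityLogsReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SecurityLogsReadOnly
      ManagedPolicyArns:
        - !Ref SecurityLogsReadOnlyPolicy          # Ref on a ManagedPolicy returns its ARN
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${SecurityAccountId}:root"
            Action: sts:AssumeRole

  # Break-glass path: full administrator rights, but only in short sessions that carry
  # recent MFA context. Every assumption is recorded by CloudTrail as an AssumeRole event,
  # which is what the approval and logging procedure is built on.
  BreakGlassAdminRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: BreakGlassAdmin
      MaxSessionDuration: 3600
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"  # this account's own principals
            Action: sts:AssumeRole
            Condition:
              Bool:
                aws:MultiFactorAuthPresent: "true"   # caller must have authenticated with MFA
              NumericLessThan:
                aws:MultiFactorAuthAge: "900"         # and done so within the last 15 minutes
```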


Question 11

Topic: Domain 3: Design High-Performing Architectures

A company must ingest telemetry from 50,000 IoT devices, up to 200,000 events per second. They need strict ordering per device and sub-second processing for alerts. The solution should be highly scalable and use managed streaming services. Which architectures should the solutions architect AVOID? (Select THREE.)

Options:

  • A. Use an on-demand Amazon Kinesis Data Stream with device ID as the partition key and use Amazon Kinesis Data Analytics to detect anomalies in near real time before outputting to downstream services.
  • B. Create an Amazon MSK cluster with a multi-AZ Kafka topic that has many partitions keyed by device ID, and scale a consumer group across multiple instances for parallel, low-latency processing.
  • C. Ingest events into an Amazon Kinesis Data Stream using the device ID as the partition key, provision sufficient shards, and process the stream with AWS Lambda using enhanced fan-out consumers.
  • D. Create a single-shard Amazon Kinesis Data Stream and use a constant partition key such as “sensor” for all records so that all events stay in one ordered sequence for a single Lambda consumer.
  • E. Send events directly to an Amazon Kinesis Data Firehose delivery stream configured with a 5-minute buffering interval to Amazon S3, then run an hourly AWS Glue job to detect anomalies.
  • F. Publish events to an Amazon SQS standard queue and trigger an AWS Lambda function, relying on the queue’s at-least-once delivery and best-effort ordering to preserve device event order.

Correct answers: D, E, and F

Explanation: The architectures that should be avoided each violate a core requirement:

  • The approach that sends events to Kinesis Data Firehose with a 5-minute buffer and then runs an hourly AWS Glue job introduces minutes to hours of latency. It is designed for batch loading into S3, not sub-second alerting, and does not preserve strict per-device ordering through the batch ETL pipeline.
  • The approach that publishes events to an SQS standard queue and relies on best-effort ordering cannot guarantee strict ordering per device. SQS standard queues are optimized for high throughput and at-least-once delivery but explicitly do not provide strict ordering semantics.
  • The approach that uses a single-shard Kinesis Data Stream with a constant partition key forces all events through one shard. This creates a hot shard that cannot scale to 200,000 events per second, causing throttling and high latency, even though it technically preserves a global order. It fails the performance requirement and should be avoided.

Question 12

Topic: Domain 2: Design Resilient Architectures

An online learning platform runs identical HTTPS web stacks in three AWS Regions, each behind a regional Application Load Balancer. The company wants users automatically routed to the lowest-latency healthy Region. Caching and static anycast IP addresses are not required. Which AWS services are appropriate choices to meet these requirements? (Select TWO.)

Options:

  • A. Use Amazon Route 53 weighted routing records to distribute traffic evenly across the three Regions.
  • B. Use Amazon CloudFront with a single origin in one Region and disable caching for dynamic content.
  • C. Use a single Application Load Balancer in one primary Region and configure cross-zone load balancing.
  • D. Use AWS Global Accelerator with endpoint groups for each Region pointing to the regional Application Load Balancers.
  • E. Use Amazon Route 53 latency-based routing records pointing to the regional Application Load Balancers.

Correct answers: D and E

Explanation:

  • Amazon Route 53 latency-based routing records pointing to the regional ALBs: Route 53 can create latency-based DNS records for each Region’s ALB. For each client DNS query, Route 53 returns the ALB in the Region that offers the best latency, and it can use health checks to exclude unhealthy endpoints. This directly matches the requirement to route users to the lowest-latency healthy Region without involving caching.

  • AWS Global Accelerator with endpoint groups for each Region pointing to the regional ALBs: Global Accelerator provides static anycast IPs (even though they are not required) and uses the AWS global network to route users to the closest healthy endpoint group based on latency. It supports TCP/UDP, including HTTPS over TCP, and performs continuous health checks of the endpoints. It satisfies the requirement for automatic, latency-based, multi-Region routing and failover for HTTPS traffic.


Question 13

Topic: Domain 4: Design Cost-Optimized Architectures

Which THREE of the following statements about cost and connectivity trade-offs between AWS Site-to-Site VPN, AWS Direct Connect, and internet-based access are INCORRECT? (Select THREE.)

Options:

  • A. AWS Site-to-Site VPN is often the lowest-cost and fastest option to provision for initial connectivity, making it suitable for lower-throughput dev/test environments or as a backup to Direct Connect.
  • B. Using the public internet with HTTPS to access Amazon S3 over public endpoints eliminates all AWS data transfer charges for outbound traffic from an AWS Region to on-premises users.
  • C. AWS Direct Connect has no fixed hourly port charges and is billed only on a per-GB data transfer basis, which makes it the lowest-cost option for small, intermittent traffic patterns.
  • D. AWS Site-to-Site VPN generally offers more consistent latency and higher reliability than AWS Direct Connect, so it is the preferred option for mission-critical, low-latency production workloads.
  • E. For large, steady volumes of data transfer between on-premises and AWS, the lower per-GB data transfer rates of AWS Direct Connect can offset its fixed port costs and result in lower total network spend than routing the same traffic over a VPN on the public internet.

Correct answers: B, C, and D

Explanation: The incorrect choices all misstate key trade-offs:

  • The statement that VPN generally offers more consistent latency and higher reliability than Direct Connect is wrong because VPN depends on the public internet, whereas Direct Connect is a dedicated link with more predictable performance and often better reliability for critical workloads.
  • The statement that accessing S3 over HTTPS from the internet eliminates all data transfer charges is wrong because outbound data from an AWS Region to the public internet is billed as data transfer out, regardless of whether HTTPS is used.
  • The statement that Direct Connect has no fixed port charges and is cheapest for small, intermittent traffic is wrong because Direct Connect normally includes fixed hourly port charges in addition to data transfer. Those fixed costs make it relatively expensive for small or sporadic usage compared to VPN or basic internet-based access.

Question 14

Topic: Domain 1: Design Secure Architectures

Which of the following statements about designing IAM and key policies for AWS KMS customer managed keys are INCORRECT and should NOT be followed as best practices? (Select THREE.)

Options:

  • A. Disabling or scheduling deletion of a KMS key can be treated as a normal operational permission for all developers who use the key, because these actions are easily reversible.
  • B. To support separation of duties, key administrators should be allowed to create and manage keys but should not generally be permitted to encrypt or decrypt application data with those keys.
  • C. For customer managed KMS keys, it is a best practice to reference specific IAM roles in the key policy and then use IAM policies to grant them precise permissions.
  • D. The AWS account root user should retain full administrative permissions on all KMS keys and be used for routine key management tasks.
  • E. Granting a security operations role unrestricted kms:* permissions on all keys in the account is recommended to avoid accidental access denial.
  • F. Permissions to use a KMS key in other AWS services (such as EBS or RDS) should be scoped only to the minimum required principals and operations for that workload.

Correct answers: A, D, and E

Explanation: The statements that treat broad or risky permissions as best practice are incorrect:

  • The statement recommending the root user for routine key management is wrong because the root user is too powerful and should be locked away, not used regularly. Using it for KMS management violates least privilege and increases the blast radius of any compromise.
  • The statement suggesting a security operations role should have unrestricted kms:* on all keys is also incorrect. That level of access grants full administrative and usage rights across every key, far beyond what is needed, and directly conflicts with least-privilege design.
  • The statement saying disabling or scheduling deletion of a key is a normal, easily reversible operation for all developers is incorrect and unsafe. These actions can immediately break workloads and may lead to permanent data loss, so they must be tightly controlled and not granted broadly.

These three statements misrepresent KMS best practices and would introduce significant security and availability risks if followed.
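The three anti-patterns above (and the scoping point in option F) can be checked mechanically against a key policy document, which is useful when reviewing many customer managed keys. The linter below is an added example, not code from this page or from AWS: it inspects a constructed key policy offline, uses the AWS documentation placeholder account ID 111122223333, and every role name in it is hypothetical. The account root `kms:*` statement is deliberately not flagged, because that default statement is what lets IAM policies in the account apply to the key; option D is about logging in as root for routine work, not about that statement.

```python
"""Lint a KMS key policy for the anti-patterns discussed in Question 14.

Added example: not code from the page or from AWS. It inspects a constructed
key policy offline. 111122223333 is the AWS documentation placeholder account
ID, and every role name below is hypothetical.
"""
import fnmatch
import json

# Actions that can break workloads or cause permanent data loss (option A).
DESTRUCTIVE = {"kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:DeleteImportedKeyMaterial"}
# Cryptographic usage actions that key administrators should not hold (option B).
USAGE = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
         "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext"}
# Actions that mark a statement as a key-administration statement.
ADMIN_MARKERS = {"kms:PutKeyPolicy", "kms:EnableKey", "kms:DisableKey", "kms:ScheduleKeyDeletion"}

# Constructed sample: one well-scoped usage statement plus several deliberate mistakes.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "KeyAdministrators", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/KMSKeyAdmins"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
                "kms:Decrypt"],  # mistake: administrators can also read application data
     "Resource": "*"},
    {"Sid": "SecOpsBreakGlass", "Effect": "Allow",  # mistake: unrestricted kms:* (option E)
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/SecOps"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Developers", "Effect": "Allow",  # mistake: destructive actions for any caller in the org (option A)
     "Principal": "*",
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DisableKey", "kms:ScheduleKeyDeletion"],
     "Resource": "*", "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    {"Sid": "AppUsage", "Effect": "Allow",  # scoped usage for one workload; grants only for AWS services (option F)
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/OrderServiceRole"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    {"Sid": "EbsUsageUnscoped", "Effect": "Allow",  # mistake: grants not limited to AWS-service use
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/EbsAttachRole"},
     "Action": ["kms:CreateGrant", "kms:Decrypt"], "Resource": "*"},
]})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Flatten the Principal element to a list of strings; '*' means any caller."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [p for values in principal.values() for p in _as_list(values)]


def _covered(actions, wanted):
    """Members of `wanted` matched by the statement's case-insensitive wildcard action patterns."""
    patterns = [a.lower() for a in actions]
    return {w for w in wanted if any(fnmatch.fnmatchcase(w.lower(), p) for p in patterns)}


def lint_key_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that match a Question 14 anti-pattern."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        principals = _principals(stmt)
        # The default statement that gives the account root principal kms:* is expected:
        # it is what allows IAM policies in the account to take effect on the key.
        account_root_only = bool(principals) and all(p.endswith(":root") for p in principals)
        if any(a.lower() in ("*", "kms:*") for a in actions):
            if not account_root_only:
                findings.append((sid, "unrestricted kms:* granted to " + ", ".join(principals)))
            continue
        admin = _covered(actions, ADMIN_MARKERS)
        if admin and _covered(actions, USAGE):
            findings.append((sid, "key administration and cryptographic usage mixed in one statement"))
        destructive = _covered(actions, DESTRUCTIVE)
        if destructive and any("*" in p for p in principals):
            findings.append((sid, "destructive actions granted to a wildcard principal: "
                             + ", ".join(sorted(destructive))))
        condition_text = json.dumps(stmt.get("Condition", {})).lower()
        if not admin and _covered(actions, {"kms:CreateGrant"}) and "kms:grantisforawsresource" not in condition_text:
            findings.append((sid, "kms:CreateGrant not limited with kms:GrantIsForAWSResource"))
    return findings


if __name__ == "__main__":
    for sid, finding in lint_key_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Running it against the sample reports one finding each for KeyAdministrators, SecOpsBreakGlass and EbsUsageUnscoped, two for Developers, and none for the root statement or the scoped AppUsage statement. In practice the input would be the document returned by `kms get-key-policy` for each key, and the rule set can be extended with whatever the organization treats as a mandatory control.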


Question 15

Topic: Domain 3: Design High-Performing Architectures

An online retailer collects clickstream events from web clients at 20,000 events/second, with spikes up to 100,000 events/second. Two independent consumer applications must process each event within 5 seconds and be able to replay historical data. Which solution is MOST appropriate?

Options:

  • A. Send events to an Amazon SQS standard queue and have a single AWS Lambda function fan out data to both consumer applications
  • B. Batch events on clients for 1 minute and upload to Amazon S3, then run an AWS Glue job every 5 minutes to feed the consumer applications
  • C. Write events directly to an Amazon RDS database and have each consumer application poll the database for new records
  • D. Ingest events into Amazon Kinesis Data Streams in on-demand capacity mode and have each consumer application read from the stream independently with its own AWS Lambda consumer

Best answer: D

Explanation: Using Amazon Kinesis Data Streams in on-demand capacity mode with separate consumers for each application best matches all requirements:

  • Handles sustained high throughput and spikes up to 100,000 events/second.
  • Provides sub-second to few-second end-to-end latency with Lambda or other consumers.
  • Natively supports multiple independent consumers reading the same data stream.
  • Retains data for a configured period, enabling replay of historical events per consumer.

No other option simultaneously delivers high-throughput ingestion, low-latency processing, independent multi-consumer access, and straightforward replay.


Question 16

Topic: Domain 1: Design Secure Architectures

A company runs many workloads in dozens of AWS accounts in a single AWS Organizations organization. Each account has one or more VPCs. The security team must:

  • Perform stateful inspection and domain-based filtering on all outbound internet traffic from every VPC.
  • Define and update firewall rules in one place and enforce them consistently across accounts and VPCs.
  • Prevent application teams from bypassing or modifying mandatory firewall rules.
  • Minimize ongoing per-account configuration and avoid building custom automation.

Which THREE approaches meet these requirements using AWS managed services? (Select THREE.)

Options:

  • A. Use AWS Firewall Manager security group policies in the security account to define mandatory egress rules. In each application account, use NAT gateways and VPC route tables to send outbound traffic directly to the internet without additional firewalls.
  • B. Deploy third-party firewall EC2 instances behind a Gateway Load Balancer in each application VPC. Use AWS Organizations service control policies to prevent teams from changing the security groups on the firewall instances.
  • C. Create a shared egress VPC in the security account that contains NAT gateways and AWS Network Firewall endpoints. Share the egress subnets with application accounts by using AWS Resource Access Manager (AWS RAM) and require all outbound traffic to use these subnets. Use AWS Firewall Manager with an AWS Network Firewall policy so the security team centrally manages firewall rules.
  • D. Create a dedicated inspection VPC in a central security account with AWS Network Firewall endpoints connected to an AWS Transit Gateway. Attach all application VPCs to the transit gateway and route internet-bound traffic through the inspection VPC. Use AWS Firewall Manager with an AWS Network Firewall policy so the security team centrally manages firewall rule groups.
  • E. Use AWS Firewall Manager to create an AWS Network Firewall policy for the required OUs that automatically deploys Network Firewall firewalls into every VPC. The security team manages all Network Firewall rule groups in the Firewall Manager policy; application teams cannot change the mandatory rules.

Correct answers: C, D, and E

Explanation: The correct answers all combine AWS Network Firewall with AWS Firewall Manager in patterns that satisfy every requirement:

  • They place AWS Network Firewall in the data path (central inspection VPC, distributed firewalls in each VPC, or a shared egress VPC), providing stateful inspection and domain-based filtering for all outbound internet traffic.
  • They use AWS Firewall Manager with an AWS Network Firewall policy so the security team defines rule groups and policies once and has them enforced consistently across all in-scope accounts and VPCs.
  • They architect traffic so application teams cannot bypass or directly modify the mandatory firewall rules (traffic is forced through inspection VPCs or shared egress infrastructure owned by the security team).
  • They rely on AWS-managed services (Network Firewall, Firewall Manager, Transit Gateway, AWS RAM) to minimize custom automation and ongoing per-account configuration.

Question 17

Topic: Domain 2: Design Resilient Architectures

Which TWO statements below about correctly implementing immutable infrastructure patterns on AWS are true? (Select TWO.)

Options:

  • A. Rolling back a release typically involves redeploying the previous image version rather than restoring from system-level backups.
  • B. Using immutable infrastructure eliminates the need for automated testing because all servers start from the same image.
  • C. Servers are replaced with new instances built from versioned golden images instead of being patched in place.
  • D. Immutable infrastructure requires direct SSH access to each instance so that configuration can be updated quickly.
  • E. With immutable infrastructure, configuration drift is more likely because changes accumulate on long-lived instances.

Correct answers: A and C

Explanation: The statement about replacing servers with new instances built from versioned golden images captures the core immutable idea: no in-place changes; all updates come from a new image version.

The statement about rollback via redeploying the previous image version describes the typical rollback strategy in immutable systems: switch traffic back to an earlier, stable image by redeploying it (for example, using blue/green or rolling strategies), which is faster and more consistent than restoring entire servers from backup snapshots.


Question 18

Topic: Domain 3: Design High-Performing Architectures

Which statement correctly describes the effect of adding an Amazon ElastiCache cluster between an application and its Amazon RDS database to reduce latency?

Options:

  • A. It can only cache write operations, not read operations, so it does not significantly improve read latency.
  • B. It reduces both read and write latency while guaranteeing that cached data is always strongly consistent with the database.
  • C. It reduces read latency by serving data from memory, but the application must handle possible stale data because the cache is independent of the database.
  • D. It increases read latency because every read must first go to the cache and then always query the database as well.

Best answer: C

Explanation: The choice describing that ElastiCache reduces read latency by serving data from memory while requiring the application to handle possible stale data is accurate. ElastiCache is an in-memory, network-attached cache that accelerates reads, but it does not enforce strong synchronization with RDS. Consistency behavior is determined by how the application populates and invalidates cache entries, not by ElastiCache itself.
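The stale-data point is easiest to see in the read and write paths themselves. The following cache-aside implementation is an added example, not code from this page or from AWS: two dictionaries stand in for ElastiCache and RDS, the clock is injected so TTL expiry can be observed without sleeping, and the key and values are constructed. It contrasts a write that only updates the database (readers keep seeing the cached value until the TTL expires) with a write that also invalidates the cache entry.

```python
"""Cache-aside reads in front of a database, with the stale-data window
described in Question 18. Added example, not from the page: dicts stand in
for ElastiCache and RDS, and the clock is injected for deterministic TTLs."""
import time


class FakeClock:
    """Manually advanced clock so TTL behaviour can be observed without sleeping."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class CacheAsideStore:
    def __init__(self, ttl_seconds, clock=time.monotonic):
        self._db = {}       # stands in for the RDS table
        self._cache = {}    # key -> (value, expires_at); stands in for ElastiCache
        self._ttl = ttl_seconds
        self._clock = clock
        self.db_reads = 0   # round trips that actually reached the database

    def read(self, key):
        """Cache-aside read: serve from memory on a fresh hit, else load from the DB and populate."""
        entry = self._cache.get(key)
        if entry is not None and entry[1] > self._clock():
            return entry[0]
        self.db_reads += 1
        value = self._db.get(key)
        if value is not None:
            self._cache[key] = (value, self._clock() + self._ttl)
        return value

    def write_db_only(self, key, value):
        """Update the database but leave the cache alone: readers may see the old value until the TTL expires."""
        self._db[key] = value

    def write_and_invalidate(self, key, value):
        """Update the database and evict the cached copy so the next read repopulates it."""
        self._db[key] = value
        self._cache.pop(key, None)


def stale_read_sequence(ttl_seconds=30):
    """Return the values a reader observes under both write strategies, and the DB read count."""
    clock = FakeClock()
    store = CacheAsideStore(ttl_seconds, clock)
    store.write_and_invalidate("product:42", "price=10")   # constructed initial row
    observed = [store.read("product:42")]                   # miss: loads price=10 into the cache
    store.write_db_only("product:42", "price=12")
    observed.append(store.read("product:42"))               # hit: stale price=10 is served
    clock.advance(ttl_seconds + 1)
    observed.append(store.read("product:42"))               # TTL expired: reloads price=12
    store.write_and_invalidate("product:42", "price=15")
    observed.append(store.read("product:42"))               # invalidated: price=15 at once
    return observed, store.db_reads


if __name__ == "__main__":
    print(stale_read_sequence())
```

The second read returns the old price even though the database already holds the new one; nothing in the cache layer knows the row changed. Shortening the TTL narrows that window at the cost of more database reads, while invalidating (or updating) the cache entry in the write path closes it for writes that go through the application, which is the choice the explanation above attributes to the application rather than to ElastiCache.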


Question 19

Topic: Domain 2: Design Resilient Architectures

A company has an image-processing pipeline where Amazon S3 sends events to an Amazon Kinesis Data Stream that is processed by AWS Lambda. Traffic is usually low but occasionally spikes. Ordering is not required. The team wants to reduce cost and operational overhead without reducing reliability. Which modification is MOST appropriate?

Options:

  • A. Enable enhanced fan-out on the Kinesis Data Stream and increase the shard count to handle spikes more efficiently.
  • B. Replace the Kinesis Data Stream with an Amazon SQS standard queue configured as an event source for AWS Lambda with batched polling.
  • C. Replace the Kinesis Data Stream with an Amazon SNS topic that invokes the Lambda function directly.
  • D. Replace the Kinesis Data Stream with an Amazon EventBridge event bus that routes S3 events to Lambda.

Best answer: B

Explanation: Replacing Kinesis Data Streams with an SQS standard queue configured as a Lambda event source mapping is best because it preserves asynchronous decoupling and at-least-once delivery while eliminating shard provisioning and resharding. SQS charges per request instead of per shard, typically reducing cost for low-traffic workloads, and the managed polling and batching from Lambda simplify operations and handle traffic spikes automatically.


Question 20

Topic: Domain 4: Design Cost-Optimized Architectures

A company migrated a read-heavy web application to EC2 with gp3 EBS volumes. Last month, AWS Cost Explorer shows a large spike in EBS gp3 charges. CloudWatch shows volume I/O never exceeds 800 IOPS and 60MiB/s; application latency is within SLOs. What is the most cost-effective fix?

Options:

  • A. Increase the EC2 instance size and move the application cache into memory to reduce reliance on EBS.
  • B. Reconfigure the gp3 volumes to use only the included baseline performance (3,000 IOPS and 125MiB/s) instead of higher provisioned settings.
  • C. Create a RAID 0 array across multiple gp3 volumes to distribute I/O and lower per-volume costs.
  • D. Migrate the volumes to Provisioned IOPS io2 with the same IOPS and throughput settings to improve cost efficiency.

Best answer: B

Explanation: The option that reconfigures the gp3 volumes to use only the baseline 3,000 IOPS and 125MiB/s directly targets the root cause: overprovisioned performance. Since actual usage peaks at 800 IOPS and 60MiB/s, the baseline is more than sufficient. Reducing provisioned IOPS/throughput to the included baseline removes unnecessary premium charges without impacting performance or changing the architecture.


Question 21

Topic: Domain 2: Design Resilient Architectures

A company runs a public web application in two AWS Regions. Each Region has instances in two Availability Zones and its own Amazon RDS database. Amazon Route 53 uses latency-based routing to send users to both Regions. About 95% of users are in one Region’s geographic area. The business requires 99.9% availability, an RPO of 1 hour, and an RTO of 4 hours for a full-Region failure. The operations team wants to reduce cost and simplify operations while still meeting all requirements. Which architectural change should a solutions architect make?

Options:

  • A. Move the workload into a single Region and a single Availability Zone, and use Route 53 weighted routing across multiple instances in that Availability Zone to avoid overloading any server.
  • B. Use one primary Region with multi-AZ application and RDS, keep a smaller standby stack and cross-Region RDS replica in the secondary Region, and switch Route 53 to a failover routing policy with the primary as active and the secondary as passive.
  • C. Keep two active Regions but remove multi-AZ deployments in each Region to save cost. Continue using Route 53 latency-based routing between the Regions for resilience.
  • D. Shut down the secondary Region and run the entire workload in a single Region using multi-AZ for the application and RDS. Point Route 53 to an alias record for the primary Region only.

Best answer: B

Explanation: The option that uses one primary multi-AZ Region with a smaller standby stack and cross-Region RDS replica in a secondary Region, combined with a Route 53 failover routing policy, is best.

  • Resilience within a Region: Multi-AZ deployments for both compute and database in the primary Region handle AZ failures without downtime, supporting the 99.9% availability requirement.
  • Regional disaster recovery: The secondary Region maintains a cross-Region replica and a scaled-down stack. If the primary Region fails, Route 53 failover routing can shift DNS to the DR Region. Autoscaling and restoring capacity there can be done within the 4-hour RTO, and asynchronous replication keeps the RPO near 1 hour or better.
  • Cost and operations: Only one Region is fully active for live traffic, so compute and database capacity in the secondary Region can be minimized until failover. This significantly reduces ongoing cost and simplifies routing and monitoring compared with active-active multi-Region latency-based routing.

Question 22

Topic: Domain 2: Design Resilient Architectures

A company is moving several workloads to AWS. The architecture team wants managed data services that, by default, store data redundantly across multiple Availability Zones in a Region, without requiring the team to configure replication or manage underlying servers. Which services meet these requirements? (Select THREE.)

Options:

  • A. Amazon Elastic File System (EFS) Standard
  • B. Amazon DynamoDB standard tables
  • C. Amazon RDS for MySQL with Single-AZ deployment
  • D. Amazon S3 Standard storage class
  • E. Amazon EC2 instances with General Purpose (gp3) EBS volumes
  • F. Amazon ElastiCache for Redis with a single-node cluster

Correct answers: A, B, and D

Explanation: Amazon DynamoDB standard tables

DynamoDB is a fully managed NoSQL database service. Tables are regional resources, and AWS automatically replicates data across multiple Availability Zones within the Region. There is no need for the customer to set up replication, patch servers, or manage storage. This directly satisfies the requirements of automatic multi-AZ redundancy and minimal operational overhead.

Amazon S3 Standard storage class

Amazon S3 is fully managed object storage. The S3 Standard storage class redundantly stores data across multiple AZs by default in a Region. Customers only manage buckets and objects; they do not manage servers, disks, or replication within the Region. This provides high durability and availability with no extra configuration, matching the scenario.

Amazon Elastic File System (EFS) Standard

EFS Standard is a regional, fully managed file system that automatically stores data redundantly across multiple Availability Zones in the Region. Customers mount the file system; AWS manages the underlying infrastructure, scaling, and multi-AZ redundancy. No replication configuration or server management is required, so it meets all stated requirements.


Question 23

Topic: Domain 4: Design Cost-Optimized Architectures

A company uses multiple AWS accounts under a single AWS Organizations management account. Leadership wants to attribute all EC2, Lambda, and container compute costs to teams and applications with minimal manual effort. Which actions SHOULD THE ARCHITECT AVOID? (Select TWO.)

Options:

  • A. Enable consolidated billing in AWS Organizations and build Cost Explorer reports and Cost Categories that group compute spend by account and tag.
  • B. Create AWS Budgets for each team that filter on the Team cost allocation tag and send notifications when monthly compute spend exceeds thresholds.
  • C. Stop tagging Lambda functions and container tasks, and rely only on per-account totals because tagging serverless workloads is complex.
  • D. Define standard cost allocation tags such as Team and Application, require them through tagging policies, and activate them as cost allocation tags in the management account.
  • E. Provide long-lived IAM access keys for the management account to each team so they can download and analyze the AWS Cost and Usage Report independently.

Correct answers: C and E

Explanation: The option that shares long-lived IAM access keys for the management account with each team should be avoided because it violates the principle of least privilege and creates major security and governance risks. Teams should instead assume scoped roles or use dashboards and reports provided centrally.

The option that stops tagging Lambda functions and container tasks should be avoided because it prevents fine-grained cost allocation by team and application. Serverless and container workloads are a significant part of compute spend and must be tagged consistently so they appear correctly in Cost Explorer, Cost Categories, and AWS Budgets filters.


Question 24

Topic: Domain 1: Design Secure Architectures

A company uses a 1 Gbps AWS Direct Connect link to connect its on-premises data center to multiple VPCs. All hybrid traffic must be encrypted, production and dev VPCs must be isolated, and network costs should stay reasonable. Which TWO design choices should the architect AVOID? (Select TWO.)

Options:

  • A. Rely on the private Direct Connect link without any additional IPsec or MACsec encryption, because the circuit is physically dedicated to the company.
  • B. Create an AWS Site-to-Site VPN attachment on the Transit Gateway over the Direct Connect to encrypt all hybrid traffic.
  • C. Provision two additional 10 Gbps Direct Connect dedicated connections solely for the low-throughput dev/test VPC, instead of using an internet-based VPN for that environment.
  • D. Terminate the Direct Connect on an AWS Transit Gateway and use separate Transit Gateway route tables so that production and dev VPCs cannot route to each other.
  • E. Create a separate internet-based Site-to-Site VPN connection for production as a backup path in case the Direct Connect link fails.

Correct answers: A and C

Explanation: The option that relies on the private Direct Connect link without any additional IPsec or MACsec encryption ignores the explicit requirement that all hybrid traffic must be encrypted. Direct Connect is a dedicated connection but not inherently encrypted, so using it without an overlay encryption solution is a security violation.

The option that provisions two additional 10 Gbps Direct Connect links only for a low-throughput dev/test VPC introduces significant, unnecessary cost. For nonproduction, low-bandwidth use cases, a standard internet-based Site-to-Site VPN is typically sufficient and far more cost-effective. This design therefore violates the cost-awareness aspect of the requirements.

SAA-C03 solutions architecture map

Use this map after the sample questions to connect individual items to the AWS architecture tradeoff decisions these practice samples test.

    flowchart LR
      S1["Business and technical requirement"] --> S2
      S2["Design secure network and identity boundary"] --> S3
      S3["Select compute storage database and integration services"] --> S4
      S4["Apply reliability scalability and DR"] --> S5
      S5["Optimize cost and operations"] --> S6
      S6["Validate tradeoffs"]

Quick Cheat Sheet

  • Requirements first: Read for latency, availability, durability, RTO, RPO, compliance, budget, and operations constraints.
  • Service fit: Choose managed services when they reduce operational burden and meet requirements.
  • Security: Apply least privilege, encryption, private networking, logging, and segmentation.
  • Reliability: Use multi-AZ, backups, auto scaling, health checks, queues, and tested failover.
  • Cost: Right-size, use appropriate storage tiers, autoscale, reserve predictable usage, and avoid overbuilding.

Mini Glossary

  • Auto Scaling: AWS capability for adjusting capacity based on demand or policy.
  • Multi-AZ: Architecture using multiple Availability Zones for resilience.
  • RTO: Recovery time objective: acceptable service restoration time.
  • RPO: Recovery point objective: acceptable data-loss window.
  • Well-Architected: AWS framework for reviewing architecture across key pillars.


Revised on Thursday, May 14, 2026