Amazon AWS Certified Solutions Architect - Associate SAA-C03 AWS Certified Solutions Architect - Associate Exam Questions in PDF

Free Amazon AWS Certified Solutions Architect - Associate Dumps Questions (page: 10)

A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  A. Replace the current security group of the bastion host with one that only allows inbound access from the application instances.
  B. Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.
  C. Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.
  D. Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
  E. Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.

Answer(s): C,D

Explanation:

The correct choices C and D together implement the intended bastion pattern: the bastion's security group allows inbound SSH only from the company's external IP range (the source address the on-premises network presents when it arrives over the internet), and the application instances' security group allows inbound SSH only from the bastion host's private IP address, so the application tier is reachable only through the bastion over the VPC's private path.
A is wrong because allowing inbound only from the application instances would block the on-premises connection to the bastion in the first place. B is wrong because the company's internal IP range is not the source address seen when the connection arrives over the internet, so that rule would block the on-premises-to-bastion connection. E is wrong because traffic from the bastion to the application instances traverses the VPC from the bastion's private IP, not its public IP; a rule keyed to the public IP would never match the bastion's SSH sessions.



A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.
How should security groups be configured in this situation? (Choose two.)

  A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
  B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
  C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
  D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
  E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Answer(s): A,C

Explanation:

A) The web tier SG should permit inbound 443 from 0.0.0.0/0 so that users anywhere can reach the site over HTTPS.
B) Incorrect: an outbound rule "from 0.0.0.0/0" is not what web access needs. Security groups are stateful, so responses to accepted inbound HTTPS connections are allowed automatically; the inbound rule is what matters.
C) The DB tier SG should allow inbound 1433 only from the web tier's SG, so the database accepts connections from web instances and from nothing else.
D) Incorrect: outbound 443/1433 from the DB tier to the web tier is unnecessary; the web tier initiates the connections.
E) Incorrect: the DB tier does not need inbound 443; it should receive only 1433 from the web tier SG.
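The two security-group questions above (bastion access and the two-tier web/SQL Server design) come down to which source a rule matches: a CIDR rule matches the source address as the destination sees it, a group-referencing rule matches the source instance's security groups. The following is an added, constructed example, not code from the question set or from AWS: a small offline model of security-group ingress matching whose rule sets use the IpPermissions shape accepted by boto3's `ec2.authorize_security_group_ingress`. All addresses (RFC 5737 documentation ranges) and group IDs are assumptions.

```python
"""Offline model of EC2 security-group ingress matching for the bastion
scenario and the two-tier web/SQL Server scenario above.

Added, constructed example: not AWS code and not part of the question set.
Rules use the IpPermissions shape that boto3's
ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=...) accepts.
All addresses and group IDs are assumptions (RFC 5737 documentation ranges).
"""
import ipaddress

COMPANY_EXTERNAL_RANGE = "203.0.113.0/24"  # company's public egress range (assumed)
COMPANY_INTERNAL_RANGE = "10.50.0.0/16"    # on-prem private range; never the source on the internet path
RANDOM_INTERNET_HOST = "192.0.2.7"         # an unrelated internet source
BASTION_PUBLIC_IP = "198.51.100.10"
BASTION_PRIVATE_IP = "10.0.1.10"
WEB_INSTANCE_PRIVATE_IP = "10.0.0.15"


def tcp_from_cidr(port, cidr, description):
    """One ingress rule: TCP `port` from a CIDR block."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def tcp_from_group(port, group_id, description):
    """One ingress rule: TCP `port` from any instance carrying security group `group_id`."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": group_id, "Description": description}]}


def ingress_allowed(rules, src_ip, src_groups, port, proto="tcp"):
    """True if at least one ingress rule matches the flow; security groups are
    allow-lists, so an unmatched flow is dropped.

    CIDR rules match the source address as the destination sees it (inside
    the VPC that is the other instance's private IP); group rules match the
    source instance's security groups regardless of its address.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["IpProtocol"] not in (proto, "-1"):
            continue
        if not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
        if any(g["GroupId"] in src_groups for g in rule.get("UserIdGroupPairs", [])):
            return True
    return False


# Scenario 1: on-prem -> internet -> bastion (public subnet) -> app instances (private subnet).
BASTION_SG_OPTIONS = {
    "A": tcp_from_group(22, "sg-app", "SSH only from application instances"),
    "B": tcp_from_cidr(22, COMPANY_INTERNAL_RANGE, "SSH from company internal range"),
    "C": tcp_from_cidr(22, COMPANY_EXTERNAL_RANGE, "SSH from company external range"),
}
APP_SG_OPTIONS = {
    "D": tcp_from_cidr(22, BASTION_PRIVATE_IP + "/32", "SSH from bastion private IP"),
    "E": tcp_from_cidr(22, BASTION_PUBLIC_IP + "/32", "SSH from bastion public IP"),
}


def bastion_hop_works(option):
    """An on-prem admin arriving over the internet presents a company external address."""
    return ingress_allowed([BASTION_SG_OPTIONS[option]], "203.0.113.5", set(), 22)


def bastion_exposed_to_internet(option):
    """Does the bastion rule also admit an arbitrary internet host?"""
    return ingress_allowed([BASTION_SG_OPTIONS[option]], RANDOM_INTERNET_HOST, set(), 22)


def app_hop_works(option):
    """Bastion -> app stays inside the VPC, so the app instance sees the bastion's private IP."""
    return ingress_allowed([APP_SG_OPTIONS[option]], BASTION_PRIVATE_IP, {"sg-bastion"}, 22)


# Scenario 2: web tier takes 443 from anywhere; SQL Server tier takes 1433 from the web SG only.
WEB_SG_RULES = [tcp_from_cidr(443, "0.0.0.0/0", "HTTPS from users")]
DB_SG_RULES = [tcp_from_group(1433, "sg-web", "SQL Server from web tier only")]


def two_tier_results():
    """The flows a reviewer would check against the two-tier rule sets."""
    return {
        "user_to_web_443": ingress_allowed(WEB_SG_RULES, RANDOM_INTERNET_HOST, set(), 443),
        "web_to_db_1433": ingress_allowed(DB_SG_RULES, WEB_INSTANCE_PRIVATE_IP, {"sg-web"}, 1433),
        "internet_to_db_1433": ingress_allowed(DB_SG_RULES, RANDOM_INTERNET_HOST, set(), 1433),
        "bastion_to_db_1433": ingress_allowed(DB_SG_RULES, BASTION_PRIVATE_IP, {"sg-bastion"}, 1433),
        "web_to_db_443": ingress_allowed(DB_SG_RULES, WEB_INSTANCE_PRIVATE_IP, {"sg-web"}, 443),
    }


if __name__ == "__main__":
    for opt in "ABC":
        print(f"bastion option {opt}: on-prem reaches bastion={bastion_hop_works(opt)}, "
              f"open to internet={bastion_exposed_to_internet(opt)}")
    for opt in "DE":
        print(f"app option {opt}: bastion reaches app={app_hop_works(opt)}")
    print(two_tier_results())
```

Running it shows that only option C admits the on-premises connection to the bastion without admitting the rest of the internet, that option E never matches because the application instance sees the bastion's private address, and that the DB rule keyed to `sg-web` admits web instances on 1433 while rejecting the internet, the bastion, and any other port.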



A company wants to move a multi-tiered application from on premises to the AWS Cloud to improve the application's performance. The application consists of application tiers that communicate with each other by way of RESTful services. Transactions are dropped when one tier becomes overloaded. A solutions architect must design a solution that resolves these issues and modernizes the application.
Which solution meets these requirements and is the MOST operationally efficient?

  A. Use Amazon API Gateway and direct transactions to the AWS Lambda functions as the application layer. Use Amazon Simple Queue Service (Amazon SQS) as the communication layer between application services.
  B. Use Amazon CloudWatch metrics to analyze the application performance history to determine the servers' peak utilization during the performance failures. Increase the size of the application server's Amazon EC2 instances to meet the peak requirements.
  C. Use Amazon Simple Notification Service (Amazon SNS) to handle the messaging between application servers running on Amazon EC2 in an Auto Scaling group. Use Amazon CloudWatch to monitor the SNS queue length and scale up and down as required.
  D. Use Amazon Simple Queue Service (Amazon SQS) to handle the messaging between application servers running on Amazon EC2 in an Auto Scaling group. Use Amazon CloudWatch to monitor the SQS queue length and scale up when communication failures are detected.

Answer(s): A

Explanation:

A) Uses API Gateway and Lambda for the application tier, with SQS as the decoupled messaging backbone. This reduces coupling, elastically scales responsive endpoints, and prevents cascading failures when a tier is overloaded, satisfying operational efficiency through serverless components and asynchronous queues.
B) Relies on manual scaling of EC2 instances based on historic metrics; does not address decoupling or prevent overloads and is not operationally efficient.
C) SNS is a pub/sub fan-out service, not designed as a reliable queue for request/response between tightly coupled tiers; monitoring queue length in SNS is not applicable for autoscaling decisions in this pattern.
D) SQS decouples components but pairing with EC2 ASGs and monitoring queue length is less efficient than a serverless approach; also does not leverage API Gateway/Lambda for core modernization.
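The reason a queue between tiers stops transactions from being dropped is load levelling: a burst that exceeds a tier's capacity waits in the queue instead of being rejected by a synchronous RESTful call. The following added, constructed example (not code from the question set and not AWS code) models one downstream tier that completes a fixed number of requests per tick, first with direct calls and then with a queue in front of it; the arrival counts and capacity are made up.

```python
"""Load-levelling sketch for the overloaded-tier problem in the question above.

Added, constructed example; not code from the question set and not AWS code.
One downstream tier completes `capacity` requests per tick. With direct
tier-to-tier calls, requests beyond capacity in a tick are lost. With a
queue in front of the tier (the role SQS plays in options A and D), surplus
requests wait in a backlog and are drained in later ticks, so nothing is
lost; the cost is latency, visible as the peak backlog.
"""
from collections import deque


def synchronous_tier(arrivals, capacity):
    """Direct calls: whatever the tier cannot serve in the tick it arrived is dropped."""
    processed = dropped = 0
    for n in arrivals:
        served = min(n, capacity)
        processed += served
        dropped += n - served
    return {"processed": processed, "dropped": dropped, "ticks": len(arrivals)}


def queued_tier(arrivals, capacity):
    """Producer -> queue -> consumer: surplus waits, and the consumer keeps
    draining after arrivals stop. Reports the peak backlog (what a CloudWatch
    queue-depth metric would show) and how many ticks the drain took."""
    backlog = deque()
    pending = list(arrivals)
    processed = peak = ticks = 0
    while pending or backlog:
        if pending:
            backlog.extend([1] * pending.pop(0))  # enqueue this tick's arrivals
        peak = max(peak, len(backlog))
        for _ in range(min(capacity, len(backlog))):
            backlog.popleft()
            processed += 1
        ticks += 1
    return {"processed": processed, "dropped": 0, "peak_backlog": peak, "ticks": ticks}


# Constructed workload (assumption): a quiet tier hit by a spike in tick 3.
BURST = [1, 1, 10, 1, 1]
CAPACITY = 3

if __name__ == "__main__":
    print("synchronous:", synchronous_tier(BURST, CAPACITY))
    print("queued:     ", queued_tier(BURST, CAPACITY))
```

With this workload the synchronous design loses half of the 14 transactions during the spike, while the queued design completes all 14 over one extra tick with a peak backlog of 10; that backlog is also the signal an Auto Scaling policy in option D would react to, which is why a queue-depth metric, not a failure count, is the right scaling trigger.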



A company receives 10 TB of instrumentation data each day from several machines located at a single factory. The data consists of JSON files stored on a storage area network (SAN) in an on-premises data center located within the factory. The company wants to send this data to Amazon S3 where it can be accessed by several additional systems that provide critical near-real-time analytics. A secure transfer is important because the data is considered sensitive.
Which solution offers the MOST reliable data transfer?

  A. AWS DataSync over public internet
  B. AWS DataSync over AWS Direct Connect
  C. AWS Database Migration Service (AWS DMS) over public internet
  D. AWS Database Migration Service (AWS DMS) over AWS Direct Connect

Answer(s): B

Explanation:

AWS DataSync over AWS Direct Connect provides a secure, high-bandwidth, low-latency transfer path from on-premises SAN to S3 with reliable, incremental transfers and strong encryption, meeting near-real-time analytics needs.
A) DataSync over public internet is less reliable and sensitive to internet variability and potential security exposure.
C) DMS is for database replication, not bulk file/object transfers to S3, and not optimal for file-based JSON on SAN data.
D) DMS over Direct Connect is not appropriate for file/object migration to S3; DMS specializes in database migrations rather than general object storage transfers.



A company needs to configure a real-time data ingestion architecture for its application. The company needs an API, a process that transforms data as the data is streamed, and a storage solution for the data.
Which solution will meet these requirements with the LEAST operational overhead?

  A. Deploy an Amazon EC2 instance to host an API that sends data to an Amazon Kinesis data stream. Create an Amazon Kinesis Data Firehose delivery stream that uses the Kinesis data stream as a data source. Use AWS Lambda functions to transform the data. Use the Kinesis Data Firehose delivery stream to send the data to Amazon S3.
  B. Deploy an Amazon EC2 instance to host an API that sends data to AWS Glue. Stop source/destination checking on the EC2 instance. Use AWS Glue to transform the data and to send the data to Amazon S3.
  C. Configure an Amazon API Gateway API to send data to an Amazon Kinesis data stream. Create an Amazon Kinesis Data Firehose delivery stream that uses the Kinesis data stream as a data source. Use AWS Lambda functions to transform the data. Use the Kinesis Data Firehose delivery stream to send the data to Amazon S3.
  D. Configure an Amazon API Gateway API to send data to AWS Glue. Use AWS Lambda functions to transform the data. Use AWS Glue to send the data to Amazon S3.

Answer(s): C

Explanation:

The correct option is C because API Gateway → Kinesis Data Stream → Firehose → S3 provides a fully managed, real-time ingestion pipeline with built-in data transformation via Lambda and minimal operational overhead.
A) Also routes Kinesis data stream → Firehose → Lambda → S3, but hosts the API on EC2; the instance is an unnecessary, self-managed moving part. Feasible, but a higher operational burden than API Gateway.
B) AWS Glue is not a real-time streaming ingestion endpoint and deploying on EC2 increases management; Glue is ETL/batch-oriented, not ideal for low-latency streaming with API gateway.
D) API Gateway to Glue with Lambda lacks real-time streaming integration and Firehose buffering/delivery that reduce ops; Glue is not the streaming endpoint here.
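The transformation step in option C is a Lambda function that Kinesis Data Firehose invokes on a batch of buffered records. The following is an added example, not code from the question set or from AWS: it follows the Firehose data-transformation contract (the function receives records with a `recordId` and base64 `data`, and must return every `recordId` with a `result` of `Ok`, `Dropped` or `ProcessingFailed` plus base64 `data`). The sample event and the field names `device_id` and `reading` are constructed assumptions. Malformed records are returned as `ProcessingFailed` rather than silently dropped, so Firehose writes them to its error prefix in S3 where they can be inspected.

```python
"""Firehose data-transformation Lambda for the API Gateway -> Kinesis Data
Streams -> Kinesis Data Firehose -> S3 pipeline in option C.

Added example, not code from the question set or from AWS. The event and
response shape is the Firehose data transformation contract; the sample
event and the field names (device_id, reading) are constructed assumptions.
"""
import base64
import json
from datetime import datetime, timezone


def transform_record(raw: bytes) -> bytes:
    """Parse one JSON reading, validate it, stamp the ingest time and
    newline-terminate it so the S3 objects read as JSON Lines. Raises on bad input."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or "device_id" not in doc:
        raise ValueError("missing device_id")
    reading = float(doc["reading"])  # KeyError/ValueError/TypeError if absent or not numeric
    out = {
        "device_id": str(doc["device_id"]),
        "reading": reading,
        "ingested_at": datetime.now(timezone.utc).isoformat(),
    }
    return (json.dumps(out, separators=(",", ":")) + "\n").encode()


def lambda_handler(event, context=None):
    """Every incoming recordId is echoed back exactly once, in order. A record
    that cannot be transformed is marked ProcessingFailed (Firehose then
    writes it to the error prefix on S3) instead of being silently lost."""
    output = []
    for rec in event["records"]:
        try:
            data = transform_record(base64.b64decode(rec["data"]))
            output.append({"recordId": rec["recordId"], "result": "Ok",
                           "data": base64.b64encode(data).decode()})
        except (ValueError, TypeError, KeyError):  # json.JSONDecodeError is a ValueError
            output.append({"recordId": rec["recordId"], "result": "ProcessingFailed",
                           "data": rec["data"]})
    return {"records": output}


def encode_json_record(obj) -> str:
    """Base64-encode a JSON document the way Firehose presents record data."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


def decode_ok_records(response):
    """Decode the transformed payloads of the Ok records back into dicts."""
    return [json.loads(base64.b64decode(r["data"]))
            for r in response["records"] if r["result"] == "Ok"]


def summarize(response):
    """Map recordId -> result, handy for checking the batch outcome."""
    return {r["recordId"]: r["result"] for r in response["records"]}


# Constructed sample batch (assumption): one good record, one non-JSON
# record and one JSON record missing device_id.
SAMPLE_EVENT = {"records": [
    {"recordId": "r1", "data": encode_json_record({"device_id": "m-01", "reading": "21.5"})},
    {"recordId": "r2", "data": base64.b64encode(b"not json").decode()},
    {"recordId": "r3", "data": encode_json_record({"reading": 3})},
]}

if __name__ == "__main__":
    print(summarize(lambda_handler(SAMPLE_EVENT)))
```

Two details matter operationally: Firehose rejects the whole batch if any `recordId` is missing from the response, so the handler never filters records out, and the newline appended to each payload is what keeps consecutive readings parseable once Firehose concatenates them into one S3 object.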



A company needs to keep user transaction data in an Amazon DynamoDB table. The company must retain the data for 7 years.
What is the MOST operationally efficient solution that meets these requirements?

  A. Use DynamoDB point-in-time recovery to back up the table continuously.
  B. Use AWS Backup to create backup schedules and retention policies for the table.
  C. Create an on-demand backup of the table by using the DynamoDB console. Store the backup in an Amazon S3 bucket. Set an S3 Lifecycle configuration for the S3 bucket.
  D. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke an AWS Lambda function. Configure the Lambda function to back up the table and to store the backup in an Amazon S3 bucket. Set an S3 Lifecycle configuration for the S3 bucket.

Answer(s): B

Explanation:

AWS Backup provides centralized, automated backup planning with schedules and long-term retention policies for DynamoDB, meeting the 7-year retention requirement with minimal operational overhead.
A) Point-in-time recovery keeps continuous backups for a recovery window of 35 days (default); it is not a 7-year archive.
C) On-demand DynamoDB backups stored in S3 require manual initiation and separate lifecycle management; less scalable for policy-driven retention.
D) Event-driven Lambda backup introduces operational overhead and risk of gaps; not as efficient as a managed backup service with retention policies.
B) Correct: centralized, policy-driven backup schedules and retention via AWS Backup.



A company is planning to use an Amazon DynamoDB table for data storage. The company is concerned about cost optimization. The table will not be used on most mornings. In the evenings, the read and write traffic will often be unpredictable. When traffic spikes occur, they will happen very quickly.
What should a solutions architect recommend?

  A. Create a DynamoDB table in on-demand capacity mode.
  B. Create a DynamoDB table with a global secondary index.
  C. Create a DynamoDB table with provisioned capacity and auto scaling.
  D. Create a DynamoDB table in provisioned capacity mode, and configure it as a global table.

Answer(s): A

Explanation:

A) Correct: DynamoDB on-demand mode absorbs unpredictable traffic automatically with pay-per-request pricing, so there is no capacity to provision or scale and no charge for the idle mornings.
B) Incorrect: a global secondary index changes how the data can be queried; it does not address throughput provisioning or burst handling.
C) Incorrect: provisioned capacity with auto scaling can handle some variability, but it reacts to observed consumption and may not respond instantly to sudden spikes, whereas on-demand is designed for unpredictable workloads.
D) Incorrect: global tables provide multi-Region replication, not cost optimization for bursty traffic.
Overall, on-demand is best for infrequent usage with highly variable, sudden traffic.



A company recently signed a contract with an AWS Managed Service Provider (MSP) Partner for help with an application migration initiative. A solutions architect needs to share an Amazon Machine Image (AMI) from an existing AWS account with the MSP Partner's AWS account. The AMI is backed by Amazon Elastic Block Store (Amazon EBS) and uses an AWS Key Management Service (AWS KMS) customer managed key to encrypt EBS volume snapshots.
What is the MOST secure way for the solutions architect to share the AMI with the MSP Partner's AWS account?

  A. Make the encrypted AMI and snapshots publicly available. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  B. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to allow the MSP Partner's AWS account to use the key.
  C. Modify the launchPermission property of the AMI. Share the AMI with the MSP Partner's AWS account only. Modify the key policy to trust a new KMS key that is owned by the MSP Partner for encryption.
  D. Export the AMI from the source account to an Amazon S3 bucket in the MSP Partner's AWS account. Encrypt the S3 bucket with a new KMS key that is owned by the MSP Partner. Copy and launch the AMI in the MSP Partner's AWS account.

Answer(s): B

Explanation:

Sharing the AMI through a launchPermission restricted to the MSP Partner's account, and updating the KMS key policy so that account can use the key that encrypts the EBS snapshots, is the correct and secure approach (option B). It preserves encryption, avoids public exposure, and restricts access to the intended account.
A is incorrect because making the AMI and snapshots public is insecure and contradicts least-privilege; it also improperly modifies the key policy to share the key publicly.
C is incorrect because trusting a new MSP-owned KMS key for encryption is unnecessary and adds complexity; the original KMS key can be shared with the MSP account via proper key policy.
D is incorrect because exporting to S3 and recreating the AMI in the MSP account is unnecessary and risks integrity; sharing the AMI with proper launch permissions is simpler and secure.
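Option B has two concrete pieces: the AMI's launch permission and the key policy on the customer managed key. The following added example (not code from the question set or from AWS) builds both as the structures boto3's `ec2.modify_image_attribute` and `kms.put_key_policy` accept, and includes the check a reviewer would run before applying a policy: that no Allow statement uses a wildcard principal, which is the mistake in option A. The KMS actions are the ones AWS documents for cross-account use of encrypted snapshots and AMIs; the account IDs, key ARN and AMI ID are placeholders.

```python
"""Sharing an encrypted, EBS-backed AMI with one partner account (option B).

Added example, not code from the question set or from AWS. Account IDs, the
key ARN and the AMI ID are placeholders (assumptions). The KMS actions are
those AWS documents for letting another account use a customer managed key
with EBS snapshots and AMIs.
"""
import json

SOURCE_ACCOUNT = "111111111111"   # placeholder: AMI owner
PARTNER_ACCOUNT = "222222222222"  # placeholder: MSP Partner account
KEY_ID = "PLACEHOLDER-KEY-ID"
AMI_ID = "ami-PLACEHOLDER"

# Actions the partner needs to decrypt snapshots and launch from the AMI.
PARTNER_KEY_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"]


def launch_permission_request(ami_id, account_id):
    """kwargs for ec2.modify_image_attribute: share with one account, never with 'all'."""
    return {"ImageId": ami_id, "Attribute": "launchPermission",
            "LaunchPermission": {"Add": [{"UserId": account_id}]}}


def build_key_policy(source_account, partner_account):
    """Key policy keeping full control with the owning account and granting the
    partner only key use plus grants scoped to AWS resources (EBS/EC2)."""
    owner = f"arn:aws:iam::{source_account}:root"
    partner = f"arn:aws:iam::{partner_account}:root"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": owner}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowPartnerUseOfTheKey", "Effect": "Allow",
         "Principal": {"AWS": partner}, "Action": PARTNER_KEY_ACTIONS, "Resource": "*"},
        {"Sid": "AllowPartnerGrantsForAWSResources", "Effect": "Allow",
         "Principal": {"AWS": partner},
         "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
         "Resource": "*",
         "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
    ]}


def put_key_policy_request(key_id, policy):
    """kwargs for kms.put_key_policy (the policy document is passed as a JSON string)."""
    return {"KeyId": key_id, "PolicyName": "default", "Policy": json.dumps(policy)}


def _principal_list(statement):
    p = statement.get("Principal")
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def policy_shares_publicly(policy):
    """True if any Allow statement names a wildcard principal; that is option A's
    mistake and should block the change in review."""
    return any(st.get("Effect") == "Allow" and "*" in _principal_list(st)
               for st in policy["Statement"])


def accounts_granted(policy):
    """Account IDs that appear as principals in Allow statements."""
    ids = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        for arn in _principal_list(st):
            parts = arn.split(":")
            if len(parts) == 6 and parts[2] == "iam":
                ids.add(parts[4])
    return ids


if __name__ == "__main__":
    policy = build_key_policy(SOURCE_ACCOUNT, PARTNER_ACCOUNT)
    assert not policy_shares_publicly(policy), "refusing to apply a public key policy"
    print(json.dumps(launch_permission_request(AMI_ID, PARTNER_ACCOUNT), indent=2))
    print(json.dumps(put_key_policy_request(KEY_ID, policy), indent=2))
```

The key stays owned and administered by the source account; the partner gets use of it, and its `CreateGrant` permission is conditioned on `kms:GrantIsForAWSResource` so the grant can only be created on behalf of an AWS service such as EC2 attaching a volume, not delegated freely. In option C the partner's own key would never be able to decrypt snapshots encrypted under the source key, which is why swapping keys does not help.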



Share your comments for Amazon AWS Certified Solutions Architect - Associate exam with other users:

Aloke Paul
9/11/2023 6:53:00 AM

Is this valid for CHFI v9 as well... as I am reker 3rd time...

Calbert Francis
1/15/2024 8:19:00 PM

Great exam for people taking 220-1101.

Ayushi Baria
11/7/2023 7:44:00 AM

This is very helpful for me.

alma
8/25/2023 1:20:00 PM

Just started preparing for the exam.

CW
7/10/2023 6:46:00 PM

These are the type of questions I need.

Nobody
8/30/2023 9:54:00 PM

Does this actually work? Are they the exam questions and answers word for word?

Salah
7/23/2023 9:46:00 AM

Thanks for providing these questions.

Ritu
9/15/2023 5:55:00 AM

Interesting.

Ron
5/30/2023 8:33:00 AM

These dumps are pretty good.

Sowl
8/10/2023 6:22:00 PM

Good questions.

Blessious Phiri
8/15/2023 2:02:00 PM

DBUA is used for upgrading Oracle Database.

Richard
10/24/2023 6:12:00 AM

I am thrilled to say that I passed my Amazon Web Services MLS-C01 exam, thanks to the study materials. They were comprehensive and well-structured, making my preparation efficient.

Janjua
5/22/2023 3:31:00 PM

Please upload the latest IBM ACE C1000-056 dumps.

Matt
12/30/2023 11:18:00 AM

If only explanations were provided...

Rasha
6/29/2023 8:23:00 PM

Yes.. I need the dump if you can help me.

Anonymous
7/25/2023 8:05:00 AM

Good morning, could you please upload this exam again?

AJ
9/24/2023 9:32:00 AM

Hi, please upload SRE Foundation and Practitioner exam questions.

peter parker
8/10/2023 10:59:00 AM

The exam is listed as 80 questions with a pass mark of 70%; how are your 50 questions related?

Berihun
7/13/2023 7:29:00 AM

All questions are so important and cover all CCNA modules.

nspk
1/19/2024 12:53:00 AM

Q 44. Ans: B (go to Setup > Order Settings > select Enable Optional Price Books for Orders). Reference link --> https://resources.docs.salesforce.com/latest/latest/en-us/sfdc/pdf/sfom_impl_b2b_b2b2c.pdf (Decide whether you want to enable the optional price books feature. If so, select Enable Optional Price Books for Orders. You can use orders in Salesforce while managing price books in an external platform. If you're using D2C Commerce, you must select Enable Optional Price Books for Orders.)

Muhammad Rawish Siddiqui
12/2/2023 5:28:00 AM

"Cost of replacing data if it were lost" is also correct.

Anonymous
7/14/2023 3:17:00 AM

Pls upload the questions.

Mukesh
7/10/2023 4:14:00 PM

Good questions.

Elie Abou Chrouch
12/11/2023 3:38:00 AM

Question 182 - correct answer is D. Ethernet frame length is 64 - 1518 B. Length of user data contained in that frame: 46 - 1500 B.

Damien
9/23/2023 8:37:00 AM

I need this exam pls.

Nani
9/10/2023 12:02:00 PM

It's required for me; please enable access. Thanks.

ethiopia
8/2/2023 2:18:00 AM

Seems good..

whoAreWeReally
12/19/2023 8:29:00 PM

Took the test last week; I did have about 15 - 20 word for word from this site on the test. (I was only able to cram 600 of the questions from this site, so maybe more were there I didn't review.) Had 4 labs: BGP, LACP, VRF with tunnels, and actually had to skip a lab due to time. Lots of automation syntax questions.

vs
9/2/2023 12:19:00 PM

No comments.

john adenu
11/14/2023 11:02:00 AM

Nice questions bring out the best in you.

Osman
11/21/2023 2:27:00 PM

Really helpful.

Edward
9/13/2023 5:27:00 PM

Question #50 and question #81 are exactly the same question: Azure Site Recovery provides ________ for virtual machines. The first says that fault tolerance is the answer and the second says disaster recovery. From my research, it says it should be disaster recovery. Can anybody explain to me why? Thank you.

Monti
5/24/2023 11:14:00 PM

I am thankful for these exam dump questions; I would not have passed without these exam dumps.

Anon
10/25/2023 10:48:00 PM

Some of the answers seem to be inaccurate. Q10 for example, shouldn't it be an M custom column?
