Amazon AWS Certified Solutions Architect - Associate SAA-C03 AWS Certified Solutions Architect - Associate Dumps in PDF

Free Amazon AWS Certified Solutions Architect - Associate Real Questions (page: 22)

A company is concerned about the security of its public web application due to recent web attacks. The application uses an Application Load Balancer (ALB). A solutions architect must reduce the risk of DDoS attacks against the application.
What should the solutions architect do to meet this requirement?

  A. Add an Amazon Inspector agent to the ALB.
  B. Configure Amazon Macie to prevent attacks.
  C. Enable AWS Shield Advanced to prevent attacks.
  D. Configure Amazon GuardDuty to monitor the ALB.

Answer(s): C

Explanation:

Enabling AWS Shield Advanced provides DDoS protection at the edge and integrates with ALB, offering enhanced DDoS mitigation, scrubbing, and 24/7 DDoS response team support, directly addressing DDoS risk for the public web application. A) Amazon Inspector assesses EC2 instances, not real-time DDoS protection on ALB. B) Amazon Macie focuses on data security and privacy, not DDoS defense. D) Amazon GuardDuty monitors for threats and compromised instances, not active DDoS mitigation for an ALB. Therefore, Shield Advanced is the correct choice.



A company’s web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only.
Which configuration will meet this requirement?

  A. Configure the security group for the EC2 instances.
  B. Configure the security group on the Application Load Balancer.
  C. Configure AWS WAF on the Application Load Balancer in a VPC.
  D. Configure the network ACL for the subnet that contains the EC2 instances.

Answer(s): C

Explanation:

A) The security group on the EC2 instances does not filter by geographic location; it controls traffic at the instance level, not country-based access. B) The security group on the ALB does not provide country-based filtering; security groups are per resource and operate at the IP/port level without geo controls. C) AWS WAF on the ALB supports geo match conditions to allow or block requests by country, satisfying the requirement. D) Network ACLs operate at the subnet level and do not offer granular geo-based filtering for specific country access.



A company provides an API to its users that automates inquiries for tax computations based on item prices. The company experiences a larger number of inquiries during the holiday season only that cause slower response times. A solutions architect needs to design a solution that is scalable and elastic.
What should the solutions architect do to accomplish this?

  A. Provide an API hosted on an Amazon EC2 instance. The EC2 instance performs the required computations when the API request is made.
  B. Design a REST API using Amazon API Gateway that accepts the item names. API Gateway passes item names to AWS Lambda for tax computations.
  C. Create an Application Load Balancer that has two Amazon EC2 instances behind it. The EC2 instances will compute the tax on the received item names.
  D. Design a REST API using Amazon API Gateway that connects with an API hosted on an Amazon EC2 instance. API Gateway accepts and passes the item names to the EC2 instance for tax computations.

Answer(s): B

Explanation:

A REST API with API Gateway and AWS Lambda (B) is scalable and elastic, as API Gateway handles traffic management and Lambda provides automatic scaling for compute without provisioning servers. Lambda’s pay-per-use model fits seasonal spikes.
A: EC2-based compute is not inherently elastic; requires provisioning and scaling groups, which adds management overhead and slower cold starts.
C: ELB with fixed EC2 instances lacks automatic scaling during spikes and requires manual capacity planning.
D: API Gateway-to-EC2 integration reintroduces server management and lacks the fully serverless, scalable benefits of Lambda; adds latency from the extra hop.



A solutions architect is creating a new Amazon CloudFront distribution for an application. Some of the information submitted by users is sensitive. The application uses HTTPS but needs another layer of security. The sensitive information should be protected throughout the entire application stack, and access to the information should be restricted to certain applications.
Which action should the solutions architect take?

  A. Configure a CloudFront signed URL.
  B. Configure a CloudFront signed cookie.
  C. Configure a CloudFront field-level encryption profile.
  D. Configure CloudFront and set the Origin Protocol Policy setting to HTTPS Only for the Viewer Protocol Policy.

Answer(s): C

Explanation:

CloudFront field-level encryption (FLE) encrypts specific data fields in user requests at the edge, protecting sensitive information end-to-end through the stack and restricting access to designated applications that hold the decryption keys.
A) A CloudFront signed URL only controls access to the content; it does not provide field-level data protection. B) Signed cookies also manage access, not data encryption within requests. D) Origin Protocol Policy HTTPS Only ensures transport security to the origin, but does not encrypt specific fields in transit or enforce per-field access control. C) Correct: FLE provides per-field encryption, meeting the requirement for protecting sensitive information across the stack and limiting access to authorized apps.



A gaming company hosts a browser-based application on AWS. The users of the application consume a large number of videos and images that are stored in Amazon S3. This content is the same for all users.
The application has increased in popularity, and millions of users worldwide are accessing these media files. The company wants to provide the files to the users while reducing the load on the origin.
Which solution meets these requirements MOST cost-effectively?

  A. Deploy an AWS Global Accelerator accelerator in front of the web servers.
  B. Deploy an Amazon CloudFront web distribution in front of the S3 bucket.
  C. Deploy an Amazon ElastiCache for Redis instance in front of the web servers.
  D. Deploy an Amazon ElastiCache for Memcached instance in front of the web servers.

Answer(s): B

Explanation:

Using CloudFront in front of S3 caches and delivers static media at edge locations, reducing origin load and lowering cost for global, cacheable content.
A) Global Accelerator optimizes network paths to endpoints but does not provide caching for S3 content, so cost reduction and cache benefits are limited.
C) ElastiCache for Redis introduces a caching layer but is stateful and requires application changes; it sits behind the app, not at the edge for static media.
D) ElastiCache for Memcached similarly adds a cache but at the origin side; it’s not a global CDN and lacks edge caching for S3 content.



A company has a multi-tier application that runs six front-end web servers in an Amazon EC2 Auto Scaling group in a single Availability Zone behind an Application Load Balancer (ALB). A solutions architect needs to modify the infrastructure to be highly available without modifying the application.
Which architecture should the solutions architect choose that provides high availability?

  A. Create an Auto Scaling group that uses three instances across each of two Regions.
  B. Modify the Auto Scaling group to use three instances across each of two Availability Zones.
  C. Create an Auto Scaling template that can be used to quickly create more instances in another Region.
  D. Change the ALB in front of the Amazon EC2 instances in a round-robin configuration to balance traffic to the web tier.

Answer(s): B

Explanation:

The correct answer is B.
A) Deploying across two Regions is unnecessary for regional HA and introduces cross-region latency and data transfer costs; not required for high availability within a single application.
B) Using three instances across two Availability Zones distributes load and resilience against AZ failures, meeting HA requirements without modifying the app.
C) An Auto Scaling template to another Region aids rapid deployment but does not ensure active HA without cross-region routing and syncing; it’s not a direct HA architecture adjustment.
D) ALB round-robin does not address AZ failure scenarios and does not increase HA beyond current single-AZ deployment.



An ecommerce company has an order-processing application that uses Amazon API Gateway and an AWS Lambda function. The application stores data in an Amazon Aurora PostgreSQL database. During a recent sales event, a sudden surge in customer orders occurred. Some customers experienced timeouts, and the application did not process the orders of those customers.
A solutions architect determined that the CPU utilization and memory utilization were high on the database because of a large number of open connections. The solutions architect needs to prevent the timeout errors while making the least possible changes to the application.
Which solution will meet these requirements?

  A. Configure provisioned concurrency for the Lambda function. Modify the database to be a global database in multiple AWS Regions.
  B. Use Amazon RDS Proxy to create a proxy for the database. Modify the Lambda function to use the RDS Proxy endpoint instead of the database endpoint.
  C. Create a read replica for the database in a different AWS Region. Use query string parameters in API Gateway to route traffic to the read replica.
  D. Migrate the data from Aurora PostgreSQL to Amazon DynamoDB by using AWS Database Migration Service (AWS DMS). Modify the Lambda function to use the DynamoDB table.

Answer(s): B

Explanation:

Amazon RDS Proxy offloads and multiplexes database connections, reducing open connections and CPU/memory pressure on Aurora PostgreSQL during spikes, which minimizes timeouts without substantial application changes. A) Provisioned concurrency helps Lambda cold-starts but does not address DB connection saturation. Global database and regional failover add complexity and latency rather than solving connection limits. C) Read replicas in another region do not alleviate connection saturation and routing via API Gateway adds overhead. D) Migrating to DynamoDB is a major architecture change and unnecessary for this issue. B) correctly targets connection management with minimal changes to the Lambda and existing Aurora setup.



An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table.
What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?

  A. Use a VPC endpoint for DynamoDB.
  B. Use a NAT gateway in a public subnet.
  C. Use a NAT instance in a private subnet.
  D. Use the internet gateway attached to the VPC.

Answer(s): A

Explanation:

A) A VPC endpoint for DynamoDB provides private, secure connectivity to DynamoDB from within the VPC without traversing the public internet, ensuring traffic stays on the AWS network.
B) A NAT gateway allows private-subnet instances to access the internet, not DynamoDB privately, and could expose traffic to the public internet if DynamoDB were reachable otherwise.
C) A NAT instance has similar limitations and maintenance overhead as a NAT gateway, and still routes through the public internet unless the service supports VPC endpoints.
D) An internet gateway would route traffic to the public internet, not keeping it entirely within the AWS network.



Share your comments for Amazon AWS Certified Solutions Architect - Associate exam with other users:

Anonymous User
4/14/2026 12:31:34 PM

Question 2:
For question 2, the key concept is the Longest Prefix Match. Routers pick the route whose subnet mask is the most specific (largest prefix length) that still matches the destination IP.
From the options:

  • A) 10.10.10.0/28 → 10.10.10.0–10.10.10.15
  • B) 10.10.13.0/25 → 10.10.13.0–10.10.13.127
  • C) 10.10.13.144/28 → 10.10.13.144–10.10.13.159
  • D) 10.10.13.208/29 → 10.10.13.208–10.10.13.215

The destination Host A’s IP must fall within 10.10.13.208–10.10.13.215 for the /29 to be the best match. Since /29 is the longest prefix among the matching options, Router1 will use 10.10.13.208/29.
Thus, the correct answer is D.

srameh
4/14/2026 10:09:29 AM

Question 3:

  • Correct answer: Phase 4, Post Accreditation

  • Explanation:
- In DITSCAP, the four phases are:
  - Phase 1: Definition (concept and requirements)
  - Phase 2: Verification (design and testing)
  - Phase 3: Validation (fielding and evaluation)
  - Phase 4: Post Accreditation (ongoing operations and lifecycle management)
- The description—continuing operation of an accredited IT system and addressing changing threats throughout its life cycle—fits the Post Accreditation phase, which covers operations, maintenance, monitoring, and reauthorization as threats and environment evolve.

onibokun10
4/13/2026 7:50:14 PM

Question 129:
Correct answer: CNAME

  • A CNAME record creates an alias for a domain, so newapplication.comptia.org will resolve to whatever IP address www.comptia.org resolves to. This ensures both names point to the same resource without duplicating the IP.
  • Why not the others:
- SOA defines authoritative information for a zone.
- MX specifies mail exchange servers.
- NS designates name servers for a zone.
  • Notes: The alias name (newapplication.comptia.org) should not have other records if you use a CNAME for it, and CNAMEs aren’t used for the zone apex (root) domain. This scenario uses a subdomain, so a CNAME is appropriate.

Anonymous User
4/13/2026 6:29:58 PM

Question 1:

  • Correct answer: C

  • Why this is best:
- Uses OS Login with IAM, so SSH access is granted via Google accounts rather than distributing per-user SSH keys.
- Granting the compute.osAdminLogin role to a Google group gives admin access to all team members in a centralized, auditable way.
- Access is auditable: Cloud Audit Logs show who accessed which VM, satisfying the security requirement to determine who accessed a given instance.
  • How it works:
- Enable OS Login on the project/instances (enable-oslogin metadata).
- Add the team’s

Anonymous User
4/13/2026 1:00:51 PM

Question 2:

  • Answer: D. Azure Advisor

  • Why: To view security-related recommendations for resources in the Compute and Apps area (including App Service Web Apps and Functions), you use Azure Advisor. Advisor surfaces personalized best-practice recommendations across resources, including security, and shows which resources are affected and the severity.

  • Why not the others:
- Azure Log Analytics is for ad-hoc querying of telemetry, not for viewing security recommendations.
- Azure Event Hubs is for streaming telemetry data, not for security recommendations.
  • Quick tip: In the portal, navigate to Azure Advisor and check the Security recommendations for App Services to see actionable items and affe

Don
4/11/2026 5:36:42 AM

Recommend using AI for Solutions rather than the Answer(s) submitted here

Mogae Malapela
4/8/2026 6:37:56 AM

This is very interesting

Anon
4/6/2026 5:22:54 PM

Are these the same questions you have to pay for in ExamTopics?

LRK
3/22/2026 2:38:08 PM

For Question 7 - while the answer description indicates the correct answer, the option no. mentioned is incorrect. Nice and comprehensive. Thank you.

Rian
3/19/2026 9:12:10 AM

This is very good and accurate. The explanation is very helpful, even though some are not 100% right but good enough to pass.

Gerrard
3/18/2026 6:58:37 AM

The DP-900 exam can be tricky if you aren't familiar with Microsoft’s specific cloud terminology. I used the practice questions from free-braindumps.com and found them incredibly helpful. The site breaks down core data concepts and Azure services in a way that actually mirrors the real test. As a result, I passed my exam.

Vineet Kumar
3/6/2026 5:26:16 AM

interesting

Joe
1/20/2026 8:25:24 AM

Passed this exam 2 days ago. These questions are in the exam. You are safe to use them.

NJ
12/24/2025 10:39:07 AM

Helpful to test your preparedness before giving exam

Ashwini
12/17/2025 8:24:45 AM

Really helped

Jagadesh
12/16/2025 9:57:10 AM

Good explanation

shobha
11/29/2025 2:19:59 AM

very helpful

Pandithurai
11/12/2025 12:16:21 PM

Question 1, Ans is - Developer,Standard,Professional Direct and Premier

Einstein
11/8/2025 4:13:37 AM

Passed this exam in first appointment. Great resource and valid exam dump.

David
10/31/2025 4:06:16 PM

Today I wrote this exam and passed; I totally relied on this practice exam. The questions were very tough; these questions are valid and I encountered the same.

Thor
10/21/2025 5:16:29 AM

Anyone used this dump recently?

Vladimir
9/25/2025 9:11:14 AM

173 question is A not D

khaos
9/21/2025 7:07:26 AM

nice questions

Katiso Lehasa
9/15/2025 11:21:52 PM

Thanks for the practice questions they helped me a lot.

Einstein
9/2/2025 7:42:00 PM

Passed this exam today. All questions are valid and this is not something you can find in ChatGPT.

vito
8/22/2025 4:16:51 AM

I need to pass the exam for VMware 2V0-11.25

Matt
7/31/2025 11:44:40 PM

Great questions.

OLERATO
7/1/2025 5:44:14 AM

great dumps to practice for the exam

Adekunle willaims
6/9/2025 7:37:29 AM

How reliable and relevant are these questions? Also, I can see the last update here was January and definitely new questions would have emerged.

Alex
5/24/2025 12:54:15 AM

Can I trust this source?

SPriyak
3/17/2025 11:08:37 AM

Can you please provide the latest CBDA test preparation?

Chandra
11/28/2024 7:17:38 AM

This is the best and only way of passing this exam as it is extremely hard. Good questions and valid dump.

Sunak
1/25/2025 9:17:57 AM

Can I use these dumps when I am taking the exam? I mean, does somebody look at what tabs or windows I have opened?

Frank
2/15/2024 11:36:57 AM

Finally got a chance to write this exam and pass it! Valid and accurate!
