Amazon AWS Certified Solutions Architect - Associate SAA-C03 AWS Certified Solutions Architect - Associate Dumps in PDF

Free Amazon AWS Certified Solutions Architect - Associate Real Questions (page: 5)

A company runs an online marketplace web application on AWS. The application serves hundreds of thousands of users during peak hours. The company needs a scalable, near-real-time solution to share the details of millions of financial transactions with several other internal applications. Transactions also need to be processed to remove sensitive data before being stored in a document database for low-latency retrieval.
What should a solutions architect recommend to meet these requirements?

  A. Store the transactions data into Amazon DynamoDB. Set up a rule in DynamoDB to remove sensitive data from every transaction upon write. Use DynamoDB Streams to share the transactions data with other applications.
  B. Stream the transactions data into Amazon Kinesis Data Firehose to store data in Amazon DynamoDB and Amazon S3. Use AWS Lambda integration with Kinesis Data Firehose to remove sensitive data. Other applications can consume the data stored in Amazon S3.
  C. Stream the transactions data into Amazon Kinesis Data Streams. Use AWS Lambda integration to remove sensitive data from every transaction and then store the transactions data in Amazon DynamoDB. Other applications can consume the transactions data off the Kinesis data stream.
  D. Store the batched transactions data in Amazon S3 as files. Use AWS Lambda to process every file and remove sensitive data before updating the files in Amazon S3. The Lambda function then stores the data in Amazon DynamoDB. Other applications can consume transaction files stored in Amazon S3.

Answer(s): C

Explanation:

The correct answer, C, uses Kinesis Data Streams for near-real-time ingestion, Lambda for on-the-fly redaction, and DynamoDB for low-latency storage accessible by multiple applications, meeting scalability and latency requirements.
A is incorrect because DynamoDB Streams with direct writes and in-place data masking is not designed for real-time processing of large volumes and cross-application consumption with flexible transformation; it’s better suited for event-driven updates, not streaming ingestion.
B is incorrect because Firehose is for near-real-time delivery to destinations (S3, Redshift, DynamoDB) but introducing Firehose plus Lambda redaction adds latency and complexity; batch-oriented storage in S3 is less suitable for low-latency access.
D is incorrect because batching to S3 and per-file Lambda processing introduces additional delay and complexity; DynamoDB as the primary low-latency store is not used directly for stream consumers here.



A company hosts its multi-tier applications on AWS. For compliance, governance, auditing, and security, the company must track configuration changes on its AWS resources and record a history of API calls made to these resources.
What should a solutions architect do to meet these requirements?

  A. Use AWS CloudTrail to track configuration changes and AWS Config to record API calls.
  B. Use AWS Config to track configuration changes and AWS CloudTrail to record API calls.
  C. Use AWS Config to track configuration changes and Amazon CloudWatch to record API calls.
  D. Use AWS CloudTrail to track configuration changes and Amazon CloudWatch to record API calls.

Answer(s): B

Explanation:

AWS Config tracks configuration changes and provides a history of resource configurations, while AWS CloudTrail records API calls for governance and auditing. Therefore option B correctly assigns AWS Config for configuration history and AWS CloudTrail for API call logging.
A) Reverses roles; CloudTrail logs API activity, not configuration history; Config is needed for resource configuration changes.
C) CloudWatch does not provide a comprehensive API-call log for governance; it is primarily for metrics and logs, not an authoritative API activity history.
D) CloudTrail handles API calls, but CloudWatch alone does not provide configuration history.



A company is preparing to launch a public-facing web application in the AWS Cloud. The architecture consists of Amazon EC2 instances within a VPC behind an Elastic Load Balancer (ELB). A third-party service is used for the DNS. The company's solutions architect must recommend a solution to detect and protect against large-scale DDoS attacks.
Which solution meets these requirements?

  A. Enable Amazon GuardDuty on the account.
  B. Enable Amazon Inspector on the EC2 instances.
  C. Enable AWS Shield and assign Amazon Route 53 to it.
  D. Enable AWS Shield Advanced and assign the ELB to it.

Answer(s): D

Explanation:

AWS Shield Advanced, when assigned to the ELB, provides comprehensive DDoS protection for public-facing apps at the edge and scales with traffic, offering enhanced DDoS mitigation, 24/7 DDoS response team access, and attack analytics, which fits the requirement for large-scale protection of the web application behind an ELB.
A) GuardDuty detects anomalous activity and potential threats in AWS accounts and workloads, not dedicated DDoS mitigation.
B) Inspector assesses EC2 instances for vulnerabilities, not DDoS protection.
C) Shield with Route 53 is viable, but Route 53 is the DNS provider; Shield Advanced is primarily applied to the load balancer or CloudFront, and the option emphasizes assigning to ELB, which is the correct pairing for this scenario.



A company is building an application in the AWS Cloud. The application will store data in Amazon S3 buckets in two AWS Regions. The company must use an AWS Key Management Service (AWS KMS) customer managed key to encrypt all data that is stored in the S3 buckets. The data in both S3 buckets must be encrypted and decrypted with the same KMS key. The data and the key must be stored in each of the two Regions.
Which solution will meet these requirements with the LEAST operational overhead?

  A. Create an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  B. Create a customer managed multi-Region KMS key. Create an S3 bucket in each Region. Configure replication between the S3 buckets. Configure the application to use the KMS key with client-side encryption.
  C. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Configure replication between the S3 buckets.
  D. Create a customer managed KMS key and an S3 bucket in each Region. Configure the S3 buckets to use server-side encryption with AWS KMS keys (SSE-KMS). Configure replication between the S3 buckets.

Answer(s): B

Explanation:

The correct approach is B because a customer managed multi-Region KMS key enables cross-region accessibility for encryption/decryption without exposing keys in each region’s data plane, while replication ensures both regions contain the same data and the same KMS CMK is used via client-side encryption management.
A) Wrong because SSE-S3 does not use a customer managed key.
C) Wrong because it uses SSE-S3 (not KMS) and does not ensure the same CMK is used for both regions.
D) Wrong because it uses SSE-KMS but requires the same CMK in both regions; a multi-Region CMK with client-side encryption is more appropriate to meet “least operational overhead.”



A company recently launched a variety of new workloads on Amazon EC2 instances in its AWS account. The company needs to create a strategy to access and administer the instances remotely and securely. The company needs to implement a repeatable process that works with native AWS services and follows the AWS Well-Architected Framework.
Which solution will meet these requirements with the LEAST operational overhead?

  A. Use the EC2 serial console to directly access the terminal interface of each instance for administration.
  B. Attach the appropriate IAM role to each existing instance and new instance. Use AWS Systems Manager Session Manager to establish a remote SSH session.
  C. Create an administrative SSH key pair. Load the public key into each EC2 instance. Deploy a bastion host in a public subnet to provide a tunnel for administration of each instance.
  D. Establish an AWS Site-to-Site VPN connection. Instruct administrators to use their local on-premises machines to connect directly to the instances by using SSH keys across the VPN tunnel.

Answer(s): B

Explanation:

AWS Systems Manager Session Manager with an IAM role attached to each instance provides agent-based, audited, and permission-controlled remote access without opening inbound ports. It integrates with IAM and SSM, supports logging and session encryption, and minimizes operational overhead, fitting the Well-Architected principle of security and reliability.
A) EC2 serial console is manual, per-instance, and not scalable for remote administration at scale.
B) Correct: scalable, secure, least-ops.
C) SSH key + bastion adds maintenance, exposure, and bastion management overhead.
D) Site-to-site VPN plus direct SSH is complex, costly, and increases attack surface with direct instance exposure.



A company is hosting a static website on Amazon S3 and is using Amazon Route 53 for DNS. The website is experiencing increased demand from around the world. The company must decrease latency for users who access the website.
Which solution meets these requirements MOST cost-effectively?

  A. Replicate the S3 bucket that contains the website to all AWS Regions. Add Route 53 geolocation routing entries.
  B. Provision accelerators in AWS Global Accelerator. Associate the supplied IP addresses with the S3 bucket. Edit the Route 53 entries to point to the IP addresses of the accelerators.
  C. Add an Amazon CloudFront distribution in front of the S3 bucket. Edit the Route 53 entries to point to the CloudFront distribution.
  D. Enable S3 Transfer Acceleration on the bucket. Edit the Route 53 entries to point to the new endpoint.

Answer(s): C

Explanation:

CloudFront provides a global CDN in front of S3 with edge locations, reducing latency for worldwide users at a low, scalable cost for static websites. C is correct.
A) Not cost-effective or practical: replicating buckets across all regions multiplies storage and management overhead; geolocation routing doesn’t inherently optimize for global latency unless content is replicated.
B) AWS Global Accelerator is for regional endpoints and multi-service support; using it with S3 static site adds unnecessary cost and complexity for this use case.
D) S3 Transfer Acceleration improves transfer speed to S3, not general web latency via a CDN; pricing and latency benefits are less favorable for public static sites compared to CloudFront.



A company maintains a searchable repository of items on its website. The data is stored in an Amazon RDS for MySQL database table that contains more than 10 million rows. The database has 2 TB of General Purpose SSD storage. There are millions of updates against this data every day through the company's website.
The company has noticed that some insert operations are taking 10 seconds or longer. The company has determined that the database storage performance is the problem.
Which solution addresses this performance issue?

  A. Change the storage type to Provisioned IOPS SSD.
  B. Change the DB instance to a memory optimized instance class.
  C. Change the DB instance to a burstable performance instance class.
  D. Enable Multi-AZ RDS read replicas with MySQL native asynchronous replication.

Answer(s): A

Explanation:

Provisioned IOPS SSD provides consistent high IOPS and throughput for write-heavy workloads, mitigating long insert latencies on large, heavily updated MySQL tables.
A) Correct because IOPS/throughput must meet demand for 10M+ rows with frequent updates; GP2 may scale but can throttle under heavy write load.
B) Memory-optimized instances help CPU/RAM hot spots but don’t directly address storage IOPS/throughput bottlenecks.
C) Burstable instances (t3, t4g) can throttle performance during sustained load, worsening latency.
D) Read replicas improve read scaling, not write latency; writes still go to the primary and are the bottleneck.



A company has thousands of edge devices that collectively generate 1 TB of status alerts each day. Each alert is approximately 2 KB in size. A solutions architect needs to implement a solution to ingest and store the alerts for future analysis.
The company wants a highly available solution. However, the company needs to minimize costs and does not want to manage additional infrastructure. Additionally, the company wants to keep 14 days of data available for immediate analysis and archive any data older than 14 days.
What is the MOST operationally efficient solution that meets these requirements?

  A. Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data Firehose stream to deliver the alerts to an Amazon S3 bucket. Set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.
  B. Launch Amazon EC2 instances across two Availability Zones and place them behind an Elastic Load Balancer to ingest the alerts. Create a script on the EC2 instances that will store the alerts in an Amazon S3 bucket. Set up an S3 Lifecycle configuration to transition data to Amazon S3 Glacier after 14 days.
  C. Create an Amazon Kinesis Data Firehose delivery stream to ingest the alerts. Configure the Kinesis Data Firehose stream to deliver the alerts to an Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Set up the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster to take manual snapshots every day and delete data from the cluster that is older than 14 days.
  D. Create an Amazon Simple Queue Service (Amazon SQS) standard queue to ingest the alerts, and set the message retention period to 14 days. Configure consumers to poll the SQS queue, check the age of the message, and analyze the message data as needed. If the message is 14 days old, the consumer should copy the message to an Amazon S3 bucket and delete the message from the SQS queue.

Answer(s): A

Explanation:

A) This uses Kinesis Data Firehose to ingest at scale with managed delivery, durable S3 storage, and lifecycle policy to archive older data, meeting high availability and minimal operational overhead.
B) Requires managing EC2 fleet across AZs and custom S3 writing, increasing maintenance and cost; not as native or scalable as Firehose.
C) OpenSearch is not ideal for archival analytics and requires manual snapshots; deleting data after 14 days complicates access and increases operational burden.
D) SQS with polling and manual archival introduces complexity and potential data loss window; less suitable for continuous high-volume ingest and long-term analytics.


