Hard SAA-C03 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 8 hard questions available — no sign-up, always free.
A company hires a third-party SaaS monitoring vendor that needs read-only access to CloudWatch metrics in the company's AWS account. The vendor will access the account programmatically from their own AWS account. The security team wants to grant this access without creating long-term IAM user credentials and wants to protect against the 'confused deputy' problem where the vendor could be tricked into accessing the wrong customer's account. What is the MOST secure way to configure this access?
A company runs a chatty microservices application on EC2 across three Availability Zones in a single Region. The services exchange large volumes of traffic with each other continuously. The finance team notices a large and growing line item for inter-AZ data transfer on the monthly bill. The architecture must remain highly available, but the team wants to reduce these data transfer costs. Which approach best reduces the inter-AZ transfer charges while preserving availability?
A financial services company has established a 10 Gbps AWS Direct Connect dedicated connection between its on-premises data center and AWS. A new compliance requirement mandates that all data traversing the physical connection be encrypted at Layer 2. The security team wants the lowest-latency solution that meets this requirement without adding an overlay tunnel. What should the solutions architect recommend?
A financial services company wants to let its development team create their own IAM roles for Lambda functions without opening a ticket each time. Security requires that any role the developers create can never grant more than read/write access to a specific set of DynamoDB tables and S3 buckets, even if the developers attach broader policies. Which approach meets these requirements with the least ongoing administrative effort?
A company runs a data-processing Lambda function that must temporarily decrypt objects using a customer managed KMS key owned by a separate analytics team. The analytics team wants to allow the Lambda's execution role to decrypt for the duration of a batch job without permanently editing the KMS key policy, and they want the ability to revoke the permission programmatically when the job completes. Which approach best meets these requirements?
A financial services company runs a fleet of EC2 instances in private subnets that must reach the internet through a NAT gateway to download OS patches. Compliance rules require that outbound traffic be restricted so instances can only communicate with a specific allowlist of external domains (such as the OS vendor's update repositories) and all other outbound traffic must be blocked and logged for auditing. Which solution best meets these requirements?
A financial services company uses AWS Organizations with 40 member accounts. The security team must ensure that a tamper-resistant, centralized audit trail of all API activity across every account is retained for 7 years, and that member account administrators cannot disable or delete the logging configuration. Which approach best meets these requirements?
A company runs a fleet of EC2 instances in private subnets that make frequent API calls to Amazon DynamoDB, Amazon SQS, and AWS Systems Manager. All outbound traffic currently routes through a NAT gateway to reach these AWS service public endpoints. The finance team reports that NAT gateway data-processing charges have become a significant portion of the monthly bill. A solutions architect wants to reduce these costs while keeping traffic on the AWS network. Which approach is the MOST cost-effective?