AWS Certified Solutions Architect - Associate · Domain 1 · 30% of exam

Design Secure Architectures

Drill 20 practice questions focused entirely on Design Secure Architectures for the AWS SAA-C03 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A company hosts a public web application behind an Application Load Balancer. The security team imported a third-party TLS certificate into AWS Certificate Manager (ACM) to use on the ALB. They are concerned about an unplanned outage caused by the certificate expiring without notice. What is the MOST operationally efficient way to be alerted before this imported certificate expires?

Reviewed for accuracy · Report an issue
Question 2 of 20

A financial services company runs a web application behind an Application Load Balancer (ALB) in a public subnet, with EC2 instances in private subnets. Compliance requires that all client traffic to the application be encrypted in transit using a publicly trusted certificate, and the security team wants to minimize the operational overhead of certificate renewal. Which solution meets these requirements?

Reviewed for accuracy · Report an issue
Question 3 of 20

A company runs a public e-commerce web application behind an Application Load Balancer (ALB) in a VPC. Recently, security logs revealed repeated SQL injection attempts and malicious HTTP requests targeting the application's login and search pages. The security team needs a managed solution that inspects incoming HTTP/HTTPS requests at the application layer and blocks these attack patterns before they reach the backend instances, while allowing legitimate traffic. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 20

A financial services company must retain database and file server backups in an immutable state for seven years to satisfy a regulatory requirement. Auditors demand assurance that no user — including administrators with full IAM permissions — can shorten the retention period or delete backups before they expire. The company already uses AWS Backup to centralize backups of Amazon EBS, Amazon RDS, and Amazon EFS resources. Which approach meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 5 of 20

A media company hosts static website assets and downloadable files in an Amazon S3 bucket, distributed globally through Amazon CloudFront. Security requires that the S3 bucket must NOT be publicly accessible, and objects should only be reachable through the CloudFront distribution. Which approach meets these requirements with the least ongoing management effort?

Reviewed for accuracy · Report an issue
Question 6 of 20

A company is launching a mobile application that must allow users to sign up and sign in using their email address, and also offer the option to sign in with their existing Google or Facebook accounts. After authentication, the app calls a backend API fronted by Amazon API Gateway. The solutions architect must implement user authentication and secure the API with the least operational overhead. Which approach should the architect recommend?

Reviewed for accuracy · Report an issue
Question 7 of 20

A financial services company is expanding its AWS footprint and expects to onboard dozens of new accounts over the next year for different project teams. The security team wants every new account to automatically have a standardized baseline: centralized logging to a dedicated account, mandatory encryption configurations, and preventive controls that block non-compliant actions. They also want a dashboard showing which accounts drift from the required baseline. Which approach best meets these requirements with the least ongoing operational effort?

Reviewed for accuracy · Report an issue
Question 8 of 20

A company hires a third-party SaaS monitoring vendor that needs read-only access to CloudWatch metrics in the company's AWS account. The vendor will access the account programmatically from their own AWS account. The security team wants to grant this access without creating long-term IAM user credentials and wants to protect against the 'confused deputy' problem where the vendor could be tricked into accessing the wrong customer's account. What is the MOST secure way to configure this access?

Reviewed for accuracy · Report an issue
Question 9 of 20

A company runs a data analytics platform in a dedicated Analytics AWS account. Data is stored in an S3 bucket in a separate Data account. The analytics application runs on EC2 instances in the Analytics account and must read objects from the Data account bucket. The security team requires that no long-term access keys be stored on the EC2 instances and that access follow the principle of least privilege. Which approach meets these requirements?

Reviewed for accuracy · Report an issue
Question 10 of 20

A financial services company has established a 10 Gbps AWS Direct Connect dedicated connection between its on-premises data center and AWS. A new compliance requirement mandates that all data traversing the physical connection be encrypted at Layer 2. The security team wants the lowest-latency solution that meets this requirement without adding an overlay tunnel. What should the solutions architect recommend?

Reviewed for accuracy · Report an issue
Question 11 of 20

A financial services company stores customer records on encrypted Amazon EBS volumes in the us-east-1 Region, using a customer managed AWS KMS key. To meet disaster recovery requirements, the company must maintain encrypted copies of these EBS snapshots in the eu-west-1 Region. During testing, engineers find that snapshots copied to eu-west-1 cannot be used to launch volumes. What is the MOST likely cause and correct solution?

Reviewed for accuracy · Report an issue
Question 12 of 20

A company runs a three-tier web application in a VPC. Application servers run on EC2 instances in a private subnet, and they must connect to an Amazon RDS for PostgreSQL instance in a separate private subnet on port 5432. The security team requires that database access be restricted to only the application servers, and the solution must continue to work automatically as the Auto Scaling group adds or removes EC2 instances. Which configuration meets these requirements?

Reviewed for accuracy · Report an issue
Question 13 of 20

A development team has deployed a Python application on an Amazon EC2 instance. The application needs to read and write objects in an Amazon S3 bucket. Currently, the developers have embedded long-term IAM user access keys in the application's configuration file. A security review flagged this as a violation of AWS security best practices. Which solution should the solutions architect recommend to provide the application secure access to S3 while following the principle of least privilege?

Reviewed for accuracy · Report an issue
Question 14 of 20

A financial services company runs an application on EC2 instances in a private subnet. The instances access an S3 bucket named 'audit-logs-prod' through a VPC gateway endpoint to keep traffic off the public internet. The security team is concerned that a compromised instance could use the endpoint to exfiltrate data to other S3 buckets in different AWS accounts. Which action MOST effectively limits the endpoint so it can only be used to reach the approved bucket?

Reviewed for accuracy · Report an issue
Question 15 of 20

A company runs a fleet of EC2 instances in a production VPC. The security team wants a managed service that continuously analyzes VPC Flow Logs, DNS logs, and CloudTrail events to detect threats such as compromised instances communicating with known cryptocurrency-mining domains or command-and-control servers. The solution must require minimal setup and must not require deploying agents on the instances. Which AWS service should the team enable?

Reviewed for accuracy · Report an issue
Question 16 of 20

A company has grown to 40 AWS accounts managed under AWS Organizations. Employees currently have separate IAM users in several accounts, and administrators are struggling to manage credentials and enforce consistent permissions. The company already uses an external Microsoft Active Directory as its corporate identity source and wants employees to sign in once with their existing corporate credentials, then access only the accounts and roles appropriate to their job function. Which approach best meets these requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 17 of 20

A financial services company wants to let its development team create their own IAM roles for Lambda functions without opening a ticket each time. Security requires that any role the developers create can never grant more than read/write access to a specific set of DynamoDB tables and S3 buckets, even if the developers attach broader policies. Which approach meets these requirements with the least ongoing administrative effort?

Reviewed for accuracy · Report an issue
Question 18 of 20

A financial services company encrypts data at rest in Amazon S3 using a customer managed AWS KMS key. A new compliance policy requires that the cryptographic key material be rotated at least once every 12 months, and the audit team wants the process to be automatic with no application changes and no re-encryption of existing objects. What should the solutions architect do?

Reviewed for accuracy · Report an issue
Question 19 of 20

A company runs a data-processing Lambda function that must temporarily decrypt objects using a customer managed KMS key owned by a separate analytics team. The analytics team wants to allow the Lambda's execution role to decrypt for the duration of a batch job without permanently editing the KMS key policy, and they want the ability to revoke the permission programmatically when the job completes. Which approach best meets these requirements?

Reviewed for accuracy · Report an issue
Question 20 of 20

A company stores sensitive reports in an S3 bucket in Account A, encrypted with a customer managed AWS KMS key. A partner team operating in Account B needs to read and decrypt these objects using an IAM role. The S3 bucket policy and the IAM role in Account B have both been configured to allow the required S3 and KMS actions, but the partner still receives an AccessDenied error when downloading objects. What must the solutions architect do to resolve the issue while following least-privilege principles?

Reviewed for accuracy · Report an issue

More SAA-C03 practice

Keep going with the other AWS Certified Solutions Architect - Associate domains, or take a full timed mock exam.

← Back to SAA-C03 overview