Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Amazon
  5. SAA-C03

Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 13 )

Updated On: 18-Mar-2026
Page 13 of 205
PDF with 824 Questions

A company has registered its domain name with Amazon Route 53. The company uses Amazon API Gateway in the ca-central-1 Region as a public interface for its backend microservice APIs. Third-party services consume the APIs securely. The company wants to design its API Gateway URL with the company's domain name and corresponding certificate so that the third-party services can use HTTPS.
Which solution will meet these requirements?

  1. Create stage variables in API Gateway with Name="Endpoint-URL" and Value="Company Domain Name" to overwrite the default URL. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM).
  2. Create Route 53 DNS records with the company's domain name. Point the alias record to the Regional API Gateway stage endpoint. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the us-east-1 Region.
  3. Create a Regional API Gateway endpoint. Associate the API Gateway endpoint with the company's domain name. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region. Attach the certificate to the API Gateway endpoint. Configure Route 53 to route traffic to the API Gateway endpoint.
  4. Create a Regional API Gateway endpoint. Associate the API Gateway endpoint with the company's domain name. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the us-east-1 Region. Attach the certificate to the API Gateway APIs. Create Route 53 DNS records with the company's domain name. Point an A record to the company's domain name.

Answer(s): C

Explanation:

A) Incorrect. Stage variables cannot overwrite the base API URL to use a custom domain; ACM certificate must be attached at API Gateway custom domain, not via stage variables.
B) Incorrect. DNS alias to a Regional API Gateway endpoint is valid, but ACM certificate must be issued and associated via a Custom Domain Name in the same region; cross-region requirement and certificate handling are not satisfied as stated.
C) Correct. Use a Regional API Gateway endpoint with a Custom Domain Name and ACM certificate in the same region, attach the certificate to the custom domain, and Route 53 routes traffic to that endpoint, enabling HTTPS with the company domain.
D) Incorrect. ACM certificate must be attached to a Custom Domain Name, not directly to APIs; also A records alone to a domain require proper custom domain mapping in API Gateway.



A company is running a popular social media website. The website gives users the ability to upload images to share with other users. The company wants to make sure that the images do not contain inappropriate content. The company needs a solution that minimizes development effort.
What should a solutions architect do to meet these requirements?

  1. Use Amazon Comprehend to detect inappropriate content. Use human review for low-confidence predictions.
  2. Use Amazon Rekognition to detect inappropriate content. Use human review for low-confidence predictions.
  3. Use Amazon SageMaker to detect inappropriate content. Use ground truth to label low-confidence predictions.
  4. Use AWS Fargate to deploy a custom machine learning model to detect inappropriate content. Use ground truth to label low-confidence predictions.

Answer(s): B

Explanation:

Amazon Rekognition provides built-in image moderation with pre-trained content classifiers suitable for user-uploaded images and minimizes development effort; low-confidence predictions can be routed to human review. A) Comprehend is for text, not image content. C) SageMaker requires building/training a model, increasing effort. D) Fargate with a custom model adds unnecessary complexity compared to managed Rekognition. A and C also misalign with image content detection scope or require more customization. B correctly uses a managed service for image moderation with optional human review for uncertain cases.



A company wants to run its critical applications in containers to meet requirements for scalability and availability. The company prefers to focus on maintenance of the critical applications. The company does not want to be responsible for provisioning and managing the underlying infrastructure that runs the containerized workload.
What should a solutions architect do to meet these requirements?

  1. Use Amazon EC2 instances, and install Docker on the instances.
  2. Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 worker nodes.
  3. Use Amazon Elastic Container Service (Amazon ECS) on AWS Fargate.
  4. Use Amazon EC2 instances from an Amazon Elastic Container Service (Amazon ECS)-optimized Amazon Machine Image (AMI).

Answer(s): C

Explanation:

F) The correct answer is C. Using Amazon ECS on AWS Fargate runs containers without managing underlying servers, aligning with the requirement to avoid provisioning and managing infrastructure.
A) ECS on EC2 requires managing EC2 instances and Docker runtime, increasing maintenance.
B) ECS on EC2 again delegates to EC2 hosts you must manage, not meeting the no-infrastructure-management goal.
D) ECS-optimized AMI on EC2 still requires patching and managing the EC2 instances and OS.



A company hosts more than 300 global websites and applications. The company requires a platform to analyze more than 30 TB of clickstream data each day.
What should a solutions architect do to transmit and process the clickstream data?

  1. Design an AWS Data Pipeline to archive the data to an Amazon S3 bucket and run an Amazon EMR cluster with the data to generate analytics.
  2. Create an Auto Scaling group of Amazon EC2 instances to process the data and send it to an Amazon S3 data lake for Amazon Redshift to use for analysis.
  3. Cache the data to Amazon CloudFront. Store the data in an Amazon S3 bucket. When an object is added to the S3 bucket. run an AWS Lambda function to process the data for analysis.
  4. Collect the data from Amazon Kinesis Data Streams. Use Amazon Kinesis Data Firehose to transmit the data to an Amazon S3 data lake. Load the data in Amazon Redshift for analysis.

Answer(s): D

Explanation:

Collecting with Kinesis Data Streams and delivering via Kinesis Data Firehose to an S3 data lake provides scalable, real-time ingest for large-scale clickstream data and seamless loading into Redshift for analytics.
A) Data Pipeline is deprecated for new workloads; EMR processing after archiving adds latency and complexity.
B) Auto Scaling EC2 approach lacks managed streaming and built-in real-time ingestion; Redshift requires ETL steps not streamlined here.
C) CloudFront caching is for content delivery, not durable data capture; Serverless Lambda processing is not suited for 30 TB/day streaming without complex orchestration.
D) Correct: end-to-end managed streaming with Kinesis, durable S3 lake, and Redshift analytics.



A company has a website hosted on AWS. The website is behind an Application Load Balancer (ALB) that is configured to handle HTTP and HTTPS separately. The company wants to forward all requests to the website so that the requests will use HTTPS.
What should a solutions architect do to meet this requirement?

  1. Update the ALB's network ACL to accept only HTTPS traffic.
  2. Create a rule that replaces the HTTP in the URL with HTTPS.
  3. Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.
  4. Replace the ALB with a Network Load Balancer configured to use Server Name Indication (SNI).

Answer(s): C

Explanation:

A) Create a listener rule on the ALB to redirect HTTP traffic to HTTPS.
C) Correct because ALB listener rules can perform redirects from HTTP to HTTPS, ensuring all traffic uses TLS without changing clients. This keeps end-to-end encryption and uses the appropriate 301/302 redirect to the HTTPS endpoint.
B) Replacing HTTP in the URL is not a built-in ALB capability; ALB cannot modify schemes by string replacement in requests.
A) Updating network ACLs to only allow HTTPS disrupts legitimate initial connections and does not guarantee proper TLS termination or redirects at the ALB.
D) Replacing with a Network Load Balancer does not provide an application-layer redirect capability to enforce HTTPS and SNI is not relevant to this requirement.



Viewing page 13 of 205
Viewing questions 61 - 65 out of 824 questions



Post your Comments and Discuss Amazon SAA-C03 exam dumps with other Community members:

SAA-C03 Exam Discussions & Posts

AI Tutor 👋 I’m here to help!