Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 14)

Updated On: 18-Mar-2026

A company is developing a two-tier web application on AWS. The company's developers have deployed the application on an Amazon EC2 instance that connects directly to a backend Amazon RDS database. The company must not hardcode database credentials in the application. The company must also implement a solution to automatically rotate the database credentials on a regular basis.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Store the database credentials in the instance metadata. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and instance metadata at the same time.
  2. Store the database credentials in a configuration file in an encrypted Amazon S3 bucket. Use Amazon EventBridge (Amazon CloudWatch Events) rules to run a scheduled AWS Lambda function that updates the RDS credentials and the credentials in the configuration file at the same time. Use S3 Versioning to ensure the ability to fall back to previous values.
  3. Store the database credentials as a secret in AWS Secrets Manager. Turn on automatic rotation for the secret. Attach the required permission to the EC2 role to grant access to the secret.
  4. Store the database credentials as encrypted parameters in AWS Systems Manager Parameter Store. Turn on automatic rotation for the encrypted parameters. Attach the required permission to the EC2 role to grant access to the encrypted parameters.

Answer(s): C

Explanation:

Storing credentials in AWS Secrets Manager with automatic rotation provides secure, centralized credential management and seamless rotation without hardcoding, and EC2 can access the secret via its IAM role.
A) Storing in instance metadata is insecure and not designed for credential rotation; updating metadata is not supported for secret rotation.
B) Encrypted S3 config files require custom rotation logic and risk of stale applications; not ideal for automatic, centralized rotation.
C) CORRECT: Secrets Manager supports automatic rotation and fine-grained IAM access for EC2.
D) Parameter Store rotation exists but Secrets Manager offers richer rotation and easier credential management; more suitable for automatic rotation with minimal ops.



A company is deploying a new public web application to AWS. The application will run behind an Application Load Balancer (ALB). The application needs to be encrypted at the edge with an SSL/TLS certificate that is issued by an external certificate authority (CA). The certificate must be rotated each year before the certificate expires.
What should a solutions architect do to meet these requirements?

  1. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
  2. Use AWS Certificate Manager (ACM) to issue an SSL/TLS certificate. Import the key material from the certificate. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
  3. Use AWS Certificate Manager (ACM) Private Certificate Authority to issue an SSL/TLS certificate from the root CA. Apply the certificate to the ALB. Use the managed renewal feature to automatically rotate the certificate.
  4. Use AWS Certificate Manager (ACM) to import an SSL/TLS certificate. Apply the certificate to the ALB. Use Amazon EventBridge (Amazon CloudWatch Events) to send a notification when the certificate is nearing expiration. Rotate the certificate manually.

Answer(s): D

Explanation:

ACM certificates cannot be imported; ACM's public certificates are issued only by ACM or public CAs managed by ACM. The correct approach is to import an externally issued certificate into ACM for use with the ALB and manually rotate it before expiration, since ACM does not automatically rotate externally issued certificates.
A) Incorrect because ACM cannot auto-rotate externally issued certificates.
B) Incorrect because you cannot import key material to ACM-issued certificates for automatic rotation; ACM manages keys for public certificates.
C) Incorrect because ACM Private CA issues privately trusted certificates, but automatic rotation still isn't available for externally issued public certs, and it adds unnecessary complexity.
D) Correct: import the external certificate, attach it to the ALB, and set alerts for manual rotation before expiry.



A company runs its infrastructure on AWS and has a registered base of 700,000 users for its document management application. The company intends to create a product that converts large .pdf files to .jpg image files. The .pdf files average 5 MB in size. The company needs to store the original files and the converted files. A solutions architect must design a scalable solution to accommodate demand that will grow rapidly over time.
Which solution meets these requirements MOST cost-effectively?

  1. Save the .pdf files to Amazon S3. Configure an S3 PUT event to invoke an AWS Lambda function to convert the files to .jpg format and store them back in Amazon S3.
  2. Save the .pdf files to Amazon DynamoDB. Use the DynamoDB Streams feature to invoke an AWS Lambda function to convert the files to .jpg format and store them back in DynamoDB.
  3. Upload the .pdf files to an AWS Elastic Beanstalk application that includes Amazon EC2 instances, Amazon Elastic Block Store (Amazon EBS) storage, and an Auto Scaling group. Use a program in the EC2 instances to convert the files to .jpg format. Save the .pdf files and the .jpg files in the EBS store.
  4. Upload the .pdf files to an AWS Elastic Beanstalk application that includes Amazon EC2 instances, Amazon Elastic File System (Amazon EFS) storage, and an Auto Scaling group. Use a program in the EC2 instances to convert the file to .jpg format. Save the .pdf files and the .jpg files in the EBS store.

Answer(s): A

Explanation:

A) This serverless approach leverages S3 storage, event-driven Lambda processing, and on-demand scaling with virtually unlimited concurrency, minimizing cost for variable load and large file processing. S3 PUT events trigger Lambda to convert and store JPEGs back in S3, avoiding EC2, EBS, or managed servers.
B) DynamoDB is a NoSQL database, not suitable for storing large binary files or for file processing pipelines without additional services; using DynamoDB Streams with Lambda does not address file storage or processing efficiently.
C) Elastic Beanstalk with EC2 and EBS is scalable but requires managing servers and storage; ongoing costs are higher than a serverless solution for sporadic or growing demand.
D) EB with EFS still incurs EC2 management and higher storage costs; mixing EFS with EBS storage is inconsistent and less cost-effective for this use case.



A company has more than 5 TB of file data on Windows file servers that run on premises. Users and applications interact with the data each day.
The company is moving its Windows workloads to AWS. As the company continues this process, the company requires access to AWS and on-premises file storage with minimum latency. The company needs a solution that minimizes operational overhead and requires no significant changes to the existing file access patterns. The company uses an AWS Site-to-Site VPN connection for connectivity to AWS.
What should a solutions architect do to meet these requirements?

  1. Deploy and configure Amazon FSx for Windows File Server on AWS. Move the on-premises file data to FSx for Windows File Server. Reconfigure the workloads to use FSx for Windows File Server on AWS.
  2. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to the S3 File Gateway. Reconfigure the on-premises workloads and the cloud workloads to use the S3 File Gateway.
  3. Deploy and configure an Amazon S3 File Gateway on premises. Move the on-premises file data to Amazon S3. Reconfigure the workloads to use either Amazon S3 directly or the S3 File Gateway, depending on each workload's location.
  4. Deploy and configure Amazon FSx for Windows File Server on AWS. Deploy and configure an Amazon FSx File Gateway on premises. Move the on-premises file data to the FSx File Gateway. Configure the cloud workloads to use FSx for Windows File Server on AWS. Configure the on-premises workloads to use the FSx File Gateway.

Answer(s): D

Explanation:

D is correct because it provides a low-latency, seamless hybrid NAS solution: FSx for Windows File Server on AWS for cloud workloads and an FSx File Gateway on premises to access data locally, preserving on-premises access patterns with minimal changes and centralized management over VPN.
A) Would require moving all data to managed Windows shares in AWS, increasing cutover risk and latency for on-prem users.
B) and C) Rely on S3, which is object storage with higher latency for file semantics and insufficient OS-level file share semantics without gateways for on-prem access.
D) Preserves NAS compatibility and hybrid performance.



A hospital recently deployed a RESTful API with Amazon API Gateway and AWS Lambda. The hospital uses API Gateway and Lambda to upload reports that are in PDF format and JPEG format. The hospital needs to modify the Lambda code to identify protected health information (PHI) in the reports.
Which solution will meet these requirements with the LEAST operational overhead?

  1. Use existing Python libraries to extract the text from the reports and to identify the PHI from the extracted text.
  2. Use Amazon Textract to extract the text from the reports. Use Amazon SageMaker to identify the PHI from the extracted text.
  3. Use Amazon Textract to extract the text from the reports. Use Amazon Comprehend Medical to identify the PHI from the extracted text.
  4. Use Amazon Rekognition to extract the text from the reports. Use Amazon Comprehend Medical to identify the PHI from the extracted text.

Answer(s): C

Explanation:

Using Textract for OCR and Comprehend Medical for PHI identification provides a managed, purpose-built solution with minimal operational overhead. Textract handles PDF and JPEG text extraction; Comprehend Medical specializes in identifying PHI and PHI-like entities, delivering HIPAA-friendly, scalable PHI detection integrated with AWS services.
A) Manual Python libraries require custom maintenance and OCR/PHI logic, increasing overhead.
B) SageMaker adds operation and model management complexity; PHI detection may require custom labeling and pipelines.
D) Rekognition OCR is not optimized for document-heavy PHI tasks, so pairing it with Comprehend Medical is an unnecessary mismatch; Textract + Comprehend Medical is a better fit.



Viewing page 14 of 205
Viewing questions 66 - 70 out of 824 questions


