Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 16)

Updated On: 18-Mar-2026

A company runs a shopping application that uses Amazon DynamoDB to store customer information. In case of data corruption, a solutions architect needs to design a solution that meets a recovery point objective (RPO) of 15 minutes and a recovery time objective (RTO) of 1 hour.
What should the solutions architect recommend to meet these requirements?

  A. Configure DynamoDB global tables. For RPO recovery, point the application to a different AWS Region.
  B. Configure DynamoDB point-in-time recovery. For RPO recovery, restore to the desired point in time.
  C. Export the DynamoDB data to Amazon S3 Glacier on a daily basis. For RPO recovery, import the data from S3 Glacier to DynamoDB.
  D. Schedule Amazon Elastic Block Store (Amazon EBS) snapshots for the DynamoDB table every 15 minutes. For RPO recovery, restore the DynamoDB table by using the EBS snapshot.

Answer(s): B

Explanation:

B) Point-in-time recovery provides continuous backups and allows a restore to any second within the last 35 days, meeting the 15-minute RPO and 1-hour RTO when combined with fast restoration of the table.
A) Global tables address cross-Region replication, not RPO/RTO in a single-Region failure.
C) Daily export to S3 Glacier introduces long restore times and does not meet the 15-minute RPO.
D) DynamoDB uses managed backups; EBS snapshots are not applicable to DynamoDB since DynamoDB is a managed service, and its backups are not tied to EBS.



A company runs a photo processing application that needs to frequently upload and download pictures from Amazon S3 buckets that are located in the same AWS Region. A solutions architect has noticed an increased cost in data transfer fees and needs to implement a solution to reduce these costs.
How can the solutions architect meet this requirement?

  A. Deploy Amazon API Gateway into a public subnet and adjust the route table to route S3 calls through it.
  B. Deploy a NAT gateway into a public subnet and attach an endpoint policy that allows access to the S3 buckets.
  C. Deploy the application into a public subnet and allow it to route through an internet gateway to access the S3 buckets.
  D. Deploy an S3 VPC gateway endpoint into the VPC and attach an endpoint policy that allows access to the S3 buckets.

Answer(s): D

Explanation:

An S3 VPC endpoint provides private, Region-local connectivity to S3 without data traversing the public internet, eliminating inter-Region and NAT data transfer costs between the VPC and S3.
A) API Gateway does not route S3 traffic; it adds unnecessary public exposure and cost.
B) A NAT gateway adds egress charges and does not provide private, Region-local S3 access; an endpoint is more cost-effective.
C) Routing through an internet gateway uses public internet paths and incurs data transfer costs and potential exposure.
D) Correct: an S3 VPC endpoint with an appropriate policy enables private, low-cost access to S3 in the same Region.



A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  A. Replace the current security group of the bastion host with one that only allows inbound access from the application instances.
  B. Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.
  C. Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.
  D. Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
  E. Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.

Answer(s): C,D

Explanation:

The correct choices, C and D, implement secure bastion-based SSH access: the bastion's security group allows inbound SSH only from the company's external IP range, and the application instances' security group allows inbound SSH only from the bastion host's private IP, so SSH reaches the application servers only over the private path through the bastion.
A) Wrong because restricting inbound access to the application instances' IPs would block the initial SSH connection arriving at the bastion's public endpoint.
B) Wrong because allowing only internal IPs would block the on-premises-to-bastion connection over the internet.
E) Wrong because permitting SSH from the bastion's public IP on the application instances would expose SSH to the external interface; traffic from the public IP must reach the bastion, then traverse to private IPs through the VPC.



A solutions architect is designing a two-tier web application. The application consists of a public-facing web tier hosted on Amazon EC2 in public subnets. The database tier consists of Microsoft SQL Server running on Amazon EC2 in a private subnet. Security is a high priority for the company.
How should security groups be configured in this situation? (Choose two.)

  A. Configure the security group for the web tier to allow inbound traffic on port 443 from 0.0.0.0/0.
  B. Configure the security group for the web tier to allow outbound traffic on port 443 from 0.0.0.0/0.
  C. Configure the security group for the database tier to allow inbound traffic on port 1433 from the security group for the web tier.
  D. Configure the security group for the database tier to allow outbound traffic on ports 443 and 1433 to the security group for the web tier.
  E. Configure the security group for the database tier to allow inbound traffic on ports 443 and 1433 from the security group for the web tier.

Answer(s): A,C

Explanation:

A) The web tier SG should permit inbound 443 from the internet (0.0.0.0/0) to allow HTTPS access from users.
B) Incorrect because outbound from 0.0.0.0/0 is not required for web access and is unnecessary for standard web traffic; inbound is what matters.
C) The DB tier SG should allow inbound 1433 only from the web tier's SG, ensuring the database accepts connections only from the web layer, not from anywhere else.
D) Incorrect because outbound 443/1433 from the DB tier to the web tier is unnecessary; traffic is initiated by the web tier.
E) Incorrect because inbound 443 on the DB tier is not needed; the DB should only receive 1433 from the web tier.



A company wants to move a multi-tiered application from on premises to the AWS Cloud to improve the application's performance. The application consists of application tiers that communicate with each other by way of RESTful services. Transactions are dropped when one tier becomes overloaded. A solutions architect must design a solution that resolves these issues and modernizes the application.
Which solution meets these requirements and is the MOST operationally efficient?

  A. Use Amazon API Gateway and direct transactions to the AWS Lambda functions as the application layer. Use Amazon Simple Queue Service (Amazon SQS) as the communication layer between application services.
  B. Use Amazon CloudWatch metrics to analyze the application performance history to determine the servers' peak utilization during the performance failures. Increase the size of the application server's Amazon EC2 instances to meet the peak requirements.
  C. Use Amazon Simple Notification Service (Amazon SNS) to handle the messaging between application servers running on Amazon EC2 in an Auto Scaling group. Use Amazon CloudWatch to monitor the SNS queue length and scale up and down as required.
  D. Use Amazon Simple Queue Service (Amazon SQS) to handle the messaging between application servers running on Amazon EC2 in an Auto Scaling group. Use Amazon CloudWatch to monitor the SQS queue length and scale up when communication failures are detected.

Answer(s): A

Explanation:

A) Uses API Gateway and Lambda for the application tier, with SQS as the decoupled messaging backbone. This reduces coupling, elastically scales responsive endpoints, and prevents cascading failures when a tier is overloaded, satisfying operational efficiency through serverless components and asynchronous queues.
B) Relies on manual scaling of EC2 instances based on historic metrics; does not address decoupling or prevent overloads and is not operationally efficient.
C) SNS is a pub/sub fan-out service, not designed as a reliable queue for request/response between tightly coupled tiers; monitoring queue length in SNS is not applicable for autoscaling decisions in this pattern.
D) SQS decouples components but pairing with EC2 ASGs and monitoring queue length is less efficient than a serverless approach; also does not leverage API Gateway/Lambda for core modernization.


