Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 22)

Updated On: 16-Mar-2026

A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates.
What should the solutions architect do to enable Internet access for the private subnets?

  A. Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
  B. Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
  C. Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
  D. Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only internet gateway.

Answer(s): A

Explanation:

Public subnets use an Internet Gateway; private subnets require outbound internet access via NAT. A correctly implements NAT in each AZ to preserve HA: three NAT gateways in public subnets, with private subnets’ route tables directing non-VPC traffic to the NAT gateway in the same AZ. This provides scalable, managed NAT with high availability.
A) Correct: per-AZ NAT gateways ensure private subnets can reach the internet for updates while remaining non-routable from the internet.
B) NAT instances are self-managed and require patching and maintenance; running three of them adds operational overhead, and each instance is still a single point of failure within its AZ.
C) A VPC can have only one internet gateway attached, and a subnet whose route table points at an internet gateway is by definition public; private subnets cannot route to an internet gateway directly.
D) Egress-only gateways are for IPv6; private IPv4 traffic cannot rely on this for general internet egress.



A company wants to migrate an on-premises data center to AWS. The data center hosts an SFTP server that stores its data on an NFS-based file system. The server holds 200 GB of data that needs to be transferred. The server must be hosted on an Amazon EC2 instance that uses an Amazon Elastic File System (Amazon EFS) file system.
Which combination of steps should a solutions architect take to automate this task? (Choose two.)

  A. Launch the EC2 instance into the same Availability Zone as the EFS file system.
  B. Install an AWS DataSync agent in the on-premises data center.
  C. Create a secondary Amazon Elastic Block Store (Amazon EBS) volume on the EC2 instance for the data.
  D. Manually use an operating system copy command to push the data to the EC2 instance.
  E. Use AWS DataSync to create a suitable location configuration for the on-premises SFTP server.

Answer(s): B,E

Explanation:

DataSync provides a scalable, automated method to transfer on-premises data to an EFS-backed EC2 environment, and setting up the on-premises DataSync agent enables this integration and migration.
A) Wrong: DataSync does not require the EC2 instance and the EFS file system to be in the same AZ; EFS is accessible from any AZ in the Region, and AZ placement is not part of the migration task.
B) Correct: Installing a DataSync agent in the on-premises data center enables discovery and transfer to the target EFS through DataSync.
C) Wrong: Using a secondary EBS volume on the EC2 instance adds management overhead and is unnecessary when targeting EFS via DataSync.
D) Wrong: A manual operating-system copy is neither automated nor reliable at scale, so it does not meet the requirement to automate the task.
E) Correct: DataSync can configure a location for the on-premises SFTP data source, enabling automated transfer to EFS-backed storage.



A company has an AWS Glue extract, transform, and load (ETL) job that runs every day at the same time. The job processes XML data that is in an Amazon S3 bucket. New data is added to the S3 bucket every day. A solutions architect notices that AWS Glue is processing all the data during each run.
What should the solutions architect do to prevent AWS Glue from reprocessing old data?

  A. Edit the job to use job bookmarks.
  B. Edit the job to delete data after the data is processed.
  C. Edit the job by setting the NumberOfWorkers field to 1.
  D. Use a FindMatches machine learning (ML) transform.

Answer(s): A

Explanation:

The correct answer is A. AWS Glue job bookmarks track processed data and only process new or changed records in subsequent runs, preventing reprocessing of old XML data when the job runs on a fixed schedule.
B is incorrect because deleting processed data is destructive and not a recommended ETL pattern; it would remove data rather than control reprocessing.
C is incorrect because NumberOfWorkers only affects throughput and parallelism, not whether previously processed data is re-read.
D is incorrect because the FindMatches ML transform is for deduplication and record matching, not for preventing reprocessing of previously processed data.



A solutions architect must design a highly available infrastructure for a website. The website is powered by Windows web servers that run on Amazon EC2 instances. The solutions architect must implement a solution that can mitigate a large-scale DDoS attack that originates from thousands of IP addresses. Downtime is not acceptable for the website.
Which actions should the solutions architect take to protect the website from such an attack? (Choose two.)

  A. Use AWS Shield Advanced to stop the DDoS attack.
  B. Configure Amazon GuardDuty to automatically block the attackers.
  C. Configure the website to use Amazon CloudFront for both static and dynamic content.
  D. Use an AWS Lambda function to automatically add attacker IP addresses to VPC network ACLs.
  E. Use EC2 Spot Instances in an Auto Scaling group with a target tracking scaling policy that is set to 80% CPU utilization.

Answer(s): A,C

Explanation:

Amazon CloudFront and Shield Advanced provide scalable, at-edge DDoS protection and caching that mitigate large-scale attacks with minimal downtime.
A) Correct: Shield Advanced offers DDoS detection and mitigation for AWS resources, suitable for high-traffic, volumetric attacks.
B) GuardDuty is a threat detection service, not an automatic blocker for inbound traffic.
C) Correct: CloudFront distributes traffic, accelerates content, and absorbs and mitigates DDoS at the edge, protecting the origin.
D) Dynamically updating VPC NACLs via Lambda is risky, brittle, and not scalable for a large, rapid DDoS.
E) Spot Instances do not address DDoS mitigation and can undermine availability.



A company is preparing to deploy a new serverless workload. A solutions architect must use the principle of least privilege to configure permissions that will be used to run an AWS Lambda function. An Amazon EventBridge (Amazon CloudWatch Events) rule will invoke the function.
Which solution meets these requirements?

  A. Add an execution role to the function with lambda:InvokeFunction as the action and * as the principal.
  B. Add an execution role to the function with lambda:InvokeFunction as the action and Service: lambda.amazonaws.com as the principal.
  C. Add a resource-based policy to the function with lambda:* as the action and Service: events.amazonaws.com as the principal.
  D. Add a resource-based policy to the function with lambda:InvokeFunction as the action and Service: events.amazonaws.com as the principal.

Answer(s): D

Explanation:

EventBridge should be allowed to invoke the Lambda function via a resource-based policy granting lambda:InvokeFunction to the events.amazonaws.com principal.
A) Incorrect: an execution role defines what the function itself may do and has no principal element, so it cannot grant EventBridge permission to invoke the function; a * principal would in any case grant broad, unintended access. Cross-service invocation is allowed through a resource-based policy.
B) Incorrect: the execution role governs what the function can do, not who may invoke it; EventBridge's permission to invoke must be granted by a resource-based policy on the function.
C) Incorrect: resource-based policy with lambda:* on events.amazonaws.com is overly broad and violates least privilege; restrict to InvokeFunction.
D) Correct: resource-based policy limiting to lambda:InvokeFunction for events.amazonaws.com grants only required permission for EventBridge to invoke the function.
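As an added illustration (not part of the original question set), the following Python builds three Lambda resource-based policy statements that mirror options A, C and D, and audits each one for the least-privilege problems the explanation names. It goes one step beyond option D by also checking for an `AWS:SourceArn` condition, which scopes the grant to a single EventBridge rule rather than the whole service; the rule and function ARNs are constructed placeholders.

```python
import json

# Constructed ARNs for this example; substitute your own rule and function.
RULE_ARN = "arn:aws:events:us-east-1:111122223333:rule/nightly-etl"
FUNCTION_ARN = "arn:aws:lambda:us-east-1:111122223333:function:etl-worker"

def invoke_statement(sid, action, principal, source_arn=None):
    """Build one Allow statement for a Lambda resource-based policy."""
    stmt = {"Sid": sid, "Effect": "Allow", "Action": action,
            "Principal": principal, "Resource": FUNCTION_ARN}
    if source_arn:
        # Restricts the grant to one EventBridge rule instead of every rule
        # in the account that runs as events.amazonaws.com.
        stmt["Condition"] = {"ArnLike": {"AWS:SourceArn": source_arn}}
    return stmt

def audit_statement(stmt):
    """Return least-privilege findings for one Allow statement (empty = clean)."""
    findings = []
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    principal = stmt.get("Principal")
    if principal == "*" or principal == {"AWS": "*"}:
        findings.append("wildcard principal: any caller could invoke the function")
    if any(a == "*" or a.endswith("*") for a in actions):
        findings.append("wildcard action: grants more than lambda:InvokeFunction")
    if "Condition" not in stmt:
        findings.append("no SourceArn condition: any rule in the service could invoke")
    return findings

def audit_policy(policy_json):
    """Audit every Allow statement in a policy document; returns {Sid: findings}."""
    policy = json.loads(policy_json)
    return {s["Sid"]: audit_statement(s) for s in policy["Statement"]
            if s.get("Effect") == "Allow"}

# Constructed policy document holding statements shaped like options A, C and D.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    invoke_statement("OptionA", "lambda:InvokeFunction", "*"),
    invoke_statement("OptionC", "lambda:*", {"Service": "events.amazonaws.com"}),
    invoke_statement("OptionD", "lambda:InvokeFunction",
                     {"Service": "events.amazonaws.com"}, RULE_ARN),
]})

if __name__ == "__main__":
    for sid, findings in audit_policy(SAMPLE_POLICY).items():
        print(sid, "OK" if not findings else findings)
```

Only the option D statement, scoped to a single rule ARN, comes back with no findings.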


