Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 23)

Updated On: 18-Mar-2026

A company is preparing to store confidential data in Amazon S3. For compliance reasons, the data must be encrypted at rest. Encryption key usage must be logged for auditing purposes. Keys must be rotated every year.
Which solution meets these requirements and is the MOST operationally efficient?

  1. Server-side encryption with customer-provided keys (SSE-C)
  2. Server-side encryption with Amazon S3 managed keys (SSE-S3)
  3. Server-side encryption with AWS KMS keys (SSE-KMS) with manual rotation
  4. Server-side encryption with AWS KMS keys (SSE-KMS) with automatic rotation

Answer(s): D

Explanation:

The correct answer is D. SSE-KMS with automatic rotation meets at-rest encryption, enables detailed usage logging via AWS CloudTrail for KMS key usage, and provides automatic annual key rotation to satisfy rotation requirements with minimal operational overhead.
A is SSE-C: the keys are client-side, their use is not logged by AWS, and the option does not integrate with AWS KMS auditing, so it is not suitable for centralized auditing.
B is SSE-S3: uses S3-managed keys; lacks customer-controlled key rotation auditing and detailed KMS usage logs.
C uses SSE-KMS but requires manual rotation, increasing operational overhead and potential misconfigurations.



A bicycle sharing company is developing a multi-tier architecture to track the location of its bicycles during peak operating hours. The company wants to use these data points in its existing analytics platform. A solutions architect must determine the most viable multi-tier option to support this architecture. The data points must be accessible from the REST API.
Which action meets these requirements for storing and retrieving location data?

  1. Use Amazon Athena with Amazon S3.
  2. Use Amazon API Gateway with AWS Lambda.
  3. Use Amazon QuickSight with Amazon Redshift.
  4. Use Amazon API Gateway with Amazon Kinesis Data Analytics.

Answer(s): B

Explanation:

B) Correct: API Gateway with Lambda provides a REST API front end that can ingest and route location data to a scalable backend, such as a data store or streaming service, fitting a multi-tier architecture and real-time data capture for analytics.
A) Incorrect: Athena with S3 is analytics-driven and not a REST API front end; data is queried, not ingested via a REST endpoint.
C) Incorrect: QuickSight with Redshift is for visualization and data warehousing, not data collection through a REST API.
D) Incorrect: API Gateway with Kinesis Data Analytics could ingest via API, but Kinesis Analytics is for stream processing, whereas the typical pattern here emphasizes data capture and storage for analytics via a backend data store.



A company has an automobile sales website that stores its listings in a database on Amazon RDS. When an automobile is sold, the listing needs to be removed from the website and the data must be sent to multiple target systems.
Which design should a solutions architect recommend?

  1. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the information to an Amazon Simple Queue Service (Amazon SQS) queue for the targets to consume.
  2. Create an AWS Lambda function triggered when the database on Amazon RDS is updated to send the information to an Amazon Simple Queue Service (Amazon SQS) FIFO queue for the targets to consume.
  3. Subscribe to an RDS event notification and send an Amazon Simple Queue Service (Amazon SQS) queue fanned out to multiple Amazon Simple Notification Service (Amazon SNS) topics. Use AWS Lambda functions to update the targets.
  4. Subscribe to an RDS event notification and send an Amazon Simple Notification Service (Amazon SNS) topic fanned out to multiple Amazon Simple Queue Service (Amazon SQS) queues. Use AWS Lambda functions to update the targets.

Answer(s): A

Explanation:

A) The correct option uses an event-driven pattern: RDS updates trigger a Lambda function that sends the information to a standard SQS queue, allowing multiple targets to independently poll and process the deletion data, decoupling systems and ensuring reliable delivery.
B) A FIFO queue is unnecessary unless strict ordering and exactly-once processing are required; complex deduplication and throughput limits may complicate processing.
C) RDS event notifications are limited, and fan-out via SNS and then Lambda adds extra hops and potential delay; it is not as direct for decoupled, scalable consumption.
D) SNS to multiple SQS queues adds unnecessary fan-out and management; standard SQS from Lambda provides simpler consumption by targets.



A company needs to store data in Amazon S3 and must prevent the data from being changed. The company wants new objects that are uploaded to Amazon S3 to remain unchangeable for a nonspecific amount of time until the company decides to modify the objects. Only specific users in the company's AWS account can have the ability to delete the objects.
What should a solutions architect do to meet these requirements?

  1. Create an S3 Glacier vault. Apply a write-once, read-many (WORM) vault lock policy to the objects.
  2. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Set a retention period of 100 years. Use governance mode as the S3 bucket’s default retention mode for new objects.
  3. Create an S3 bucket. Use AWS CloudTrail to track any S3 API events that modify the objects. Upon notification, restore the modified objects from any backup versions that the company has.
  4. Create an S3 bucket with S3 Object Lock enabled. Enable versioning. Add a legal hold to the objects. Add the s3:PutObjectLegalHold permission to the IAM policies of users who need to delete the objects.

Answer(s): D

Explanation:

S3 Object Lock with versioning and a legal hold ensures objects cannot be deleted or overwritten until the hold is released, while granting delete permissions only to specific users via IAM. This satisfies immutability for new uploads and controlled deletion.
A) S3 Glacier vault with WORM is incorrect because Glacier vaults are for archival storage with different retention mechanisms and not directly integrated with per-object delete permissions in S3.
B) S3 Object Lock with governance mode and a 100-year retention makes objects immutable by default but does not specify per-user delete permission scopes via IAM; legal hold is needed for flexible deletion control.
C) CloudTrail logging and restore from backups do not prevent deletion or modification; they only provide audit and recovery, not enforce immutability.
D) Correct: enables Object Lock, versioning, and legal holds with targeted IAM permission for deletes.



A social media company allows users to upload images to its website. The website runs on Amazon EC2 instances. During upload requests, the website resizes the images to a standard size and stores the resized images in Amazon S3. Users are experiencing slow upload requests to the website.
The company needs to reduce coupling within the application and improve website performance. A solutions architect must design the most operationally efficient process for image uploads.
Which combination of actions should the solutions architect take to meet these requirements? (Choose two.)

  1. Configure the application to upload images to S3 Glacier.
  2. Configure the web server to upload the original images to Amazon S3.
  3. Configure the application to upload images directly from each user's browser to Amazon S3 through the use of a presigned URL.
  4. Configure S3 Event Notifications to invoke an AWS Lambda function when an image is uploaded. Use the function to resize the image.
  5. Create an Amazon EventBridge (Amazon CloudWatch Events) rule that invokes an AWS Lambda function on a schedule to resize uploaded images.

Answer(s): B,D

Explanation:

The correct combination B and D enables decoupling and improves performance: B lets the web server upload originals directly to S3, reducing EC2 processing and network load on the app server. D uses S3 Event Notifications to trigger a Lambda function to resize, providing automatic, scalable image processing without maintaining servers. A is incorrect because Glacier is cold storage and not suitable for active uploads. C is plausible but introduces complexity with presigned URLs and browser-side uploads, which can complicate validation and security and may not reduce server load as effectively. E is incorrect because a scheduled resize cannot respond promptly to new uploads.



Viewing page 23 of 205
Viewing questions 111 - 115 out of 824 questions


