Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 28)

Updated On: 20-Mar-2026

A company is developing a file-sharing application that will use an Amazon S3 bucket for storage. The company wants to serve all the files through an Amazon CloudFront distribution. The company does not want the files to be accessible through direct navigation to the S3 URL.
What should a solutions architect do to meet these requirements?

  A. Write individual policies for each S3 bucket to grant read permission for only CloudFront access.
  B. Create an IAM user. Grant the user read permission to objects in the S3 bucket. Assign the user to CloudFront.
  C. Write an S3 bucket policy that assigns the CloudFront distribution ID as the Principal and assigns the target S3 bucket as the Amazon Resource Name (ARN).
  D. Create an origin access identity (OAI). Assign the OAI to the CloudFront distribution. Configure the S3 bucket permissions so that only the OAI has read permission.

Answer(s): D

Explanation:

D is correct. An origin access identity (OAI) is a special CloudFront principal. Assigning the OAI to the distribution and writing a bucket policy that grants s3:GetObject to that OAI and nothing else (with S3 Block Public Access left enabled) lets CloudFront fetch objects on behalf of viewers while any request sent directly to the S3 URL is denied. This is the answer the exam expects; current AWS guidance recommends origin access control (OAC) over OAI for new distributions, but the pattern is the same: the bucket trusts one CloudFront identity and no one else.
A) Incorrect: "read permission for only CloudFront access" names no principal that S3 can evaluate. A bucket policy must grant to a specific identity, and without an OAI (or OAC) CloudFront has none. There is also only one bucket in this scenario.
B) Incorrect: a CloudFront distribution cannot be assigned an IAM user and does not sign origin requests with IAM user credentials, so the objects would end up having to be made public for CloudFront to read them.
C) Incorrect: a distribution ID is not an IAM principal, so such a policy is invalid. Scoping a bucket policy to one distribution is done through its OAI or, with OAC, by granting the cloudfront.amazonaws.com service principal with an aws:SourceArn condition on the distribution ARN.
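The bucket policy that option D implies, as an added example that is not part of the exam page: it builds the OAI form, the equivalent OAC form, and a small lint that reports any Allow statement letting something other than CloudFront read objects (public principals, other accounts, or a CloudFront service principal that is not pinned to a distribution). The bucket name, OAI id, account id and distribution id are constructed placeholders.

```python
"""Build and lint S3 bucket policies for 'only CloudFront may read'.

Added example, not from the exam page. All identifiers (bucket name, OAI id,
account id, distribution id) are constructed placeholders.
"""
import json
from typing import Any

BUCKET = "example-file-share"                                        # placeholder
OAI_PRINCIPAL = ("arn:aws:iam::cloudfront:user/"
                 "CloudFront Origin Access Identity E1EXAMPLEOAI")     # placeholder OAI
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"  # placeholder

READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def oai_bucket_policy(bucket: str, oai_principal: str) -> dict:
    """Option D: grant s3:GetObject to the OAI and nothing else (legacy OAI form)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": oai_principal},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """Same intent with origin access control (OAC): the CloudFront service
    principal, pinned to one distribution by aws:SourceArn."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalRead",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def _grants_read(stmt: dict) -> bool:
    actions = {a.lower() for a in _as_list(stmt.get("Action"))}
    return bool(actions & READ_ACTIONS)


def _cloudfront_only(stmt: dict) -> bool:
    """True if every principal is an OAI, or the CloudFront service principal
    pinned to a distribution; False for '*', other accounts or users, and for
    an unpinned service principal (any distribution in any account could use it)."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict) or set(principal) - {"AWS", "Service"}:
        return False
    aws = _as_list(principal.get("AWS"))
    svc = _as_list(principal.get("Service"))
    if not aws and not svc:
        return False
    if not all(":cloudfront:user/CloudFront Origin Access Identity " in p for p in aws):
        return False
    if svc:
        if any(p != "cloudfront.amazonaws.com" for p in svc):
            return False
        if "aws:sourcearn" not in json.dumps(stmt.get("Condition", {})).lower():
            return False
    return True


def read_grants_outside_cloudfront(policy: dict) -> list[str]:
    """Sids of Allow statements that let something other than CloudFront read
    objects. Empty list: the policy grants no direct S3 read (Block Public
    Access and object ACLs still have to be checked separately)."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and _grants_read(stmt) and not _cloudfront_only(stmt)
    ]


# Constructed misconfigurations for comparison.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}],
}
UNPINNED_OAC_POLICY = oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)
UNPINNED_OAC_POLICY["Statement"][0].pop("Condition")
UNPINNED_OAC_POLICY["Statement"][0]["Sid"] = "UnpinnedServicePrincipal"

if __name__ == "__main__":
    print(json.dumps(oai_bucket_policy(BUCKET, OAI_PRINCIPAL), indent=2))
    for name, pol in [("oai", oai_bucket_policy(BUCKET, OAI_PRINCIPAL)),
                      ("oac", oac_bucket_policy(BUCKET, DISTRIBUTION_ARN)),
                      ("public", PUBLIC_READ_POLICY), ("unpinned", UNPINNED_OAC_POLICY)]:
        print(name, "->", read_grants_outside_cloudfront(pol) or "only CloudFront can read")
```

The lint is deliberately strict about the OAC form: a bucket policy that trusts cloudfront.amazonaws.com without an aws:SourceArn condition is a confused-deputy hole, because any distribution anywhere could be pointed at the bucket, so it is reported alongside the plainly public policy.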



A company’s website provides users with downloadable historical performance reports. The website needs a solution that will scale to meet the company’s website demands globally. The solution should be cost-effective, limit the provisioning of infrastructure resources, and provide the fastest possible response time.
Which combination should a solutions architect recommend to meet these requirements?

  A. Amazon CloudFront and Amazon S3
  B. AWS Lambda and Amazon DynamoDB
  C. Application Load Balancer with Amazon EC2 Auto Scaling
  D. Amazon Route 53 with internal Application Load Balancers

Answer(s): A

Explanation:

A is correct. The reports are static objects, so S3 stores them durably at low cost and CloudFront caches them at edge locations worldwide, giving the lowest latency for repeat downloads with no servers to provision or scale. Front the bucket with an origin access identity or origin access control so the bucket itself stays private.
B is incorrect: Lambda and DynamoDB are serverless, but DynamoDB is a key-value store rather than a file store (items are capped at 400 KB), and serving downloads through Lambda adds cost and latency compared with S3 behind CloudFront.
C is incorrect: an ALB with EC2 Auto Scaling means provisioning, patching and scaling instances, which the requirements rule out, and a single-Region fleet cannot match edge caching for global response time.
D is incorrect: internal ALBs are reachable only from inside the VPC, so Route 53 records pointing at them cannot serve a public global audience; Route 53 provides DNS, not caching or delivery.



A company runs an Oracle database on premises. As part of the company’s migration to AWS, the company wants to upgrade the database to the most recent available version. The company also wants to set up disaster recovery (DR) for the database. The company needs to minimize the operational overhead for normal operations and DR setup. The company also needs to maintain access to the database's underlying operating system.
Which solution will meet these requirements?

  A. Migrate the Oracle database to an Amazon EC2 instance. Set up database replication to a different AWS Region.
  B. Migrate the Oracle database to Amazon RDS for Oracle. Activate Cross-Region automated backups to replicate the snapshots to another AWS Region.
  C. Migrate the Oracle database to Amazon RDS Custom for Oracle. Create a read replica for the database in another AWS Region.
  D. Migrate the Oracle database to Amazon RDS for Oracle. Create a standby database in another Availability Zone.

Answer(s): C

Explanation:

C is correct. Amazon RDS Custom for Oracle is the only option that combines managed provisioning, backups and monitoring with privileged access to the underlying operating system and database host, which standard RDS for Oracle never exposes. A read replica in another AWS Region gives cross-Region DR with replication maintained by the service, and the replica can be promoted if the primary Region is lost, with far less operational work than building and failing over replication by hand.
A) Incorrect: self-managed Oracle on EC2 gives OS access, but OS patching, database upgrades, backups and the cross-Region replication and failover all fall on the company; this is the highest operational overhead.
B) Incorrect: RDS for Oracle automates backups and cross-Region snapshot copies, but it provides no access to the host operating system. Snapshot-based DR also means a longer recovery than a replica.
D) Incorrect: a Multi-AZ standby is high availability within one Region, not cross-Region DR, and RDS for Oracle still offers no OS access.



A company wants to move its application to a serverless solution. The serverless solution needs to analyze existing and new data by using SQL. The company stores the data in an Amazon S3 bucket. The data requires encryption and must be replicated to a different AWS Region.
Which solution will meet these requirements with the LEAST operational overhead?

  A. Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon Athena to query the data.
  B. Create a new S3 bucket. Load the data into the new S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with AWS KMS multi-Region keys (SSE-KMS). Use Amazon RDS to query the data.
  C. Load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon Athena to query the data.
  D. Load the data into the existing S3 bucket. Use S3 Cross-Region Replication (CRR) to replicate encrypted objects to an S3 bucket in another Region. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use Amazon RDS to query the data.

Answer(s): C

Explanation:

C is correct. The data is already in an S3 bucket, so loading new data into the same bucket avoids a migration. S3 Cross-Region Replication copies objects encrypted with SSE-S3 to the destination bucket with no additional configuration, and Amazon Athena queries the objects in place with standard SQL and no infrastructure to run. Every component is serverless and the configuration is minimal.
A) Incorrect: Athena is the right query engine, but creating a new bucket and reloading the data is unnecessary work, and SSE-KMS adds steps that SSE-S3 does not. By default S3 does not replicate SSE-KMS encrypted objects: the replication rule must opt in to them and name a replica key for the destination Region, and the replication role needs permission to decrypt with the source key and encrypt with the destination key. Multi-Region keys make this simpler than two unrelated keys but do not remove it.
B) Incorrect: Amazon RDS is a provisioned relational database, not a serverless query layer over S3; the data would have to be loaded into it and the instance managed.
D) Incorrect: the same problem as B. SSE-S3 with CRR is fine, but RDS is not serverless and does not analyze S3 objects in place.
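The replication configuration behind the C-versus-A comparison above, as an added example that is not part of the exam page: it builds the PutBucketReplication document for the SSE-S3 case, shows the two extra settings an SSE-KMS source bucket requires, lists the KMS permissions the replication role then needs, and checks a configuration for what is missing. The role ARN, bucket name and key ARNs are constructed placeholders.

```python
"""S3 Cross-Region Replication: SSE-S3 versus SSE-KMS source buckets.

Added example, not from the exam page. Role, bucket and key ARNs are
constructed placeholders.
"""
from typing import Optional

ROLE_ARN = "arn:aws:iam::111122223333:role/s3-crr-role"                      # placeholder
DEST_BUCKET = "analytics-data-replica-eu-west-1"                              # placeholder
# A multi-Region key keeps the same key id (mrk- prefix) in each Region; only the Region differs.
SOURCE_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
REPLICA_KMS_KEY = "arn:aws:kms:eu-west-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"


def replication_config(dest_bucket: str, role_arn: str,
                       replica_kms_key: Optional[str] = None) -> dict:
    """Build a PutBucketReplication configuration.

    With replica_kms_key=None this is the SSE-S3 case (option C): SSE-S3
    objects replicate under the base rule with nothing else to configure.
    With a key (option A's SSE-KMS choice) the rule must also opt in to
    SSE-KMS objects and name the key that re-encrypts replicas in the
    destination Region.
    """
    rule = {
        "ID": "replicate-all",
        "Priority": 1,
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "Destination": {"Bucket": f"arn:aws:s3:::{dest_bucket}"},
    }
    if replica_kms_key:
        rule["SourceSelectionCriteria"] = {"SseKmsEncryptedObjects": {"Status": "Enabled"}}
        rule["Destination"]["EncryptionConfiguration"] = {"ReplicaKmsKeyID": replica_kms_key}
    return {"Role": role_arn, "Rules": [rule]}


def kms_replication_gaps(config: dict, source_uses_sse_kms: bool) -> list[str]:
    """Settings still missing for the source bucket's encryption mode.

    Empty list: every enabled rule will replicate the bucket's objects. An
    SSE-S3 bucket needs nothing extra; for an SSE-KMS bucket a rule lacking
    either setting leaves the KMS-encrypted objects unreplicated.
    """
    gaps: list[str] = []
    if not source_uses_sse_kms:
        return gaps
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<no ID>")
        ssc = rule.get("SourceSelectionCriteria", {}).get("SseKmsEncryptedObjects", {})
        if ssc.get("Status") != "Enabled":
            gaps.append(f"{rid}: SourceSelectionCriteria.SseKmsEncryptedObjects is not Enabled")
        enc = rule.get("Destination", {}).get("EncryptionConfiguration", {})
        if not enc.get("ReplicaKmsKeyID"):
            gaps.append(f"{rid}: Destination.EncryptionConfiguration.ReplicaKmsKeyID is missing")
    return gaps


def replication_role_kms_statements(source_key_arn: str, replica_key_arn: str) -> list[dict]:
    """IAM statements the replication role additionally needs in the SSE-KMS
    case: decrypt with the source Region key, encrypt with the destination
    Region key. AWS's documented policy further narrows these with
    kms:ViaService and encryption-context conditions, omitted here."""
    return [
        {"Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": [source_key_arn]},
        {"Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": [replica_key_arn]},
    ]


if __name__ == "__main__":
    import json
    sse_s3 = replication_config(DEST_BUCKET, ROLE_ARN)
    print("SSE-S3 bucket, base rule:", kms_replication_gaps(sse_s3, False))          # []
    print("SSE-KMS bucket, same rule:", kms_replication_gaps(sse_s3, True))          # two gaps
    sse_kms = replication_config(DEST_BUCKET, ROLE_ARN, REPLICA_KMS_KEY)
    print("SSE-KMS bucket, full rule:", kms_replication_gaps(sse_kms, True))         # []
    print(json.dumps(sse_kms, indent=2))
    print(json.dumps(replication_role_kms_statements(SOURCE_KMS_KEY, REPLICA_KMS_KEY), indent=2))
```

The difference between the two configurations is the whole "least operational overhead" argument: the SSE-S3 rule is complete as built, while the SSE-KMS rule needs the opt-in, a destination key, and key permissions on the role (and, for customer managed keys, matching key policies) before a single KMS-encrypted object crosses Regions.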



A company runs workloads on AWS. The company needs to connect to a service from an external provider. The service is hosted in the provider's VPC. According to the company’s security team, the connectivity must be private and must be restricted to the target service. The connection must be initiated only from the company’s VPC.
Which solution will meet these requirements?

  A. Create a VPC peering connection between the company's VPC and the provider's VPC. Update the route table to connect to the target service.
  B. Ask the provider to create a virtual private gateway in its VPC. Use AWS PrivateLink to connect to the target service.
  C. Create a NAT gateway in a public subnet of the company’s VPC. Update the route table to connect to the target service.
  D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.

Answer(s): D

Explanation:

D is correct. With AWS PrivateLink the provider publishes the service as a VPC endpoint service (fronted by a Network Load Balancer or Gateway Load Balancer) and the company creates an interface VPC endpoint in its own VPC. Traffic stays on the AWS network, only the company's side can initiate connections, and the endpoint reaches exactly one service rather than the provider's network; the two VPCs exchange no routes and their CIDR ranges may even overlap.
A is incorrect: VPC peering is a bidirectional, network-level link that exposes routes to whole CIDR ranges (which must not overlap), so it can neither restrict access to a single service nor enforce one-way initiation.
B is incorrect: a virtual private gateway terminates Site-to-Site VPN and Direct Connect attachments; it is not part of PrivateLink and does nothing to restrict access to one service.
C is incorrect: a NAT gateway sends traffic out over the public internet, so the connection would be neither private nor restricted to the target service.


