Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 32)

Updated On: 20-Mar-2026

A company wants to migrate its on-premises data center to AWS. According to the company's compliance requirements, the company can use only the ap-northeast-3 Region. Company administrators are not permitted to connect VPCs to the internet.
Which solutions will meet these requirements? (Choose two.)

  A. Use AWS Control Tower to implement data residency guardrails to deny internet access and deny access to all AWS Regions except ap-northeast-3.
  B. Use rules in AWS WAF to prevent internet access. Deny access to all AWS Regions except ap-northeast-3 in the AWS account settings.
  C. Use AWS Organizations to configure service control policies (SCPs) that prevent VPCs from gaining internet access. Deny access to all AWS Regions except ap-northeast-3.
  D. Create an outbound rule for the network ACL in each VPC to deny all traffic from 0.0.0.0/0. Create an IAM policy for each user to prevent the use of any AWS Region other than ap-northeast-3.
  E. Use AWS Config to activate managed rules to detect and alert for internet gateways and to detect and alert for new resources deployed outside of ap-northeast-3.

Answer(s): A,C

Explanation:

A) Correct: AWS Control Tower can implement data residency guardrails, including restricting regions and enforcing internet access policies, aligning with ap-northeast-3-only and no internet exposure for administrators.
C) Correct: AWS Organizations with Service Control Policies (SCPs) can block internet egress and constrain region usage to ap-northeast-3, applying at the organization/account level.
B) Incorrect: WAF governs web traffic for resources like CloudFront or ALB, not outbound regional access controls or VPC-level egress; SCPs are the proper mechanism for broad account-level restrictions.
D) Incorrect: Network ACLs are per-subnet, not global policy enforcement; IAM policies cannot centrally enforce region restrictions at the VPC/telemetry level.
E) Incorrect: Config rules detect configurations but do not prevent actions; protection requires preventive controls (SCPs/guardrails) rather than solely detection.



A company uses a three-tier web application to provide training to new employees. The application is accessed for only 12 hours every day. The company is using an Amazon RDS for MySQL DB instance to store information and wants to minimize costs.
What should a solutions architect do to meet these requirements?

  A. Configure an IAM policy for AWS Systems Manager Session Manager. Create an IAM role for the policy. Update the trust relationship of the role. Set up automatic start and stop for the DB instance.
  B. Create an Amazon ElastiCache for Redis cache cluster that gives users the ability to access the data from the cache when the DB instance is stopped. Invalidate the cache after the DB instance is started.
  C. Launch an Amazon EC2 instance. Create an IAM role that grants access to Amazon RDS. Attach the role to the EC2 instance. Configure a cron job to start and stop the EC2 instance on the desired schedule.
  D. Create AWS Lambda functions to start and stop the DB instance. Create Amazon EventBridge (Amazon CloudWatch Events) scheduled rules to invoke the Lambda functions. Configure the Lambda functions as event targets for the rules.

Answer(s): D

Explanation:

Starting and stopping the RDS instance on a schedule with Lambda and EventBridge minimizes compute and storage costs during idle periods without maintaining always-on infrastructure.
A) Incorrect: Session Manager IAM config and automatic RDS start/stop is not a standard, cost-effective method for automating RDS lifecycle; Session Manager is for EC2/session access, not scheduling RDS power states.
B) Incorrect: ElastiCache adds cost and complexity; it’s not a required substitute for a stopped RDS, and cache invalidation on restart can risk stale data and downtime.
C) Incorrect: Running an EC2 instance to proxy or access the DB adds unnecessary cost and management overhead versus native RDS stop/start automation.
D) Correct: Lambda + EventBridge provides serverless, low-cost, event-driven lifecycle control for RDS with scheduled start/stop.



A company sells ringtones created from clips of popular songs. The files containing the ringtones are stored in Amazon S3 Standard and are at least 128 KB in size. The company has millions of files, but downloads are infrequent for ringtones older than 90 days. The company needs to save money on storage while keeping the most accessed files readily available for its users.
Which action should the company take to meet these requirements MOST cost-effectively?

  A. Configure S3 Standard-Infrequent Access (S3 Standard-IA) storage for the initial storage tier of the objects.
  B. Move the files to S3 Intelligent-Tiering and configure it to move objects to a less expensive storage tier after 90 days.
  C. Configure S3 inventory to manage objects and move them to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.
  D. Implement an S3 Lifecycle policy that moves the objects from S3 Standard to S3 Standard-Infrequent Access (S3 Standard-IA) after 90 days.

Answer(s): D

Explanation:

D) is correct because an S3 Lifecycle policy can automatically transition objects from S3 Standard to S3 Standard-IA after 90 days, reducing storage costs for infrequently accessed files while keeping them readily available when needed.
A) S3 Standard-IA applies to objects initially; not aligned with the requirement to start in Standard and transition later.
B) S3 Intelligent-Tiering may incur unnecessary monitoring fees; though it automatically moves objects, it is not as cost-optimal for a predictable 90-day access pattern with a large number of objects.
C) S3 Inventory is a reporting feature, not an automatic data movement mechanism.



A company needs to save the results from a medical trial to an Amazon S3 repository. The repository must allow a few scientists to add new files and must restrict all other users to read-only access. No users can have the ability to modify or delete any files in the repository. The company must keep every file in the repository for a minimum of 1 year after its creation date.
Which solution will meet these requirements?

  A. Use S3 Object Lock in governance mode with a legal hold of 1 year.
  B. Use S3 Object Lock in compliance mode with a retention period of 365 days.
  C. Use an IAM role to restrict all users from deleting or changing objects in the S3 bucket. Use an S3 bucket policy to only allow the IAM role.
  D. Configure the S3 bucket to invoke an AWS Lambda function every time an object is added. Configure the function to track the hash of the saved object so that modified objects can be marked accordingly.

Answer(s): B

Explanation:

S3 Object Lock in compliance mode with a retention period of 365 days ensures immutability for 1 year after creation, meeting the read-only requirement for most users and preventing deletion or modification. Compliance mode enforces write-once-read-many behavior for all objects, regardless of IAM, protecting against both user and account-level changes.
A) Governance mode allows users with special permissions to override, which fails the no-modification requirement.
C) IAM role + bucket policy can block deletes but does not guarantee immutability or prevent override without Object Lock.
D) Lambda hash tracking does not enforce immutability and cannot prevent deletions or modifications.



A large media company hosts a web application on AWS. The company wants to start caching confidential media files so that users around the world will have reliable access to the files. The content is stored in Amazon S3 buckets. The company must deliver the content quickly, regardless of where the requests originate geographically.
Which solution will meet these requirements?

  A. Use AWS DataSync to connect the S3 buckets to the web application.
  B. Deploy AWS Global Accelerator to connect the S3 buckets to the web application.
  C. Deploy Amazon CloudFront to connect the S3 buckets to CloudFront edge servers.
  D. Use Amazon Simple Queue Service (Amazon SQS) to connect the S3 buckets to the web application.

Answer(s): C

Explanation:

CloudFront edge servers cache and deliver S3-stored media content from edge locations globally, reducing latency for users worldwide, meeting the requirement for fast, geographically distributed access.
B) Global Accelerator optimizes global application availability and performance for IP endpoints, but it does not cache or serve S3 content from edge locations.
C) CloudFront is a CDN that caches S3 content at edge locations, providing low-latency delivery worldwide.
D) SQS is a queuing service for decoupled workflows and does not provide content caching or geographic acceleration.



Viewing page 32 of 205
Viewing questions 156 - 160 out of 824 questions


