Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 35)

Updated On: 20-Mar-2026

Organizers for a global event want to put daily reports online as static HTML pages. The pages are expected to generate millions of views from users around the world. The files are stored in an Amazon S3 bucket. A solutions architect has been asked to design an efficient and effective solution.
Which action should the solutions architect take to accomplish this?

  A. Generate presigned URLs for the files.
  B. Use cross-Region replication to all Regions.
  C. Use the geoproximity feature of Amazon Route 53.
  D. Use Amazon CloudFront with the S3 bucket as its origin.

Answer(s): D

Explanation:

Using Amazon CloudFront with the S3 bucket as its origin provides a global content delivery network that caches the static HTML and serves it from edge locations worldwide, reducing latency and handling high request volumes efficiently.
A) Presigned URLs are for time-limited access control, not for global caching or performance of static pages.
B) Cross-Region replication copies data between buckets; it does not provide performance or global delivery for static content.
C) Route 53 geoproximity affects DNS routing, but does not optimize content delivery or caching for static hosting.
D) Correct: CloudFront edge caching and low-latency delivery from edge locations best meets the requirements.



A company runs a production application on a fleet of Amazon EC2 instances. The application reads the data from an Amazon SQS queue and processes the messages in parallel. The message volume is unpredictable and often has intermittent traffic. This application should continually process messages without any downtime.
Which solution meets these requirements MOST cost-effectively?

  A. Use Spot Instances exclusively to handle the maximum capacity required.
  B. Use Reserved Instances exclusively to handle the maximum capacity required.
  C. Use Reserved Instances for the baseline capacity and use Spot Instances to handle additional capacity.
  D. Use Reserved Instances for the baseline capacity and use On-Demand Instances to handle additional capacity.

Answer(s): D

Explanation:

Using Reserved Instances for baseline capacity provides cost savings for steady-state load, while On-Demand instances cover variable, unpredictable spikes without long-term commitment, ensuring continuous processing without downtime at the lowest overall cost for variable traffic.
A) Incorrect: Spot Instances are cost-effective but can interrupt, risking downtime for production processing.
B) Incorrect: Reserved Instances alone fix capacity and can lead to idle or insufficient capacity during spikes; not cost-optimal for variable traffic.
C) Incorrect: Mixing RI with Spot can risk interruption during spikes and adds complexity; Spot interruptions may cause downtime, not ideal for continuous processing.
D) Correct: Baseline with RI plus On-Demand for variability balances cost and reliability for unpredictable queue-driven load.



A security team wants to limit access to specific services or actions in all of the team’s AWS accounts. All accounts belong to a large organization in AWS Organizations. The solution must be scalable and there must be a single point where permissions can be maintained.
What should a solutions architect do to accomplish this?

  A. Create an ACL to provide access to the services or actions.
  B. Create a security group to allow accounts and attach it to user groups.
  C. Create cross-account roles in each account to deny access to the services or actions.
  D. Create a service control policy in the root organizational unit to deny access to the services or actions.

Answer(s): D

Explanation:

A single Service Control Policy (SCP) in the Organizations root OU provides centralized, scalable permission boundaries for all member accounts, enforcing deny/allow across the entire organization. This is the correct approach for a single-point-of-maintenance solution.
A) ACLs are not applicable to AWS service permissions at scale across accounts.
B) Security groups control network traffic, not IAM permissions across accounts.
C) Cross-account roles would require configuring in each account and do not provide centralized policy enforcement.
D) SCPs are the correct, scalable mechanism for centralized permission control in AWS Organizations.



A company is concerned about the security of its public web application due to recent web attacks. The application uses an Application Load Balancer (ALB). A solutions architect must reduce the risk of DDoS attacks against the application.
What should the solutions architect do to meet this requirement?

  A. Add an Amazon Inspector agent to the ALB.
  B. Configure Amazon Macie to prevent attacks.
  C. Enable AWS Shield Advanced to prevent attacks.
  D. Configure Amazon GuardDuty to monitor the ALB.

Answer(s): C

Explanation:

Enabling AWS Shield Advanced provides DDoS protection at the edge and integrates with the ALB, offering enhanced DDoS mitigation, scrubbing, and 24/7 DDoS response team support, directly addressing DDoS risk for the public web application.
A) Amazon Inspector assesses EC2 instances; it does not provide real-time DDoS protection on the ALB.
B) Amazon Macie focuses on data security and privacy, not DDoS defense.
D) Amazon GuardDuty monitors for threats and compromised instances; it does not provide active DDoS mitigation for an ALB.
Therefore, Shield Advanced is the correct choice.



A company’s web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only.
Which configuration will meet this requirement?

  A. Configure the security group for the EC2 instances.
  B. Configure the security group on the Application Load Balancer.
  C. Configure AWS WAF on the Application Load Balancer in a VP
  D. Configure the network ACL for the subnet that contains the EC2 instances.

Answer(s): C

Explanation:

A) The security group on the EC2 instances does not filter by geographic location; it controls traffic at the instance level, not country-based access.
B) The security group on the ALB does not provide country-based filtering; security groups are per resource and operate at the IP/port level without geo controls.
C) AWS WAF on the ALB supports geo match conditions to allow or block requests by country, satisfying the requirement.
D) Network ACLs operate at the subnet level and do not offer granular geo-based filtering for specific country access.



Viewing page 35 of 205
Viewing questions 171 - 175 out of 824 questions


