Amazon SAA-C03 Exam Questions
AWS Certified Solutions Architect - Associate SAA-C03 (Page 37)

Updated On: 20-Mar-2026

An application runs on Amazon EC2 instances in private subnets. The application needs to access an Amazon DynamoDB table.
What is the MOST secure way to access the table while ensuring that the traffic does not leave the AWS network?

  A. Use a VPC endpoint for DynamoDB.
  B. Use a NAT gateway in a public subnet.
  C. Use a NAT instance in a private subnet.
  D. Use the internet gateway attached to the VPC.

Answer(s): A

Explanation:

A) A VPC endpoint for DynamoDB provides private, secure connectivity to DynamoDB from within the VPC without traversing the public internet, ensuring traffic stays on the AWS network.
B) A NAT gateway gives private-subnet instances outbound internet access; it does not provide private connectivity to DynamoDB, so traffic could be exposed to the public internet.
C) A NAT instance has the same limitations as a NAT gateway, with added maintenance overhead, and still routes through the public internet unless the service supports VPC endpoints.
D) An internet gateway would route traffic to the public internet, not keeping it entirely within the AWS network.



An entertainment company is using Amazon DynamoDB to store media metadata. The application is read intensive and experiencing delays. The company does not have staff to handle additional operational overhead and needs to improve the performance efficiency of DynamoDB without reconfiguring the application.
What should a solutions architect recommend to meet this requirement?

  A. Use Amazon ElastiCache for Redis.
  B. Use Amazon DynamoDB Accelerator (DAX).
  C. Replicate data by using DynamoDB global tables.
  D. Use Amazon ElastiCache for Memcached with Auto Discovery enabled.

Answer(s): B

Explanation:

A) Incorrect: ElastiCache adds a caching layer but requires application or integration changes unless using a compatible data access pattern; DAX is purpose-built for DynamoDB with seamless integration.
B) Correct: DynamoDB Accelerator (DAX) provides in-memory caching for DynamoDB with zero code changes and transparent reads, reducing latency for read-heavy workloads.
C) Incorrect: Global tables offer multi-region replication for availability and write/read scalability, not latency optimization for a single-region read-heavy workload; it doesn’t address read latency via caching.
D) Incorrect: ElastiCache for Memcached with Auto Discovery is a generic cache, but requires more integration effort and does not offer DynamoDB-specific seamless read-path acceleration like DAX.



A company’s infrastructure consists of Amazon EC2 instances and an Amazon RDS DB instance in a single AWS Region. The company wants to back up its data in a separate Region.
Which solution will meet these requirements with the LEAST operational overhead?

  A. Use AWS Backup to copy EC2 backups and RDS backups to the separate Region.
  B. Use Amazon Data Lifecycle Manager (Amazon DLM) to copy EC2 backups and RDS backups to the separate Region.
  C. Create Amazon Machine Images (AMIs) of the EC2 instances. Copy the AMIs to the separate Region. Create a read replica for the RDS DB instance in the separate Region.
  D. Create Amazon Elastic Block Store (Amazon EBS) snapshots. Copy the EBS snapshots to the separate Region. Create RDS snapshots. Export the RDS snapshots to Amazon S3. Configure S3 Cross-Region Replication (CRR) to the separate Region.

Answer(s): A

Explanation:

A) AWS Backup provides centralized, automated cross-region backups for both EC2 (AMI/volume data via backup vaults) and RDS with minimal operator effort, meeting the requirement with the least overhead. It consolidates backup scheduling, lifecycle policies, and cross-region replication in one service across EC2 and RDS.
B) DLM only covers EC2 backups; it does not natively manage RDS backups cross-region at the same operational level, increasing complexity.
C) AMIs plus cross-region copy require manual consistency for RDS and the read replica approach does not provide equivalent cross-region RDS backup coverage or automated lifecycle.
D) EBS snapshots and RDS snapshots with CRR adds multiple steps and monitoring, increasing operational overhead without an integrated cross-region backup solution.



A solutions architect needs to securely store a database user name and password that an application uses to access an Amazon RDS DB instance. The application that accesses the database runs on an Amazon EC2 instance. The solutions architect wants to create a secure parameter in AWS Systems Manager Parameter Store.
What should the solutions architect do to meet this requirement?

  A. Create an IAM role that has read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM role to the EC2 instance.
  B. Create an IAM policy that allows read access to the Parameter Store parameter. Allow Decrypt access to an AWS Key Management Service (AWS KMS) key that is used to encrypt the parameter. Assign this IAM policy to the EC2 instance.
  C. Create an IAM trust relationship between the Parameter Store parameter and the EC2 instance. Specify Amazon RDS as a principal in the trust policy.
  D. Create an IAM trust relationship between the DB instance and the EC2 instance. Specify Systems Manager as a principal in the trust policy.

Answer(s): A

Explanation:

A) Correct. Attach an IAM role to the EC2 instance that grants read access to the Parameter Store parameter and allows decrypt via the KMS key used to encrypt the parameter. This enables the application to securely retrieve the SecureString value at runtime without embedding credentials.
B) Incorrect. IAM policies grant permissions, but the secure practice is to use an instance IAM role attached to EC2 for credential retrieval; a policy alone on the instance is insufficient unless it’s attached to a role.
C) Incorrect. Parameter Store access is controlled via IAM roles/policies, not a trust relationship between the parameter and the EC2 instance; trust policies do not apply to Parameter Store.
D) Incorrect. Trust relationships are between principals for assuming roles; Systems Manager or DB instance do not require a trust with the EC2 instance for Parameter Store access.



A company is designing a cloud communications platform that is driven by APIs. The application is hosted on Amazon EC2 instances behind a Network Load Balancer (NLB). The company uses Amazon API Gateway to provide external users with access to the application through APIs. The company wants to protect the platform against web exploits like SQL injection and also wants to detect and mitigate large, sophisticated DDoS attacks.
Which combination of solutions provides the MOST protection? (Choose two.)

  A. Use AWS WAF to protect the NLB.
  B. Use AWS Shield Advanced with the NLB.
  C. Use AWS WAF to protect Amazon API Gateway.
  D. Use Amazon GuardDuty with AWS Shield Standard.
  E. Use AWS Shield Standard with Amazon API Gateway.

Answer(s): B,C

Explanation:

AWS Shield Advanced with the NLB provides enhanced DDoS protection and DDoS cost protection; AWS WAF on API Gateway protects against web exploits like SQLi and can be tied to API Gateway for external API access, giving both web ACL filtering and protection for API endpoints.
A) WAF on NLB is not supported (WAF integrates with CloudFront, ALB, and API Gateway, not NLB).
C) WAF on API Gateway is valid for filtering API requests.
D) GuardDuty is a threat-detection service, not a DDoS mitigation or web ACL protection.
E) Shield Standard lacks advanced protections and is insufficient for API Gateway-specific WAF rules.
Correct: B and C.


