SAA-C03 Exam Prep Free practice test →

Free SAA-C03 Practice Questions

10 free, exam-style AWS Certified Solutions Architect - Associate (SAA-C03) practice questions with answers and explanations. No signup required. Work through them below, then take the full free SAA-C03 practice test to study every exam domain.

Question 1

A solutions architect is reviewing IAM policies attached to a user. The user has an inline policy that allows s3:GetObject on a bucket and a managed policy that explicitly denies s3:GetObject on the same bucket. What will happen when the user attempts to read an object?

  1. The request will succeed because inline policies override managed policies
  2. The request will be denied because explicit deny overrides any allow
  3. The request will succeed because the most recently attached policy applies
  4. The request will produce an error and the user must reauthenticate first
Show answer & explanation

Correct answer: B - The request will be denied because explicit deny overrides any allow

Question 2

A solutions architect must encrypt 5 GB of data using KMS. KMS direct encryption is limited to 4 KB per request. What approach should be used?

  1. Use AWS CloudHSM directly because KMS cannot encrypt anything larger than 4 KB at all
  2. Split the data into 4 KB chunks and call KMS Encrypt for each chunk with the same CMK
  3. Use KMS asymmetric keys to encrypt arbitrary-size data without the 4 KB request limit
  4. Use envelope encryption: KMS generates a data key, the SDK encrypts data with that key
Show answer & explanation

Correct answer: D - Use envelope encryption: KMS generates a data key, the SDK encrypts data with that key

Question 3

A company stores customer PII in many S3 buckets. A solutions architect must continuously identify and report which buckets contain sensitive data. Which service is BEST?

  1. AWS Inspector scanning S3 buckets for sensitive content across the entire AWS account
  2. Amazon GuardDuty configured to detect data exfiltration from S3 storage automatically
  3. Amazon Macie using ML and pattern matching to discover sensitive data in S3 buckets
  4. AWS Trusted Advisor security checks that flag buckets containing customer PII data
Show answer & explanation

Correct answer: C - Amazon Macie using ML and pattern matching to discover sensitive data in S3 buckets

Question 4

A global application requires sub-second cross-Region database replication and RTO under 1 minute. Which AWS solution meets this?

  1. RDS cross-Region read replicas with manual promotion during regional disaster events
  2. Aurora Global Database with one primary Region and up to five secondary Regions
  3. DynamoDB Global Tables, which is the only AWS option with sub-second cross-Region replication
  4. Amazon S3 cross-Region replication for the database storage volume across multiple regions
Show answer & explanation

Correct answer: B - Aurora Global Database with one primary Region and up to five secondary Regions

Question 5

A company requires DR with RPO of seconds and RTO of minutes, but does not need full production capacity in the DR Region until failover. Which strategy is MOST appropriate?

  1. Warm standby with scaled-down replicas always running and full scale-up on failover event
  2. Backup and restore approach with periodic snapshots restored on failover event in DR Region
  3. Pilot light with only data layer running and full app provisioning on failover in DR Region
  4. Multi-site active-active with full production capacity always running in both Regions live
Show answer & explanation

Correct answer: A - Warm standby with scaled-down replicas always running and full scale-up on failover event

Question 6

A solutions architect needs to durably fanout events from a single source to many SQS queues with different processing logic. Which architecture is BEST?

  1. Publisher sends directly to multiple SQS queues in a loop, ensuring each receives the message
  2. Publisher sends to an SNS topic with multiple SQS queues subscribed for parallel processing
  3. Publisher sends to one SQS queue and a Lambda function fans the message out to other queues
  4. Publisher sends to Kinesis Data Streams and consumers read from the stream independently
Show answer & explanation

Correct answer: B - Publisher sends to an SNS topic with multiple SQS queues subscribed for parallel processing

Question 7

A solutions architect is comparing SQS and Kinesis Data Streams. Which scenario favors Kinesis Data Streams?

  1. Multiple consumers reading the same stream independently with replay over a 24-hour window
  2. Single consumer pulling messages with at-least-once delivery for asynchronous backend processing
  3. Pub-sub fanout to many subscribers with HTTP, email, SMS, Lambda, and SQS delivery options
  4. Long-running orchestration with branching, parallel paths, and multi-day human approval steps
Show answer & explanation

Correct answer: A - Multiple consumers reading the same stream independently with replay over a 24-hour window

Question 8

A solutions architect needs a database for a SaaS application with hundreds of small tenants. Each tenant has different access patterns. Which approach is appropriate?

  1. Aurora with Aurora Serverless v2 to scale capacity dynamically per tenant access pattern
  2. RDS for MySQL on a single large instance for all tenants regardless of access patterns
  3. Multiple separate Aurora Provisioned clusters, one per tenant, for fixed predictable monthly cost
  4. DynamoDB single-table design with on-demand to scale per tenant access pattern at any rate
Show answer & explanation

Correct answer: D - DynamoDB single-table design with on-demand to scale per tenant access pattern at any rate

Question 9

A company archives data for compliance for 7 years and rarely retrieves it. When retrievals happen, hours of wait time is acceptable. Which class is MOST cost-effective?

  1. S3 Glacier Instant Retrieval at higher storage cost with millisecond retrieval times
  2. S3 Glacier Flexible Retrieval at higher storage cost with 1-5 minute retrieval times
  3. S3 Glacier Deep Archive at the lowest storage cost with 12-hour standard retrieval times
  4. S3 Standard-IA at higher storage cost with millisecond retrieval times for compliance archives
Show answer & explanation

Correct answer: C - S3 Glacier Deep Archive at the lowest storage cost with 12-hour standard retrieval times

Question 10

An application requires a load balancer that preserves the client source IP, supports static IP addresses for firewall whitelisting, and handles TCP traffic with millions of requests per second. Which load balancer should be used?

  1. Classic Load Balancer (CLB), which is the only load balancer with source-IP preservation
  2. Application Load Balancer (ALB), which is required for TCP traffic with static IPs
  3. Gateway Load Balancer (GWLB), which provides static IPs for any TCP/UDP application
  4. Network Load Balancer (NLB), which provides ultra-low latency and static IPs per AZ
Show answer & explanation

Correct answer: D - Network Load Balancer (NLB), which provides ultra-low latency and static IPs per AZ

Ready for the real thing?

Practice hundreds more SAA-C03 questions with instant scoring, weak-area drills, and full exam simulations.

Start the free practice test See pricing