Home
Amazon
SAA-C03: AWS Certified Solutions Architect - Associate Dumps

Free Amazon SAA-C03 Exam Dumps

Here you can find all the free questions related with Amazon AWS Certified Solutions Architect - Associate (SAA-C03) exam. You can also find on this page links to recently updated premium files with which you can practice for actual Amazon AWS Certified Solutions Architect - Associate Exam. These premium versions are provided as SAA-C03 exam practice tests, both as desktop software and browser based application, you can use whatever suits your style. Feel free to try the AWS Certified Solutions Architect - Associate Exam premium files for free, Good luck with your Amazon AWS Certified Solutions Architect - Associate Exam.

Question No: 1

MultipleChoice

A company that has multiple AWS accounts maintains an on-premises Microsoft Active Directory. The company needs a solution to implement Single Sign-On for its employees. The company wants to use AWS IAM Identity Center.

The solution must meet the following requirements:

Allow users to access AWS accounts and third-party applications by using existing Active Directory credentials.

Enforce multi-factor authentication (MFA) to access AWS accounts.

Centrally manage permissions to access AWS accounts and applications.

Options:

Options

ACreate an IAM identity provider for Active Directory in each AWS account. Ensure that Active Directory users and groups access AWS accounts directly through IAM roles. Use IAM Identity Center to enforce MFA in each account for all users.

BUse AWS Directory Service to create a new AWS Managed Microsoft AD Active Directory. Configure IAM Identity Center in each account to use the new AWS Managed Microsoft AD Active Directory as the identity source. Use IAM Identity Center to enforce MFA for all users.

CUse IAM Identity Center with the existing Active Directory as the identity source. Enforce MFA for all users. Use AWS Organizations and Active Directory groups to manage access permissions for AWS accounts and application access.

DUse AWS Lambda functions to periodically synchronize Active Directory users and groups with IAM users and groups in each AWS account. Use IAM roles and policies to manage application access. Create a second Lambda function to enforce MFA.

Answer
CExplanation

Detailed

A . IAM identity provider: Does not support centralized management across multiple accounts.

B . AWS Managed AD: Unnecessary if an on-premises Active Directory already exists.

C . IAM Identity Center + Existing AD: Best approach to integrate existing Active Directory for SSO, with MFA and centralized permissions.

D . Lambda for synchronization: Adds complexity and does not leverage IAM Identity Center capabilities.

Question No: 2

MultipleChoice

A company runs an order management application on AWS. The application allows customers to place orders and pay with a credit card. The company uses an Amazon CloudFront distribution to deliver the application.

A security team has set up logging for all incoming requests. The security team needs a solution to generate an alert if any user modifies the logging configuration.

Options (Select TWO):

Options

AConfigure an Amazon EventBridge rule that is invoked when a user creates or modifies a CloudFront distribution. Add the AWS Lambda function as a target of the EventBridge rule.

BCreate an Application Load Balancer (ALB). Enable AWS WAF rules for the ALB. Configure an AWS Config rule to detect security violations.

CCreate an AWS Lambda function to detect changes in CloudFront distribution logging. Configure the Lambda function to use Amazon Simple Notification Service (Amazon SNS) to send notifications to the security team.

DSet up Amazon GuardDuty. Configure GuardDuty to monitor findings from the CloudFront distribution. Create an AWS Lambda function to address the findings.

ECreate a private API in Amazon API Gateway. Use AWS WAF rules to protect the private API from common security problems.

Answer
A, CExplanation

Detailed

A . EventBridge Rule: Detects modifications to CloudFront distributions in real time and triggers the Lambda function for further action.

B . ALB + Config: Focuses on ALB security violations, not relevant for CloudFront logging changes.

C . Lambda + SNS: Provides real-time notifications about changes in logging configuration.

D . GuardDuty: Focuses on threat detection, not logging configuration changes.

E . API Gateway + WAF: Unrelated to CloudFront logging changes.

Question No: 3

MultipleChoice

An application runs on an Amazon EC2 instance that has an Elastic IP address in VPC

A The application requires access to a database in VPC B. Both VPCs are in the same AWS account.

Which solution will provide the required access MOST securely?

Options

ACreate a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.

BConfigure a VPC peering connection between VPC A and VPC B.

CMake the DB instance publicly accessible. Assign a public IP address to the DB instance.

DLaunch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.

Answer
BExplanation

A VPC peering connection is a networking connection between two VPCs that enables users to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network.A VPC peering connection can be created between VPCs in the same or different AWS accounts and Regions1. By configuring a VPC peering connection between VPC A and VPC B, the solution can provide the required access most securely.

A) Create a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.This solution will not provide the required access most securely, as it involves exposing the DB instance to the public internet and relying on a single IP address for access control2.

C) Make the DB instance publicly accessible. Assign a public IP address to the DB instance.This solution will not provide the required access most securely, as it involves exposing the DB instance to the public internet and allowing any source to connect to it2.

D) Launch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.This solution will not provide the required access most securely, as it involves creating an additional resource and configuring a proxy server that may introduce latency and complexity3.

Reference URL: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

Question No: 4

MultipleChoice

A company has a web application lhat is based on Java and PHP The company plans to move the application from on premises to AWS The company needs the ability to test new site features trequenlty. The company also needs a highly available and managed solution that requires minimum operational overhead

Which solution will meel these requirements?

Options

ACreate an Amazon S3 bucket Enable static web hosting on the S3 bucket Upload the static content to the S3 bucket Use AWS Lambda to process all dynamic content

BDeploy the web application to an AWS Elastic Beanstalk environment Use URL swapping to switch between multiple Elastic Beanstalk environments for feature testing

CDeploy the web application lo Amazon EC2 instances that are configured with Java and PHP Use Auto Scaling groups and an Application Load Balancer to manage the website's availability

DContainerize the web application Deploy the web application to Amazon EC2 instances Use the AWS Load Balancer Controller to dynamically route traffic between containers thai contain the new site features for testing

Answer
B

Question No: 5

MultipleChoice

A company runs an applcalion on a large Heel of Amazon EC2 ratances. The application leads and write entries into an Amazon DynamoDB (able The size of the DynamoDB table continuously grows but the application needs only data from the last 30 days. The company needs a solution that mmmizes cost and development effort.

Which solution meets these requirements?

Options

AUse an AWS CloudFomiahon template to deploy the complete solution Redeploy the CloudFormation stack every 30 days and delete the original stack

BUse an EC2 Instance that runs a monitonng application from AWS Marketplace Configure the monitoring application to use Amazon DynamoDB Streams to store the timestamp when a new item is created in the table Use a scnpt that runs on the EC2 instance to delele items that have a timestamp that is older than 30 days

CConfigure Amazon DynamoDB Streams to invoke an AWS Lambda function when a new item is created in the table Configure the Lambda function to delete items in the table that are older than 30 days

DExtend the application to add an attribute that has a value of the current timestamp plus 30 days to each new item that is created in the (able Configure DynamoDB to use the attribute as (he TTL attribute

Answer
DExplanation

Amazon DynamoDB Time to Live (TTL) allows you to define a per-item timestamp to determine when an item is no longer needed. Shortly after the date and time of the specified timestamp, DynamoDB deletes the item from your table without consuming any write throughput. TTL is provided at no extra cost as a means to reduce stored data volumes by retaining only the items that remain current for your workload's needs.

TTL is useful if you store items that lose relevance after a specific time. The following are example TTL use cases:

Remove user or sensor data after one year of inactivity in an application.

Archive expired items to an Amazon S3 data lake via Amazon DynamoDB Streams and AWS Lambda.

Retain sensitive data for a certain amount of time according to contractual or regulatory obligations.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TTL.html

Question No: 6

MultipleChoice

The following IAM policy is attached to an IAM group. This is the only policy applied to the group.

A Group members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.

Options

BGroup members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).

CGroup members are allowed the ec2:Stoplnstances and ec2:Terminatelnstances permissions for all Regions when logged in with multi-factor authentication (MFA). Group members are
permitted any other Amazon EC2 action.

DGroup members are allowed the ec2:Stoplnstances and ec2:Terminatelnstances permissions for the us-east-1 Region only when logged in with multi-factor authentication (MFA). Group members are permitted any other Amazon EC2 action within the us-east-1 Region.

Answer
DExplanation

This answer is correct because it reflects the effect of the IAM policy on the group members. The policy has two statements: one with an Allow effect and one with a Deny effect. The Allow statement grants permission to perform any EC2 action on any resource within the us-east-1 Region. The Deny statement overrides the Allow statement and denies permission to perform the ec2:StopInstances and ec2:TerminateInstances actions on any resource within the us-east-1 Region, unless the group member is logged in with MF

A) Therefore, the group members can perform any EC2 action except stopping or terminating instances in the us-east-1 Region, unless they use MFA.

Question No: 7

MultipleChoice

An application runs on an Amazon EC2 instance that has an Elastic IP address in VPC

Options

AThe application requires access to a database in VPC B. Both VPCs are in the same AWS account.
Which solution will provide the required access MOST securely?

ACreate a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.

BConfigure a VPC peering connection between VPC A and VPC B.

CMake the DB instance publicly accessible. Assign a public IP address to the DB instance.

DLaunch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.

Answer
BExplanation

Reference URL: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

Question No: 8

MultipleChoice

The following IAM policy is attached to an IAM group. This is the only policy applied to the group.

Options

AGroup members are permitted any Amazon EC2 action within the us-east-1 Region. Statements after the Allow permission are not applied.

BGroup members are denied any Amazon EC2 permissions in the us-east-1 Region unless they are logged in with multi-factor authentication (MFA).

Answer
DExplanation

A) Therefore, the group members can perform any EC2 action except stopping or terminating instances in the us-east-1 Region, unless they use MFA.

Question No: 9

MultipleChoice

An application runs on an Amazon EC2 instance that has an Elastic IP address in VPC A. The application requires access to a database in VPC B. Both VPCs are in the same AWS account.

Which solution will provide the required access MOST securely?

Options

ACreate a DB instance security group that allows all traffic from the public IP address of the application server in VPC A.

BConfigure a VPC peering connection between VPC A and VPC B.

CMake the DB instance publicly accessible. Assign a public IP address to the DB instance.

DLaunch an EC2 instance with an Elastic IP address into VPC B. Proxy all requests through the new EC2 instance.

Answer
BExplanation

Reference URL: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

Question No: 10

MultipleChoice

An application running on an Amazon EC2 instance in VPC-A needs to access files in another EC2 instance in VPC-B. Both VPCs are in separate AWS accounts. The network administrator needs to design a solution to configure secure access to EC2 instance in VPC-B from VPC-A. The connectivity should not have a single point of failure or bandwidth concerns.

Which solution will meet these requirements?

Options

ASet up a VPC peering connection between VPC-A and VPC-B.

BSet up VPC gateway endpoints for the EC2 instance running in VPC-B.

CAttach a virtual private gateway to VPC-B and set up routing from VPC-A.

DCreate a private virtual interface (VIF) for the EC2 instance running in VPC-B and add appropriate routes from VPC-A.

Answer
AExplanation

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck. https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

Limited Time Offer

25%

Off

Get Premium SAA-C03 Questions as Interactive Web-Based Practice Test or PDF